§ jh jYfمَخ—UdZddlmZddlZddlmZddlmZd'd„Zd'd „Z d(d „Z d)d„Zd*d„Zd+d„Z hd£Zded<d,d„ZdZd-d„Zd.d„Zd,d„Zd/d „Zd.d!„Zd,d"„Z d0d1d%„Z d0d2d&„ZdS)3z:Shared file safety rules used by both tools and ACP shims.é)عannotationsN)عPath)عOptionalعreturnrcَœ— ddlm}|¦«S#t$r/ttj d¦«¦«cYSwxYw)zHResolve the active HERMES_HOME (profile-aware) without circular imports.r©عget_hermes_homeْ ~/.hermes)عhermes_constantsr ع Exceptionrعosعpathع expanduserrs ْ6/home/ubuntu/.hermes/hermes-agent/agent/file_safety.pyع_hermes_home_pathr sf€ً5ط4ذ4ذ4ذ4ذ4ذ4طˆر ش ذ ّفً5ً5ً5ف•B”G×&ز& {ر3ش3ر4ش4ذ4ذ4ذ4ً5َّّّ‚’6Aء Acَœ— ddlm}|¦«S#t$r/ttj d¦«¦«cYSwxYw)zRResolve the Hermes root dir (always the parent of any profile, never per-profile).r©عget_default_hermes_rootr )rrrrr rrrs rع_hermes_root_pathrsg€ً5ط<ذ<ذ<ذ<ذ<ذ<ط&ذ&ر(ش(ذ(ّفً5ً5ً5ف•B”G×&ز& {ر3ش3ر4ش4ذ4ذ4ذ4ً5ّّّrعhomeعstrْset[str]cَL—t¦«}t¦«}d„tj |dd¦«tj |dd¦«tj |dd¦«tj |dd¦«t|dz¦«t|dz¦«t|dz¦«t|dz¦«tj |d ¦«tj |d ¦«tj |d¦«tj |d¦«tj |d ¦«tj |d¦«tj |d¦«tj |d¦«tj |d¦«tj |d¦«dddfD¦«S)z8Return exact sensitive paths that must never be written.cَL—h|]!}tj |¦«’Œ"S©)r rعrealpath©ع.0عps rْ z+build_write_denied_paths.. s8€ًًًà ُ Œ×زکرشًًًَْ.sshعauthorized_keysعid_rsaع id_ed25519عconfigْ.envْ.anthropic_oauth.jsonz.bashrcz.zshrcz.profilez .bash_profilez .zprofilez.netrcz.pgpassz.npmrcz.pypircz.git-credentialsz/etc/sudoersz/etc/passwdz/etc/shadow)rrr rعjoinr)rعhermes_homeعhermes_roots rعbuild_write_denied_pathsr-s €ه#ر%ش%€Kف#ر%ش%€Kًًُ ŒGڈLٹLککvذ'8ر9ش9فŒGڈLٹLککv xر0ش0فŒGڈLٹLککv |ر4ش4فŒGڈLٹLککv xر0ش0هگکfر$ر%ش%ُ گکfر$ر%ش%هگذ5ر5ر6ش6ُ گذ5ر5ر6ش6فŒGڈLٹLککyر)ش)فŒGڈLٹLککxر(ش(فŒGڈLٹLککzر*ش*فŒGڈLٹLککر/ش/فŒGڈLٹLکک{ر+ش+فŒGڈLٹLککxر(ش(فŒGڈLٹLککyر)ش)فŒGڈLٹLککxر(ش(فŒGڈLٹLککyر)ش)فŒGڈLٹLکذ1ر2ش2طططً7 ًٌôًr"ْ list[str]cَ—d„tj |d¦«tj |d¦«tj |d¦«tj |d¦«ddtj |d¦«tj |d ¦«tj |d d¦«tj |d d¦«f D¦«S) z?Return sensitive directory prefixes that must never be written.cَf—g|].}tj |¦«tjz‘Œ/Sr)r rrعseprs rْ z/build_write_denied_prefixes..Ds?€ًًًà ُ Œ×زکرش‌bœfر$ًًًr"r#z.awsz.gnupgz.kubez/etc/sudoers.dz/etc/systemdz.dockerz.azurez.configعghعgcloud)r rr*)rs rعbuild_write_denied_prefixesr5Bsة€ًًُ ŒGڈLٹLککvر&ش&فŒGڈLٹLککvر&ش&فŒGڈLٹLککxر(ش(فŒGڈLٹLککwر'ش'ططفŒGڈLٹLککyر)ش)فŒGڈLٹLککxر(ش(فŒGڈLٹLککy¨$ر/ش/فŒGڈLٹLککy¨(ر3ش3ً ًٌôًr"ْ Optional[str]cَذ—tjdd¦«}|sdS tj tj |¦«¦«S#t $rYdSwxYw)zBReturn the resolved HERMES_WRITE_SAFE_ROOT path, or None if unset.عHERMES_WRITE_SAFE_ROOTعN)r عgetenvrrrr)عroots rعget_safe_write_rootr<Usn€ه Œ9ذ-¨rر2ش2€DطًطˆtًفŒw×ز¥¤× 2ز 2°4ر 8ش 8ر9ش9ذ9ّفًًًطˆtˆtًّّّs›;Aء A%ء$A%rعboolc َ†—tj tj d¦«¦«}tj tj t |¦«¦«¦«}|t|¦«vrdSt |¦«D]}| |¦«rdSŒd}d}g}t¦«t¦«fD]K} tj |¦«}||vr| |¦«Œ<#t$rYŒHwxYw|Dگ]R} |D]X} |tj tj | | ¦«¦«krdSŒI#t$rYŒUwxYw tj tj | |¦«¦«}||ks"| |tj z¦«rdSn#t$rYnwxYw tj tj | d¦«¦«}||ks"| |tj z¦«rdSگŒC#t$rYگŒPwxYwt¦«} | r*|| ks$| | tj z¦«sdSdS)zBReturn True if path is blocked by the write denylist or safe root.ع~T)ْ auth.jsonzconfig.yamlْwebhook_subscriptions.jsonْ mcp-tokensعpairingF)r rrrrr-r5ع startswithrrعappendrr*r1r<)rrعresolvedعprefixعcontrol_file_namesعmcp_tokens_dir_nameعhermes_dirsعbaseعrealع base_realعnameعmcp_realعpairing_realع safe_roots rعis_write_deniedrR`sî€ه Œ7×ز‌BœG×.ز.¨sر3ش3ر4ش4€DفŒw×ز¥¤× 2ز 2µ3°t±9´9ر =ش =ر>ش>€Hàص+¨Dر1ش1ذ1ذ1طˆtف-¨dر3ش3ًًˆط×زکvر&ش&ً طگ4گ4ً ًTذط&ذà€Kف"ر$ش$ص&7ر&9ش&9ذ:ًًˆً ف”7×#ز# Dر)ش)ˆDطک;ذ&ذ&ط×"ز" 4ر(ش(ذ(ّّفً ً ً طˆHً ًّّّ!ًٌˆ ط&ً ً ˆDً ط‌rœw×/ز/µ´·²¸Yبر0Mش0MرNشNزNذNطک4ک4ک4ًOّهً ً ً طگً ًّّّ ف”w×'ز'¬¯ھ°Yذ@Sر(Tش(TرUشUˆHطک8ز#ذ# x×':ز':¸8إbؤfر;Lر'Mش'Mذ#طگtگtً$ّهً ً ً طˆDً ًّّّ فœ7×+ز+B¬G¯LھL¸ہIر,Nش,NرOشOˆLطک<ز'ذ'¨8×+>ز+>¸|حbجfر?Tر+Uش+Uذ'طگtگtٌ(ّهً ً ً ط‰Dً ُّّّ$ر%ش%€Iطًک( iز/ذ/°8×3Fز3FہyصSUشSYرGYر3Zش3Zذ/طˆtàˆ5sKأ(8D!ؤ! D.ؤ-D.ؤ;AFئ Fئ FئA%G;ا; HبHبA%I6ة6 JتJ>ْ.envrcْ .env.testْ .env.localْ.env.stagingْ.env.productionْ.env.developmentr(ع_BLOCKED_PROJECT_ENV_BASENAMESc َذ—t|¦« ¦« ¦«}g}t¦«t ¦«fD]@} | ¦«}||vr| |¦«Œ1#t$rYŒ=wxYw|D]J}|dzdzdz|dzdzg}|D]2} | |¦«n#t$rYŒ%wxYwd|›d‌ccSŒKdddd d tj dd¦«tj d d¦«f}|D]@}|D];} || z ¦«}n#t$rYŒ'wxYw||kr d|›d‌ccSŒ<ŒA|D]g} |dz ¦«} n#t$rYŒ'wxYw|| krd|›d‌cS | | ¦«n#t$rYŒ\wxYwd|›d‌cS|jtvrd|›d‌SdS)u Return an error message when a read targets a denied Hermes path. Three categories are blocked: * Internal Hermes cache files under ``HERMES_HOME/skills/.hub`` â€” readable metadata that an attacker could use as a prompt-injection carrier. * Credential / secret stores under HERMES_HOME and the global Hermes root: ``auth.json``, ``auth.lock``, ``.anthropic_oauth.json``, ``.env``, ``webhook_subscriptions.json``, ``auth/google_oauth.json``, and anything under ``mcp-tokens/``. These hold plaintext provider keys, OAuth tokens, and HMAC secrets that the agent never needs to read directly â€” provider tools / gateway adapters consume them through internal channels. * Project-local environment files anywhere on disk: ``.env``, ``.env.local``, ``.env.development``, ``.env.production``, ``.env.test``, ``.env.staging``, ``.envrc``. These routinely hold API keys, database passwords, and other credentials for the user's own projects. The agent helping debug a project shouldn't normally need to read these â€” ``.env.example`` is the documented-shape substitute. **This is NOT a security boundary.** The terminal tool runs as the same OS user with shell access; the agent can still ``cat auth.json`` or ``cat ~/.hermes/.env`` and exfiltrate the file. The read-deny exists as defense-in-depth that: * Returns a clear error to models that respect tool denials, which empirically prompts most modern models to stop rather than reach for the shell. * Surfaces a visible audit trail when something tries to read credentials â€” easier to spot in logs than a generic ``cat``. Treat any user-visible framing around this as "may help" rather than "stops attackers." A determined model or malicious instruction can always shell out. Callers that resolve relative paths against a non-process cwd (e.g. ``TERMINAL_CWD`` in ``tools/file_tools.py``) MUST pre-resolve and pass the absolute path string. This function's own ``resolve()`` is anchored at the Python process cwd, so a relative input like ``"auth.json"`` would otherwise miss the denylist when the task's terminal cwd differs from the process cwd. عskillsz.hubzindex-cachezAccess denied: z‹ is an internal Hermes cache file and cannot be read directly to prevent prompt injection. Use the skills_list or skill_view tools instead.r@z auth.lockr)r(rAعauthzgoogle_oauth.jsonعcachezbws_cache.jsonuز is a Hermes credential store and cannot be read directly. Provider tools consume these credentials through internal channels. (Defense-in-depth â€” not a security boundary; the terminal tool can still bypass.)rBu“ is the Hermes MCP token directory and cannot be read directly. (Defense-in-depth â€” not a security boundary; the terminal tool can still bypass.)uŒ is a Hermes MCP token file and cannot be read directly. (Defense-in-depth â€” not a security boundary; the terminal tool can still bypass.)uï is a secret-bearing environment file and cannot be read to prevent credential leakage. If you need to check the file structure, read .env.example instead. (Defense-in-depth â€” not a security boundary; the terminal tool can still bypass.)N)rrعresolverrrErعrelative_toع ValueErrorr rr*rNrY)rrFrJrKrLعhdعblocked_dirsعblockedعcredential_file_namesrNع mcp_tokenss rعget_read_block_errorrf¥s\€ُZگD‰zŒz×$ز$ر&ش&×.ز.ر0ش0€Hً!€Kف"ر$ش$ص&7ر&9ش&9ذ:ًًˆً ط—<’<‘>”>ˆDطک;ذ&ذ&ط×"ز" 4ر(ش(ذ(ّّفً ً ً طˆHً ًًًّّّˆàگ‰MکFر" ]ر2طگ‰MکFر"ً ˆً$ً ً ˆGً ط×$ز$ Wر-ش-ذ-ذ-ّفً ً ً طگً ًّّّC $ًCًCًCً ً ً ً ً ً ً طططط$ف ŒڈٹگVذ0ر1ش1ُ ŒڈٹگWذ.ر/ش/ًذًً ً ˆط)ً ً ˆDً ط ™9×-ز-ر/ش/گگّفً ً ً طگً ّّّàک7ز"ذ"ً7 dً7ً7ً7ًًًًًً#ً ً ً ً ˆً طک|ر+×4ز4ر6ش6ˆJˆJّفً ً ً طˆHً ّّّàگzز!ذ!ًJ $ًJًJًJً ً ً ً ط× ز ر,ش,ذ,ذ,ّفً ً ً طˆHً ًّّّ Fکdً Fً Fً Fً ً ً ً„}ص6ذ6ذ6ً bکdً bً bً bً ًˆ4sZء-Bآ BآBآ/Cأ CأCؤ.Eإ EإEإ-Fئ FئFئ$F:ئ: GاG)r[عpluginsعcronعmemoriescَV— t¦« ¦«}t¦« ¦«}n#ttf$rYdSwxYw|dz} | |¦«}|j}t|¦«dkr|dSn#t$rYnwxYwdS)aReturn the active profile name derived from HERMES_HOME. ``~/.hermes`` -> ``"default"`` ``~/.hermes/profiles/X`` -> ``"X"`` Falls back to ``"default"`` on any resolution failure so the guard never raises into the tool path. عdefaultعprofilesér) rr^rعOSErrorعRuntimeErrorr_عpartsعlenr`)ع home_realع root_realعprofiles_dirعrelrps rع_resolve_active_profile_namervSsة€ًف%ر'ش'×/ز/ر1ش1ˆ ف%ر'ش'×/ز/ر1ش1ˆ ˆ ّف•\ذ"ًًًطˆyˆyًّّّàکzر)€Lً ط×#ز# Lر1ش1ˆط” ˆفˆu‰:Œ:کٹ?ˆ?طک”8ˆOًّهً ً ً طˆً ّّّàˆ9s$‚AAءAءAء!6Bآ B&آ%B&ْOptional[dict]cَ„— ttj t |¦«¦«¦« ¦«}t ¦« ¦«}n#ttf$rYdSwxYwd}d} | |¦«}n#t$rYdSwxYw|j}|sdS|dtvrd}|d}nA|ddkr3t|¦«dkr |dtvr|d}|d}ndSt¦«}||krdS|||t |¦«dœS) uوClassify a write target as cross-profile if it lands in another profile's scoped area (skills/plugins/cron/memories). Returns ``None`` when the target is outside Hermes scope, or is inside the ACTIVE profile, or doesn't hit a profile-scoped area. Otherwise returns a dict with: * ``active_profile``: name of the profile the agent is running as * ``target_profile``: name of the profile the path belongs to * ``area``: which scoped area (``"skills"``, ``"plugins"``, etc.) * ``target_path``: the resolved path string The caller decides what to do with the result â€” surface a warning to the model, prompt the user, or (with explicit consent / ``cross_profile=True``) proceed anyway. Nrrkrléérm)عactive_profileعtarget_profileعareaعtarget_path)rr rrrr^rrnror_r`rpعPROFILE_SCOPED_AREASrqrv)rعtargetrsr|r}rurpr{s rعclassify_cross_profile_targetrپls{€ً"ف•b”g×(ز(¨T©¬ر3ش3ر4ش4×<ز<ر>ش>ˆف%ر'ش'×/ز/ر1ش1ˆ ˆ ّف•\ذ"ًًًطˆtˆtًًّّّ%)€Nط€Dًط× ز ر+ش+ˆˆّفًًًطˆtˆtًًّّّ ŒI€EطًطˆtàˆQ„xص'ذ'ذ'à"ˆطگQŒxˆˆà ˆaŒگJزذفگ‰JŒJک!ٹOˆOطگ!ŒHص,ذ,ذ,ًکqœˆطگQŒxˆˆàˆtه1ر3ش3€Nطکز'ذ'àˆtً)ط(طفک6‘{”{ً ًًs$‚A+A.ء.BآBآB!آ! B/آ.B/c َv—t|¦«}|€dSd|d›d|d›d|d›d|d ›d ‌ S)unReturn a model-facing warning string when ``path`` is cross-profile. Returns ``None`` when the write is in-scope (same profile) or outside Hermes entirely. Caller is expected to surface the warning to the agent as a tool-result error, NOT to silently allow the write â€” the agent must either get explicit user direction to proceed, or pass ``cross_profile=True`` to its write tool. This is defense-in-depth: the terminal tool runs as the same OS user and can write any of these paths without going through this guard. Treat the guard as a confusion-reducer, not a security boundary. Nz+Cross-profile write blocked by soft guard: r~z belongs to Hermes profile r|z), but the agent is running under profile r{z. Editing another profile's r}u,/ will affect that profile's future sessions, not the one you are currently in. Confirm with the user before proceeding. To bypass this guard after explicit user direction, retry the call with ``cross_profile=True``. (Defense-in-depth â€” not a security boundary; the terminal tool can still bypass.))rپ©rعinfos rعget_cross_profile_warningr…«st€ُ)¨ر.ش.€Dط€|طˆtً :°d¸=ش6Iً :ً :ط%)ذ*:ش%;ً :ً :à*.ذ/?ش*@ً :ً :ً&*¨&¤\ً :ً :ً :ً r"rpعtupleْ Optional[int]cَ¶—t|¦«D]H\}}|dkrŒ|dzt|¦«krŒ#||dzdkr||dzdkr|dzcSŒIdS)u"Return the index of the inner ``.hermes`` part in a sandbox-mirror path. Matches ``â€¦/sandboxes///home/.hermes/â€¦`` and returns the index where the inner Hermes-state portion starts. Returns ``None`` for paths that do not contain the sandbox-mirror shape. ع sandboxeséryréz.hermesN)ع enumeraterq)rpعiعparts rع_find_sandbox_mirror_segmentsrڈàs}€ُکUر#ش#ًً‰ˆˆ4طگ;زذطàˆq‰5•Cک‘J”JزذططگگQ‘Œ<ک6ز!ذ! e¨A°©E¤l°iز&?ذ&?طگq‘5ˆLˆLˆLّطˆ4r"cَع— ttj t |¦«¦«¦« ¦«}n#ttf$rYdSwxYw|j}t|¦«}|€dSt t|d|dz…ژ¦«}|dzt|¦«kr!t t||dzd…ژ¦«nd}t |¦«||dœS)uحClassify a write target as a sandbox-mirror of authoritative Hermes state. Returns ``None`` when the path does not match the sandbox-mirror shape. Otherwise returns a dict with: * ``target_path``: the resolved path string * ``mirror_root``: the ``â€¦/sandboxes///home/.hermes`` prefix (so callers can show users which sandbox owns the mirror) * ``inner_path``: the portion under the mirror's ``.hermes`` (what the agent likely meant to address on the host) Detection is path-shape-only â€” does not require any Hermes resolver to succeed, so it works correctly even when called from contexts where HERMES_HOME resolution would be ambiguous. Nrmr9©r~عmirror_rootع inner_path)rr rrrr^rnrorprڈrq)rr€rpع inner_idxr’r“s rعclassify_sandbox_mirror_targetr•ٍsّ€ً ف•b”g×(ز(¨T©¬ر3ش3ر4ش4×<ز<ر>ش>ˆˆّف•\ذ"ًًًطˆtˆtًًّّّ ŒL€Eف-¨eر4ش4€Iطذطˆtه•dکE / I°،M /ش2ذ3ر4ش4€Kط7@ہ1±}إsب5ءzؤzز7Qذ7Q••Tک5 ¨Q، ش1ذ2ر3ش3ذ3ذWY€Jُک6‘{”{ط"ط ًًًs‚AAءA#ء"A#cَd—t|¦«}|€dSd|d›d|d›d|d›d‌S) a‹Return a model-facing warning when ``path`` lands in a sandbox mirror. Returns ``None`` when the path is not a sandbox-mirror target. Caller is expected to surface the warning to the agent as a tool-result error. The bypass kwarg (``cross_profile=True``) is shared with the cross-profile guard: both are soft "I know what I'm doing" overrides a user can authorise. Defense-in-depth, NOT a security boundary: the terminal tool runs as the same OS user and can write the mirror path directly. The guard exists to surface the misclassification before the silent-success + divergent-copy footgun in #32049 fires. Nْ,Sandbox-mirror write blocked by soft guard: r~ْ sits under r’uإ, which is a per-task mirror created by a non-local terminal backend (docker/daytona/etc.). Writes here land on a copy that the host Hermes process never reads â€” the authoritative file is likely r“uB under the real HERMES_HOME. Use the host-side tool for authoritative state (e.g. ``memory`` for memories), or address the host path directly. To bypass this guard after explicit user direction, retry the call with ``cross_profile=True``. (Defense-in-depth â€” not a security boundary; the terminal tool can still bypass.))r•rƒs rعget_sandbox_mirror_warningr™sa€ُ*¨$ر/ش/€Dط€|طˆtً °t¸Mش7Jً ً طک=ش)ً ً ً7;¸<ش6Hً ً ً ًr"ع mirror_prefixْ str | Nonecَê—|sdS ttj t |¦«¦«¦« ¦«}ttj |¦«¦« ¦«}| |¦«}n#tttf$rYdSwxYwt |¦«t |¦«| ¦«dœS)aCClassify a write target as a container-side sandbox mirror. ``mirror_prefix`` must be supplied by the caller after it has established that file tools are executing in a container whose home is a sandbox mirror. Returns ``None`` when no such context is active or the path is not under the mirror prefix. Otherwise returns: * ``target_path``: resolved path string * ``mirror_root``: the declared container mirror prefix * ``inner_path``: portion under the mirror root (what the agent likely meant to address in the host HERMES_HOME) Nr‘)rr rrrr^r_rnror`عas_posix)rrڑr€عmirrorعinners rع classify_container_mirror_targetr Fsـ€ً ًطˆtًف•b”g×(ز(¨T©¬ر3ش3ر4ش4×<ز<ر>ش>ˆف•b”g×(ز(¨ر7ش7ر8ش8×@ز@رBشBˆط×"ز" 6ر*ش*ˆˆّف•\¥:ذ.ًًًطˆtˆtًُّّّک6‘{”{فک6‘{”{ط—n’nر&ش&ًًًs†BB%آ%Cآ?Ccَf—t||¦«}|€dSd|d›d|d›d|d›d‌S) aصReturn a model-facing warning when *path* lands in the container's sandbox mirror of authoritative Hermes state. The caller supplies ``mirror_prefix`` only when the current file-tool backend is known to execute inside a Docker sandbox. Same contract as ``get_cross_profile_warning``: soft guard, returns ``None`` for non-mirror paths, caller surfaces as a tool-result error. Bypass via ``cross_profile=True`` after explicit user direction. Nr—r~rکr’u‡, which is the container's bind-mounted home â€” a per-task mirror that the host Hermes process never reads. The authoritative file is r“u. under the real HERMES_HOME. Use the host-side tool for authoritative state (e.g. ``memory`` for memories), or address the host path directly. To bypass after explicit user direction, retry with ``cross_profile=True``. (Defense-in-depth â€” not a security boundary; the terminal tool can still bypass.))r )rrڑr„s rعget_container_mirror_warningr¢esc€ُ,¨D°-ر@ش@€Dط€|طˆtً °t¸Mش7Jً ً طک=ش)ً ً ًگشً ً ً ًr")rr)rrrr)rrrr.)rr6)rrrr=)rrrr6)rr)rrrrw)rpr†rr‡)N)rrrڑr›rrw)rrrڑr›rr6)ع__doc__ع __future__rr عpathlibrعtypingrrrr-r5r<rRrYع__annotations__rfrrvrپr…rڈr•r™r r¢rr"rْr¨sزًط@ذ@ذ@à"ذ"ذ"ذ"ذ"ذ"à € € € طذذذذذطذذذذذً5ً5ً5ً5ً5ً5ً5ً5ً#ً#ً#ً#ًLًًًً&ًًًً4ً4ً4ً4ًt,ً,ً,ذًًًًٌOًOًOًOًVAذًًًًً2<ً<ً<ً<ً~ًًًًjًًًً$!ً!ً!ً!ًHًًًًd!%ًًًًًًB!%ًًًًًًًr"