j*? UdZddlmZddlZddlZddlZddlmZddlm Z ddl m Z m Z ej eZedGd d Zed d d ddedhffdddfZded<edGddZd?dZefd@d!ZdAd#ZdBd&ZdCd(ZdDd)ZdEd+ZdFd-Zd.Zd/ZdGd1ZdHd3Z dId6Z!ed7dJd:Z"dKd<Z#dLd=Z$dLd>Z%dS)Ma1 Security advisory checker for Hermes Agent. Detects known-compromised Python packages installed in the active venv (supply-chain attacks like the Mini Shai-Hulud worm of May 2026 that poisoned ``mistralai 2.4.6`` on PyPI) and surfaces remediation guidance to the user. Design goals: - **Cheap.** A single ``importlib.metadata.version()`` call per advisory package. Safe to run on every CLI startup. - **Loud when it matters, silent otherwise.** If no compromised package is installed, the user sees nothing. - **Acknowledgeable.** Once the user has read and acted on an advisory they can dismiss it via ``hermes doctor --ack ``; the ack is persisted to ``config.security.acked_advisories`` and survives restart. - **Extensible.** Adding a new advisory is one entry in ``ADVISORIES``; adding a new compromised version is a one-line edit. No code changes needed when the next worm hits. The check is invoked from three places: 1. ``hermes doctor`` (and ``hermes doctor --ack ``) 2. CLI startup banner (one short line, then full guidance via ``hermes doctor``) 3. Gateway startup (logged to gateway.log; first interactive message gets a one-line operator banner) This module is intentionally dependency-free beyond the stdlib so it can run in environments where the rest of Hermes failed to import. ) annotationsN) dataclass)Path)IterableOptionalT)frozencleZdZUdZded<ded<ded<ded<ded<d ed <d Zded <d Zded<dS)Advisoryu(One security advisory entry. Attributes: id: stable identifier used for acks (e.g. ``shai-hulud-2026-05``). Lowercase-hyphen, never reused. title: one-line headline shown in banners. summary: 1-3 sentence description of what was compromised and how. url: reference URL (Socket advisory, GitHub advisory, PyPI page). compromised: tuple of ``(package_name, frozenset_of_versions)`` pairs. Empty frozenset means "any version of this package is considered suspect" — use sparingly. remediation: ordered list of steps the user should take. First step should be the uninstall command; subsequent steps the credential audit / rotation guidance. published: ISO date string for sort order. stridtitlesummaryurlz&tuple[tuple[str, frozenset[str]], ...] compromisedztuple[str, ...] remediation publishedhighseverityN)__name__ __module__ __qualname____doc____annotations__rrC/home/ubuntu/.hermes/hermes-agent/hermes_cli/security_advisories.pyr r Bs|" GGGJJJLLL HHH7777    IHrr zshai-hulud-2026-05u<Mini Shai-Hulud worm — mistralai 2.4.6 compromised on PyPIu`PyPI quarantined the mistralai package on 2026-05-12 after a malicious 2.4.6 release. The worm steals credentials from environment variables and credential files (~/.npmrc, ~/.pypirc, ~/.aws/credentials, GitHub PATs, cloud SDK tokens) and exfils them to a hardcoded webhook. If you ran any Python process that imported mistralai 2.4.6 — including hermes when configured with provider=mistral for TTS or STT — assume those credentials are exposed. PyPI has since removed 2.4.6 and the project ships clean releases again (2.4.7, 2.4.8); this advisory only fires if the compromised 2.4.6 is still installed.z1https://socket.dev/blog/mini-shai-hulud-worm-pypi mistralaiz2.4.6)zARun: pip uninstall -y mistralai (or: uv pip uninstall mistralai)zlRotate API keys in ~/.hermes/.env (OpenRouter, Anthropic, OpenAI, Nous, GitHub, AWS, Google, Mistral, etc.).zAudit ~/.npmrc, ~/.pypirc, ~/.aws/credentials, ~/.config/gh/hosts.yml, and any other credential files for tokens that may have been read.zgCheck GitHub for unexpected new SSH keys, deploy keys, or webhook additions on repos you have admin on.zOAfter cleanup: hermes doctor --ack shai-hulud-2026-05 to dismiss this warning.z 2026-05-12critical)r r rrrrrrztuple[Advisory, ...] ADVISORIESc2eZdZUdZded<ded<ded<dS) AdvisoryHitz.One package-version match against an advisory.r advisoryr packageinstalled_versionN)rrrrrrrrr"r"s988LLLrr"pkg_namer return Optional[str]c ddlm}m}n#t$rYdSwxYw ||S#|$rYdSt$r!t d|dYdSwxYw)zReturn the installed version of ``pkg_name``, or None if not installed. Uses ``importlib.metadata`` so we don't depend on pip being importable inside the active venv (uv-created venvs may lack pip). r)PackageNotFoundErrorversionNz%importlib.metadata.version(%s) raisedTexc_info)importlib.metadatar*r+ ImportError Exceptionloggerdebug)r&r*r+s r_installed_versionr3s DDDDDDDDD ttwx   tt   z get_acked_ids..s9 : : :q3q66<<>> :CFFLLNN : : :r) hermes_cli.configr?r0r1r2setget isinstancelist)r?cfgsecraws r get_acked_idsrOs111111kmm  > NNNuu  ''*   #C ''$ % % +C c4 uu : :C : : ::s4A  A  advisory_idboolc|}|sdS ddlm}m}n+#t$rt dYdSwxYw |}|di}|dpg}t|tsg}||vr%| |||d<||dS#t$rt d|YdSwxYw) u|Persist an ack for ``advisory_id``. Returns True on success. Idempotent — acking an already-acked ID is a no-op. Fr)r? save_configz-Could not import config module to persist ackr@rATz%Failed to persist advisory ack for %s) rCrGr?rSr0r1warning setdefaultrIrJrKr8 exception)rPr?rSrLrMexistings r ack_advisoryrXs> ##%%K u>>>>>>>>> FGGGuu kmmnnZ,,77-..4"(D)) H h & & OOK ( ( (&.C" # K   t @+NNNuus"#$A  A A7C%C10C1r9cD|sgStfd|DS)z=Return only hits whose advisories the user has not dismissed.c0g|]}|jjv|Srr#r )rDhackeds r z"filter_unacked..s' : : :!qz}E99A999r)rO)r9r]s @rfilter_unackedr_s3  OOE : : : :t : : ::rctjdrdStjsdSdS)NNO_COLORFT)osenvironrIsysstdoutisattyrrr_term_supports_colorrgs= z~~j!!u :    u 4r list[str]c &|sgS|d}d|jjd|jjd|jd|jdg}t |dkrB|ddt |dz d t |d krd nd d |S)zReturn 1-3 short lines suitable for a startup banner. Caller is responsible for color/styling. Always names the worst hit explicitly so the user knows what's wrong without running doctor. rzSECURITY ADVISORY [z]: z Detected: ==z, Run 'hermes doctor' for remediation steps.z (z additional advisoriesyz also active.))r#r r r$r%leninsert)r9primaryliness rshort_banner_linesrss  1gGNg.1NNg6F6LNNEwEE'*CEE6 E  4yy1}} QJc$ii!mJJ#&t99q==%%cJJJ K K K Lrhitc|j}d|jdd|jd|jd|jd|jd|jd|jd |jd d g}t|j d D] \}}| d |d |!|S)z@Return a multi-line block describing the advisory + remediation.z=== z ===z ID: z Severity: z Published: z Detected: rjz Reference: rz Remediation:rkz z. ) r#r r rrr$r%rr enumeraterr8)rtarristeps rfull_remediation_textrz$s AqwRadRR!*RRQ[RR>  D::<.ms&;;;73C";;;r rrz%Could not write advisory banner cacheTr,)ritems write_textjoinr0r1r2)rrrrs r_write_banner_cacherhsAyM;;djjll;;; TYYu%%,w ????? MMM \}}|r|d|t |?d|fS)zRender the security-advisory section for ``hermes doctor``. Returns ``(has_problems, lines)``. Caller is responsible for printing with whatever color scheme it uses. Fu#No active security advisories. ✓rT)r_rvr8extendrz)r9rrrrxrts rrender_doctor_sectionrs 4 E ><===EE""113   LL    *3//0000 ;rct|}|sdSt|}trd}d}|d|z|zSd|S)zReturn a printable startup banner, or None if nothing is due. Updates the banner cache as a side effect (so the next call within 24h returns None for the same hit). Nzzr)rrsrgr)r9rrrredresets rstartup_bannerrsq d # #C t s # #E.TYYu%%%-- 99U  rc 4t|}|sdSt|dkrA|d}d|jjd|jd|jd|jjd|jj St|d d d |Dd S) z=Return a one-line log message for gateway operators, or None.NrkrzSecurity advisory [z ] active: rjz matches z. See z" security advisories active (IDs: z, c3.K|]}|jjVdS)Nr[)rDr\s r z&gateway_log_message..s&<<qz}<<<<<?j>N((z~(( )5zz D DYY<rsB#""""" !!!!!!%%%%%%%%  8 $ $. $: H L 8 @ ))WI.. /   ?   "$ """"T $,&0F;;;;(:;;;;(>,.MMMM-F$" E E E E E Er