§
    ,jÃ- ã                   ó0
  — U d Z ddlZddlZddlZddlZddlZddlZddlZddlZddl	m
Z
 ddlmZ ddlmZmZ  ej        e¦  «        Z e ej        dd¦  «        ¦  «        Zeed<    ej        d	d¬
¦  «        Zej        e         ed<    ej        dd¬
¦  «        Zej        e         ed<    ej        dd¬
¦  «        Zej        e         ed<   deddfd„Zdedej        e         fd„Zdej        e         ddfd„Zdddœdedede ej        e         ej        e         f         fd„Z!de ej        e         ej        e         f         ddfd„Z"d
dedefd„Z#defd„Z$defd „Z%d!Z&d"Z'd#Z(d$Z)d%Z*d&Z+d'Z,d(Z-d)e-› d*Z.d+e.› d,e&› d-e'› d-e(› d-e+› d-e,› d*Z/d+e)› d-e*› d*Z0d.Z1d/Z2d0d1d2d3d4d5d6d7e2d8z   d9fe2d:z   d;fe2d<z   d=fe2d>z   d?fgZ3ej4        ej5        z  Z6d@„ e3D ¦   «         Z7 ej8        dAej4        ¦  «        Z9dBede fdC„Z:dBede fdD„Z;dEede<fdF„Z=dEede<fdG„Z>g dH‘dI‘dJ‘dK‘dL‘dM‘dN‘dO‘dP‘dQ‘dR‘dS‘dT‘dUe.› dVf‘dW‘dX‘dY‘dZ‘d[‘d\‘d6‘d]‘d^‘d_‘d`‘dae/› dbf‘dce/› ddf‘dae0› dee1› dff‘dce0› dee1› dgf‘dh‘di‘dj‘dk‘dl‘dm‘dn‘do‘dp‘dq‘dr‘ds‘dte.› duf‘dve0› dee1› dwf‘dxe.› dyf‘dze.› d{f‘d|e(› d-e'› d*d}f‘d~e(› d-e'› d*df‘d€e(› d-e'› d*df‘d‚‘dƒ‘d„‘d…‘d†‘d‡‘dˆ‘d‰‘dŠ‘Z?d‹„ e?D ¦   «         Z@dŒedefd„ZAi ZBe<eeCe         f         edŽ<   e?D ]x\  ZDZE eAeD¦  «        ZFeEZGeB H                    eG eC¦   «         ¦  «         I                    eGeFh¦  «         eB H                    eF eC¦   «         ¦  «         I                    eFeGh¦  «         ŒydedeCe         fd„ZJdBedefd‘„ZKdBedefd’„ZLdBede fd“„ZM ejN        ¦   «         ZOi ZPe<ee<f         ed”<   i ZQe<eeCf         ed•<    eC¦   «         ZReCe         ed–<    eC¦   «         ZSeCed—<    G d˜„ d™¦  «        ZTi ZUe<eeVf         edš<   i ZWe<eeXf         ed›<   deddfdœ„ZYdeddfd„ZZ	 dÇdedŸed ede[fd¡„Z\dedefd¢„Z]ded£e<fd¤„Z^dedefd¥„Z_deddfd¦„Z`deddfd§„Zadeddfd¨„Zbdedefd©„Zcdefdª„Zddededefd«„Zedefd¬„Zfd­eCfd®„ZgdeCfd¯„Zhd­eCfd°„Zi	 	 	 dÈdBedEed²e[dz  d³edef
d´„Zjdefdµ„Zkde<fd¶„Zldefd·„Zmde[fd¸„Zndefd¹„ZodBedEedefdº„Zp	 dÉdBed»ede<fd¼„Zqd½e<defd¾„Zrd¿dÀœdedÁe<dÂede<fdÃ„Zs	 dÉdBed»ede<fdÄ„ZtdÅed»ede<fdÆ„Zu eh¦   «          dS )ÊaÇ  Dangerous command approval -- detection, prompting, and per-session state.

This module is the single source of truth for the dangerous command system:
- Pattern detection (DANGEROUS_PATTERNS, detect_dangerous_command)
- Per-session approval state (thread-safe, keyed by session_key)
- Approval prompting (CLI interactive + gateway async)
- Smart approval via auxiliary LLM (auto-approve low-risk commands)
- Permanent allowlist persistence (config.yaml)
é    N)ÚOptional)Úcfg_get)Úenv_var_enabledÚis_truthy_valueÚHERMES_YOLO_MODEÚ Ú_YOLO_MODE_FROZENÚapproval_session_key©ÚdefaultÚ_approval_session_keyÚapproval_turn_idÚ_approval_turn_idÚapproval_tool_call_idÚ_approval_tool_call_idÚ	hook_nameÚreturnc                 óh  — 	 ddl m} n# t          $ r Y dS w xY w	 |                     dt                               ¦   «         ¦  «         |                     dt                               ¦   «         ¦  «          || fi |¤Ž dS # t          $ r'}t                               d| |¦  «         Y d}~dS d}~ww xY w)a{  Invoke a plugin lifecycle hook for the approval system.

    Lazy-imports the plugin manager to avoid circular imports (approval.py is
    imported very early, long before plugins are discovered). Never raises --
    plugin errors are logged and swallowed.

    Only fires for the two approval-specific hooks in VALID_HOOKS:
    pre_approval_request, post_approval_response.
    r   )Úinvoke_hookNÚturn_idÚtool_call_idz$Approval hook %s dispatch failed: %s)	Úhermes_cli.pluginsr   Ú	ExceptionÚ
setdefaultr   Úgetr   ÚloggerÚdebug)r   Úkwargsr   Úexcs       ú3/home/ubuntu/.hermes/hermes-agent/tools/approval.pyÚ_fire_approval_hookr!   1   sø   € ðØ2Ð2Ð2Ð2Ð2Ð2Ð2øÝð ð ð ð 	ˆˆðøøøðMØ×Ò˜)Õ%6×%:Ò%:Ñ%<Ô%<Ñ=Ô=Ð=Ø×Ò˜.Õ*@×*DÒ*DÑ*FÔ*FÑGÔGÐGØˆIÐ(Ð( Ð(Ð(Ð(Ð(Ð(øÝð Mð Mð Mõ 	ŠÐ;¸YÈÑLÔLÐLÐLÐLÐLÐLÐLÐLøøøøð	Møøøs$   ‚	 ‰
–›A#B  Â 
B1Â
B,Â,B1Úsession_keyc                 ó:   — t                                | pd¦  «        S )z<Bind the active approval session key to the current context.r   )r   Úset©r"   s    r    Úset_current_session_keyr&   M   s   € å ×$Ò$ [Ð%6°BÑ7Ô7Ð7ó    Útokenc                 ó:   — t                                | ¦  «         dS )z/Restore the prior approval session key context.N)r   Úreset)r(   s    r    Úreset_current_session_keyr+   R   s   € å×Ò Ñ&Ô&Ð&Ð&Ð&r'   ©r   r   r   r   c                 ór   — t                                | pd¦  «        t                               |pd¦  «        fS )z3Bind active tool correlation IDs to approval hooks.r   )r   r$   r   r,   s     r    Ú!set_current_observability_contextr.   W   s9   € õ 	×Ò˜g˜m¨Ñ,Ô,Ý×"Ò" <Ð#5°2Ñ6Ô6ðð r'   Útokensc                 óx   — | \  }}t                                |¦  «         t                               |¦  «         dS )z,Restore prior approval hook correlation IDs.N)r   r*   r   )r/   Ú
turn_tokenÚ
tool_tokens      r    Ú#reset_current_observability_contextr3   c   s<   € ð $Ñ€J
Ý× Ò  Ñ,Ô,Ð,Ý×Ò˜JÑ'Ô'Ð'Ð'Ð'r'   r   c                 ó`   — t                                ¦   «         }|r|S ddlm}  |d| ¦  «        S )a  Return the active session key, preferring context-local state.

    Resolution order:
    1. approval-specific contextvars (set by gateway before agent.run)
    2. session_context contextvars (set by _set_session_env)
    3. os.environ fallback (CLI, cron, tests)
    r   ©Úget_session_envÚHERMES_SESSION_KEY)r   r   Úgateway.session_contextr6   )r   r"   r6   s      r    Úget_current_session_keyr9   l   sH   € õ (×+Ò+Ñ-Ô-€KØð ØÐØ7Ð7Ð7Ð7Ð7Ð7Øˆ?Ð/°Ñ9Ô9Ð9r'   c                  óz   — 	 ddl m}   | dd¦  «        pdS # t          $ r t          j        dd¦  «        pdcY S w xY w)zBReturn the current gateway platform from contextvars/env fallback.r   r5   ÚHERMES_SESSION_PLATFORMr   )r8   r6   r   ÚosÚgetenvr5   s    r    Ú_get_session_platformr>   {   sj   € ð>Ø;Ð;Ð;Ð;Ð;Ð;àˆÐ8¸"Ñ=Ô=ÐCÀÐCøÝð >ð >ð >ÝŒyÐ2°BÑ7Ô7Ð=¸2Ð=Ð=Ð=ð>øøøs   ‚ –!:¹:c                  ó|   — t          d¦  «        rdS t          d¦  «        rdS t          t          ¦   «         ¦  «        S )u²  True when this call is inside a gateway/API session.

    Legacy gateway integrations set HERMES_GATEWAY_SESSION in process env.
    Newer concurrent gateway paths bind HERMES_SESSION_PLATFORM via
    contextvars so approval mode does not depend on process-global flags.

    Cron jobs are NEVER gateway-approval contexts even when they originate
    from a gateway platform (cron binds HERMES_SESSION_PLATFORM via
    contextvars for delivery routing). Cron approvals are governed by
    ``approvals.cron_mode`` config, not interactive resolve â€” letting cron
    fall through to the gateway branch would submit a pending approval
    with no listener and block the job indefinitely.
    ÚHERMES_CRON_SESSIONFÚHERMES_GATEWAY_SESSIONT)r   Úboolr>   © r'   r    Ú_is_gateway_approval_contextrD   …   sE   € õ Ð,Ñ-Ô-ð ØˆuÝÐ/Ñ0Ô0ð ØˆtÝÕ%Ñ'Ô'Ñ(Ô(Ð(r'   z$(?:~|\$home|\$\{home\})/\.ssh(?:/|$)z\(?:~\/\.hermes/|(?:\$home|\$\{home\})/\.hermes/|(?:\$hermes_home|\$\{hermes_home\})/)\.env\bzc(?:~\/\.hermes/|(?:\$home|\$\{home\})/\.hermes/|(?:\$hermes_home|\$\{hermes_home\})/)config\.yaml\bz;(?:(?:/|\.{1,2}/)?(?:[^\s/"\'`]+/)*\.env(?:\.[^/\s"\'`]+)*)z0(?:(?:/|\.{1,2}/)?(?:[^\s/"\'`]+/)*config\.yaml)zJ(?:~|\$home|\$\{home\})/\.(?:bashrc|zshrc|profile|bash_profile|zprofile)\bz9(?:~|\$home|\$\{home\})/\.(?:netrc|pgpass|npmrc|pypirc)\bz/private/(?:etc|var|tmp|home)/z	(?:/etc/|ú)z(?:z	|/dev/sd|Ú|z(?:\s*(?:&&|\|\||;).*)?$zp(?:^|[;&|\n`]|\$\()\s*(?:sudo\s+(?:-[^\s]+\s+)*)?(?:env\s+(?:\w+=\S*\s+)*)?(?:(?:exec|nohup|setsid|time)\s+)*\s*)z&\brm\s+(-[^\s]*\s+)*(/|/\*|/ \*)(\s|$)z#recursive delete of root filesystem)z˜\brm\s+(-[^\s]*\s+)*(/home|/home/\*|/root|/root/\*|/etc|/etc/\*|/usr|/usr/\*|/var|/var/\*|/bin|/bin/\*|/sbin|/sbin/\*|/boot|/boot/\*|/lib|/lib/\*)(\s|$)z$recursive delete of system directory)z-\brm\s+(-[^\s]*\s+)*(~|\$HOME)(/?|/\*)?(\s|$)z"recursive delete of home directory)z\bmkfs(\.[a-z0-9]+)?\bzformat filesystem (mkfs))z9\bdd\b[^\n]*\bof=/dev/(sd|nvme|hd|mmcblk|vd|xvd)[a-z0-9]*zdd to raw block device)z.>\s*/dev/(sd|nvme|hd|mmcblk|vd|xvd)[a-z0-9]*\bzredirect to raw block device)z(:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:z	fork bomb)z\bkill\s+(-[^\s]+\s+)*-1\búkill all processesz!(shutdown|reboot|halt|poweroff)\bzsystem shutdown/rebootzinit\s+[06]\bzinit 0/6 (shutdown/reboot)z*systemctl\s+(poweroff|reboot|halt|kexec)\bzsystemctl poweroff/rebootztelinit\s+[06]\bztelinit 0/6 (shutdown/reboot)c                 óL   — g | ]!\  }}t          j        |t          ¦  «        |f‘Œ"S rC   ©ÚreÚcompileÚ	_RE_FLAGS©Ú.0ÚpatternÚdescriptions      r    ú
<listcomp>rQ     s=   € ð ð ð áˆõ „ZÑ#Ô# [Ð1ðð ð r'   z)(?:^|[;&|`\n]|&&|\|\||\$\()\s*sudo\s+-S\bÚcommandc                 ó    — dt           j        v rdS t          | ¦  «                             ¦   «         }t                               |¦  «        rdS dS )u¢  Detect ``sudo -S`` (stdin password) without configured SUDO_PASSWORD.

    When SUDO_PASSWORD is set, ``_transform_sudo_command`` injects ``-S``
    internally â€” that path is legitimate and handled elsewhere.  This guard
    only fires when SUDO_PASSWORD is *not* set, meaning the LLM explicitly
    wrote ``sudo -S`` to pipe a guessed password.

    Returns:
        (is_blocked: bool, description: str | None)
    ÚSUDO_PASSWORD©FN)Tz*sudo password guessing via stdin (sudo -S))r<   ÚenvironÚ _normalize_command_for_detectionÚlowerÚ_SUDO_STDIN_REÚsearch)rR   Ú
normalizeds     r    Ú_check_sudo_stdin_guardr\   3  sQ   € ð "œ*Ð$Ð$Øˆ}Ý1°'Ñ:Ô:×@Ò@ÑBÔB€JÝ×Ò˜ZÑ(Ô(ð DØCÐCØˆ=r'   c                 ó˜   — t          | ¦  «                             ¦   «         }t          D ] \  }}|                     |¦  «        rd|fc S Œ!dS )z‡Check if a command matches the unconditional hardline blocklist.

    Returns:
        (is_hardline, description) or (False, None)
    TrU   )rW   rX   ÚHARDLINE_PATTERNS_COMPILEDrZ   )rR   r[   Ú
pattern_rerP   s       r    Údetect_hardline_commandr`   F  sb   € õ 2°'Ñ:Ô:×@Ò@ÑBÔB€JÝ#=ð 'ð 'Ñˆ
KØ×Ò˜ZÑ(Ô(ð 	'Ø˜+Ð&Ð&Ð&Ð&ð	'àˆ=r'   rP   c                 ó   — ddd| › ddœS )z5Build the standard block result for a hardline match.FTzBLOCKED (hardline): uò   . This command is on the unconditional blocklist and cannot be executed via the agent â€” not even with --yolo, /yolo, approvals.mode=off, or cron approve mode. If you genuinely need to run it, run it yourself in a terminal outside the agent.)ÚapprovedÚhardlineÚmessagerC   ©rP   s    r    Ú_hardline_block_resultrf   S  s/   € ð Øð ;ð ð ð ð	ð ð r'   c                 ó   — dd| › ddœS )z5Build the standard block result for sudo stdin guard.Fz	BLOCKED: uÎ   . Do not pipe passwords to 'sudo -S' â€” this is a brute-force attack vector. Set SUDO_PASSWORD in your .env file if the agent needs passwordless sudo, or run the sudo command manually in your own terminal.©rb   rd   rC   re   s    r    Ú_sudo_stdin_block_resultri   c  s,   € ð ð-˜ð -ð -ð -ð	ð 	ð 	r'   )z\brm\s+(-[^\s]*\s+)*/zdelete in root path)z\brm\s+-[^\s]*rzrecursive delete)z\brm\s+--recursive\bzrecursive delete (long flag))z8\bchmod\s+(-[^\s]*\s+)*(777|666|o\+[rwx]*w|a\+[rwx]*w)\bz world/other-writable permissions)z8\bchmod\s+--recursive\b.*(777|666|o\+[rwx]*w|a\+[rwx]*w)z*recursive world/other-writable (long flag))z\bchown\s+(-[^\s]*)?R\s+rootzrecursive chown to root)z\bchown\s+--recursive\b.*rootz#recursive chown to root (long flag))z\bmkfs\bzformat filesystem)z\bdd\s+.*if=z	disk copy)z>\s*/dev/sdzwrite to block device)z\bDROP\s+(TABLE|DATABASE)\bzSQL DROP)z$\bDELETE\s+FROM\b(?![^\n]*\bWHERE\b)zSQL DELETE without WHERE)z\bTRUNCATE\s+(TABLE)?\s*\wzSQL TRUNCATEz>\s*zoverwrite system config)z8\bsystemctl\s+(-[^\s]+\s+)*(stop|restart|disable|mask)\bzstop/restart system service)z\bkill\s+-9\s+-1\brG   )z\bpkill\s+-9\bzforce kill processes)z,\bkillall\s+(-[^\s]*\s+)*-(9|KILL|SIGKILL)\bz$force kill processes (killall -KILL))z0\bkillall\s+(-[^\s]*\s+)*-s\s+(KILL|SIGKILL|9)\bz&force kill processes (killall -s KILL))z\bkillall\s+(-[^\s]*\s+)*-r\bz$kill processes by regex (killall -r))z%\b(bash|sh|zsh|ksh)\s+-[^\s]*c(\s+|$)zshell command via -c/-lc flag)z)\b(python[23]?|perl|ruby|node)\s+-[ec]\s+zscript execution via -e/-c flag)z6\b(curl|wget)\b.*\|\s*(?:[/\w]*/)?(?:ba)?sh(?:\s|$|-c)zpipe remote content to shell)z1\b(bash|sh|zsh|ksh)\s+<\s*<?\s*\(\s*(curl|wget)\bz.execute remote script via process substitutionz\btee\b.*["\']?zoverwrite system file via teez>>?\s*["\']?z%overwrite system file via redirectionz["\']?z$overwrite project env/config via teez,overwrite project env/config via redirection)z\bxargs\s+.*\brm\bzxargs with rm)z&\bfind\b.*-exec(?:dir)?\s+(/\S*/)?rm\bzfind -exec/-execdir rm)z\bfind\b.*-delete\bzfind -delete)z%\bhermes\s+gateway\s+(stop|restart)\bz2stop/restart hermes gateway (kills running agents))z\bhermes\s+update\bz6hermes update (restarts gateway, kills running agents))z/\bdocker\s+compose\s+(restart|stop|kill|down)\bz;docker compose restart/stop/kill/down (container lifecycle))z \bdocker\s+(restart|stop|kill)\bz.docker restart/stop/kill (container lifecycle))z4gateway\s+run\b.*(&\s*$|&\s*;|\bdisown\b|\bsetsid\b)úMstart gateway outside systemd (use 'systemctl --user restart hermes-gateway'))z\bnohup\b.*gateway\s+run\brj   )z1\b(pkill|killall)\b.*\b(hermes|gateway|cli\.py)\bz.kill hermes/gateway process (self-termination))z\bkill\b.*\$\(\s*pgrep\bz3kill process via pgrep expansion (self-termination))z\bkill\b.*`\s*pgrep\bz<kill process via backtick pgrep expansion (self-termination)z\b(cp|mv|install)\b.*\sz&copy/move file into system config pathz\b(cp|mv|install)\b.*\s["\']?z!overwrite project env/config filez\bsed\s+-[^\s]*i.*\szin-place edit of system configz\bsed\s+--in-place\b.*\sz*in-place edit of system config (long flag)z\bsed\s+-[^\s]*i.*(?:z"in-place edit of Hermes config/envz\bsed\s+--in-place\b.*(?:z.in-place edit of Hermes config/env (long flag)z*\b(?:perl|ruby)\b.*(?:^|\s)-[^\s]*i\b.*(?:z.in-place edit of Hermes config/env (perl/ruby))z#\b(python[23]?|perl|ruby|node)\s+<<zscript execution via heredoc)z\bgit\s+reset\s+--hard\bz/git reset --hard (destroys uncommitted changes))z\bgit\s+push\b.*--force\bz(git force push (rewrites remote history))z\bgit\s+push\b.*-f\bz3git force push short flag (rewrites remote history))z\bgit\s+clean\s+-[^\s]*fz.git clean with force (deletes untracked files))z\bgit\s+branch\s+-D\bzgit branch force delete)z\bchmod\s+\+x\b.*[;&|]+\s*\./z(chmod +x followed by immediate execution)z8\bsudo\b[^;|&\n]*?\s+(?:-s\b|--stdin\b|-a\b|--askpass\b)z3sudo with privilege flag (stdin/askpass/shell/list))z(\bsudo\b[^;|&\n]*?\s+-[a-z]*[sa][a-z]*\bz,sudo with combined-flag privilege escalationc                 óL   — g | ]!\  }}t          j        |t          ¦  «        |f‘Œ"S rC   rI   rM   s      r    rQ   rQ   ò  s=   € ð ð ð áˆõ „ZÑ#Ô# [Ð1ðð ð r'   rO   c                 óT   — d| v r|                       d¦  «        d         n	| dd…         S )zIReproduce the old regex-derived approval key for backwards compatibility.z\bé   Né   )Úsplit)rO   s    r    Ú_legacy_pattern_keyrp   ø  s0   € à&+¨wÐ&6Ð&6ˆ7=Š=˜ÑÔ Ô"Ð"¸GÀCÀRÀC¼LÐHr'   Ú_PATTERN_KEY_ALIASESÚpattern_keyc                 ó:   — t                                | | h¦  «        S )zñReturn all approval keys that should match this pattern.

    New approvals use the human-readable description string, but older
    command_allowlist entries and session approvals may still contain the
    historical regex-derived key.
    )rq   r   ©rr   s    r    Ú_approval_key_aliasesru     s   € õ  ×#Ò# K°+°Ñ?Ô?Ð?r'   c                 óô   — ddl m}  || ¦  «        } |                      dd¦  «        } t          j        d| ¦  «        } t          j        dd| ¦  «        } t          j        dd| ¦  «        } t          | ¦  «        } | S )	a  Normalize a command string before dangerous-pattern matching.

    Strips ANSI escape sequences (full ECMA-48 via tools.ansi_strip),
    null bytes, and normalizes Unicode fullwidth characters so that
    obfuscation techniques cannot bypass the pattern-based detection.
    r   )Ú
strip_ansiú r   ÚNFKCz	\\([^\n])z\1z''|\"\")Útools.ansi_striprw   ÚreplaceÚunicodedataÚ	normalizerJ   ÚsubÚ_rewrite_resolved_hermes_home)rR   rw   s     r    rW   rW     s†   € ð ,Ð+Ð+Ð+Ð+Ð+ð ˆj˜Ñ!Ô!€GàoŠo˜f bÑ)Ô)€GåÔ# F¨GÑ4Ô4€GåŒf\ 5¨'Ñ2Ô2€GåŒfZ  WÑ-Ô-€Gõ ,¨GÑ4Ô4€GØ€Nr'   c                 ó:  — 	 ddl m}  |¦   «                              ¦   «         }t          |¦  «                             d¦  «        t          |                     d¬¦  «        ¦  «                             d¦  «        g}n# t          $ r | cY S w xY wt          ¦   «         }|D ]{}|r||v rŒ	|                     |¦  «         |                     d¦  «        }| 	                    d¦  «        r| 
                    d¦  «        dk     rŒb|                      |dz   d¦  «        } Œ|| S )a{  Rewrite the resolved absolute Hermes home prefix to ``~/.hermes/``.

    Resolves the active ``HERMES_HOME`` at call time (and its symlink-resolved
    form) and replaces an occurrence of ``<home>/`` in *command* with
    ``~/.hermes/`` so the static ``_HERMES_CONFIG_PATH`` / ``_HERMES_ENV_PATH``
    patterns match. No-op when the path can't be resolved or doesn't appear.
    r   )Úget_hermes_homeú/F)Ústricté   z
~/.hermes/)Úhermes_constantsr   Ú
expanduserÚstrÚrstripÚresolver   r$   ÚaddÚ
startswithÚcountr{   )rR   r   ÚhomeÚ
candidatesÚseenÚpathr[   s          r    r   r   1  s>  € ðØ4Ð4Ð4Ð4Ð4Ð4ØˆÑ Ô ×+Ò+Ñ-Ô-ˆå‰IŒI×Ò˜SÑ!Ô!Ý—’ EÑ*Ô*Ñ+Ô+×2Ò2°3Ñ7Ô7ð
ˆ
ˆ
øõ ð ð ð Øˆˆˆðøøøå‘U”U€DØð Bð BˆØð 	t˜t||ØØŠ‰Œˆð
 —[’[ Ñ%Ô%ˆ
Ø×$Ò$ SÑ)Ô)ð 	¨Z×-=Ò-=¸cÑ-BÔ-BÀQÒ-FÐ-FØØ—/’/ *¨sÑ"2°LÑAÔAˆˆØ€Ns   ‚A:A= Á=BÂBc                 óž   — t          | ¦  «                             ¦   «         }t          D ]#\  }}|                     |¦  «        r	|}d||fc S Œ$dS )zCheck if a command matches any dangerous patterns.

    Returns:
        (is_dangerous, pattern_key, description) or (False, None, None)
    T)FNN)rW   rX   ÚDANGEROUS_PATTERNS_COMPILEDrZ   )rR   Úcommand_lowerr_   rP   rr   s        r    Údetect_dangerous_commandr”   R  sl   € õ 5°WÑ=Ô=×CÒCÑEÔE€MÝ#>ð 4ð 4Ñˆ
KØ×Ò˜]Ñ+Ô+ð 	4Ø%ˆKØ˜+ {Ð3Ð3Ð3Ð3ð	4ð Ðr'   Ú_pendingÚ_session_approvedÚ_session_yoloÚ_permanent_approvedc                   ó"   — e Zd ZdZdZdefd„ZdS )Ú_ApprovalEntryz@One pending dangerous-command approval inside a gateway session.)ÚeventÚdataÚresultrœ   c                 óR   — t          j        ¦   «         | _        || _        d | _        d S ©N)Ú	threadingÚEventr›   rœ   r   )Úselfrœ   s     r    Ú__init__z_ApprovalEntry.__init__w  s#   € Ý”_Ñ&Ô&ˆŒ
ØˆŒ	Ø%)ˆŒˆˆr'   N)Ú__name__Ú
__module__Ú__qualname__Ú__doc__Ú	__slots__Údictr£   rC   r'   r    rš   rš   s  s:   € € € € € ØJÐJØ+€Ið*˜Tð *ð *ð *ð *ð *ð *r'   rš   Ú_gateway_queuesÚ_gateway_notify_cbsc                 óZ   — t           5  |t          | <   ddd¦  «         dS # 1 swxY w Y   dS )ua  Register a per-session callback for sending approval requests to the user.

    The callback signature is ``cb(approval_data: dict) -> None`` where
    *approval_data* contains ``command``, ``description``, and
    ``pattern_keys``.  The callback bridges syncâ†’async (runs in the agent
    thread, must schedule the actual send on the event loop).
    N)Ú_lockr«   )r"   Úcbs     r    Úregister_gateway_notifyr¯     sy   € õ 
ð .ð .Ø+-Õ˜KÑ(ð.ð .ð .ñ .ô .ð .ð .ð .ð .ð .ð .ð .øøøð .ð .ð .ð .ð .ð .ó   ˆ  $§$c                 óì   — t           5  t                               | d¦  «         t                               | g ¦  «        }ddd¦  «         n# 1 swxY w Y   |D ]}|j                             ¦   «          ŒdS )zÁUnregister the per-session gateway approval callback.

    Signals ALL blocked threads for this session so they don't hang forever
    (e.g. when the agent run finishes or is interrupted).
    N)r­   r«   Úpoprª   r›   r$   ©r"   ÚentriesÚentrys      r    Úunregister_gateway_notifyr¶     sº   € õ 
ð 7ð 7Ý×Ò ¨TÑ2Ô2Ð2Ý!×%Ò% k°2Ñ6Ô6ˆð7ð 7ð 7ñ 7ô 7ð 7ð 7ð 7ð 7ð 7ð 7øøøð 7ð 7ð 7ð 7ð ð ð ˆØŒŠÑÔÐÐðð s   ˆ7AÁAÁAFÚchoiceÚresolve_allc                 ó®  — t           5  t                               | ¦  «        }|s	 ddd¦  «         dS |r$t          |¦  «        }|                     ¦   «          n|                     d¦  «        g}|st                               | d¦  «         ddd¦  «         n# 1 swxY w Y   |D ]"}||_        |j                             ¦   «          Œ#t          |¦  «        S )aT  Called by the gateway's /approve or /deny handler to unblock
    waiting agent thread(s).

    When *resolve_all* is True every pending approval in the session is
    resolved at once (``/approve all``).  Otherwise only the oldest one
    is resolved (FIFO).

    Returns the number of approvals resolved (0 means nothing was pending).
    Nr   )
r­   rª   r   ÚlistÚclearr²   r   r›   r$   Úlen)r"   r·   r¸   ÚqueueÚtargetsrµ   s         r    Úresolve_gateway_approvalr¿   š  s1  € õ 
ð 
3ð 
3Ý×#Ò# KÑ0Ô0ˆØð 	Øð
3ð 
3ð 
3ñ 
3ô 
3ð 
3ð 
3ð 
3ð ð 	%Ý˜5‘k”kˆGØKŠK‰MŒMˆMˆMà—y’y ‘|”|nˆGØð 	3Ý×Ò ¨TÑ2Ô2Ð2ð
3ð 
3ð 
3ñ 
3ô 
3ð 
3ð 
3ð 
3ð 
3ð 
3ð 
3øøøð 
3ð 
3ð 
3ð 
3ð ð ð ˆØˆŒØŒŠÑÔÐÐÝˆw‰<Œ<Ðs   ˆB³ABÂBÂBc                 ó’   — t           5  t          t                               | ¦  «        ¦  «        cddd¦  «         S # 1 swxY w Y   dS )zFCheck if a session has one or more blocking gateway approvals waiting.N)r­   rB   rª   r   r%   s    r    Úhas_blocking_approvalrÁ   ·  s…   € å	ð 6ð 6Ý•O×'Ò'¨Ñ4Ô4Ñ5Ô5ð6ð 6ð 6ð 6ñ 6ô 6ð 6ð 6ð 6ð 6ð 6ð 6øøøð 6ð 6ð 6ð 6ð 6ð 6s   ˆ'<¼A ÁA Úapprovalc                 óZ   — t           5  |t          | <   ddd¦  «         dS # 1 swxY w Y   dS )z/Store a pending approval request for a session.N)r­   r•   )r"   rÂ   s     r    Úsubmit_pendingrÄ   ½  sv   € å	ð )ð )Ø (Ñð)ð )ð )ñ )ô )ð )ð )ð )ð )ð )ð )ð )øøøð )ð )ð )ð )ð )ð )r°   c                 óº   — t           5  t                               | t          ¦   «         ¦  «                             |¦  «         ddd¦  «         dS # 1 swxY w Y   dS )z(Approve a pattern for this session only.N)r­   r–   r   r$   rŠ   )r"   rr   s     r    Úapprove_sessionrÆ   Ã  s¨   € å	ð Jð JÝ×$Ò$ [µ#±%´%Ñ8Ô8×<Ò<¸[ÑIÔIÐIðJð Jð Jñ Jô Jð Jð Jð Jð Jð Jð Jð Jøøøð Jð Jð Jð Jð Jð Js   ˆ;AÁAÁAc                 ó‚   — | sdS t           5  t                               | ¦  «         ddd¦  «         dS # 1 swxY w Y   dS )z,Enable YOLO bypass for a single session key.N)r­   r—   rŠ   r%   s    r    Úenable_session_yolorÈ   É  s   € àð ØˆÝ	ð 'ð 'Ý×Ò˜+Ñ&Ô&Ð&ð'ð 'ð 'ñ 'ô 'ð 'ð 'ð 'ð 'ð 'ð 'ð 'øøøð 'ð 'ð 'ð 'ð 'ð 'ó   Œ4´8»8c                 ó‚   — | sdS t           5  t                               | ¦  «         ddd¦  «         dS # 1 swxY w Y   dS )z-Disable YOLO bypass for a single session key.N)r­   r—   Údiscardr%   s    r    Údisable_session_yolorÌ   Ñ  s   € àð ØˆÝ	ð +ð +Ý×Ò˜kÑ*Ô*Ð*ð+ð +ð +ñ +ô +ð +ð +ð +ð +ð +ð +ð +øøøð +ð +ð +ð +ð +ð +rÉ   c                 ól  — | sdS t           5  t                               | d¦  «         t                               | ¦  «         t
                               | d¦  «         t                               | g ¦  «        }ddd¦  «         n# 1 swxY w Y   |D ]"}d|_        |j         	                    ¦   «          Œ#dS )z7Remove all approval and yolo state for a given session.NÚdeny)
r­   r–   r²   r—   rË   r•   rª   r   r›   r$   r³   s      r    Úclear_sessionrÏ   Ù  sö   € àð ØˆÝ	ð 7ð 7Ý×Ò˜k¨4Ñ0Ô0Ð0Ý×Ò˜kÑ*Ô*Ð*ÝŠ[ $Ñ'Ô'Ð'Ý!×%Ò% k°2Ñ6Ô6ˆð	7ð 7ð 7ñ 7ô 7ð 7ð 7ð 7ð 7ð 7ð 7øøøð 7ð 7ð 7ð 7ð
 ð ð ˆð ˆŒØŒŠÑÔÐÐð	ð s   ŒA,BÂBÂBc                 ó^   — | sdS t           5  | t          v cddd¦  «         S # 1 swxY w Y   dS )z?Return True when YOLO bypass is enabled for a specific session.FN)r­   r—   r%   s    r    Úis_session_yolo_enabledrÑ   é  s   € àð ØˆuÝ	ð ,ð ,ØmÐ+ð,ð ,ð ,ð ,ñ ,ô ,ð ,ð ,ð ,ð ,ð ,ð ,øøøð ,ð ,ð ,ð ,ð ,ð ,s   Œ	"¢&©&c                  ó<   — t          t          d¬¦  «        ¦  «        S )zEReturn True when the active approval session has YOLO bypass enabled.r   r   )rÑ   r9   rC   r'   r    Úis_current_session_yolo_enabledrÓ   ñ  s   € å"Õ#:À2Ð#FÑ#FÔ#FÑGÔGÐGr'   c                 ó6  ‡— t          |¦  «        }t          5  t          d„ |D ¦   «         ¦  «        r	 ddd¦  «         dS t                               | t          ¦   «         ¦  «        Št          ˆfd„|D ¦   «         ¦  «        cddd¦  «         S # 1 swxY w Y   dS )zßCheck if a pattern is approved (session-scoped or permanent).

    Accept both the current canonical key and the legacy regex-derived key so
    existing command_allowlist entries continue to work after key migrations.
    c              3   ó(   K  — | ]}|t           v V — Œd S rŸ   )r˜   )rN   Úaliass     r    ú	<genexpr>zis_approved.<locals>.<genexpr>þ  s(   è è € ÐAÐA°ˆuÕ+Ð+ÐAÐAÐAÐAÐAÐAr'   NTc              3   ó    •K  — | ]}|‰v V — Œ	d S rŸ   rC   )rN   rÖ   Úsession_approvalss     €r    r×   zis_approved.<locals>.<genexpr>  s)   øè è € ÐCÐC°%5Ð-Ð-ÐCÐCÐCÐCÐCÐCr'   )ru   r­   Úanyr–   r   r$   )r"   rr   ÚaliasesrÙ   s      @r    Úis_approvedrÜ   ö  s  ø€ õ $ KÑ0Ô0€GÝ	ð Dð DÝÐAÐA¸ÐAÑAÔAÑAÔAð 	ØðDð Dð Dñ Dô Dð Dð Dð Dõ .×1Ò1°+½s¹u¼uÑEÔEÐÝÐCÐCÐCÐC¸7ÐCÑCÔCÑCÔCð	Dð Dð Dð Dñ Dô Dð Dð Dð Dð Dð Dð Døøøð Dð Dð Dð Dð Dð Ds   ˜BÁ ABÂBÂBc                 óz   — t           5  t                               | ¦  «         ddd¦  «         dS # 1 swxY w Y   dS )z)Add a pattern to the permanent allowlist.N)r­   r˜   rŠ   rt   s    r    Úapprove_permanentrÞ     s€   € å	ð -ð -Ý×Ò Ñ,Ô,Ð,ð-ð -ð -ñ -ô -ð -ð -ð -ð -ð -ð -ð -øøøð -ð -ð -ð -ð -ð -ó   ˆ0°4·4Úpatternsc                 óz   — t           5  t                               | ¦  «         ddd¦  «         dS # 1 swxY w Y   dS )z2Bulk-load permanent allowlist entries from config.N)r­   r˜   Úupdate)rà   s    r    Úload_permanentrã   
  s€   € å	ð -ð -Ý×"Ò" 8Ñ,Ô,Ð,ð-ð -ð -ñ -ô -ð -ð -ð -ð -ð -ð -ð -øøøð -ð -ð -ð -ð -ð -rß   c                  ó  — 	 ddl m}   | ¦   «         }t          |                     dg ¦  «        pg ¦  «        }|rt	          |¦  «         |S # t
          $ r3}t                               d|¦  «         t          ¦   «         cY d}~S d}~ww xY w)z»Load permanently allowed command patterns from config.

    Also syncs them into the approval module so is_approved() works for
    patterns added via 'always' in a previous session.
    r   ©Úload_configÚcommand_allowlistz&Failed to load permanent allowlist: %sN)Úhermes_cli.configræ   r$   r   rã   r   r   Úwarning)ræ   Úconfigrà   Úes       r    Úload_permanent_allowlistrì     s§   € ð	Ø1Ð1Ð1Ð1Ð1Ð1Ø‘”ˆÝv—z’zÐ"5°rÑ:Ô:Ð@¸bÑAÔAˆØð 	%Ý˜8Ñ$Ô$Ð$ØˆøÝð ð ð ÝŠÐ?ÀÑCÔCÐCÝ‰uŒuˆˆˆˆˆˆøøøøðøøøs   ‚AA
 Á

BÁ(BÁ<BÂBc                 óÌ   — 	 ddl m}m}  |¦   «         }t          | ¦  «        |d<    ||¦  «         dS # t          $ r&}t
                               d|¦  «         Y d}~dS d}~ww xY w)z4Save permanently allowed command patterns to config.r   )ræ   Úsave_configrç   zCould not save allowlist: %sN)rè   ræ   rî   rº   r   r   ré   )rà   ræ   rî   rê   rë   s        r    Úsave_permanent_allowlistrï   '  s—   € ð:Ø>Ð>Ð>Ð>Ð>Ð>Ð>Ð>Ø‘”ˆÝ&*¨8¡n¤nˆÐ"Ñ#ØˆFÑÔÐÐÐøÝð :ð :ð :ÝŠÐ5°qÑ9Ô9Ð9Ð9Ð9Ð9Ð9Ð9Ð9øøøøð:øøøs   ‚/3 ³
A#½AÁA#TÚtimeout_secondsÚallow_permanentc                 óÊ	  ‡‡
‡— |€t          ¦   «         }|D	  || |‰¬¦  «        S # t          $ r(}t                               d|d¬¦  «         Y d}~dS d}~ww xY w	 ddlm}  |¦   «         t                               d	| |¦  «         dS n# t          $ r Y nw xY wd
t          j        d<   	 ddl	m
Š 	 t          ¦   «          t          d ‰d|¬¦  «        › ¦  «         t          d| › ¦  «         t          ¦   «          ‰rt           ‰d¦  «        ¦  «         nt           ‰d¦  «        ¦  «         t          ¦   «          t          j                             ¦   «          ddiŠ
ˆˆ
ˆfd„}t          j        |d¬¦  «        }|                     ¦   «          |                     |¬¦  «         |                     ¦   «         ret          d ‰d¦  «        z   ¦  «         	 dt          j        v rt          j        d= t          ¦   «          t          j                             ¦   «          dS ‰
d         }	|	dv rbt           ‰d¦  «        ¦  «         	 dt          j        v rt          j        d= t          ¦   «          t          j                             ¦   «          dS |	dv rbt           ‰d¦  «        ¦  «         	 dt          j        v rt          j        d= t          ¦   «          t          j                             ¦   «          dS |	d v rÆ‰sbt           ‰d¦  «        ¦  «         	 dt          j        v rt          j        d= t          ¦   «          t          j                             ¦   «          dS t           ‰d!¦  «        ¦  «         	 dt          j        v rt          j        d= t          ¦   «          t          j                             ¦   «          d"S t           ‰d#¦  «        ¦  «         	 dt          j        v rt          j        d= t          ¦   «          t          j                             ¦   «          dS # t(          t*          f$ rf t          d ‰d$¦  «        z   ¦  «         Y dt          j        v rt          j        d= t          ¦   «          t          j                             ¦   «          dS w xY w# dt          j        v rt          j        d= t          ¦   «          t          j                             ¦   «          w xY w)%a  Prompt the user to approve a dangerous command (CLI only).

    Args:
        allow_permanent: When False, hide the [a]lways option (used when
            tirith warnings are present, since broad permanent allowlisting
            is inappropriate for content-level security findings).
        approval_callback: Optional callback registered by the CLI for
            prompt_toolkit integration. Signature:
            (command, description, *, allow_permanent=True) -> str.

    Returns: 'once', 'session', 'always', or 'deny'
    N)rñ   zApproval callback failed: %sT)Úexc_inforÎ   r   )Úget_app_or_nonez¥Dangerous-command approval requested on a thread with no approval callback while prompt_toolkit is active; denying to avoid stdin deadlock. command=%r description=%rÚ1ÚHERMES_SPINNER_PAUSE)Útz  zapproval.dangerous_headerre   z      zapproval.choose_longzapproval.choose_shortr·   r   c                  óà   •— 	 ‰r ‰d¦  «        n
 ‰d¦  «        } t          | ¦  «                             ¦   «                              ¦   «         ‰d<   d S # t          t          f$ r	 d‰d<   Y d S w xY w)Nzapproval.prompt_longzapproval.prompt_shortr·   r   )ÚinputÚstriprX   ÚEOFErrorÚOSError)Úpromptrñ   r   r÷   s    €€€r    Ú	get_inputz,prompt_dangerous_approval.<locals>.get_input  sŽ   ø€ ð*Ø:IÐi˜Q˜QÐ5Ñ6Ô6Ð6ÈqÈqÐQhÑOiÔOiFÝ',¨V¡}¤}×':Ò':Ñ'<Ô'<×'BÒ'BÑ'DÔ'DF˜8Ñ$Ð$Ð$øÝ ¥'Ð*ð *ð *ð *Ø')F˜8Ñ$Ð$Ð$Ð$ð*øøøs   ƒAA ÁA-Á,A-)ÚtargetÚdaemon©ÚtimeoutÚ
zapproval.timeout>   ÚoÚoncezapproval.allowed_oncer  >   ÚsÚsessionzapproval.allowed_sessionr  >   ÚaÚalwayszapproval.allowed_alwaysr	  zapproval.deniedzapproval.cancelled)Ú_get_approval_timeoutr   r   ÚerrorÚ"prompt_toolkit.application.currentrô   ré   r<   rV   Ú
agent.i18nr÷   ÚprintÚsysÚstdoutÚflushr    ÚThreadÚstartÚjoinÚis_aliverû   ÚKeyboardInterrupt)rR   rP   rð   rñ   Úapproval_callbackrë   rô   rþ   Úthreadr·   r   r÷   s      `      @@r    Úprompt_dangerous_approvalr  6  sh  øøø€ ð  ÐÝ/Ñ1Ô1ˆàÐ$ð	Ø$Ð$ W¨kØ5DðFñ Fô Fð Føåð 	ð 	ð 	ÝLŠLÐ7¸ÀTˆLÑJÔJÐJØ66666øøøøð	øøøðØFÐFÐFÐFÐFÐFØˆ?ÑÔÐ(ÝNŠNðEð ˜ñ	ô ð ð 6ð )øõ ð ð ð ð 	ˆð	øøøð *-…B„JÐ%Ñ&ð9ð 	!Ð Ð Ð Ð Ð ð,	Ý‰GŒGˆGÝÐPqqÐ4À+ÐNÑNÔNÐPÐPÑQÔQÐQÝÐ$˜7Ð$Ð$Ñ%Ô%Ð%Ý‰GŒGˆGØð 2ÝaaÐ.Ñ/Ô/Ñ0Ô0Ð0Ð0åaaÐ/Ñ0Ô0Ñ1Ô1Ð1Ý‰GŒGˆGÝŒJ×ÒÑÔÐà ^ˆFð*ð *ð *ð *ð *ð *ð *õ Ô%¨Y¸tÐDÑDÔDˆFØLŠL‰NŒNˆNØKŠK ˆKÑ0Ô0Ð0àŠÑ Ô ð Ýd˜Q˜QÐ1Ñ2Ô2Ñ2Ñ3Ô3Ð3Øð. "¥R¤ZÐ/Ð/Ý”
Ð1Ð2Ý‰ŒˆÝŒ
×ÒÑÔÐÐÐð1 ˜HÔ%ˆFØ˜Ð&Ð&ÝaaÐ/Ñ0Ô0Ñ1Ô1Ð1Øð$ "¥R¤ZÐ/Ð/Ý”
Ð1Ð2Ý‰ŒˆÝŒ
×ÒÑÔÐÐÐð) Ð+Ð+Ð+ÝaaÐ2Ñ3Ô3Ñ4Ô4Ð4Ø ð "¥R¤ZÐ/Ð/Ý”
Ð1Ð2Ý‰ŒˆÝŒ
×ÒÑÔÐÐÐð# ˜?Ð*Ð*Ø&ð %Ý˜!˜!Ð6Ñ7Ô7Ñ8Ô8Ð8Ø$ð "¥R¤ZÐ/Ð/Ý”
Ð1Ð2Ý‰ŒˆÝŒ
×ÒÑÔÐÐÐõ aaÐ1Ñ2Ô2Ñ3Ô3Ð3Øð "¥R¤ZÐ/Ð/Ý”
Ð1Ð2Ý‰ŒˆÝŒ
×ÒÑÔÐÐÐõ aaÐ)Ñ*Ô*Ñ+Ô+Ð+Øð "¥R¤ZÐ/Ð/Ý”
Ð1Ð2Ý‰ŒˆÝŒ
×ÒÑÔÐÐÐøõ Õ'Ð(ð ð ð ÝˆdQQÐ+Ñ,Ô,Ñ,Ñ-Ô-Ð-Øà!¥R¤ZÐ/Ð/Ý”
Ð1Ð2Ý‰ŒˆÝŒ
×ÒÑÔÐÐÐðøøøøð "¥R¤ZÐ/Ð/Ý”
Ð1Ð2Ý‰ŒˆÝŒ
×ÒÑÔÐÐøøøsj   —% ¥
A¯AÁAÁ,B
 Â

BÂBÂ*D+P È$P ÊP Ë3P ÍP Î=P Ð,RÑR ÒRÒR ÒA	S"c                 ó¾   — t          | t          ¦  «        r| du rdndS t          | t          ¦  «        r*|                      ¦   «                              ¦   «         }|pdS dS )a"  Normalize approval mode values loaded from YAML/config.

    YAML 1.1 treats bare words like `off` as booleans, so a config entry like
    `approvals:
  mode: off` is parsed as False unless quoted. Treat that as the
    intended string mode instead of falling back to manual approvals.
    FÚoffÚmanual)Ú
isinstancerB   r‡   rú   rX   )Úmoder[   s     r    Ú_normalize_approval_moder  ©  sc   € õ $ÑÔð 4Ø ˜˜ˆuˆu¨8Ð3Ý$ÑÔð &Ø—Z’Z‘\”\×'Ò'Ñ)Ô)ˆ
ØÐ%˜XÐ%Øˆ8r'   c                  ó¼   — 	 ddl m}   | ¦   «         }|                     di ¦  «        pi S # t          $ r'}t                               d|¦  «         i cY d}~S d}~ww xY w)zLRead the approvals config block. Returns a dict with 'mode', 'timeout', etc.r   rå   Ú	approvalsz"Failed to load approval config: %sN)rè   ræ   r   r   r   ré   )ræ   rê   rë   s      r    Ú_get_approval_configr"  ¸  s€   € ðØ1Ð1Ð1Ð1Ð1Ð1Ø‘”ˆØzŠz˜+ rÑ*Ô*Ð0¨bÐ0øÝð ð ð ÝŠÐ;¸QÑ?Ô?Ð?Øˆ	ˆ	ˆ	ˆ	ˆ	ˆ	øøøøðøøøs   ‚'* ª
A´AÁAÁAc                  ód   — t          ¦   «                              dd¦  «        } t          | ¦  «        S )zHRead the approval mode from config. Returns 'manual', 'smart', or 'off'.r  r  )r"  r   r  )r  s    r    Ú_get_approval_moder$  Ã  s+   € åÑ!Ô!×%Ò% f¨hÑ7Ô7€DÝ# DÑ)Ô)Ð)r'   c                  ó’   — 	 t          t          ¦   «                              dd¦  «        ¦  «        S # t          t          f$ r Y dS w xY w)z>Read the approval timeout from config. Defaults to 60 seconds.r  é<   )Úintr"  r   Ú
ValueErrorÚ	TypeErrorrC   r'   r    r
  r
  É  sS   € ðÝÕ'Ñ)Ô)×-Ò-¨i¸Ñ<Ô<Ñ=Ô=Ð=øÝ	Ð"ð ð ð Øˆrˆrðøøøs   ‚.1 ±AÁAc                  óÞ   — 	 ddl m}   | ¦   «         }t          t          |ddd¬¦  «        ¦  «                             ¦   «                              ¦   «         }|dv rdS dS # t          $ r Y dS w xY w)	zERead the cron approval mode from config. Returns 'deny' or 'approve'.r   rå   r!  Ú	cron_moderÎ   r   >   r  ÚyesÚallowÚapprover.  )rè   ræ   r‡   r   rX   rú   r   )ræ   rê   r  s      r    Ú_get_cron_approval_moder/  Ñ  s’   € ðØ1Ð1Ð1Ð1Ð1Ð1Ø‘”ˆÝ•7˜6 ;°ÀVÐLÑLÔLÑMÔM×SÒSÑUÔU×[Ò[Ñ]Ô]ˆØÐ5Ð5Ð5Ø9ØˆvøÝð ð ð Øˆvˆvðøøøs   ‚AA Á
A,Á+A,c                 óL  — 	 ddl m} d| › d|› d} |dd|dœgdd	¬
¦  «        }|j        d         j        j        pd                     ¦   «                              ¦   «         }|dk    rdS |dk    rdS dS # t          $ r&}t           	                    d|¦  «         Y d}~dS d}~ww xY w)a  Use the auxiliary LLM to assess risk and decide approval.

    Returns 'approve' if the LLM determines the command is safe,
    'deny' if genuinely dangerous, or 'escalate' if uncertain.

    Inspired by OpenAI Codex's Smart Approvals guardian subagent
    (openai/codex#13860).
    r   )Úcall_llmz‹You are a security reviewer for an AI coding agent. A terminal command was flagged by pattern matching as potentially dangerous.

Command: z
Flagged reason: ul  

Assess the ACTUAL risk of this command. Many flagged commands are false positives â€” for example, `python -c "print('hello')"` is flagged as "script execution via -c flag" but is completely harmless.

Rules:
- APPROVE if the command is clearly safe (benign script execution, safe file operations, development tools, package installs, git operations, etc.)
- DENY if the command could genuinely damage the system (recursive delete of important paths, overwriting system files, fork bombs, wiping disks, dropping databases, etc.)
- ESCALATE if you're uncertain

Respond with exactly one word: APPROVE, DENY, or ESCALATErÂ   Úuser)ÚroleÚcontenté   )ÚtaskÚmessagesÚtemperatureÚ
max_tokensr   ÚAPPROVEr.  ÚDENYrÎ   Úescalatez1Smart approvals: LLM call failed (%s), escalatingN)
Úagent.auxiliary_clientr1  Úchoicesrd   r4  rú   Úupperr   r   r   )rR   rP   r1  rý   ÚresponseÚanswerrë   s          r    Ú_smart_approverB  Þ  s  € ð#Ø3Ð3Ð3Ð3Ð3Ð3ð=à
ð=ð =ð ð=ð =ð =ˆð 8ØØ%°&Ð9Ð9Ð:ØØð	
ñ 
ô 
ˆð Ô" 1Ô%Ô-Ô5Ð;¸×BÒBÑDÔD×JÒJÑLÔLˆàYÒÐØ9ØvÒÐØ6à:øåð ð ð ÝŠÐHÈ!ÑLÔLÐLØˆzˆzˆzˆzˆzøøøøðøøøs   ‚A%A3 Á)A3 Á3
B#Á=BÂB#Úenv_typec           
      ó’  — |dv rdddœS t          | ¦  «        \  }}|r3t                               d|| dd…         ¦  «         t          |¦  «        S t          st          ¦   «         rdddœS t          | ¦  «        \  }}}|sdddœS t          ¦   «         }t          ||¦  «        rdddœS t          d¦  «        }	t          ¦   «         }
|	sU|
sSt          d¦  «        rt          ¦   «         d	k    r	d
d|› ddœS t                               d|| dd…         ¦  «         dddœS |
st          d¦  «        r$t          || ||dœ¦  «         d
|d| |d|› d| › ddœS t          | ||¬¦  «        }|d	k    rd
d|› d||dœS |dk    rt          ||¦  «         n9|dk    r3t          ||¦  «         t          |¦  «         t!          t"          ¦  «         dddœS )aç  Check if a command is dangerous and handle approval.

    This is the main entry point called by terminal_tool before executing
    any command. It orchestrates detection, session checks, and prompting.

    Args:
        command: The shell command to check.
        env_type: Terminal backend type ('local', 'ssh', 'docker', etc.).
        approval_callback: Optional CLI callback for interactive prompts.

    Returns:
        {"approved": True/False, "message": str or None, ...}
    >   ÚmodalÚdockerÚdaytonaÚsingularityTNrh   ú Hardline block: %s (command: %s)éÈ   ÚHERMES_INTERACTIVEr@   rÎ   Fú'BLOCKED: Command flagged as dangerous (úË) but cron jobs run without a user present to approve it. Find an alternative approach that avoids this command. To allow dangerous commands in cron jobs, set approvals.cron_mode: approve in config.yaml.u¢   AUTO-APPROVED dangerous command in non-interactive non-gateway context (pattern: %s): %s â€” set HERMES_INTERACTIVE or HERMES_GATEWAY_SESSION to require approval.ÚHERMES_EXEC_ASK)rR   rr   rP   Úapproval_requiredu.   âš ï¸ This command is potentially dangerous (z3). Asking the user for approval.

**Command:**
```
ú
```)rb   rr   ÚstatusrR   rP   rd   )r  zBBLOCKED: User denied this potentially dangerous command (matched 'zL' pattern). Do NOT retry this command - the user has explicitly rejected it.©rb   rd   rr   rP   r  r	  )r`   r   ré   rf   r	   rÓ   r”   r9   rÜ   r   rD   r/  rÄ   r  rÆ   rÞ   rï   r˜   )rR   rC  r  Úis_hardlineÚhardline_descÚis_dangerousrr   rP   r"   Úis_cliÚ
is_gatewayr·   s               r    Úcheck_dangerous_commandrX    sä  € ð Ð@Ð@Ð@Ø ¨TÐ2Ð2Ð2õ "9¸Ñ!AÔ!AÑ€KØð 5ÝŠÐ9¸=È'ÐRVÐSVÐRVÌ-ÑXÔXÐXÝ% mÑ4Ô4Ð4õ ð 3Õ;Ñ=Ô=ð 3Ø ¨TÐ2Ð2Ð2å-EÀgÑ-NÔ-NÑ*€L+˜{Øð 3Ø ¨TÐ2Ð2Ð2å)Ñ+Ô+€KÝ; Ñ,Ô,ð 3Ø ¨TÐ2Ð2Ð2åÐ1Ñ2Ô2€FÝ-Ñ/Ô/€Jàð 3˜*ð 3åÐ0Ñ1Ô1ð 	Ý&Ñ(Ô(¨FÒ2Ð2à %ðGÀ+ð Gð Gð Gð	ð 	ð 	õ 	Šðjà˜  # œñ	
ô 	
ð 	
ð
 !¨TÐ2Ð2Ð2àð 
•_Ð%6Ñ7Ô7ð 
Ý{ØØ&Ø&ð%
ð %
ñ 	ô 	ð 	ð Ø&Ø)ØØ&ðVÀð Vð VØGNðVð Vð Vð

ð 

ð 
	
õ ' w°Ø9JðLñ Lô L€Fð ÒÐàð vÐ\gð  vð  vð  vØ&Ø&ð	
ð 
ð 	
ð ÒÐÝ˜ [Ñ1Ô1Ð1Ð1Ø	8Ò	Ð	Ý˜ [Ñ1Ô1Ð1Ý˜+Ñ&Ô&Ð&Ý Õ!4Ñ5Ô5Ð5à¨Ð.Ð.Ð.r'   Útirith_resultc           	      ó  — |                       d¦  «        pg }|s|                       d¦  «        pd}d|› S g }|D ]‘}|                      dd¦  «        }|                      dd¦  «        }|                      dd¦  «        }|r*|r(|                     |rd	|› d
|› d|› n|› d|› ¦  «         Œp|r|                     |rd	|› d
|› n|¦  «         Œ’|s|                       d¦  «        pd}d|› S dd                     |¦  «        z   S )z²Build a human-readable description from tirith findings.

    Includes severity, title, and description for each finding so users
    can make an informed approval decision.
    ÚfindingsÚsummaryzsecurity issue detectedzSecurity scan: Úseverityr   ÚtitlerP   Ú[z] z: u   Security scan â€” ú; )r   Úappendr  )rY  r[  r\  ÚpartsÚfr]  r^  Údescs           r    Ú_format_tirith_descriptionre  y  so  € ð × Ò  Ñ,Ô,Ð2°€HØð +Ø×#Ò# IÑ.Ô.ÐKÐ2KˆØ* Ð*Ð*Ð*à€EØð Ið IˆØ—5’5˜ RÑ(Ô(ˆØ—’g˜rÑ"Ô"ˆØuŠu] BÑ'Ô'ˆØð 	ITð 	IØLŠL¸HÐ\Ð8˜XÐ8Ð8¨Ð8Ð8°$Ð8Ð8Ð8ÈUÐJ\ÐJ\ÐVZÐJ\ÐJ\Ñ]Ô]Ð]Ð]Øð 	IØLŠL°HÐGÐ0˜XÐ0Ð0¨Ð0Ð0Ð0À%ÑHÔHÐHøØð +Ø×#Ò# IÑ.Ô.ÐKÐ2KˆØ* Ð*Ð*Ð*à $§)¢)¨EÑ"2Ô"2Ñ2Ð2r'   Úgateway©ÚsurfaceÚapproval_datarh  c          
      óÂ  ‡ ‡— |                      dd¦  «        }|                      dd¦  «        }|                      dd¦  «        }|                      d|g¦  «        }t          |¦  «        Št          5  t                               ‰ g ¦  «                             ‰¦  «         ddd¦  «         n# 1 swxY w Y   dˆˆ fd„}t          d	|||t          |¦  «        ‰ |¬
¦  «         	  ||¦  «         nB# t          $ r5}	t           
                    d|	¦  «          |¦   «          ddddœcY d}	~	S d}	~	ww xY wt          ¦   «                               dd¦  «        }
	 t          |
¦  «        }
n# t          t          f$ r d}
Y nw xY w	 ddlm} n# t          $ r d}Y nw xY wt#          j        ¦   «         }|t'          |
d¦  «        z   }||dœ}d}	 |t#          j        ¦   «         z
  }|dk    rn;‰j                             t-          d|¦  «        ¬¦  «        rd}n| ||d¦  «         ŒX |¦   «          ‰j        }|sdn|r|nd}t          d|||t          |¦  «        ‰ ||¬¦  «         ||dœS )uÖ  Enqueue *approval_data*, notify the user, and block the calling agent
    thread until the request is resolved or the gateway approval timeout
    elapses â€” firing pre/post approval hooks and cleaning up the queue entry.

    Shared by the terminal command guard (``check_all_command_guards``) and
    the execute_code guard (``check_execute_code_guard``) so the fiddly
    heartbeat-polling wait loop lives in one place.

    Returns ``{"resolved": bool, "choice": str|None}`` on completion, or
    ``{"resolved": False, "choice": None, "notify_failed": True}`` if the
    notify callback raised.  Persistence of an approved choice and building
    the final tool-facing result dict remain the caller's responsibility.
    rR   r   rP   rr   Úpattern_keysNr   c                  óê   •— t           5  t                               ‰g ¦  «        } ‰| v r|                      ‰¦  «         | st                               ‰d ¦  «         d d d ¦  «         d S # 1 swxY w Y   d S rŸ   )r­   rª   r   Úremover²   )r½   rµ   r"   s    €€r    Ú_drop_entryz,_await_gateway_decision.<locals>._drop_entry¬  s»   ø€ Ýð 	7ð 	7Ý#×'Ò'¨°RÑ8Ô8ˆEØ˜ˆ~ˆ~Ø—’˜UÑ#Ô#Ð#Øð 7Ý×#Ò# K°Ñ6Ô6Ð6ð	7ð 	7ð 	7ñ 	7ô 	7ð 	7ð 	7ð 	7ð 	7ð 	7ð 	7ð 	7øøøð 	7ð 	7ð 	7ð 	7ð 	7ð 	7s   ‰AA(Á(A,Á/A,Úpre_approval_request©rR   rP   rr   rk  r"   rh  z"Gateway approval notify failed: %sFT)Úresolvedr·   Únotify_failedÚgateway_timeouti,  r   )Útouch_activity_if_due)Ú
last_touchr  g      ð?r  zwaiting for user approvalr  Úpost_approval_response©rR   rP   rr   rk  r"   rh  r·   )rq  r·   )r   N)r   rš   r­   rª   r   ra  r!   rº   r   r   ré   r"  r'  r(  r)  Útools.environments.basert  ÚtimeÚ	monotonicÚmaxr›   ÚwaitÚminr   )r"   Ú	notify_cbri  rh  rR   rP   Úprimary_keyÚall_keysrn  r   r  rt  Ú_nowÚ	_deadlineÚ_activity_staterq  Ú
_remainingr·   Ú_outcomerµ   s   `                  @r    Ú_await_gateway_decisionr†  ”  s{  øø€ ð ×Ò 	¨2Ñ.Ô.€GØ×#Ò# M°2Ñ6Ô6€KØ×#Ò# M°2Ñ6Ô6€KØ× Ò  °+°Ñ?Ô?€Hå˜=Ñ)Ô)€EÝ	ð Bð BÝ×"Ò" ;°Ñ3Ô3×:Ò:¸5ÑAÔAÐAðBð Bð Bñ Bô Bð Bð Bð Bð Bð Bð Bøøøð Bð Bð Bð Bð7ð 7ð 7ð 7ð 7ð 7ð 7õ ØØØØÝ˜(‘^”^ØØðñ ô ð ðJØˆ	-Ñ Ô Ð Ð øÝð Jð Jð JÝŠÐ;¸SÑAÔAÐAØˆ‰ŒˆØ!¨TÀDÐIÐIÐIÐIÐIÐIÐIÐIøøøøðJøøøõ #Ñ$Ô$×(Ò(Ð):¸CÑ@Ô@€GðÝg‘,”,ˆˆøÝ	Ð"ð ð ð Øˆˆˆðøøøð%ØAÐAÐAÐAÐAÐAÐAøÝð %ð %ð %Ø $ÐÐÐð%øøøõ Œ>ÑÔ€DØ•s˜7 A‘”Ñ&€IØ%)°DÐ9Ð9€OØ€HðPØ¥¤Ñ!1Ô!1Ñ1ˆ
Ø˜Š?ˆ?ØØŒ;×Ò¥C¨¨ZÑ$8Ô$8ÐÑ9Ô9ð 	ØˆHØØ Ð,Ø!Ð! /Ð3NÑOÔOÐOðPð €KM„M€MàŒ\€Fð !)ÐOˆyˆy¸Ð/N¨v¨vÀY€HÝØ ØØØÝ˜(‘^”^ØØØð	ñ 	ô 	ð 	ð !¨FÐ3Ð3Ð3sT   Á2/B-Â-B1Â4B1Ã#C/ Ã/
D.Ã9*D)Ä#D.Ä)D.ÅE$ Å$E:Å9E:Å>F ÆFÆFc                 ó
  — |dv rdddœS t          | ¦  «        \  }}|r3t                               d|| dd…         ¦  «         t          |¦  «        S t	          | ¦  «        \  }}|r3t                               d|| dd…         ¦  «         t          |¦  «        S t          ¦   «         }t          st          ¦   «         s|dk    rdddœS t          d	¦  «        }t          ¦   «         }	t          d
¦  «        }
|sH|	sF|
sDt          d¦  «        r0t          ¦   «         dk    rt          | ¦  «        \  }}}|r	dd|› ddœS dddœS dg ddœ}	 ddlm}  || ¦  «        }n# t          $ r Y nw xY wt          | ¦  «        \  }}}g }t!          ¦   «         }|d         dv rs|                     d¦  «        pg }|r|d                              dd¦  «        nd}d|› }t%          |¦  «        }t'          ||¦  «        s|                     ||df¦  «         |r(t'          ||¦  «        s|                     ||df¦  «         |sdddœS |dk    r¨d                     d„ |D ¦   «         ¦  «        }t-          | |¦  «        }|dk    rD|D ]\  }}}t/          ||¦  «         Œt                               d| dd …         |¦  «         ddd|d!œS |dk    r)d                     d"„ |D ¦   «         ¦  «        }dd#|› d$dd%œS d                     d&„ |D ¦   «         ¦  «        }|d         d         }d'„ |D ¦   «         }t3          d(„ |D ¦   «         ¦  «        }|	s|
r;d}t4          5  t6                               |¦  «        }ddd¦  «         n# 1 swxY w Y   |Ø| |||| d)œ} t9          ||| d*¬+¦  «        }!|!                     d,¦  «        rdd-||d.œS |!d/         }"|!d0         }#|"r|#|#dk    r|"sd1}$d2}%d3}&nd4}$d}%d5}&dd6|$› d7|%› |||&dd8œS |D ]^\  }}}'|#d9k    s|#d:k    r|'rt/          ||¦  «         Œ%|#d:k    r3t/          ||¦  «         t;          |¦  «         t=          t>          ¦  «         Œ_ddd|d;œS tA          || |||d<œ¦  «         d|d=d| |d>|› d?| › d@dAœS tC          dB| ||tE          |¦  «        |dC¬D¦  «         tG          | || |¬E¦  «        }#tC          dF| ||tE          |¦  «        |dC|#¬G¦  «         |#dk    r	ddH||d5dd8œS |D ]^\  }}}'|#d9k    s|#d:k    r|'rt/          ||¦  «         Œ%|#d:k    r3t/          ||¦  «         t;          |¦  «         t=          t>          ¦  «         Œ_ddd|d;œS )IaC  Run all pre-exec security checks and return a single approval decision.

    Gathers findings from tirith and dangerous-command detection, then
    presents them as a single combined approval request. This prevents
    a gateway force=True replay from bypassing one check when only the
    other was shown to the user.
    >   rE  rF  rG  rH  TNrh   rI  rJ  z(Sudo stdin guard block: %s (command: %s)r  rK  rN  r@   rÎ   FrL  rM  r-  r   )Úactionr[  r\  r   )Úcheck_command_securityrˆ  >   ÚwarnÚblockr[  Úrule_idÚunknownztirith:Úsmartr`  c              3   ó"   K  — | ]
\  }}}|V — Œd S rŸ   rC   ©rN   Ú_rd  s      r    r×   z+check_all_command_guards.<locals>.<genexpr>g  s(   è è € Ð)JÐ)J±:°1°d¸A¨$Ð)JÐ)JÐ)JÐ)JÐ)JÐ)Jr'   r.  z'Smart approval: auto-approved '%s' (%s)r&  ©rb   rd   Úsmart_approvedrP   c              3   ó"   K  — | ]
\  }}}|V — Œd S rŸ   rC   r  s      r    r×   z+check_all_command_guards.<locals>.<genexpr>s  s(   è è € Ð-NÐ-N±z°q¸$À¨dÐ-NÐ-NÐ-NÐ-NÐ-NÐ-Nr'   zBLOCKED by smart approval: z@. The command was assessed as genuinely dangerous. Do NOT retry.)rb   rd   Úsmart_deniedc              3   ó"   K  — | ]
\  }}}|V — Œd S rŸ   rC   r  s      r    r×   z+check_all_command_guards.<locals>.<genexpr>  s(   è è € Ð>Ð>¡z q¨$°˜dÐ>Ð>Ð>Ð>Ð>Ð>r'   c                 ó   — g | ]\  }}}|‘Œ	S rC   rC   )rN   Úkeyr‘  s      r    rQ   z,check_all_command_guards.<locals>.<listcomp>  s   € Ð.Ð.Ð.™	˜˜Q Ð.Ð.Ð.r'   c              3   ó"   K  — | ]
\  }}}|V — Œd S rŸ   rC   )rN   r‘  Úis_ts      r    r×   z+check_all_command_guards.<locals>.<genexpr>‚  s(   è è € Ð5Ð5™j˜a  DTÐ5Ð5Ð5Ð5Ð5Ð5r'   )rR   rr   rk  rP   rñ   rf  rg  rr  z?BLOCKED: Failed to send approval request to user. Do NOT retry.rR  rq  r·   útimed out without user responseú Silence is not consent.r  údenied by userÚdeniedzBLOCKED: Command a  . The user has NOT consented to this action. Do NOT retry this command, do NOT rephrase it, and do NOT attempt the same outcome via a different command. Stop the current workflow and wait for the user to respond before taking any further destructive or irreversible action.©rb   rd   rr   rP   ÚoutcomeÚuser_consentr  r	  ©rb   rd   Úuser_approvedrP   ©rR   rr   rk  rP   Úpending_approvalõ   âš ï¸ z2. Asking the user for approval.

**Command:**
```
rP  ©rb   rr   rQ  Úapproval_pendingrR   rP   rd   ro  Úclirp  )rñ   r  rv  rw  a2  BLOCKED: User denied this command. The user has NOT consented to this action. Do NOT retry this command, do NOT rephrase it, and do NOT attempt the same outcome via a different command. Stop the current workflow and wait for the user to respond before taking any further destructive or irreversible action.)$r`   r   ré   rf   r\   ri   r$  r	   rÓ   r   rD   r/  r”   Útools.tirith_securityr‰  ÚImportErrorr9   r   re  rÜ   ra  r  rB  rÆ   r   rÚ   r­   r«   r†  rÞ   rï   r˜   rÄ   r!   rº   r  )(rR   rC  r  rS  rT  Úis_sudo_guessÚsudo_guess_descÚapproval_moderV  rW  Úis_askrU  Ú_pkrP   rY  r‰  rr   Úwarningsr"   r[  rŒ  Ú
tirith_keyÚtirith_descÚcombined_desc_for_llmÚverdictr˜  r‘  Úcombined_descr  r€  Ú
has_tirithr~  ri  Údecisionrq  r·   ÚreasonÚtimeout_addendumr   Ú	is_tiriths(                                           r    Úcheck_all_command_guardsr¼  ù  ss  € ð Ð@Ð@Ð@Ø ¨TÐ2Ð2Ð2õ "9¸Ñ!AÔ!AÑ€KØð 5ÝŠÐ9¸=È'ÐRVÐSVÐRVÌ-ÑXÔXÐXÝ% mÑ4Ô4Ð4õ &=¸WÑ%EÔ%EÑ"€M?Øð 9ÝŠÐAØ&¨°°°¬ñ	7ô 	7ð 	7å'¨Ñ8Ô8Ð8õ 'Ñ(Ô(€MÝð 3Õ;Ñ=Ô=ð 3ÀÐRWÒAWÐAWØ ¨TÐ2Ð2Ð2åÐ1Ñ2Ô2€FÝ-Ñ/Ô/€JÝÐ.Ñ/Ô/€Fð ð 3˜*ð 3¨Vð 3åÐ0Ñ1Ô1ð 	Ý&Ñ(Ô(¨FÒ2Ð2å1IÈ'Ñ1RÔ1RÑ.˜c ;Øð 
à$)ðKÀkð Kð Kð Kð	ð 	ð 	ð !¨TÐ2Ð2Ð2ð  '°BÀ2ÐFÐF€MðØ@Ð@Ð@Ð@Ð@Ð@Ø.Ð.¨wÑ7Ô7ˆˆøÝð ð ð Øˆðøøøõ .FÀgÑ-NÔ-NÑ*€L+˜{ð
 €Hå)Ñ+Ô+€Kð XÔÐ"3Ð3Ð3Ø ×$Ò$ ZÑ0Ô0Ð6°BˆØ;CÐR(˜1”+—/’/ )¨YÑ7Ô7Ð7ÈˆØ(˜wÐ(Ð(ˆ
Ý0°Ñ?Ô?ˆÝ˜;¨
Ñ3Ô3ð 	=ØOŠO˜Z¨°dÐ;Ñ<Ô<Ð<àð ?Ý˜;¨Ñ4Ô4ð 	?ØOŠO˜[¨+°uÐ=Ñ>Ô>Ð>ð ð 3Ø ¨TÐ2Ð2Ð2ð ˜ÒÐØ $§	¢	Ð)JÐ)JÀÐ)JÑ)JÔ)JÑ JÔ JÐÝ  Ð*?Ñ@Ô@ˆØiÒÐà%ð 2ð 2‘	Q˜Ý ¨SÑ1Ô1Ð1Ð1ÝLŠLÐBØ   " œÐ'<ñ>ô >ð >à $°Ø&*Ø#8ð:ð :ð :ð ˜ÒÐØ$(§I¢IÐ-NÐ-NÀXÐ-NÑ-NÔ-NÑ$NÔ$NÐ!à!ð\Ð9Nð \ð \ð \à $ð	ð ð ð —I’IÐ>Ð>°XÐ>Ñ>Ô>Ñ>Ô>€MØ˜1”+˜a”.€KØ.Ð. XÐ.Ñ.Ô.€HÝÐ5Ð5¨HÐ5Ñ5Ô5Ñ5Ô5€Jð ð _
Vñ _
Øˆ	Ýð 	=ð 	=Ý+×/Ò/°Ñ<Ô<ˆIð	=ð 	=ð 	=ñ 	=ô 	=ð 	=ð 	=ð 	=ð 	=ð 	=ð 	=øøøð 	=ð 	=ð 	=ð 	=ð Ð ð #Ø*Ø (Ø,ð (2 >ðð ˆMõ /Ø˜Y¨¸yðñ ô ˆHð |Š|˜OÑ,Ô,ð à %Ø`Ø#.Ø#0ð	ð ð ð   
Ô+ˆHØ˜hÔ'ˆFàð ˜v˜~°¸6Ò1AÐ1Að  ð 'Ø>FØ'AÐ$Ø'GGà-FØ')Ð$Ø&Gà %ð.¨Fð .ð .ð ,ð.ð .ð $/Ø#0Ø&Ø$)ðð ð ð$ &.ð Bð BÑ!Q˜	Ø˜YÒ&Ð&¨6°XÒ+=Ð+=À)Ð+=Ý# K°Ñ5Ô5Ð5Ð5Ø˜xÒ'Ð'Ý# K°Ñ5Ô5Ð5Ý% cÑ*Ô*Ð*Ý,Õ-@ÑAÔAÐAøð !%°Ø%)¸-ðIð Ið Iõ
 	{ØØ&Ø$Ø(ð	%
ð %
ñ 	ô 	ð 	ð Ø&Ø(Ø $ØØ(àm˜-ÐmÐmÐ_fÐmÐmÐmð

ð 

ð 
	
õ ØØØ!ØÝ˜(‘^”^ØØðñ ô ð õ ' w°Ø;E°~Ø9JðLñ Lô L€Fõ Ø ØØ!ØÝ˜(‘^”^ØØØð	ñ 	ô 	ð 	ð ÒÐàð'ð 'Ø(ØØ!ð
ð 
ð 	
ð" &ð :ð :ÑˆˆQ	ØYÒÐ 6¨XÒ#5Ð#5¸)Ð#5å˜K¨Ñ-Ô-Ð-Ð-ØxÒÐå˜K¨Ñ-Ô-Ð-Ý˜cÑ"Ô"Ð"Ý$Õ%8Ñ9Ô9Ð9øà¨Ø!°-ðAð Að As$   ÅE Å
E"Å!E"ÍM+Í+M/Í2M/Úcodec                 ój  — d}d}|dv rdddœS t          ¦   «         }t          st          ¦   «         s|dk    rdddœS t          ¦   «         }t	          d¦  «        }t	          d	¦  «        r t          ¦   «         d
k    r	dd||dddœS dddœS |s|sdddœS t          ¦   «         }d| › d}t          ||¦  «        rdddœS |dk    rHt          ||¦  «        }	|	dk    r"t           
                    d|¦  «         ddd|dœS |	d
k    r
ddd||dddœS d}
t          5  t                               |¦  «        }
ddd¦  «         n# 1 swxY w Y   |
€'t          ||||g|dœ¦  «         d|dd||d|› d| › ddœS |||g|dœ}t          ||
|d¬¦  «        }|                     d ¦  «        r	dd!||d ddœS |d"         }|d#         }|r||d
k    r|sd$nd%}|sd&nd'}dd(|› d)|› |||sd*ndddœS |d+k    rt!          ||¦  «         n9|d,k    r3t!          ||¦  «         t#          |¦  «         t%          t&          ¦  «         ddd|d-œS ).uÀ  Approve an execute_code script before its child process is spawned.

    execute_code runs arbitrary local Python â€” the script can call
    ``subprocess``, ``os.system``, ``ctypes``, or other process/file APIs
    directly, none of which pass through ``terminal()`` /
    ``DANGEROUS_PATTERNS``. In gateway/ask contexts we fail closed by approving
    the script as a whole before it runs (#30882). Returns the same dict
    contract as ``check_all_command_guards``.

    Scope (documented limitation, #30882): in a purely local non-interactive
    non-gateway session (no TTY, not gateway, not cron-deny) this returns
    approved â€” matching the existing terminal auto-approve contract. The
    hardline floor still blocks catastrophic ``terminal()`` commands the script
    issues; running arbitrary code headlessly without any approval surface is
    trusted-by-config (set a gateway/ask surface or ``approvals.cron_mode`` to
    require approval).
    Úexecute_codez¦execute_code script execution. The script can spawn subprocesses or mutate files without passing through terminal command approval; approval is one-shot for this run.>   rE  rF  rG  rH  Úvercel_sandboxTNrh   r  rN  r@   rÎ   Fa  BLOCKED: execute_code runs arbitrary local Python (including subprocess calls that bypass shell-string approval checks). Cron jobs run without a user present to approve it. Use normal tools instead, or set approvals.cron_mode: approve only if this cron profile is intentionally trusted.ÚblockedrŸ  zexecute_code <<'PY'
z
PYrŽ  r.  z9Smart approval: auto-approved execute_code for session %sr’  zkBLOCKED by smart approval: execute_code script execution was assessed as genuinely dangerous. Do NOT retry.rž  )rb   rd   r•  rr   rP   r   r¡  r¤  r¥  r¦  z5. Asking the user for approval.

**Code:**
```python
rP  r§  rf  rg  rr  zLBLOCKED: Failed to send execute_code approval request to user. Do NOT retry.rq  r·   r›  r  rœ  r   zBLOCKED: execute_code script z–. The user has NOT consented to running this code. Do NOT retry, do NOT rephrase the script, and do NOT attempt the same outcome via a different tool.r  r  r	  r¢  )r$  r	   rÓ   rD   r   r/  r9   rÜ   rB  r   r   r­   r«   r   rÄ   r†  rÆ   rÞ   rï   r˜   )r½  rC  rr   rP   r®  rW  r¯  r"   rR   rµ  r~  ri  r¸  rq  r·   r¹  Úaddendums                    r    Úcheck_execute_code_guardrÃ  "  s;  € ð$ !€Kð	-ð ð ÐRÐRÐRØ ¨TÐ2Ð2Ð2õ 'Ñ(Ô(€MÝð 3Õ;Ñ=Ô=ð 3ÀÐRWÒAWÐAWØ ¨TÐ2Ð2Ð2å-Ñ/Ô/€JÝÐ.Ñ/Ô/€Fõ Ð,Ñ-Ô-ð 3Ý"Ñ$Ô$¨Ò.Ð.à!ð0ð  +Ø*Ø$Ø %ðð ð ð !¨TÐ2Ð2Ð2ð ð 3˜fð 3Ø ¨TÐ2Ð2Ð2å)Ñ+Ô+€Kð 1 dÐ0Ð0Ð0€Gõ
 ; Ñ,Ô,ð 3Ø ¨TÐ2Ð2Ð2ð
 ˜ÒÐÝ  ¨+Ñ6Ô6ˆØiÒÐÝLŠLÐTØ$ñ&ô &ð &à $°Ø&*¸;ðHð Hð HàfÒÐà!ð,ð !%Ø*Ø*Ø#Ø %ð
ð 
ð 
ð €IÝ	ð 9ð 9Ý'×+Ò+¨KÑ8Ô8ˆ	ð9ð 9ð 9ñ 9ô 9ð 9ð 9ð 9ð 9ð 9ð 9øøøð 9ð 9ð 9ð 9ð Ðõ 	{ØØ&Ø(˜MØ&ð	%
ð %
ñ 	ô 	ð 	ð Ø&Ø(Ø $ØØ&ð5˜+ð 5ð 5Ø)-ð5ð 5ð 5ð
ð 
ð 	
ð Ø"Ø$˜Ø"ð	ð €Mõ 'ØY °yðñ ô €Hð ‡|‚|OÑ$Ô$ð 	
àð1à&Ø&Ø&Ø!ð
ð 
ð 	
ð ˜
Ô#€HØhÔ€Fàð 
v~¨°6Ò)9Ð)9Ø:BÐXÐ2Ð2ÐHXˆØ5=ÐEÐ-Ð-À2ˆàð-°ð -ð -ð #+ð-ð -ð
 'Ø&Ø(0Ð>yy°hØ!ð
ð 
ð 	
ð ÒÐÝ˜ [Ñ1Ô1Ð1Ð1Ø	8Ò	Ð	Ý˜ [Ñ1Ô1Ð1Ý˜+Ñ&Ô&Ð&Ý Õ!4Ñ5Ô5Ð5ð ¨Ø!°+ð?ð ?ð ?s   ÄD8Ä8D<Ä?D<)F)NTNrŸ   )vr§   ÚcontextvarsÚloggingr<   rJ   r  r    ry  r|   Útypingr   rè   r   Úutilsr   r   Ú	getLoggerr¤   r   r=   r	   rB   Ú__annotations__Ú
ContextVarr   r‡   r   r   r!   ÚTokenr&   r+   Útupler.   r3   r9   r>   rD   Ú_SSH_SENSITIVE_PATHÚ_HERMES_ENV_PATHÚ_HERMES_CONFIG_PATHÚ_PROJECT_ENV_PATHÚ_PROJECT_CONFIG_PATHÚ_SHELL_RC_FILESÚ_CREDENTIAL_FILESÚ_MACOS_PRIVATE_SYSTEM_PATHÚ_SYSTEM_CONFIG_PATHÚ_SENSITIVE_WRITE_TARGETÚ_PROJECT_SENSITIVE_WRITE_TARGETÚ_COMMAND_TAILÚ_CMDPOSÚHARDLINE_PATTERNSÚ
IGNORECASEÚDOTALLrL   r^   rK   rY   r\   r`   r©   rf   ri   ÚDANGEROUS_PATTERNSr’   rp   rq   r$   Ú_patternÚ_descriptionÚ_legacy_keyÚ_canonical_keyr   râ   ru   rW   r   r”   ÚLockr­   r•   r–   r—   r˜   rš   rª   rº   r«   Úobjectr¯   r¶   r'  r¿   rÁ   rÄ   rÆ   rÈ   rÌ   rÏ   rÑ   rÓ   rÜ   rÞ   rã   rì   rï   r  r  r"  r$  r
  r/  rB  rX  re  r†  r¼  rÃ  rC   r'   r    ú<module>rä     sÕ  ððð ð ð Ð Ð Ð Ø €€€Ø 	€	€	€	Ø 	€	€	€	Ø 
€
€
€
Ø Ð Ð Ð Ø €€€Ø Ð Ð Ð Ø Ð Ð Ð Ð Ð Ø %Ð %Ð %Ð %Ð %Ð %à 2Ð 2Ð 2Ð 2Ð 2Ð 2Ð 2Ð 2à	ˆÔ	˜8Ñ	$Ô	$€ð
 *˜/¨)¨"¬)Ð4FÈÑ*KÔ*KÑLÔLÐ 4Ð LÐ LÑ Lð 6L°[Ô5KØØð6ñ 6ô 6Ð {Ô-¨cÔ2ð ð ñ ð 2H°Ô1GØØð2ñ 2ô 2Ð ;Ô)¨#Ô.ð ð ñ ð 7M°kÔ6LØØð7ñ 7ô 7Ð ˜Ô.¨sÔ3ð ð ñ ðM 3ð M°Tð Mð Mð Mð Mð88¨ð 8°Ô1BÀ3Ô1Gð 8ð 8ð 8ð 8ð
' [Ô%6°sÔ%;ð 'Àð 'ð 'ð 'ð 'ð Øð	ð 	ð 	àð	ð ð	ð ˆ;Ô˜SÔ! ;Ô#4°SÔ#9Ð9Ô:ð		ð 	ð 	ð 	ð(Ø+Ô# CÔ(¨+Ô*;¸CÔ*@Ð@ÔAð(à	ð(ð (ð (ð (ð:ð : Sð :¸ð :ð :ð :ð :ð>˜sð >ð >ð >ð >ð) dð )ð )ð )ð )ð8 >Ð ðð ðð ð SÐ ØJÐ ð8ð ð
'ð ð ?Ð ð
 /Ð+Ð.Ð.Ð.ð ðÐð ð Øðð àðð ð 	ðð ð 	ð	ð ð
 	ðð ð ð ð #UÐ):Ð"TÐ"TÐ=QÐ"TÐ"TÐ"TÐ Ø+€ðFð ð Wð JØ\à;à\ØWà>à9ð
 Ð3Ñ3Ð5MÐNØÐÑÐ!=Ð>ØÐ<Ñ<Ð>YÐZØÐ"Ñ"Ð$CÐDð+Ð ð< ŒM˜BœIÑ%€	ðð à 1ðñ ô Ð ð  ”Ø0Ø„Mñô €ð
 Sð ¨Uð ð ð ð ð&
 Sð 
¨Uð 
ð 
ð 
ð 
ð¨ð °ð ð ð ð ð ¨#ð °$ð ð ð ð ð$yØ5ðyà,ðyð >ðyð fð	yð
 pðyð Aðyð Nðyð 'ðyð #ðyð .ðyð 1ðyð Jðyð 4ðyð  #Ð Ð"Ð"Ð$=Ð>ð!yð" að#yð$ 2ð%yð& 0ð'yð0 ^ð1yð2 dð3yð4 Oð5yð6 ?ð7yð: Pð;yð< Vð=yð> `ð?yð@ mðAyðB 2Ð/Ð1Ð1Ð3RÐSðCyðD /Ð,Ð.Ð.Ð0WÐXðEyðF OÐ7ÐNÐN¸}ÐNÐNÐPvÐwðGyðH LÐ4ÐKÐK¸MÐKÐKÐM{Ð|ðIyðJ -ðKyðT JðUyðV -ðWyð^ eð_yð` Wðayðl xðmyðn \ðoyðr Oðsyðt uðuyðx mðyyðB YðCyðD _ðEyðJ 6Ð 3Ð5Ð5Ð7_Ð`ðKyðL ]Ð&EÐ\Ð\È]Ð\Ð\ð  _Bð  CðMyðN 3Ð0Ð2Ð2Ð4TÐUðOyðP 7Ð!4Ð6Ð6Ð8dÐeðQyðZ HÐ1ÐGÐGÐ4DÐGÐGÐGÐImÐnð[yð\ LÐ"5ÐKÐKÐ8HÐKÐKÐKÐM}Ð~ð]yðn ]Ð3FÐ\Ð\ÐIYÐ\Ð\Ð\ð  _Oð  Pðoyðt Mðuyðz Uð{yð| Oð}yð~ Uðyð@ TðAyðB :ðCyðJ SðKyðf<ðgyðn5ðoyÐ ðzð à 2ðñ ô Ð ðI ð I¨ð Ið Ið Ið Ið
 -/Ð d˜3  C¤˜=Ô)Ð .Ð .Ñ .Ø0ð ^ð ^Ñ€HˆlØ%Ð% hÑ/Ô/€KØ!€NØ×#Ò# N°C°C±E´EÑ:Ô:×AÒAÀ>ÐS^ÐB_Ñ`Ô`Ð`Ø×#Ò# K°°±´Ñ7Ô7×>Ò>ÀÈ^Ð?\Ñ]Ô]Ð]Ð]ð@ sð @¨s°3¬xð @ð @ð @ð @ð¨cð °cð ð ð ð ð<¨3ð °3ð ð ð ð ðB cð ¨eð ð ð ð ð$ 	ˆ	ŒÑÔ€Ø€ˆ$ˆsDˆyŒ/Ð Ð Ñ Ø$&Ð 4˜˜S˜”>Ð &Ð &Ñ &Ø˜#™%œ%€ˆs3ŒxÐ Ð Ñ Ø˜3™5œ5Ð SÐ  Ð  Ñ  ð*ð *ð *ð *ð *ñ *ô *ð *ð $&€c˜4i”Ð %Ð %Ñ %Ø)+Ð T˜#˜v˜+Ô&Ð +Ð +Ñ +ð	.¨ð 	.°Tð 	.ð 	.ð 	.ð 	.ð
¨3ð 
°4ð 
ð 
ð 
ð 
ð 27ðð ¨#ð °sð Ø*.ðØ;>ðð ð ð ð:6 sð 6¨tð 6ð 6ð 6ð 6ð) ð )¨tð )ð )ð )ð )ðJ ð J°3ð Jð Jð Jð Jð' Sð '¨Tð 'ð 'ð 'ð 'ð+ cð +¨dð +ð +ð +ð +ð˜sð  tð ð ð ð ð ,¨ð ,°ð ,ð ,ð ,ð ,ðH¨ð Hð Hð Hð Hð
D˜Sð D¨sð D°tð Dð Dð Dð Dð- 3ð -ð -ð -ð -ð-˜Sð -ð -ð -ð -ð #ð ð ð ð ð$: sð :ð :ð :ð :ð  =AØ6:Ø04ðpð p sð p¸ð pØ/2°T©zðpà/3ðpð :=ðpð pð pð pðf cð ð ð ð ð˜dð ð ð ð ð*˜Cð *ð *ð *ð *ð˜sð ð ð ð ð
 ð 
ð 
ð 
ð 
ð,˜Cð ,¨cð ,°cð ,ð ,ð ,ð ,ð` /3ðe/ð e/ Sð e/°Cð e/Ø7;ðe/ð e/ð e/ð e/ðX3¨dð 3°sð 3ð 3ð 3ð 3ð8 /8ðb4ð b4ð b4¨ð b4Èð b4Ø(+ðb4Ø<@ðb4ð b4ð b4ð b4ðL 04ðfAð fA cð fA°Sð fAØ8<ðfAð fAð fAð fAðR	q? 3ð q?°#ð q?¸$ð q?ð q?ð q?ð q?ðj Ð Ñ Ô Ð Ð Ð r'   