+ Ӄi,Rt^RIt^RIt^RIt^RIt^RIt^RIt^RIHt^RI H t ^RI H t Rt ^tRtRtRt^t^t] !RR 4tR R lt!R R 4tR#)a DM Pairing System Code-based approval flow for authorizing new users on messaging platforms. Instead of static allowlists with user IDs, unknown users receive a one-time pairing code that the bot owner approves via the CLI. Security features (based on OWASP + NIST SP 800-63-4 guidance): - 8-char codes from 32-char unambiguous alphabet (no 0/O/1/I) - Cryptographic randomness via secrets.choice() - 1-hour code expiry - Max 3 pending codes per platform - Rate limiting: 1 request per user per 10 minutes - Lockout after 5 failed approval attempts (1 hour) - File permissions: chmod 0600 on all data files - Codes are never logged to stdout Storage: ~/.hermes/pairing/ NPath)Optional)get_hermes_dir ABCDEFGHJKLMNPQRSTUVWXYZ23456789iiXzplatforms/pairingpairingc4V^8dQhR\R\RR/#pathdatareturnN)rstr)formats",/home/ubuntu/hermes-agent/gateway/pairing.py __annotate__r1s!CDcVPPRRR7\P!\ VP4RR7wr#\ P !VRRR7;_uu_4pVPV4VP4\ P!VP44RRR4\ P!V\ V44\ P!VR 4R# +'giLJ;i \dR#i;i \d+\ P!T4h \dhi;ii;i) uWrite data to file with restrictive permissions (owner read/write only). Uses a temp-file + atomic rename so readers always see either the old complete file or the new one — never a partial write. Tparentsexist_okz.tmp)dirsuffixwutf-8encodingNi)parentmkdirtempfilemkstemprosfdopenwriteflushfsyncfilenoreplacechmodOSError BaseExceptionunlink)r r fdtmp_pathfs&& r _secure_writer/1s  KKdT2##DKK(8HLB YYr3 1 1Q GGDM GGI HHQXXZ 2 8SY'  HHT5 ! 2 1      IIh      sg !D-AC53(DD5 D D DDDD E&D=<E= E E E  Eca]tRt^KtoRtRtV3RlRltV3RlRltV3RlRltV3R lR lt V3R lR lt V3R lRlt R+V3RlRllt R,V3RlRllt V3RlRltR,V3RlRlltV3RlRltR+V3RlRlltR+V3RlRlltV3RlRltV3R lR!ltV3R"lR#ltV3R$lR%ltV3R&lR'ltV3R(lR)ltR*tVtR#)- PairingStorez Manages pairing codes and approved user lists. Data files per platform: - {platform}-pending.json : pending pairing requests - {platform}-approved.json : approved (paired) users - _rate_limits.json : rate limit tracking ch\PRRR7\P!4VnR#)TrN) PAIRING_DIRr threadingRLock_lockselfs&r__init__PairingStore.__init__Us%$6__& rc&<V^8dQhRS[RS[/#r platformr rr)r __classdict__s"rrPairingStore.__annotate__[s88c8d8rc"\V R2, #)z -pending.jsonr3r8r=s&&r _pending_pathPairingStore._pending_path[sz777rc&<V^8dQhRS[RS[/#r<r>)rr?s"rrr@^s99s9t9rc"\V R2, #)z-approved.jsonrBrCs&&r_approved_pathPairingStore._approved_path^sz888rc <V^8dQhRS[/#)r r r)rr?s"rrr@as11$1rc\R, #)z_rate_limits.jsonrBr7s&r_rate_limit_pathPairingStore._rate_limit_pathas000rc&<V^8dQhRS[RS[/#)r r r rdict)rr?s"rrr@dstrcVP4'd(\P!VPRR74#/# \P\ 3d/u#i;i)rr)existsjsonloads read_textJSONDecodeErrorr))r8r s&&r _load_jsonPairingStore._load_jsondsT ;;== zz$..'."BCC (('2   s%AA A c*<V^8dQhRS[RS[RR/#r rO)rr?s"rrr@ls'LLtL4LDLrc L\V\P!V^RR74R#)r F)indent ensure_asciiN)r/rSdumps)r8r r s&&&r _save_jsonPairingStore._save_jsonlsdDJJtAEJKrc,<V^8dQhRS[RS[RS[/#r r=user_idr rbool)rr?s"rrr@qs"##C###$#rc JVPVPV44pW#9#)z3Check if a user is approved (paired) on a platform.)rWrH)r8r=rbapproveds&&& r is_approvedPairingStore.is_approvedqs$??4#6#6x#@A""rNc&<V^8dQhRS[RS[/#r<rlist)rr?s"rrr@vscTrc .pV'dV.MVPR4pVFSpVPVPV44pVP4FwrgVP RVRV/VC4K KU V#)z5List approved users, optionally filtered by platform.rfr=rb)_all_platformsrWrHitemsappend)r8r=results platformsprfuidinfos&& r list_approvedPairingStore.list_approvedvst"*XJ0C0CJ0O At':':1'=>H%^^-  Ay#FFG.rc0<V^8dQhRS[RS[RS[RR/#)r r=rb user_namer Nr)rr?s"rrr@s0AAcACACAQUArc VPVPV44pRVR\P!4/WB&VPVPV4V4R#)zAAdd a user to the approved list. Must be called under self._lock.rx approved_atN)rWrHtimer^)r8r=rbrxrfs&&&& r _approve_userPairingStore._approve_usersP??4#6#6x#@A  499;  ++H5x@rc,<V^8dQhRS[RS[RS[/#rarc)rr?s"rrr@s"  s S T rc VPV4pVP;_uu_4VPV4pW$9dWBVPW44RRR4R#RRR4R# +'giR#;i)z-PairingStore.generate_code..sP=O7>>(33=Os')rbrx created_at)r6_cleanup_expired_is_locked_out_is_rate_limitedrWrDlenMAX_PENDING_PER_PLATFORMjoinrange CODE_LENGTHr|r^_record_rate_limit)r8r=rbrxpendingcodes&&&& r generate_codePairingStore.generate_codesZZZ  ! !( +""8,, Z$$X77Zood&8&8&BCG7|77Z"77PU;=OPPD7YdiikGM OOD..x8' B  # #H 6=ZZZs*D* D*+5D**A5D** D; c<<V^8dQhRS[RS[RS[S[,/#)r r=rr )rrrP)rr?s"rrr@s&Src  :VP;_uu_4VPV4VP4P4pVP VP V44pW#9dVP V4RRR4R#VPV4pVPVP V4V4VPWR,VPRR44RVR,RVPRR4/uuRRR4# +'giR#;i)z Approve a pairing code. Adds the user to the approved list. Returns {user_id, user_name} on success, None if code is invalid/expired. Nrbrxr) r6rupperstriprWrD_record_failed_attemptpopr^r}get)r8r=rrentrys&&& r approve_codePairingStore.approve_codes ZZZ  ! !( +::<%%'Dood&8&8&BCG"++H5ZKK%E OOD..x8' B   xy)9599[RT;U V5+UYY{B7ZZZsA(D A7D  D c&<V^8dQhRS[RS[/#r<rj)rr?s"rrr@sSDrc .pV'dV.MVPR4pVFpVPV4VPVPV44pVP 4Fjwrg\ \ P !4VR,, ^<, 4pVPRVRVRVR,RVPRR4RV/4Kl K V#) z?List pending pairing requests, optionally filtered by platform.rrr=rrbrxr age_minutes) rmrrWrDrnintr|ror) r8r=rprqrrrrrtage_mins && r list_pendingPairingStore.list_pendings"*XJ0C0CI0N A  ! !! $ood&8&8&;>AfXU*;R@**3//$$X. ' r)r6r)r)__name__ __module__ __qualname____firstlineno____doc__r9rDrHrLrWr^rgrur}rrrrrrrrrrrm__static_attributes____classdictcell__)r?s@rr1r1Ks' 889911LL ## AA  ))V4$  AA99++ 9 9 + +rr1)rrSr!rrr4r|pathlibrtypingrhermes_constantsrrrrrrrrr3r/r1rrrsr(  + . 0)< 4jjr