hermes-agent/scripts
teknium1 cfbc7ed1f9 fix(browser): narrow credential-query denylist to unambiguous names
Follow-up on the salvaged #49830 hardening. The contributor's sensitive
query-param set included bare English words (code, key, auth, session,
sig) that double as ordinary page facets — ?code= on promo/challenge
pages, ?key= as a search facet, ?session= on blogs — so web_extract and
cloud browser_navigate would refuse a large slice of normal browsing.

Narrow the set to unambiguously credential-named params (access_token,
authorization, client_secret, password, token, x-amz-signature, ...).
Prefix-based vendor-key redaction (is_safe_url) still catches recognizable
key shapes; this set is the belt-and-suspenders for opaque secrets carried
under an explicit credential-named parameter.

Also fixes two intra-PR-staleness test breakages surfaced by salvaging onto
current main:
- web_extract_tool() no longer accepts use_llm_processing= (signature
  changed since the PR was authored) — dropped the invalid kwarg.
- agent.redact now fully masks keyed 'token=<secret>' to 'token=***'
  instead of partial 'sk-...'; the console-redaction test now asserts the
  real invariant (secret body gone) rather than the exact mask format.

Added a regression test that generic English-word query params are NOT
blocked by the credential guard.
2026-07-01 05:04:41 -07:00
..
ci feat(ci): add CI timing report 2026-06-29 19:07:00 -07:00
lib fix(hermes): heal broken managed Node tree instead of PATH fallback 2026-06-26 20:10:20 +05:30
tests test(install): add ConvertTo-LongPath helper for 8.3 short paths 2026-06-20 16:24:52 -07:00
whatsapp-bridge fix(whatsapp-bridge): clarify FIFO outbound-id tracker semantics 2026-06-30 03:41:43 -07:00
analyze_livetest.py test(tool-search): add live A/B harness, drop checked-in transcripts 2026-05-29 02:04:12 -07:00
benchmark_browser_eval.py
build_model_catalog.py
build_skills_index.py fix(skills): let ClawHub index build walk past the 12s browse budget (#44500) 2026-06-11 18:03:11 -04:00
check-windows-footguns.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
check_subprocess_stdin.py fix: keep interactive OAuth setup-token inheriting stdin 2026-06-08 22:46:57 -07:00
contributor_audit.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
discord-voice-doctor.py
docker_config_migrate.py fix(docker): restore config backups after failed boot migration 2026-06-24 15:23:23 +10:00
hermes-gateway
install.cmd fix(docs): update all install instructions everywhere 2026-06-04 21:07:45 -04:00
install.ps1 fix(installer): reset managed clone when ff-only pull fails 2026-06-30 20:11:01 +07:00
install.sh fix(installer): reset managed clone when ff-only pull fails 2026-06-30 20:11:01 +07:00
install_psutil_android.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
keystroke_diagnostic.py
kill_modal.sh
lint_diff.py
LIVETEST_README.md test(tool-search): add live A/B harness, drop checked-in transcripts 2026-05-29 02:04:12 -07:00
profile-tui.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
release.py fix(browser): narrow credential-query denylist to unambiguous names 2026-07-01 05:04:41 -07:00
run_tests.sh fix(tests): bare pytest flags pass through run_tests.sh without a '--' separator (#54008) 2026-06-27 22:43:26 -07:00
run_tests_parallel.py test(ci): raise per-file timeout 140s → 300s to stop false timeouts (#54143) 2026-06-28 02:41:07 -07:00
sample_and_compress.py
tool_search_livetest.py test(tool-search): redact secrets from harness transcripts + console 2026-05-29 02:04:12 -07:00