hermes-agent/scripts
syahidfrd 0198713c33 fix(security): reuse auth chain when tagging unverified senders in Slack threads
Mitigates indirect prompt injection (CWE-863) in Slack thread context.
When the bot is mentioned mid-thread for the first time, _fetch_thread_context
pulls the full thread via conversations.replies and prepends every reply to
the LLM prompt. Replies from senders not on the allowlist were rendered
identically to authorised senders, letting a third party in a shared channel
inject instructions the model might act on when answering the next authorised
message.

- BasePlatformAdapter.set_authorization_check / _is_sender_authorized, registered
  by GatewayRunner._make_adapter_auth_check() with a closure over the existing
  _is_user_authorized chain (platform/global/group allowlists, allow-all flags,
  pairing store all stay the single source of truth — no env-var re-parsing).
- Tags non-bot thread messages whose sender fails the auth check with an
  [unverified] prefix; strengthens the header with soft guidance only when at
  least one unverified message is present, so setups without an allowlist see
  no behaviour change.
- Wired into all three adapter-init sites in run.py (start, reconnect watcher,
  restart) so the reconnect path is covered too.

Softened wording: adapted from the original [untrusted] tag to [unverified]
and non-accusatory header framing — the label reflects allowlist status, not
a judgment about the person. Adapter relocated to plugins/platforms/slack/
since the PR was authored.

Salvaged from #17059.
2026-06-30 18:05:43 -07:00
..
ci feat(ci): add CI timing report 2026-06-29 19:07:00 -07:00
lib fix(hermes): heal broken managed Node tree instead of PATH fallback 2026-06-26 20:10:20 +05:30
tests test(install): add ConvertTo-LongPath helper for 8.3 short paths 2026-06-20 16:24:52 -07:00
whatsapp-bridge fix(whatsapp-bridge): clarify FIFO outbound-id tracker semantics 2026-06-30 03:41:43 -07:00
analyze_livetest.py
benchmark_browser_eval.py
build_model_catalog.py
build_skills_index.py fix(skills): let ClawHub index build walk past the 12s browse budget (#44500) 2026-06-11 18:03:11 -04:00
check-windows-footguns.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
check_subprocess_stdin.py
contributor_audit.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
discord-voice-doctor.py
docker_config_migrate.py fix(docker): restore config backups after failed boot migration 2026-06-24 15:23:23 +10:00
hermes-gateway
install.cmd
install.ps1 fix(installer): reset managed clone when ff-only pull fails 2026-06-30 20:11:01 +07:00
install.sh fix(installer): reset managed clone when ff-only pull fails 2026-06-30 20:11:01 +07:00
install_psutil_android.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
keystroke_diagnostic.py
kill_modal.sh
lint_diff.py
LIVETEST_README.md
profile-tui.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
release.py fix(security): reuse auth chain when tagging unverified senders in Slack threads 2026-06-30 18:05:43 -07:00
run_tests.sh fix(tests): bare pytest flags pass through run_tests.sh without a '--' separator (#54008) 2026-06-27 22:43:26 -07:00
run_tests_parallel.py test(ci): raise per-file timeout 140s → 300s to stop false timeouts (#54143) 2026-06-28 02:41:07 -07:00
sample_and_compress.py
setup_open_webui.sh
tool_search_livetest.py