hermes-agent/acp_adapter
Jace Nibarger 060779bb76 fix: bound threat-pattern/FTS5 regex input and cover V4A Move-File edits
Salvaged from PR #35130 (the safe subset of jnibarger01's security pass):

- threat_patterns.py: replace unbounded (?:\w+\s+)* filler with bounded
  {0,8} + cap scan input at MAX_SCAN_CHARS (64KiB), and bound the .*
  runs in the exfil/config-mod patterns. Kills catastrophic backtracking
  on adversarial near-misses.
- hermes_state.py: cap FTS5 query length (MAX_FTS5_QUERY_CHARS) and
  extract quoted phrases with a linear scan instead of a regex so
  pathological quote runs can't induce backtracking.
- acp_adapter/edit_approval.py + agent/tool_dispatch_helpers.py: recognize
  '*** Move File: src -> dst' V4A headers so patch-mode edits are
  permissioned/traversal-checked (previously only Update/Add/Delete), and
  surface a proposal for mode=patch V4A calls (previously replace-only).

Tests: +ReDoS-bound + FTS5-cap + Move-File-target + V4A-approval cases.
2026-07-01 01:05:28 -07:00
..
__init__.py feat: restore ACP server implementation from PR #949 (#1254) 2026-03-14 00:09:05 -07:00
__main__.py feat: restore ACP server implementation from PR #949 (#1254) 2026-03-14 00:09:05 -07:00
auth.py feat(azure-foundry): add Microsoft Entra ID auth 2026-05-18 10:14:38 -07:00
edit_approval.py fix: bound threat-pattern/FTS5 regex input and cover V4A Move-File edits 2026-07-01 01:05:28 -07:00
entry.py fix(tui): stop a cwd package named utils/proxy/ui from crashing the gateway child (#51693) 2026-06-23 23:29:45 -07:00
events.py fix(acp): use modes for edit auto-approval 2026-05-18 01:19:55 -07:00
permissions.py feat(acp): enrich permission request cards 2026-05-18 11:47:27 -07:00
provenance.py feat(acp): emit session provenance metadata for compression rotation (#41724) 2026-06-07 22:22:21 -07:00
server.py fix(acp): thread-safe interactive approval via contextvars 2026-06-30 03:24:58 -07:00
session.py fix(codex): seed app-server sessions with configured cwd 2026-06-21 16:39:02 -07:00
tools.py feat(moa): expose MoA presets as selectable virtual models (#46081) 2026-06-25 13:52:06 -07:00