Review of the #50531 salvage found the cross-session HERMES_SESSION_* leak also survives on the non-terminal spawn helper hermes_subprocess_env (added by #56202 after #50531 was written), which does os.environ.copy() without the guard. Of its six callers, five re-bind the session identity explicitly (slash_worker/ACP via --session-key argv) and are safe by accident; but tui_gateway cli.exec (server.py) spawns a fresh CLI with NO --session-key under the engaged TUI host, so it inherits a possibly-foreign HERMES_SESSION_* from the last-writer-wins global and would stamp Kanban rows / telemetry with another session's id. Route hermes_subprocess_env through the same _inject_session_context_env chokepoint, restoring the single-uniform-policy-across-every-spawn-surface invariant the codebase already claims for the internal-secret filter. Safe for all six callers: bound ContextVars win (re-binders unaffected), _UNSET strips (closes cli.exec). Adds 3 guard tests; mutation-checked.

| Name |
|---|
| __init__.py |
| base.py |
| daytona.py |
| docker.py |
| file_sync.py |
| local.py |
| managed_modal.py |
| modal.py |
| modal_utils.py |
| singularity.py |
| ssh.py |