hermes-agent/tools
Eugeniusz Gilewski e4dbb67bf5 fix(security): remove model-controlled delegate ACP transport
Source: https://github.com/NousResearch/hermes-agent/pull/52346
Related prior work: https://github.com/NousResearch/hermes-agent/pull/39462
Related prior work: https://github.com/NousResearch/hermes-agent/pull/27426
Maintainer direction: https://github.com/NousResearch/hermes-agent/pull/52346#issuecomment-4854881612

Remove acp_command and acp_args from the model-facing delegate_task schema and
dispatch paths. Child agents can still use ACP subprocess transport when it
comes from trusted delegation config or parent inheritance, but a model tool
call can no longer choose the command or arguments that reach child
construction.

This is salvageable because the risky boundary is model control over child ACP
transport, not ACP itself. The patch follows the maintainer direction from the
source discussion by preserving trusted ACP configuration and prior integration
work while removing the untrusted tool-call fields from both top-level and
per-task delegate inputs.

Reproduced on main by passing acp_command through delegate_task and observing it
reach _build_child_agent. Verified after the fix that model dispatch strips the
hidden top-level fields and per-task hidden fields are ignored before child
construction.

Co-authored-by: Carlosian <claudlos@agentmail.to>
Co-authored-by: ssiweifnag <120658181+ssiweifnag@users.noreply.github.com>
Co-authored-by: nikshepsvn <23241247+nikshepsvn@users.noreply.github.com>
2026-07-03 03:27:47 -07:00
..
computer_use revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
environments fix(terminal): also set MSYS2_ARG_CONV_EXCL for MSYS2/Cygwin bash fallback 2026-07-02 11:48:03 -07:00
neutts_samples
__init__.py Merge branch 'main' into rewbs/tool-use-charge-to-subscription 2026-03-31 08:48:54 +09:00
ansi_strip.py fix: strip ANSI at the source — clean terminal output before it reaches the model 2026-03-23 07:43:12 -07:00
approval.py refactor(approval): extract is_approval_bypass_active(); use frozen-env bypass in codex routing 2026-07-01 22:58:37 +05:30
async_delegation.py fix(cli): reliable interrupts, bounded exit, and exit feedback (#57000) 2026-07-02 04:20:43 -07:00
binary_extensions.py fix(tools): address PR review — remove _extract_raw_output, BudgetConfig everywhere, read_file hardening 2026-04-08 02:24:32 -07:00
blueprints.py refactor(cron): rebrand Cron Recipes -> Automation Blueprints 2026-06-11 10:49:47 -07:00
browser_camofox.py fix(browser): block Camofox input on private pages 2026-07-03 03:27:47 -07:00
browser_camofox_state.py feat(browser): add persistent Camofox sessions and VNC URL discovery (salvage #4400) (#4419) 2026-04-01 04:18:50 -07:00
browser_cdp_tool.py fix(browser): apply private-page guard to browser_cdp frame_id routing 2026-07-03 03:27:47 -07:00
browser_dialog_tool.py feat: auto-launch Chromium-family browser for CDP 2026-05-19 22:34:05 -07:00
browser_supervisor.py fix(browser): harden browser tool safety boundaries 2026-07-01 05:04:41 -07:00
browser_tool.py fix(browser): guard Camofox eval private pages 2026-07-02 13:10:30 +05:30
budget_config.py fix(agent): scale tool-output budget to the model context window (#23767) 2026-06-21 17:46:38 +05:30
checkpoint_manager.py refactor(windows): unify windowless spawn form across the touched sites 2026-06-28 17:44:47 -05:00
clarify_gateway.py fix: accept typed clarify choice replies 2026-06-28 04:13:19 -07:00
clarify_tool.py fix(clarify): docstring — put options in choices[] only, never enumerate in question text 2026-06-19 07:34:02 -07:00
close_terminal_tool.py fix(config): accept 'on' as truthy for env flags via shared env_var_enabled helper 2026-07-02 03:00:59 -07:00
code_execution_tool.py fix(code-exec): bind execute_code tool socket to a per-session RPC token 2026-07-01 04:08:37 -07:00
computer_use_tool.py feat(computer_use): cross-platform cua-driver (macOS/Windows/Linux) 2026-06-22 06:42:30 -07:00
credential_files.py fix(delegation): budget subagent summaries against parent context headroom 2026-06-30 03:07:40 -07:00
cronjob_tools.py security(cron): block base_url overrides that exfiltrate provider credentials 2026-07-01 14:23:01 +05:30
daemon_pool.py fix(cli): reliable interrupts, bounded exit, and exit feedback (#57000) 2026-07-02 04:20:43 -07:00
debug_helpers.py feat(moa): expose MoA presets as selectable virtual models (#46081) 2026-06-25 13:52:06 -07:00
delegate_tool.py fix(security): remove model-controlled delegate ACP transport 2026-07-03 03:27:47 -07:00
discord_tool.py feat: add Discord message deletion action 2026-05-07 05:11:09 -07:00
env_passthrough.py fix(security): strip dynamic Hermes secrets from all subprocess spawn env 2026-07-01 14:37:22 +05:30
env_probe.py fix: prevent TUI gateway stdin EOF crash across all TUI-context subprocess calls 2026-06-08 22:46:57 -07:00
fal_common.py refactor(image_gen): port FAL backend to plugins/image_gen/fal 2026-05-22 04:10:45 -07:00
feishu_doc_tool.py perf(cli): cut ~19s from 'hermes' cold start (skills cache + lazy Feishu + no Nous HTTP) (#22138) 2026-05-08 16:39:32 -07:00
feishu_drive_tool.py perf(cli): cut ~19s from 'hermes' cold start (skills cache + lazy Feishu + no Nous HTTP) (#22138) 2026-05-08 16:39:32 -07:00
file_operations.py fix: warn on line-oriented newline search patterns 2026-06-20 23:23:47 -07:00
file_state.py feat(delegate): cross-agent file state coordination for concurrent subagents (#13718) 2026-04-21 16:41:26 -07:00
file_tools.py fix(file-tools): preserve container paths for docker file ops (#56637) 2026-07-03 14:18:20 +10:00
fuzzy_match.py fix(patch): preserve file Unicode when unicode_normalized strategy matches 2026-07-01 17:48:32 +05:30
homeassistant_tool.py fix: clean up description escaping, add string-data tests 2026-04-13 04:45:07 -07:00
image_generation_tool.py krea 2026-06-25 12:38:33 -07:00
interrupt.py fix(interrupt): propagate to concurrent-tool workers + opt-in debug trace (#11907) 2026-04-17 20:39:25 -07:00
kanban_tools.py feat(kanban): route notifications via owning profile + wake creator agent 2026-07-02 00:05:48 +05:30
lazy_deps.py feat(vertex): add Google Vertex AI provider for Gemini (OAuth2) 2026-07-01 05:25:33 -07:00
managed_tool_gateway.py fix(managed-gateway): keep tool availability scans off the Nous token-refresh path 2026-05-30 07:58:08 -07:00
mcp_oauth.py fix(mcp): suppress interactive OAuth stdin prompts during background discovery (#35927) 2026-06-27 04:59:23 +05:30
mcp_oauth_manager.py fix(mcp-oauth): anchor 401 handler task to prevent GC mid-flight 2026-06-30 16:56:15 -07:00
mcp_tool.py fix(tui): prevent killpg suicide during MCP shutdown 2026-07-01 04:54:46 -07:00
memory_tool.py fix(memory): degrade gracefully after repeated at-capacity consolidation failures (#42405) 2026-06-30 20:01:16 +05:30
microsoft_graph_auth.py feat(msgraph): add auth and client foundation 2026-05-08 09:27:26 -07:00
microsoft_graph_client.py fix(msgraph): stream download_to_file body instead of buffering 2026-05-08 09:27:26 -07:00
neutts_synth.py
openrouter_client.py
osv_check.py fix(osv_check): honor npx --package/-p install target when parsing package arg (#40567) 2026-06-06 18:30:39 -07:00
patch_parser.py fix(lint): skip per-file shell linter when LSP will handle the file (#29054) 2026-05-20 01:46:40 -05:00
path_security.py refactor: extract shared helpers to deduplicate repeated code patterns (#7917) 2026-04-11 13:59:52 -07:00
process_registry.py fix(desktop): tree-kill Windows terminal descendants 2026-06-30 04:23:27 -05:00
project_tools.py feat(tools): add project workspace tools 2026-06-25 16:40:27 -05:00
read_extract.py feat(read): extract notebook and office documents (#37082) 2026-06-13 14:42:51 -07:00
read_terminal_tool.py fix(config): accept 'on' as truthy for env flags via shared env_var_enabled helper 2026-07-02 03:00:59 -07:00
registry.py fix(security): use caller package root for deregister opt-in policy lookup 2026-07-01 15:37:58 +05:30
schema_sanitizer.py fix(tools): strip default from $ref nodes in tool schemas 2026-06-12 00:30:51 -05:00
send_message_tool.py fix(matrix): route text-only send_message through adapter for E2EE support 2026-07-01 00:12:11 -07:00
session_search_tool.py fix(session_search): demote cron below interactive sessions in discover ranking (#53597) 2026-06-27 04:41:22 -07:00
skill_manager_tool.py fix(skills): require review forks to read before writing skills 2026-06-30 15:49:36 -07:00
skill_provenance.py fix(curator): only mark agent-created for background-review sediment (#19621) 2026-05-04 02:42:16 -07:00
skill_usage.py fix(curator): protect external skills from background curation 2026-06-25 22:03:02 -07:00
skills_ast_audit.py refactor(skills): slim AST diagnostic to single entry point 2026-05-23 17:47:26 -07:00
skills_guard.py fix(skills-guard): stop flagging benign skill content + honor skill ignore files (#36231) 2026-06-01 01:58:48 -07:00
skills_hub.py fix(cli): reliable interrupts, bounded exit, and exit feedback (#57000) 2026-07-02 04:20:43 -07:00
skills_sync.py fix(skills): skip shadowing when external_dirs provides the skill 2026-06-27 21:07:53 -07:00
skills_tool.py fix(skills): require review forks to read before writing skills 2026-06-30 15:49:36 -07:00
slash_confirm.py fix(async): close unscheduled coroutines in all threadsafe bridges (#26584) 2026-05-15 14:00:01 -07:00
terminal_tool.py fix(terminal): require approval for host-bound Docker commands (#54483) 2026-06-29 11:35:41 +10:00
thread_context.py fix(code-exec): propagate agent-turn context into tool worker threads 2026-05-29 03:44:49 -07:00
threat_patterns.py fix: bound threat-pattern/FTS5 regex input and cover V4A Move-File edits 2026-07-01 01:05:28 -07:00
tirith_security.py fix(security): add circuit breaker for tirith crashes to prevent agent hangs (#41400) 2026-06-26 15:26:08 +05:30
todo_tool.py fix(agent): restrict todo hydration to paired assistant todo calls 2026-07-01 01:02:17 -07:00
tool_backend_helpers.py feat(tools): surface the free tool pool in entitlement + setup (#36153) 2026-06-01 06:32:48 +05:30
tool_output_limits.py fix: tool_output_limits re-reads config on every call (no caching) 2026-05-31 00:50:19 -07:00
tool_result_storage.py fix: keep persisted tool results inside their storage directory 2026-06-30 16:39:41 -07:00
tool_search.py fix(tool-search): scope bridge catalog + dispatch to the session's toolsets 2026-05-29 02:04:12 -07:00
transcription_tools.py fix(windows): hide remaining backend console-flash legs missed on main 2026-06-28 10:19:21 -05:00
tts_tool.py fix(windows): hide remaining backend console-flash legs missed on main 2026-06-28 10:19:21 -05:00
url_safety.py fix(browser): narrow credential-query denylist to unambiguous names 2026-07-01 05:04:41 -07:00
video_generation_tool.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
vision_tools.py fix(security): close SSRF redirect-guard bypass across all httpx download hooks 2026-07-01 01:18:53 -07:00
voice_mode.py fix: prevent TUI gateway stdin EOF crash across all TUI-context subprocess calls 2026-06-08 22:46:57 -07:00
web_tools.py fix(browser): harden browser tool safety boundaries 2026-07-01 05:04:41 -07:00
website_policy.py chore(web): remove web_crawl tool + provider crawl plumbing (#33824) 2026-05-28 04:52:42 -07:00
write_approval.py fix(memory,skills): repair write-approval inline prompt, gateway staging, and gateway /skills review (#43452) 2026-06-10 02:57:15 -07:00
x_search_tool.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
xai_http.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
xai_video_tools.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
yuanbao_tools.py Fix unsafe gateway media path delivery 2026-05-23 01:40:35 -07:00