hermes-agent/tests/acp
Jace Nibarger 060779bb76 fix: bound threat-pattern/FTS5 regex input and cover V4A Move-File edits
Salvaged from PR #35130 (the safe subset of jnibarger01's security pass):

- threat_patterns.py: replace unbounded (?:\w+\s+)* filler with bounded
  {0,8} + cap scan input at MAX_SCAN_CHARS (64KiB), and bound the .*
  runs in the exfil/config-mod patterns. Kills catastrophic backtracking
  on adversarial near-misses.
- hermes_state.py: cap FTS5 query length (MAX_FTS5_QUERY_CHARS) and
  extract quoted phrases with a linear scan instead of a regex so
  pathological quote runs can't induce backtracking.
- acp_adapter/edit_approval.py + agent/tool_dispatch_helpers.py: recognize
  '*** Move File: src -> dst' V4A headers so patch-mode edits are
  permissioned/traversal-checked (previously only Update/Add/Delete), and
  surface a proposal for mode=patch V4A calls (previously replace-only).

Tests: +ReDoS-bound + FTS5-cap + Move-File-target + V4A-approval cases.
2026-07-01 01:05:28 -07:00
..
__init__.py
test_approval_isolation.py fix(acp): thread-safe interactive approval via contextvars 2026-06-30 03:24:58 -07:00
test_auth.py
test_edit_approval.py fix: bound threat-pattern/FTS5 regex input and cover V4A Move-File edits 2026-07-01 01:05:28 -07:00
test_entry.py refactor(bootstrap): consolidate ACP browser bootstrap into install.{sh,ps1} (#27851) 2026-05-18 16:36:26 +05:30
test_events.py fix(ci): rip out some xdist legacy stuff... how did these ever work?? 2026-06-26 19:15:18 -07:00
test_mcp_e2e.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
test_permissions.py feat(acp): enrich permission request cards 2026-05-18 11:47:27 -07:00
test_ping_suppression.py
test_registry_manifest.py feat(acp-registry): switch to uvx distribution, drop npm launcher 2026-05-14 22:27:09 -07:00
test_server.py fix(acp): preserve memory provider tools 2026-06-13 04:51:44 -07:00
test_session.py fix(codex): seed app-server sessions with configured cwd 2026-06-21 16:39:02 -07:00
test_session_db_private_access.py fix(acp): replace direct db._lock/_conn access with public update_session_meta() 2026-06-04 17:54:59 -07:00
test_session_provenance.py feat(acp): emit session provenance metadata for compression rotation (#41724) 2026-06-07 22:22:21 -07:00
test_tools.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00