hermes-agent/tools
SahilRakhaiya05 5178b3f056 fix(code-exec): bind execute_code tool socket to a per-session RPC token
The execute_code sandbox exposed its tool-call RPC (AF_UNIX socket and
remote file-poll transports) without any caller check, so any local
process that could reach the socket / rpc dir could dispatch
terminal-capable tool calls through the parent. Mint a per-session
HERMES_RPC_TOKEN, pass it to the sandboxed child, and require a
timing-safe match on every request in both _rpc_server_loop and
_rpc_poll_loop. Empty/missing/wrong token fails closed.

Salvaged from #44073 (per-session RPC token). Added timing-safe
secrets.compare_digest comparison and fail-closed regression tests.

Co-authored-by: Hermes Agent <agent@nousresearch.com>
2026-07-01 04:08:37 -07:00
..
computer_use revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
environments fix(tools): close the same session leak on the hermes_subprocess_env spawn surface (review) 2026-07-01 15:42:19 +05:30
neutts_samples
__init__.py
ansi_strip.py
approval.py fix(security): block subshell/brace-group wrappers at the hardline floor 2026-07-01 03:03:05 -07:00
async_delegation.py style(profile): trim verbose comments to one or two lines 2026-06-30 15:30:06 -07:00
binary_extensions.py
blueprints.py refactor(cron): rebrand Cron Recipes -> Automation Blueprints 2026-06-11 10:49:47 -07:00
browser_camofox.py fix(camofox): auto-recover from stale tab 404 on navigate 2026-06-29 01:26:24 -07:00
browser_camofox_state.py
browser_cdp_tool.py fix(deps): declare websockets as core dep + relax dev setuptools pin (salvage #45486, #44693) (#46744) 2026-06-15 12:44:44 -04:00
browser_dialog_tool.py feat: auto-launch Chromium-family browser for CDP 2026-05-19 22:34:05 -07:00
browser_supervisor.py fix(browser): close remaining CDP-URL leak paths in supervisor (review) 2026-07-01 13:43:58 +05:30
browser_tool.py test(browser): cover guard-inactive + camofox short-circuit paths; fix blank lines 2026-07-01 13:56:49 +05:30
budget_config.py fix(agent): scale tool-output budget to the model context window (#23767) 2026-06-21 17:46:38 +05:30
checkpoint_manager.py refactor(windows): unify windowless spawn form across the touched sites 2026-06-28 17:44:47 -05:00
clarify_gateway.py fix: accept typed clarify choice replies 2026-06-28 04:13:19 -07:00
clarify_tool.py fix(clarify): docstring — put options in choices[] only, never enumerate in question text 2026-06-19 07:34:02 -07:00
close_terminal_tool.py feat(desktop): live agent terminals + agent-driven tab close 2026-06-28 21:15:14 -05:00
code_execution_tool.py fix(code-exec): bind execute_code tool socket to a per-session RPC token 2026-07-01 04:08:37 -07:00
computer_use_tool.py feat(computer_use): cross-platform cua-driver (macOS/Windows/Linux) 2026-06-22 06:42:30 -07:00
credential_files.py fix(delegation): budget subagent summaries against parent context headroom 2026-06-30 03:07:40 -07:00
cronjob_tools.py security(cron): block base_url overrides that exfiltrate provider credentials 2026-07-01 14:23:01 +05:30
debug_helpers.py feat(moa): expose MoA presets as selectable virtual models (#46081) 2026-06-25 13:52:06 -07:00
delegate_tool.py fix(delegation): route native-SDK providers through runtime resolver; fail on '(empty)' sentinel 2026-07-01 00:45:31 -07:00
discord_tool.py
env_passthrough.py fix(security): strip dynamic Hermes secrets from all subprocess spawn env 2026-07-01 14:37:22 +05:30
env_probe.py fix: prevent TUI gateway stdin EOF crash across all TUI-context subprocess calls 2026-06-08 22:46:57 -07:00
fal_common.py refactor(image_gen): port FAL backend to plugins/image_gen/fal 2026-05-22 04:10:45 -07:00
feishu_doc_tool.py
feishu_drive_tool.py
file_operations.py fix: warn on line-oriented newline search patterns 2026-06-20 23:23:47 -07:00
file_state.py
file_tools.py fix(security): block /proc/*/auxv and /proc/*/pagemap read leaks 2026-07-01 02:44:53 -07:00
fuzzy_match.py fix(tools): stop _strategy_exact emitting overlapping matches (#56211) 2026-07-01 02:13:13 -07:00
homeassistant_tool.py
image_generation_tool.py krea 2026-06-25 12:38:33 -07:00
interrupt.py
kanban_tools.py fix(kanban): restrict goal_mode kanban_block to genuine external blockers 2026-06-30 14:29:42 -07:00
lazy_deps.py chore(deps): bump aiohttp to patched 3.14.1 (from 3.14.0) 2026-07-01 02:51:45 -07:00
managed_tool_gateway.py fix(managed-gateway): keep tool availability scans off the Nous token-refresh path 2026-05-30 07:58:08 -07:00
mcp_oauth.py fix(mcp): suppress interactive OAuth stdin prompts during background discovery (#35927) 2026-06-27 04:59:23 +05:30
mcp_oauth_manager.py fix(mcp-oauth): anchor 401 handler task to prevent GC mid-flight 2026-06-30 16:56:15 -07:00
mcp_tool.py fix(mcp): preserve 'definitions' as a property name in tool schemas 2026-07-01 01:02:23 -07:00
memory_tool.py fix(memory): degrade gracefully after repeated at-capacity consolidation failures (#42405) 2026-06-30 20:01:16 +05:30
microsoft_graph_auth.py
microsoft_graph_client.py
neutts_synth.py
openrouter_client.py
osv_check.py fix(osv_check): honor npx --package/-p install target when parsing package arg (#40567) 2026-06-06 18:30:39 -07:00
patch_parser.py fix(lint): skip per-file shell linter when LSP will handle the file (#29054) 2026-05-20 01:46:40 -05:00
path_security.py
process_registry.py fix(desktop): tree-kill Windows terminal descendants 2026-06-30 04:23:27 -05:00
project_tools.py feat(tools): add project workspace tools 2026-06-25 16:40:27 -05:00
read_extract.py feat(read): extract notebook and office documents (#37082) 2026-06-13 14:42:51 -07:00
read_terminal_tool.py feat(desktop): resizable VS Code-themed terminal pane + palette polish (#42521) 2026-06-09 23:15:20 -05:00
registry.py fix(security): use caller package root for deregister opt-in policy lookup 2026-07-01 15:37:58 +05:30
schema_sanitizer.py fix(tools): strip default from $ref nodes in tool schemas 2026-06-12 00:30:51 -05:00
send_message_tool.py fix(matrix): route text-only send_message through adapter for E2EE support 2026-07-01 00:12:11 -07:00
session_search_tool.py fix(session_search): demote cron below interactive sessions in discover ranking (#53597) 2026-06-27 04:41:22 -07:00
skill_manager_tool.py fix(skills): require review forks to read before writing skills 2026-06-30 15:49:36 -07:00
skill_provenance.py
skill_usage.py fix(curator): protect external skills from background curation 2026-06-25 22:03:02 -07:00
skills_ast_audit.py refactor(skills): slim AST diagnostic to single entry point 2026-05-23 17:47:26 -07:00
skills_guard.py fix(skills-guard): stop flagging benign skill content + honor skill ignore files (#36231) 2026-06-01 01:58:48 -07:00
skills_hub.py fix(skills): publish fetchable metadata for official skills 2026-07-01 00:40:56 -07:00
skills_sync.py fix(skills): skip shadowing when external_dirs provides the skill 2026-06-27 21:07:53 -07:00
skills_tool.py fix(skills): require review forks to read before writing skills 2026-06-30 15:49:36 -07:00
slash_confirm.py fix(async): close unscheduled coroutines in all threadsafe bridges (#26584) 2026-05-15 14:00:01 -07:00
terminal_tool.py fix(terminal): require approval for host-bound Docker commands (#54483) 2026-06-29 11:35:41 +10:00
thread_context.py fix(code-exec): propagate agent-turn context into tool worker threads 2026-05-29 03:44:49 -07:00
threat_patterns.py fix: bound threat-pattern/FTS5 regex input and cover V4A Move-File edits 2026-07-01 01:05:28 -07:00
tirith_security.py fix(security): add circuit breaker for tirith crashes to prevent agent hangs (#41400) 2026-06-26 15:26:08 +05:30
todo_tool.py fix(agent): restrict todo hydration to paired assistant todo calls 2026-07-01 01:02:17 -07:00
tool_backend_helpers.py feat(tools): surface the free tool pool in entitlement + setup (#36153) 2026-06-01 06:32:48 +05:30
tool_output_limits.py fix: tool_output_limits re-reads config on every call (no caching) 2026-05-31 00:50:19 -07:00
tool_result_storage.py fix: keep persisted tool results inside their storage directory 2026-06-30 16:39:41 -07:00
tool_search.py fix(tool-search): scope bridge catalog + dispatch to the session's toolsets 2026-05-29 02:04:12 -07:00
transcription_tools.py fix(windows): hide remaining backend console-flash legs missed on main 2026-06-28 10:19:21 -05:00
tts_tool.py fix(windows): hide remaining backend console-flash legs missed on main 2026-06-28 10:19:21 -05:00
url_safety.py fix(security): close SSRF redirect-guard bypass across all httpx download hooks 2026-07-01 01:18:53 -07:00
video_generation_tool.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
vision_tools.py fix(security): close SSRF redirect-guard bypass across all httpx download hooks 2026-07-01 01:18:53 -07:00
voice_mode.py fix: prevent TUI gateway stdin EOF crash across all TUI-context subprocess calls 2026-06-08 22:46:57 -07:00
web_tools.py fix(web_extract): bound stored full-text size + give concrete read_file offset 2026-06-30 00:19:49 -07:00
website_policy.py chore(web): remove web_crawl tool + provider crawl plumbing (#33824) 2026-05-28 04:52:42 -07:00
write_approval.py fix(memory,skills): repair write-approval inline prompt, gateway staging, and gateway /skills review (#43452) 2026-06-10 02:57:15 -07:00
x_search_tool.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
xai_http.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
xai_video_tools.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
yuanbao_tools.py Fix unsafe gateway media path delivery 2026-05-23 01:40:35 -07:00