fix(security): protect Hermes control-plane files from prompt injection

Adds active-HERMES_HOME control-plane files to the write deny list:
auth.json, config.yaml, webhook_subscriptions.json, and any path
under mcp-tokens/. realpath() resolves before comparison so
directory-traversal and symlink targets are normalised, preventing
trivial deny-list bypass via ../ tricks.

Without this, a prompt-injected agent could rewrite Hermes' own
auth state or routing config via write_file / patch — without
triggering the terminal dangerous-command approval — and persist
attacker-controlled behaviour across sessions.

Fixes #14072

agent/file_safety.py

@@ -97,6 +97,29 @@ def is_write_denied(path: str) -> bool:
         if resolved.startswith(prefix):
             return True
 
+    # New: Check for Hermes control files and mcp-tokens directory
+    hermes_home = _hermes_home_path()
+    hermes_home_real = os.path.realpath(hermes_home)
+
+    # Check for exact control files
+    hermes_control_files = [
+        os.path.join(hermes_home_real, "auth.json"),
+        os.path.join(hermes_home_real, "config.yaml"),
+        os.path.join(hermes_home_real, "webhook_subscriptions.json"),
+    ]
+    for control_file in hermes_control_files:
+        if resolved == os.path.realpath(control_file):
+            return True
+
+    # Check for anything inside mcp-tokens directory
+    mcp_tokens_dir = os.path.join(hermes_home_real, "mcp-tokens")
+    try:
+        mcp_tokens_dir_real = os.path.realpath(mcp_tokens_dir)
+        if resolved.startswith(mcp_tokens_dir_real + os.sep):
+            return True
+    except Exception:
+        pass
+
     safe_root = get_safe_write_root()
     if safe_root and not (resolved == safe_root or resolved.startswith(safe_root + os.sep)):
         return True