From 3278b423d5f094f9854795b3ee6f06e2beb0732e Mon Sep 17 00:00:00 2001
From: Coy Geek <65363919+coygeek@users.noreply.github.com>
Date: Tue, 2 Jun 2026 22:22:40 -0700
Subject: [PATCH] fix(dashboard): strip session token from subprocess env

Add HERMES_DASHBOARD_SESSION_TOKEN to the Hermes-managed subprocess environment blocklist so dashboard authorization material does not propagate into shell, PTY, or background process launches. Extend the local environment blocklist regression coverage to prove the dashboard session token is stripped like other Hermes-managed secrets.
---
 tests/tools/test_local_env_blocklist.py | 2 ++
 tools/environments/local.py | 1 +
 2 files changed, 3 insertions(+)

diff --git a/tests/tools/test_local_env_blocklist.py b/tests/tools/test_local_env_blocklist.py
index 0e0520387e1..7d7545fa8c5 100644
--- a/tests/tools/test_local_env_blocklist.py
+++ b/tests/tools/test_local_env_blocklist.py
@@ -176,6 +176,7 @@ class TestProviderEnvBlocklist:
 "HASS_TOKEN": "ha-secret",
 "EMAIL_PASSWORD": "email-secret",
 "FIRECRAWL_API_KEY": "fc-secret",
+"HERMES_DASHBOARD_SESSION_TOKEN": "dashboard-session-secret",
 "BROWSERBASE_PROJECT_ID": "bb-project",
 "ELEVENLABS_API_KEY": "el-secret",
 "GITHUB_TOKEN": "ghp_secret",
@@ -362,6 +363,7 @@ class TestBlocklistCoverage:
 "EMAIL_SMTP_HOST",
 "EMAIL_HOME_ADDRESS",
 "EMAIL_HOME_ADDRESS_NAME",
+"HERMES_DASHBOARD_SESSION_TOKEN",
 "GATEWAY_ALLOWED_USERS",
 "GH_TOKEN",
 "GITHUB_APP_ID",
diff --git a/tools/environments/local.py b/tools/environments/local.py
index 4cc65d80af5..68ff2577473 100644
--- a/tools/environments/local.py
+++ b/tools/environments/local.py
@@ -175,6 +175,7 @@ def _build_provider_env_blocklist() -> frozenset:
 "EMAIL_SMTP_HOST",
 "EMAIL_HOME_ADDRESS",
 "EMAIL_HOME_ADDRESS_NAME",
+"HERMES_DASHBOARD_SESSION_TOKEN",
 "GATEWAY_ALLOWED_USERS",
 "GH_TOKEN",
 "GITHUB_APP_ID",
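Review bot: The new `"HERMES_DASHBOARD_SESSION_TOKEN",` entry in TestBlocklistCoverage is inserted between `EMAIL_HOME_ADDRESS_NAME` and `GATEWAY_ALLOWED_USERS`, which breaks the alphabetical run the neighbouring names keep (EMAIL…, GATEWAY…, GH_…, GITHUB_…); placing it after the `GITHUB_*` entries keeps this list sortable and makes it easy to diff against the builder's list. This expected list looks like a verbatim mirror of the set built in `tools/environments/local.py`, so it catches the two drifting apart but does not by itself show the token is absent from the environment handed to a shell, PTY or background launch as the commit message claims; the earlier hunk's fixture dict presumably drives that check, but its assertions fall outside what is shown here. Both hunks sit inside class bodies that begin and end outside the hunk.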
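Review bot: An exact-name denylist protects only this one spelling of the secret, so the added `"HERMES_DASHBOARD_SESSION_TOKEN",` line guards the current name and nothing derived from it; if `_build_provider_env_blocklist` (its body begins outside the hunk) does not already apply a suffix rule, consider stripping any name ending in `_SESSION_TOKEN`, `_TOKEN`, `_SECRET`, `_PASSWORD` or `_API_KEY` in addition to the literal set, so the next dashboard or gateway credential is covered by default rather than by someone remembering to extend this list. The entry is also out of the alphabetical order its neighbours follow (EMAIL…, GATEWAY…, GH_…, GITHUB_…); move it after the `GITHUB_*` run. A one-line comment would help the next maintainer, e.g. `# Dashboard session token: stripped from every Hermes-launched subprocess env; note that env stripping does nothing if the child can read the same token from a config or session file on disk.`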