fix(docker): add explicit env allowlist for container credentials (#1436)

Docker terminal sessions are secret-dark by default. This adds terminal.docker_forward_env as an explicit allowlist for env vars that may be forwarded into Docker containers. Values resolve from the current shell first, then fall back to ~/.hermes/.env. Only variables the user explicitly lists are forwarded — nothing is auto-exposed. Cherry-picked from PR #1449 by @teknium1, conflict-resolved onto current main. Fixes #1436 Supersedes #1439
2026-04-25 00:51:20 +00:00 · 2026-03-17 02:34:25 -07:00 · 2026-03-17 02:34:25 -07:00 · 556e0f4b43
commit 556e0f4b43
parent d50e0711c2
12 changed files with 170 additions and 2 deletions
--- a/tools/terminal_tool.py
+++ b/tools/terminal_tool.py
@ -505,6 +505,7 @@ def _get_env_config() -> Dict[str, Any]:
    return {
        "env_type": env_type,
        "docker_image": os.getenv("TERMINAL_DOCKER_IMAGE", default_image),
+        "docker_forward_env": _parse_env_var("TERMINAL_DOCKER_FORWARD_ENV", "[]", json.loads, "valid JSON"),
        "singularity_image": os.getenv("TERMINAL_SINGULARITY_IMAGE", f"docker://{default_image}"),
        "modal_image": os.getenv("TERMINAL_MODAL_IMAGE", default_image),
        "daytona_image": os.getenv("TERMINAL_DAYTONA_IMAGE", default_image),
@ -562,6 +563,7 @@ def _create_environment(env_type: str, image: str, cwd: str, timeout: int,
    disk = cc.get("container_disk", 51200)
    persistent = cc.get("container_persistent", True)
    volumes = cc.get("docker_volumes", [])
+    docker_forward_env = cc.get("docker_forward_env", [])

    if env_type == "local":
        lc = local_config or {}
@ -576,6 +578,7 @@ def _create_environment(env_type: str, image: str, cwd: str, timeout: int,
            volumes=volumes,
            host_cwd=host_cwd,
            auto_mount_cwd=cc.get("docker_mount_cwd_to_workspace", False),
+            forward_env=docker_forward_env,
        )
    
    elif env_type == "singularity":