fix: address remaining review items from cursor bugbot

- hermes_cli/main.py: move container routing BEFORE parse_args() so --help, unrecognised flags, and all subcommands are forwarded transparently into the container instead of being intercepted by argparse on the host (high severity) - nix/nixosModules.nix: resolve home dirs via config.users.users.${user}.home instead of hardcoding /home/${user}, supporting users with custom home directories (medium severity) - nix/nixosModules.nix: gate hostUsers group membership on container.enable so setting hostUsers without container mode doesn't silently add users to the hermes group (low severity)
2026-04-25 00:51:20 +00:00 · 2026-04-11 18:19:37 +00:00 · 2026-04-11 18:19:37 +00:00 · 726cf90f98
commit 726cf90f98
parent 38277a6a95
2 changed files with 10 additions and 7 deletions
--- a/hermes_cli/main.py
+++ b/hermes_cli/main.py
@ -5758,12 +5758,11 @@ Examples:
    # Pre-process argv so unquoted multi-word session names after -c / -r
    # are merged into a single token before argparse sees them.
    # e.g. ``hermes -c Pokemon Agent Dev`` → ``hermes -c 'Pokemon Agent Dev'``
-    _processed_argv = _coalesce_session_name_args(sys.argv[1:])
-    args = parser.parse_args(_processed_argv)
-
    # ── Container-aware routing ────────────────────────────────────────
    # When NixOS container mode is active, route ALL subcommands into
-    # the managed container. This runs before any subcommand dispatch.
+    # the managed container.  This MUST run before parse_args() so that
+    # --help, unrecognised flags, and every subcommand are forwarded
+    # transparently instead of being intercepted by argparse on the host.
    try:
        from hermes_cli.config import get_container_exec_info
        container_info = get_container_exec_info()
@ -5775,6 +5774,9 @@ Examples:
    except Exception:
        pass  # Container routing unavailable, proceed locally

+    _processed_argv = _coalesce_session_name_args(sys.argv[1:])
+    args = parser.parse_args(_processed_argv)
+
    # Handle --version flag
    if args.version:
        cmd_version(args)
--- a/nix/nixosModules.nix
+++ b/nix/nixosModules.nix
@ -568,7 +568,7 @@
      })

      # ── Host user group membership ─────────────────────────────────────
-      (lib.mkIf (cfg.container.hostUsers != []) {
+      (lib.mkIf (cfg.container.enable && cfg.container.hostUsers != []) {
        users.users = lib.genAttrs cfg.container.hostUsers (user: {
          extraGroups = [ cfg.group ];
        });
@ -659,7 +659,8 @@ HERMES_CONTAINER_MODE_EOF
            # Remove symlink bridge for hostUsers
            ${lib.concatStringsSep "\n" (map (user:
              let
-                symlinkPath = "/home/${user}/.hermes";
+                userHome = config.users.users.${user}.home;
+                symlinkPath = "${userHome}/.hermes";
              in ''
                if [ -L "${symlinkPath}" ] && [ "$(readlink "${symlinkPath}")" = "${cfg.stateDir}/.hermes" ]; then
                  rm -f "${symlinkPath}"
@ -675,7 +676,7 @@ HERMES_CONTAINER_MODE_EOF
          ${lib.optionalString cfg.container.enable
            (lib.concatStringsSep "\n" (map (user:
              let
-                userHome = "/home/${user}";
+                userHome = config.users.users.${user}.home;
                symlinkPath = "${userHome}/.hermes";
                target = "${cfg.stateDir}/.hermes";
              in ''