fix(file-safety): widen read-deny to .env, mcp-tokens/, webhook secrets, root

Extends @briandevans's PR #17659 from {auth.json, auth.lock,
.anthropic_oauth.json} to also cover:

  - HERMES_HOME/.env                       (provider API keys)
  - HERMES_HOME/webhook_subscriptions.json (per-route HMAC secrets)
  - HERMES_HOME/mcp-tokens/                (OAuth token directory; dir
                                            + everything inside)

…AND iterates over both _hermes_home_path() AND _hermes_root_path()
so profile-mode runs (HERMES_HOME = <root>/profiles/<name>) also block
<root>/{auth.json, .env, mcp-tokens/, ...}. Same widening shape as the
write-deny side already does (#15981, #14157).

Explicitly NOT a security boundary. Per the personal-assistant trust
model, the terminal tool runs as the same OS user and can `cat
auth.json` directly. This read-deny exists as defense-in-depth:

  - Models that respect tool denials empirically tend to stop rather
    than reach for the shell.
  - The denial surfaces an audit trail when something tries to read
    credentials — easier to spot in logs than a generic `cat`.

Docstring + error message both flag this as defense-in-depth so future
contributors don't mistake it for a real security boundary and don't
re-decline reports that propose the same fix shape.

Absorbs the .env and mcp-tokens/ coverage from @tomqiaozc's parallel
PR #8055 (closed-as-duplicate, credited).

Co-authored-by: Tom Qiao <zqiao@microsoft.com>

tests/agent/test_file_safety_credentials.py

@@ -147,3 +147,129 @@ def test_read_file_tool_blocks_relative_path_under_terminal_cwd(
     out = json.loads(ft.read_file_tool("auth.json"))
     assert "error" in out
     assert "credential store" in out["error"]
+
+
+# ---------------------------------------------------------------------------
+# Widening: .env, webhook_subscriptions.json, mcp-tokens/
+# ---------------------------------------------------------------------------
+
+
+def test_dotenv_blocked(fake_home):
+    """.env in HERMES_HOME holds API keys — blocked."""
+    from agent.file_safety import get_read_block_error
+
+    env = _create(fake_home, ".env")
+    err = get_read_block_error(str(env))
+    assert err is not None
+    assert "credential store" in err
+
+
+def test_webhook_subscriptions_blocked(fake_home):
+    """webhook_subscriptions.json holds per-route HMAC secrets — blocked."""
+    from agent.file_safety import get_read_block_error
+
+    subs = _create(fake_home, "webhook_subscriptions.json")
+    err = get_read_block_error(str(subs))
+    assert err is not None
+    assert "credential store" in err
+
+
+def test_mcp_tokens_file_blocked(fake_home):
+    """Files under mcp-tokens/ hold OAuth tokens — blocked."""
+    from agent.file_safety import get_read_block_error
+
+    tok = _create(fake_home, Path("mcp-tokens") / "github.json")
+    err = get_read_block_error(str(tok))
+    assert err is not None
+    assert "MCP token" in err
+
+
+def test_mcp_tokens_nested_blocked(fake_home):
+    """Nested files inside mcp-tokens/ are also blocked."""
+    from agent.file_safety import get_read_block_error
+
+    tok = _create(fake_home, Path("mcp-tokens") / "providers" / "azure.json")
+    err = get_read_block_error(str(tok))
+    assert err is not None
+    assert "MCP token" in err
+
+
+def test_mcp_tokens_dir_itself_blocked(fake_home):
+    """The mcp-tokens directory itself is blocked (listing is exfiltrating)."""
+    from agent.file_safety import get_read_block_error
+
+    tokens_dir = fake_home / "mcp-tokens"
+    tokens_dir.mkdir(parents=True, exist_ok=True)
+    err = get_read_block_error(str(tokens_dir))
+    assert err is not None
+    assert "MCP token" in err
+
+
+def test_identically_named_files_outside_hermes_home_not_blocked(
+    fake_home, tmp_path
+):
+    """A project's ``.env``, ``auth.json``, or ``mcp-tokens/`` outside
+    HERMES_HOME must remain readable — the gate is per-location, not
+    per-filename."""
+    from agent.file_safety import get_read_block_error
+
+    project = tmp_path / "myproject"
+    project.mkdir()
+    for rel in (".env", "auth.json"):
+        p = project / rel
+        p.write_text("not secret here", encoding="utf-8")
+        assert get_read_block_error(str(p)) is None, (
+            f"{rel} outside HERMES_HOME should NOT be blocked"
+        )
+
+    tokens = project / "mcp-tokens"
+    tokens.mkdir()
+    tok_file = tokens / "token.json"
+    tok_file.write_text("not really a token", encoding="utf-8")
+    assert get_read_block_error(str(tok_file)) is None
+
+
+def test_config_yaml_not_blocked(fake_home):
+    """config.yaml is NOT a credential file — agent should still be
+    able to read it for debugging.  (Writes are denied separately by
+    is_write_denied; reads stay allowed.)"""
+    from agent.file_safety import get_read_block_error
+
+    cfg = _create(fake_home, "config.yaml")
+    assert get_read_block_error(str(cfg)) is None
+
+
+def test_profile_mode_blocks_root_credentials(tmp_path, monkeypatch):
+    """Under a profile, HERMES_HOME = <root>/profiles/<name>, but
+    <root>/auth.json must ALSO be blocked — credentials at root are
+    inherited by every profile."""
+    import agent.file_safety as fs
+
+    root = tmp_path / "hermes"
+    profile = root / "profiles" / "coder"
+    profile.mkdir(parents=True)
+    monkeypatch.setattr(fs, "_hermes_home_path", lambda: profile)
+    monkeypatch.setattr(fs, "_hermes_root_path", lambda: root)
+
+    from agent.file_safety import get_read_block_error
+
+    # Profile-local credential store: blocked
+    profile_auth = profile / "auth.json"
+    profile_auth.write_text("x")
+    assert "credential store" in (get_read_block_error(str(profile_auth)) or "")
+
+    # Root-level credential store: ALSO blocked (this is the widening)
+    root_auth = root / "auth.json"
+    root_auth.write_text("x")
+    assert "credential store" in (get_read_block_error(str(root_auth)) or "")
+
+    # Root-level .env: blocked too
+    root_env = root / ".env"
+    root_env.write_text("x")
+    assert "credential store" in (get_read_block_error(str(root_env)) or "")
+
+    # Root-level mcp-tokens: blocked
+    root_tok = root / "mcp-tokens" / "gh.json"
+    root_tok.parent.mkdir(parents=True, exist_ok=True)
+    root_tok.write_text("x")
+    assert "MCP token" in (get_read_block_error(str(root_tok)) or "")