hermes-agent/gateway/platforms
Hinotoi-agent 3bace071bf fix(state): restrict sensitive store file permissions
response_store.db (api server) holds conversation history including tool
payloads, prompts, and results. webhook_subscriptions.json holds per-route
HMAC secrets. Under a permissive umask (e.g. 0o022, default on most
distros) both files were created mode 0o644 — readable by other local
users on shared boxes.

- gateway/platforms/api_server.py: ResponseStore tightens itself + WAL/SHM
  sidecars to 0o600 after __init__, then trusts the inode. (Original
  contributor patch chmod'd after every _commit() — wasteful on a hot
  api_server path; chmod-on-create is sufficient since SQLite preserves
  mode bits across writes.)

- hermes_cli/webhook.py: _save_subscriptions writes via tempfile.mkstemp
  (which itself creates the file with 0o600), chmods the temp before the
  atomic rename, and re-asserts 0o600 on the destination so an existing
  permissive file from before this fix gets narrowed.

Tests cover (a) creation under permissive umask leaves 0o600 and (b) an
existing 0o644 webhook_subscriptions.json gets narrowed on next save.
Tests are guarded with skipif os.name=='nt' since POSIX mode bits don't apply
on Windows.

Salvaged from PR #30917 by @Hinotoi-agent. Reworked the api_server.py
side from chmod-on-every-commit to chmod-on-create.

Co-authored-by: teknium1 <127238744+teknium1@users.noreply.github.com>
2026-05-24 04:55:18 -07:00
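The write sequence the commit describes for _save_subscriptions (mkstemp, chmod the temp, atomic rename, re-assert 0o600 on the destination), as an added example that is not the project's code; save_json_private and demo are hypothetical names and the secret values are constructed placeholders:

```python
import json
import os
import shutil
import tempfile

SECURE_MODE = 0o600  # owner read/write only

def save_json_private(path: str, data: dict) -> int:
    """Write ``data`` as JSON to ``path`` without ever exposing it at a
    broader-than-owner mode, and narrow a pre-existing permissive file.
    Returns the final permission bits of ``path``. (hypothetical helper)"""
    directory = os.path.dirname(os.path.abspath(path))
    # 1. mkstemp() creates the temp file 0o600 regardless of the umask.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-", suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh, indent=2, sort_keys=True)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp_path, SECURE_MODE)  # 2. explicit chmod before the swap
        os.replace(tmp_path, path)       # 3. atomic rename into place
    except BaseException:
        if os.path.exists(tmp_path):     # never leave a half-written temp behind
            os.unlink(tmp_path)
        raise
    os.chmod(path, SECURE_MODE)          # 4. re-assert on the destination
    return os.stat(path).st_mode & 0o777

def demo() -> tuple:
    """Reproduce the commit's two test scenarios under a permissive umask:
    (mode of a freshly created file, mode of a legacy 0o644 file before
    the save, its mode after the save)."""
    old_umask = os.umask(0o022)
    workdir = tempfile.mkdtemp()
    try:
        # constructed sample data standing in for per-route HMAC secrets
        secrets = {"/hooks/demo": {"hmac_secret": "CONSTRUCTED-PLACEHOLDER"}}
        created = save_json_private(os.path.join(workdir, "fresh.json"), secrets)
        legacy = os.path.join(workdir, "legacy.json")
        with open(legacy, "w", encoding="utf-8") as fh:
            fh.write("{}")
        os.chmod(legacy, 0o644)          # simulate a file from before the fix
        before = os.stat(legacy).st_mode & 0o777
        after = save_json_private(legacy, secrets)
        return created, before, after
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir, ignore_errors=True)
```

On a POSIX system demo() returns (0o600, 0o644, 0o600); the rename keeps the temp file's inode, so the mode survives the swap and the final chmod only matters for a destination that was already permissive.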
qqbot fix(qqbot): authorize approval button interactions by session owner (#30737) 2026-05-24 04:25:12 -07:00
__init__.py perf(gateway): defer QQAdapter and YuanbaoAdapter imports via PEP 562 (#22790) 2026-05-09 13:17:48 -07:00
_http_client_limits.py fix(gateway): tighten httpx keepalive and close whatsapp typing-response leak (#18451) 2026-05-02 02:23:37 -07:00
ADDING_A_PLATFORM.md refactor(plugins): add apply_yaml_config_fn registry hook 2026-05-13 22:20:30 -07:00
api_server.py fix(state): restrict sensitive store file permissions 2026-05-24 04:55:18 -07:00
base.py fix(gateway): drop text snippet from debounce debug log (CodeQL) 2026-05-24 01:31:45 -07:00
bluebubbles.py chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937) 2026-05-11 11:13:25 -07:00
dingtalk.py fix(dingtalk): finalize open streaming cards before disconnect 2026-05-23 20:48:56 -07:00
email.py chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937) 2026-05-11 11:13:25 -07:00
feishu.py fix(feishu): validate verification token before reflecting url_verification challenge 2026-05-24 04:51:19 -07:00
feishu_comment.py chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937) 2026-05-11 11:13:25 -07:00
feishu_comment_rules.py chore: ruff auto-fix C401, C416, C408, PLR1722 (#23940) 2026-05-11 11:20:58 -07:00
helpers.py fix(gateway): preserve underscores in plain-text identifiers 2026-05-16 23:11:43 -07:00
homeassistant.py chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937) 2026-05-11 11:13:25 -07:00
matrix.py fix(matrix): implement thread_require_mention to prevent multi-agent reply loops 2026-05-19 00:04:23 -07:00
mattermost.py fix(mattermost): resolve thread root_id and route progress to threads 2026-05-18 20:09:08 -07:00
msgraph_webhook.py Harden msgraph webhook auth requirements (#30169) 2026-05-24 04:25:20 -07:00
signal.py feat(signal): add require_mention filter for group chats 2026-05-18 23:59:05 -07:00
signal_rate_limit.py feat(gateway/signal): add support for multiple images sending 2026-04-30 04:28:08 -07:00
slack.py fix(gateway): add trust_env=True to aiohttp sessions in SMS, Slack, Teams, Google Chat adapters 2026-05-16 23:11:43 -07:00
sms.py fix(gateway): add trust_env=True to aiohttp sessions in SMS, Slack, Teams, Google Chat adapters 2026-05-16 23:11:43 -07:00
telegram.py fix(telegram): preserve observed group slash commands 2026-05-23 16:26:28 -07:00
telegram_network.py fix(telegram): reset sticky fallback IP on connect failure, retry primary DNS 2026-05-18 22:14:45 -07:00
webhook.py fix(webhook): use 403 not 500 for missing-secret rejection 2026-05-24 04:47:45 -07:00
wecom.py fix(wecom): guard flush task against cancel-delivery race to prevent message loss 2026-05-24 01:33:40 -07:00
wecom_callback.py fix(wecom-callback): retry send with fresh token on errcode 40001/42001 2026-05-24 01:30:47 -07:00
wecom_crypto.py feat(gateway): add WeCom callback-mode adapter for self-built apps 2026-04-11 15:22:49 -07:00
weixin.py Fix unsafe gateway media path delivery 2026-05-23 01:40:35 -07:00
whatsapp.py fix(gateway): keep running when platforms fail; add per-platform circuit breaker + /platform (#26600) 2026-05-15 14:32:14 -07:00
yuanbao.py feat(state.db): persist platform_message_id; restore yuanbao exact-id recall 2026-05-20 13:00:57 -07:00
yuanbao_media.py chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937) 2026-05-11 11:13:25 -07:00
yuanbao_proto.py chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937) 2026-05-11 11:13:25 -07:00
yuanbao_sticker.py yuanbao platform (#16298) 2026-04-26 18:50:49 -07:00