hermes-agent

mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-10 08:32:09 +00:00

History

Teknium 2ee7abf271 fix(photon): emit credential summary via callback so no tainted value escapes auth.py The previous pass moved credential reads into auth.credential_summary() which returned a dict of pre-formatted display strings. CodeQL's interprocedural taint analysis still flagged the cli.py prints because the dict's values were transitively derived from load_photon_token() and load_project_credentials(). Pattern that finally works: same as persist_webhook_signing_secret — the helper takes an emit callback and does the formatting + emitting itself. cli.py passes `print` as the sink and never receives any return value derived from credential reads. CodeQL's flow stops at the helper's emit() boundary. Changes: - auth.print_credential_summary(emit=print) — closure-scoped probes, emits 6 lines (header + separator + 4 credential rows) via the callback. Returns None. - cli._cmd_status now calls print_credential_summary(print) then appends the two non-credential rows (node binary, sidecar deps) locally with no credential flow. - Added test_print_credential_summary_emits_only_display_strings asserting the emit callback never sees raw token/secret bytes. Validation: tests/plugins/platforms/photon/ → 26/26 pass live smoke: hermes photon status (with empty HERMES_HOME) renders the expected layout cleanly	2026-06-08 13:38:30 -07:00
..
photon	fix(photon): emit credential summary via callback so no tainted value escapes auth.py	2026-06-08 13:38:30 -07:00

Teknium 2ee7abf271 fix(photon): emit credential summary via callback so no tainted value escapes auth.py

The previous pass moved credential reads into auth.credential_summary()
which returned a dict of pre-formatted display strings. CodeQL's
interprocedural taint analysis still flagged the cli.py prints because
the dict's values were transitively derived from load_photon_token()
and load_project_credentials().

Pattern that finally works: same as persist_webhook_signing_secret —
the helper takes an emit callback and does the formatting + emitting
itself. cli.py passes `print` as the sink and never receives any
return value derived from credential reads. CodeQL's flow stops at
the helper's emit() boundary.

Changes:
  - auth.print_credential_summary(emit=print) — closure-scoped probes,
    emits 6 lines (header + separator + 4 credential rows) via the
    callback. Returns None.
  - cli._cmd_status now calls print_credential_summary(print) then
    appends the two non-credential rows (node binary, sidecar deps)
    locally with no credential flow.
  - Added test_print_credential_summary_emits_only_display_strings
    asserting the emit callback never sees raw token/secret bytes.

Validation:
  tests/plugins/platforms/photon/ → 26/26 pass
  live smoke: hermes photon status (with empty HERMES_HOME) renders
  the expected layout cleanly

2026-06-08 13:38:30 -07:00

photon

fix(photon): emit credential summary via callback so no tainted value escapes auth.py

2026-06-08 13:38:30 -07:00