mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-09 08:21:50 +00:00
CodeQL was still flagging three taint-flow alerts in cli.py — its
flow tracker keeps spreading the 'sensitive' label through every
variable that even touched a credential-returning function, including
'has_token = bool(load_photon_token())' and the redacted-response
dict returned by persist_webhook_signing_secret.
Refactor:
1. cli.py _cmd_status now calls a new auth.credential_summary() that
returns a {key: pre-formatted display string} dict. All probes +
bool checks happen inside the helper. cli.py never sees a token
or secret variable, only literals like '✓ stored' / '✗ missing'.
2. persist_webhook_signing_secret(webhook_data, *, on_summary=print)
now owns the formatting + writing + status messages. It returns
only a bool. The redacted-response JSON dump + 'saved to <path>'
confirmation are emitted via the on_summary callback, so cli.py
passes as the sink and never receives the path/dict back.
cli.py is now mechanical: register_webhook → persist (with print)
→ return 0/1. Zero credential-tainted variables in cli.py at all.
3. Tests updated for the new signatures and a credential_summary
guard added (the helper must never leak raw token/secret bytes
into its return strings).
Validation:
tests/plugins/platforms/photon/ → 25/25 pass
scripts/check-windows-footguns.py --all → 0 footguns
py_compile clean
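The pattern this commit describes, as an added illustration that is not hermes-agent's own code: a `credential_summary()` helper that probes credentials internally and returns only display strings, and a `persist_webhook_signing_secret()` that returns a bool and routes the redacted dump plus the "saved to" line through an `on_summary` sink. `load_photon_token`, the credential store and the file path are stand-ins assumed here so the block runs offline.

```python
import json
import os
import tempfile
from typing import Callable, Dict, Optional

# Constructed sample store standing in for the project's real credential lookup.
_FAKE_STORE = {"photon_token": "tok_constructed_secret_value"}


def load_photon_token() -> Optional[str]:
    # Assumed stand-in for the project's credential-returning probe.
    return _FAKE_STORE.get("photon_token")


def credential_summary() -> Dict[str, str]:
    """Probe credentials here; hand the caller only pre-formatted status literals."""
    summary: Dict[str, str] = {}
    summary["photon_token"] = "✓ stored" if bool(load_photon_token()) else "✗ missing"
    return summary


def persist_webhook_signing_secret(webhook_data: dict, *,
                                   on_summary: Callable[[str], None] = print,
                                   path: Optional[str] = None) -> bool:
    """Write the secret, emit a redacted view via on_summary, return success only."""
    secret = webhook_data.get("signing_secret")
    if not secret:
        on_summary("no signing secret in webhook response")
        return False
    path = path or os.path.join(tempfile.gettempdir(), "webhook_signing_secret.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"signing_secret": secret}, fh)
    os.chmod(path, 0o600)  # owner-only; the secret never leaves this function
    redacted = {k: ("<redacted>" if k == "signing_secret" else v)
                for k, v in webhook_data.items()}
    on_summary(json.dumps(redacted, indent=2))
    on_summary(f"saved to {path}")
    return True


def leaks_raw_secret(summary: Dict[str, str]) -> bool:
    """Guard from the commit: no summary string may contain raw token bytes."""
    raw = load_photon_token() or ""
    return bool(raw) and any(raw in value for value in summary.values())
```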