mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-30 11:52:04 +00:00
Subprocesses spawned outside the terminal/execute_code path (agent-browser,
copilot ACP, dep-ensure, lazy_deps uv install, TUI Node host, cli.exec)
inherited the operator's full credential environment via os.environ.copy().
The terminal path was already scrubbed by _HERMES_PROVIDER_ENV_BLOCKLIST
(#1002/#1264/#32314); these spawn sites bypassed it.
Adds hermes_subprocess_env(inherit_credentials=) in tools/environments/local.py
reusing the existing dynamic blocklist as the single source of truth:
- Tier 1 (_ALWAYS_STRIP_KEYS): gateway bot tokens, GitHub auth, infra
secrets -- stripped even for credential-inheriting children.
- Tier 2 (_HERMES_PROVIDER_ENV_BLOCKLIST): provider/tool keys -- stripped
unless inherit_credentials=True. The opt-in is grep-able for audit.
Browser worker keeps a _BROWSER_PASSTHROUGH_KEYS allowlist (BROWSERBASE/
FIRECRAWL) re-added after the strip. Model-driving children (ACP, TUI Node
host, cli.exec) use inherit_credentials=True so they still get provider keys
while losing Tier-1 secrets. Installers (dep-ensure, lazy_deps) inherit
nothing sensitive. cua_backend already routed through _sanitize_subprocess_env
on main -- left as-is. Gateway adapter utility spawns (gh pr comment, ffmpeg)
are left inheriting env: gh needs GH_TOKEN by design, ffmpeg is a trusted
system binary -- no untrusted-dependency exposure.
This is defense-in-depth (personal-assistant trust model: same-user spawns),
making the existing scrub policy uniform across the spawn surface; the main
real payoff is shrinking the blast radius if a transitive npm dep in
agent-browser is compromised.
Reconstructed on current main from the design in #31959 (Tranquil-Flow);
also credits #39003 (rodboev), #37843 (coygeek), #35769 (egilewski).
Co-authored-by: Tranquil-Flow <tranquil_flow@protonmail.com>
Co-authored-by: rodboev <rod.boev@gmail.com>
Co-authored-by: egilewski <egilewski@egilewski.com>
163 lines
5.3 KiB
Python
163 lines
5.3 KiB
Python
"""Lazy dependency bootstrapper for non-Python runtime deps.
|
|
|
|
Detection and prompting live here in Python — not in install.sh — because:
|
|
1. shutil.which() works on every platform; install.sh needs bash.
|
|
2. Detection is instant; spawning bash for a "is node installed?" check is waste.
|
|
3. Python controls the UX (rich prompts, non-interactive fallback, TTY detection).
|
|
|
|
install.sh is still the *installation* backend because it has 1900 lines of
|
|
battle-tested OS detection and package-manager logic (apt/brew/pacman/dnf/
|
|
zypper/Termux/…). Reimplementing that in Python would be huge duplication.
|
|
|
|
Deps that degrade gracefully (ripgrep → grep fallback, ffmpeg → skip conversion)
|
|
don't need ensure_dependency wired in — only hard-fail sites do (TUI needs node,
|
|
browser tool needs agent-browser).
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import os
|
|
import platform
|
|
import shutil
|
|
import subprocess
|
|
import sys
|
|
from pathlib import Path
|
|
|
|
from hermes_constants import agent_browser_runnable
|
|
from tools.environments.local import hermes_subprocess_env
|
|
|
|
_IS_WINDOWS = platform.system() == "Windows"
|
|
|
|
_DEP_CHECKS = {
|
|
"node": lambda: shutil.which("node") is not None,
|
|
"browser": lambda: (
|
|
agent_browser_runnable(shutil.which("agent-browser"))
|
|
or _has_system_browser()
|
|
or _has_hermes_agent_browser()
|
|
),
|
|
"ripgrep": lambda: shutil.which("rg") is not None,
|
|
"ffmpeg": lambda: shutil.which("ffmpeg") is not None,
|
|
}
|
|
|
|
_DEP_DESCRIPTIONS = {
|
|
"node": "Node.js (required for browser tools and TUI)",
|
|
"browser": "Browser engine (Chromium, for web browsing tools)",
|
|
"ripgrep": "ripgrep (fast file search)",
|
|
"ffmpeg": "ffmpeg (TTS voice messages)",
|
|
}
|
|
|
|
|
|
def _has_system_browser() -> bool:
|
|
if _IS_WINDOWS:
|
|
names = ("chrome", "msedge", "chromium")
|
|
else:
|
|
names = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser", "chrome")
|
|
for name in names:
|
|
if shutil.which(name):
|
|
return True
|
|
return False
|
|
|
|
|
|
def _has_hermes_agent_browser() -> bool:
|
|
from hermes_constants import get_hermes_home
|
|
home = get_hermes_home()
|
|
if _IS_WINDOWS:
|
|
# npm -g --prefix puts .cmd shims directly in the prefix dir on Windows
|
|
return (home / "node" / "agent-browser.cmd").is_file()
|
|
# install.sh installs globally into $HERMES_HOME/node/bin/ via npm -g --prefix
|
|
# Also check legacy node_modules/.bin/ path for git-clone installs.
|
|
return (
|
|
(home / "node" / "bin" / "agent-browser").is_file()
|
|
or (home / "node_modules" / ".bin" / "agent-browser").is_file()
|
|
)
|
|
|
|
|
|
def _find_install_script(
|
|
package_dir: Path | None = None,
|
|
repo_root: Path | None = None,
|
|
) -> tuple[Path | None, str | None]:
|
|
"""Locate the install script — bundled in wheel or in git checkout.
|
|
|
|
On Windows, prefers install.ps1; on POSIX, prefers install.sh.
|
|
Returns a (path, shell) tuple, or (None, None) if neither is found.
|
|
"""
|
|
if package_dir is None:
|
|
package_dir = Path(__file__).parent
|
|
if repo_root is None:
|
|
repo_root = package_dir.parent
|
|
|
|
if _IS_WINDOWS:
|
|
preferred = ("install.ps1", "powershell")
|
|
fallback = ("install.sh", "bash")
|
|
else:
|
|
preferred = ("install.sh", "bash")
|
|
fallback = ("install.ps1", "powershell")
|
|
|
|
for script_name, shell in (preferred, fallback):
|
|
bundled = package_dir / "scripts" / script_name
|
|
if bundled.is_file():
|
|
return bundled, shell
|
|
repo = repo_root / "scripts" / script_name
|
|
if repo.is_file():
|
|
return repo, shell
|
|
|
|
return None, None
|
|
|
|
|
|
def ensure_dependency(
|
|
dep: str,
|
|
interactive: bool = True,
|
|
) -> bool:
|
|
"""Ensure a non-Python dependency is available. Returns True if available."""
|
|
check = _DEP_CHECKS.get(dep)
|
|
if check is None:
|
|
# Unknown dep — don't silently forward to install script.
|
|
return False
|
|
if check():
|
|
return True
|
|
|
|
script, shell = _find_install_script()
|
|
if script is None:
|
|
if interactive:
|
|
desc = _DEP_DESCRIPTIONS.get(dep, dep)
|
|
print(f" {desc} is not installed and no install script was found.")
|
|
print(f" Install {dep} manually and try again.")
|
|
return False
|
|
|
|
if interactive and sys.stdin.isatty():
|
|
desc = _DEP_DESCRIPTIONS.get(dep, dep)
|
|
try:
|
|
reply = input(f"{desc} is not installed. Install now? [Y/n] ").strip().lower()
|
|
except (EOFError, KeyboardInterrupt):
|
|
return False
|
|
if reply not in ("", "y", "yes"):
|
|
return False
|
|
|
|
if shell == "powershell":
|
|
from hermes_constants import get_hermes_home
|
|
ps_bin = shutil.which("powershell") or shutil.which("pwsh")
|
|
if not ps_bin:
|
|
if interactive:
|
|
print(" PowerShell not found. Install PowerShell or run install.ps1 manually.")
|
|
return False
|
|
cmd = [
|
|
ps_bin,
|
|
"-ExecutionPolicy", "Bypass",
|
|
"-File", str(script),
|
|
"-Ensure", dep,
|
|
"-HermesHome", str(get_hermes_home()),
|
|
]
|
|
else:
|
|
cmd = ["bash", str(script), "--ensure", dep]
|
|
|
|
run_env = hermes_subprocess_env(inherit_credentials=False)
|
|
run_env["IS_INTERACTIVE"] = "false"
|
|
result = subprocess.run(
|
|
cmd,
|
|
env=run_env,
|
|
)
|
|
if result.returncode != 0:
|
|
return False
|
|
|
|
if check:
|
|
return check()
|
|
return True
|