mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-01 12:02:05 +00:00
* fix(security): redact secrets in background process + foreground env-dump output

  Terminal-output redaction was incomplete (#43025):

  - Gap 1: process(action=poll/log/wait) returned background stdout verbatim — no redaction at all. A background printenv/server/test emitting a key leaked raw to the model, session.db, and CLI display. Same for the gateway background-process watcher's completion/progress notifications.
  - Gap 2: the foreground terminal path hardcoded code_file=True, which skips the ENV-assignment pass, so an opaque token (no vendor prefix) from env/printenv leaked even there.

  Adds agent.redact.redact_terminal_output(output, command) as the single policy for ALL terminal-output surfaces: env-dump commands (env/printenv/set/export/declare) get the ENV-assignment pass (code_file=False) to mask opaque tokens; other commands stay on code_file=True to avoid false positives on source dumps. Wired into terminal_tool, process_registry (_handle_process boundary), and the gateway watcher. Respects security.redact_secrets (no force) — opt-out preserved.

* docs: add infographic for #43025 terminal-output redaction fix

| | | |
|---|---|---|
| .. | ||
| 43083-secret-redaction | ||
| 53175-gateway-cleanup-off-loop | ||
| atomic-env-snapshot-38249 | ||
| auth-login-hint-fix | ||
| ci-file-timeout-300 | ||
| clarify-expiry-32762 | ||
| content-filter-fallback | ||
| discord-no-bot2bot | ||
| eager-fallback-transport | ||
| empty-400-unmasked | ||
| gateway-force-exit-53107 | ||
| intent-ack-continuation | ||
| model-name-canon | ||
| model-picker-fixes | ||
| partial-stream-recovery | ||
| pr-27539 | ||
| pr-29285-provider-precedence | ||
| pr-54028-pty-fd-leak | ||
| redact-terminal-43025 | ||
| skills-sync-external-dirs | ||
| standalone-plugin-policy | ||
| state-db-fullfsync | ||
| telegram-send-path-35205 | ||
| vision-any-provider | ||
| whatsapp-lid-session-fix | ||
| whatsapp-send-queue | ||
| windows-update-loop-52378 | ||