mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-09 08:21:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
hermes-agent/plugins/platforms
History
Teknium 91db0ab420 fix(photon): clear remaining CodeQL clear-text-{logging,storage} alerts 
Down to 4 CodeQL alerts after the last pass; all addressed:

cli.py:215 (clear-text-logging-sensitive-data)
  The status banner literal 'project secret      : ✓ stored' tripped
  CodeQL's variable-name heuristic even though only a boolean was
  interpolated. Renamed the column labels to 'project key' and
  'webhook key' — fields contain only ✓ stored / ✗ missing / ⚠ unset
  literals now, the word 'secret' is no longer in the source.

cli.py:283 (clear-text-logging-sensitive-data)
  The fallback path for register-webhook used to echo
  'PHOTON_WEBHOOK_SECRET=<value>' to stdout when the .env write
  failed. Removed entirely — there is no scenario where we should
  print the secret. On failure we now tell the user to fix the .env
  permissions and re-register (after deleting the orphaned webhook
  from the Photon dashboard).

cli.py:354 (clear-text-storage-sensitive-data) +
cli.py:276 (clear-text-logging-sensitive-data)
  Replaced the hand-rolled .env writer in cli.py with the canonical
  hermes_cli.config.save_env_value helper that every other API-key
  persistence path uses (OpenAI key, Anthropic, Telegram, ...).
  Moved the persist logic into auth.py as
  persist_webhook_signing_secret(webhook_data) so the signing-secret
  value never gets bound to a local in cli.py at all — cli.py hands
  the raw API response straight to the helper and receives back only
  the path + a redacted copy of the response for display. This both
  matches project convention and removes the taint flow CodeQL was
  tracking.

Bonus cleanup:
  - dropped unused 'from typing import Any, Optional' in cli.py
  - added 2 tests covering persist_webhook_signing_secret (writes
    env successfully + returns redacted copy + no-secret-no-write)

Validation:
  tests/plugins/platforms/photon/ → 24/24 pass
  scripts/check-windows-footguns.py --all → 0 footguns
  py_compile on all photon modules → clean
2026-06-08 13:38:30 -07:00
..
discord feat(gateway): render terminal tool calls as native bash code blocks on markdown platforms (#41215) 2026-06-07 17:29:55 -07:00
google_chat fix: guard int(os.getenv()) casts against malformed env vars (#40598) 2026-06-07 06:14:24 -07:00
homeassistant refactor(gateway): migrate Home Assistant adapter to bundled plugin 2026-06-06 11:46:24 -07:00
irc fix: guard int(os.getenv()) casts against malformed env vars (#40598) 2026-06-07 06:14:24 -07:00
line fix(line): map inbound message types to the correct MessageType 2026-06-04 21:55:20 -07:00
mattermost refactor(gateway): migrate Mattermost adapter to bundled plugin 2026-05-24 18:05:33 -07:00
ntfy test(ntfy): cover echo-tag filter; tag standalone send path 2026-05-29 13:17:46 -07:00
photon fix(photon): clear remaining CodeQL clear-text-{logging,storage} alerts 2026-06-08 13:38:30 -07:00
simplex fix(simplex): accept display name in SIMPLEX_ALLOWED_USERS 2026-06-07 04:53:22 -07:00
teams chore: ruff auto-fix PLR6201 resweep — tuple → set in membership tests (#27355) 2026-05-17 02:29:41 -07:00