mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-08 13:12:08 +00:00
Adds approvals.deny to config.yaml — a list of fnmatch globs matched against terminal commands. A match blocks unconditionally, BEFORE the --yolo / /yolo / approvals.mode=off bypass, making it the user-editable counterpart to the code-shipped hardline blocklist. - Checked in both command gates (check_dangerous_command and check_all_command_guards), after the hardline floor and sudo-stdin guard, before the yolo bypass and permanent allowlist. - Matching runs over the same normalized/deobfuscated command variants as the dangerous-pattern detector, case-insensitive. - Opt-in: empty/absent list is a no-op; behavior unchanged. Supersedes the trust-engine approach from #21500 with a minimal config-native design: the only capability the existing stack lacked was deny-that-beats-yolo. Allow already exists (command_allowlist), ask already exists (session approvals). |
||
|---|---|---|
| .. | ||
| developer-guide | ||
| getting-started | ||
| guides | ||
| integrations | ||
| reference | ||
| user-guide | ||
| index.mdx | ||
| user-stories.mdx | ||