mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-10 08:32:09 +00:00
1495f0cc38
* fix(file-safety): extend sandbox-mirror guard to cover inner-container path (#32049) Brian's shape-based guard (#32213) catches paths that still carry the full sandboxes/<backend>/<task>/home/.hermes/… prefix on the host side. The inner-container case is not covered: when file tools execute inside Docker the bind-mount strips that prefix, so the guard receives plain /root/.hermes/… and passes through. The root:root ownership on the divergent SOUL.md in #32049 confirms this is the primary failure mode. Add a ContextVar (_CONTAINER_HERMES_MIRROR) set by DockerEnvironment when persistent=True. classify_container_mirror_target / get_container_ mirror_warning detect any write whose resolved path falls under that prefix, using the same warning format and cross_profile=True bypass contract as the existing guards. Chain the new guard in _check_cross_profile_path after the two existing detectors. * fix(file-safety): derive Docker mirror guard from task --------- Co-authored-by: Ben <ben@nousresearch.com>
106 lines
3.9 KiB
Python
106 lines
3.9 KiB
Python
"""Tests for the container-context sandbox-mirror guard (#32049 follow-up).
|
|
|
|
Brian's shape-based guard (#32213) catches paths that carry the full
|
|
``…/sandboxes/<backend>/<task>/home/.hermes/…`` prefix. This covers the
|
|
complementary inner-container case: when file tools execute inside Docker,
|
|
the bind-mount strips that prefix and the guard sees plain ``/root/.hermes/…``.
|
|
The root:root ownership on the divergent SOUL.md in #32049 confirms this
|
|
is the primary failure mode.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
|
|
|
|
class TestClassifyContainerMirrorTarget:
|
|
def test_returns_none_without_context(self):
|
|
"""No Docker context — /root/.hermes/… must not be flagged."""
|
|
from agent.file_safety import classify_container_mirror_target
|
|
|
|
assert classify_container_mirror_target("/root/.hermes/profiles/group1/SOUL.md") is None
|
|
|
|
def test_catches_soul_md_with_context(self):
|
|
"""Primary failure mode from #32049: agent writes SOUL.md via container path."""
|
|
from agent.file_safety import classify_container_mirror_target
|
|
|
|
result = classify_container_mirror_target(
|
|
"/root/.hermes/profiles/group1/SOUL.md",
|
|
mirror_prefix="/root/.hermes",
|
|
)
|
|
assert result is not None
|
|
assert result["mirror_root"].replace("\\", "/").endswith("root/.hermes")
|
|
assert result["inner_path"] == "profiles/group1/SOUL.md"
|
|
|
|
@pytest.mark.parametrize("inner", [
|
|
"SOUL.md",
|
|
"memories/MEMORY.md",
|
|
])
|
|
def test_catches_authoritative_profile_files(self, inner):
|
|
from agent.file_safety import classify_container_mirror_target
|
|
|
|
result = classify_container_mirror_target(
|
|
f"/root/.hermes/{inner}",
|
|
mirror_prefix="/root/.hermes",
|
|
)
|
|
assert result is not None
|
|
assert result["inner_path"] == inner
|
|
|
|
def test_non_hermes_path_not_flagged(self):
|
|
"""/root/workspace/… is not .hermes state and must not be blocked."""
|
|
from agent.file_safety import classify_container_mirror_target
|
|
|
|
assert (
|
|
classify_container_mirror_target(
|
|
"/root/workspace/main.py",
|
|
mirror_prefix="/root/.hermes",
|
|
)
|
|
is None
|
|
)
|
|
|
|
|
|
class TestGetContainerMirrorWarning:
|
|
def test_warning_names_inner_path_and_bypass(self):
|
|
from agent.file_safety import get_container_mirror_warning
|
|
|
|
warn = get_container_mirror_warning(
|
|
"/root/.hermes/profiles/group1/SOUL.md",
|
|
mirror_prefix="/root/.hermes",
|
|
)
|
|
assert warn is not None
|
|
assert "profiles/group1/SOUL.md" in warn
|
|
assert "cross_profile=True" in warn
|
|
|
|
|
|
class TestOrthogonality:
|
|
"""Container-context guard catches what the shape-based guard (#32213) misses."""
|
|
|
|
def test_inner_container_path_caught_by_context_guard(self):
|
|
"""No sandboxes/ segment — shape guard passes, context guard blocks."""
|
|
from agent.file_safety import classify_container_mirror_target
|
|
|
|
path = "/root/.hermes/profiles/group1/SOUL.md"
|
|
|
|
assert classify_container_mirror_target(path) is None # no context
|
|
assert classify_container_mirror_target(path, mirror_prefix="/root/.hermes") is not None
|
|
|
|
|
|
class TestFileToolIntegration:
|
|
"""file_tools must catch the mirror path before creating DockerEnvironment."""
|
|
|
|
def test_guard_uses_current_docker_config_before_env_exists(self, monkeypatch):
|
|
import tools.file_tools as file_tools
|
|
|
|
monkeypatch.setattr(
|
|
file_tools,
|
|
"_get_container_mirror_prefix_for_task",
|
|
lambda task_id: "/root/.hermes",
|
|
)
|
|
|
|
warning = file_tools._check_cross_profile_path(
|
|
"/root/.hermes/profiles/group1/SOUL.md",
|
|
task_id="new-task",
|
|
)
|
|
|
|
assert warning is not None
|
|
assert "Sandbox-mirror write blocked" in warning
|
|
assert "profiles/group1/SOUL.md" in warning
|