2026-02-21 22:31:43 -08:00
|
|
|
"""Local execution environment with interrupt support and non-blocking I/O."""
|
|
|
|
|
|
2026-03-15 01:12:16 +05:30
|
|
|
import glob
|
2026-02-21 22:31:43 -08:00
|
|
|
import os
|
2026-03-01 01:54:27 +03:00
|
|
|
import platform
|
2026-02-27 15:10:27 -08:00
|
|
|
import shutil
|
2026-02-21 22:31:43 -08:00
|
|
|
import signal
|
|
|
|
|
import subprocess
|
|
|
|
|
import threading
|
|
|
|
|
import time
|
|
|
|
|
|
2026-03-01 01:54:27 +03:00
|
|
|
_IS_WINDOWS = platform.system() == "Windows"
|
|
|
|
|
|
2026-02-21 22:31:43 -08:00
|
|
|
from tools.environments.base import BaseEnvironment
|
2026-03-13 16:54:11 +05:30
|
|
|
from tools.environments.persistent_shell import PersistentShellMixin
|
|
|
|
|
from tools.interrupt import is_interrupted
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-03-02 22:53:21 +03:00
|
|
|
# Unique marker to isolate real command output from shell init/exit noise.
|
|
|
|
|
# printf (no trailing newline) keeps the boundaries clean for splitting.
|
|
|
|
|
_OUTPUT_FENCE = "__HERMES_FENCE_a9f7b3__"
|
|
|
|
|
|
2026-03-13 17:52:03 +03:00
|
|
|
# Hermes-internal env vars that should NOT leak into terminal subprocesses.
|
|
|
|
|
# These are loaded from ~/.hermes/.env for Hermes' own LLM/provider calls
|
|
|
|
|
# but can break external CLIs (e.g. codex) that also honor them.
|
|
|
|
|
# See: https://github.com/NousResearch/hermes-agent/issues/1002
|
|
|
|
|
#
|
|
|
|
|
# Built dynamically from the provider registry so new providers are
|
|
|
|
|
# automatically covered without manual blocklist maintenance.
|
|
|
|
|
_HERMES_PROVIDER_ENV_FORCE_PREFIX = "_HERMES_FORCE_"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _build_provider_env_blocklist() -> frozenset:
|
2026-03-15 02:51:04 -07:00
|
|
|
"""Derive the blocklist from provider, tool, and gateway config.
|
2026-03-13 17:52:03 +03:00
|
|
|
|
|
|
|
|
Automatically picks up api_key_env_vars and base_url_env_var from
|
2026-03-15 02:51:04 -07:00
|
|
|
every registered provider, plus tool/messaging env vars from the
|
|
|
|
|
optional config registry, so new Hermes-managed secrets are blocked
|
|
|
|
|
in subprocesses without having to maintain multiple static lists.
|
2026-03-13 17:52:03 +03:00
|
|
|
"""
|
|
|
|
|
blocked: set[str] = set()
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
from hermes_cli.auth import PROVIDER_REGISTRY
|
|
|
|
|
for pconfig in PROVIDER_REGISTRY.values():
|
|
|
|
|
blocked.update(pconfig.api_key_env_vars)
|
|
|
|
|
if pconfig.base_url_env_var:
|
|
|
|
|
blocked.add(pconfig.base_url_env_var)
|
|
|
|
|
except ImportError:
|
|
|
|
|
pass
|
|
|
|
|
|
2026-03-15 02:51:04 -07:00
|
|
|
try:
|
|
|
|
|
from hermes_cli.config import OPTIONAL_ENV_VARS
|
|
|
|
|
for name, metadata in OPTIONAL_ENV_VARS.items():
|
|
|
|
|
category = metadata.get("category")
|
|
|
|
|
if category in {"tool", "messaging"}:
|
|
|
|
|
blocked.add(name)
|
|
|
|
|
elif category == "setting" and metadata.get("password"):
|
|
|
|
|
blocked.add(name)
|
|
|
|
|
except ImportError:
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
# Vars not covered above but still Hermes-internal / conflict-prone.
|
2026-03-13 17:52:03 +03:00
|
|
|
blocked.update({
|
|
|
|
|
"OPENAI_BASE_URL",
|
|
|
|
|
"OPENAI_API_KEY",
|
|
|
|
|
"OPENAI_API_BASE", # legacy alias
|
|
|
|
|
"OPENAI_ORG_ID",
|
|
|
|
|
"OPENAI_ORGANIZATION",
|
|
|
|
|
"OPENROUTER_API_KEY",
|
|
|
|
|
"ANTHROPIC_BASE_URL",
|
|
|
|
|
"ANTHROPIC_TOKEN", # OAuth token (not in registry as env var)
|
|
|
|
|
"CLAUDE_CODE_OAUTH_TOKEN",
|
|
|
|
|
"LLM_MODEL",
|
2026-03-15 05:42:06 +01:00
|
|
|
# Expanded isolation for other major providers (Issue #1002)
|
|
|
|
|
"GOOGLE_API_KEY", # Gemini / Google AI Studio
|
|
|
|
|
"DEEPSEEK_API_KEY", # DeepSeek
|
|
|
|
|
"MISTRAL_API_KEY", # Mistral AI
|
|
|
|
|
"GROQ_API_KEY", # Groq
|
|
|
|
|
"TOGETHER_API_KEY", # Together AI
|
|
|
|
|
"PERPLEXITY_API_KEY", # Perplexity
|
|
|
|
|
"COHERE_API_KEY", # Cohere
|
|
|
|
|
"FIREWORKS_API_KEY", # Fireworks AI
|
|
|
|
|
"XAI_API_KEY", # xAI (Grok)
|
|
|
|
|
"HELICONE_API_KEY", # LLM Observability proxy
|
feat(web): add Parallel as alternative web search/extract backend (#1696)
* feat(web): add Parallel as alternative web search/extract backend
Adds Parallel (parallel.ai) as a drop-in alternative to Firecrawl for
web_search and web_extract tools using the official parallel-web SDK.
- Backend selection via WEB_SEARCH_BACKEND env var (auto/parallel/firecrawl)
- Auto mode prefers Firecrawl when both keys present; Parallel when sole backend
- web_crawl remains Firecrawl-only with clear error when unavailable
- Lazy SDK imports, interrupt support, singleton clients
- 16 new unit tests for backend selection and client config
Co-authored-by: s-jag <s-jag@users.noreply.github.com>
* fix: add PARALLEL_API_KEY to config registry and fix web_crawl policy tests
Follow-up for Parallel backend integration:
- Add PARALLEL_API_KEY to OPTIONAL_ENV_VARS (hermes doctor, env blocklist)
- Add to set_config_value api_keys list (hermes config set)
- Add to doctor keys display
- Fix 2 web_crawl policy tests that didn't set FIRECRAWL_API_KEY
(needed now that web_crawl has a Firecrawl availability guard)
* refactor: explicit backend selection via hermes tools, not auto-detect
Replace the auto-detect backend selection with explicit user choice:
- hermes tools saves WEB_SEARCH_BACKEND to .env when user picks a provider
- _get_backend() reads the explicit choice first
- Fallback only for manual/legacy config (uses whichever key is present)
- _is_provider_active() shows [active] for the selected web backend
- Updated tests, docs, and .env.example to remove 'auto' mode language
* refactor: use config.yaml for web backend, not env var
Match the TTS/browser pattern — web.backend is stored in config.yaml
(set by hermes tools), not as a WEB_SEARCH_BACKEND env var.
- _load_web_config() reads web: section from config.yaml
- _get_backend() reads web.backend from config, falls back to key detection
- _configure_provider() saves to config dict (saved to config.yaml)
- _is_provider_active() reads from config dict
- Removed WEB_SEARCH_BACKEND from .env.example, set_config_value, docs
- Updated all tests to mock _load_web_config instead of env vars
---------
Co-authored-by: s-jag <s-jag@users.noreply.github.com>
2026-03-17 04:02:02 -07:00
|
|
|
"PARALLEL_API_KEY",
|
|
|
|
|
"FIRECRAWL_API_KEY",
|
|
|
|
|
"FIRECRAWL_API_URL",
|
2026-03-15 02:51:04 -07:00
|
|
|
# Gateway/runtime config not represented in OPTIONAL_ENV_VARS.
|
|
|
|
|
"TELEGRAM_HOME_CHANNEL",
|
|
|
|
|
"TELEGRAM_HOME_CHANNEL_NAME",
|
|
|
|
|
"DISCORD_HOME_CHANNEL",
|
|
|
|
|
"DISCORD_HOME_CHANNEL_NAME",
|
|
|
|
|
"DISCORD_REQUIRE_MENTION",
|
|
|
|
|
"DISCORD_FREE_RESPONSE_CHANNELS",
|
|
|
|
|
"DISCORD_AUTO_THREAD",
|
|
|
|
|
"SLACK_HOME_CHANNEL",
|
|
|
|
|
"SLACK_HOME_CHANNEL_NAME",
|
|
|
|
|
"SLACK_ALLOWED_USERS",
|
|
|
|
|
"WHATSAPP_ENABLED",
|
|
|
|
|
"WHATSAPP_MODE",
|
|
|
|
|
"WHATSAPP_ALLOWED_USERS",
|
|
|
|
|
"SIGNAL_HTTP_URL",
|
|
|
|
|
"SIGNAL_ACCOUNT",
|
|
|
|
|
"SIGNAL_ALLOWED_USERS",
|
|
|
|
|
"SIGNAL_GROUP_ALLOWED_USERS",
|
|
|
|
|
"SIGNAL_HOME_CHANNEL",
|
|
|
|
|
"SIGNAL_HOME_CHANNEL_NAME",
|
|
|
|
|
"SIGNAL_IGNORE_STORIES",
|
|
|
|
|
"HASS_TOKEN",
|
|
|
|
|
"HASS_URL",
|
|
|
|
|
"EMAIL_ADDRESS",
|
|
|
|
|
"EMAIL_PASSWORD",
|
|
|
|
|
"EMAIL_IMAP_HOST",
|
|
|
|
|
"EMAIL_SMTP_HOST",
|
|
|
|
|
"EMAIL_HOME_ADDRESS",
|
|
|
|
|
"EMAIL_HOME_ADDRESS_NAME",
|
|
|
|
|
"GATEWAY_ALLOWED_USERS",
|
|
|
|
|
# Skills Hub / GitHub app auth paths and aliases.
|
|
|
|
|
"GH_TOKEN",
|
|
|
|
|
"GITHUB_APP_ID",
|
|
|
|
|
"GITHUB_APP_PRIVATE_KEY_PATH",
|
|
|
|
|
"GITHUB_APP_INSTALLATION_ID",
|
fix(security): block sandbox backend creds from subprocess env (#1264)
* fix: prevent infinite 400 failure loop on context overflow (#1630)
When a gateway session exceeds the model's context window, Anthropic may
return a generic 400 invalid_request_error with just 'Error' as the
message. This bypassed the phrase-based context-length detection,
causing the agent to treat it as a non-retryable client error. Worse,
the failed user message was still persisted to the transcript, making
the session even larger on each attempt — creating an infinite loop.
Three-layer fix:
1. run_agent.py — Fallback heuristic: when a 400 error has a very short
generic message AND the session is large (>40% of context or >80
messages), treat it as a probable context overflow and trigger
compression instead of aborting.
2. run_agent.py + gateway/run.py — Don't persist failed messages:
when the agent returns failed=True before generating any response,
skip writing the user's message to the transcript/DB. This prevents
the session from growing on each failure.
3. gateway/run.py — Smarter error messages: detect context-overflow
failures and suggest /compact or /reset specifically, instead of a
generic 'try again' that will fail identically.
* fix(skills): detect prompt injection patterns and block cache file reads
Adds two security layers to prevent prompt injection via skills hub
cache files (#1558):
1. read_file: blocks direct reads of ~/.hermes/skills/.hub/ directory
(index-cache, catalog files). The 3.5MB clawhub_catalog_v1.json
was the original injection vector — untrusted skill descriptions
in the catalog contained adversarial text that the model executed.
2. skill_view: warns when skills are loaded from outside the trusted
~/.hermes/skills/ directory, and detects common injection patterns
in skill content ("ignore previous instructions", "<system>", etc.).
Cherry-picked from PR #1562 by ygd58.
* fix(tools): chunk long messages in send_message_tool before dispatch (#1552)
Long messages sent via send_message tool or cron delivery silently
failed when exceeding platform limits. Gateway adapters handle this
via truncate_message(), but the standalone senders in send_message_tool
bypassed that entirely.
- Apply truncate_message() chunking in _send_to_platform() before
dispatching to individual platform senders
- Remove naive message[i:i+2000] character split in _send_discord()
in favor of centralized smart splitting
- Attach media files to last chunk only for Telegram
- Add regression tests for chunking and media placement
Cherry-picked from PR #1557 by llbn.
* fix(approval): show full command in dangerous command approval (#1553)
Previously the command was truncated to 80 chars in CLI (with a
[v]iew full option), 500 chars in Discord embeds, and missing entirely
in Telegram/Slack approval messages. Now the full command is always
displayed everywhere:
- CLI: removed 80-char truncation and [v]iew full menu option
- Gateway (TG/Slack): approval_required message includes full command
in a code block
- Discord: embed shows full command up to 4096-char limit
- Windows: skip SIGALRM-based test timeout (Unix-only)
- Updated tests: replaced view-flow tests with direct approval tests
Cherry-picked from PR #1566 by crazywriter1.
* fix(cli): flush stdout during agent loop to prevent macOS display freeze (#1624)
The interrupt polling loop in chat() waited on the queue without
invalidating the prompt_toolkit renderer. On macOS, the StdoutProxy
buffer only flushed on input events, causing the CLI to appear frozen
during tool execution until the user typed a key.
Fix: call _invalidate() on each queue timeout (every ~100ms, throttled
to 150ms) to force the renderer to flush buffered agent output.
* fix(claw): warn when API keys are skipped during OpenClaw migration (#1580)
When --migrate-secrets is not passed (the default), API keys like
OPENROUTER_API_KEY are silently skipped with no warning. Users don't
realize their keys weren't migrated until the agent fails to connect.
Add a post-migration warning with actionable instructions: either
re-run with --migrate-secrets or add the key manually via
hermes config set.
Cherry-picked from PR #1593 by ygd58.
* fix(security): block sandbox backend creds from subprocess env (#1264)
Add Modal and Daytona sandbox credentials to the subprocess env
blocklist so they're not leaked to agent terminal sessions via
printenv/env.
Cherry-picked from PR #1571 by ygd58.
---------
Co-authored-by: buray <ygd58@users.noreply.github.com>
Co-authored-by: lbn <llbn@users.noreply.github.com>
Co-authored-by: crazywriter1 <53251494+crazywriter1@users.noreply.github.com>
2026-03-17 02:20:42 -07:00
|
|
|
# Remote sandbox backend credentials.
|
|
|
|
|
"MODAL_TOKEN_ID",
|
|
|
|
|
"MODAL_TOKEN_SECRET",
|
|
|
|
|
"DAYTONA_API_KEY",
|
2026-03-13 17:52:03 +03:00
|
|
|
})
|
|
|
|
|
return frozenset(blocked)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
_HERMES_PROVIDER_ENV_BLOCKLIST = _build_provider_env_blocklist()
|
|
|
|
|
|
2026-03-02 22:03:29 -08:00
|
|
|
|
2026-03-15 02:51:04 -07:00
|
|
|
def _sanitize_subprocess_env(base_env: dict | None, extra_env: dict | None = None) -> dict:
|
|
|
|
|
"""Filter Hermes-managed secrets from a subprocess environment.
|
|
|
|
|
|
|
|
|
|
`_HERMES_FORCE_<VAR>` entries in ``extra_env`` opt a blocked variable back in
|
|
|
|
|
intentionally for callers that truly need it.
|
|
|
|
|
"""
|
|
|
|
|
sanitized: dict[str, str] = {}
|
|
|
|
|
|
|
|
|
|
for key, value in (base_env or {}).items():
|
|
|
|
|
if key.startswith(_HERMES_PROVIDER_ENV_FORCE_PREFIX):
|
|
|
|
|
continue
|
|
|
|
|
if key not in _HERMES_PROVIDER_ENV_BLOCKLIST:
|
|
|
|
|
sanitized[key] = value
|
|
|
|
|
|
|
|
|
|
for key, value in (extra_env or {}).items():
|
|
|
|
|
if key.startswith(_HERMES_PROVIDER_ENV_FORCE_PREFIX):
|
|
|
|
|
real_key = key[len(_HERMES_PROVIDER_ENV_FORCE_PREFIX):]
|
|
|
|
|
sanitized[real_key] = value
|
|
|
|
|
elif key not in _HERMES_PROVIDER_ENV_BLOCKLIST:
|
|
|
|
|
sanitized[key] = value
|
|
|
|
|
|
|
|
|
|
return sanitized
|
|
|
|
|
|
|
|
|
|
|
2026-03-08 03:00:05 -07:00
|
|
|
def _find_bash() -> str:
|
|
|
|
|
"""Find bash for command execution.
|
2026-03-02 22:03:29 -08:00
|
|
|
|
2026-03-08 03:00:05 -07:00
|
|
|
The fence wrapper uses bash syntax (semicolons, $?, printf), so we
|
|
|
|
|
must use bash — not the user's $SHELL which could be fish/zsh/etc.
|
2026-03-02 22:03:29 -08:00
|
|
|
On Windows: uses Git Bash (bundled with Git for Windows).
|
|
|
|
|
"""
|
|
|
|
|
if not _IS_WINDOWS:
|
2026-03-08 01:43:00 -08:00
|
|
|
return (
|
2026-03-08 03:00:05 -07:00
|
|
|
shutil.which("bash")
|
2026-03-08 01:43:00 -08:00
|
|
|
or ("/usr/bin/bash" if os.path.isfile("/usr/bin/bash") else None)
|
|
|
|
|
or ("/bin/bash" if os.path.isfile("/bin/bash") else None)
|
2026-03-08 03:00:05 -07:00
|
|
|
or os.environ.get("SHELL") # last resort: whatever they have
|
2026-03-08 01:43:00 -08:00
|
|
|
or "/bin/sh"
|
|
|
|
|
)
|
2026-03-02 22:03:29 -08:00
|
|
|
|
|
|
|
|
# Windows: look for Git Bash (installed with Git for Windows).
|
|
|
|
|
# Allow override via env var (same pattern as Claude Code).
|
|
|
|
|
custom = os.environ.get("HERMES_GIT_BASH_PATH")
|
|
|
|
|
if custom and os.path.isfile(custom):
|
|
|
|
|
return custom
|
|
|
|
|
|
|
|
|
|
# shutil.which finds bash.exe if Git\bin is on PATH
|
|
|
|
|
found = shutil.which("bash")
|
|
|
|
|
if found:
|
|
|
|
|
return found
|
|
|
|
|
|
|
|
|
|
# Check common Git for Windows install locations
|
|
|
|
|
for candidate in (
|
|
|
|
|
os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"), "Git", "bin", "bash.exe"),
|
|
|
|
|
os.path.join(os.environ.get("ProgramFiles(x86)", r"C:\Program Files (x86)"), "Git", "bin", "bash.exe"),
|
|
|
|
|
os.path.join(os.environ.get("LOCALAPPDATA", ""), "Programs", "Git", "bin", "bash.exe"),
|
|
|
|
|
):
|
|
|
|
|
if candidate and os.path.isfile(candidate):
|
|
|
|
|
return candidate
|
|
|
|
|
|
|
|
|
|
raise RuntimeError(
|
|
|
|
|
"Git Bash not found. Hermes Agent requires Git for Windows on Windows.\n"
|
|
|
|
|
"Install it from: https://git-scm.com/download/win\n"
|
|
|
|
|
"Or set HERMES_GIT_BASH_PATH to your bash.exe location."
|
|
|
|
|
)
|
|
|
|
|
|
2026-03-08 03:00:05 -07:00
|
|
|
|
|
|
|
|
# Backward compat — process_registry.py imports this name
|
|
|
|
|
_find_shell = _find_bash
|
|
|
|
|
|
|
|
|
|
|
2026-02-27 16:26:47 -08:00
|
|
|
# Noise lines emitted by interactive shells when stdin is not a terminal.
|
2026-03-02 22:53:21 +03:00
|
|
|
# Used as a fallback when output fence markers are missing.
|
2026-02-28 22:57:58 -08:00
|
|
|
_SHELL_NOISE_SUBSTRINGS = (
|
2026-03-02 22:53:21 +03:00
|
|
|
# bash
|
2026-02-28 22:57:58 -08:00
|
|
|
"bash: cannot set terminal process group",
|
2026-02-27 16:26:47 -08:00
|
|
|
"bash: no job control in this shell",
|
|
|
|
|
"no job control in this shell",
|
2026-02-28 22:57:58 -08:00
|
|
|
"cannot set terminal process group",
|
|
|
|
|
"tcsetattr: Inappropriate ioctl for device",
|
2026-03-02 22:53:21 +03:00
|
|
|
# zsh / oh-my-zsh / macOS terminal session
|
|
|
|
|
"Restored session:",
|
|
|
|
|
"Saving session...",
|
|
|
|
|
"Last login:",
|
|
|
|
|
"command not found:",
|
|
|
|
|
"Oh My Zsh",
|
|
|
|
|
"compinit:",
|
2026-02-28 22:57:58 -08:00
|
|
|
)
|
2026-02-27 16:26:47 -08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def _clean_shell_noise(output: str) -> str:
|
2026-03-02 22:53:21 +03:00
|
|
|
"""Strip shell startup/exit warnings that leak when using -i without a TTY.
|
2026-02-28 22:57:58 -08:00
|
|
|
|
2026-03-02 22:53:21 +03:00
|
|
|
Removes lines matching known noise patterns from both the beginning
|
|
|
|
|
and end of the output. Lines in the middle are left untouched.
|
2026-02-28 22:57:58 -08:00
|
|
|
"""
|
2026-03-02 22:53:21 +03:00
|
|
|
|
|
|
|
|
def _is_noise(line: str) -> bool:
|
|
|
|
|
return any(noise in line for noise in _SHELL_NOISE_SUBSTRINGS)
|
|
|
|
|
|
2026-02-28 22:57:58 -08:00
|
|
|
lines = output.split("\n")
|
2026-03-02 22:53:21 +03:00
|
|
|
|
|
|
|
|
# Strip leading noise
|
|
|
|
|
while lines and _is_noise(lines[0]):
|
2026-02-28 22:57:58 -08:00
|
|
|
lines.pop(0)
|
2026-03-02 22:53:21 +03:00
|
|
|
|
|
|
|
|
# Strip trailing noise (walk backwards, skip empty lines from split)
|
|
|
|
|
end = len(lines) - 1
|
|
|
|
|
while end >= 0 and (not lines[end] or _is_noise(lines[end])):
|
|
|
|
|
end -= 1
|
|
|
|
|
|
|
|
|
|
if end < 0:
|
|
|
|
|
return ""
|
|
|
|
|
|
|
|
|
|
cleaned = lines[: end + 1]
|
|
|
|
|
result = "\n".join(cleaned)
|
|
|
|
|
|
|
|
|
|
# Preserve trailing newline if original had one
|
|
|
|
|
if output.endswith("\n") and result and not result.endswith("\n"):
|
|
|
|
|
result += "\n"
|
|
|
|
|
return result
|
|
|
|
|
|
|
|
|
|
|
2026-03-13 16:54:11 +05:30
|
|
|
_SANE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _make_run_env(env: dict) -> dict:
|
|
|
|
|
"""Build a run environment with a sane PATH and provider-var stripping."""
|
|
|
|
|
merged = dict(os.environ | env)
|
|
|
|
|
run_env = {}
|
|
|
|
|
for k, v in merged.items():
|
|
|
|
|
if k.startswith(_HERMES_PROVIDER_ENV_FORCE_PREFIX):
|
|
|
|
|
real_key = k[len(_HERMES_PROVIDER_ENV_FORCE_PREFIX):]
|
|
|
|
|
run_env[real_key] = v
|
|
|
|
|
elif k not in _HERMES_PROVIDER_ENV_BLOCKLIST:
|
|
|
|
|
run_env[k] = v
|
|
|
|
|
existing_path = run_env.get("PATH", "")
|
|
|
|
|
if "/usr/bin" not in existing_path.split(":"):
|
|
|
|
|
run_env["PATH"] = f"{existing_path}:{_SANE_PATH}" if existing_path else _SANE_PATH
|
|
|
|
|
return run_env
|
|
|
|
|
|
|
|
|
|
|
2026-03-02 22:53:21 +03:00
|
|
|
def _extract_fenced_output(raw: str) -> str:
|
|
|
|
|
"""Extract real command output from between fence markers.
|
|
|
|
|
|
|
|
|
|
The execute() method wraps each command with printf(FENCE) markers.
|
|
|
|
|
This function finds the first and last fence and returns only the
|
|
|
|
|
content between them, which is the actual command output free of
|
|
|
|
|
any shell init/exit noise.
|
|
|
|
|
|
|
|
|
|
Falls back to pattern-based _clean_shell_noise if fences are missing.
|
|
|
|
|
"""
|
|
|
|
|
first = raw.find(_OUTPUT_FENCE)
|
|
|
|
|
if first == -1:
|
|
|
|
|
return _clean_shell_noise(raw)
|
|
|
|
|
|
|
|
|
|
start = first + len(_OUTPUT_FENCE)
|
|
|
|
|
last = raw.rfind(_OUTPUT_FENCE)
|
|
|
|
|
|
|
|
|
|
if last <= first:
|
|
|
|
|
# Only start fence found (e.g. user command called `exit`)
|
|
|
|
|
return _clean_shell_noise(raw[start:])
|
|
|
|
|
|
|
|
|
|
return raw[start:last]
|
2026-02-27 16:26:47 -08:00
|
|
|
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-03-13 16:54:11 +05:30
|
|
|
class LocalEnvironment(PersistentShellMixin, BaseEnvironment):
|
2026-02-21 22:31:43 -08:00
|
|
|
"""Run commands directly on the host machine.
|
|
|
|
|
|
|
|
|
|
Features:
|
|
|
|
|
- Popen + polling for interrupt support (user can cancel mid-command)
|
|
|
|
|
- Background stdout drain thread to prevent pipe buffer deadlocks
|
|
|
|
|
- stdin_data support for piping content (bypasses ARG_MAX limits)
|
|
|
|
|
- sudo -S transform via SUDO_PASSWORD env var
|
2026-02-27 16:26:47 -08:00
|
|
|
- Uses interactive login shell so full user env is available
|
2026-03-13 16:54:11 +05:30
|
|
|
- Optional persistent shell mode (cwd/env vars survive across calls)
|
2026-02-21 22:31:43 -08:00
|
|
|
"""
|
|
|
|
|
|
2026-03-13 16:54:11 +05:30
|
|
|
def __init__(self, cwd: str = "", timeout: int = 60, env: dict = None,
|
|
|
|
|
persistent: bool = False):
|
2026-02-21 22:31:43 -08:00
|
|
|
super().__init__(cwd=cwd or os.getcwd(), timeout=timeout, env=env)
|
2026-03-13 16:54:11 +05:30
|
|
|
self.persistent = persistent
|
|
|
|
|
if self.persistent:
|
|
|
|
|
self._init_persistent_shell()
|
|
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
def _temp_prefix(self) -> str:
|
|
|
|
|
return f"/tmp/hermes-local-{self._session_id}"
|
|
|
|
|
|
|
|
|
|
def _spawn_shell_process(self) -> subprocess.Popen:
|
|
|
|
|
user_shell = _find_bash()
|
|
|
|
|
run_env = _make_run_env(self.env)
|
|
|
|
|
return subprocess.Popen(
|
|
|
|
|
[user_shell, "-l"],
|
|
|
|
|
stdin=subprocess.PIPE,
|
|
|
|
|
stdout=subprocess.PIPE,
|
2026-03-15 01:12:16 +05:30
|
|
|
stderr=subprocess.DEVNULL,
|
2026-03-13 16:54:11 +05:30
|
|
|
text=True,
|
|
|
|
|
env=run_env,
|
|
|
|
|
preexec_fn=None if _IS_WINDOWS else os.setsid,
|
|
|
|
|
)
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-03-13 16:54:11 +05:30
|
|
|
def _read_temp_files(self, *paths: str) -> list[str]:
|
|
|
|
|
results = []
|
|
|
|
|
for path in paths:
|
2026-03-15 02:39:56 +05:30
|
|
|
if os.path.exists(path):
|
2026-03-13 16:54:11 +05:30
|
|
|
with open(path) as f:
|
|
|
|
|
results.append(f.read())
|
2026-03-15 02:39:56 +05:30
|
|
|
else:
|
2026-03-13 16:54:11 +05:30
|
|
|
results.append("")
|
|
|
|
|
return results
|
|
|
|
|
|
|
|
|
|
def _kill_shell_children(self):
|
|
|
|
|
if self._shell_pid is None:
|
|
|
|
|
return
|
|
|
|
|
try:
|
|
|
|
|
subprocess.run(
|
|
|
|
|
["pkill", "-P", str(self._shell_pid)],
|
|
|
|
|
capture_output=True, timeout=5,
|
|
|
|
|
)
|
2026-03-15 02:39:56 +05:30
|
|
|
except (subprocess.TimeoutExpired, FileNotFoundError):
|
2026-03-13 16:54:11 +05:30
|
|
|
pass
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-03-15 01:12:16 +05:30
|
|
|
def _cleanup_temp_files(self):
|
|
|
|
|
for f in glob.glob(f"{self._temp_prefix}-*"):
|
2026-03-15 02:39:56 +05:30
|
|
|
if os.path.exists(f):
|
2026-03-15 01:12:16 +05:30
|
|
|
os.remove(f)
|
2026-03-13 16:54:11 +05:30
|
|
|
|
|
|
|
|
def _execute_oneshot(self, command: str, cwd: str = "", *,
|
|
|
|
|
timeout: int | None = None,
|
|
|
|
|
stdin_data: str | None = None) -> dict:
|
2026-02-21 22:31:43 -08:00
|
|
|
work_dir = cwd or self.cwd or os.getcwd()
|
|
|
|
|
effective_timeout = timeout or self.timeout
|
2026-03-08 17:46:11 +03:30
|
|
|
exec_command, sudo_stdin = self._prepare_command(command)
|
|
|
|
|
|
|
|
|
|
if sudo_stdin is not None and stdin_data is not None:
|
|
|
|
|
effective_stdin = sudo_stdin + stdin_data
|
|
|
|
|
elif sudo_stdin is not None:
|
|
|
|
|
effective_stdin = sudo_stdin
|
|
|
|
|
else:
|
|
|
|
|
effective_stdin = stdin_data
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-03-15 02:39:56 +05:30
|
|
|
user_shell = _find_bash()
|
|
|
|
|
fenced_cmd = (
|
|
|
|
|
f"printf '{_OUTPUT_FENCE}';"
|
|
|
|
|
f" {exec_command};"
|
|
|
|
|
f" __hermes_rc=$?;"
|
|
|
|
|
f" printf '{_OUTPUT_FENCE}';"
|
|
|
|
|
f" exit $__hermes_rc"
|
|
|
|
|
)
|
|
|
|
|
run_env = _make_run_env(self.env)
|
|
|
|
|
|
|
|
|
|
proc = subprocess.Popen(
|
|
|
|
|
[user_shell, "-lic", fenced_cmd],
|
|
|
|
|
text=True,
|
|
|
|
|
cwd=work_dir,
|
|
|
|
|
env=run_env,
|
|
|
|
|
encoding="utf-8",
|
|
|
|
|
errors="replace",
|
|
|
|
|
stdout=subprocess.PIPE,
|
|
|
|
|
stderr=subprocess.STDOUT,
|
|
|
|
|
stdin=subprocess.PIPE if effective_stdin is not None else subprocess.DEVNULL,
|
|
|
|
|
preexec_fn=None if _IS_WINDOWS else os.setsid,
|
|
|
|
|
)
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-03-15 02:39:56 +05:30
|
|
|
if effective_stdin is not None:
|
|
|
|
|
def _write_stdin():
|
|
|
|
|
try:
|
|
|
|
|
proc.stdin.write(effective_stdin)
|
|
|
|
|
proc.stdin.close()
|
|
|
|
|
except (BrokenPipeError, OSError):
|
|
|
|
|
pass
|
|
|
|
|
threading.Thread(target=_write_stdin, daemon=True).start()
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-03-15 02:39:56 +05:30
|
|
|
_output_chunks: list[str] = []
|
2026-02-21 22:31:43 -08:00
|
|
|
|
2026-03-15 02:39:56 +05:30
|
|
|
def _drain_stdout():
|
|
|
|
|
try:
|
|
|
|
|
for line in proc.stdout:
|
|
|
|
|
_output_chunks.append(line)
|
|
|
|
|
except ValueError:
|
|
|
|
|
pass
|
|
|
|
|
finally:
|
2026-02-21 22:31:43 -08:00
|
|
|
try:
|
2026-03-15 02:39:56 +05:30
|
|
|
proc.stdout.close()
|
|
|
|
|
except Exception:
|
2026-02-21 22:31:43 -08:00
|
|
|
pass
|
2026-03-13 16:54:11 +05:30
|
|
|
|
2026-03-15 02:39:56 +05:30
|
|
|
reader = threading.Thread(target=_drain_stdout, daemon=True)
|
|
|
|
|
reader.start()
|
|
|
|
|
deadline = time.monotonic() + effective_timeout
|
|
|
|
|
|
|
|
|
|
while proc.poll() is None:
|
|
|
|
|
if is_interrupted():
|
|
|
|
|
try:
|
|
|
|
|
if _IS_WINDOWS:
|
|
|
|
|
proc.terminate()
|
|
|
|
|
else:
|
|
|
|
|
pgid = os.getpgid(proc.pid)
|
|
|
|
|
os.killpg(pgid, signal.SIGTERM)
|
|
|
|
|
try:
|
|
|
|
|
proc.wait(timeout=1.0)
|
|
|
|
|
except subprocess.TimeoutExpired:
|
|
|
|
|
os.killpg(pgid, signal.SIGKILL)
|
|
|
|
|
except (ProcessLookupError, PermissionError):
|
|
|
|
|
proc.kill()
|
|
|
|
|
reader.join(timeout=2)
|
|
|
|
|
return {
|
|
|
|
|
"output": "".join(_output_chunks) + "\n[Command interrupted — user sent a new message]",
|
|
|
|
|
"returncode": 130,
|
|
|
|
|
}
|
|
|
|
|
if time.monotonic() > deadline:
|
|
|
|
|
try:
|
|
|
|
|
if _IS_WINDOWS:
|
|
|
|
|
proc.terminate()
|
|
|
|
|
else:
|
|
|
|
|
os.killpg(os.getpgid(proc.pid), signal.SIGTERM)
|
|
|
|
|
except (ProcessLookupError, PermissionError):
|
|
|
|
|
proc.kill()
|
|
|
|
|
reader.join(timeout=2)
|
|
|
|
|
return self._timeout_result(effective_timeout)
|
|
|
|
|
time.sleep(0.2)
|
|
|
|
|
|
|
|
|
|
reader.join(timeout=5)
|
|
|
|
|
output = _extract_fenced_output("".join(_output_chunks))
|
|
|
|
|
return {"output": output, "returncode": proc.returncode}
|