diff --git a/tests/tools/test_approval.py b/tests/tools/test_approval.py index b973cb0f0..0d48b7c1f 100644 --- a/tests/tools/test_approval.py +++ b/tests/tools/test_approval.py @@ -512,6 +512,30 @@ class TestGatewayProtection: dangerous, key, desc = detect_dangerous_command(cmd) assert dangerous is False + def test_pkill_hermes_detected(self): + """pkill targeting hermes/gateway processes must be caught.""" + cmd = 'pkill -f "cli.py --gateway"' + dangerous, key, desc = detect_dangerous_command(cmd) + assert dangerous is True + assert "self-termination" in desc + + def test_killall_hermes_detected(self): + cmd = "killall hermes" + dangerous, key, desc = detect_dangerous_command(cmd) + assert dangerous is True + assert "self-termination" in desc + + def test_pkill_gateway_detected(self): + cmd = "pkill -f gateway" + dangerous, key, desc = detect_dangerous_command(cmd) + assert dangerous is True + + def test_pkill_unrelated_not_flagged(self): + """pkill targeting unrelated processes should not be flagged.""" + cmd = "pkill -f nginx" + dangerous, key, desc = detect_dangerous_command(cmd) + assert dangerous is False + class TestNormalizationBypass: """Obfuscation techniques must not bypass dangerous command detection.""" diff --git a/tools/approval.py b/tools/approval.py index 4229164b4..ee74b1134 100644 --- a/tools/approval.py +++ b/tools/approval.py @@ -53,6 +53,8 @@ DANGEROUS_PATTERNS = [ # Gateway protection: never start gateway outside systemd management (r'gateway\s+run\b.*(&\s*$|&\s*;|\bdisown\b|\bsetsid\b)', "start gateway outside systemd (use 'systemctl --user restart hermes-gateway')"), (r'\bnohup\b.*gateway\s+run\b', "start gateway outside systemd (use 'systemctl --user restart hermes-gateway')"), + # Self-termination protection: prevent agent from killing its own process + (r'\b(pkill|killall)\b.*\b(hermes|gateway|cli\.py)\b', "kill hermes/gateway process (self-termination)"), ]