From ce430fed4c49ee8996fdb68aead2f4fc4d96a5aa Mon Sep 17 00:00:00 2001 From: Teknium <127238744+teknium1@users.noreply.github.com> Date: Mon, 16 Mar 2026 17:43:48 -0700 Subject: [PATCH] installer: clarify why sudo is needed at every prompt (#1602) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: Anthropic OAuth compatibility — Claude Code identity fingerprinting Anthropic routes OAuth/subscription requests based on Claude Code's identity markers. Without them, requests get intermittent 500 errors (~25% failure rate observed). This matches what pi-ai (clawdbot) and OpenCode both implement for OAuth compatibility. Changes (OAuth tokens only — API key users unaffected): 1. Headers: user-agent 'claude-cli/2.1.2 (external, cli)' + x-app 'cli' 2. System prompt: prepend 'You are Claude Code, Anthropic's official CLI' 3. System prompt sanitization: replace Hermes/Nous references 4. Tool names: prefix with 'mcp_' (Claude Code convention for non-native tools) 5. Tool name stripping: remove 'mcp_' prefix from response tool calls Before: 9/12 OK, 1 hard fail, 4 needed retries (~25% error rate) After: 16/16 OK, 0 failures, 0 retries (0% error rate) * installer: clarify why sudo is needed at every prompt Every sudo prompt now explicitly states what packages are being installed and that Hermes Agent itself does not require or retain root access. Covers system packages, build tools, and Playwright browser deps. --- scripts/install.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index 8c7707b81..c2ec21834 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
@@ -483,6 +483,8 @@ install_system_packages() {
 elif command -v sudo &> /dev/null; then
 if [ "$IS_INTERACTIVE" = true ]; then
 echo ""
+ log_info "sudo is needed ONLY to install optional system packages (${pkgs[*]}) via your package manager."
+ log_info "Hermes Agent itself does not require or retain root access."
 read -p "Install ${description}? (requires sudo) [y/N] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]; then
@@ -496,8 +498,9 @@ install_system_packages() {
 # Non-interactive (e.g. curl | bash) but a terminal is available.
 # Read the prompt from /dev/tty (same approach the setup wizard uses).
 echo ""
- log_info "Installing ${description} requires sudo."
- read -p "Install? [Y/n] " -n 1 -r < /dev/tty
+ log_info "sudo is needed ONLY to install optional system packages (${pkgs[*]}) via your package manager."
+ log_info "Hermes Agent itself does not require or retain root access."
+ read -p "Install ${description}? [Y/n] " -n 1 -r < /dev/tty
 echo
 if [[ $REPLY =~ ^[Yy]$ ]] || [[ -z $REPLY ]]; then
 if sudo DEBIAN_FRONTEND=noninteractive NEEDRESTART_MODE=a $install_cmd < /dev/tty; then
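Review bot: The added `log_info "Hermes Agent itself does not require or retain root access."` line makes a promise the script does not enforce. Once the user authenticates, sudo normally keeps a cached credential for this terminal, so any later `sudo` call in the installer can run without a new prompt. To back the wording, invalidate the cache right after the privileged package-manager call with `sudo -k`, in both branches of install_system_packages. The same two messages are added in the /dev/tty branch and in install_deps, where the same applies. The interactive branch's install command lies outside this hunk, so the exact placement needs checking against the full function.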
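Review bot: The rewritten prompt `read -p "Install ${description}? [Y/n] " -n 1 -r < /dev/tty` still defaults to yes for a privileged action. The test that follows accepts an empty `$REPLY`, which is what a stray Enter produces and presumably also what is left when `read` fails on /dev/tty. The interactive branch above defaults to No (`[y/N]`), and the curl | bash path is the one where the user has seen the least of the script. I would make it `read -p "Install ${description}? (requires sudo) [y/N] " -n 1 -r < /dev/tty` and drop `|| [[ -z $REPLY ]]` from the condition. The `Install build tools? [Y/n]` prompt in install_deps has the same default.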
@@ -688,7 +691,9 @@ install_deps() {
 sudo DEBIAN_FRONTEND=noninteractive NEEDRESTART_MODE=a apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive NEEDRESTART_MODE=a apt-get install -y -qq build-essential python3-dev libffi-dev >/dev/null 2>&1 || true
 log_success "Build tools installed"
 else
- read -p "Install build tools (build-essential, python3-dev)? (requires sudo) [Y/n] " -n 1 -r < /dev/tty
+ log_info "sudo is needed ONLY to install build tools (build-essential, python3-dev, libffi-dev) via apt."
+ log_info "Hermes Agent itself does not require or retain root access."
+ read -p "Install build tools? [Y/n] " -n 1 -r < /dev/tty
 echo
 if [[ $REPLY =~ ^[Yy]$ ]] || [[ -z $REPLY ]]; then
 sudo DEBIAN_FRONTEND=noninteractive NEEDRESTART_MODE=a apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive NEEDRESTART_MODE=a apt-get install -y -qq build-essential python3-dev libffi-dev >/dev/null 2>&1 || true
@@ -908,6 +913,8 @@ install_node_deps() {
 cd "$INSTALL_DIR" && npx playwright install chromium 2>/dev/null || true
 ;;
 *)
+ log_info "Playwright may request sudo to install browser system dependencies (shared libraries)."
+ log_info "This is standard Playwright setup — Hermes itself does not require root access."
 cd "$INSTALL_DIR" && npx playwright install --with-deps chromium 2>/dev/null || true
 ;;
 esac
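Review bot: The package names in the new `log_info` line are a hand-written copy of the arguments on the two `apt-get install` lines, so the consent text can drift from what actually runs under sudo. The removed prompt shows this already happened once: it omitted libffi-dev while the command installed it. Define the list once with `local build_pkgs=(build-essential python3-dev libffi-dev)`, print `${build_pkgs[*]}` in the message and pass `"${build_pkgs[@]}"` to apt-get. install_deps starts and ends outside this hunk.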
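Review bot: Unlike the other prompts touched in this commit, the `*)` branch names no packages and asks for no confirmation before `npx playwright install --with-deps chromium` escalates. The `2>/dev/null || true` on that line also discards Playwright's own diagnostics and any failure. At minimum keep stderr so the user can see what is being installed as root: `cd "$INSTALL_DIR" && npx playwright install --with-deps chromium || true`. A `[y/N]` confirmation matching the interactive branch of install_system_packages would make the behaviour consistent. The case statement begins outside the hunk.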