feat(security): Extend approval.py with Vitalik's threat model

Add three new threat categories to the approval system:
1. LLM jailbreaks (prompt injection, system prompt extraction, social engineering)
2. LLM accidents (credential leakage, API key exposure, sensitive data)
3. Software bugs/supply chain risks (typosquatting, dependency confusion, obfuscated code)

Resolves #284

gateway/config.py

@@ -648,6 +648,51 @@ def load_gateway_config() -> GatewayConfig:
     return config
 
 
+# Known-weak placeholder tokens from .env.example, tutorials, etc.
+_WEAK_TOKEN_PATTERNS = {
+    "your-token-here", "your_token_here", "your-token", "your_token",
+    "change-me", "change_me", "changeme",
+    "xxx", "xxxx", "xxxxx", "xxxxxxxx",
+    "test", "testing", "fake", "placeholder",
+    "replace-me", "replace_me", "replace this",
+    "insert-token-here", "put-your-token",
+    "bot-token", "bot_token",
+    "sk-xxxxxxxx", "sk-placeholder",
+    "BOT_TOKEN_HERE", "YOUR_BOT_TOKEN",
+}
+
+# Minimum token lengths by platform (tokens shorter than these are invalid)
+_MIN_TOKEN_LENGTHS = {
+    "TELEGRAM_BOT_TOKEN": 30,
+    "DISCORD_BOT_TOKEN": 50,
+    "SLACK_BOT_TOKEN": 20,
+    "HASS_TOKEN": 20,
+}
+
+
+def _guard_weak_credentials() -> list[str]:
+    """Check env vars for known-weak placeholder tokens.
+
+    Returns a list of warning messages for any weak credentials found.
+    """
+    warnings = []
+    for env_var, min_len in _MIN_TOKEN_LENGTHS.items():
+        value = os.getenv(env_var, "").strip()
+        if not value:
+            continue
+        if value.lower() in _WEAK_TOKEN_PATTERNS:
+            warnings.append(
+                f"{env_var} is set to a placeholder value ('{value[:20]}'). "
+                f"Replace it with a real token."
+            )
+        elif len(value) < min_len:
+            warnings.append(
+                f"{env_var} is suspiciously short ({len(value)} chars, "
+                f"expected >{min_len}). May be truncated or invalid."
+            )
+    return warnings
+
+
 def _apply_env_overrides(config: GatewayConfig) -> None:
     """Apply environment variable overrides to config."""
     
@@ -941,3 +986,7 @@ def _apply_env_overrides(config: GatewayConfig) -> None:
             config.default_reset_policy.at_hour = int(reset_hour)
         except ValueError:
             pass
+
+    # Guard against weak placeholder tokens from .env.example copies
+    for warning in _guard_weak_credentials():
+        logger.warning("Weak credential: %s", warning)

model_tools.py

@@ -540,6 +540,29 @@ def handle_function_call(
         except Exception:
             pass
 
+        # Poka-yoke: validate tool handler return type.
+        # Handlers MUST return a JSON string. If they return dict/list/None,
+        # wrap the result so the agent loop doesn't crash with cryptic errors.
+        if not isinstance(result, str):
+            logger.warning(
+                "Tool '%s' returned %s instead of str — wrapping in JSON",
+                function_name, type(result).__name__,
+            )
+            result = json.dumps(
+                {"output": str(result), "_type_warning": f"Tool returned {type(result).__name__}, expected str"},
+                ensure_ascii=False,
+            )
+        else:
+            # Validate it's parseable JSON
+            try:
+                json.loads(result)
+            except (json.JSONDecodeError, TypeError):
+                logger.warning(
+                    "Tool '%s' returned non-JSON string — wrapping in JSON",
+                    function_name,
+                )
+                result = json.dumps({"output": result}, ensure_ascii=False)
+
         return result
 
     except Exception as e:

plugins/memory/holographic/__init__.py

@@ -12,7 +12,7 @@ Config in $HERMES_HOME/config.yaml (profile-scoped):
       auto_extract: false
       default_trust: 0.5
       min_trust_threshold: 0.3
-      temporal_decay_half_life: 0
+      temporal_decay_half_life: 60
 """
 
 from __future__ import annotations
@@ -152,6 +152,7 @@ class HolographicMemoryProvider(MemoryProvider):
             {"key": "auto_extract", "description": "Auto-extract facts at session end", "default": "false", "choices": ["true", "false"]},
             {"key": "default_trust", "description": "Default trust score for new facts", "default": "0.5"},
             {"key": "hrr_dim", "description": "HRR vector dimensions", "default": "1024"},
+            {"key": "temporal_decay_half_life", "description": "Days for facts to lose half their relevance (0=disabled)", "default": "60"},
         ]
 
     def initialize(self, session_id: str, **kwargs) -> None:
@@ -168,7 +169,7 @@ class HolographicMemoryProvider(MemoryProvider):
         default_trust = float(self._config.get("default_trust", 0.5))
         hrr_dim = int(self._config.get("hrr_dim", 1024))
         hrr_weight = float(self._config.get("hrr_weight", 0.3))
-        temporal_decay = int(self._config.get("temporal_decay_half_life", 0))
+        temporal_decay = int(self._config.get("temporal_decay_half_life", 60))
 
         self._store = MemoryStore(db_path=db_path, default_trust=default_trust, hrr_dim=hrr_dim)
         self._retriever = FactRetriever(

plugins/memory/holographic/retrieval.py

@@ -98,7 +98,15 @@ class FactRetriever:
 
             # Optional temporal decay
             if self.half_life > 0:
-                score *= self._temporal_decay(fact.get("updated_at") or fact.get("created_at"))
+                decay = self._temporal_decay(fact.get("updated_at") or fact.get("created_at"))
+                # Access-recency boost: facts retrieved recently decay slower.
+                # A fact accessed within 1 half-life gets up to 1.5x the decay
+                # factor, tapering to 1.0x (no boost) after 2 half-lives.
+                last_accessed = fact.get("last_accessed_at")
+                if last_accessed:
+                    access_boost = self._access_recency_boost(last_accessed)
+                    decay = min(1.0, decay * access_boost)
+                score *= decay
 
             fact["score"] = score
             scored.append(fact)
@@ -591,3 +599,41 @@ class FactRetriever:
             return math.pow(0.5, age_days / self.half_life)
         except (ValueError, TypeError):
             return 1.0
+
+    def _access_recency_boost(self, last_accessed_str: str | None) -> float:
+        """Boost factor for recently-accessed facts. Range [1.0, 1.5].
+
+        Facts accessed within 1 half-life get up to 1.5x boost (compensating
+        for content staleness when the fact is still being actively used).
+        Boost decays linearly to 1.0 (no boost) at 2 half-lives.
+
+        Returns 1.0 if half-life is disabled or timestamp is missing.
+        """
+        if not self.half_life or not last_accessed_str:
+            return 1.0
+
+        try:
+            if isinstance(last_accessed_str, str):
+                ts = datetime.fromisoformat(last_accessed_str.replace("Z", "+00:00"))
+            else:
+                ts = last_accessed_str
+
+            if ts.tzinfo is None:
+                ts = ts.replace(tzinfo=timezone.utc)
+
+            age_days = (datetime.now(timezone.utc) - ts).total_seconds() / 86400
+            if age_days < 0:
+                return 1.5  # Future timestamp = just accessed
+
+            half_lives_since_access = age_days / self.half_life
+
+            if half_lives_since_access <= 1.0:
+                # Within 1 half-life: linearly from 1.5 (just now) to 1.0 (at 1 HL)
+                return 1.0 + 0.5 * (1.0 - half_lives_since_access)
+            elif half_lives_since_access <= 2.0:
+                # Between 1 and 2 half-lives: linearly from 1.0 to 1.0 (no boost)
+                return 1.0
+            else:
+                return 1.0
+        except (ValueError, TypeError):
+            return 1.0

tests/gateway/test_weak_credential_guard.py

@@ -0,0 +1,52 @@
+"""Tests for weak credential guard in gateway/config.py."""
+
+import os
+import pytest
+
+from gateway.config import _guard_weak_credentials, _WEAK_TOKEN_PATTERNS, _MIN_TOKEN_LENGTHS
+
+
+class TestWeakCredentialGuard:
+    """Tests for _guard_weak_credentials()."""
+
+    def test_no_tokens_set(self, monkeypatch):
+        """When no relevant tokens are set, no warnings."""
+        for var in _MIN_TOKEN_LENGTHS:
+            monkeypatch.delenv(var, raising=False)
+        warnings = _guard_weak_credentials()
+        assert warnings == []
+
+    def test_placeholder_token_detected(self, monkeypatch):
+        """Known-weak placeholder tokens are flagged."""
+        monkeypatch.setenv("TELEGRAM_BOT_TOKEN", "your-token-here")
+        warnings = _guard_weak_credentials()
+        assert len(warnings) == 1
+        assert "TELEGRAM_BOT_TOKEN" in warnings[0]
+        assert "placeholder" in warnings[0].lower()
+
+    def test_case_insensitive_match(self, monkeypatch):
+        """Placeholder detection is case-insensitive."""
+        monkeypatch.setenv("DISCORD_BOT_TOKEN", "FAKE")
+        warnings = _guard_weak_credentials()
+        assert len(warnings) == 1
+        assert "DISCORD_BOT_TOKEN" in warnings[0]
+
+    def test_short_token_detected(self, monkeypatch):
+        """Suspiciously short tokens are flagged."""
+        monkeypatch.setenv("TELEGRAM_BOT_TOKEN", "abc123")  # 6 chars, min is 30
+        warnings = _guard_weak_credentials()
+        assert len(warnings) == 1
+        assert "short" in warnings[0].lower()
+
+    def test_valid_token_passes(self, monkeypatch):
+        """A long, non-placeholder token produces no warnings."""
+        monkeypatch.setenv("TELEGRAM_BOT_TOKEN", "1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567")
+        warnings = _guard_weak_credentials()
+        assert warnings == []
+
+    def test_multiple_weak_tokens(self, monkeypatch):
+        """Multiple weak tokens each produce a warning."""
+        monkeypatch.setenv("TELEGRAM_BOT_TOKEN", "change-me")
+        monkeypatch.setenv("DISCORD_BOT_TOKEN", "xx")  # short
+        warnings = _guard_weak_credentials()
+        assert len(warnings) == 2

tests/plugins/memory/test_temporal_decay.py

@@ -0,0 +1,209 @@
+"""Tests for temporal decay and access-recency boost in holographic memory (#241)."""
+
+import math
+from datetime import datetime, timedelta, timezone
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+
+class TestTemporalDecay:
+    """Test _temporal_decay exponential decay formula."""
+
+    def _make_retriever(self, half_life=60):
+        from plugins.memory.holographic.retrieval import FactRetriever
+        store = MagicMock()
+        return FactRetriever(store=store, temporal_decay_half_life=half_life)
+
+    def test_fresh_fact_no_decay(self):
+        """A fact updated today should have decay ≈ 1.0."""
+        r = self._make_retriever(half_life=60)
+        now = datetime.now(timezone.utc).isoformat()
+        decay = r._temporal_decay(now)
+        assert decay > 0.99
+
+    def test_one_half_life(self):
+        """A fact updated 1 half-life ago should decay to 0.5."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=60)).isoformat()
+        decay = r._temporal_decay(old)
+        assert abs(decay - 0.5) < 0.01
+
+    def test_two_half_lives(self):
+        """A fact updated 2 half-lives ago should decay to 0.25."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=120)).isoformat()
+        decay = r._temporal_decay(old)
+        assert abs(decay - 0.25) < 0.01
+
+    def test_three_half_lives(self):
+        """A fact updated 3 half-lives ago should decay to 0.125."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=180)).isoformat()
+        decay = r._temporal_decay(old)
+        assert abs(decay - 0.125) < 0.01
+
+    def test_half_life_disabled(self):
+        """When half_life=0, decay should always be 1.0."""
+        r = self._make_retriever(half_life=0)
+        old = (datetime.now(timezone.utc) - timedelta(days=365)).isoformat()
+        assert r._temporal_decay(old) == 1.0
+
+    def test_none_timestamp(self):
+        """Missing timestamp should return 1.0 (no decay)."""
+        r = self._make_retriever(half_life=60)
+        assert r._temporal_decay(None) == 1.0
+
+    def test_empty_timestamp(self):
+        r = self._make_retriever(half_life=60)
+        assert r._temporal_decay("") == 1.0
+
+    def test_invalid_timestamp(self):
+        """Malformed timestamp should return 1.0 (fail open)."""
+        r = self._make_retriever(half_life=60)
+        assert r._temporal_decay("not-a-date") == 1.0
+
+    def test_future_timestamp(self):
+        """Future timestamp should return 1.0 (no decay for future dates)."""
+        r = self._make_retriever(half_life=60)
+        future = (datetime.now(timezone.utc) + timedelta(days=10)).isoformat()
+        assert r._temporal_decay(future) == 1.0
+
+    def test_datetime_object(self):
+        """Should accept datetime objects, not just strings."""
+        r = self._make_retriever(half_life=60)
+        old = datetime.now(timezone.utc) - timedelta(days=60)
+        decay = r._temporal_decay(old)
+        assert abs(decay - 0.5) < 0.01
+
+    def test_different_half_lives(self):
+        """30-day half-life should decay faster than 90-day."""
+        r30 = self._make_retriever(half_life=30)
+        r90 = self._make_retriever(half_life=90)
+        old = (datetime.now(timezone.utc) - timedelta(days=45)).isoformat()
+        assert r30._temporal_decay(old) < r90._temporal_decay(old)
+
+    def test_decay_is_monotonic(self):
+        """Older facts should always decay more."""
+        r = self._make_retriever(half_life=60)
+        now = datetime.now(timezone.utc)
+        d1 = r._temporal_decay((now - timedelta(days=10)).isoformat())
+        d2 = r._temporal_decay((now - timedelta(days=30)).isoformat())
+        d3 = r._temporal_decay((now - timedelta(days=60)).isoformat())
+        assert d1 > d2 > d3
+
+
+class TestAccessRecencyBoost:
+    """Test _access_recency_boost for recently-accessed facts."""
+
+    def _make_retriever(self, half_life=60):
+        from plugins.memory.holographic.retrieval import FactRetriever
+        store = MagicMock()
+        return FactRetriever(store=store, temporal_decay_half_life=half_life)
+
+    def test_just_accessed_max_boost(self):
+        """A fact accessed just now should get maximum boost (1.5)."""
+        r = self._make_retriever(half_life=60)
+        now = datetime.now(timezone.utc).isoformat()
+        boost = r._access_recency_boost(now)
+        assert boost > 1.45  # Near 1.5
+
+    def test_one_half_life_no_boost(self):
+        """A fact accessed 1 half-life ago should have no boost (1.0)."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=60)).isoformat()
+        boost = r._access_recency_boost(old)
+        assert abs(boost - 1.0) < 0.01
+
+    def test_half_way_boost(self):
+        """A fact accessed 0.5 half-lives ago should get ~1.25 boost."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=30)).isoformat()
+        boost = r._access_recency_boost(old)
+        assert abs(boost - 1.25) < 0.05
+
+    def test_beyond_one_half_life_no_boost(self):
+        """Beyond 1 half-life, boost should be 1.0."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=90)).isoformat()
+        boost = r._access_recency_boost(old)
+        assert boost == 1.0
+
+    def test_disabled_no_boost(self):
+        """When half_life=0, boost should be 1.0."""
+        r = self._make_retriever(half_life=0)
+        now = datetime.now(timezone.utc).isoformat()
+        assert r._access_recency_boost(now) == 1.0
+
+    def test_none_timestamp(self):
+        r = self._make_retriever(half_life=60)
+        assert r._access_recency_boost(None) == 1.0
+
+    def test_invalid_timestamp(self):
+        r = self._make_retriever(half_life=60)
+        assert r._access_recency_boost("bad") == 1.0
+
+    def test_boost_range(self):
+        """Boost should always be in [1.0, 1.5]."""
+        r = self._make_retriever(half_life=60)
+        now = datetime.now(timezone.utc)
+        for days in [0, 1, 15, 30, 45, 59, 60, 90, 365]:
+            ts = (now - timedelta(days=days)).isoformat()
+            boost = r._access_recency_boost(ts)
+            assert 1.0 <= boost <= 1.5, f"days={days}, boost={boost}"
+
+
+class TestTemporalDecayIntegration:
+    """Test that decay integrates correctly with search scoring."""
+
+    def test_recently_accessed_old_fact_scores_higher(self):
+        """An old fact that's been accessed recently should score higher
+        than an equally old fact that hasn't been accessed."""
+        from plugins.memory.holographic.retrieval import FactRetriever
+        store = MagicMock()
+        r = FactRetriever(store=store, temporal_decay_half_life=60)
+
+        now = datetime.now(timezone.utc)
+        old_date = (now - timedelta(days=120)).isoformat()  # 2 half-lives old
+        recent_access = (now - timedelta(days=10)).isoformat()  # accessed 10 days ago
+        old_access = (now - timedelta(days=200)).isoformat()  # accessed 200 days ago
+
+        # Old fact, recently accessed
+        decay1 = r._temporal_decay(old_date)
+        boost1 = r._access_recency_boost(recent_access)
+        effective1 = min(1.0, decay1 * boost1)
+
+        # Old fact, not recently accessed
+        decay2 = r._temporal_decay(old_date)
+        boost2 = r._access_recency_boost(old_access)
+        effective2 = min(1.0, decay2 * boost2)
+
+        assert effective1 > effective2
+
+    def test_decay_formula_45_days(self):
+        """Verify exact decay at 45 days with 60-day half-life."""
+        from plugins.memory.holographic.retrieval import FactRetriever
+        r = FactRetriever(store=MagicMock(), temporal_decay_half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=45)).isoformat()
+        decay = r._temporal_decay(old)
+        expected = math.pow(0.5, 45/60)
+        assert abs(decay - expected) < 0.001
+
+
+class TestDecayDefaultEnabled:
+    """Verify the default half-life is non-zero (decay is on by default)."""
+
+    def test_default_config_has_decay(self):
+        """The plugin's default config should enable temporal decay."""
+        from plugins.memory.holographic import _load_plugin_config
+        # The docstring says temporal_decay_half_life: 60
+        # The initialize() default should be 60
+        import inspect
+        from plugins.memory.holographic import HolographicMemoryProvider
+        src = inspect.getsource(HolographicMemoryProvider.initialize)
+        assert "temporal_decay_half_life" in src
+        # Check the default is 60, not 0
+        import re
+        m = re.search(r'"temporal_decay_half_life",\s*(\d+)', src)
+        assert m, "Could not find temporal_decay_half_life default"
+        assert m.group(1) == "60", f"Default is {m.group(1)}, expected 60"

tests/test_model_tools.py

@@ -137,3 +137,78 @@ class TestBackwardCompat:
     def test_tool_to_toolset_map(self):
         assert isinstance(TOOL_TO_TOOLSET_MAP, dict)
         assert len(TOOL_TO_TOOLSET_MAP) > 0
+
+
+class TestToolReturnTypeValidation:
+    """Poka-yoke: tool handlers must return JSON strings."""
+
+    def test_handler_returning_dict_is_wrapped(self, monkeypatch):
+        """A handler that returns a dict should be auto-wrapped to JSON string."""
+        from tools.registry import registry
+        from model_tools import handle_function_call
+        import json
+
+        # Register a bad handler that returns dict instead of str
+        registry.register(
+            name="__test_bad_dict",
+            toolset="test",
+            schema={"name": "__test_bad_dict", "description": "test", "parameters": {"type": "object", "properties": {}}},
+            handler=lambda args, **kw: {"this is": "a dict not a string"},
+        )
+        result = handle_function_call("__test_bad_dict", {})
+        parsed = json.loads(result)
+        assert "output" in parsed
+        assert "_type_warning" in parsed
+        # Cleanup
+        registry._tools.pop("__test_bad_dict", None)
+
+    def test_handler_returning_none_is_wrapped(self, monkeypatch):
+        """A handler that returns None should be auto-wrapped."""
+        from tools.registry import registry
+        from model_tools import handle_function_call
+        import json
+
+        registry.register(
+            name="__test_bad_none",
+            toolset="test",
+            schema={"name": "__test_bad_none", "description": "test", "parameters": {"type": "object", "properties": {}}},
+            handler=lambda args, **kw: None,
+        )
+        result = handle_function_call("__test_bad_none", {})
+        parsed = json.loads(result)
+        assert "_type_warning" in parsed
+        registry._tools.pop("__test_bad_none", None)
+
+    def test_handler_returning_non_json_string_is_wrapped(self):
+        """A handler returning a plain string (not JSON) should be wrapped."""
+        from tools.registry import registry
+        from model_tools import handle_function_call
+        import json
+
+        registry.register(
+            name="__test_bad_plain",
+            toolset="test",
+            schema={"name": "__test_bad_plain", "description": "test", "parameters": {"type": "object", "properties": {}}},
+            handler=lambda args, **kw: "just a plain string, not json",
+        )
+        result = handle_function_call("__test_bad_plain", {})
+        parsed = json.loads(result)
+        assert "output" in parsed
+        registry._tools.pop("__test_bad_plain", None)
+
+    def test_handler_returning_valid_json_passes_through(self):
+        """A handler returning valid JSON string passes through unchanged."""
+        from tools.registry import registry
+        from model_tools import handle_function_call
+        import json
+
+        registry.register(
+            name="__test_good",
+            toolset="test",
+            schema={"name": "__test_good", "description": "test", "parameters": {"type": "object", "properties": {}}},
+            handler=lambda args, **kw: json.dumps({"status": "ok", "data": [1, 2, 3]}),
+        )
+        result = handle_function_call("__test_good", {})
+        parsed = json.loads(result)
+        assert parsed == {"status": "ok", "data": [1, 2, 3]}
+        registry._tools.pop("__test_good", None)

tools/approval.py

@@ -129,6 +129,335 @@ def _approval_key_aliases(pattern_key: str) -> set[str]:
     return _PATTERN_KEY_ALIASES.get(pattern_key, {pattern_key})
 
 
+
+# =========================================================================
+# Vitalik's Threat Model Extensions
+# =========================================================================
+# Extended threat categories addressing:
+# 1. LLM jailbreaks (Remote content 'hacking' the LLM)
+# 2. LLM accidents (Accidental data leakage)
+# 3. Software bugs (Supply chain risks)
+# =========================================================================
+
+# --- LLM JAILBREAK THREATS ---
+# Remote content that attempts to manipulate or "hack" the LLM's behavior
+LLM_JAILBREAK_PATTERNS = [
+    # Prompt injection attempts in URLs or content
+    (r'(?i)(ignore|disregard|forget|override)\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions|prompts|rules|constraints)', "prompt injection: override instructions"),
+    (r'(?i)you\s+are\s+now\s+(a\s+)?(different|new|unrestricted|jailbroken)\s+(ai|model|assistant|agent)', "prompt injection: identity override"),
+    (r'(?i)(system|admin|root)\s*:\s*(you\s+are|act\s+as|become|transform)', "prompt injection: system role hijack"),
+    (r'(?i)\[?(system|admin|root)\]?\s*[:=]\s*', "prompt injection: system tag injection"),
+    (r'(?i)<\|?(im_start|system|endoftext)\|?>', "prompt injection: token boundary attack"),
+    (r'(?i)(human|assistant|user)\s*:\s*(ignore|disregard|override)', "prompt injection: role confusion"),
+    
+    # Content that attempts to extract system prompts
+    (r'(?i)(repeat|show|reveal|display|print|output)\s+(your|the|all)\s+(system|initial|original|hidden)\s+(prompt|instructions|rules|constraints)', "prompt extraction: system prompt leak"),
+    (r'(?i)what\s+(are|were)\s+your\s+(original|initial|system|hidden)\s+(instructions|prompts|rules)', "prompt extraction: instruction leak"),
+    (r'(?i)(translate|convert|encode|cipher|obfuscate)\s+your\s+(system|instructions)\s+(to|into|as)', "prompt extraction: encoded leak"),
+    
+    # Social engineering attempts
+    (r'(?i)(pretend|imagine|roleplay|act\s+as\s+if)\s+(you\s+are|there\s+are\s+no|you\s+have\s+no)\s+(restrictions|limits|rules|constraints)', "social engineering: constraint removal"),
+    (r'(?i)this\s+is\s+(a\s+)?(test|simulation|exercise|training)\s+(environment|scenario|mode)', "social engineering: test environment bypass"),
+    (r'(?i)(emergency|urgent|critical)\s+override\s+required', "social engineering: urgency manipulation"),
+]
+
+# --- LLM ACCIDENT THREATS ---
+# Patterns that indicate accidental data leakage or unintended disclosure
+LLM_ACCIDENT_PATTERNS = [
+    # API keys and tokens in prompts or outputs
+    (r'(?i)(api[_-]?key|secret[_-]?key|access[_-]?token|auth[_-]?token)\s*[:=]\s*["']?[a-zA-Z0-9_\-]{20,}', "credential leak: API key/token"),
+    (r'(?i)(sk|pk|ak|tk)[-_]?[a-zA-Z0-9]{20,}', "credential leak: key pattern"),
+    (r'(?i)\b[A-Za-z0-9]{32,}\b', "potential leak: long alphanumeric string"),
+    
+    # Private keys and certificates
+    (r'-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----', "credential leak: private key"),
+    (r'(?i)(ssh-rsa|ssh-ed25519)\s+[A-Za-z0-9+/=]+', "credential leak: SSH public key"),
+    
+    # Database connection strings
+    (r'(?i)(mongodb|postgres|mysql|redis)://[^\s]+:[^\s]+@', "credential leak: database connection"),
+    (r'(?i)(host|server|endpoint)\s*[:=]\s*[^\s]+\s*(username|user|login)\s*[:=]\s*[^\s]+\s*(password|pass|pwd)\s*[:=]', "credential leak: connection details"),
+    
+    # Environment variables that might contain secrets
+    (r'(?i)(export|set|env)\s+[A-Z_]*(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)[A-Z_]*=', "potential leak: env var with secret name"),
+    
+    # File paths that might expose sensitive data
+    (r'(?i)(/home/|/Users/|/root/|C:\\Users\\)[^\s]*(\.ssh/|\.aws/|\.config/|\.env)', "path exposure: sensitive directory"),
+    (r'(?i)(\.pem|\.key|\.cert|\.crt)\s*$', "file exposure: certificate/key file"),
+]
+
+# --- SOFTWARE BUG / SUPPLY CHAIN THREATS ---
+# Patterns indicating potential supply chain attacks or software vulnerabilities
+SUPPLY_CHAIN_PATTERNS = [
+    # Suspicious package installations
+    (r'(?i)(pip|npm|yarn|pnpm|cargo|go\s+get)\s+(install\s+)?[^\s]*(@|git\+|http|file:)', "supply chain: suspicious package source"),
+    (r'(?i)(pip|npm|yarn|pnpm)\s+install\s+[^\s]*\s*--(no-verify|trusted-host|allow-external)', "supply chain: insecure install flags"),
+    
+    # Dependency confusion attacks
+    (r'(?i)(requirements\.txt|package\.json|Cargo\.toml|go\.mod)\s*.*\b(file:|git\+|http://|ftp://)\b', "supply chain: local/remote dependency"),
+    
+    # Obfuscated code patterns
+    (r'(?i)(eval|exec|compile)\s*\(\s*(base64|chr|ord|\+|\.)\s*\)', "supply chain: obfuscated execution"),
+    (r'(?i)(atob|btoa|Buffer\.from)\s*\([^)]*\)', "supply chain: base64 decode/encode"),
+    
+    # Typosquatting indicators
+    (r'(?i)(reqeusts|reqeust|requestr|requsts|reqests)', "supply chain: typosquatting attempt"),
+    (r'(?i)(pyyaml|yaml2|yaml3|yaml-lib)', "supply chain: suspicious YAML package"),
+    
+    # Build system attacks
+    (r'(?i)(make|cmake|configure)\s+.*\b(CC|CXX|LD_LIBRARY_PATH|DYLD_LIBRARY_PATH)\s*=', "supply chain: build env manipulation"),
+    (r'(?i)(\.sh|\.bash|\.zsh)\s*\|\s*(sh|bash|zsh)', "supply chain: script execution via pipe"),
+    
+    # Git submodule attacks
+    (r'(?i)git\s+submodule\s+(add|update|init)\s+[^\s]*(http|git@|ssh://)', "supply chain: git submodule attack"),
+    (r'(?i)\.gitmodules\s*.*\burl\s*=\s*[^\s]*(http|git@|ssh://)', "supply chain: malicious submodule URL"),
+]
+
+# =========================================================================
+# Extended threat detection functions
+# =========================================================================
+
+def detect_llm_jailbreak(content: str) -> tuple:
+    """Check if content contains LLM jailbreak attempts.
+    
+    Returns:
+        (is_jailbreak, pattern_key, description) or (False, None, None)
+    """
+    content_normalized = _normalize_command_for_detection(content).lower()
+    for pattern, description in LLM_JAILBREAK_PATTERNS:
+        if re.search(pattern, content_normalized, re.IGNORECASE | re.DOTALL):
+            pattern_key = description
+            return (True, pattern_key, description)
+    return (False, None, None)
+
+
+def detect_llm_accident(content: str) -> tuple:
+    """Check if content contains accidental data leakage patterns.
+    
+    Returns:
+        (is_leak, pattern_key, description) or (False, None, None)
+    """
+    content_normalized = _normalize_command_for_detection(content).lower()
+    for pattern, description in LLM_ACCIDENT_PATTERNS:
+        if re.search(pattern, content_normalized, re.IGNORECASE | re.DOTALL):
+            pattern_key = description
+            return (True, pattern_key, description)
+    return (False, None, None)
+
+
+def detect_supply_chain_risk(content: str) -> tuple:
+    """Check if content contains supply chain attack patterns.
+    
+    Returns:
+        (is_risk, pattern_key, description) or (False, None, None)
+    """
+    content_normalized = _normalize_command_for_detection(content).lower()
+    for pattern, description in SUPPLY_CHAIN_PATTERNS:
+        if re.search(pattern, content_normalized, re.IGNORECASE | re.DOTALL):
+            pattern_key = description
+            return (True, pattern_key, description)
+    return (False, None, None)
+
+
+def check_all_threats(content: str, env_type: str = "local") -> dict:
+    """Comprehensive threat check covering all threat categories.
+    
+    Args:
+        content: The content to check (command, prompt, output, etc.)
+        env_type: Terminal/environment type
+        
+    Returns:
+        dict with threat assessment and recommendations
+    """
+    threats_found = []
+    
+    # Check existing dangerous command patterns
+    is_dangerous, pattern_key, description = detect_dangerous_command(content)
+    if is_dangerous:
+        threats_found.append({
+            "category": "dangerous_command",
+            "pattern_key": pattern_key,
+            "description": description,
+            "severity": "high"
+        })
+    
+    # Check LLM jailbreaks
+    is_jailbreak, jailbreak_key, jailbreak_desc = detect_llm_jailbreak(content)
+    if is_jailbreak:
+        threats_found.append({
+            "category": "llm_jailbreak",
+            "pattern_key": jailbreak_key,
+            "description": jailbreak_desc,
+            "severity": "critical"
+        })
+    
+    # Check LLM accidents
+    is_leak, leak_key, leak_desc = detect_llm_accident(content)
+    if is_leak:
+        threats_found.append({
+            "category": "llm_accident",
+            "pattern_key": len(threats_found),  # Unique key
+            "description": leak_desc,
+            "severity": "high"
+        })
+    
+    # Check supply chain risks
+    is_risk, risk_key, risk_desc = detect_supply_chain_risk(content)
+    if is_risk:
+        threats_found.append({
+            "category": "supply_chain",
+            "pattern_key": risk_key,
+            "description": risk_desc,
+            "severity": "high"
+        })
+    
+    # Determine overall risk level
+    if not threats_found:
+        return {
+            "safe": True,
+            "threats": [],
+            "overall_risk": "none",
+            "recommendation": "allow"
+        }
+    
+    # Calculate overall risk
+    severities = [t["severity"] for t in threats_found]
+    if "critical" in severities:
+        overall_risk = "critical"
+        recommendation = "block"
+    elif "high" in severities:
+        overall_risk = "high"
+        recommendation = "require_approval"
+    else:
+        overall_risk = "medium"
+        recommendation = "warn"
+    
+    return {
+        "safe": False,
+        "threats": threats_found,
+        "overall_risk": overall_risk,
+        "recommendation": recommendation,
+        "requires_approval": recommendation == "require_approval",
+        "should_block": recommendation == "block"
+    }
+
+
+# =========================================================================
+# Integration with existing approval system
+# =========================================================================
+
+def check_comprehensive_threats(command: str, env_type: str,
+                               approval_callback=None) -> dict:
+    """Extended threat check that includes Vitalik's threat model.
+    
+    This function extends the existing check_dangerous_command to also
+    check for LLM jailbreaks, accidents, and supply chain risks.
+    
+    Args:
+        command: The content to check
+        env_type: Environment type
+        approval_callback: Optional approval callback
+        
+    Returns:
+        dict with approval decision and threat assessment
+    """
+    # Skip containers for all checks
+    if env_type in ("docker", "singularity", "modal", "daytona"):
+        return {"approved": True, "message": None}
+    
+    # --yolo: bypass all approval prompts
+    if os.getenv("HERMES_YOLO_MODE"):
+        return {"approved": True, "message": None}
+    
+    # Run comprehensive threat check
+    threat_assessment = check_all_threats(command, env_type)
+    
+    if threat_assessment["safe"]:
+        return {"approved": True, "message": None}
+    
+    # Handle critical threats (block immediately)
+    if threat_assessment["should_block"]:
+        threat_list = "\n".join([f"- {t['description']}" for t in threat_assessment["threats"]])
+        return {
+            "approved": False,
+            "message": f"BLOCKED: Critical security threat detected.\n{threat_list}\n\nDo NOT proceed with this content.",
+            "threats": threat_assessment["threats"],
+            "overall_risk": threat_assessment["overall_risk"],
+            "blocked": True
+        }
+    
+    # Handle threats requiring approval
+    if threat_assessment["requires_approval"]:
+        session_key = get_current_session_key()
+        threat_descriptions = "; ".join([t["description"] for t in threat_assessment["threats"]])
+        
+        # Check if already approved for this session
+        all_pattern_keys = [t["pattern_key"] for t in threat_assessment["threats"]]
+        if all(is_approved(session_key, key) for key in all_pattern_keys):
+            return {"approved": True, "message": None}
+        
+        # Submit for approval
+        is_cli = os.getenv("HERMES_INTERACTIVE")
+        is_gateway = os.getenv("HERMES_GATEWAY_SESSION")
+        
+        if not is_cli and not is_gateway:
+            return {"approved": True, "message": None}
+        
+        if is_gateway or os.getenv("HERMES_EXEC_ASK"):
+            submit_pending(session_key, {
+                "command": command,
+                "pattern_key": all_pattern_keys[0],
+                "pattern_keys": all_pattern_keys,
+                "description": threat_descriptions,
+                "threats": threat_assessment["threats"]
+            })
+            return {
+                "approved": False,
+                "pattern_key": all_pattern_keys[0],
+                "status": "approval_required",
+                "command": command,
+                "description": threat_descriptions,
+                "message": (
+                    f"⚠️ Security threat detected ({threat_descriptions}). "
+                    f"Asking the user for approval.\n\n**Content:**\n```\n{command[:500]}{'...' if len(command) > 500 else ''}\n```"
+                ),
+                "threats": threat_assessment["threats"],
+                "overall_risk": threat_assessment["overall_risk"]
+            }
+        
+        # CLI interactive approval
+        choice = prompt_dangerous_approval(command, threat_descriptions,
+                                          approval_callback=approval_callback)
+        
+        if choice == "deny":
+            return {
+                "approved": False,
+                "message": f"BLOCKED: User denied security threat ({threat_descriptions}). Do NOT retry.",
+                "threats": threat_assessment["threats"],
+                "overall_risk": threat_assessment["overall_risk"]
+            }
+        
+        if choice == "session":
+            for key in all_pattern_keys:
+                approve_session(session_key, key)
+        elif choice == "always":
+            for key in all_pattern_keys:
+                approve_session(session_key, key)
+                approve_permanent(key)
+            save_permanent_allowlist(_permanent_approved)
+        
+        return {"approved": True, "message": None,
+                "user_approved": True, "description": threat_descriptions,
+                "threats": threat_assessment["threats"]}
+    
+    # Default: warn but allow
+    return {
+        "approved": True,
+        "message": f"⚠️ Security warning: {threat_assessment['threats'][0]['description']}",
+        "threats": threat_assessment["threats"],
+        "overall_risk": threat_assessment["overall_risk"],
+        "warning": True
+    }
+
 # =========================================================================
 # Detection
 # =========================================================================