PL ju> UdZddlmZddlZddlZddlZddlmZmZddl m Z ddl m Z m Z ejeZedGd d Zed d d ddedhffdddfZded<edGddZd?dZefd@d!ZdAd#ZdBd&ZdCd(ZdDd)ZdEd+ZdFd-Zd.Zd/ZdGd1Z dHd3Z!dId6Z"ed7dJd:Z#dKd<Z$dLd=Z%dLd>Z&dS)Ma1 Security advisory checker for Hermes Agent. Detects known-compromised Python packages installed in the active venv (supply-chain attacks like the Mini Shai-Hulud worm of May 2026 that poisoned ``mistralai 2.4.6`` on PyPI) and surfaces remediation guidance to the user. Design goals: - **Cheap.** A single ``importlib.metadata.version()`` call per advisory package. Safe to run on every CLI startup. - **Loud when it matters, silent otherwise.** If no compromised package is installed, the user sees nothing. - **Acknowledgeable.** Once the user has read and acted on an advisory they can dismiss it via ``hermes doctor --ack ``; the ack is persisted to ``config.security.acked_advisories`` and survives restart. - **Extensible.** Adding a new advisory is one entry in ``ADVISORIES``; adding a new compromised version is a one-line edit. No code changes needed when the next worm hits. The check is invoked from three places: 1. ``hermes doctor`` (and ``hermes doctor --ack ``) 2. CLI startup banner (one short line, then full guidance via ``hermes doctor``) 3. Gateway startup (logged to gateway.log; first interactive message gets a one-line operator banner) This module is intentionally dependency-free beyond the stdlib so it can run in environments where the rest of Hermes failed to import. ) annotationsN) dataclassfield)Path)IterableOptionalT)frozencleZdZUdZded<ded<ded<ded<ded<d ed <d Zded <d Zded<dS)Advisoryu(One security advisory entry. Attributes: id: stable identifier used for acks (e.g. ``shai-hulud-2026-05``). Lowercase-hyphen, never reused. title: one-line headline shown in banners. summary: 1-3 sentence description of what was compromised and how. url: reference URL (Socket advisory, GitHub advisory, PyPI page). compromised: tuple of ``(package_name, frozenset_of_versions)`` pairs. Empty frozenset means "any version of this package is considered suspect" — use sparingly. remediation: ordered list of steps the user should take. First step should be the uninstall command; subsequent steps the credential audit / rotation guidance. published: ISO date string for sort order. stridtitlesummaryurlz&tuple[tuple[str, frozenset[str]], ...] compromisedztuple[str, ...] remediation publishedhighseverityN)__name__ __module__ __qualname____doc____annotations__rrB/home/kuhnn/.hermes/hermes-agent/hermes_cli/security_advisories.pyr r Bs|" GGGJJJLLL HHH7777    IHrr zshai-hulud-2026-05u<Mini Shai-Hulud worm — mistralai 2.4.6 compromised on PyPIuPyPI quarantined the mistralai package on 2026-05-12 after a malicious 2.4.6 release. The worm steals credentials from environment variables and credential files (~/.npmrc, ~/.pypirc, ~/.aws/credentials, GitHub PATs, cloud SDK tokens) and exfils them to a hardcoded webhook. If you ran any Python process that imported mistralai 2.4.6 — including hermes when configured with provider=mistral for TTS or STT — assume those credentials are exposed.z1https://socket.dev/blog/mini-shai-hulud-worm-pypi mistralaiz2.4.6)zARun: pip uninstall -y mistralai (or: uv pip uninstall mistralai)zlRotate API keys in ~/.hermes/.env (OpenRouter, Anthropic, OpenAI, Nous, GitHub, AWS, Google, Mistral, etc.).zAudit ~/.npmrc, ~/.pypirc, ~/.aws/credentials, ~/.config/gh/hosts.yml, and any other credential files for tokens that may have been read.zgCheck GitHub for unexpected new SSH keys, deploy keys, or webhook additions on repos you have admin on.zOAfter cleanup: hermes doctor --ack shai-hulud-2026-05 to dismiss this warning.z 2026-05-12critical)r rrrrrrrztuple[Advisory, ...] ADVISORIESc2eZdZUdZded<ded<ded<dS) AdvisoryHitz.One package-version match against an advisory.r advisoryr packageinstalled_versionN)rrrrrrrrr#r#s988LLLrr#pkg_namer return Optional[str]c ddlm}m}n#t$rYdSwxYw ||S#|$rYdSt$r!t d|dYdSwxYw)zReturn the installed version of ``pkg_name``, or None if not installed. Uses ``importlib.metadata`` so we don't depend on pip being importable inside the active venv (uv-created venvs may lack pip). r)PackageNotFoundErrorversionNz%importlib.metadata.version(%s) raisedTexc_info)importlib.metadatar+r, ImportError Exceptionloggerdebug)r'r+r,s r_installed_versionr4s DDDDDDDDD ttwx   tt   z get_acked_ids..s9 : : :q3q66<<>> :CFFLLNN : : :r) hermes_cli.configr@r1r2r3setget isinstancelist)r@cfgsecraws r get_acked_idsrPs111111kmm  > NNNuu  ''*   #C ''$ % % +C c4 uu : :C : : ::s4A  A  advisory_idboolc|}|sdS ddlm}m}n+#t$rt dYdSwxYw |}|di}|dpg}t|tsg}||vr%| |||d<||dS#t$rt d|YdSwxYw) u|Persist an ack for ``advisory_id``. Returns True on success. Idempotent — acking an already-acked ID is a no-op. Fr)r@ save_configz-Could not import config module to persist ackrArBTz%Failed to persist advisory ack for %s) rDrHr@rTr1r2warning setdefaultrJrKrLr9 exception)rQr@rTrMrNexistings r ack_advisoryrYs> ##%%K u>>>>>>>>> FGGGuu kmmnnZ,,77-..4"(D)) H h & & OOK ( ( (&.C" # K   t @+NNNuus"#$A  A A7C%C10C1r:cD|sgStfd|DS)z=Return only hits whose advisories the user has not dismissed.c0g|]}|jjv|Srr$r )rEhackeds r z"filter_unacked..s' : : :!qz}E99A999r)rP)r:r^s @rfilter_unackedr`s3  OOE : : : :t : : ::rctjdrdStjsdSdS)NNO_COLORFT)osenvironrJsysstdoutisattyrrr_term_supports_colorrhs= z~~j!!u :    u 4r list[str]c &|sgS|d}d|jjd|jjd|jd|jdg}t |dkrB|ddt |dz d t |d krd nd d |S)zReturn 1-3 short lines suitable for a startup banner. Caller is responsible for color/styling. Always names the worst hit explicitly so the user knows what's wrong without running doctor. rzSECURITY ADVISORY [z]: z Detected: ==z, Run 'hermes doctor' for remediation steps.z (z additional advisoriesyz also active.))r$r rr%r&leninsert)r:primaryliness rshort_banner_linesrts  1gGNg.1NNg6F6LNNEwEE'*CEE6 E  4yy1}} QJc$ii!mJJ#&t99q==%%cJJJ K K K Lrhitc|j}d|jdd|jd|jd|jd|jd|jd|jd |jd d g}t|j d D] \}}| d |d |!|S)z@Return a multi-line block describing the advisory + remediation.z=== z ===z ID: z Severity: z Published: z Detected: rkz Reference: rz Remediation:rlz z. ) r$rr rrr%r&rr enumeraterr9)ruarsisteps rfull_remediation_textr{"s AqwRadRR!*RRQ[RR>  D::<.ks&;;;73C";;;r rrz%Could not write advisory banner cacheTr-)ritems write_textjoinr1r2r3)rrrss r_write_banner_cacherfsAyM;;djjll;;; TYYu%%,w ????? MMM \}}|r|d|t |?d|fS)zRender the security-advisory section for ``hermes doctor``. Returns ``(has_problems, lines)``. Caller is responsible for printing with whatever color scheme it uses. Fu#No active security advisories. ✓rT)r`rwr9extendr{)r:rrsryrus rrender_doctor_sectionrs 4 E ><===EE""113   LL    *3//0000 ;rct|}|sdSt|}trd}d}|d|z|zSd|S)zReturn a printable startup banner, or None if nothing is due. Updates the banner cache as a side effect (so the next call within 24h returns None for the same hit). Nzzr)rrtrhr)r:rrsredresets rstartup_bannerrsq d # #C t s # #E.TYYu%%%-- 99U  rc 4t|}|sdSt|dkrA|d}d|jjd|jd|jd|jjd|jj St|d d d |Dd S) z=Return a one-line log message for gateway operators, or None.NrlrzSecurity advisory [z ] active: rkz matches z. See z" security advisories active (IDs: z, c3.K|]}|jjVdS)Nr\)rEr]s r z&gateway_log_message..s&<<qz}<<<<<?j>N((z~(( )5zz D DYY<)rQr r(rR)r:r7r(r7)r(rR)r:r7r(ri)rur#r(ri)r(r~)r(r)rrr(r)r:r7rrr(r7)r:r7r(r)r:r7r(r))'r __future__rloggingrcre dataclassesrrpathlibrtypingrr getLoggerrr2r frozensetr!rr#r4r=rPrYr`rhrtr{r_BANNER_REPEAT_HOURSrrrrrrrrrrrsB#""""" ((((((((%%%%%%%%  8 $ $. $: H L  @ ))WI.. /   ; $    P $,&0F;;;;(:;;;;(>,.MMMM-F$" E E E E E Er