PL j 0UdZddlZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z ddl mZmZejeZejddZejeed <d ed dfd Zd ed ejefdZdejed dfdZdded efdZd efdZd efdZdZdZ dZ!dZ"dZ#dZ$dZ%de%dZ&de&ded e d e#d e$d Z'de!d e"dZ(d!Z)d"Z*d#d$d%d&d'd(d)d*e*d+zd,fe*d-zd.fe*d/zd0fe*d1zd2fg Z+ej,ej-zZ.d3e+DZ/ej0d4ej,Z1d5ed e2fd6Z3d5ed e2fd7Z4d8ed e5fd9Z6d8ed e5fd:Z7gd;d<d=d>d?d@dAdBdCdDdEdFdGdHe&dIfdJdKdLdMdNdOd)dPdQdRdSdTe'dUfdVe'dWfdTe(dXe)dYfdVe(dXe)dZfd[d\d]d^d_d`dadbdcdddee&dffdge(dXe)dhfdie&djfdke&dlfdmdndodpdqdrdsdtduZ8dve8DZ9dwed efdxZ:iZ;e5eee:e=Z?e>Z@e;Ae@e<Be@e?he;Ae?e<Be?e@hydzed es $ $[%6B 7 77tokenc:t|dS)z/Restore the prior approval session key context.N)r reset)rs rreset_current_session_keyr!Cs&&&&&rr c`t}|r|Sddlm}|d|S)a Return the active session key, preferring context-local state. Resolution order: 1. approval-specific contextvars (set by gateway before agent.run) 2. session_context contextvars (set by _set_session_env) 3. os.environ fallback (CLI, cron, tests) rget_session_envHERMES_SESSION_KEY)r getgateway.session_contextr$)r rr$s rget_current_session_keyr(HsH(++--K777777 ?/ 9 99rcz ddlm}|ddpdS#t$rtjddpdcYSwxYw)zBReturn the current gateway platform from contextvars/env fallback.rr#HERMES_SESSION_PLATFORMr)r'r$rosgetenvr#s r_get_session_platformr-Wsj>;;;;;;8"==CC >>>y2B77=2===>s !::c|tdrdStdrdSttS)uTrue when this call is inside a gateway/API session. Legacy gateway integrations set HERMES_GATEWAY_SESSION in process env. Newer concurrent gateway paths bind HERMES_SESSION_PLATFORM via contextvars so approval mode does not depend on process-global flags. Cron jobs are NEVER gateway-approval contexts even when they originate from a gateway platform (cron binds HERMES_SESSION_PLATFORM via contextvars for delivery routing). Cron approvals are governed by ``approvals.cron_mode`` config, not interactive resolve — letting cron fall through to the gateway branch would submit a pending approval with no listener and block the job indefinitely. HERMES_CRON_SESSIONFHERMES_GATEWAY_SESSIONT)rboolr-rr_is_gateway_approval_contextr3asE,--u/00t %'' ( ((rz$(?:~|\$home|\$\{home\})/\.ssh(?:/|$)z\(?:~\/\.hermes/|(?:\$home|\$\{home\})/\.hermes/|(?:\$hermes_home|\$\{hermes_home\})/)\.env\bz;(?:(?:/|\.{1,2}/)?(?:[^\s/"\'`]+/)*\.env(?:\.[^/\s"\'`]+)*)z0(?:(?:/|\.{1,2}/)?(?:[^\s/"\'`]+/)*config\.yaml)zJ(?:~|\$home|\$\{home\})/\.(?:bashrc|zshrc|profile|bash_profile|zprofile)\bz9(?:~|\$home|\$\{home\})/\.(?:netrc|pgpass|npmrc|pypirc)\bz/private/(?:etc|var|tmp|home)/z (?:/etc/|)z(?:z |/dev/sd||z(?:\s*(?:&&|\|\||;).*)?$zp(?:^|[;&|\n`]|\$\()\s*(?:sudo\s+(?:-[^\s]+\s+)*)?(?:env\s+(?:\w+=\S*\s+)*)?(?:(?:exec|nohup|setsid|time)\s+)*\s*)z&\brm\s+(-[^\s]*\s+)*(/|/\*|/ \*)(\s|$)z#recursive delete of root filesystem)z\brm\s+(-[^\s]*\s+)*(/home|/home/\*|/root|/root/\*|/etc|/etc/\*|/usr|/usr/\*|/var|/var/\*|/bin|/bin/\*|/sbin|/sbin/\*|/boot|/boot/\*|/lib|/lib/\*)(\s|$)z$recursive delete of system directory)z-\brm\s+(-[^\s]*\s+)*(~|\$HOME)(/?|/\*)?(\s|$)z"recursive delete of home directory)z\bmkfs(\.[a-z0-9]+)?\bzformat filesystem (mkfs))z9\bdd\b[^\n]*\bof=/dev/(sd|nvme|hd|mmcblk|vd|xvd)[a-z0-9]*zdd to raw block device)z.>\s*/dev/(sd|nvme|hd|mmcblk|vd|xvd)[a-z0-9]*\bzredirect to raw block device)z(:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:z fork bomb)z\bkill\s+(-[^\s]+\s+)*-1\bkill all processesz!(shutdown|reboot|halt|poweroff)\bzsystem shutdown/rebootz init\s+[06]\bzinit 0/6 (shutdown/reboot)z*systemctl\s+(poweroff|reboot|halt|kexec)\bzsystemctl poweroff/rebootztelinit\s+[06]\bztelinit 0/6 (shutdown/reboot)cLg|]!\}}tj|t|f"Sr2recompile _RE_FLAGS.0pattern descriptions r r@s=Z##[1rz)(?:^|[;&|`\n]|&&|\|\||\$\()\s*sudo\s+-S\bcommandcdtjvrdSt|}t|rdSdS)uDetect ``sudo -S`` (stdin password) without configured SUDO_PASSWORD. When SUDO_PASSWORD is set, ``_transform_sudo_command`` injects ``-S`` internally — that path is legitimate and handled elsewhere. This guard only fires when SUDO_PASSWORD is *not* set, meaning the LLM explicitly wrote ``sudo -S`` to pipe a guessed password. Returns: (is_blocked: bool, description: str | None) SUDO_PASSWORDFN)Tz*sudo password guessing via stdin (sudo -S))r+environ _normalize_command_for_detectionlower_SUDO_STDIN_REsearch)rA normalizeds r_check_sudo_stdin_guardrKsQ"*$$}1'::@@BBJZ((DCC =rct|}tD] \}}||rd|fcS!dS)zCheck if a command matches the unconditional hardline blocklist. Returns: (is_hardline, description) or (False, None) TrD)rFrGHARDLINE_PATTERNS_COMPILEDrI)rArJ pattern_rer?s rdetect_hardline_commandrO sb 2'::@@BBJ#='' K   Z ( ( '+& & & & ' =rr?cddd|ddS)z5Build the standard block result for a hardline match.FTzBLOCKED (hardline): u. This command is on the unconditional blocklist and cannot be executed via the agent — not even with --yolo, /yolo, approvals.mode=off, or cron approve mode. If you genuinely need to run it, run it yourself in a terminal outside the agent.)approvedhardlinemessager2r?s r_hardline_block_resultrUs/ ;      rcdd|ddS)z5Build the standard block result for sudo stdin guard.Fz BLOCKED: u. Do not pipe passwords to 'sudo -S' — this is a brute-force attack vector. Set SUDO_PASSWORD in your .env file if the agent needs passwordless sudo, or run the sudo command manually in your own terminal.rQrSr2rTs r_sudo_stdin_block_resultrX*s, -  - - -   r)z\brm\s+(-[^\s]*\s+)*/zdelete in root path)z\brm\s+-[^\s]*rzrecursive delete)z\brm\s+--recursive\bzrecursive delete (long flag))z8\bchmod\s+(-[^\s]*\s+)*(777|666|o\+[rwx]*w|a\+[rwx]*w)\bz world/other-writable permissions)z8\bchmod\s+--recursive\b.*(777|666|o\+[rwx]*w|a\+[rwx]*w)z*recursive world/other-writable (long flag))z\bchown\s+(-[^\s]*)?R\s+rootzrecursive chown to root)z\bchown\s+--recursive\b.*rootz#recursive chown to root (long flag))z\bmkfs\bzformat filesystem)z \bdd\s+.*if=z disk copy)z >\s*/dev/sdzwrite to block device)z\bDROP\s+(TABLE|DATABASE)\bzSQL DROP)z$\bDELETE\s+FROM\b(?![^\n]*\bWHERE\b)zSQL DELETE without WHERE)z\bTRUNCATE\s+(TABLE)?\s*\wz SQL TRUNCATEz>\s*zoverwrite system config)z8\bsystemctl\s+(-[^\s]+\s+)*(stop|restart|disable|mask)\bzstop/restart system service)z\bkill\s+-9\s+-1\br6)z\bpkill\s+-9\bzforce kill processes)z,\bkillall\s+(-[^\s]*\s+)*-(9|KILL|SIGKILL)\bz$force kill processes (killall -KILL))z0\bkillall\s+(-[^\s]*\s+)*-s\s+(KILL|SIGKILL|9)\bz&force kill processes (killall -s KILL))z\bkillall\s+(-[^\s]*\s+)*-r\bz$kill processes by regex (killall -r))z%\b(bash|sh|zsh|ksh)\s+-[^\s]*c(\s+|$)zshell command via -c/-lc flag)z)\b(python[23]?|perl|ruby|node)\s+-[ec]\s+zscript execution via -e/-c flag)z\b(curl|wget)\b.*\|\s*(ba)?sh\bzpipe remote content to shell)z1\b(bash|sh|zsh|ksh)\s+<\s*>?\s*["\']?z%overwrite system file via redirectionz["\']?z$overwrite project env/config via teez,overwrite project env/config via redirection)z\bxargs\s+.*\brm\bz xargs with rm)z&\bfind\b.*-exec(?:dir)?\s+(/\S*/)?rm\bzfind -exec/-execdir rm)z\bfind\b.*-delete\bz find -delete)z%\bhermes\s+gateway\s+(stop|restart)\bz2stop/restart hermes gateway (kills running agents))z\bhermes\s+update\bz6hermes update (restarts gateway, kills running agents))z4gateway\s+run\b.*(&\s*$|&\s*;|\bdisown\b|\bsetsid\b)Mstart gateway outside systemd (use 'systemctl --user restart hermes-gateway'))z\bnohup\b.*gateway\s+run\brY)z1\b(pkill|killall)\b.*\b(hermes|gateway|cli\.py)\bz.kill hermes/gateway process (self-termination))z\bkill\b.*\$\(\s*pgrep\bz3kill process via pgrep expansion (self-termination))z\bkill\b.*`\s*pgrep\bzcTd|vr|ddn |ddS)zIReproduce the old regex-derived approval key for backwards compatibility.z\bN)split)r>s r_legacy_pattern_keyr_s0&+w&6&67==   " "GCRCLHr_PATTERN_KEY_ALIASES pattern_keyc:t||hS)zReturn all approval keys that should match this pattern. New approvals use the human-readable description string, but older command_allowlist entries and session approvals may still contain the historical regex-derived key. )r`r&ras r_approval_key_aliasesrds # #K+ ? ??rc~ddlm}||}|dd}tjd|}|S)aNormalize a command string before dangerous-pattern matching. Strips ANSI escape sequences (full ECMA-48 via tools.ansi_strip), null bytes, and normalizes Unicode fullwidth characters so that obfuscation techniques cannot bypass the pattern-based detection. r) strip_ansirNFKC)tools.ansi_striprfreplace unicodedata normalize)rArfs rrFrFsQ,+++++j!!Goofb))G#FG44G Nrct|}tD]#\}}||r |}d||fcS$dS)zCheck if a command matches any dangerous patterns. Returns: (is_dangerous, pattern_key, description) or (False, None, None) T)FNN)rFrGDANGEROUS_PATTERNS_COMPILEDrI)rA command_lowerrNr?ras rdetect_dangerous_commandrpsl 5W==CCEEM#>44 K   ] + + 4%K+{3 3 3 3 4  r_pending_session_approved _session_yolo_permanent_approvedc"eZdZdZdZdefdZdS)_ApprovalEntryz@One pending dangerous-command approval inside a gateway session.)eventdataresultrxcRtj|_||_d|_dSN) threadingEventrwrxry)selfrxs r__init__z_ApprovalEntry.__init__s#_&&  %) rN)__name__ __module__ __qualname____doc__ __slots__dictrr2rrrvrvs:JJ+I*T******rrv_gateway_queues_gateway_notify_cbscZt5|t|<ddddS#1swxYwYdS)uaRegister a per-session callback for sending approval requests to the user. The callback signature is ``cb(approval_data: dict) -> None`` where *approval_data* contains ``command``, ``description``, and ``pattern_keys``. The callback bridges sync→async (runs in the agent thread, must schedule the actual send on the event loop). N)_lockr)rcbs rregister_gateway_notifyrsy ..+-K(.................. $$ct5t|dt|g}dddn #1swxYwY|D]}|jdS)zUnregister the per-session gateway approval callback. Signals ALL blocked threads for this session so they don't hang forever (e.g. when the agent run finishes or is interrupted). N)rrpoprrwrrentriesentrys runregister_gateway_notifyrs 77 T222!%%k266777777777777777 s7A  AAFchoice resolve_allct5t|}|s ddddS|r$t|}|n|dg}|st|ddddn #1swxYwY|D]"}||_|j#t|S)aTCalled by the gateway's /approve or /deny handler to unblock waiting agent thread(s). When *resolve_all* is True every pending approval in the session is resolved at once (``/approve all``). Otherwise only the oldest one is resolved (FIFO). Returns the number of approvals resolved (0 means nothing was pending). Nr) rrr&listclearrryrwrlen)rrrqueuetargetsrs rresolve_gateway_approvalrs1  3 3##K00  3 3 3 3 3 3 3 3  %5kkG KKMMMMyy||nG 3    T 2 2 2 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3   w<<sBABBBct5tt|cdddS#1swxYwYdS)zFCheck if a session has one or more blocking gateway approvals waiting.N)rr1rr&rs rhas_blocking_approvalr;s 66O'' 4455666666666666666666s'<AAapprovalcZt5|t|<ddddS#1swxYwYdS)z/Store a pending approval request for a session.N)rrq)rrs rsubmit_pendingrAsv )) ())))))))))))))))))rct5t|t|ddddS#1swxYwYdS)z(Approve a pattern for this session only.N)rrr setdefaultradd)rras rapprove_sessionrGs JJ$$[#%%88<<[IIIJJJJJJJJJJJJJJJJJJs;AAAc|sdSt5t|ddddS#1swxYwYdS)z,Enable YOLO bypass for a single session key.N)rrsrrs renable_session_yolorMs  ''+&&&'''''''''''''''''' 488c|sdSt5t|ddddS#1swxYwYdS)z-Disable YOLO bypass for a single session key.N)rrsdiscardrs rdisable_session_yolorUs  ++k***++++++++++++++++++rcl|sdSt5t|dt|t |dt |g}dddn #1swxYwY|D]"}d|_|j #dS)z7Remove all approval and yolo state for a given session.Ndeny) rrrrrsrrqrryrwrrs r clear_sessionr]s  77k4000k*** [$'''!%%k266 777777777777777    sA,BB Bc^|sdSt5|tvcdddS#1swxYwYdS)z?Return True when YOLO bypass is enabled for a specific session.FN)rrsrs ris_session_yolo_enabledrms u ,,m+,,,,,,,,,,,,,,,,,,s "&&c<ttdS)zEReturn True when the active approval session has YOLO bypass enabled.rr )rr(r2rris_current_session_yolo_enabledrus "#:2#F#F#F G GGrc6t|}t5td|Dr ddddSt|t tfd|DcdddS#1swxYwYdS)zCheck if a pattern is approved (session-scoped or permanent). Accept both the current canonical key and the legacy regex-derived key so existing command_allowlist entries continue to work after key migrations. c3(K|] }|tvVdSr{)rt)r=aliass r zis_approved..s(AAu++AAAAAArNTc3 K|]}|vV dSr{r2)r=rsession_approvalss rrzis_approved..s)CC%5--CCCCCCr)rdranyrrr&r)rraaliasesrs @r is_approvedrzs $K00G DD AAAAA A A DDDDDDDD.11+suuEECCCC7CCCCC DDDDDDDDDDDDDDDDDDsBABBBczt5t|ddddS#1swxYwYdS)z)Add a pattern to the permanent allowlist.N)rrtrrcs rapprove_permanentrs -- ,,,------------------ 044patternsczt5t|ddddS#1swxYwYdS)z2Bulk-load permanent allowlist entries from config.N)rrtupdate)rs rload_permanentrs --""8,,,------------------rc ddlm}|}t|dgpg}|rt ||S#t $r3}t d|tcYd}~Sd}~wwxYw)zLoad permanently allowed command patterns from config. Also syncs them into the approval module so is_approved() works for patterns added via 'always' in a previous session. r load_configcommand_allowlistz&Failed to load permanent allowlist: %sN)hermes_cli.configrrr&rrrwarning)rconfigres rload_permanent_allowlistrs 111111vzz"5r::@bAA  % 8 $ $ $ ?CCCuu sAA B(B<BBc ddlm}m}|}t||d<||dS#t$r&}t d|Yd}~dSd}~wwxYw)z4Save permanently allowed command patterns to config.r)r save_configrzCould not save allowlist: %sN)rrrrrrr)rrrrrs rsave_permanent_allowlistrs:>>>>>>>>&*8nn"# F :::5q999999999:s/3 A#AA#Ttimeout_secondsallow_permanentc  |t}|D |||S#t$r(}td|dYd}~dSd}~wwxYw ddlm}|td ||dSn#t$rYnwxYwd tjd < dd l m  ttd  d|td|trt dnt dttj ddi  fd}tj|d}||||retd dz d tjvr tjd =ttj dS d} | dvrbt d d tjvr tjd =ttj dS| dvrbt d d tjvr tjd =ttj dS| d vrƉsbt d d tjvr tjd =ttj dSt d! d tjvr tjd =ttj d"St d# d tjvr tjd =ttj dS#t(t*f$rftd d$zYd tjvr tjd =ttj dSwxYw#d tjvr tjd =ttj wxYw)%aPrompt the user to approve a dangerous command (CLI only). Args: allow_permanent: When False, hide the [a]lways option (used when tirith warnings are present, since broad permanent allowlisting is inappropriate for content-level security findings). approval_callback: Optional callback registered by the CLI for prompt_toolkit integration. Signature: (command, description, *, allow_permanent=True) -> str. Returns: 'once', 'session', 'always', or 'deny' N)rzApproval callback failed: %sT)exc_inforr)get_app_or_nonezDangerous-command approval requested on a thread with no approval callback while prompt_toolkit is active; denying to avoid stdin deadlock. command=%r description=%r1HERMES_SPINNER_PAUSE)tz zapproval.dangerous_headerrTz zapproval.choose_longzapproval.choose_shortrrc r dn d}t|d<dS#ttf$r dd<YdSwxYw)Nzapproval.prompt_longzapproval.prompt_shortrr)inputstriprGEOFErrorOSError)promptrryrs r get_inputz,prompt_dangerous_approval..get_inputs*:IiQQ5666qqQhOiOiF',V}}':':'<'<'B'B'D'DF8$$$ '****')F8$$$$*sAAA-,A-)targetdaemontimeout zapproval.timeout>ooncezapproval.allowed_oncer>ssessionzapproval.allowed_sessionr>aalwayszapproval.allowed_alwaysrzapproval.deniedzapproval.cancelled)_get_approval_timeoutrrerror"prompt_toolkit.application.currentrrr+rE agent.i18nrprintsysstdoutflushr|Threadstartjoinis_aliverKeyboardInterrupt) rAr?rrapproval_callbackrrrthreadrryrs ` @@rprompt_dangerous_approvalrsh /11$ $$Wk5DFFF F    LL7TL J J J66666  FFFFFF ?   ( NNE     6 )       *-BJ%&9 !     ,  GGG Pqq4+NNNPP Q Q Q $7$$ % % % GGG 2aa.//0000aa/00111 GGG J     ^F * * * * * * *%YtDDDF LLNNN KKK 0 0 0   dQQ1222333. "RZ / / 12  1H%F&&aa/00111$ "RZ / / 12  )+++aa233444  "RZ / / 12  #?**&%!!677888$ "RZ / / 12  aa122333 "RZ / / 12  aa)**+++ "RZ / / 12   ' ( dQQ+,,,--- !RZ / / 12   "RZ / / 12  sj % AAA,B BB*D+P$P P3PP=P,R RRRA S"ct|tr|durdndSt|tr*|}|pdSdS)a"Normalize approval mode values loaded from YAML/config. YAML 1.1 treats bare words like `off` as booleans, so a config entry like `approvals: mode: off` is parsed as False unless quoted. Treat that as the intended string mode instead of falling back to manual approvals. Foffmanual) isinstancer1strrrG)moderJs r_normalize_approval_moder-sc$4 uu83$&ZZ\\'')) %X% 8rc ddlm}|}|dipiS#t$r'}td|icYd}~Sd}~wwxYw)zLRead the approvals config block. Returns a dict with 'mode', 'timeout', etc.rr approvalsz"Failed to load approval config: %sN)rrr&rrr)rrrs r_get_approval_configr<s111111zz+r**0b0 ;Q??? s'* AAAAcdtdd}t|S)zHRead the approval mode from config. Returns 'manual', 'smart', or 'off'.rr)rr&r)rs r_get_approval_moderGs+  ! ! % %fh 7 7D #D ) ))rc ttddS#ttf$rYdSwxYw)z>Read the approval timeout from config. Defaults to 60 seconds.r<)intrr& ValueError TypeErrorr2rrrrMsS'))--i<<===  "rrs.1AAc ddlm}|}tt|ddd}|dvrdSdS#t $rYdSwxYw) zERead the cron approval mode from config. Returns 'deny' or 'approve'.rrr cron_moderr >ryesallowapprover )rrrrrGrr)rrrs r_get_cron_approval_moderUs11111176; VLLLMMSSUU[[]] 5 5 59v vvsAA A,+A,cD ddlm}d|d|d}|dd|dgdd }|jdjjpd }d |vrd Sd|vrdSdS#t$r&}t d|Yd}~dSd}~wwxYw)aUse the auxiliary LLM to assess risk and decide approval. Returns 'approve' if the LLM determines the command is safe, 'deny' if genuinely dangerous, or 'escalate' if uncertain. Inspired by OpenAI Codex's Smart Approvals guardian subagent (openai/codex#13860). r)call_llmzYou are a security reviewer for an AI coding agent. A terminal command was flagged by pattern matching as potentially dangerous. Command: z Flagged reason: ul Assess the ACTUAL risk of this command. Many flagged commands are false positives — for example, `python -c "print('hello')"` is flagged as "script execution via -c flag" but is completely harmless. Rules: - APPROVE if the command is clearly safe (benign script execution, safe file operations, development tools, package installs, git operations, etc.) - DENY if the command could genuinely damage the system (recursive delete of important paths, overwriting system files, fork bombs, wiping disks, dropping databases, etc.) - ESCALATE if you're uncertain Respond with exactly one word: APPROVE, DENY, or ESCALATEruser)rolecontent)taskmessages temperature max_tokensrAPPROVEr DENYrescalatez1Smart approvals: LLM call failed (%s), escalatingN) agent.auxiliary_clientrchoicesrSrrupperrrr)rAr?rrresponseanswerrs r_smart_approver!bs#333333 =  = = = = =8%&99:    "1%-5;BBDDJJLL   9 v  6:  H!LLLzzzzzsA#A/'A// B9BBenv_typec ~|dvrdddSt|\}}|r3td||ddt|St t jdstrdddSt|\}}}|sdddSt}t||rdddStd} t} | s1| s/td rtd kr d d |d dSdddS| stdr$t||||dd |d||d|d|ddSt|||} | d kr d d|d||dS| dkrt!||n9| dkr3t!||t#|t%t&dddS)aCheck if a command is dangerous and handle approval. This is the main entry point called by terminal_tool before executing any command. It orchestrates detection, session checks, and prompting. Args: command: The shell command to check. env_type: Terminal backend type ('local', 'ssh', 'docker', etc.). approval_callback: Optional CLI callback for interactive prompts. Returns: {"approved": True/False, "message": str or None, ...} >modaldockerdaytona singularityvercel_sandboxTNrW Hardline block: %s (command: %s)HERMES_YOLO_MODEHERMES_INTERACTIVEr/rF'BLOCKED: Command flagged as dangerous () but cron jobs run without a user present to approve it. Find an alternative approach that avoids this command. To allow dangerous commands in cron jobs, set approvals.cron_mode: approve in config.yaml.HERMES_EXEC_ASK)rArar?approval_requiredu.⚠️ This command is potentially dangerous (z3). Asking the user for approval. **Command:** ```  ```rQrastatusrAr?rS)rzBBLOCKED: User denied this potentially dangerous command (matched 'zL' pattern). Do NOT retry this command - the user has explicitly rejected it.rQrSrar?rr)rOrrrUrr+r,rrpr(rrr3rrrrrrrt) rAr"r is_hardline hardline_desc is_dangerousrar?ris_cli is_gatewayrs rcheck_dangerous_commandr:sRRR T222"9!A!AK59='RVSVRV-XXX%m444ry!3445539X9Z9Z3 T222-Eg-N-N*L+{ 3 T222)++K; ,,3 T222 1 2 2F-//J 3*3 0 1 1 &((F22 %G+GGG   !T222 _%677 {&&% %    &)&VVVGNVVV   'w 9JLLLFv\gvvv&&     [1111 8   [111+&&& !4555 . ..r tirith_resultc |dpg}|s|dpd}d|Sg}|D]}|dd}|dd}|dd}|r*|r(||r d |d |d |n|d |p|r||rd |d |n||s|dpd}d|Sd d |zS)zBuild a human-readable description from tirith findings. Includes severity, title, and description for each finding so users can make an informed approval decision. findingssummaryzsecurity issue detectedzSecurity scan: severityrtitler?[z] z: uSecurity scan — ; )r&appendr)r;r=r>partsfr?r@descs r_format_tirith_descriptionrGso   ,,2H +##I..K2K**** E II55R((gr""uu]B''  IT I LLH\8X8888$888UJ\J\VZJ\J\ ] ] ] ]  I LLHG0X00000% H H H +##I..K2K**** $))E"2"2 22rc |dvrdddSt|\}}|r3td||ddt|St |\}}|r3td||ddt |St }ttj dsts|d krdddStd }t} td } |sH| sF| sDtd r0td krt|\} } } | r dd| ddSdddSdgdd} ddlm}||}n#t"$rYnwxYwt|\} }} g}t%}|ddvrs|dpg}|r|dddnd}d|}t)|}t+||s|||df| r(t+||s||| df|sdddS|dkrdd|D}t1||}|dkrD|D]\}}}t3||td |dd!|ddd|d"S|d kr)dd#|D}dd$|d%dd&Sdd'|D}|dd}d(|D}t7d)|D}| s| rd}t85t:|}dddn #1swxYwY|P||||d*} t=| }!t85t> |g|!dddn #1swxYwYtCd+|||tE||d,- || n#tF$r}"td.|"t85t>|g}#|!|#vr|#$|!|#st>%|ddddn #1swxYwYdd/||d0cYd}"~"Sd}"~"wwxYwtMd1d2}$ tO|$}$n#tPtRf$rd2}$YnwxYw dd3l*m+}%n#tF$rd}%YnwxYwtYj-}&|&t]|$dz}'|&|&d4}(d}) |'tYj-z }*|*dkrn;|!j/0tcd5|*6rd})n|% |%|(d7Xt85t>|g}#|!|#vr|#$|!|#st>%|ddddn #1swxYwY|!j2}+|)sd8n|+r|+nd8},tCd9|||tE||d,|,:|)r|+|+d kr|)sd;nd<}-dd=|-d>||d0S|D]^\}}}.|+d?ks|+d@kr|.rt3||%|+d@kr3t3||tg|titj_ddd|dAStm|||||d*d|dB||dC|dD|dEdFStCd+|||tE||dG-to||| |H}+tCd9|||tE||dG|+:|+d krddI||d0S|D]^\}}}.|+d?ks|+d@kr|.rt3||%|+d@kr3t3||tg|titj_ddd|dAS)JaCRun all pre-exec security checks and return a single approval decision. Gathers findings from tirith and dangerous-command detection, then presents them as a single combined approval request. This prevents a gateway force=True replay from bypassing one check when only the other was shown to the user. >r$r%r&r'r(TNrWr)r*z(Sudo stdin guard block: %s (command: %s)r+rr,r/r/rFr-r.r r)actionr=r>r)check_command_securityrI>warnblockr=rule_idunknownztirith:smartrBc3"K|] \}}}|V dSr{r2r=_rFs rrz+check_all_command_guards..s()J)J:1dA$)J)J)J)J)J)Jrr z'Smart approval: auto-approved '%s' (%s)r)rQrSsmart_approvedr?c3"K|] \}}}|V dSr{r2rQs rrz+check_all_command_guards..s(-N-Nzq$d-N-N-N-N-N-NrzBLOCKED by smart approval: z@. The command was assessed as genuinely dangerous. Do NOT retry.)rQrS smart_deniedc3"K|] \}}}|V dSr{r2rQs rrz+check_all_command_guards..s(>>zq$d>>>>>>rcg|]\}}}| Sr2r2)r=keyrRs rr@z,check_all_command_guards..s... Q...rc3"K|] \}}}|V dSr{r2)r=rRis_ts rrz+check_all_command_guards..s(55jaDT555555r)rAra pattern_keysr?pre_approval_requestgateway)rAr?rar[rsurfacez"Gateway approval notify failed: %sz?BLOCKED: Failed to send approval request to user. Do NOT retry.r4gateway_timeouti,)touch_activity_if_due) last_touchrg?rzwaiting for user approvalrpost_approval_response)rAr?rar[rr^rz timed outzdenied by userzBLOCKED: Command z. Do NOT retry this command.rr)rQrS user_approvedr?r0u⚠️ z2. Asking the user for approval. **Command:** ``` r1r2cli)rrz#BLOCKED: User denied. Do NOT retry.)8rOrrrUrKrXrrr+r,rrr3rrptools.tirith_securityrJ ImportErrorr(r&rGrrCrr!rrrrrrvrrrrrremoverrrrrtools.environments.baser`time monotonicmaxrwwaitminryrrrtrr)/rAr"rr5r6 is_sudo_guesssudo_guess_desc approval_moder8r9is_askr7_pkr?r;rJrawarningsrr=rM tirith_key tirith_desccombined_desc_for_llmverdictrXrR combined_desc primary_keyall_keys has_tirith notify_cb approval_datarrrrr`_now _deadline_activity_stateresolved _remainingr_outcomereason is_tiriths/ rcheck_all_command_guardsrs% RRR T222 "9!A!AK59='RVSVRV-XXX%m444&=W%E%E"M?9A&  7 7 7'888'((Mry!3445539X9Z9Z3^kot^t^t T222 1 2 2F-//J . / /F 3*3V3 0 1 1 &((F221I'1R1R. c; $)KkKKK   !T222 'B2FFM @@@@@@..w77      .Fg-N-N*L+{ H)++K X"333 $$Z006B;CR(1+//)Y777(w(( 0?? ; 33 = OOZd; < < <?; 44 ? OO[+u= > > > 3 T222  $ )J)J)J)J)J J J *?@@ i  % 2 2 Q S1111 LLB "'< > > > $&*#8:: :  $(II-N-NX-N-N-N$N$N !!\9N\\\ $  II>>X>>>>>M1+a.K..X...H55H55555J [ V[   = =+// <>> ???????????????!&`#.#0  .+,,001BCHHG g,, *     -IIIIIII - - -(,%%% ->##Ds7A.I-1DAAOH &)9)99 ??;##CZ,@,@#AA#H(4))')D   ; ;'++K<<E>>LL''';#'' T:::  ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;\F "*7 &5ffI  ()'!(^^'!     v~61A1A,4J:J %W6WWW#.#0 &. B B!Q Y&&6X+=+=)+=#K5555x''#K555%c***,-@AAA!%%)-II I {&$( % %    &)(m-mm_fmmm   !(^^'w ;E~9JLLLF !(^^    <&(    &::Q Y  6X#5#5)#5 K - - - - x   K - - - c " " " $%8 9 9 9!- A AAsE// E<;E<NN  N 0/O++O/2O/ P&& S 0"SAR0$ S0R4 4S7R4 8 SS S 2TTTT## T21T2AX  X$'X$)F)NTNr{)lr contextvarsloggingr+r9rr|rirktypingrrrutilsrr getLoggerrr ContextVarr r__annotations__rTokenrr!r(r-r1r3_SSH_SENSITIVE_PATH_HERMES_ENV_PATH_PROJECT_ENV_PATH_PROJECT_CONFIG_PATH_SHELL_RC_FILES_CREDENTIAL_FILES_MACOS_PRIVATE_SYSTEM_PATH_SYSTEM_CONFIG_PATH_SENSITIVE_WRITE_TARGET_PROJECT_SENSITIVE_WRITE_TARGET _COMMAND_TAIL_CMDPOSHARDLINE_PATTERNS IGNORECASEDOTALLr;rMr:rHtuplerKrOrrUrXDANGEROUS_PATTERNSrnr_r`r_pattern _description _legacy_key_canonical_keyrrrdrFrpLockrrqrrrsrtrvrrrobjectrrrrrrrrrrrrrrrrrrrrrrrr!r:rGrr2rrrs@   %%%%%%22222222  8 $ $ 6L[5K 666{-c2 M3MTMMMM4881B31G8888 '[%6s%;''''' : :S : : : : :>s>>>>)d)))),> SJ8 '? /+...    #U):"T"T=Q"T"T"T+ F WJ\;\W>9  335MN !=> <<>YZ ""$CD+< MBI %  1 0M SU& S U           # $    $c5c,c>cf c p c A cNc'c#c.c1cJc4c # ""$=>!c"a#c$2%c&0'c0^1c2d3c4O5c6?7c:P;c<V=c>I?c@mAcB2/113RSCcD/,..0WXEcFO7NN}NNPvwGcHL4KKMKKM{|IcJ-KcTJUcV-Wc^e_c`WacdOecfugcjmkctYucv_wc|6 3557_`}c~]&E\\]\\_BCc@30224TUAcB7!4668deCcHMIcNUOcPOQcRUScTTUcV:Wc^S_cz<{cB5CcN 2 IIIIII -/d3C=)...0^^Hl%%h//K!N##NCCEE::AA>S^B_```##K77>> ^?\]]]]@s@s3x@@@@cc$ c e    $  $sDy/$&4S>&&&#%% s3x355S ********$&c4i%%%)+T#v+&+++ . .T . . . . 3 4    27#s*.;>:6s6t6666 ))t)))) JJ3JJJJ 'S'T''''+c+d++++ s t     ,,,,,,HHHHH DS Ds Dt D D D D-3---- -S----#$:s:::: =A6:04ppspp/2Tzp/3p:=ppppf c    d*C**** s     ,C,c,c,,,,`/3`/`/S`/C`/7;`/`/`/`/N3d3s3333804YAYAcYASYA8<YAYAYAYAz r