NousResearch
diff --git a/‎agent/proxy_sources/iron_proxy.py‎
Lines changed: 166 additions & 77 deletions b/‎agent/proxy_sources/iron_proxy.py‎
Lines changed: 166 additions & 77 deletions
diff --git a/‎hermes_cli/proxy_cli.py‎
Lines changed: 42 additions & 9 deletions b/‎hermes_cli/proxy_cli.py‎
Lines changed: 42 additions & 9 deletions
diff --git a/‎tests/test_iron_proxy.py‎
Lines changed: 156 additions & 17 deletions b/‎tests/test_iron_proxy.py‎
Lines changed: 156 additions & 17 deletions
diff --git a/‎tests/test_iron_proxy_cli.py‎
Lines changed: 85 additions & 0 deletions b/‎tests/test_iron_proxy_cli.py‎
Lines changed: 85 additions & 0 deletions
@@ -351,17 +351,19 @@ def cmd_setup(args: argparse.Namespace) -> int:
     ]
 
     audit_log_path = ip._proxy_state_dir() / "audit.log"
-    # Pre-create the audit log with 0o600 so iron-proxy inherits private
-    # perms instead of letting the daemon create it under the default
-    # umask (potentially world-readable).  Raises on failure (planted
-    # symlink, immutable parent, full disk) — the wizard must surface
-    # that rather than print "✓" for a file the daemon will create
-    # under a slacker umask.
+    # Pre-create the audit log with 0o600.  On the pinned v0.39 the
+    # daemon does NOT write to this file (no ``log.audit_path`` field in
+    # its config schema) — it's reserved for the v0.40+ upgrade where
+    # per-request records start flowing.  Because the file is
+    # non-load-bearing today, a pre-create failure (immutable parent,
+    # pre-existing foreign-owned file, full disk) is a WARNING, not a
+    # setup abort.
+    audit_log_ok = True
     try:
         ip.ensure_audit_log(audit_log_path)
     except RuntimeError as exc:
-        console.print(f"  [red]✗ {exc}[/red]")
-        return 1
+        audit_log_ok = False
+        console.print(f"  [yellow]⚠ {exc}[/yellow]")
 
     # Allow operator override of the deny list via
     # ``proxy.upstream_deny_cidrs`` — but the default (None) gives a safe
@@ -381,7 +383,12 @@ def cmd_setup(args: argparse.Namespace) -> int:
     mappings_path = ip.write_mappings(mappings)
     console.print(f"  [green]✓[/green] config:   {cfg_path}")
     console.print(f"  [green]✓[/green] mappings: {mappings_path}")
-    console.print(f"  [green]✓[/green] audit log: {audit_log_path}")
+    if audit_log_ok:
+        console.print(
+            f"  [green]✓[/green] audit log: {audit_log_path} "
+            f"[dim](reserved — not written by iron-proxy v0.39; "
+            f"per-request records land in iron-proxy.log)[/dim]"
+        )
 
     # ------------------------------------------------------------------ enable
     proxy_cfg["enabled"] = True
@@ -451,6 +458,32 @@ def cmd_start(args: argparse.Namespace) -> int:
         and bw_cfg is not None
         and bool(bw_cfg.get("enabled"))
     )
+    # Silent-degrade guard: the operator explicitly chose
+    # ``credential_source: bitwarden``, but secrets.bitwarden has since
+    # been disabled or removed.  Proceeding would quietly start on host
+    # env — exactly the bug class the BW mode is meant to defeat.  Refuse
+    # unless the documented escape hatch is set.
+    if credential_source == "bitwarden" and not refresh_bw:
+        if bool(proxy_cfg.get("allow_env_fallback", False)):
+            console.print(
+                "[yellow]⚠ credential_source=bitwarden but "
+                "secrets.bitwarden is disabled or missing — falling back "
+                "to host-env secrets (allow_env_fallback=true).  Rotated "
+                "Bitwarden keys will NOT propagate.[/yellow]"
+            )
+        else:
+            console.print(
+                "[red]✗ Refusing to start: proxy.credential_source is "
+                "'bitwarden' but secrets.bitwarden is disabled or "
+                "missing.[/red]"
+            )
+            console.print(
+                "  Re-enable it (`secrets.bitwarden.enabled: true`), switch "
+                "back to env credentials with `hermes egress setup "
+                "--no-bitwarden`, or set `proxy.allow_env_fallback: true` "
+                "to opt into the host-env fallback."
+            )
+            return 1
     # Pass the proxy-side allow_env_fallback opt-in through to
     # start_proxy.  This is a deliberate, documented escape hatch: when
     # set, the daemon silently falls back to host env if BWS is
 
@@ -212,8 +212,8 @@ def test_wizard_rendered_yaml_contains_deny_list(hermes_home, tmp_path):
 
 
 def test_default_bind_is_loopback_not_zero_zero(tmp_path):
-    """``http_listen`` must NOT be ``0.0.0.0:PORT`` or ``:PORT`` (latter is
-    INADDR_ANY).  Loopback only by default."""
+    """The sandbox-facing listeners must NOT be ``0.0.0.0:PORT`` or
+    ``:PORT`` (latter is INADDR_ANY)."""
 
     cfg = ip.build_proxy_config(
         mappings=[_sample_mapping()],
@@ -222,12 +222,16 @@ def test_default_bind_is_loopback_not_zero_zero(tmp_path):
         tunnel_port=12345,
         http_listen=["127.0.0.1:12345"],  # explicit so test is deterministic
     )
-    primary = cfg["proxy"]["http_listen"]
-    assert primary == "127.0.0.1:12345"
-    # Sentinel: confirm we didn't accidentally serialize a bare-port form
-    # like ":12345" (that's INADDR_ANY).
-    assert not primary.startswith(":")
-    assert "0.0.0.0" not in primary
+    # tunnel_listen is the CONNECT/MITM listener sandboxes hit via
+    # HTTPS_PROXY; http_listen is the plain-HTTP forward on port+1.
+    assert cfg["proxy"]["tunnel_listen"] == "127.0.0.1:12345"
+    assert cfg["proxy"]["http_listen"] == "127.0.0.1:12346"
+    for key in ("tunnel_listen", "http_listen", "https_listen"):
+        val = cfg["proxy"][key]
+        # Sentinel: confirm we didn't accidentally serialize a bare-port
+        # form like ":12345" (that's INADDR_ANY).
+        assert not val.startswith(":")
+        assert "0.0.0.0" not in val
     # iron-proxy v0.39 doesn't support http_listens (plural).  We
     # deliberately do NOT emit that key — re-emitting it would cause
     # the daemon to fail YAML unmarshal at start time.
@@ -237,14 +241,14 @@ def test_default_bind_is_loopback_not_zero_zero(tmp_path):
     )
 
 
-def test_default_bind_uses_loopback_on_linux(tmp_path, monkeypatch):
+def test_default_bind_uses_docker_bridge_on_linux(tmp_path, monkeypatch):
     """When http_listen isn't passed AND we're on Linux, the singular
-    http_listen field is the loopback bind.  iron-proxy v0.39 only
-    supports one bind per daemon process — earlier versions of this
-    code emitted a plural http_listens list with the docker bridge
-    appended, but v0.39 rejects that key so we keep loopback only.
-    Sandboxes still reach the daemon via host.docker.internal which
-    Docker maps to the host gateway, so loopback-only is functional."""
+    http_listen field is the DOCKER BRIDGE bind — not loopback.
+    iron-proxy v0.39 only supports one bind per daemon process, and on
+    Linux ``host.docker.internal:host-gateway`` resolves to the bridge
+    gateway (172.17.0.1 by default), which a loopback-only daemon never
+    answers.  Sandboxes must be able to reach the proxy from the
+    container's vantage point."""
 
     monkeypatch.setattr(ip.platform, "system", lambda: "Linux")
     monkeypatch.setattr(ip, "_detect_docker_bridge_ip", lambda: "172.17.0.1")
@@ -254,12 +258,48 @@ def test_default_bind_uses_loopback_on_linux(tmp_path, monkeypatch):
         ca_key=tmp_path / "ca.key",
         tunnel_port=9090,
     )
-    # Primary http_listen is loopback.
-    assert cfg["proxy"]["http_listen"] == "127.0.0.1:9090"
+    # The sandbox-facing CONNECT/MITM listener binds the bridge gateway —
+    # reachable from containers via host.docker.internal.  Plain-HTTP
+    # forward listener rides on port+1, same host.
+    assert cfg["proxy"]["tunnel_listen"] == "172.17.0.1:9090"
+    assert cfg["proxy"]["http_listen"] == "172.17.0.1:9091"
     # No http_listens (plural) — v0.39 rejects that key.
     assert "http_listens" not in cfg["proxy"]
 
 
+def test_default_bind_falls_back_to_loopback_without_bridge(tmp_path, monkeypatch):
+    """On Linux without a detectable docker0 bridge (docker not
+    installed / not running), fall back to loopback rather than
+    refusing to bind."""
+
+    monkeypatch.setattr(ip.platform, "system", lambda: "Linux")
+    monkeypatch.setattr(ip, "_detect_docker_bridge_ip", lambda: None)
+    cfg = ip.build_proxy_config(
+        mappings=[_sample_mapping()],
+        ca_cert=tmp_path / "ca.crt",
+        ca_key=tmp_path / "ca.key",
+        tunnel_port=9090,
+    )
+    assert cfg["proxy"]["tunnel_listen"] == "127.0.0.1:9090"
+    assert cfg["proxy"]["http_listen"] == "127.0.0.1:9091"
+
+
+def test_default_bind_is_loopback_on_macos(tmp_path, monkeypatch):
+    """On Docker Desktop platforms host.docker.internal routes to the
+    host via VPNkit, so loopback is reachable from containers and is
+    the least-exposed bind."""
+
+    monkeypatch.setattr(ip.platform, "system", lambda: "Darwin")
+    cfg = ip.build_proxy_config(
+        mappings=[_sample_mapping()],
+        ca_cert=tmp_path / "ca.crt",
+        ca_key=tmp_path / "ca.key",
+        tunnel_port=9090,
+    )
+    assert cfg["proxy"]["tunnel_listen"] == "127.0.0.1:9090"
+    assert cfg["proxy"]["http_listen"] == "127.0.0.1:9091"
+
+
 def test_metrics_listener_pinned_to_loopback_ephemeral(tmp_path):
     """iron-proxy v0.39's default metrics_listen is ``:9090``, which
     collides with our default tunnel_port=9090.  build_proxy_config MUST
@@ -1455,3 +1495,102 @@ def test_persisted_nonce_roundtrip(hermes_home, monkeypatch):
 def test_persisted_nonce_returns_none_when_missing(hermes_home):
     """No nonce file → None, callers fall back to argv0 basename."""
     assert ip._read_persisted_nonce() is None
+
+
+# ---------------------------------------------------------------------------
+# v4 round (GodsBoy follow-up): bind-host-aware liveness probes +
+# allow_env_fallback on the partial-secret path
+# ---------------------------------------------------------------------------
+
+
+def test_read_http_listen_from_config_returns_host_and_port(hermes_home):
+    """_read_http_listen_from_config must surface the BIND HOST, not just
+    the port — on Linux the daemon binds the docker bridge gateway and a
+    hardcoded loopback probe would report a healthy daemon as dead."""
+
+    state = ip._proxy_state_dir()
+    (state / "proxy.yaml").write_text(
+        "proxy:\n  http_listen: 172.17.0.1:9090\n", encoding="utf-8"
+    )
+    assert ip._read_http_listen_from_config() == ("172.17.0.1", 9090)
+    assert ip._read_tunnel_port_from_config() == 9090
+
+
+def test_read_http_listen_from_config_missing_file(hermes_home):
+    assert ip._read_http_listen_from_config() is None
+
+
+def test_get_status_probes_configured_bind_host(hermes_home, monkeypatch):
+    """get_status must probe the configured bind host (e.g. the docker
+    bridge IP), not loopback unconditionally."""
+
+    state = ip._proxy_state_dir()
+    (state / "proxy.yaml").write_text(
+        "proxy:\n  http_listen: 172.17.0.1:9123\n", encoding="utf-8"
+    )
+    (state / "ca.crt").write_text("cert")
+    ip._write_pidfile_safely(ip._pidfile(), 99999)
+    monkeypatch.setattr(ip, "_pid_alive", lambda pid: True)
+    monkeypatch.setattr(ip, "find_iron_proxy", lambda **kw: None)
+
+    probed = {}
+
+    def fake_probe(host, port):
+        probed["host"] = host
+        probed["port"] = port
+        return True
+
+    monkeypatch.setattr(ip, "_port_listening", fake_probe)
+    status = ip.get_status()
+    assert probed == {"host": "172.17.0.1", "port": 9123}
+    assert status.listening is True
+    assert status.tunnel_port == 9123
+
+
+def test_partial_bitwarden_secrets_honor_allow_env_fallback(
+    hermes_home, monkeypatch,
+):
+    """The missing-secret branch's own error message tells operators to
+    set proxy.allow_env_fallback — so the flag must actually work there
+    (previously only the empty-token branch honored it)."""
+
+    ip.write_mappings([_sample_mapping("OPENROUTER_API_KEY")])
+    monkeypatch.setenv("OPENROUTER_API_KEY", "sk-host-fallback")
+
+    import agent.secret_sources.bitwarden as bw
+    monkeypatch.setattr(
+        bw, "fetch_bitwarden_secrets", lambda **kw: ({}, []),
+    )
+    monkeypatch.setenv("BWS_ACCESS_TOKEN", "tok")
+    bw_cfg = {
+        "project_id": "proj",
+        "access_token_env": "BWS_ACCESS_TOKEN",
+        "allow_env_fallback": True,
+    }
+
+    env = ip._build_proxy_subprocess_env(
+        refresh_from_bitwarden=True, bitwarden_config=bw_cfg,
+    )
+    # Falls back to the host env value instead of raising.
+    assert env.get("OPENROUTER_API_KEY") == "sk-host-fallback"
+
+
+def test_partial_bitwarden_secrets_raise_without_fallback(
+    hermes_home, monkeypatch,
+):
+    """Strict default: missing BWS secrets raise."""
+
+    ip.write_mappings([_sample_mapping("OPENROUTER_API_KEY")])
+    monkeypatch.setenv("OPENROUTER_API_KEY", "sk-host")
+
+    import agent.secret_sources.bitwarden as bw
+    monkeypatch.setattr(
+        bw, "fetch_bitwarden_secrets", lambda **kw: ({}, []),
+    )
+    monkeypatch.setenv("BWS_ACCESS_TOKEN", "tok")
+    bw_cfg = {"project_id": "proj", "access_token_env": "BWS_ACCESS_TOKEN"}
+
+    with pytest.raises(RuntimeError, match="did not return secrets"):
+        ip._build_proxy_subprocess_env(
+            refresh_from_bitwarden=True, bitwarden_config=bw_cfg,
+        )
@@ -425,3 +425,88 @@ def test_setup_has_rotate_tokens_flag():
     assert args.rotate_tokens is False
     args = parser.parse_args(["setup", "--rotate-tokens"])
     assert args.rotate_tokens is True
+
+
+# ---------------------------------------------------------------------------
+# v4 round: credential_source=bitwarden with secrets.bitwarden disabled
+# must NOT silently degrade to host-env secrets
+# ---------------------------------------------------------------------------
+
+
+def test_cmd_start_refuses_when_bitwarden_mode_but_disabled(hermes_home, monkeypatch):
+    """config keeps credential_source: bitwarden but secrets.bitwarden.enabled
+    later flips to false — cmd_start must refuse, not silently start on
+    host env (the silent-degrade class strict mode is meant to close)."""
+
+    from hermes_cli.config import load_config, save_config
+    cfg = load_config()
+    cfg.setdefault("proxy", {})["enabled"] = True
+    cfg["proxy"]["credential_source"] = "bitwarden"
+    cfg["proxy"]["fail_on_uncovered_providers"] = False
+    cfg.setdefault("secrets", {})["bitwarden"] = {"enabled": False}
+    save_config(cfg)
+
+    def must_not_call(**kw):
+        pytest.fail("start_proxy must not run when bitwarden mode is broken")
+    monkeypatch.setattr(ip, "start_proxy", must_not_call)
+    monkeypatch.setattr(ip, "discover_uncovered_providers", lambda **kw: [])
+    monkeypatch.setattr(ip, "discover_blocked_providers", lambda **kw: [])
+
+    rc = proxy_cli.cmd_start(_args())
+    assert rc == 1
+
+
+def test_cmd_start_bitwarden_disabled_proceeds_with_env_fallback(
+    hermes_home, monkeypatch,
+):
+    """Same scenario but proxy.allow_env_fallback=true is the documented
+    escape hatch — start proceeds (with a warning)."""
+
+    from hermes_cli.config import load_config, save_config
+    cfg = load_config()
+    cfg.setdefault("proxy", {})["enabled"] = True
+    cfg["proxy"]["credential_source"] = "bitwarden"
+    cfg["proxy"]["allow_env_fallback"] = True
+    cfg["proxy"]["fail_on_uncovered_providers"] = False
+    cfg.setdefault("secrets", {})["bitwarden"] = {"enabled": False}
+    save_config(cfg)
+
+    captured: dict = {}
+
+    def fake_start_proxy(**kw):
+        captured.update(kw)
+        s = ip.ProxyStatus()
+        s.pid = 4242
+        s.listening = True
+        return s
+
+    monkeypatch.setattr(ip, "start_proxy", fake_start_proxy)
+    monkeypatch.setattr(ip, "discover_uncovered_providers", lambda **kw: [])
+    monkeypatch.setattr(ip, "discover_blocked_providers", lambda **kw: [])
+
+    rc = proxy_cli.cmd_start(_args())
+    assert rc == 0
+    # BW refresh is off (bitwarden disabled), running on env secrets.
+    assert captured.get("refresh_secrets_from_bitwarden") is False
+
+
+def test_cmd_setup_audit_log_failure_is_warning_not_abort(hermes_home, monkeypatch):
+    """On the pinned v0.39 the daemon never writes audit.log, so a
+    pre-create failure must not abort the wizard."""
+
+    monkeypatch.setattr(ip, "find_iron_proxy", lambda **kw: hermes_home / "iron-proxy")
+    monkeypatch.setattr(ip, "discover_provider_mappings", lambda **kw: [
+        ip.TokenMapping(
+            proxy_token="hermes-proxy-deadbeef",
+            real_env_name="OPENROUTER_API_KEY",
+            upstream_hosts=("openrouter.ai",),
+        ),
+    ])
+    monkeypatch.setattr(ip, "discover_uncovered_providers", lambda **kw: [])
+
+    def boom(path):
+        raise RuntimeError("could not pre-create audit log (synthetic)")
+    monkeypatch.setattr(ip, "ensure_audit_log", boom)
+
+    rc = proxy_cli.cmd_setup(_args())
+    assert rc == 0