Bug Description
Hermes has a second project-context injection path beyond the normal startup cwd-based prompt assembly.
Even when the initial session context is clean, post-tool-call path discovery can append context from nearby AGENTS.md, CLAUDE.md, or .cursorrules files based on tool arguments. This can pull in unrelated instruction files from outside the intended workspace and contaminate the agent’s context.
This is especially problematic for long-running orchestrator agents , where an unrelated AGENTS.md can silently influence behavior mid-session.
Why this is a bug
This breaks workspace isolation expectations. In my case, it pulls in the AGENTS.md inside the "hermes-agent" runtime folder.
An agent should not silently ingest instructions from unrelated directories just because:
a tool touched some file elsewhere on disk
a terminal command contained a path-like token
an ancestor directory outside the workspace happened to contain AGENT.md i
This can cause:
unexpected instruction contamination
profile/agent behavior drift
hard-to-debug prompt pollution
cross-project leakage of local instruction files
Recommended behavior
Only load post-tool-call subdirectory hints when the discovered directory is:
inside the configured working_dir, or
inside the active repo root associated with that workspace
Additional note
Messaging/gateway sessions may be more exposed if TERMINAL_CWD is broad or falls back unexpectedly, since that increases the chance of incorrect workspace assumptions. But the primary bug is the permissive external-path scanning in agent/subdirectory_hints.py.
Steps to Reproduce
Start Hermes in workspace A with no problematic local AGENTS.md
Make a tool call that touches a file in unrelated directory B
Put an AGENTS.md in B or one of its ancestors
Hermes appends:
[Subdirectory context discovered: ...]
Agent behavior is now influenced by unrelated instructions from directory B(2/3)
Proposed fix
Scope subdirectory hint discovery to the active workspace only.
Expected Behavior
Project context discovery should be limited to the active workspace/repo for the session.
A tool call that touches a file outside the intended workspace should not cause Hermes to ingest unrelated AGENTS.md/CLAUDE.md/.cursorrules files from ancestor directories elsewhere on disk.
Actual Behavior
After tool calls, Hermes inspects tool arguments for paths and scans those paths plus ancestors for:
AGENTS.md
CLAUDE.md
.cursorrules
If found, it appends the contents to the tool result as:
[Subdirectory context discovered: ...]
This happens even for paths outside the active working directory.
Affected Component
Tools (terminal, file ops, web, code execution, etc.)
Messaging Platform (if gateway-related)
No response
Debug Report
Report https://paste.rs/x40Qu
agent.log https://paste.rs/0pl92
Operating System
Pop!_OS 24.04 LTS
Python Version
No response
Hermes Version
No response
Additional Logs / Traceback (optional)
Root Cause Analysis (optional)
There are two separate context-loading mechanisms:
Startup context loading
agent/prompt_builder.py
This is relatively constrained:
.hermes.md via walk-to-git-root
AGENTS.md, CLAUDE.md, .cursorrules from cwd only
Relevant code:
agent/prompt_builder.py:1019-1045
agent/prompt_builder.py:957-1016
Post-tool-call subdirectory hint loading
agent/subdirectory_hints.py
This is much more permissive:
extracts path-like values from tool args (path, file_path, workdir)
parses terminal commands for path-like tokens (1/3)
walks ancestor directories
loads the first matching hint file
appends it into the conversation
Relevant code:
run_agent.py:1749-1751 — tracker initialization
run_agent.py:7846-7848 — append hints after one tool path
run_agent.py:8205-8208 — append hints after another tool path
agent/subdirectory_hints.py:29-33 — hint filenames
agent/subdirectory_hints.py:38-46 — tracked arg keys and ancestor walk
agent/subdirectory_hints.py:67-89 — check_tool_call
agent/subdirectory_hints.py:97-109 — direct path extraction
agent/subdirectory_hints.py:141-158 — terminal command path extraction
agent/subdirectory_hints.py:171-224 — hint loading and injection format
Evidence that external paths are intentionally allowed
There is already a test that explicitly confirms this behavior:
tests/agent/test_subdirectory_hints.py:125-135
test: test_outside_working_dir_still_checked
That test asserts that a path outside working_dir is still checked and can load AGENTS.md.
So this is not incidental behavior, it is currently baked into the implementation and tests.
Proposed Fix (optional)
Constrain candidate directories in:
agent/subdirectory_hints.py
_add_path_candidate()
and/or _is_valid_subdir()
Suggested config addition
Add a config mode, something like:
agent.subdirectory_hints_mode: workspace
Possible values:
disabled
workspace
external
Recommended default:
workspace
That preserves the feature while preventing unrelated context injection by default.
Are you willing to submit a PR for this?
Bug Description
Hermes has a second project-context injection path beyond the normal startup cwd-based prompt assembly.
Even when the initial session context is clean, post-tool-call path discovery can append context from nearby AGENTS.md, CLAUDE.md, or .cursorrules files based on tool arguments. This can pull in unrelated instruction files from outside the intended workspace and contaminate the agent’s context.
This is especially problematic for long-running orchestrator agents , where an unrelated AGENTS.md can silently influence behavior mid-session.
Why this is a bug
This breaks workspace isolation expectations. In my case, it pulls in the AGENTS.md inside the "hermes-agent" runtime folder.
An agent should not silently ingest instructions from unrelated directories just because:
a tool touched some file elsewhere on disk
a terminal command contained a path-like token
an ancestor directory outside the workspace happened to contain AGENT.md i
This can cause:
unexpected instruction contamination
profile/agent behavior drift
hard-to-debug prompt pollution
cross-project leakage of local instruction files
Recommended behavior
Only load post-tool-call subdirectory hints when the discovered directory is:
inside the configured working_dir, or
inside the active repo root associated with that workspace
Additional note
Messaging/gateway sessions may be more exposed if TERMINAL_CWD is broad or falls back unexpectedly, since that increases the chance of incorrect workspace assumptions. But the primary bug is the permissive external-path scanning in agent/subdirectory_hints.py.
Steps to Reproduce
Start Hermes in workspace A with no problematic local AGENTS.md
Make a tool call that touches a file in unrelated directory B
Put an AGENTS.md in B or one of its ancestors
Hermes appends:
[Subdirectory context discovered: ...]
Agent behavior is now influenced by unrelated instructions from directory B(2/3)
Proposed fix
Scope subdirectory hint discovery to the active workspace only.
Expected Behavior
Project context discovery should be limited to the active workspace/repo for the session.
A tool call that touches a file outside the intended workspace should not cause Hermes to ingest unrelated AGENTS.md/CLAUDE.md/.cursorrules files from ancestor directories elsewhere on disk.
Actual Behavior
After tool calls, Hermes inspects tool arguments for paths and scans those paths plus ancestors for:
AGENTS.md
CLAUDE.md
.cursorrules
If found, it appends the contents to the tool result as:
[Subdirectory context discovered: ...]
This happens even for paths outside the active working directory.
Affected Component
Tools (terminal, file ops, web, code execution, etc.)
Messaging Platform (if gateway-related)
No response
Debug Report
Operating System
Pop!_OS 24.04 LTS
Python Version
No response
Hermes Version
No response
Additional Logs / Traceback (optional)
Root Cause Analysis (optional)
There are two separate context-loading mechanisms:
Startup context loading
agent/prompt_builder.py
This is relatively constrained:
.hermes.md via walk-to-git-root
AGENTS.md, CLAUDE.md, .cursorrules from cwd only
Relevant code:
agent/prompt_builder.py:1019-1045
agent/prompt_builder.py:957-1016
Post-tool-call subdirectory hint loading
agent/subdirectory_hints.py
This is much more permissive:
extracts path-like values from tool args (path, file_path, workdir)
parses terminal commands for path-like tokens (1/3)
walks ancestor directories
loads the first matching hint file
appends it into the conversation
Relevant code:
run_agent.py:1749-1751 — tracker initialization
run_agent.py:7846-7848 — append hints after one tool path
run_agent.py:8205-8208 — append hints after another tool path
agent/subdirectory_hints.py:29-33 — hint filenames
agent/subdirectory_hints.py:38-46 — tracked arg keys and ancestor walk
agent/subdirectory_hints.py:67-89 — check_tool_call
agent/subdirectory_hints.py:97-109 — direct path extraction
agent/subdirectory_hints.py:141-158 — terminal command path extraction
agent/subdirectory_hints.py:171-224 — hint loading and injection format
Evidence that external paths are intentionally allowed
There is already a test that explicitly confirms this behavior:
tests/agent/test_subdirectory_hints.py:125-135
test: test_outside_working_dir_still_checked
That test asserts that a path outside working_dir is still checked and can load AGENTS.md.
So this is not incidental behavior, it is currently baked into the implementation and tests.
Proposed Fix (optional)
Constrain candidate directories in:
agent/subdirectory_hints.py
_add_path_candidate()
and/or _is_valid_subdir()
Suggested config addition
Add a config mode, something like:
agent.subdirectory_hints_mode: workspace
Possible values:
disabled
workspace
external
Recommended default:
workspace
That preserves the feature while preventing unrelated context injection by default.
Are you willing to submit a PR for this?