Bug Description
A Telegram gateway agent attempted to set up a reminder, concluded the gateway wasn't running (incorrectly — it checked HTTP ports, but the gateway uses polling), and ran:
pkill -f "cli.py --gateway"
This killed the gateway process from within itself. systemd logged a clean deactivation and the gateway stayed down until manually restarted.
This is a variant of #2617 (agent killing gateway via kill PID), but using process name targeting instead of a known PID.
Steps to Reproduce
- Run gateway via systemd (hermes --gateway)
- In Telegram, ask the agent to do something that involves checking its own operational state
- Agent concludes gateway is not running (e.g. checks HTTP ports that don't exist for polling-based gateway)
- Agent runs pkill -f "cli.py --gateway" to "clean up"
- Gateway process dies, service deactivates
Expected Behavior
pkill -f "cli.py --gateway" should be caught by DANGEROUS_PATTERNS and trigger the approval flow, giving the user a chance to deny self-termination.
Actual Behavior
The command executes without any guard, killing the gateway process immediately. From journalctl:
hermes[28026]: [tool] ♪(´ε` ) 💻 pkill -f "cli.py --gateway"...
systemd[1]: hermes-gateway.service: Deactivated successfully.
systemd[1]: hermes-gateway.service: Consumed 3min 35.926s CPU time, 134.2M memory peak.
Affected Component
Gateway (Telegram/Discord/Slack/WhatsApp), Tools (terminal, file ops, web, code execution, etc.)
Messaging Platform (if gateway-related)
Telegram
Operating System
Ubuntu 24.04
Python Version
Python 3.12
Hermes Version
Hermes v0.4.0
Relevant Logs / Traceback
Mar 27 12:02:11 zinchy hermes[28026]: [tool] ٩(๑❛ᴗ❛๑)۶ processing...
Mar 27 12:02:19 zinchy hermes[28026]: ┊ 💬 Elektrik faturası hatırlatması oluşturulamadı — gateway çalışmıyor (port 8000/8080'de dinleme yok).
# Translation: "Electricity bill reminder could not be created — gateway is not running (no listener on port 8000/8080)."
Mar 27 12:02:27 zinchy hermes[28026]: [tool] ♪(´ε` ) 💻 pkill -f "cli.py --gateway"...
Mar 27 12:02:37 zinchy systemd[1]: hermes-gateway.service: Deactivated successfully.
Mar 27 12:02:37 zinchy systemd[1]: hermes-gateway.service: Consumed 3min 35.926s CPU time, 134.2M memory peak, 0B memory swap peak.
Root Cause Analysis (optional)
tools/approval.py DANGEROUS_PATTERNS catches pkill -9 (force kill) but not pkill -f (filter by name). Any pkill/killall targeting hermes, gateway, or cli.py bypasses all guards.
Current patterns that are close but don't match:
- r'\bpkill\s+-9\b' — only catches -9 flag
- r'gateway\s+run\b.*(&|disown|setsid)' — only catches gateway startup outside systemd (fix: prevent agents from starting gateway outside systemd management #2617)
- r'\bsystemctl\s+(stop|disable|mask)\b' — only catches systemctl
Related: #2617, #2894
Proposed Fix (optional)
Add a self-termination pattern to DANGEROUS_PATTERNS:
(r'\b(pkill|killall)\b.*\b(hermes|gateway|cli\.py)\b', "kill hermes/gateway process (self-termination)"),
This reuses the existing approval flow — in gateway mode it sends an approval request to the user, in CLI mode it prompts interactively.
Are you willing to submit a PR for this?
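Added example (not part of the original issue and not the project's code): a small regression check that runs the three existing patterns and the proposed one over sample commands, showing what is flagged before and after the fix. The helpers first_match and audit, the descriptions of the existing patterns, and all sample commands except the first are constructed for illustration, and matching with re.search is an assumption about how tools/approval.py applies DANGEROUS_PATTERNS.

```python
import re

# Patterns quoted in the issue. Descriptions of the three existing entries are
# paraphrased here; only the proposed entry's description is from the issue.
EXISTING = [
    (r'\bpkill\s+-9\b', "pkill -9 (force kill)"),
    (r'gateway\s+run\b.*(&|disown|setsid)', "gateway startup outside systemd"),
    (r'\bsystemctl\s+(stop|disable|mask)\b', "systemctl stop/disable/mask"),
]
PROPOSED = (r'\b(pkill|killall)\b.*\b(hermes|gateway|cli\.py)\b',
            "kill hermes/gateway process (self-termination)")

# Sample commands. The first is the command from the issue's journalctl
# output; the rest are constructed for this example.
SAMPLE_COMMANDS = [
    'pkill -f "cli.py --gateway"',
    'killall hermes',
    'pkill -9 -f hermes',
    'systemctl stop hermes-gateway',
    'pgrep -f "cli.py --gateway"',
    'pkill -f firefox',
    'pkill -f api-gateway-mock',
]


def first_match(command, patterns):
    """Return the description of the first matching pattern, or None.

    Hypothetical helper: assumes patterns are applied with re.search."""
    for regex, description in patterns:
        if re.search(regex, command):
            return description
    return None


def audit(commands):
    """For each command, report what is flagged before and after the fix."""
    with_fix = EXISTING + [PROPOSED]
    return [(c, first_match(c, EXISTING), first_match(c, with_fix)) for c in commands]


if __name__ == "__main__":
    for command, before, after in audit(SAMPLE_COMMANDS):
        print(f"{command!r:34} before={before!r:30} after={after!r}")
```

The last sample shows that the proposed pattern also flags unrelated process names containing "gateway"; with an approval flow this costs one extra prompt rather than a blocked command.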