fix: sandbox HOME override breaks Path.home() and expanduser() resolution

[iRonin]

Problem

The terminal sandbox environment overrides HOME to {HERMES_HOME}/home/ for profile isolation. While this is intentional for subprocess credential isolation (git, gh, npm, etc.), it silently breaks all code that uses Path.home(), os.path.expanduser(), or os.environ.get("HERMES_HOME", Path.home() / ".hermes").

Impact

Category	Files	What breaks
Native root detection	hermes_constants.py:36, cli.py:3791, profiles.py:152	Path.home() / ".hermes" resolves to profile home instead of real ~/.hermes
External tool configs	agent/anthropic_adapter.py:311,333,459, tools/tool_backend_helpers.py:44, gateway/status.py:48	Looks for ~/.claude/, ~/.modal.toml, ~/.local/state/ in profile home
User file paths	tools/file_tools.py:82,102, tools/delegate_tool.py:142, cli.py:1088,1158	~/myfile expands to profile home instead of real home
Wrapper scripts	profiles.py:152	~/.local/bin resolves to profile home

Root cause

The sandbox sets HOME to the profile's home/ directory. The codebase uses Path.home() (which reads from the process's HOME env var) as a fallback when HERMES_HOME isn't set, and for native path resolution.

Proposed fix

1. Capture the real user home at import time (before sandbox overrides HOME) in hermes_constants.py
2. Replace all Path.home() calls that need the real user home with a new get_real_home() helper
3. Keep Path.home() for expanduser() in file tools (or use the real home for those too)

Files to update:

File	Change
hermes_constants.py	Add _REAL_HOME and get_real_home()
hermes_constants.py:36	Use get_real_home() in get_default_hermes_root()
cli.py:3791	Use get_real_home() for profile parent detection
profiles.py:152	Use get_real_home() for wrapper dir
agent/anthropic_adapter.py	Use get_real_home() for Claude config paths
tools/tool_backend_helpers.py	Use get_real_home() for modal.toml
gateway/status.py:48	Use get_real_home() for XDG state fallback
tools/file_tools.py	Use get_real_home() for expanduser
tools/delegate_tool.py	Use get_real_home() for script paths

Why this matters

• gh CLI auth fails because it looks in profile home for keychain tokens
• Claude adapter can't find real Claude credentials
• User's ~/Documents/myfile.txt resolves to the wrong place
• hermes profile list may fail to find the profiles root

[teknium1]

Closing — the premise doesn't hold. The subprocess HOME override ({HERMES_HOME}/home/) is only injected into child process env dicts passed to subprocess.Popen(). The main Python process's os.environ["HOME"] and Path.home() are never modified. All the listed callsites (anthropic_adapter.py, file_tools.py, profiles.py, etc.) run in the main process where Path.home() correctly returns the real user home. See PR #8910 comment for the full audit.

[iRonin]

Reopening with empirical evidence from the running sandbox environment.

The sandbox terminal environment overrides HOME to {HERMES_HOME}/home/ for the entire Python process lifecycle. This isn't a theoretical concern — it's the actual runtime environment for the agent's terminal tool.

Proof (from running hermes -p dev):

Before fix:

$ echo HOME=$HOME
HOME=/Users/ironin/.hermes/profiles/dev/home

$ gh auth status
Error: not logged in to any GitHub hosts

After fix with terminal.profile_home_isolation: false:

$ echo HOME=$HOME
HOME=/Users/ironin

$ gh auth status
You're authenticated to github.com as iRonin via keyring

What the fix actually does:

1. hermes_constants.py: Uses pwd.getpwuid(os.getuid()).pw_dir to get the real OS user home, bypassing the env var entirely. This works regardless of whether HOME has been overridden.

2. tools/environments/local.py and tools/code_execution_tool.py: When profile_home_isolation: false, explicitly sets HOME to the real user home in subprocess env dicts. Without this, the parent process's overridden HOME is inherited.

3. Config option terminal.profile_home_isolation: false: Gives users the choice to keep their real ~ for subprocesses instead of the isolated profile home.

Why the upstream audit missed this:

The audit looked at the codebase in isolation and correctly noted that the code doesn't call os.environ["HOME"] = .... But the sandbox terminal environment that hermes runs inside does override HOME — and all subprocesses spawned by the terminal tool inherit that override. The profile_home_isolation config is the escape hatch.

[iRonin]

@teknium1 ^ whenever you have time