fix(agent): propagate approval callbacks to concurrent tool worker threads by andrewhosf · Pull Request #13734 · NousResearch/hermes-agent

andrewhosf · 2026-04-22T00:03:40Z

Bug #13617 Regression: Concurrent tool execution deadlocks on dangerous-command approval

Summary

When the agent executes a batch of tools concurrently (e.g. read_file + terminal in the same turn), any dangerous-command approval prompt deadlocks. The user can type a selection but pressing Return has no effect; the prompt times out after 60 seconds and denies the command.

Root Cause

_execute_tool_calls_concurrent() in run_agent.py dispatches tool calls to a ThreadPoolExecutor. The dangerous-command approval callback (and sudo password callback) are stored in threading.local() inside tools/terminal_tool.py. Worker threads spawned by the executor cannot see callbacks registered in the parent agent thread, so _get_approval_callback() returns None.

When the callback is None, tools/approval.py falls back to plain input() in a background daemon thread. However, the Hermes CLI uses prompt_toolkit, which puts the terminal in raw mode. The background thread's input() competes with prompt_toolkit for stdin. The user can type characters (they may echo), but the Enter key is captured by prompt_toolkit and never reaches input(), causing a deadlock until the timeout fires.

Affected Code Paths

run_agent.py → AIAgent._execute_tool_calls_concurrent() → _run_tool() worker function
Any concurrent batch containing terminal, execute_code, or other tools that trigger dangerous-command detection

Fix

Capture the parent thread's approval/sudo callbacks before launching the thread pool, then register them locally inside each worker thread (and clear them on exit). This mirrors the existing fix pattern used in cli.py for the main agent worker thread.

Files Changed

run_agent.py

Key Diff Points

Import callback getters/setters from tools.terminal_tool
Before defining _run_tool, snapshot _get_approval_callback() and _get_sudo_password_callback()

Inside _run_tool, after set_activity_callback(), register the callbacks:

if _parent_approval_cb is not None:
    _set_approval_callback(_parent_approval_cb)
if _parent_sudo_cb is not None:
    _set_sudo_password_callback(_parent_sudo_cb)

At the end of _run_tool, clear them:

_set_approval_callback(None)
_set_sudo_password_callback(None)

Regression Tests

tests/cli/test_cli_approval_ui.py::TestApprovalCallbackThreadLocalWiring
- test_main_thread_registration_is_invisible_to_child_thread
- test_child_thread_registration_is_visible_and_cleared_in_finally

All 10 approval UI tests pass after the fix.

Original fix: GHSA-qg5c-hvr5-hjgr / Bug: Terminal approval prompt freezes input area, preventing user interaction #13617 (made callbacks thread-local)
The original fix registered callbacks inside the main agent worker thread (cli.py ~8378) but missed the concurrent execution path (run_agent.py ~7876).

…reads When tools execute concurrently via ThreadPoolExecutor, worker threads could not see the thread-local approval/sudo callbacks registered by the CLI. This caused dangerous-command prompts to fall back to plain input(), which deadlocks against prompt_toolkit's raw terminal mode. Capture parent-thread callbacks before launching workers, register them locally in each _run_tool thread, and clear them on exit. Mirrors the existing fix pattern from cli.py run_agent() for the main agent worker thread (GHSA-qg5c-hvr5-hjgr / NousResearch#13617).

alt-glitch · 2026-04-22T00:06:20Z

Likely duplicate of #13697 (merged) — both fix thread-local approval callback propagation to concurrent tool workers for bug #13617.

alt-glitch · 2026-04-22T00:07:02Z

Likely duplicate of #13697 (merged) — both fix thread-local approval callback propagation to concurrent tool workers for bug #13617.

andrewhosf · 2026-04-22T00:10:27Z

@alt-glitch thanks for the pointer. I checked #13697 — it fixes the main agent worker thread in cli.py (the daemon thread spawned by chat()), but it does not touch run_agent.py or _execute_tool_calls_concurrent().

The ThreadPoolExecutor worker threads used for concurrent tool execution are a separate spawn path that still hit the same threading.local() gap. This PR covers that missed case.

PR #13734 fixed the concurrent-tool-executor vector (ThreadPoolExecutor workers didn't inherit the CLI's TLS approval callback). Two vectors remained that could still land in the deadlocking input() fallback: 1. _spawn_background_review spawns a raw threading.Thread with no approval callback installed, so any dangerous-command guard the review agent trips falls back to input() -> deadlock against the parent's prompt_toolkit TUI (same class as delegate_task subagents, fixed in 023b1bf / #15491). Install a _bg_review_auto_deny callback at thread start, clear on finally. 2. prompt_dangerous_approval's fallback unconditionally spawned a daemon thread calling input() when approval_callback was None. That fallback can never succeed under prompt_toolkit because the user's Enter goes to pt's raw-mode stdin capture. Detect an active pt Application via get_app_or_none() and fail closed (deny + log) instead, so future threads that forget to install a callback degrade gracefully instead of hanging 60s invisibly. Regression guards: - tests/run_agent/test_background_review.py verifies the review worker thread sees a callable auto-deny callback mid-run and that the slot is cleared in the finally block. - tests/tools/test_approval.py TestFailClosedUnderPromptToolkit verifies prompt_dangerous_approval returns 'deny' fast under a mocked pt Application, and that a real callback still wins over the guard.

Release-notes contributor attribution for the salvaged PR #13734 fix.

teknium1 · 2026-04-27T13:42:47Z

Merged via #16574 — your commit was cherry-picked onto current main with authorship preserved (0046d17). Added follow-on fixes for the background-review vector and a fail-closed guard in prompt_dangerous_approval. Thanks for the diagnosis and the fix!

PR #13734 fixed the concurrent-tool-executor vector (ThreadPoolExecutor workers didn't inherit the CLI's TLS approval callback). Two vectors remained that could still land in the deadlocking input() fallback: 1. _spawn_background_review spawns a raw threading.Thread with no approval callback installed, so any dangerous-command guard the review agent trips falls back to input() -> deadlock against the parent's prompt_toolkit TUI (same class as delegate_task subagents, fixed in 023b1bf / #15491). Install a _bg_review_auto_deny callback at thread start, clear on finally. 2. prompt_dangerous_approval's fallback unconditionally spawned a daemon thread calling input() when approval_callback was None. That fallback can never succeed under prompt_toolkit because the user's Enter goes to pt's raw-mode stdin capture. Detect an active pt Application via get_app_or_none() and fail closed (deny + log) instead, so future threads that forget to install a callback degrade gracefully instead of hanging 60s invisibly. Regression guards: - tests/run_agent/test_background_review.py verifies the review worker thread sees a callable auto-deny callback mid-run and that the slot is cleared in the finally block. - tests/tools/test_approval.py TestFailClosedUnderPromptToolkit verifies prompt_dangerous_approval returns 'deny' fast under a mocked pt Application, and that a real callback still wins over the guard.

…esearch#15216) PR NousResearch#13734 fixed the concurrent-tool-executor vector (ThreadPoolExecutor workers didn't inherit the CLI's TLS approval callback). Two vectors remained that could still land in the deadlocking input() fallback: 1. _spawn_background_review spawns a raw threading.Thread with no approval callback installed, so any dangerous-command guard the review agent trips falls back to input() -> deadlock against the parent's prompt_toolkit TUI (same class as delegate_task subagents, fixed in 26c542e / NousResearch#15491). Install a _bg_review_auto_deny callback at thread start, clear on finally. 2. prompt_dangerous_approval's fallback unconditionally spawned a daemon thread calling input() when approval_callback was None. That fallback can never succeed under prompt_toolkit because the user's Enter goes to pt's raw-mode stdin capture. Detect an active pt Application via get_app_or_none() and fail closed (deny + log) instead, so future threads that forget to install a callback degrade gracefully instead of hanging 60s invisibly. Regression guards: - tests/run_agent/test_background_review.py verifies the review worker thread sees a callable auto-deny callback mid-run and that the slot is cleared in the finally block. - tests/tools/test_approval.py TestFailClosedUnderPromptToolkit verifies prompt_dangerous_approval returns 'deny' fast under a mocked pt Application, and that a real callback still wins over the guard.