Skip to content

fix(agent): scope subdirectory hint discovery to workspace - closes #14471 #14510

Open
vominh1919 wants to merge 1 commit into NousResearch:main from vominh1919:fix/subdirectory-hints-workspace-scope

@vominh1919

Contributor

Fix: Scope subdirectory hint discovery to workspace directory

Bug

Closes #14471

Hermes has a second project-context injection path beyond the normal startup cwd-based prompt assembly. Post-tool-call path discovery can append context from nearby AGENTS.md, CLAUDE.md, or .cursorrules files based on tool arguments — even from directories completely outside the intended workspace.

This breaks workspace isolation expectations and can cause:

  • Unexpected instruction contamination
  • Profile/agent behavior drift
  • Hard-to-debug prompt pollution
  • Cross-project leakage of local instruction files

Root Cause

In agent/subdirectory_hints.py, SubdirectoryHintTracker._is_valid_subdir() only checks:

  1. Is the path a directory?
  2. Has it already been loaded?

It does not check whether the directory is inside the configured working_dir. This means any tool call that touches a file in an unrelated directory can trigger hint discovery there.

Fix

Add a workspace boundary check in _is_valid_subdir() using Path.relative_to(). Only directories inside working_dir are scanned for hint files:

def _is_valid_subdir(self, path: Path) -> bool:
    # ... existing checks ...
    # Scope to workspace — only scan directories inside working_dir
    try:
        path.relative_to(self.working_dir)
    except ValueError:
        logger.debug(
            "Skipping subdirectory hint for %s: outside working_dir %s",
            path, self.working_dir,
        )
        return False
    return True

Impact

  • Prevents injection of unrelated AGENTS.md/CLAUDE.md/.cursorrules from outside the workspace
  • Minimal change (15 lines added, 1 line modified)
  • No behavioral change for directories inside the workspace
  • Debug logging when a directory is skipped (for troubleshooting)

SubdirectoryHintTracker._is_valid_subdir() did not check whether the
candidate directory is inside the configured working_dir. This allowed
tool calls that touch files in unrelated directories to inject AGENTS.md,
CLAUDE.md, or .cursorrules content from completely different projects
into the agent context, causing instruction contamination.

Add a workspace boundary check using Path.relative_to() so only
directories inside working_dir are scanned for hint files.

Fixes NousResearch#14471
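
An added example, not code from this pull request or from the Hermes code base: `Path.relative_to()` compares path components lexically, so the boundary check shown in the description depends on the candidate path already being normalised. The helper names and the directory layout below are hypothetical and constructed for illustration; whether the tracker resolves candidates before `_is_valid_subdir()` runs is not visible on this page.

```python
import tempfile
from pathlib import Path


def is_inside_lexical(path: Path, working_dir: Path) -> bool:
    """Boundary check as in the PR snippet: purely lexical relative_to()."""
    try:
        path.relative_to(working_dir)
    except ValueError:
        return False
    return True


def is_inside_resolved(path: Path, working_dir: Path) -> bool:
    """Same check after resolving '..' segments and symlinks on both sides."""
    try:
        path.resolve().relative_to(working_dir.resolve())
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Build a constructed directory layout and compare both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        workspace = root / "workspace"
        other = root / "other_project"
        (workspace / "src").mkdir(parents=True)
        other.mkdir()
        candidates = {
            "inside": workspace / "src",
            "outside": other,
            "dotdot": workspace / ".." / "other_project",
        }
        link = workspace / "vendor"
        try:
            link.symlink_to(other, target_is_directory=True)
            candidates["symlink"] = link
        except (OSError, NotImplementedError):
            pass  # symlinks unavailable on this platform
        return {
            name: (is_inside_lexical(p, workspace), is_inside_resolved(p, workspace))
            for name, p in candidates.items()
        }


if __name__ == "__main__":
    for name, (lexical, resolved) in demo().items():
        print(f"{name:8} lexical={lexical!s:5} resolved={resolved}")
```

In the constructed layout, the `..` path and the symlinked directory pass the lexical check but are rejected once both sides are resolved.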

Labels

  • comp/agent: Core agent loop, run_agent.py, prompt builder
  • P1: High — major feature broken, no workaround
  • type/bug: Something isn't working

Development

Successfully merging this pull request may close these issues.

[Bug]: Hermes injects unrelated AGENTS.md/CLAUDE.md/.cursorrules into agent context via tool-path discovery

2 participants