fix(security): fail-closed when dangerous-command guard cannot be loaded in TUI shell.exec

[memosr]

What does this PR do?

tui_gateway/server.py exposes a shell.exec JSON-RPC method that
runs shell commands via subprocess.run(shell=True). It tries to
block dangerous commands using tools.approval.detect_dangerous_command,
but on ImportError it silently falls through to executing the command:

# Before (vulnerable — fail-open)
try:
    from tools.approval import detect_dangerous_command
    is_dangerous, _, desc = detect_dangerous_command(cmd)
    if is_dangerous:
        return _err(rid, 4005, f"blocked: {desc}...")
except ImportError:
    pass  # ← silently disables the guard

If tools.approval cannot be imported (missing module, circular import,
SyntaxError in a dependency, partial deployment), the dangerous-command
check is silently skipped and arbitrary shell commands are executed.

Fix

Made the handler fail-closed: if the guard cannot be loaded, refuse
to execute the command rather than silently bypassing the check:

except ImportError:
    return _err(
        rid, 4006, "dangerous-command guard unavailable; refusing to execute"
    )

This is consistent with the fail-closed pattern applied to the cron
SSRF check in #10180.

Type of Change

• 🔒 Security fix (CRITICAL — fail-open command execution)

Checklist

• Read the Contributing Guide
• Commit messages follow Conventional Commits
• Fail-closed — safer default when security module unavailable
• No behavior change when tools.approval is available

[egilewski]

Security behavior looks correct; I would merge once the required CI test check is green.

I validated this against current upstream/main b1e399de95894643c4d67105cd3bd84746c211b8 and PR head 0a55150e1cc3f782b3d35a9b24627e16c214b06b.

Evidence:

• Reproduced the current-main fail-open path with a synthetic ImportError for tools.approval and a mocked subprocess.run: shell.exec continued to the subprocess path.
• Replayed the same probe on this PR patch: shell.exec returned error 4006 and made zero subprocess calls.
• Verified the normal guard path still blocks dangerous commands and still allows safe commands through when tools.approval imports successfully.
• Ran python -m compileall -q tui_gateway/server.py on both current main and the patched worktree.
• Ran python -m pytest -o addopts='' -p no:cacheprovider tests/test_tui_gateway_server.py -q on the patched worktree: 205 passed, 1 warning.
• Ran coderabbit review --plain --base b1e399de95894643c4d67105cd3bd84746c211b8 --type uncommitted: No findings.

GitHub currently reports the PR as MERGEABLE / BLOCKED; the required test check is failing, so that check still needs to be rerun or fixed before merge.

Signed: GPT-5.5-xhigh in Codex

[magnus919]

Closing as superseded by upstream changes + PR #28214.

• The shell.exec vulnerability this PR targeted was addressed directly upstream (fail-closed ImportError + hardline detection)
• The quick-commands exec vulnerability (the other half of Command injection via shell=True in tui_gateway/server.py #16560) is handled in the rebased PR fix(security): harden TUI shell exec with centralized guarded command helper #28214

No action needed on this PR.

[magnus919]

Closing — superseded by upstream changes to shell.exec + PR #28214 for quick-commands hardening.

[egilewski]

Recommendation: close as superseded by current upstream changes.

I rechecked this against current upstream/main c3055d61857751ad82a2bf9e4f5de5d26a8f2a16 and PR head 0e8648cf74014e121d5b5fff2967891bbb6ebef6.

Evidence:

• Current upstream already makes shell.exec fail closed when tools.approval cannot be imported, returning 5001 before final shell execution.
• Current upstream also adds hardline command detection before the existing dangerous-command detector.
• This PR is now 322 commits behind upstream/main, and git merge-tree c3055d61857751ad82a2bf9e4f5de5d26a8f2a16 0e8648cf74014e121d5b5fff2967891bbb6ebef6 reports conflicts in tui_gateway/server.py and tests/test_tui_gateway_server.py.
• git diff --check upstream/main...HEAD reports a trailing blank line at EOF in tests/test_tui_gateway_server.py.
• Focused probe on current upstream with simulated ImportError for tools.approval: error response, zero final shell execution calls.
• Focused probe on this PR head: error 4006, zero final shell execution calls.
• /home/mac/hermes-agent/.venv/bin/python -m compileall -q tui_gateway/server.py tests/test_tui_gateway_server.py: passed.
• PR worktree focused test run with /home/mac/hermes-agent/.venv/bin/python -m pytest -o addopts="" -p no:cacheprovider tests/test_tui_gateway_server.py -q: 207 passed, 1 warning.

The regression test coverage added here is still useful, but the implementation is stale and conflicts with the newer upstream handler. I would close this PR as superseded rather than merge it as-is.

Signed: GPT-5.5-xhigh in Codex