feat(windows): native Windows support (early beta) by teknium1 · Pull Request #21561 · NousResearch/hermes-agent

teknium1 · 2026-05-07T23:32:26Z

Status: Early BETA. Native Windows support landed with this PR but is still early beta — it installs, runs, and passes our Windows-footgun CI gate, but hasn't been road-tested at the scale our Linux/macOS/WSL2 paths have. Expect rough edges around subprocess handling, path quirks, and non-ASCII console output. Please file issues with repro steps when you hit something. Follow-up framing: #22115.

Native Windows support for Hermes Agent

This PR closes the gap between POSIX and native Windows hosts. Before this
work, Hermes-on-Windows shipped with silent killers, broken subprocess
management, no service-install story, an installer that routinely left
messaging SDKs half-installed, and a Python codebase peppered with idioms
that AttributeError-at-import on win32. After this PR, hermes installs,
runs, survives gateway status loops, auto-registers as a login item,
passes a Windows-footgun CI gate, and — within the [messaging] extra —
actually has the SDKs the user configured.

Why this matters

Windows is the most-requested missing platform and WSL2 is not an answer
for everyone (admins who want a real desktop integration, corp boxes
locked out of the Linux subsystem, etc.). OpenClaw, Claude Code, Codex
and Cursor all run natively on Windows; Hermes should too.

Every fix here traces to a specific failure mode reproduced on Windows 10
during dogfooding on Delta-1 (Windows user ryanc, Python 3.11,
PowerShell 5.1 / Windows Terminal). No test matrix was harmed — the
existing test suite still passes because 380 files now route through
psutil / _pid_exists instead of POSIX idioms that would have no-op'd
on Windows and flown under the radar.

What shipped (6 focused commits)

1. `acc0a8162` — browser tool + SIGINT resilience

tools/browser_tool.py now resolves agent-browser through
shutil.which(..., path=local_bin) so PATHEXT picks the .CMD shim
— CreateProcessW can't execute an extensionless shebang script,
which was giving WinError 193 "not a valid Win32 application".
cli.py installs a SIGINT absorber on win32 so spawning a
background subprocess (e.g. browser_get_images) doesn't let a
spurious CTRL_C_EVENT from the child's console group kill the
parent CLI.

2. `87fca8342` — installer hardening

install.ps1 writes all generated text files via .NET
UTF8Encoding($false) instead of PowerShell 5.1's default
Set-Content -Encoding UTF8 (which emits a BOM that Hermes's
prompt-injection scanner flags as an invisible-unicode attack).
Tiered uv pip install cascade: [all] → big PyPI-only extras
bundle → minimal dashboard/messaging extras → bare .. Previously
a single git+https flake during [all] dropped the user to .
with no extras at all.
tinker-atropos (RL training) is skipped by default — its
git+https deps (atroposlib, tinker) fail on rate-limited
github.com and used to kill the whole install mid-flight.

3. `ac178b78c` — gateway as a real Windows login item

New hermes_cli/gateway_windows.py (~690 lines) implements
install/uninstall/start/stop/restart/status via
schtasks ONLOGON /RL LIMITED (no admin required), with a
Startup-folder fallback (start /min cmd.exe /d /c <wrapper>) for
boxes where group policy blocks schtasks. Mirrors the OpenClaw
pattern.
Detached spawn via pythonw.exe (not python.exe — the former has
no console and is immune to CTRL_C_EVENT broadcasts from
siblings). Flags:
DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP | CREATE_NO_WINDOW | CREATE_BREAKAWAY_FROM_JOB.
_scan_gateway_pids falls back from wmic process (removed in
Windows 10 21H1+) to PowerShell Get-CimInstance Win32_Process
when shutil.which("wmic") is None.

4. `1cbe39914` — `os.kill(pid, 0)` is NOT a no-op on Windows

The most insidious bug in the whole stack. Python's Windows
posixmodule.c::os_kill_impl maps sig=0 to CTRL_C_EVENT (they
collide at integer value 0) and routes it through
GenerateConsoleCtrlEvent(0, pid), which broadcasts Ctrl+C to the
entire console process group containing the target PID. See
bpo-14484 (open since 2012).

Every place in the codebase that used the standard POSIX idiom
os.kill(pid, 0) to check "is this PID alive" was silently killing
the target on Windows. Most memorably, hermes gateway status
routinely killed the gateway it was trying to check.

Fix: gateway.status._pid_exists(pid) on Windows uses OpenProcess (PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE) + WaitForSingleObject(handle, 0) == WAIT_TIMEOUT, no signal path at
all. 14 callsites migrated across 11 files. Audit grep for future
drift: rg "os\.kill$[^,]+,\s*0\s*$".

5. `3dfb35700` — psutil + Windows footgun checker

psutil>=5.9.0,<8 promoted to a core dependency. It's the
canonical cross-platform answer for liveness and process-tree walk
— uses OpenProcess + GetExitCodeProcess on Windows internally,
never touches signals. _pid_exists now calls psutil.pid_exists()
first with the hand-rolled ctypes as a fallback for scaffold-phase
installs before pip finishes.
7 os.killpg callsites migrated to
psutil.Process(pid).children(recursive=True) + .kill() —
os.killpg doesn't exist on Windows at all. 3 residual callsites
in tools/environments/local.py use pgid semantics psutil can't
replicate and are suppressed with a marker, already Windows-guarded
at an outer branch.
New scripts/check-windows-footguns.py (500 lines, stdlib-only)
with 11 rules covering os.kill(0), os.setsid, os.killpg,
os.getuid/geteuid/getgid, os.fork, signal.SIGKILL/SIGHUP/
SIGUSR*/SIGALRM/SIGCHLD/SIGPIPE/SIGQUIT,
shebang-script-via-subprocess, wmic without shutil.which guard,
hardcoded ~/Desktop (OneDrive trap), asyncio.add_signal_handler
without try/except, open() without encoding= on text mode.
Docstring-aware, comment-aware, guard-hint-aware, inline
# windows-footgun: ok — <reason> suppression, --list / --all
/ --diff <ref> modes. Scans 380 files in under 2 seconds.
CONTRIBUTING.md "Cross-Platform Compatibility" expanded from 5
rules to 16, each with concrete example + fix.
Baseline cleanup: 91 findings → 0. 14 open() calls got
encoding='utf-8' (or 'utf-8-sig' for Notepad-editable files),
23 legitimately-POSIX-only sites got the marker, 7 os.killpg
sites migrated.

6. `b2bdf274f` — status dedup + install.ps1 platform-SDK bootstrap

Two residuals closed:

hermes gateway status reported 2 PIDs per gateway. Two bugs
stacked:
- _get_parent_pid shelled out to ps -o ppid= -p <pid> which
  doesn't exist on Windows → silent FileNotFoundError → ancestor
  walk bailed at self → status-call's own launcher escaped the
  exclusion set. Rewritten to call psutil.Process(pid).ppid()
  first.
- Windows venvs have a launcher-stub pattern: <venv>/Scripts/ pythonw.exe is a 5 MB stub that spawns the base Python
  (Python311/pythonw.exe) with the same command line. New
  _filter_venv_launcher_stubs in _scan_gateway_pids drops any
  PID whose parent is also in the match set.
- Result: 5 back-to-back gateway status runs now all report
  PID: 21952 — one process, stable.
install.ps1 now bootstraps pip + auto-installs messaging SDKs
keyed off .env. Two related gaps: (a) uv creates venvs
without pip, and (b) the tier cascade can silently skip some
[messaging] SDKs when an earlier tier partial-resolves. New
Install-PlatformSdks function: detects TELEGRAM_BOT_TOKEN /
DISCORD_BOT_TOKEN / SLACK_BOT_TOKEN / SLACK_APP_TOKEN /
WHATSAPP_ENABLED in ~/.hermes/.env, verifies each SDK imports,
on failure runs python -m ensurepip --upgrade then a targeted
pip install <spec> (specs mirror pyproject.toml's [messaging]
extra verbatim). Live-tested: detected missing discord +
slack_sdk, bootstrapped, installed, idempotent on re-run.

Verification

$ venv/Scripts/python.exe scripts/check-windows-footguns.py --all
✓ No Windows footguns found (380 file(s) scanned).

$ # Stress test: 5 consecutive gateway status calls against a live
$ # gateway, none killed it or over-counted:
$ for _ in 1 2 3 4 5; do hermes gateway status; done
✓ Gateway process running (PID: 21952)
✓ Gateway process running (PID: 21952)
✓ Gateway process running (PID: 21952)
✓ Gateway process running (PID: 21952)
✓ Gateway process running (PID: 21952)

$ # Fresh token in .env triggers SDK install end-to-end:
$ # (appended DISCORD_BOT_TOKEN, SLACK_BOT_TOKEN)
$ # → Install-PlatformSdks detected both missing,
$ # → ensurepip bootstrapped pip,
$ # → pip installed discord.py[voice] 2.7.1 + slack-sdk 3.41.0.
$ # Re-run is a clean no-op.

Platform matrix

Feature	Linux	macOS	WSL2	Win (native)
CLI runs	✓	✓	✓	✓ NEW
Gateway survives `status` loop	✓	✓	✓	✓ NEW
Gateway auto-starts on boot	systemd	launchd	systemd	schtasks + Startup NEW
`gateway install/stop/restart`	✓	✓	✓	✓ NEW
Browser tool (`agent-browser`)	✓	✓	✓	✓ NEW
Messaging SDKs auto-installed	—	—	—	✓ NEW
Ctrl+C in CLI prompt behaves	✓	✓	✓	✓ NEW
`check-windows-footguns.py`	gates	gates	gates	gates NEW

Follow-ups (explicitly out of scope for this PR)

CI workflow for the checker. File .github/workflows/windows- footguns.yml is ready (saved locally at /tmp/hermes-stash/ windows-footguns.yml on the authoring machine) but pushing it
requires a gh token with workflow OAuth scope, which the author's
token lacks. A maintainer with workflow permissions should add
it in a one-line follow-up PR. Until then the checker runs
manually; no new Windows footguns can be introduced unnoticed by
a reviewer who runs it before approving.
Linux installer parity with Windows's tier cascade +
Install-PlatformSdks. Linux install.sh has the same silent
partial-messaging-install gap that Windows had before this PR
(single tier → bare . fallback; no post-install SDK verify).
Intentionally not addressed here — scope of this PR is
Windows-native, not cross-platform installer refactor.
Hardening pass on asyncio.add_signal_handler + the
gateway/run.py inline ctypes watcher. Both work correctly on
Windows after the commits above but carry stylistic cruft; low-
urgency cleanup.

Closes / refs

Refs #22012
(reported during this work — browser_get_images SyntaxError on
Windows, also fixed here as a side-effect of the agent-browser
PATH resolution fix).

@sprmn24

…, UTF-8 stdio, tzdata dep, docs Native Windows (with Git for Windows installed) can now run the Hermes CLI and gateway end-to-end without crashing. install.ps1 already existed and the Git Bash terminal backend was already wired up — this PR fills the remaining gaps discovered by auditing every Windows-unsafe primitive (`signal.SIGKILL`, `os.kill(pid, 0)` probes, bare `fcntl`/`termios` imports) and by comparing hermes against how Claude Code, OpenCode, Codex, and Cline handle native Windows. ## What changed ### UTF-8 stdio (new module) - `hermes_cli/stdio.py` — single `configure_windows_stdio()` entry point. Flips the console code page to CP_UTF8 (65001), reconfigures `sys.stdout`/`stderr`/`stdin` to UTF-8, sets `PYTHONIOENCODING` + `PYTHONUTF8` for subprocesses. No-op on non-Windows. Opt out via `HERMES_DISABLE_WINDOWS_UTF8=1`. - Called early in `cli.py::main`, `hermes_cli/main.py::main`, and `gateway/run.py::main` so Unicode banners (box-drawing, geometric symbols, non-Latin chat text) don't `UnicodeEncodeError` on cp1252 consoles. ### Crash sites fixed - `hermes_cli/main.py:7970` (hermes update → stuck gateway sweep): raw `os.kill(pid, _signal.SIGKILL)` → `gateway.status.terminate_pid(pid, force=True)` which routes through `taskkill /T /F` on Windows. - `hermes_cli/profiles.py::_stop_gateway_process`: same fix — also converted SIGTERM path to `terminate_pid()` and widened OSError catch on the intermediate `os.kill(pid, 0)` probe. - `hermes_cli/kanban_db.py:2914, 3041`: raw `signal.SIGKILL` → `getattr(signal, "SIGKILL", signal.SIGTERM)` fallback (matches the pattern already used in `gateway/status.py`). ### OSError widening on `os.kill(pid, 0)` probes Windows raises `OSError` (WinError 87) for a gone PID instead of `ProcessLookupError`. Widened the catch at: - `gateway/run.py:15101` (`--replace` wait-for-exit loop — without this, the loop busy-spins the full 10s every Windows gateway start) - `hermes_cli/gateway.py:228, 460, 940` - `hermes_cli/profiles.py:777` - `tools/process_registry.py::_is_host_pid_alive` - `tools/browser_tool.py:1170, 1206` ### Dashboard PTY graceful degradation `hermes_cli/pty_bridge.py` depends on `fcntl`/`termios`/`ptyprocess`, none of which exist on native Windows. Previously a Windows dashboard would crash on `import hermes_cli.web_server` because of a top-level import. Now: - `hermes_cli/web_server.py` wraps the pty_bridge import in `try/except ImportError` and sets `_PTY_BRIDGE_AVAILABLE=False`. - The `/api/pty` WebSocket handler returns a friendly "use WSL2 for this tab" message instead of exploding. - Every other dashboard feature (sessions, jobs, metrics, config editor) runs natively on Windows. ### Dependency - `pyproject.toml`: add `tzdata>=2023.3; sys_platform == 'win32'` so Python's `zoneinfo` works on Windows (which has no IANA tzdata shipped with the OS). Credits @sprmn24 (PR #13182). ### Docs - README.md: removed "Native Windows is not supported"; added PowerShell one-liner and Git-for-Windows prerequisite note. - `website/docs/getting-started/installation.md`: new Windows section with capability matrix (everything native except the dashboard `/chat` PTY tab, which is WSL2-only). - `website/docs/user-guide/windows-wsl-quickstart.md`: reframed as "WSL2 as an alternative to native" rather than "the only way". - `website/docs/developer-guide/contributing.md`: updated cross-platform guidance with the `signal.SIGKILL` / `OSError` rules we enforce now. - `website/docs/user-guide/features/web-dashboard.md`: acknowledged native Windows works for everything except the embedded PTY pane. ## Why this shape Pulled from a survey of how other agent codebases handle native Windows (Claude Code, OpenCode, Codex, Cline): - All four treat Git Bash as the canonical shell on Windows, same as hermes already does in `tools/environments/local.py::_find_bash()`. - None of them force `SetConsoleOutputCP` — but they don't have to, Node/Rust write UTF-16 to the Win32 console API. Python does not get that for free, so we flip CP_UTF8 via ctypes. - None of them ship PowerShell-as-primary-shell (Claude Code exposes PS as a secondary tool; scope creep for this PR). - All of them use `taskkill /T /F` for force-kill on Windows, which is exactly what `gateway.status.terminate_pid(force=True)` does. ## Non-goals (deliberate scope limits) - No PowerShell-as-a-second-shell tool — worth designing separately. - No terminal routing rewrite (#12317, #15461, #19800 cluster) — that's the hardest design call and needs a separate doc. - No wholesale `open()` → `open(..., encoding="utf-8")` sweep (Tianworld cluster) — will do as follow-up if users hit actual breakage; most modern code already specifies it. ## Validation - 28 new tests in `tests/tools/test_windows_native_support.py` — all platform-mocked, pass on Linux CI. Cover: - `configure_windows_stdio` idempotency, opt-out, env-preservation - `terminate_pid` taskkill routing, failure → OSError, FileNotFoundError fallback - `getattr(signal, "SIGKILL", …)` fallback shape - `_is_host_pid_alive` OSError widening (Windows-gone-PID behavior) - Source-level checks that all entry points call `configure_windows_stdio` - pty_bridge import-guard present in `web_server.py` - README no longer says "not supported" - 12 pre-existing tests in `tests/tools/test_windows_compat.py` still pass. - `tests/hermes_cli/` ran fully (3909 passed, 9 failures — all confirmed pre-existing on main by stash-test). - `tests/gateway/` ran fully (5021 passed, 1 pre-existing failure). - `tests/tools/test_process_registry.py` + `test_browser_*` pass. - Manual smoke: `import hermes_cli.stdio; import gateway.run; import hermes_cli.web_server` — all clean, `_PTY_BRIDGE_AVAILABLE=True` on Linux (as expected). ## Files - New: `hermes_cli/stdio.py`, `tests/tools/test_windows_native_support.py` - Modified: `cli.py`, `gateway/run.py`, `hermes_cli/main.py`, `hermes_cli/profiles.py`, `hermes_cli/gateway.py`, `hermes_cli/kanban_db.py`, `hermes_cli/pty_bridge.py`, `hermes_cli/web_server.py`, `tools/browser_tool.py`, `tools/process_registry.py`, `pyproject.toml`, `README.md`, and 4 docs pages. Credits to everyone whose prior PR work informed these fixes — see the co-author trailers. All of the PRs listed in `~/.hermes/plans/windows-support-prs.md` fixing `os.kill` / `signal.SIGKILL` / UTF-8 stdio / tzdata / README patterns found the same issues; this PR consolidates them. Co-authored-by: Philip D'Souza <9472774+PhilipAD@users.noreply.github.com> Co-authored-by: Arecanon <42595053+ArecaNon@users.noreply.github.com> Co-authored-by: XiaoXiao0221 <263113677+XiaoXiao0221@users.noreply.github.com> Co-authored-by: Lars Hagen <1360677+lars-hagen@users.noreply.github.com> Co-authored-by: Luan Dias <65574834+luandiasrj@users.noreply.github.com> Co-authored-by: Ruzzgar <ruzzgarcn@gmail.com> Co-authored-by: sprmn24 <oncuevtv@gmail.com> Co-authored-by: adybag14-cyber <252811164+adybag14-cyber@users.noreply.github.com> Co-authored-by: Prasanna28Devadiga <54196612+Prasanna28Devadiga@users.noreply.github.com>

github-actions · 2026-05-07T23:33:30Z

🔎 Lint report: `hermes/hermes-b2e6c99b` vs `origin/main`

ruff

Total: 0 on HEAD, 0 on base (➖ 0)

🆕 New issues: none

✅ Fixed issues: none

Unchanged: 0 pre-existing issues carried over.

ty (type checker)

Total: 7829 on HEAD, 7797 on base (🆕 +32)

🆕 New issues (30):

Rule	Count
`unresolved-import`	14
`unresolved-attribute`	11
`invalid-argument-type`	2
`unused-type-ignore-comment`	1
`invalid-type-form`	1
`invalid-assignment`	1

First entries

tests/test_lint_config.py:23: [unresolved-import] unresolved-import: Cannot resolve imported module `pytest`
agent/prompt_builder.py:649: [unused-type-ignore-comment] unused-type-ignore-comment: Unused blanket `type: ignore` directive
hermes_cli/gateway.py:3005: [unresolved-attribute] unresolved-attribute: Module `ctypes` has no member `windll`
scripts/check-windows-footguns.py:135: [invalid-type-form] invalid-type-form: Function `callable` is not valid in a type expression: Did you mean `collections.abc.Callable`?
scripts/keystroke_diagnostic.py:38: [unresolved-import] unresolved-import: Cannot resolve imported module `prompt_toolkit.layout`
hermes_cli/stdio.py:59: [unresolved-attribute] unresolved-attribute: Module `ctypes` has no member `windll`
hermes_cli/uninstall.py:324: [unresolved-attribute] unresolved-attribute: Module `winreg` has no member `OpenKey`
scripts/keystroke_diagnostic.py:39: [unresolved-import] unresolved-import: Cannot resolve imported module `prompt_toolkit.layout.containers`
hermes_cli/uninstall.py:332: [unresolved-attribute] unresolved-attribute: Module `winreg` has no member `DeleteValue`
hermes_cli/uninstall.py:309: [unresolved-attribute] unresolved-attribute: Module `winreg` has no member `SetValueEx`
tools/code_execution_tool.py:1152: [invalid-argument-type] invalid-argument-type: Argument to function `chmod` is incorrect: Expected `int | str | bytes | PathLike[str] | PathLike[bytes]`, found `None | str`
tools/code_execution_tool.py:1151: [invalid-argument-type] invalid-argument-type: Argument to bound method `socket.bind` is incorrect: Expected `tuple[Any, ...] | str | Buffer`, found `None | str`
tools/tts_tool.py:544: [unresolved-import] unresolved-import: Cannot resolve imported module `psutil`
hermes_cli/web_server.py:2990: [invalid-assignment] invalid-assignment: Object of type `None` is not assignable to `<class 'PtyBridge'>`
tools/process_registry.py:1052: [unresolved-import] unresolved-import: Cannot resolve imported module `psutil`
tools/code_execution_tool.py:1454: [unresolved-import] unresolved-import: Cannot resolve imported module `psutil`
hermes_cli/uninstall.py:325: [unresolved-attribute] unresolved-attribute: Module `winreg` has no member `KEY_WRITE`
scripts/keystroke_diagnostic.py:36: [unresolved-import] unresolved-import: Cannot resolve imported module `prompt_toolkit`
hermes_cli/uninstall.py:325: [unresolved-attribute] unresolved-attribute: Module `winreg` has no member `KEY_READ`
scripts/keystroke_diagnostic.py:40: [unresolved-import] unresolved-import: Cannot resolve imported module `prompt_toolkit.layout.controls`
gateway/platforms/whatsapp.py:158: [unresolved-import] unresolved-import: Cannot resolve imported module `psutil`
tests/tools/test_code_execution_windows_env.py:30: [unresolved-import] unresolved-import: Cannot resolve imported module `pytest`
tests/test_hermes_bootstrap.py:29: [unresolved-import] unresolved-import: Cannot resolve imported module `pytest`
hermes_cli/uninstall.py:324: [unresolved-attribute] unresolved-attribute: Module `winreg` has no member `HKEY_CURRENT_USER`
tests/tools/test_windows_native_support.py:22: [unresolved-import] unresolved-import: Cannot resolve imported module `pytest`
... and 5 more

✅ Fixed issues (3):

Rule	Count
`unresolved-attribute`	2
`no-matching-overload`	1

First entries

tools/environments/base.py:107: [unresolved-attribute] unresolved-attribute: Attribute `close` is not defined on `None` in union `IO[Unknown] | None`
tui_gateway/entry.py:84: [no-matching-overload] no-matching-overload: No overload of bound method `dict.get` matches arguments
tools/environments/base.py:106: [unresolved-attribute] unresolved-attribute: Attribute `write` is not defined on `None` in union `IO[Unknown] | None`

Unchanged: 4092 pre-existing issues carried over.

Diagnostics are surfaced as warnings — this check never fails the build.

…inget User hit a real failure case: their system Git was in a half-installed state (can neither uninstall nor reinstall) and winget refused to work around it. We were one step away from shipping an installer that would have left users with exactly the problem he already had. What other agents do (reality check): - Claude Code: requires pre-installed Git; breaks if user doesn't have it. - OpenCode, Codex: don't need bash at all — PowerShell-first design. - Cline: uses whatever shell VSCode is configured with; installs nothing. None of them solve the "broken system Git" problem. We need to own our Git. Changes: - scripts/install.ps1::Install-Git: dropped winget path entirely. Now: (1) use existing git if present; (2) download portable MinGit from the official git-for-windows GitHub release to %LOCALAPPDATA%\hermes\git. No winget, no admin, no Windows installer registry, no system impact. - Added %LOCALAPPDATA%\hermes\git\{cmd,usr\bin} to User PATH so git + bash + POSIX coreutils (which, env, grep, …) resolve in fresh shells. - tools/environments/local.py::_find_bash: reorder so Hermes' portable MinGit install is checked BEFORE falling through to shutil.which("bash") or system install locations. This way a broken system Git can't hijack the bash lookup. - README + installation docs reworded to reflect the new story: "portable Git Bash, isolated from any system install, recoverable via rm -rf if it ever breaks." Recoverability: if Hermes' Git install ever breaks, ``Remove-Item %LOCALAPPDATA%\hermes\git`` and re-run the installer — no system impact, no uninstall drama, no winget to fight with.

…E work Pre-existing Windows bug surfaced while reviewing the portable-MinGit install: prompt_toolkit's Buffer.open_in_editor() falls back to POSIX absolute paths (/usr/bin/nano, /usr/bin/vi, /usr/bin/emacs) that don't exist on native Windows. When neither $EDITOR nor $VISUAL is set, Ctrl+X Ctrl+E ("open prompt in editor") and /edit both silently do nothing on Windows — the user hits the key, nothing happens, no error. This wasn't caused by MinGit (full Git for Windows doesn't fix it either, because the Windows Python subprocess call resolves `/usr/bin/nano` as `C:\usr\bin\nano`, which doesn't exist even with nano installed). Fixes: - hermes_cli/stdio.py::configure_windows_stdio now sets EDITOR=notepad on Windows if neither EDITOR nor VISUAL is set. notepad.exe is in every Windows install, works as a blocking editor (subprocess.call waits for the window to close), and writes back to the file. - hermes_cli/config.py (hermes config edit): reorder fallback list so Windows tries notepad first — previously nano led the list, which required Git Bash / WSL to be in PATH. - Users who want VSCode / Neovim / Notepad++ can still override via $env:EDITOR — that's checked before our default kicks in. Docstring spells out the common overrides. The Ink TUI (`hermes --tui`) already handled Windows correctly via ui-tui/src/lib/editor.ts falling back to notepad.exe on win32 — this commit brings the classic prompt_toolkit CLI into parity. 3 new tests in test_windows_native_support.py verify: - EDITOR=notepad gets set when unset on Windows - Explicit $EDITOR is respected - $VISUAL is respected (not overwritten by our default)

…an waitpid, AF_UNIX sandbox, /bin/bash, npm .cmd shims, cwd tracking, detach flags Second pass on native Windows support, driven by a systematic audit across five areas: POSIX-only primitives (signal.SIGKILL/SIGHUP/SIGPIPE, os.WNOHANG, os.setsid), path translation bugs (/c/Users → C:\Users), subprocess patterns (npm.cmd batch shims, start_new_session no-op on Windows), subsystem health (cron, gateway daemon, update flow), and module-level import guards. Every change is platform-gated — POSIX (Linux/macOS) behaviour is preserved bit-identical. Explicit "do no harm" test: test_posix_path_preserved_on_linux, test_posix_noop, test_windows_detach_popen_kwargs_is_posix_equivalent_on_posix. ## New module - hermes_cli/_subprocess_compat.py — shared helpers (resolve_node_command, windows_detach_flags, windows_hide_flags, windows_detach_popen_kwargs). All no-ops on non-Windows. ## CRITICAL fixes (would crash or silently break on Windows) - tui_gateway/entry.py: SIGPIPE/SIGHUP referenced at module top level would AttributeError on import on Windows, breaking `hermes --tui` entirely (it spawns this module as a subprocess). Guard each signal.signal() call with hasattr() and add SIGBREAK as Windows' SIGHUP equivalent. - hermes_cli/kanban_db.py: os.waitpid(-1, os.WNOHANG) in dispatcher tick was unguarded. os.WNOHANG doesn't exist on Windows. Gate the whole reap loop behind `os.name != "nt"` — Windows has no zombies anyway. - tools/code_execution_tool.py: AF_UNIX socket for execute_code RPC fails on most Windows builds. Fall back to loopback TCP (AF_INET on 127.0.0.1:0 ephemeral port) when _IS_WINDOWS. HERMES_RPC_SOCKET env var now accepts either a filesystem path (POSIX) or `tcp://127.0.0.1:<port>` (Windows). Generated sandbox client parses both. - cron/scheduler.py: `argv = ["/bin/bash", str(path)]` hardcoded. Use shutil.which("bash") so Windows (Git Bash via MinGit) works, with a readable error when bash is genuinely absent. - 6 bare npm/npx spawn sites: tools_config.py x2, doctor.py, whatsapp.py (npm install + node version probe), browser_tool.py x2. On Windows npm is npm.cmd / npx is npx.cmd (batch shims); subprocess.Popen(["npm", ...]) fails with WinError 193. shutil.which(...) returns the absolute .cmd path which CreateProcessW accepts because the extension routes through cmd.exe /c. POSIX behaviour unchanged (shutil.which still returns the same path subprocess would resolve itself). ## HIGH fixes (silent misbehaviour on Windows) - tools/environments/local.py get_temp_dir: hardcoded /tmp returned on Windows meant `_cwd_file = "/tmp/hermes-cwd-*.txt"`, which bash wrote via MSYS2's virtual /tmp but native Python couldn't open. Result: cwd tracking silently broken — `cd` in terminal tool did nothing. Windows branch now returns `%HERMES_HOME%/cache/terminal` with forward slashes (works in both bash and Python, guaranteed no spaces). - tools/environments/local.py _make_run_env PATH injection: `/usr/bin not in split(":")` heuristic mangles Windows PATH (";" separator). Gate the injection behind `not _IS_WINDOWS`. - hermes_cli/gateway.py launch_detached_profile_gateway_restart: outer Popen + watcher-script Popen both used start_new_session=True, which Windows silently ignores. Watcher stayed attached to CLI's console, died when user closed terminal after `hermes update`, left gateway stale. Now branches through windows_detach_popen_kwargs() helper (CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS | CREATE_NO_WINDOW on Windows, start_new_session=True on POSIX — identical to main). ## MEDIUM fixes - gateway/run.py /restart and /update handlers: hardcoded bash/setsid chain crashes on Windows when user triggers /update in-gateway. Now has sys.platform=="win32" branch using sys.executable + a tiny Python watcher with proper detach flags. POSIX path is unchanged. - cli.py _git_repo_root: Git on Windows sometimes returns /c/Users/... style paths that break subprocess.Popen(cwd=...) and Path().resolve(). Added _normalize_git_bash_path() helper that translates /c/Users, /cygdrive/c, /mnt/c variants to native C:\Users form. POSIX no-op. _git_repo_root() now routes every result through it. - cli.py worktree .worktreeinclude: os.symlink on directories failed hard on Windows (requires admin or Developer Mode). Falls back to shutil.copytree with a warning log. ## Tests - 29 new tests in tests/tools/test_windows_native_support.py covering: subprocess_compat helpers, TUI entry signal guards, kanban waitpid guard, code_execution TCP fallback source-level invariants, cron bash resolution, npm/npx bare-spawn lint per-file, local env Windows temp dir, PATH injection gating, git bash path normalization, symlink fallback, gateway detached watcher flags. - One existing test assertion adjusted in test_browser_homebrew_paths: it compared captured Popen argv to the BARE `"npx"` literal; after the shutil.which() change argv[0] is the absolute path. New assertion checks the shape (two items, second is `agent-browser`) rather than the exact first-item string. Behaviour unchanged; test was too strict. All 56 tests pass on Linux (30 from previous commits + 26 new). 267 tests from the affected files/dirs (browser, code_exec, local_env, process_registry, kanban_db, windows_compat) all pass — zero regressions. tests/hermes_cli/ (3909 pass) and tests/gateway/ (5021 pass) unchanged; all pre-existing test failures confirmed unrelated via `git stash` re-run. ## What's still deferred (LOW priority) - Visible cmd-window flashes on short-lived console apps (~14 sites) — cosmetic, needs a follow-up pass once we have user reports. - agent/file_safety.py POSIX-only security deny patterns — separate hardening task. - tools/process_registry.py returning "/tmp" as fallback — theoretical; reachable only when all env-var candidates fail.

…ash, surface npm errors Three real bugs from teknium1's first Windows install run: 1. **MinGit has no bash.exe.** MinGit is the minimal-automation Git for Windows distribution — it ships git.exe but deliberately strips bash and the POSIX coreutils. Installer logged "Could not locate bash.exe" and Hermes would fail to run any shell command. Switched to PortableGit — the full Git for Windows minus the installer UI. PortableGit ships bash.exe at <root>\bin\bash.exe plus sh, awk, sed, grep, curl, ssh in usr\bin\. ARM64 variant is detected separately (PortableGit-*-arm64.7z.exe). 32-bit falls back to MinGit-32-bit with a warning (PortableGit is 64-bit only). PortableGit ships as a 7z self-extractor (56MB vs MinGit's 38MB). We invoke it with `-o<target> -y` to extract silently — no 7z install needed, it's self-contained. Updated tools/environments/local.py::_find_bash candidate order to prefer the PortableGit layout (<root>\bin\bash.exe) with the MinGit layout (<root>\usr\bin\bash.exe) as a fallback so existing installs keep working. 2. **os.execvp "Exec format error" on Windows.** Setup wizard's "Launch hermes chat now? Y" called `os.execvp(["hermes", "chat"])` which on Windows can only swap to real Win32 .exe files — chokes with OSError(8) on .cmd batch shims and Python console-script wrappers. Added a win32 branch in hermes_cli/relaunch.py::relaunch() that uses subprocess.run + sys.exit — functionally identical (user sees "hermes exited, then new hermes started") with one extra PID in play. POSIX path is UNCHANGED — still uses os.execvp for in-place replacement. Catches OSError in the Windows branch and surfaces a "open a new terminal so PATH picks up, then re-run hermes" hint instead of a cryptic traceback. 3. **npm install failures silent on Windows.** The install.ps1 was invoking `npm install --silent 2>&1 | Out-Null` inside a try/catch. PowerShell's try/catch does NOT trigger on non-zero process exit codes — only on unhandled .NET exceptions — so npm failing printed a generic "npm install failed" with zero information about WHY. The silent pipe ate the stderr. Rewrote Install-NodeDeps to: - Resolve npm.cmd via Get-Command (respects PATHEXT) instead of relying on bare `npm` name resolution. - Use Start-Process with -PassThru to capture the actual exit code. - Redirect stderr to a temp log and surface the first ~800 chars of the real npm error when install fails, plus the log path for the full text. - Fail loudly with the right exit code instead of a misleading success. - Bail cleanly with a helpful message when npm isn't on PATH at all. 4. **"True" printing to console after Node check.** `Test-Node` returns $true; installer called it as a bare statement (no assignment, no cast). PowerShell prints bare return values. Wrapped the call in `[void](Test-Node)`. ## Tests - Added 3 new tests in tests/hermes_cli/test_relaunch.py covering the Windows branch: subprocess is called (not execvp), child exit code propagates, OSError surfaces a helpful message. All 23 tests pass (20 existing + 3 new). - 77 Windows-compat tests still pass, POSIX behaviour unchanged.

…olve on first launch Three interrelated bugs from teknium1's first interactive chat on Windows: 1. **Snapshot/cwd file paths unquoted in bash command strings.** The session bootstrap and per-command wrapper interpolated ``self._snapshot_path`` / ``self._cwd_file`` unquoted into bash commands like ``export -p > C:/Users/ryanc/.../hermes-snap-xxx.sh``. Git Bash's MSYS2 layer handles ``C:/...`` paths correctly ONLY when quoted; unquoted, the colon and forward-slash get glob-parsed and the redirect targets a bogus path. Symptom: every terminal command emitted two ``C:/Users/.../hermes-snap-*.sh (No such file or directory)`` lines that bled into stdout (``stderr=STDOUT`` on the local backend) and corrupted file contents when the agent wrote to scratch paths via the terminal tool. Fix: ``shlex.quote()`` every interpolation of ``_snapshot_path`` and ``_cwd_file`` in base.py — no-op on POSIX (the paths contain no shell-metachars), critical on Windows. 2. **Stale PATH on first hermes launch after install.** ``install.ps1`` adds the PortableGit ``cmd`` / ``bin`` / ``usr\bin`` directories to the Windows **User** PATH via ``SetEnvironmentVariable(..., "User")``. That write propagates to newly *spawned* processes only — already-running shells (including the one the user types ``hermes`` into immediately after install) retain their old PATH. So hermes starts with a PATH that doesn't include bash, rg, grep, ssh — and ``search_files`` reports "rg/find not available" when the user clearly just installed them. Fix: new ``_augment_path_with_known_tools()`` helper called from ``configure_windows_stdio()`` on startup. Prepends the Hermes-managed Git directories + the WinGet Links directory (where ripgrep lands) to ``os.environ['PATH']`` if they exist on disk but aren't already in PATH. Subsequent subprocess calls (including bash spawns via ``_find_bash()``) inherit the augmented PATH and find everything. No-op on POSIX and when the directories don't exist. 3. **Root cause of "file content corruption".** #1 was the proximate cause. Errors like ``C:/Users/.../hermes-snap-xxx.sh: No such file or directory`` were emitted on stderr by the failed redirect, captured into stdout via ``stderr=subprocess.STDOUT``, and if the agent used terminal commands like ``cat > file`` the leaked error bytes became part of the file. Fixing #1 eliminates this entirely. ## Tests All 77 Windows-compat tests still pass on Linux (POSIX path is shlex.quote('/tmp/foo.sh') → '/tmp/foo.sh' — unchanged). ## Not addressed here (would need a bigger design) - Python file tools (``write_file``, ``read_file``) and the bash-backed terminal tool see DIFFERENT views of ``/tmp`` on Windows. Python treats ``/tmp`` as ``C:\tmp`` (drive-relative), Git Bash's MSYS2 treats it as a virtual mount to the PortableGit install's ``tmp\``. Would need a translation shim in the Python tools to resolve bash-virtual paths to their native-Windows equivalents. Workaround for users today: use absolute native paths (``C:\Users\you\...``) instead of ``/tmp/...`` when crossing between terminal and Python file tools.

…oken stubs teknium1 hit "fatal: not in a git directory" on re-install when the previous install left a $InstallDir\.git stub that Test-Path matched but git didn't recognize (three "fatal: not a git repository" lines, then the script exited before touching anything). Two bugs: 1. Test-Path "$InstallDir\.git" was a weak gate — it matches .git whether it's a directory, file, symlink, submodule gitfile, OR a broken stub from a failed previous Remove-Item. Replaced with a real repo probe: Push-Location + git rev-parse --is-inside-work-tree + $LASTEXITCODE check. If git itself can't see a repo, we treat the directory as not-a-repo and fall through to fresh clone. 2. The original update path ignored $LASTEXITCODE. fetch/checkout/pull all emitted fatals but the script kept going. Now each command checks $LASTEXITCODE and throws with an explicit message. Also: when the directory exists but isn't a valid repo, the new code wipes it (Remove-Item -ErrorAction Stop) and falls through to fresh clone, instead of dying with the old "Directory exists but is not a git repository" error. If the wipe itself fails (file locked, hermes still running), we throw with a user-readable "close any programs using files in <dir>" hint. Refactored the function to use a $didUpdate flag instead of my earlier draft's early `return` — that was skipping the submodule init block at the bottom of the function. Both the update and fresh-clone paths now fall through to the submodule init step, which is correct (git pull doesn't auto-update submodules). PowerShell structural check: 21 functions defined, braces balanced.

… repo probe User hit 'fatal: not in a git directory' on re-install because: 1. They ran Remove-Item -Force $env:LOCALAPPDATA\hermes -ErrorAction SilentlyContinue WHILE cd'd inside the install dir. Windows silently refuses to delete a directory any shell is currently cd'd inside and leaves the skeleton intact, but the -ErrorAction SilentlyContinue swallowed every partial-delete failure so they thought the wipe succeeded. 2. The installer then walked into Install-Repository, saw $InstallDir still exists with a partial .git stub, my repo-validity probe returned success (the probe's git rev-parse may have exit-code-zeroed in a way I didn't expect), and the real git fetch died with three 'fatal: not a git repository' errors. Two fixes belt-and-braces: - Main() now cds to $env:USERPROFILE at start if the current shell is inside $InstallDir. Harmless when the user ran from elsewhere; critical when they didn't. This alone fixes the user's case. - Install-Repository's 'is this a valid repo' probe now runs BOTH git rev-parse --is-inside-work-tree AND git status, resets $LASTEXITCODE before each to avoid picking up a stale 0, and requires BOTH to succeed. Also requires rev-parse's output to match 'true' (not just exit 0) to rule out exit-0-with-empty-output edge cases.

Three bugs from teknium1's successful install + diagnostic chat on Windows: 1. **Start-Process -FilePath npm.cmd fails with "%1 is not a valid Win32 application".** Start-Process bypasses cmd.exe and PATHEXT to call CreateProcessW directly, which refuses .cmd batch shims. Switched Install-NodeDeps to use PowerShell's invocation operator (``& $npmExe install --silent *> $log``) which DOES honour PATHEXT. Extracted a ``_Run-NpmInstall`` helper so the browser + TUI paths share the same logic. Captures $LASTEXITCODE correctly, still surfaces the real stderr on failure with a log-file pointer for the full output. 2. **patch tool returns false-negative on Windows due to CRLF round-trip.** Root cause was upstream of patch: ``subprocess.Popen(..., text=True, stdin=PIPE)`` on Windows translates ``\\n`` → ``\\r\\n`` when data flows through the stdin pipe. ``_pipe_stdin()`` was writing the patch's new_content string through a text-mode pipe, bash then wrote those CRLF bytes to disk, and patch's post-write verify compared the on-disk CRLF bytes against the original LF-only string — fail. Fixed in two places for defense in depth: - ``_pipe_stdin()`` now writes through ``proc.stdin.buffer`` with explicit UTF-8 encoding, bypassing Python's newline translation on every platform. No behaviour change on POSIX (bytes are identical) but stops the CRLF injection on Windows. - ``patch_replace``'s post-write verify normalizes CRLF→LF on both sides before comparing, so even if some future backend still translates newlines the patch tool won't report a bogus failure. 3. **SOUL.md gets a UTF-8 BOM on Windows PowerShell 5.1.** ``Set-Content -Encoding UTF8`` on PS5.1 writes UTF-8 WITH a byte-order-mark (changed in PS7 via ``utf8NoBOM``). Hermes's prompt-injection scanner sees the BOM (U+FEFF invisible char) and refuses to load the file, so SOUL.md's persona instructions never get applied. Fixed by writing the file via ``[System.IO.File]::WriteAllText`` with an explicit ``UTF8Encoding($false)`` — BOM-free on every PowerShell version. All POSIX behaviour verified unchanged: 198 tests pass across test_file_operations, test_local_env_cwd_recovery, test_code_execution, test_windows_native_support, test_windows_compat.

…he tool teknium1 noticed execute_code was missing from his enabled tools on Windows. Root cause: tools/code_execution_tool.py set ``SANDBOX_AVAILABLE = sys.platform != \"win32\"`` as a module-level constant, originally because the RPC transport required AF_UNIX. We added loopback TCP fallback for the sandbox in commit eeb723f (and covered it in the Windows TCP tests), but forgot to lift the availability gate. So execute_code was still invisible via the check_fn path on Windows. - SANDBOX_AVAILABLE is now True unconditionally (it's still checked — a future platform could flip it off via monkeypatch/env if needed). - Error message when disabled no longer mentions Windows specifically, just says 'sandbox is unavailable in this environment'. - test_windows_returns_error updated: patches SANDBOX_AVAILABLE=False directly (which was always its real intent) and asserts on 'unavailable' instead of 'Windows'. Tests: 171 code-execution + windows-compat tests pass, no regressions.

Two fixes from teknium1's next install run: 1. **npm install: "npm.ps1 cannot be loaded because running scripts is disabled on this system."** Get-Command's default PATHEXT ordering picked up ``npm.ps1`` (the PowerShell shim) ahead of ``npm.cmd`` (the batch shim). Most Windows users have PowerShell's execution policy set to Restricted or RemoteSigned, which blocks unsigned ``.ps1`` files. ``npm.cmd`` has no such restriction and works universally. Install-NodeDeps now detects when Get-Command returned npm.ps1, looks for a sibling npm.cmd in the same directory, and prefers it. Prints an info line so the user sees why. Emits a warning + hint if only npm.ps1 is available. 2. **"Launch hermes chat now? Y" crashes with "%1 is not a valid Win32 application" on Windows installs.** The setup wizard calls ``relaunch(["chat"])``; ``resolve_hermes_bin()`` returned ``sys.argv[0]`` which was ``...\\hermes_cli\\main.py`` (because hermes was launched via ``python -m hermes_cli.main`` during setup). On Windows, ``os.access(script.py, os.X_OK)`` returns True because PATHEXT lists ``.py`` when the Python launcher is registered — but ``subprocess.run([script.py, ...])`` can't actually execute a ``.py`` directly. CreateProcessW needs a real PE file. Fixed ``resolve_hermes_bin`` to reject ``.py``/``.pyc`` argv0 values on Windows specifically. Falls through to ``shutil.which("hermes")`` (hermes.exe in the venv Scripts dir) or, as a final fallback, lets build_relaunch_argv build ``[sys.executable, "-m", "hermes_cli.main"]`` which is bulletproof. POSIX behaviour unchanged — ``.py`` argv0 with a shebang + chmod+x is still a valid exec target there. 3 new tests cover the Windows paths: .py argv0 + hermes.exe on PATH → returns hermes.exe; .py argv0 + no PATH → returns None (caller uses python -m); POSIX + executable .py → still accepted. 26 relaunch tests pass, no POSIX regressions.

The sandbox's env scrubbing was dropping SYSTEMROOT, WINDIR, COMSPEC, APPDATA, etc. On Windows this broke the child process before any RPC could happen: OSError: [WinError 10106] The requested service provider could not be loaded or initialized Python's socket module uses SYSTEMROOT to locate mswsock.dll during Winsock initialization. Without it, socket.socket(AF_INET, SOCK_STREAM) fails — and the existing loopback-TCP fallback for Windows couldn't work. Fix: add a small Windows-only allowlist (_WINDOWS_ESSENTIAL_ENV_VARS) matched by exact uppercase name, after the existing secret-substring block. The secret block still runs first, so the allowlist cannot be used to exfiltrate credentials. Also extract the env scrubber into a testable helper (_scrub_child_env) that takes is_windows as a parameter, so the logic can be unit-tested on any OS. Live Winsock smoke test verifies that a child spawned with the scrubbed env can now create an AF_INET socket on a real Windows host; the test is guarded by sys.platform == 'win32' so POSIX CI stays green.

Adds TestPosixEquivalence to test_code_execution_windows_env.py. The class pins the invariant that _scrub_child_env(env, is_windows=False) produces byte-for-byte identical output to the pre-refactor inline scrubber, across a matrix of: - 2 synthetic envs (POSIX-shaped, Windows-shaped-on-POSIX) - 3 passthrough rules (none, single-var, everything) - 1 real-os.environ check on whatever platform runs the test Plus a superset sanity check: is_windows=True must keep everything is_windows=False keeps, and any extras must come from the _WINDOWS_ESSENTIAL_ENV_VARS allowlist. Rationale: the previous commit refactored the env-scrubbing inline block into a helper. Future changes to that helper must not silently regress POSIX behavior — if someone needs to change it, they update _legacy_posix_scrubber in lockstep so the churn is visible in review. All 21 tests in the file pass locally on Windows (pytest 9.0.3). 8 of them are parametrized equivalence checks that run on every OS.

Second Windows-specific sandbox bug (WinError 10106 was the first): after the env-scrub fix let the child start, it immediately failed to import hermes_tools with: SyntaxError: (unicode error) 'utf-8' codec can't decode byte 0x97 in position 154: invalid start byte Root cause: _execute_local wrote the generated hermes_tools.py stub and the user's script.py via open(path, 'w') without encoding=. On Windows the default text-mode encoding is cp1252 (system locale), which encodes em-dashes (used in the stub's docstrings) as 0x97. Python then decodes source files as UTF-8 (PEP 3120) on import, chokes on 0x97, and the sandbox dies before any tool call. Fix: pass encoding='utf-8' to all four file opens in the code_execution path — the two staging writes in _execute_local (hermes_tools.py + script.py) and the two RPC file-transport reads/writes in the generated remote stub. JSON is ASCII-safe for most payloads but tool results (terminal output, web_extract content) routinely carry non-ASCII. Tests added (4): - test_stub_and_script_writes_specify_utf8 — source grep guard - test_file_rpc_stub_uses_utf8 — generated remote stub check - test_stub_source_roundtrips_through_utf8 — concrete round-trip - test_windows_default_encoding_would_have_failed — negative control (skips on modern Python builds where default is already UTF-8 compatible, but retained for platforms where the regression could return) 24/25 tests pass on Windows 3.11 (negative control skips because this Python build handles em-dashes via cp1252 subset — the fix is still correct, just the corruption path isn't always triggerable).

test_code_execution_modes.py had two test-level failures and two class-level stale skip reasons on this Windows-native branch: - TestResolveChildPython::test_project_with_virtualenv_picks_venv_python - TestResolveChildPython::test_project_prefers_virtualenv_over_conda Both fail on Windows with OSError: [WinError 1314] — they call pathlib.Path.symlink_to() to build a fake venv, which requires developer mode or admin on Windows. They also assume POSIX venv layout (bin/python) where Windows uses Scripts/python.exe. Skip them with a specific, accurate reason. Also updated two class-level skipif reasons that said 'execute_code is POSIX-only' — no longer true on this branch. New reason explains it's the test infrastructure (symlinks + POSIX venv layout) that's the blocker, not execute_code itself. Results on Windows Python 3.11: Before: 41 passed, 10 skipped, 2 failed After: 43 passed, 12 skipped, 0 failed

Third Windows-specific sandbox bug (after WinError 10106 and the UTF-8 file-write bug): user scripts that print non-ASCII to stdout crash with UnicodeEncodeError: 'charmap' codec can't encode character '\u2192' in position N: character maps to <undefined> Root cause: Python's sys.stdout on Windows is bound to the console code page (cp1252 on US-locale installs) when the process is attached to a pipe without PYTHONIOENCODING set. LLM-generated scripts routinely print em-dashes, arrows, accented chars, and emoji — all of which cp1252 can't encode. Fix: spawn the sandbox child with: PYTHONIOENCODING=utf-8 # sys.stdin/stdout/stderr all UTF-8 PYTHONUTF8=1 # PEP 540 UTF-8 mode — open() defaults to UTF-8 too PYTHONUTF8 is the belt-and-suspenders half: LLM scripts that call open(path, 'w') without encoding= in user code will now produce UTF-8 files by default, matching what the sandbox already does for its own staging files. The parent side already decodes child stdout/stderr as UTF-8 with errors='replace' (lines 1345-1347) so the end-to-end chain is clean. On POSIX these values usually match the locale default already, so setting them is harmless belt-and-suspenders for C/POSIX-locale containers and minimal base images. Tests added (4) — total file now at 28 passed, 1 skipped on Windows: - test_popen_env_sets_pythonioencoding_utf8 (source grep) - test_popen_env_sets_pythonutf8_mode (source grep) - test_live_child_can_print_non_ascii (cross-platform live test) - test_windows_child_without_utf8_env_would_fail (Windows negative control — actually reproduces the bug without our env overrides, proving the fix is load-bearing on this system)

Codebase-wide fix for Python-on-Windows UTF-8 footguns, complementing the earlier execute_code sandbox fixes (which remain load-bearing for when the sandbox explicitly scrubs child env). Problem: Python on Windows has two long-standing text-encoding pitfalls: 1. sys.stdout/stderr are bound to the console code page (cp1252 on US-locale installs) — print('café') crashes with UnicodeEncodeError. 2. Subprocess children don't know to use UTF-8 unless PYTHONUTF8 and/or PYTHONIOENCODING are set in their env — so any Python we spawn (linters, sandbox children, delegation workers) hits the same bug. Solution: A tiny bootstrap module (hermes_bootstrap.py) imported as the first statement of every Hermes entry point: - hermes_cli/main.py (hermes / hermes-agent console_script) - run_agent.py (hermes-agent direct) - acp_adapter/entry.py (hermes-acp) - gateway/run.py (messaging gateway) - batch_runner.py (parallel batch mode) - cli.py (legacy direct-launch CLI) On Windows, the bootstrap: - os.environ.setdefault('PYTHONUTF8', '1') (PEP 540 UTF-8 mode) - os.environ.setdefault('PYTHONIOENCODING', 'utf-8') - sys.stdout/stderr/stdin.reconfigure(encoding='utf-8', errors='replace') Children inherit the env vars → they run in UTF-8 mode. Current process's stdio is reconfigured → print('café') works now. On POSIX (Linux/macOS), the bootstrap is a complete no-op. We don't touch LANG, LC_*, or anything else — users who have intentionally configured a non-UTF-8 locale aren't affected. POSIX systems are already UTF-8 by default in 99% of modern setups, so there's nothing to fix. setdefault() (not overwrite) means users who explicitly set PYTHONUTF8=0 or PYTHONIOENCODING=cp1252 in their environment are respected. What this does NOT fix: bare open(path, 'w') calls in the *parent* process still default to locale encoding because PYTHONUTF8 is only read at interpreter init. A ruff PLW1514 sweep (separate follow-up) will add explicit encoding='utf-8' at those ~219 call sites for belt-and-suspenders. Tests (17): 16 passed, 1 skipped on Windows. - Windows: env vars set, stdio reconfigured, child inherits UTF-8 mode - POSIX: complete no-op (verified on fake POSIX + skipped on real POSIX since we don't have a Linux box in this session) - Idempotence: multiple calls safe - Graceful degradation: non-reconfigurable streams don't crash - User opt-out: explicit PYTHONUTF8=0 is respected - Load order: every entry point's FIRST top-level import is hermes_bootstrap, enforced by an AST-level parametrized test pyproject.toml: added hermes_bootstrap to py-modules so it ships with pip installs.

Closes the last Python-on-Windows UTF-8 exposure by making every text-mode open() call explicit about its encoding. Before: on Windows, bare open(path, 'r') defaults to the system locale encoding (cp1252 on US-locale installs). That means reading any config/yaml/markdown/json file with non-ASCII content either crashes with UnicodeDecodeError or silently mis-decodes bytes. After: all 89 affected call sites in production code now pass encoding='utf-8' explicitly. Works identically on every platform and every locale, no surprise behavior. Mechanical sweep via: ruff check --preview --extend-select PLW1514 --unsafe-fixes --fix --exclude 'tests,venv,.venv,node_modules,website,optional-skills, skills,tinker-atropos,plugins' . All 89 fixes have the same shape: open(x) or open(x, mode) became open(x, encoding='utf-8') or open(x, mode, encoding='utf-8'). Nothing else changed. Every modified file still parses and the Windows/sandbox test suite is still green (85 passed, 14 skipped, 0 failed across tests/tools/test_code_execution_windows_env.py + tests/tools/test_code_execution_modes.py + tests/tools/test_env_passthrough.py + tests/test_hermes_bootstrap.py). Scope notes: - tests/ excluded: test fixtures can use locale encoding intentionally (exercising edge cases). If we want to tighten tests later that's a separate PR. - plugins/ excluded: plugin-specific conventions may differ; plugin authors own their code. - optional-skills/ and skills/ excluded: skill scripts are user-authored and we don't want to mass-edit them. - website/ and tinker-atropos/ excluded: vendored / generated content. 46 files touched, 89 +/- lines (symmetric replacement). No behavior change on POSIX or on Windows when the file is ASCII; bug fix on Windows when the file contains non-ASCII.

Turns the existing 'all lints disabled' stance into 'exactly one lint enabled' — PLW1514 (unspecified-encoding) catches bare open() / read_text() / write_text() calls that default to locale encoding on Windows (cp1252), silently corrupting non-ASCII content. Changes: 1. pyproject.toml - Migrate [tool.ruff] top-level select → [tool.ruff.lint].select (deprecated config location, ruff was warning on every run) - Add preview = true (PLW1514 is a preview rule in ruff 0.15.x) - select = ['PLW1514'] (exactly one rule, deliberately minimal) - per-file-ignores exempt tests/, plugins/, skills/, optional-skills/ — those have their own conventions or intentionally exercise edge cases 2. website/scripts/extract-skills.py - Fix 3 remaining bare opens (website/ was excluded from the main sweep but needed for ruff check . to go green) 3. tests/test_lint_config.py (new, 5 tests) - Guards against accidental rule removal. If someone deletes PLW1514 from the select list or disables preview mode, these tests fail with a loud message explaining why the rule exists. Paired with a companion commit (held locally for now, pending a token with workflow scope) that adds a blocking ruff step to .github/workflows/ lint.yml. Without that companion commit, ruff is configured correctly but nothing in CI enforces it yet — the advisory PR comment will still surface new PLW1514 violations though, so authors see them. Verified: ruff check . → exit 0, 0 violations across the repo. Test suite: 90 passed, 14 skipped, 0 failed.

…kend info build_environment_hints() now emits a factual block describing the execution environment on every prompt build: * Local backend: host OS, $HOME, and cwd — so the agent stops guessing paths from the hostname. Windows also gets two specific callouts: - hostname != username (prevents C:\Users\<hostname>\... bugs) - `terminal` shells out to bash (git-bash/MSYS), not PowerShell * Remote backend (docker/singularity/modal/daytona/ssh/vercel_sandbox): host info is SUPPRESSED — the agent's tools can't touch the host, so showing it is misleading. Instead we probe the backend once per process with `uname/whoami/pwd` and cache the result. On probe failure, fall back to a per-backend description that states only what we know from the backend choice itself (container type + likely OS family) without inventing user/cwd/$HOME. Linux/Mac local users now get a small helpful 3-line host block instead of an empty string. Zero change to the existing WSL hint paragraph. Tests: 8 new/updated in TestEnvironmentHints, including a regression guard that fails if a new remote backend is added without listing it in _REMOTE_TERMINAL_BACKENDS.

Windows Terminal intercepts Alt+Enter for its fullscreen shortcut, leaving Windows users with no Enter-involving way to insert a newline in the Hermes prompt. Fix it by reclaiming c-j on Windows only: - _bind_prompt_submit_keys now binds c-j (LF) to submit only on POSIX, where thin PTYs (docker exec, some SSH configs) deliver Enter as LF. On Windows plain Enter is always c-m, so c-j is free. - Windows-only prompt binding: c-j inserts a newline. Windows Terminal sends Ctrl+Enter as LF, so the user-facing keystroke is Ctrl+Enter — no terminal settings changes required. - Alt+Enter binding unchanged; still works on mac/Linux/WSL. - Test TestPromptToolkitTerminalCompatibility::test_lf_enter_binds_to_submit_handler split into platform-aware assertions for POSIX vs win32. - Fixed the Ctrl+J claim in hermes_cli/tips.py (was wrong before this commit even on POSIX) to point Windows users at Ctrl+Enter. Tradeoff: on Windows, raw Ctrl+J (without Enter) also inserts a newline, since WT collapses Ctrl+Enter and Ctrl+J to the same c-j keycode. No conflicting Hermes binding existed for Ctrl+J, so this is a harmless side effect.

…stroke diagnostic Adds a dedicated '## Windows-Specific Quirks' section to the hermes-agent skill so Windows pitfalls have one discoverable place to evolve. Inaugural entries cover: - Input / keybindings — Alt+Enter intercepted by Windows Terminal, Ctrl+Enter as the Windows newline keystroke, mintty/git-bash behavior, pointer to scripts/keystroke_diagnostic.py for investigation. - Config / files — UTF-8 BOM HTTP-400 trap. - execute_code / sandbox — WinError 10106 SYSTEMROOT root cause + _WINDOWS_ESSENTIAL_ENV_VARS fix location. - Testing / contributing — scripts/run_tests.sh POSIX-venv limitation and the system-Python workaround, POSIX-only test skip-guard patterns. - Path / filesystem — line-ending warnings (cosmetic), forward-slash portability. Collapses the old scattered Windows bullets under 'Platform-specific issues' into a single pointer at the new dedicated section so there's only one place to maintain this content. Also adds the scripts/keystroke_diagnostic.py the skill now references — a small prompt_toolkit Application that prints the Keys.* identifier and raw escape bytes for every keystroke. Used to establish the Ctrl+Enter = c-j fact on Windows Terminal; generally useful for anyone adding a platform-aware keybinding.

…ch#22115) Adds early-beta framing to every user-facing surface where native Windows is introduced — landing page install block, Installation page, Windows (Native) guide, contributor notes, and README. Sets expectations that the path installs and runs but hasn't been road-tested as broadly as POSIX, and points users who want maximum stability at WSL2 instead. Follow-up to NousResearch#21561 (native Windows support) and NousResearch#22089 (Windows docs).

…earch#22083) _distribution_metadata() reads the profile's distribution.yaml without an explicit encoding, which defaults to the platform's locale encoding — UTF-8 on POSIX, cp1252/mbcs on Windows. Files round-tripped between hosts get mojibake on the Windows side. Single-line fix: add encoding='utf-8' to the open() call. Matches the sibling _read_config_model() site at line 398, which already does this. Surfaces once PR NousResearch#21561 lands the blocking ruff-check CI job (PLW1514 — unspecified-encoding), but the underlying bug is pre-existing on main.

PR NousResearch#21561 migrated liveness probes across 14 call sites from `os.kill(pid, 0)` to `gateway.status._pid_exists` (psutil-first) so the gateway doesn't Ctrl+C-itself on Windows via bpo-14484. A handful of tests still patched the old `os.kill` seam and either happened to pass on POSIX (when PID 12345 incidentally wasn't alive on the CI worker) or failed outright — on CI runs they surfaced as 7 flaky/stable failures. Migrate each affected test to patch the correct seam: - tests/tools/test_browser_orphan_reaper.py (5 tests) Patch `gateway.status._pid_exists` instead of `os.kill`. Rename test_permission_error_on_kill_check_skips to test_alive_legacy_daemon_is_reaped — the old assertion was "PermissionError on sig 0 → skip dir"; post-migration the untracked-alive-daemon path always reaps the dir after SIGTERM (best-effort semantics were preserved). - tests/tools/test_windows_native_support.py (4 tests) Replace tests that asserted `os.kill` seam behavior with tests that exercise `ProcessRegistry._is_host_pid_alive` as a delegator and split out a new TestPidExistsOSErrorWidening class that hits `gateway.status._pid_exists` directly via the POSIX fallback branch (so Windows-style `OSError(WinError 87)` + `PermissionError` widening is still covered on Linux CI). - tests/tools/test_process_registry.py (1 test) Mock `psutil.Process` + `_pid_exists` instead of `os.kill` for the detached-session kill path. - tests/tools/test_mcp_stability.py::test_kill_orphaned_uses_sigkill_when_available SIGTERM → alive-check → SIGKILL flow now uses `_pid_exists` for the middle step; assertion count drops from 3 to 2. - tests/gateway/test_status.py::TestScopedLocks (2 tests) `acquire_scoped_lock` consults `_pid_exists`; patch that seam directly instead of trying to control the nested psutil call via os.kill monkeypatch. - tests/hermes_cli/test_gateway.py::test_stop_profile_gateway_keeps_pid_file_when_process_still_running The stop loop sends one SIGTERM via os.kill then polls 20x via _pid_exists; instrument both separately. Old assertion `calls["kill"] == 21` split into `kill == 1` + `alive_probes == 20`. - tests/hermes_cli/test_auth_toctou_file_modes.py::test_shared_nous_store_writes_0o600_with_0o700_parent Commit c34884e switched the pytest seat-belt guard in `_nous_shared_store_path()` from `Path.home() / ".hermes"` to `get_default_hermes_root()`, which honors HERMES_HOME. The test sets both HERMES_HOME and HERMES_SHARED_AUTH_DIR to subpaths of the same tmp_path, and the override now collapses onto the same path the guard is refusing. Renamed the override subdirectory so the two paths diverge — guard passes, test runs. All 21 original CI failures and their local-flaky siblings now pass (278 tests across the touched files, 0 failures).

…ch#22115) Adds early-beta framing to every user-facing surface where native Windows is introduced — landing page install block, Installation page, Windows (Native) guide, contributor notes, and README. Sets expectations that the path installs and runs but hasn't been road-tested as broadly as POSIX, and points users who want maximum stability at WSL2 instead. Follow-up to NousResearch#21561 (native Windows support) and NousResearch#22089 (Windows docs).

…ests Post-#21561 the liveness probe in acquire_scoped_lock() routes through gateway.status._pid_exists (psutil-first, safe on Windows), not os.kill(pid, 0). The two new macOS regression tests were patching status.os.kill, which had no effect — the unmocked psutil call returned False for PID 99999, marking the lock stale before the new code branch ran. The 'replaces' test passed only because acquired=True was already the expected outcome; the 'keeps' test failed in CI. Switch both tests to monkeypatch status._pid_exists directly, matching the existing test_acquire_scoped_lock_rejects_live_other_process pattern, so they actually exercise the new start_time=None + cmdline-based staleness branch.

…earch#22083) _distribution_metadata() reads the profile's distribution.yaml without an explicit encoding, which defaults to the platform's locale encoding — UTF-8 on POSIX, cp1252/mbcs on Windows. Files round-tripped between hosts get mojibake on the Windows side. Single-line fix: add encoding='utf-8' to the open() call. Matches the sibling _read_config_model() site at line 398, which already does this. Surfaces once PR NousResearch#21561 lands the blocking ruff-check CI job (PLW1514 — unspecified-encoding), but the underlying bug is pre-existing on main.

PR NousResearch#21561 migrated liveness probes across 14 call sites from `os.kill(pid, 0)` to `gateway.status._pid_exists` (psutil-first) so the gateway doesn't Ctrl+C-itself on Windows via bpo-14484. A handful of tests still patched the old `os.kill` seam and either happened to pass on POSIX (when PID 12345 incidentally wasn't alive on the CI worker) or failed outright — on CI runs they surfaced as 7 flaky/stable failures. Migrate each affected test to patch the correct seam: - tests/tools/test_browser_orphan_reaper.py (5 tests) Patch `gateway.status._pid_exists` instead of `os.kill`. Rename test_permission_error_on_kill_check_skips to test_alive_legacy_daemon_is_reaped — the old assertion was "PermissionError on sig 0 → skip dir"; post-migration the untracked-alive-daemon path always reaps the dir after SIGTERM (best-effort semantics were preserved). - tests/tools/test_windows_native_support.py (4 tests) Replace tests that asserted `os.kill` seam behavior with tests that exercise `ProcessRegistry._is_host_pid_alive` as a delegator and split out a new TestPidExistsOSErrorWidening class that hits `gateway.status._pid_exists` directly via the POSIX fallback branch (so Windows-style `OSError(WinError 87)` + `PermissionError` widening is still covered on Linux CI). - tests/tools/test_process_registry.py (1 test) Mock `psutil.Process` + `_pid_exists` instead of `os.kill` for the detached-session kill path. - tests/tools/test_mcp_stability.py::test_kill_orphaned_uses_sigkill_when_available SIGTERM → alive-check → SIGKILL flow now uses `_pid_exists` for the middle step; assertion count drops from 3 to 2. - tests/gateway/test_status.py::TestScopedLocks (2 tests) `acquire_scoped_lock` consults `_pid_exists`; patch that seam directly instead of trying to control the nested psutil call via os.kill monkeypatch. - tests/hermes_cli/test_gateway.py::test_stop_profile_gateway_keeps_pid_file_when_process_still_running The stop loop sends one SIGTERM via os.kill then polls 20x via _pid_exists; instrument both separately. Old assertion `calls["kill"] == 21` split into `kill == 1` + `alive_probes == 20`. - tests/hermes_cli/test_auth_toctou_file_modes.py::test_shared_nous_store_writes_0o600_with_0o700_parent Commit 4e5e7f8ec switched the pytest seat-belt guard in `_nous_shared_store_path()` from `Path.home() / ".hermes"` to `get_default_hermes_root()`, which honors HERMES_HOME. The test sets both HERMES_HOME and HERMES_SHARED_AUTH_DIR to subpaths of the same tmp_path, and the override now collapses onto the same path the guard is refusing. Renamed the override subdirectory so the two paths diverge — guard passes, test runs. All 21 original CI failures and their local-flaky siblings now pass (278 tests across the touched files, 0 failures).

…ch#22115) Adds early-beta framing to every user-facing surface where native Windows is introduced — landing page install block, Installation page, Windows (Native) guide, contributor notes, and README. Sets expectations that the path installs and runs but hasn't been road-tested as broadly as POSIX, and points users who want maximum stability at WSL2 instead. Follow-up to NousResearch#21561 (native Windows support) and NousResearch#22089 (Windows docs).

…ests Post-NousResearch#21561 the liveness probe in acquire_scoped_lock() routes through gateway.status._pid_exists (psutil-first, safe on Windows), not os.kill(pid, 0). The two new macOS regression tests were patching status.os.kill, which had no effect — the unmocked psutil call returned False for PID 99999, marking the lock stale before the new code branch ran. The 'replaces' test passed only because acquired=True was already the expected outcome; the 'keeps' test failed in CI. Switch both tests to monkeypatch status._pid_exists directly, matching the existing test_acquire_scoped_lock_rejects_live_other_process pattern, so they actually exercise the new start_time=None + cmdline-based staleness branch.