fix(security): guard os.chmod(parent) against / and top-level dirs

[liuhao1024]

Summary

Five call sites do os.chmod(path.parent, 0o700) on a derived path without checking that the parent resolves to a safe directory. If HERMES_HOME or another path env var resolves to /, the chmod strips traversal permission from the root inode and bricks the entire host — every non-root user fails any path lookup with EACCES, taking out DNS, networking, journald, and every Docker container that drops privileges.

This was hit in production (see #25821). Root cause took 5+ hours to isolate.

Root Cause

All 5 call sites share this pattern:

path.parent.mkdir(parents=True, exist_ok=True)
try:
    os.chmod(path.parent, 0o700)
except OSError:
    pass

os.chmod("/", 0o700) raises no exception — it succeeds.

Fix

Add secure_parent_dir(path) to hermes_constants.py that refuses to chmod / or any top-level directory (depth < 2 resolved parts). Replace all 5 call sites:

• tools/mcp_oauth.py:179 — _write_json (MCP OAuth tokens)
• hermes_cli/auth.py:991 — _save_auth_store
• hermes_cli/auth.py:1573 — _save_qwen_cli_tokens
• hermes_cli/auth.py:2991 — _save_nous_shared_token
• agent/google_oauth.py:495 — save_credentials

Code Intelligence

• Analyzed: secure_parent_dir (new function), _save_auth_store, _write_json, save_credentials
• Blast radius: LOW — the guard only blocks chmod on / and top-level dirs; all normal paths behave identically
• Related patterns: _secure_dir() in cron/jobs.py (addresses ~/.hermes only, not the 5 credential sites)

Regression Coverage

6 new tests in tests/test_hermes_constants.py::TestSecureParentDir:

• test_safe_path_calls_chmod — normal nested path (depth ≥ 3) calls os.chmod
• test_root_dir_skipped — / is never chmod'd
• test_top_level_dir_skipped — /usr and similar depth-2 dirs are never chmod'd
• test_two_component_path_skipped — paths with < 3 resolved parts are skipped
• test_oserror_suppressed — OSError from chmod is silently caught
• test_symlink_resolved — symlinks are resolved before depth check

Testing

• tests/test_hermes_constants.py — 40 passed (includes all 6 new tests)
• tests/hermes_cli/test_auth_toctou_file_modes.py — 4 passed (existing auth chmod tests)
• tests/tools/test_mcp_oauth.py — 38 passed (existing OAuth tests)

Fixes [bug] os.chmod(path.parent, 0o700) bricks host when path.parent resolves to / #25821

[teknium1]

Wait — your PR was actually salvaged. Disregard, this comment is in error.

[teknium1]

Update: this PR's substantive commit was cherry-picked verbatim into PR #29670 (now merged on main as commit 9c83e2e3... — see #29670). Your authorship is preserved in the git log. Thanks for the fix and the 5 unit tests — production-confirmed P0 closed.