fix(file-safety): extend sandbox-mirror guard to cover inner-container path (#32049)#32407
Merged
benbarclay merged 3 commits on Jun 2, 2026
Conversation
…r path (NousResearch#32049)

Brian's shape-based guard (NousResearch#32213) catches paths that still carry the full sandboxes/<backend>/<task>/home/.hermes/… prefix on the host side. The inner-container case is not covered: when file tools execute inside Docker the bind-mount strips that prefix, so the guard receives plain /root/.hermes/… and passes through. The root:root ownership on the divergent SOUL.md in NousResearch#32049 confirms this is the primary failure mode.

Add a ContextVar (_CONTAINER_HERMES_MIRROR) set by DockerEnvironment when persistent=True. classify_container_mirror_target / get_container_mirror_warning detect any write whose resolved path falls under that prefix, using the same warning format and cross_profile=True bypass contract as the existing guards. Chain the new guard in _check_cross_profile_path after the two existing detectors.
benbarclay added a commit that referenced this pull request on Jun 2, 2026:

# Conflicts:
# agent/file_safety.py
# tools/file_tools.py
changman pushed a commit to changman/hermes-agent that referenced this pull request on Jun 10, 2026:
…r path (NousResearch#32049) (NousResearch#32407)

* fix(file-safety): extend sandbox-mirror guard to cover inner-container path (NousResearch#32049)

Brian's shape-based guard (NousResearch#32213) catches paths that still carry the full sandboxes/<backend>/<task>/home/.hermes/… prefix on the host side. The inner-container case is not covered: when file tools execute inside Docker the bind-mount strips that prefix, so the guard receives plain /root/.hermes/… and passes through. The root:root ownership on the divergent SOUL.md in NousResearch#32049 confirms this is the primary failure mode.

Add a ContextVar (_CONTAINER_HERMES_MIRROR) set by DockerEnvironment when persistent=True. classify_container_mirror_target / get_container_mirror_warning detect any write whose resolved path falls under that prefix, using the same warning format and cross_profile=True bypass contract as the existing guards. Chain the new guard in _check_cross_profile_path after the two existing detectors.

* fix(file-safety): derive Docker mirror guard from task

---------

Co-authored-by: Ben <ben@nousresearch.com>
What
Extends the sandbox-mirror write guard from #32213 to cover the inner-container case — the primary failure mode in #32049.
Why
Brian's shape-based detector catches paths that still carry the full …/sandboxes/<backend>/<task>/home/.hermes/… prefix. But when file tools execute inside the container, the bind-mount strips that prefix: the guard receives plain /root/.hermes/… and passes through. The root:root ownership on the divergent SOUL.md in #32049 confirms this is what actually happened.
How
agent/file_safety.py adds classify_container_mirror_target / get_container_mirror_warning as pure helpers that require an explicit mirror prefix. No long-lived ContextVar state.
tools/file_tools.py detects the active or configured Docker persistent backend and passes /root/.hermes into the guard before creating file ops. This covers the first file-tool call, not only calls after DockerEnvironment already exists.
tests/agent/test_file_safety_container_mirror.py covers the inner-container /root/.hermes/... path, non-Hermes paths, warning text, and the file-tool integration path before Docker environment creation.
Related
Builds on #32213. Both together fully cover #32049.
Reported-by: Diandian
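The guard contract described in the PR (a pure helper that takes an explicit mirror prefix, resolves the target path, and reports a write that would land under that prefix unless the caller opts out with cross_profile=True) can be illustrated with a small stand-alone check. The code below is an added example written for this page, not hermes-agent's own agent/file_safety.py; the function names classify_mirror_target and get_mirror_warning, the constant CONTAINER_HERMES_MIRROR and the cwd parameter are assumptions. It normalises paths lexically (".", "..", relative paths) rather than via the filesystem so it runs anywhere, and it compares on path components so a sibling such as /root/.hermes-backup is not mistaken for the mirror:

```python
"""Component-wise path-prefix guard for writes into a container's mirrored
Hermes home.

Added example, not the hermes-agent project's code. Names and return values
are assumptions modelled on the PR description: the helper receives an
explicit mirror prefix, resolves the write target, and returns a warning
unless the caller passed cross_profile=True.
"""
from pathlib import PurePosixPath
from typing import Optional

# Hypothetical constant: what the bind-mount leaves visible inside the
# container once the host-side sandboxes/<backend>/<task>/home prefix is gone.
CONTAINER_HERMES_MIRROR = PurePosixPath("/root/.hermes")


def _normalize(path: str, cwd: str = "/") -> PurePosixPath:
    """Resolve '.', '..' and a relative path against cwd without touching the
    filesystem. A real guard would additionally follow symlinks with
    os.path.realpath; here the target need not exist."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        p = PurePosixPath(cwd) / p
    parts: list[str] = []
    for part in p.parts[1:]:  # parts[0] is the leading '/'
        if part == "..":
            if parts:  # '..' above '/' stays at '/'
                parts.pop()
        elif part not in ("", "."):
            parts.append(part)
    return PurePosixPath("/", *parts)


def classify_mirror_target(
    path: str,
    mirror_prefix: PurePosixPath = CONTAINER_HERMES_MIRROR,
    cwd: str = "/",
) -> Optional[str]:
    """Return the target's path relative to the mirror prefix when the write
    would land inside the mirror, else None. relative_to() matches whole
    components, so '/root/.hermes-backup/x' is NOT inside '/root/.hermes',
    and '/root/.hermes/../../etc/passwd' normalises to '/etc/passwd' first."""
    resolved = _normalize(path, cwd)
    try:
        rel = resolved.relative_to(mirror_prefix)
    except ValueError:
        return None
    return str(rel)


def get_mirror_warning(
    path: str,
    *,
    cross_profile: bool = False,
    mirror_prefix: PurePosixPath = CONTAINER_HERMES_MIRROR,
    cwd: str = "/",
) -> Optional[str]:
    """Warning text for a write that would hit the mirror, or None.
    cross_profile=True is the explicit bypass: the caller asserts that a
    cross-profile write is intended, mirroring the existing guards' contract."""
    if cross_profile:
        return None
    rel = classify_mirror_target(path, mirror_prefix, cwd)
    if rel is None:
        return None
    return (
        f"Refusing to write {path!r}: it resolves to {mirror_prefix / rel}, inside the "
        f"container's mirrored Hermes home ({mirror_prefix}). Pass cross_profile=True "
        "if this cross-profile write is intentional."
    )


if __name__ == "__main__":
    # Constructed sample targets: the SOUL.md case from the PR, a traversal
    # that re-enters the mirror, a look-alike sibling directory, and a bypass.
    for target in ("/root/.hermes/SOUL.md", "/root/.hermes/../.hermes/SOUL.md",
                   "/root/.hermes-backup/SOUL.md", "/home/user/notes.md"):
        print(f"{target:40} -> {get_mirror_warning(target)}")
    print(get_mirror_warning("/root/.hermes/SOUL.md", cross_profile=True))
```

The check deliberately keys on normalised path components instead of a string startswith(), which is the usual way such guards are bypassed by a sibling directory that shares the prefix text; the cwd parameter exists because file tools running inside the container may receive relative paths from the model.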