approval: add docker restart/stop/kill to DANGEROUS_PATTERNS#33438
Merged
benbarclay merged 1 commit intoMay 29, 2026
Conversation
When docker.sock is mounted (common Docker Compose pattern), the agent can restart/stop/kill containers without user approval. hermes gateway restart is already protected, but docker restart, docker stop, docker kill, and their docker compose equivalents were not. This caused repeated self-termination: the agent ran docker restart hermes, killed its own container, Docker restarted it (restart policy), and the agent resumed the same session — creating a restart loop. Added patterns mirror the existing gateway lifecycle protection: - docker compose restart/stop/kill/down - docker restart/stop/kill
davidgut1982
added a commit
to davidgut1982/hermes-agent
that referenced
this pull request
May 31, 2026
…heck-attribution gate - batosk2@gmail.com → Sarbai (identified via PR NousResearch#33438 author) - ilonagaja509-glitch@users.noreply.github.com → ilonagaja509-glitch (bare noreply, no numeric prefix → fails CI auto-skip regex) - redpiggy-cyber@users.noreply.github.com → redpiggy-cyber (bare noreply, no numeric prefix → fails CI auto-skip regex) - sohyuanchin@gmail.com → wysie (confirmed same author as wysie@users.noreply.github.com via git log)
KKT-OPT
pushed a commit
to KKT-OPT/hermes-agent
that referenced
this pull request
May 31, 2026
…earch#33438) When docker.sock is mounted (common Docker Compose pattern), the agent can restart/stop/kill containers without user approval. hermes gateway restart is already protected, but docker restart, docker stop, docker kill, and their docker compose equivalents were not. This caused repeated self-termination: the agent ran docker restart hermes, killed its own container, Docker restarted it (restart policy), and the agent resumed the same session — creating a restart loop. Added patterns mirror the existing gateway lifecycle protection: - docker compose restart/stop/kill/down - docker restart/stop/kill Co-authored-by: Sarbai <sarbai@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When docker.sock is mounted (standard Docker Compose setup), the agent can run docker restart/stop/kill without approval. hermes gateway restart was already protected, but Docker equivalents were missing. This caused a self-termination loop. Fix: added docker restart/stop/kill and docker compose restart/stop/kill/down to DANGEROUS_PATTERNS. +7 lines in tools/approval.py.