docs(code-execution): document HERMES_* env narrowing + passthrough workaround #34594
Open
teknium1 wants to merge 1 commit into
…orkaround The execute_code sandbox-child env scrub (1083977, #27303) deliberately dropped the broad HERMES_ prefix passthrough, keeping only an operational 4-var allowlist (HERMES_HOME/PROFILE/CONFIG/ENV). A script that relied on a non-secret HERMES_* var (HERMES_BASE_URL, HERMES_KANBAN_DB, HERMES_*_WEBHOOK, or a plugin-defined one) now sees it unset in the child. Document the behavior change and the two recovery routes (terminal.env_passthrough in config.yaml, or required_environment_variables in skill frontmatter), plus the debug log line that surfaces the drop for diagnosis.
Why

The execute_code sandbox-child env scrub (landed in 108397726, hardening for #27303) deliberately removed the broad `HERMES_` prefix passthrough, keeping only an operational 4-var allowlist:

This is correct hardening — the broad prefix leaked `HERMES_*`-named config that lacks a secret substring (`HERMES_BASE_URL`, `HERMES_KANBAN_DB`, `HERMES_*_WEBHOOK`) into arbitrary sandboxed code. But it's a silent behavior change: a script (or a repo/plugin module it imports at import time) that read a non-secret `HERMES_*` var outside those four now finds it unset in the child, with no doc explaining why.

What this adds

A `### HERMES_* variables in the child` subsection in the code-execution docs covering:

- `:::note Behavior change` callout explaining the drop is intentional
- `terminal.env_passthrough` in `config.yaml` (per-machine)
- `required_environment_variables` in skill frontmatter (per-skill)
- `debug` log line (`execute_code: dropped N non-allowlisted HERMES_* var(s)`) and how to surface it via `hermes logs --level DEBUG`

Neither workaround weakens the secret-stripping guarantee — Hermes-managed provider credentials can never be re-allowed through `env_passthrough` (GHSA-rhgp-j443-p4rf).

Docs-only. No code change.
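
The allowlist-plus-passthrough narrowing described in this PR, sketched as an added example that is not Hermes's own code. The function name `narrow_child_env`, the `MANAGED_CREDENTIALS` set with its placeholder entry, the treatment of non-`HERMES_*` variables, and the sample environment are assumptions; the four allowlisted names and the log wording come from the PR text.

```python
import logging

log = logging.getLogger("sandbox_env_example")

# The four operational vars named in the PR text.
HERMES_ALLOWLIST = frozenset(
    {"HERMES_HOME", "HERMES_PROFILE", "HERMES_CONFIG", "HERMES_ENV"}
)
# Assumption: stand-in for "Hermes-managed provider credentials" (placeholder name).
MANAGED_CREDENTIALS = frozenset({"EXAMPLE_PROVIDER_API_KEY"})


def narrow_child_env(parent_env, env_passthrough=()):
    """Return (child_env, dropped_names) for a sandboxed child process.

    Only HERMES_* handling is modeled. Assumption of this sketch: other
    variables are copied unchanged unless they are managed credentials.
    """
    # Managed credentials can never be re-allowed, whatever the config lists.
    passthrough = set(env_passthrough) - MANAGED_CREDENTIALS
    child, dropped = {}, []
    for name, value in parent_env.items():
        if name in MANAGED_CREDENTIALS:
            continue  # stripped before any allowlist or passthrough check
        if name.startswith("HERMES_"):
            if name in HERMES_ALLOWLIST or name in passthrough:
                child[name] = value
            else:
                dropped.append(name)  # broad prefix is no longer honoured
            continue
        child[name] = value
    if dropped:
        # Count only, matching the log wording quoted in the PR; no values.
        log.debug("execute_code: dropped %d non-allowlisted HERMES_* var(s)",
                  len(dropped))
    return child, sorted(dropped)


# Constructed sample environment (not taken from a real deployment).
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "HERMES_HOME": "/home/u/.hermes",
    "HERMES_BASE_URL": "https://hermes.example.invalid",
    "HERMES_KANBAN_DB": "/tmp/kanban.db",
    "EXAMPLE_PROVIDER_API_KEY": "constructed-value",
}
```

Returning the dropped names to the caller lets a test or diagnostic assert on exactly which variables a script lost, without writing their values to a log.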