feat: mount skill credential files into remote terminal backends (Modal/Docker)

[teknium1]

Closes #3665

Problem

Skills using OAuth/file-based credentials (Google Workspace stores google_token.json in ~/.hermes/) work on the local backend but silently fail on Modal/Docker — the sandbox has no host files.

Solution

New credential file passthrough system, mirroring the existing env_passthrough pattern:

1. Skill frontmatter declaration:

required_credential_files:
  - path: google_token.json
    description: Google OAuth2 token
  - path: google_client_secret.json
    description: Google OAuth2 client credentials

2. Registry (tools/credential_files.py): Session-scoped registry tracks which files need mounting. Skills register files when loaded via skill_view. Missing files trigger setup_needed.

3. Backend mounting:

• Modal: modal.Mount.from_local_file() passed to Sandbox.create(mounts=[...])
• Docker: -v host:container:ro bind mounts (read-only)
• Local: no changes needed (files already accessible)

4. User config override:

terminal:
  credential_files:
    - google_token.json
    - custom_oauth_token.json

Files

File	Change
tools/credential_files.py	New — registry module
tools/skills_tool.py	Parse required_credential_files, register on load
tools/environments/modal.py	Mount credential files at sandbox creation
tools/environments/docker.py	Mount credential files as read-only bind mounts
skills/productivity/google-workspace/SKILL.md	Add frontmatter field
tests/tools/test_credential_files.py	New — 12 tests

Tests

pytest tests/tools/test_credential_files.py -n0 -q           # 12 passed
pytest tests/tools/test_skills_tool.py -n0 -q                # 73 passed
pytest tests/tools/test_skill_env_passthrough.py -n0 -q      # 8 passed
Full suite: 6691 passed, 2 failed (both pre-existing)

[github-actions]

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: base64 encoding/decoding detected

Base64 has legitimate uses (images, JWT, etc.) but is also commonly used to obfuscate malicious payloads. Verify the usage is appropriate.

Matches (first 20):

476:+                b64 = base64.b64encode(content.encode("utf-8")).decode("ascii")

⚠️ WARNING: exec() or eval() usage

Dynamic code execution can hide malicious behavior, especially when combined with base64 or network fetches.

Matches (first 20):

445:+        content into the sandbox via exec(), so new/updated credentials are

---

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

[github-actions]

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: base64 encoding/decoding detected

Base64 has legitimate uses (images, JWT, etc.) but is also commonly used to obfuscate malicious payloads. Verify the usage is appropriate.

Matches (first 20):

1582:+                b64 = base64.b64encode(content.encode("utf-8")).decode("ascii")

⚠️ WARNING: exec() or eval() usage

Dynamic code execution can hide malicious behavior, especially when combined with base64 or network fetches.

Matches (first 20):

1551:+        content into the sandbox via exec(), so new/updated credentials are

⚠️ WARNING: Install hook files modified

These files can execute code during package installation or interpreter startup.

Files:

hermes_cli/setup.py

---

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.