Skip to content

fix(approval): load permanent command allowlist on startup#4741

Closed
catbusconductor wants to merge 1 commit into
NousResearch:mainfrom
catbusconductor:fix/load-permanent-allowlist
Closed

fix(approval): load permanent command allowlist on startup#4741
catbusconductor wants to merge 1 commit into
NousResearch:mainfrom
catbusconductor:fix/load-permanent-allowlist

Conversation

@catbusconductor

@catbusconductor catbusconductor commented Apr 3, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Calls load_permanent_allowlist() at module import time in tools/approval.py so that permanently approved command patterns persisted in config.yaml are actually loaded back into memory on restart.

Currently, save_permanent_allowlist() correctly writes patterns to disk when a user chooses /approve always, but load_permanent_allowlist() — though fully implemented — is never called anywhere. This means all "permanent" approvals are silently lost after every restart.

Related Issue

Fixes #4739

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)

Changes Made

  • tools/approval.py: Added load_permanent_allowlist() call at module level (end of file) so it executes on import

How to Test

  1. Run hermes with approvals.mode: manual
  2. Trigger a dangerous command (e.g., python3 -c "print('hello')")
  3. Approve with /approve always
  4. Verify command_allowlist in config.yaml contains the pattern
  5. Restart the gateway
  6. Trigger the same command again
  7. Confirm the command is auto-approved without re-prompting

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: macOS (Darwin 24.5.0)

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

@claude
fix(approval): load permanent command allowlist on startup
2d36c7c 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@teknium1 teknium1 mentioned this pull request Apr 4, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix(approval): permanent command allowlist not loaded on startup

1 participant

@catbusconductor