feat(file-sync): sync remote changes back to host on teardown

[alt-glitch]

Summary

Implements Phase 2 of the bulk file sync spec (bulk-sync-spec.md). On sandbox teardown, FileSyncManager now downloads the remote .hermes/ directory, diffs against SHA-256 hashes of what was originally pushed, and applies only changed files back to the host.

Depends on #8014 (bulk upload salvage — cherry-picked as base).

Changes

Core (tools/environments/file_sync.py)

• BulkDownloadFn callback type: Callable[[Path], None] — backend writes a tar archive to the given path
• _pushed_hashes: SHA-256 content hashes computed on upload, stored alongside mtime+size
• sync_back(): orchestrates download → unpack → diff → apply with:
  • Retry with exponential backoff (3 attempts, 2s/4s/8s)
  • SIGINT trap + defer (prevents partial writes on Ctrl-C)
  • fcntl.flock on .hermes/.sync.lock (serializes concurrent gateway sandboxes)
  • Last-write-wins conflict resolution with warning when host file also changed
  • New remote files pulled back via _infer_host_path prefix matching

Backends

• SSH: _ssh_bulk_download — tar cf - -C ~/.hermes . piped over SSH to local file
• Modal: _modal_bulk_download — exec tar cf - → proc.stdout.read → write to file
• Daytona: _daytona_bulk_download — exec tar cf on remote → SDK download_file()
• All three wire bulk_download_fn into FileSyncManager and call sync_back() at the top of cleanup() (before ControlMaster close / sandbox terminate / sandbox stop)

Tests

• 10 FSM core tests: noop, no-changes, apply-changed, new-remote-file, conflict-warning, retry, exhausted-retries, hash-on-push, hash-cleared-on-delete, file-lock
• 18 backend tests: SSH/Modal/Daytona download mechanics, cleanup ordering, wiring verification

72 total tests passing.

Test plan

• 10 FSM sync-back core tests pass
• 18 backend download + wiring tests pass
• 44 existing bulk upload + file sync tests still pass (no regressions)
• tar.extractall uses filter="data" (Python 3.14 compat)

🤖 Generated with Claude Code

[github-actions]

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: exec() or eval() usage

Dynamic code execution can hide malicious behavior, especially when combined with base64 or network fetches.

Matches (first 20):

830:+        self._sandbox.process.exec(

---

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

[alt-glitch]

@BugBot review

[github-actions]

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: exec() or eval() usage

Dynamic code execution can hide malicious behavior, especially when combined with base64 or network fetches.

Matches (first 20):

2151:+        self._sandbox.process.exec(

---

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

[github-actions]

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: exec() or eval() usage

Dynamic code execution can hide malicious behavior, especially when combined with base64 or network fetches.

Matches (first 20):

831:+        self._sandbox.process.exec(

---

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

[alt-glitch]

@BugBot review

[github-actions]

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: exec() or eval() usage

Dynamic code execution can hide malicious behavior, especially when combined with base64 or network fetches.

Matches (first 20):

831:+        self._sandbox.process.exec(

---

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

[alt-glitch]

@BugBot review

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 6aba50f. Configure here.}

[cursor]

Daytona bulk download ignores tar command failure

Medium Severity

_daytona_bulk_download doesn't check the exit code of the process.exec tar command, unlike the SSH and Modal backends which both verify the return code and raise RuntimeError on failure. If the tar command fails (e.g., .hermes/ doesn't exist or permission denied), the code proceeds to download_file, which could download a stale /tmp/.hermes_sync.tar left over from a previous run on a persistent sandbox — silently applying outdated file contents back to the host.

 

^{Reviewed by Cursor Bugbot for commit 6aba50f. Configure here.}

[cursor]

Unguarded sync_back() in cleanup skips resource teardown

Medium Severity

The sync_back() call in all three backends' cleanup() methods is not wrapped in a try-except. While sync_back() catches exceptions internally in its retry loop, code paths before the loop (e.g., lock_path.parent.mkdir) and BaseException subclasses like KeyboardInterrupt (re-raised from the deferred SIGINT mechanism via os.kill) can propagate uncaught, causing the rest of cleanup to be skipped entirely — leaking SSH control sockets, Modal sandboxes, or Daytona sandboxes.

Additional Locations (2)

• tools/environments/modal.py#L425-L428
• tools/environments/daytona.py#L225-L228

 

^{Reviewed by Cursor Bugbot for commit 6aba50f. Configure here.}

[kshitijk4poor]

PR Review — #8018: feat(file-sync): sync remote changes back to host on teardown

Verdict: Request Changes
Tests: 44 passed, 0 failed (3 skipped — pre-existing SSH-marked perf tests)

Critical

• file_sync.py:9 — import fcntl is unconditional. This module does not exist on Windows and will crash at import time. The codebase already has the correct pattern in cron/scheduler.py:21 and hermes_cli/auth.py:46: try: import fcntl / except ImportError: fcntl = None with msvcrt fallback. _sync_back_locked should skip file locking (or use msvcrt.locking) when fcntl is unavailable.

Warnings

• file_sync.py:275 — assert self._bulk_download_fn is not None is stripped by python -O. This is a runtime code path, not a dev-only assertion. The caller already guards (if self._bulk_download_fn is None: return), so this assert is defense-in-depth — but should be a proper if check or raise RuntimeError(...).

• file_sync.py:273-357 — _resolve_host_path and _infer_host_path each call self._get_files_fn() independently, which iterates credentials+skills+cache every call. In _sync_back_impl, this is called once per remote file (potentially twice if resolve fails and infer is tried). O(n*m) where n=synced files, m=changed files. Easy fix: cache the mapping list once at the start of _sync_back_impl and pass it to both methods.

• ssh.py, modal.py, daytona.py — BulkDownloadFn is imported but never used as a type annotation in any backend file. Dead import. (Consistent with the pre-existing BulkUploadFn pattern, so low priority — but would be nice to either use the types or remove the imports.)

• modal.py:356 — "tar cf - -C / root/.hermes" hardcodes the path. SSH and Daytona dynamically construct the path from self._remote_home. Modal mirrors the existing hardcoded /root/.hermes on line 269, so it is internally consistent — but worth a comment explaining the assumption (Modal sandboxes always run as root).

Suggestions

• file_sync.py:291 — _sha256_file(staged_file) is called for every extracted file including ones where pushed_hash is None (new remote files). For new files the hash comparison is always False. Minor optimization: skip hashing when pushed_hash is None.

• daytona.py:168-170 — The remote temp file /tmp/.hermes_sync.tar is created on the sandbox but never cleaned up. If sync_back() retries or the sandbox persists, stale tar files accumulate. Consider adding rm -f /tmp/.hermes_sync.tar after download.

• Test coverage gaps (MEDIUM): SIGINT deferral logic (main thread vs worker thread paths) is not tested. _infer_host_path edge cases (no matching prefix, partial prefix that shouldn't match) — only one positive case tested. Daytona download_file failure propagation not tested.

Looks Good

• Clean architecture: sync_back -> retry -> SIGINT protection -> file lock -> download -> diff -> apply. Good separation of concerns across the 4 method layers.
• _pushed_hashes lifecycle is correct: populated on upload, cleared on delete, rolled back on failure.
• tarfile.open with filter="data" — proper security against path traversal.
• threading.current_thread() is threading.main_thread() check before signal.signal() — correct handling for gateway worker threads.
• Cleanup ordering is well-tested: all 3 backends verify sync_back runs before sandbox teardown (control_exit, terminate, stop).
• Tests are well-structured with clear helpers, good coverage of the happy path and error paths (retry, exhausted retries, conflict).
• Consistent with the existing bulk upload pattern — download is a clean mirror.

[teknium1]

Merged via #11291. Your original implementation made it onto main through @kshitijk4poor's salvage PR (#8189) — they cherry-picked your work, addressed the first review round, and we then cherry-picked that onto current main with further hardening. Thanks for the clean architecture (retry + SIGINT defer + flock + hash diff) — it held up through two rebase rounds untouched.