fix: managed mode PID detection and cron permissions #9385
Open
lvnilesh wants to merge 1 commit into
1. web_server.py: Fall back to gateway_state.json when gateway.pid is not written (managed gateway writes state JSON, not PID file), so the dashboard correctly shows gateway status under systemd.
2. cron/jobs.py: Respect HERMES_MANAGED env var in _secure_dir() and _secure_file() — use group-accessible 2770/0640 instead of owner-only 0700/0600, matching the NixOS module's activation script.

Fixes NousResearch#9383

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
houko (Contributor) reviewed on Apr 14, 2026 and left a comment:
Good fix — 0o2770/0o640 permissions for managed mode and fallback PID detection from gateway_state.json are both important improvements. 👍
Summary

Fixes three issues when running hermes-agent under NixOS systemd managed mode (HERMES_MANAGED=true):

1. Dashboard shows "gateway not running": get_status() in web_server.py only checks gateway.pid, which the managed gateway never writes. Added fallback to gateway_state.json with /proc/{pid} validation so the dashboard correctly reflects gateway status under systemd.
2. Cron directories reset to 0700: _secure_dir() in cron/jobs.py hardcodes chmod 0700 on every startup, overriding the NixOS module's 2770 (setgid + group-accessible). Now respects HERMES_MANAGED env var and uses 2770 in managed mode.
3. Cron files reset to 0600: _secure_file() in cron/jobs.py similarly hardcodes 0600, breaking group-readable access needed by the service user. Now uses 0640 in managed mode.

Note on .env permissions: The .env file permissions (Fix 3 in #9383) are already handled correctly — save_env_value() returns early in managed mode, and _secure_file() in config.py already has a managed-mode guard. No additional changes needed there.

Fixes #9383

Files changed

- hermes_cli/web_server.py — get_status(): fall back to read_runtime_status() when get_running_pid() returns None
- cron/jobs.py — _secure_dir() and _secure_file(): use group-accessible permissions when HERMES_MANAGED=true

Test plan

- get_status() returns gateway_running: true when gateway is running under systemd (no gateway.pid file, but gateway_state.json has "gateway_state": "running")
- 2770 permissions after ensure_dirs() runs in managed mode
- 0640 permissions after _secure_file() runs in managed mode
- 0700/0600 as before

🤖 Generated with Claude Code
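
Added example, not part of the pull request or the project's code: a sketch of the mode selection described above (0700/0600 by default, 2770/0640 when HERMES_MANAGED=true) together with an audit that reports any entry granting more than the selected mode allows. The function names, the sample file name and the assumption that the flag is the literal string "true" are hypothetical.

```python
import os
import stat
import tempfile

# Modes quoted in the PR description; function names here are hypothetical.
OWNER_ONLY = (0o700, 0o600)     # default mode: (directory, file)
GROUP_SHARED = (0o2770, 0o640)  # managed mode: setgid directory, group-readable file


def modes_for(env):
    """Return (dir_mode, file_mode). Assumption: the flag is the literal 'true'."""
    managed = env.get("HERMES_MANAGED", "").strip().lower() == "true"
    return GROUP_SHARED if managed else OWNER_ONLY


def _entries(root, env):
    """Yield (path, allowed_mode) for each directory and file, skipping symlinks."""
    dir_mode, file_mode = modes_for(env)
    for dirpath, _dirs, files in os.walk(root):
        yield dirpath, dir_mode
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):  # chmod would follow the link out of the tree
                yield path, file_mode


def secure_tree(root, env=os.environ):
    """Apply the run mode's permissions to everything under root."""
    for path, mode in list(_entries(root, env)):
        os.chmod(path, mode)


def audit_tree(root, env=os.environ):
    """Return (path, octal_mode) for entries granting rwx bits beyond the allowed mode."""
    findings = []
    for path, allowed in _entries(root, env):
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        if actual & 0o777 & ~allowed:
            findings.append((path, oct(actual)))
    return findings


if __name__ == "__main__":
    root = tempfile.mkdtemp()  # constructed sample tree standing in for the cron directory
    open(os.path.join(root, "sample_job.json"), "w").close()
    secure_tree(root, {})                          # owner-only startup behaviour
    print(audit_tree(root, {}))                    # nothing exceeds 0700/0600
    secure_tree(root, {"HERMES_MANAGED": "true"})  # group-shared behaviour
    print(audit_tree(root, {}))                    # 2770/0640 exceed the owner-only baseline
```

Running the audit with the environment the service actually uses shows whether a startup pass has reset or widened the modes that the deployment expects.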