feat: profile boundary isolation for cross-profile data protection #9960
Open
whyihaveyou wants to merge 1 commit into
Add is_within_profile_boundary() guard to file tool operations (read, write, patch, search) to prevent named profiles from accessing other profiles' data directories (memory, sessions, config).

- hermes_constants.py: add is_profiled_mode(), get_profile_boundary(), is_within_profile_boundary() — soft isolation that blocks cross-profile access while preserving full filesystem access for project work
- tools/file_tools.py: add boundary checks at all four file operation entry points (read, write, patch, search)
- tests/test_profile_boundary.py: 28 tests covering default profile (admin, unrestricted), named profiles (restricted), symlinks, tilde expansion, edge cases

Motivation: In multi-profile setups (e.g., separate Feishu bots per profile), profiles share the same Python venv and codebase. Without boundary enforcement, one profile's agent could accidentally read or modify another profile's memory, sessions, or configuration.
Summary

Add is_within_profile_boundary() guard to file tool operations to prevent named profiles from accessing other profiles' data directories (memory, sessions, config).

Problem
In multi-profile setups (e.g., separate Feishu bots per profile), all profiles share the same Python venv and codebase. Without boundary enforcement, one profile's agent could accidentally — or via LLM hallucination — read or modify another profile's memory, sessions, or configuration.
This was discovered after a real incident where a frog profile agent rebuilt the shared venv, breaking TLS for all profiles simultaneously.
Changes
- hermes_constants.py: is_profiled_mode(), get_profile_boundary(), is_within_profile_boundary() — soft isolation that blocks cross-profile access while preserving full filesystem access for project work
- tools/file_tools.py: read_file, write_file, patch, search)
- tests/test_profile_boundary.py

Design Decisions

- ~/.hermes/profiles/OTHER_PROFILE/.
- HERMES_HOME == ~/.hermes) has no restrictions — it needs access to all profiles for management tasks (profile list, skill syncing, etc.).
- file_tools.py (the LLM's file interface). Terminal and execute_code can still bypass via cat/open(). A future PR could extend this to approval.py patterns.

Known Limitations

- terminal_tool.py or code_execution_tool.py — those can still access arbitrary paths via shell commands. Suggested follow-up: add dangerous path patterns to approval.py.

Test Plan
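
An added example, not code from this pull request: one way to write a boundary check with the behaviour the description lists (default profile unrestricted, named profiles denied other profiles' directories, `~`, `..` and symlinks resolved before comparing). The function name `within_profile_boundary`, its explicit `hermes_home` and `root` parameters, the `owl` profile and the temp-directory layout are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path


def _resolve(path):
    # expanduser handles "~"; realpath collapses ".." and follows symlinks,
    # also when the leaf does not exist yet (a write to a new file).
    return Path(os.path.realpath(os.path.expanduser(str(path))))


def _is_under(path, parent):
    return path == parent or parent in path.parents


def within_profile_boundary(path, hermes_home, root):
    """True if a file tool running under hermes_home may touch path (assumed API)."""
    root, home, target = _resolve(root), _resolve(hermes_home), _resolve(path)
    if home == root:                      # default profile: admin, unrestricted
        return True
    profiles = root / "profiles"
    if not _is_under(target, profiles):   # project files, /tmp, etc. stay open
        return True
    # Inside profiles/: only the caller's own tree is allowed. This also denies
    # the profiles/ directory itself, a choice made for this example.
    return _is_under(target, home)


def demo():
    """Constructed layout: <tmp>/.hermes/profiles/{frog,owl} plus a project dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / ".hermes"
        frog, owl = root / "profiles" / "frog", root / "profiles" / "owl"
        (owl / "memory").mkdir(parents=True)
        frog.mkdir(parents=True)
        project = Path(tmp) / "project"
        project.mkdir()
        (project / "link").symlink_to(owl / "memory")  # symlink into another profile
        checks = {
            "own": frog / "config.yaml",
            "other": owl / "memory" / "notes.md",
            "dotdot": frog / ".." / "owl" / "memory",
            "symlink": project / "link" / "notes.md",
            "project": project / "main.py",
        }
        named = {k: within_profile_boundary(p, frog, root) for k, p in checks.items()}
        admin = all(within_profile_boundary(p, root, root) for p in checks.values())
        return named, admin
```

Comparing resolved paths rather than the strings the tool received is what makes the `dotdot` and `symlink` cases fail closed.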