feat(security): make secret redaction off by default by teknium1 · Pull Request #16794 · NousResearch/hermes-agent

teknium1 · 2026-04-28T03:33:24Z

Summary

Secret redaction (security.redact_secrets) now defaults to false. New installs get pass-through tool output; users who want the masking behavior opt in with hermes config set security.redact_secrets true.

Existing users who already have redact_secrets: true in their config.yaml keep redaction on — the config-YAML → env-var bridges in hermes_cli/main.py and gateway/run.py are unchanged and still respect explicit settings.

Changes

hermes_cli/config.py: DEFAULT_CONFIG[security][redact_secrets] True → False; updated _SECURITY_COMMENT and _COMMENTED_SECTIONS to reflect new default.
agent/redact.py: env-var fallback flipped — requires explicit opt-in (1/true/yes/on) instead of implicit-on-unless-disabled.
website/docs/user-guide/configuration.md: documented new default and opt-in guidance.
skills/autonomous-ai-agents/hermes-agent/SKILL.md: flipped user guidance — default is off, enable with security.redact_secrets true.
tests/hermes_cli/test_redact_config_bridge.py: renamed test_redact_secrets_default_true_when_unset → _default_false_, added test_redact_secrets_true_in_config_yaml_is_honored for the opposite direction.

Validation

Scenario	Env var	config.yaml	Expected `_REDACT_ENABLED`
Brand new install	unset	no `security` key	False
Opt-in via config	unset	`redact_secrets: true`	True
Opt-in via .env	`true`	anything	True
Opt-out via config	unset	`redact_secrets: false`	False
.env beats config	`true`	`redact_secrets: false`	True

All 79 targeted tests pass (scripts/run_tests.sh tests/hermes_cli/test_redact_config_bridge.py tests/agent/test_redact.py).

Flips security.redact_secrets from true to false in DEFAULT_CONFIG, and the HERMES_REDACT_SECRETS env-var fallback in agent/redact.py now requires explicit opt-in ("1"/"true"/"yes"/"on") to enable. New installs and users without a security.redact_secrets key get pass- through tool output. Existing users whose config.yaml explicitly sets redact_secrets: true keep redaction on — the config-yaml -> env-var bridges in hermes_cli/main.py and gateway/run.py still honor their setting. Also updates the inline config comments, website docs, and the hermes-agent skill so /hermes config set security.redact_secrets true is now the documented way to turn it on.

) Flips security.redact_secrets from true to false in DEFAULT_CONFIG, and the HERMES_REDACT_SECRETS env-var fallback in agent/redact.py now requires explicit opt-in ("1"/"true"/"yes"/"on") to enable. New installs and users without a security.redact_secrets key get pass- through tool output. Existing users whose config.yaml explicitly sets redact_secrets: true keep redaction on — the config-yaml -> env-var bridges in hermes_cli/main.py and gateway/run.py still honor their setting. Also updates the inline config comments, website docs, and the hermes-agent skill so /hermes config set security.redact_secrets true is now the documented way to turn it on.

Apply agent.redact.redact_sensitive_text with force=True to log content captured by _capture_log_snapshot before it reaches upload_to_pastebin. On-disk logs are untouched. Compatible with the off-by-default local redaction policy from NousResearch#16794: this is upload-time-only and applies regardless of security.redact_secrets because the public paste service is the leak surface. A visible banner is prepended to each uploaded log paste so reviewers know redaction was applied. --no-redact preserves deliberate unredacted sharing for maintainer-coordinated cases. The bug-report, setup-help, and feature-request issue templates direct users to run hermes debug share and paste the resulting public URLs. With redaction off by default per NousResearch#16794, those uploads have been carrying credentials onto paste.rs and dpaste.com. force=True is non-negotiable: without it, redact_sensitive_text short-circuits at agent/redact.py:322 when the env var is unset, so the fix would silently be a no-op for its target audience. A regression test pins this down. Fixes NousResearch#19316

Apply agent.redact.redact_sensitive_text with force=True to log content captured by _capture_log_snapshot before it reaches upload_to_pastebin. On-disk logs are untouched. Compatible with the off-by-default local redaction policy from #16794: this is upload-time-only and applies regardless of security.redact_secrets because the public paste service is the leak surface. A visible banner is prepended to each uploaded log paste so reviewers know redaction was applied. --no-redact preserves deliberate unredacted sharing for maintainer-coordinated cases. The bug-report, setup-help, and feature-request issue templates direct users to run hermes debug share and paste the resulting public URLs. With redaction off by default per #16794, those uploads have been carrying credentials onto paste.rs and dpaste.com. force=True is non-negotiable: without it, redact_sensitive_text short-circuits at agent/redact.py:322 when the env var is unset, so the fix would silently be a no-op for its target audience. A regression test pins this down. Fixes #19316

@0xyg3n

* fix(model): avoid bedrock credential probe in provider picker * fix(tools): reconfigure enabled unconfigured toolsets * fix(acp): route Zed thoughts to reasoning callbacks * fix(acp): polish Zed context and tool rendering * fix(acp): polish common tool rendering * fix(acp): keep read-file starts compact * fix(acp): keep web extract rendering compact * Schedule ACP history replay and fence file output * fix(acp): compact Zed tool replay rendering * fix(weixin): send_weixin_direct cross-loop session check When send_message tool is called from inside a running gateway, the _run_async bridge spawns a worker thread with a separate event loop. send_weixin_direct then reuses the live adapter's aiohttp session which was created on the gateway's main loop. aiohttp's TimerContext checks asyncio.current_task(loop=session._loop) and sees None because we're executing on the worker thread's loop → raises 'Timeout context manager should be used inside a task'. Fix: skip the live-adapter shortcut when the session belongs to a different event loop, falling through to the fresh-session path. * chore: add MottledShadow to AUTHOR_MAP * feat(openrouter): add response caching support (NousResearch#19132) Enable OpenRouter's response caching feature (beta) via X-OpenRouter-Cache headers. When enabled, identical API requests return cached responses for free (zero billing), reducing both latency and cost. Configuration via config.yaml: openrouter: response_cache: true # default: on response_cache_ttl: 300 # 1-86400 seconds Changes: - Add openrouter config section to DEFAULT_CONFIG (response_cache + TTL) - Add build_or_headers() in auxiliary_client.py that builds attribution headers plus optional cache headers based on config - Replace inline _OR_HEADERS dicts with build_or_headers() at all 5 sites: run_agent.py __init__, _apply_client_headers_for_base_url(), and auxiliary_client.py _try_openrouter() + _to_async_client() - Add _check_openrouter_cache_status() method to AIAgent that reads X-OpenRouter-Cache-Status from streaming response headers and logs HIT/MISS status - Document in cli-config.yaml.example - Add 28 tests (22 unit + 6 integration) Ref: https://openrouter.ai/docs/guides/features/response-caching * fix: After _clamp_command_names truncates skill names to fit the 32-cha… * test: add tests for cmd_key preservation through name clamping - TestClampCommandNamesTriples: unit tests for 3-tuple support in _clamp_command_names (short names, long names, collisions, multiple entries, backward compat with 2-tuples) - TestDiscordSkillCmdKeyDispatch: integration test through the full discord_skill_commands pipeline verifying long skill names retain their original cmd_key after clamping - Add contributor CharlieKerfoot to AUTHOR_MAP * fix(gateway/discord): require allowlist auth on slash commands Slash commands (_run_simple_slash, _handle_thread_create_slash) bypassed every DISCORD_ALLOWED_* gate enforced by on_message. Any guild member could invoke /background (RCE via terminal), /restart, /model, /skill, etc. CVSS 9.8 Critical. - _evaluate_slash_authorization mirrors on_message gates (user, role, channel, ignored channel) with fail-closed semantics - _check_slash_authorization sends ephemeral reject + logs + admin alert - Auth gate runs before defer() so rejections are ephemeral - /skill autocomplete returns [] for unauthorized users (no catalog leak) - Component views (ExecApproval, SlashConfirm, UpdatePrompt, ModelPicker) now honor role allowlists via shared _component_check_auth helper - Optional DISCORD_HIDE_SLASH_COMMANDS defense-in-depth - Cross-platform admin alert (Telegram/Slack fallback) on unauthorized attempts Based on PR NousResearch#18125 by @0xyg3n. * chore: add 0xyg3n noreply email to AUTHOR_MAP * fix(slack): close previous handler in connect() to prevent zombie Socket Mode connections SlackAdapter.connect() overwrote self._handler, self._app, and self._socket_mode_task without closing the prior AsyncSocketModeHandler first. If connect() was called a second time on the same adapter (e.g. during a gateway restart or in-process reconnect attempt), the old Socket Mode websocket stayed alive. Both the old and new connections received every Slack event and dispatched it twice — producing double responses with different wording, the same bug that affected DiscordAdapter (NousResearch#18187, fixed in NousResearch#18758). Fix: add a close-before-reassign guard at the start of the connection setup path, mirroring the guard DiscordAdapter.connect() already has. When self._handler is None (fresh adapter, first connect()) the block is a harmless no-op. Scoped to the handler/app fields only — no behavior change for any path that does not call connect() twice. Fixes NousResearch#18980 * chore: add nftpoetrist to AUTHOR_MAP * fix(gateway): resume sessions after crash/restart instead of blanket suspend suspend_recently_active() was unconditionally setting suspended=True on startup, causing get_or_create_session() to wipe conversation history on every restart. Change to set resume_pending=True instead, so sessions auto-resume while still allowing stuck-loop escalation after 3 failures. * chore: add millerc79 to AUTHOR_MAP * fix(gateway): send /new response before cancel_session_processing to avoid race (NousResearch#18912) When /new is issued while an agent is actively processing, the confirmation response was never sent to the user because cancel_session_processing() was called before _send_with_retry(). Task cancellation side effects could silently drop the response. Fix: reorder to send the response BEFORE cancelling the old task. Add logging at the send point (matching the pattern at line 2800 in _process_message_background) so future failures are visible. Closes: NousResearch#18912 * chore: add shellybotmoyer to AUTHOR_MAP * fix(gateway): correct ws scheme conversion for https urls * fix: update tests for resume_pending semantics + add AUTHOR_MAP entries Tests updated to reflect suspend_recently_active now setting resume_pending=True (preserves session) instead of suspended=True (wipes session history). AUTHOR_MAP entries: millerc79 (NousResearch#19033), shellybotmoyer (NousResearch#18915) * fix(whatsapp): pin protobufjs >=7.5.5 via npm overrides to clear 3 critical vulns (NousResearch#19204) The whatsapp-bridge pulls @whiskeysockets/baileys at a pinned git commit whose transitive dep tree ships protobufjs <7.5.5, triggering GHSA-xq3m-2v4x-88gg (critical, arbitrary code execution). npm audit reported 3 cascading criticals: protobufjs, @whiskeysockets/libsignal-node (pulls protobufjs), and baileys itself (effect rollup). Fix: add npm overrides block pinning protobufjs to ^7.5.5. Deduplicates to a single 7.5.6 copy at node_modules/protobufjs that both libsignal-node and any other consumers resolve through normal module resolution. Why not bump baileys: npm-published baileys@6.17.16 is deprecated by the maintainers (wrong version), 7.0.0-rc.* still pulls the same vulnerable libsignal-node, and upstream Baileys HEAD adds a 4th vuln (music-metadata). The override is the minimal, behavior-preserving fix. Validation: - npm audit: 3 critical -> 0 vulnerabilities - node -e "import('@whiskeysockets/baileys')" -> all 5 named exports (makeWASocket, useMultiFileAuthState, DisconnectReason, fetchLatestBaileysVersion, downloadMediaMessage) resolve - node bridge.js loads all modules and reaches Express bind (exits only on EADDRINUSE because the live gateway owns :3000) - Single deduped protobufjs@7.5.6 in the tree * fix(goals): make /goal work in TUI and fix gateway verdict delivery (NousResearch#19209) /goal was silently broken outside the classic CLI. TUI: /goal was routed through the HermesCLI slash-worker subprocess, which set the goal row in SessionDB but then called _pending_input.put(state.goal) — the subprocess has no reader for that queue, so the kickoff message was discarded. No post-turn judge was wired into prompt.submit either, so even a manual kickoff would not continue the goal loop. Intercept /goal in command.dispatch instead, drive GoalManager directly, and return {type: send, notice, message} so the TUI client renders the Goal-set notice and fires the kickoff. Run the judge in _run_prompt_submit after message.complete, surface the verdict via status.update {kind: goal}, and chain the continuation turn after the running guard is released. Gateway: _post_turn_goal_continuation was gated on hasattr(adapter, 'send_message'), but adapters only expose send(). That branch was dead on every platform — users never saw '✓ Goal achieved', 'Continuing toward goal', or budget-exhausted messages. Replace the dead call with adapter.send(chat_id, content, metadata) and drop a broken reference to self._loop. Tests: - tests/tui_gateway/test_goal_command.py — full /goal dispatch matrix (set / status / pause / resume / clear / stop / done / whitespace) plus regressions for slash.exec → 4018 and 'goal' staying in _PENDING_INPUT_COMMANDS. - tests/gateway/test_goal_verdict_send.py — locks in the adapter.send path for done / continue / budget-exhausted and verifies the hook no-ops when no goal is set or the adapter lacks send(). * fix(gateway): preserve home-channel thread targets across restart notifications * chore(release): map leprincep35700 email for PR NousResearch#18440 salvage * fix(approval): extend sensitive write target to cover shell RC and credential files Terminal commands can write to shell RC files (~/.bashrc, ~/.zshrc, ~/.profile) and credential files (~/.netrc, ~/.pgpass, ~/.npmrc, ~/.pypirc) via redirection or tee without triggering approval, even though write_file already blocks these paths in file_safety.py. This creates an inconsistency: write_file protects these paths but terminal shell redirections bypass the same protection. An agent prompted via indirect injection could install persistent backdoors (e.g. PATH manipulation, alias overrides) or write credential entries without user approval. Extend _SENSITIVE_WRITE_TARGET with two new regex groups matching the same paths that file_safety.py's WRITE_DENIED_PATHS already covers: _SHELL_RC_FILES — ~/.bashrc, ~/.zshrc, ~/.profile, ~/.bash_profile, ~/.zprofile _CREDENTIAL_FILES — ~/.netrc, ~/.pgpass, ~/.npmrc, ~/.pypirc All 130 existing tests pass. * fix(cron): treat non-dict origin as missing instead of crashing tick ``_resolve_origin`` called ``origin.get('platform')`` on whatever ``job.get('origin')`` returned. The leading ``if not origin: return None`` short-circuited the falsy cases (None, empty dict, "") but a non-empty string passed that guard and then crashed with ``AttributeError: 'str' object has no attribute 'get'`` on every fire attempt. Observed in the wild after a migration script tagged jobs with free-form provenance strings (e.g. ``"combined-digest-replaces-x-and-y-20260503"``). ``mark_job_run`` did record ``last_status: error, last_error: "'str' object has no attribute 'get'"`` once, but the next tick re-loaded the same poisoned origin and crashed identically. The job stayed enabled, fired every tick, and accumulated cascading errors in the log until ``origin`` was patched manually. Replace the falsy guard with ``isinstance(origin, dict)``. Non-dict origins (string, int, list, tuple, float — anything that survived a hand-edit, JSON-script write, or migration) are now treated the same as a missing origin: the job continues with ``deliver`` falling back through its normal home-channel path instead of crashing the scheduler loop. Test parametrises the non-dict shapes that can appear in jobs.json through external writers and asserts ``_resolve_origin`` returns None for each. Note: this fix scope is the non-dict-``origin`` crash only. The ``next_run_at: null`` recurring-job recovery (the second sub-bug in NousResearch#18722) is independently addressed by the in-flight NousResearch#18825, which extends the never-silently-disable defense from NousResearch#16265 to ``get_due_jobs()`` — that approach is well-aligned with the existing recovery pattern and ships fine without a competing change here. Fixes NousResearch#18722 (non-dict origin crash; recurring-job recovery covered by NousResearch#18825) * fix(tools): write_file handler now rejects missing 'content'/'path' args instead of silently writing zero-byte files (NousResearch#19096) Under context pressure, frontier models sometimes emit tool calls with required fields dropped. Previously _handle_write_file() used args.get('content', '') which substituted an empty string for the missing key, returned success with bytes_written=0, and created a zero-byte file on disk. The model had no way to detect the failure. Changes: - Reject calls where 'path' is absent or not a non-empty string - Reject calls where 'content' key is entirely absent (key-presence check, not truthiness) — distinguishing a legitimately empty file from a dropped arg - Reject calls where 'content' is a non-string type - All error messages include guidance to re-emit the tool call or switch to execute_code with hermes_tools.write_file() for large payloads - Explicit empty string content (file truncation) continues to work Regression tests added for all four cases: missing path, missing content, explicit-empty content, and wrong content type. Fixes NousResearch#19096 * fix(tui): clear Apple Terminal resize artifacts Use a deeper alt-screen clear for Apple Terminal resize repaints so host reflow artifacts do not survive the recovery frame. * feat(skill): add video-orchestrator optional creative skill Meta-pipeline that wraps any video request — narrative film, product / marketing, music video, explainer, ASCII, generative, comic, 3D, real-time/installation — in a Hermes Kanban pipeline. Performs adaptive discovery, designs an appropriate team for the requested style, generates the setup script that creates Hermes profiles + initial kanban task, and helps monitor execution. Routes scenes to whichever existing Hermes skill fits each beat (`ascii-video`, `manim-video`, `p5js`, `comfyui`, `touchdesigner-mcp`, `blender-mcp`, `pixel-art`, `baoyu-comic`, `claude-design`, `excalidraw`, `songsee`, `heartmula`, …) plus external APIs for TTS, image-gen, and image-to-video. Kanban orchestration uses the `kanban-orchestrator` and `kanban-worker` skills. The single-project workspace layout, profile-config patching pattern, SOUL.md-per-profile model, and `--workspace dir:<path>` discipline are adapted from alt-glitch's original kanban-video-pipeline at https://github.com/NousResearch/kanban-video-pipeline. This skill generalizes those patterns across video styles and replaces the original string-replacement config patcher with a PyYAML-based one that touches only `toolsets` and `skills.always_load` (preserving security-sensitive fields like `approvals.mode`). Includes: - SKILL.md — workflow + critical rules - references/ — intake, role archetypes, tool matrix, kanban setup, monitoring, six worked examples - assets/ — brief / setup.sh / soul.md templates - scripts/ — bootstrap_pipeline.py (plan.json -> setup.sh) and monitor.py (poll + issue detection) Co-authored-by: alt-glitch <balyan.sid@gmail.com> * rename: video-orchestrator → kanban-video-orchestrator The kanban prefix makes the skill discoverable alongside `kanban-orchestrator` and `kanban-worker`, and signals up front that this skill drives the kanban plugin rather than being a generic video tool. Updated: - directory rename - SKILL.md frontmatter `name:` and H1 - setup.sh.tmpl header * feat: add video_analyze tool for native video understanding (NousResearch#19301) * feat: add video_analyze tool for native video understanding Adds a video_analyze tool that sends video files to multimodal LLMs (e.g. Gemini) for analysis via the OpenRouter-compatible video_url content type. Mirrors vision_analyze in structure, error handling, and registration pattern. Key design: - Base64 encodes entire video (no frame extraction, no ffmpeg dep) - Uses 'video_url' content block type (OpenRouter standard) - Supports mp4, webm, mov, avi, mkv, mpeg formats - 50 MB hard cap, 20 MB warning threshold - 180s minimum timeout (videos take longer than images) - AUXILIARY_VIDEO_MODEL env override, falls back to AUXILIARY_VISION_MODEL - Same SSRF protection, retry logic, and cleanup as vision_analyze Default disabled: registered in 'video' toolset (not in _HERMES_CORE_TOOLS). Users opt in via: hermes tools enable video, or enabled_toolsets=['video']. * feat(video): add models.dev capability pre-check + CONFIGURABLE_TOOLSETS entry - Pre-checks model video capability via models.dev modalities.input before expensive base64 encoding. Fails early with helpful message suggesting video-capable alternatives (gemini, mimo-v2.5-pro). - Passes optimistically if model unknown or lookup fails. - Adds ModelInfo.supports_video_input() helper. - Adds 'video' to CONFIGURABLE_TOOLSETS and _DEFAULT_OFF_TOOLSETS so 'hermes tools enable video' works from CLI. - 8 new tests for the capability check (37 total). * refactor(video): remove models.dev capability pre-check Removes _check_video_model_capability and ModelInfo.supports_video_input. The vision_analyze tool doesn't pre-check image capability either — both tools rely on the same pattern: send request, handle API errors gracefully with categorized user-facing messages. The pre-check was inconsistent (only worked for some providers/models) so drop it for parity. * cleanup: compress comments, fix fragile timeout coupling - Replace _VISION_DOWNLOAD_TIMEOUT * 2 with hardcoded 60s (no silent breakage if vision timeout changes independently) - Strip verbose comments and redundant log lines throughout - No behavioral changes * fix(debug): redact log content at upload time in hermes debug share Apply agent.redact.redact_sensitive_text with force=True to log content captured by _capture_log_snapshot before it reaches upload_to_pastebin. On-disk logs are untouched. Compatible with the off-by-default local redaction policy from NousResearch#16794: this is upload-time-only and applies regardless of security.redact_secrets because the public paste service is the leak surface. A visible banner is prepended to each uploaded log paste so reviewers know redaction was applied. --no-redact preserves deliberate unredacted sharing for maintainer-coordinated cases. The bug-report, setup-help, and feature-request issue templates direct users to run hermes debug share and paste the resulting public URLs. With redaction off by default per NousResearch#16794, those uploads have been carrying credentials onto paste.rs and dpaste.com. force=True is non-negotiable: without it, redact_sensitive_text short-circuits at agent/redact.py:322 when the env var is unset, so the fix would silently be a no-op for its target audience. A regression test pins this down. Fixes NousResearch#19316 * fix(cli): CLI/TUI on local backend always uses launch directory, ignores terminal.cwd (NousResearch#19242) CLI/TUI sessions on the local backend now unconditionally use os.getcwd() as the working directory. The terminal.cwd config value is only consumed by gateway/cron/delegation modes (where there's no shell to cd from). Previously, 'hermes setup' would write an absolute path (e.g. $HOME) into terminal.cwd which then pinned the CLI to that directory regardless of where the user launched hermes from. This was a silent foot-gun — the user's 'cd' was being ignored. Changes: 1. cli.py: Restructured CWD resolution — if TERMINAL_CWD is not already set by the gateway, and the backend is local, always use os.getcwd(). Config terminal.cwd is irrelevant for interactive CLI/TUI sessions. 2. setup.py: Moved the cwd prompt from setup_terminal_backend() to setup_gateway(). It now only appears when configuring messaging platforms and is labeled 'Gateway working directory'. 3. Tests: Rewrote test_cwd_env_respect.py to validate the new behavior: explicit config paths are ignored for CLI, gateway pre-set values are preserved, non-local backends keep their config paths. 4. Docs: Updated configuration.md, profiles.md, and environment-variables.md to clarify that terminal.cwd only affects gateway/cron mode on local backend. Closes NousResearch#19214 * Revert "fix(cli): CLI/TUI on local backend always uses launch directory, ignores terminal.cwd (NousResearch#19242)" (NousResearch#19329) This reverts commit 9eaddfa. --------- Co-authored-by: helix4u <4317663+helix4u@users.noreply.github.com> Co-authored-by: Henkey <noonou7@gmail.com> Co-authored-by: MottledShadow <159539633+MottledShadow@users.noreply.github.com> Co-authored-by: Teknium <127238744+teknium1@users.noreply.github.com> Co-authored-by: kshitij <82637225+kshitijk4poor@users.noreply.github.com> Co-authored-by: charliekerfoot <charliekerfoot@gmail.com> Co-authored-by: 0xyg3n <jz.pentest@gmail.com> Co-authored-by: nftpoetrist <nftpoetrist@gmail.com> Co-authored-by: millerc79 <millerc79@users.noreply.github.com> Co-authored-by: Hermes Agent <hermes@example.com> Co-authored-by: leprincep35700 <61830395+leprincep35700@users.noreply.github.com> Co-authored-by: JasonOA888 <jason@outland.art> Co-authored-by: Tranquil-Flow <tranquil_flow@protonmail.com> Co-authored-by: Bartok9 <danielrpike9@gmail.com> Co-authored-by: Brooklyn Nicholson <brooklyn.bb.nicholson@gmail.com> Co-authored-by: SHL0MS <SHL0MS@users.noreply.github.com> Co-authored-by: alt-glitch <balyan.sid@gmail.com> Co-authored-by: Siddharth Balyan <52913345+alt-glitch@users.noreply.github.com> Co-authored-by: GodsBoy <dhuysamen@gmail.com>

Apply agent.redact.redact_sensitive_text with force=True to log content captured by _capture_log_snapshot before it reaches upload_to_pastebin. On-disk logs are untouched. Compatible with the off-by-default local redaction policy from NousResearch#16794: this is upload-time-only and applies regardless of security.redact_secrets because the public paste service is the leak surface. A visible banner is prepended to each uploaded log paste so reviewers know redaction was applied. --no-redact preserves deliberate unredacted sharing for maintainer-coordinated cases. The bug-report, setup-help, and feature-request issue templates direct users to run hermes debug share and paste the resulting public URLs. With redaction off by default per NousResearch#16794, those uploads have been carrying credentials onto paste.rs and dpaste.com. force=True is non-negotiable: without it, redact_sensitive_text short-circuits at agent/redact.py:322 when the env var is unset, so the fix would silently be a no-op for its target audience. A regression test pins this down. Fixes NousResearch#19316

* fix(model): avoid bedrock credential probe in provider picker * fix(tools): reconfigure enabled unconfigured toolsets * fix(acp): route Zed thoughts to reasoning callbacks * fix(acp): polish Zed context and tool rendering * fix(acp): polish common tool rendering * fix(acp): keep read-file starts compact * fix(acp): keep web extract rendering compact * Schedule ACP history replay and fence file output * fix(acp): compact Zed tool replay rendering * fix(weixin): send_weixin_direct cross-loop session check When send_message tool is called from inside a running gateway, the _run_async bridge spawns a worker thread with a separate event loop. send_weixin_direct then reuses the live adapter's aiohttp session which was created on the gateway's main loop. aiohttp's TimerContext checks asyncio.current_task(loop=session._loop) and sees None because we're executing on the worker thread's loop → raises 'Timeout context manager should be used inside a task'. Fix: skip the live-adapter shortcut when the session belongs to a different event loop, falling through to the fresh-session path. * chore: add MottledShadow to AUTHOR_MAP * feat(openrouter): add response caching support (#19132) Enable OpenRouter's response caching feature (beta) via X-OpenRouter-Cache headers. When enabled, identical API requests return cached responses for free (zero billing), reducing both latency and cost. Configuration via config.yaml: openrouter: response_cache: true # default: on response_cache_ttl: 300 # 1-86400 seconds Changes: - Add openrouter config section to DEFAULT_CONFIG (response_cache + TTL) - Add build_or_headers() in auxiliary_client.py that builds attribution headers plus optional cache headers based on config - Replace inline _OR_HEADERS dicts with build_or_headers() at all 5 sites: run_agent.py __init__, _apply_client_headers_for_base_url(), and auxiliary_client.py _try_openrouter() + _to_async_client() - Add _check_openrouter_cache_status() method to AIAgent that reads X-OpenRouter-Cache-Status from streaming response headers and logs HIT/MISS status - Document in cli-config.yaml.example - Add 28 tests (22 unit + 6 integration) Ref: https://openrouter.ai/docs/guides/features/response-caching * fix: After _clamp_command_names truncates skill names to fit the 32-cha… * test: add tests for cmd_key preservation through name clamping - TestClampCommandNamesTriples: unit tests for 3-tuple support in _clamp_command_names (short names, long names, collisions, multiple entries, backward compat with 2-tuples) - TestDiscordSkillCmdKeyDispatch: integration test through the full discord_skill_commands pipeline verifying long skill names retain their original cmd_key after clamping - Add contributor CharlieKerfoot to AUTHOR_MAP * fix(gateway/discord): require allowlist auth on slash commands Slash commands (_run_simple_slash, _handle_thread_create_slash) bypassed every DISCORD_ALLOWED_* gate enforced by on_message. Any guild member could invoke /background (RCE via terminal), /restart, /model, /skill, etc. CVSS 9.8 Critical. - _evaluate_slash_authorization mirrors on_message gates (user, role, channel, ignored channel) with fail-closed semantics - _check_slash_authorization sends ephemeral reject + logs + admin alert - Auth gate runs before defer() so rejections are ephemeral - /skill autocomplete returns [] for unauthorized users (no catalog leak) - Component views (ExecApproval, SlashConfirm, UpdatePrompt, ModelPicker) now honor role allowlists via shared _component_check_auth helper - Optional DISCORD_HIDE_SLASH_COMMANDS defense-in-depth - Cross-platform admin alert (Telegram/Slack fallback) on unauthorized attempts Based on PR #18125 by @0xyg3n. * chore: add 0xyg3n noreply email to AUTHOR_MAP * fix(slack): close previous handler in connect() to prevent zombie Socket Mode connections SlackAdapter.connect() overwrote self._handler, self._app, and self._socket_mode_task without closing the prior AsyncSocketModeHandler first. If connect() was called a second time on the same adapter (e.g. during a gateway restart or in-process reconnect attempt), the old Socket Mode websocket stayed alive. Both the old and new connections received every Slack event and dispatched it twice — producing double responses with different wording, the same bug that affected DiscordAdapter (#18187, fixed in #18758). Fix: add a close-before-reassign guard at the start of the connection setup path, mirroring the guard DiscordAdapter.connect() already has. When self._handler is None (fresh adapter, first connect()) the block is a harmless no-op. Scoped to the handler/app fields only — no behavior change for any path that does not call connect() twice. Fixes #18980 * chore: add nftpoetrist to AUTHOR_MAP * fix(gateway): resume sessions after crash/restart instead of blanket suspend suspend_recently_active() was unconditionally setting suspended=True on startup, causing get_or_create_session() to wipe conversation history on every restart. Change to set resume_pending=True instead, so sessions auto-resume while still allowing stuck-loop escalation after 3 failures. * chore: add millerc79 to AUTHOR_MAP * fix(gateway): send /new response before cancel_session_processing to avoid race (#18912) When /new is issued while an agent is actively processing, the confirmation response was never sent to the user because cancel_session_processing() was called before _send_with_retry(). Task cancellation side effects could silently drop the response. Fix: reorder to send the response BEFORE cancelling the old task. Add logging at the send point (matching the pattern at line 2800 in _process_message_background) so future failures are visible. Closes: #18912 * chore: add shellybotmoyer to AUTHOR_MAP * fix(gateway): correct ws scheme conversion for https urls * fix: update tests for resume_pending semantics + add AUTHOR_MAP entries Tests updated to reflect suspend_recently_active now setting resume_pending=True (preserves session) instead of suspended=True (wipes session history). AUTHOR_MAP entries: millerc79 (#19033), shellybotmoyer (#18915) * fix(whatsapp): pin protobufjs >=7.5.5 via npm overrides to clear 3 critical vulns (#19204) The whatsapp-bridge pulls @whiskeysockets/baileys at a pinned git commit whose transitive dep tree ships protobufjs <7.5.5, triggering GHSA-xq3m-2v4x-88gg (critical, arbitrary code execution). npm audit reported 3 cascading criticals: protobufjs, @whiskeysockets/libsignal-node (pulls protobufjs), and baileys itself (effect rollup). Fix: add npm overrides block pinning protobufjs to ^7.5.5. Deduplicates to a single 7.5.6 copy at node_modules/protobufjs that both libsignal-node and any other consumers resolve through normal module resolution. Why not bump baileys: npm-published baileys@6.17.16 is deprecated by the maintainers (wrong version), 7.0.0-rc.* still pulls the same vulnerable libsignal-node, and upstream Baileys HEAD adds a 4th vuln (music-metadata). The override is the minimal, behavior-preserving fix. Validation: - npm audit: 3 critical -> 0 vulnerabilities - node -e "import('@whiskeysockets/baileys')" -> all 5 named exports (makeWASocket, useMultiFileAuthState, DisconnectReason, fetchLatestBaileysVersion, downloadMediaMessage) resolve - node bridge.js loads all modules and reaches Express bind (exits only on EADDRINUSE because the live gateway owns :3000) - Single deduped protobufjs@7.5.6 in the tree * fix(goals): make /goal work in TUI and fix gateway verdict delivery (#19209) /goal was silently broken outside the classic CLI. TUI: /goal was routed through the HermesCLI slash-worker subprocess, which set the goal row in SessionDB but then called _pending_input.put(state.goal) — the subprocess has no reader for that queue, so the kickoff message was discarded. No post-turn judge was wired into prompt.submit either, so even a manual kickoff would not continue the goal loop. Intercept /goal in command.dispatch instead, drive GoalManager directly, and return {type: send, notice, message} so the TUI client renders the Goal-set notice and fires the kickoff. Run the judge in _run_prompt_submit after message.complete, surface the verdict via status.update {kind: goal}, and chain the continuation turn after the running guard is released. Gateway: _post_turn_goal_continuation was gated on hasattr(adapter, 'send_message'), but adapters only expose send(). That branch was dead on every platform — users never saw '✓ Goal achieved', 'Continuing toward goal', or budget-exhausted messages. Replace the dead call with adapter.send(chat_id, content, metadata) and drop a broken reference to self._loop. Tests: - tests/tui_gateway/test_goal_command.py — full /goal dispatch matrix (set / status / pause / resume / clear / stop / done / whitespace) plus regressions for slash.exec → 4018 and 'goal' staying in _PENDING_INPUT_COMMANDS. - tests/gateway/test_goal_verdict_send.py — locks in the adapter.send path for done / continue / budget-exhausted and verifies the hook no-ops when no goal is set or the adapter lacks send(). * fix(gateway): preserve home-channel thread targets across restart notifications * chore(release): map leprincep35700 email for PR #18440 salvage * fix(approval): extend sensitive write target to cover shell RC and credential files Terminal commands can write to shell RC files (~/.bashrc, ~/.zshrc, ~/.profile) and credential files (~/.netrc, ~/.pgpass, ~/.npmrc, ~/.pypirc) via redirection or tee without triggering approval, even though write_file already blocks these paths in file_safety.py. This creates an inconsistency: write_file protects these paths but terminal shell redirections bypass the same protection. An agent prompted via indirect injection could install persistent backdoors (e.g. PATH manipulation, alias overrides) or write credential entries without user approval. Extend _SENSITIVE_WRITE_TARGET with two new regex groups matching the same paths that file_safety.py's WRITE_DENIED_PATHS already covers: _SHELL_RC_FILES — ~/.bashrc, ~/.zshrc, ~/.profile, ~/.bash_profile, ~/.zprofile _CREDENTIAL_FILES — ~/.netrc, ~/.pgpass, ~/.npmrc, ~/.pypirc All 130 existing tests pass. * fix(cron): treat non-dict origin as missing instead of crashing tick ``_resolve_origin`` called ``origin.get('platform')`` on whatever ``job.get('origin')`` returned. The leading ``if not origin: return None`` short-circuited the falsy cases (None, empty dict, "") but a non-empty string passed that guard and then crashed with ``AttributeError: 'str' object has no attribute 'get'`` on every fire attempt. Observed in the wild after a migration script tagged jobs with free-form provenance strings (e.g. ``"combined-digest-replaces-x-and-y-20260503"``). ``mark_job_run`` did record ``last_status: error, last_error: "'str' object has no attribute 'get'"`` once, but the next tick re-loaded the same poisoned origin and crashed identically. The job stayed enabled, fired every tick, and accumulated cascading errors in the log until ``origin`` was patched manually. Replace the falsy guard with ``isinstance(origin, dict)``. Non-dict origins (string, int, list, tuple, float — anything that survived a hand-edit, JSON-script write, or migration) are now treated the same as a missing origin: the job continues with ``deliver`` falling back through its normal home-channel path instead of crashing the scheduler loop. Test parametrises the non-dict shapes that can appear in jobs.json through external writers and asserts ``_resolve_origin`` returns None for each. Note: this fix scope is the non-dict-``origin`` crash only. The ``next_run_at: null`` recurring-job recovery (the second sub-bug in #18722) is independently addressed by the in-flight #18825, which extends the never-silently-disable defense from #16265 to ``get_due_jobs()`` — that approach is well-aligned with the existing recovery pattern and ships fine without a competing change here. Fixes #18722 (non-dict origin crash; recurring-job recovery covered by #18825) * fix(tools): write_file handler now rejects missing 'content'/'path' args instead of silently writing zero-byte files (#19096) Under context pressure, frontier models sometimes emit tool calls with required fields dropped. Previously _handle_write_file() used args.get('content', '') which substituted an empty string for the missing key, returned success with bytes_written=0, and created a zero-byte file on disk. The model had no way to detect the failure. Changes: - Reject calls where 'path' is absent or not a non-empty string - Reject calls where 'content' key is entirely absent (key-presence check, not truthiness) — distinguishing a legitimately empty file from a dropped arg - Reject calls where 'content' is a non-string type - All error messages include guidance to re-emit the tool call or switch to execute_code with hermes_tools.write_file() for large payloads - Explicit empty string content (file truncation) continues to work Regression tests added for all four cases: missing path, missing content, explicit-empty content, and wrong content type. Fixes #19096 * fix(tui): clear Apple Terminal resize artifacts Use a deeper alt-screen clear for Apple Terminal resize repaints so host reflow artifacts do not survive the recovery frame. * feat(skill): add video-orchestrator optional creative skill Meta-pipeline that wraps any video request — narrative film, product / marketing, music video, explainer, ASCII, generative, comic, 3D, real-time/installation — in a Hermes Kanban pipeline. Performs adaptive discovery, designs an appropriate team for the requested style, generates the setup script that creates Hermes profiles + initial kanban task, and helps monitor execution. Routes scenes to whichever existing Hermes skill fits each beat (`ascii-video`, `manim-video`, `p5js`, `comfyui`, `touchdesigner-mcp`, `blender-mcp`, `pixel-art`, `baoyu-comic`, `claude-design`, `excalidraw`, `songsee`, `heartmula`, …) plus external APIs for TTS, image-gen, and image-to-video. Kanban orchestration uses the `kanban-orchestrator` and `kanban-worker` skills. The single-project workspace layout, profile-config patching pattern, SOUL.md-per-profile model, and `--workspace dir:<path>` discipline are adapted from alt-glitch's original kanban-video-pipeline at https://github.com/NousResearch/kanban-video-pipeline. This skill generalizes those patterns across video styles and replaces the original string-replacement config patcher with a PyYAML-based one that touches only `toolsets` and `skills.always_load` (preserving security-sensitive fields like `approvals.mode`). Includes: - SKILL.md — workflow + critical rules - references/ — intake, role archetypes, tool matrix, kanban setup, monitoring, six worked examples - assets/ — brief / setup.sh / soul.md templates - scripts/ — bootstrap_pipeline.py (plan.json -> setup.sh) and monitor.py (poll + issue detection) Co-authored-by: alt-glitch <balyan.sid@gmail.com> * rename: video-orchestrator → kanban-video-orchestrator The kanban prefix makes the skill discoverable alongside `kanban-orchestrator` and `kanban-worker`, and signals up front that this skill drives the kanban plugin rather than being a generic video tool. Updated: - directory rename - SKILL.md frontmatter `name:` and H1 - setup.sh.tmpl header * feat: add video_analyze tool for native video understanding (#19301) * feat: add video_analyze tool for native video understanding Adds a video_analyze tool that sends video files to multimodal LLMs (e.g. Gemini) for analysis via the OpenRouter-compatible video_url content type. Mirrors vision_analyze in structure, error handling, and registration pattern. Key design: - Base64 encodes entire video (no frame extraction, no ffmpeg dep) - Uses 'video_url' content block type (OpenRouter standard) - Supports mp4, webm, mov, avi, mkv, mpeg formats - 50 MB hard cap, 20 MB warning threshold - 180s minimum timeout (videos take longer than images) - AUXILIARY_VIDEO_MODEL env override, falls back to AUXILIARY_VISION_MODEL - Same SSRF protection, retry logic, and cleanup as vision_analyze Default disabled: registered in 'video' toolset (not in _HERMES_CORE_TOOLS). Users opt in via: hermes tools enable video, or enabled_toolsets=['video']. * feat(video): add models.dev capability pre-check + CONFIGURABLE_TOOLSETS entry - Pre-checks model video capability via models.dev modalities.input before expensive base64 encoding. Fails early with helpful message suggesting video-capable alternatives (gemini, mimo-v2.5-pro). - Passes optimistically if model unknown or lookup fails. - Adds ModelInfo.supports_video_input() helper. - Adds 'video' to CONFIGURABLE_TOOLSETS and _DEFAULT_OFF_TOOLSETS so 'hermes tools enable video' works from CLI. - 8 new tests for the capability check (37 total). * refactor(video): remove models.dev capability pre-check Removes _check_video_model_capability and ModelInfo.supports_video_input. The vision_analyze tool doesn't pre-check image capability either — both tools rely on the same pattern: send request, handle API errors gracefully with categorized user-facing messages. The pre-check was inconsistent (only worked for some providers/models) so drop it for parity. * cleanup: compress comments, fix fragile timeout coupling - Replace _VISION_DOWNLOAD_TIMEOUT * 2 with hardcoded 60s (no silent breakage if vision timeout changes independently) - Strip verbose comments and redundant log lines throughout - No behavioral changes * fix(debug): redact log content at upload time in hermes debug share Apply agent.redact.redact_sensitive_text with force=True to log content captured by _capture_log_snapshot before it reaches upload_to_pastebin. On-disk logs are untouched. Compatible with the off-by-default local redaction policy from #16794: this is upload-time-only and applies regardless of security.redact_secrets because the public paste service is the leak surface. A visible banner is prepended to each uploaded log paste so reviewers know redaction was applied. --no-redact preserves deliberate unredacted sharing for maintainer-coordinated cases. The bug-report, setup-help, and feature-request issue templates direct users to run hermes debug share and paste the resulting public URLs. With redaction off by default per #16794, those uploads have been carrying credentials onto paste.rs and dpaste.com. force=True is non-negotiable: without it, redact_sensitive_text short-circuits at agent/redact.py:322 when the env var is unset, so the fix would silently be a no-op for its target audience. A regression test pins this down. Fixes #19316 * fix(cli): CLI/TUI on local backend always uses launch directory, ignores terminal.cwd (#19242) CLI/TUI sessions on the local backend now unconditionally use os.getcwd() as the working directory. The terminal.cwd config value is only consumed by gateway/cron/delegation modes (where there's no shell to cd from). Previously, 'hermes setup' would write an absolute path (e.g. $HOME) into terminal.cwd which then pinned the CLI to that directory regardless of where the user launched hermes from. This was a silent foot-gun — the user's 'cd' was being ignored. Changes: 1. cli.py: Restructured CWD resolution — if TERMINAL_CWD is not already set by the gateway, and the backend is local, always use os.getcwd(). Config terminal.cwd is irrelevant for interactive CLI/TUI sessions. 2. setup.py: Moved the cwd prompt from setup_terminal_backend() to setup_gateway(). It now only appears when configuring messaging platforms and is labeled 'Gateway working directory'. 3. Tests: Rewrote test_cwd_env_respect.py to validate the new behavior: explicit config paths are ignored for CLI, gateway pre-set values are preserved, non-local backends keep their config paths. 4. Docs: Updated configuration.md, profiles.md, and environment-variables.md to clarify that terminal.cwd only affects gateway/cron mode on local backend. Closes #19214 * Revert "fix(cli): CLI/TUI on local backend always uses launch directory, ignores terminal.cwd (#19242)" (#19329) This reverts commit 9eaddfafa30018b1d4eb3e5e72bbe2d242f8e50e. * fix(kanban): anchor board, workspaces, and worker logs at the shared Hermes root The Kanban board is documented as shared across all Hermes profiles, but `kanban_db_path()` and `workspaces_root()` resolved through `get_hermes_home()`, which returns the active profile's HERMES_HOME. When the dispatcher spawned a worker with `hermes -p <profile> --skills kanban-worker chat -q "work kanban task <id>"`, the worker rewrote HERMES_HOME to the profile subdirectory before kanban_db.py imported, opening a profile-local `kanban.db` that did not contain the dispatcher's task. `kanban_show` and `kanban_complete` failed; the dispatcher's row stayed `running` and was retried/crashed. The same defect applied to `_default_spawn`'s log directory and `worker_log_path`, so `hermes kanban tail` did not see the worker's output. Add `kanban_home()` in `hermes_cli/kanban_db.py` that resolves through `HERMES_KANBAN_HOME` (explicit override) then `get_default_hermes_root()`, which already understands the `<root>/profiles/<name>` and Docker / custom HERMES_HOME shapes. Reroute `kanban_db_path`, `workspaces_root`, the `_default_spawn` log directory, `gc_worker_logs`, and `worker_log_path` through it. Profile-specific config, `.env`, memory, and sessions stay isolated as before; only the kanban surface is shared. Add a `TestSharedBoardPaths` regression class to `tests/hermes_cli/test_kanban_db.py` covering: default install, profile-worker convergence, Docker custom HERMES_HOME, Docker profile layout, explicit `HERMES_KANBAN_HOME` override, and a real SQLite round-trip across dispatcher and worker HERMES_HOME perspectives. The dispatcher/worker convergence tests fail on origin/main and pass after the fix. Update the `kanban.md` user-guide page and the misleading docstrings in `kanban_db.py` to describe the shared-root behavior. Fixes #19348 * fix(kanban): add per-path env overrides + dispatcher env injection Layers defense-in-depth on top of the shared-root anchoring (base commit). Changes in hermes_cli/kanban_db.py: - kanban_db_path() now honours HERMES_KANBAN_DB first, then falls through to kanban_home()/kanban.db. - workspaces_root() now honours HERMES_KANBAN_WORKSPACES_ROOT first, then falls through to kanban_home()/kanban/workspaces. - All three overrides (HERMES_KANBAN_HOME, HERMES_KANBAN_DB, HERMES_KANBAN_WORKSPACES_ROOT) now call .expanduser() for consistency. - _default_spawn() injects HERMES_KANBAN_DB and HERMES_KANBAN_WORKSPACES_ROOT into the worker subprocess env. Even when the worker's get_default_hermes_root() resolution somehow disagrees with the dispatcher's (symlinks, unusual Docker layouts), the two processes still open the same SQLite file. Module docstring updated to describe all three overrides and the dispatcher env-injection contract. Tests (tests/hermes_cli/test_kanban_db.py, TestSharedBoardPaths): - test_hermes_kanban_db_pin_beats_kanban_home - test_hermes_kanban_workspaces_root_pin_beats_kanban_home - test_empty_per_path_overrides_fall_through - test_dispatcher_spawn_injects_kanban_db_and_workspaces_root (monkeypatches subprocess.Popen, asserts both env vars reach the child even after HERMES_HOME is rewritten by `hermes -p <profile>`.) Docs: website/docs/reference/environment-variables.md gets entries for the three kanban env vars. This fusion is built on the cleanest of the seven competing PRs that targeted issue #18442: * Base commit (from PR #19350 by @GodsBoy): add `kanban_home()` helper anchored at `get_default_hermes_root()`, reroute all 5 kanban path sites through it (including the 3 sibling log-dir sites that the other six PRs missed), 8-test regression class. * Dispatcher env-var injection approach drawn from PRs #18300 (@quocanh261997) and #19100 (@cg2aigc). * Per-path env overrides drawn from PR #19100 (@cg2aigc). * get_default_hermes_root() resolution direction first proposed in PR #18503 (@beibi9966) and PR #18985 (@Gosuj). Closes the duplicate/competing PRs: #18300, #18503, #18670, #18985, #19037, #19056, #19100. Fixes #18442 and #19348. Co-authored-by: quocanh261997 <17986614+quocanh261997@users.noreply.github.com> Co-authored-by: cg2aigc <232694053+cg2aigc@users.noreply.github.com> Co-authored-by: beibi9966 <beibei1988@proton.me> Co-authored-by: Gosuj <123411271+Gosuj@users.noreply.github.com> Co-authored-by: LeonSGP43 <154585401+LeonSGP43@users.noreply.github.com> * fix(mcp): reconnect on terminated sessions * fix(codex-transport): preserve request override headers for xai responses * fix(cli): follow 307 redirects in MiniMax OAuth httpx clients The MiniMax OAuth API endpoints have moved from api.minimax.io to account.minimax.io and the old paths now respond with HTTP 307. httpx defaults to follow_redirects=False (unlike requests), so the device-code and token-refresh flows fail with "Temporary Redirect". Adds follow_redirects=True to the two httpx.Client instances in hermes_cli/auth.py used by the MiniMax OAuth flow. This is forward- compatible -- if endpoints move again, the redirect chain is followed automatically. Repro before patch: curl -i -X POST https://api.minimax.io/oauth/code # -> 307 curl -i -X POST https://api.minimax.io/oauth/token # -> 307 Verified end-to-end against a real MiniMax Plus account on macOS; the existing tests/test_minimax_oauth.py suite (15 tests) still passes. * fix(api_server): fall back to default port on malformed API_SERVER_PORT * fix(vision): guard user_prompt type before debug_call_data construction * fix(vision): guard user_prompt type in video_analyze_tool before debug_call_data construction * fix(compressor): skip non-string tool content in dedup pass to prevent AttributeError * fix(gateway): hide required-arg commands from Telegram menu * fix(send_message): support QQBot C2C and group chats The _send_qqbot function was hardcoded to use the guild channel endpoint (/channels/{id}/messages), which fails for C2C private chats and QQ groups with 'channel does not exist' (code 11263). This change tries the appropriate endpoints in order: 1. /channels/{id}/messages (guild channels) 2. /v2/users/{id}/messages (C2C private chats) 3. /v2/groups/{id}/messages (QQ groups) Fixes active sending to QQBot C2C and group recipients. * fix(curator): pass auxiliary curator api_key/base_url into runtime resolution Curator review fork now forwards per-slot credentials from auxiliary.curator and legacy curator.auxiliary to resolve_runtime_provider, matching the canonical aux task schema. Add regression tests for binding and main fallback. * chore(release): map 0xKingBack noreply email * fix(windows): enforce UTF-8 stdout/stderr to prevent UnicodeEncodeError crash On Windows, services and terminals default to cp1252 encoding. The CLI uses box-drawing characters (┌│├└─) in banners, doctor output, and status displays. When print() tries to encode these under cp1252, an unhandled UnicodeEncodeError crashes the gateway on startup. This fix adds early UTF-8 enforcement in hermes_cli/__init__.py: - Sets PYTHONUTF8=1 and PYTHONIOENCODING=utf-8 - Re-opens stdout/stderr with UTF-8 encoding if not already UTF-8 Runs at import time so it protects all CLI subcommands. No effect on Unix (gated on sys.platform == "win32"). Backwards-compatible: on systems already using UTF-8, the function is a no-op. Fixes #10956 * fix(file): strip leaked terminal fences from reads * fix(kanban): drop worker identity claim from KANBAN_GUIDANCE (#19427) KANBAN_GUIDANCE layer 3 of the system prompt started with 'You are a Kanban worker', overriding the profile's SOUL.md identity at layer 1. Profiles with strict role boundaries (e.g. a reviewer profile that never writes code) still executed implementation tasks because the kanban identity claim diluted SOUL's. Drop the identity line. Layer 3 now describes the task-execution protocol only; SOUL.md remains the sole identity slot. Fixes #19351 * fix(gateway): suppress duplicate voice transcripts Deduplicate exact and near-exact Discord voice STT transcripts per guild/user over a short window to avoid duplicate delayed agent replies. Adds regression tests for exact and near-duplicate voice transcript suppression. * fix(gateway): bridge top-level require_mention to Telegram config Users commonly place `require_mention: true` at the top level of config.yaml alongside `group_sessions_per_user`, expecting it to gate Telegram group messages. The key was silently ignored because the config loader only checked `yaml_cfg["telegram"]["require_mention"]`. When `require_mention` is found at the top level and no telegram-specific value is set, the fix now: - adds it to platforms_data["telegram"]["extra"] so _telegram_require_mention() picks it up via the primary config.extra path - sets TELEGRAM_REQUIRE_MENTION env var for the secondary fallback path A telegram-specific value (telegram.require_mention) still takes precedence over the top-level shorthand. Also corrects telegram.md: bare /cmd without @botname is rejected when require_mention is enabled; only /cmd@botname (bot-menu form) passes. Fixes #3979 * fix: sanitize Telegram help command mentions * fix(gateway): clear queued reload-skills notes on new/resume/branch * fix(auxiliary): propagate explicit_api_key to _try_anthropic() _try_anthropic() lacked the explicit_api_key parameter added to _try_openrouter() in #18768. When resolve_provider_client() is called with provider="anthropic" and an explicit key (e.g. from a fallback_model entry with api_key set), the key was silently ignored — _try_anthropic() always fell back to resolve_anthropic_token(), so the fallback returned None,None for users without a default Anthropic credential configured. Fix: add explicit_api_key: str = None to _try_anthropic() and use explicit_api_key or <pool/env fallback> in both the pool-present and no-pool paths. Pass explicit_api_key=explicit_api_key at the call site in resolve_provider_client(). Symmetric with the _try_openrouter() fix. No behavior change when explicit_api_key is None. * fix(cron): bump skill usage when cron jobs load skills Cron jobs that reference skills via their skills: config never bumped the usage counters in .usage.json, so the curator could auto-archive skills actively used by cron jobs based on stale timestamps. Now _build_job_prompt() calls bump_use(skill_name) for each successfully loaded skill so the curator sees them as active. * fix(tui): tolerate npm's peer-flag drop in lockfile comparison `_tui_need_npm_install()` compares the canonical `package-lock.json` against the hidden `node_modules/.package-lock.json` to decide whether `npm install` needs to re-run. npm 9 drops the `"peer": true` field from the hidden lock on dev-deps that are *also* declared as peers (the canonical lock preserves the dual annotation). That made the check flag 16 packages (`@babel/core`, `@types/node`, `@types/react`, `@typescript-eslint/*`, `react`, `vite`, `tsx`, `typescript`, …) as mismatched on every launch, triggering a runtime `npm install`. Inside the Docker image, that runtime install then fails with EACCES because `/opt/hermes/ui-tui/node_modules/` is root-owned from build time, so `docker run … hermes-agent --tui` prints: Installing TUI dependencies… npm install failed. …and exits 1, with no preview. The empty preview is a second bug: the launcher captured only stderr, but npm 9 writes EACCES to stdout, which was DEVNULL'd. Fixes: - Add `"peer"` to `_NPM_LOCK_RUNTIME_KEYS` so the comparison ignores the non-deterministic field, alongside the existing `"ideallyInert"`. - Capture stdout as well as stderr in the install subprocess so future failures surface a useful preview instead of a bare "failed." line. Regression tests: - `test_no_install_when_only_peer_annotation_differs` — the exact scenario - `test_install_when_version_differs_even_with_peer_drop` — guards against the peer-drop tolerance masking a real version skew On-host impact: the same false-positive was firing on every `hermes --tui` invocation from a normal checkout, silently running a no-op `npm install` each time (it converged because the host's `node_modules/` is writable). Startup time on the TUI should drop noticeably. * feat(docker): launch dashboard as side-process via HERMES_DASHBOARD=1 Adds an optional dashboard side-process to the container entrypoint, toggled by `HERMES_DASHBOARD=1` (also accepts `true` / `yes`). When set, the entrypoint backgrounds `hermes dashboard` before `exec`-ing the main command so the user's chosen foreground process (gateway, chat, `sleep infinity`, …) remains PID-of-interest for the container runtime. docker run -d \ -v ~/.hermes:/opt/data \ -p 8642:8642 -p 9119:9119 \ -e HERMES_DASHBOARD=1 \ nousresearch/hermes-agent gateway run Defaults chosen for the container case: - Host: 0.0.0.0 (reachable through published port; can override to 127.0.0.1 via HERMES_DASHBOARD_HOST for sidecar/reverse-proxy setups) - Port: 9119 (matches `hermes dashboard`) - Auto-adds `--insecure` when binding to non-localhost, matching the dashboard's own safety gate for exposing API keys - HERMES_DASHBOARD_TUI is read by `hermes dashboard` directly — no entrypoint plumbing needed Dashboard output is prefixed with `[dashboard]` via `stdbuf`+`sed -u` so it's easy to separate from gateway logs in `docker logs`. No supervision: if the dashboard crashes it stays down until the container restarts (documented in the `:::note` panel). Other changes bundled in: - Deprecate GATEWAY_HEALTH_URL / GATEWAY_HEALTH_TIMEOUT env vars in hermes_cli/web_server.py with a DEPRECATED block comment and a `.. deprecated::` note on _probe_gateway_health. The feature still works for this release; it'll be removed alongside the move to a first-class dashboard config key. - Rewrite the "Running the dashboard" doc section around the new single-container pattern. Drops the previously-documented dashboard-as-its-own-container setup — that pattern relied on the deprecated env vars for cross-container gateway-liveness detection, and without them the dashboard would permanently report the gateway as "not running". - Collapse the two-service Compose example (gateway + dashboard container) into a single service with HERMES_DASHBOARD=1. Removes the now-unnecessary bridge network and `depends_on`. - Drop the ":::warning" caveat about "Running a dashboard container alongside the gateway is safe" — that case no longer exists. * fix(cli): local backend CLI always uses launch directory, stops .env sync of TERMINAL_CWD (#19334) The old CWD heuristic was fooled by: 1. TERMINAL_CWD persisted to .env by `hermes config set terminal.cwd` 2. Inherited TERMINAL_CWD from parent hermes processes 3. Only resolved when config had a placeholder value (not explicit paths) Fix: - load_cli_config() unconditionally uses os.getcwd() for local backend - TERMINAL_CWD always force-exported in CLI mode (overrides stale values) - Gateway sets _HERMES_GATEWAY=1 marker so lazy cli.py imports don't clobber - Remove terminal.cwd from config-set .env sync map (prevents re-poisoning) - Clarify setup wizard label as 'Gateway working directory' Closes #19214 * fix(skill): reference built-in video_analyze/vision_analyze tools in kanban-video-orchestrator (#19562) The tool-matrix.md had a vague 'Gemini multimodal / Claude vision' entry in the external tools table that didn't point to the actual built-in Hermes tools. Now that video_analyze exists (merged in #19301), update the skill to reference it properly: - Add 'Built-in Hermes tools for media review' section with proper toolset names, enablement instructions, and capability details - Add video + vision toolsets to cinematographer, editor, and reviewer profile configs - Update role-archetypes.md to reference tools by name - Update API key table to explain video_analyze routing * test(kanban): add failing test for list_profiles_on_disk with custom HERMES_HOME list_profiles_on_disk() hardcodes Path.home() / ".hermes" / "profiles", ignoring HERMES_HOME when set to a custom root (e.g. /opt/data). Add test_list_profiles_on_disk_custom_root to cover this case. Related to #18442, #18985. * fix(kanban): use get_default_hermes_root() in list_profiles_on_disk Path.home() / ".hermes" / "profiles" breaks custom-root deployments (e.g. HERMES_HOME=/opt/data). Switch to get_default_hermes_root() so profile discovery is consistent with kanban_db_path() and workspaces_root() fixed in #18985. Fixes #19017. Related to #18442, #18985. * fix(curator): prevent false-positive consolidation from substring matching _classify_removed_skills used naive 'in' substring matching to detect whether a removed skill's name appeared in skill_manage arguments. Short/common skill names (api, git, test, foo, etc.) matched incorrectly when they appeared as substrings of longer words in file paths (references/api-design.md) or content (latest, testing). Replace with field-aware matching: - file_path: needle must match a complete filename stem or directory name, with -/_ normalised for variant tolerance - content fields: word-boundary regex (\b) prevents embedding in longer words Also add 3 regression tests covering the false-positive scenarios. * chore(release): map daixin1204@gmail.com to @SimbaKingjoe * skills-hub: hash binary skill bundle files correctly * test(skills): add bytes-vs-str equivalence and on-disk hash parity tests Follow-up on #9925 cherry-pick adding two additional tests: - bytes content hashes identically to its str-decoded form - mixed bytes+str bundle hash equals the on-disk content_hash from skills_guard (the production invariant used to detect drift) Also map dodofun@126.com and 1615063567@qq.com in AUTHOR_MAP so the CI contributor check passes for the cherry-picked commit. Co-authored-by: LeonSGP43 <cine.dreamer.one@gmail.com> Co-authored-by: zhao0112 <1615063567@qq.com> * fix(cron): recover null next_run_at jobs and tolerate non-dict origin Fixes #18722 get_due_jobs() now recomputes next_run_at via compute_next_run() for cron/interval jobs that arrived with null next_run_at (e.g. via direct jobs.json edits) instead of silently skipping them. _resolve_origin() guards with isinstance(origin, dict), and _deliver_result() now routes through _resolve_origin() so string/non-dict origins no longer crash the ticker. References: references #18735 (open competing fix from automated bulk PR touching 79 files); this PR is a focused single-issue contribution and adds the missing interval-recovery test variant Co-Authored-By: Claude <noreply@anthropic.com> * test(cron): cover null next_run_at recovery and non-dict origin tolerance Adds four regression tests guarding the bugfix in the previous commit: - TestGetDueJobs::test_broken_cron_without_next_run_is_recovered exercises cron schedules whose next_run_at was lost; expects compute_next_run to repopulate it within get_due_jobs() rather than silently skipping the job. - TestGetDueJobs::test_broken_interval_without_next_run_is_recovered does the same for interval schedules. - TestResolveOrigin::test_string_origin_is_tolerated and test_non_dict_origin_is_tolerated confirm _resolve_origin() returns None for legacy/hand-edited origins (string, list, int) instead of raising. Co-Authored-By: Claude <noreply@anthropic.com> * chore(release): add AUTHOR_MAP entries for upcoming salvage batch Pre-adds author-email mappings for the 21 Tier 1b salvage PRs so their cherry-picked commits land with mapped GitHub logins in the release notes. * fix(cli): avoid voice TTS restart race * test: cover max-iterations summary message sanitization * fix: treat ctrl-c as curses cancel * fix(gateway): show other profiles in `gateway status` to prevent confusion When multiple gateway profiles are running (e.g. default and wx1), `hermes gateway status` can be misleading — stopping one profile's gateway and checking status may still show the other profile's process without indicating which profile it belongs to. Add `_print_other_profiles_gateway_status()` which displays running gateways from other profiles at the bottom of the status output: Other profiles: ✓ wx1 — PID 166893 This uses the existing `find_profile_gateway_processes()` and `get_active_profile_name()` — no new dependencies. Closes #19113 Related: #4402, #4587 * fix(setup): add missing SLACK_HOME_CHANNEL prompt to _setup_slack() _setup_slack() was the only platform setup function that did not prompt for a home channel. All four sibling setups (_setup_telegram, _setup_discord, _setup_mattermost, _setup_bluebubbles) close with an identical home-channel block, and setup_gateway() already checks for SLACK_HOME_CHANNEL presence at the end of the wizard — but the value was never collected, leaving cron delivery and cross-platform notifications silently broken for Slack after a fresh hermes setup run. Add the standard home-channel prompt at the end of _setup_slack(), symmetric with the Discord implementation. Add two unit tests that verify the prompt is saved when provided and skipped when left blank. * fix(signal): skip reactions for unauthorized senders The on_processing_start hook fired a reaction emoji (👀) on every inbound Signal message before run.py's _is_user_authorized check. This meant contacts not in SIGNAL_ALLOWED_USERS would see the bot react to their messages even though Hermes silently dropped them — leaking the presence of the bot and causing confusing UX. Two changes to gateway/platforms/signal.py: 1. Read SIGNAL_ALLOWED_USERS into self.dm_allow_from in __init__ (mirrors the group_allow_from pattern already in place). 2. Add _reactions_enabled(event) — two-gate check: - SIGNAL_REACTIONS=false/0/no disables reactions globally - If SIGNAL_ALLOWED_USERS is set, only react to senders in the allowlist (skips unauthorized contacts) Both on_processing_start and on_processing_complete now call this guard before sending any reaction. Telegram already has an equivalent _reactions_enabled() guard (controlled by TELEGRAM_REACTIONS). This brings Signal to parity. * fix: exclude ancestor PIDs from gateway process scan (#13242) _scan_gateway_pids() uses ps-based pattern matching to find running gateways. When invoked from the CLI (e.g. `hermes gateway status`), the calling process itself matches gateway patterns, causing false positives — the CLI is mistakenly counted as a running gateway. Add _get_ancestor_pids() that walks the process tree from the current PID up to init (PID 1). Merge this set into exclude_pids at the top of _scan_gateway_pids() so the entire ancestor chain is filtered out. This complements the existing os.getpid() exclusion in _append_unique_pid() by also covering parent/grandparent processes (e.g. when hermes is invoked via a wrapper script or shell). Closes #13242 * fix(cli): allow custom:* provider slugs in model validation Two related fixes for custom_providers model switching: 1. validate_requested_model() now recognizes custom:<name> slugs (e.g. custom:volcengine) as custom endpoints, not generic providers. Previously only the bare 'custom' slug matched the relaxed validation branch, causing model validation to fail with 'not found in provider listing' for all named custom providers. 2. switch_model() now consults the custom_providers list when deciding whether to override a validation rejection. If the requested model matches the entry's 'model' field or any key in its 'models' dict, the switch is accepted even when the remote /v1/models endpoint does not list it. Both changes are covered by existing tests (86 passed). * fix(gateway): move quick-command dispatch before built-in handlers Quick commands of type "alias" that target built-in slash commands (e.g. /h -> /model) were processed too late in _handle_message — after the if-canonical=="model" checks. This meant alias expansion never reached the target handler and fell through to the LLM as raw text. Two fixes: 1. Move the quick_commands block before built-in dispatch so alias targets (like /model) hit the correct handler after expansion. 2. Extract bare command name from target_command via .split()[0] to feed _resolve_cmd() correctly (was using the full arg-string). * fix(tui): call process.exit(0) after Ink exit to trigger terminal cleanup Ink's exit() calls unmount() which resets terminal modes (kitty keyboard, mouse, etc.) but does NOT call process.exit(). The Node process stays alive because stdin is still open (Ink listens on it), so the process.on('exit') handler in entry.tsx — which sends the final resetTerminalModes() — never fires. This left kitty keyboard protocol and other terminal modes enabled in the parent shell after /quit, Ctrl+C, or Ctrl+D, breaking arrow keys and other input in subsequent programs. Add explicit process.exit(0) after exit() in die() so the process actually terminates and the exit handler runs. Fixes #19194 * fix(tests): tolerate ps ancestor-walk in find_gateway_pids fallback test (#19590) Follow-up to #19586 (@cixuuz salvage): _get_ancestor_pids walks ps -o ppid= up the process tree, which the pre-existing mock in test_find_gateway_pids_falls_back_to_pid_file_when_process_scan_fails didn't expect. Return empty stdout so the ancestor loop terminates cleanly and the original fallback assertion still passes. * fix(web): add missing icons for config page category sidebar Add icon mappings for 9 categories that fell back to FileQuestion: - bedrock (Cloud), curator (Sparkles), kanban (LayoutDashboard) - model_catalog (BookOpen), openrouter (Route), sessions (History) - tool_loop_guardrails (Shield), tool_output (FileOutput), updates (RefreshCw) * fix(agent): surface preflight compression status Preflight compression can run synchronously before the first model call when a loaded session exceeds the active context threshold. Gateway users saw no visible progress while the compression LLM call was in flight, which can look like a dropped message during long compactions.\n\nEmit the existing lifecycle status through _emit_status before starting preflight compression so CLI, gateway, and WebUI status callbacks all get immediate feedback.\n\nAdds a regression assertion for the preflight path. * Clarify session_search auxiliary model docs * fix: _chromium_installed() now checks AGENT_BROWSER_EXECUTABLE_PATH and system Chrome Before this fix, _chromium_installed() only searched Playwright-style chromium-* / chromium_headless_shell-* directories, which meant users with system Chrome or AGENT_BROWSER_EXECUTABLE_PATH configured still had all browser_* tools gated. Now checks three sources in priority order: 1. AGENT_BROWSER_EXECUTABLE_PATH env var (if set and points to a real binary) 2. System Chrome/Chromium via shutil.which() (google-chrome, chromium-browser, chrome) 3. Playwright browser cache (existing logic, kept as fallback) Closes #19294 * fix(feishu): enable MEDIA attachment delivery in send_message tool The _send_feishu() function already supports media_files (images, video, audio, documents) via the adapter's send_image_file/send_video/send_voice /send_document methods, but _send_to_platform() never routed Feishu into the early media-handling branch — media attachments were silently dropped with a "not supported" warning. Add a Feishu-specific media branch (matching the existing Yuanbao/Signal pattern) so that MEDIA:<path> tags in send_message calls are correctly delivered as native Feishu attachments. Also update the two error/warning message strings to include feishu in the supported platform list. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(security): bind Meet node server to localhost and restrict token file to owner read * fix: back up config.yaml before hermes setup modifies it Create a timestamped backup (~/.hermes/config.yaml.bak.YYYYMMDD_HHMMSS) before the setup wizard runs any configuration sections. After setup completes, show the backup path and a restore command. This protects user-customized values (compression thresholds, provider routing, PII redaction, auxiliary model configs) from being silently overwritten by setup defaults. Addresses #3522 * fix: inherit reasoning config in API server runs * fix(run_agent): gate iteration-limit provider routing to OpenRouter * fix(delegate): inherit parent fallback_chain in _build_child_agent _build_child_agent constructed child AIAgents without passing fallback_model, leaving _fallback_chain=[] for every subagent. When a subagent hit a rate-limit or credential exhaustion the runtime fallback check (run_agent.py:7486 / 12267) found an empty chain and failed immediately — even though the parent agent was configured with fallback_providers and would have recovered. The cron scheduler already propagates fallback_model correctly (scheduler.py:1038). Fix closes the parity gap by reading the parent's _fallback_chain (the normalised list form accepted by AIAgent's fallback_model parameter) and threading it through. Empty chains coerce to None so AIAgent initialises _fallback_chain=[] as usual rather than iterating an empty list. * fix: allow kanban tools for orchestrator profiles with kanban toolset The _check_kanban_mode() gating function only checked for HERMES_KANBAN_TASK env var, which is only set by the dispatcher when spawning workers. This prevented orchestrator profiles (like techlead) from using kanban_create, kanban_link, etc. even when they had 'kanban' explicitly in their toolsets config. Now uses load_config() from hermes_cli.config (which has mtime-based caching) to check if 'kanban' is in the profile's toolsets list. This enables orchestrators to route work via Kanban while workers continue using the dispatcher env var. Fixes #18968 * test(kanban): update worker-prompt header assertion to match #19427 PR #19427 dropped the 'You are a Kanban worker' identity line from KANBAN_GUIDANCE so SOUL.md stays authoritative for profile identity. This test assertion was stale against that change; update it to the new protocol-only header. * fix(skills): keep manual skills out of curator * chore(release): map cine.dreamer.one@gmail.com to @LeonSGP43 * chore(release): AUTHOR_MAP entries for Tier 1c salvage batch Pre-adds author-email mappings for upcoming Tier 1c salvage PRs (small Apr 24-25 fixes). * fix(compressor): reset _summary_failure_cooldown_until in on_session_reset() on_session_reset() cleared _previous_summary, _last_summary_error, and _ineffective_compression_count but left _summary_failure_cooldown_until intact. When a transient summary error sets a 60 s cooldown (or 600 s for a missing-provider RuntimeError) and the user immediately runs /reset or /new, the cooldown carries into the new session. If the new session reaches the compression threshold before the cooldown expires, _generate_summary() returns None early, middle turns are silently dropped without a summary, and the agent continues with no indication that compaction was skipped. Fix: set _summary_failure_cooldown_until = 0.0 in on_session_reset(), matching the value assigned in __init__ and symmetric with the other per-session fields already cleared there. Fixes #15547 * fix(delegation): pass target_model to resolve_runtime_provider in _resolve_delegation_credentials When delegation.model differs from model.default and the provider is opencode-go or opencode-zen, the wrong api_mode is computed because resolve_runtime_provider falls back to model_cfg.get('default') — the main model — instead of the configured delegation model. For example, with model.default=minimax-m2.7 (anthropic_messages) and delegation.model=glm-5.1 (chat_completions), subagents get anthropic_messages, which strips /v1 from the base URL and causes a 404. resolve_runtime_provider already accepts target_model for exactly this purpose; _resolve_delegation_credentials just wasn't passing it. Fixes #15319 Related: #13678 * fix(anthropic): cap max_tokens at 65536 for Qwen models via DashScope DashScope's Anthropic-compatible endpoint enforces max_tokens ∈ [1, 65536]. Adding "qwen3" to _ANTHROPIC_OUTPUT_LIMITS prevents 400 errors that were misclassified as context overflow, triggering premature compression. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(tui): declare nanostores dependency * fix(docker): exclude compose/profile runtime state from build context * fix(cron): drop stale env-var override of persisted provider Cron jobs were passing os.getenv("HERMES_INFERENCE_PROVIDER") as the "requested" arg to resolve_runtime_provider(), which short-circuited the resolver's own precedence (explicit arg → persisted config → env) and let stale shell/.env values outrank the user's saved provider. Long-lived cron daemons inherit env from the shell that launched them, so a since-changed provider (e.g. DeepSeek) could keep firing for jobs that don't pin provider/model. Same bug class as f0b763c74 fixed for the TUI /model switch. Pass only job.get("provider") and let resolve_requested_provider fall through to persisted config and env in the documented order. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(cron): skip AI call when script produces no output When a cron job has a pre-run script that runs successfully but produces no output (e.g. email checker with no new mail), the scheduler previously injected "[Script ran successfully but produced no output.]" into the prompt and still called the AI model. This wastes tokens on every cycle. Now _build_job_prompt() returns None when script output is empty, and run_job() short-circuits with a SILENT response - zero API calls when there is nothing to report. * fix(gateway): allow free_response_channels to override DISCORD_IGNORE_NO_MENTION When DISCORD_IGNORE_NO_MENTION is true (default), the bot ignores messages without @mention. However, this check ran before evaluating free_response_channels, so messages in free-response channels were wrongly dropped unless they contained a mention. This change adds a carve-out: if the message lands in a channel that is configured as a free response channel (or its parent category is), the ignore-no-mention rule is skipped. Also removes the unconditional skip_thread for free response channels so that auto_thread still creates threads there unless explicitly disabled via DISCORD_NO_THREAD_CHANNELS. * fix(telegram): fallback to document when photo dimensions exceed limits Telegram's send_photo has dimension limits (sum of width+height <= 10000px). When sending large screenshots or tall images, the API returns 'Photo_invalid_dimensions' error. Fix: Catch this specific error in send_image_file() and automatically fallback to send_document() which has no dimension limits (only 50MB size). This is similar to the existing 5MB URL fallback (commit 542faf22) but handles local files with dimension issues instead of URL size issues. * fix(gemini): extract usageMetadata from streaming chunks for token tracking * fix(cli): sync use_gateway in _reconfigure_provider for tts, browser, and web _reconfigure_provider() updates cloud_provider/backend/tts.provider when switching tool providers via "hermes setup tools → Reconfigure", but did not update the matching use_gateway flag. _configure_provider() (the initial-setup path) sets use_gateway on all three tool categories. The omission in _reconfigure_provider leaves a stale value in config.yaml: switching from a Nous-managed provider (use_gateway=True) to a self-hosted one keeps use_gateway=True, continuing to route requests through the Nous gateway; switching the other way leaves use_gateway unset so the managed feature does not activate. Fix: mirror _configure_provider's use_gateway = bool(managed_feature) assignment in the tts, browser, and web blocks of _reconfigure_provider. Symmetric across all three tool categories. No behavior change for any provider that does not set tts_provider, browser_provider, or web_backend. Fixes #15229 * fix(tui): close AIAgent on session teardown to prevent FD leak session.close only closed the slash_worker subprocess but never called agent.close() on the AIAgent instance. In the long-lived TUI gateway process, this left httpx clients for GC to finalize. When the OS recycled a closed FD number for a new active connection, the stale finalizer would close the live socket, causing intermittent [Errno 9] Bad file descriptor on subsequent LLM API calls. Call agent.close() (which properly shuts down the httpx transport pool and TCP sockets) before closing the slash_worker. * fix(tui): prevent trailing space in picker-command completions Commands that open pickers (/model, /skin, /personality) previously received a trailing space in their completions to keep the dropdown visible in the classic CLI. However, the TUI's submit handler applies the completion when Enter is pressed and the result differs from the input — so '/model' + space became '/model ' and the command was never executed. Picker commands now omit the trailing space for exact matches, allowing Enter to submit and open the picker. Non-picker commands (/help, etc.) are unaffected. * fix(pty): default TERM for resize probes Preserve explicit caller overrides, but backfill a sensible default TERM=xterm-256color when missing or blank in the spawn env. CI often runs without TERM in the parent process, which makes terminal probes like 'tput cols' fail before winsize reads. Salvage of #15278's core code fix only — the test changes conflict with subsequent test refactors on main that now exercise TIOCGWINSZ directly instead of via 'tput'. Co-authored-by: LeonSGP43 <154585401+LeonSGP43@users.noreply.github.com> * fix(setup): skip AUXILIARY_VISION_MODEL write when input is blank Guard the save_env_value('AUXILIARY_VISION_MODEL', ...) call with 'if _selected_vision_model:' so blank input at the non-OpenAI vision model prompt doesn't nuke existing values in .env. save_env_value has no internal guard against empty strings — it faithfully writes whatever it receives, including empty values that shadow the previously-configured model. Salvage of #15504 (core hunk). Contributor's test was dropped because it collided with subsequent test refactors; the fix stands on its own. Co-authored-by: alt-glitch <balyan.sid@gmail.com> * fix(kanban-dashboard): widen drawer, bump body fonts, fix code-block contrast (#19638) Closes #18576. Addresses three of four complaints from the readability report; live-verified in a dashboard against a seeded task with body, comments, and run history. - Drawer default width 480px → 640px, exposed as the CSS var `--hermes-kanban-drawer-width` so deployments / user themes can override without forking the plugin. - Bump body/meta/pre/log/run-history font sizes from the 0.65-0.75rem cluster to the 0.78-0.85rem cluster. Long paths and code snippets in task bodies, run metadata, and worker logs are legible again instead of requiring a squint. - Fix the black-text-on-dark-theme regression in fenced markdown code blocks. Root cause: themes that don't define `--color-foreground` (NERV, at least) leave `color: var(--color-foreground)` resolving empty on <code>, which then falls back to the UA default (near-black) instead of inheriting from the drawer's <body>. Fix: force `color: inherit` on both inline and fenced code, and give the fenced block background via `currentColor` instead of `--color-foreground` so there's a visible card even when the theme var is absent. Out of scope for this PR (comments added to #18576): - Draggable resize handle (structural JS work; plugin ships built-only, no src/ in-tree). - Live worker-log viewer for running tasks (backend WS + component). - Sibling fix: themes like NERV should define --color-foreground. The current changes make the drawer robust against that gap, but the root fix belongs in the theme layer. * fix(curator): only mark agent-created for background-review sediment (#19621) Tighten the provenance semantics added in #19618: skills a user asks a foreground agent to write via skill_manage(create) now stay invisible to the curator. Only skills the background self-improvement review fork sediments through skill_manage get the created_by=agent marker. - tools/skill_provenance.py — new ContextVar module mirroring the _approval_session_key pattern: set_current_write_origin / reset / get / is_background_review. Default origin is 'foreground'; the review fork sets 'background_review'. - run_agent.py — run_conversation() binds the ContextVar from self._memory_write_origin at the top of each call. The review fork runs on its own thread (fresh context), so foreground and review contexts never cross-contaminate. - tools/skill_manager_tool.py — skill_manage(action='create') now only calls mark_agent_created() when is_background_review(). All other cases (foreground create, patch, edit, write_file, delete) continue as before. - tests: test_skill_provenance.py (6 tests covering the ContextVar surface), split test_full_create_via_dispatcher into foreground vs. review-fork variants, curator status tests now mark-first. Why: the agent routinely edits existing user skills on the user's behalf; those writes must never flip provenance. And when a user explicitly asks the foreground agent to create a skill, that skill belongs to the user. The curator should only be cleaning up after its own autonomous sediment from the review nudge loop. * fix(agent): disable SDK retries on per-request OpenAI clients Per-request OpenAI-wire clients (used by both non-streaming and streaming chat-completions paths in _interruptible_api_call) should not run the SDK's built-in retry loop: the agent's outer loop owns retries with credential rotation, provider fallback, and backoff that the SDK can't see. Leaving SDK retries on (default 2) compounds with our outer retries and lets a single hung provider request stretch to ~3x the per-call timeout before our stale detector reports it. Shared/primary clients and Anthropic / Bedrock paths are unaffected (they don't go through here). Salvage of #15811 core improvement — the timeout push-down in the original PR required scaffolding that has since been refactored on main, so only the max_retries=0 change is preserved. Co-authored-by: QifengKuang <k2767567815@gmail.com> * fix(cli): omit empty api_mode when probing custom models * fix(agent): detect Qwen3/Ollama inline thinking after tool calls Ollama serves Qwen3 thinking inside the content field as <think>...</think> blocks rather than in the API-level reasoning_content field. This means _has_structured was False for these responses, so an empty-looking reply after a tool call triggered the nudge instead of the prefill continuation, causing a double-response loop. Fix: detect <think>/<thinking>/<reasoning> in final_response and: 1. Skip the nudge when thinking is present (model is still reasoning) 2. Include _has_inline_thinking in _has_structured so prefill kicks in * fix(email): add required Date header to send_message_tool._send_email Adds RFC 5322 Date header to the _send_email tool path in tools/send_message_tool.py. Issue #15160 noted that both gateway/platforms/email.py and tools/send_message_tool.py construct MIMEMultipart/MIMEText messages without setting a Date header. RFC 5322 requires the Date header; mail filters reject messages that lack it. PR #15207 fixed the gateway/platforms/email.py path but did not cover tools/send_message_tool._send_email, which is used by the send_message tool for cross-channel messaging. This change adds msg["Date"] = formatdate(localtime=True) to _send_email, mirroring the fix applied to the gateway email adapter. Closes #15160 * fix(cli): detect quoted relative paths in _detect_file_drop Closes #15197 * docs(model-catalog): rename x-ai/grok-4.20-beta to x-ai/grok-4.20 (#19640) OpenRouter and Nous Portal dropped the -beta suffix from the Grok 4.20 slug. The OpenRouter section already used the new slug; this updates the Nous Portal section and bumps updated_at. * docs: document /kanban slash command (#19584) * docs: document /kanban slash command The kanban user guide and slash-commands reference only mentioned the /kanban slash command in passing. Add a proper section covering: - CLI and gateway both expose the full hermes kanban surface via hermes_cli.kanban.run_slash (identical argument surface) - Mid-run usage: /kanban bypasses the running-agent guard, so reads and writes land immediately while an agent is still in a turn - Auto-subscribe on /kanban create from the gateway — originating chat is subscribed to terminal events, with a worked example - Output truncation (~3800 chars) in messaging - Autocomplete hint list vs full subcommand surface Also adds /kanban rows to both slash-command tables (CLI + messaging) in reference/slash-commands.md and moves it into the 'works in …

Apply agent.redact.redact_sensitive_text with force=True to log content captured by _capture_log_snapshot before it reaches upload_to_pastebin. On-disk logs are untouched. Compatible with the off-by-default local redaction policy from NousResearch#16794: this is upload-time-only and applies regardless of security.redact_secrets because the public paste service is the leak surface. A visible banner is prepended to each uploaded log paste so reviewers know redaction was applied. --no-redact preserves deliberate unredacted sharing for maintainer-coordinated cases. The bug-report, setup-help, and feature-request issue templates direct users to run hermes debug share and paste the resulting public URLs. With redaction off by default per NousResearch#16794, those uploads have been carrying credentials onto paste.rs and dpaste.com. force=True is non-negotiable: without it, redact_sensitive_text short-circuits at agent/redact.py:322 when the env var is unset, so the fix would silently be a no-op for its target audience. A regression test pins this down. Fixes NousResearch#19316

alt-glitch added type/security Security vulnerability or hardening P2 Medium — degraded but workaround exists comp/agent Core agent loop, run_agent.py, prompt builder comp/cli CLI entry point, hermes_cli/, setup wizard labels Apr 28, 2026

teknium1 merged commit 8081425 into main Apr 28, 2026
12 of 13 checks passed

teknium1 deleted the hermes/hermes-1318b626 branch April 28, 2026 04:24

alt-glitch mentioned this pull request Apr 28, 2026

fix: add security.display_redaction_only to keep secrets usable in tools #16849

Open

briandevans mentioned this pull request Apr 28, 2026

fix(file-safety): refuse read_file on credential paths (SSH keys, .env, …) (#16809) #16851

Open

3 tasks

alt-glitch mentioned this pull request Apr 30, 2026

Security: HERMES_REDACT_SECRETS off-by-default exposes API keys in user-visible Telegram/Discord chat output #17691

Closed

github-actions Bot mentioned this pull request May 1, 2026

chore: bump NousResearch/hermes-agent version from v2026.4.23 to v2026.4.30 Docker-Hub-sirmark/docker-hermes-agent#4

Merged

This was referenced May 3, 2026

[Bug] hermes debug share uploads logs with credentials to public paste service #19316

Closed

fix(debug): redact log content at upload time in hermes debug share #19318

Merged

GodsBoy mentioned this pull request May 3, 2026

fix(debug): redact log content at upload time in hermes debug share #19349

Closed

subinium mentioned this pull request May 11, 2026

security(core): enable secret redaction by default (Hermes v0.13 parity) subinium/CrowClaw#293

Open

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(security): make secret redaction off by default#16794

feat(security): make secret redaction off by default#16794
teknium1 merged 1 commit into
mainfrom
hermes/hermes-1318b626

teknium1 commented Apr 28, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

teknium1 commented Apr 28, 2026

Summary

Changes

Validation

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants