fix(hermes): chmod 600 config.yaml + pin install URL to commit SHA#39
Open
dgokeeffe wants to merge 1 commit into
Two pre-existing security bugs in setup_hermes.py, surfaced by the independent review of the enterprise-mode feature but not gated on it. Affects every CoDA deploy from main today.

F-05: ~/.hermes/config.yaml written without chmod 600 (plaintext PAT)
================================================================

`config_path.write_text(...)` inherits umask-derived permissions — typically 0o644 on container filesystems — making the embedded PAT readable by any process running as the same UID. Add explicit `config_path.chmod(0o600)` after the write, mirroring what setup_opencode.py already does for its auth.json.

Threat: any in-container process (a malicious agent CLI install, a planted exfil tool, a compromised dep) can `cat ~/.hermes/config.yaml` and retrieve the current Databricks PAT.

F-06: Hermes installed from unpinned HEAD of upstream git
================================================================

`HERMES_PKG = "hermes-agent @ git+https://github.com/NousResearch/hermes-agent.git"` with no commit pin. Every fresh CoDA container pulls whatever is at HEAD of NousResearch's default branch at install time.

Threat: a single force-push to NousResearch/hermes-agent's default branch (compromised maintainer account, contributor with merge rights, gh org admin phish) ships arbitrary code into every CoDA container worldwide on next cold start.

Mitigation: pin to commit 8e4f3ba4da5337e1ad674a876ac4fb8490f0b79c (2026-05-08). That SHA is >7 days old at time of pinning, matching the npm cooldown semantics we already apply elsewhere. Documented inline that this needs deliberate rotation on each CoDA release — not auto-update.

Verified
================================================================

- Local `import setup_hermes` reproduces the install from the pinned URL successfully.
- Independent test on daveok (today, via Playwright e2e against the enterprise feature branch which has the same fixes):
  [PASS] F-05 Hermes config chmod 0o600
  [PASS] F-06 Hermes installed (Hermes Agent v0.13.0 (2026.5.7))

These two fixes are also part of the larger #38 enterprise-proxy-registry PR. Landing them as a separate hotfix because they're pre-existing exposures on main, not gated on the enterprise feature shipping.

Co-authored-by: Isaac
Summary
Hotfix for two pre-existing security bugs in `setup_hermes.py` that affect every CoDA deploy from `main` today. Both were surfaced by the independent review of #38 (enterprise-proxy-registry) but they are not gated on that feature — they exist on main and are present in every container right now.

Landing them as a small standalone PR for easier review and faster turnaround than waiting for the larger feature work.
F-05 — `~/.hermes/config.yaml` written without chmod 0o600

`config_path.write_text(...)` inherits umask-derived permissions (typically `0o644` on container filesystems). The file contains the user's Databricks PAT in plaintext at `api_key:`. Any process running as the same UID inside the container can `cat ~/.hermes/config.yaml` and retrieve the token.

Fix: `config_path.chmod(0o600)` after the write. Best-effort (caught `OSError`) — mirrors the `setup_opencode.py`: `auth_path.chmod(0o600)` pattern that's already in place for OpenCode's credentials.

F-06 — Hermes installed from unpinned HEAD of upstream git

`HERMES_PKG = "hermes-agent @ git+https://github.com/NousResearch/hermes-agent.git"` with no commit pin. Every fresh CoDA container pulls whatever `git rev-parse HEAD` returns at install time.

Fix: pin to `8e4f3ba4da5337e1ad674a876ac4fb8490f0b79c` (2026-05-08). That SHA is ≥7 days old at the time of pinning, matching the npm cooldown semantics we already apply to opencode/codex/gemini.

Operational note
The pin needs deliberate rotation on each CoDA release. Comment in the code says this explicitly. Don't auto-update — the whole point is that a CoDA-side reviewer signs off when bumping.
Test plan
- `import setup_hermes` locally — install runs from the pinned URL, no behavioural change in default flow
- [PASS] F-05 Hermes config chmod 0o600
- [PASS] F-06 Hermes installed (Hermes Agent v0.13.0 (2026.5.7))
- `stat -c %a ~/.hermes/config.yaml` returns `600`

Relation to #38
These two fixes are also included in #38 (enterprise-proxy-registry). Landing them separately because:
- When #38 merges, this PR's changes will be a no-op (already present).
This pull request and its description were written by Isaac.
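As an added illustration (not code from this PR or from setup_hermes.py), the two checks described above in one place: a secret-file write that is private from creation rather than only after a trailing chmod, and a predicate that accepts the Hermes install spec only when it ends in a full commit SHA. The `8e4f…` pin is the one named in the PR; the PAT value and the temp-directory scenario are constructed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Commit pin quoted from the PR text. Pinning a SHA (not a tag or branch)
# is what makes the install reproducible and immune to an upstream force-push.
PINNED_SHA = "8e4f3ba4da5337e1ad674a876ac4fb8490f0b79c"
HERMES_PKG = f"hermes-agent @ git+https://github.com/NousResearch/hermes-agent.git@{PINNED_SHA}"

# A pin counts only if the VCS URL ends in a full 40-hex commit id.
_PIN_RE = re.compile(r"git\+https?://[^@\s]+@([0-9a-f]{40})(?:#\S*)?$")

def is_commit_pinned(spec: str) -> bool:
    """Reject unpinned, branch-pinned, tag-pinned and short-SHA specs."""
    return _PIN_RE.search(spec.strip()) is not None

def write_private_file(path: Path, content: str) -> int:
    """Write a secret-bearing file and return its final permission bits.

    os.open() with mode 0o600 makes the file private from the first byte,
    so there is no window in which a write_text()-then-chmod() sequence
    would leave the plaintext PAT at umask-derived 0o644. The explicit
    chmod() afterwards covers an already-existing file, because O_CREAT's
    mode argument is ignored when the file is not newly created.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    path.chmod(0o600)
    return stat.S_IMODE(path.stat().st_mode)

def is_private(path: Path) -> bool:
    """Post-install check, equivalent to `stat -c %a` printing 600."""
    return stat.S_IMODE(path.stat().st_mode) == 0o600

def demo_config_write() -> tuple:
    """Constructed scenario: fresh write, then rewrite over a leaked 0o644 file."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / ".hermes" / "config.yaml"
        fresh = write_private_file(cfg, "api_key: PLACEHOLDER_PAT\n")  # constructed value
        cfg.chmod(0o644)  # simulate the pre-fix, umask-derived mode
        leaked = is_private(cfg)
        fixed = write_private_file(cfg, "api_key: PLACEHOLDER_PAT\n")
        return fresh, leaked, fixed
```

`is_commit_pinned` is the kind of assertion a CI step can run against `HERMES_PKG` so that a future edit cannot silently drop the pin.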