§ áìõiýÎã ób—UdZddlZddlZddlZddlZddlZddlZddlZddlZddl m Z ddlmZddl mZeje¦«Zejdd¬¦«Zejeed <d eddfd„Zd edejefd„Zdejeddfd„Zddedefd„ZdZdZdZdZde›de›dZde›de›dZ dZ!dZ"dddd d!d"d#d$e"d%zd&fe"d'zd(fe"d)zd*fe"d+zd,fgZ#ej$ej%zZ&d-„e#D¦«Z'd.ede(fd/„Z)d0ede*fd1„Z+gd2‘d3‘d4‘d5‘d6‘d7‘d8‘d9‘d:‘d;‘d<‘d=‘d>‘d?‘d@‘dA‘dB‘d#‘dC‘dD‘dE‘dF‘dGe›dHf‘dIe›dJf‘dGe ›dKe!›dLf‘dIe ›dKe!›dMf‘dN‘dO‘dP‘dQ‘dR‘dS‘dT‘dU‘dV‘dW‘dX‘dYe ›dKe!›dZf‘d[‘d\‘d]‘d^‘d_‘d`‘da‘db‘dc‘Z,dd„e,D¦«Z-deedefdf„Z.iZ/e*ee0efedg<e,D]x\Z1Z2e.e1¦«Z3e2Z4e/ 5e4e0¦«¦« 6e4e3h¦«e/ 5e3e0¦«¦« 6e3e4h¦«Œydhede0efdi„Z7d.edefdj„Z8d.ede(fdk„Z9ej:¦«Z;iZe0eedn<e0¦«Z?e0edo<Gdp„dq¦«Z@iZAe*eeBfedr<iZCe*eeDfeds<d eddfdt„ZEd eddfdu„ZF d˜d edwedxeGdeHfdy„ZId edeGfdz„ZJd ed{e*fd|„ZKd edhefd}„ZLd eddfd~„ZMd eddfd„ZNd eddfd€„ZOd edeGfd„ZPdeGfd‚„ZQd edhedeGfdƒ„ZRdhefd„„ZSd…e0fd†„ZTde0fd‡„ZUd…e0fdˆ„ZV d™d.ed0edŠeHdzd‹eGdef dŒ„ZWdefd„ZXde*fdŽ„ZYdefd„ZZdeHfd„Z[defd‘„Z\d.ed0edefd’„Z] dšd.ed“ede*fd”„Z^d•e*defd–„Z_ dšd.ed“ede*fd—„Z`eU¦«dS)›aÇDangerous command approval -- detection, prompting, and per-session state. This module is the single source of truth for the dangerous command system: - Pattern detection (DANGEROUS_PATTERNS, detect_dangerous_command) - Per-session approval state (thread-safe, keyed by session_key) - Approval prompting (CLI interactive + gateway async) - Smart approval via auxiliary LLM (auto-approve low-risk commands) - Permanent allowlist persistence (config.yaml) éN)ÚOptional)Úcfg_get)Úis_truthy_valueÚapproval_session_keyÚ©ÚdefaultÚ_approval_session_keyÚ hook_nameÚreturncó´— ddlm}n#t$rYdSwxYw ||fi|¤ŽdS#t$r'}t d||¦«Yd}~dSd}~wwxYw)a{Invoke a plugin lifecycle hook for the approval system. Lazy-imports the plugin manager to avoid circular imports (approval.py is imported very early, long before plugins are discovered). Never raises -- plugin errors are logged and swallowed. Only fires for the two approval-specific hooks in VALID_HOOKS: pre_approval_request, post_approval_response. r)Úinvoke_hookNz$Approval hook %s dispatch failed: %s)Úhermes_cli.pluginsrÚ ExceptionÚloggerÚdebug)rÚkwargsrÚexcs ú3/home/ubuntu/.hermes/hermes-agent/tools/approval.pyÚ_fire_approval_hookr$s²€ðØ2Ð2Ð2Ð2Ð2Ð2Ð2øÝðððð ˆˆðøøøðMØˆIÐ(Ð( Ð(Ð(Ð(Ð(Ð(øÝðMðMðMõ ŠÐ;¸YÈÑLÔLÐLÐLÐLÐLÐLÐLÐLøøøøð Møøøs ‚ ‰ –› &¦ A°AÁAÚsession_keycó:—t |pd¦«S)zs€å ×$Ò$ [Ð%6°BÑ7Ô7Ð7óÚtokencó:—t |¦«dS)z/Restore the prior approval session key context.N)r Úreset)rs rÚreset_current_session_keyr Cs€å×Ò Ñ&Ô&Ð&Ð&Ð&rr có`—t ¦«}|r|Sddlm}|d|¦«S)aReturn the active session key, preferring context-local state. Resolution order: 1. approval-specific contextvars (set by gateway before agent.run) 2. session_context contextvars (set by _set_session_env) 3. os.environ fallback (CLI, cron, tests) r)Úget_session_envÚHERMES_SESSION_KEY)r ÚgetÚgateway.session_contextr")r rr"s rÚget_current_session_keyr&HsH€õ(×+Ò+Ñ-Ô-€KØðØÐØ7Ð7Ð7Ð7Ð7Ð7Øˆ?Ð/°Ñ9Ô9Ð9rz$(?:~|\$home|\$\{home\})/\.ssh(?:/|$)z$?:~\/\.hermes/|(?:\$home|\$\{home\})/\.hermes/|(?:\$hermes_home|\$\{hermes_home\})/)\.env\bz;(?:(?:/|\.{1,2}/)?(?:[^\s/"\'`]+/)*\.env(?:\.[^/\s"\'`]+)*)z0(?:(?:/|\.{1,2}/)?(?:[^\s/"\'`]+/)*config\.yaml)z(?:/etc/|/dev/sd|Ú|ú)z(?:z(?:\s*(?:&&|\|\||;).*)?$zp(?:^|[;&|\n`]|\$\()\s*(?:sudo\s+(?:-[^\s]+\s+)*)?(?:env\s+(?:\w+=\S*\s+)*)?(?:(?:exec|nohup|setsid|time)\s+)*\s*)z&\brm\s+(-[^\s]*\s+)*(/|/\*|/ \*)(\s|$)z#recursive delete of root filesystem)z˜\brm\s+(-[^\s]*\s+)*(/home|/home/\*|/root|/root/\*|/etc|/etc/\*|/usr|/usr/\*|/var|/var/\*|/bin|/bin/\*|/sbin|/sbin/\*|/boot|/boot/\*|/lib|/lib/\*)(\s|$)z$recursive delete of system directory)z-\brm\s+(-[^\s]*\s+)*(~|\$HOME)(/?|/\*)?(\s|$)z"recursive delete of home directory)z\bmkfs(\.[a-z0-9]+)?\bzformat filesystem (mkfs))z9\bdd\b[^\n]*\bof=/dev/(sd|nvme|hd|mmcblk|vd|xvd)[a-z0-9]*zdd to raw block device)z.>\s*/dev/(sd|nvme|hd|mmcblk|vd|xvd)[a-z0-9]*\bzredirect to raw block device)z(:\($\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:z fork bomb)z\bkill\s+(-[^\s]+\s+)*-1\búkill all processesz!(shutdown|reboot|halt|poweroff)\bzsystem shutdown/rebootz init\s+[06]\bzinit 0/6 (shutdown/reboot)z*systemctl\s+(poweroff|reboot|halt|kexec)\bzsystemctl poweroff/rebootztelinit\s+[06]\bztelinit 0/6 (shutdown/reboot)cóL—g|]!\}}tj|t¦«|f‘Œ"S©©ÚreÚcompileÚ _RE_FLAGS©Ú.0ÚpatternÚdescriptions rú r4±s=€ðððáˆõ„ZÑ#Ô# [Ð1ðððrÚcommandcó˜—t|¦« ¦«}tD] \}}| |¦«rd|fcSŒ!dS)z‡Check if a command matches the unconditional hardline blocklist. Returns: (is_hardline, description) or (False, None) T)FN)Ú _normalize_command_for_detectionÚlowerÚHARDLINE_PATTERNS_COMPILEDÚsearch)r5Ú normalizedÚ pattern_rer3s rÚdetect_hardline_commandr=·sb€õ2°'Ñ:Ô:×@Ò@ÑBÔB€JÝ#=ð'ð'Ñˆ KØ×Ò˜ZÑ(Ô(ð 'Ø˜+Ð&Ð&Ð&Ð&ð 'àˆ=rr3có—ddd|›ddœS)z5Build the standard block result for a hardline match.FTzBLOCKED (hardline): uò. This command is on the unconditional blocklist and cannot be executed via the agent â€” not even with --yolo, /yolo, approvals.mode=off, or cron approve mode. If you genuinely need to run it, run it yourself in a terminal outside the agent.)ÚapprovedÚhardlineÚmessager+)r3s rÚ_hardline_block_resultrBÄs/€ðØð ;ð ð ð ð ððr)z\brm\s+(-[^\s]*\s+)*/zdelete in root path)z\brm\s+-[^\s]*rzrecursive delete)z\brm\s+--recursive\bzrecursive delete (long flag))z8\bchmod\s+(-[^\s]*\s+)*(777|666|o\+[rwx]*w|a\+[rwx]*w)\bz world/other-writable permissions)z8\bchmod\s+--recursive\b.*(777|666|o\+[rwx]*w|a\+[rwx]*w)z*recursive world/other-writable (long flag))z\bchown\s+(-[^\s]*)?R\s+rootzrecursive chown to root)z\bchown\s+--recursive\b.*rootz#recursive chown to root (long flag))z\bmkfs\bzformat filesystem)z\bdd\s+.*if=z disk copy)z>\s*/dev/sdzwrite to block device)z\bDROP\s+(TABLE|DATABASE)\bzSQL DROP)z \bDELETE\s+FROM\b(?!.*\bWHERE\b)zSQL DELETE without WHERE)z\bTRUNCATE\s+(TABLE)?\s*\wzSQL TRUNCATE)z >\s*/etc/zoverwrite system config)z8\bsystemctl\s+(-[^\s]+\s+)*(stop|restart|disable|mask)\bzstop/restart system service)z\bkill\s+-9\s+-1\br))z\bpkill\s+-9\bzforce kill processes)z%\b(bash|sh|zsh|ksh)\s+-[^\s]*c(\s+|$)zshell command via -c/-lc flag)z)\b(python[23]?|perl|ruby|node)\s+-[ec]\s+zscript execution via -e/-c flag)z\b(curl|wget)\b.*\|\s*(ba)?sh\bzpipe remote content to shell)z1\b(bash|sh|zsh|ksh)\s+<\s*>?\s*["\']?z%overwrite system file via redirectionz["\']?z$overwrite project env/config via teez,overwrite project env/config via redirection)z\bxargs\s+.*\brm\bz xargs with rm)z\bfind\b.*-exec\s+(/\S*/)?rm\bz find -exec rm)z\bfind\b.*-delete\bzfind -delete)z%\bhermes\s+gateway\s+(stop|restart)\bz2stop/restart hermes gateway (kills running agents))z\bhermes\s+update\bz6hermes update (restarts gateway, kills running agents))z4gateway\s+run\b.*(&\s*$|&\s*;|\bdisown\b|\bsetsid\b)úMstart gateway outside systemd (use 'systemctl --user restart hermes-gateway'))z\bnohup\b.*gateway\s+run\brC)z1\b(pkill|killall)\b.*\b(hermes|gateway|cli\.py)\bz.kill hermes/gateway process (self-termination))z\bkill\b.*\$\(\s*pgrep\bz3kill process via pgrep expansion (self-termination))z\bkill\b.*`\s*pgrep\bzð4ð4Ñˆ KØ×Ò˜]Ñ+Ô+ð 4Ø%ˆKØ˜+ {Ð3Ð3Ð3Ð3ð 4ðÐrÚ_pendingÚ_session_approvedÚ _session_yoloÚ_permanent_approvedcó"—eZdZdZdZdefd„ZdS)Ú_ApprovalEntryz@One pending dangerous-command approval inside a gateway session.)ÚeventÚdataÚresultrbcóR—tj¦«|_||_d|_dS©N)Ú threadingÚEventrarbrc)Úselfrbs rÚ__init__z_ApprovalEntry.__init__vs#€Ý”_Ñ&Ô&ˆŒ ØˆŒ Ø%)ˆŒˆˆrN)Ú__name__Ú __module__Ú__qualname__Ú__doc__Ú __slots__Údictrir+rrr`r`rs:€€€€€ØJÐJØ+€Ið*˜Tð*ð*ð*ð*ð*ð*rr`Ú_gateway_queuesÚ_gateway_notify_cbscóZ—t5|t|<ddd¦«dS#1swxYwYdS)uaRegister a per-session callback for sending approval requests to the user. The callback signature is ``cb(approval_data: dict) -> None`` where *approval_data* contains ``command``, ``description``, and ``pattern_keys``. The callback bridges syncâ†’async (runs in the agent thread, must schedule the actual send on the event loop). N)Ú_lockrq)rÚcbs rÚregister_gateway_notifyru€sy€õ ð.ð.Ø+-Õ˜KÑ(ð.ð.ð.ñ.ô.ð.ð.ð.ð.ð.ð.ð.øøøð.ð.ð.ð.ð.ð.óˆ $§$cóì—t5t |d¦«t |g¦«}ddd¦«n#1swxYwY|D]}|j ¦«ŒdS)zÁUnregister the per-session gateway approval callback. Signals ALL blocked threads for this session so they don't hang forever (e.g. when the agent run finishes or is interrupted). N)rsrqÚpoprprar©rÚentriesÚentrys rÚunregister_gateway_notifyr|Œsº€õ ð7ð7Ý×Ò ¨TÑ2Ô2Ð2Ý!×%Ò% k°2Ñ6Ô6ˆð7ð7ð7ñ7ô7ð7ð7ð7ð7ð7ð7øøøð7ð7ð7ð7ðððˆØ ŒŠÑÔÐÐððsˆ7AÁAÁAFÚchoiceÚresolve_allcó®—t5t |¦«}|s ddd¦«dS|r$t|¦«}| ¦«n| d¦«g}|st |d¦«ddd¦«n#1swxYwY|D]"}||_|j ¦«Œ#t|¦«S)aTCalled by the gateway's /approve or /deny handler to unblock waiting agent thread(s). When *resolve_all* is True every pending approval in the session is resolved at once (``/approve all``). Otherwise only the oldest one is resolved (FIFO). Returns the number of approvals resolved (0 means nothing was pending). Nr) rsrpr$ÚlistÚclearrxrcrarÚlen)rr}r~ÚqueueÚtargetsr{s rÚresolve_gateway_approvalr…™s1€õ ð 3ð 3Ý×#Ò# KÑ0Ô0ˆØð Øð 3ð 3ð 3ñ 3ô 3ð 3ð 3ð 3ðð %Ý˜5‘k”kˆGØKŠK‰MŒMˆMˆMà—y’y ‘|”|nˆGØð 3Ý×Ò ¨TÑ2Ô2Ð2ð 3ð 3ð 3ñ 3ô 3ð 3ð 3ð 3ð 3ð 3ð 3øøøð 3ð 3ð 3ð 3ðððˆØˆŒØ ŒŠÑÔÐÐÝˆw‰<Œ<ÐsˆB³ABÂBÂBcó’—t5tt |¦«¦«cddd¦«S#1swxYwYdS)zFCheck if a session has one or more blocking gateway approvals waiting.N)rsÚboolrpr$rs rÚhas_blocking_approvalrˆ¶s…€å ð6ð6Ý•O×'Ò'¨Ñ4Ô4Ñ5Ô5ð6ð6ð6ð6ñ6ô6ð6ð6ð6ð6ð6ð6øøøð6ð6ð6ð6ð6ð6sˆ'<¼AÁAÚapprovalcóZ—t5|t|<ddd¦«dS#1swxYwYdS)z/Store a pending approval request for a session.N)rsr[)rr‰s rÚsubmit_pendingr‹¼sv€å ð)ð)Ø (Ñð)ð)ð)ñ)ô)ð)ð)ð)ð)ð)ð)ð)øøøð)ð)ð)ð)ð)ð)rvcóº—t5t |t¦«¦« |¦«ddd¦«dS#1swxYwYdS)z(Approve a pattern for this session only.N)rsr\Ú setdefaultrÚadd)rrKs rÚapprove_sessionrÂs¨€å ðJðJÝ×$Ò$ [µ#±%´%Ñ8Ô8×<Ò<¸[ÑIÔIÐIðJðJðJñJôJðJðJðJðJðJðJðJøøøðJðJðJðJðJðJsˆ;AÁAÁAcó‚—|sdSt5t |¦«ddd¦«dS#1swxYwYdS)z,Enable YOLO bypass for a single session key.N)rsr]rŽrs rÚenable_session_yolor‘Ès€àðØˆÝ ð'ð'Ý×Ò˜+Ñ&Ô&Ð&ð'ð'ð'ñ'ô'ð'ð'ð'ð'ð'ð'ð'øøøð'ð'ð'ð'ð'ð'óŒ4´8»8có‚—|sdSt5t |¦«ddd¦«dS#1swxYwYdS)z-Disable YOLO bypass for a single session key.N)rsr]Údiscardrs rÚdisable_session_yolor•Ðs€àðØˆÝ ð+ð+Ý×Ò˜kÑ*Ô*Ð*ð+ð+ð+ñ+ô+ð+ð+ð+ð+ð+ð+ð+øøøð+ð+ð+ð+ð+ð+r’cól—|sdSt5t |d¦«t |¦«t |d¦«t |g¦«}ddd¦«n#1swxYwY|D]"}d|_|j ¦«Œ#dS)z7Remove all approval and yolo state for a given session.NÚdeny) rsr\rxr]r”r[rprcrarrys rÚ clear_sessionr˜Øsö€àðØˆÝ ð7ð7Ý×Ò˜k¨4Ñ0Ô0Ð0Ý×Ò˜kÑ*Ô*Ð*ÝŠ[ $Ñ'Ô'Ð'Ý!×%Ò% k°2Ñ6Ô6ˆð 7ð7ð7ñ7ô7ð7ð7ð7ð7ð7ð7øøøð7ð7ð7ð7ð ððˆðˆŒØ ŒŠÑÔÐÐð ðsŒA,BÂBÂBcó^—|sdSt5|tvcddd¦«S#1swxYwYdS)z?Return True when YOLO bypass is enabled for a specific session.FN)rsr]rs rÚis_session_yolo_enabledršès€àðØˆuÝ ð,ð,ØmÐ+ð,ð,ð,ð,ñ,ô,ð,ð,ð,ð,ð,ð,øøøð,ð,ð,ð,ð,ð,sŒ "¢&©&có<—ttd¬¦«¦«S)zEReturn True when the active approval session has YOLO bypass enabled.rr)ršr&r+rrÚis_current_session_yolo_enabledrœðs€å"Õ#:À2Ð#FÑ#FÔ#FÑGÔGÐGrcó6‡—t|¦«}t5td„|D¦«¦«r ddd¦«dSt |t¦«¦«Štˆfd„|D¦«¦«cddd¦«S#1swxYwYdS)zßCheck if a pattern is approved (session-scoped or permanent). Accept both the current canonical key and the legacy regex-derived key so existing command_allowlist entries continue to work after key migrations. c3ó(K—|] }|tvV—ŒdSre)r^)r1Úaliass rú zis_approved..ýs(èè€ÐAÐA°ˆuÕ+Ð+ÐAÐAÐAÐAÐAÐArNTc3ó •K—|]}|‰vV—Œ dSrer+)r1rŸÚsession_approvalss €rr zis_approved..s)øèè€ÐCÐC°%5Ð-Ð-ÐCÐCÐCÐCÐCÐCr)rNrsÚanyr\r$r)rrKÚaliasesr¢s @rÚis_approvedr¥õsø€õ$ KÑ0Ô0€GÝ ðDðDÝÐAÐA¸ÐAÑAÔAÑAÔAð ØðDðDðDñDôDðDðDðDõ.×1Ò1°+½s¹u¼uÑEÔEÐÝÐCÐCÐCÐC¸7ÐCÑCÔCÑCÔCð DðDðDðDñDôDðDðDðDðDðDðDøøøðDðDðDðDðDðDs˜BÁABÂBÂBcóz—t5t |¦«ddd¦«dS#1swxYwYdS)z)Add a pattern to the permanent allowlist.N)rsr^rŽrMs rÚapprove_permanentr§s€€å ð-ð-Ý×Ò Ñ,Ô,Ð,ð-ð-ð-ñ-ô-ð-ð-ð-ð-ð-ð-ð-øøøð-ð-ð-ð-ð-ð-óˆ0°4·4Úpatternscóz—t5t |¦«ddd¦«dS#1swxYwYdS)z2Bulk-load permanent allowlist entries from config.N)rsr^Úupdate)r©s rÚload_permanentr¬ s€€å ð-ð-Ý×"Ò" 8Ñ,Ô,Ð,ð-ð-ð-ñ-ô-ð-ð-ð-ð-ð-ð-ð-øøøð-ð-ð-ð-ð-ð-r¨có— ddlm}|¦«}t| dg¦«pg¦«}|rt |¦«|S#t $r3}t d|¦«t¦«cYd}~Sd}~wwxYw)z»Load permanently allowed command patterns from config. Also syncs them into the approval module so is_approved() works for patterns added via 'always' in a previous session. r©Úload_configÚcommand_allowlistz&Failed to load permanent allowlist: %sN)Úhermes_cli.configr¯rr$r¬rrÚwarning)r¯Úconfigr©Úes rÚload_permanent_allowlistrµs§€ð Ø1Ð1Ð1Ð1Ð1Ð1Ø‘”ˆÝv—z’zÐ"5°rÑ:Ô:Ð@¸bÑAÔAˆØð %Ý˜8Ñ$Ô$Ð$ØˆøÝðððÝŠÐ?ÀÑCÔCÐCÝ‰uŒuˆˆˆˆˆˆøøøøðøøøs‚AA Á BÁ(BÁÐ>Ð>Ð>Ð>Ð>Ð>Ð>Ø‘”ˆÝ&*¨8¡n¤nˆÐ"Ñ#ØˆFÑÔÐÐÐøÝð:ð:ð:ÝŠÐ5°qÑ9Ô9Ð9Ð9Ð9Ð9Ð9Ð9Ð9øøøøð:øøøs‚/3³ A#½AÁA#TÚtimeout_secondsÚallow_permanentcóö‡‡ —|€t¦«}|D |||‰¬¦«S#t$r(}t d|d¬¦«Yd}~dSd}~wwxYw ddlm}|¦«t d ||¦«dSn#t$rYnwxYwd tjd< t¦«td|›¦«td |›¦«t¦«‰rtd¦«ntd¦«t¦«tj ¦«ddiŠ ˆˆ fd„}tj|d¬¦«}| ¦«| |¬¦«| ¦«rYtd¦« dtjvr tjd=t¦«tj ¦«dS‰ d} | dvrYtd¦« dtjvr tjd=t¦«tj ¦«dS| dvrYtd¦« dtjvr tjd=t¦«tj ¦«dS| dvr´‰sYtd¦« dtjvr tjd=t¦«tj ¦«dStd¦« dtjvr tjd=t¦«tj ¦«dStd¦« dtjvr tjd=t¦«tj ¦«dS#t$t&f$rZtd ¦«Ydtjvr tjd=t¦«tj ¦«dSwxYw#dtjvr tjd=t¦«tj ¦«wxYw)!aPrompt the user to approve a dangerous command (CLI only). Args: allow_permanent: When False, hide the [a]lways option (used when tirith warnings are present, since broad permanent allowlisting is inappropriate for content-level security findings). approval_callback: Optional callback registered by the CLI for prompt_toolkit integration. Signature: (command, description, *, allow_permanent=True) -> str. Returns: 'once', 'session', 'always', or 'deny' N)rºzApproval callback failed: %sT)Úexc_infor—r)Úget_app_or_nonez¥Dangerous-command approval requested on a thread with no approval callback while prompt_toolkit is active; denying to avoid stdin deadlock. command=%r description=%rÚ1ÚHERMES_SPINNER_PAUSEu âš ï¸ DANGEROUS COMMAND: z z2 [o]nce | [s]ession | [a]lways | [d]enyz% [o]nce | [s]ession | [d]enyr}rcó¼•— ‰rdnd}t|¦« ¦« ¦«‰d<dS#ttf$r d‰d<YdSwxYw)Nz Choice [o/s/a/D]: z Choice [o/s/D]: r}r)ÚinputÚstripr8ÚEOFErrorÚOSError)Úpromptrºrcs €€rÚ get_inputz,prompt_dangerous_approval..get_input{szø€ð*Ø;JÐhÐ7Ð7ÐPhFÝ',¨V¡}¤}×':Ò':Ñ'<Ô'<×'BÒ'BÑ'DÔ'DF˜8Ñ$Ð$Ð$øÝ ¥'Ð*ð*ð*ð*Ø')F˜8Ñ$Ð$Ð$Ð$ð*øøøsƒÔ>Ð>Ý‰GŒGˆGÝŒJ×ÒÑÔÐà ^ˆFð *ð *ð *ð *ð *ð *õÔ%¨Y¸tÐDÑDÔDˆFØLŠL‰NŒNˆNØKŠK ˆKÑ0Ô0Ð0àŠÑ Ô ð ÝÐ=Ñ>Ô>Ð>Øð."¥R¤ZÐ/Ð/Ý” Ð1Ð2Ý ‰ŒˆÝŒ ×ÒÑÔÐÐÐð1˜HÔ%ˆFØ˜Ð&Ð&ÝÐ.Ñ/Ô/Ð/Øð$"¥R¤ZÐ/Ð/Ý” Ð1Ð2Ý ‰ŒˆÝŒ ×ÒÑÔÐÐÐð)Ð+Ð+Ð+ÝÐ:Ñ;Ô;Ð;Ø ð"¥R¤ZÐ/Ð/Ý” Ð1Ð2Ý ‰ŒˆÝŒ ×ÒÑÔÐÐÐð#˜?Ð*Ð*Ø&ð%ÝÐ>Ñ?Ô?Ð?Ø$ð"¥R¤ZÐ/Ð/Ý” Ð1Ð2Ý ‰ŒˆÝŒ ×ÒÑÔÐÐÐõÐ>Ñ?Ô?Ð?Øð"¥R¤ZÐ/Ð/Ý” Ð1Ð2Ý ‰ŒˆÝŒ ×ÒÑÔÐÐÐõÐ(Ñ)Ô)Ð)Øð"¥R¤ZÐ/Ð/Ý” Ð1Ð2Ý ‰ŒˆÝŒ ×ÒÑÔÐÐÐøõ Õ'Ð(ðððÝ Ð%Ñ&Ô&Ð&Øà!¥R¤ZÐ/Ð/Ý” Ð1Ð2Ý ‰ŒˆÝŒ ×ÒÑÔÐÐÐðøøøøð"¥R¤ZÐ/Ð/Ý” Ð1Ð2Ý ‰ŒˆÝŒ ×ÒÑÔÐÐøøøsj– $¤ A®AÁAÁ,B Â BÂBÂ)C;OÇ.OÉOÊ0OÌOÍ(OÏ P,Ï!P/Ð+P,Ð,P/Ð/A Q8có¾—t|t¦«r|durdndSt|t¦«r*| ¦« ¦«}|pdSdS)a"Normalize approval mode values loaded from YAML/config. YAML 1.1 treats bare words like `off` as booleans, so a config entry like `approvals: mode: off` is parsed as False unless quoted. Treat that as the intended string mode instead of falling back to manual approvals. FÚoffÚmanual)Ú isinstancer‡ÚstrrÂr8)Úmoder;s rÚ_normalize_approval_moderè¥sc€õ$ÑÔð4Ø ˜ ˜ ˆuˆu¨8Ð3Ý$ÑÔð&Ø—Z’Z‘\”\×'Ò'Ñ)Ô)ˆ ØÐ%˜XÐ%Øˆ8rcó¼— ddlm}|¦«}| di¦«piS#t$r'}t d|¦«icYd}~Sd}~wwxYw)zLRead the approvals config block. Returns a dict with 'mode', 'timeout', etc.rr®Ú approvalsz"Failed to load approval config: %sN)r±r¯r$rrr²)r¯r³r´s rÚ_get_approval_configrë´s€€ðØ1Ð1Ð1Ð1Ð1Ð1Ø‘”ˆØzŠz˜+ rÑ*Ô*Ð0¨bÐ0øÝðððÝŠÐ;¸QÑ?Ô?Ð?Øˆ ˆ ˆ ˆ ˆ ˆ øøøøðøøøs‚'*ª A´AÁAÁAcód—t¦« dd¦«}t|¦«S)zHRead the approval mode from config. Returns 'manual', 'smart', or 'off'.rçrä)rër$rè)rçs rÚ_get_approval_moderí¿s+€åÑ!Ô!×%Ò% f¨hÑ7Ô7€DÝ# DÑ)Ô)Ð)rcó’— tt¦« dd¦«¦«S#ttf$rYdSwxYw)z>Read the approval timeout from config. Defaults to 60 seconds.rÊé<)Úintrër$Ú ValueErrorÚ TypeErrorr+rrrÑrÑÅsS€ðÝÕ'Ñ)Ô)×-Ò-¨i¸Ñ<Ô<Ñ=Ô=Ð=øÝ Ð"ðððØˆrˆrðøøøs‚.1±AÁAcóÞ— ddlm}|¦«}tt|ddd¬¦«¦« ¦« ¦«}|dvrdSdS#t$rYdSwxYw) zERead the cron approval mode from config. Returns 'deny' or 'approve'.rr®rêÚ cron_moder—r)ÚapproverãÚallowÚyesrõ)r±r¯rærr8rÂr)r¯r³rçs rÚ_get_cron_approval_moderøÍs’€ðØ1Ð1Ð1Ð1Ð1Ð1Ø‘”ˆÝ•7˜6 ;°ÀVÐLÑLÔLÑMÔM×SÒSÑUÔU×[Ò[Ñ]Ô]ˆØÐ5Ð5Ð5Ø9ØˆvøÝðððØˆvˆvðøøøs‚AAÁ A,Á+A,cóD— ddlm}d|›d|›d}|dd|dœgdd ¬ ¦«}|jdjjpd ¦« ¦«}d|vrd Sd|vrdSdS#t$r&}t d|¦«Yd}~dSd}~wwxYw)aUse the auxiliary LLM to assess risk and decide approval. Returns 'approve' if the LLM determines the command is safe, 'deny' if genuinely dangerous, or 'escalate' if uncertain. Inspired by OpenAI Codex's Smart Approvals guardian subagent (openai/codex#13860). r)Úcall_llmz‹You are a security reviewer for an AI coding agent. A terminal command was flagged by pattern matching as potentially dangerous. Command: z Flagged reason: ul Assess the ACTUAL risk of this command. Many flagged commands are false positives â€” for example, `python -c "print('hello')"` is flagged as "script execution via -c flag" but is completely harmless. Rules: - APPROVE if the command is clearly safe (benign script execution, safe file operations, development tools, package installs, git operations, etc.) - DENY if the command could genuinely damage the system (recursive delete of important paths, overwriting system files, fork bombs, wiping disks, dropping databases, etc.) - ESCALATE if you're uncertain Respond with exactly one word: APPROVE, DENY, or ESCALATEr‰Úuser)ÚroleÚcontenté)ÚtaskÚmessagesÚtemperatureÚ max_tokensrÚAPPROVErõÚDENYr—Úescalatez1Smart approvals: LLM call failed (%s), escalatingN) Úagent.auxiliary_clientrúÚchoicesrArýrÂÚupperrrr)r5r3rúrÅÚresponseÚanswerr´s rÚ_smart_approverÚs€ð#Ø3Ð3Ð3Ð3Ð3Ð3ð=à ð=ð=ðð=ð=ð=ˆð8ØØ%°&Ð9Ð9Ð:ØØð ñ ô ˆðÔ" 1Ô%Ô-Ô5Ð;¸×BÒBÑDÔD×JÒJÑLÔLˆà˜ÐÐØ9Ø vÐ Ð Ø6à:øåðððÝŠÐHÈ!ÑLÔLÐLØˆzˆzˆzˆzˆzøøøøðøøøs‚A#A/Á'A/Á/ BÁ9BÂBÚenv_typec ó¨—|dvrdddœSt|¦«\}}|r3t d||dd…¦«t|¦«St tjd¦«¦«st¦«rdddœSt|¦«\}}}|sdddœSt¦«}t||¦«rdddœStjd¦«} tjd ¦«} | s6| s4tjd ¦«rt¦«dkr dd |›ddœSdddœS| stjd¦«r$t||||dœ¦«d|d||d|›d|›ddœSt|||¬¦«}|dkrdd|›d||dœS|dkrt||¦«n9|dkr3t||¦«t|¦«t!t"¦«dddœS)açCheck if a command is dangerous and handle approval. This is the main entry point called by terminal_tool before executing any command. It orchestrates detection, session checks, and prompting. Args: command: The shell command to check. env_type: Terminal backend type ('local', 'ssh', 'docker', etc.). approval_callback: Optional CLI callback for interactive prompts. Returns: {"approved": True/False, "message": str or None, ...} ©ÚdockerÚsingularityÚmodalÚdaytonaÚvercel_sandboxTN©r?rAú Hardline block: %s (command: %s)éÈÚHERMES_YOLO_MODEÚHERMES_INTERACTIVEÚHERMES_GATEWAY_SESSIONÚHERMES_CRON_SESSIONr—Fú'BLOCKED: Command flagged as dangerous (úË) but cron jobs run without a user present to approve it. Find an alternative approach that avoids this command. To allow dangerous commands in cron jobs, set approvals.cron_mode: approve in config.yaml.ÚHERMES_EXEC_ASK)r5rKr3Úapproval_requiredu.âš ï¸ This command is potentially dangerous (z3). Asking the user for approval. **Command:** ``` ú ```©r?rKÚstatusr5r3rA)rßzBBLOCKED: User denied this potentially dangerous command (matched 'zL' pattern). Do NOT retry this command - the user has explicitly rejected it.©r?rArKr3rÎrÐ)r=rr²rBrrÔÚgetenvrœrZr&r¥rør‹rárr§r¸r^)r5rrßÚis_hardlineÚ hardline_descÚis_dangerousrKr3rÚis_cliÚ is_gatewayr}s rÚcheck_dangerous_commandr) s×€ðÐRÐRÐRØ ¨TÐ2Ð2Ð2õ"9¸Ñ!AÔ!AÑ€KØð5ÝŠÐ9¸=È'ÐRVÐSVÐRVÌ-ÑXÔXÐXÝ% mÑ4Ô4Ð4õ•r”yÐ!3Ñ4Ô4Ñ5Ô5ð3Õ9XÑ9ZÔ9Zð3Ø ¨TÐ2Ð2Ð2å-EÀgÑ-NÔ-NÑ*€L+˜{Øð3Ø ¨TÐ2Ð2Ð2å)Ñ+Ô+€KÝ; Ñ,Ô,ð3Ø ¨TÐ2Ð2Ð2å ŒYÐ+Ñ ,Ô ,€FÝ”Ð3Ñ4Ô4€Jàð3˜*ð3å Œ9Ð*Ñ+Ô+ð Ý&Ñ(Ô(¨FÒ2Ð2à %ðGÀ+ðGðGðGð ð ð ð!¨TÐ2Ð2Ð2àð •R”YÐ0Ñ1Ô1ð Ý{ØØ&Ø&ð% ð% ñ ô ð ðØ&Ø)ØØ&ðVÀðVðVØGNðVðVðVð ð ð õ' w°Ø9JðLñLôL€FðÒÐàðvÐ\gðvðvðvØ&Ø&ð ð ð ðÒÐÝ˜ [Ñ1Ô1Ð1Ð1Ø 8Ò Ð Ý˜ [Ñ1Ô1Ð1Ý˜+Ñ&Ô&Ð&Ý Õ!4Ñ5Ô5Ð5à¨Ð.Ð.Ð.rÚ tirith_resultc ó—| d¦«pg}|s| d¦«pd}d|›Sg}|D]‘}| dd¦«}| dd¦«}| dd¦«}|r*|r(| |rd |›d |›d|›n|›d|›¦«Œp|r| |rd |›d |›n|¦«Œ’|s| d¦«pd}d|›Sdd |¦«zS)z²Build a human-readable description from tirith findings. Includes severity, title, and description for each finding so users can make an informed approval decision. ÚfindingsÚsummaryzsecurity issue detectedzSecurity scan: ÚseverityrÚtitler3Ú[z] z: uSecurity scan â€” ú; )r$ÚappendrÜ)r*r,r-ÚpartsÚfr.r/Údescs rÚ_format_tirith_descriptionr6pso€ð× Ò Ñ,Ô,Ð2°€HØð+Ø×#Ò# IÑ.Ô.ÐKÐ2KˆØ* Ð*Ð*Ð*à€EØ ðIðIˆØ—5’5˜ RÑ(Ô(ˆØ—’g˜rÑ"Ô"ˆØuŠu] BÑ'Ô'ˆØð ITð IØLŠL¸HÐ\Ð8˜XÐ8Ð8¨Ð8Ð8°$Ð8Ð8Ð8ÈUÐJ\ÐJ\ÐVZÐJ\ÐJ\Ñ]Ô]Ð]Ð]Ø ð IØLŠL°HÐGÐ0˜XÐ0Ð0¨Ð0Ð0Ð0À%ÑHÔHÐHøØð+Ø×#Ò# IÑ.Ô.ÐKÐ2KˆØ* Ð*Ð*Ð*à $§)¢)¨EÑ"2Ô"2Ñ2Ð2rc óL—|dvrdddœSt|¦«\}}|r3t d||dd…¦«t|¦«St ¦«}tt jd¦«¦«st¦«s|dkrdddœSt jd ¦«}t jd ¦«}t jd¦«}|sM|sK|sIt jd¦«r0t¦«d krt|¦«\} } }| r dd|›ddœSdddœSdgddœ} ddlm} | |¦«}n#t$rYnwxYwt|¦«\} }}g}t¦«}|ddvrs| d¦«pg}|r|d dd¦«nd}d|›}t!|¦«}t#||¦«s| ||df¦«| r(t#||¦«s| ||df¦«|sdddœS|dkr¨d d„|D¦«¦«}t)||¦«}|dkrD|D]\}}}t+||¦«Œt d |dd!…|¦«ddd|d"œS|d kr)d d#„|D¦«¦«}dd$|›d%dd&œSd d'„|D¦«¦«}|dd}d(„|D¦«}t/d)„|D¦«¦«}|s|r³d}t05t2 |¦«}ddd¦«n#1swxYwY|P||||d*œ}t5|¦«}t05t6 |g¦« |¦«ddd¦«n#1swxYwYt;d+|||t=|¦«|d,¬-¦« ||¦«n©#t>$rœ} t d.| ¦«t05t6 |g¦«}!||!vr|! |¦«|!st6 !|d¦«ddd¦«n#1swxYwYdd/||d0œcYd} ~ Sd} ~ wwxYwtE¦« d1d2¦«}" tG|"¦«}"n#tHtJf$rd2}"YnwxYw dd3l&m'}#n#t>$rd}#YnwxYwtQj)¦«}$|$tU|"d¦«z}%|$|$d4œ}&d}' |%tQj)¦«z }(|(dkrn;|j+ ,t[d5|(¦«¬6¦«rd}'n|#|#|&d7¦«ŒXt05t6 |g¦«}!||!vr|! |¦«|!st6 !|d¦«ddd¦«n#1swxYwY|j.})|'sd8n|)r|)nd8}*t;d9|||t=|¦«|d,|*¬:¦«|'r|)|)d kr|'sd;nd<}+dd=|+›d>||d0œS|D]^\}}},|)d?ks|)d@kr|,rt+||¦«Œ%|)d@kr3t+||¦«t_|¦«tatb¦«Œ_ddd|dAœSte|||||d*œ¦«d|dB||dC|›dD|›dEdFœSt;d+|||t=|¦«|dG¬-¦«tg||||¬H¦«})t;d9|||t=|¦«|dG|)¬:¦«|)d krddI||d0œS|D]^\}}},|)d?ks|)d@kr|,rt+||¦«Œ%|)d@kr3t+||¦«t_|¦«tatb¦«Œ_ddd|dAœS)JaCRun all pre-exec security checks and return a single approval decision. Gathers findings from tirith and dangerous-command detection, then presents them as a single combined approval request. This prevents a gateway force=True replay from bypassing one check when only the other was shown to the user. rTNrrrrrãrrrrr—Frrrör)Úactionr,r-r)Úcheck_command_securityr8)ÚblockÚwarnr,Úrule_idÚunknownztirith:Úsmartr1c3ó"K—|] \}}}|V—ŒdSrer+©r1Ú_r5s rr z+check_all_command_guards..îs(èè€Ð)JÐ)J±:°1°d¸A¨$Ð)JÐ)JÐ)JÐ)JÐ)JÐ)Jrrõz'Smart approval: auto-approved '%s' (%s)rï)r?rAÚsmart_approvedr3c3ó"K—|] \}}}|V—ŒdSrer+r@s rr z+check_all_command_guards..ús(èè€Ð-NÐ-N±z°q¸$À¨dÐ-NÐ-NÐ-NÐ-NÐ-NÐ-NrzBLOCKED by smart approval: z@. The command was assessed as genuinely dangerous. Do NOT retry.)r?rAÚsmart_deniedc3ó"K—|] \}}}|V—ŒdSrer+r@s rr z+check_all_command_guards..s(èè€Ð>Ð>¡z q¨$°˜dÐ>Ð>Ð>Ð>Ð>Ð>rcó—g|]\}}}|‘Œ Sr+r+)r1ÚkeyrAs rr4z,check_all_command_guards..s€Ð.Ð.Ð.™ ˜˜Q Ð.Ð.Ð.rc3ó"K—|] \}}}|V—ŒdSrer+)r1rAÚis_ts rr z+check_all_command_guards.. s(èè€Ð5Ð5™j˜a DTÐ5Ð5Ð5Ð5Ð5Ð5r)r5rKÚpattern_keysr3Úpre_approval_requestÚgateway)r5r3rKrJrÚsurfacez"Gateway approval notify failed: %sz?BLOCKED: Failed to send approval request to user. Do NOT retry.r"Úgateway_timeouti,)Útouch_activity_if_due)Ú last_touchrÛgð?rÉzwaiting for user approvalrÊÚpost_approval_response)r5r3rKrJrrMr}z timed outzdenied by userzBLOCKED: Command z. Do NOT retry this command.rÎrÐ)r?rAÚ user_approvedr3ruâš ï¸ z2. Asking the user for approval. **Command:** ``` rr Úcli)rºrßz#BLOCKED: User denied. Do NOT retry.)4r=rr²rBrírrÔr#rœrørZÚtools.tirith_securityr9ÚImportErrorr&r$r6r¥r2rÜrrrr£rsrqr`rprrr€rÚremoverxrërðrñròÚtools.environments.baserOÚtimeÚ monotonicÚmaxraÚwaitÚminrcr§r¸r^r‹rá)-r5rrßr$r%Ú approval_moder'r(Úis_askr&Ú_pkr3r*r9rKÚwarningsrr,r<Ú tirith_keyÚtirith_descÚcombined_desc_for_llmÚverdictrGrAÚ combined_descÚprimary_keyÚall_keysÚ has_tirithÚ notify_cbÚ approval_datar{rrƒrÊrOÚ_nowÚ _deadlineÚ_activity_stateÚresolvedÚ _remainingr}Ú_outcomeÚreasonÚ is_tiriths- rÚcheck_all_command_guardsrs‹sà€ðÐRÐRÐRØ ¨TÐ2Ð2Ð2õ"9¸Ñ!AÔ!AÑ€KØð5ÝŠÐ9¸=È'ÐRVÐSVÐRVÌ-ÑXÔXÐXÝ% mÑ4Ô4Ð4õ'Ñ(Ô(€MÝ•r”yÐ!3Ñ4Ô4Ñ5Ô5ð3Õ9XÑ9ZÔ9Zð3Ð^kÐotÒ^tÐ^tØ ¨TÐ2Ð2Ð2å ŒYÐ+Ñ ,Ô ,€FÝ”Ð3Ñ4Ô4€JÝ ŒYÐ(Ñ )Ô )€Fðð3˜*ð3¨Vð3å Œ9Ð*Ñ+Ô+ð Ý&Ñ(Ô(¨FÒ2Ð2å1IÈ'Ñ1RÔ1RÑ.˜c ;Øð à$)ðKÀkðKðKðKð ð ð ð!¨TÐ2Ð2Ð2ð '°BÀ2ÐFÐF€Mð Ø@Ð@Ð@Ð@Ð@Ð@Ø.Ð.¨wÑ7Ô7ˆ ˆ øÝð ð ð Øˆð øøøõ.FÀgÑ-NÔ-NÑ*€L+˜{ð €Hå)Ñ+Ô+€KðXÔÐ"3Ð3Ð3Ø ×$Ò$ ZÑ0Ô0Ð6°BˆØ;CÐR(˜1”+—/’/ )¨YÑ7Ô7Ð7ÈˆØ(˜wÐ(Ð(ˆ Ý0°Ñ?Ô?ˆÝ˜;¨ Ñ3Ô3ð =ØOŠO˜Z¨°dÐ;Ñ<Ô<Ð<àð?Ý˜;¨Ñ4Ô4ð ?ØOŠO˜[¨+°uÐ=Ñ>Ô>Ð>ðð3Ø ¨TÐ2Ð2Ð2ð˜ÒÐØ $§ ¢ Ð)JÐ)JÀÐ)JÑ)JÔ)JÑ JÔ JÐÝ Ð*?Ñ@Ô@ˆØiÒÐà%ð 2ð 2‘ Q˜Ý ¨SÑ1Ô1Ð1Ð1ÝLŠLÐBØ " œÐ'<ñ >ô >ð >à $°Ø&*Ø#8ð:ð:ð :ð˜Ò Ð Ø$(§I¢IÐ-NÐ-NÀXÐ-NÑ-NÔ-NÑ$NÔ$NÐ!à!ð\Ð9Nð\ð\ð\à $ð ðð ð—I’IÐ>Ð>°XÐ>Ñ>Ô>Ñ>Ô>€MØ˜1”+˜a”.€KØ.Ð. XÐ.Ñ.Ô.€HÝÐ5Ð5¨HÐ5Ñ5Ô5Ñ5Ô5€Jðð[ Vñ[ Øˆ Ý ð =ð =Ý+×/Ò/°Ñ<Ô<ˆIð =ð =ð =ñ =ô =ð =ð =ð =ð =ð =ð =øøøð =ð =ð =ð =ðÑ ð #Ø*Ø (Ø,ð ðˆMõ# =Ñ1Ô1ˆEÝð Jð JÝ×*Ò*¨;¸Ñ;Ô;×BÒBÀ5ÑIÔIÐIð Jð Jð Jñ Jô Jð Jð Jð Jð Jð Jð Jøøøð Jð Jð Jð Jõ Ø&ØØ)Ø'Ý! (™^œ^Ø'Ø!ð ñ ô ð ð Ø ˜-Ñ(Ô(Ð(Ð(øÝð ð ð Ý—’ÐCÀSÑIÔIÐIÝð?ð?Ý+×/Ò/°¸RÑ@Ô@EØ ~~ØŸš UÑ+Ô+Ð+Ø ð?Ý'×+Ò+¨K¸Ñ>Ô>Ð>ð?ð?ð?ñ?ô?ð?ð?ð?ð?ð?ð?øøøð?ð?ð?ð?ð!&Ø`Ø#.Ø#0ð ðððððððøøøøð øøøõ.+Ñ,Ô,×0Ò0Ð1BÀCÑHÔHˆGð Ý˜g™,œ,øÝ¥ Ð*ð ð ð Øð øøøð -ØIÐIÐIÐIÐIÐIÐIøÝð -ð -ð -Ø(,Ð%Ð%Ð%ð -øøøõ”>Ñ#Ô#ˆDØs 7¨A™œÑ.ˆIØ-1¸DÐAÐAˆOØˆHð Ø&¬Ñ)9Ô)9Ñ9 Ø ’??Øð”;×#Ò#C°°ZÑ,@Ô,@Ð#ÑAÔAðØ#HØØ(Ð4Ø)Ð)Ø'Ð)Dñôðð õ ð ;ð ;Ý'×+Ò+¨K¸Ñ<Ô<Ø˜E>>Ø—L’L Ñ'Ô'Ð'Øð;Ý#×'Ò'¨°TÑ:Ô:Ð:ð ;ð ;ð ;ñ ;ô ;ð ;ð ;ð ;ð ;ð ;ð ;øøøð ;ð ;ð ;ð ;ð”\ˆFð "*ð7 Ø &Ð5ff¨Ið õ Ø(ØØ)Ø'Ý! (™^œ^Ø'Ø!Øð ñ ô ð ðð ˜v˜~°¸6Ò1AÐ1AØ,4ÐJ˜˜Ð:Jà %ØW°6ÐWÐWÐWØ#.Ø#0ð ððð&.ð Bð BÑ!Q˜ Ø˜YÒ&Ð&¨6°XÒ+=Ð+=À)Ð+=Ý# K°Ñ5Ô5Ð5Ð5Ø˜xÒ'Ð'Ý# K°Ñ5Ô5Ð5Ý% cÑ*Ô*Ð*Ý,Õ-@ÑAÔAÐAøð!%°Ø%)¸-ðIðIð Iõ {ØØ&Ø$Ø(ð % ð% ñ ô ð ðØ&Ø)ØØ(àm˜-ÐmÐmÐ_fÐmÐmÐmð ð ð õØØØ!ØÝ˜(‘^”^ØØðñôðõ' w° Ø;E°~Ø9JðLñLôL€FõØ ØØ!ØÝ˜(‘^”^ØØØð ñ ô ð ðÒÐàØ<Ø&Ø(ð ð ð ð&ð:ð:ÑˆˆQ ØYÒÐ 6¨XÒ#5Ð#5¸)Ð#5å˜K¨Ñ-Ô-Ð-Ð-Ø xÒ Ð å˜K¨Ñ-Ô-Ð-Ý˜cÑ"Ô"Ð"Ý$Õ%8Ñ9Ô9Ð9øà¨Ø!°-ðAðAðAs°Ä+D=Ä= E Å E Ì,MÍMÍMÍ>/N9Î9N=ÏN=Ï(O4Ï4 RÏ>"RÐ AQ>Ñ2RÑ>R ÒRÒR Ò RÒRÒRÓSÓS&Ó%S&Ó*S1Ó1TÓ?TÖAW.×.W2×5W2)F)NTNre)armÚcontextvarsÚloggingrÔr-r×rfrXrUÚtypingrr±rÚutilsrÚ getLoggerrjrÚ ContextVarr ræÚ__annotations__rÚTokenrr r&Ú_SSH_SENSITIVE_PATHÚ_HERMES_ENV_PATHÚ_PROJECT_ENV_PATHÚ_PROJECT_CONFIG_PATHÚ_SENSITIVE_WRITE_TARGETÚ_PROJECT_SENSITIVE_WRITE_TARGETÚ _COMMAND_TAILÚ_CMDPOSÚHARDLINE_PATTERNSÚ IGNORECASEÚDOTALLr/r9Útupler=rorBÚDANGEROUS_PATTERNSrXrIrJrÚ_patternÚ_descriptionÚ_legacy_keyÚ_canonical_keyrr«rNr7rZÚLockrsr[r\r]r^r`rpr€rqÚobjectrur|r‡rðr…rˆr‹rr‘r•r˜ršrœr¥r§r¬rµr¸rárèrërírÑrørr)r6rsr+rrúrs¾ðððððÐÐÐØ€€€Ø € € € Ø € € € Ø € € € ØÐÐÐØ€€€ØÐÐÐØÐÐÐÐÐØ%Ð%Ð%Ð%Ð%Ð%à!Ð!Ð!Ð!Ð!Ð!à ˆÔ ˜8Ñ $Ô $€ð6L°[Ô5KØØð6ñ6ô6Ð{Ô-¨cÔ2ððñðM 3ðM°TðMðMðMðMð48¨ð8°Ô1BÀ3Ô1Gð8ð8ð8ð8ð ' [Ô%6°sÔ%;ð'Àð'ð'ð'ð'ð :ð: Sð:¸ð:ð:ð:ð:ð >ÐðððSÐØJÐðØððàððððð #UÐ):Ð"TÐ"TÐ=QÐ"TÐ"TÐ"TÐØ+€ ðFððWðJØ\à;à\ØWà>à9ð Ð3Ñ3Ð5MÐNØÐÑÐ!=Ð>ØÐ<Ñ<Ð>YÐZØÐ"Ñ"Ð$CÐDð+Ðð< ŒM˜BœIÑ%€ ððà 1ðñôÐð Sð ¨Uð ð ð ð ð ¨ð °ð ð ð ð ð(BØ5ðBà,ðBð>ðBðfð Bð pðBðAð BðNðBð'ðBð#ðBð.ðBð1ðBðFðBð4ðBð.ðBðaðBð 2ð!Bð"0ð#Bð$?ð%Bð(Pð)Bð*Vð+Bð,Ið-Bð.mð/Bð02Ð/Ð1Ð1Ð3RÐSð1Bð2/Ð,Ð.Ð.Ð0WÐXð3Bð4OÐ7ÐNÐN¸}ÐNÐNÐPvÐwð5Bð6LÐ4ÐKÐK¸MÐKÐKÐM{Ð|ð7Bð8-ð9Bð:9ð;Bð<-ð=BðDeðEBðFWðGBðJOðKBðLuðMBðPmðQBðZYð[Bð\_ð]Bð`CðaBðb]Ð&EÐ\Ð\È]Ð\Ð\ð_BðCðcBðdEðeBðfUðgBðlMðmBðrUðsBðtOðuBðvUðwBðxTðyBðz:ð{BðBSðCBÐðLðà 2ðñôÐðI ðI¨ðIðIðIðIð -/Ðd˜3 C¤˜=Ô)Ð.Ð.Ñ.Ø0ð^ð^Ñ€HˆlØ%Ð% hÑ/Ô/€KØ!€NØ×#Ò# N°C°C±E´EÑ:Ô:×AÒAÀ>ÐS^ÐB_Ñ`Ô`Ð`Ø×#Ò# K°°±´Ñ7Ô7×>Ò>ÀÈ^Ð?\Ñ]Ô]Ð]Ð]ð@ sð@¨s°3¬xð@ð@ð@ð@ð¨cð°cððððð$ cð¨eððððð$ ˆ ŒÑÔ€Ø€ˆ$ˆsDˆyŒ/ÐÐÑØ$&Ð4˜˜S˜”>Ð&Ð&Ñ&Ø˜#™%œ%€ ˆs3ŒxÐÐÑØ˜3™5œ5ÐSÐ Ð Ñ ð*ð*ð*ð*ð*ñ*ô*ð*ð$&€c˜4i”Ð%Ð%Ñ%Ø)+ÐT˜#˜v˜+Ô&Ð+Ð+Ñ+ð .¨ð .°Tð .ð .ð .ð .ð ¨3ð °4ð ð ð ð ð27ðð¨#ð°sðØ*.ðØ;>ððððð:6 sð6¨tð6ð6ð6ð6ð) ð)¨tð)ð)ð)ð)ðJ ðJ°3ðJðJðJðJð' Sð'¨Tð'ð'ð'ð'ð+ cð+¨dð+ð+ð+ð+ð ˜sð tð ð ð ð ð ,¨ð,°ð,ð,ð,ð,ðH¨ðHðHðHðHð D˜SðD¨sðD°tðDðDðDðDð- 3ð-ð-ð-ð-ð-˜Sð-ð-ð-ð-ð #ððððð$: sð:ð:ð:ð:ð =AØ6:Ø04ðmðm sðm¸ðmØ/2°T©zðmà/3ðmð:=ðmðmðmðmð` cððððð˜dððððð*˜Cð*ð*ð*ð*ð˜sððððð ð ð ð ð ð,˜Cð,¨cð,°cð,ð,ð,ð,ð`/3ð`/ð`/ Sð`/°Cð`/Ø7;ð`/ð`/ð`/ð`/ðN3¨dð3°sð3ð3ð3ð3ð804ðNAðNA cðNA°SðNAØ8<ðNAðNAðNAðNAðd ÐÑÔÐÐÐr