iUdZddlmZddlZddlmZddlmZddlm Z ej e Z edZ ded <dd Zdad ed<ddZddZd dZd!dZd dZd"dZdS)#uaEnvironment variable passthrough registry. Skills that declare ``required_environment_variables`` in their frontmatter need those vars available in sandboxed execution environments (execute_code, terminal). By default both sandboxes strip secrets from the child process environment for security. This module provides a session-scoped allowlist so skill-declared vars (and user-configured overrides) pass through. Two sources feed the allowlist: 1. **Skill declarations** — when a skill is loaded via ``skill_view``, its ``required_environment_variables`` are registered here automatically. 2. **User config** — ``terminal.env_passthrough`` in config.yaml lets users explicitly allowlist vars for non-skill use cases. Both ``code_execution_tool.py`` and ``tools/environments/local.py`` consult :func:`is_env_passthrough` before stripping a variable. ) annotationsN) ContextVar)Iterable)cfg_get_allowed_env_varszContextVar[set[str]]_allowed_env_vars_varreturnset[str]c tS#t$r-t}t||cYSwxYw)zGGet or create the allowed env vars set for the current context/session.)rget LookupErrorset)vals :/home/ubuntu/.hermes/hermes-agent/tools/env_passthrough.py _get_allowedr"sZ$((*** !!#&&& s4AAzfrozenset[str] | None_config_passthroughnamestrboolc< ddlm}n#t$rYdSwxYw||vS)uTrue if ``name`` is a Hermes-managed provider credential (API key, token, or similar) per ``_HERMES_PROVIDER_ENV_BLOCKLIST``. Skill-declared ``required_environment_variables`` frontmatter must not be able to override this list — that was the bypass in GHSA-rhgp-j443-p4rf where a malicious skill registered ``ANTHROPIC_TOKEN`` / ``OPENAI_API_KEY`` as passthrough and received the credential in the ``execute_code`` child process, defeating the sandbox's scrubbing guarantee. Non-Hermes API keys (TENOR_API_KEY, NOTION_TOKEN, etc.) are NOT in the blocklist and remain legitimately registerable — skills that wrap third-party APIs still work. r)_HERMES_PROVIDER_ENV_BLOCKLISTF)tools.environments.localr Exception)rrs r_is_hermes_provider_credentialr0sJKKKKKKK uu 1 11s   var_names Iterable[str]Nonec |D]}|}|st|rtd|Dt |td|dS)uRegister environment variable names as allowed in sandboxed environments. Typically called when a skill declares ``required_environment_variables``. Variables that are Hermes-managed provider credentials (from ``_HERMES_PROVIDER_ENV_BLOCKLIST``) are rejected here to preserve the ``execute_code`` sandbox's credential-scrubbing guarantee per GHSA-rhgp-j443-p4rf. A skill that needs to talk to a Hermes-managed provider should do so via the agent's main-process tools (web_search, web_extract, etc.) where the credential remains safely in the main process. Non-Hermes third-party API keys (TENOR_API_KEY, NOTION_TOKEN, etc.) pass through normally — they were never in the sandbox scrub list. zenv passthrough: refusing to register Hermes provider credential %r (blocked by _HERMES_PROVIDER_ENV_BLOCKLIST). Skills must not override the execute_code sandbox's credential scrubbing; see GHSA-rhgp-j443-p4rf.zenv passthrough: registered %sN)striprloggerwarningradddebug)rrs rregister_env_passthroughr$Fs ==zz||   )$ / /  NNA     4    5t<<<<==frozenset[str]cttSt} ddlm}|}t |dd}t |t rU|D]R}t |tr;|r'| |Sn2#t$r%}t d|Yd}~nd}~wwxYwt|atS)z9Load ``tools.env_passthrough`` from config.yaml (cached).Nr)read_raw_configterminalenv_passthroughz4Could not read tools.env_passthrough from config: %s)rrhermes_cli.configr(r isinstancelistrrr"rr r# frozenset)resultr(cfg passthroughitemes r_load_config_passthroughr4gs &""uuF P555555oc:/@AA k4 ( ( -# - -dC((-TZZ\\-JJtzz||,,, PPP KQOOOOOOOOP$F++ sB B** C4CCvar_namecF|tvrdS|tvS)zCheck whether *var_name* is allowed to pass through to sandboxes. Returns ``True`` if the variable was registered by a skill or listed in the user's ``tools.env_passthrough`` config. T)rr4)r5s ris_env_passthroughr7}s* <>>!!t /11 11r%cVtttzS)zGReturn the union of skill-registered and config-based passthrough vars.)r.rr4r%rget_all_passthroughr:s \^^ $ $'?'A'A AAr%cFtdS)z9Reset the skill-scoped allowlist (e.g. on session reset).N)rclearr9r%rclear_env_passthroughr=sNNr%)r r )rrr r)rrr r)r r&)r5rr r)r r)__doc__ __future__rlogging contextvarsrtypingrr+r getLogger__name__r r__annotations__rrrr$r4r7r:r=r9r%rrFsG&#"""""""""""%%%%%%  8 $ $/9j9L.M.MMMMM.211112222,====B,2222BBBB r%