common/hermes
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
c14bf441a313cf02b82f2964c1b46e5e252a12ba
hermes/tests
History
0xyg3n 19ba9e43b6 fix(gateway/discord): require allowlist auth on slash commands 
Slash commands (_run_simple_slash, _handle_thread_create_slash) bypassed
every DISCORD_ALLOWED_* gate enforced by on_message. Any guild member
could invoke /background (RCE via terminal), /restart, /model, /skill,
etc. CVSS 9.8 Critical.

- _evaluate_slash_authorization mirrors on_message gates (user, role,
  channel, ignored channel) with fail-closed semantics
- _check_slash_authorization sends ephemeral reject + logs + admin alert
- Auth gate runs before defer() so rejections are ephemeral
- /skill autocomplete returns [] for unauthorized users (no catalog leak)
- Component views (ExecApproval, SlashConfirm, UpdatePrompt, ModelPicker)
  now honor role allowlists via shared _component_check_auth helper
- Optional DISCORD_HIDE_SLASH_COMMANDS defense-in-depth
- Cross-platform admin alert (Telegram/Slack fallback) on unauthorized attempts

Based on PR #18125 by @0xyg3n.
2026-05-03 03:44:55 -07:00
..
acp
fix(acp): compact Zed tool replay rendering
2026-05-03 01:44:23 -07:00
acp_adapter
fix(acp): run /steer as a regular prompt on idle sessions (#18258)
2026-04-30 22:45:14 -07:00
agent
feat(openrouter): add response caching support (#19132)
2026-05-03 01:54:24 -07:00
cli
fix(compression): include system prompt + tool schemas in token estimates (#18265)
2026-04-30 23:03:54 -07:00
cron
fix(curator): rewrite cron job skill refs after consolidation (#18253)
2026-04-30 23:04:50 -07:00
e2e
fix(gateway): coerce plaintext "restart gateway" DMs to /restart
2026-04-28 01:40:28 -07:00
environments/benchmarks
fix(security): consolidated security hardening — SSRF, timing attack, tar traversal, credential leakage (#5944)
2026-04-07 17:28:37 -07:00
fakes
fix: streaming tool call parsing, error handling, and fake HA state mutation
2026-03-14 14:27:20 +03:00
gateway
fix(gateway/discord): require allowlist auth on slash commands
2026-05-03 03:44:55 -07:00
hermes_cli
test: add tests for cmd_key preservation through name clamping
2026-05-03 03:25:45 -07:00
hermes_state
fix(resume): redirect --resume to the descendant that actually holds the messages
2026-04-24 03:04:42 -07:00
honcho_plugin
feat(honcho): explain why when honcho_profile returns an empty card
2026-04-27 12:37:33 -07:00
integration
fix(discord): strip RTP padding before DAVE/Opus decode (#11267)
2026-04-16 16:50:15 -07:00
openviking_plugin
fix(openviking): pre-check fs/stat to route file URIs before hitting directory-only endpoints
2026-04-30 02:35:29 -07:00
plugins
feat(kanban): durable multi-profile collaboration board (#17805)
2026-04-30 13:36:47 -07:00
run_agent
feat(openrouter): add response caching support (#19132)
2026-05-03 01:54:24 -07:00
skills
test(openclaw-migration): cover alias reverse-lookup for real OpenClaw schema
2026-04-28 04:58:13 -07:00
stress
feat(kanban): durable multi-profile collaboration board (#17805)
2026-04-30 13:36:47 -07:00
tools
fix(curator): authoritative absorbed_into on delete + restore cron skill links on rollback (#18671) (#18731)
2026-05-02 01:29:57 -07:00
tui_gateway
fix(plugins): await async handlers in CLI and TUI dispatch
2026-04-30 19:56:18 -07:00
website
fix(website): auto-wrap ASCII-art code blocks in generated skill pages (#16497)
2026-04-27 03:38:39 -07:00
__init__.py
conftest.py
fix(ci): stabilize main test suite regressions (#17660)
2026-04-29 23:18:55 -07:00
run_interrupt_test.py
fix: thread safety for concurrent subagent delegation (#1672)
2026-03-17 02:53:33 -07:00
test_account_usage.py
feat(account-usage): add per-provider account limits module
2026-04-21 01:56:35 -07:00
test_atomic_replace_symlinks.py
refactor: consolidate symlink-safe atomic replace into shared helper
2026-04-28 04:58:22 -07:00
test_base_url_hostname.py
security(runtime_provider): close OLLAMA_API_KEY substring-leak sweep miss (#13522)
2026-04-21 06:06:16 -07:00
test_batch_runner_checkpoint.py
test: regression coverage for checkpoint dedup and inf/nan coercion
2026-04-24 14:32:21 -07:00
test_cli_file_drop.py
fix(tui): improve macOS paste and shortcut parity
2026-04-21 08:00:00 -07:00
test_cli_manual_compress.py
test(cli): regression test for manual /compress system_message
2026-04-28 05:21:49 -07:00
test_cli_skin_integration.py
fix(ci): stabilize main test suite regressions (#17660)
2026-04-29 23:18:55 -07:00
test_ctx_halving_fix.py
fix(tests): fix 78 CI test failures and remove dead test (#9036)
2026-04-13 10:50:24 -07:00
test_empty_model_fallback.py
fix: fall back to provider's default model when model config is empty (#8303)
2026-04-12 03:53:30 -07:00
test_evidence_store.py
feat: add OSS Security Forensics skill (Skills Hub) (#1482)
2026-03-15 21:59:53 -07:00
test_get_tool_definitions_cache_isolation.py
fix(tools): isolate get_tool_definitions quiet_mode cache + dedup LCM injection (#17335)
2026-04-30 04:32:06 -07:00
test_hermes_constants.py
fix(gateway): harden Docker/container gateway pathway
2026-04-12 16:36:11 -07:00
test_hermes_home_profile_warning.py
fix(constants): warn once when get_hermes_home() falls back under an active profile (#18746)
2026-05-02 01:49:55 -07:00
test_hermes_logging.py
fix(logging): attach gateway log after cli init
2026-04-26 19:01:26 -07:00
test_hermes_state.py
fix(state): include finish_reason in conversation replay
2026-04-30 20:40:28 -07:00
test_honcho_client_config.py
feat(memory): pluggable memory provider interface with profile isolation, review fixes, and honcho CLI restoration (#4623)
2026-04-02 15:33:51 -07:00
test_install_sh_setup_wizard_tty_probe.py
fix(install): widen /dev/tty open-probe to sibling gates (#16746)
2026-04-28 06:45:55 -07:00
test_ipv4_preference.py
feat: add network.force_ipv4 config to fix IPv6 timeout issues (#8196)
2026-04-11 23:12:11 -07:00
test_mcp_serve.py
feat: add MCP server mode — hermes mcp serve (#3795)
2026-03-29 15:47:19 -07:00
test_mini_swe_runner.py
fix(kimi): omit temperature entirely for Kimi/Moonshot models (#13157)
2026-04-20 12:23:05 -07:00
test_minimax_model_validation.py
fix(models): validate MiniMax models against static catalog (#12611, #12460, #12399, #12547)
2026-04-19 22:44:47 -07:00
test_minimax_oauth.py
test(cli): cover minimax-oauth resolution, refresh, menu wiring
2026-04-29 09:53:42 -07:00
test_minisweagent_path.py
chore: remove all remaining mini-swe-agent references
2026-03-24 08:19:23 -07:00
test_model_picker_scroll.py
fix: CLI/UX batch — ChatConsole errors, curses scroll, skin-aware banner, git state banner (#5974)
2026-04-07 17:59:42 -07:00
test_model_tools_async_bridge.py
fix(model_tools): cancel coroutine on timeout so worker thread exits + log full traceback
2026-04-29 05:00:40 -07:00
test_model_tools.py
fix(plugins): stop firing pre_tool_call hook twice per tool execution (#17611)
2026-04-29 12:43:39 -07:00
test_ollama_num_ctx.py
fix: provider/model resolution — salvage 4 PRs + MiniMax aux URL fix (#5983)
2026-04-07 22:23:28 -07:00
test_packaging_metadata.py
chore: prepare Hermes for Homebrew packaging (#4099)
2026-03-30 17:34:43 -07:00
test_plugin_skills.py
fix(tests): attach caplog to specific logger in 3 order-dependent tests (#11453)
2026-04-17 00:20:40 -07:00
test_project_metadata.py
build(deps): add qrcode to dingtalk + feishu extras (parity with messaging) (#11627)
2026-04-17 13:31:53 -07:00
test_retry_utils.py
feat(agent): add jittered retry backoff
2026-04-08 00:41:36 -07:00
test_sql_injection.py
fix(security): eliminate SQL string formatting in execute() calls
2026-03-19 15:16:35 +01:00
test_subprocess_home_isolation.py
fix: per-profile subprocess HOME isolation (#4426) (#7357)
2026-04-10 13:37:45 -07:00
test_timezone.py
test: speed up slow tests (backoff + subprocess + IMDS network) (#11797)
2026-04-17 14:21:22 -07:00
test_toolset_distributions.py
test: add unit tests for 8 modules (batch 2)
2026-02-26 13:54:20 +03:00
test_toolsets.py
feat(discord): split discord_server into discord + discord_admin tools
2026-04-25 04:50:14 -07:00
test_trajectory_compressor_async.py
fix(kimi): omit temperature entirely for Kimi/Moonshot models (#13157)
2026-04-20 12:23:05 -07:00
test_trajectory_compressor.py
fix(kimi): omit temperature entirely for Kimi/Moonshot models (#13157)
2026-04-20 12:23:05 -07:00
test_transform_tool_result_hook.py
test: stop testing mutable data — convert change-detectors to invariants (#13363)
2026-04-20 23:20:33 -07:00
test_tui_gateway_server.py
fix(approval): harden YOLO mode env parsing against quoted-bool strings
2026-04-30 20:37:37 -07:00
test_utils_truthy_values.py
Gate tool-gateway behind an env var, so it's not in users' faces until we're ready. Even if users enable it, it'll be blocked server-side for now, until we unlock for non-admin users on tool-gateway.
2026-03-30 13:28:10 +09:00
test_yuanbao_integration.py
yuanbao platform (#16298)
2026-04-26 18:50:49 -07:00
test_yuanbao_markdown.py
yuanbao platform (#16298)
2026-04-26 18:50:49 -07:00
test_yuanbao_pipeline.py
yuanbao platform (#16298)
2026-04-26 18:50:49 -07:00
test_yuanbao_proto.py
yuanbao platform (#16298)
2026-04-26 18:50:49 -07:00