§
    ²ÙýiÊ>  ã                  óN  — U d Z ddlmZ ddlZddlZddlmZ ddlmZ ddl	m
Z
mZ ddlmZ  ej        e¦  «        Z ed¦  «        Zd	ed
<   d/d„Zdaded<   d0d„Z	 d1d2d„Z	 d1d3d„Zd4d„Zd4d„Z	 d1d5d „Zdad!ed"<   d6d$„Z	 d1d7d%„Zg d&¢Zd'ed(<   	 d1d7d)„Z	 d1d8d+„Z 	 d1d7d,„Z!d9d.„Z"dS ):uÜ  File passthrough registry for remote terminal backends.

Remote backends (Docker, Modal, SSH) create sandboxes with no host files.
This module ensures that credential files, skill directories, and host-side
cache directories (documents, images, audio, screenshots) are mounted or
synced into those sandboxes so the agent can access them.

**Credentials and skills** â€” session-scoped registry fed by skill declarations
(``required_credential_files``) and user config (``terminal.credential_files``).

**Cache directories** â€” gateway-cached uploads, browser screenshots, TTS
audio, and processed images.  Mounted read-only so the remote terminal can
reference files the host side created (e.g. ``unzip`` an uploaded archive).

Remote backends call :func:`get_credential_file_mounts`,
:func:`get_skills_directory_mount` / :func:`iter_skills_files`, and
:func:`get_cache_directory_mounts` / :func:`iter_cache_files` at sandbox
creation time and before each command (for resync on Modal).
é    )ÚannotationsN)Ú
ContextVar)ÚPath)ÚDictÚList)Úcfg_getÚ_registered_fileszContextVar[Dict[str, str]]Ú_registered_files_varÚreturnúDict[str, str]c                 ó’   — 	 t                                ¦   «         S # t          $ r! i } t                                | ¦  «         | cY S w xY w)zSGet or create the registered credential files dict for the current context/session.)r
   ÚgetÚLookupErrorÚset)Úvals    ú;/home/piyush/.hermes/hermes-agent/tools/credential_files.pyÚ_get_registeredr   %   sV   € ðÝ$×(Ò(Ñ*Ô*Ð*øÝð ð ð Ø ˆÝ×!Ò! #Ñ&Ô&Ð&Øˆ
ˆ
ˆ
ðøøøs   ‚ ›(AÁAzList[Dict[str, str]] | NoneÚ_config_filesr   c                 ó"   — ddl m}   | ¦   «         S )Nr   ©Úget_hermes_home)Úhermes_constantsr   r   s    r   Ú_resolve_hermes_homer   3   s"   € Ø0Ð0Ð0Ð0Ð0Ð0Øˆ?ÑÔÐó    ú/root/.hermesÚrelative_pathÚstrÚcontainer_baseÚboolc                ó:  — t          ¦   «         }t          j                             | ¦  «        rt                               d| ¦  «         dS || z  }ddlm}  |||¦  «        }|rt                               d| |¦  «         dS |                     ¦   «         }| 	                    ¦   «         st           
                    d|¦  «         dS |                     d¦  «        › d| › }t          |¦  «        t          ¦   «         |<   t           
                    d||¦  «         d	S )
a  Register a credential file for mounting into remote sandboxes.

    *relative_path* is relative to ``HERMES_HOME`` (e.g. ``google_token.json``).
    Returns True if the file exists on the host and was registered.

    Security: rejects absolute paths and path traversal sequences (``..``).
    The resolved host path must remain inside HERMES_HOME so that a malicious
    skill cannot declare ``required_credential_files: ['../../.ssh/id_rsa']``
    and exfiltrate sensitive host files into a container sandbox.
    zMcredential_files: rejected absolute path %r (must be relative to HERMES_HOME)Fr   ©Úvalidate_within_dirz1credential_files: rejected path traversal %r (%s)z)credential_files: skipping %s (not found)ú/z%credential_files: registered %s -> %sT)r   ÚosÚpathÚisabsÚloggerÚwarningÚtools.path_securityr"   ÚresolveÚis_fileÚdebugÚrstripr   r   )r   r   Úhermes_homeÚ	host_pathr"   Úcontainment_errorÚresolvedÚcontainer_paths           r   Úregister_credential_filer3   8   s;  € õ 'Ñ(Ô(€Kõ 
„w‡}‚}]Ñ#Ô#ð ÝŠØ[Øñ	
ô 	
ð 	
ð ˆuà˜mÑ+€Ið 8Ð7Ð7Ð7Ð7Ð7à+Ð+¨I°{ÑCÔCÐØð ÝŠØ?ØØñ	
ô 	
ð 	
ð
 ˆuà× Ò Ñ"Ô"€HØ×ÒÑÔð ÝŠÐ@À(ÑKÔKÐKØˆuà&×-Ò-¨cÑ2Ô2ÐDÐD°]ÐDÐD€NÝ(+¨H©¬…OÑÔnÑ%Ý
‡L‚LÐ8¸(ÀNÑSÔSÐSØˆ4r   ÚentriesÚlistú	List[str]c                ób  — g }| D ]©}t          |t          ¦  «        r|                     ¦   «         }nUt          |t          ¦  «        r?|                     d¦  «        p|                     d¦  «        pd                     ¦   «         }nŒ|sŒ„t          ||¦  «        s|                     |¦  «         Œª|S )zûRegister multiple credential files from skill frontmatter entries.

    Each entry is either a string (relative path) or a dict with a ``path``
    key.  Returns the list of relative paths that were NOT found on the host
    (i.e. missing files).
    r%   ÚnameÚ )Ú
isinstancer   ÚstripÚdictr   r3   Úappend)r4   r   ÚmissingÚentryÚrel_paths        r   Úregister_credential_filesrA   j   s¸   € ð €GØð 
%ð 
%ˆÝeSÑ!Ô!ð 	Ø—{’{‘}”}ˆHˆHÝ˜tÑ$Ô$ð 	ØŸ	š	 &Ñ)Ô)ÐD¨U¯YªY°vÑ->Ô->ÐDÀ"×KÒKÑMÔMˆHˆHàØð 	ØÝ'¨°.ÑAÔAð 	%ØNŠN˜8Ñ$Ô$Ð$øØ€Nr   úList[Dict[str, str]]c                 ó0  — t           t           S g } 	 ddlm} t          ¦   «         } |¦   «         }t	          |dd¦  «        }t          |t          ¦  «        rddlm} |D ]ü}t          |t          ¦  «        rå| 
                    ¦   «         rÑ| 
                    ¦   «         }t          j                             |¦  «        rt                               d|¦  «         Œz||z  } |||¦  «        }	|	rt                               d||	¦  «         Œª|                     ¦   «         }
|
                     ¦   «         r*d	|› }|                      t          |
¦  «        |d
œ¦  «         Œýn2# t&          $ r%}t                               d|¦  «         Y d}~nd}~ww xY w| a t           S )z=Load ``terminal.credential_files`` from config.yaml (cached).Nr   )Úread_raw_configÚterminalÚcredential_filesr!   z2credential_files: rejected absolute config path %rz8credential_files: rejected config path traversal %r (%s)z/root/.hermes/©r/   r2   z8Could not read terminal.credential_files from config: %s)r   Úhermes_cli.configrD   r   r   r:   r5   r)   r"   r   r;   r$   r%   r&   r'   r(   r*   r+   r=   Ú	Exception)ÚresultrD   r.   ÚcfgÚ
cred_filesr"   ÚitemÚrelr/   r0   Úresolved_pathr2   Úes                r   Ú_load_config_filesrQ   ƒ   sñ  € õ Ð ÝÐà#%€Fð VØ5Ð5Ð5Ð5Ð5Ð5Ý*Ñ,Ô,ˆØˆoÑÔˆÝ˜S *Ð.@ÑAÔAˆ
Ýj¥$Ñ'Ô'ñ 	Ø?Ð?Ð?Ð?Ð?Ð?à"ð ð Ý˜d¥CÑ(Ô(ð ¨T¯ZªZ©\¬\ð ØŸ*š*™,œ,CÝ”w—}’} SÑ)Ô)ð !ÝŸšØPÐRUñô ð ð !Ø +¨cÑ 1IØ(;Ð(;¸IÀ{Ñ(SÔ(SÐ%Ø(ð !ÝŸšØVØÐ!2ñô ð ð !Ø$-×$5Ò$5Ñ$7Ô$7MØ$×,Ò,Ñ.Ô.ð Ø)?¸#Ð)?Ð)?˜ØŸšÝ),¨]Ñ);Ô);Ø.<ð'ð 'ñ ô ð øøøõ ð Vð Vð VÝŠÐQÐSTÑUÔUÐUÐUÐUÐUÐUÐUøøøøðVøøøð €MÝÐs   ’E
E Å
FÅ'FÆFc                 óx  — i } t          ¦   «                              ¦   «         D ]+\  }}t          |¦  «                             ¦   «         r|| |<   Œ,t	          ¦   «         D ]@}|d         }|| vr2t          |d         ¦  «                             ¦   «         r|d         | |<   ŒAd„ |                      ¦   «         D ¦   «         S )zÁReturn all credential files that should be mounted into remote sandboxes.

    Each item has ``host_path`` and ``container_path`` keys.
    Combines skill-registered files and user config.
    r2   r/   c                ó   — g | ]
\  }}||d œ‘ŒS )rG   © )Ú.0ÚcpÚhps      r   ú
<listcomp>z.get_credential_file_mounts.<locals>.<listcomp>Ä   s4   € ð ð ð áˆBð ¨BÐ/Ð/ðð ð r   )r   Úitemsr   r+   rQ   )Úmountsr2   r/   r?   rV   s        r   Úget_credential_file_mountsr[   °   sÙ   € ð  €Fõ &5Ñ%6Ô%6×%<Ò%<Ñ%>Ô%>ð /ð /Ñ!ˆ˜	å	‰?Œ?×"Ò"Ñ$Ô$ð 	/Ø%.ˆF>Ñ"øõ $Ñ%Ô%ð ,ð ,ˆØÐ#Ô$ˆØVÐÐ¥ U¨;Ô%7Ñ 8Ô 8× @Ò @Ñ BÔ BÐØ˜{Ô+ˆF2‰Jøðð à—l’l‘n”nðñ ô ð r   úlist[Dict[str, str]]c                óâ  — g }t          ¦   «         }|dz  }|                     ¦   «         r=t          |¦  «        }|                     ||                      d¦  «        › ddœ¦  «         	 ddlm} t           |¦   «         ¦  «        D ]X\  }}|                     ¦   «         r?t          |¦  «        }|                     ||                      d¦  «        › d|› dœ¦  «         ŒYn# t          $ r Y nw xY w|S )aM  Return mount info for all skill directories (local + external).

    Skills may include ``scripts/``, ``templates/``, and ``references/``
    subdirectories that the agent needs to execute inside remote sandboxes.

    **Security:** Bind mounts follow symlinks, so a malicious symlink inside
    the skills tree could expose arbitrary host files to the container.  When
    symlinks are detected, this function creates a sanitized copy (regular
    files only) in a temp directory and returns that path instead.  When no
    symlinks are present (the common case), the original directory is returned
    directly with zero overhead.

    Returns a list of dicts with ``host_path`` and ``container_path`` keys.
    The local skills dir mounts at ``<container_base>/skills``, external dirs
    at ``<container_base>/external_skills/<index>``.
    Úskillsr#   ú/skillsrG   r   ©Úget_external_skills_dirsú/external_skills/)	r   Úis_dirÚ_safe_skills_pathr=   r-   Úagent.skill_utilsra   Ú	enumerateÚImportError)r   rZ   r.   Ú
skills_dirr/   ra   ÚidxÚext_dirs           r   Úget_skills_directory_mountrk   Ê   sI  € ð& €FÝ&Ñ(Ô(€KØ˜xÑ'€JØ×ÒÑÔð Ý% jÑ1Ô1ˆ	ØŠØ"Ø!/×!6Ò!6°sÑ!;Ô!;ÐDÐDÐDð
ð 
ñ 	ô 	ð 	ð
Ø>Ð>Ð>Ð>Ð>Ð>Ý%Ð&>Ð&>Ñ&@Ô&@ÑAÔAð 	ð 	‰LˆCØ~Š~ÑÔð Ý-¨gÑ6Ô6	Ø—’Ø!*Ø)7×)>Ò)>¸sÑ)CÔ)CÐ&[Ð&[ÐVYÐ&[Ð&[ðð ñ ô ð øð	øõ ð ð ð Øˆðøøøð €Ms   Á(A6C Ã
C,Ã+C,zPath | NoneÚ_safe_skills_tempdirrh   c                óÖ  ‡	‡
— d„ |                       d¦  «        D ¦   «         }|st          | ¦  «        S |D ]0}t                               d|t	          j        |¦  «        ¦  «         Œ1ddl}ddlŠ
ddl}t          r5t           
                    ¦   «         r‰
                     t          d¬¦  «         t          |                     d¬	¦  «        ¦  «        Š	‰	a	|                       d¦  «        D ]½}|                     ¦   «         rŒ|                     | ¦  «        }‰	|z  }| 
                    ¦   «         r|                     dd¬
¦  «         Œ]|                     ¦   «         rL|j                             dd¬
¦  «         ‰
                     t          |¦  «        t          |¦  «        ¦  «         Œ¾ˆ	ˆ
fd„}|                     |¦  «         t                               d‰	¦  «         t          ‰	¦  «        S )z@Return *skills_dir* if symlink-free, else a sanitized temp copy.c                ó:   — g | ]}|                      ¦   «         ¯|‘ŒS rT   )Ú
is_symlink)rU   Úps     r   rX   z%_safe_skills_path.<locals>.<listcomp>þ   s%   € ÐCÐCÐCa°A·L²L±N´NÐCÐCÐCÐCr   Ú*z:credential_files: skipping symlink in skills dir: %s -> %sr   NT©Úignore_errorszhermes-skills-safe-)Úprefix)ÚparentsÚexist_okc                 ób   •— ‰                       ¦   «         r‰                     ‰ d¬¦  «         d S d S )NTrr   )rc   Úrmtree)Úsafe_dirÚshutils   €€r   Ú_cleanupz#_safe_skills_path.<locals>._cleanup  s;   ø€ Ø?Š?ÑÔð 	8ØMŠM˜(°$ˆMÑ7Ô7Ð7Ð7Ð7ð	8ð 	8r   z8credential_files: created symlink-safe skills copy at %s)Úrglobr   r'   r(   r$   ÚreadlinkÚatexitrz   Útempfilerl   rc   rx   r   Úmkdtempro   Úrelative_toÚmkdirr+   ÚparentÚcopy2ÚregisterÚinfo)rh   ÚsymlinksÚlinkr~   r   rM   rN   Útargetr{   ry   rz   s            @@r   rd   rd   ú   s  øø€ ð DÐC˜:×+Ò+¨CÑ0Ô0ÐCÑCÔC€HØð Ý:‰ŒÐàð 0ð 0ˆÝŠÐSØRœ[¨Ñ.Ô.ñ	0ô 	0ð 	0ð 	0ð €M€M€MØ€M€M€MØ€O€O€Oõ ð @Õ 4× ;Ò ;Ñ =Ô =ð @ØŠÕ*¸$ˆÑ?Ô?Ð?åH×$Ò$Ð,AÐ$ÑBÔBÑCÔC€HØ#Ðà× Ò  Ñ%Ô%ð 	1ð 	1ˆØ?Š?ÑÔð 	ØØ×Ò˜zÑ*Ô*ˆØ˜C‘ˆØ;Š;‰=Œ=ð 	1ØLŠL °ˆLÑ5Ô5Ð5Ð5Ø\Š\‰^Œ^ð 	1ØŒM×Ò¨°tÐÑ<Ô<Ð<ØLŠL˜T™œ¥C¨¡K¤KÑ0Ô0Ð0øð8ð 8ð 8ð 8ð 8ð 8ð ‡O‚OHÑÔÐÝ
‡K‚KÐJÈHÑUÔUÐUÝˆx‰=Œ=Ðr   c                óP  — g }t          ¦   «         }|dz  }|                     ¦   «         r˜|                      d¦  «        › d}|                     d¦  «        D ]j}|                     ¦   «         s|                     ¦   «         sŒ+|                     |¦  «        }|                     t          |¦  «        |› d|› dœ¦  «         Œk	 ddl	m
} t           |¦   «         ¦  «        D ]´\  }}	|	                     ¦   «         sŒ|                      d¦  «        › d|› }|	                     d¦  «        D ]j}|                     ¦   «         s|                     ¦   «         sŒ+|                     |	¦  «        }|                     t          |¦  «        |› d|› dœ¦  «         ŒkŒµn# t          $ r Y nw xY w|S )	a>  Yield individual (host_path, container_path) entries for skills files.

    Includes both the local skills dir and any external dirs configured via
    skills.external_dirs.  Skips symlinks entirely.  Preferred for backends
    that upload files individually (Daytona, Modal) rather than mounting a
    directory.
    r^   r#   r_   rq   rG   r   r`   rb   )r   rc   r-   r|   ro   r+   r   r=   r   re   ra   rf   rg   )
r   rJ   r.   rh   Úcontainer_rootrM   rN   ra   ri   rj   s
             r   Úiter_skills_filesrŒ   %  s  € ð $&€Få&Ñ(Ô(€KØ˜xÑ'€JØ×ÒÑÔð 	Ø*×1Ò1°#Ñ6Ô6Ð?Ð?Ð?ˆØ×$Ò$ SÑ)Ô)ð 	ð 	ˆDØŠÑ Ô ð ¨¯ª©¬ð ØØ×"Ò" :Ñ.Ô.ˆCØMŠMÝ  ™YœYØ%3Ð";Ð";°cÐ";Ð";ðð ñ ô ð ð ðØ>Ð>Ð>Ð>Ð>Ð>Ý%Ð&>Ð&>Ñ&@Ô&@ÑAÔAð 	ð 	‰LˆCØ—>’>Ñ#Ô#ð ØØ .× 5Ò 5°cÑ :Ô :ÐRÐRÈSÐRÐRˆNØŸš cÑ*Ô*ð ð Ø—?’?Ñ$Ô$ð ¨D¯LªL©N¬Nð ØØ×&Ò& wÑ/Ô/Ø—’Ý!$ T¡¤Ø)7Ð&?Ð&?¸#Ð&?Ð&?ðð ñ ô ð ð ð	ð		øõ ð ð ð Øˆðøøøð €Ms   ÃCF Æ
F#Æ"F#))zcache/documentsÚdocument_cache)zcache/imagesÚimage_cache)zcache/audioÚaudio_cache)zcache/screenshotsÚbrowser_screenshotszlist[tuple[str, str]]Ú_CACHE_DIRSc                óî   — ddl m} g }t          D ]d\  }} |||¦  «        }|                     ¦   «         r?|                      d¦  «        › d|› }|                     t          |¦  «        |dœ¦  «         Œe|S )a   Return mount entries for each cache directory that exists on disk.

    Used by Docker to create bind mounts.  Each entry has ``host_path`` and
    ``container_path`` keys.  The host path is resolved via
    ``get_hermes_dir()`` for backward compatibility with old directory layouts.
    r   ©Úget_hermes_dirr#   rG   )r   r”   r‘   rc   r-   r=   r   )r   r”   rZ   Únew_subpathÚold_nameÚhost_dirr2   s          r   Úget_cache_directory_mountsr˜   a  s§   € ð 0Ð/Ð/Ð/Ð/Ð/à#%€FÝ!,ð ð ÑˆXØ!> +¨xÑ8Ô8ˆØ?Š?ÑÔð 	à .× 5Ò 5°cÑ :Ô :ÐJÐJ¸[ÐJÐJˆNØMŠMÝ  ™]œ]Ø"0ðð ñ ô ð øð €Mr   r/   c                óX  — t           j                             dd¦  «        dk    r| S t          | ¦  «        }t	          |¬¦  «        D ]c}t          |d         ¦  «        }	 |                     |¦  «        }t          t          |d         ¦  «        |z  ¦  «        c S # t          $ r Y Œ`w xY w| S )a  Translate a host cache path to its mounted path inside the sandbox.

    Returns the input unchanged if it is not under any auto-mounted cache
    directory, or if the active terminal backend does not require path
    translation (only Docker for now).
    ÚTERMINAL_ENVÚlocalÚdocker)r   r/   r2   )r$   Úenvironr   r   r˜   r   r   Ú
ValueError)r/   r   r%   Úmountr—   rN   s         r   Úto_agent_visible_cache_pathr    y  sÁ   € õ 
„z‡~‚~n gÑ.Ô.°(Ò:Ð:ØÐå	‰?Œ?€DÝ+¸>ÐJÑJÔJð ð ˆÝ˜˜kÔ*Ñ+Ô+ˆð	Ø×"Ò" 8Ñ,Ô,ˆCÝ•t˜EÐ"2Ô3Ñ4Ô4°sÑ:Ñ;Ô;Ð;Ð;Ð;øÝð 	ð 	ð 	ØˆHð	øøøàÐs   Á9BÂ
B'Â&B'c                ó¦  — ddl m} g }t          D ]À\  }} |||¦  «        }|                     ¦   «         sŒ&|                      d¦  «        › d|› }|                     d¦  «        D ]j}|                     ¦   «         s|                     ¦   «         sŒ+|                     |¦  «        }| 	                    t          |¦  «        |› d|› dœ¦  «         ŒkŒÁ|S )zëReturn individual (host_path, container_path) entries for cache files.

    Used by Modal to upload files individually and resync before each command.
    Skips symlinks.  The container paths use the new ``cache/<subdir>`` layout.
    r   r“   r#   rq   rG   )r   r”   r‘   rc   r-   r|   ro   r+   r   r=   r   )	r   r”   rJ   r•   r–   r—   r‹   rM   rN   s	            r   Úiter_cache_filesr¢   •  s  € ð 0Ð/Ð/Ð/Ð/Ð/à#%€FÝ!,ð ð ÑˆXØ!> +¨xÑ8Ô8ˆØŠÑ Ô ð 	ØØ*×1Ò1°#Ñ6Ô6ÐFÐF¸ÐFÐFˆØ—N’N 3Ñ'Ô'ð 	ð 	ˆDØŠÑ Ô ð ¨¯ª©¬ð ØØ×"Ò" 8Ñ,Ô,ˆCØMŠMÝ  ™YœYØ%3Ð";Ð";°cÐ";Ð";ðð ñ ô ð ð ð		ð €Mr   ÚNonec                 óF   — t          ¦   «                              ¦   «          dS )z8Reset the skill-scoped registry (e.g. on session reset).N)r   ÚclearrT   r   r   Úclear_credential_filesr¦   °  s    € åÑÔ×ÒÑÔÐÐÐr   )r   r   )r   r   )r   )r   r   r   r   r   r   )r4   r5   r   r   r   r6   )r   rB   )r   r   r   r\   )rh   r   r   r   )r   r   r   rB   )r/   r   r   r   r   r   )r   r£   )#Ú__doc__Ú
__future__r   Úloggingr$   Úcontextvarsr   Úpathlibr   Útypingr   r   rH   r   Ú	getLoggerÚ__name__r'   r
   Ú__annotations__r   r   r   r3   rA   rQ   r[   rk   rl   rd   rŒ   r‘   r˜   r    r¢   r¦   rT   r   r   ú<module>r°      s^  ððð ð ð( #Ð "Ð "Ð "Ð "Ð "à €€€Ø 	€	€	€	Ø "Ð "Ð "Ð "Ð "Ð "Ø Ð Ð Ð Ð Ð Ø Ð Ð Ð Ð Ð Ð Ð Ø %Ð %Ð %Ð %Ð %Ð %à	ˆÔ	˜8Ñ	$Ô	$€ð 5?°JÐ?RÑ4SÔ4SÐ Ð SÐ SÐ SÑ Sðð ð ð ð .2€Ð 1Ð 1Ð 1Ñ 1ðð ð ð ð *ð/ð /ð /ð /ð /ðh *ðð ð ð ð ð2*ð *ð *ð *ðZð ð ð ð6 *ð*ð *ð *ð *ð *ðZ %)Ð Ð (Ð (Ð (Ñ (ð(ð (ð (ð (ðX *ð+ð +ð +ð +ð +ðh&ð &ð &€ð ð ð ñ ð *ðð ð ð ð ð4 *ðð ð ð ð ð: *ðð ð ð ð ð6ð ð ð ð ð r   