Issue Station
Sign In
Tools hereToolbox

hermes - 💡(How to fix) Fix Add optional alert when dangerous-command approval is waiting [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
NousResearch/hermes-agent#17934Fetched 2026-05-01 05:55:01
View on GitHub
Comments
0
Participants
1
Timeline
4
Reactions
0
Author
hanzckernelhanzckernel
Participants
hanzckernelhanzckernel
Timeline (top)
labeled ×4

Manual approvals are safety-critical, but the CLI prompt is easy to miss when the terminal is not focused. display.bell_on_complete only rings when the agent finishes a response; it does not alert when a dangerous-command approval is waiting.

Related timeout bugfix PR: #17933. That PR keeps scope to honoring the existing approvals.timeout config. This issue is for the separate alert/notification behavior.

Root Cause

Manual approvals are safety-critical, but the CLI prompt is easy to miss when the terminal is not focused. display.bell_on_complete only rings when the agent finishes a response; it does not alert when a dangerous-command approval is waiting.

Related timeout bugfix PR: #17933. That PR keeps scope to honoring the existing approvals.timeout config. This issue is for the separate alert/notification behavior.

Code Example

approvals:
  timeout: 600
  alert:
    enabled: true
    terminal_bell: true
    repeat_seconds: 10
    repeats: 6
RAW_BUFFERClick to expand / collapse

Dangerous-command approvals can currently wait silently if the user misses the prompt.

Context

Manual approvals are safety-critical, but the CLI prompt is easy to miss when the terminal is not focused. display.bell_on_complete only rings when the agent finishes a response; it does not alert when a dangerous-command approval is waiting.

Related timeout bugfix PR: #17933. That PR keeps scope to honoring the existing approvals.timeout config. This issue is for the separate alert/notification behavior.

Current behavior

  • A dangerous command opens the normal approval prompt.
  • If the user misses it, the prompt eventually times out and denies.
  • There is no approval-specific terminal bell, repeated alert, or notification.

Expected behavior

Add an optional approval-waiting alert that fires when an approval request is created and stops when the request is approved, denied, or times out.

A conservative config shape could be:

approvals:
  timeout: 600
  alert:
    enabled: true
    terminal_bell: true
    repeat_seconds: 10
    repeats: 6

Proposed boundary

  • Default off, or at most a single terminal bell if maintainers prefer a low-friction default.
  • V1 should be cross-platform and low-risk: terminal bell is enough.
  • Desktop notifications / macOS sounds can be a later opt-in path or plugin hook consumer.
  • Avoid arbitrary alert_command in v1 unless there is a stronger sandbox/trust story; running configured shell commands during dangerous-command approval is security-sensitive.
  • The alert must not auto-approve, bypass, or weaken the existing approval gate.
  • Repeated alerts should be rate-limited and must stop on approve/deny/timeout.

Acceptance sketch

  • CLI prompt_toolkit path triggers the alert when _approval_state is created.
  • Gateway approval path can either use the same hook/event or explicitly stay out of scope for v1.
  • Tests cover start/stop behavior and timeout cleanup.

extent analysis

TL;DR

Implement an optional approval-waiting alert that fires when a dangerous-command approval is created and stops when the request is approved, denied, or times out.

Guidance

  • Introduce a new configuration option approvals.alert to control the alert behavior, with properties like enabled, terminal_bell, repeat_seconds, and repeats.
  • Modify the CLI prompt_toolkit path to trigger the alert when the _approval_state is created, and stop the alert when the approval request is approved, denied, or times out.
  • Implement rate-limiting for repeated alerts to prevent overwhelming the user.
  • Ensure the alert does not auto-approve, bypass, or weaken the existing approval gate.

Example

approvals:
  timeout: 600
  alert:
    enabled: true
    terminal_bell: true
    repeat_seconds: 10
    repeats: 6

Notes

The implementation should be cross-platform and low-risk, with a focus on terminal bell alerts for v1. Desktop notifications and other alert methods can be considered for future versions.

Recommendation

Apply a workaround by implementing the proposed approvals.alert configuration option and modifying the CLI prompt_toolkit path to trigger the alert, as this provides a clear and controlled way to address the issue without introducing unnecessary complexity or security risks.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

Add an optional approval-waiting alert that fires when an approval request is created and stops when the request is approved, denied, or times out.

A conservative config shape could be:

approvals:
  timeout: 600
  alert:
    enabled: true
    terminal_bell: true
    repeat_seconds: 10
    repeats: 6
#task chaining#parallel task#integration issue#index setup#retrieval issue

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

hermes - 💡(How to fix) Fix Add optional alert when dangerous-command approval is waiting [1 participants]