Issue Station
Sign In
Tools hereToolbox

hermes - ✅(Solved) Fix [Bug]: Agent assumes consent without it was given [1 pull requests, 1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
NousResearch/hermes-agent#24912Fetched 2026-05-14 03:50:39
View on GitHub
Comments
1
Participants
2
Timeline
6
Reactions
0
Author
tofalcktofalck
Participants
CaiMingFangCaiMingFangtofalcktofalck
Timeline (top)
labeled ×4commented ×1cross-referenced ×1

Error Message

Additional Logs / Traceback (optional)

Root Cause

Root Cause Analysis (optional)

Fix Action

Fixed

PR fix notes

PR #24923: fix(clarify): treat timeout as refusal instead of implicit consent

Description (problem / solution / changelog)

Summary

When the clarify tool times out (user does not respond within the configured window), the CLI callback currently returns:

"Use your best judgement to make the choice and proceed."

The LLM interprets this as permission to execute whatever action it was asking about — including destructive operations like rm -rf .git. This is a security/safety failure: silence is not consent.

Root Cause

In hermes_cli/callbacks.py, the clarify_callback function handles timeout by returning a message that explicitly tells the agent to proceed:

return (
    "The user did not provide a response within the time limit. "
    "Use your best judgement to make the choice and proceed."
)

This message is then passed to the LLM as the user's "response" to the clarify question. For permission-seeking questions ("May I delete .git?"), the LLM reads this as approval.

Fix

  1. hermes_cli/callbacks.py: Changed the timeout return message to explicitly refuse — "Treat this as a refusal — do NOT proceed with any pending destructive or irreversible action."

  2. tools/clarify_tool.py: Added timeout-refusal guidance to the tool description so the LLM understands the expected behavior before it even calls the tool.

  3. Regression test: Added test_timeout_refusal_response_passed_through to verify refusal messages are not overwritten by permissive language.

Testing

  • All 21 tests in tests/tools/test_clarify_tool.py pass (including the new regression test)
  • All 14 tests in tests/tools/test_clarify_gateway.py pass

Notes

  • The oneshot callback (hermes_cli/oneshot.py) intentionally uses permissive language for non-interactive hermes run mode — this is correct since oneshot has no user present.
  • The gateway does not pass a clarify_callback to AIAgent, so the clarify tool returns an error in gateway mode. This is a separate issue — the gateway should have its own clarify handling with proper timeout refusal behavior.
  • The TUI callback (tui_gateway/server.py) uses _block which waits indefinitely for the TUI response — no timeout handling needed there.

Fixes [Bug]: Agent assumes consent without it was given #24912

Changed files

  • hermes_cli/callbacks.py (modified, +4/-2)
  • tests/tools/test_clarify_tool.py (modified, +20/-0)
  • tools/clarify_tool.py (modified, +2/-0)

Code Example

The agent has also dumped api keys and what not so I'm not going to upload anything here. 

Hermes needs hardening around guard rails.

---
RAW_BUFFERClick to expand / collapse

Bug Description

I was in Slack doing a messy cleanup where we used git to merge a number of files into SKILL.md.

At the wrong point it prompted for permission to remove the .git folder.

I didn't give that consent as I was away - and wouldn't have anyway as it had gone off its rails and didn't complete the important rework we had going on.

The prompt timed out but the agent removed the .git folder on its own.

<img width="587" height="564" alt="Image" src="https://github.com/user-attachments/assets/2efdf326-2776-44b6-836b-5704b22390d3" />

So when a permission prompt times out (i.e., the user does not respond within the configured window), the agent incorrectly interprets the silence as consent and proceeds with the requested action.

Steps to Reproduce

  1. Agent identifies a need for a destructive or irreversible action (e.g., rm -rf .git).
  2. Agent calls clarify or equivalent tool to request permission.
  3. User does not respond within the timeout window.
  4. Agent proceeds with the action as if permission was granted.

Expected Behavior

A timeout must be treated as a definitive NO or PENDING. The agent must halt execution and wait for explicit user input. Permission boundaries are non-negotiable; silence is not consent.

Actual Behavior

The agent detects a timeout, defaults to consent = true, and executes the action without explicit user approval.

Affected Component

Agent Core (conversation loop, context compression, memory)

Messaging Platform (if gateway-related)

Slack

Debug Report

The agent has also dumped api keys and what not so I'm not going to upload anything here. 

Hermes needs hardening around guard rails.

Operating System

Debian 13 LXC under Proxmox

Python Version

3.11.15

Hermes Version

Hermes Agent v0.13.0 (2026.5.7)

Additional Logs / Traceback (optional)

Root Cause Analysis (optional)

This is a critical trust and safety failure. It violates the fundamental principle that agents must never assume authority over irreversible state changes without explicit user consent. It also breaks the operational contract where "no answer" means "wait."

Proposed Fix (optional)

Implement a strict state check in the permission loop:

  • Treat permissions as that, e.g. with proper ACL management
  • If timeout == true, immediately set consent = false.
  • Halt the action and return a "waiting for confirmation" state.
  • Do not default to proceeding or "best guess" execution for permission-gated steps.

Are you willing to submit a PR for this?

  • I'd like to fix this myself and submit a PR

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#container setup#orchestration issue#cache issue#memory leak

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

hermes - ✅(Solved) Fix [Bug]: Agent assumes consent without it was given [1 pull requests, 1 comments, 2 participants]