PR #13697: fix: approval prompt freeze — CLI thread-local + TUI blind-keystroke

• Repository: NousResearch/hermes-agent
• Author: teknium1
• State: closed | merged: True
• Link: https://github.com/NousResearch/hermes-agent/pull/13697

Description (problem / solution / changelog)

Restores dangerous-command approval in both CLI and TUI — approval prompts now accept keystrokes instead of freezing the terminal for 60s.

Salvage of #13634 by @Societus (rebase-merged for authorship preservation) + regression-guard tests.

Root cause

62348cff (#13525) moved _approval_callback / _sudo_password_callback to threading.local() to fix GHSA-qg5c-hvr5-hjgr (ACP race). CLI registers callbacks in the main thread but the agent runs in a daemon thread spawned by chat() — threading.local doesn't propagate, so _get_approval_callback() returned None in the agent thread and fell back to input(), which deadlocks inside prompt_toolkit.

TUI had an adjacent bug: useInputHandlers consumed keystrokes via return when isBlocked, but Ink's EventEmitter still delivered them to ApprovalPrompt — user saw a frozen overlay while blind keystrokes could silently approve dangerous commands session-wide or write to the permanent allowlist.

Changes

Validation

• tests/cli/test_cli_approval_ui.py tests/acp/test_approval_isolation.py tests/tools/test_command_guards.py — 35 passed
• E2E: confirmed main-thread registration is invisible to child thread on current main, and child-thread registration is visible + cleared on finally
• TUI: tsc --noEmit clean

Closes #13617, closes #13618.

Changed files

• cli.py (modified, +20/-0)
• tests/cli/test_cli_approval_ui.py (modified, +85/-0)
• ui-tui/src/app/useInputHandlers.ts (modified, +11/-0)

---

PR #13734: fix(agent): propagate approval callbacks to concurrent tool worker threads

• Repository: NousResearch/hermes-agent
• Author: andrewhosf
• State: open | merged: False
• Link: https://github.com/NousResearch/hermes-agent/pull/13734

Description (problem / solution / changelog)

Bug #13617 Regression: Concurrent tool execution deadlocks on dangerous-command approval

Summary

When the agent executes a batch of tools concurrently (e.g. read_file + terminal in the same turn), any dangerous-command approval prompt deadlocks. The user can type a selection but pressing Return has no effect; the prompt times out after 60 seconds and denies the command.

Root Cause

_execute_tool_calls_concurrent() in run_agent.py dispatches tool calls to a ThreadPoolExecutor. The dangerous-command approval callback (and sudo password callback) are stored in threading.local() inside tools/terminal_tool.py. Worker threads spawned by the executor cannot see callbacks registered in the parent agent thread, so _get_approval_callback() returns None.

When the callback is None, tools/approval.py falls back to plain input() in a background daemon thread. However, the Hermes CLI uses prompt_toolkit, which puts the terminal in raw mode. The background thread's input() competes with prompt_toolkit for stdin. The user can type characters (they may echo), but the Enter key is captured by prompt_toolkit and never reaches input(), causing a deadlock until the timeout fires.

Affected Code Paths

• run_agent.py → AIAgent._execute_tool_calls_concurrent() → _run_tool() worker function
• Any concurrent batch containing terminal, execute_code, or other tools that trigger dangerous-command detection

Fix

Capture the parent thread's approval/sudo callbacks before launching the thread pool, then register them locally inside each worker thread (and clear them on exit). This mirrors the existing fix pattern used in cli.py for the main agent worker thread.

Files Changed

• run_agent.py

Key Diff Points

1. Import callback getters/setters from tools.terminal_tool
2. Before defining _run_tool, snapshot _get_approval_callback() and _get_sudo_password_callback()
3. Inside _run_tool, after set_activity_callback(), register the callbacks:

   if _parent_approval_cb is not None:
       _set_approval_callback(_parent_approval_cb)
   if _parent_sudo_cb is not None:
       _set_sudo_password_callback(_parent_sudo_cb)

4. At the end of _run_tool, clear them:

   _set_approval_callback(None)
   _set_sudo_password_callback(None)

Regression Tests

• tests/cli/test_cli_approval_ui.py::TestApprovalCallbackThreadLocalWiring
  • test_main_thread_registration_is_invisible_to_child_thread
  • test_child_thread_registration_is_visible_and_cleared_in_finally

All 10 approval UI tests pass after the fix.

Related

• Original fix: GHSA-qg5c-hvr5-hjgr / #13617 (made callbacks thread-local)
• The original fix registered callbacks inside the main agent worker thread (cli.py ~8378) but missed the concurrent execution path (run_agent.py ~7876).

Changed files

• run_agent.py (modified, +33/-0)