PR #18089: fix(approval): tighten 'delete in root path' regex to system-root targets only

• Repository: NousResearch/hermes-agent
• Author: briandevans
• State: open | merged: False
• Link: https://github.com/NousResearch/hermes-agent/pull/18089

Description (problem / solution / changelog)

Summary

The delete in root path rule in DANGEROUS_PATTERNS (tools/approval.py:215) matched ANY rm with an absolute path because the regex required only a single / after the optional flags. Tighten it so it fires on real system-root targets only — plain /, root globs, and the system top-level dirs already enumerated by HARDLINE_PATTERNS.

The bug

(r'\brm\s+(-[^\s]*\s+)*/', "delete in root path"),

The / after the flag group matches the leading / of any absolute path, regardless of where in the filesystem the target lives. Every rm /home/<user>/..., rm /tmp/..., rm /mnt/c/... is flagged as delete in root path and forced through an approval prompt — including routine cleanup of the agent's own working files. From the reporter's run:

rm -f /home/scott/hermes-home/fawn_lily_temp.html
↳ Reason: delete in root path

That's deleting one file in the user's home directory; nothing about it is near the system root.

The fix

Constrain what comes after the / to the genuinely-dangerous shapes:

(r'\brm\s+(-[^\s]*\s+)*/(\s|\*|$|\.\*|(bin|boot|dev|etc|lib|lib64|opt|proc|root|run|sbin|srv|sys|usr|var)(/|\s|$))', "delete in root path"),

System top-level dirs match the set already enumerated by the HARDLINE_PATTERNS rules at lines 144-148, so the two layers stay aligned. Recursive rm of any deeper path (including /home/...) is still caught by the separate -r/--recursive rules at lines 216-217 — coverage is unchanged for actually-recursive deletes.

Test plan

• Focused: tests/tools/test_approval.py — 143 passed (11 new in TestRmRootPathRegexPrecision)
• Adjacent: tests/tools/test_force_dangerous_override.py, test_approval_plugin_hooks.py, test_approval_heartbeat.py, test_cron_approval_mode.py — 37 passed
• Regression guard: each false-positive case in the table fails the old regex (old=True) and passes the new one (new=False); each true-positive case matches both. Verified end-to-end with re.compile(...).search(cmd).
• Confirmed rm -rf /home/user/.cache stays dangerous via the separate recursive delete rule (not via this rule), so coverage of recursive deletes is unchanged.

Pre-existing baseline failures in tests/tools/test_mcp_tool.py, test_mcp_oauth.py, test_mcp_reconnect_signal.py, test_tts_kittentts.py are orthogonal — those modules are untouched.

Related

• Fixes #18083
• Aligns the system-dir enumeration in DANGEROUS_PATTERNS with the existing HARDLINE_PATTERNS set at tools/approval.py:144-148
• Independent from #17962 (different rules; reverse-shell-via-flag and two-stage download-execute)

Changed files

• tests/tools/test_approval.py (modified, +80/-0)
• tools/approval.py (modified, +20/-1)