Issue Station
Sign In
Tools hereToolbox

hermes - ✅(Solved) Fix Terminal prompts for sudo password even when local NOPASSWD sudo works [2 pull requests, 1 comments, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
NousResearch/hermes-agent#16630Fetched 2026-04-28 06:52:04
View on GitHub
Comments
1
Participants
1
Timeline
9
Reactions
0
Author
Mind-DragonMind-Dragon
Participants
Mind-DragonMind-Dragon
Timeline (top)
labeled ×5cross-referenced ×2closed ×1commented ×1

Fix Action

Fixed

PR fix notes

PR #16631: fix: skip sudo prompt when sudo -n already works

Description (problem / solution / changelog)

Prompt to Recreate

In NousResearch/hermes-agent, fix the terminal sudo handling so an interactive Hermes session does not prompt for a sudo password when the local host already supports passwordless sudo. Reproduce on current origin/main by setting HERMES_INTERACTIVE=1, leaving SUDO_PASSWORD unset, making _sudo_nopasswd_works() / sudo -n true return success, and calling tools.terminal_tool._transform_sudo_command("sudo whoami"). The command should remain sudo whoami with no stdin and _prompt_for_sudo_password() must not be called. Preserve explicit SUDO_PASSWORD behavior and do not use the host sudo probe for non-local terminal backends.

Tracking

This PR is the single tracking surface for the sudo NOPASSWD fix. The separate issue #16630 was closed to avoid split discussion.

Bug Description

Hermes prompts for a sudo password inside interactive CLI/TUI sessions even when the local user already has working NOPASSWD sudo.

Outside Hermes, sudo -n true exits 0. Inside Hermes, a real sudo ... terminal command still enters the password prompt path before execution.

Prior Art / Relationship to #7760

#7760 is the original atomic PR for this same behavior and touches the same two files. I checked it live before opening this current-main replacement:

  • #7760 is atomic: one commit, tools/terminal_tool.py + tests/tools/test_terminal_tool.py only.
  • #7760 is currently CONFLICTING / merge state DIRTY against main.
  • The authenticated account cannot update that branch (viewerCanUpdate=false).

This PR keeps the same atomic scope, rebased on current main, and adds one extra safety boundary: the host sudo -n true probe is local-terminal-only so host sudo state is not applied to Docker/SSH/Modal/etc.

Root Cause

_transform_sudo_command() checks configured/cached sudo passwords, then immediately prompts when HERMES_INTERACTIVE is set. It never first probes whether the local host can already run sudo non-interactively with sudo -n true.

Fix

  • Add _sudo_nopasswd_works().
  • Probe sudo -n true with stdin/stdout/stderr suppressed and a short timeout.
  • Re-probe before each sudo prompt decision instead of process-caching successful probes, so an active sudo timestamp expiring cannot make a later command block without Hermes prompting.
  • Use the probe before interactive prompting when no SUDO_PASSWORD or cached password exists.
  • Scope the probe to TERMINAL_ENV=local only, so host sudo state is not incorrectly applied to Docker/SSH/Modal/etc.
  • Preserve existing explicit SUDO_PASSWORD behavior.

How to Verify

/home/agent/hermes-agent/venv/bin/python -m pytest tests/tools/test_terminal_tool.py -q -o 'addopts=' --tb=short

Expected:

13 passed

Broader terminal regression run used locally:

/home/agent/hermes-agent/venv/bin/python -m pytest \
  tests/tools/test_terminal_tool.py \
  tests/tools/test_terminal_none_command_guard.py \
  tests/tools/test_terminal_tool_requirements.py \
  tests/tools/test_terminal_foreground_timeout_cap.py \
  tests/tools/test_terminal_timeout_output.py \
  tests/tools/test_terminal_output_transform_hook.py \
  tests/tools/test_terminal_requirements.py \
  tests/tools/test_terminal_compound_background.py \
  tests/tools/test_terminal_exit_semantics.py \
  -q -o 'addopts=' --tb=short

Expected:

114 passed

Test Plan

  • Watched new regression tests fail on current origin/main.
  • Watched the Copilot stale-cache regression fail before removing process-lifetime caching.
  • tests/tools/test_terminal_tool.py passes.
  • Broader terminal tool regression subset passes.
  • tools/terminal_tool.py py_compile passes.
  • git diff --check origin/main..HEAD passes.
  • Live local smoke: sudo -n true exits 0 and _transform_sudo_command("sudo true") returns ("sudo true", None).

Risk Assessment

Low. The behavior change only affects local terminal execution when no sudo password is configured/cached and local sudo -n true succeeds at the time Hermes is deciding whether to prompt. Non-local backends still avoid the host sudo probe, and configured SUDO_PASSWORD behavior remains unchanged.

Changed files

  • tests/tools/test_terminal_tool.py (modified, +49/-0)
  • tools/terminal_tool.py (modified, +25/-0)

PR #7760: fix: skip sudo prompt when sudo -n already works

Description (problem / solution / changelog)

Summary

  • detect when the current user already has passwordless sudo via sudo -n true
  • skip the interactive sudo password prompt in that case
  • add a regression test covering the NOPASSWD path

Problem

Hermes currently prompts for a sudo password whenever it sees a sudo command in interactive mode unless SUDO_PASSWORD is set. That happens even when the host is already configured with sudo NOPASSWD, so YOLO/approval settings can be off and the user still gets an unnecessary password prompt.

Test Plan

  • ./venv/bin/python -m pytest tests/tools/test_terminal_tool.py -q
  • local smoke test of _transform_sudo_command('sudo whoami') returning ('sudo whoami', None) when sudo -n works

Changed files

  • tests/tools/test_terminal_tool.py (modified, +18/-0)
  • tools/terminal_tool.py (modified, +29/-0)
RAW_BUFFERClick to expand / collapse

Closing this to keep the sudo NOPASSWD fix tracked in one place.

Canonical tracking/review surface: #16631

Please put any further discussion, review, or merge status on #16631 so the issue and PR do not split the same conversation.

extent analysis

TL;DR

Continue discussion and tracking of the sudo NOPASSWD fix in issue #16631.

Guidance

  • Direct all further conversation and review related to the sudo NOPASSWD fix to issue #16631 to maintain a centralized tracking and discussion thread.
  • Ensure that any updates, including merge status, are posted in #16631 for consistency and ease of tracking.
  • Avoid splitting the conversation across multiple issues or PRs to prevent confusion and miscommunication.

Notes

This guidance applies specifically to the context of tracking and discussing the sudo NOPASSWD fix. It's essential to follow the recommended process to ensure efficient issue management.

Recommendation

Apply workaround by directing all related discussion to #16631, as this allows for centralized tracking and review of the fix, ensuring that all relevant information and updates are easily accessible in one place.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#API routing#API middleware#SSR setup#ISR setup#authentication setup

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

hermes - ✅(Solved) Fix Terminal prompts for sudo password even when local NOPASSWD sudo works [2 pull requests, 1 comments, 1 participants]