fix(security): add bws_cache.json to file_safety read guard

The Bitwarden Secrets Manager disk cache introduced in #31968 stores
plaintext secret values at <hermes_home>/cache/bws_cache.json to avoid
re-fetching across back-to-back CLI invocations. The file was not added
to get_read_block_error()'s credential_file_names list, leaving the
agent able to read it directly via the read_file tool.

Add os.path.join("cache", "bws_cache.json") to credential_file_names
so both HERMES_HOME and the global root are covered, matching the
existing pattern used for auth.json, .anthropic_oauth.json, etc.

Other files under cache/ (images, documents, audio) are unaffected —
the check is an exact-file match, not a prefix match.

Verified: 11/11 exploit/regression scenarios pass; 38/38 existing
file_safety tests pass.
AhmetArif0
2026-05-25 16:29:14 +03:00
committed by Teknium
parent 71ae98b792
commit 4126da65ae

@ -249,6 +249,10 @@ def get_read_block_error(path: str) -> Optional[str]:
".env",
"webhook_subscriptions.json",
os.path.join("auth", "google_oauth.json"),
# Bitwarden Secrets Manager disk cache: stores plaintext secret values
# to avoid re-fetching across back-to-back CLI invocations. The file
# was introduced by #31968 but not added to this guard.
os.path.join("cache", "bws_cache.json"),
)
for hd in hermes_dirs:
for name in credential_file_names:
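
Review bot: The last sentence of the new comment above os.path.join("cache", "bws_cache.json") ("was introduced by #31968 but not added to this guard") describes the state before this commit and stops being true the moment the entry lands. Keep the first sentence, which explains why the file is sensitive, and leave the history to the commit message. Separately, the commit message says the check is an exact-file match, so this literal now has to stay in step with wherever the cache writer builds its path; if that path or filename changes, the guard stops covering the cache without any error. Consider referencing a constant shared with the cache code instead of repeating the string here, and adding a file_safety test that asserts get_read_block_error() returns an error for cache/bws_cache.json under each entry of hermes_dirs, so the 11 scenarios mentioned in the message are captured in the suite.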