From 4ec0adebe834c4a3a3838e83f47c7fadeb62380e Mon Sep 17 00:00:00 2001
From: teknium1 <127238744+teknium1@users.noreply.github.com>
Date: Sat, 30 May 2026 14:40:59 -0700
Subject: [PATCH] fix(gateway): denylist config.yaml for media delivery (belt-and-suspenders)

Defense-in-depth on top of the EphemeralReply gate: even if a config.yaml path reaches response text via some other path, it can never be delivered as a native attachment. Matches existing protection for .env, auth.json, and credentials/.

Co-authored-by: JezzaHehn
---
 gateway/platforms/base.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gateway/platforms/base.py b/gateway/platforms/base.py
index 6dbca9c7b..26a6274ee 100644
--- a/gateway/platforms/base.py
+++ b/gateway/platforms/base.py
@@ -954,11 +954,13 @@ def _media_delivery_denied_paths() -> List[Path]:
 home = Path(os.path.expanduser("~"))
 for sub in _MEDIA_DELIVERY_DENIED_HOME_SUBPATHS:
 denied.append(home / sub)
- # The Hermes home itself contains credentials (auth.json, .env) — only the
- # cache subdirectories under it are explicitly allowlisted above.
+ # The Hermes home itself contains credentials (auth.json, .env) and
+ # configuration (config.yaml) — only the cache subdirectories under it
+ # are explicitly allowlisted above.
 denied.append(_HERMES_HOME / ".env")
 denied.append(_HERMES_HOME / "auth.json")
 denied.append(_HERMES_HOME / "credentials")
+ denied.append(_HERMES_HOME / "config.yaml")
 return denied
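Review bot: The added `denied.append(_HERMES_HOME / "config.yaml")` makes this the fourth hand-maintained literal in the Hermes-home denylist, and the diffstat (1 file changed) shows no test was added to pin it, so the next sensitive file will be just as easy to forget as this one was. Since the hunk already iterates a module-level `_MEDIA_DELIVERY_DENIED_HOME_SUBPATHS` for `~`, the same shape fits here: define `_MEDIA_DELIVERY_DENIED_HERMES_HOME_NAMES = (".env", "auth.json", "credentials", "config.yaml")` beside it and replace the four appends with `for name in _MEDIA_DELIVERY_DENIED_HERMES_HOME_NAMES:` / `    denied.append(_HERMES_HOME / name)`, then add a regression test asserting every entry of that tuple resolves into `_media_delivery_denied_paths()`. Separately, these are exact-path entries; how the delivery check compares a candidate path (raw vs. `Path.resolve()`) is not visible in this hunk, and if it is a literal comparison a symlink, a `..` segment, or a differently named copy such as `config.yaml.bak` or `config.yml` would not match — worth confirming against the checker, and against whether the loader accepts alternate spellings. The start of `_media_delivery_denied_paths` (where `denied` is initialised and the cache allowlist the comment refers to lives) is outside this hunk.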