From e946f49ab550325028694fd39b488d9d9eb4b099 Mon Sep 17 00:00:00 2001 From: Teknium <127238744+teknium1@users.noreply.github.com> Date: Mon, 1 Jun 2026 16:31:13 -0700 Subject: [PATCH] fix(models): add gemini-3.5-flash to Gemini OAuth + API-key pickers (#37046) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(file_tools): block agent writes to ~/.hermes/config.yaml to prevent silent approval bypass * fix(approval): pair terminal-side gate for ~/.hermes/config.yaml writes Subway2023's #14639 blocks write_file/patch to ~/.hermes/config.yaml, but the terminal side was only partially paired: echo>/tee/cp/mv to config.yaml already tripped the project-config pattern, while `sed -i` and direct edits slipped through with auto-approve. An unpaired write_file deny is theater per SECURITY.md — the agent could flip approvals.mode=off via `sed -i` and the mtime-keyed config cache reloads it mid-session. config.yaml IS the security policy (approvals.mode/yolo/permanent allowlist live there), so it warrants real pairing, not a half-door. Add a _HERMES_CONFIG_PATH fragment mirroring _HERMES_ENV_PATH, fold it into _SENSITIVE_WRITE_TARGET (covers tee/>/>>/cp/mv), and add sed -i coverage for both config.yaml and .env. Pins 9 regression tests including no-regression guards (reads pass, /tmp writes pass). Co-authored-by: sbw2025 * chore(release): map Subway2023 for PR #14639 salvage * fix(models): add gemini-3.5-flash to Gemini OAuth + API-key pickers #34581 swapped gemini-3-flash-preview -> gemini-3.5-flash in the OpenRouter and Nous lists but missed the curated Gemini catalogs, so the Google OAuth (google-gemini-cli) picker still offered the retired gemini-3-flash-preview slug and gemini-3.5-flash was unselectable. Per Google's docs gemini-3-flash-preview was renamed to gemini-3.5-flash and is served via Cloud Code Assist, so this completes the rename for: - google-gemini-cli (OAuth/Code Assist) picker - gemini (API-key) picker - gemini provider default_aux_model copilot keeps gemini-3-flash-preview (separate backend, own slug). --------- Co-authored-by: sbw2025 --- hermes_cli/models.py | 4 ++-- plugins/model-providers/gemini/__init__.py | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hermes_cli/models.py b/hermes_cli/models.py index 4c3b7b475..e1e066851 100644 --- a/hermes_cli/models.py +++ b/hermes_cli/models.py @@ -235,13 +235,13 @@ _PROVIDER_MODELS: dict[str, list[str]] = { "gemini": [ "gemini-3.1-pro-preview", "gemini-3-pro-preview", - "gemini-3-flash-preview", + "gemini-3.5-flash", "gemini-3.1-flash-lite-preview", ], "google-gemini-cli": [ "gemini-3.1-pro-preview", "gemini-3-pro-preview", - "gemini-3-flash-preview", + "gemini-3.5-flash", ], "zai": [ "glm-5.1", diff --git a/plugins/model-providers/gemini/__init__.py b/plugins/model-providers/gemini/__init__.py index 0812f07ba..f7ae69615 100644 --- a/plugins/model-providers/gemini/__init__.py +++ b/plugins/model-providers/gemini/__init__.py @@ -56,7 +56,7 @@ gemini = GeminiProfile( env_vars=("GOOGLE_API_KEY", "GEMINI_API_KEY"), base_url="https://generativelanguage.googleapis.com/v1beta", auth_type="api_key", - default_aux_model="gemini-3-flash-preview", + default_aux_model="gemini-3.5-flash", ) google_gemini_cli = GeminiProfile(