feat(chat): handle gateway sudo.request / secret.request via hardened modal

[0xr00tf3rr3t]

Summary

• handle the gateway's sudo.request / secret.request prompts instead of dead-ending the turn with "Hermes One does not yet expose that gateway dialog" (the same dead-end feat(chat): render gateway clarify.request as an inline card #604 removed for clarify.request)
• a sudo password / secret value is sensitive, so — unlike the inline clarify card — it is collected in the app's existing hardened askpass modal (CSP default-src 'none', script-src 'none', sandboxed, contextIsolation, ephemeral data-URL) and never rendered into the chat transcript or persisted
• showPasswordDialog is parameterized with title / heading (defaults unchanged, so the installer's existing call is untouched) and exported; gatewayPrompt.ts wraps it as promptSudoPassword() / promptSecretValue(envVar, prompt)
• answers are forwarded with the gateway's exact shapes — sudo.respond { request_id, password } and secret.respond { request_id, value } — and Cancel maps to an empty answer, a safe skip the gateway already handles (secret.request → { skipped: true }; sudo -S -p '' lets the terminal prompt fail cleanly), so the turn never wedges

Why a modal, not an inline card

clarify.request (#604) is a non-sensitive question → inline transcript card. A sudo password or secret must never land in scrollback, so this reuses the installer's already-hardened askpass dialog rather than introducing a new surface. Same trust boundary the app already uses to collect the installer's sudo password.

Testing

• npm run typecheck
• npm run build
• npm run lint -- --quiet (no new problems from this change; one pre-existing error in src/main/ssh-remote.ts is untouched here)
• git diff --check
• npm test — 1052 passing (+4 new askpass-security.test.ts cases: modal reuse, no-log/no-persist, exact respond shapes, cancel→skip)

Note

Stacked on #604 (inline clarify card) — that branch is its base, so the diff shows the clarify commits too until #604 merges. The only new commit here is the top one (feat(chat): handle gateway sudo.request / secret.request via hardened modal). Happy to rebase onto main once #604 lands.

[greptile-apps]

Greptile Summary

This PR wires up the gateway's sudo.request and secret.request events by collecting credentials through the existing hardened askpass modal (showPasswordDialog), keeping sensitive values out of the chat transcript entirely. It also implements clarify.request as an inline card in the transcript. The showPasswordDialog function is exported and parameterised with title/heading while preserving the installer's existing defaults.

• gatewayPrompt.ts wraps the askpass modal for both sudo and secret prompts; answers are forwarded to the gateway via the correct sudo.respond/secret.respond shapes, and cancel maps to \"\" (a safe skip).
• ClarifyCard.tsx renders mid-turn clarifying questions inline; choice buttons, open-ended textarea, skip, and resolved read-only state are all handled, with error feedback if IPC delivery fails.
• repositionClarifyCards in sessionHistory.ts re-anchors renderer-only clarify cards to their original chronological position after reconcileStreamedWithDb, preventing them from appearing below post-answer agent content.

Confidence Score: 3/5

Safe to merge after adding a finished guard in the sudo/secret .then() callback; without it a cancelled turn can still dispatch credentials to a dead gateway session.

The sudo/secret collect-and-forward chain fires unconditionally once the modal resolves, even if the turn was cancelled or errored while the modal was open. The finished flag is in scope and used everywhere else in the same function, but it is not checked at the top of the .then() callback. This means a user who dismisses or submits the askpass modal after aborting their turn will have their credential forwarded to a session the gateway is no longer expecting, and the 300 s client.request timeout will hang until the gateway rejects.

src/main/hermes.ts — the sudo/secret event handler around the void collect.then() block

Important Files Changed

Filename	Overview
src/main/hermes.ts	Adds clarify/sudo/secret event handlers; sudo/secret path lacks a finished guard before forwarding credentials to the gateway, so a turn cancellation while the modal is open can still dispatch sudo.respond/secret.respond on a dead session
src/main/gatewayPrompt.ts	New module cleanly wraps showPasswordDialog for sudo/secret prompts; heading/prompt are HTML-escaped by buildDialogHtml; cancel correctly maps to ""
src/main/askpass.ts	showPasswordDialog exported and parameterized with title/heading; buildDialogHtml updated to escape both prompt and heading; backward-compatible defaults preserved
src/main/index.ts	Wires setGatewayPromptParent and the clarify-respond IPC handler correctly; payload coercion with ?? "" is safe
src/renderer/src/screens/Chat/ClarifyCard.tsx	New inline clarify component with choice buttons / textarea / skip; error/retry logic and resolved read-only state handled correctly
src/renderer/src/screens/Chat/sessionHistory.ts	repositionClarifyCards correctly re-anchors renderer-only clarify cards after reconcile; leading-card and missing-predecessor safety nets in place
src/renderer/src/screens/Chat/hooks/useChatIPC.ts	onClarifyRequest listener correctly deduplicates by requestId and cleans up in the useEffect teardown
tests/askpass-security.test.ts	New static-analysis tests verify modal reuse, no-log/no-persist, exact respond shapes, and cancel→skip mapping

_{Reviews (1): Last reviewed commit: "feat(chat): handle gateway sudo.request ..." | Re-trigger Greptile}

[greptile-apps]

Missing finished guard before forwarding credentials to the gateway. If cancel() or finish() is called while the askpass modal is still open (e.g. the user aborts the chat turn), finished becomes true but the modal stays open with no way to dismiss it programmatically. When the user eventually submits the modal, collect resolves and the .then() fires unconditionally — forwarding the sudo password or secret value to the gateway on a session that has already been torn down. The clarify path avoids this by clearing pendingClarify in finish()/cancel(), making stale responses a no-op; the same protection is missing here.

Suggested change

	void collect
	.then((answer) => {
	const method = isSudo ? "sudo.respond" : "secret.respond";
	const params = isSudo
	? { request_id: requestId, password: answer }
	: { request_id: requestId, value: answer };
	return client.request(method, params, 300_000);
	})
	void collect
	.then((answer) => {
	if (finished) return;
	const method = isSudo ? "sudo.respond" : "secret.respond";
	const params = isSudo
	? { request_id: requestId, password: answer }
	: { request_id: requestId, value: answer };
	return client.request(method, params, 300_000);
	})

[greptile-apps]

envVar used verbatim in the modal heading without sanitisation. envVar comes directly from event.payload.env_var in the gateway event stream — an untrusted, agent-controlled string. It flows into the heading option and is rendered as <div class="title">${safeHeading}</div> in buildDialogHtml, which does HTML-escape it, so the XSS risk in the rendered DOM is mitigated. However, the raw value also appears in the title option, which is used as the OS-level window title (win.title), where HTML escaping is irrelevant. A length cap and simple printable-chars validation on envVar would close the spoofing surface entirely.

[0xr00tf3rr3t]

Addressed Greptile's finding + added security provider integration:

1. finished guard — added if (finished) return; at the top of the .then() callback (commit c07534e). A turn cancelled while the askpass modal is open no longer dispatches credentials to a dead gateway session.

2. Vault-first secret resolution — for secret.request, the handler now calls getSecret(env_var, profile) from the configured security provider before falling back to the interactive modal. If the vault already holds the key (e.g. it was loaded for the provider at chat-start), the secret is answered silently without prompting the user. sudo.request always goes to the modal — no vault lookup applies to passwords.

Rebased onto current main. typecheck:node clean, askpass-security.test.ts 10/10 passing.