Lines 234-274javascript
234 description: "Run-bound, hash-bound Phase 06 UAT recovery control. It is accepted only on an explicitly UAT-authorized Admin lifecycle and never on Customer or ordinary Admin lifecycles.",
236 schemaVersion: { type: "string", const: "hermes-admin-uat-control-v1" },
237 runId: { type: "string", pattern: "^\\d{8}T\\d{6}Z-[a-f0-9]{8}$" },
238 action: { type: "string", enum: ["authorize", "inject", "resume", "cleanup-only"] },
239 scenario: { type: "string", enum: ["browser_session_uncertain_create", "channel_uncertain_create"] },
240 controlHash: { type: "string", pattern: "^[a-f0-9]{64}$" },
242 required: ["schemaVersion", "runId", "action", "controlHash"],
245 required: ["action"],
249function isRecord(value) {
250 return Boolean(value) && typeof value === "object" && !Array.isArray(value);
252function liveVerificationContainsSecret(value) {
253 if (typeof value === "string") {
254 return /(?:xox[abprs]-|xapp-|skt_(?:live|test|dev)_|postgres(?:ql)?:\/\/|-----BEGIN PRIVATE KEY-----|\/Users\/)/i.test(value);
CriticalCritical Secret
Package contains a critical-looking secret pattern.
dist/tools/hermesOnboardingLifecycle.jsView on unpkg · L254 CriticalSecret Pattern
RSA private key in dist/tools/hermesOnboardingLifecycle.js
dist/tools/hermesOnboardingLifecycle.jsView on unpkg · L254 256 if (Array.isArray(value))
257 return value.some(liveVerificationContainsSecret);
258 if (!isRecord(value))
260 return Object.entries(value).some(([key, child]) => /(?:token|secret|totp|password|credential|api[_-]?key)/i.test(key)
261 || liveVerificationContainsSecret(child));
263function now(options) {
264 return (options.now ?? (() => new Date().toISOString()))();
267 throw new Error(code);
269function lifecycleRoot(adminHome) {
270 return path.join(adminHome, "hermes-onboarding-lifecycles");
272function ensureOwnedDirectory(root) {
273 if (!existsSync(root)) {
274 mkdirSync(root, { recursive: true, mode: 0o700 });