From 726cf90f98bf08faa9fd9f7db398911a19fc31f7 Mon Sep 17 00:00:00 2001
From: Hermes Agent
Date: Sat, 11 Apr 2026 18:19:37 +0000
Subject: [PATCH] fix: address remaining review items from cursor bugbot

- hermes_cli/main.py: move container routing BEFORE parse_args() so --help, unrecognised flags, and all subcommands are forwarded transparently into the container instead of being intercepted by argparse on the host (high severity)
- nix/nixosModules.nix: resolve home dirs via config.users.users.${user}.home instead of hardcoding /home/${user}, supporting users with custom home directories (medium severity)
- nix/nixosModules.nix: gate hostUsers group membership on container.enable so setting hostUsers without container mode doesn't silently add users to the hermes group (low severity)
---
 hermes_cli/main.py | 10 ++++++----
 nix/nixosModules.nix | 7 ++++---
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/hermes_cli/main.py b/hermes_cli/main.py
index bf83065f91..76596f9234 100644
--- a/hermes_cli/main.py
+++ b/hermes_cli/main.py
@@ -5758,12 +5758,11 @@ Examples:
 # Pre-process argv so unquoted multi-word session names after -c / -r
 # are merged into a single token before argparse sees them.
 # e.g. ``hermes -c Pokemon Agent Dev`` → ``hermes -c 'Pokemon Agent Dev'``
- _processed_argv = _coalesce_session_name_args(sys.argv[1:])
- args = parser.parse_args(_processed_argv)
-
 # ── Container-aware routing ────────────────────────────────────────
 # When NixOS container mode is active, route ALL subcommands into
- # the managed container. This runs before any subcommand dispatch.
+ # the managed container. This MUST run before parse_args() so that
+ # --help, unrecognised flags, and every subcommand are forwarded
+ # transparently instead of being intercepted by argparse on the host.
 try:
 from hermes_cli.config import get_container_exec_info
 container_info = get_container_exec_info()
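Review bot: The routing block moved ahead of `parse_args()` still ends in the catch-all `except Exception: pass` visible at the top of the next hunk, so any failure in `get_container_exec_info()` or in the forwarding code makes the CLI fall through and run on the host without a message. Now that routing is the first thing every invocation does, that fallback alone decides whether a command runs inside or outside the container, and a host configured for container mode would presumably want a routing error to be loud. I would catch only the expected "not available" case (for example `except ImportError:`) and report and stop for anything else: `print(f"hermes: container routing failed: {exc}", file=sys.stderr)` followed by `sys.exit(1)`. The middle of the `try` body lies between the two hunks and is not visible here, so confirm which exceptions it can raise before narrowing.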
@@ -5775,6 +5774,9 @@ Examples:
 except Exception:
 pass # Container routing unavailable, proceed locally

+ _processed_argv = _coalesce_session_name_args(sys.argv[1:])
+ args = parser.parse_args(_processed_argv)
+
 # Handle --version flag
 if args.version:
 cmd_version(args)
diff --git a/nix/nixosModules.nix b/nix/nixosModules.nix
index 918c52c149..0a5e78ec0c 100644
--- a/nix/nixosModules.nix
+++ b/nix/nixosModules.nix
@@ -568,7 +568,7 @@ }) # ── Host user group membership ───────────────────────────────────── - (lib.mkIf (cfg.container.hostUsers != []) { + (lib.mkIf (cfg.container.enable && cfg.container.hostUsers != []) { users.users = lib.genAttrs cfg.container.hostUsers (user: { extraGroups = [ cfg.group ]; });
@@ -659,7 +659,8 @@ HERMES_CONTAINER_MODE_EOF # Remove symlink bridge for hostUsers ${lib.concatStringsSep "\n" (map (user: let - symlinkPath = "/home/${user}/.hermes"; + userHome = config.users.users.${user}.home; + symlinkPath = "${userHome}/.hermes"; in '' if [ -L "${symlinkPath}" ] && [ "$(readlink "${symlinkPath}")" = "${cfg.stateDir}/.hermes" ]; then rm -f "${symlinkPath}"
@@ -675,7 +676,7 @@ HERMES_CONTAINER_MODE_EOF ${lib.optionalString cfg.container.enable (lib.concatStringsSep "\n" (map (user: let - userHome = "/home/${user}"; + userHome = config.users.users.${user}.home; symlinkPath = "${userHome}/.hermes"; target = "${cfg.stateDir}/.hermes"; in ''
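Review bot: `config.users.users.${user}.home` in the removal loop (hunk at line 659) fails evaluation with a missing-attribute error when a `hostUsers` entry is not a declared user, whereas the old `/home/${user}` string never touched the user set. The same commit (hunk at line 568) stops defining `users.users.<user>` from this module unless `container.enable` is set, and this loop reads as the cleanup path for when container mode is off; its guard is outside the hunk, so that part is inferred. If so, leaving `hostUsers` populated after disabling container mode would break the build instead of removing the link. An assertion such as `assertion = config.users.users ? ${user};` with a message naming the option, or filtering the list with the same test before the `map`, would make that case explicit.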
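Review bot: `userHome` is now an arbitrary configured path rather than `/home/<name>`, and it is spliced into the generated shell script inside double quotes (`"${symlinkPath}"`, here and in the removal loop at line 659), so a home directory containing `"`, `$` or a backtick would change the script text. The values come from the system configuration, so this is hardening rather than an exposed input, but the script presumably runs as root during activation. Passing the paths through `lib.escapeShellArg` and dropping the surrounding quotes closes that gap. Separately, `users.users.<name>.home` defaults to `/var/empty` for users declared without a home, which would make the link path `/var/empty/.hermes`; skipping or asserting on that value is worth considering. The script lines that create the link are below the hunk.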