Include hermes-agent in NVD queries and export keywords to environment #226

Merged
davida-ps merged 2 commits into main from codex/investigate-workflow-advisory-generation-issue
May 7, 2026

Conversation

Collaborator

@davida-ps davida-ps commented May 5, 2026

User description

Motivation

  • Extend NVD polling and heuristics to detect the hermes-agent project alongside existing targets and make the plain keyword list available for PR bodies and workflow summaries.

Description

  • Added KEYWORDS export in the poll workflow by writing KEYWORDS=$KEYWORDS_PATTERN to the GITHUB_ENV so downstream steps can access the plain keywords.
  • Added hermes-agent to the NVD query specs in nvd_query_specs() and to the keyword pattern returned by nvd_keyword_pattern() in scripts/feed-utils.sh.
  • Updated nvd_github_ref_pattern() to include github.com/nousresearch/hermes-agent so GitHub reference matching detects that repository.
  • Extended the JSON/JQ detection logic in the workflow to recognize github.com/nousresearch/hermes-agent and the token hermes-agent in the inferred targets checks (changes appear in both detection blocks).

Testing

  • No automated tests were added or executed as part of this change.

Codex Task


Generated description

Below is a concise technical summary of the changes proposed in this PR:
Enable the poll workflow and feed-utils helper functions to treat hermes-agent like other monitored projects so NVD detection, inferred targets, and keyword specs include the new repo, keywords, and CPE references. Export nvd_summary_keywords into GITHUB_ENV so downstream PR body and workflow summary steps can reuse the concise keyword list.

Topic: Keyword Export
Details: Export nvd_summary_keywords into GITHUB_ENV so downstream steps can reuse the concise keyword list for PR bodies and workflow summaries.
Modified files (1):
  • .github/workflows/poll-nvd-cves.yml
Latest contributors (2):
  • David.a@prompt.security, fix(workflow): export ..., May 07, 2026
  • david.a@prompt.security, fix(workflow): expand ..., May 05, 2026

Topic: NVD Targeting
Details: Expand detection flows to include hermes-agent keywords, GitHub ref, and CPE patterns so the poll workflow and feed-utils inferred-target logic normalize the new repo alongside other monitored projects.
Modified files (2):
  • .github/workflows/poll-nvd-cves.yml
  • scripts/feed-utils.sh
Latest contributors (2):
  • David.a@prompt.security, fix(workflow): export ..., May 07, 2026
  • david.a@prompt.security, fix(workflow): expand ..., May 05, 2026

Comment thread .github/workflows/poll-nvd-cves.yml Outdated
Comment on lines +220 to +222
# Export plain keywords for later PR body + workflow summary steps
KEYWORDS="$KEYWORDS_PATTERN"
echo "KEYWORDS=$KEYWORDS" >> "$GITHUB_ENV"
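Review bot: `echo "KEYWORDS=$KEYWORDS" >> "$GITHUB_ENV"` is only correct for single-line values; any newline inside the value would be read by the runner as the start of further `NAME=value` lines in `GITHUB_ENV`. The pattern here comes from a fixed list in scripts/feed-utils.sh, so this is a robustness point rather than a live bug, but the multi-line form (`echo "KEYWORDS<<EOF"`, the value, then `echo "EOF"`, all appended to `$GITHUB_ENV`) makes the export safe for any content. Naming the exported variable after what it holds (a regex alternation, i.e. `KEYWORDS_PATTERN`) would also keep it from being mistaken for a display string by later steps.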
Contributor

KEYWORDS is rendered directly into the step-summary markdown table as-is (| Keywords | $KEYWORDS |), so the | alternation breaks the table; should we export a plain-text value for display or rename to KEYWORDS_PATTERN and transform before rendering?

Finding type: Logical Bugs | Severity: 🟢 Low

Prompt for AI Agents:

Before applying, verify this suggestion against the current code. In
`.github/workflows/poll-nvd-cves.yml` around lines 220-222 inside the `Merge and filter
CVEs` step, `KEYWORDS` is set to `KEYWORDS_PATTERN` (a regex alternation) and then later
interpolated into a markdown table where `|` is treated as a column separator, producing
a malformed summary. Refactor so the env used for human-facing output contains a
markdown-safe plain-text representation (e.g., a joined keyword list with `|`
escaped/removed), while keeping the regex value for jq filtering as-is. Concretely,
rename the current env export to something like `KEYWORDS_PATTERN` (or keep it internal)
and introduce/export a separate `KEYWORDS_DISPLAY` (plain keywords) for the summary
rendering.

Contributor

Commit 00d2a0e addressed this comment by exporting a new KEYWORDS value derived from nvd_summary_keywords (a plain-text list) while keeping the regex pattern only for filtering, so the workflow summary now renders markdown-safe keywords instead of the alternation string that broke the table.
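The distinction the finding above and its fix turn on, as an added shell example that is not part of this PR or of scripts/feed-utils.sh: one keyword list yields a regex alternation for filtering and a separate plain string for the summary table, and only the plain string survives as a single markdown cell. Helper names (`keyword_pattern`, `keyword_display`, `column_count`, `matching_count`) and the sample descriptions are constructed here.

```shell
#!/bin/sh
# Added example (not the project's code): one keyword list, two representations.
# Constructed keyword list, space-separated (mirrors the PR's two new entries).
NVD_KEYWORDS="hermes-agent github.com/nousresearch/hermes-agent"

# Escape ERE metacharacters so each keyword matches literally when filtering.
ere_escape() {
    printf '%s' "$1" | sed 's#[][\\.^$*+?(){}|]#\\&#g'
}

# Filtering form: the '|' alternation (the role of KEYWORDS_PATTERN).
keyword_pattern() {
    pat=""
    for kw in $1; do
        pat="${pat:+$pat|}$(ere_escape "$kw")"
    done
    printf '%s' "$pat"
}

# Display form: comma-separated, with any '|' escaped so a markdown table
# cell stays one cell (the role of the plain nvd_summary_keywords value).
keyword_display() {
    out=""
    for kw in $1; do
        out="${out:+$out, }$(printf '%s' "$kw" | sed 's/|/\\|/g')"
    done
    printf '%s' "$out"
}

# Render the summary row the workflow writes, then count the cells a
# markdown renderer would see: a 2-column table must yield exactly 2.
table_row() {
    printf '| Keywords | %s |' "$1"
}
column_count() {
    n=$(printf '%s' "$1" | tr -cd '|' | wc -c | tr -d ' ')
    echo $((n - 1))
}

# Constructed sample CVE descriptions; the regex form is what filtering uses.
SAMPLE_DESCRIPTIONS='CVE-A: sample description mentioning hermes-agent
CVE-B: sample description of some unrelated package
CVE-C: sample description citing https://github.com/nousresearch/hermes-agent/'
matching_count() {
    printf '%s\n' "$SAMPLE_DESCRIPTIONS" | grep -Ec "$(keyword_pattern "$NVD_KEYWORDS")"
}

# Stand-alone run: the alternation form splits the row into 3 cells, the display form into 2.
printf 'pattern cells=%s display cells=%s\n' "$(column_count "$(table_row "$(keyword_pattern "$NVD_KEYWORDS")")")" "$(column_count "$(table_row "$(keyword_display "$NVD_KEYWORDS")")")"
```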

@davida-ps davida-ps merged commit dfe6245 into main May 7, 2026
14 checks passed
@davida-ps davida-ps deleted the codex/investigate-workflow-advisory-generation-issue branch May 7, 2026 11:58