I mentioned it in that thread, but when the HERMES bug was first reported multiple people on Reddit claimed that it could also be triggered with openclaw specific file names. It makes me think that instead of going just saying, "this approach for defending against 3rd party oauth isn't working" and rolling things back, they just tried to fix forward and continue with the strategy