fix: restrict .env file permissions to owner-only

save_env_value() writes API keys to ~/.hermes/.env but never sets file permissions, leaving the file world-readable (0644). auth.py already restricts auth.json to 0600 — apply the same treatment to .env. Skipped on Windows where chmod is not effective.
2026-04-27 01:11:40 +00:00 · 2026-03-06 15:14:26 +03:00 · 2026-03-06 15:14:26 +03:00 · 32dbd31b9a
commit 32dbd31b9a
parent b89eb29174
1 changed files with 9 additions and 1 deletions
--- a/hermes_cli/config.py
+++ b/hermes_cli/config.py
@ -14,8 +14,9 @@ This module provides:

 import os
 import platform
-import sys
+import stat
 import subprocess
+import sys
 from pathlib import Path
 from typing import Dict, Any, Optional, List, Tuple

@ -680,6 +681,13 @@ def save_env_value(key: str, value: str):
    with open(env_path, 'w', **write_kw) as f:
        f.writelines(lines)

+    # Restrict .env permissions to owner-only (contains API keys)
+    if not _IS_WINDOWS:
+        try:
+            os.chmod(env_path, stat.S_IRUSR | stat.S_IWUSR)
+        except OSError:
+            pass
+

 def get_env_value(key: str) -> Optional[str]:
    """Get a value from ~/.hermes/.env or environment."""