From 5643c297901312d817713a8cc870a28a439e3114 Mon Sep 17 00:00:00 2001 From: pefontana Date: Wed, 6 May 2026 17:56:19 -0300 Subject: [PATCH] feat(docker): bootstrap auth.json from env on first boot Lets orchestrators (e.g. an account-management service provisioning a Hermes VPS) seed an OAuth refresh credential non-interactively instead of walking the user through `hermes setup` + the device-flow login dance. Matches the existing first-boot-only pattern used for .env, config.yaml, and SOUL.md. If HERMES_AUTH_JSON_BOOTSTRAP is set and $HERMES_HOME/auth.json doesn't already exist, write the env var's contents to auth.json with mode 600. The `[ ! -f ... ]` guard is critical: it ensures that on container restart the rotated refresh token Hermes wrote back to the persistent volume is never clobbered by the now-stale value the orchestrator originally seeded. Generic name (not Nous-specific) so the feature is reusable by any future orchestrator. --- docker/entrypoint.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 65386e53dd5..288ae2614bb 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -81,6 +81,20 @@ if [ ! -f "$HERMES_HOME/SOUL.md" ]; then cp "$INSTALL_DIR/docker/SOUL.md" "$HERMES_HOME/SOUL.md" fi +# auth.json: bootstrap from env on first boot only. Used by orchestrators +# (e.g. provisioning a Hermes VPS from an account-management service) that +# need to seed the OAuth refresh credential non-interactively, instead of +# walking the user through `hermes setup` + the device-flow login dance. +# Subsequent token rotations write back to the same file, which lives on a +# persistent volume — so this env var is consumed exactly once at first +# boot. The `[ ! -f ... ]` guard is critical: without it, a container +# restart would clobber a rotated refresh token with the now-stale value +# the orchestrator originally seeded. +if [ ! -f "$HERMES_HOME/auth.json" ] && [ -n "$HERMES_AUTH_JSON_BOOTSTRAP" ]; then + printf '%s' "$HERMES_AUTH_JSON_BOOTSTRAP" > "$HERMES_HOME/auth.json" + chmod 600 "$HERMES_HOME/auth.json" +fi + # Sync bundled skills (manifest-based so user edits are preserved) if [ -d "$INSTALL_DIR/skills" ]; then python3 "$INSTALL_DIR/tools/skills_sync.py"