fix: restrict .env file permissions to 0600

Set file mode 0600 on ~/.hermes/.env after creation in the installer and after every write via memory_setup._write_env_vars(). This ensures only the file owner can read/write API keys and tokens, matching standard practice for credential files (.netrc, .aws/credentials, .ssh/config). Fixes #25477
2026-05-18 04:41:56 +00:00 · 2026-05-14 07:59:31 -07:00 · 2026-05-14 07:59:31 -07:00 · a952ca3ff6
commit a952ca3ff6
parent f26098e22f
2 changed files with 10 additions and 0 deletions
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -1426,6 +1426,10 @@ copy_config_templates() {
    else
        log_info "~/.hermes/.env already exists, keeping it"
    fi
+    # Restrict .env permissions — this file holds API keys and tokens.
+    # 0600 ensures only the file owner can read/write, matching standard
+    # practice for credential files (.netrc, .aws/credentials, .ssh/config).
+    chmod 600 "$HERMES_HOME/.env"
    configure_browser_env_from_system_browser

    # Create config.yaml at ~/.hermes/config.yaml (top level, easy to find)