From b2675168511d4d2a587f6ab6c68e9ec221f70ad2 Mon Sep 17 00:00:00 2001
From: Teknium
Date: Wed, 1 Apr 2026 10:56:22 -0700
Subject: [PATCH] fix: also exclude .env from default profile exports

The original PR excluded auth.json from _DEFAULT_EXPORT_EXCLUDE_ROOT and filtered both auth.json and .env from named profile exports, but missed adding .env to the default profile exclusion set. Default exports would still leak .env containing API keys. Added .env to _DEFAULT_EXPORT_EXCLUDE_ROOT, added test coverage, and updated the existing test that incorrectly asserted .env presence.
---
 hermes_cli/profiles.py | 1 +
 tests/hermes_cli/test_profile_export_credentials.py | 4 ++++
 tests/hermes_cli/test_profiles.py | 4 ++--
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/hermes_cli/profiles.py b/hermes_cli/profiles.py
index 060774ace..e4ffcc30b 100644
--- a/hermes_cli/profiles.py
+++ b/hermes_cli/profiles.py
@@ -75,6 +75,7 @@ _DEFAULT_EXPORT_EXCLUDE_ROOT = frozenset({
 "response_store.db", "response_store.db-shm", "response_store.db-wal", "gateway.pid", "gateway_state.json", "processes.json", "auth.json", # API keys, OAuth tokens, credential pools
+ ".env", # API keys (dotenv)
 "auth.lock", "active_profile", ".update_check", "errors.log", ".hermes_history",
diff --git a/tests/hermes_cli/test_profile_export_credentials.py b/tests/hermes_cli/test_profile_export_credentials.py
index 683f5e868..b26937e35 100644
--- a/tests/hermes_cli/test_profile_export_credentials.py
+++ b/tests/hermes_cli/test_profile_export_credentials.py
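Review bot: Credential file names are still maintained in two places after the `.env` entry is added to `_DEFAULT_EXPORT_EXCLUDE_ROOT` in hermes_cli/profiles.py: the commit message describes this set for default exports and a separate filter for named-profile exports, and the leak came from the two drifting apart. Consider defining the names once, e.g. `_CREDENTIAL_FILES = frozenset({"auth.json", ".env"})` (proposed name), and having both export paths consult it, so the next secret-bearing file cannot be added to only one of them. The matching code is outside this hunk; if it is an exact-name check at the profile root, as the `_ROOT` suffix suggests, variants such as `.env.local` or a `.env` in a subdirectory would presumably still be archived, which deserves a comment beside the entry or a pattern-based check. The frozenset literal starts and ends outside the hunk.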
@@ -17,6 +17,10 @@ class TestCredentialExclusion:
 """auth.json must be in the default export exclusion set."""
 assert "auth.json" in _DEFAULT_EXPORT_EXCLUDE_ROOT
+ def test_dotenv_in_default_exclude_set(self):
+ """.env must be in the default export exclusion set."""
+ assert ".env" in _DEFAULT_EXPORT_EXCLUDE_ROOT
+
 def test_named_profile_export_excludes_auth(self, tmp_path, monkeypatch):
 """Named profile export must not contain auth.json or .env."""
 profiles_root = tmp_path / "profiles"
diff --git a/tests/hermes_cli/test_profiles.py b/tests/hermes_cli/test_profiles.py
index 15c96d71e..50b5e2311 100644
--- a/tests/hermes_cli/test_profiles.py
+++ b/tests/hermes_cli/test_profiles.py
@@ -505,7 +505,7 @@ class TestExportImport:
 assert tarfile.is_tarfile(str(result))
 def test_export_default_includes_profile_data(self, profile_env, tmp_path):
- """Profile data files end up in the archive."""
+ """Profile data files end up in the archive (credentials excluded)."""
 default_dir = get_profile_dir("default")
 (default_dir / "config.yaml").write_text("model: test")
 (default_dir / ".env").write_text("KEY=val")
@@ -522,7 +522,7 @@ class TestExportImport:
 names = tf.getnames()
 assert "default/config.yaml" in names
- assert "default/.env" in names
+ assert "default/.env" not in names # credentials excluded
 assert "default/SOUL.md" in names
 assert "default/memories/MEMORY.md" in names
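Review bot: The default-export test in tests/hermes_cli/test_profiles.py has no behavioural check for `auth.json`: the visible fixture lines write only `config.yaml` and `.env`, and the new test in test_profile_export_credentials.py asserts set membership rather than archive contents. Adding `(default_dir / "auth.json").write_text("{}")` next to the `.env` fixture and `assert "default/auth.json" not in names` next to the changed assertion would exercise both excluded credential files on the default path. The function body continues between and beyond the two hunks, so a fixture outside the visible lines may already create that file.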