fix: also exclude .env from default profile exports

The original PR excluded auth.json from _DEFAULT_EXPORT_EXCLUDE_ROOT and filtered both auth.json and .env from named profile exports, but missed adding .env to the default profile exclusion set. Default exports would still leak .env containing API keys. Added .env to _DEFAULT_EXPORT_EXCLUDE_ROOT, added test coverage, and updated the existing test that incorrectly asserted .env presence.
2026-04-25 00:51:20 +00:00 · 2026-04-01 10:56:22 -07:00 · 2026-04-01 10:56:22 -07:00 · b267516851
commit b267516851
parent d435acc2c0
3 changed files with 7 additions and 2 deletions
--- a/tests/hermes_cli/test_profiles.py
+++ b/tests/hermes_cli/test_profiles.py
@ -505,7 +505,7 @@ class TestExportImport:
        assert tarfile.is_tarfile(str(result))

    def test_export_default_includes_profile_data(self, profile_env, tmp_path):
-        """Profile data files end up in the archive."""
+        """Profile data files end up in the archive (credentials excluded)."""
        default_dir = get_profile_dir("default")
        (default_dir / "config.yaml").write_text("model: test")
        (default_dir / ".env").write_text("KEY=val")
@ -522,7 +522,7 @@ class TestExportImport:
            names = tf.getnames()

        assert "default/config.yaml" in names
-        assert "default/.env" in names
+        assert "default/.env" not in names  # credentials excluded
        assert "default/SOUL.md" in names
        assert "default/memories/MEMORY.md" in names