hermes-agent

mirrors/hermes-agent

Fork 0

mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-09 03:11:58 +00:00

Commit graph

Author	SHA1	Message	Date
Teknium	fb1ce793e6	feat(security): enable secret redaction by default (#17691 , #20785 ) (#21193 ) Flip the default for HERMES_REDACT_SECRETS from off to on so the redactor already wired into send_message_tool, logs, and tool output actually runs on a fresh install. - agent/redact.py: env-var default "" → "true" - hermes_cli/config.py: DEFAULT_CONFIG security.redact_secrets True; two config-template comments rewritten - gateway/run.py + cli.py: startup log / banner warning when the user has explicitly opted out, so the downgrade is visible in agent.log and at CLI banner time - docs/reference/environment-variables.md: description reconciled - tests: flipped the default-pin, restructured the force=True regression test to explicit-false instead of unset Users who need raw credential values (redactor development) can still opt out via security.redact_secrets: false in config.yaml or HERMES_REDACT_SECRETS=false in .env. Closes #17691. Addresses #20785 (short-term output-pipeline recommendation).	2026-05-07 05:10:33 -07:00
Teknium	8081425a1c	feat(security): make secret redaction off by default (#16794 ) Flips security.redact_secrets from true to false in DEFAULT_CONFIG, and the HERMES_REDACT_SECRETS env-var fallback in agent/redact.py now requires explicit opt-in ("1"/"true"/"yes"/"on") to enable. New installs and users without a security.redact_secrets key get pass- through tool output. Existing users whose config.yaml explicitly sets redact_secrets: true keep redaction on — the config-yaml -> env-var bridges in hermes_cli/main.py and gateway/run.py still honor their setting. Also updates the inline config comments, website docs, and the hermes-agent skill so /hermes config set security.redact_secrets true is now the documented way to turn it on.	2026-04-27 21:24:08 -07:00
Teknium	0e235947b9	fix(redact): honor security.redact_secrets from config.yaml (#15109 ) agent/redact.py snapshots _REDACT_ENABLED from HERMES_REDACT_SECRETS at module-import time. hermes_cli/main.py calls setup_logging() early, which transitively imports agent.redact — BEFORE any config bridge has run. So users who set 'security.redact_secrets: false' in config.yaml (instead of HERMES_REDACT_SECRETS=false in .env) had the toggle silently ignored in both 'hermes chat' and 'hermes gateway run'. Bridge config.yaml -> env var in hermes_cli/main.py BEFORE setup_logging. .env still wins (only set env when unset) — config.yaml is the fallback. Regression tests in tests/hermes_cli/test_redact_config_bridge.py spawn fresh subprocesses to verify: - redact_secrets: false in config.yaml disables redaction - default (key absent) leaves redaction enabled - .env HERMES_REDACT_SECRETS=true overrides config.yaml	2026-04-24 05:03:26 -07:00

Author

SHA1

Message

Date

Teknium

fb1ce793e6

feat(security): enable secret redaction by default (#17691 , #20785 ) (#21193 )

Flip the default for HERMES_REDACT_SECRETS from off to on so the redactor
already wired into send_message_tool, logs, and tool output actually runs
on a fresh install.

- agent/redact.py: env-var default "" → "true"
- hermes_cli/config.py: DEFAULT_CONFIG security.redact_secrets True;
  two config-template comments rewritten
- gateway/run.py + cli.py: startup log / banner warning when the user
  has explicitly opted out, so the downgrade is visible in agent.log
  and at CLI banner time
- docs/reference/environment-variables.md: description reconciled
- tests: flipped the default-pin, restructured the force=True
  regression test to explicit-false instead of unset

Users who need raw credential values (redactor development) can still
opt out via security.redact_secrets: false in config.yaml or
HERMES_REDACT_SECRETS=false in .env.

Closes #17691.
Addresses #20785 (short-term output-pipeline recommendation).

2026-05-07 05:10:33 -07:00

Teknium

8081425a1c

feat(security): make secret redaction off by default (#16794 )

Flips security.redact_secrets from true to false in DEFAULT_CONFIG, and
the HERMES_REDACT_SECRETS env-var fallback in agent/redact.py now
requires explicit opt-in ("1"/"true"/"yes"/"on") to enable.

New installs and users without a security.redact_secrets key get pass-
through tool output. Existing users whose config.yaml explicitly sets
redact_secrets: true keep redaction on — the config-yaml -> env-var
bridges in hermes_cli/main.py and gateway/run.py still honor their
setting.

Also updates the inline config comments, website docs, and the
hermes-agent skill so /hermes config set security.redact_secrets true
is now the documented way to turn it on.

2026-04-27 21:24:08 -07:00

Teknium

0e235947b9

fix(redact): honor security.redact_secrets from config.yaml (#15109 )

agent/redact.py snapshots _REDACT_ENABLED from HERMES_REDACT_SECRETS at
module-import time. hermes_cli/main.py calls setup_logging() early, which
transitively imports agent.redact — BEFORE any config bridge has run. So
users who set 'security.redact_secrets: false' in config.yaml (instead of
HERMES_REDACT_SECRETS=false in .env) had the toggle silently ignored in
both 'hermes chat' and 'hermes gateway run'.

Bridge config.yaml -> env var in hermes_cli/main.py BEFORE setup_logging.
.env still wins (only set env when unset) — config.yaml is the fallback.

Regression tests in tests/hermes_cli/test_redact_config_bridge.py spawn
fresh subprocesses to verify:
- redact_secrets: false in config.yaml disables redaction
- default (key absent) leaves redaction enabled
- .env HERMES_REDACT_SECRETS=true overrides config.yaml

2026-04-24 05:03:26 -07:00

3 commits