hermes-agent/website/docs/user-guide
Taylor H. Perkins 5c4c0e9d9b feat(secrets): add 1Password (op://) secret source
Resolve provider credentials from 1Password op://vault/item/field references
at startup via the official `op` CLI, alongside the existing Bitwarden source.
Users map env-var names to references in secrets.onepassword.env; after .env
loads, each is resolved with `op read` and injected into os.environ. Auth is
whatever `op` already uses (service-account token or desktop/interactive
session) — Hermes never authenticates or installs `op` itself.

Startup-safe and fail-open: a missing binary, expired auth, a bad reference,
or an empty value each warn and fall back to existing credentials, never
blocking startup. Successful, complete pulls are cached in-process and on disk
(<hermes_home>/cache/op_cache.json, 0600) via the shared DiskCache; only
secret values are stored, never the token (auth is fingerprinted into the
key). Adds `hermes secrets onepassword {setup,status,set,remove,sync,disable}`
(aliases op/1password), config defaults, the cli-config example, docs, and
hermetic tests.

Hardening applied across both backends in env_loader: each source runs in its
own guard, config sections are coerced to dict, and cache_ttl_seconds is
coerced defensively — so a malformed secrets: section can't abort startup.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 04:58:07 -07:00
..
features docs: warn that mid-session model switches break prompt caching (#58747) 2026-07-05 04:34:05 -07:00
messaging feat(discord): optional admin-only gate for exec-approval buttons (#51751) 2026-07-05 06:42:42 -07:00
secrets feat(secrets): add 1Password (op://) secret source 2026-07-06 04:58:07 -07:00
skills feat(delegate): remove model-facing toolsets arg — subagents always inherit parent's (#56386) 2026-07-01 05:35:26 -07:00
_category_.json feat: add documentation website (Docusaurus) 2026-03-05 05:24:55 -08:00
checkpoints-and-rollback.md feat(checkpoints): v2 single-store rewrite with real pruning + disk guardrails (#20709) 2026-05-06 05:44:35 -07:00
cli.md docs: deep audit — registry drift, stale claims, 2-week PR coverage, dashboard screenshot (#40952) 2026-06-07 01:39:06 -07:00
configuration.md perf(cli): TTFT round 2 — live reasoning by default, partial-line streaming, prompt-build cache, stale budget-warning docs (#59389) 2026-07-06 00:16:38 -07:00
configuring-models.md docs: warn that mid-session model switches break prompt caching (#58747) 2026-07-05 04:34:05 -07:00
desktop.md docs: warn that mid-session model switches break prompt caching (#58747) 2026-07-05 04:34:05 -07:00
docker.md fix(docker): replace dashboard --insecure with basic-auth provider 2026-06-21 19:05:27 -07:00
git-worktrees.md docs: deep audit — registry drift, stale claims, 2-week PR coverage, dashboard screenshot (#40952) 2026-06-07 01:39:06 -07:00
managed-scope.md docs: add managed scope admin guide + cross-link from configuration 2026-06-19 07:46:33 -07:00
multi-profile-gateways.md docs(gateway): document multiplexing opt-in + contract changes 2026-06-19 07:34:15 -07:00
profile-distributions.md Expand .gitignore example 2026-06-20 20:42:49 -07:00
profiles.md fix: make profile subprocess HOME policy explicit 2026-06-14 03:20:21 -07:00
security.md fix(docker): heal pairing-dir ownership after docker exec writes (#10270) (#59130) 2026-07-05 14:48:50 -07:00
sessions.md feat(sessions): any prune filter matches all ages; preview shows age span (#59415) 2026-07-05 23:01:10 -07:00
tui.md docs(tui): correct HERMES_TUI_GATEWAY_URL — dashboard-internal, not remote-attach (#42162) 2026-06-08 09:37:03 -07:00
windows-native.md docs(windows): correct native data dir to %LOCALAPPDATA%\hermes (#42856) 2026-06-09 14:11:20 -05:00
windows-wsl-quickstart.md fix(docs): update all install instructions everywhere 2026-06-04 21:07:45 -04:00