mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-06 07:51:53 +00:00
* feat(secrets): Bitwarden Secrets Manager integration with lazy bws install
Pull API keys from Bitwarden Secrets Manager at process startup
instead of storing them all in plaintext in ~/.hermes/.env. One
bootstrap token (BWS_ACCESS_TOKEN) replaces N per-provider keys, and
rotating a credential becomes a single change in the Bitwarden web
app.
Bitwarden defaults to source of truth: secrets pulled from BSM
overwrite any matching env vars on startup so rotations actually
take effect. Set secrets.bitwarden.override_existing: false in
config.yaml to invert.
The bws binary is auto-downloaded into ~/.hermes/bin/bws on first
use (pinned to v2.0.0, SHA-256 verified against the GitHub release
checksum file). No apt, brew, or sudo required.
New surfaces:
hermes secrets bitwarden setup — interactive wizard
hermes secrets bitwarden status — config + binary + token state
hermes secrets bitwarden sync — dry-run fetch / --apply exports
hermes secrets bitwarden disable — flip enabled: false
hermes secrets bitwarden install — just download the binary
Failures (missing binary, bad token, no network) never block Hermes
startup — they emit a one-line warning to stderr and continue with
whatever credentials .env already had.
Docs: website/docs/user-guide/secrets/{index,bitwarden}.md
Tests: tests/test_bitwarden_secrets.py (26 tests, hermetic — bws
subprocess and HTTP downloads fully mocked)
* chore(infographic): add bitwarden-secrets-manager bento-grid retro-pop-grid
Generated for PR #30035 — Bitwarden Secrets Manager integration.
Style picked via pick_pr_infographic_style.py rotation:
layout: bento-grid
style: retro-pop-grid
aspect: 1:1 square
Saved at infographic/bitwarden-secrets-manager/infographic.png
57 lines
1.7 KiB
Markdown
# Hermes-Agent PR #30035 — Bitwarden Secrets Manager Integration

## Hero

**ONE TOKEN, EVERY KEY**

Rotate once. Every Hermes process picks it up on next start.

`secrets.bitwarden.override_existing: true` (default)

## Cells

### Lazy Install

- `bws v2.0.0` pinned
- Downloaded into `~/.hermes/bin/bws`
- SHA-256 verified vs GitHub Releases checksum file
- No apt, no brew, no sudo
- Cross-platform: linux gnu+musl, macos universal, windows x86_64+arm64

### CLI Surface

- `hermes secrets bitwarden setup` wizard
- `hermes secrets bitwarden status` diagnose
- `hermes secrets bitwarden sync` dry-run / --apply
- `hermes secrets bitwarden install` binary only
- `hermes secrets bitwarden disable` off switch

### Source of Truth

- Bitwarden WINS on every Hermes start
- BSM values overwrite stale `.env` lines
- Rotate a key once → all your machines reload it
- Bootstrap token `BWS_ACCESS_TOKEN` is the lone exception (never overwritten)

### Never Blocks Startup

- Missing binary → warn + continue
- Bad token → warn + continue
- Checksum mismatch → refuse install + warn
- No network → warn + continue
- Timeout → 30s ceiling, warn + continue

### Tests

- 26/26 passing, hermetic
- subprocess + urllib mocked
- Platform matrix tested (linux, macos, windows × x86_64, arm64)
- Cache hit/miss, auth fail, non-JSON, timeout, override behavior

### Config

```yaml
secrets:
  bitwarden:
    enabled: true
    project_id: <uuid>
    override_existing: true   # NEW DEFAULT
    cache_ttl_seconds: 300
    auto_install: true
```

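The startup path summarised in the Source of Truth, Never Blocks Startup and Lazy Install cells above, as an added example in Python (the language hermes-agent is written in). This is illustrative code written for this page, not the project's `agent/secret_sources/` implementation: the `bws secret list <project> --output json` command line and the list-of-`{key, value}` JSON shape, the sha256sum-style layout of the checksum file, and the `ok_runner` / `timeout_runner` sample inputs are all assumptions made here. It shows the three rules a reviewer would want to see enforced: Bitwarden wins except for `BWS_ACCESS_TOKEN`, a checksum miss refuses the install, and every fetch failure degrades to the existing environment instead of raising.

```python
"""Added example, not hermes-agent code: override policy, checksum check and a
fail-open fetch with every external interaction injectable for offline runs."""
import hashlib
import hmac
import json
import subprocess
import sys
from typing import Callable, Dict, Mapping

# Per the PR: the bootstrap token is the one key Bitwarden values never replace.
BOOTSTRAP_VAR = "BWS_ACCESS_TOKEN"


def verify_sha256(data: bytes, checksum_text: str, filename: str) -> bool:
    """Check `data` against a sha256sum-style checksum file (assumed format:
    one '<hex>  <filename>' entry per line). Missing entry or mismatch -> False,
    which the installer treats as 'refuse install + warn'."""
    expected = None
    for line in checksum_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            expected = parts[0].lower()
            break
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def parse_bws_secrets(raw: str) -> Dict[str, str]:
    """Parse `bws secret list` style JSON (assumed shape: a list of objects with
    string 'key' and 'value'). Non-JSON or a wrong shape yields {} instead of
    an exception so the caller can continue."""
    try:
        items = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    if not isinstance(items, list):
        return {}
    secrets: Dict[str, str] = {}
    for item in items:
        if (isinstance(item, dict) and isinstance(item.get("key"), str)
                and isinstance(item.get("value"), str)):
            secrets[item["key"]] = item["value"]
    return secrets


def merge_secrets(env: Mapping[str, str], fetched: Mapping[str, str],
                  override_existing: bool = True) -> Dict[str, str]:
    """Source-of-truth rule: with override_existing=True Bitwarden wins for every
    key except BWS_ACCESS_TOKEN; with False, values already in env are kept."""
    merged = dict(env)
    for key, value in fetched.items():
        if key == BOOTSTRAP_VAR:
            continue  # never let a remote value replace the bootstrap token
        if key in merged and not override_existing:
            continue
        merged[key] = value
    return merged


Runner = Callable[..., subprocess.CompletedProcess]


def fetch_secrets(project_id: str, runner: Runner = subprocess.run,
                  bws_path: str = "bws", timeout: float = 30.0) -> Dict[str, str]:
    """Fail-open fetch: missing binary, timeout, non-zero exit or non-JSON output
    each print one warning line to stderr and return {} so startup continues
    with whatever .env already provided. The command line is an assumption."""
    cmd = [bws_path, "secret", "list", project_id, "--output", "json"]
    try:
        proc = runner(cmd, capture_output=True, text=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        print(f"warning: bitwarden secrets unavailable ({type(exc).__name__}); "
              "continuing with .env", file=sys.stderr)
        return {}
    if proc.returncode != 0:
        print(f"warning: bws exited {proc.returncode}; continuing with .env",
              file=sys.stderr)
        return {}
    return parse_bws_secrets(proc.stdout)


# Constructed sample output for the demo; not a real bws capture.
SAMPLE_BWS_JSON = json.dumps([
    {"key": "OPENAI_API_KEY", "value": "sk-rotated"},
    {"key": "BWS_ACCESS_TOKEN", "value": "should-never-win"},
])


def ok_runner(cmd, **kwargs):
    """Stand-in for subprocess.run on a healthy bws invocation."""
    return subprocess.CompletedProcess(cmd, 0, stdout=SAMPLE_BWS_JSON, stderr="")


def timeout_runner(cmd, **kwargs):
    """Stand-in for subprocess.run when bws hangs past the 30s ceiling."""
    raise subprocess.TimeoutExpired(cmd, kwargs.get("timeout", 30))


def demo() -> Dict[str, Dict[str, str]]:
    """Walk startup with a constructed .env: healthy fetch, timed-out fetch, and
    a healthy fetch with override_existing=False."""
    env = {"OPENAI_API_KEY": "sk-stale", BOOTSTRAP_VAR: "0.bootstrap"}
    healthy = merge_secrets(env, fetch_secrets("proj-uuid", runner=ok_runner))
    degraded = merge_secrets(env, fetch_secrets("proj-uuid", runner=timeout_runner))
    no_override = merge_secrets(env, fetch_secrets("proj-uuid", runner=ok_runner),
                                override_existing=False)
    return {"healthy": healthy, "degraded": degraded, "no_override": no_override}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Injecting the runner is what makes the failure paths testable without a network or a `bws` binary, which is the same property the PR's hermetic test suite relies on; in the healthy run the rotated `OPENAI_API_KEY` replaces the stale one while the rogue `BWS_ACCESS_TOKEN` entry is ignored, and in the timed-out run the environment comes through untouched.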
## Footer

PR #30035 · commit 7f9b05668 · NousResearch/hermes-agent

10 files changed · +1743 / -1 · agent/secret_sources/ · hermes_cli/secrets_cli.py · tests · docs