mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-09 08:21:50 +00:00
91db0ab420
Down to 4 CodeQL alerts after the last pass; all addressed:
cli.py:215 (clear-text-logging-sensitive-data)
The status banner literal 'project secret : ✓ stored' tripped
CodeQL's variable-name heuristic even though only a boolean was
interpolated. Renamed the column labels to 'project key' and
'webhook key' — fields contain only ✓ stored / ✗ missing / ⚠ unset
literals now, the word 'secret' is no longer in the source.
cli.py:283 (clear-text-logging-sensitive-data)
The fallback path for register-webhook used to echo
'PHOTON_WEBHOOK_SECRET=<value>' to stdout when the .env write
failed. Removed entirely — there is no scenario where we should
print the secret. On failure we now tell the user to fix the .env
permissions and re-register (after deleting the orphaned webhook
from the Photon dashboard).
cli.py:354 (clear-text-storage-sensitive-data) +
cli.py:276 (clear-text-logging-sensitive-data)
Replaced the hand-rolled .env writer in cli.py with the canonical
hermes_cli.config.save_env_value helper that every other API-key
persistence path uses (OpenAI key, Anthropic, Telegram, ...).
Moved the persist logic into auth.py as
persist_webhook_signing_secret(webhook_data) so the signing-secret
value never gets bound to a local in cli.py at all — cli.py hands
the raw API response straight to the helper and receives back only
the path + a redacted copy of the response for display. This both
matches project convention and removes the taint flow CodeQL was
tracking.
Bonus cleanup:
- dropped unused 'from typing import Any, Optional' in cli.py
- added 2 tests covering persist_webhook_signing_secret (writes
env successfully + returns redacted copy + no-secret-no-write)
Validation:
tests/plugins/platforms/photon/ → 24/24 pass
scripts/check-windows-footguns.py --all → 0 footguns
py_compile on all photon modules → clean
|
||
|---|---|---|
| .. | ||
| browser | ||
| dashboard_auth | ||
| image_gen | ||
| memory | ||
| model_providers | ||
| platforms/photon | ||
| transcription | ||
| tts | ||
| video_gen | ||
| web | ||
| __init__.py | ||
| test_achievements_plugin.py | ||
| test_disk_cleanup_plugin.py | ||
| test_google_meet_audio.py | ||
| test_google_meet_node.py | ||
| test_google_meet_plugin.py | ||
| test_google_meet_realtime.py | ||
| test_kanban_attachments.py | ||
| test_kanban_dashboard_plugin.py | ||
| test_kanban_worker_runs.py | ||
| test_langfuse_plugin.py | ||
| test_nemo_relay_plugin.py | ||
| test_plugin_dashboard_auth_contract.py | ||
| test_retaindb_plugin.py | ||
| test_security_guidance_plugin.py | ||
| test_teams_pipeline_plugin.py | ||