mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-08 13:12:08 +00:00
The 1Password secret source resolves op:// references using OP_SERVICE_ACCOUNT_TOKEN read from os.environ. Under systemd the gateway gets that token via EnvironmentFile, but cron jobs, subprocesses, CLI runs, macOS launchd, and Docker containers spawn fresh interpreters with no inherited shell state — so they silently failed to resolve any reference and fell back to empty strings. Two patches close the gap, matching Bitwarden's reliability guarantees: 1. env_loader: auto-load ~/.hermes/.op.env after .env so the gitignored bootstrap token is available everywhere. override=False plus an explicit guard ensure it never clobbers a token already in env (e.g. from a systemd EnvironmentFile, which keeps precedence). 2. credential_pool: _get_env_prefer_dotenv() now prefers the resolved value in os.environ when .env still holds a raw op:// reference, instead of handing a URL to provider auth. Non-op:// values keep the existing .env-takes-precedence behaviour. Also gitignore .op.env, document the three bootstrap-token options, and add tests covering auto-load, no-override, and the resolved-vs-raw precedence (plus regression guards). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
146 lines
3.9 KiB
Text
146 lines
3.9 KiB
Text
.DS_Store
|
|
/venv/
|
|
/venv.old/
|
|
/_pycache/
|
|
*.pyc*
|
|
__pycache__/
|
|
.venv/
|
|
.venv
|
|
.vscode/
|
|
.env
|
|
.op.env
|
|
.env.local
|
|
.env.development.local
|
|
.env.test.local
|
|
.env.production.local
|
|
.env.development
|
|
.env.test
|
|
.hermes-docker/
|
|
.notebooklm-home/
|
|
.notebooklm-cli-venv/
|
|
.notebooklm-playwright/
|
|
.pip-cache/
|
|
.uv-cache/
|
|
compose.hermes.local.yml
|
|
export*
|
|
__pycache__/model_tools.cpython-310.pyc
|
|
__pycache__/web_tools.cpython-310.pyc
|
|
logs/
|
|
data/
|
|
.pytest_cache/
|
|
test_durations.json
|
|
.pytest-cache/
|
|
tmp/
|
|
temp_vision_images/
|
|
hermes-*/*
|
|
examples/
|
|
tests/quick_test_dataset.jsonl
|
|
tests/sample_dataset.jsonl
|
|
run_datagen_kimik2-thinking.sh
|
|
run_datagen_megascience_glm4-6.sh
|
|
run_datagen_sonnet.sh
|
|
source-data/*
|
|
run_datagen_megascience_glm4-6.sh
|
|
data/*
|
|
node_modules/
|
|
browser-use/
|
|
agent-browser/
|
|
# Private keys
|
|
*.ppk
|
|
*.pem
|
|
privvy*
|
|
images/
|
|
__pycache__/
|
|
hermes_agent.egg-info/
|
|
wandb/
|
|
testlogs
|
|
|
|
# CLI config (may contain sensitive SSH paths)
|
|
cli-config.yaml
|
|
|
|
# Skills Hub state (lives in ~/.hermes/skills/.hub/ at runtime, but just in case)
|
|
skills/.hub/
|
|
ignored/
|
|
.worktrees/
|
|
environments/benchmarks/evals/
|
|
|
|
# Web UI build output
|
|
hermes_cli/web_dist/
|
|
apps/desktop/build/
|
|
apps/desktop/dist/
|
|
apps/desktop/release/
|
|
apps/desktop/*.tsbuildinfo
|
|
|
|
# Web UI assets — synced from @nous-research/ui at build time via
|
|
# `npm run sync-assets` (see web/package.json).
|
|
web/public/fonts/
|
|
web/public/ds-assets/
|
|
|
|
# Release script temp files
|
|
.release_notes.md
|
|
mini-swe-agent/
|
|
|
|
# Nix
|
|
.direnv/
|
|
.nix-stamps/
|
|
result
|
|
website/static/api/skills-index.json
|
|
# skills.json + skills-meta.json are build artifacts emitted by
|
|
# website/scripts/extract-skills.py during prebuild — keep them out of
|
|
# git for the same reason as skills-index.json (large, generated, change
|
|
# every build).
|
|
website/static/api/skills.json
|
|
website/static/api/skills-meta.json
|
|
# automation-blueprints-index.json is a build artifact emitted by
|
|
# website/scripts/extract-automation-blueprints.py during prebuild.
|
|
website/static/api/automation-blueprints-index.json
|
|
models-dev-upstream/
|
|
|
|
# Local editor / agent tooling (machine-specific; keep in global config, not the repo)
|
|
.codex/
|
|
.cursor/
|
|
.gemini/
|
|
.zed/
|
|
.mcp.json
|
|
opencode.json
|
|
config/mcporter.json
|
|
|
|
hermes_cli/tui_dist/*
|
|
hermes_cli/scripts/
|
|
docs/superpowers/*
|
|
# Working directory for the Hermes Agent's session state (~/.hermes/ at runtime;
|
|
# also created in-repo when an agent operates in this checkout). Plans, audit
|
|
# logs, and per-session caches are never artifacts of the codebase.
|
|
.hermes/
|
|
|
|
# Desktop/bootstrap install marker written into the managed checkout root by the
|
|
# bootstrap installer. It is Hermes-managed runtime state, never a code change —
|
|
# ignore it so `hermes update`'s `git stash push --include-untracked` does not
|
|
# treat it as a local edit and autostash it on every run (#38529).
|
|
.hermes-bootstrap-complete
|
|
|
|
# Interrupted-update breadcrumb + recovery lock written next to the shared venv
|
|
# by `hermes update` / launch-time self-heal. Runtime state, never a code change
|
|
# — ignore so `git status` stays clean and update's autostash skips them.
|
|
.update-incomplete
|
|
.update-incomplete.lock
|
|
|
|
# Tool Search live-test harness output — non-deterministic model transcripts,
|
|
# regenerated by scripts/tool_search_livetest.py. Never an artifact of the repo.
|
|
scripts/out/
|
|
|
|
# Per-release changelog drafts. These exist only transiently during a release
|
|
# cut (passed to `gh release create --notes-file`); the GitHub Release itself
|
|
# stores the published notes. They are not a build artifact and must never be
|
|
# committed to the repo root. See the hermes-release skill.
|
|
RELEASE_v*.md
|
|
|
|
# Desktop demo-run scratch output (hermes writes demo/*.txt during recorded
|
|
# walkthroughs). Throwaway artifacts, never part of the app.
|
|
apps/desktop/demo/
|
|
|
|
# PR infographics are rendered locally and embedded in PR descriptions via the
|
|
# image-provider (fal.media) URL — they are NEVER committed to the repo. The
|
|
# PR body is the archive. See the hermes-agent-dev skill's
|
|
# pr-infographic-workflow reference (storage rule + lapse #8 / #COMMIT-1).
|
|
infographic/
|