[Security] Secure Hardcoded API Tokens in ~/.hermes Using Secrets Management #1420

Closed
opened 2026-03-24 13:04:36 +00:00 by Timmy · 1 comment
Owner

Context: API credentials rely on open ~/.hermes/claude_token plaintexts.

Acceptance Criteria:

  • Encrypt loop keys at rest using an environment vault like SOPS or directly wrap via environment injections managed by the Docker infrastructure.
Author
Owner

Implementation Plan for Secure Token Management

Priority: HIGH - Security vulnerability (plaintext credential storage)

Files to Create/Modify:

  1. src/infrastructure/security/token_manager.py - Centralized token management
  2. src/infrastructure/security/secrets_store.py - Encrypted storage wrapper
  3. scripts/migrate-tokens.sh - Migration script for existing tokens
  4. Update multiple files that currently read tokens directly

Implementation Steps:

  1. Create Token Manager (src/infrastructure/security/token_manager.py):

    class TokenManager:
        # Interface only; method bodies are not specified in this plan.
        def get_token(self, service: str) -> str: ...
        def store_token(self, service: str, token: str) -> None: ...
        def rotate_token(self, service: str, new_token: str) -> None: ...
        def is_token_valid(self, service: str) -> bool: ...
    
  2. Create Secrets Store (src/infrastructure/security/secrets_store.py):

    • Use cryptography library for AES encryption
    • Store encrypted tokens with MAC for integrity
    • Use system keychain integration where available (macOS Keychain, Linux Secret Service)
    • Fallback to encrypted file storage with master key
  3. Migration Script (scripts/migrate-tokens.sh):

    • Detect existing plaintext tokens in ~/.hermes/
    • Migrate to encrypted storage
    • Secure cleanup of plaintext files
    • Backup existing tokens before migration
  4. Update Token Consumers:

    • Replace direct file reads with TokenManager.get_token()
    • Update: hermes-claim, agent loops, API clients
    • Add fallback error handling for missing/invalid tokens

Key Security Requirements:

  • AES-256-GCM encryption for token storage
  • Secure key derivation (PBKDF2 with salt)
  • MAC validation to prevent tampering
  • Proper file permissions (600 for encrypted files)
  • Memory-safe token handling (clear sensitive data)
  • Audit logging for token access

Files Likely Needing Updates:

  • scripts/hermes-claim
  • scripts/*-loop.sh
  • Any Python modules reading from ~/.hermes/*_token

Testing Requirements:

  • Test encryption/decryption roundtrip
  • Test migration from plaintext
  • Test permission scenarios
  • Test corrupted file handling
  • Verify no plaintext tokens remain after migration

Acceptance Criteria Met When:

  • All tokens stored encrypted at rest
  • Centralized token management system
  • Successful migration from current plaintext storage
  • No regression in agent functionality
  • Comprehensive audit logging
  • Documentation updated with security model

This eliminates a critical security vulnerability where API tokens are stored as plaintext files.
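
An added sketch of the encrypted-file fallback this plan describes (not part of the original comment and not the project's code): a PBKDF2-derived AES-256-GCM key, the GCM tag serving as the integrity check, and 0600 file creation. The function names, the `salt || nonce || ciphertext` layout, the iteration count and the use of the service name as associated data are all assumptions.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16


class CorruptedSecret(Exception):
    """Raised when a blob is truncated or fails GCM authentication."""


def _derive_key(master: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-blob salt -> 32 bytes (AES-256 key)
    return hashlib.pbkdf2_hmac("sha256", master, salt, PBKDF2_ITERATIONS, dklen=32)


def seal(master: bytes, service: str, token: str) -> bytes:
    """Return salt || nonce || ciphertext+tag for one token."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    # The service name is associated data, so a blob copied over another
    # service's file fails authentication instead of decrypting.
    ct = AESGCM(_derive_key(master, salt)).encrypt(nonce, token.encode(), service.encode())
    return salt + nonce + ct


def unseal(master: bytes, service: str, blob: bytes) -> str:
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise CorruptedSecret("blob too short")
    salt, rest = blob[:SALT_LEN], blob[SALT_LEN:]
    nonce, ct = rest[:NONCE_LEN], rest[NONCE_LEN:]
    try:
        key = _derive_key(master, salt)
        return AESGCM(key).decrypt(nonce, ct, service.encode()).decode()
    except InvalidTag as exc:  # tampering, wrong master key, or wrong service
        raise CorruptedSecret("authentication failed") from exc


def write_private(path: str, blob: bytes) -> None:
    """Create the file with mode 0600 from the start, then rename into place."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(fd, 0o600)  # enforce 0600 even if tmp already existed
        f.write(blob)
    os.replace(tmp, path)
```

Because GCM authenticates the ciphertext and the associated data, no separate MAC is needed on top of it; a corrupted or swapped file surfaces as `CorruptedSecret` rather than as garbage plaintext.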

kimi was assigned by Timmy 2026-03-24 14:45:44 +00:00
kimi was unassigned by Timmy 2026-03-24 19:32:17 +00:00
Timmy closed this issue 2026-03-24 21:54:07 +00:00

Reference: Rockachopa/Timmy-time-dashboard#1420