Timmy_Foundation/hermes-agent
15
0
Fork 0
Code Issues 248 Pull Requests 14 Actions 1 Packages Projects Releases Wiki Activity

fix: protect profile-scoped google workspace oauth tokens

Browse Source
This commit is contained in:
kshitijk4poor
2026-04-03 11:55:45 +05:30
committed by Teknium
parent 92dcdbff66
commit 37e2ef6c3f
6 changed files with 250 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
website/docs/user-guide/security.md
View File

@@ -363,7 +363,7 @@ terminal:
### Credential File Passthrough (OAuth tokens, etc.) {#credential-file-passthrough}
Some skills need **files** (not just env vars) in the sandbox — for example, Google Workspace stores OAuth tokens as `google_token.json` in `~/.hermes/`. Skills declare these in frontmatter:
Some skills need **files** (not just env vars) in the sandbox — for example, Google Workspace stores OAuth tokens as `google_token.json` under the active profile's `HERMES_HOME`. Skills declare these in frontmatter:
```yaml
required_credential_files:
@@ -373,7 +373,7 @@ required_credential_files:
description: Google OAuth2 client credentials
```
When loaded, Hermes checks if these files exist in `~/.hermes/` and registers them for mounting:
When loaded, Hermes checks if these files exist in the active profile's `HERMES_HOME` and registers them for mounting:
- **Docker**: Read-only bind mounts (`-v host:container:ro`)
- **Modal**: Mounted at sandbox creation + synced before each command (handles mid-session OAuth setup)