Merge PR #529: fix: restrict .env file permissions to owner-only

Authored by Himess. Adds 0600 chmod on ~/.hermes/.env after writing API keys, matching the existing pattern in auth.py for auth.json.
2026-03-09 23:10:59 -07:00
parent bdce33e239 32dbd31b9a
commit 805ce8177b
1 changed files with 9 additions and 1 deletions
--- a/hermes_cli/config.py
+++ b/hermes_cli/config.py
@@ -14,8 +14,9 @@ This module provides:

 import os
 import platform
-import sys
+import stat
 import subprocess
+import sys
 from pathlib import Path
 from typing import Dict, Any, Optional, List, Tuple

@@ -869,6 +870,13 @@ def save_env_value(key: str, value: str):
    with open(env_path, 'w', **write_kw) as f:
        f.writelines(lines)

+    # Restrict .env permissions to owner-only (contains API keys)
+    if not _IS_WINDOWS:
+        try:
+            os.chmod(env_path, stat.S_IRUSR | stat.S_IWUSR)
+        except OSError:
+            pass
+

 def get_env_value(key: str) -> Optional[str]:
    """Get a value from ~/.hermes/.env or environment."""