From 32dbd31b9a8746d58a1680e57c66092515e1ed99 Mon Sep 17 00:00:00 2001
From: Himess
Date: Fri, 6 Mar 2026 15:14:26 +0300
Subject: [PATCH] fix: restrict .env file permissions to owner-only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

save_env_value() writes API keys to ~/.hermes/.env but never sets file permissions, leaving the file world-readable (0644). auth.py already restricts auth.json to 0600 — apply the same treatment to .env.

Skipped on Windows where chmod is not effective.
---
 hermes_cli/config.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hermes_cli/config.py b/hermes_cli/config.py
index 042a4ad28..011256942 100644
--- a/hermes_cli/config.py
+++ b/hermes_cli/config.py
@@ -14,8 +14,9 @@ This module provides:
 
 import os
 import platform
-import sys
+import stat
 import subprocess
+import sys
 from pathlib import Path
 from typing import Dict, Any, Optional, List, Tuple
 
@@ -680,6 +681,13 @@ def save_env_value(key: str, value: str):
     with open(env_path, 'w', **write_kw) as f:
         f.writelines(lines)
 
+    # Restrict .env permissions to owner-only (contains API keys)
+    if not _IS_WINDOWS:
+        try:
+            os.chmod(env_path, stat.S_IRUSR | stat.S_IWUSR)
+        except OSError:
+            pass
+
 def get_env_value(key: str) -> Optional[str]:
     """Get a value from ~/.hermes/.env or environment."""
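Review bot: The chmod in the second hunk runs only after `open(env_path, 'w', **write_kw)` has already created the file and written the API keys into it, so a freshly created .env is born with the umask default (typically 0644) and holds the secrets world-readable until the chmod lands, and if the chmod raises the silent `except OSError: pass` leaves it that way with no trace. Setting the mode at creation closes that window: pass an `opener` that calls `os.open(path, flags, 0o600)` so the file is created 0600, and keep the existing chmod for the case where .env already existed, since the creation mode only applies when the file is new. The `except OSError: pass` is clearly meant as best-effort, but if this module has a logger a warning there would be worth it, because the whole point of the change is that the file must not stay 0644. Note also that `os.chmod` follows symlinks, so if `env_path` is a link the target's mode is what changes; that may be acceptable, but it is worth a comment. save_env_value begins outside the hunk, so I cannot see how `env_path`, `lines` and `write_kw` are built.
```python
    def _open_owner_only(path, flags):
        # Create the file 0600 from the start: a chmod after the write leaves
        # a window in which the freshly written keys are world-readable.
        return os.open(path, flags, 0o600)

    with open(env_path, 'w', opener=_open_owner_only, **write_kw) as f:
        f.writelines(lines)

    # … unchanged: chmod block, still needed when .env already existed …
```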