Timmy_Foundation/hermes-agent
15
0
Fork 0
Code Issues 247 Pull Requests 14 Actions 1 Packages Projects Releases Wiki Activity

fix: also exclude .env from default profile exports

Browse Source 
The original PR excluded auth.json from _DEFAULT_EXPORT_EXCLUDE_ROOT and
filtered both auth.json and .env from named profile exports, but missed
adding .env to the default profile exclusion set. Default exports would
still leak .env containing API keys.

Added .env to _DEFAULT_EXPORT_EXCLUDE_ROOT, added test coverage, and
updated the existing test that incorrectly asserted .env presence.
This commit is contained in:
Teknium
2026-04-01 10:56:22 -07:00
committed by Teknium
parent d435acc2c0
commit b267516851
3 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hermes_cli/profiles.py
View File

@@ -75,6 +75,7 @@ _DEFAULT_EXPORT_EXCLUDE_ROOT = frozenset({
"response_store.db", "response_store.db-shm", "response_store.db-wal",
"gateway.pid", "gateway_state.json", "processes.json",
"auth.json", # API keys, OAuth tokens, credential pools
".env", # API keys (dotenv)
"auth.lock", "active_profile", ".update_check",
"errors.log",
".hermes_history",

4
tests/hermes_cli/test_profile_export_credentials.py
View File

@@ -17,6 +17,10 @@ class TestCredentialExclusion:
"""auth.json must be in the default export exclusion set."""
assert "auth.json" in _DEFAULT_EXPORT_EXCLUDE_ROOT
def test_dotenv_in_default_exclude_set(self):
""".env must be in the default export exclusion set."""
assert ".env" in _DEFAULT_EXPORT_EXCLUDE_ROOT
def test_named_profile_export_excludes_auth(self, tmp_path, monkeypatch):
"""Named profile export must not contain auth.json or .env."""
profiles_root = tmp_path / "profiles"

4
tests/hermes_cli/test_profiles.py
View File

@@ -505,7 +505,7 @@ class TestExportImport:
assert tarfile.is_tarfile(str(result))
def test_export_default_includes_profile_data(self, profile_env, tmp_path):
"""Profile data files end up in the archive."""
"""Profile data files end up in the archive (credentials excluded)."""
default_dir = get_profile_dir("default")
(default_dir / "config.yaml").write_text("model: test")
(default_dir / ".env").write_text("KEY=val")
@@ -522,7 +522,7 @@ class TestExportImport:
names = tf.getnames()
assert "default/config.yaml" in names
assert "default/.env" in names
assert "default/.env" not in names # credentials excluded
assert "default/SOUL.md" in names
assert "default/memories/MEMORY.md" in names