Timmy_Foundation/hermes-agent
15
0
Fork 0
Code Issues 248 Pull Requests 14 Actions 1 Packages Projects Releases Wiki Activity

fix(security): extend secret redaction to ElevenLabs, Tavily and Exa API keys (#3920)
Some checks failed
Nix / nix (ubuntu-latest) (push) Failing after 3m9s
Details
Docker Build and Publish / build-and-push (push) Failing after 4m1s
Details
Tests / test (push) Failing after 29m41s
Details
Nix / nix (macos-latest) (push) Has been cancelled
Details

Browse Source 
ElevenLabs (sk_), Tavily (tvly-), and Exa (exa_) keys were not covered
by _PREFIX_PATTERNS, leaking in plain text via printenv or log output.

Salvaged from PR #3790 by @memosr. Tests rewritten with correct
assertions (original tests had vacuously true checks).

Co-authored-by: memosr <memosr@users.noreply.github.com>
This commit is contained in:
Teknium
2026-03-30 08:13:01 -07:00
committed by GitHub
parent 74181fe726
commit fb634068df
2 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
agent/redact.py
View File

@@ -37,6 +37,9 @@ _PREFIX_PATTERNS = [
r"dop_v1_[A-Za-z0-9]{10,}", # DigitalOcean PAT
r"doo_v1_[A-Za-z0-9]{10,}", # DigitalOcean OAuth
r"am_[A-Za-z0-9_-]{10,}", # AgentMail API key
r"sk_[A-Za-z0-9_]{10,}", # ElevenLabs TTS key (sk_ underscore, not sk- dash)
r"tvly-[A-Za-z0-9]{10,}", # Tavily search API key
r"exa_[A-Za-z0-9]{10,}", # Exa search API key
]
# ENV assignment patterns: KEY=value where KEY contains a secret-like name