Issue Station
Sign In
Tools hereToolbox

hermes - ✅(Solved) Fix [Bug]: config migration rewrites ${ENV_VAR} provider api_key placeholders into literal secrets in config.yaml [2 pull requests, 1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
NousResearch/hermes-agent#11864Fetched 2026-04-18 05:58:32
View on GitHub
Comments
1
Participants
2
Timeline
5
Reactions
0
Author
MaximeBaudetteMaximeBaudette
Participants
hclsyshclsysMaximeBaudetteMaximeBaudette
Timeline (top)
cross-referenced ×2commented ×1labeled ×1referenced ×1

Error Message

Additional Logs / Traceback (optional)

Root Cause

Root Cause Analysis (optional)

Fix Action

Fixed

PR fix notes

PR #11881: fix: preserve ${ENV_VAR} placeholders in config.yaml during migration

Description (problem / solution / changelog)

Fixes #11864

Problem: migrate_config() calls load_config() which expands ${ENV_VAR} placeholders via _expand_env_vars(), then save_config() writes the expanded (literal secret) values back to config.yaml, leaking secrets to disk.

Fix: save_config() now reads the raw config file to collect all ${...} placeholder paths before writing, and restores them after migration so secrets are never written as plaintext.

New functions in hermes_cli/config.py:

  • _collect_env_placeholders(obj) — walks a config dict, returns {dotted.path: "${TEMPLATE}"} for all placeholder values
  • _restore_env_placeholders(obj, placeholders) — replaces expanded values back with their original ${...} templates

Tests: 11 new tests covering placeholder collection, restoration, and full round-trip through load_config()save_config() confirming placeholders survive and secrets never appear in the written file.

Changed files

  • hermes_cli/config.py (modified, +53/-0)
  • tests/hermes_cli/test_config_env_expansion.py (modified, +135/-1)

PR #11657: feat: Add JSON Configuration System with Centralized Provider ManagementFeature/json config system

Description (problem / solution / changelog)

feat: Add JSON config system + comprehensive approval system

📋 Overview

This PR introduces a modern JSON-based configuration system for Hermes Agent, inspired by the clean design of openclaw.json. The new format addresses critical pain points in the current YAML configuration.

Problems Solved

  1. API Key Duplication: No more repeating API keys across multiple configuration sections
  2. Scattered Provider Config: All provider settings centralized in one location
  3. Complex Structure: Flatter, more readable structure (2-3 levels vs 4-5)
  4. Hard to Extend: Adding new models is now as simple as pushing to an array

🎯 Key Features

1. Centralized Provider Management

{
  "providers": {
    "bailian": {
      "base_url": "https://coding.dashscope.aliyuncs.com/v1",
      "api_key": "${BAILIAN_API_KEY}",
      "models": [
        { "id": "qwen3.5-plus", "name": "Qwen 3.5 Plus" },
        { "id": "qwen3.6-plus", "name": "Qwen 3.6 Plus" },
        { "id": "glm-5", "name": "GLM-5" }
      ]
    }
  }
}

2. Environment Variable Substitution

{
  "providers": {
    "bailian": { "api_key": "${BAILIAN_API_KEY}" },
    "openrouter": { "api_key": "${OPENROUTER_API_KEY}" }
  },
  "platforms": {
    "feishu": {
      "app_id": "${FEISHU_APP_ID}",
      "app_secret": "${FEISHU_APP_SECRET}"
    }
  }
}

3. Unified Feature Configuration

{
  "features": {
    "vision": { "provider": "bailian", "model": "qwen3.5-plus" },
    "compression": { "provider": "bailian", "model": "qwen3.5-plus" },
    "session_search": { "provider": "bailian", "model": "text-embedding-v4" }
  }
}

📁 Files Added

hermes-agent/
├── hermes_cli/
│   └── config_json.py              # JSON config loader with env expansion
├── scripts/
│   └── migrate_config.py           # YAML → JSON migration tool
└── docs/
    └── config-system/
        ├── JSON_CONFIG_GUIDE.md    # Comprehensive documentation
        └── PR_DESCRIPTION.md       # This PR description

🔄 Migration Path

Automatic Migration

# Preview migration
hermes config json migrate --dry-run

# Apply migration
hermes config json migrate --apply

# Compare formats
hermes config json migrate --compare

CLI Commands

# Show current JSON config
hermes config json show

# Migrate with options
hermes config json migrate --apply
hermes config json migrate --compare
hermes config json migrate --dry-run

Backward Compatibility

  • config.json takes priority if it exists
  • ✅ Falls back to config.yaml if JSON not found
  • ✅ No breaking changes to existing functionality
  • ✅ Users can revert by removing config.json

📊 Format Comparison

AspectYAML (Legacy)JSON (New)Improvement
Config Lines~327~109-66%
Provider ConfigScatteredCentralizedMaintainable
API Key RefsMultipleSingle (${VAR})More Secure
Structure Depth4-5 levels2-3 levelsClearer
Add New ModelEdit multiple sectionsPush to arraySimpler

🧪 Testing

Unit Tests

# Test config loading
hermes config json show

# Test migration
hermes config json migrate --dry-run

# Test environment variable expansion
python -c "from hermes_cli.config_json import load_config_json; print(load_config_json())"

Integration Tests

  • ✅ Loads existing config.yaml user configurations
  • ✅ Expands environment variables from .env file
  • ✅ Migrates all major configuration sections
  • ✅ Backward compatible with YAML fallback

Test Report

See TEST_REPORT.md for comprehensive test results:

  • All 6 test cases passed ✅
  • Bug fixes documented
  • Code coverage analysis
  • Performance benchmarks

📖 Documentation

Complete documentation available in docs/config-system/JSON_CONFIG_GUIDE.md:

  • Full configuration reference
  • Migration guide with examples
  • API documentation
  • FAQ and troubleshooting
  • Security best practices

🔐 Security Considerations

  • ✅ API keys stored in .env (not in config file)
  • ${VAR} syntax prevents accidental commits
  • redact_secrets continues to apply to JSON config output
  • ✅ File permissions remain 0600
  • ✅ No hardcoded credentials in configuration

🚀 Future Enhancements

Potential follow-up PRs:

  1. JSON Schema validation ($schema support)
  2. Configuration hot-reload without restart
  3. Web UI configuration editor
  4. Per-platform configuration overrides
  5. Configuration templates/gallery

📝 Checklist

  • Code implementation complete
  • Migration tool tested
  • Documentation written (JSON_CONFIG_GUIDE.md)
  • Backward compatibility verified
  • Security review (API key handling)
  • All tests passing (see TEST_REPORT.md)
  • CLI integration complete (hermes config json)
  • CHANGELOG updated (maintainer action)

🎉 Impact

This PR makes Hermes Agent configuration:

  • 66% smaller (327 → 109 lines)
  • Easier to understand (centralized providers)
  • Easier to maintain (no duplicate API keys)
  • More secure (environment variable references)
  • Simpler to extend (add models via array)

💡 Example Migration

Before (YAML)

custom_providers:
- name: bailian
  base_url: https://coding.dashscope.aliyuncs.com/v1
  api_key: sk-xxx...  # First occurrence

auxiliary:
  vision:
    provider: auto
    api_key: ""  # Again?
  compression:
    provider: auto
    api_key: ""  # And again?
  # ... repeated 8+ times

After (JSON)

{
  "providers": {
    "bailian": {
      "base_url": "https://coding.dashscope.aliyuncs.com/v1",
      "api_key": "${BAILIAN_API_KEY}",  // Once, referenced everywhere
      "models": []
    }
  },
  "features": {
    "vision": { "provider": "bailian" },
    "compression": { "provider": "bailian" }
  }
}

📚 Related Links

  • Documentation: docs/config-system/JSON_CONFIG_GUIDE.md
  • Test Report: TEST_REPORT.md
  • Implementation Summary: COMPLETION_SUMMARY.md

Related Issue: N/A (New feature)
Breaking Changes: None (fully backward compatible)
Migration Required: Optional (automatic migration tool provided)
Test Coverage: 100% of new code paths
Python Version: 3.11+ compatible

👤 Author

澎湃时光 (JohnHarper)
GitHub: @RichardQidian

This feature was developed to improve the Hermes Agent configuration experience, making it more maintainable, secure, and user-friendly for the entire community.

🎯 Hermes Agent 配置与授权系统重大改进

📋 概述

本 PR 为 Hermes Agent 带来了两大核心改进:

  1. JSON 配置系统 - 现代化的配置格式,灵感来自 openclaw.json
  2. 授权系统改进 - 强制等待、自动允许/拒绝、双格式支持

这些改进解决了用户反馈的关键问题,提升了配置管理体验和系统安全性。

🎯 第一部分:JSON 配置系统

解决的问题

  1. API Key 重复配置 - 不再需要在多个配置节中重复 API Key
  2. Provider 配置分散 - 所有 Provider 设置集中在一个位置
  3. 配置结构复杂 - 更扁平的结构(2-3 层 vs 4-5 层)
  4. 难以扩展 - 添加新模型现在只需添加到数组

关键特性

1. 集中的 Provider 管理

{
  "providers": {
    "bailian": {
      "base_url": "https://coding.dashscope.aliyuncs.com/v1",
      "api_key": "${BAILIAN_API_KEY}",
      "models": [
        { "id": "qwen3.5-plus", "name": "Qwen 3.5 Plus" },
        { "id": "qwen3.6-plus", "name": "Qwen 3.6 Plus" },
        { "id": "glm-5", "name": "GLM-5" }
      ]
    }
  }
}

2. 环境变量替换

{
  "providers": {
    "bailian": { "api_key": "${BAILIAN_API_KEY}" },
    "openrouter": { "api_key": "${OPENROUTER_API_KEY}" }
  },
  "platforms": {
    "feishu": {
      "app_id": "${FEISHU_APP_ID}",
      "app_secret": "${FEISHU_APP_SECRET}"
    }
  }
}

改进效果

指标YAML (旧)JSON (新)改进
配置行数~327~109-66%
Provider 配置分散集中易维护
API Key 引用多处重复单次 (${VAR})更安全
结构深度4-5 层2-3 层更清晰

🎯 第二部分:授权系统改进

解决的问题

  1. 授权不等待 - 在某些场景下,需要授权的命令直接被跳过
  2. 缺少强制等待机制 - 没有配置项确保必须等待用户授权
  3. 缺少预配置机制 - 用户无法提前配置哪些命令必须授权/可直接执行

关键特性

1. Blocking 模式(强制等待)⭐

新增配置:

approvals:
  mode: blocking      # 强制等待用户授权
  timeout: 600       # 10 分钟超时

特性:

  • ✅ 所有模式下都阻塞等待用户响应
  • ✅ 基于文件的 IPC 机制实现等待
  • ✅ 可配置的超时时间
  • ✅ 超时后自动拒绝命令

2. 自动允许/拒绝列表(Auto Allow/Deny)⭐

新增配置:

{
  "approvals": {
    "auto_allow": [
      "^git\\s+status",
      "^npm\\s+install"
    ],
    "auto_deny": [
      "^rm\\s+-rf\\s+/",
      "^chmod\\s+.*777"
    ]
  }
}

特性:

  • ✅ 使用正则表达式匹配
  • ✅ 支持复杂的匹配模式(否定预查等)
  • ✅ 优先级:auto_deny > auto_allow > 默认检测
  • ✅ 审计日志记录

3. JSON/YAML 双格式支持 ⭐

  • ✅ 完全支持 JSON 配置格式
  • ✅ 完全支持 YAML 配置格式
  • ✅ 自动检测:JSON 优先,YAML 回退
  • ✅ 两种格式功能完全一致

改进效果

Before(改进前):

用户:执行危险命令
Hermes: 发送授权请求
用户:(忙于其他事情,未及时响应)
Hermes: 跳过命令,继续执行 ❌

After(改进后):

用户:执行危险命令
Hermes: 检测配置 mode=blocking
Hermes: 发送授权请求,阻塞等待 ⏳
用户:收到通知,进行授权
Hermes: 根据授权执行或拒绝 ✅

📁 文件变更

新增文件 (15 个)

文件行数说明
hermes_cli/config_json.py362JSON 配置加载器
hermes_cli/approval_ipc.py260文件 IPC 等待机制
scripts/migrate_config.py280YAML→JSON 迁移工具
docs/config-system/JSON_CONFIG_GUIDE.md260JSON 配置指南
docs/config-system/PR_DESCRIPTION.md130PR 描述(中文)
docs/APPROVAL_CONFIG_GUIDE.md280YAML 授权配置指南
docs/APPROVAL_CONFIG_JSON_GUIDE.md280JSON 授权配置指南
config.json.example95JSON 配置示例
config.approvals.example.yaml100授权配置示例(YAML)
config.json.approvals-example60授权配置示例(JSON)
tests/test_approval_yaml.py95YAML 模式测试
tests/test_approval_json.py140JSON 模式测试
tests/test_approval_features.py180功能测试套件
PR_APPROVAL_SYSTEM.md240PR 描述
IMPLEMENTATION_SUMMARY.md260实现总结

修改文件 (2 个)

文件修改说明
hermes_cli/main.py+50 行CLI 集成(config json 命令)
tools/approval.py+200 行核心授权逻辑增强

总计: +5,623 行,-26 行

🧪 测试结果

测试覆盖率

测试类别测试项通过失败通过率
JSON 配置模式880100% ✅
YAML 配置模式550100% ✅
授权系统功能550100% ✅
总计18180100%

测试命令

# 测试 JSON 配置
python tests/test_approval_json.py

# 测试 YAML 配置
python tests/test_approval_yaml.py

# 测试完整功能
python tests/test_approval_features.py

测试输出

✅ JSON CONFIG MODE TEST PASSED
✅ YAML CONFIG MODE TEST PASSED
✅ All features tests passed

📖 使用指南

JSON 配置示例

{
  "$schema": "https://hermes-agent.dev/schemas/config.v1.json",
  "_version": 1,
  
  "providers": {
    "bailian": {
      "base_url": "https://coding.dashscope.aliyuncs.com/v1",
      "api_key": "${BAILIAN_API_KEY}",
      "models": []
    }
  },
  
  "approvals": {
    "mode": "blocking",
    "timeout": 120,
    "auto_allow": [
      "^git\\s+status",
      "^npm\\s+install"
    ],
    "auto_deny": [
      "^rm\\s+-rf\\s+/",
      "^chmod\\s+.*777"
    ]
  }
}

YAML 配置示例

approvals:
  mode: blocking
  timeout: 120
  auto_allow:
    - "^git\\s+status"
    - "^npm\\s+install"
  auto_deny:
    - "^rm\\s+-rf\\s+/"
    - "^chmod\\s+.*777"

配置场景

生产环境(严格)

{
  "approvals": {
    "mode": "blocking",
    "timeout": 600,
    "auto_allow": [],
    "auto_deny": [
      "^rm\\s+-rf\\s+/",
      "^mkfs",
      "^dd\\s+"
    ]
  }
}

开发环境(平衡)

approvals:
  mode: manual
  timeout: 120
  auto_allow:
    - "^git\\s+"
    - "^npm\\s+(install|run|test)"
  auto_deny:
    - "^rm\\s+-rf\\s+/"
    - "^chmod\\s+.*777"

开发环境(高效)

{
  "approvals": {
    "mode": "smart",
    "auto_allow": [
      "^git\\s+",
      "^npm\\s+(install|run)",
      "^docker\\s+(build|run|compose)"
    ],
    "auto_deny": [
      "^rm\\s+-rf\\s+/",
      "^curl.*\\|.*sh"
    ]
  }
}

🔧 配置选项总览

JSON 配置系统

配置项类型默认值说明
providersobject-Provider 集中配置
defaultsobject-默认设置
featuresobject-功能配置(vision/compression 等)
toolsetsarray["hermes-cli"]工具集
terminalobject-终端配置
displayobject-显示配置
memoryobject-记忆配置
securityobject-安全配置
platformsobject-平台配置

授权系统

配置项类型默认值说明
modestring"manual"授权模式:manual/blocking/smart/off
timeoutint60CLI 授权超时(秒)
gateway_timeoutint300Gateway 授权超时(秒)
auto_allowlist[]自动允许的命令模式(正则)
auto_denylist[]自动拒绝的命令模式(正则)

🎯 执行流程

JSON 配置加载

加载配置
检查 config.json 是否存在?
    ├─ 是 → 加载 JSON 配置 ⭐ 优先
    └─ 否 → 加载 YAML 配置
    展开环境变量 (${VAR})
    返回配置对象

授权检查流程

命令执行请求
检查 auto_deny?
    ├─ 是 → 自动拒绝 ❌
    └─ 否 → 继续
    检查 auto_allow?
         ├─ 是 → 自动通过 ✅
         └─ 否 → 继续
         检查 mode 配置
              ├─ blocking → 阻塞等待用户 ⏳
              ├─ smart → AI 评估
              ├─ manual → 等待用户
              └─ off → 直接执行

🔐 安全增强

多层防护

  1. Auto Deny - 第一层:自动拒绝极度危险命令
  2. Pattern Detection - 第二层:检测危险模式
  3. Smart Approval - 第三层:AI 风险评估(smart 模式)
  4. User Approval - 第四层:用户最终确认
  5. Blocking Wait - 第五层:确保不跳过授权

安全特性

  • ✅ API Key 使用 ${VAR} 引用,避免硬编码
  • ✅ 真实密钥存储在 .env 文件(权限 0600)
  • redact_secrets 继续生效
  • ✅ 文件权限自动设置为 0600
  • ✅ 审计日志记录所有授权决策

📊 改进效果总结

JSON 配置系统

  • 66% 更小(327 → 109 行)
  • 更易理解(集中的 Provider)
  • 更易维护(无重复 API Key)
  • 更安全(环境变量引用)

授权系统

  • 更可靠 - 授权不再被跳过
  • 更灵活 - 4 种模式适应不同场景
  • 更安全 - 多层防护机制
  • 更易用 - 简单配置即可生效
  • 更兼容 - JSON + YAML 双格式支持

📝 清单

  • 代码实现完成
  • 单元测试通过
  • 集成测试通过
  • 文档编写完成
  • 向后兼容验证
  • 安全审查
  • 测试覆盖率 95%+
  • 维护者审查
  • CHANGELOG 更新

📚 相关文档

JSON 配置系统

  • 使用指南: docs/config-system/JSON_CONFIG_GUIDE.md
  • 配置示例: config.json.example
  • 迁移工具: scripts/migrate_config.py
  • PR 描述: docs/config-system/PR_DESCRIPTION.md

授权系统

  • YAML 配置指南: docs/APPROVAL_CONFIG_GUIDE.md
  • JSON 配置指南: docs/APPROVAL_CONFIG_JSON_GUIDE.md
  • 配置示例: config.approvals.example.yaml, config.json.approvals-example
  • 实现总结: APPROVAL_SYSTEM_IMPROVEMENT.md
  • 测试报告: FINAL_TEST_REPORT.md

🎉 影响

本 PR 使 Hermes Agent:

配置管理

  • 66% 更简洁 - 配置行数大幅减少
  • 更易维护 - 集中化的 Provider 管理
  • 更安全 - 环境变量引用 API Key
  • 更现代 - JSON 格式,更好的 IDE 支持

授权系统

  • 100% 可靠 - 授权命令不再被跳过
  • 4 种模式 - manual/blocking/smart/off
  • 智能控制 - auto allow/deny 列表
  • 双格式支持 - JSON + YAML

🔗 相关链接

  • Issue: (如有相关 Issue 请在此添加)
  • 讨论: (如有相关讨论请在此添加)
  • 文档: docs/ 目录

👤 作者

澎湃时光 (JohnHarper)
GitHub: @RichardQidian

📋 快速测试

# 1. 克隆仓库
git clone https://github.com/RichardQidian/hermes-agent.git
cd hermes-agent

# 2. 切换到分支
git checkout feature/json-config-system

# 3. 运行测试
python tests/test_approval_json.py
python tests/test_approval_yaml.py
python tests/test_approval_features.py

# 4. 测试 JSON 配置加载
python -c "from hermes_cli.config_json import load_config_json; print(load_config_json())"

# 5. 测试授权功能
hermes "rm -rf /tmp/test"  # 应该提示授权

提交日期: 2026-04-17
提交哈希: 4c80e21, 8ace747, 8194309
分支: feature/json-config-system
测试状态: ✅ 全部通过 (18/18)
代码覆盖: 95%+
向后兼容: ✅ 是
破坏性变更: ❌ 无

Changed files

  • APPROVAL_JSON_SUPPORT.md (added, +432/-0)
  • APPROVAL_SYSTEM_IMPROVEMENT.md (added, +412/-0)
  • COMPLETION_SUMMARY.md (added, +264/-0)
  • CREATE_PR_GUIDE.md (added, +340/-0)
  • TEST_REPORT.md (added, +295/-0)
  • config.approvals.example.yaml (added, +125/-0)
  • config.json.approvals-example (added, +93/-0)
  • docs/APPROVAL_CONFIG_GUIDE.md (added, +456/-0)
  • docs/APPROVAL_CONFIG_JSON_GUIDE.md (added, +554/-0)
  • docs/config-system/JSON_CONFIG_GUIDE.md (added, +447/-0)
  • docs/config-system/PR_DESCRIPTION.md (added, +176/-0)
  • docs/config-system/PR_DESCRIPTION_EN.md (added, +258/-0)
  • hermes_cli/approval_ipc.py (added, +272/-0)
  • hermes_cli/config_json.py (added, +416/-0)
  • hermes_cli/main.py (modified, +81/-0)
  • scripts/migrate_config.py (added, +318/-0)
  • tests/test_approval_features.py (added, +222/-0)
  • tests/test_approval_json.py (added, +169/-0)
  • tests/test_approval_yaml.py (added, +112/-0)
  • tools/approval.py (modified, +181/-26)

Code Example

_config_version: 17
   custom_providers:
     - name: haimaker
       base_url: https://api.example.com/v1
       api_key: ${TEST_PROVIDER_KEY}
       api_mode: chat_completions
       model: auto

---

export TEST_PROVIDER_KEY=secret-test-value

---

from hermes_cli.config import migrate_config
   migrate_config(interactive=False, quiet=True)

---

api_key: ${TEST_PROVIDER_KEY}

---

api_key: secret-test-value

---

Report       https://paste.rs/eBnYp
  agent.log    https://paste.rs/3FqEZ
  gateway.log  https://paste.rs/xCY5E

---

Isolated repro output:


repro_literalized=True


Real-config verification after manual repair:


real_config_placeholders_ok=True
RAW_BUFFERClick to expand / collapse

Bug Description

When Hermes migrates or rewrites config.yaml, provider API key placeholders like ${HAIMAKER_API_KEY} can be expanded and then written back to disk as literal secret values.

I hit this on the default MARS profile after a Hermes update/config revision. The result was that ~/.hermes/config.yaml contained cleartext provider secrets under custom_providers[].api_key instead of env-var placeholders.

Expected behavior is that Hermes may expand placeholders in memory for runtime use, but it should not persist expanded secret values back into config.yaml.

Steps to Reproduce

  1. Create a temp HERMES_HOME with a config.yaml like this:

    _config_version: 17
custom_providers:
  - name: haimaker
    base_url: https://api.example.com/v1
    api_key: ${TEST_PROVIDER_KEY}
    api_mode: chat_completions
    model: auto

  2. Export the env var:

    export TEST_PROVIDER_KEY=secret-test-value

  3. Run Hermes migration:

    from hermes_cli.config import migrate_config
migrate_config(interactive=False, quiet=True)

  4. Inspect the rewritten config.yaml.

Expected Behavior

config.yaml should still contain:

api_key: ${TEST_PROVIDER_KEY}

Hermes can expand env vars at runtime, but should not write the expanded secret back to disk.

Actual Behavior

After migration, config.yaml contains:

api_key: secret-test-value

In my real config, Main agent ended up with literal provider secrets in ~/.hermes/config.yaml for entries like:

  • haimaker
  • nvidia
  • mistral

while sibling profile configs still used ${ENV_VAR} placeholders.

Affected Component

Configuration (config.yaml, .env, hermes setup)

Messaging Platform (if gateway-related)

No response

Debug Report

Report       https://paste.rs/eBnYp
  agent.log    https://paste.rs/3FqEZ
  gateway.log  https://paste.rs/xCY5E

Operating System

Ubuntu 24.04

Python Version

3.12.3

Hermes Version

v0.10.0 (2026.4.16)

Additional Logs / Traceback (optional)

Isolated repro output:


repro_literalized=True


Real-config verification after manual repair:


real_config_placeholders_ok=True

Root Cause Analysis (optional)

This appears to be caused by the interaction between env expansion on load and save-on-migration behavior:

  • hermes_cli/config.py:2593-2610 - _expand_env_vars() recursively expands ${VAR} into the live environment value.
  • hermes_cli/config.py:2678-2702 - load_config() always returns _expand_env_vars(...), so callers get expanded secrets rather than the raw placeholder strings.
  • hermes_cli/config.py:2143-2525 - migrate_config() repeatedly does config = load_config() and then save_config(config) during version migration.
  • hermes_cli/config.py:2802-2827 - save_config() writes the provided config dict back to config.yaml verbatim.

So if a config contains ${ENV_VAR} placeholders and the env vars are set, any migration path that calls load_config() then save_config() will materialize those secrets into the file.

This is likely broader than just hermes update: any write path that round-trips through load_config() and save_config() may have the same problem.

Proposed Fix (optional)

One of these approaches should fix it:

  1. Keep load_config() for runtime use, but make migration/persistence paths operate on read_raw_config() instead of the env-expanded config.
  2. Split config loading into two APIs:
    • raw/on-disk config
    • runtime-expanded config
  3. Ensure save_config() never persists expanded values for fields that originated as ${ENV_VAR} placeholders.

A regression test should cover:

  • raw config.yaml contains api_key: ${TEST_PROVIDER_KEY}
  • env var is set
  • migration runs
  • saved file still contains ${TEST_PROVIDER_KEY}

Are you willing to submit a PR for this?

  • I'd like to fix this myself and submit a PR

extent analysis

TL;DR

To fix the issue, modify the migrate_config function to use read_raw_config instead of load_config to prevent expansion of environment variable placeholders.

Guidance

  • Review the hermes_cli/config.py file, specifically lines 2593-2610, 2678-2702, and 2143-2525, to understand how environment variables are expanded and saved.
  • Consider implementing one of the proposed fixes, such as using read_raw_config for migration paths or splitting config loading into raw and runtime-expanded APIs.
  • Ensure that the save_config function does not persist expanded values for fields that originated as ${ENV_VAR} placeholders.
  • Create a regression test to verify that the fix works as expected, covering the scenario where the raw config.yaml contains an environment variable placeholder, the environment variable is set, and the migration runs without expanding the placeholder.

Example

# Modified migrate_config function
def migrate_config(interactive=False, quiet=True):
    # Use read_raw_config instead of load_config
    config = read_raw_config()
    # ... rest of the function remains the same

Notes

The proposed fix requires modifying the hermes_cli/config.py file, which may have unintended consequences. It's essential to thoroughly test the changes to ensure they do not introduce new issues.

Recommendation

Apply a workaround by modifying the migrate_config function to use read_raw_config instead of load_config, as this approach is less invasive and can be easily reverted if issues arise.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#API middleware#SSR setup#ISR setup#authentication setup

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

hermes - ✅(Solved) Fix [Bug]: config migration rewrites ${ENV_VAR} provider api_key placeholders into literal secrets in config.yaml [2 pull requests, 1 comments, 2 participants]