hermes - ✅(Solved) Fix .env sanitizer does not remove documented KEY=*** placeholders, so load_env treats them as real credentials [1 pull requests, 1 participants]

GitHub stats

NousResearch/hermes-agent#12651 · Fetched 2026-04-20 12:17:37
Comments: 0 · Participants: 1 · Timeline: 1 (cross-referenced ×1) · Reactions: 0

Fix Action

Fixed

PR fix notes

PR #12690: fix(config): remove KEY=*** placeholders during .env sanitization

Description (problem / solution / changelog)

Fixes #12651. During .env sanitization, placeholder lines formatted as KEY=*** are now discarded to prevent them being returned by load_env() as usable credentials.

Changed files

  • hermes_cli/config.py (modified, +4/-0)


Bug Description

_sanitize_env_lines() is documented as removing stale KEY=*** placeholder entries left by incomplete setup runs, but the current implementation does not do that. As a result, load_env() can return *** as if it were a real credential value.

Affected files / lines

  • hermes_cli/config.py:2595-2597 — comment says placeholders are dropped before parsing
  • hermes_cli/config.py:2607-2617 — _sanitize_env_lines() docstring explicitly lists stale KEY=*** placeholders as a handled corruption pattern
  • hermes_cli/config.py:2623-2655 — implementation contains no placeholder-removal branch
  • hermes_cli/config.py:2723-2724 — write path comments also assume placeholders are removed

Why this is a bug

This causes incomplete-setup placeholders to be treated as real secrets, which can poison auth detection and contradict the function's documented behavior.

Minimal reproduction / evidence

source venv/bin/activate && python - <<'PY'
from pathlib import Path
import tempfile, os, json, subprocess, sys

with tempfile.TemporaryDirectory() as td:
    env = os.environ.copy()
    env['HERMES_HOME'] = td
    Path(td, '.env').write_text('GITHUB_TOKEN=***\nREAL_KEY=abc\n')
    code = 'from hermes_cli.config import load_env; import json; print(json.dumps(load_env(), sort_keys=True))'
    res = subprocess.run([sys.executable, '-c', code], env=env, capture_output=True, text=True)
    print(res.stdout.strip())
PY

Observed output:

{"GITHUB_TOKEN": "***", "REAL_KEY": "abc"}

Expected Behavior

Placeholder values like KEY=*** should be discarded during sanitization so they do not appear as usable credentials.

Actual Behavior

load_env() preserves and returns *** values.

Suggested investigation direction

  • Implement the documented placeholder-removal rule in _sanitize_env_lines().
  • Add a regression test that verifies load_env() drops KEY=*** entries while preserving real values.

extent analysis

TL;DR

Implement the placeholder-removal rule in _sanitize_env_lines() to discard KEY=*** entries.

Guidance

  • Modify the _sanitize_env_lines() function in hermes_cli/config.py to filter out lines containing *** as the value, ensuring that only real credential values are returned by load_env().
  • Add a conditional statement to check if the value of each environment variable is *** and skip it if true.
  • Create a regression test to verify that load_env() correctly drops KEY=*** entries while preserving real values.
  • Review the documentation of _sanitize_env_lines() to ensure it accurately reflects the updated implementation.

Example

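def _sanitize_env_lines(lines):
    """Drop stale KEY=*** placeholder lines; keep every other line unchanged."""
    sanitized_lines = []
    for line in lines:
        # partition() tolerates comments, blank lines and '=' inside values
        _key, sep, value = line.partition('=')
        if sep and value.strip() == '***':  # placeholder left by incomplete setup
            continue
        sanitized_lines.append(line)
    return sanitized_lines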

Notes

The provided code snippet is a minimal example and may need to be adapted to fit the existing implementation of _sanitize_env_lines(). Additionally, the regression test should cover various scenarios to ensure the correctness of the load_env() function.

Recommendation

Apply the workaround by implementing the placeholder-removal rule in _sanitize_env_lines() to prevent incomplete-setup placeholders from being treated as real secrets. This change will align the function's behavior with its documentation and prevent potential auth detection issues.
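
The regression check recommended above, as an added example (not the project's code or the merged PR): sanitize_env_lines(), load_env_text() and the sample key names are hypothetical stand-ins for the hermes_cli functions. It goes beyond the plain KEY=*** case by also treating quoted or export-prefixed *** values as placeholders, which is an assumption, and it reports the dropped keys so setup can prompt for them again.

```python
import re

# Hypothetical stand-ins, not hermes_cli code. Assumption: a placeholder is a
# value that is exactly *** once whitespace and one pair of quotes are removed.
PLACEHOLDER = "***"
_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def _unquote(value):
    """Strip surrounding whitespace and one pair of matching quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def sanitize_env_lines(lines):
    """Return (kept_lines, dropped_keys); only exact placeholders are dropped."""
    kept, dropped = [], []
    for line in lines:
        m = _ASSIGN.match(line.rstrip("\r\n"))
        if m and _unquote(m.group(2)) == PLACEHOLDER:
            dropped.append(m.group(1))  # reported so setup can re-prompt
            continue
        kept.append(line)  # comments, blanks and real values stay untouched
    return kept, dropped


def load_env_text(text):
    """Sanitize, then parse .env text into a dict (load_env() stand-in)."""
    kept, dropped = sanitize_env_lines(text.splitlines(keepends=True))
    env = {}
    for line in kept:
        m = _ASSIGN.match(line.rstrip("\r\n"))
        if m:
            env[m.group(1)] = _unquote(m.group(2))
    return env, dropped

# Constructed sample input; none of these are real credentials.
SAMPLE = (
    "# written by setup\n"
    "GITHUB_TOKEN=***\n"
    "export OTHER_API_KEY = \"***\"\r\n"
    "REAL_KEY=abc\n"
    "DB_PASSWORD=p***d\n"
    "URL=https://example.invalid/?a=b\n"
)

print(load_env_text(SAMPLE))
```

A value that merely contains asterisks (DB_PASSWORD above) is kept, so a real secret is never discarded by a substring match.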
