hermes - ✅(Solved) Fix platforms.api_server config values (port, host, key) silently ignored when not nested under 'extra' [3 pull requests, 1 comments, 2 participants]

NousResearch/hermes-agent#20501 (fetched 2026-05-06 06:36:33)

Error Message

Configuration values for platforms.api_server (such as port, host, key, cors_origins) are silently ignored by the gateway when written at the top level of the api_server config block. The gateway silently falls back to defaults without any warning or error. This affects anyone running multiple Hermes profiles who needs to assign different ports. The bug is silent — no error, no warning — making it extremely difficult to debug. Users will think their config is not being picked up at all.

Root Cause

PlatformConfig.from_dict() in gateway/config.py (line 293-305) only reads from the extra dict:

return cls(
    enabled=_coerce_bool(data.get("enabled"), False),
    token=data.get("token"),
    api_key=data.get("api_key"),
    home_channel=home_channel,
    reply_to_mode=data.get("reply_to_mode", "first"),
    extra=data.get("extra", {}),  # <-- ONLY reads 'extra'
)

Meanwhile, hermes config set platforms.api_server.port 8643 writes the value at platforms.api_server.port directly, which is the natural and expected YAML structure. These top-level fields are never consumed.

Fix Action

Fixed

PR fix notes

PR #20506: fix(gateway/config): merge top-level platform keys into extra (#20501)

Description (problem / solution / changelog)

Summary

Fixes #20501 — platforms.api_server config values (port, host, key, cors_origins) are silently ignored when written at the natural top level instead of nested under extra.

Root cause

PlatformConfig.from_dict() in gateway/config.py only read platform-specific values from data.get("extra", {}). But hermes config set platforms.api_server.port 8643 writes the value at platforms.api_server.port (top level of the platform block, which is the natural and documented YAML shape and matches the error message in api_server.py:3112). The result: gateway falls back to default 8642 with no warning, no error, no log line — extremely hard to debug.

Fix

In PlatformConfig.from_dict(), merge any top-level keys that aren't dedicated PlatformConfig fields (enabled, token, api_key, home_channel, reply_to_mode, extra) into the extra dict. Explicit extra entries still win on key collision so the to_dict/from_dict roundtrip remains stable for existing configs.

This is a minimal, additive change — existing nested-under-extra configs keep working unchanged; the new behavior only kicks in for top-level keys that were previously dropped on the floor.

Test plan

  • New regression test: top-level port/host/key/cors_origins now reach extra
  • New regression test: explicit extra wins over a stale top-level key (roundtrip stability)
  • New regression test: reserved keys (token, api_key, reply_to_mode) still consumed as fields, not pushed into extra
  • All 43 tests in tests/gateway/test_config.py pass

Affected adapters

Any platform whose adapter reads config.extra.get(...) benefits. The reported issue is api_server (port/host/key/cors_origins/model_name) but the same pattern is used across other platform adapters, so they all become more forgiving of natural top-level config layout.

Changed files

  • gateway/config.py (modified, +31/-2)
  • tests/gateway/test_config.py (modified, +48/-0)
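
The merge rule described in PR #20506, as an added example that is not the project's code: `PlatformConfigModel`, `from_dict_before`, `from_dict_after` and `effective_port` are hypothetical names, and the class is a simplified stand-in for `PlatformConfig`. It shows the pre-fix loader dropping a top-level `port` and the post-fix merge keeping explicit `extra` entries ahead of top-level ones.

```python
from dataclasses import dataclass, field, asdict
from typing import Any, Dict, Optional

# Dedicated fields listed in the PR description; every other top-level key is
# platform-specific and is merged into 'extra'.
RESERVED = {"enabled", "token", "api_key", "home_channel", "reply_to_mode", "extra"}
DEFAULT_PORT = 8642  # gateway default quoted in the PR description
SAMPLE = {"enabled": True, "port": 8643, "key": "constructed-key"}  # constructed input


@dataclass
class PlatformConfigModel:
    """Simplified stand-in for PlatformConfig (assumption, not project code)."""
    enabled: bool = False
    token: Optional[str] = None
    api_key: Optional[str] = None
    home_channel: Any = None
    reply_to_mode: str = "first"
    extra: Dict[str, Any] = field(default_factory=dict)

    @classmethod
    def _build(cls, data: Dict[str, Any], extra: Dict[str, Any]):
        return cls(
            enabled=bool(data.get("enabled", False)),  # project uses _coerce_bool
            token=data.get("token"),
            api_key=data.get("api_key"),
            home_channel=data.get("home_channel"),
            reply_to_mode=data.get("reply_to_mode", "first"),
            extra=extra,
        )

    @classmethod
    def from_dict_before(cls, data):
        """Pre-fix loader: only the nested 'extra' dict is read."""
        return cls._build(data, dict(data.get("extra") or {}))

    @classmethod
    def from_dict_after(cls, data):
        """Post-fix loader: top-level keys merged, explicit 'extra' wins."""
        top_level = {k: v for k, v in data.items() if k not in RESERVED}
        return cls._build(data, {**top_level, **(data.get("extra") or {})})

    def to_dict(self):
        return asdict(self)


def effective_port(cfg):
    """Port an adapter would see when it reads config.extra.get('port')."""
    return cfg.extra.get("port", DEFAULT_PORT)
```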

PR #20528: fix: read top-level api_server config fields into extra

Description (problem / solution / changelog)

Summary

PlatformConfig.from_dict() in gateway/config.py only consumed fields nested inside the extra dict. When users set api_server values via hermes config set platforms.api_server.port 8643, the value is written at the top level of the api_server config block and never read — causing the gateway to silently fall back to the default port with no warning.

Root Cause

from_dict() passed data.get("extra", {}) directly without checking for top-level fields that ApiServerPlatform.__init__ also reads from extra:

  • port
  • host
  • key
  • cors_origins

Fix

Before building PlatformConfig, extract any of these top-level fields and merge them into the extra dict. Fields already present in extra take precedence, preserving existing behaviour for users who wrote the correct structure.

Testing

  • python3 -m py_compile gateway/config.py — passes
  • pytest tests/gateway/test_api_server.py — 15 passed (3 pre-existing async infra failures unrelated to this change; confirmed by running same tests on unmodified main)

Closes #20501

Changed files

  • gateway/config.py (modified, +12/-2)
  • run_agent.py (modified, +9/-0)

PR #20317: docs(security): rewrite policy around OS-level isolation as the boundary

Description (problem / solution / changelog)

This is a proposed rewrite of the core security policy of Hermes Agent. It outlines the trust model that the agent operates under, and the processes for security vulnerability reporting. The key pieces of it are:

  • Restate the trust model from first principles: the OS is the only load-bearing boundary against an adversarial LLM
  • Distinguish terminal-backend isolation from whole-process wrapping
  • Name in-process components (approval gate, output redaction, Skills Guard) as heuristics, and the class of reports that defeat them as out of scope under this policy while explicitly welcoming them as regular issues or PRs

This creates a much narrower scope of what constitutes a security vulnerability vs. what can go through the normal PR process. It also gives a firmer commitment on what really can be guaranteed at the various trust boundaries.

We'd like to gather community feedback on adopting this new security policy; please leave your comments below!

Changed files

  • SECURITY.md (modified, +302/-55)


Bug Description

Configuration values for platforms.api_server (such as port, host, key, cors_origins) are silently ignored by the gateway when written at the top level of the api_server config block. The gateway silently falls back to defaults without any warning or error.

Root Cause

PlatformConfig.from_dict() in gateway/config.py (line 293-305) only reads from the extra dict:

return cls(
    enabled=_coerce_bool(data.get("enabled"), False),
    token=data.get("token"),
    api_key=data.get("api_key"),
    home_channel=home_channel,
    reply_to_mode=data.get("reply_to_mode", "first"),
    extra=data.get("extra", {}),  # <-- ONLY reads 'extra'
)

Meanwhile, hermes config set platforms.api_server.port 8643 writes the value at platforms.api_server.port directly, which is the natural and expected YAML structure. These top-level fields are never consumed.

Reproduction

  1. Run hermes config set platforms.api_server.port 8643
  2. Verify config.yaml now has:
    platforms:
      api_server:
        enabled: true
        port: 8643
  3. Start gateway: hermes gateway start
  4. Check lsof -i :8643 — nothing is listening
  5. Check lsof -i :8642 — gateway is on 8642 (the default), with no warning

Expected Behavior

  • hermes config set should either write values under extra automatically, OR
  • PlatformConfig.from_dict() should also read top-level keys like port, host, key, cors_origins and merge them into extra
  • At minimum, the gateway should log a warning when config values exist that it does not consume

Environment

  • Hermes Agent version: latest main (as of May 2026)
  • macOS, Python 3.12

Impact

This affects anyone running multiple Hermes profiles who needs to assign different ports. The bug is silent — no error, no warning — making it extremely difficult to debug. Users will think their config is not being picked up at all.

extent analysis

TL;DR

Modify PlatformConfig.from_dict() to read top-level keys like port, host, key, cors_origins and merge them into extra, or update hermes config set to write values under extra automatically.

Guidance

  • Update gateway/config.py to read top-level config keys and merge them into extra to ensure all configuration values are consumed.
  • Consider adding a warning log when config values exist that are not consumed by the gateway to improve debuggability.
  • Review the hermes config set command to determine if it should automatically write values under extra to match the expected YAML structure.
  • Verify the fix by running the reproduction steps and checking that the gateway listens on the expected port.

Example

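# Modified PlatformConfig.from_dict() method
# Dedicated PlatformConfig fields; any other top-level key is merged into extra.
reserved = {"enabled", "token", "api_key", "home_channel", "reply_to_mode", "extra"}
return cls(
    enabled=_coerce_bool(data.get("enabled"), False),
    token=data.get("token"),
    api_key=data.get("api_key"),
    home_channel=home_channel,
    reply_to_mode=data.get("reply_to_mode", "first"),
    # Top-level keys go in first; explicit 'extra' entries are applied last
    # so they win on key collision.
    extra={
        **{key: value for key, value in data.items() if key not in reserved},
        **data.get("extra", {}),
    },
)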

Notes

This fix assumes that the top-level config keys should be merged into the extra dictionary. If this is not the case, the hermes config set command may need to be updated to write values under extra automatically.

Recommendation

Apply workaround by modifying PlatformConfig.from_dict() to read top-level config keys and merge them into extra, as this is a more straightforward fix that can be implemented immediately.
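
One way to produce the warning asked for under Expected Behavior and Guidance, as an added example that is not the project's code: `audit_platforms` and the `example_platform` entry are hypothetical, and the input is an already-parsed `platforms` mapping. It reports top-level keys that a loader reading only `extra` never sees, and logs key names without values because fields such as `key` may hold secrets.

```python
import logging

log = logging.getLogger("config_audit")

# Dedicated PlatformConfig fields named in PR #20506.
RESERVED = frozenset(
    {"enabled", "token", "api_key", "home_channel", "reply_to_mode", "extra"}
)

# Constructed sample of a parsed 'platforms' mapping (not a real config).
SAMPLE = {
    "api_server": {"enabled": True, "port": 8643, "key": "constructed-secret",
                   "extra": {"host": "127.0.0.1"}},
    "example_platform": {"enabled": True, "port": 1, "extra": {"port": 2}},
    "clean": {"enabled": True, "token": "t", "extra": {"port": 8642}},
}


def audit_platforms(platforms):
    """Return [(platform, key, status)] for top-level keys outside RESERVED.

    "dropped":  the key exists only at the top level, so a loader that reads
                only 'extra' falls back to its default for it.
    "shadowed": 'extra' holds the same key with a different value; with the
                merge fix the 'extra' value is the one that takes effect.
    """
    findings = []
    for name, block in sorted(platforms.items()):
        if not isinstance(block, dict):
            continue  # malformed platform entry, nothing to inspect
        extra = block.get("extra") or {}
        for key in sorted(set(block) - RESERVED):
            if key not in extra:
                status = "dropped"
            elif extra[key] != block[key]:
                status = "shadowed"
            else:
                continue  # same value in both places, no ambiguity
            findings.append((name, key, status))
            # Key names only: never write configured values to the log.
            log.warning("platforms.%s.%s is %s by 'extra'-only loading",
                        name, key, status)
    return findings


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for finding in audit_platforms(SAMPLE):
        print(finding)
```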
