auto-save 2026-07-13
This commit is contained in:
@@ -18,6 +18,7 @@ Keep a Hermes Agent installation healthy: audit config, move secrets to `.env`,
|
||||
- User asks "is my config efficient" or "does this look right"
|
||||
- After a major Hermes upgrade — run `hermes config migrate`
|
||||
- Config references a different backend than what's actually in use
|
||||
- User asks to push/backup/version-control `~/.hermes/` to a git repo
|
||||
|
||||
## Config Hygiene Workflow
|
||||
|
||||
@@ -102,6 +103,56 @@ A real config cleanup session (DeepSeek-based install, local backend):
|
||||
- **Gateway**: `/restart`
|
||||
- Verify with `hermes config check`
|
||||
|
||||
## Git Backup of ~/.hermes/
|
||||
|
||||
Push the Hermes config directory to a self-hosted Git repo (Gitea, Gogs, etc.) for version control and disaster recovery. Excludes secrets, caches, logs, databases, and transient runtime files.
|
||||
|
||||
**Reference:** `.gitignore` template at `references/hermes-config-gitignore.md`
|
||||
**Verification:** script at `references/verify-gitignore.sh`
|
||||
|
||||
### 1. Create .gitignore FIRST (before `git add`)
|
||||
|
||||
The `.gitignore` must exist before staging — otherwise `git add -A` will capture secrets. Use the template at `references/hermes-config-gitignore.md`.
|
||||
|
||||
```bash
|
||||
cd ~/.hermes
|
||||
git init
|
||||
# (write .gitignore here — see template)
|
||||
git add -A && git status # review staged files BEFORE committing
|
||||
```
|
||||
|
||||
### 2. Audit staged files for secrets
|
||||
|
||||
Before committing, scan `git status` output for anything sensitive. These must NOT appear:
|
||||
- `.env`, `auth.json`, `honcho.json` — credential stores
|
||||
- `memories/` — personal data (network topology, passwords, preferences)
|
||||
- `*.db`, `*.db-shm`, `*.db-wal` — runtime databases
|
||||
- `sessions/`, `logs/`, `cache/`, `audio_cache/` — transient data
|
||||
- `hermes-agent/` — separate git clone, not config
|
||||
|
||||
If any appear, fix `.gitignore` and `git rm --cached` them.
|
||||
|
||||
### 3. Check config.yaml for hardcoded secrets
|
||||
|
||||
```bash
|
||||
grep -n -i 'api_key\|token\|secret\|password' config.yaml
|
||||
```
|
||||
|
||||
All should reference `${ENV_VAR}` placeholders, never literal keys. If hardcoded keys exist, move them to `.env` first (see Config Hygiene above).
|
||||
|
||||
### 4. Commit and push
|
||||
|
||||
```bash
|
||||
git commit -m "initial commit"
|
||||
git remote add origin http://<user>:<token>@<gitea-host>:3000/<user>/hermes-config.git
|
||||
git branch -m master main # Gitea repos default to 'main'
|
||||
git push -u origin main
|
||||
```
|
||||
|
||||
### 5. Verify exclusions (optional)
|
||||
|
||||
Run `references/verify-gitignore.sh` to confirm sensitive files are excluded and key config files are tracked.
|
||||
|
||||
## Pitfalls
|
||||
|
||||
- **`hermes config set` can't delete** — it only sets/overwrites values. Use terminal Python for deletions.
|
||||
@@ -109,3 +160,4 @@ A real config cleanup session (DeepSeek-based install, local backend):
|
||||
- **Don't use `sed` on YAML** — nested keys and indentation break easily. Always use Python `yaml` module.
|
||||
- **`.env` can't be read directly** — `read_file` on `~/.hermes/.env` returns "Access denied." Use `grep`/terminal to check contents, `echo >>` to append.
|
||||
- **Config changes need a restart** — they don't hot-reload mid-session.
|
||||
- **`memories/` needs its own gitignore entry** — the root `~/.hermes/memories/` directory contains personal markdown files (network topology, passwords, preferences). `profiles/*/memories/` covers profile-level memories but not the root. Add a separate `memories/` line.
|
||||
|
||||
@@ -0,0 +1,108 @@
|
||||
# Credentials & secrets (DO NOT COMMIT)
|
||||
.env
|
||||
auth.json
|
||||
auth.lock
|
||||
honcho.json
|
||||
credentials*
|
||||
secrets*
|
||||
|
||||
# Logs
|
||||
logs/
|
||||
*.log
|
||||
interrupt_debug.log
|
||||
|
||||
# Caches
|
||||
cache/
|
||||
audio_cache/
|
||||
image_cache/
|
||||
models_dev_cache.json
|
||||
ollama_cloud_models_cache.json
|
||||
provider_models_cache.json
|
||||
context_length_cache.yaml
|
||||
|
||||
# Sessions (runtime conversation data)
|
||||
sessions/
|
||||
profiles/*/sessions/
|
||||
profiles/*/memories/
|
||||
profiles/*/cache/
|
||||
profiles/*/logs/
|
||||
profiles/*/audio_cache/
|
||||
|
||||
# Databases (runtime state)
|
||||
state.db
|
||||
state.db-shm
|
||||
state.db-wal
|
||||
response_store.db
|
||||
response_store.db-shm
|
||||
response_store.db-wal
|
||||
kanban.db
|
||||
kanban.db-shm
|
||||
kanban.db-wal
|
||||
kanban.db.dispatch.lock
|
||||
kanban.db.init.lock
|
||||
verification_evidence.db
|
||||
verification_evidence.db-shm
|
||||
verification_evidence.db-wal
|
||||
|
||||
# Runtime / process files
|
||||
gateway.pid
|
||||
gateway.lock
|
||||
gateway_state.json
|
||||
processes.json
|
||||
channel_directory.json
|
||||
|
||||
# State snapshots
|
||||
state-snapshots/
|
||||
checkpoints/
|
||||
|
||||
# Internal tracking files
|
||||
.hermes_history
|
||||
.skills_prompt_snapshot.json
|
||||
.update_check
|
||||
.restart_last_processed.json
|
||||
|
||||
# Hermes agent source (separate repo, clone on demand)
|
||||
hermes-agent/
|
||||
|
||||
# Node / npm
|
||||
node/
|
||||
node_modules/
|
||||
|
||||
# Python
|
||||
__pycache__/
|
||||
*.pyc
|
||||
*.pyo
|
||||
|
||||
# Generated / sandbox dirs
|
||||
sandboxes/
|
||||
pastes/
|
||||
lsp/
|
||||
webui/
|
||||
platforms/
|
||||
pairing/
|
||||
images/
|
||||
image_cache/
|
||||
|
||||
# Cron runtime output
|
||||
cron/output/
|
||||
cron/ticker_heartbeat
|
||||
cron/ticker_last_success
|
||||
|
||||
# State dir
|
||||
state/
|
||||
|
||||
# Memories (personal data — network topology, passwords, preferences)
|
||||
memories/
|
||||
|
||||
# Kanban board data
|
||||
kanban/
|
||||
|
||||
# Backup files
|
||||
*.bak
|
||||
|
||||
# IDE / editor
|
||||
.idea/
|
||||
.vscode/
|
||||
*.swp
|
||||
*.swo
|
||||
*~
|
||||
@@ -0,0 +1,59 @@
|
||||
#!/usr/bin/env bash
|
||||
# Verify .gitignore is excluding sensitive files and tracking key config files.
|
||||
# Run from ~/.hermes/ after git init and .gitignore creation.
|
||||
set -euo pipefail
|
||||
cd ~/.hermes
|
||||
errors=0
|
||||
|
||||
echo "=== Verifying .gitignore exclusions ==="
|
||||
|
||||
# Files that MUST be excluded
|
||||
for pattern in \
|
||||
".env" \
|
||||
"auth.json" \
|
||||
"honcho.json" \
|
||||
"memories/MEMORY.md" \
|
||||
"memories/USER.md" \
|
||||
"state.db" \
|
||||
"kanban.db" \
|
||||
"response_store.db" \
|
||||
"logs/" \
|
||||
"cache/" \
|
||||
"sessions/" \
|
||||
"hermes-agent/" \
|
||||
"node_modules/" \
|
||||
"__pycache__/" \
|
||||
"*.pyc"
|
||||
do
|
||||
if git check-ignore -q "$pattern" 2>/dev/null; then
|
||||
echo " PASS: '$pattern' is excluded"
|
||||
else
|
||||
echo " FAIL: '$pattern' is NOT excluded"
|
||||
((errors++)) || true
|
||||
fi
|
||||
done
|
||||
|
||||
echo ""
|
||||
echo "=== Files that SHOULD be tracked ==="
|
||||
for file in \
|
||||
"config.yaml" \
|
||||
".gitignore" \
|
||||
"SOUL.md" \
|
||||
"cron/jobs.json" \
|
||||
"profiles/advisor/config.yaml"
|
||||
do
|
||||
if git ls-files --error-unmatch "$file" >/dev/null 2>&1; then
|
||||
echo " PASS: '$file' is tracked"
|
||||
else
|
||||
echo " FAIL: '$file' is NOT tracked"
|
||||
((errors++)) || true
|
||||
fi
|
||||
done
|
||||
|
||||
echo ""
|
||||
if [ "$errors" -eq 0 ]; then
|
||||
echo "ALL CHECKS PASSED"
|
||||
else
|
||||
echo "$errors FAILURE(S)"
|
||||
fi
|
||||
exit $errors
|
||||
Reference in New Issue
Block a user