auto-save 2026-07-13

This commit is contained in:
Ray
2026-07-13 02:00:15 -04:00
parent dab5a4ebc6
commit 473729267c
14 changed files with 579 additions and 38 deletions
+52
View File
@@ -18,6 +18,7 @@ Keep a Hermes Agent installation healthy: audit config, move secrets to `.env`,
- User asks "is my config efficient" or "does this look right"
- After a major Hermes upgrade — run `hermes config migrate`
- Config references a different backend than what's actually in use
- User asks to push/backup/version-control `~/.hermes/` to a git repo
## Config Hygiene Workflow
@@ -102,6 +103,56 @@ A real config cleanup session (DeepSeek-based install, local backend):
- **Gateway**: `/restart`
- Verify with `hermes config check`
## Git Backup of ~/.hermes/
Push the Hermes config directory to a self-hosted Git repo (Gitea, Gogs, etc.) for version control and disaster recovery. Excludes secrets, caches, logs, databases, and transient runtime files.
**Reference:** `.gitignore` template at `references/hermes-config-gitignore.md`
**Verification:** script at `references/verify-gitignore.sh`
### 1. Create .gitignore FIRST (before `git add`)
The `.gitignore` must exist before staging — otherwise `git add -A` will capture secrets. Use the template at `references/hermes-config-gitignore.md`.
```bash
cd ~/.hermes
git init
# (write .gitignore here — see template)
git add -A && git status # review staged files BEFORE committing
```
### 2. Audit staged files for secrets
Before committing, scan `git status` output for anything sensitive. These must NOT appear:
- `.env`, `auth.json`, `honcho.json` — credential stores
- `memories/` — personal data (network topology, passwords, preferences)
- `*.db`, `*.db-shm`, `*.db-wal` — runtime databases
- `sessions/`, `logs/`, `cache/`, `audio_cache/` — transient data
- `hermes-agent/` — separate git clone, not config
If any appear, fix `.gitignore` and `git rm --cached` them.
### 3. Check config.yaml for hardcoded secrets
```bash
grep -n -i 'api_key\|token\|secret\|password' config.yaml
```
All should reference `${ENV_VAR}` placeholders, never literal keys. If hardcoded keys exist, move them to `.env` first (see Config Hygiene above).
### 4. Commit and push
```bash
git commit -m "initial commit"
git remote add origin http://<user>:<token>@<gitea-host>:3000/<user>/hermes-config.git
git branch -m master main # Gitea repos default to 'main'
git push -u origin main
```
### 5. Verify exclusions (optional)
Run `references/verify-gitignore.sh` to confirm sensitive files are excluded and key config files are tracked.
## Pitfalls
- **`hermes config set` can't delete** — it only sets/overwrites values. Use terminal Python for deletions.
@@ -109,3 +160,4 @@ A real config cleanup session (DeepSeek-based install, local backend):
- **Don't use `sed` on YAML** — nested keys and indentation break easily. Always use Python `yaml` module.
- **`.env` can't be read directly** — `read_file` on `~/.hermes/.env` returns "Access denied." Use `grep`/terminal to check contents, `echo >>` to append.
- **Config changes need a restart** — they don't hot-reload mid-session.
- **`memories/` needs its own gitignore entry** — the root `~/.hermes/memories/` directory contains personal markdown files (network topology, passwords, preferences). `profiles/*/memories/` covers profile-level memories but not the root. Add a separate `memories/` line.
@@ -0,0 +1,108 @@
# Credentials & secrets (DO NOT COMMIT)
.env
auth.json
auth.lock
honcho.json
credentials*
secrets*
# Logs
logs/
*.log
interrupt_debug.log
# Caches
cache/
audio_cache/
image_cache/
models_dev_cache.json
ollama_cloud_models_cache.json
provider_models_cache.json
context_length_cache.yaml
# Sessions (runtime conversation data)
sessions/
profiles/*/sessions/
profiles/*/memories/
profiles/*/cache/
profiles/*/logs/
profiles/*/audio_cache/
# Databases (runtime state)
state.db
state.db-shm
state.db-wal
response_store.db
response_store.db-shm
response_store.db-wal
kanban.db
kanban.db-shm
kanban.db-wal
kanban.db.dispatch.lock
kanban.db.init.lock
verification_evidence.db
verification_evidence.db-shm
verification_evidence.db-wal
# Runtime / process files
gateway.pid
gateway.lock
gateway_state.json
processes.json
channel_directory.json
# State snapshots
state-snapshots/
checkpoints/
# Internal tracking files
.hermes_history
.skills_prompt_snapshot.json
.update_check
.restart_last_processed.json
# Hermes agent source (separate repo, clone on demand)
hermes-agent/
# Node / npm
node/
node_modules/
# Python
__pycache__/
*.pyc
*.pyo
# Generated / sandbox dirs
sandboxes/
pastes/
lsp/
webui/
platforms/
pairing/
images/
image_cache/
# Cron runtime output
cron/output/
cron/ticker_heartbeat
cron/ticker_last_success
# State dir
state/
# Memories (personal data — network topology, passwords, preferences)
memories/
# Kanban board data
kanban/
# Backup files
*.bak
# IDE / editor
.idea/
.vscode/
*.swp
*.swo
*~
@@ -0,0 +1,59 @@
#!/usr/bin/env bash
# Verify .gitignore is excluding sensitive files and tracking key config files.
# Run from ~/.hermes/ after git init and .gitignore creation.
set -euo pipefail
cd ~/.hermes
errors=0
echo "=== Verifying .gitignore exclusions ==="
# Files that MUST be excluded
for pattern in \
".env" \
"auth.json" \
"honcho.json" \
"memories/MEMORY.md" \
"memories/USER.md" \
"state.db" \
"kanban.db" \
"response_store.db" \
"logs/" \
"cache/" \
"sessions/" \
"hermes-agent/" \
"node_modules/" \
"__pycache__/" \
"*.pyc"
do
if git check-ignore -q "$pattern" 2>/dev/null; then
echo " PASS: '$pattern' is excluded"
else
echo " FAIL: '$pattern' is NOT excluded"
((errors++)) || true
fi
done
echo ""
echo "=== Files that SHOULD be tracked ==="
for file in \
"config.yaml" \
".gitignore" \
"SOUL.md" \
"cron/jobs.json" \
"profiles/advisor/config.yaml"
do
if git ls-files --error-unmatch "$file" >/dev/null 2>&1; then
echo " PASS: '$file' is tracked"
else
echo " FAIL: '$file' is NOT tracked"
((errors++)) || true
fi
done
echo ""
if [ "$errors" -eq 0 ]; then
echo "ALL CHECKS PASSED"
else
echo "$errors FAILURE(S)"
fi
exit $errors