auto-save 2026-07-13
This commit is contained in:
@@ -18,6 +18,7 @@ Keep a Hermes Agent installation healthy: audit config, move secrets to `.env`,
|
||||
- User asks "is my config efficient" or "does this look right"
|
||||
- After a major Hermes upgrade — run `hermes config migrate`
|
||||
- Config references a different backend than what's actually in use
|
||||
- User asks to push/backup/version-control `~/.hermes/` to a git repo
|
||||
|
||||
## Config Hygiene Workflow
|
||||
|
||||
@@ -102,6 +103,56 @@ A real config cleanup session (DeepSeek-based install, local backend):
|
||||
- **Gateway**: `/restart`
|
||||
- Verify with `hermes config check`
|
||||
|
||||
## Git Backup of ~/.hermes/
|
||||
|
||||
Push the Hermes config directory to a self-hosted Git repo (Gitea, Gogs, etc.) for version control and disaster recovery. Excludes secrets, caches, logs, databases, and transient runtime files.
|
||||
|
||||
**Reference:** `.gitignore` template at `references/hermes-config-gitignore.md`
|
||||
**Verification:** script at `references/verify-gitignore.sh`
|
||||
|
||||
### 1. Create .gitignore FIRST (before `git add`)
|
||||
|
||||
The `.gitignore` must exist before staging — otherwise `git add -A` will capture secrets. Use the template at `references/hermes-config-gitignore.md`.
|
||||
|
||||
```bash
|
||||
cd ~/.hermes
|
||||
git init
|
||||
# (write .gitignore here — see template)
|
||||
git add -A && git status # review staged files BEFORE committing
|
||||
```
|
||||
|
||||
### 2. Audit staged files for secrets
|
||||
|
||||
Before committing, scan `git status` output for anything sensitive. These must NOT appear:
|
||||
- `.env`, `auth.json`, `honcho.json` — credential stores
|
||||
- `memories/` — personal data (network topology, passwords, preferences)
|
||||
- `*.db`, `*.db-shm`, `*.db-wal` — runtime databases
|
||||
- `sessions/`, `logs/`, `cache/`, `audio_cache/` — transient data
|
||||
- `hermes-agent/` — separate git clone, not config
|
||||
|
||||
If any appear, fix `.gitignore` and `git rm --cached` them.
|
||||
|
||||
### 3. Check config.yaml for hardcoded secrets
|
||||
|
||||
```bash
|
||||
grep -n -i 'api_key\|token\|secret\|password' config.yaml
|
||||
```
|
||||
|
||||
All should reference `${ENV_VAR}` placeholders, never literal keys. If hardcoded keys exist, move them to `.env` first (see Config Hygiene above).
|
||||
|
||||
### 4. Commit and push
|
||||
|
||||
```bash
|
||||
git commit -m "initial commit"
|
||||
git remote add origin http://<user>:<token>@<gitea-host>:3000/<user>/hermes-config.git
|
||||
git branch -m master main # Gitea repos default to 'main'
|
||||
git push -u origin main
|
||||
```
|
||||
|
||||
### 5. Verify exclusions (optional)
|
||||
|
||||
Run `references/verify-gitignore.sh` to confirm sensitive files are excluded and key config files are tracked.
|
||||
|
||||
## Pitfalls
|
||||
|
||||
- **`hermes config set` can't delete** — it only sets/overwrites values. Use terminal Python for deletions.
|
||||
@@ -109,3 +160,4 @@ A real config cleanup session (DeepSeek-based install, local backend):
|
||||
- **Don't use `sed` on YAML** — nested keys and indentation break easily. Always use Python `yaml` module.
|
||||
- **`.env` can't be read directly** — `read_file` on `~/.hermes/.env` returns "Access denied." Use `grep`/terminal to check contents, `echo >>` to append.
|
||||
- **Config changes need a restart** — they don't hot-reload mid-session.
|
||||
- **`memories/` needs its own gitignore entry** — the root `~/.hermes/memories/` directory contains personal markdown files (network topology, passwords, preferences). `profiles/*/memories/` covers profile-level memories but not the root. Add a separate `memories/` line.
|
||||
|
||||
Reference in New Issue
Block a user