fix(config): drop stale placeholder secrets from .env writes #6183

Open
Kolektori wants to merge 1 commit into NousResearch:main from Kolektori:fix/auth-env-placeholder

@Kolektori

What does this PR do?

Fixes .env persistence so stale placeholder secrets like KEY=*** do not survive later writes and override real values.

Today save_env_value() sanitizes the file before writing, but _sanitize_env_lines() only repairs concatenated KEY=VALUE lines. It does not remove placeholder-only secret entries or collapse duplicate keys. That leaves cases like:

OPENAI_API_KEY=new-key
OPENAI_API_KEY=***

In that state, load_env() still resolves the stale trailing value because it keeps the last matching entry.

This change makes _sanitize_env_lines() drop placeholder-only secret lines and keep a single canonical entry per key before writes are persisted.

Related Issue

N/A

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✅ Tests (adding or improving test coverage)

Changes Made

  • Update hermes_cli/config.py so _sanitize_env_lines() removes KEY=*** placeholder secret entries
  • Collapse duplicate KEY= entries during sanitization so stale trailing values cannot shadow the current value
  • Add a regression test in tests/hermes_cli/test_config.py that reproduces the bug through save_env_value() and load_env()

How to Test

  1. Run uv run pytest -q -n 0 tests/hermes_cli/test_config.py
  2. Confirm test_save_env_value_removes_stale_placeholder_duplicates passes
  3. Confirm the full test file passes

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: macOS

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

Focused verification:

uv run pytest -q -n 0 tests/hermes_cli/test_config.py
41 passed, 1 warning in 0.33s

@alt-glitch added labels on Apr 30, 2026: type/bug (Something isn't working), P2 (Medium — degraded but workaround exists), comp/cli (CLI entry point, hermes_cli/, setup wizard), area/config (Config system, migrations, profiles)
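
An added illustration of the behaviour the PR description outlines, not the project's code from hermes_cli/config.py: a loader that keeps the last matching entry, and a sanitizer that drops placeholder-only entries and collapses duplicate keys. The function names, the asterisk-only placeholder rule, and the choice that the last real value wins are assumptions.

```python
import re

# Assumption: a "placeholder" is a value made only of asterisks (e.g. ***),
# optionally quoted. The project's real rule may differ.
_PLACEHOLDER = re.compile(r"^\*+$")
_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def _parse(line):
    """Return (key, value) for KEY=VALUE lines, else None (comments, blanks)."""
    m = _ASSIGN.match(line.rstrip("\n"))
    return (m.group(1), m.group(2).strip().strip("'\"")) if m else None


def load_env_last_wins(lines):
    """Model of a loader that keeps the last matching entry per key."""
    env = {}
    for line in lines:
        kv = _parse(line)
        if kv:
            env[kv[0]] = kv[1]
    return env


def sanitize_env_lines_example(lines):
    """Drop placeholder-only entries, then keep one entry per key.

    Assumption: the last real value wins and is written where the key
    first appeared, so comments and ordering stay stable.
    """
    real = {}
    for line in lines:
        kv = _parse(line)
        if kv and not _PLACEHOLDER.match(kv[1]):
            real[kv[0]] = line
    out, seen = [], set()
    for line in lines:
        kv = _parse(line)
        if kv is None:
            out.append(line)  # comments and blank lines pass through
        elif kv[0] in real and kv[0] not in seen:
            out.append(real[kv[0]])
            seen.add(kv[0])
    return out


# Constructed sample reproducing the state described in the PR.
SAMPLE = ["# provider keys\n", "OPENAI_API_KEY=new-key\n", "OPENAI_API_KEY=***\n",
          "OTHER_TOKEN=***\n", "MODEL=a\n", "MODEL=b\n"]
```

In this sketch a key whose only entry is a placeholder is removed entirely, so a later lookup sees it as unset rather than as the literal string `***`.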