,jrv%UdZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlmZddlmZddlmZmZmZmZmZddlmZejeZeZeed<ded eefd Z ded e!d dfd Z"ej#d kZ$ej%dZ&e'hdZ(e'e)ed<de)d dfdZ*iZ+ee)efed<iZ,ee)ee-e-ee)efffed<iZ.ee)ee-e-ee)efffed<e j/Z0e'hdZ1ddl2Z2ddl3m4Z4m5Z5ddl6m7Z7dZ8dddddZ9d ee)fdZ:d e;fdZdd!eed e)fd"Z?d#e)d dfd$Z@d e;fd%ZAd#e)d e)fd&ZBd e)fd'ZCd(ZDd e)fd)ZEdd+e)d e)fd,ZFdd+e)fd.ZGd eeHfd/ZIdd0lJmKZKdd1lLmMZMd efd2ZNd efd3ZOd efd4ZPd eQee-ee-ffd5ZRdd6ZSd7ZTd e;fd8ZUd9ZVd:ed dfd;ZWd<ZXd:efd=ZYid>d?d@idAgdBidCdDgdEddFidGdHdIdJdKdLdMdNdOd?dPdQdRdSdTdSdUd?dVdQdWdXdYdZd[dLd\d]d^dQd_gd`idadbdcdQdddedfdLdggdhgdidSdjdkdlgdmidndodpdkdqdkdrdsdtdudvdwdxdSgdygdydSdzd{d?d?d?d|d}d~ddydydQdSd?dddyd?d?dydyddd ddyddddSddSdddddddddddSdyddNdddddddddSdddddNdydSddddiddSdddidd?dSgd]dd?d?ddddddQd?d?d?d~idddQd?d?d?diddQd?d?d?d~iddQd?d?d?diddQd?d?d?diddQd?d?d?diddQd?d?d?diddQd?d?d?diddQd?d?d?d~iddQd?d?d?dLiddQd?d?d?diddQd?d?d?dZiddQd?d?d?didd diddydd?ddddddddddNddSddddddyddSddyddyddyddyddœiddSddddSddSddSddSddSddyddϓddѓddӓdddd՜ddSddydiddddddSiddyidۜdygdܢdݜdQdޜdddyd?d?dd?d?d?d?ddd?ddddyiddddidddddddddyd?dddddddddd?d?dddddid ddSdbdd?dd>did>didd?dydyddddd~dydSdddd d d d d dddiddSdSdyddd?ddd?d?d?d?d?dSddZd?dNdsdSdyd dd?ddGdidgdSdyddydydddSddddHdSdSdddd iid!d?d"dSd?d?id#d$dSd?d?dSdydSddSid?d?dyd%dydSd?d&d'd(dSgd)d*d+d,id-dyid?d.d/dSd?d?id#d0dSd?d?d1d2d3dd4dSdSd5d6gd7id8id9dyd:id;dydSdSd d?dSdd@dAdSdddBdsd?d?ddSdNdCdD dEdFdGiidHdIdQddddJidKdLddNdMdNdSdOdsidPdQdRdyidSdygdSdZdTddydQdUddVdWdXdYdydHdSddydZd[id\d]d^dydd_d`dadSdbdcdQidddedfdLddgdhdidydjd?ddSdSd?dkidlddmddnddodpZZgdqdrdsggdtdugdvgdwZ[ee-ee)fedx<iZ\idydzd{ddyd|dSd}d~ddddSddgd|dSddddddSd|dSd}dddddSd|dSd}dddddyd|dSd}dddddSd|dSd}dddddyd|dSd}dddddSd|dSd}dddddyd|dSd}dddddSd|dSd}dddddyd|dSd}dddddSd|dSd}dddddSd|dSd}dddddSd|dSd}dddddyd|dSd}dddddSd|dSd}dddddyd|dSd}idddddSd|dSd}dddddSd|dSd}dddddyd|dSd}dddddSd|dSd}dddddyd|dSd}dÐdĐdĐddSd|dSd}dƐdǐdddyd|dSd}dɐdʐdːddSd|dSd}d͐dΐdddyd|dSd}dАdѐdҐddSd|dSd}dԐdՐdddyd|dSd}dאdؐdِddSd|dۜdܐdݐdd?dyd|dۜdߐddddSd|dۜdddd?dyd|dSd}dddddyd|dSd}dddddyd|dSd}idddddSd|dSd}dddddyd|dSd}dddddSd|dSd}dddddyd|dSd}dddddSd|dSd}dddddyd|dSd}dddddSd|dۜdddddyd|dSd}ddd d dSd|dSd}d d d ddyd|dSd}dddddSd|dۜdddddyd|dSd}dddddyd|dSd}dddddyd|dSd}dddddSd|dۜd d!d"ddyd|dSd}d#d$d%d&d'd(gdSd)d*id+d,d-d.d'd(gdSd)d*d/d0d1d2d'd(gdSd)d*d3d4d5ddyd)dSd}d6d7d8ddyd)dSd}d9d:d;ddyd)dSd}d<d=d>ddyd)dSd}d?d@dAddSd)dSd}dudBdCdDd'd(gdSd)d*dEdFdGdHd'gdyd)d*dIdJdKdLd'gdSd)d*dMdNdOdPdQdRgdSd)d*dSdTdUdPdQdRgdyd)d*dVdWdXdYdQdRgdSd)d*dZd[d\dQdRgdyd)d]d^d_d`dagdbdyd)dSdcdddedfdgdQdRgdyd)d*dhdidjdkdldmgdSd)d*idndodpdqdlgdSd)d*drdrdsdtdudvgdSd)d*dsdwdxdydzdugdSd)d*d{d|d}d~dSd)dۜdddddSd)dۜdddddSddSd}dddddSddSd}dddddSddSd}dddddSddSd}dddddgdSd)d*dddd)ddddddyd)dۜdddddSd)dۜdddddyd)dSd}dddddSddۜdddddyddۜddddyddidddddSddۜdddddyddۜdddddyddۜdddddSddۜddÐdĐddSddۜdŐdƐdǐddyddۜdɐdʐdddSddۜd̐d͐dddyddۜdϐdАdddyddۜdҐdӐdddyddۜdՐd֐dאddyddۜdِdڐdddSddۜdܐdݐdddyddۜdߐddddyddۜdddddyddSd}dddddyddSd}dddddyddSd}idddddyddSd}dddddyddSd}dddddSddSd}dddddyddۜdddddSddۜdddddyddۜdddddddddddddddSddd d d ddd d ddddddddddddddddddddddddddddyddۜddd ddyddۜid!d"d#ddyddۜd$d%d&ddSddSd}d'd(d)ddSddSd}d*d+d,ddyddSd}d-d.d/ddyddSd}d0d1d2ddSddSd}d3d4d5ddyddSd}d6d7d8ddyddSd}d9d:d;ddyddSd}d<d=d>ddyddSd}d?d@dAddSddSd}dBdCdDddyddۜdEdFdGddyddۜdHdIdJddSddۜdKdLdMddSdNdۜdOdPdQddydNdۜdRdSdTddydNdۜZ]dȐdUe;d eee)effdVZ^dWe)fdXZ_d eee)effdYZ`d eee)effdZZad?d[d\ed]e)d eee)effd^Zbd?d[d\ed]e)d eee)effd_Zcd`ed eee)effdaZd dĐdbeee)efd eee)effdcZe dd>e)dde)deeeee)efdbeee)efd ee-f dfZfdged e-fdhZgd ee-e-ffdiZhhdjZihdkZjhdlZkeGdmdnZldĐdbeee)efd ednfdoZmdĐdbeee)efd dfdpZndĐdbeee)efd dfdqZodʐdre;dse;d ee)effdtZpdeHdueHd eHfdvZqdwZrdxZsdĐdyZtdbee)efd ee)effdzZudbee)efd ee)effd{Zvdd|d}eee)efd~e)ded efdZwd ee)effdZxd ee)effdZyd ee)effdZzidaddcdvddddfddddjddlddnddpddqddddddddddrddtddvdddddddddddd Z{dged e)fdZ|de)d ee)fdZ}dddddeee)e)fdbeee)efduee;d ee)e)ffdZ~de;d ee)effdZdZdZdZdbee)effdZd ee)e)ffdZdaeeee)eeee-fee)e)ffed<dǐdZded efdZd e-fdZde)dge)d e)fdZde)dge)fdZde)d e;fdZdĐdge)fdZdĐdZdĐdge)fdZde)dge)d ee)effdZd e-fdZde)d ee)fdZde)d e)fdZdZdZde)dge)fdZdZdyadǐd„ZedyadǐdÄZedS(a Configuration management for Hermes Agent. Config files are stored in ~/.hermes/ for easy access: - ~/.hermes/config.yaml - All settings (model, toolsets, terminal, etc.) - ~/.hermes/.env - API keys and secrets This module provides: - hermes config - Show current configuration - hermes config edit - Open config in editor - hermes config set - Set a specific value - hermes config wizard - Re-run setup wizard N) dataclass)Path)DictAnyOptionalListTuple)masked_secret_prompt_CONFIG_PARSE_WARNED config_pathreturnc* |rdS|}|jdkrdStjd}||jd|d}t|j |jd}|D]8} |j|jkrdS)#t$rY5wxYw| rdStj |||S#t$rYdSwxYw)uPreserve a corrupted ``config.yaml`` by copying it to a timestamped ``.bak``. When the YAML can't be parsed, ``load_config()`` silently falls back to ``DEFAULT_CONFIG`` and the user's broken file stays on disk untouched. That file is still the user's only copy of their intended overrides — if they re-run the setup wizard or ``hermes config set`` (which rewrites ``config.yaml``), the broken-but-recoverable content is gone for good. This snapshots the corrupted file to ``config.yaml.corrupt..bak`` so the user can diff/repair it. Unlike Gemini CLI's policy-file recovery (which resets the live file to a clean state), we deliberately leave ``config.yaml`` in place: hermes never silently mutates the user's config, and leaving it means a hand-fixed file is re-read on the next load. The backup is best-effort — any failure (permissions, symlink, disk full) is swallowed so config loading is never blocked by backup problems. Returns the backup path on success, else ``None``. Symlinks are not followed/copied (mirrors the Gemini #21541 lstat guard) to avoid clobbering whatever a malicious/misconfigured symlink points at. Nrz %Y%m%d-%H%M%Sz .corrupt.z.bakz.corrupt.*.bak) is_symlinkstatst_sizetimestrftime with_namenamelistparentglobOSErrorexistsshutilcopy2 Exception)r stts backup_path sibling_baksexistings 6/home/ubuntu/.hermes/hermes-agent/hermes_cli/config.py_backup_corrupt_configr$*s[*  ! ! # # 4      :??4 ]? + +!++{/?,R,R",R,R,RSS    # #{'7$G$G$G H H  %  H ==??*bj88 449          4 [+... ttsLDDA'D!"CDD CDCD-D DDexcc |}t||j|jf}n"#t$rt|ddf}YnwxYw|t vrdSt |t|}d|d|d}| |d|dz }t | tj d|d tj dS#t$rYdSwxYw) aSurface a config.yaml parse failure to user, log, and stderr. A YAML parse error in ``~/.hermes/config.yaml`` causes ``load_config()`` to silently fall back to ``DEFAULT_CONFIG``, which means every user override (auxiliary providers, fallback chain, model overrides, etc.) is dropped. Before this helper that was a one-line ``print(...)`` that scrolled off-screen on the first invocation and was never seen again. Now: warn once per (path, mtime_ns, size) on stderr **and** in ``agent.log`` / ``errors.log`` at WARNING level so ``hermes logs`` surfaces it. Re-warns automatically if the file changes (different mtime/size), so users editing the config see the next failure. On the first warning for a given broken file we also snapshot it to a timestamped ``.bak`` (best-effort) so the user's recoverable content survives any later rewrite of ``config.yaml`` by the setup wizard or ``hermes config set``. rNzFailed to parse : u. Falling back to default config — every user override (auxiliary providers, fallback chain, model settings) is being IGNORED. Fix the YAML and restart.z+ A copy of the corrupted file was saved to .u⚠️ hermes config:  )rstr st_mtime_nsrrr addr$loggerwarningsysstderrwriteflushr)r r%rkeyr msgs r#_warn_config_parse_failurer5`sQ$'     ;< ''';A&' """S!!!(55K %; % %# % % %  K[KKKK NN3  :3:::;;;       s"03AA8AC;; D D Windowsz^[A-Za-z_][A-Za-z0-9_]*$>PATHPAGERSHELLEDITORVISUALBROWSERLD_AUDITLD_DEBUG GIT_SHELL NODE_PATH HERMES_ENV LD_PRELOAD PYTHONHOME PYTHONPATH HERMES_HOME NODE_OPTIONS GIT_EXEC_PATH HERMES_CONFIG PYTHONSTARTUPHERMES_PROFILEPYTHONUSERBASEGIT_SSH_COMMANDLD_LIBRARY_PATHPYTHONEXECUTABLEPYTHONNOUSERSITEDYLD_LIBRARY_PATHDYLD_FRAMEWORK_PATHDYLD_INSERT_LIBRARIESDYLD_FALLBACK_LIBRARY_PATHDYLD_FALLBACK_FRAMEWORK_PATH_ENV_VAR_NAME_DENYLISTr3c>|tvrtd|ddS)zRaise if ``key`` is in :data:`_ENV_VAR_NAME_DENYLIST`. Centralised so both the regular and "secure" env writers share the same gate, and so the message is consistent for callers. zEnvironment variable a is on the writer denylist. Names that influence subprocess execution (LD_PRELOAD, PYTHONPATH, PATH, EDITOR, ...) or Hermes runtime location (HERMES_HOME, HERMES_PROFILE, ...) cannot be persisted via the env writer. If you really need this, edit ~/.hermes/.env directly.N)rU ValueError)r3s r#_reject_denylisted_env_varrXs@  $$$ 'C ' ' '   %$_LAST_EXPANDED_CONFIG_BY_PATH_LOAD_CONFIG_CACHE_RAW_CONFIG_CACHE>gIRC_PORT QQ_APP_ID IRC_SERVER IRC_CHANNEL IRC_USE_TLS IRC_NICKNAME QQ_STT_MODEL TERMINAL_ENV WECOM_BOT_ID WECOM_SECRET WEIXIN_TOKEN FEISHU_APP_ID WHATSAPP_MODEOPENAI_API_KEYQQ_STT_API_KEYSIGNAL_ACCOUNTANTHROPIC_TOKENMATRIX_PASSWORDOPENAI_BASE_URLQQ_HOME_CHANNELQQ_STT_BASE_URLSIGNAL_HTTP_URLWEIXIN_BASE_URLMATRIX_DEVICE_IDMATRIX_HOME_ROOMQQ_ALLOWED_USERSQQ_CLIENT_SECRETSMS_HOME_CHANNELTERMINAL_SSH_KEYWEIXIN_DM_POLICYWHATSAPP_ENABLEDANTHROPIC_API_KEYFEISHU_APP_SECRETLANGFUSE_BASE_URLMATRIX_ENCRYPTIONTERMINAL_SSH_PORTWEIXIN_ACCOUNT_IDDINGTALK_CLIENT_IDFEISHU_ENCRYPT_KEYMATRIX_AUTO_THREADQQBOT_HOME_CHANNELQQ_ALLOW_ALL_USERSSLACK_HOME_CHANNELWECOM_HOME_CHANNELFEISHU_HOME_CHANNELHERMES_LANGFUSE_ENVIRC_SERVER_PASSWORDLANGFUSE_PUBLIC_KEYLANGFUSE_SECRET_KEYMATRIX_RECOVERY_KEYQQ_MARKDOWN_SUPPORTSIGNAL_HOME_CHANNELWECOM_CALLBACK_HOSTWECOM_CALLBACK_PORTWEIXIN_CDN_BASE_URLWEIXIN_GROUP_POLICYWEIXIN_HOME_CHANNELBLUEBUBBLES_PASSWORDDISCORD_HOME_CHANNELHERMES_TOOL_PROGRESSQQ_HOME_CHANNEL_NAMESIGNAL_ALLOWED_USERSWECOM_CALLBACK_TOKENWEIXIN_ALLOWED_USERSYUANBAO_HOME_CHANNELDINGTALK_HOME_CHANNELHERMES_LANGFUSE_DEBUGIRC_NICKSERV_PASSWORDMATRIX_DM_AUTO_THREADMATTERMOST_REPLY_MODESMS_HOME_CHANNEL_NAMETELEGRAM_HOME_CHANNELBLUEBUBBLES_SERVER_URLDINGTALK_CLIENT_SECRETMATRIX_REQUIRE_MENTIONQQ_GROUP_ALLOWED_USERSWECOM_CALLBACK_CORP_IDWEIXIN_ALLOW_ALL_USERSHERMES_LANGFUSE_RELEASEMATTERMOST_HOME_CHANNELQQBOT_HOME_CHANNEL_NAMESLACK_HOME_CHANNEL_NAMEWECOM_CALLBACK_AGENT_IDWECOM_HOME_CHANNEL_NAMEBLUEBUBBLES_HOME_CHANNELFEISHU_HOME_CHANNEL_NAMESIGNAL_HOME_CHANNEL_NAMEWEIXIN_HOME_CHANNEL_NAMEDISCORD_HOME_CHANNEL_NAMEFEISHU_VERIFICATION_TOKENHERMES_LANGFUSE_MAX_CHARSHERMES_TOOL_PROGRESS_MODEYUANBAO_HOME_CHANNEL_NAMEDINGTALK_HOME_CHANNEL_NAMEMATRIX_FREE_RESPONSE_ROOMSSIGNAL_GROUP_ALLOWED_USERSTELEGRAM_HOME_CHANNEL_NAMEWECOM_CALLBACK_CORP_SECRETWEIXIN_GROUP_ALLOWED_USERSHERMES_LANGFUSE_SAMPLE_RATEMATTERMOST_HOME_CHANNEL_NAMEBLUEBUBBLES_HOME_CHANNEL_NAMEWECOM_CALLBACK_ENCODING_AES_KEY)Colorscolor)DEFAULT_SOUL_MD)true1yesHomebrewNixOS)brewhomebrewnixnixosctjdd}|r:|}|tvrdSt ||Stdz }|rdSdS)z7Return the package manager owning this install, if any.HERMES_MANAGEDrz.managedN) osgetenvstriplower_MANAGED_TRUE_VALUES_MANAGED_SYSTEM_NAMESgetget_hermes_homer)raw normalizedmanaged_markers r#get_managed_systemr;s )$b ) ) / / 1 1C :YY[[ - - -7$((S999$&&3Nw 4rYc"tduS)aCheck if Hermes is running in package-manager-managed mode. Two signals: the HERMES_MANAGED env var (set by the systemd service), or a .managed marker file in HERMES_HOME (set by the NixOS activation script, so interactive shells also see it). N)rrYr# is_managedrJs   t ++rYzfUpdate your Nix flake input and rebuild (e.g. nix flake update, nixos-rebuild, or home-manager switch)cLt}|dkrdS|dkrtSdS)z;Return the preferred upgrade command for a managed install.rbrew upgrade hermes-agentrN)r_NIX_UPDATE_MSG)managed_systems r#get_managed_update_commandrWs4'))N##**   4rY project_rootctdz } |d}|r|Sn#t$rYnwxYwt }|r(|ddS|0ttj j }|dz rdSd S) aDetect how Hermes was installed: 'docker', 'nixos', 'homebrew', 'git', or 'pip'. Resolution order: 1. Stamped ``~/.hermes/.install_method`` file (written by installers) 2. HERMES_MANAGED env / .managed marker (NixOS, Homebrew) 3. .git directory presence -> 'git' 4. Fallback -> 'pip' Note: running inside a container is NOT treated as "docker" on its own. The two supported install paths both self-identify via the ``.install_method`` stamp (caught by step 1), so neither relies on container detection here: - the curl installer (scripts/install.sh, the README/website install command) git-clones the repo and stamps ``git``; - the published ``nousresearch/hermes-agent`` image stamps ``docker`` at boot via ``docker/stage2-hook.sh``. An unsupported manual install dropped into a container (no stamp) was wrongly classified as the published image by bare container detection, so ``hermes update`` bailed with "doesn't apply inside the Docker container". Without that fallback such installs fall through to the ``.git``/pip checks and behave like any off-path install. See issue #34397. .install_methodutf-8encoding -Nz.gitgitpip) r read_textrrrrreplacer__file__rresolveis_dir)rstampmethodmanageds r#detect_install_methodras.    1 1E '2288::@@BB  M        ""G1}}&&sC000H~~,3;;== v%%''u 5s=A AArctdz } |jdd||dzddS#t$rYdSwxYw)z6Write the install method to ~/.hermes/.install_method.rTparentsexist_okr)rrN)rrmkdir write_textr)rrs r#stamp_install_methodrsx    1 1E  4$777 $99999      s6A AAcdtdtfd}|tjrdS|tjpdrdSdS)aReturn True when the *running* Hermes lives in a ``uv tool`` layout. ``uv tool install hermes-agent`` places the install at ``.../uv/tools/hermes-agent/...`` (default ``~/.local/share/uv/tools``, or ``$UV_TOOL_DIR/...``). Such installs live outside any virtualenv, so ``uv pip install`` fails with ``No virtual environment found`` and the update path must use ``uv tool upgrade`` instead. Detection is intentionally restricted to properties of the running interpreter (``sys.prefix`` / ``sys.executable``). We deliberately do NOT consult ``uv tool list``: it would also return True when ``hermes-agent`` happens to be uv-tool-installed on the machine while the *active* Hermes is a regular pip/venv install, causing ``hermes update`` to upgrade the wrong copy. It would also block on a subprocess call (~seconds) just to compute a recommendation string. pathr ctj|tjd}d|dzvS)N/z/uv/tools/hermes-agent/)rrnormpathrsepr)rnorms r#_has_uv_tool_markerz/is_uv_tool_install.._has_uv_tool_markersDw%%--bfc::@@BB(D3J66rYTrF)r*boolr/prefix executable)rs r#is_uv_tool_installr sd"7#7$77773:&&t3>/R00t 5rYc|dkrtS|dkrdS|dkrdS|dkr(trdSdd l}|jd rd Sd Sd S)zAReturn the update command or guidance for a given install method.rrrdockerz,docker pull nousresearch/hermes-agent:latestrzuv tool upgrade hermes-agentrNuvz%uv pip install --upgrade hermes-agentz"pip install --upgrade hermes-agentz hermes update)rr rwhich)rrs r#%recommended_update_command_for_methodrs  ** ==     211 6<   ;::33 ?rYc`t}|r|St}t|S)z C C CrYmodify configurationcVtt|tjdS)z+Print user-friendly error for managed mode.fileN)printrr/r0)rs r# managed_errorr"s&  ( (sz::::::rYctjddkrdSddlm}|rdSt dz } i}t |dd 5}|D]q}|}d |vrW|d sB| d \}}}|||<r dddn #1swxYwYn#t$rYdSwxYw|d d }|dd} |dd} |dd} || | | dS)aRead container mode metadata from HERMES_HOME/.container-mode. Returns a dict with keys: backend, container_name, exec_user, hermes_bin or None if container mode is not active, we're already inside the container, or HERMES_DEV=1 is set. The .container-mode file is written by the NixOS activation script when container.enable = true. It tells the host CLI to exec into the container instead of running locally. HERMES_DEVrNr) is_containerz.container-moderrr=#backendrcontainer_namez hermes-agent exec_userhermes hermes_binz /data/current-package/bin/hermes)r)r*r+r-) renvironrhermes_constantsr%ropenr startswith partitionFileNotFoundError) r%container_mode_fileinfofliner3_valuer)r*r+r-s r#get_container_exec_infor:#s z~~l##s**t------|~~t)++.??  %sW = = = 6 6 6zz||$;;ts';';;$(NN3$7$7MCE(- D%  6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 tthhy(++GXX.??Nh//I,(JKKJ(   s7 C,A5C  C, C$$C,'C$(C,, C:9C:r)atomic_replacec$tdz S)zGet the main config file path.z config.yamlr;rrYr#get_config_pathr>Xs   } ,,rYc$tdz S)z&Get the .env file path (for API keys).z.envr;rrYr# get_env_pathr@\s   v %%rYcbttjjS)z'Get the project installation directory.)rrrrrrYr#get_project_rootrB`s >> ' / / 1 11rYctjdkrdStjdd}tjdd} |rt |nd}n#t$rd}YnwxYw |rt |nd}n#t$rd}YnwxYw||fS)aRead the HERMES_UID / HERMES_GID env vars set by Docker deployments. Docker containers running Hermes commonly set these to map the in-container user to a host user so volume-mounted state files end up with the right ownership. The entrypoint chowns the top-level HERMES_HOME once, but subdirectories created at runtime by ``ensure_hermes_home()`` (especially for profile namespaces under ``profiles//``) need the same chown or they land as ``root:root`` and block subsequent uid-mapped workers with ``PermissionError [Errno 13]``. See #34107. Returns ``(uid, gid)`` parsed from the env vars, or ``(None, None)`` when either is missing/invalid. Returns ``(None, None)`` on Windows too (where chown is a no-op anyway). win32NN HERMES_UIDr HERMES_GIDN)r/platformrr.rrintrW)uid_strgid_struidgids r#_resolve_hermes_uid_gidrNds |wzjnn\2..4466Gjnn\2..4466G%/c'lll4 %/c'lll4  8Os$8B BBB33 CCct\}}||dS tj|||nd||nddS#ttt f$rYdSwxYw)uChown ``path`` to ``HERMES_UID:HERMES_GID`` if those env vars are set. No-op when: - Either env var is unset/invalid - The current process isn't root (chown will EPERM — silently ignored) - On Windows (chown semantics don't apply) Used by :func:`_secure_dir` to keep ownership consistent across all directories created by :func:`ensure_hermes_home` on Docker deployments. See #34107. N)rNrchownrAttributeErrorNotImplementedError)rrLrMs r#_chown_to_hermes_uidrTs'((HC {s{    ?CC?CC     ^%8 9      s9AAcTtrdS tjdd}|rt |dnd}n#t $rd}YnwxYw tj||n#ttf$rYnwxYwt|dS)uXSet directory to owner-only access (0700 by default). No-op on Windows. Skipped in managed mode — the NixOS module sets group-readable permissions (0750) so interactive users in the hermes group can share state with the gateway service. The mode can be overridden via the HERMES_HOME_MODE environment variable (e.g. HERMES_HOME_MODE=0701) for deployments where a web server (nginx, caddy, etc.) needs to traverse HERMES_HOME to reach a served subdirectory. The execute-only bit on a directory permits cd-through without exposing directory listings. Also applies ``HERMES_UID``/``HERMES_GID``-based ownership when those env vars are set (#34107 — Docker deployments need this so profile subdirs created at runtime by kanban workers don't land as root:root and block subsequent uid-mapped workers). NHERMES_HOME_MODEri) rrr.rrrIrWchmodrrSrT)rmode_strmodes r# _secure_dirr[s$||:>>"4b99??AA#+6s8Q   t ( )     s$AA A('A(,BBBctjdstjdrdStjdrdS t ddd5}|}d d d n #1swxYwYd |vsd |vsd |vrdSn#ttf$rYnwxYwd S)a3Detect if we're running inside a Docker/Podman/LXC container. When Hermes runs in a container with volume-mounted config files, forcing 0o600 permissions breaks multi-process setups where the gateway and dashboard run as different UIDs or the volume mount requires broader permissions. HERMES_CONTAINERHERMES_SKIP_CHMODTz /.dockerenvz/proc/1/cgroupr&rrNrlxckubepodsF) rr.rrrr0readrIOError)r6cgroup_contents r# _is_containerrds! z~~())RZ^^>#d)) $ $ " HT5 ! ! ! ! ! " " ( )     sAA%%A:9A:homec|dz }|rdS|tdt|dS)zISeed a default SOUL.md into HERMES_HOME if the user doesn't have one yet.zSOUL.mdNrr)rrrrf)rg soul_paths r#_ensure_default_soul_mdrjsRy I 7;;;rYct}trStjd} t |tj|dS#tj|wxYw|ddt |dD]-}||z }|ddt |.t|dS)a Ensure ~/.hermes directory structure exists with secure permissions. In managed mode (NixOS), dirs are created by the activation script with setgid + group-writable (2770). We skip mkdir and set umask(0o007) so any files created (e.g. SOUL.md) are group-writable (0660). Tr) cronsessionslogsz logs/curatormemoriespairinghooks image_cache audio_cacheskillsN)rrrumask_ensure_hermes_home_managedrr[rj)rg old_umasksubdirds r#ensure_hermes_homer{s   D||&HUOO  ' - - - HY     BHY     4$ ///D   Fv A GGD4G 0 0 0 NNNN%%%%%s AA-c |std|ddD]-}||z }|st|d.|dz dz ddt|dS) zPManaged-mode variant: verify dirs exist (activation creates them), seed SOUL.md.z HERMES_HOME z7 does not exist. Run 'sudo nixos-rebuild switch' first.)rmrnrorprocuratorTrN)r RuntimeErrorrrj)rgryrzs r#rwrws ;;==  54 5 5 5   ; 6Mxxzz 999   F]Y%%dT%BBBD!!!!!rYmodelr providersfallback_providerscredential_pool_strategiestoolsetsz hermes-climax_concurrent_sessionsagent max_turnsZgateway_timeoutirestart_drain_timeoutapi_max_retries service_tiertool_use_enforcementautotask_completion_guidanceTenvironment_probeenvironment_hintcoding_contextgateway_timeout_warningiclarify_timeoutiXgateway_notify_intervalgateway_auto_continue_freshnessiimage_input_modedisabled_toolsetsterminalr)local modal_modecwdr(timeoutenv_passthroughshell_init_filesauto_source_bashrc docker_image*nikolaik/python-nodejs:python3.11-nodejs20docker_forward_env docker_envsingularity_image3docker://nikolaik/python-nodejs:python3.11-nodejs20 modal_image daytona_image container_cpucontainer_memoryicontainer_diskicontainer_persistentF)docker_volumesdocker_mount_cwd_to_workspacedocker_extra_argsdocker_run_as_host_userpersistent_shellweb)r)search_backendextract_backendbrowserx must_respondi,zhost.docker.internal)managed_persistenceuser_id session_keyadopt_existing_tabrewrite_loopback_urlsloopback_host_alias) inactivity_timeoutcommand_timeoutrecord_sessionsallow_private_urlsengineauto_local_for_private_urlscdp_url dialog_policydialog_timeout_scamofox checkpointsi rl)enabled max_snapshotsmax_total_size_mbmax_file_size_mb auto_pruneretention_daysdelete_orphansmin_interval_hoursfile_read_max_charsi tool_outputiPi) max_bytes max_linesmax_line_lengthtool_loop_guardrails) exact_failuresame_tool_failureidempotent_no_progressrW)warnings_enabledhard_stop_enabled warn_afterhard_stop_after compression?皙?i)r threshold target_ratioprotect_last_nhygiene_hard_message_limitprotect_first_nabort_on_summary_failurecodex_gpt55_autoraiseprompt_caching cache_ttl5m openrouterg?)response_cacheresponse_cache_ttlmin_coding_scorebedrock)rprovider_filterrefresh_intervalasyncdisabled)guardrail_identifierguardrail_versionstream_processing_modetrace)region discovery guardrail auxiliary)providerrbase_urlapi_keyr extra_bodydownload_timeoutih)rrrrrr<) vision web_extractr skills_hubapprovalmcptitle_generationtts_audio_tagstriage_specifierkanban_decomposerprofile_describerr}monitordisplaycompact personalityresume_displayfullresume_exchangesresume_max_user_charsresume_max_assistant_charsresume_max_assistant_linesresume_skip_tool_onlybusy_input_mode interrupt interfaceclitui_auto_resume_recenttui_agents_nudgebell_on_completeshow_reasoning streaming timestampsfinal_response_markdownrpersistent_outputpersistent_output_max_linespersist_prompts inline_diffsfile_mutation_verifiercredits_noticesturn_completion_explainer show_costskindefaultlanguageentui_status_indicatorkaomojiuser_message_preview) first_lines last_linesinterim_assistant_messagestool_progress_commandtool_progress_overridestool_preview_lengthephemeral_system_ttl)telegramdiscord)r context_pctr)rfields) platformsruntime_footer copy_shortcut dashboard) client_id portal_url)username password_hashpasswordsecretsession_ttl_seconds)themeshow_token_analyticsoauth basic_auth public_urlprivacy redact_piittsedgevoicezen-US-AriaNeuralpNInz6obpgDQGcFmaJgBeleven_multilingual_v2)voice_idmodel_idzgpt-4o-mini-ttsalloy)rrYzgemini-2.5-flash-preview-ttsKore)rrY audio_tagspersona_prompt_fileevei]i)r\r5 sample_ratebit_ratezvoxtral-mini-tts-2603z$c69964a6-ab8b-4f8a-9465-ec0925096ec8)rr\zneuphonic/neutts-air-q4-ggufcpu) ref_audioref_textrdevicezen_US-lessac-medium) rrX elevenlabsopenaigeminixaimistralneuttspipersttbase)rr5z whisper-1zvoxtral-mini-latest scribe_v2)r] language_codetag_audio_eventsdiarize)rrrrjrmrizctrl+bg@) record_keymax_recording_secondsauto_tts beep_enabledsilence_thresholdsilence_duration human_delayoffi i )rZmin_msmax_mscontextr compressormemoryii_)memory_enableduser_profile_enabledwrite_approvalmemory_char_limituser_char_limitr delegation2) rrrrapi_modeinherit_mcp_toolsetsmax_iterationschild_timeout_secondsreasoning_effortmax_concurrent_childrenmax_spawn_depthorchestrator_enabledsubagent_auto_approveprefill_messages_filegoalsru) external_dirs template_vars inline_shellinline_shell_timeoutguard_agent_createdrr})rkeep)rinterval_hoursmin_idle_hoursstale_after_daysarchive_after_daysprune_builtinsbackuphonchotimezoneslack)require_mentionfree_response_channelsallowed_channelschannel_promptsrBig ףp= ?gQ?g?)zLet me look into that.z One moment.zChecking on that now.zGive me a sec.zOn it.)rambient_enabled ambient_path ambient_gain duck_gain speech_gain ack_enabled ack_phrases)rrr auto_threadthread_require_mentionhistory_backfillhistory_backfill_limit reactionsrdm_role_auth_guildserver_actionsallow_any_attachmentmax_attachment_bytesvoice_fxwhatsapprA)rr allowed_chats mattermostmatrix)rfree_response_rooms allowed_rooms approvalsmanualdeny)rZr cron_modemcp_reload_confirmdestructive_slash_confirmcommand_allowlistquick_commandsrrhooks_auto_accept personalitiessecuritytirith)rdomains shared_files) rredact_secretstirith_enabled tirith_pathtirith_timeouttirith_fail_openwebsite_blocklistacked_advisoriesallow_lazy_installsrm) wrap_responsemax_parallel_jobskanbani i@8) dispatch_in_gatewaydispatch_interval_seconds failure_limitworker_log_rotate_bytesworker_log_backup_countorchestrator_profiledefault_assigneemax_in_progress_per_profileauto_decomposeauto_decompose_per_tickdispatch_stale_timeout_secondscode_executionrZprojecttools tool_search)r threshold_pctsearch_default_limitmax_search_limitloggingINFO)level max_size_mb backup_count model_catalogzAhttps://hermes-agent.nousresearch.com/docs/api/model-catalog.json)rurl ttl_hoursrnetwork force_ipv4gateway)strictmedia_delivery_allow_dirstrust_recent_filestrust_recent_files_secondsg?u ▉gN@)r transport edit_intervalbuffer_thresholdcursorfresh_final_after_secondsrn)rrvacuum_after_prunerwrite_json_snapshots onboardingask)seen profile_buildupdatesstash)pre_update_backup backup_keepnon_interactive_local_changeslspdocumentg@)r wait_mode wait_timeoutinstall_strategyserversx_searchzgrok-4.20-reasoning)rtimeout_secondsretriessecrets bitwardenBWS_ACCESS_TOKEN)raccess_token_env project_idcache_ttl_secondsoverride_existing auto_install server_urlpaste_collapse_threshold!paste_collapse_threshold_fallbackpaste_collapse_char_threshold_config_version)FIRECRAWL_API_KEYBROWSERBASE_API_KEYBROWSERBASE_PROJECT_IDFAL_KEYVOICE_TOOLS_OPENAI_KEYELEVENLABS_API_KEY)r{riWHATSAPP_ALLOWED_USERSSLACK_BOT_TOKENSLACK_APP_TOKENSLACK_ALLOWED_USERSTAVILY_API_KEYTERMINAL_MODAL_MODE)rrr ENV_VARS_BY_VERSION NOUS_BASE_URLzNous Portal base URL overridez.Nous Portal base URL (leave empty for default)r descriptionpromptrrMcategoryadvancedOPENROUTER_API_KEYz>OpenRouter API key (for vision, web scraping helpers, and MoA)zOpenRouter API keyzhttps://openrouter.ai/keysvision_analyzemixture_of_agents)r2r3rrMrr4r5GOOGLE_API_KEYzAlibaba Cloud DashScope API key (Qwen + multi-provider models)zDashScope API Keyz-https://modelstudio.console.alibabacloud.com/DASHSCOPE_BASE_URLzGCustom DashScope base URL (default: coding-intl OpenAI-compat endpoint)zDashScope Base URLHERMES_QWEN_BASE_URLzBQwen Portal base URL override (default: https://portal.qwen.ai/v1)z.Qwen Portal base URL (leave empty for default)HERMES_GEMINI_CLIENT_IDzfGoogle OAuth client ID for google-gemini-cli (optional; defaults to Google's public gemini-cli client)uKGoogle OAuth client ID (optional — leave empty to use the public default)z1https://console.cloud.google.com/apis/credentialsHERMES_GEMINI_CLIENT_SECRETz;Google OAuth client secret for google-gemini-cli (optional)z%Google OAuth client secret (optional)HERMES_GEMINI_PROJECT_IDz@GCP project ID for paid Gemini tiers (free tier auto-provisions)z;GCP project ID for Gemini OAuth (leave empty for free tier)OPENCODE_ZEN_API_KEYz=OpenCode Zen API key (pay-as-you-go access to curated models)zOpenCode Zen API keyzhttps://opencode.ai/authOPENCODE_ZEN_BASE_URLzOpenCode Zen base URL overridez/OpenCode Zen base URL (leave empty for default)OPENCODE_GO_API_KEYzOllama Cloud API key (ollama.com — cloud-hosted open models)zOllama Cloud API keyzhttps://ollama.com/settingsOLLAMA_BASE_URLz?Ollama Cloud base URL override (default: https://ollama.com/v1)z)Ollama base URL (leave empty for default)XIAOMI_API_KEYzhXiaomi MiMo API key for MiMo models (mimo-v2.5-pro, mimo-v2.5, mimo-v2-pro, mimo-v2-omni, mimo-v2-flash)zXiaomi MiMo API Keyzhttps://platform.xiaomimimo.comXIAOMI_BASE_URLzFXiaomi MiMo base URL override (default: https://api.xiaomimimo.com/v1)z)Xiaomi base URL (leave empty for default) AWS_REGIONz?AWS region for Bedrock API calls (e.g. us-east-1, eu-central-1)z AWS RegionzIhttps://docs.aws.amazon.com/bedrock/latest/userguide/bedrock-regions.html AWS_PROFILEzFAWS named profile for Bedrock authentication (from ~/.aws/credentials)z AWS ProfileAZURE_FOUNDRY_API_KEYz0Azure Foundry API key for custom Azure endpointszAzure Foundry API Keyzhttps://ai.azure.com/AZURE_FOUNDRY_BASE_URLzLAzure Foundry base URL (set via 'hermes model' for endpoint-specific config)zAzure Foundry base URL EXA_API_KEYz1Exa API key for AI-native web search and contentsz Exa API keyzhttps://exa.ai/ web_searchr tool)r2r3rrrMr4PARALLEL_API_KEYz5Parallel API key for AI-native web search and extractzParallel API keyzhttps://parallel.ai/r!z-Firecrawl API key for web search and scrapingzFirecrawl API keyzhttps://firecrawl.dev/FIRECRAWL_API_URLz6Firecrawl API URL for self-hosted instances (optional)z)Firecrawl API URL (leave empty for cloud)FIRECRAWL_GATEWAY_URLzQExact Firecrawl tool-gateway origin override for Nous Subscribers only (optional)z9Firecrawl gateway URL (leave empty to derive from domain)TOOL_GATEWAY_DOMAINzShared tool-gateway domain suffix for Nous Subscribers only, used to derive vendor hosts, e.g. nousresearch.com -> firecrawl-gateway.nousresearch.comzTool-gateway domain suffixTOOL_GATEWAY_SCHEMEzShared tool-gateway URL scheme for Nous Subscribers only, used to derive vendor hosts (`https` by default, set `http` for local gateway testing)zTool-gateway URL schemeTOOL_GATEWAY_USER_TOKENzuExplicit Nous Subscriber access token for tool-gateway requests (optional; otherwise read from the Hermes auth store)zTool-gateway user tokenz3Tavily API key for AI-native web search and extractzTavily API keyzhttps://app.tavily.com/home SEARXNG_URLzAuto-create threads for DM messages in Matrix (default: false)z'Auto-create threads in DMs (true/false)rtzNStable Matrix device ID for E2EE persistence across restarts (e.g. HERMES_BOT)z)Matrix device ID (stable across restarts)ruMatrix recovery key for cross-signing verification after device key rotation (from Element: Settings → Security → Recovery Key)zMatrix recovery keyrzOBlueBubbles server URL for iMessage integration (e.g. http://192.168.1.10:1234)zBlueBubbles server URLzhttps://bluebubbles.app/ruJBlueBubbles server password (from BlueBubbles Server → Settings → API)zBlueBubbles server passwordBLUEBUBBLES_ALLOWED_USERSzJComma-separated iMessage addresses (email or phone) allowed to use the botz,Allowed iMessage addresses (comma-separated)BLUEBUBBLES_ALLOW_ALL_USERSz-Allow all BlueBubbles users without allowlistzAllow All BlueBubbles Usersr^z.QQ Bot App ID from QQ Open Platform (q.qq.com)z QQ App IDzhttps://q.qq.com)r2r3rr4rwz*QQ Bot Client Secret from QQ Open PlatformzQQ Client Secretrvz2Comma-separated QQ user IDs allowed to use the botzQQ Allowed Usersrz=Comma-separated QQ group IDs allowed to interact with the botzQQ Group Allowed Usersrz4Allow all QQ users without an allowlist (true/false)zAllow All QQ UsersrzVV VV  9D'4  "D  s A  (A2ct}gddtdtdtffd t|S)z Check which config fields are missing or outdated (recursive). Walks the DEFAULT_CONFIG tree at arbitrary depth and reports any keys present in defaults but absent from the user's loaded config. rdefaultsrr c`|D]\}}|dr|s|n|d|}||vr||d|dGt|tr;t||tr||||dS)Nr8r(zNew config option: )r3r4r2)rr1rrrr)rrr r3 default_valuefull_key_checkrs r#rz)get_missing_config_fields.._checkrs"*.."2"2 > > C~~c"" "(?ss.?.?#.?.?H'!!#,#C#C#C   M400 >Z C@P@PRV5W5W >}gclH=== > >rY)r) load_configrr*DEFAULT_CONFIG)rrrs @@r#get_missing_config_fieldsrhsj]]FG > > > >c > > > > > > > F>6""" NrYc6 ddlm}m}n#t$rgcYSwxYw |}nF#t$r9}ddl}|jt d|gcYd}~Sd}~wwxYw|sgSt}g}|D]}|d|d}| d} |} d} | D](} t| tr| | vr | | } | } &d} | )t| tr)| s|||S)a3Return skill-declared config vars that are missing or empty in config.yaml. Scans all enabled skills for ``metadata.hermes.config`` entries, then checks which ones are absent or empty under ``skills.config.`` in the user's config.yaml. Returns a list of dicts suitable for prompting. r)discover_all_skill_config_varsSKILL_CONFIG_PREFIXNz)discover_all_skill_config_vars failed: %sr(r3)agent.skill_utilsrrrr getLoggerrdebugrrrrr*rr) rrall_varserrrvar storage_keyrrr9rs r#get_missing_skill_config_varsrsYYYYYYYYY   1133  (##)) 7      ]]F$&G  ,;;s5z;; !!#&&  D'4(( TW__!$- =Zs33=EKKMM= NN3    Ns&  ) A,.A'!A,'A, provider_keyentryrc  t|tsdSddddddddd }d |vrd|vr |d |d<hd }|D]7\}}||vr.||vr*td |pd ||||||<8t ||z t |z }|r>td|pd dt|ddl m }d}dD]} | | } t| trd| rP| } || } | jr | jr| }n td|pd | | |sdSd} | d}t|tr)| r| } n(| r| } | sdS| |d}| }|r||d<| d}t|tr+| r| |d<| d}t|tr+| r| |d<| dp| d}t|tr+| r| |d<| dp| d}t|tr+| r| |d<| d}t|tr|r||d<n&t|t r|rd|D|d<| d}t|t"r |dkr||d<| d}t|t"t$fr |dkr||d<| d}t|t&r||d<| d}t|trt||d<|S)z>Return a runtime-compatible custom provider entry or ``None``.Nrrrkey_env default_modelcontext_lengthrate_limit_delay)apiKeybaseUrlapiModekeyEnv apiKeyEnv defaultModel contextLengthrateLimitDelay api_key_env>apirrrmodelsrrrrrrrrrdiscover_modelsrstale_timeout_secondsrequest_timeout_secondsz[providers.%s: camelCase key '%s' auto-mapped to '%s' (use snake_case to avoid this warning)?z-providers.%s: unknown config keys ignored: %s, rurlparser)rrruPproviders.%s: '%s' value '%s' is not a valid URL (no scheme or host) — skippedr)rrrrrrci|];}t|t|+t|iz4_normalize_custom_provider_entry.. sO   *Q*<*< AB FFB   rYrr)rrrr-r.setkeysjoinsorted urllib.parserrr*rschemenetlocrrIfloatr )rr_CAMEL_ALIASES _KNOWN_KEYScamelsnakeunknownrrurl_keyraw_url candidateparsedrraw_namerrrr model_namerrrrrs r# _normalize_custom_provider_entryrsh eT " "t'), & &N)5"8"8 /iK',,..(( u E>>e500 NN9#UE    !"ii ""G'30GMMOO0 '  9ii ""G'30GMMOO0 '  9yy$$> +(>(>H(C  2X^^%5%52!)!1!1 :7##Auyy'A'AJ*c""1z'7'7'9'91(..00 7 YYx F&$  F  % 8 FD ! ! f   &   8YY/00N.#&&6>A+=+='5 #$yy!344"S%L11:6F!6K6K)9 %&ii 122O/4((8(7 $%<((J*d##4#' #3#3 < rYctt|trt|n||}|dSd|di}dD]}||vr ||||<d|vr |d|d<d|vr |d|d <|S) zDTranslate a legacy custom provider entry to the v12 providers shape.rNrr)rrrrrrrrrrrr)rrr)rrrprovider_entryfields r#)_custom_provider_entry_to_provider_configr7s 2!%..9U E!Jt&+Z -C%DN  6 6 J  $.u$5N5 !**4W*='Z&0&<{# rYproviders_dictct|tsgSg}|D]:\}}t|t |}|||;|S)zMNormalize ``providers`` config entries into the legacy custom-provider shape.r)rrrrr*r)rcustom_providersr3rrs r#"providers_dict_to_custom_providersr[sw nd + + -/$**,,00 U5e#c((SSS  !  # #J / / / rYrc|t}gttdtttt fddffd }|d}|4t|tsgS|D]}|t|t|dD] }||S)ayReturn a deduplicated custom-provider view across legacy and v12+ config. ``custom_providers`` remains the on-disk legacy format, while ``providers`` is the newer keyed schema. Runtime and picker flows still need a single list-shaped view, but we should not materialise that compatibility layer back into config.yaml because it duplicates entries in UIs. Nrr c>|dSt|ddpd}t|ddpd}t|ddpdd}t|ddpd}|||f}|r|vrdS|r|r|vrdS||r||r|r|dSdSdS)Nrrrrrr)r*rrrrstriprr,) rrrrrpair compatibleseen_name_url_pairsseen_provider_keyss r#_append_if_newz7get_compatible_custom_providers.._append_if_newzs = F599^R88>B??EEGGMMOO 599VR((.B//5577==??uyyR006B77==??FFsKKQQSSEIIgr**0b117799??AAh&  L,>>> F  H ).context_length`` if present and valid. Returns ``None`` when no override applies. This is the single source of truth for custom-provider context overrides, used by: * ``AIAgent.__init__`` (startup resolution) * ``AIAgent.switch_model`` (mid-session ``/model`` switch) * ``hermes_cli.model_switch.resolve_display_context_length`` (``/model`` confirmation display) * ``gateway.run._format_session_info`` (``/info`` display) * ``agent.model_metadata.get_model_context_length`` (when custom_providers is threaded through) Before this helper existed, the lookup was duplicated in ``run_agent.py``'s startup path only; every other path (notably ``/model`` switch) fell back to the 128K default. See #15779. Nrrrrrrr) r"rrrrrrrIrrW) rrrrr target_urlr entry_urlr model_cfgraw_ctxctxs r#"get_custom_provider_context_lengthr)s0 t D>vFF   D D D~tt**/00C&0d&;&;Css     D & - -t.b((--J t!%&&  YYz**0b88==  I33 8$$&$''  JJu%% )T**  -- 011 ?  g,,CC:&    H  77JJJ  4s& A.AA EE/.E/r9ct|trdS t|}n#ttf$rYdSwxYwt |dS)zHReturn a safe integer config version, treating invalid values as legacy.r)rr rIrrWmax)r9versions r#_coerce_config_versionr-s`%qe** z "qq w??s )>>cttddpd}t}|s||fS t |d5}t j|pi}dddn #1swxYwYn+#t$r}t||||fcYd}~Sd}~wwxYwt|tsi}t|d}||fS)a Check the raw on-disk config schema version. ``load_config()`` deliberately starts from ``DEFAULT_CONFIG`` and deep-merges the user's file, which is correct for runtime reads but wrong for deciding whether the user's persisted schema has been migrated. A config file with no raw ``_config_version`` must remain visible as legacy instead of inheriting the latest default version in memory. Returns (current_version, latest_version). rrrrN) r-rrr>rr0yaml safe_loadrr5rr)latestr r6rrrs r#check_config_versionr2sW$N$6$67H!$L$L M M RQRF!##K     v~ + 0 0 0 -A^A&&,"F - - - - - - - - - - - - - - -  #;222v~  fd # #$VZZ0A%B%BCCG F?sBB#B: BB  B B B B:B5/B:5B:>rrrrrrrrnrrrrr(rrfallback_modelrrrr> rrrrrrrrrr>rrrrc2eZdZUdZeed<eed<eed<dS) ConfigIssuez$A detected config structure problem.severitymessagehintN)r __module__ __qualname____doc__r*__annotations__rrYr#r5r5!s1..MMM LLL IIIIIrYr5c d |2 t}n"#t$rtdddgcYSwxYwg}|d}|t |t r|tdddt |t r!t|n t}|tz}|r5|tdd t|d d nt |trt|D]\}}t |t s>|tdd |d t|jddX|ds(|tdd |dd|ds(|tdd |dd|d}|t |trt|D]\}}t |t s=|tdd|dt|jdW|ds(|tdd|dd|ds(|tdd|ddnt |t s:|tdd t|jd!nt|rr|ds$|tdd"d|ds$|tdd#d$t |t r.d|vr*d|pivr$|tdd%d&|d}|r&|s$|tdd'd(|D]V} | d)r| t vr5| tvr,|tdd*| d+d,| d-W|S).a"Validate config.yaml structure and return a list of detected issues. Catches common YAML formatting mistakes that produce confusing runtime errors (like "Unknown provider") instead of clear diagnostics. Can be called with a pre-loaded config dict, or will load from disk. NerrorzCould not load config.yamlz+Run 'hermes setup' to create a valid configruOcustom_providers is a dict — it must be a YAML list (items prefixed with '-')zeChange to: custom_providers: - name: my-provider base_url: https://... api_key: ...r.zRoot-level keys z( look like custom_providers entry fieldszLThese should be indented under a '- name: ...' list entry, not at root levelzcustom_providers[z] is not a dict (got )z1Each entry should have at minimum: name, base_urlrz] is missing 'name' fieldz#Add a name, e.g.: name: my-providerrz] is missing 'base_url' fieldzDAdd the API endpoint URL, e.g.: base_url: https://api.example.com/v1r3zfallback_model[z] should be a dict, got z!Each entry needs provider + modelrz] is missing 'provider' fieldz/Add: provider: openrouter (or another provider)rz] is missing 'model' fieldzAdd: model: zAfallback_model should be a dict with 'provider' and 'model', got zZChange to: fallback_model: provider: openrouter model: anthropic/claude-sonnet-4uHfallback_model is missing 'provider' field — fallback will be disableduEfallback_model is missing 'model' field — fallback will be disabledz8Add: model: anthropic/claude-sonnet-4 (or another model)zGfallback_model appears inside custom_providers instead of at root levelzDMove fallback_model to the top level of config.yaml (no indentation)u[custom_providers defined but no 'model' section — Hermes won't know which provider to useziAdd a model section: model: provider: custom default: your-model-name base_url: https://...r8zRoot-level key 'uW' looks misplaced — should it be under 'model:' or inside a 'custom_providers' entry?zMove 'z' under the appropriate section)rrr5rrrrrr_CUSTOM_PROVIDER_LIKE_FIELDSrr enumeraterrr1_KNOWN_ROOT_KEYS) rissuescpcp_keys suspiciousirfbr&r3s r#validate_config_structurerI*s~ w ]]FF w w w)EGtuuv v v v w!#F & ' 'B ~ b$  (  MM+a%   )32t(<(<Gc"''))nnn#%%G #??J  kcvj'9'9cccb D ! ! %bMM  5!%..MM+![A[[DKKDX[[[K## yy((MM+!HAHHH=## yy,,MM+!LALLL^## $ % %B ~ b$  + %bMM  5!%..MM+[![[T%[[EY[[;## !99Z00 k%NaNNNM'' !99W-- k%KaKKK6'' (B%%  MM+gTXY[T\T\Tegg7     66*%%  k^E 66'??  k[N"d 0 > >CSXZX`^`CaCa k  U R      7##I  )   k  i (      >>#     & & &32N+N+N MM+3====    Ms 22cT t|}n#t$rYdSwxYw|sdSdg}|D]1}|jdkrdnd}|d|d|j2|dt jd |d zdS) zPrint config structure warnings to stderr at startup. Called early in CLI and gateway init so users see problems before they hit cryptic "Unknown provider" errors. Prints nothing if config is healthy. Nu3⚠ Config issues detected in config.yaml:r>u ✗u ⚠ rz2 Run 'hermes doctor' for fix suggestions.r) ) rIrr6rr7r/r0r1r)rrClinescimarkers r#print_config_warningsrPs*622   H IE11)+)?)?%%EY /&//2://0000 LLKLLLJTYYu%%./////s   ctjd}tjd}|! t}n#t$rYdSwxYw|di}t |t r|ddnd}|dv}g}|r|d|d |r|s|d |d |rtjd d }|d d|d|d|dtj d |dzdSdS)uWarn if MESSAGING_CWD or TERMINAL_CWD is set in .env instead of config.yaml. These env vars are deprecated — the canonical setting is terminal.cwd in config.yaml. Prints a migration hint to stderr. MESSAGING_CWD TERMINAL_CWDNrrr(>rrrr(u ⚠ MESSAGING_CWD=u& found in .env — this is deprecated.u ⚠ TERMINAL_CWD=rEz ~/.hermesru/⚠ Deprecated .env settings detected:zN Move to config.yaml instead: terminal:\n cwd: /your/project/pathz' Then remove the old entries from z /.envr)rL) rr.rrrrrrinsertr/r0r1r)r messaging_cwdterminal_cwd_env terminal_cfg config_cwdconfig_has_explicit_cwdrM hint_paths r#warn_deprecated_cwd_env_varsr[s JNN?33Mz~~n55 ~  ]]FF    FF ::j"--L1;L$1O1OX!!%---UXJ(0HHE   #- # # #    7   #1A # # #    4JNN=+>>  QOPPP  >     P P P P    5))F233333 4 4sA AA interactivequietc 3^gggd} t}|r|std|dn#t$rYnwxYwt\}}|dkrFt }|di}t |tsi}d|vrtd}td} |r7| d vr!d |d<|d  d n| r_| d vrI| |d<|d  d| dn d|d<|d  d||d<t||std|d|dkrt }d|vrtj dd} | r]| rI| |d<|d  d| dn d|d<|d  dt||s|dpd} td| |dkrD td} | r!tdd|stdn#t$rYnwxYw|dkrt }|d } t | t r| r|d!i}t |tsi}d"}| D]}t |ts|d#d}|d$dp-|d%dp|d&dpd}|sv| d'd(d)dd*d}d+|vr|d+d(}d+|v|d(}|sE d"d,lm}||}|jpd-d.d(}n#t$rd/|}YnwxYw|}|}||vr|d(|}|d0z }||vt+||1}||s|d#d2|d3d4vr|d3d2|||<|d0z }|d"kr||d!<|d d2t||sqtd5|d6t!|| d2D]3}||}td7|d8|d&d4|d9krLd:D]I} t|}|r%t|d|std;|d<:#t$rYFwxYw|d=kr]t1}|d>i}t |tr#d?|vr|d?}|d@dA}t }|d>i} | d?d2|dBvrShdC}!||!vrJ|dAi}"t |"trd?|"vr| dAi}#||#d?<nJ||i}$t |$trd?|$vr| |i}%||%d?<| |d><t||stdD|dEkrt1}|di}t |tsi}dF|vrEdG|dF<||d<|d  dHt||stdI|dJkrEt1}|di}t |tsi}|dK}&t |&tr|&r|dLi}'t |'tsi}'|&D]#\}(})|(|'vri|'|(<d|'|(vr |)|'|(d<$|'|dL<||d<t||sCdMdN|&D}*tdO|*|d  dP|dQkrt1}|dRi}+t |+tr|+dSd2},|+dTd2}-|+dUd2}.g}/|,rt9|,r}|dVi}0|0dRi}1|1d?stRdmi}?|dm}@t |@tsi}@g}A|?D]5\}B}C|B|@vr,tUj+|C|@|B<|A |B6|Ar|@|dm<dG}>tRdVidmi}D|dV}Et |Etsi}E|Edm}Ft |Ftsi}Fg}G|DD]5\}B}C|B|Fvr,tUj+|C|F|B<|G |B6|Gr |F|Edm<|E|dV<dG}>|>rt||ArS|d  drtO|Ads|s%tdtdM|A|GrS|d  dutO|Gds|s%tdvdM|G|dwkrt1}|dx}Ht |Htr^|HdydzkrEd0|Hdy<|H|dx<t||d  d{|std||d}krt1}dq}>d~D]}I||I}Jt |Jtrd|Jvr1|Jd}Kt |Kt8r&|K n|K}L|Ldk|Jd<|J||I<dG}>|d  |Id|Jd|>r t||std||kr|std|d|tYdG}M|Mr7|s5td|MD]#}Ntd|Nd#d8|Nd$|r%|Mr"td|MD]}N|Nd%rtd|Nd%|Ndrt[d|Ndd8}On+t]d|Ndd8}O|OrPt|Nd#|O|d |Nd#td|Nd#n%|do d|Nd#dttYdq}P|Mr d|MDn t;^^fd|PD}Pt;}Qt_|d0z|d0zD]0}R|Q0tb|Rg1|Qr9|r6|s3dtA|QD}S|SrtdtO|Sd|SD].\};}Ttd|;d|Tdd/t t]d }Un#tdtff$rd}UYnwxYw|UdvrVt|SD]C\};}T|Td%r?td|Td|;td|Td%n&td|Td|;|Tdr(t[d|Td|;d}On9t]d|Td|;d}O|Or=t|;|O|d |;td|;tEntdti}V|Vr{t }|VD]U}W|Wd}|Wd}Xtk|||X|d  ||std|d|XV||d<t|n(||kr"t }||d<t|tm}Y|Yr*|r'|s$tdtO|Yd|YD]=}N|Ndd}Ztd|Ndd|Ndd|Zd*>t t]d }Un#tdtff$rd}UYnwxYw|UdvrTtt } d"dl7m8}[n#t$rd}[YnwxYw|YD] }N|Ndd}X|Xrd|Xd*nd}\t]d|Nd|\d8}O|Os|Xrt9|X}O|Or[|[d.|Nd}]tk||]|O|d  |Ndtd|Ndd|On<|do d|Ndd|Ndddt t|ntd|S)a< Migrate config to latest version, prompting for new required fields. Args: interactive: If True, prompt user for missing values quiet: If True, suppress output Returns: Dict with migration results: {"env_added": [...], "config_added": [...], "warnings": [...]} ) env_added config_addedwarningsu ✓ Repaired .env file (z corrupted entries fixed)r-r tool_progressrr>0nofalser}r`z;display.tool_progress=off (from HERMES_TOOL_PROGRESS=false)>allnewzdisplay.tool_progress=z! (from HERMES_TOOL_PROGRESS_MODE)rfz#display.tool_progress=all (default)u- ✓ Migrated tool progress to config.yaml: rrHERMES_TIMEZONErz timezone=z (from HERMES_TIMEZONE)z$timezone= (empty, uses server-local)(server-local)u% ✓ Added timezone to config.yaml: rmu8 ✓ Cleared ANTHROPIC_TOKEN from .env (no longer used) rrrrrrrrr(r?z--rendpointr(z endpoint-rrNr>no-keyno-key-requiredru ✓ Migrated z) custom provider(s) to providers: sectionu → r' ) LLM_MODEL OPENAI_MODELu ✓ Cleared u> from .env (no longer used — config.yaml is source of truth)rprrr>r local_command>base.entiny.enlarge-v1large-v2large-v3small.en medium.enlarge-v3-turbodistil-large-v2distil-large-v3distil-small.endistil-medium.endistil-large-v3.5rqtinylargesmallturbomediumu; ✓ Migrated legacy stt.model to provider-specific configr<Tz1display.interim_assistant_messages=true (default)u3 ✓ Added display.interim_assistant_messages=truer>rErc3*K|]\}}|d|VdS)r'Nr)rprs r# z!migrate_config..s0$R$RDAqZZAZZ$R$R$R$R$R$RrYu> ✓ Migrated tool_progress_overrides → display.platforms: z9display.platforms (migrated from tool_progress_overrides)r summary_modelsummary_providersummary_base_urlrmodel=>rrr provider=z base_url=u@ ✓ Migrated compression.summary_* → auxiliary.compression: u/ ✓ Removed unused compression.summary_* keyspluginsrr plugin.yaml plugin.ymlrrz$plugins.enabled (opt-in allow-list, z grandfathered)u( ✓ Plugins now opt-in: grandfathered z( existing plugin(s) into plugins.enabledum ✓ Plugins now opt-in: no existing plugins to grandfather. Use `hermes plugins enable ` to activate.ror}rrazCould not create Fz curator (z default key(s))u. ✓ Seeded curator defaults in config.yaml: zauxiliary.curator (u8 ✓ Seeded auxiliary.curator defaults in config.yaml: rrrumodel_catalog.ttl_hours 24→1uB ✓ Lowered model_catalog.ttl_hours to 1 (hourly picker refresh)r )rru write_modeapproveru.write_mode → write_approval=u: ✓ Renamed write_mode → write_approval (boolean gate)zConfig version:  → ru0 ⚠️ Missing required environment variables:u • r2z Let's configure them now: z Get your key at: rMrKr3r_u ✓ Saved zSkipped z - some features may not workch|] }|d S)rrrvs r# z!migrate_config..s555Aai555rYcRg|]#}|dv |d!|$S)rr5r)rrrequired_namess r# z"migrate_config..sC V9N * *1553D3D * * * *rYc\g|])}t|s|tv|t|f*Sr)rr)rrs r#rz"migrate_config..sK    && ,03D+D+D$T* ++D+D+DrY z$ new optional key(s) in this update:u • u — z Configure new keys? [y/N]: n>yrz (Enter to skip): z1 Set later with: hermes config set r3r4u ✓ Added  = rz! skill setting(s) not configured:rr z (from skill: z# Configure skill settings? [y/N]: )rz skills.configz (default: u — skill 'rz' may ask for it later)9sanitize_env_filer!rr2rrrrrrr save_configrrrsave_env_valuerrrrhostnamerpoprread_raw_config setdefaultrrr*rrrriterdirrr0r/r0rlenrrcopydeepcopyrr inputrangeupdater/EOFErrorKeyboardInterruptrrrrr)_r\r]resultsfixes current_ver latest_verrr old_enabledold_modeold_tz tz_display old_token custom_listrmigrated_countrold_nameold_urlr3rrbase_keysuffix new_entryepdead_varold_valrraw_stt legacy_modelrrp _local_models raw_local local_cfg raw_provider provider_cfg old_overridesrEplatrZmigratedcomps_model s_provider s_base_url migrated_keysauxaux_comp plugins_cfgr disabled_set grandfathereduser_plugins_dirchild manifest_file_mfmanifestr curator_dirrtouched_curator_defaults raw_curator added_curatorkr_aux_curator_defaultsraw_auxraw_aux_curator added_auxraw_mc subsystemsuboldold_norm missing_envrr9missing_optional new_var_namesver new_and_unsetr5answermissing_configrr4missing_skill_config skill_namer default_hintrrs_ @r#migrate_configrsCCG !##  Q Q OuOOO P P P      344KQ**Y++'4(( G ' ) )'(>??K$%@AAH V{00226JJJ+0('../lmmmm Vhnn...@@+3>>+;+;('../{HXHX/{/{/{||||+0('../TUUU 'F9      b`goF^``aaaQ V # #Y0"55F W&,,.. W%+\\^^z"'../b6<<>>/b/b/bcccc%'z"'../UVVV     L#J/C3C JjJJKKKQ %&788I V0"555VTUUU    D Rjj!344 k4 ( (: E[: E#ZZ R88Nnd33 $!#N$* $* $!%.. 99VR00))J33iuyy7K7KiuyyY^`bOcOciginn&&,,..66sC@@HHbQQYYZ]_abbckk++dC00Cckkiinn;;999999!)'!2!2%<*EEc3OO$;;;:.::;'^++%0000CaKF^++F!$ $0MM&$///==++/PPPMM)T222&/s#!#!!&4{# -t444F###EeNeeefff#N$7$7$9$9::N?;K;KLEE+C0CCCub0A0ACCDDDD R5  H '11y"8R000 ywxwwwxxx    R''%$$ gt $ $% VG););"7+L{{:w77H ]]F**UB''C GGGT " " "555!!!  =00!( GR 8 8I%i66:':R:R$'NN7B$?$? -9 '* '{{8R88 !,559 9T9T#&>>(B#?#?L,8L)F5M     VTUUUR ""**Y++'4(( G 'w 6 648G0 1 'F9  N # * *+^ _ _ _     MKLLLR ""**Y++'4(( G $=>> mT * * h} h K44Ii..  +1133 < < dy((&(IdO")D/997;IdOO4#,GK 'F9      c99$R$RM>-<<||G,,=(+G (:(:(<(>-<<||J//C8<< 3K3Kv3U3U+.z??+@+@+B+BHZ(!(()AZ)A)ABBB Cc*oo3355 C'' R88>>-<<||J//C+.z??+@+@+B+BHZ(!(()AZ)A)ABBB Q 3z7MQ[Qg(,}%F###Q$Q{aeajajkxayay{{||||OPPPR ""jj++ +t,, K K ' '"z266<"Hh-- x==L(*M ##2#4#4y#@ #**,,3!'(8(@(@(B(B!C!C33$||~~%$(- (= ,3355A,1L,@M,3355%$*!%mg!F!F!FE#+/>#+>+>+D"EEEEEEEEEEEEEEE(***')HHH*'||F33Auz<//$%,,T2222 # # # "  #&3K " +F9      N # * *Zs=7I7IZZZ     X}--XXX J0R O)++f4y@K   dT  : : : : O O O J  & &'M;'M'M!'M'M N N N N N N N N O!""+..y"==jj++ +t,, K#% %++-- ( (DAq ##!%q!1!1 A$$Q'''   +F9 G   {B / / 3 3Ir B B **[))'4(( G!++i00/400 ! O! )//11 $ $DAq''%)]1%5%5"  ###  !0GI ")F; G       '..DM 2 2DDD699]3366 '..J#i..JJJ299Y//22R ""O,, fd # # \ ;(?(?2(E(E"#F; &,F? #     N # * *+K L L L \Z[[[R ""-  I**Y''Cc4(( L,C,C'',''C.8c.B.BKsyy{{((***H%-%:C ! #F9 G N # * *TTSAQ=RTT      T     TRSSSZ ???:??@@@'T:::KA5A ABBB A AC ?CK??3}+=?? @ @ @ @{ -...  Cwwu~~ :8CJ88999wwz"" >,-C#h--C-C-CDD43x=44455;;== bs6{E222 $++CK8882S[223333 #**+`c&k+`+`+`aaa GGGG,%@@@9DO555555#%%N# EEM[1_j1n55??044S"==>>>>$K$KU$K  }--    K Q]++QQQ R R R+ K K dIIIDHH]B,G,GIIJJJJ GGG >??EEGGMMOO/0    %%"/JD$xxDB488M4#@#@BBCCCADKAABBBBB488M4#@#@BBCCCxx ++a 4M(D!9!9MMM!!!&&W488Hd+C+C&W&W&W X X ^ ^ ` `5&tU333 ,33D9993T33444GGGG!$IJJJ/00N# 8 8E,CI&G W - - - N # * *3 / / / 86S66W66777%/ !F z ! !$. !F 9::$G $GE$G QS-..QQQRRR' _ _C)44J ]SZ]]c-.@]]PZ]]] ^ ^ ^ ^  @AAGGIIOOQQFF+,   FFF  \ ! ! GGG ]]F 6AAAAAAA 6 6 6&5### 6+  '')R00;BJ7W7777 B3x=B,BBBCCIIKK))LLE%8"G"G3u:"G"GK U;;;N+223u:>>>?U????@@@@J'..h3u:hh3777C;P;Phhh      E F F F Ns%/ <<=2J00 J=<J=.Q11RR26W)) W65W6Bv* u 1u u u u u u v* u/,v*.u//:v** v98v9=+y)) z3!zzT3AUUAU%U$AU%` 3A`?`?AaaAaa:Abb AbbAboverridec|}|D]X\}}||vrJt||tr/t|trt |||||<S|||<Y|S)aRecursively merge *override* into *base*, preserving nested defaults. Keys in *override* take precedence. If both values are dicts the merge recurses, so a user who overrides only ``tts.elevenlabs.voice_id`` will keep the default ``tts.elevenlabs.model_id`` intact. )rrrr _deep_merge)rqrresultr3r9s r#rrmsYY[[Fnn&&  U 6MM6#;-- 5$'' &fSk599F3KKF3KK MrYct|trtjdd|St|trd|DSt|t r d|DS|S)aRecursively expand ``${VAR}`` references in config values. Only string values are processed; dict keys, numbers, booleans, and None are left untouched. Unresolved references (variable not in ``os.environ``) are kept verbatim so callers can detect them. z \${([^}]+)}ctj|d|dS)Nrr)rr.rgroup)rs r#z"_expand_env_vars..s*bjnnQWWQZZ<<rYc4i|]\}}|t|Sr_expand_env_vars)rrrs r#rz$_expand_env_vars..s'???41a#A&&???rYc,g|]}t|Srr)ritems r#rz$_expand_env_vars..s!7774 &&777rY)rr*rerrrr)objs r#r r s#s v  < <    #t@??399;;????#t87737777 JrYct|tsdSi}|D]V}t|tr(t|dtsdS|d}||vrdS|||<W|S)zHReturn a name-indexed dict only when all items have unique string names.Nr)rrrrr*)rindexedr rs r#_items_by_unique_namers eT " "tG$%% Z8H8H#-N-N 44F| 7??44 NrYct|trfttrQtjdr<|krSttr|krSt |krS|St|t r6tt r!fd|DSt|trqttr\t|}tt|fd|DSfdt|DS|S)aRestore raw ``${VAR}`` templates when a value is otherwise unchanged. ``load_config()`` expands env refs for runtime use. When a caller later persists that config after modifying some unrelated setting, keep the original on-disk template instead of writing the expanded plaintext secret back to ``config.yaml``. Prefer preserving the raw template when ``current`` still matches either the value previously returned by ``load_config()`` for this config path or the current environment expansion of ``raw``. This handles env-var rotation between load and save while still treating mixed literal/template string edits as caller-owned once their rendered value diverges. z \${[^}]+}c i|]T\}}|t||ttr|ndUSN)_preserve_env_ref_templatesrrr)rr3r9loaded_expandedrs r#rz/_preserve_env_ref_templates..sr   U , ,6,M,MW##C(((SW   rYNc g|]c}t||d(|dnddS)rN)rr)rr loaded_by_name raw_by_names r#rz/_preserve_env_ref_templates..s{  ,OODHHV$4$455.s    t (#c#hh..E Dot449>_AUAU9U9U &&       rY) rr*r searchr rrrrrA)rrrcurrent_by_namerrs `` @@r#rrs'3JsC$8$8RY|UX=Y=Y c>>J os + + ?0J0JJ C G + +J'4   ZT%:%:      &mmoo     '4   ZT%:%: 088+C00 .??  &;+B $         )11     NrYcjtfddD}|sStd}t|ts |rd|ini}|d<dD]I}|}|r||s|||<|dJS)uMove stale root-level provider/base_url/context_length into model section. Some users (or older code) placed ``provider:``, ``base_url:``, or ``context_length:`` at the config root instead of inside ``model:``. These root-level keys are only used as a fallback when the corresponding ``model.*`` key is empty — they never override an existing value. After migration the root-level keys are removed so they can't cause confusion on subsequent loads. c3BK|]}|VdSrr)rrrs r#rz-_normalize_root_model_keys..s-UUQ6::a==UUUUUUrY)rrrrr4N)anyrrrr)rhas_rootrr3root_vals` r#_normalize_root_model_keysr"sUUUU*TUUUUUH  &\\F JJw  E eT " " &+3E""w9::c??  "EIIcNN "!E#J 3 MrYct|}t|dpi}d|vrd|vr |d|d<d|vrtdd|d<||d<|dd|S)z;Normalize legacy root-level max_turns into agent.max_turns.rrN)rrrr)r agent_configs r#_normalize_max_turns_configr%s &\\F 7++1r22LfL!@!@$*;$7 [!,&&$27$;K$H [!"F7O JJ{D!!! MrY)r4cfgrct|ts|S|}|D]+}t|ts|cS||vr|cS||},|S)u%Traverse nested dict keys safely, returning ``default`` on any miss. Canonical helper for the ``cfg.get("X", {}).get("Y", default)`` pattern that appears 50+ times across the codebase. Handles three common gotchas in one place: 1. Missing intermediate keys (returns ``default``, no KeyError). 2. An intermediate value that's not a dict (e.g. a user wrote a string where a section was expected). Returns ``default`` instead of AttributeError on ``.get()``. 3. ``cfg is None`` (callers sometimes pass ``load_config() or None``). Named ``cfg_get`` rather than ``cfg_path`` to avoid shadowing the ubiquitous ``cfg_path = _hermes_home / "config.yaml"`` local variable that appears in gateway/run.py, cron/scheduler.py, main.py, etc. Explicit ``None`` values are returned as-is (matches ``dict.get(key, default)`` semantics — ``default`` is only returned when the key is *absent*, not when it's present but set to ``None``). Examples: >>> cfg_get({"agent": {"reasoning_effort": "high"}}, "agent", "reasoning_effort") 'high' >>> cfg_get({}, "agent", "reasoning_effort", default="medium") 'medium' >>> cfg_get({"agent": "oops_a_string"}, "agent", "reasoning_effort", default="low") 'low' >>> cfg_get(None, "anything", default=42) 42 >>> cfg_get({"a": {"b": None}}, "a", "b", default="def") # explicit None preserved >>> cfg_get({"a": {"b": False}}, "a", "b", default=True) # falsy values preserved False )rr)r&r4rnoder3s r#cfg_getr)smD c4 D$%% NNN d??NNNCy KrYc$t5 t}|}|j|jf}n%#t t f$ricYcdddSwxYwt|}t |}|4|dd|kr&tj |dcdddS t|d5}tj|pi}dddn #1swxYwYn5#t$r(}t!||icYd}~cdddSd}~wwxYwt#|t$si}|d|dtj |ft|<|cdddS#1swxYwYdS)uRead ~/.hermes/config.yaml as-is, without merging defaults or migrating. Returns the raw YAML dict, or ``{}`` if the file doesn't exist or can't be parsed. Use this for lightweight config reads where you just need a single value and don't want the overhead of ``load_config()``'s deep-merge + migration pipeline. Cached on the config file's (mtime_ns, size) — same strategy as ``load_config()``. Returns a deepcopy on every call since some callers mutate the result before passing to ``save_config()``. Nrrrrr) _CONFIG_LOCKr>rr+rr3rr*r\rrrr0r/r0rr5rr)r r cache_keypath_keycachedr6datars r#rrAs  )++K!!##B4II!7+   II   {##"&&x00  &!* "9"9=++ kG444 /~a((.B / / / / / / / / / / / / / / /    &{A 6 6 6IIIII%  $%% D'0|Yq\4=QUCVCV&W(#/sF0;FAFAAFDC4( D4C8 8D;C8 <D?F D2 D-D2F-D22AFF  F c"tdS)uLoad configuration from ~/.hermes/config.yaml. Cached on the config file's (mtime_ns, size). Returns a deepcopy of the cached value when unchanged, since most call sites mutate the result (e.g. ``cfg["model"]["default"] = ...`` before ``save_config``). The cache is keyed on ``str(config_path)`` so profile switches (which change ``HERMES_HOME`` and therefore ``get_config_path()``) don't collide. Read-only callers should use ``load_config_readonly()`` to skip the defensive deepcopy — that path matters in agent-loop hot spots like ``get_provider_request_timeout`` which is called once per API turn. T want_deepcopy_load_config_implrrYr#rrgs 4 0 0 00rYc"tdS)uFast-path variant of ``load_config()`` for callers that ONLY READ. Returns the cached config dict directly without the defensive deepcopy that ``load_config()`` applies. **Mutating the returned dict (or any nested structure) corrupts the in-process cache for every subsequent caller** — only use this when you are absolutely sure your code path will not write to the result. If you need to mutate or pass to ``save_config``, call ``load_config()`` instead. Why this exists: ``load_config()`` cache-hit cost is ~265us per call, half of which (~135us) is the defensive deepcopy. The agent loop calls into config reads (timeouts, thresholds, feature flags) ~20-50x per conversation; skipping deepcopy here removes a measurable allocation source and the GC pressure that comes with it. Note: this returns a plain ``dict`` (not ``MappingProxyType``) so existing ``isinstance(x, dict)`` guards downstream keep working. The safety guarantee is purely documented, not enforced — be careful. Fr1r3rrYr#load_config_readonlyr6xs( 5 1 1 11rYrdrSTERMINAL_TIMEOUTlifetime_secondsTERMINAL_LIFETIME_SECONDSTERMINAL_DOCKER_IMAGETERMINAL_DOCKER_FORWARD_ENVTERMINAL_SINGULARITY_IMAGETERMINAL_MODAL_IMAGETERMINAL_DAYTONA_IMAGEssh_hostTERMINAL_SSH_HOSTssh_userTERMINAL_SSH_USERssh_portrssh_keyryTERMINAL_CONTAINER_CPUTERMINAL_CONTAINER_MEMORYTERMINAL_CONTAINER_DISKTERMINAL_CONTAINER_PERSISTENTTERMINAL_DOCKER_VOLUMESTERMINAL_DOCKER_ENV&TERMINAL_DOCKER_MOUNT_CWD_TO_WORKSPACETERMINAL_DOCKER_EXTRA_ARGS TERMINAL_DOCKER_RUN_AS_HOST_USER(TERMINAL_DOCKER_PERSIST_ACROSS_PROCESSESTERMINAL_DOCKER_ORPHAN_REAPERTERMINAL_SANDBOX_DIRTERMINAL_PERSISTENT_SHELL) rrrrrrdocker_persist_across_processesdocker_orphan_reaper sandbox_dirrct|ttfrtj|St |Sr)rrrjsondumpsr*)r9s r#_terminal_env_valuerXs4%$&&!z%   u::rYcd}||sdSt|t|dS)z;Return the env var mirrored by a ``terminal.*`` config key.z terminal.N)r1TERMINAL_CONFIG_ENV_MAPrr)r3r s r#terminal_config_env_var_for_keyr[sC F >>& ! !t " & &s3v;;<<'8 9 99rY)envrrr\c| tjn|}t}t|dt }||n|}||n t }t|t r|dini}t|t s|StD]\} } | |vr || } | dkr\t| pd } | dvr@t| trtj | } |s| |vrt| || <|S)a`Bridge ``terminal.*`` config into the env vars terminal tools read. ``tools.terminal_tool`` is intentionally environment-driven because it also runs in child processes (TUI, dashboard PTY, gateway workers). This helper gives those child-process launch paths the same config bridge as classic CLI without importing ``cli.py`` and paying for its startup side effects. When the user config contains a ``terminal`` section, config.yaml is authoritative and overrides existing env values. Otherwise defaults only backfill missing env vars so exported/.env values keep working. Nrrr>rrr()rr.rrrrr6rZrr*rr expanduserrX) r\rrtarget raw_configfile_has_terminal_configshould_overrider&rWcfg_keyenv_varr9raw_cwds r#apply_terminal_config_to_envrfs\";RZZCF ""J)*..*D*DdKK2:2B..O&&&,@,B,BC.8d.C.CK377:r***L lD ) ) 399;; 9 9 , & & W% e  %+2&&,,..G...%%% 2**511  9gV331%88F7O MrYr2ct5tt}t|} |}|j|jf}n#t$rd}YnwxYwt |}|@|>|dd|kr0|rtj |dn|dcdddStj t}| t|d5}tj|pi}dddn #1swxYwYd|vr_t!| dpi} | d |d| d<| |d<|ddt%||}n'#t&$r} t)|| Yd} ~ nd} ~ wwxYwt+t-|} t/| } tj | t0|<|>tj | } |d|d| ft|<|s| cdddSnt|d| cdddS#1swxYwYdS)Nrrrrrrr)r+r{r>r*rr+rr3r[rrrrr0r/r0rrrrr5r"r%r rZ)r2r r-rr,r.rr6 user_configagent_user_configrrexpanded cached_copys r#r4r4sj 77%'' {## !!##B46NBJ3OII    III $''11  )"7F2A2J).sNgg_`jD11ZaeeJ6G6GZAEERYNNggggggrYrrr) extra_content)r+rr"utilsrnr{r>r"r%rrrZrr*r_SECURITY_COMMENTrrrrr _FALLBACK_COMMENTrrfrr) rrnr current_normalizedr raw_existingrsecrH fb_is_valids r#rrms '\'\ <<  . / / / '\'\'\'\'\'\'\'\ ,+++++%'' 78STZ8[8[\\' 12MoN_N_2`2`aa  4-11#k2B2BCCJnnZ,, ,cgg.//7 LL* + + + ^^,b 1 1 b$   GggdfgggggKK D ! ! Grvvj11EbffWooFFK , LL* + + +  ,1;"''%...t    [!!!:>-HZ:[:[%c+&6&67O'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\sH6G5H66H:=H:cZt} |j}|j}t |||f}n/#t $rt |ddf}Ynt $rd}YnwxYw|&tt\}}||krt|Si}| rddd}t|fi|5}| } dddn #1swxYwYt| } | D]} | } | rn| dsYd| vrU| d\} } }| d|| <||t|fa|S)uLoad environment variables from ~/.hermes/.env. Sanitizes lines before parsing so that corrupted files (e.g. concatenated KEY=VALUE pairs on a single line) are handled gracefully instead of producing mangled values such as duplicated bot tokens. See #8908. The parsed dict is memoised keyed on the .env file mtime, because ``get_env_value()`` is called dozens-to-hundreds of times per interactive menu render (`hermes tools`, `hermes setup`, status panels). Sanitisation is O(lines × known-keys), so re-parsing the same file on every call was burning ~300ms of CPU per `hermes tools` menu paint on top of the OAuth-refresh slowness. The mtime check invalidates the cache when the user edits .env mid-process. N utf-8-sigrrerrorsr(r'z"')r@rst_mtimerr*r3r _env_cacherrr0 readlines_sanitize_env_linesrr1r2)env_pathmtimesizer, cached_key cached_varsenv_varsopen_kwr6 raw_linesrMr7r3r8r9s r#load_envrs "~~H (}}&]]E40 000]]D$/  !7", K  " " $$ $!HC +i@@ ( & &g & & &! I & & & & & & & & & & & & & & &$I.. C CD::<..sZBa:B!G:RQF(:rY)r)rrr match_rangess @@r#rz&_sanitize_env_lines..sj" " " !Q*" " " " rYr) rrr_EXTRA_ENV_KEYSrrr1rfindrrrA)rM known_keys sanitizedr7rstrippedkey_nameneedlersplit_positionsrGposendrrs @r#rrs&++--..@JI&.&.kk&!!99;; 8..s33    S4Z ( ( ( /1 " ? ?H^F--''C((##S#F *;$<===mmFC#f++,=>>((!" " " " &" " "      ! # ##O44 2 2301AO8L8L0L0Loa!e,,RUV^R_R_C(..002$$TD[111  2   X_ - - - - rYc$t}|sdSddd}ddi}t|fi|5}|}dddn #1swxYwYt |}||krdSt t |t |z }|dkrVtdt||D}|t t |t |z z }tj t|j d d \}} tj|d fi|5}|||tj|dddn #1swxYwYt'||n5#t($r( tj|n#t,$rYnwxYwwxYwt/|t1|S) zRead, sanitize, and rewrite ~/.hermes/.env in place. Returns the number of lines that were fixed (concatenation splits + placeholder removals). Returns 0 when no changes are needed. rryrrzrrNc3,K|]\}}||k dVdS)rNr)rabs r#rz$sanitize_env_file..;s*KK$!QAFFAFFFFKKrY.tmp.env_dirrr w)r@rr0r~rabsrsumziptempfilemkstempr*rrfdopen writelinesr2fsyncfilenor< BaseExceptionunlinkrrfr) rread_kwwrite_kwr6original_linesrrfdtmp_paths r#rr"s ~~H ??  q&)<AF" F>"F&&F>)F&*F>> G0 GG0 G+(G0*G++G0c  |d|S#t$rYnwxYwg}t|D]E\}}t|dkr-|d|d|dt|ddF|dd d}t d |d d d |ddDzt|dkrdndzdztj |S)u1Warn and strip non-ASCII characters from credential values. API keys and tokens must be pure ASCII — they are sent as HTTP header values which httpx/httpcore encode as ASCII. Non-ASCII characters (commonly introduced by copy-pasting from rich-text editors or PDFs that substitute lookalike Unicode glyphs for ASCII letters) cause ``UnicodeEncodeError: 'ascii' codec can't encode character`` at request time. Returns the sanitized (ASCII-only) value. Prints a warning if any non-ASCII characters were found and removed. asciiz position r'z (U+04Xr?ignore)r{z Warning: z contains non-ASCII characters that will break API requests. This usually happens when copy-pasting from a PDF, rich-text editor, or web page that substitutes lookalike Unicode glyphs for ASCII letters. r)c3 K|] }d|V dS)rKNr)rr7s r#rz._check_non_ascii_credential..os(::DKKK::::::rYNrz ... and morerz The non-ASCII characters have been stripped automatically. If authentication fails, re-copy the key from the provider's dashboard. r) encodeUnicodeEncodeErrorrAordrdecoder!rrr/r0)r3r9 bad_charsrGchrs r#_check_non_ascii_credentialrPsc  W      I5!!JJ2 r77S==   H1HHHH#b''HHHH I I I WX 66==gFFI      ))::IbqbM::: : :  ; "%Y!!3!3    =  W  WZ     s  &&ctrtd|dSt|st d|t ||dddd}t||}tt}ddd }d d i}g}| rHt|fi|5}| }dddn #1swxYwYt|}d }t|D]>\}} | |d r|d |d||<d}n?|sH|r+|dds|dxxdz cc<||d |dt'jt+|jdd\} } d} | r= t/j|j} n#t4$rYnwxYw t7j| dfi|5}|||t7j| dddn #1swxYwYtC| || ' t7j"|| n#t4$rYnwxYwtG|n5#tH$r( t7j%| n#t4$rYnwxYwwxYw|t6j&|<tOdS)z)Save or update a value in ~/.hermes/.env.zset N#Invalid environment variable name: r)r ryrrzrrFr'TrPrrrr)(rr"_ENV_VAR_NAME_REmatchrWrXrrr{r@rr0r~rrArr1endswithrrrr*rrS_IMODEst_moderrrrr2rrr<rXrfrrr.r) r3r9rrrrMr6foundrGr7rr original_modes r#rrxs1||lSll###  ! !# & &HFsFFGGGs### MM$ # # + +D" 5 5E 'U 3 3E~~H')<.s:RRR$tzz||/F/F#yyy/Q/QRRRRrYrrrr)!rr"rrrWr@rrr.rr0r~rrrrr*rrrrrrrr2rrr<rXrfrrr) r3rrrr6rM new_linesrrrrs ` r#remove_env_valuersV ||ooo&&&u  ! !# & &HFsFFGGG~~H ??   sD!!!u&)<=E>IAG1% I1G55I8G59IH%$I% H2/I1H22I I7I%$I7% I2/I71I22I7cH|pt}|d||dddS)zBPersist an Anthropic OAuth/setup token and clear the API-key slot.rmr|rNrr9save_fnwriters r#save_anthropic_oauth_tokenrs8  &F F e$$$ F #####rYcH|pt}|dd|dddS)zHUse Claude Code's own credential files instead of persisting env tokens.rmrr|Nr)rrs r#%use_anthropic_claude_code_credentialsrs8  &F F b!!! F #####rYcH|pt}|d||dddS)zBPersist an Anthropic API key and clear the OAuth/setup-token slot.r|rmrNrrs r#save_anthropic_api_keyr s8  &F F &&& F b!!!!!rYc.t||d|ddS)NTF)success stored_as validatedr)r3r9s r#save_env_value_securers*3  rYcvt}tttz}d}|D]<\}}t j||kr|t j|<|dz }=|D]&}||vr |t jvrt j|=|dz }'|S)u&Re-read ~/.hermes/.env into os.environ. Returns count of vars updated. Adds/updates vars that changed and removes vars that were deleted from the .env file (but only vars known to Hermes — OPTIONAL_ENV_VARS and _EXTRA_ENV_KEYS — to avoid clobbering unrelated environment). rr) rrrrrrrr.r)rrcountr3r9s r# reload_envrszzH&++--..@J Enn&& U :>>#  % ' '#BJsO QJE h  3"*#4#4 3 QJE LrYc|tjvrtj|St}||S)z/Get a value from ~/.hermes/.env or environment.)rr.rr)r3rs r#rr4s: bjz#zzH <<  rYcXddlm}||tdtjS)uRedact an API key for display. Thin wrapper over :func:`agent.redact.mask_secret` — preserves the "(not set)" placeholder in dim color for the empty case. r) mask_secret (not set))empty) agent.redactrrrDIM)r3rs r# redact_keyrCs7 )((((( ;s% VZ"@"@ A A AArYc t}tttdtjttdtjttdtjtttdtjtjtdt tdttdttttdtjtjgd }|D]7\}}t|}td |d d t|8d dl m }|}td dd d t|tttdtjtjtd| dd| di dtdd}td| t d}|ot!|t!|kr+ttd|dtjn#t&$rYnwxYwtttdtjtj| di} td| dpdtd | d!d"rd#nd$td%| d&d"rd#nd$t)| d'it*r| d'ini} | d(d)} | d*d)} td+| d,| d-tttd.tjtj| d/i} td0| d1d2td3| d4d5td6| d7d8d9| d1d:kr(td;| dkr(td?| d@dAn)| d1dBkrLtdC| dDd=tdE}tdF|rdGndHn| d1dIkrLtdJ| dKd=tdL}tdM|rdGndHn_| d1dNkrFtdO}tdP}tdQ|pdHtdR|pdHtttdStjtj| dTdU}|rtdV|n*tdVtdWtjtttdXtjtj| dYi}| dZd[}td\|rd]nd^|r(td_| d`dadbzdcddtde| dfdgdbzdcdhtdi| djdkdltdm| dndodp| dqi dYi}| ddUpdr}td|| dsdt}|r|dtkrtdu|| dqi}| dvi| dwidx}t/dy|D}|rtttdztjtj|D]\}}| dsdt}| ddU}|dtks|rId{|g}|r|d||td |d}d d~|tttdtjtjtd} td}!td| rdGntdtjtd|!rdGntdtj d dlm}"m}#|"}$|$r|#|$}%tttdtjtj|$D]}&|&d}'|% |'dU}|& ddU}(|rt!|ntdHtj})td |'dd |)d td|(dtjn#t&$rYnwxYwtttdtjttdtjttdtjttdtjtdS)zDisplay current configuration.u┌─────────────────────────────────────────────────────────┐u@│ ⚕ Hermes Configuration │u└─────────────────────────────────────────────────────────┘u ◆ Pathsz Config: z Secrets: z Install: u ◆ API Keys) )r6 OpenRouter)r%zOpenAI (STT/TTS))rjExa)rmParallel)r! Firecrawl)r+Tavily)r" Browserbase)rwz Browser Use)r$FALrKz<14rr)get_anthropic_key Anthropicu ◆ Modelz Model: rznot setrrz Max turns: HERMES_MAX_ITERATIONSNu9 ⚠ .env has stale HERMES_MAX_ITERATIONS=z& (run 'hermes doctor --fix' to remove)u ◆ Displayrz Personality: rnonez Reasoning: r'Fonr}z Bell: r&r9r:rr;z User preview: first z line(s), last z line(s)u ◆ Terminalrz Backend: r)rz Working dir: rr(z Timeout: rr rrz Docker image: rr singularityz Image: rrmodalz Modal image: rMODAL_TOKEN_IDz Modal token: configuredrdaytonaz Daytona image: rDAYTONA_API_KEYz API key: sshr@rBz SSH host: z SSH user: u ◆ Timezonerrz Timezone: riu◆ Context CompressionrrTz Enabled: rrdz Threshold: rrdz.0f%z Target ratio: rrz% of threshold preservedz Protect last: rrz messagesz Protect first: rrz non-system head messagesrz(auto)rrz Provider: r r )Visionz Web extractc3vK|]4}|dddkp|ddV5dS)rrrrNr)rts r#rzshow_config..s\  j&!!V+AquuWb/A/ArYu ◆ Auxiliary Models (overrides)rr12sru◆ Messaging Platformsrrz Telegram: znot configuredz Discord: )rresolve_skill_config_valuesu◆ Skill Settingsr3rz<20s[]u────────────────────────────────────────────────────────────z+ hermes config edit # Edit config filez! hermes config set z+ hermes setup # Run setup wizard)rr!rrCYANBOLDr>r@rBrrhermes_cli.authrrrrr*rYELLOWrrrrrvaluesrrrrrr)*rrenv_keyrr9ranthropic_value_cfg_max_turns _env_ghostrump ump_firstump_lastr modal_token daytona_keyr?rAtzrr _aux_comp_sm comp_providerr aux_tasks has_overrideslabeltask_cfgprovmdlrtelegram_token discord_tokenrr skill_varsresolvedrr3r display_vals* r# show_configr$Ms ]]F GGG %DFLFQ R RSSS %RTZT_ ` `aaa %DFLFQ R RSSS GGG % V[&+ 6 6777 0_.. 0 0111 -\^^ - -... 1-// 1 1222 GGG % V[ 9 9:::   D33 g&& 14111j//112222111111''))O >{ > > >O! >??? GGG % V[&+ 6 6777 =VZZ;; = =>>>ZZ,,00nW>UVa>bccN -^ - -...  ZZ^^$;<<  !c*oo&;&;&=&=^ATATAZAZA\A\&\&\ %9J999           GGG % v{FK 8 8999jjB''G CW[[77A6 C CDDD VW[[1A5%I%ITTTu V VWWW XW[[1CU%K%KVTTQV X XYYY5? Lbdf@g@gim5n5n v'++,b 1 1 1tvC q))Iww|Q''H O9 O OX O O OPPP GGG % V[ 9 9:::zz*b))H ?X\\)W== ? ?@@@ 7X\\%55 7 7888 ;X\\)R88 ; ; ;<<<||I(** mn>j!k!kmmnnnn i M 1 1 {.ACx!y!y{{|||| i G + + lm=i!j!jllmmm#$455  O!M+OOPPPP i I - - o(,,@l"m"mooppp#$566  O!M+OOPPPP i E ) ) !455 !455 :!8[::;;; :!8[::;;; GGG % V[ 9 9::: J # #B H %%%&&&& F'7!D!DFFGGG GGG %)6; D DEEE**]B//Kooi..G 9g7UU4 9 9::: 6 Pd!C!Cc!IPPPPQQQ j!F!F!Ljjjjkkk Q1A2!F!FQQQRRR b+//2CQ"G"GbbbcccJJ{B//33M2FF mmGR((4H &&&'''! j&99  6]f44 4]44 5 5 5 ;++I }}Xr22 }}]B77I!!##M <  e6 V[QQRRR(00 < >H GGG %,fk6;GG H H H! ] ]%j S"-- WWWb11 ,1Uc%jjju[&*7U7U [3[[[k[[U;Lz;L;L;Lfj5Y5Y[[\\\\       GGG % FJ ' '((( %=vz J JKKK %3VZ @ @AAA %=vz J JKKK GGGGGs&BL$$ L10L1C8p99 qqcNtrtddSt}|s&t t t d|tjdptjd}|s5ddl }ddl }|j dkrgd}ngd }|D]}|j |r|}n|s#t d t d |dSt d |d |dtj|t|gdS)z"Open config file in user's editor.zedit configurationNzCreated r:r;rrD)notepadcodevimvinano)r*r(r)r'r&z#No editor found. Config file is at:rKzOpening  in z...)rr"r>rrrr!rrrr/rHr subprocessrunr*)r editorr_sys candidatescmds r# edit_configr2sx||*+++!##K     (N### &&&'''Yx 7BIh$7$7F    =G # #AAAJJAAAJ  Cv|C      3444  ;  !!! 1[ 1 1f 1 1 1222NFC ,,-.....rYctrtddSgd}||vsN|ds'|drEt ||t d|dtdSt}i}| rS t|d 5}tj |pi}dddn #1swxYwYn#t$ri}YnwxYw|d vrd }nu|d vrd }n\|rt!|}n8|dddrt%|}t'|||t)ddlm}|||d t/|}|r#|dkrt |t1|t d|d|d|dS)zSet a configuration value.zset configuration valuesN)r6rjr|r%rjrmr!rnrorprqrrr+r"r#rwr$rrr@rBryrr(r)rr)_API_KEY_TOKEN TERMINAL_SSHu✓ Set r+rr>rrrT>rdr}reFr(rrrrm) sort_keysz terminal.cwdr)rr"upperrr1rr!r@r>rr0r/r0rrisdigitrIrrrr{rqrnr[rX)r3r9api_keysr rhr6rnrds r#set_config_valuer;*s||0111   H yy{{h#))++"6"67M"N"NRUR[R[R]R]RhRhiwRxRxsyy{{E*** 222,..22333 "##KK kG444 6"nQ//52  6 6 6 6 6 6 6 6 6 6 6 6 6 6 6   KKK  {{}}--- 0 0 0 E  sB " " * * , ,e  S%(((''''''k;%@@@@.c22G<3.((w 3E : :;;; 5S 5 5U 5 5 5 566666s62D2D& D2&D**D2-D*.D22 EEc  t|dd}||dkrtdS|dkrtdS|dkrt|dd}t|dd}|r|mtdttd td td td t jd t ||dS|dkrttdS|dkrttdS|dkrtttdtj tj ttd}t}t\}}|s?|s=||kr7ttdtjtdS||krtd|d||r tdt#|dd|D}d|D} |r=tdt#|d|D]} td| d| rztdt#| d | D]W} | d!g} | r!d"d#| dd$d%nd&} td| d| Xtt)d'd(} t| d)s| d*r'ttd+tj| d,rCt| d,D],}ttd-|tj-tdS|d.krtttd/tj tj tt\}}||krtd|d0n.ttd|d|d1tjtttd2tj t,D]O}t/|rtd3|$ttd4|d5tjPtttd6tj t2D]\}}t/|rtd3|'|d!g} | r dd#| dd$nd&} ttd7|| tjt}|rUtttd8t#|d9tjtd:tdStd;|ttd<td=td>td?td@tdAtdBtdCt jd dS)DzHandle config subcommands.config_commandNshoweditrr3r9z&Usage: hermes config set z Examples:z3 hermes config set model anthropic/claude-sonnet-4z+ hermes config set terminal.backend dockerz0 hermes config set OPENROUTER_API_KEY sk-or-...rrzenv-pathmigrateu*🔄 Checking configuration for updates...Fru ✓ Configuration is up to date!z Config version: rrz1 new config option(s) will be added with defaultsc<g|]}|d|S)rrrs r#rz"config_command..s)KKK!aeeM6J6JKAKKKrYcfg|].}|d|d,|/S)rr5rrs r#rz"config_command..sN   55'' 01j0A0A    rYu ⚠️ z required API key(s) missing:u • ru ℹ️ z$ optional API key(s) not configured:rz (enables: rrr?rT)r\r]r_r`u✓ Configuration updated!rau ⚠️ checku📋 Configuration Statusu ✓z (update available)z Required:u ✓ u ✗ z (missing)z Optional:u ○ rKz new config option(s) availablez+ Run 'hermes config migrate' to add themzUnknown config command: zAvailable commands:z4 hermes config Show current configurationz/ hermes config edit Open config in editorz6 hermes config set Set a config valuez; hermes config check Check for missing/outdated configz8 hermes config migrate Update config with new optionsz/ hermes config path Show config file pathz- hermes config env-path Show .env file path)getattrr$r2r!r/exitr;r>r@rrrrrrr2GREENrrrrr rrREDrrr)argssubcmdr3r9rrrrrequired_missingoptional_missingrr tools_strrr.rr5s r#r=r=psA T+T 2 2F ~6)) 6   5dE4((gt,, em : ; ; ; GGG +    G H H H ? @ @ @ D E E E HQKKKe$$$$$ 6   o     :   lnn 9    e@&+v{[[\\\ +??? 244"6"8"8 Z > kZ6O6O %:FLII J J J GGG F  # # E{EEEE F F F  a _^,,___ ` ` `KK{KKK  "     1 U%5!6!6UUU V V V' 1 1/#f+//0000  < \%5!6!6\\\ ] ] ]' < <,,EJRA$))E"1"I*>*>AAAAPR :#f+:y::;;;; !T???  ;  E7>#: E %4flCC D D D :  D GGG":. D De222FMBBCCCC  7    e/fkJJKKK "6"8"8 Z * $ $ 8{888 9 9 9 9 %^[^^z^^^`f`mnn o o o  eM6;//000) J JHX&& J+++,,,,e;x;;;VZHHIIII  eM6;//000/5577 K KNHdX&& K+++,,,,"-->CK:DIIeBQBi$8$8::: e>>  rYc ~trdSda ddlm}|D]}|jdvr |jD]z}|t vr |d o|d }|jp|jd|rd nd |jp|jd|rd nd |j pd|d dd t |<{dS#t$rYdSwxYw)uPopulate OPTIONAL_ENV_VARS from provider profiles not already listed. Called once at module load time. Idempotent — repeated calls are no-ops. NTr)list_providers>r _BASE_URL_URLrzAPI keyzbase URL overridez"base URL (leave empty for default)rr1) _profile_env_vars_injectedrrN auth_typerrr display_namer signup_urlr)rN_pp_var_is_keys r#_inject_profile_env_varsrXsO "!% ,,,,,,!>##  C}L00  ,,,"mmK888VvAVAV=V&)&6&B#(#t#tRYErYY_r#t#t!$!1!=SXAAW@~ Z~AA>1T ' * $ ++!$''         sBB.. B<;B<c  trdSda ddl}ttjd}|dz dz }|sdS|D]_}|s|dz }|s|dz }|sK t|d d 5}|j |pi}dddn #1swxYwYn#t$rYwxYw| d p| d p|j }t| dpg}|| dpg|D]C} t!| t"r| } i} n6t!| t$r | d r | d } | } nS| t&vr]|  t+| dp| d} | s2| ddurt- fddD} | dp|d| dp| | dpd| | dpddt&| <EadS#t$rYdSwxYw)uPopulate OPTIONAL_ENV_VARS from bundled platform plugin manifests. Called once at module load time. Idempotent — repeated calls are no-ops. Failures are swallowed so a malformed plugin.yaml can't break CLI import. NTrrrrErrr&rrrr requires_env optional_envrMrNFc3BK|]}|VdSr)r)rsuf name_uppers r#rz3_inject_platform_plugin_env_vars..nsE$$#++C00$$$$$$rY)r5_SECRET_KEY _PASSWORD_JSONr2z configurationr3rr4rrT)"_platform_plugin_env_vars_injectedr/rrrrrrrr0r0rrrrextendrr*rrr8r r)r/ repo_root platforms_dirr manifest_pathr6rrentriesrrmeta is_secretr^s @r# _inject_platform_plugin_env_varsrk:s*)-&9  NN**,,4Q7 !I- ; ##%%  F"**,,. . E<<>> !M1M '')) 5 % 4  ''))  -w???71-t~a006BH777777777777777    LL))OX\\&-A-AOUZE8<<77=2>>G NN8<<77=2 > > >   eS)) D!#DDt,,61B1B =D DD,,,"ZZ\\  *!5!5!K(9K9KLL  *)=)=)F)F #$$$$#V$$$!!I //4#333"hhx008D88E??2d ) $ 4 4 C  + +!$'') #. . ^      sbAK!AKC>C2& C>2C6 6C>9C6 :C>=K> D K D  G K K&%K&r)r)r)r N)FrE)TF)r;rrVrrrHr rrr,r/r threadingr dataclassesrpathlibrtypingrrrrr hermes_cli.secret_promptr rrr-rr r<r$rr5system _IS_WINDOWScompiler frozensetrUr*rXrZr[rIr\RLockr+rr/hermes_cli.colorsrrhermes_cli.default_soulrrrrr rrrrrr rrrrrr"rr:r/rrqr<r>r@rBtuplerNrTr[rdrfrjr{rwrr/rrrrrrrrrr"r)r-r2rB_VALID_CUSTOM_PROVIDER_FIELDSr@r5rIrPr[rrr rrr"r%r)rrr6rZrXr[rfr4rrrs_COMMENTED_SECTIONSrrr}rrrrrrrrrrrrrrrr$r2r;r=rQrXrcrkrrYr#r{sX6        !!!!!!33333333333333999999  8 $ $  CEEc!!!33$3333l* D* y* T* * * * Xho9, 2:9::P*3444** #* C D    13tCH~222BDDeCd38n$<==>CCCAC4U3T#s(^#;<<=BBBy  )66666n ++++++++333333,     HSM    ,D,,,,{HSM%%%#%%%%P      D8##$9C99990K6"c""""3s8;;#;;;;*$****d-,,,,, -----&d&&&&2$2222x}hsm'C!D<    :@t2   $$4&&&6"d""""4} R}}"}!" }  }t} tRt 4 t !t2 13t4 5t@ AtL #DMt\ T]tj BktH &ItP "3Qt\ 3]tl "3mtH *4Itd Fetf Rgt}~O7OfO sO 3 O 2O* B+OD dEOF DGOH bIOT bUOV RWOX CYOZ E[O^ _O` DaOb %cOd eOt*/$) !]OOO}`   a}l! #'+ ( $)"'&+#9  )%%m}N ! 5O}N 7O }n o }@  "!"&'  !"&'    A }^ &) %*"&/!!_ }h Ti }N ! O }}^ ! $  %'!#&-  _ }v  "                                      GGw }H}5}r} &} B} } %c} %a} !}" ;#}. U/}8 !%9}B DC}D EE}F %G}H UI}J eK}L "7M}}T TU}V &sW}^ 4_}` a}p !$q}z 4{}H $TI}J UK}L  M}V DW}\  ]}^ ! ! _}f %dg}h i}j "2k}l qm}| }}}b%d+#U+  555   y}}}I}H!&  4#$   6eSSI}teu}F  ' /0  '  4 $&       ->  3    *  Y9 9 G}|   [  * $ %     }}f !$  g}xy}P,Q}Z  $ ! -[}T!%!$#$ $"'K&&U}jRk}~ R }T   " % M''U}z  !   5{ }@" bA"}}}H"I"}N" "$ O"}^""$"' "$ !!& !)#   U::_"}X$Y$}h$i$}v$"$ w$}F% !G%}b%#&*)c%}R&S&}V&bW&}h& Ri&}t&u&}|&R}&}B'#    $5C'}|'  "  }'}^( $&($3#$ !#(, $% +0i55_(}N*   O*}}}~*  %& "!  *}l+m+}B,RC,}d, e e,}v,&(#'*K&&w,}T. &*;U.}^/ #!!&;_/}d0 e0}z0#  *1;{0}P2   #C" " Q2}b3'  c3}F4!3!$ "&!;   G4}l5m5}n5(o5}p5$Tq5}x5ry5}}L6YXX "67EEE   --T#tCy.)\6B \W&+"$78\&U,7 '\6L"7 7\F;= G\V$& W\f.: g\vT&* w\FcA G\VN4 W\f4@ g\v[& w\F=  G\V=  W\f5A g\v0 . w\F:; G\\V6(. W\f2-. g\v<H w\F)$' G\V3< W\f*%) g\v4@ w\F8#( G\V2> W\f9+* g\v:F w\FD$7 G\T@% U\bW%> c\p`& q\@[B A\P_B   Q\\\`"T9B $$a\pYO !!q\@ V() A \P 7C Q \` U') a \p 6B q \@ o&7 A \N K9 O \^ W(, _ \n X= o \~ B'0  \L _= M \\ XZ ] \l _ m \| I)& } \J e* K \^ J  . _ \\\n N$% . o \~ F%' .  \N O= O \^ jM _ \n o. o \~ j+  \NO+   O\^L", . _\nU<3 o\~Z3. \Nn')$o6 O\^\*)$o6 _\nn')$o6 o\~Y1$o6 \Lz;=\\\M\^r&:$o6 _\nC "$45 o\\\~R 8"# \NX:5'6 O\^f&'"$9: _\nP#, o\|\ 3 }\VN"6 W\fM"= g\vV$3 w\FV!F G\ZG"'"# [\jV@k\x!@'+ ##y\F!@'+ ##G\TRL !!U\h;&' i\vl?) w\Dz1 E\\\P@%< Q\^P> _\la6 m\z\/+{\LG/+M\^L)/ _\lF( m\zSA !!{\H!z0 ##I\V(c? **W\dP)6 e\rL' s\@B1 A\Ne= O\\s: ]\l!\< ##m\|Y= }\\\LW; M\\g= ]\l]' m\|h*) }\Jc/ K\X c@ ""Y\f"F/$$g\pG! q\|C$ }\HK$I\RV*S\\M&]\fU#g\p=(  q\zT#{\DC E\R; S\\\`B  a\n:' o\~B% \Nf0   O\^L2 _\nV' o\~A# \NM# O\^u) _\nyQ o\~[. \Nk0 O\\J  ]\jt" k\@ S! A \\ #_. %%] \j %h+ ''k \\D!d38n9M,0C0000f4S#X#78,tDcN';,,,,dAAA AAd38n AAAAN!!! !!d38n !!!!H s tDcN?S    (,// T#s(^ $/ $sCx.////j8<'+ >> >>tDcN34> T#s(^ $ > c] >>>>B##eCHoJ!!! WVV  MMhtCH~&>M$}J]MMMM`00(4S>":0d0000,*4*4$sCx.)A*4T*4*4*4*4Zm m m Dm T#s(^m m m m `ddt((   ====@tCH~$sCx.< S#X 4S>     GK+++$sCx.)+#++s++++^#c3h####L1T#s(^1111"2d38n2222. ~' >!  3  + 75)-###!- 3!"/#$</'%M5A'Q;)37>ss ::#::::%)'+# ((( $sCx. !( T#s(^ $(tn (  #s(^ ((((V88c3h8888v$2@)\S#X)\)\)\)\X6$sCx.6666|[_ HU5huox}!DEtCQTH~UV W^^^    9t99999x+3++++\%S%%%%%%PGGCGGGGT:#:$::::z$$c$$$$$$$$""#""""s34S>C,sx}BCBCBBBBr r r j%/%/%/P?7#?7c?7?7?7?7LFFF\#    >.&+"C C C C N! """""rY