hermes-agent-cli-core 1.14.19

Blazing-fast, Windows-first AI agent CLI with 22+ LLM providers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

use anyhow::{Context, Result};
use directories::ProjectDirs;
use serde::{Deserialize, Serialize};
use std::fs;
use std::path::PathBuf;

/// Credentials storage for auth providers
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct AuthStore {
    #[serde(default)]
    pub credentials: Vec<ProviderCredentials>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ProviderCredentials {
    pub provider: String,
    pub api_key: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub base_url: Option<String>,
}

impl AuthStore {
    /// Load auth store from disk
    pub fn load() -> Result<Self> {
        let path = Self::auth_path();
        if !path.exists() {
            return Ok(AuthStore::default());
        }
        let content = fs::read_to_string(&path)
            .with_context(|| format!("failed to read auth store from {:?}", path))?;
        let store: AuthStore = serde_yaml::from_str(&content)
            .with_context(|| format!("failed to parse auth store from {:?}", path))?;
        Ok(store)
    }

    /// Save auth store to disk securely
    /// Uses atomic write: temp file → set permissions → rename
    pub fn save(&self) -> Result<()> {
        let path = Self::auth_path();
        if let Some(parent) = path.parent() {
            fs::create_dir_all(parent)
                .with_context(|| format!("failed to create auth directory {:?}", parent))?;
        }
        let content = serde_yaml::to_string(self).context("failed to serialize auth store")?;

        // Atomic write: write to temp file first
        let temp_path = path.with_extension("tmp");
        fs::write(&temp_path, &content)
            .with_context(|| format!("failed to write auth store to temp {:?}", temp_path))?;

        // Set restrictive permissions on Unix (owner only)
        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let mut perms = fs::Permissions::mode(0o600);
            fs::set_permissions(&temp_path, perms)?;
        }

        // Windows: mark file as hidden and system to provide some protection
        #[cfg(windows)]
        {
            use std::process::Command;
            // Set file as hidden
            let _ = Command::new("attrib").arg("+H").arg(&temp_path).output();
        }

        // Atomic rename (overwrites existing file)
        fs::rename(&temp_path, &path)
            .with_context(|| format!("failed to rename temp auth store to {:?}", path))?;

        Ok(())
    }

    /// Get auth path
    pub fn auth_path() -> PathBuf {
        if let Ok(home) = std::env::var("HERMES_HOME") {
            return PathBuf::from(home).join("credentials.yaml");
        }
        if let Ok(profile) = std::env::var("HERMES_PROFILE") {
            if let Some(proj_dirs) =
                ProjectDirs::from("ai", "hermes", &format!("hermes-{}", profile))
            {
                return proj_dirs.config_dir().join("credentials.yaml");
            }
        }
        if let Some(proj_dirs) = ProjectDirs::from("ai", "hermes", "hermes-cli") {
            return proj_dirs.config_dir().join("credentials.yaml");
        }
        if let Ok(home) = std::env::var("USERPROFILE") {
            return PathBuf::from(home).join(".hermes").join("credentials.yaml");
        }
        PathBuf::from(".hermes").join("credentials.yaml")
    }

    /// Add credentials for a provider
    pub fn add(&mut self, provider: &str, api_key: &str, base_url: Option<&str>) {
        // Remove existing credentials for this provider
        self.credentials.retain(|c| c.provider != provider);

        // Add new credentials
        self.credentials.push(ProviderCredentials {
            provider: provider.to_string(),
            api_key: api_key.to_string(),
            base_url: base_url.map(|s| s.to_string()),
        });
    }

    /// List all credentials (with API keys masked)
    pub fn list(&self) -> Vec<(String, String, Option<String>)> {
        self.credentials
            .iter()
            .map(|c| (c.provider.clone(), mask_key(&c.api_key), c.base_url.clone()))
            .collect()
    }

    /// Get credentials for a provider
    pub fn get(&self, provider: &str) -> Option<&ProviderCredentials> {
        self.credentials.iter().find(|c| c.provider == provider)
    }

    /// Remove credentials for a provider
    pub fn remove(&mut self, provider: &str) -> bool {
        let len = self.credentials.len();
        self.credentials.retain(|c| c.provider != provider);
        self.credentials.len() < len
    }

    /// Clear all credentials
    pub fn reset(&mut self) {
        self.credentials.clear();
    }
}

/// Mask an API key for display (show first 4 and last 4 chars)
fn mask_key(key: &str) -> String {
    if key.len() <= 8 {
        return "*".repeat(key.len());
    }
    let start = &key[..4];
    let end = &key[key.len() - 4..];
    format!("{}...{}", start, end)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_mask_key() {
        // Keys <= 8 chars are fully masked
        assert_eq!(mask_key("short"), "*****");
        assert_eq!(mask_key("12345678"), "********");
        // Keys > 8 chars show first 4 and last 4
        assert_eq!(mask_key("sk-1234567890abcdef"), "sk-1...cdef");
    }

    #[test]
    fn test_auth_store_add_get() {
        let mut store = AuthStore::default();
        store.add("openai", "sk-test123", None);
        assert!(store.get("openai").is_some());
        assert_eq!(store.get("openai").unwrap().api_key, "sk-test123");
    }

    #[test]
    fn test_auth_store_remove() {
        let mut store = AuthStore::default();
        store.add("openai", "sk-test123", None);
        assert!(store.remove("openai"));
        assert!(store.get("openai").is_none());
    }

    #[test]
    fn test_auth_store_list_masked() {
        let mut store = AuthStore::default();
        store.add("openai", "sk-1234567890abcdef", None);
        let list = store.list();
        assert_eq!(list.len(), 1);
        assert_eq!(list[0].0, "openai");
        assert_eq!(list[0].1, "sk-1...cdef"); // Masked
    }
}