APEX/BrowserUse_and_ComputerUse_skills
5
0
Fork 0
Code Issues 6 Pull requests 1 Projects 1 Releases Packages Wiki Activity Actions

feat: secure skill env setup on load (core #688)

Browse source 
When a skill declares required_environment_variables in its YAML
frontmatter, missing env vars trigger a secure TUI prompt (identical
to the sudo password widget) when the skill is loaded. Secrets flow
directly to ~/.hermes/.env, never entering LLM context.

Key changes:
- New required_environment_variables frontmatter field for skills
- Secure TUI widget (masked input, 120s timeout)
- Gateway safety: messaging platforms show local setup guidance
- Legacy prerequisites.env_vars normalized into new format
- Remote backend handling: conservative setup_needed=True
- Env var name validation, file permissions hardened to 0o600
- Redact patterns extended for secret-related JSON fields
- 12 existing skills updated with prerequisites declarations
- ~48 new tests covering skip, timeout, gateway, remote backends
- Dynamic panel widget sizing (fixes hardcoded width from original PR)

Cherry-picked from PR #723 by kshitijk4poor, rebased onto current main
with conflict resolution.

Fixes #688

Co-authored-by: kshitijk4poor <kshitijk4poor@users.noreply.github.com>
This commit is contained in:
kshitijk4poor 2026-03-13 03:14:04 -07:00 committed by teknium1
parent c097e56142
commit ccfbf42844
34 changed files with 2419 additions and 403 deletions
Download patch file Download diff file Expand all files Collapse all files

6
gateway/platforms/base.py
View file

@ -27,6 +27,12 @@ from gateway.config import Platform, PlatformConfig
from gateway.session import SessionSource, build_session_key
GATEWAY_SECRET_CAPTURE_UNSUPPORTED_MESSAGE = (
"Secure secret entry is not supported over messaging. "
"Run `hermes setup` or update ~/.hermes/.env locally."
)
# ---------------------------------------------------------------------------
# Image cache utilities
#

4
gateway/run.py
View file

@ -1033,7 +1033,9 @@ class GatewayRunner:
cmd_key = f"/{command}"
if cmd_key in skill_cmds:
user_instruction = event.get_command_args().strip()
msg = build_skill_invocation_message(cmd_key, user_instruction)
msg = build_skill_invocation_message(
cmd_key, user_instruction, task_id=session_key
)
if msg:
event.text = msg
# Fall through to normal message processing with skill content