feat(secrets): Phase 1 — Core Secrets Tool + Redaction Hardening

[vulcan-artivus]

Parent Issue

Sub-issue of #410 (Secure Secrets Management Tool). This is Phase 1 of the phased rollout.

Scope

A new agent-facing secrets tool that provides secure secret lifecycle management, plus hardening of existing redaction coverage.

1. New secrets tool (tools/secrets_tool.py)

Action	Description
list	Show configured secret names (never values) + cross-reference skills with requires_secrets frontmatter
check	Verify which specific keys are configured vs missing
request	Secure input via getpass() (CLI) or gateway DM+delete flow. Value never enters agent context.
delete	Remove a secret from storage
inject	Register keys for env_passthrough so the terminal tool includes them in the next subprocess call

Key security property: secret values never enter LLM context. The request action handles the entire input flow internally and only returns {"stored": true} to the agent.

2. Platform-specific secure ingestion

• CLI: getpass.getpass() — input not echoed, not in readline history
• Telegram: DM the user, accept reply, immediately delete the message containing the key
• Discord: Same DM+delete pattern
• Other platforms: Best-effort (WhatsApp has limited deletion support)

3. Skill requires_secrets frontmatter

Skills can declare required secrets in SKILL.md:

---
name: twilio
requires_secrets:
  - key: TWILIO_ACCOUNT_SID
    description: "Twilio Account SID"
    instructions: "Find at https://console.twilio.com/"
  - key: TWILIO_AUTH_TOKEN
    description: "Twilio Auth Token"
---

When loading a skill, the agent checks for missing secrets and prompts via secrets(action="request").

4. Redaction hardening (relates to #363)

• Apply redact_sensitive_text() to read_file, search_files, patch, and execute_code tool outputs
• Expand agent/redact.py patterns: add Twilio SIDs/tokens, AWS AKIA*, Stripe keys, JWTs, PEM private key blocks
• File permissions: chmod 600 on ~/.hermes/.env

5. Storage

Phase 1 continues using ~/.hermes/.env for storage. Encrypted storage comes in Phase 3.

Files to Create/Modify

• New: tools/secrets_tool.py (~400 lines)
• New: tests/tools/test_secrets_tool.py
• Modify: agent/redact.py — expanded patterns
• Modify: tools/file_tools.py — apply redaction to read/search output
• Modify: tools/code_execution_tool.py — apply redaction to script output
• Modify: model_tools.py — add to discovery
• Modify: toolsets.py — add to _HERMES_CORE_TOOLS
• Modify: agent/skill_commands.py — parse requires_secrets frontmatter

Acceptance Criteria

• secrets(action="list") returns secret names, never values
• secrets(action="request") uses getpass() in CLI, DM+delete in gateway
• Secret values never appear in conversation history or LLM context
• requires_secrets parsed from skill frontmatter
• read_file / search_files / execute_code output is redacted
• New redaction patterns cover Twilio, AWS, Stripe, JWT, PEM
• Tests cover all tool actions + edge cases

References

• Feature: Secure Secrets Management Tool — API Key Ingestion, Scoped Access, Redaction, and Skill Requirements #410 — Parent umbrella issue
• Security: File Tool Output Redaction Gap — Secrets Exposed via read_file but Masked via Terminal #363 — File tool output redaction gap
• Feature: Agent-Vault Skill — Placeholder-Based Secret Management for Config Files #364 — Agent-vault placeholder-based secret management
• PR feat(secrets): Secrets Management Tool (Phase 1) #3245 — Previous partial implementation by @zaycruz (closed, concepts reusable)

[vulcan-artivus]

Scoping note for implementation:

For the initial Phase 1 PR, I'll take a pragmatic slice:

• ✅ secrets tool (list / check / request / delete / inject)
• ✅ CLI secure input via getpass()
• ✅ requires_secrets frontmatter support / compatibility with existing skill secret metadata
• ✅ redaction hardening (especially execute_code output + any missing patterns)
• ✅ registration/tests/docs

What I am not planning to include in the first Phase 1 PR:

• full cross-platform gateway DM+delete secret capture for every messaging adapter

Reason: Hermes does not yet have a generic gateway-level secure out-of-band prompt abstraction. Doing DM+delete correctly requires per-platform DM creation, reply correlation, deletion semantics, and ensuring replies never enter normal session history / LLM context. That's implementable, but it is a larger gateway feature than the rest of Phase 1.

Proposed follow-up after Phase 1 lands:

• Phase 1b / follow-up issues for secure gateway secret capture
  • Telegram DM+delete
  • Discord DM+delete
  • fallback behavior for platforms without reliable deletion semantics

This keeps the first PR focused and gets the core agent/CLI secrets workflow landed sooner.

[vulcan-artivus]

Implemented the scoped Phase 1 slice on branch feat/secrets-phase1 and opened a PR.

Included in this PR:

• secrets tool: list / check / request / delete / inject
• CLI secure input reuse via existing getpass-backed callback path
• requires_secrets alias support in skill frontmatter
• redaction hardening for execute_code and patch outputs
• expanded redaction patterns/tests (Twilio, JWT)
• tighter secret-name filtering and actual .env key removal on delete

Deliberately not included in this PR:

• gateway DM+delete secure secret capture

That remains follow-up work per the earlier scoping note, since it requires gateway-level secure prompt plumbing rather than a local tool-only change.