feat(secrets): add phase 1 secrets tool and redaction hardening#3651
feat(secrets): add phase 1 secrets tool and redaction hardening#3651shannonsands wants to merge 1 commit into
Conversation
|
8c38abf to
916975a
Compare
|
CI note: The current failing Failing test on this PRFrom the failed Actions log for this PR (
CI summary on this PR run:
Evidence this is pre-existing / flaky on
|
Implements the first pragmatic slice of issue #3627 / #410: - add agent-facing tool with list/check/request/delete/inject actions - reuse existing secure CLI secret capture path via getpass-backed callback so secret values never enter model context - support as an alias for the existing skill frontmatter - redact execute_code stdout/stderr before returning tool output - expand redaction patterns for Twilio SIDs and JWTs - register the new tool in discovery/core toolsets and add regression tests Gateway DM+delete secret capture remains scoped as follow-up work per the Phase 1 issue discussion.
916975a to
c1ef64a
Compare
This is compilation of a regular expression. |
|
Why hasn't this been merged yet? |
What does this PR do?
Implements the scoped Phase 1 slice of secure secrets management from #3627 / #410.
This PR adds a first-class secrets tool for the agent (list, check, request, delete, inject), reuses Hermes’ existing secure CLI secret capture path so secret values never enter model context, adds requires_secrets as an alias for skill frontmatter, and hardens output redaction by covering execute_code and patch results plus additional token formats.
This intentionally does not implement gateway DM+delete secret capture yet. That part was explicitly scoped as follow-up work on #3627 because it needs gateway-level secure prompt plumbing rather than a local tool-only change.
Related Issue
Fixes #3627
Type of Change
[x] ✨ New feature (non-breaking change that adds functionality)
[x] 📝 Documentation update
[x] ✅ Tests (adding or improving test coverage)
Changes Made
Added tools/secrets_tool.py
secrets(action="list")
secrets(action="check")
secrets(action="request")
secrets(action="delete")
secrets(action="inject")
Wired secure CLI secret capture into the new tool via existing callback flow in cli.py
Added requires_secrets alias support in tools/skills_tool.py
Registered the tool in:
model_tools.py
toolsets.py
Hardened redaction:
tools/code_execution_tool.py now redacts stdout/stderr before returning
tools/file_tools.py now redacts serialized patch output
agent/redact.py now covers:
Twilio Account SID
bare Twilio auth token style values
JWTs
Tightened secret-name filtering in tools/secrets_tool.py
only secret-like names are accepted
non-secret env vars like PATH, HOME, SSH_AUTH_SOCK, etc. are rejected
Fixed delete semantics so secrets(delete) removes the key from ~/.hermes/.env instead of leaving KEY=
Added tests:
tests/tools/test_secrets_tool.py
tests/agent/test_skill_commands.py
tests/tools/test_code_execution.py
tests/agent/test_redact.py
tests/test_model_tools.py
How to Test
Run the focused suite:
uv run --extra dev python -m pytest \ tests/tools/test_secrets_tool.py \ tests/tools/test_code_execution.py \ tests/agent/test_skill_commands.py \ tests/agent/test_redact.py \ tests/test_model_tools.py \ -q -o "addopts="Verify the secrets tool behavior:
list returns secret names only
check reports configured vs missing secret-like vars
request uses secure CLI callback flow
delete removes the key from .env
inject registers env passthrough only for allowed secret-like vars
Verify redaction hardening:
execute_code output is redacted
patch output is redacted
Twilio/JWT cases are covered by tests/agent/test_redact.py
Checklist
Code
[x] I've read the Contributing Guide
[x] My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
[x] I searched for existing PRs to make sure this isn't a duplicate
[x] My PR contains only changes related to this fix/feature (no unrelated commits)
[ ] I've run pytest tests/ -q and all tests pass
[x] I've added tests for my changes (required for bug fixes, strongly encouraged for features)
[x] I've tested on my platform: macOS
Documentation & Housekeeping
[ ] I've updated relevant documentation (README, docs/, docstrings) — or N/A
[x] I've updated cli-config.yaml.example if I added/changed config keys — or N/A
[x] I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
[x] I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
[x] I've updated tool descriptions/schemas if I changed tool behavior — or N/A
Screenshots / Logs
Focused suite result after rebase on latest main:
71 passed, 62 skipped, 1 warning
Scoped note:
This PR intentionally does not implement gateway DM+delete secret capture.
That follow-up remains tracked in the Phase 1 issue discussion on #3627.