hermes-workspace/.env.example at main · outsourc-e/hermes-workspace · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# Hermes Workspace — Environment Variables
#
# Copy this to .env and adjust as needed:
#   cp .env.example .env

# ═══════════════════════════════════════════════════════════════
# LLM Provider — pick ONE (you don't need all of them)
# ═══════════════════════════════════════════════════════════════
# hermes-agent supports many providers. For Docker Compose the agent
# container needs the key for whichever provider you configured in
# ~/.hermes/config.yaml. Common options:
#
#   OpenAI Codex / OpenAI-compatible: configure through `hermes setup` / `hermes model`
#   OpenAI (GPT / o-series): https://platform.openai.com/api-keys
#   OpenRouter (many models, free tier available): https://openrouter.ai/keys
#   Google (Gemini):         https://aistudio.google.com/app/apikey
#   Ollama / local:          No key needed — just run `ollama serve`
#
# Uncomment ONLY the key(s) for the providers you actually use.
# See docs/api-key-registry.md for the broader SCOM key inventory and
# rotation checklist.

# ANTHROPIC_API_KEY=sk-ant-...
# NOUS_API_KEY=...
# OPENAI_API_KEY=sk-...
# OPENROUTER_API_KEY=sk-or-v1-...
# GOOGLE_API_KEY=AIza...
# GOOGLE_AI_STUDIO_API_KEY=AIza...
# MINIMAX_API_KEY=...

# ═══════════════════════════════════════════════════════════════
# Optional: Hermes Agent Connection
# ═══════════════════════════════════════════════════════════════

# Hermes Agent WebAPI URL (default: http://127.0.0.1:8642)
# - For Docker: Uses http://hermes-agent:8642 automatically
# - For local dev: Set to http://127.0.0.1:8642
# IMPORTANT: The Hermes Agent gateway HTTP API server is opt-in.
# Add API_SERVER_ENABLED=true to ~/.hermes/.env and restart the gateway.
# Without it, the gateway serves messaging platforms but not port 8642.
# HERMES_API_URL=http://127.0.0.1:8642

# Hermes Agent API token — required when the gateway is authenticated
# (e.g. Docker deployments exposing API_SERVER_HOST=0.0.0.0).
#
# When your Hermes Agent gateway has API_SERVER_KEY set, workspace must send the
# SAME value as HERMES_API_TOKEN here, or requests will be rejected with 401.
#
#   ~/.hermes/.env:        API_SERVER_KEY=<your-secret>
#   hermes-workspace/.env: HERMES_API_TOKEN=<same-secret>
#
# Leave unset for local loopback gateways that don't set API_SERVER_KEY.
# HERMES_API_TOKEN=your-gateway-secret

# Hermes Agent directory (auto-detected if sibling to workspace)
# Set this if hermes-agent is installed elsewhere
# HERMES_AGENT_PATH=/path/to/hermes-agent

# Server port (default: 3000)
# PORT=3000

# ══════════════════════════════════════════════════════════════
# Security
# ══════════════════════════════════════════════════════════════

# Bind address (default: 127.0.0.1)
#
# The workspace exposes terminals, file read/write, agent control, and job
# management. Off-loopback exposure is opt-in. Set HOST=0.0.0.0 only if you
# *also* set HERMES_PASSWORD below. Without a password, the server refuses
# to start on a non-loopback host.
# HOST=127.0.0.1

# Workspace session password (required for any remote deployment)
#
# Enables password protection of the web UI. Tokens are stored encrypted
# in ~/.hermes/workspace-sessions.json. Pick a strong secret (32+ chars).
# Legacy CLAUDE_PASSWORD is still honored for back-compat with pre-rename setups.
# HERMES_PASSWORD=change-me-to-a-strong-secret

# Cookie Secure flag (default: on in production, off in dev)
#
# Set to 1 to force the Secure attribute on session cookies even when
# NODE_ENV is not production — useful when terminating TLS at a reverse
# proxy.
# COOKIE_SECURE=1
#
# Set to 0 when running a plain-HTTP LAN deployment (HOST=0.0.0.0 without
# HTTPS). NODE_ENV=production enables Secure cookies by default; browsers
# silently drop Secure cookies over http://, causing login to silently fail.
# COOKIE_SECURE=0

# Trust proxy-forwarded headers (default: off)
#
# When running behind a trusted reverse proxy (Traefik, Nginx, Cloudflare,
# Tailscale Serve) that sanitizes x-forwarded-for / x-real-ip, set to 1 so
# that local-request classification and rate-limiting use the real client IP
# instead of the proxy's. Leaving this off on a direct-exposure deployment
# is the safe default — otherwise clients can spoof their IP.
# TRUST_PROXY=1

# SSE stream activity timeouts (optional)
#
# How long the browser waits without any event before marking a run as stalled.
# The built-in 30s heartbeat resets these timers during normal operation, so
# these only fire when the gateway is genuinely unresponsive.
# Values are in milliseconds. Defaults: 120000 (accepted), 300000 (handoff).
# STREAM_ACCEPTED_TIMEOUT_MS=120000
# STREAM_HANDOFF_TIMEOUT_MS=300000

# Dashboard URL
#
# Where Hermes Agent's dashboard is reachable (default: 127.0.0.1:9119).
# /api/sessions, the conductor mission API, and the upstream kanban plugin
# all live on the dashboard, not the gateway.
# HERMES_DASHBOARD_URL=http://127.0.0.1:9119

# Dashboard session token
#
# Workspace scrapes the dashboard's ephemeral session token from the root HTML
# automatically. Do not copy this token into .env: it changes whenever the
# dashboard restarts and stale values cause 401s on /api/sessions and related APIs.

# Bypass fail-closed startup guard (NOT recommended)
#
# If you understand the risks and want to run the workspace on 0.0.0.0
# without a password (e.g. behind a custom auth layer), set this to 1.
# Legacy CLAUDE_ALLOW_INSECURE_REMOTE is still honored for back-compat.
# HERMES_ALLOW_INSECURE_REMOTE=0

# ═════════════════════════════════════════════════════════════════
# HermesWorld (multiplayer hub + online chip)
# ═════════════════════════════════════════════════════════════════
# Set to 0 to hide the "HermesWorld" link in the sidebar.
# Default is enabled (1).
# VITE_HERMESWORLD_ENABLED=1

# When set, HermesWorld tabs on different devices/networks meet on the hub.
# Without these, multiplayer falls back to BroadcastChannel (same-browser only).
# Public hosted Cloudflare Worker hub:
VITE_PLAYGROUND_WS_URL=wss://hermes-playground-ws.myaurora-agi.workers.dev/playground
VITE_PLAYGROUND_STATS_URL=https://hermes-playground-ws.myaurora-agi.workers.dev/stats
# Run your own hub: see playground-ws-worker/README.md