From 547a9d00fa9f858a3d618a33a190c3e694248428 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 27 May 2026 11:10:42 +0000 Subject: [PATCH] Clarify root GitHub credential ownership --- docs/hermes-operations.md | 11 +++++++++++ docs/hermes-setup-upgrade-roadmap.md | 14 ++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/docs/hermes-operations.md b/docs/hermes-operations.md index 59a11f5..fe86659 100644 --- a/docs/hermes-operations.md +++ b/docs/hermes-operations.md @@ -260,6 +260,17 @@ Verification recorded on 2026-05-27: For write operations, create a separate repo-scoped token and store it in a new root-only token file. Do not reuse this read-focused token for broad automation unless the required scope is explicitly reviewed first. +## GitHub credential ownership + +Root Git operations already have GitHub push credentials through the root Git credential store. Root is the operator account for both: + +- `https://github.com/saravanakumardb/learning_ai_devops_tools.git` +- `https://github.com/umadev0931/uma_hostinger_hermes_vm.git` + +Uma does not need a separate `/home/uma/.git-credentials` file for the current workflow because repo maintenance and pushes are performed from root. Do not copy root GitHub credentials into Uma's home directory unless there is a concrete need for Uma-user GitHub pushes. + +Remaining audit item: confirm in GitHub that the root token is fine-grained or otherwise limited to the intended repos and permissions. Do not print the token while checking this. + ## Telegram topics and session handling Root and Uma currently use the standard Telegram gateway session handling. Do not enable or change topic/session behavior without a concrete routing need. diff --git a/docs/hermes-setup-upgrade-roadmap.md b/docs/hermes-setup-upgrade-roadmap.md index 0e9a7fb..f3b12ae 100644 --- a/docs/hermes-setup-upgrade-roadmap.md +++ b/docs/hermes-setup-upgrade-roadmap.md 
@@ -9,12 +9,13 @@ ## Completion Status - **Overall checklist completion:** ~68% (`122/179` checked after the 2026-05-27 Gitea/Hermes Git smoke test). -- **Credential-independent setup:** materially further along; remaining blockers are mostly provider/search credentials, GitHub automation token, Uma backup design, and policy decisions. +- **Credential-independent setup:** materially further along; remaining blockers are mostly provider/search credentials, GitHub token scope audit, Uma backup design, and policy decisions. - vijay: percentage is based on literal Markdown checklist boxes, including nested sub-items. It intentionally counts credential-dependent future work as incomplete. ## Remaining Unchecked Item Classification -- **Needs credentials/API keys:** fallback provider setup, web search/extract backend, GitHub automation token, Browserbase/Browser Use, and provider fallback tests. +- **Needs credentials/API keys:** fallback provider setup, web search/extract backend, Browserbase/Browser Use, and provider fallback tests. +- **Needs credential audit:** GitHub push credentials already exist for root Git operations, including root-managed pushes to Uma's GitHub repo; least-privilege scope still needs to be verified from GitHub. - **Needs explicit policy decision:** Cloudflare Access/basic-auth public fallback, model-routing tiers, local browser automation, vision/image provider choice, `security.redact_secrets`, `privacy.redact_pii`, and credential rotation. - **Needs Uma backup design:** Uma/Bheem currently has a clean VM wrapper repo, but not a root-style sanitized Hermes persistent backup/restore workflow. - **Needs manual UX validation:** dashboard feature-by-feature checks, Telegram approval prompt flow, and Telegram media/file delivery. 
@@ -63,7 +64,8 @@ Observed on 2026-05-26: - last status: ok - Config version: `24` after `hermes doctor --fix` migration on 2026-05-27; root and Uma both verified at config v24 - Telegram credentials are present -- Most optional provider/API keys are not configured, including OpenRouter, Google/Gemini, Anthropic, Firecrawl/Tavily/Exa, Browserbase/Browser Use, GitHub token, FAL, and ElevenLabs +- Most optional provider/API keys are not configured, including OpenRouter, Google/Gemini, Anthropic, Firecrawl/Tavily/Exa, Browserbase/Browser Use, FAL, and ElevenLabs +- GitHub push credentials are configured for root Git operations through the root credential store; root also performs Uma repo pushes because root has access to `https://github.com/umadev0931/uma_hostinger_hermes_vm` - `hermes doctor --fix` completed on 2026-05-27; it migrated config v23 → v24 and left only manual provider/API-key setup as the main optional follow-up - User preference: do **not** expose the Hermes dashboard publicly 
@@ -234,7 +236,7 @@ A healthy ByteLyst Hermes setup should be: - [ ] Browserbase/Browser Use - [ ] Configure GitHub/Gitea automation credentials with least privilege. - vijay: root local Gitea read-only Git path is configured with `/root/.local/bin/gitea-git` plus `GIT_ASKPASS`; the token remains in `/root/.gitea_npm_token_home` and was not printed. Verified direct Git and Hermes one-shot read access to `http://localhost:3300/bytelyst/learning_ai_common_plat.git`. - - vijay: still unchecked because GitHub automation credentials are separate and have not been provisioned. + - vijay: GitHub push credentials are already configured for root Git operations through `/root/.git-credentials`; root performs pushes for both root and Uma tracking repos. Still unchecked until GitHub token repo/scope permissions are audited as least-privilege. - [ ] Add vision/image capability if screenshots, diagrams, or UI reviews are common. - [x] Validate the active Telegram toolset includes the capabilities ByteLyst expects: - vijay: `hermes doctor --fix` reported browser, clarify, code_execution, cronjob, terminal, delegation, file, memory, messaging, session_search, skills, todo, tts, vision, video, and related toolsets available; web remains blocked by missing search backend API key. 
@@ -411,7 +413,7 @@ A healthy ByteLyst Hermes setup should be: - vijay: documented restore drill and restored root backup into `/tmp/hermes-restore-test-root`. - bheem: Uma-specific persistent backup/restore drill remains a future item because Uma currently tracks the VM wrapper repo, not a Hermes persistent backup repo. - [ ] Add Gitea/GitHub least-privilege automation credential path. - - vijay: Gitea path is complete for root via `/root/.local/bin/gitea-git`; GitHub path remains pending, so this combined item stays unchecked. + - vijay: Gitea path is complete for root via `/root/.local/bin/gitea-git`; GitHub push path exists in root's credential store and is used for root-managed pushes, including Uma repo updates. Least-privilege scope verification remains pending, so this combined item stays unchecked. ### Medium-Term — This Month @@ -488,7 +490,7 @@ This roadmap is complete when: - vijay: installed `/root/.local/bin/gitea-git-askpass` and `/root/.local/bin/gitea-git` so Hermes/Git can authenticate to local Gitea without embedding tokens in remotes or Git config. - vijay: verified direct Git read operation: `gitea-git ls-remote http://localhost:3300/bytelyst/learning_ai_common_plat.git HEAD` returned HEAD `59c4638f85be...`. - vijay: verified the same read-only operation through Hermes one-shot; Hermes reported success and only the truncated HEAD hash. -- vijay: documented the exact safe token flow in `docs/hermes-operations.md`; GitHub automation token remains a separate future credential item. +- vijay: documented the exact safe token flow in `docs/hermes-operations.md`; corrected GitHub status to show credentials already exist for root-managed pushes, with least-privilege scope audit still pending. ## Notes For Future Transcript Pass
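Review bot: In the `docs/hermes-operations.md` hunk, the new "GitHub credential ownership" section says root pushes to two repos owned by different GitHub accounts (`saravanakumardb` and `umadev0931`) but never says whether the root credential store holds one token or two; the "Remaining audit item" should make that explicit, because a fine-grained token is scoped to a single resource owner, so covering both repos with one entry implies either a classic token or two per-path entries (which only work if `git config credential.useHttpPath true` is set). Suggest adding a line such as "Check how many GitHub entries the root credential store holds and which owner each token belongs to" next to "confirm in GitHub that the root token is fine-grained", and naming the store file (the roadmap hunk calls it `/root/.git-credentials`) so the person doing the audit knows where to look without `cat`-ing it.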
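Review bot: In the first `docs/hermes-setup-upgrade-roadmap.md` hunk (`@@ -9,12 +9,13 @@`), the new "Needs credential audit" bullet says "least-privilege scope still needs to be verified from GitHub" but does not say what passes the audit; without that, the item cannot be checked off consistently with the `122/179` count used above it. Suggest listing the acceptance criteria in the bullet, e.g. "fine-grained token, repository access limited to the two tracking repos, `Contents: read and write` only, expiration set", so the later checklist item has a concrete bar.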
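Review bot: In the `@@ -63,7 +64,8 @@` hunk, the added "GitHub push credentials are configured..." line writes the Uma repo as `https://github.com/umadev0931/uma_hostinger_hermes_vm` (no `.git`) while the operations doc lists `https://github.com/umadev0931/uma_hostinger_hermes_vm.git`; git-credential-store matches on host by default, so this is cosmetic today, but it becomes a real mismatch if per-path credentials are ever enabled, so use the same spelling in both docs.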
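Review bot: In the `@@ -234,7 +236,7 @@` hunk, the replacement vijay note names `/root/.git-credentials` for the first time in the roadmap; since that file stores the token in plaintext, the note should also record the expected protection so the audit can check it without printing contents, e.g. "confirm `/root/.git-credentials` is mode 600 owned by root and `/root` is not readable by the `uma` user", which also backs the operations-doc rule against copying root credentials into Uma's home.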