hermes-workspace/.env.example

# Hermes Workspace — Environment Variables
#
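# Copy this to .env and adjust as needed:
# cp .env.example .env
# The resulting .env holds live credentials: keep it out of version control
# and readable only by the account that runs the workspace
# (e.g. chmod 600 .env).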
# ═══════════════════════════════════════════════════════════════
# LLM Provider — pick ONE (you don't need all of them)
# ═══════════════════════════════════════════════════════════════
# hermes-agent supports many providers. For Docker Compose the agent
# container needs the key for whichever provider you configured in
# ~/.hermes/config.yaml. Common options:
#
# OpenAI Codex / OpenAI-compatible: configure through `hermes setup` / `hermes model`
# OpenAI (GPT / o-series): https://platform.openai.com/api-keys
# OpenRouter (many models, free tier available): https://openrouter.ai/keys
# Google (Gemini): https://aistudio.google.com/app/apikey
# Ollama / local: No key needed — just run `ollama serve`
#
# Uncomment ONLY the key(s) for the providers you actually use.
# See docs/api-key-registry.md for the broader SCOM key inventory and
# rotation checklist.
# ANTHROPIC_API_KEY=sk-ant-...
# NOUS_API_KEY=...
# OPENAI_API_KEY=sk-...
# OPENROUTER_API_KEY=sk-or-v1-...
# GOOGLE_API_KEY=AIza...
# GOOGLE_AI_STUDIO_API_KEY=AIza...
# MINIMAX_API_KEY=...
# ═══════════════════════════════════════════════════════════════
# Optional: Hermes Agent Connection
# ═══════════════════════════════════════════════════════════════
# Hermes Agent WebAPI URL (default: http://127.0.0.1:8642)
# - For Docker: Uses http://hermes-agent:8642 automatically
# - For local dev: Set to http://127.0.0.1:8642
# IMPORTANT: The Hermes Agent gateway HTTP API server is opt-in.
# Add API_SERVER_ENABLED=true to ~/.hermes/.env and restart the gateway.
# Without it, the gateway serves messaging platforms but not port 8642.
# HERMES_API_URL=http://127.0.0.1:8642
# Hermes Agent API token — required when the gateway is authenticated
# (e.g. Docker deployments exposing API_SERVER_HOST=0.0.0.0).
#
# When your Hermes Agent gateway has API_SERVER_KEY set, workspace must send the
# SAME value as HERMES_API_TOKEN here, or requests will be rejected with 401.
#
# ~/.hermes/.env: API_SERVER_KEY=<your-secret>
# hermes-workspace/.env: HERMES_API_TOKEN=<same-secret>
#
# Leave unset for local loopback gateways that don't set API_SERVER_KEY.
# HERMES_API_TOKEN=your-gateway-secret
# Hermes Agent directory (auto-detected if sibling to workspace)
# Set this if hermes-agent is installed elsewhere
# HERMES_AGENT_PATH=/path/to/hermes-agent
# Server port (default: 3000)
# PORT=3000
# ══════════════════════════════════════════════════════════════
# Security
# ══════════════════════════════════════════════════════════════
# Bind address (default: 127.0.0.1)
#
# The workspace exposes terminals, file read/write, agent control, and job
# management. Off-loopback exposure is opt-in. Set HOST=0.0.0.0 only if you
# *also* set HERMES_PASSWORD below. Without a password, the server refuses
# to start on a non-loopback host.
# HOST=127.0.0.1
# Workspace session password (required for any remote deployment)
#
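# Enables password protection of the web UI. Tokens are stored encrypted
# in ~/.hermes/workspace-sessions.json. Pick a strong secret (32+ chars),
# generated randomly (e.g. `openssl rand -base64 32`); never deploy with the
# placeholder value shown below.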
# Legacy CLAUDE_PASSWORD is still honored for back-compat with pre-rename setups.
# HERMES_PASSWORD=change-me-to-a-strong-secret
# Cookie Secure flag (default: on in production, off in dev)
#
# Set to 1 to force the Secure attribute on session cookies even when
# NODE_ENV is not production — useful when terminating TLS at a reverse
# proxy.
# COOKIE_SECURE=1
#
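# Set to 0 when running a plain-HTTP LAN deployment (HOST=0.0.0.0 without
# HTTPS). NODE_ENV=production enables Secure cookies by default; browsers
# drop Secure cookies over http://, so login fails without any visible error.
# Without HTTPS the password and the session cookie cross the network
# unencrypted, so use this setting only on a network you trust.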
# COOKIE_SECURE=0
# Trust proxy-forwarded headers (default: off)
#
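# When running behind a trusted reverse proxy (Traefik, Nginx, Cloudflare,
# Tailscale Serve) that sanitizes x-forwarded-for / x-real-ip, set to 1 so
# that local-request classification and rate-limiting use the real client IP
# instead of the proxy's. Leave this off when clients can reach the workspace
# directly: that is the safe default, because a client that is not behind a
# sanitizing proxy can set these headers itself and so spoof the IP used for
# local-request classification and rate-limiting. If you enable it, make sure
# the proxy is the only network path to the workspace port.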
# TRUST_PROXY=1
# SSE stream activity timeouts (optional)
#
# How long the browser waits without any event before marking a run as stalled.
# The built-in 30s heartbeat resets these timers during normal operation, so
# these only fire when the gateway is genuinely unresponsive.
# Values are in milliseconds. Defaults: 120000 (accepted), 300000 (handoff).
# STREAM_ACCEPTED_TIMEOUT_MS=120000
# STREAM_HANDOFF_TIMEOUT_MS=300000
# Dashboard URL
#
# Where Hermes Agent's dashboard is reachable (default: 127.0.0.1:9119).
# /api/sessions, the conductor mission API, and the upstream kanban plugin
# all live on the dashboard, not the gateway.
# HERMES_DASHBOARD_URL=http://127.0.0.1:9119
# Dashboard session token
#
# Workspace scrapes the dashboard's ephemeral session token from the root HTML
# automatically. Do not copy this token into .env: it changes whenever the
# dashboard restarts and stale values cause 401s on /api/sessions and related APIs.
# Bypass fail-closed startup guard (NOT recommended)
#
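# If you understand the risks and want to run the workspace on 0.0.0.0
# without a password (e.g. behind a custom auth layer), set this to 1.
# With the guard bypassed and no password set, whatever can reach the port
# can reach the terminals, file read/write, agent control and job management
# the workspace exposes, so the custom auth layer must be the only network
# path to it.
# Legacy CLAUDE_ALLOW_INSECURE_REMOTE is still honored for back-compat.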
# HERMES_ALLOW_INSECURE_REMOTE=0
# ═════════════════════════════════════════════════════════════════
# HermesWorld (multiplayer hub + online chip)
# ═════════════════════════════════════════════════════════════════
# Set to 0 to hide the "HermesWorld" link in the sidebar.
# Default is enabled (1).
# VITE_HERMESWORLD_ENABLED=1
# When set, HermesWorld tabs on different devices/networks meet on the hub.
# Without these, multiplayer falls back to BroadcastChannel (same-browser only).
#
# NOTE(review): unlike every other example in this file, the two values below
# are active (not commented out), so a plain `cp .env.example .env` points
# HermesWorld at an externally hosted hub. Comment both lines out to stay on
# the same-browser fallback described above.
# NOTE(review): the VITE_ prefix suggests these are embedded in the client
# bundle (standard Vite behaviour — confirm for this build), so never put a
# secret in a VITE_* variable.
# What HermesWorld sends to the hub is not described in this file; check
# playground-ws-worker/README.md before enabling it on a sensitive deployment.
#
# Public hosted Cloudflare Worker hub:
VITE_PLAYGROUND_WS_URL=wss://hermes-playground-ws.myaurora-agi.workers.dev/playground
VITE_PLAYGROUND_STATS_URL=https://hermes-playground-ws.myaurora-agi.workers.dev/stats
# Run your own hub: see playground-ws-worker/README.md