# Hermes Workspace — Environment Variables
#
# Copy this to .env and adjust as needed:
# cp .env.example .env

# ═══════════════════════════════════════════════════════════════
# LLM Provider — pick ONE (you don't need all of them)
# ═══════════════════════════════════════════════════════════════
# hermes-agent supports many providers. For Docker Compose the agent
# container needs the key for whichever provider you configured in
# ~/.hermes/config.yaml. Common options:
#
# OpenAI Codex / OpenAI-compatible: configure through `hermes setup` / `hermes model`
# OpenAI (GPT / o-series): https://platform.openai.com/api-keys
# OpenRouter (many models, free tier available): https://openrouter.ai/keys
# Google (Gemini): https://aistudio.google.com/app/apikey
# Ollama / local: No key needed — just run `ollama serve`
#
# Uncomment ONLY the key(s) for the providers you actually use.
# See docs/api-key-registry.md for the broader SCOM key inventory and
# rotation checklist.

# ANTHROPIC_API_KEY=sk-ant-...
# NOUS_API_KEY=...
# OPENAI_API_KEY=sk-...
# OPENROUTER_API_KEY=sk-or-v1-...
# GOOGLE_API_KEY=AIza...
# GOOGLE_AI_STUDIO_API_KEY=AIza...
# MINIMAX_API_KEY=...

# ═══════════════════════════════════════════════════════════════
# Optional: Hermes Agent Connection
# ═══════════════════════════════════════════════════════════════

# Hermes Agent WebAPI URL (default: http://127.0.0.1:8642)
# - For Docker: Uses http://hermes-agent:8642 automatically
# - For local dev: Set to http://127.0.0.1:8642
# IMPORTANT: The Hermes Agent gateway HTTP API server is opt-in.
# Add API_SERVER_ENABLED=true to ~/.hermes/.env and restart the gateway.
# Without it, the gateway serves messaging platforms but not port 8642.
# HERMES_API_URL=http://127.0.0.1:8642

# Hermes Agent API token — required when the gateway is authenticated
# (e.g. Docker deployments exposing API_SERVER_HOST=0.0.0.0).
#
# When your Hermes Agent gateway has API_SERVER_KEY set, workspace must send the
# SAME value as HERMES_API_TOKEN here, or requests will be rejected with 401.
#
# ~/.hermes/.env: API_SERVER_KEY=<your-secret>
# hermes-workspace/.env: HERMES_API_TOKEN=<same-secret>
#
# Leave unset for local loopback gateways that don't set API_SERVER_KEY.
# HERMES_API_TOKEN=your-gateway-secret

# Hermes Agent directory (auto-detected if sibling to workspace)
# Set this if hermes-agent is installed elsewhere
# HERMES_AGENT_PATH=/path/to/hermes-agent

# Server port (default: 3000)
# PORT=3000

# ══════════════════════════════════════════════════════════════
# Security
# ══════════════════════════════════════════════════════════════

# Bind address (default: 127.0.0.1)
#
# The workspace exposes terminals, file read/write, agent control, and job
# management. Off-loopback exposure is opt-in. Set HOST=0.0.0.0 only if you
# *also* set HERMES_PASSWORD below. Without a password, the server refuses
# to start on a non-loopback host.
# HOST=127.0.0.1

# Workspace session password (required for any remote deployment)
#
# Enables password protection of the web UI. Tokens are stored encrypted
# in ~/.hermes/workspace-sessions.json. Pick a strong secret (32+ chars).
# Legacy CLAUDE_PASSWORD is still honored for back-compat with pre-rename setups.
# HERMES_PASSWORD=change-me-to-a-strong-secret

# Cookie Secure flag (default: on in production, off in dev)
#
# Set to 1 to force the Secure attribute on session cookies even when
# NODE_ENV is not production — useful when terminating TLS at a reverse
# proxy.
# COOKIE_SECURE=1
#
# Set to 0 when running a plain-HTTP LAN deployment (HOST=0.0.0.0 without
# HTTPS). NODE_ENV=production enables Secure cookies by default; browsers
# silently drop Secure cookies over http://, causing login to silently fail.
# COOKIE_SECURE=0

# Trust proxy-forwarded headers (default: off)
#
# When running behind a trusted reverse proxy (Traefik, Nginx, Cloudflare,
# Tailscale Serve) that sanitizes x-forwarded-for / x-real-ip, set to 1 so
# that local-request classification and rate-limiting use the real client IP
# instead of the proxy's. Leaving this off on a direct-exposure deployment
# is the safe default — otherwise clients can spoof their IP.
# TRUST_PROXY=1

# SSE stream activity timeouts (optional)
#
# How long the browser waits without any event before marking a run as stalled.
# The built-in 30s heartbeat resets these timers during normal operation, so
# these only fire when the gateway is genuinely unresponsive.
# Values are in milliseconds. Defaults: 120000 (accepted), 300000 (handoff).
# STREAM_ACCEPTED_TIMEOUT_MS=120000
# STREAM_HANDOFF_TIMEOUT_MS=300000

# Dashboard URL
#
# Where Hermes Agent's dashboard is reachable (default: 127.0.0.1:9119).
# /api/sessions, the conductor mission API, and the upstream kanban plugin
# all live on the dashboard, not the gateway.
# HERMES_DASHBOARD_URL=http://127.0.0.1:9119

# Dashboard session token
#
# Workspace scrapes the dashboard's ephemeral session token from the root HTML
# automatically. Do not copy this token into .env: it changes whenever the
# dashboard restarts and stale values cause 401s on /api/sessions and related APIs.

# Bypass fail-closed startup guard (NOT recommended)
#
# If you understand the risks and want to run the workspace on 0.0.0.0
# without a password (e.g. behind a custom auth layer), set this to 1.
# Legacy CLAUDE_ALLOW_INSECURE_REMOTE is still honored for back-compat.
# HERMES_ALLOW_INSECURE_REMOTE=0

# ═════════════════════════════════════════════════════════════════
# HermesWorld (multiplayer hub + online chip)
# ═════════════════════════════════════════════════════════════════
# Set to 0 to hide the "HermesWorld" link in the sidebar.
# Default is enabled (1).
# VITE_HERMESWORLD_ENABLED=1

# When set, HermesWorld tabs on different devices/networks meet on the hub.
# Without these, multiplayer falls back to BroadcastChannel (same-browser only).
# Public hosted Cloudflare Worker hub:
VITE_PLAYGROUND_WS_URL=wss://hermes-playground-ws.myaurora-agi.workers.dev/playground
VITE_PLAYGROUND_STATS_URL=https://hermes-playground-ws.myaurora-agi.workers.dev/stats
# Run your own hub: see playground-ws-worker/README.md
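A pre-deployment lint for the rules the Security and Hermes Agent Connection comments above describe, as an added example that is not part of the Hermes Workspace repository: it checks a workspace `.env` (and optionally the gateway's `~/.hermes/.env`) for a non-loopback bind without a password, a weak or placeholder password, a missing Secure cookie flag, proxy-header trust, and a gateway token mismatch. The function names and severity labels are hypothetical, and the example assumes that only the literal values shown in this file (`1`, `0`, `production`) are meaningful and that `NODE_ENV` is read from the same file.

```javascript
// Added example: lints a workspace .env (and the gateway's ~/.hermes/.env)
// against the rules stated in the comments above. Not Hermes code.
const LOOPBACK = new Set(['127.0.0.1', '::1', 'localhost']);

// Minimal KEY=VALUE parser: skips blanks and # comments, strips matching quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

function lintWorkspaceEnv(ws, gateway = {}) {
  const findings = [];
  const host = ws.HOST || '127.0.0.1'; // documented default bind address
  const remote = !LOOPBACK.has(host);
  const password = ws.HERMES_PASSWORD || ws.CLAUDE_PASSWORD || '';
  const bypass = (ws.HERMES_ALLOW_INSECURE_REMOTE || ws.CLAUDE_ALLOW_INSECURE_REMOTE) === '1';

  if (remote && !password) {
    findings.push(bypass
      ? 'HIGH: startup guard bypassed; workspace is remote-reachable with no password'
      : 'ERROR: HOST is non-loopback without HERMES_PASSWORD; server will refuse to start');
  }
  if (password && (password.length < 32 || password.startsWith('change-me'))) {
    findings.push('WARN: HERMES_PASSWORD is a placeholder or shorter than 32 chars');
  }
  // Secure defaults to on in production; an explicit COOKIE_SECURE overrides it.
  const secure = ws.COOKIE_SECURE !== undefined ? ws.COOKIE_SECURE === '1' : ws.NODE_ENV === 'production';
  if (remote && !secure) {
    findings.push('WARN: session cookie lacks Secure on a non-loopback bind; only valid for plain-HTTP LAN');
  }
  if (ws.TRUST_PROXY === '1') {
    findings.push('INFO: TRUST_PROXY=1; confirm every request passes a proxy that sanitizes x-forwarded-for / x-real-ip');
  }
  if (gateway.API_SERVER_KEY && ws.HERMES_API_TOKEN !== gateway.API_SERVER_KEY) {
    findings.push('ERROR: HERMES_API_TOKEN does not match gateway API_SERVER_KEY; requests will get 401');
  }
  return findings;
}

// Constructed sample input (not a real deployment).
const sampleWorkspace = parseEnv('HOST=0.0.0.0\nHERMES_PASSWORD=change-me-to-a-strong-secret\nTRUST_PROXY=1\n# COOKIE_SECURE=1\n');
const sampleGateway = parseEnv('API_SERVER_KEY="s3cret-constructed"\n');
console.log(lintWorkspaceEnv(sampleWorkspace, sampleGateway).join('\n'));
```

An empty result means the file is consistent with the documented defaults; the check says nothing about whether a reverse proxy is actually in front of the workspace.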