بنقرة واحدة
rotate-secrets
Rotate webhook HMACs, API keys, OAuth tokens, and update gateway configs atomically
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Rotate webhook HMACs, API keys, OAuth tokens, and update gateway configs atomically
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
| name | rotate-secrets |
| description | Rotate webhook HMACs, API keys, OAuth tokens, and update gateway configs atomically |
| when_to_use | ["User says \"rotate secrets\" or \"rotate keys\"","Scheduled monthly rotation","After a suspected leak or security incident","Pattern-matched argument like /rotate-secrets webhook_hmac_*"] |
| toolsets | ["terminal","file"] |
| parameters | {"pattern":{"type":"string","description":"Glob pattern for which secrets to rotate (e.g. \"webhook_hmac_*\", \"TWILIO_*\", \"all\")","default":"webhook_hmac_*"}} |
| security | {"trust":"trusted","notes":"Touches ~/.hermes/.env. Never logs or echoes plaintext secret values;\nlogs SHA-256 fingerprints only. Interactive kinds (API keys, PATs)\nrequire an operator in the loop — see the headless/cron note below.\n"} |
| model_hint | google/gemini-3.1-flash |
Rotate secrets in ~/.hermes/.env, propagate the new values to every service that consumes them, and restart only the affected gateways.
Parse the pattern. Match against every key in ~/.hermes/.env. Support glob syntax (*, ?, [abc]) and the literal all.
For each matched key: a. Determine the secret kind from the key name:
*_HMAC_* or *_WEBHOOK_SECRET → generate openssl rand -hex 32*_API_KEY → prompt the user to provide the new value (can't auto-rotate external APIs)GITHUB_*_TOKEN → open https://github.com/settings/tokens and prompt for new PATTWILIO_AUTH_TOKEN → direct user to rotate in Twilio console and prompt for new valueb. Back up the current .env as ~/.hermes/.env.bak.YYYYMMDDHHMMSS before any write.
c. Update the .env atomically. Don't build a sed s/// expression from
the key or value — secret values routinely contain /, &, and \,
which corrupt the substitution (and switching the delimiter to | just
moves the problem). Use exact-match rewrite instead:
tmp=$(mktemp ~/.hermes/.env.XXXXXX)
KEY="$KEY" NEW_VALUE="$NEW_VALUE" awk -F= '
$1 == ENVIRON["KEY"] { print ENVIRON["KEY"] "=" ENVIRON["NEW_VALUE"]; found=1; next }
{ print }
END { if (!found) print ENVIRON["KEY"] "=" ENVIRON["NEW_VALUE"] }
' ~/.hermes/.env > "$tmp" && chmod 600 "$tmp" && mv "$tmp" ~/.hermes/.env
This appends the key if it was missing, keeps 0600 perms, and never
interprets a secret as a regex.
Propagate to external services. For HMAC / webhook secrets, update the remote side:
github MCP to PATCH /repos/{owner}/{repo}/hooks/{hook_id} with config.secretRestart only affected gateways.
TELEGRAM_BOT_TOKEN → hermes gateway restart telegramDISCORD_* → hermes gateway restart discordhermes gateway restart slackhermes gateway restart twilioVerify. Run hermes doctor and fail loud if any gateway is unhealthy post-rotation. If unhealthy, restore from the .env.bak.* backup and report.
Emit a rotation log entry. Append to ~/.hermes/logs/rotations.log:
2026-04-17T14:22:00Z rotated webhook_hmac_github by=user result=ok prev_sha=abc123 new_sha=def456
Store SHA-256 of the secret, never the plaintext.
.env before every run; retain 30 days of backups./rotate-secrets webhook_hmac_*
/rotate-secrets TWILIO_AUTH_TOKEN
/rotate-secrets all # With interactive confirmation per key
Only the HMAC/webhook kinds are fully automatic — API keys and PATs prompt
the operator, and a prompt in a headless cron session never gets answered:
the run stalls until approvals.timeout (or the session's own timeout) kills
it. So:
/rotate-secrets webhook_hmac_* — fine; nothing prompts./rotate-secrets all — don't. It will hang on the first
interactive kind. Run all manually from your admin DM/CLI, monthly.Delegate a PR review to Claude Code with a scoped read-only GitHub PAT
Build human-readable release notes from a range of commits or merged PRs
Weekly LLM cost breakdown by provider / gateway / skill, posted to private DM
Sweep inbox (email + Slack + Telegram DMs) and produce a prioritized action list with suggested replies
Produce a weekly "What's new in Hermes" digest by summarizing merged PRs + active issues from NousResearch/hermes-agent
Run `hermes backup`, encrypt, upload to remote storage, prune old backups