원클릭으로
rotate-secrets
Rotate webhook HMACs, API keys, OAuth tokens, and update gateway configs atomically
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Rotate webhook HMACs, API keys, OAuth tokens, and update gateway configs atomically
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Delegate a PR review to Claude Code with a scoped read-only GitHub PAT
Build human-readable release notes from a range of commits or merged PRs
Weekly LLM cost breakdown by provider / gateway / skill, posted to private DM
Sweep inbox (email + Slack + Telegram DMs) and produce a prioritized action list with suggested replies
Produce a weekly "What's new in Hermes" digest by summarizing merged PRs + active issues from NousResearch/hermes-agent
Run `hermes backup`, encrypt, upload to remote storage, prune old backups
| name | rotate-secrets |
| description | Rotate webhook HMACs, API keys, OAuth tokens, and update gateway configs atomically |
| when_to_use | ["User says \"rotate secrets\" or \"rotate keys\"","Scheduled monthly rotation","After a suspected leak or security incident","Pattern-matched argument like /rotate-secrets webhook_hmac_*"] |
| toolsets | ["terminal","file"] |
| parameters | {"pattern":{"type":"string","description":"Glob pattern for which secrets to rotate (e.g. \"webhook_hmac_*\", \"TWILIO_*\", \"all\")","default":"webhook_hmac_*"}} |
| security | {"trust":"trusted","notes":"Touches ~/.hermes/.env. Never logs or echoes plaintext secret values;\nlogs SHA-256 fingerprints only. Interactive kinds (API keys, PATs)\nrequire an operator in the loop — see the headless/cron note below.\n"} |
| model_hint | google/gemini-3.1-flash |
Rotate secrets in ~/.hermes/.env, propagate the new values to every service that consumes them, and restart only the affected gateways.
Parse the pattern. Match against every key in ~/.hermes/.env. Support glob syntax (*, ?, [abc]) and the literal all.
For each matched key: a. Determine the secret kind from the key name:
*_HMAC_* or *_WEBHOOK_SECRET → generate openssl rand -hex 32*_API_KEY → prompt the user to provide the new value (can't auto-rotate external APIs)GITHUB_*_TOKEN → open https://github.com/settings/tokens and prompt for new PATTWILIO_AUTH_TOKEN → direct user to rotate in Twilio console and prompt for new valueb. Back up the current .env as ~/.hermes/.env.bak.YYYYMMDDHHMMSS before any write.
c. Update the .env atomically. Don't build a sed s/// expression from
the key or value — secret values routinely contain /, &, and \,
which corrupt the substitution (and switching the delimiter to | just
moves the problem). Use exact-match rewrite instead:
tmp=$(mktemp ~/.hermes/.env.XXXXXX)
KEY="$KEY" NEW_VALUE="$NEW_VALUE" awk -F= '
$1 == ENVIRON["KEY"] { print ENVIRON["KEY"] "=" ENVIRON["NEW_VALUE"]; found=1; next }
{ print }
END { if (!found) print ENVIRON["KEY"] "=" ENVIRON["NEW_VALUE"] }
' ~/.hermes/.env > "$tmp" && chmod 600 "$tmp" && mv "$tmp" ~/.hermes/.env
This appends the key if it was missing, keeps 0600 perms, and never
interprets a secret as a regex.
Propagate to external services. For HMAC / webhook secrets, update the remote side:
github MCP to PATCH /repos/{owner}/{repo}/hooks/{hook_id} with config.secretRestart only affected gateways.
TELEGRAM_BOT_TOKEN → hermes gateway restart telegramDISCORD_* → hermes gateway restart discordhermes gateway restart slackhermes gateway restart twilioVerify. Run hermes doctor and fail loud if any gateway is unhealthy post-rotation. If unhealthy, restore from the .env.bak.* backup and report.
Emit a rotation log entry. Append to ~/.hermes/logs/rotations.log:
2026-04-17T14:22:00Z rotated webhook_hmac_github by=user result=ok prev_sha=abc123 new_sha=def456
Store SHA-256 of the secret, never the plaintext.
.env before every run; retain 30 days of backups./rotate-secrets webhook_hmac_*
/rotate-secrets TWILIO_AUTH_TOKEN
/rotate-secrets all # With interactive confirmation per key
Only the HMAC/webhook kinds are fully automatic — API keys and PATs prompt
the operator, and a prompt in a headless cron session never gets answered:
the run stalls until approvals.timeout (or the session's own timeout) kills
it. So:
/rotate-secrets webhook_hmac_* — fine; nothing prompts./rotate-secrets all — don't. It will hang on the first
interactive kind. Run all manually from your admin DM/CLI, monthly.