Added
- Provider key management in Settings — new "Providers" tab lets users add, update, or remove API keys for direct-API providers (Anthropic, OpenAI, Google, DeepSeek, xAI, Mistral, MiniMax, Z.AI, Kimi, Ollama, Ollama Cloud, OpenCode Zen/Go) without editing
.envfiles manually. OAuth providers (Copilot, Nous, OpenAI Codex) are shown as read-only. Keys are stored in~/.hermes/.envand take effect immediately. Panel is fully localised across all 6 locales. (PR #867 by @bergeouss, closes #586)
Security
- Provider write endpoints require authentication or a local/private-network client — same gate as the onboarding setup endpoint
- New
.envfiles are created at0600from the first byte viaos.open; pre-existing files are tightened to0600on every write _ENV_LOCKnow covers the full load → modify → write cycle, preventing a TOCTOU race between concurrent POST requests
Six review-round fixes total applied before merge (B1 auth gate, B2 false-positive key detection, R1 file mode, R2 lock scope, XSS esc(), i18n coverage).
What's Changed
- fix: poll /health after update instead of blind setTimeout (closes #874) by @nesquena-hermes in #875
- release: v0.50.159 — provider key management from Settings (PR #867 by @bergeouss) by @nesquena-hermes in #876
Full Changelog: v0.50.158...v0.50.159