Shadow HERMES_HOME pattern: .env stays local, bucket symlinks in

bootstrap.sh

@@ -4,22 +4,30 @@
 # ============================================================================
 # Creates your own HF bucket from the merve/hermes-agent template, mounts it,
 # installs Hermes, sets up Telegram, and launches the agent.
-# Idempotent: re-runs are safe.
+#
+# Layout:
+#   ~/hermes-bucket     mount of YOUR bucket (config, SOUL, skills, memories, ...)
+#   ~/.hermes-home      HERMES_HOME (LOCAL). Secrets live here, everything else
+#                       is symlinked to ~/hermes-bucket so Hermes data syncs.
+#   ~/.hermes           Hermes Python install (code + venv)
+#
+# Why the shadow dir: Hermes hardcodes its secrets file at $HERMES_HOME/.env
+# and atomically rewrites it on `hermes setup` / sanitization. If HERMES_HOME
+# were the mount, those writes would land in a public bucket. The shadow dir
+# keeps .env local while every other Hermes write still passes through to the
+# bucket via symlink.
 #
 #   bash <(curl -fsSL https://huggingface.co/merve/hermes-agent-bootstrap/resolve/main/bootstrap.sh)
 #
-# What it touches:
-#   <YOUR_HF_USERNAME>/hermes-agent   — your personal bucket (created if missing)
-#   ~/hermes-bucket                   — local mount of your bucket
-#   ~/.hermes-secrets.env             — your local secrets (mode 600, NEVER uploaded)
-#   ~/.hermes/                        — Hermes code + venv
-#   ~/.local/bin/{hf,hermes,hf-mount} — installed CLIs
+# Idempotent: re-runs are safe.
 # ============================================================================
 set -euo pipefail
 
 TEMPLATE="merve/hermes-agent"
 MOUNT="$HOME/hermes-bucket"
-SECRETS="$HOME/.hermes-secrets.env"
+HOME_DIR="$HOME/.hermes-home"
+LEGACY_SECRETS="$HOME/.hermes-secrets.env"
+SECRETS="$HOME_DIR/.env"
 
 G='\033[0;32m'; Y='\033[0;33m'; C='\033[0;36m'; R='\033[0;31m'; N='\033[0m'
 say()  { printf "${C}→${N} %s\n" "$*"; }
@@ -107,7 +115,7 @@ else
 fi
 
 # ----------------------------------------------------------------------------
-# 6. Hermes Agent
+# 6. Hermes Agent install
 # ----------------------------------------------------------------------------
 if ! command -v hermes >/dev/null 2>&1; then
   say "Installing Hermes Agent (this takes a minute)..."
@@ -117,7 +125,38 @@ fi
 ok "Hermes: $(command -v hermes)"
 
 # ----------------------------------------------------------------------------
-# 7. Telegram (required step)
+# 7. Shadow HERMES_HOME — keeps .env local, symlinks everything else to bucket
+# ----------------------------------------------------------------------------
+say "Setting up shadow HERMES_HOME at $HOME_DIR..."
+mkdir -p "$HOME_DIR" "$HOME_DIR/audio_cache" "$HOME_DIR/image_cache" "$HOME_DIR/logs"
+
+# Make sure bucket subdirs that Hermes writes to exist (so symlinks resolve)
+for d in memories cron hooks pairing sessions; do
+  mkdir -p "$MOUNT/$d"
+done
+
+# Files mirrored from the bucket (read mostly; if Hermes ever rewrites one
+# atomically the symlink severs and the local copy takes over — safe but no
+# longer syncing for that file)
+for f in config.yaml SOUL.md README.md .env.example; do
+  ln -sfn "$MOUNT/$f" "$HOME_DIR/$f"
+done
+# Directory trees that Hermes appends to: writes inside flow through to bucket
+for d in skills memories cron hooks pairing sessions; do
+  ln -sfn "$MOUNT/$d" "$HOME_DIR/$d"
+done
+ok "Shadow dir wired: $HOME_DIR (.env stays local, data symlinks → $MOUNT)"
+
+# Migrate legacy secrets file from a previous bootstrap, if present
+if [ -f "$LEGACY_SECRETS" ] && [ ! -f "$SECRETS" ]; then
+  cp "$LEGACY_SECRETS" "$SECRETS"
+  chmod 600 "$SECRETS"
+  warn "Migrated legacy $LEGACY_SECRETS → $SECRETS"
+  warn "  You can delete $LEGACY_SECRETS once you confirm things work."
+fi
+
+# ----------------------------------------------------------------------------
+# 8. Telegram (required step)
 # ----------------------------------------------------------------------------
 printf "\n${C}Telegram setup${N}\n"
 
@@ -162,11 +201,11 @@ except Exception:
 fi
 
 # ----------------------------------------------------------------------------
-# 8. Write secrets file (outside the bucket, mode 600)
+# 9. Write secrets file (LOCAL, never reaches the bucket)
 # ----------------------------------------------------------------------------
 umask 077
 cat > "$SECRETS" <<EOF
-# Hermes secrets — DO NOT commit, DO NOT put in the bucket
+# Hermes secrets — local-only ($HOME_DIR is HERMES_HOME, not a mount)
 HF_TOKEN=$HF_TOKEN_VAL
 TELEGRAM_BOT_TOKEN=$TG_TOKEN
 TELEGRAM_ALLOWED_USERS=$USER_ID
@@ -176,7 +215,7 @@ chmod 600 "$SECRETS"
 ok "Secrets saved to $SECRETS (mode 600)"
 
 # ----------------------------------------------------------------------------
-# 9. Shell aliases
+# 10. Shell aliases
 # ----------------------------------------------------------------------------
 SHELL_NAME="${SHELL##*/}"
 case "$SHELL_NAME" in
@@ -185,29 +224,41 @@ case "$SHELL_NAME" in
   *)    SHELL_RC="$HOME/.profile" ;;
 esac
 
-if ! grep -q "# hermes-bucket aliases" "$SHELL_RC" 2>/dev/null; then
-  cat >> "$SHELL_RC" <<EOF
+# Rewrite the aliases block if we already added one (keeps users on the
+# latest definition — old runs used a different layout)
+if [ -f "$SHELL_RC" ] && grep -q "# hermes-bucket aliases" "$SHELL_RC"; then
+  python3 - "$SHELL_RC" <<'PY'
+import sys, pathlib
+p = pathlib.Path(sys.argv[1])
+text = p.read_text()
+start = text.find("# hermes-bucket aliases")
+if start == -1:
+    sys.exit(0)
+end = text.find("\n\n", start)
+end = len(text) if end == -1 else end
+p.write_text(text[:start].rstrip() + "\n" + text[end:].lstrip("\n"))
+PY
+fi
+
+cat >> "$SHELL_RC" <<EOF
 
-# hermes-bucket aliases (added by bootstrap.sh)
-alias hermes-here='HERMES_HOME=\$HOME/hermes-bucket bash -c "set -a; source \$HOME/.hermes-secrets.env; set +a; exec hermes"'
-alias hermes-gateway='HERMES_HOME=\$HOME/hermes-bucket bash -c "set -a; source \$HOME/.hermes-secrets.env; set +a; exec hermes gateway start"'
+# hermes-bucket aliases (added by bootstrap.sh — safe to remove if you'd rather export HERMES_HOME yourself)
+alias hermes-here='HERMES_HOME=\$HOME/.hermes-home hermes'
+alias hermes-gateway='HERMES_HOME=\$HOME/.hermes-home hermes gateway start'
 EOF
-  ok "Added shell aliases to $SHELL_RC"
-else
-  ok "Shell aliases already present in $SHELL_RC"
-fi
+ok "Shell aliases written to $SHELL_RC"
 
 # ----------------------------------------------------------------------------
-# 10. Summary + launch
+# 11. Summary + launch
 # ----------------------------------------------------------------------------
 cat <<EOF
 
 ${G}✓ Ready.${N}
 
-  Your bucket:  https://huggingface.co/buckets/$BUCKET
-  Mount:        $MOUNT
-  Secrets:      $SECRETS
-  Model:        Qwen/Qwen3.6-35B-A3B  (HF Inference Providers → deepinfra)
+  Your bucket:   https://huggingface.co/buckets/$BUCKET
+  Bucket mount:  $MOUNT
+  HERMES_HOME:   $HOME_DIR   (secrets local; everything else symlinks to mount)
+  Model:         Qwen/Qwen3.6-35B-A3B  (HF Inference Providers → deepinfra)
 
   ${C}hermes-here${N}     — chat in your terminal
   ${C}hermes-gateway${N}  — start Telegram bot (talk from your phone)
@@ -217,8 +268,7 @@ EOF
 if [ -t 0 ] && [ -t 1 ]; then
   say "Launching Hermes now..."
   sleep 1
-  export HERMES_HOME="$MOUNT"
-  set -a; source "$SECRETS"; set +a
+  export HERMES_HOME="$HOME_DIR"
   exec hermes
 else
   say "Run ${C}source $SHELL_RC${N} then ${C}hermes-here${N} to start chatting."