security: generate .env from Space Secrets, remove .env from build

- Dockerfile: remove COPY .env, add COPY .env.example
- start.sh: generate .env from HF Space Secrets (env vars) on first boot
- Persistent .env is preserved across rebuilds once created
- No API keys in git repo anymore

Dockerfile

@@ -75,16 +75,14 @@ RUN mkdir -p /root/.hermes/plugins/image_gen/pollinations
 # Copy config files (to both hermes home AND /app for persistence fallback)
 COPY config.yaml /root/.hermes/config.yaml
 COPY SOUL.md /root/.hermes/SOUL.md
-COPY .env /root/.hermes/.env
 # Keep repo copies in /app as fallback sources for persistent storage recovery
 COPY config.yaml /app/config.yaml
-COPY .env /app/.env
+COPY .env.example /app/.env.example
 COPY entry.py /app/entry.py
 COPY dashboard.html /app/dashboard.html
 COPY plugins/pollinations/ /root/.hermes/plugins/image_gen/pollinations/
 COPY scripts/ /app/scripts/
 
-RUN chmod 600 /root/.hermes/.env
 
 # Startup script
 COPY start.sh /app/start.sh

start.sh

@@ -52,24 +52,37 @@ if [ -z "$WEIXIN_ACCOUNT_ID" ]; then
     fi
 fi
 
-# ── Persist .env across container rebuilds ──
-# WeChat QR login + BFF credential saves write to ~/.hermes/.env
-# Without this, WeChat tokens and other channel credentials are lost on every rebuild
+# -- Persist .env across container rebuilds --
+# Priority: Space Secrets (env vars) > persistent storage
+# SECURITY: .env is NO LONGER in git repo -- use HF Space Secrets
 ENV_FILE="$HERMES_HOME/.env"
 ENV_DATA="/data/hermes/.env"
-if [ -f "$ENV_FILE" ] && [ ! -L "$ENV_FILE" ] && [ ! -f "$ENV_DATA" ]; then
-    # First time: migrate build-time .env to persistent storage
-    cp "$ENV_FILE" "$ENV_DATA"
+
+# Generate .env from Space Secrets (environment variables injected by HF)
+if [ ! -f "$ENV_DATA" ] && [ -n "$OPENROUTER_API_KEY" ]; then
+    echo "Generating .env from Space Secrets..."
+    {
+        echo "OPENROUTER_API_KEY=$OPENROUTER_API_KEY"
+        [ -n "$OPENAI_API_KEY" ] && echo "OPENAI_API_KEY=$OPENAI_API_KEY"
+        [ -n "$OPENAI_BASE_URL" ] && echo "OPENAI_BASE_URL=$OPENAI_BASE_URL"
+        [ -n "$FEISHU_APP_ID" ] && echo "FEISHU_APP_ID=$FEISHU_APP_ID"
+        [ -n "$FEISHU_APP_SECRET" ] && echo "FEISHU_APP_SECRET=$FEISHU_APP_SECRET"
+        echo "GATEWAY_ALLOW_ALL_USERS=true"
+        echo "HERMES_ACCEPT_HOOKS=1"
+        [ -n "$MEMPALACE_PALACE_PATH" ] && echo "MEMPALACE_PALACE_PATH=$MEMPALACE_PALACE_PATH"
+        [ -n "$FIRECRAWL_API_KEY" ] && echo "FIRECRAWL_API_KEY=$FIRECRAWL_API_KEY"
+    } > "$ENV_DATA"
     chmod 600 "$ENV_DATA"
-    echo "Migrated .env to persistent storage"
-elif [ -L "$ENV_FILE" ] && [ ! -f "$ENV_DATA" ]; then
-    # Symlink exists but target is missing (data cleared) — recreate from repo copy
-    if [ -f "/app/.env" ]; then
-        cp "/app/.env" "$ENV_DATA"
-        chmod 600 "$ENV_DATA"
-        echo "Restored .env from repo fallback"
-    fi
+    echo "Created .env from Space Secrets"
 fi
+
+# Fallback: if no secrets and no persistent data
+if [ ! -f "$ENV_DATA" ] && [ -f "/app/.env.example" ]; then
+    cp "/app/.env.example" "$ENV_DATA"
+    echo "WARNING: No .env found. Set API keys via HF Space Secrets!"
+fi
+
+# Always symlink
 if [ ! -L "$ENV_FILE" ]; then
     rm -f "$ENV_FILE"
     ln -sf "$ENV_DATA" "$ENV_FILE"