Z User commited on
Commit ·
692d0b9
1
Parent(s): 62ec96b
security: mask all secrets in build logs (start.sh)
- Add _mask_val() helper to show only first 6 + **** + last 4 chars
- Mask OPENROUTER_API_KEY, FEISHU_APP_SECRET, FIRECRAWL_API_KEY in stdout
- Mask AUTH_TOKEN in startup summary
- Secrets still written correctly to .env file (unchanged)
- Prevents secrets from appearing in public HF Space build logs
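--- a/start.sh
+++ b/start.sh
@@ -58,7 +58,15 @@ fi
 ENV_FILE="$HERMES_HOME/.env"
 ENV_DATA="/data/hermes/.env"
 
+# Helper: mask a secret value for safe logging (show first 6 + **** + last 4)
+_mask_val() {
+local val="$1"
+if [ -z "$val" ] || [ ${#val} -lt 12 ]; then echo "****"; return; fi
+echo "${val:0:6}****${val: -4}"
+}
+
 # Generate .env from Space Secrets (environment variables injected by HF)
+# SECURITY: secrets are written to file ONLY — never echoed to stdout/build logs
 if [ ! -f "$ENV_DATA" ] && [ -n "$OPENROUTER_API_KEY" ]; then
 echo "Generating .env from Space Secrets..."
 {
@@ -73,7 +81,12 @@ if [ ! -f "$ENV_DATA" ] && [ -n "$OPENROUTER_API_KEY" ]; then
 [ -n "$FIRECRAWL_API_KEY" ] && echo "FIRECRAWL_API_KEY=$FIRECRAWL_API_KEY"
 } > "$ENV_DATA"
 chmod 600 "$ENV_DATA"
-echo "Created .env from Space Secrets"
+echo "Created .env from Space Secrets (keys masked below)"
+echo " OPENROUTER_API_KEY=$(_mask_val "$OPENROUTER_API_KEY")"
+[ -n "$OPENAI_API_KEY" ] && echo " OPENAI_API_KEY=$(_mask_val "$OPENAI_API_KEY")"
+[ -n "$FEISHU_APP_ID" ] && echo " FEISHU_APP_ID=$FEISHU_APP_ID"
+[ -n "$FEISHU_APP_SECRET" ] && echo " FEISHU_APP_SECRET=$(_mask_val "$FEISHU_APP_SECRET")"
+[ -n "$FIRECRAWL_API_KEY" ] && echo " FIRECRAWL_API_KEY=$(_mask_val "$FIRECRAWL_API_KEY")"
 fi
 
 # Fallback: if no secrets and no persistent data
@@ -394,7 +407,7 @@ echo "=== All services started ==="
 echo " Gateway: http://127.0.0.1:8642 (with Python watchdog in entry.py)"
 echo " WebUI: http://127.0.0.1:6060"
 echo " Proxy: http://0.0.0.0:7860"
-echo " Auth Token: $AUTH_TOKEN"
+echo " Auth Token: $(_mask_val "$AUTH_TOKEN")"
 echo ""
 
 # Start Python proxy on :7860 (main HF Space port)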
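Review bot: `_mask_val` (new lines 61–66) still discloses 10 characters of any secret at or above its 12-character minimum, and those partial values are then printed for every key on lines 85–89 and for the auth token on line 410, so a public build log still exposes a meaningful fraction of each credential rather than none of it, which is what the SECURITY comment on line 69 and the commit message claim. Keeping only a short suffix and a larger minimum would preserve the "which key is set" signal while giving up far less: `if [ -z "$val" ] || [ ${#val} -lt 16 ]; then echo "****"; return; fi` and `echo "****${val: -4}"`. The `${val:0:6}` / `${val: -4}` substring forms are bash-only, so this relies on the script's shebang (outside these hunks) being bash rather than sh. FEISHU_APP_ID on line 87 is printed unmasked; that looks deliberate if it is an identifier rather than a credential, but a short comment saying so, e.g. `# app id is not a secret; logged in full`, would help the next reader.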