From 16e774083f8b3caa44c5a244b7247c0298a10bf6 Mon Sep 17 00:00:00 2001
From: Stephen Chin
Date: Sat, 2 May 2026 08:08:41 -0700
Subject: [PATCH] fix(hermes-agent): set UMask=0077 on systemd services

The Anthropic OAuth helper writes credential files with the process default umask, resulting in 0644 permissions on sensitive files. Set UMask=0077 on both hermes-gateway and hermes-dashboard services so all files created at runtime are owner-only (0600/0700).

Ref: https://github.com/NousResearch/hermes-agent/issues/11003
---
 install/hermes-agent-install.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/hermes-agent-install.sh b/install/hermes-agent-install.sh
index 3a2fb520..43be60ec 100644
--- a/install/hermes-agent-install.sh
+++ b/install/hermes-agent-install.sh
@@ -69,6 +69,7 @@ Wants=network-online.target
 Type=simple
 User=hermes
 Group=hermes
+UMask=0077
 WorkingDirectory=/home/hermes
 ExecStart=/home/hermes/.local/bin/hermes gateway run --replace
 Environment="HERMES_HOME=/home/hermes/.hermes"
@@ -93,6 +94,7 @@ Wants=network-online.target
 Type=simple
 User=hermes
 Group=hermes
+UMask=0077
 WorkingDirectory=/home/hermes
 ExecStart=/home/hermes/.local/bin/hermes dashboard --host 127.0.0.1 --port 9119 --no-open
 Environment="HERMES_HOME=/home/hermes/.hermes"
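Review bot: `UMask=0077` in the hermes-gateway unit (and the identical line added to the hermes-dashboard unit in the second hunk) only affects files created after the services restart, so credential files already written with 0644 under `/home/hermes/.hermes` stay readable by other local users. The installer should also tighten the existing tree, for example `chmod -R go-rwx /home/hermes/.hermes` before the services are started, guarded for the case where the directory does not exist yet. The umask also applies only to processes systemd launches from these units; if the OAuth helper can run from an interactive `hermes` invocation, which the hunks do not show, those files would still get the shell's umask, so the upstream fix in the referenced issue remains necessary. Both unit definitions begin and end outside the hunks, so whether the script already fixes permissions elsewhere cannot be confirmed from this patch.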