#Session conversation log

Hi all,
Not a support request per say. But I'd like to understand how does the session conversation and logs are handled within Hermes. And what are the good practices.

Currently, session logs capture the full conversation history, including LLM outputs, tool calls, and their specific arguments. I’ve noticed that if a tool requires credentials or sensitive tokens as arguments, these end up stored in the logs in plain text.

1. Is this a normal behavior? If so, isn't this a critical security issue?
2. If the logs are going to be visible in the logs in clear. What is the benefit of having a secret manager?
3. Shouldn't there be a credentials masking or post run cleaning happening for mask/clear those credentials?

Am I misusing the agent and missing something or am I just overhinking? Love to have some insight on this 🙌

Thank you all for the amazing work!!

You are not overthinking it. There are two different things here: logs and session history.

Hermes does redact common secret patterns in the normal log files. agent.log, errors.log, and gateway.log go through the redacting formatter, and common tool outputs like terminal output and file reads are also redacted before they enter the model context.

Session history is different. Hermes persists the conversation so sessions can resume, search, compress, and replay tool-call context. That includes assistant tool calls and their arguments. If a credential is passed in the prompt or passed as a normal tool argument, you should assume it may become part of the model-visible conversation history and may be persisted.

The secret manager is still useful because it avoids that path. When a secret is captured through Hermes’s secret flow, it is stored in .env and the model only gets a success/status message, not the raw value.

The safe pattern is: keep API keys/tokens/passwords in ~/.hermes/.env or the profile .env, have tools read those values from env/config internally, and do not paste credentials into chat or design custom tools where the model has to pass the raw credential as an argument.

If you already passed a real credential through chat or a tool argument, rotate that credential and treat that session as exposed.

This is fair product feedback. We should harden/document this boundary better, especially for custom tools that accept secret-like arguments. The intended boundary today is: logs try to redact, secret capture keeps values away from the model, but session history is not a vault.