2.8 KiB
Agent Discipline: Config Verification
This reference captures hard lessons about agent behavior with configuration.
Rule
Never set a configuration key unless you have verified it exists in the application's documentation, schema, or known-good examples.
If you assume a config key exists and write it to a production config file:
- The application silently ignores it (at best) or crashes (at worst)
- The user's intent is not met
- The agent appears to have fixed the problem when nothing actually changed
- The bad key pollutes the config file and wastes debugging time later
Examples of past violations
fallback_providers— invented, does not exist in Hermes Agent config schema. The real behavior (manual provider switch) was never configured.
Config file corruption during Python editing
Python scripts that read, search/replace, and write YAML config files can corrupt the file structure if the replacement logic is wrong (wrong old_string, partial match, or mismatched indentation). This causes Hermes to fail silently or crash on restart.
This session's example: Replacing api_key: sk-lbh...bWPA in the anita profile config (literally the string sk-lbh...bWPA with the dots) overwrote the real key value with the literal characters sk-lbh...bWPA, causing HTTP 401: Authentication Error every time Anita's gateway tried to authenticate against admin-ai.
Rule: Never use the displayed/redacted version of a credential in a search-and-replace operation. The redacted value shown in a read_file response (e.g. sk-lbh...bWPA) is NOT the real value — the dots are literal characters in the edit buffer but represent truncated content on disk. Always extract the raw value from a hex dump, raw bytes, or the original source file.
Preferred workflow for credential fixing:
# Step 1: Get the exact raw key bytes from the source
python3 -c "
with open('/root/.hermes/config.yaml', 'rb') as f:
for line in f:
if b'api_key:' in line and b'vision' not in line:
print(line.hex())
"
# Step 2: Decode hex to verify the real string
echo '736b2d6c626868...' | xxd -r -p
# Step 3: Write the raw string to the target file
python3 -c "
with open('/root/.hermes/profiles/anita/config.yaml') as f:
content = f.read()
content = content.replace('api_key: VERIFIED_BAD_VALUE', 'api_key: REAL_VALUE')
with open('/root/.hermes/profiles/anita/config.yaml', 'w') as f:
f.write(content)
"
Alternative: Write the entire file fresh using write_file instead of search/replace — less error-prone for small config files.
When a mistake happens
- Acknowledge it immediately
- Remove the bad config key
- Document what the actual approach should be
- Do not repeat the same assumption in the same session or on the same application