# User Environment Notes: ZimaOS / Kimi K2.6

Session-discovered facts about this specific Hermes deployment.

## System
- **OS:** Linux ZimaOS 6.12.25 (x86_64)
- **User:** `az-a`
- **HERMES_HOME:** `/DATA/AppData/hermes`
- **Gateway:** Runs as systemd service `hermes-gateway.service` (auto-restart enabled)

## Hermes CLI Location
The `hermes` binary exists **only** inside the venv:
```
/DATA/AppData/hermes/venv/bin/hermes
```
It is **NOT** in the user's `PATH`. Any CLI invocation must use the full path, or the binary must first be put on `PATH` (for example via `~/.local/bin`).

## Credential & Secrets Layout

Secrets and `.env` files live under `/DATA/AppData/`, NOT under `~/.hermes/`:
- Hermes `.env`: `/DATA/AppData/hermes/.env` (chmod 600)
- Secrets dir: `/DATA/AppData/.secrets/` (chmod 700)
- Cache dir: `/DATA/AppData/hermes/.cache/` — use this, NOT `/DATA/AppData/.cache/` (root-owned, inaccessible)
- Agent binary dir: `/DATA/AppData/hermes/.bin/` — install standalone binaries here (yt-dlp, himalaya, codex, etc.)

## Root / Sudo Boundary
- Agent runs as user `az-a`
- Gateway runs as `root` via systemd service
- `sudo` requires an explicit `NOPASSWD` entry in `/etc/sudoers.d/` for systemctl operations
- Docker commands also require root — the user must grant access if needed

## STT / Whisper Local Setup
- `faster_whisper` Python module is available in the venv
- Cache MUST be under `/DATA/AppData/hermes/.cache/` (root-owned `/DATA/AppData/.cache/` causes PermissionError)
- Env vars needed: `HF_HOME`, `WHISPER_CACHE_DIR`, `XDG_CACHE_HOME` pointing to agent-owned cache
- Gateway restart required after env changes (agent cannot self-restart without sudo)

## Browser Automation
- Chromium with remote debugging runs on `127.0.0.1:18800`
- Launch flags: `--headless --disable-gpu --no-sandbox --disable-dev-shm-usage --remote-debugging-port=18800 --user-data-dir=/tmp/chromium-data`
- `playwright` Python module is NOT installed; raw HTTP requests or `selenium`/`requests_html` may be needed
- Amazon and other strict sites block headless automation frequently

## Installing CLI Tools (No pip/apt)

ZimaOS does not have standard package managers for user `az-a`. Pattern for standalone binaries:
```
curl -sL -o /DATA/AppData/hermes/.bin/TOOL 'https://.../TOOL-linux-x86_64' && chmod +x ...
```

- Successfully installed: yt-dlp, himalaya, codex.
- Fails: `pip install` (no pip in the venv), `cargo install` (no Rust), `npm` (no Node).

## Telegram Gateway Security Lockdown

User requirement: **ONLY this chat, NEVER any other platform (no email, no Discord, no Slack, no other Telegram chat).**

Verified configuration in `/DATA/AppData/hermes/.env`:
```
TELEGRAM_BOT_TOKEN=...
TELEGRAM_ALLOWED_USERS=<user_telegram_id>     # Only this user
TELEGRAM_HOME_CHANNEL=<user_telegram_id>      # Only this chat
TELEGRAM_HOME_CHANNEL_THREAD_ID=             # Empty = no group threads
```

And in `config.yaml`:
```yaml
gateway:
  platforms:
    telegram:
      enabled: true
```
No other platforms configured. No email, no Discord, no Slack, no WhatsApp, no Signal.

**Never suggest adding other platforms or gateways without explicit user approval.** This is a hard security boundary, not a default setting.
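As an added check, not part of the original notes or of Hermes itself: a small Python audit that flags drift from the lockdown above. It assumes the `.env` keys and the two-space `config.yaml` layout shown in the two snippets, reads file modes with `os.stat`, and uses a made-up Telegram id (`123456789`) in the constructed sample.

```python
import os
import re

# Constructed sample `.env` after the verified configuration above (token redacted, id 123456789 made up).
SAMPLE_ENV = """\
TELEGRAM_BOT_TOKEN=<redacted>
TELEGRAM_ALLOWED_USERS=123456789     # Only this user
TELEGRAM_HOME_CHANNEL=123456789      # Only this chat
TELEGRAM_HOME_CHANNEL_THREAD_ID=     # Empty = no group threads
"""

def parse_env(text):  # KEY=VALUE lines; trailing '# comment' dropped; empty values kept as ''
    parts = (raw.split("#", 1)[0].partition("=") for raw in text.splitlines())
    return {key.strip(): value.strip() for key, sep, value in parts if sep}

def enabled_platforms(yaml_text):  # platforms with `enabled: true`; two-space indent assumed, no PyYAML
    found, current, in_platforms = [], None, False
    for raw in yaml_text.splitlines():
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if line == "platforms:":
            in_platforms = True
        elif in_platforms and indent == 4 and line.endswith(":"):
            current = line[:-1]
        elif in_platforms and indent == 6 and re.fullmatch(r"enabled:\s*true", line):
            found.append(current)
    return found

def audit_lockdown(env, platforms, env_mode, secrets_mode):  # [] means the lockdown holds
    findings = []
    for name, mode, want in ((".env", env_mode, 0o600), ("secrets dir", secrets_mode, 0o700)):
        if mode != want:
            findings.append(f"{name} mode {mode:o}, expected {want:o}")
    users = [u for u in re.split(r"[,\s]+", env.get("TELEGRAM_ALLOWED_USERS", "")) if u]
    if len(users) != 1:
        findings.append("TELEGRAM_ALLOWED_USERS must list exactly one user id")
    elif env.get("TELEGRAM_HOME_CHANNEL") != users[0]:
        findings.append("TELEGRAM_HOME_CHANNEL must be that user's chat")
    if env.get("TELEGRAM_HOME_CHANNEL_THREAD_ID", ""):
        findings.append("TELEGRAM_HOME_CHANNEL_THREAD_ID must be empty (no group threads)")
    if extra := sorted(p for p in platforms if p != "telegram"):
        findings.append("other platforms enabled: " + ", ".join(extra))
    return findings

def audit_files(env_path, config_path, secrets_dir):  # the same audit against the real files
    mode = lambda path: os.stat(path).st_mode & 0o777
    with open(env_path) as env_file, open(config_path) as config_file:
        return audit_lockdown(parse_env(env_file.read()), enabled_platforms(config_file.read()),
                              mode(env_path), mode(secrets_dir))
```

`audit_files('/DATA/AppData/hermes/.env', '/DATA/AppData/hermes/config.yaml', '/DATA/AppData/.secrets')` runs it against the live files (the `config.yaml` location under `HERMES_HOME` is an assumption); anything it returns is a deviation from the boundary stated above.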

## Multi-Drive Search Protocol

User has **at least two drives**:
- `/DATA` (system / AppData)
- `/DATA/.media/HDD_1TB` (HDD, large media storage)

**Always search both** before concluding a file does not exist. Pattern:
1. Search primary: `/DATA/AppData/...`
2. Search secondary: `/DATA/.media/HDD_1TB/...`
3. If neither has it, search broader paths with `find`

Never assume a file is missing just because it's not in one location.

## User Credential Handling Pattern

When asked to set up accounts or services, the user **prefers providing credentials directly in chat** and expects the agent to handle everything end-to-end without asking for permission at each step. He explicitly stated: *"I'll just give you my credentials and you keep trying until it works. I don't care how you do it!"*

**Protocol:**
1. Accept the credentials when offered
2. Use them immediately to complete the setup
3. **Do NOT store them persistently** in memory or skills (never write the raw password)
4. Confirm completion
5. Discard the credentials from active context

This applies to service logins, OAuth, API setups — any auth flow the user wants handled.