Harden env parsing and writes (#814)

packages/server/src/services/config-helpers.ts

@@ -88,7 +88,14 @@ export async function updateConfigYaml<T = void>(
 
 // --- .env helpers ---
 
+function assertValidEnvKey(key: string): void {
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+    throw new Error(`Invalid .env key: ${JSON.stringify(key)}`)
+  }
+}
+
 export async function saveEnvValue(key: string, value: string): Promise<void> {
+  assertValidEnvKey(key)
   const envPath = getActiveEnvPath()
   await safeFileStore.updateText(envPath, (raw) => {
     const remove = !value

packages/server/src/services/hermes/agent-bridge/hermes_bridge.py

@@ -185,29 +185,27 @@ def _profile_home(profile: str | None) -> Path:
 def _read_dotenv(path: Path) -> dict[str, str]:
     if not path.exists():
         return {}
+    values: dict[str, str] = {}
     try:
-        from dotenv import dotenv_values
-
-        values = dotenv_values(path)
-        return {str(k): str(v) for k, v in values.items() if k and v is not None}
-    except Exception:
-        values: dict[str, str] = {}
-        try:
-            for line in path.read_text(encoding="utf-8").splitlines():
-                stripped = line.strip()
-                if not stripped or stripped.startswith("#") or "=" not in stripped:
-                    continue
-                key, value = stripped.split("=", 1)
-                key = key.strip()
-                value = value.strip()
-                if not key:
-                    continue
-                if (value.startswith('"') and value.endswith('"')) or (value.startswith("'") and value.endswith("'")):
-                    value = value[1:-1]
-                values[key] = value
-        except Exception:
-            return {}
+        for line in path.read_text(encoding="utf-8").splitlines():
+            stripped = line.strip()
+            if not stripped or stripped.startswith("#") or "=" not in stripped:
+                continue
+            if stripped.startswith("export "):
+                stripped = stripped[7:].strip()
+            key, value = stripped.split("=", 1)
+            key = key.strip()
+            if not key or not (key[0].isalpha() or key[0] == "_"):
+                continue
+            if not all(ch.isalnum() or ch == "_" for ch in key):
+                continue
+            value = value.strip()
+            if (value.startswith('"') and value.endswith('"')) or (value.startswith("'") and value.endswith("'")):
+                value = value[1:-1]
+            values[key] = value
         return values
+    except Exception:
+        return {}
 
 
 def _profile_dotenv_keys() -> set[str]: