Hermes Memory Stack must not include or collect secrets.
Do not commit:
- API keys
- OAuth tokens
- Google cookies
- NotebookLM storage_state.json
- Hermes personal memory exports
- private ~/.hermes/config.yaml
- private .env files
The installer creates or appends blank env-var placeholders by default. Users fill real values locally.
Exception: when the local Hermes default provider is GPT OAuth (openai-codex), the installer may ask whether to reuse the current local OAuth access token for Hindsight local-embedded LLM calls. This is opt-in, local-only behavior. If accepted, the installer reads the token from the user's existing ~/.hermes/auth.json and writes it only to local env files such as ~/.hermes/.env and ~/.hindsight/profiles/hermes.env. The token is never bundled, printed, or committed.
NotebookLM and future NotebookLM source-pack automation are also opt-in. The pack may install CLI tools, public example configs, and local helper scripts, but it must not bundle or copy Google cookies, storage_state.json, browser profiles, NotebookLM account data, private notebooks, local source-pack manifests, history files, snapshots, bundles, or source bodies into this repository. Source-pack runtime state belongs outside the repo, for example under ~/.notebooklm-source-packs/<pack>/, and should remain secret-free URL/hash/source-id metadata only. Source-pack refresh automation should target public documentation roots by default and should require explicit user intent before uploading private/local files to Google-hosted NotebookLM.
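
One way to enforce the "Do not commit" list and the blank-placeholder rule before a commit, as an added example that is not code from the Hermes Memory Stack repository. The template suffixes, the treatment of auth.json as a forbidden name, and the matching rules are assumptions of this example; the caller is expected to supply staged paths and their contents.

```python
import re
from pathlib import PurePosixPath

# File names come from the policy text; the matching rules are this example's assumptions.
SECRET_NAMES = {"storage_state.json", "auth.json"}
TEMPLATE_SUFFIXES = (".example", ".template")  # hypothetical naming for public example configs
# Matches KEY=value and export KEY=value; comment lines never match.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def is_env_file(name):
    """True for .env, hermes.env, .env.local; False for .env.example templates."""
    if name.endswith(TEMPLATE_SUFFIXES):
        return False
    return name == ".env" or name.endswith(".env") or name.startswith(".env.")


def path_violation(path):
    """Return a reason string if the staged path must not be committed, else None."""
    p = PurePosixPath(path)
    if p.name in SECRET_NAMES:
        return f"{path}: credential/session file"
    if is_env_file(p.name):
        return f"{path}: private env file"
    if p.name == "config.yaml" and ".hermes" in p.parts:
        return f"{path}: private Hermes config"
    return None


def filled_placeholders(env_text):
    """Return variable names whose value is not blank in an env template."""
    filled = []
    for line in env_text.splitlines():
        m = ASSIGNMENT.match(line)
        if m and m.group(2).strip("'\"") != "":
            filled.append(m.group(1))
    return filled


def check_staged(files):
    """files: {path: text}. Returns a list of findings; empty means safe to commit."""
    findings = []
    for path, text in files.items():
        reason = path_violation(path)
        if reason:
            findings.append(reason)
        elif PurePosixPath(path).name.endswith(TEMPLATE_SUFFIXES):
            findings += [f"{path}: {name} is not blank" for name in filled_placeholders(text)]
    return findings
```

In a git hook, the input would be built from `git diff --cached --name-only` and the staged blob contents, and a non-empty result would abort the commit.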