docs/install/migrating-hermes.md
The bundled Hermes migration provider detects state at ~/.hermes, previews every change before applying, redacts secrets in plans and reports, and writes a verified OpenClaw backup before it touches anything.
```bash
openclaw onboard --flow import
```
Or point at a specific source:
```bash
openclaw onboard --import-from hermes --import-source ~/.hermes
```
```bash
openclaw migrate hermes --dry-run # preview only
openclaw migrate apply hermes --yes # apply with confirmation skipped
```
Add `--from <path>` when Hermes lives outside `~/.hermes`.
The provider copies these into the migration report directory for manual review, but does not load them into live OpenClaw config or credentials:
plugins/sessions/logs/cron/mcp-tokens/state.dbOpenClaw refuses to execute or trust this state automatically because formats and trust assumptions can drift between systems. Move what you need by hand after reviewing the archive.
The plan lists everything that will change, including conflicts, skipped items, and sensitive items. Nested secret-looking keys are redacted in the output.
OpenClaw creates and verifies a backup before applying. This non-interactive example imports non-secret state only. Run without `--yes` to answer the credential prompt interactively, or add `--include-secrets` to include supported credentials in an unattended run.
[Doctor](/gateway/doctor) reapplies any pending config migrations and checks for issues introduced during the import.
Confirm the gateway is healthy and your imported model, memory, and skills are loaded.
Apply refuses to continue when the plan reports conflicts (a file or config value already exists at the target).
<Warning> Rerun with `--overwrite` only when replacing the existing target is intentional. Providers may still write item-level backups for overwritten files in the migration report directory. </Warning>Conflicts are unusual on a fresh install. They typically show up when you re-run the import against a setup that already has user edits.
If a conflict surfaces mid-apply (for example, an unexpected race on a config file), Hermes marks remaining dependent config items as skipped with reason blocked by earlier apply conflict instead of writing them partially. The migration report records each blocked item so you can resolve the original conflict and rerun the import.
Interactive openclaw migrate asks whether to import detected auth credentials, with yes selected by default.
auth.json, plus the supported .env keys. Hermes's own auth.json OAuth entries are reported for manual OpenAI reauth or doctor repair instead.--no-auth-credentials, or answer no at the prompt, to import non-secret state only.--include-secrets to import credentials in an unattended --yes run.--import-secrets flag to import credentials from the wizard.openclaw migrate hermes --dry-run --json
openclaw migrate apply hermes --json --yes
With --json and no --yes, apply prints the plan and does not mutate state — the safest mode for CI and shared scripts.
openclaw migrate: full CLI reference, plugin contract, and JSON shapes.SOUL.md, AGENTS.md, and memory files live.