Merged
22 changes: 22 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,28 @@

Dated list of meaningful guide updates. Roughly [Keep a Changelog](https://keepachangelog.com) flavored.

## 2026-06-03 — Part 19 security schema fixes

### Fixed
- **Part 19 — Security Playbook**: rewrote the configuration examples to match
the real Hermes Agent schema. The previous rev documented a top-level
`security:` block with `provenance` trust-labeling, `approval.require_approval`
regex + `denylist`, `approval_channels`, `bypass_subagents`, `secrets.scope` /
`secrets.env_access`, and a `security.network.egress_allowlist` — **none of
which exist in Hermes**. Replaced with the actual primitives: top-level
`approvals:` (`mode: manual|smart|off`, `timeout`, `cron_mode`,
`mcp_reload_confirm`, `destructive_slash_confirm`), the native
`tools/approval.py` dangerous-command detector, the always-on
`UNRECOVERABLE_BLOCKLIST`, `command_allowlist:` (human-readable pattern
descriptions), `.env` user allowlists (`TELEGRAM_ALLOWED_USERS`,
`GATEWAY_ALLOWED_USERS`, …) + DM pairing, `security.redact_secrets`, optional
`security.tirith_*` scanning, automatic credential scoping for subprocesses,
`terminal.backend` isolation, and `mcp_servers.<name>.tools.include/exclude`.
Added the SECURITY.md framing that OS-level isolation (terminal-backend or
whole-process wrapping via Docker/Compose or NVIDIA OpenShell — where real
network egress control lives) is the only boundary; in-process controls are
heuristics. Resolves [#19](https://github.com/OnlyTerp/hermes-optimization-guide/issues/19).

## 2026-05-27 — LightRAG model setup refresh

### Changed
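Review bot: the CHANGELOG wording is ambiguous about whether `security:` itself exists. The entry says the previous rev "documented a top-level `security:` block with ... none of which exist in Hermes", then lists `security.redact_secrets` and optional `security.tirith_*` among the real primitives, so a reader can conclude the whole `security:` block is fictional when only the named sub-keys are. Suggest rewording to something like "a top-level `security:` block carrying `provenance`, `approval.*`, `secrets.*` and `network.egress_allowlist` sub-keys, none of which exist" so the surviving `security.redact_secrets` / `security.tirith_*` keys are clearly distinguished from the removed ones.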
2 changes: 1 addition & 1 deletion part17-mcp-servers.md
Expand Up @@ -198,7 +198,7 @@ mcp_servers:
sampling_model: gpt-5-mini # Optional: pin a cheaper model for sampling
```

**Security note:** Sampling means an MCP server can burn your tokens. Only enable it for servers you trust. See [Part 19](./part19-security-playbook.md#mcp-server-trust-model).
**Security note:** Sampling means an MCP server can burn your tokens. Only enable it for servers you trust. See [Part 19](./part19-security-playbook.md#layer-5-mcp-and-plugin-trust).

---

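Review bot: the new anchor cannot be verified from this PR because the part19-security-playbook.md diff is collapsed. Before this change, this file used `#mcp-server-trust-model` while skills/dev/pr-review/SKILL.md used `#layer-6-mcp-server-trust-model` for what was presumably the same section, so anchors in this guide have drifted before; suggest running a markdown link checker over the repo as part of this PR so `#layer-5-mcp-and-plugin-trust` is confirmed to resolve to a real heading in the rewritten Part 19.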
2 changes: 1 addition & 1 deletion part18-coding-agents.md
Expand Up @@ -243,7 +243,7 @@ delegation:
- "curl * | bash"
```

See [Part 19](./part19-security-playbook.md#approval-and-denylist-layers) for the full story. Approval bypass inheritance landed in v0.10 ([Part 16](./part16-backup-debug.md#approval-bypass-for-trusted-subagents)) — use it for trusted specialists, not for every agent.
See [Part 19](./part19-security-playbook.md#layer-2-dangerous-command-approval) for the full story. Approval bypass inheritance landed in v0.10 ([Part 16](./part16-backup-debug.md#approval-bypass-for-trusted-subagents)) — use it for trusted specialists, not for every agent.

---

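Review bot: the unchanged context above the link (a `delegation:` block ending in `- "curl * | bash"`) should be rechecked against the schema this PR corrects. The CHANGELOG in this same PR states that the regex `denylist` approach was never a real Hermes primitive and that `command_allowlist:` takes human-readable pattern descriptions, so if this Part 18 example expresses the old denylist idea, updating only the anchor leaves the example inconsistent with the rewritten Part 19 it now points to.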
389 changes: 189 additions & 200 deletions part19-security-playbook.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion part21-remote-sandboxes.md
Expand Up @@ -257,7 +257,7 @@ Each project has its own workspace with its own deps, env, and git state. Hermes

### Pattern C: Sandboxed MCP Servers

Route untrusted MCP servers (see [Part 19](./part19-security-playbook.md#mcp-server-trust-model)) into a sandbox:
Route untrusted MCP servers (see [Part 19](./part19-security-playbook.md#layer-5-mcp-and-plugin-trust)) into a sandbox:

```yaml
mcp_servers:
2 changes: 1 addition & 1 deletion skills/dev/pr-review/SKILL.md
Expand Up @@ -87,4 +87,4 @@ Never combine. The Claude Code sub-session only sees the read PAT in its env, an
## See also

- [Part 18: Coding Agents](../../../part18-coding-agents.md)
- [Part 19: GitHub MCP trust model](../../../part19-security-playbook.md#layer-6-mcp-server-trust-model)
- [Part 19: MCP and plugin trust](../../../part19-security-playbook.md#layer-5-mcp-and-plugin-trust)
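Review bot: the old slug `#layer-6-mcp-server-trust-model` becoming `#layer-5-mcp-and-plugin-trust` shows that Part 19's layer numbering shifted in this PR. Any reference to a `part19-security-playbook.md#layer-N-...` anchor in files not touched here would now be stale; suggest grepping the repo for `part19-security-playbook.md#layer-` before merge and fixing any remaining old-numbered anchors in the same change.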
2 changes: 1 addition & 1 deletion skills/ops/telegram-triage/SKILL.md
Expand Up @@ -80,5 +80,5 @@ gateways:

## See also

- [Part 19 provenance labels](../../../part19-security-playbook.md#layer-1-input-origin-labeling)
- [Part 19: user authorization](../../../part19-security-playbook.md#layer-1-user-authorization--who-can-talk-to-the-agent)
- [Part 4 Telegram setup](../../../part4-telegram-setup.md)
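Review bot: this link changes concept, not just target: it moves from "provenance labels" (which the CHANGELOG in this PR says never existed in Hermes) to user authorization. Since only the See-also line is in the hunk, confirm that the skill body above it does not still describe provenance or trust-labeling of Telegram input, and consider a second See-also entry for the `.env` user allowlist (`TELEGRAM_ALLOWED_USERS`) and DM pairing material named in the CHANGELOG if the triage skill depends on it.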