diff --git a/CLAUDE.md b/CLAUDE.md
index 8787ede..ce2500a 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -116,7 +116,24 @@ Two credential types: `static` (default) for API keys and `oauth` for OAuth acce
 
 `sluice binding update --destination` also updates the paired auto-created allow rule (tagged `binding-add:<credential>` or `cred-add:<credential>`) so the new destination is not orphaned. If no paired rule exists (e.g. because it was manually removed), the binding destination is still updated and a warning is printed. No fallback rule is created so an operator's intentional removal is not silently reverted. `--env-var` on binding update can be used to change or clear the env var name after the initial binding was created.
 
-Runtime flags: `--mcp-base-url` sets the external URL the agent uses to reach sluice's MCP gateway (e.g. `http://sluice:3000`). This is added to `SelfBypass` so sluice does not policy-check its own MCP traffic. Defaults to deriving from `--health-addr`.
+Runtime flags: `--mcp-base-url` sets the external URL the agent uses to reach sluice's MCP gateway (e.g. `http://sluice:3000`). This is added to `SelfBypass` so sluice does not policy-check its own MCP traffic. Defaults to deriving from `--health-addr`. `--agent <profile>` selects an agent profile (`openclaw`, `hermes`); the profile controls the env file path inside the container, the secrets-reload mechanism, and the MCP wiring command. The default is `openclaw`. May also be set via `SLUICE_AGENT_PROFILE`.
+
+## Agent Profiles
+
+Profiles abstract per-agent runtime conventions so sluice's container managers stay agent-agnostic. Each profile carries `EnvFileRelPath` (where to write phantom-token env vars), `ReloadCmd` (argv to exec for in-place secret reload, or nil), and `WireMCPCmd` (argv to register sluice as an MCP server in the agent's config).
+
+| Profile | Env file | Reload | MCP wiring |
+|---------|----------|--------|------------|
+| `openclaw` (default) | `~/.openclaw/.env` | `node -e <gateway_rpc.js> secrets.reload` over the agent's WebSocket gateway | `node -e <gateway_rpc.js> wire-mcp <name> <url>` patches `mcp.servers.<name>` |
+| `hermes` | `~/.hermes/.env` | None — Hermes has no documented in-place reload; new env values take effect on next message / restart | `python3 -c <script> <name> <url>` patches `mcp_servers.<name>.url` in `~/.hermes/config.yaml` (idempotent; relies on PyYAML which Hermes already requires) |
+
+Adding a new profile is a single edit to `internal/container/agent_profile.go`: register a struct in `builtinProfiles`. All three container backends (Docker, Apple Container, tart) consume the profile through `BuildEnvInjectionScriptForProfile`, `profile.ReloadCmd()`, and `profile.WireMCPCmd()`, so backend code does not need to know about specific agents.
+
+Hermes-specific caveats:
+
+- `ReloadCmd` is nil; `ReloadSecrets` logs a notice and returns nil. New phantom tokens take effect on the next Hermes message or `/reload-mcp` slash command.
+- `WireMCPCmd` rewrites `~/.hermes/config.yaml` directly. Hermes picks up the change on its next startup or via `/reload-mcp` from the chat session — sluice cannot trigger that command remotely.
+- Hermes' Modal, Daytona, and Vercel Sandbox terminal backends run code on third-party infrastructure that sluice cannot intercept. The local and Docker Hermes backends are the supported targets for sluice's network-layer governance.
 
 ## MCP Gateway Setup
 
@@ -126,9 +143,11 @@ OpenClaw connects to sluice's MCP gateway via Streamable HTTP. This is a one-tim
 docker exec openclaw openclaw mcp set sluice '{"url":"http://sluice:3000/mcp"}'
 ```
 
-For the hostname `sluice` to resolve inside OpenClaw, the compose file pins sluice's IP on the internal network (172.30.0.2) and adds an `extra_hosts` entry on tun2proxy (which OpenClaw shares). Docker's embedded DNS (127.0.0.11) is not reachable from OpenClaw because its DNS is routed through the TUN device. The `/etc/hosts` entry bypasses DNS entirely.
+For Hermes, the equivalent runs once at sluice startup via `WireMCPGateway` and writes `mcp_servers.sluice.url` into `~/.hermes/config.yaml`. Trigger Hermes' `/reload-mcp` slash command (or restart Hermes) once after first wire-up so it picks up the new server.
+
+For the hostname `sluice` to resolve inside the agent container, the compose file pins sluice's IP on the internal network (172.30.0.2) and adds an `extra_hosts` entry on tun2proxy (which the agent shares). Docker's embedded DNS (127.0.0.11) is not reachable from the agent because its DNS is routed through the TUN device. The `/etc/hosts` entry bypasses DNS entirely.
 
-MCP upstreams can be managed via `sluice mcp add|list|remove`, the REST API (`/api/mcp/upstreams`), or the Telegram bot (`/mcp add|list|remove`). All three paths write to the same SQLite store. After any addition or removal, restart sluice so the gateway re-reads the upstream set. OpenClaw does not need to be restarted: its connection to `sluice:3000/mcp` is registered once at sluice startup (via `WireMCPGateway`, which patches `mcp.servers.sluice = {url: ...}` in the agent's openclaw.json) and stays valid across sluice restarts. The agent re-queries the tool list on subsequent agent runs.
+MCP upstreams can be managed via `sluice mcp add|list|remove`, the REST API (`/api/mcp/upstreams`), or the Telegram bot (`/mcp add|list|remove`). All three paths write to the same SQLite store. After any addition or removal, restart sluice so the gateway re-reads the upstream set. The agent does not need to be restarted: its connection to `sluice:3000/mcp` is registered once at sluice startup (via `WireMCPGateway`) and stays valid across sluice restarts. The agent re-queries the tool list on subsequent runs.
 
 The Telegram `/mcp add` path auto-deletes the chat message because `--env KEY=VAL` pairs may contain secrets (use `KEY=vault:name` to keep the plaintext out of the SQLite store and `/mcp list` output entirely).
 
diff --git a/README.md b/README.md
index 65e4ff3..63f9e21 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# :shield: Sluice — Credential Governance Proxy for OpenClaw
+# :shield: Sluice — Credential Governance Proxy for AI Agents
 
 [![Tests](https://github.com/nnemirovsky/sluice/actions/workflows/test.yml/badge.svg)](https://github.com/nnemirovsky/sluice/actions/workflows/test.yml)
 [![E2E](https://github.com/nnemirovsky/sluice/actions/workflows/e2e-linux.yml/badge.svg)](https://github.com/nnemirovsky/sluice/actions/workflows/e2e-linux.yml)
@@ -13,18 +13,18 @@ Keeps real secrets out of the agent, enforces per-request policy on every connec
 
 AI agents need credentials to be useful. Giving them real credentials is dangerous.
 
-**The problem:** OpenClaw makes API calls, opens network connections, and invokes MCP tools. Without governance, it can leak secrets in tool outputs, connect to unexpected endpoints, or make destructive API calls. No existing tool combines credential isolation, human approval, all-protocol interception, and MCP-level governance in one place.
+**The problem:** Agents like [OpenClaw](https://openclaw.ai) and [Hermes](https://github.com/NousResearch/hermes-agent) make API calls, open network connections, and invoke MCP tools. Without governance, they can leak secrets in tool outputs, connect to unexpected endpoints, or make destructive API calls. No existing tool combines credential isolation, human approval, all-protocol interception, and MCP-level governance in one place.
 
-**The solution:** Sluice intercepts everything at two layers and never gives OpenClaw real credentials.
+**The solution:** Sluice intercepts everything at two layers and never gives the agent real credentials.
 
 | Layer | What it sees | What it governs |
 |-------|-------------|-----------------|
 | **MCP Gateway** | Tool names, arguments, responses | File writes, exec, deletions, any MCP tool call |
 | **SOCKS5 Proxy** | Every TCP and UDP connection | HTTP, HTTPS, WebSocket, gRPC, SSH, IMAP, SMTP, DNS, QUIC/HTTP3 |
 
-**Phantom token swap:** OpenClaw gets phantom tokens that look like real API keys, injected as environment variables via `docker exec` (no shared volume needed). Sluice's MITM proxy swaps them for real credentials in-flight. If a phantom token leaks, it is useless outside the proxy. OAuth credentials are handled bidirectionally: sluice intercepts token endpoint responses, captures real tokens, and returns phantom tokens to the agent. The entire OAuth lifecycle (initial auth, token refresh, token rotation) is transparent.
+**Phantom token swap:** the agent gets phantom tokens that look like real API keys, injected as environment variables via `docker exec` (no shared volume needed). Sluice's MITM proxy swaps them for real credentials in-flight. If a phantom token leaks, it is useless outside the proxy. OAuth credentials are handled bidirectionally: sluice intercepts token endpoint responses, captures real tokens, and returns phantom tokens to the agent. The entire OAuth lifecycle (initial auth, token refresh, token rotation) is transparent.
 
-**Human approval:** Connections and tool calls matching "ask" policy rules trigger a notification via Telegram or HTTP webhook. OpenClaw blocks until a human responds with Allow or Deny.
+**Human approval:** Connections and tool calls matching "ask" policy rules trigger a notification via Telegram or HTTP webhook. The agent blocks until a human responds with Allow or Deny.
 
 **Credential isolation:** Real secrets live in an encrypted vault (age, HashiCorp Vault, 1Password, Bitwarden, KeePass, or gopass). They are decrypted into zeroed memory only at injection time and never exposed to the agent process.
 
@@ -69,6 +69,22 @@ flowchart LR
 
 ## Quick Start
 
+### Choosing an agent profile
+
+Sluice ships with profiles for the agents it knows about. The profile controls where credentials are written inside the container, how secret reload is signalled, and how sluice's MCP gateway is registered in the agent's config.
+
+| Profile | Env file | In-place reload | MCP wiring |
+|---------|----------|-----------------|------------|
+| `openclaw` (default) | `~/.openclaw/.env` | Gateway WebSocket RPC (`secrets.reload`) | Patches `mcp.servers.<name>` via gateway RPC |
+| `hermes` | `~/.hermes/.env` | None — picked up on next agent run | Patches `mcp_servers.<name>.url` in `~/.hermes/config.yaml` (requires `python3` + `pyyaml` in the container, both shipped with Hermes) |
+
+Select with `--agent <name>` (or `SLUICE_AGENT_PROFILE=<name>`). The default is `openclaw` so existing setups need no changes.
+
+For Hermes specifically, two follow-up notes:
+
+- Sluice cannot trigger Hermes' `/reload-mcp` slash command after wiring; either restart Hermes once after `sluice` first writes the config, or invoke `/reload-mcp` from your Hermes chat session.
+- Hermes' Modal/Daytona/Vercel Sandbox terminal backends run code on third-party infrastructure that sluice cannot intercept. Use the `local` or `docker` Hermes backend if you want sluice's network governance to apply.
+
 ### Docker (Linux)
 
 The recommended setup for Linux. Three containers share a network namespace: sluice (proxy), tun2proxy (routes all traffic through SOCKS5), and OpenClaw.
diff --git a/cmd/sluice/main.go b/cmd/sluice/main.go
index 9e7cd6d..3e9926c 100644
--- a/cmd/sluice/main.go
+++ b/cmd/sluice/main.go
@@ -88,6 +88,7 @@ func main() {
 	certDir := flag.String("cert-dir", "", "shared volume path for CA certificate (enables MITM trust injection into guest)")
 	dnsResolver := flag.String("dns-resolver", "", "upstream DNS resolver address for DNS interception (default: 8.8.8.8:53)")
 	mcpBaseURL := flag.String("mcp-base-url", "", "external base URL the agent uses to reach sluice's MCP gateway (e.g. http://sluice:3000); added to SelfBypass so sluice does not policy-check its own MCP traffic")
+	agentFlag := flag.String("agent", envDefault("SLUICE_AGENT_PROFILE", "openclaw"), "agent profile: openclaw, hermes (controls env file path, reload mechanism, MCP config wiring)")
 	flag.Parse()
 
 	// Validate --runtime flag early.
@@ -106,6 +107,14 @@ func main() {
 		log.Fatalf("--runtime macos requires --vm-image (e.g. ghcr.io/cirruslabs/macos-sequoia-base:latest)")
 	}
 
+	// Resolve the agent profile early so it can be threaded into every
+	// container manager constructor below.
+	agentProfile, err := container.ProfileFromName(*agentFlag)
+	if err != nil {
+		log.Fatalf("invalid --agent value: %v", err)
+	}
+	log.Printf("agent profile: %s (env file ~/%s)", agentProfile.Name, agentProfile.EnvFileRelPath)
+
 	// Open the SQLite store.
 	db, err := store.New(*dbPath)
 	if err != nil {
@@ -250,7 +259,7 @@ func main() {
 		} else {
 			if fi, statErr := os.Stat(sock); statErr == nil && fi.Mode().Type() == os.ModeSocket {
 				client := container.NewSocketClient(sock)
-				containerMgr = container.NewDockerManager(client, *containerName)
+				containerMgr = container.NewDockerManagerForProfile(client, *containerName, agentProfile)
 				log.Printf("docker manager enabled: socket=%s, container=%s", sock, *containerName)
 			} else if *runtimeFlag == "docker" {
 				log.Fatalf("--runtime docker: socket %q not found or not a socket", sock)
@@ -269,11 +278,12 @@ func main() {
 			containerMgr = container.NewAppleManager(container.AppleManagerConfig{
 				CLI:           cli,
 				ContainerName: *containerName,
+				Profile:       agentProfile,
 			})
 			log.Printf("apple container manager enabled: container=%s", *containerName)
 		}
 	case "macos":
-		tartMgr, tartRouter, containerMgr, tartVMOwned = startMacOSVM(*vmImage, *containerName, *certDir)
+		tartMgr, tartRouter, containerMgr, tartVMOwned = startMacOSVM(*vmImage, *containerName, *certDir, agentProfile)
 	case "none":
 		log.Printf("standalone mode: no container runtime (configure ALL_PROXY=socks5://%s manually)", *listenAddr)
 	case "":
@@ -1050,13 +1060,13 @@ func seedStoreFromConfig(db *store.Store, configPath string) error {
 // routing. Returns the TartManager, NetworkRouter (for shutdown cleanup),
 // the ContainerManager interface, and a boolean indicating whether sluice
 // started the VM. Calls log.Fatalf on unrecoverable errors.
-func startMacOSVM(vmImage, vmName, certDir string) (*container.TartManager, *container.NetworkRouter, container.ContainerManager, bool) {
+func startMacOSVM(vmImage, vmName, certDir string, profile *container.AgentProfile) (*container.TartManager, *container.NetworkRouter, container.ContainerManager, bool) {
 	cli, cliErr := container.NewTartCLI(nil)
 	if cliErr != nil {
 		log.Fatalf("--runtime macos: tart CLI not available: %v", cliErr)
 	}
 
-	mgr, router, owned, err := setupMacOSVM(cli, vmImage, vmName, certDir)
+	mgr, router, owned, err := setupMacOSVM(cli, vmImage, vmName, certDir, profile)
 	if err != nil {
 		log.Fatalf("--runtime macos: %v", err)
 	}
@@ -1105,7 +1115,7 @@ func waitForVMIP(ctx context.Context, cli *container.TartCLI, vmName string) (st
 // indicates whether sluice started the VM (true) or attached to an
 // already-running VM (false). Only VMs started by sluice should be
 // stopped on shutdown.
-func setupMacOSVM(cli *container.TartCLI, vmImage, vmName, certDir string) (*container.TartManager, *container.NetworkRouter, bool, error) {
+func setupMacOSVM(cli *container.TartCLI, vmImage, vmName, certDir string, profile *container.AgentProfile) (*container.TartManager, *container.NetworkRouter, bool, error) {
 	ctx := context.Background()
 
 	// Check if VM already exists.
@@ -1182,6 +1192,7 @@ func setupMacOSVM(cli *container.TartCLI, vmImage, vmName, certDir string) (*con
 		CLI:       cli,
 		VMName:    vmName,
 		RunConfig: runCfg,
+		Profile:   profile,
 	})
 
 	// Set up pf routing to redirect VM traffic through tun2proxy to SOCKS5.
diff --git a/cmd/sluice/mcp_test.go b/cmd/sluice/mcp_test.go
index d7f9ab4..70f8f21 100644
--- a/cmd/sluice/mcp_test.go
+++ b/cmd/sluice/mcp_test.go
@@ -648,7 +648,8 @@ func TestHandleMCPGatewayNoUpstreams(t *testing.T) {
 		return
 	}
 	cmd := exec.Command(os.Args[0], "-test.run=TestHandleMCPGatewayNoUpstreams")
-	cmd.Env = append(os.Environ(),
+	cmd.Env = append(
+		os.Environ(),
 		"TEST_MCP_SUBPROCESS=no_upstreams",
 		"TEST_DB_PATH="+dbPath,
 		"TELEGRAM_BOT_TOKEN=",
@@ -686,7 +687,8 @@ func TestHandleMCPGatewayInvalidChatID(t *testing.T) {
 		return
 	}
 	cmd := exec.Command(os.Args[0], "-test.run=TestHandleMCPGatewayInvalidChatID")
-	cmd.Env = append(os.Environ(),
+	cmd.Env = append(
+		os.Environ(),
 		"TEST_MCP_SUBPROCESS=invalid_chat_id",
 		"TEST_DB_PATH="+dbPath,
 	)
diff --git a/cmd/sluice/policy.go b/cmd/sluice/policy.go
index 5496cb2..111ac69 100644
--- a/cmd/sluice/policy.go
+++ b/cmd/sluice/policy.go
@@ -261,7 +261,8 @@ func handlePolicyImport(args []string) error {
 		return fmt.Errorf("import: %w", err)
 	}
 
-	fmt.Printf("imported: %d rules (%d skipped), %d bindings (%d skipped), %d upstreams (%d skipped), %d config\n",
+	fmt.Printf(
+		"imported: %d rules (%d skipped), %d bindings (%d skipped), %d upstreams (%d skipped), %d config\n",
 		result.RulesInserted, result.RulesSkipped,
 		result.BindingsInserted, result.BindingsSkipped,
 		result.UpstreamsInserted, result.UpstreamsSkipped,
diff --git a/e2e/apple_test.go b/e2e/apple_test.go
index d79f056..6827eac 100644
--- a/e2e/apple_test.go
+++ b/e2e/apple_test.go
@@ -287,7 +287,8 @@ func (e *appleEnv) startTun2proxy() {
 		e.t.Skipf("tun2proxy not in PATH: %v", err)
 	}
 
-	cmd := exec.Command(tun2proxyBin,
+	cmd := exec.Command(
+		tun2proxyBin,
 		"--proxy", "socks5://"+e.sluice.ProxyAddr,
 		"--tun", e.tunIface,
 	)
@@ -655,7 +656,8 @@ func TestAppleContainerSluiceStartsWithRuntimeFlag(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
-	cmd := exec.CommandContext(ctx, binary,
+	cmd := exec.CommandContext(
+		ctx, binary,
 		"--runtime", "apple",
 		"--listen", fmt.Sprintf("127.0.0.1:%d", proxyPort),
 		"--db", dbPath,
diff --git a/e2e/credential_test.go b/e2e/credential_test.go
index f6503f8..1b34ee8 100644
--- a/e2e/credential_test.go
+++ b/e2e/credential_test.go
@@ -278,7 +278,8 @@ func TestCredential_HeaderInjection(t *testing.T) {
 	_, port := mustSplitAddr(t, echo.URL)
 
 	// Add credential with binding for the echo server.
-	runCredAdd(t, setup.Proc, "test_api_key", "real-secret-value-123",
+	runCredAdd(
+		t, setup.Proc, "test_api_key", "real-secret-value-123",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "X-Api-Key",
@@ -308,7 +309,8 @@ func TestCredential_PhantomInBody(t *testing.T) {
 	echo := startTLSEchoServerWithCA(t, setup.CA)
 	_, port := mustSplitAddr(t, echo.URL)
 
-	runCredAdd(t, setup.Proc, "body_cred", "body-secret-42",
+	runCredAdd(
+		t, setup.Proc, "body_cred", "body-secret-42",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "Authorization",
@@ -352,7 +354,8 @@ func TestCredential_UnboundPhantomStripped(t *testing.T) {
 	_, unboundPort := mustSplitAddr(t, unboundEcho.URL)
 
 	// Add credential bound to the first echo server only.
-	runCredAdd(t, setup.Proc, "bound_cred", "bound-secret",
+	runCredAdd(
+		t, setup.Proc, "bound_cred", "bound-secret",
 		"--destination", "127.0.0.1",
 		"--ports", boundPort,
 		"--header", "X-Cred",
@@ -480,7 +483,8 @@ func TestCredential_Rotation(t *testing.T) {
 	_, port := mustSplitAddr(t, echo.URL)
 
 	// Add initial credential.
-	runCredAdd(t, setup.Proc, "rotate_key", "original-value",
+	runCredAdd(
+		t, setup.Proc, "rotate_key", "original-value",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "X-Api-Key",
@@ -524,14 +528,16 @@ func TestCredential_MultipleDestinations(t *testing.T) {
 	_, portB := mustSplitAddr(t, echoB.URL)
 
 	// Add credential A bound to echo server A.
-	runCredAdd(t, setup.Proc, "cred_a", "secret-a",
+	runCredAdd(
+		t, setup.Proc, "cred_a", "secret-a",
 		"--destination", "127.0.0.1",
 		"--ports", portA,
 		"--header", "X-Key-A",
 	)
 
 	// Add credential B bound to echo server B.
-	runCredAdd(t, setup.Proc, "cred_b", "secret-b",
+	runCredAdd(
+		t, setup.Proc, "cred_b", "secret-b",
 		"--destination", "127.0.0.1",
 		"--ports", portB,
 		"--header", "X-Key-B",
diff --git a/e2e/grpc_test.go b/e2e/grpc_test.go
index 69cb9a7..ea37794 100644
--- a/e2e/grpc_test.go
+++ b/e2e/grpc_test.go
@@ -174,7 +174,8 @@ func TestGRPC_CredentialInjectionInMetadata(t *testing.T) {
 	_, port := splitHostPort(t, h2Addr)
 
 	// Add credential with binding for the H2 server.
-	runCredAdd(t, setup.Proc, "grpc_token", "grpc-real-secret-456",
+	runCredAdd(
+		t, setup.Proc, "grpc_token", "grpc-real-secret-456",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "Authorization",
diff --git a/e2e/helpers_test.go b/e2e/helpers_test.go
index 75df496..1bc2d8c 100644
--- a/e2e/helpers_test.go
+++ b/e2e/helpers_test.go
@@ -589,7 +589,8 @@ func sluiceWithWebhook(t *testing.T, policyTOML, webhookURL string) *SluiceProce
 	}
 
 	// Add the HTTP webhook channel to the pre-seeded DB.
-	channelCmd := exec.Command(binary, "channel", "add",
+	channelCmd := exec.Command(
+		binary, "channel", "add",
 		"--type", "http",
 		"--url", webhookURL,
 		"--db", dbPath,
diff --git a/e2e/websocket_test.go b/e2e/websocket_test.go
index 532476f..5c0b44f 100644
--- a/e2e/websocket_test.go
+++ b/e2e/websocket_test.go
@@ -209,7 +209,8 @@ func TestWebSocket_CredentialInjectionInUpgradeHeaders(t *testing.T) {
 	_, port := splitHostPort(t, wsAddr)
 
 	// Add credential bound to the WS echo server.
-	runCredAdd(t, setup.Proc, "ws_api_key", "ws-real-secret-789",
+	runCredAdd(
+		t, setup.Proc, "ws_api_key", "ws-real-secret-789",
 		"--destination", "127.0.0.1",
 		"--ports", port,
 		"--header", "X-Ws-Key",
diff --git a/internal/channel/channel_test.go b/internal/channel/channel_test.go
index 958ad20..5c1bd09 100644
--- a/internal/channel/channel_test.go
+++ b/internal/channel/channel_test.go
@@ -397,7 +397,8 @@ func TestBrokerPendingLimitZeroMeansUnlimited(t *testing.T) {
 		}()
 	}
 
-	broker = NewBroker([]Channel{ch1},
+	broker = NewBroker(
+		[]Channel{ch1},
 		WithMaxPending(0),
 		WithDestinationRateLimit(0, 0),
 	)
@@ -429,7 +430,8 @@ func TestBrokerDestinationRateLimiting(t *testing.T) {
 		}()
 	}
 
-	broker = NewBroker([]Channel{ch1},
+	broker = NewBroker(
+		[]Channel{ch1},
 		WithMaxPending(0),
 		WithDestinationRateLimit(3, time.Minute),
 	)
@@ -477,7 +479,8 @@ func TestBrokerDestinationRateLimitDisabled(t *testing.T) {
 		}()
 	}
 
-	broker = NewBroker([]Channel{ch1},
+	broker = NewBroker(
+		[]Channel{ch1},
 		WithMaxPending(0),
 		WithDestinationRateLimit(0, 0),
 	)
diff --git a/internal/container/agent_profile.go b/internal/container/agent_profile.go
new file mode 100644
index 0000000..e5939c5
--- /dev/null
+++ b/internal/container/agent_profile.go
@@ -0,0 +1,165 @@
+package container
+
+import (
+	"fmt"
+	"path"
+	"sort"
+	"strings"
+)
+
+// AgentProfile abstracts agent-specific runtime conventions so that sluice
+// can manage credential and MCP wiring for more than one agent. Each agent
+// stores its env file in a different location, has a different mechanism
+// for picking up secret changes, and registers MCP servers in a different
+// config format. A profile captures all three so that the container
+// managers (Docker, Apple Container, tart) stay agent-agnostic.
+type AgentProfile struct {
+	// Name is the human-readable profile identifier (e.g. "openclaw").
+	Name string
+
+	// EnvFileRelPath is the path to the agent's secret env file relative
+	// to the in-container HOME directory (e.g. ".openclaw/.env").
+	EnvFileRelPath string
+
+	// ReloadCmd returns the argv to exec inside the agent container in
+	// order to make a freshly-written env file take effect. Returning nil
+	// means the profile has no in-place reload mechanism; the caller
+	// should log a notice and rely on the next agent run / container
+	// restart picking up the new values.
+	ReloadCmd func() []string
+
+	// WireMCPCmd returns the argv to exec for registering sluice's MCP
+	// gateway URL inside the agent's config. It is invoked once per
+	// sluice startup. Returning nil means the profile cannot patch
+	// config in place and the operator must wire the MCP gateway
+	// manually before starting the agent.
+	WireMCPCmd func(name, url string) []string
+}
+
+// OpenclawProfile is the default profile. Openclaw stores secrets at
+// ~/.openclaw/.env and exposes a JSON-RPC gateway (over WebSocket) for
+// reloading secrets and patching config. The embedded gateway_rpc.js
+// script handles the device-signed handshake.
+var OpenclawProfile = &AgentProfile{
+	Name:           "openclaw",
+	EnvFileRelPath: ".openclaw/.env",
+	ReloadCmd: func() []string {
+		return GatewayRPCNodeCommand("secrets.reload")
+	},
+	WireMCPCmd: func(name, url string) []string {
+		return GatewayRPCNodeCommand("wire-mcp", name, url)
+	},
+}
+
+// hermesMCPWireScript is a small Python script that registers an MCP
+// server inside ~/.hermes/config.yaml under the mcp_servers key. Hermes
+// reads MCP servers from this file at startup and on the /reload-mcp
+// slash command. We rely on PyYAML being available because Hermes itself
+// is a Python application that ships with PyYAML as a hard dependency.
+//
+// The script is idempotent: if mcp_servers.<name>.url already matches,
+// the file is not rewritten.
+const hermesMCPWireScript = `
+import os, sys, yaml
+name, url = sys.argv[1], sys.argv[2]
+cfg_path = os.path.expanduser("~/.hermes/config.yaml")
+os.makedirs(os.path.dirname(cfg_path), exist_ok=True)
+data = {}
+if os.path.exists(cfg_path):
+    with open(cfg_path) as fh:
+        data = yaml.safe_load(fh) or {}
+servers = data.setdefault("mcp_servers", {})
+existing = servers.get(name) or {}
+if existing.get("url") == url:
+    sys.exit(0)
+existing["url"] = url
+servers[name] = existing
+with open(cfg_path, "w") as fh:
+    yaml.safe_dump(data, fh, sort_keys=False)
+`
+
+// HermesProfile targets nousresearch/hermes-agent. Hermes stores secrets
+// at ~/.hermes/.env and MCP servers under mcp_servers in
+// ~/.hermes/config.yaml. There is no documented in-process reload for
+// .env, so ReloadCmd is nil and callers fall back to logging a notice;
+// new credentials take effect on the next agent message.
+//
+// MCP wiring patches config.yaml directly. Hermes picks up the change on
+// startup or via the /reload-mcp slash command (which the operator must
+// invoke from the agent UI; sluice cannot trigger it remotely).
+var HermesProfile = &AgentProfile{
+	Name:           "hermes",
+	EnvFileRelPath: ".hermes/.env",
+	ReloadCmd:      nil,
+	WireMCPCmd: func(name, url string) []string {
+		return []string{"python3", "-c", hermesMCPWireScript, name, url}
+	},
+}
+
+// builtinProfiles is the registry consulted by ProfileFromName.
+var builtinProfiles = map[string]*AgentProfile{
+	"openclaw": OpenclawProfile,
+	"hermes":   HermesProfile,
+}
+
+// ProfileFromName returns the built-in profile matching name, or an
+// error listing the known profiles.
+func ProfileFromName(name string) (*AgentProfile, error) {
+	if p, ok := builtinProfiles[name]; ok {
+		return p, nil
+	}
+	known := make([]string, 0, len(builtinProfiles))
+	for k := range builtinProfiles {
+		known = append(known, k)
+	}
+	sort.Strings(known)
+	return nil, fmt.Errorf("unknown agent profile %q (known: %s)", name, strings.Join(known, ", "))
+}
+
+// validateEnvFileRelPath ensures the env file path declared by an
+// AgentProfile is safe to interpolate into a shell snippet inside
+// double quotes. The path must be relative (no leading "/"), must
+// not contain ".." segments, and must not contain shell metacharacters
+// or whitespace that would let a maliciously constructed profile run
+// arbitrary commands when BuildEnvInjectionScriptForProfile is called.
+//
+// All built-in profiles in this package are constants and pass this
+// check trivially. The validation exists to keep the surface safe if
+// a future caller in this internal package constructs an AgentProfile
+// dynamically.
+func validateEnvFileRelPath(p string) error {
+	if p == "" {
+		return fmt.Errorf("EnvFileRelPath is empty")
+	}
+	if strings.HasPrefix(p, "/") {
+		return fmt.Errorf("EnvFileRelPath %q must be relative (not absolute)", p)
+	}
+	cleaned := path.Clean(p)
+	if cleaned != p {
+		return fmt.Errorf("EnvFileRelPath %q is not in canonical form (got %q)", p, cleaned)
+	}
+	if strings.HasPrefix(cleaned, "../") || cleaned == ".." || strings.Contains(cleaned, "/../") {
+		return fmt.Errorf("EnvFileRelPath %q must not traverse parent directories", p)
+	}
+	for _, r := range p {
+		switch {
+		case r >= 'A' && r <= 'Z':
+		case r >= 'a' && r <= 'z':
+		case r >= '0' && r <= '9':
+		case r == '/' || r == '.' || r == '_' || r == '-':
+		default:
+			return fmt.Errorf("EnvFileRelPath %q contains disallowed character %q", p, r)
+		}
+	}
+	return nil
+}
+
+// resolveProfile returns p when non-nil, or OpenclawProfile as the
+// default. This lets existing call sites that do not pass a profile
+// keep their previous behavior.
+func resolveProfile(p *AgentProfile) *AgentProfile {
+	if p == nil {
+		return OpenclawProfile
+	}
+	return p
+}
diff --git a/internal/container/agent_profile_test.go b/internal/container/agent_profile_test.go
new file mode 100644
index 0000000..d54a61f
--- /dev/null
+++ b/internal/container/agent_profile_test.go
@@ -0,0 +1,167 @@
+package container
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestProfileFromName(t *testing.T) {
+	tests := []struct {
+		name      string
+		input     string
+		wantPath  string
+		wantError bool
+	}{
+		{"openclaw", "openclaw", ".openclaw/.env", false},
+		{"hermes", "hermes", ".hermes/.env", false},
+		{"unknown", "claude", "", true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p, err := ProfileFromName(tt.input)
+			if (err != nil) != tt.wantError {
+				t.Fatalf("err = %v, wantError = %v", err, tt.wantError)
+			}
+			if err == nil && p.EnvFileRelPath != tt.wantPath {
+				t.Errorf("EnvFileRelPath = %q, want %q", p.EnvFileRelPath, tt.wantPath)
+			}
+		})
+	}
+}
+
+func TestBuildEnvInjectionScriptForProfile_Hermes(t *testing.T) {
+	envMap := map[string]string{"OPENAI_API_KEY": "sk-phantom-xyz"}
+	script, err := BuildEnvInjectionScriptForProfile(HermesProfile, envMap, false, false)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !strings.Contains(script, ".hermes/.env") {
+		t.Errorf("script should reference .hermes/.env, got: %s", script)
+	}
+	if strings.Contains(script, ".openclaw") {
+		t.Errorf("script should not reference .openclaw for hermes profile: %s", script)
+	}
+	if !strings.Contains(script, "OPENAI_API_KEY") {
+		t.Errorf("script should contain env var name: %s", script)
+	}
+}
+
+func TestBuildEnvInjectionScript_DefaultsToOpenclaw(t *testing.T) {
+	script, err := BuildEnvInjectionScript(map[string]string{"FOO": "bar"}, false, false)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !strings.Contains(script, ".openclaw/.env") {
+		t.Errorf("default script should target .openclaw/.env, got: %s", script)
+	}
+}
+
+func TestOpenclawProfile_ReloadAndWireCommands(t *testing.T) {
+	if OpenclawProfile.ReloadCmd == nil {
+		t.Fatal("openclaw should have a reload command")
+	}
+	cmd := OpenclawProfile.ReloadCmd()
+	if len(cmd) < 3 || cmd[0] != "node" || cmd[1] != "-e" {
+		t.Errorf("reload should be node -e <script> ..., got: %v", cmd)
+	}
+	if cmd[len(cmd)-1] != "secrets.reload" {
+		t.Errorf("reload last arg should be secrets.reload, got: %v", cmd)
+	}
+
+	if OpenclawProfile.WireMCPCmd == nil {
+		t.Fatal("openclaw should have a wire MCP command")
+	}
+	wcmd := OpenclawProfile.WireMCPCmd("sluice", "http://sluice:3000/mcp")
+	if wcmd[0] != "node" {
+		t.Errorf("wire mcp should be node-based, got: %v", wcmd)
+	}
+}
+
+func TestHermesProfile_ReloadIsNil(t *testing.T) {
+	if HermesProfile.ReloadCmd != nil {
+		t.Error("hermes profile should have nil ReloadCmd (no in-place reload documented)")
+	}
+}
+
+func TestHermesProfile_WireMCPUsesPython(t *testing.T) {
+	if HermesProfile.WireMCPCmd == nil {
+		t.Fatal("hermes should have a wire MCP command")
+	}
+	cmd := HermesProfile.WireMCPCmd("sluice", "http://sluice:3000/mcp")
+	if cmd[0] != "python3" {
+		t.Errorf("hermes wire MCP should use python3, got: %v", cmd[:1])
+	}
+	if cmd[1] != "-c" {
+		t.Errorf("hermes wire MCP should use -c, got: %v", cmd[:2])
+	}
+	if cmd[len(cmd)-2] != "sluice" || cmd[len(cmd)-1] != "http://sluice:3000/mcp" {
+		t.Errorf("hermes wire MCP last args should be name and url, got: %v", cmd[len(cmd)-2:])
+	}
+	if !strings.Contains(cmd[2], "mcp_servers") {
+		t.Error("hermes wire MCP script should target mcp_servers key")
+	}
+	if !strings.Contains(cmd[2], "yaml.safe_load") {
+		t.Error("hermes wire MCP script should parse yaml safely")
+	}
+}
+
+func TestProfileFromName_ErrorListsKnownSorted(t *testing.T) {
+	_, err := ProfileFromName("does-not-exist")
+	if err == nil {
+		t.Fatal("expected error for unknown profile")
+	}
+	msg := err.Error()
+	// "hermes" must appear before "openclaw" alphabetically when the list is sorted.
+	hi := strings.Index(msg, "hermes")
+	oi := strings.Index(msg, "openclaw")
+	if hi < 0 || oi < 0 || hi > oi {
+		t.Errorf("error message %q should list known profiles in sorted order (hermes before openclaw)", msg)
+	}
+}
+
+func TestValidateEnvFileRelPath(t *testing.T) {
+	good := []string{
+		".openclaw/.env",
+		".hermes/.env",
+		"home/agent/.env",
+		"a-b_c.env",
+	}
+	for _, p := range good {
+		if err := validateEnvFileRelPath(p); err != nil {
+			t.Errorf("expected %q to be accepted, got: %v", p, err)
+		}
+	}
+	bad := []string{
+		"",
+		"/abs/path",
+		"../escape",
+		"a/../b",
+		`a"; rm -rf /`,
+		"a$(whoami)",
+		"a b",
+		"a;b",
+		"a\nb",
+	}
+	for _, p := range bad {
+		if err := validateEnvFileRelPath(p); err == nil {
+			t.Errorf("expected %q to be rejected", p)
+		}
+	}
+}
+
+func TestBuildEnvInjectionScriptForProfile_RejectsUnsafePath(t *testing.T) {
+	bad := &AgentProfile{Name: "evil", EnvFileRelPath: `evil"; touch /tmp/pwned`}
+	_, err := BuildEnvInjectionScriptForProfile(bad, map[string]string{"K": "v"}, false, false)
+	if err == nil {
+		t.Fatal("expected error for unsafe EnvFileRelPath")
+	}
+}
+
+func TestResolveProfile_NilDefaultsToOpenclaw(t *testing.T) {
+	if resolveProfile(nil) != OpenclawProfile {
+		t.Error("nil profile should default to OpenclawProfile")
+	}
+	if resolveProfile(HermesProfile) != HermesProfile {
+		t.Error("non-nil profile should be returned as-is")
+	}
+}
diff --git a/internal/container/apple.go b/internal/container/apple.go
index cf3e3ea..50a7e0b 100644
--- a/internal/container/apple.go
+++ b/internal/container/apple.go
@@ -194,12 +194,15 @@ func (c *AppleCLI) List(ctx context.Context) ([]VMListEntry, error) {
 type AppleManager struct {
 	cli           *AppleCLI
 	containerName string
+	profile       *AgentProfile
 }
 
 // AppleManagerConfig holds configuration for creating an AppleManager.
 type AppleManagerConfig struct {
 	CLI           *AppleCLI
 	ContainerName string
+	// Profile selects agent-specific conventions. Nil falls back to OpenclawProfile.
+	Profile *AgentProfile
 }
 
 // NewAppleManager creates a new AppleManager from the given config.
@@ -207,6 +210,7 @@ func NewAppleManager(cfg AppleManagerConfig) *AppleManager {
 	return &AppleManager{
 		cli:           cfg.CLI,
 		containerName: cfg.ContainerName,
+		profile:       resolveProfile(cfg.Profile),
 	}
 }
 
@@ -220,7 +224,7 @@ func (m *AppleManager) InjectEnvVars(ctx context.Context, envMap map[string]stri
 		return nil
 	}
 
-	script, err := BuildEnvInjectionScript(envMap, false, fullReplace)
+	script, err := BuildEnvInjectionScriptForProfile(m.profile, envMap, false, fullReplace)
 	if err != nil {
 		return fmt.Errorf("build env injection script: %w", err)
 	}
@@ -236,16 +240,26 @@ func (m *AppleManager) InjectEnvVars(ctx context.Context, envMap map[string]stri
 	return nil
 }
 
-// ReloadSecrets signals the openclaw gateway to re-read secrets via WebSocket RPC.
+// ReloadSecrets signals the agent inside the VM to re-read its env file.
+// The mechanism is profile-specific; nil ReloadCmd means no in-place
+// reload (best-effort, logged).
 func (m *AppleManager) ReloadSecrets(ctx context.Context) error {
-	_, err := m.cli.Exec(ctx, m.containerName, GatewayRPCNodeCommand("secrets.reload"))
+	if m.profile.ReloadCmd == nil {
+		log.Printf("agent profile %q has no in-place reload; new secrets take effect on next agent run", m.profile.Name)
+		return nil
+	}
+	_, err := m.cli.Exec(ctx, m.containerName, m.profile.ReloadCmd())
 	return err
 }
 
 // WireMCPGateway registers sluice's MCP gateway URL in the agent's
-// openclaw.json config via a gateway WebSocket RPC.
+// config. The exact storage format depends on the profile.
 func (m *AppleManager) WireMCPGateway(ctx context.Context, name, sluiceURL string) error {
-	_, err := m.cli.Exec(ctx, m.containerName, GatewayRPCNodeCommand("wire-mcp", name, sluiceURL))
+	if m.profile.WireMCPCmd == nil {
+		log.Printf("agent profile %q does not support automatic MCP wiring; configure %s manually", m.profile.Name, sluiceURL)
+		return nil
+	}
+	_, err := m.cli.Exec(ctx, m.containerName, m.profile.WireMCPCmd(name, sluiceURL))
 	return err
 }
 
diff --git a/internal/container/docker.go b/internal/container/docker.go
index d436f5b..5c10ef0 100644
--- a/internal/container/docker.go
+++ b/internal/container/docker.go
@@ -59,13 +59,23 @@ type ContainerSpec struct { //nolint:revive // stuttering accepted for clarity
 type DockerManager struct {
 	client        ContainerClient
 	containerName string
+	profile       *AgentProfile
 }
 
-// NewDockerManager creates a new Docker container manager.
+// NewDockerManager creates a new Docker container manager using the
+// default OpenclawProfile. Use NewDockerManagerForProfile to target a
+// different agent (e.g. HermesProfile).
 func NewDockerManager(client ContainerClient, containerName string) *DockerManager {
+	return NewDockerManagerForProfile(client, containerName, OpenclawProfile)
+}
+
+// NewDockerManagerForProfile creates a Docker container manager bound to
+// the supplied AgentProfile. Pass nil to fall back to OpenclawProfile.
+func NewDockerManagerForProfile(client ContainerClient, containerName string, profile *AgentProfile) *DockerManager {
 	return &DockerManager{
 		client:        client,
 		containerName: containerName,
+		profile:       resolveProfile(profile),
 	}
 }
 
@@ -79,7 +89,7 @@ func (m *DockerManager) InjectEnvVars(ctx context.Context, envMap map[string]str
 		return nil
 	}
 
-	script, err := BuildEnvInjectionScript(envMap, false, fullReplace)
+	script, err := BuildEnvInjectionScriptForProfile(m.profile, envMap, false, fullReplace)
 	if err != nil {
 		return fmt.Errorf("build env injection script: %w", err)
 	}
@@ -97,32 +107,39 @@ func (m *DockerManager) InjectEnvVars(ctx context.Context, envMap map[string]str
 	return nil
 }
 
-// ReloadSecrets signals the openclaw gateway to re-read secrets via WebSocket RPC.
-// Uses the embedded gateway_rpc.js script to do the full device-signed
-// connect handshake before invoking secrets.reload.
+// ReloadSecrets signals the agent inside the container to re-read its env
+// file. The exact mechanism is profile-specific (openclaw uses a JSON-RPC
+// over WebSocket; hermes has no in-place reload). When the profile does
+// not provide a reload command, this is a logged no-op so callers can
+// treat it as best-effort.
 func (m *DockerManager) ReloadSecrets(ctx context.Context) error {
-	return m.client.ExecInContainer(ctx, m.containerName,
-		GatewayRPCNodeCommand("secrets.reload"))
+	if m.profile.ReloadCmd == nil {
+		log.Printf("agent profile %q has no in-place reload; new secrets take effect on next agent run", m.profile.Name)
+		return nil
+	}
+	return m.client.ExecInContainer(ctx, m.containerName, m.profile.ReloadCmd())
 }
 
-// WireMCPGateway registers sluice's MCP gateway URL in the agent's
-// openclaw.json config (at mcp.servers.<name>) via a gateway WebSocket
-// RPC. This is a one-shot idempotent operation: if the entry already
-// matches, openclaw returns a noop. Call this once at sluice startup
-// after the MCP gateway is initialized.
+// WireMCPGateway registers sluice's MCP gateway URL inside the agent's
+// config so that its embedded runtime discovers sluice as an MCP server.
+// The exact storage format depends on the profile (openclaw patches its
+// JSON config via a gateway RPC; hermes patches mcp_servers in
+// ~/.hermes/config.yaml). Call this once at sluice startup after the
+// MCP gateway is initialized.
 //
-// On first wire-up the config change triggers an openclaw gateway
-// restart, which kills the docker exec we're running and reports
-// exit code 137. The config write itself has already succeeded at
-// that point, so we swallow 137 and treat it as success. Genuine
-// failures surface as non-zero exit codes other than 137 or
-// connect-time errors before the exec runs.
+// For openclaw, the config change triggers a gateway restart that kills
+// the running exec with code 137. The config write has already
+// succeeded at that point, so we swallow 137 and treat it as success
+// for the openclaw profile only. Other profiles surface 137 as a real
+// error so a legitimate OOM / SIGKILL is not silently masked.
 func (m *DockerManager) WireMCPGateway(ctx context.Context, name, sluiceURL string) error {
-	err := m.client.ExecInContainer(ctx, m.containerName,
-		GatewayRPCNodeCommand("wire-mcp", name, sluiceURL))
-	if err != nil && strings.Contains(err.Error(), "exit") && strings.Contains(err.Error(), "137") {
-		// The config.patch response was delivered successfully; the
-		// exec was terminated by the subsequent gateway restart.
+	if m.profile.WireMCPCmd == nil {
+		log.Printf("agent profile %q does not support automatic MCP wiring; configure %s manually", m.profile.Name, sluiceURL)
+		return nil
+	}
+	err := m.client.ExecInContainer(ctx, m.containerName, m.profile.WireMCPCmd(name, sluiceURL))
+	if err != nil && m.profile.Name == OpenclawProfile.Name &&
+		strings.Contains(err.Error(), "exit") && strings.Contains(err.Error(), "137") {
 		return nil
 	}
 	return err
diff --git a/internal/container/docker_test.go b/internal/container/docker_test.go
index b23d2fe..3b12ada 100644
--- a/internal/container/docker_test.go
+++ b/internal/container/docker_test.go
@@ -447,6 +447,65 @@ func TestInjectEnvVarsWritesEnvFile(t *testing.T) {
 	}
 }
 
+func TestInjectEnvVarsHermesProfile(t *testing.T) {
+	mc := &mockClient{}
+	mgr := NewDockerManagerForProfile(mc, "hermes", HermesProfile)
+
+	err := mgr.InjectEnvVars(context.Background(), map[string]string{"OPENAI_API_KEY": "sk-phantom-xyz"}, false)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Hermes has no in-place reload, so we expect exactly one exec call
+	// (the env file write). ReloadSecrets logs and returns nil without
+	// invoking exec.
+	if len(mc.execCalls) != 1 {
+		t.Fatalf("expected 1 exec call (no reload for hermes), got %d", len(mc.execCalls))
+	}
+	script := mc.execCalls[0][2]
+	if !strings.Contains(script, ".hermes/.env") {
+		t.Errorf("script should target ~/.hermes/.env, got: %s", script)
+	}
+	if strings.Contains(script, ".openclaw") {
+		t.Errorf("script should not mention .openclaw under hermes profile: %s", script)
+	}
+}
+
+func TestWireMCPGateway_Exit137GatedToOpenclaw(t *testing.T) {
+	// Openclaw profile: exit 137 from the gateway restart is swallowed.
+	mc := &mockClient{execErr: fmt.Errorf("exec failed: exit 137")}
+	mgr := NewDockerManagerForProfile(mc, "openclaw", OpenclawProfile)
+	if err := mgr.WireMCPGateway(context.Background(), "sluice", "http://sluice:3000/mcp"); err != nil {
+		t.Errorf("openclaw: expected exit 137 to be swallowed, got: %v", err)
+	}
+
+	// Other profiles must surface 137 so a real OOM is not masked.
+	mc2 := &mockClient{execErr: fmt.Errorf("exec failed: exit 137")}
+	mgr2 := NewDockerManagerForProfile(mc2, "hermes", HermesProfile)
+	if err := mgr2.WireMCPGateway(context.Background(), "sluice", "http://sluice:3000/mcp"); err == nil {
+		t.Error("hermes: expected exit 137 to surface as error, got nil")
+	}
+}
+
+func TestWireMCPGatewayHermesProfile(t *testing.T) {
+	mc := &mockClient{}
+	mgr := NewDockerManagerForProfile(mc, "hermes", HermesProfile)
+
+	if err := mgr.WireMCPGateway(context.Background(), "sluice", "http://sluice:3000/mcp"); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(mc.execCalls) != 1 {
+		t.Fatalf("expected 1 exec call, got %d", len(mc.execCalls))
+	}
+	cmd := mc.execCalls[0]
+	if cmd[0] != "python3" || cmd[1] != "-c" {
+		t.Errorf("hermes wire MCP should run python3 -c, got: %v", cmd[:2])
+	}
+	if cmd[len(cmd)-1] != "http://sluice:3000/mcp" {
+		t.Errorf("hermes wire MCP should pass url as last arg, got: %v", cmd)
+	}
+}
+
 func TestInjectEnvVarsEmptyMap(t *testing.T) {
 	mc := &mockClient{}
 	mgr := NewDockerManager(mc, "openclaw")
diff --git a/internal/container/tart.go b/internal/container/tart.go
index 5700e1d..4d389b1 100644
--- a/internal/container/tart.go
+++ b/internal/container/tart.go
@@ -222,6 +222,7 @@ type TartManager struct {
 	// startVM launches the VM in the background. Defaults to cli.StartVM.
 	// Replaceable in tests to avoid spawning real processes.
 	startVM func(TartRunConfig) (*exec.Cmd, error)
+	profile *AgentProfile
 }
 
 // TartManagerConfig holds configuration for creating a TartManager.
@@ -232,6 +233,8 @@ type TartManagerConfig struct {
 	// stores this so it can re-run the VM on restart since tart does not have
 	// an inspect command to recover the original run parameters.
 	RunConfig TartRunConfig
+	// Profile selects agent-specific conventions. Nil falls back to OpenclawProfile.
+	Profile *AgentProfile
 }
 
 // NewTartManager creates a new TartManager from the given config.
@@ -241,9 +244,10 @@ func NewTartManager(cfg TartManagerConfig) *TartManager {
 		panic("container: NewTartManager requires non-nil CLI")
 	}
 	m := &TartManager{
-		cli:    cfg.CLI,
-		vmName: cfg.VMName,
-		runCfg: cfg.RunConfig,
+		cli:     cfg.CLI,
+		vmName:  cfg.VMName,
+		runCfg:  cfg.RunConfig,
+		profile: resolveProfile(cfg.Profile),
 	}
 	m.startVM = cfg.CLI.StartVM
 	return m
@@ -260,7 +264,7 @@ func (m *TartManager) InjectEnvVars(ctx context.Context, envMap map[string]strin
 	}
 
 	// Tart VMs run macOS which uses BSD sed (requires -i '').
-	script, err := BuildEnvInjectionScript(envMap, true, fullReplace)
+	script, err := BuildEnvInjectionScriptForProfile(m.profile, envMap, true, fullReplace)
 	if err != nil {
 		return fmt.Errorf("build env injection script: %w", err)
 	}
@@ -276,16 +280,25 @@ func (m *TartManager) InjectEnvVars(ctx context.Context, envMap map[string]strin
 	return nil
 }
 
-// ReloadSecrets signals the openclaw gateway to re-read secrets via WebSocket RPC.
+// ReloadSecrets signals the agent inside the VM to re-read its env file.
+// The mechanism is profile-specific; nil ReloadCmd means no in-place reload.
 func (m *TartManager) ReloadSecrets(ctx context.Context) error {
-	_, err := m.cli.Exec(ctx, m.vmName, GatewayRPCNodeCommand("secrets.reload"))
+	if m.profile.ReloadCmd == nil {
+		log.Printf("agent profile %q has no in-place reload; new secrets take effect on next agent run", m.profile.Name)
+		return nil
+	}
+	_, err := m.cli.Exec(ctx, m.vmName, m.profile.ReloadCmd())
 	return err
 }
 
-// WireMCPGateway registers sluice's MCP gateway URL in the agent's
-// openclaw.json config via a gateway WebSocket RPC.
+// WireMCPGateway registers sluice's MCP gateway URL in the agent's config.
+// The exact storage format depends on the profile.
 func (m *TartManager) WireMCPGateway(ctx context.Context, name, sluiceURL string) error {
-	_, err := m.cli.Exec(ctx, m.vmName, GatewayRPCNodeCommand("wire-mcp", name, sluiceURL))
+	if m.profile.WireMCPCmd == nil {
+		log.Printf("agent profile %q does not support automatic MCP wiring; configure %s manually", m.profile.Name, sluiceURL)
+		return nil
+	}
+	_, err := m.cli.Exec(ctx, m.vmName, m.profile.WireMCPCmd(name, sluiceURL))
 	return err
 }
 
diff --git a/internal/container/types.go b/internal/container/types.go
index 855538d..7f0579a 100644
--- a/internal/container/types.go
+++ b/internal/container/types.go
@@ -101,8 +101,11 @@ func ValidateEnvVarKey(key string) error {
 }
 
 // BuildEnvInjectionScript constructs a shell script that writes each key=value
-// pair from envMap into ~/.openclaw/.env inside the agent container. When
-// fullReplace is false, existing entries with the same key are updated
+// pair from envMap into the agent's env file inside the container. The path
+// defaults to ~/.openclaw/.env (OpenclawProfile); pass a different profile
+// via BuildEnvInjectionScriptForProfile to target Hermes or future agents.
+//
+// When fullReplace is false, existing entries with the same key are updated
 // in-place via sed and new entries are appended (merge semantics). When
 // fullReplace is true, the file is truncated first so that only the entries
 // in envMap remain (reconciliation semantics). The bsdSed flag controls
@@ -113,8 +116,20 @@ func ValidateEnvVarKey(key string) error {
 // internal single quotes escaped, and the sed delimiter uses ASCII 0x01
 // (SOH) to avoid conflicts with any printable character in values.
 func BuildEnvInjectionScript(envMap map[string]string, bsdSed bool, fullReplace bool) (string, error) {
+	return BuildEnvInjectionScriptForProfile(OpenclawProfile, envMap, bsdSed, fullReplace)
+}
+
+// BuildEnvInjectionScriptForProfile is like BuildEnvInjectionScript but
+// targets the env file path declared by the given AgentProfile. A nil
+// profile defaults to OpenclawProfile so existing call sites keep their
+// behavior.
+func BuildEnvInjectionScriptForProfile(profile *AgentProfile, envMap map[string]string, bsdSed bool, fullReplace bool) (string, error) {
+	p := resolveProfile(profile)
+	if err := validateEnvFileRelPath(p.EnvFileRelPath); err != nil {
+		return "", fmt.Errorf("agent profile %q: %w", p.Name, err)
+	}
 	var script strings.Builder
-	script.WriteString(`ENV_FILE="$HOME/.openclaw/.env" && mkdir -p "$(dirname "$ENV_FILE")"`)
+	script.WriteString(fmt.Sprintf(`ENV_FILE="$HOME/%s" && mkdir -p "$(dirname "$ENV_FILE")"`, p.EnvFileRelPath))
 	if fullReplace {
 		// Truncate the file so stale entries from removed bindings are cleared.
 		script.WriteString(` && : > "$ENV_FILE"`)
diff --git a/internal/proxy/addon.go b/internal/proxy/addon.go
index c356536..d742985 100644
--- a/internal/proxy/addon.go
+++ b/internal/proxy/addon.go
@@ -485,7 +485,8 @@ func (a *SluiceAddon) Requestheaders(f *mitmproxy.Flow) {
 		method = "UPGRADE"
 		httpVer = ""
 	}
-	verdict, err := checker.CheckAndConsume(connectHost, connectPort,
+	verdict, err := checker.CheckAndConsume(
+		connectHost, connectPort,
 		WithRequestInfo(method, f.Request.URL.Path),
 		WithProtocol(protoStr),
 		WithHTTPVersion(httpVer),
@@ -591,13 +592,15 @@ func (a *SluiceAddon) Request(f *mitmproxy.Flow) {
 	// Pass 2+3 on URL query.
 	if rawQ := f.Request.URL.RawQuery; bytes.Contains([]byte(rawQ), phantomPrefix) {
 		f.Request.URL.RawQuery = string(
-			a.swapPhantomBytes([]byte(rawQ), pairs, host, port, "URL query"))
+			a.swapPhantomBytes([]byte(rawQ), pairs, host, port, "URL query"),
+		)
 	}
 
 	// Pass 2+3 on URL path.
 	if rawP := f.Request.URL.Path; bytes.Contains([]byte(rawP), phantomPrefix) {
 		f.Request.URL.Path = string(
-			a.swapPhantomBytes([]byte(rawP), pairs, host, port, "URL path"))
+			a.swapPhantomBytes([]byte(rawP), pairs, host, port, "URL path"),
+		)
 		f.Request.URL.RawPath = ""
 	}
 }
diff --git a/internal/proxy/addon_test.go b/internal/proxy/addon_test.go
index 27dd93c..c58d363 100644
--- a/internal/proxy/addon_test.go
+++ b/internal/proxy/addon_test.go
@@ -594,7 +594,8 @@ func setupAddonConn(addon *SluiceAddon, addr string) *mitmproxy.ClientConn {
 }
 
 func TestRequest_PhantomSwapInBody(t *testing.T) {
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{"api_key": "real-secret-value"},
 		[]vault.Binding{{
 			Destination: "api.example.com",
@@ -617,7 +618,8 @@ func TestRequest_PhantomSwapInBody(t *testing.T) {
 }
 
 func TestRequest_PhantomSwapInHeaders(t *testing.T) {
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{"api_key": "real-secret-value"},
 		[]vault.Binding{{
 			Destination: "api.example.com",
@@ -640,7 +642,8 @@ func TestRequest_PhantomSwapInHeaders(t *testing.T) {
 }
 
 func TestRequest_HeaderInjection(t *testing.T) {
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{"github_token": "ghp_realtoken123"},
 		[]vault.Binding{{
 			Destination: "api.github.com",
@@ -664,7 +667,8 @@ func TestRequest_HeaderInjection(t *testing.T) {
 }
 
 func TestRequest_HeaderInjectionNoTemplate(t *testing.T) {
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{"raw_key": "secret123"},
 		[]vault.Binding{{
 			Destination: "api.example.com",
@@ -688,7 +692,8 @@ func TestRequest_HeaderInjectionNoTemplate(t *testing.T) {
 func TestRequest_StripUnboundPhantoms(t *testing.T) {
 	// Credential "api_key" is bound to example.com. A phantom token for
 	// "other_key" is not bound and should be stripped.
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{
 			"api_key":   "real-secret",
 			"other_key": "other-secret",
@@ -722,7 +727,8 @@ func TestRequest_StripUnboundPhantoms(t *testing.T) {
 func TestRequest_NoBindingNoChange(t *testing.T) {
 	// No bindings configured. Body without phantom tokens should pass
 	// through unchanged.
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{"api_key": "secret"},
 		nil,
 	)
@@ -741,7 +747,8 @@ func TestRequest_NoBindingNoChange(t *testing.T) {
 }
 
 func TestRequest_PhantomSwapInURL(t *testing.T) {
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{"api_key": "real-secret"},
 		[]vault.Binding{{
 			Destination: "api.example.com",
@@ -782,7 +789,8 @@ func TestRequest_NilResolverNoOp(t *testing.T) {
 }
 
 func TestStreamRequestModifier_PhantomSwap(t *testing.T) {
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{"api_key": "real-secret-value"},
 		[]vault.Binding{{
 			Destination: "api.example.com",
@@ -825,7 +833,8 @@ func TestStreamRequestModifier_NilResolverPassthrough(t *testing.T) {
 }
 
 func TestStreamRequestModifier_LargeBodySpanningReads(t *testing.T) {
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{"api_key": "REPLACED"},
 		[]vault.Binding{{
 			Destination: "api.example.com",
@@ -862,7 +871,8 @@ func TestStreamRequestModifier_LargeBodySpanningReads(t *testing.T) {
 }
 
 func TestStreamRequestModifier_StripUnbound(t *testing.T) {
-	addon := newTestAddonWithCreds(t,
+	addon := newTestAddonWithCreds(
+		t,
 		map[string]string{
 			"bound":   "real-secret",
 			"unbound": "not-for-you",
diff --git a/internal/proxy/phantom_strip.go b/internal/proxy/phantom_strip.go
index f7ac9e2..420796f 100644
--- a/internal/proxy/phantom_strip.go
+++ b/internal/proxy/phantom_strip.go
@@ -28,7 +28,8 @@ func stripUnboundPhantomsFromProvider(data []byte, provider vault.Provider) []by
 				cred, parseErr := vault.ParseOAuth(secret.Bytes())
 				secret.Release()
 				if parseErr == nil {
-					phantoms = append(phantoms,
+					phantoms = append(
+						phantoms,
 						[]byte(oauthPhantomAccess(name, cred.AccessToken)),
 						[]byte(oauthPhantomRefresh(name, cred.RefreshToken)),
 						[]byte(PhantomToken(name)),
@@ -39,7 +40,8 @@ func stripUnboundPhantomsFromProvider(data []byte, provider vault.Provider) []by
 				secret.Release()
 			}
 		}
-		phantoms = append(phantoms,
+		phantoms = append(
+			phantoms,
 			[]byte(oauthPhantomAccess(name)),
 			[]byte(oauthPhantomRefresh(name)),
 			[]byte(PhantomToken(name)),
diff --git a/internal/proxy/quic.go b/internal/proxy/quic.go
index fa6bfaa..8b0884a 100644
--- a/internal/proxy/quic.go
+++ b/internal/proxy/quic.go
@@ -383,7 +383,8 @@ func (q *QUICProxy) buildHandler(upstreamHost string, destPort int, checker *Req
 
 		// Per-request policy check for ask-rule sessions.
 		if checker != nil {
-			verdict, err := checker.CheckAndConsume(host, port,
+			verdict, err := checker.CheckAndConsume(
+				host, port,
 				WithRequestInfo(r.Method, r.URL.RequestURI()),
 				WithProtocol(ProtoQUIC.String()),
 				WithSkipBrokerRateLimit(),
diff --git a/internal/proxy/quic_test.go b/internal/proxy/quic_test.go
index 0cc8127..21016af 100644
--- a/internal/proxy/quic_test.go
+++ b/internal/proxy/quic_test.go
@@ -407,7 +407,8 @@ func TestQUICProxy_HTTP3PhantomTokenReplacement(t *testing.T) {
 
 	// Send request with phantom token in Authorization header.
 	phantomToken := PhantomToken("test_api_key")
-	status, headers, body := doH3Request(t, qp, proxyAddr, proxyCAX509,
+	status, headers, body := doH3Request(
+		t, qp, proxyAddr, proxyCAX509,
 		"api.example.com", "POST", "/v1/test",
 		[]byte("payload with "+phantomToken+" inside"),
 		map[string]string{
@@ -465,7 +466,8 @@ func TestQUICProxy_HTTP3ContentDenyBlocks(t *testing.T) {
 	defer func() { _ = qp.Close() }()
 
 	// Request with banned content should be blocked.
-	status, _, _ := doH3Request(t, qp, proxyAddr, proxyCAX509,
+	status, _, _ := doH3Request(
+		t, qp, proxyAddr, proxyCAX509,
 		"api.example.com", "POST", "/v1/data",
 		[]byte(`{"password = hunter2"}`),
 		nil,
@@ -475,7 +477,8 @@ func TestQUICProxy_HTTP3ContentDenyBlocks(t *testing.T) {
 	}
 
 	// Request without banned content should pass.
-	status2, _, _ := doH3Request(t, qp, proxyAddr, proxyCAX509,
+	status2, _, _ := doH3Request(
+		t, qp, proxyAddr, proxyCAX509,
 		"api.example.com", "POST", "/v1/data",
 		[]byte(`{"message": "hello world"}`),
 		nil,
@@ -508,7 +511,8 @@ func TestQUICProxy_HTTP3ContentRedact(t *testing.T) {
 	proxyAddr := waitForQUICAddr(t, qp)
 	defer func() { _ = qp.Close() }()
 
-	status, _, body := doH3Request(t, qp, proxyAddr, proxyCAX509,
+	status, _, body := doH3Request(
+		t, qp, proxyAddr, proxyCAX509,
 		"api.example.com", "GET", "/v1/data",
 		nil, nil,
 	)
diff --git a/internal/proxy/server.go b/internal/proxy/server.go
index c2f1396..17bc1f4 100644
--- a/internal/proxy/server.go
+++ b/internal/proxy/server.go
@@ -420,7 +420,8 @@ func (r *policyRuleSet) Allow(ctx context.Context, req *socks5.Request) (context
 			// No seed credit: every HTTP request triggers its own
 			// per-request approval with method and path visible in
 			// the Telegram message.
-			checker := NewRequestPolicyChecker(r.engine, r.broker,
+			checker := NewRequestPolicyChecker(
+				r.engine, r.broker,
 				WithPersist(r.buildPersistFunc()),
 			)
 			ctx = context.WithValue(ctx, ctxKeyPerRequestPolicy, checker)
@@ -1435,7 +1436,8 @@ func (s *Server) sniPolicyCheckBeforeDial(ctx context.Context, request *socks5.R
 		} else if s.rules.broker == nil {
 			ctx = context.WithValue(ctx, ctxKeySkipPerRequest, true)
 		} else {
-			checker := NewRequestPolicyChecker(s.rules.engine, s.rules.broker,
+			checker := NewRequestPolicyChecker(
+				s.rules.engine, s.rules.broker,
 				WithPersist(s.rules.buildPersistFunc()),
 			)
 			ctx = context.WithValue(ctx, ctxKeyPerRequestPolicy, checker)
@@ -1452,7 +1454,8 @@ func (s *Server) sniPolicyCheckBeforeDial(ctx context.Context, request *socks5.R
 		// Auto-allow the connection and defer approval to per-request
 		// checks where the HTTP method and path are visible.
 		log.Printf("[SNI->DEFER] %s:%d (hostname %s: approval deferred to per-request)", ipStr, port, sni)
-		checker := NewRequestPolicyChecker(s.rules.engine, s.rules.broker,
+		checker := NewRequestPolicyChecker(
+			s.rules.engine, s.rules.broker,
 			WithPersist(s.rules.buildPersistFunc()),
 		)
 		ctx = context.WithValue(ctx, ctxKeyPerRequestPolicy, checker)
@@ -2173,7 +2176,8 @@ func (s *Server) resolveQUICPolicy(dest string, port int) (checker *RequestPolic
 		switch resp {
 		case channel.ResponseAllowOnce:
 			log.Printf("[QUIC->ALLOW] %s:%d (user approved once)", dest, port)
-			return NewRequestPolicyChecker(s.rules.engine, s.rules.broker,
+			return NewRequestPolicyChecker(
+				s.rules.engine, s.rules.broker,
 				WithPersist(s.rules.buildPersistFunc()),
 				WithSeedCredits(1),
 			), false
@@ -2203,7 +2207,8 @@ func (s *Server) resolveQUICPolicy(dest string, port int) (checker *RequestPolic
 	// re-evaluate policy. SeedCredits(1) means the first request passes
 	// without a broker call, then the checker kicks in.
 	if verdict == policy.Allow && matchSource == policy.DefaultVerdict {
-		return NewRequestPolicyChecker(s.rules.engine, s.rules.broker,
+		return NewRequestPolicyChecker(
+			s.rules.engine, s.rules.broker,
 			WithPersist(s.rules.buildPersistFunc()),
 			WithSeedCredits(1),
 		), false
diff --git a/internal/proxy/ws_test.go b/internal/proxy/ws_test.go
index 1aa7317..8f35c6b 100644
--- a/internal/proxy/ws_test.go
+++ b/internal/proxy/ws_test.go
@@ -603,7 +603,8 @@ func readFrameFromConn(t *testing.T, conn net.Conn) *Frame {
 }
 
 func TestWSProxy_PhantomTokenReplacement(t *testing.T) {
-	wp := setupWSProxy(t,
+	wp := setupWSProxy(
+		t,
 		map[string]string{"api_key": "sk-real-secret-12345"},
 		[]vault.Binding{{
 			Destination: "api.example.com",
@@ -650,7 +651,8 @@ func TestWSProxy_PhantomTokenReplacement(t *testing.T) {
 
 func TestWSProxy_UnboundPhantomStripped(t *testing.T) {
 	// Credential exists but no binding for this destination.
-	wp := setupWSProxy(t,
+	wp := setupWSProxy(
+		t,
 		map[string]string{"api_key": "sk-real-secret-12345"},
 		nil, // no bindings
 		nil, nil,
@@ -687,7 +689,8 @@ func TestWSProxy_UnboundPhantomStripped(t *testing.T) {
 }
 
 func TestWSProxy_BinaryFramePassthrough(t *testing.T) {
-	wp := setupWSProxy(t,
+	wp := setupWSProxy(
+		t,
 		map[string]string{"api_key": "sk-real-secret-12345"},
 		[]vault.Binding{{
 			Destination: "api.example.com",
@@ -755,7 +758,8 @@ func TestWSProxy_ControlFramePassthrough(t *testing.T) {
 }
 
 func TestWSProxy_ContentDenyClosesConnection(t *testing.T) {
-	wp := setupWSProxy(t,
+	wp := setupWSProxy(
+		t,
 		nil, nil,
 		[]WSBlockRuleConfig{{
 			Pattern: `(?i)password\s*[:=]\s*\S+`,
@@ -804,7 +808,8 @@ func TestWSProxy_ContentDenyClosesConnection(t *testing.T) {
 }
 
 func TestWSProxy_ContentRedactInResponse(t *testing.T) {
-	wp := setupWSProxy(t,
+	wp := setupWSProxy(
+		t,
 		nil, nil, nil,
 		[]WSRedactRuleConfig{{
 			Pattern:     `sk-[a-zA-Z0-9_-]{20,}`,
@@ -847,7 +852,8 @@ func TestWSProxy_ContentRedactInResponse(t *testing.T) {
 }
 
 func TestWSProxy_ContentDenyDoesNotBlockNonMatching(t *testing.T) {
-	wp := setupWSProxy(t,
+	wp := setupWSProxy(
+		t,
 		nil, nil,
 		[]WSBlockRuleConfig{{
 			Pattern: `(?i)password\s*[:=]\s*\S+`,
@@ -886,7 +892,8 @@ func TestWSProxy_ContentDenyDoesNotBlockNonMatching(t *testing.T) {
 }
 
 func TestWSProxy_RedactDoesNotModifyBinary(t *testing.T) {
-	wp := setupWSProxy(t,
+	wp := setupWSProxy(
+		t,
 		nil, nil, nil,
 		[]WSRedactRuleConfig{{
 			Pattern:     `secret`,
diff --git a/internal/vault/provider_1password.go b/internal/vault/provider_1password.go
index a9e0cf2..f484aec 100644
--- a/internal/vault/provider_1password.go
+++ b/internal/vault/provider_1password.go
@@ -96,7 +96,8 @@ func NewOnePasswordProvider(token, vaultName, field string) (*OnePasswordProvide
 		field = "credential"
 	}
 
-	client, err := onepassword.NewClient(context.Background(),
+	client, err := onepassword.NewClient(
+		context.Background(),
 		onepassword.WithServiceAccountToken(token),
 		onepassword.WithIntegrationInfo("Sluice", "v1.0.0"),
 	)
diff --git a/internal/vault/provider_keepass_test.go b/internal/vault/provider_keepass_test.go
index 76c9608..ee2afd2 100644
--- a/internal/vault/provider_keepass_test.go
+++ b/internal/vault/provider_keepass_test.go
@@ -37,7 +37,8 @@ func createTestKDBXAt(t *testing.T, dbPath, password string, entries map[string]
 
 	for title, pw := range entries {
 		entry := gokeepasslib.NewEntry()
-		entry.Values = append(entry.Values,
+		entry.Values = append(
+			entry.Values,
 			mkValue("Title", title),
 			mkProtectedValue("Password", pw),
 		)
@@ -49,7 +50,8 @@ func createTestKDBXAt(t *testing.T, dbPath, password string, entries map[string]
 		sub.Name = groupName
 		for title, pw := range groupEntries {
 			entry := gokeepasslib.NewEntry()
-			entry.Values = append(entry.Values,
+			entry.Values = append(
+				entry.Values,
 				mkValue("Title", title),
 				mkProtectedValue("Password", pw),
 			)
@@ -260,7 +262,8 @@ func TestKeePassProviderListEmpty(t *testing.T) {
 
 func TestKeePassProviderSubGroups(t *testing.T) {
 	dir := t.TempDir()
-	dbPath := createTestKDBXWithGroups(t, dir, "testpass",
+	dbPath := createTestKDBXWithGroups(
+		t, dir, "testpass",
 		map[string]string{"root_key": "root_val"},
 		map[string]map[string]string{
 			"APIs": {"api_key": "api_val"},
@@ -431,7 +434,8 @@ func TestKeePassProviderDuplicateTitles(t *testing.T) {
 	// Add two entries with the same title.
 	for _, pw := range []string{"first-value", "second-value"} {
 		entry := gokeepasslib.NewEntry()
-		entry.Values = append(entry.Values,
+		entry.Values = append(
+			entry.Values,
 			mkValue("Title", "dup_key"),
 			mkProtectedValue("Password", pw),
 		)