Agent Security & Ops
Security is an always-active branch, not a late phase. Several workflows touch money, accounts, and outbound messages, so the threat model is in scope from day one. The premise to internalize: profiles do not sandbox — they isolate Hermes state, they don't give you a jail. Real isolation comes from the terminal backends plus draft/approval mode.
The strong rule: any workflow that can send a message, apply on my behalf, touch money, or delete/modify external accounts starts in draft/review.
SOUL.mdimposes no limits — the limits are the backend (Docker/SSH/Modal) and the approval gate.
Planned notes
- The personal-agent threat model
- Profiles isolate state, not a jail — what that means
- Real isolation: Docker / SSH / Modal terminal backends
- Draft / approval mode as the default safety gate
- Secrets handling and
.envhygiene per profile - MCP credential isolation
- Prompt injection: attack surface and defenses
- Context file scanning
- Cron safety: approval before sensitive scheduled actions
- Audit logs and what to log
- Backups, checkpoints, and rollback
- The "draft-first" rule for money/accounts/sends
Core sources
- Hermes — Security — https://hermes-agent.nousresearch.com/docs/user-guide/security
- Hermes — Checkpoints & Rollback — https://hermes-agent.nousresearch.com/docs/user-guide/checkpoints-and-rollback
- Hermes — User Guide: Profiles (state isolation) — https://hermes-agent.nousresearch.com/docs/user-guide/profiles
- Agentic Systems — agent security —
TODO(seeSOURCES.md).
Connects to: Profiles, Actors & Delegation · Tools, MCP & Plugins · Telegram Agent Interface · Evaluation & Observability