indexAgent Security & Ops#security#ops#isolation#threat-model#always-on

Agent Security & Ops

Security is an always-active branch, not a late phase. Several workflows touch money, accounts, and outbound messages, so the threat model is in scope from day one. The premise to internalize: profiles do not sandbox — they isolate Hermes state, they don't give you a jail. Real isolation comes from the terminal backends plus draft/approval mode.

The strong rule: any workflow that can send a message, apply on my behalf, touch money, or delete/modify external accounts starts in draft/review. SOUL.md imposes no limits — the limits are the backend (Docker/SSH/Modal) and the approval gate.

Planned notes

  • The personal-agent threat model
  • Profiles isolate state, not a jail — what that means
  • Real isolation: Docker / SSH / Modal terminal backends
  • Draft / approval mode as the default safety gate
  • Secrets handling and .env hygiene per profile
  • MCP credential isolation
  • Prompt injection: attack surface and defenses
  • Context file scanning
  • Cron safety: approval before sensitive scheduled actions
  • Audit logs and what to log
  • Backups, checkpoints, and rollback
  • The "draft-first" rule for money/accounts/sends

Core sources

  • Hermes — Security — https://hermes-agent.nousresearch.com/docs/user-guide/security
  • Hermes — Checkpoints & Rollback — https://hermes-agent.nousresearch.com/docs/user-guide/checkpoints-and-rollback
  • Hermes — User Guide: Profiles (state isolation) — https://hermes-agent.nousresearch.com/docs/user-guide/profiles
  • Agentic Systems — agent securityTODO (see SOURCES.md).

Connects to: Profiles, Actors & Delegation · Tools, MCP & Plugins · Telegram Agent Interface · Evaluation & Observability