Draft Security Advanced Hermes

Hermes Action Gate

Hermes-side enforcement hook for Action Gate, dev only.

Hermes Action Gate is the Hermes-side enforcement hook for the Action Gate project. The plugin hooks pre_gateway_dispatch, pre_tool_call, and should_suppress_runtime_noise, applies the per-scope policy the openclaw-action-gate plugin also enforces, and writes a parallel audit record. The hard-egress wrapper artifacts are still landing; this entry is Draft/dev until they do.

Source

h-mascot/agent-action-gate (plugins/hermes-action-gate)

Canonical source: https://github.com/h-mascot/agent-action-gate/tree/main/plugins/hermes-action-gate

Supported platforms

  • Hermes: Hermes plugin hooks plus hard-egress wrapper artifacts around send paths.

Prerequisites

  • Runtime: Hermes 1.6+ (isolated/dev). The plugin targets the isolated/dev Hermes surface; production Hermes is not in scope for this entry.
  • Dependency: Python 3.11+. The plugin is a Python package; install with a venv for isolation.
  • Review: Hard-egress wrapper artifacts. Until the wrapper patches land, this plugin reports hook load but does not actually wrap direct send paths.

Install

One-shot install into a host plugins/ directory, then the auto installer registers the plugin with the running runtime.

git clone --depth=1 https://github.com/h-mascot/agent-action-gate.git /tmp/agent-action-gate && cp -R /tmp/agent-action-gate/plugins/hermes-action-gate ~/.hermes/plugins/hermes-action-gate && (cd ~/.hermes/plugins/hermes-action-gate && python3 -m venv .venv && .venv/bin/pip install -e .) && hermes plugins enable action-gate
Step 1
Clone the canonical Action Gate source
Fetch the agent-action-gate repo into a scratch directory on the Hermes host.
git clone --depth=1 https://github.com/h-mascot/agent-action-gate.git /tmp/agent-action-gate
Step 2
Stage the Hermes plugin
Copy plugins/hermes-action-gate into the Hermes plugins directory.
cp -R /tmp/agent-action-gate/plugins/hermes-action-gate ~/.hermes/plugins/hermes-action-gate
Step 3
Install the Python package
Create a virtual environment inside the plugin directory and install the package locally in editable mode with pip install -e .
cd ~/.hermes/plugins/hermes-action-gate && python3 -m venv .venv && .venv/bin/pip install -e .
Step 4
Enable the plugin
hermes plugins enable action-gate registers the hooks and reads the action-gate.json policy.
hermes plugins enable action-gate
Verification

Configuration is what you wanted. Enforcement is what happened. The verify script is the receipt.

ssh enterprise@100.104.229.62 "action-gate verify --scope shared-room --non-owner ada"
Check 1
Hermes plugin loaded with required hooks
hermes plugins list must include action-gate, and inspect must show all three hooks.
hermes plugins list | grep action-gate
Expected action-gate enforce ~/.hermes/plugins/action-gate
Check 2
Non-owner send is denied on the Hermes side
A second agent identity attempting to publish into the protected scope via Hermes must be denied with reason non_owner.
ssh enterprise@100.104.229.62 "action-gate verify --scope shared-room --non-owner ada"
Expected decision=deny reason=non_owner audit=recorded
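
A fail-closed way to evaluate the two checks above from a script, as an added example that is not part of the Action Gate project. It assumes the plugin listing is whitespace-separated with the plugin name and mode in the first two columns, and that the verify output is space-separated key=value pairs, as the Expected lines suggest; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not project code. Sample lines are constructed from the
# "Expected" outputs on this page; the column layout is an assumption.
SAMPLE_LISTING='action-gate enforce ~/.hermes/plugins/action-gate'
SAMPLE_RECEIPT='decision=deny reason=non_owner audit=recorded'

# kv_get LINE KEY: print the value of KEY from a space-separated key=value
# line. Fails if KEY is missing or repeated, so an ambiguous receipt is rejected.
kv_get() {
    kv_found="" kv_count=0
    set -f                          # no glob expansion while splitting the line
    for kv_tok in $1; do
        case $kv_tok in
            "$2"=*) kv_found=${kv_tok#*=}; kv_count=$((kv_count + 1)) ;;
        esac
    done
    set +f
    [ "$kv_count" -eq 1 ] || return 1
    printf '%s\n' "$kv_found"
}

# check_plugin_listed LISTING: exact match on the name column, so a companion
# entry such as openclaw-action-gate (which a plain grep would hit) does not pass.
check_plugin_listed() {
    printf '%s\n' "$1" |
        awk '$1 == "action-gate" && $2 == "enforce" { ok = 1 } END { exit !ok }'
}

# check_deny_receipt LINE: passes only for a recorded non_owner deny.
check_deny_receipt() {
    [ "$(kv_get "$1" decision)" = "deny" ] || return 1
    [ "$(kv_get "$1" reason)" = "non_owner" ] || return 1
    [ "$(kv_get "$1" audit)" = "recorded" ] || return 1
}

# verify_gate LISTING RECEIPT: both checks must pass. Hook load alone is never
# reported as enforcement, in line with the Status note on this page.
verify_gate() {
    check_plugin_listed "$1" && check_deny_receipt "$2"
}
```

In use, pass the captured output of the Check 1 and Check 2 commands as the two arguments to verify_gate.
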
Uninstall / rollback

Disable the plugin with the running runtime first, then remove the staged plugin directory. The audit store stays so you can prove the rollout happened.

hermes plugins disable action-gate && rm -rf ~/.hermes/plugins/hermes-action-gate

Status

Draft/dev. The plugin hook surface is in place, but the hard-egress wrapper artifacts around the Hermes send paths are still landing. Until they do, this plugin reports hook load but does not actually wrap direct send paths. Treat this entry as documentation of the eventual contract, not as an installable enforcement target.

  • Isolated/dev Hermes only; production Hermes is not in scope.
  • Hard-egress wrapper artifacts are still landing; do not claim enforcement from this entry alone.
  • Companion to openclaw-action-gate; the two runtimes must agree on the same scope policy for the gate to be real.