Hermes
The Hermes connector wires DefenseClaw into the Hermes agent runtime via ~/.hermes/config.yaml hooks and discovery surfaces for MCP servers, skills, and plugins.
Setup
```bash
defenseclaw setup hermes
```
Pins claw.mode=hermes, wires hooks against ~/.hermes/config.yaml, and discovers existing MCP servers, skills, and plugins. There is no proxy-enforcement path for Hermes — blocking happens hook-side via the documented pre-tool-call hook. Hermes has no native human-approval surface, so HITL approvals downgrade to confirm verdicts in the DefenseClaw TUI.
What setup hermes actually does
The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.
| Flag | Default | What it does |
|---|---|---|
| `--yes` / `-y` | off | Skip the confirmation prompt (aliases: `--non-interactive`, `--accept-defaults`). |
| `--restart` / `--no-restart` | `--restart` | Bounce `defenseclaw-gateway` after applying changes so the new hooks wire in. |
| `--with-local-stack` / `--no-local-stack` | `--no-local-stack` | Also bring up the bundled Prom/Loki/Tempo/Grafana stack via `setup local-observability up`. |
Pinned by the alias regardless of flags: claw.mode=hermes, guardrail.connector=hermes, guardrail.mode=observe, guardrail.scanner_mode=local, guardrail.judge.enabled=false, guardrail.detection_strategy=regex_only. To tune any of those after install, use defenseclaw setup guardrail --connector hermes — see the variations below.
Common variations — pick the recipe that fits your phase
```bash
defenseclaw setup hermes
```
Confirms once, wires the hooks block in ~/.hermes/config.yaml, and restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted and no requests are blocked. Pass --yes to skip the confirmation in CI.

```bash
defenseclaw setup hermes --yes --with-local-stack
```
Same as the standard recipe, but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.

```bash
export DEFENSECLAW_LLM_KEY=<your-key>
defenseclaw setup hermes   # base alias first
defenseclaw setup guardrail \
  --connector hermes \
  --rule-pack strict \
  --scanner-mode both \
  --detection-strategy regex_judge \
  --judge-model anthropic/claude-sonnet-4-20250514 \
  --judge-api-key-env DEFENSECLAW_LLM_KEY \
  --restart
```
The alias keeps the connector pinned; the follow-up setup guardrail swaps in the strict rule pack, runs both the local and Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.
Hermes has no proxy enforcement, but its hooks themselves can block. After setup hermes, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:
```yaml
connector_hooks:
  hermes:
    enabled: true
    mode: action      # observe (default) | action
    fail_mode: open   # open | closed
```
Then run defenseclaw setup guardrail --restart to re-wire. With mode: action, Hermes' pre-tool-call hook blocks on findings; HITL approvals downgrade to confirm verdicts in the DefenseClaw TUI since Hermes has no native ask surface — make sure operators are reachable there.
Decision aids — should I turn this on?
Human-in-the-loop (HITL)
Per-connector ask matrix. Hermes downgrades to confirm verdicts in the TUI / audit log since it has no native ask.
Full setup guardrail flag reference
All ~20 flags you can pass via `setup guardrail --connector hermes` after the alias has pinned things.
Defaults & rule packs
What permissive / default / strict actually ship, and which one matches your risk tolerance.
Interactive wizard
Animated terminal demo of the prompt-by-prompt setup flow — the safest path the first time.
Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.
Files DefenseClaw will modify
Hook capabilities
Block events
- pre_tool_call
Native ask events
None — confirm verdicts are downgraded with the raw action preserved.
Hermes can block supported hook events but has no native human-approval surface; HITL approvals fall back to confirm verdicts in the DefenseClaw TUI / audit log.
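The hook semantics described in the enforcement recipe above and in this capability table (observe vs. action mode, pre_tool_call as the only blocking event, ask downgraded to confirm, fail_mode open vs. closed) can be modelled in a few lines. This is an added illustration, not DefenseClaw's own code; the HookConfig shape, the verdict strings, and the choice that a downgraded confirm does not stop the call (Hermes cannot pause for an operator) are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// HookConfig mirrors the connector_hooks.hermes block in ~/.defenseclaw/config.yaml (assumed shape).
type HookConfig struct {
	Enabled  bool
	Mode     string // "observe" (default) | "action"
	FailMode string // "open" | "closed"
}

// Outcome is what the Hermes hook does with one event. Raw keeps the scanner's
// original verdict; Verdict is what reaches gateway.jsonl and the TUI.
type Outcome struct {
	Allowed    bool
	Raw        string
	Verdict    string
	Downgraded bool // true when an "ask" became "confirm"
}

// Decide applies the connector's rules: only pre_tool_call can block, and only
// in mode=action; "ask" always downgrades to "confirm" because Hermes has no
// native ask surface; fail_mode decides what an enforcing hook does when the
// scanner itself errors out. Verdict strings are assumed for this example.
func Decide(cfg HookConfig, event, verdict string, scanErr error) Outcome {
	out := Outcome{Allowed: true, Raw: verdict, Verdict: verdict}
	if !cfg.Enabled {
		out.Verdict = "skipped" // hook disabled: nothing scanned, nothing recorded
		return out
	}
	enforcing := cfg.Mode == "action" && event == "pre_tool_call"
	if scanErr != nil {
		out.Verdict = "scan_error"
		out.Allowed = !(enforcing && cfg.FailMode == "closed") // fail closed only blocks in action mode
		return out
	}
	switch verdict {
	case "ask":
		out.Verdict, out.Downgraded = "confirm", true // surfaced to the operator in the TUI; raw verdict preserved
	case "block":
		out.Allowed = !enforcing // observe mode records the finding but lets the call through
	}
	return out
}

func main() {
	cfg := HookConfig{Enabled: true, Mode: "action", FailMode: "open"}
	fmt.Printf("%+v\n", Decide(cfg, "pre_tool_call", "block", nil))
	fmt.Printf("%+v\n", Decide(cfg, "pre_tool_call", "ask", nil))
	fmt.Printf("%+v\n", Decide(cfg, "pre_tool_call", "allow", errors.New("scanner unreachable")))
}
```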
Disable
```bash
defenseclaw setup guardrail --disable
```