Hermes
Hermes connector wires config.yaml hooks for the Hermes agent runtime, with discovery for MCP, skills, and plugins.
The Hermes connector wires DefenseClaw into the Hermes agent runtime via ~/.hermes/config.yaml hooks and discovery surfaces for MCP servers, skills, and plugins.
Setup
defenseclaw setup hermessetup hermes is shorthand for setup guardrail --connector hermes: it adds or reconfigures Hermes, wires hooks against ~/.hermes/config.yaml, and discovers existing MCP servers, skills, and plugins. There is no proxy-enforcement path for Hermes — blocking happens hook-side via the documented pre-tool-call hook. Hermes has no native human-approval surface, so confirm verdicts use an immediate system-message fallback with raw_action preserved for audit.
What setup hermes actually does
The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.
| Flag | Default | What it does |
|---|---|---|
--yes / -y | off | Skip the confirmation prompt (alias: --non-interactive, --accept-defaults). |
--restart / --no-restart | --restart | Bounce defenseclaw-gateway after applying changes so the new hooks wire in. |
--with-local-stack / --no-local-stack | --no-local-stack | Also bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up. |
The alias defaults Hermes to observe mode and can join an existing hook-connector roster when you choose Add. To tune Hermes after install, keep using defenseclaw setup guardrail --connector hermes — see the variations below.
Common variations — pick the recipe that fits your phase
defenseclaw setup hermesConfirms once, wires the hooks block in ~/.hermes/config.yaml, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.
defenseclaw setup hermes --yes --with-local-stackSame as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.
export DEFENSECLAW_LLM_KEY='replace-with-your-key'
defenseclaw setup hermes # base alias first
defenseclaw setup guardrail \
--connector hermes \
--rule-pack strict \
--scanner-mode both \
--detection-strategy regex_judge \
--judge-model anthropic/claude-sonnet-4-20250514 \
--judge-api-key-env DEFENSECLAW_LLM_KEY \
--restartThe alias selects Hermes; the follow-up setup guardrail --connector hermes swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.
Hermes has no proxy enforcement, but its hooks themselves can block. After setup hermes, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:
connector_hooks:
hermes:
enabled: true
mode: action # observe (default) | action
fail_mode: open # open | closedThen defenseclaw setup guardrail --restart to re-wire. With mode: action, Hermes' pre-tool-call hook blocks when policy returns block. A confirm result falls back to a system message because Hermes has no native ask surface; the TUI can review the audit event but cannot resume the call.
Decision aids — should I turn this on?
Human-in-the-loop (HITL)
Per-connector ask matrix. Hermes has no native ask; confirm uses a system-message fallback preserved in audit.
Full setup guardrail flag reference
All ~20 flags you can pass via `setup guardrail --connector hermes` when tuning Hermes.
Defaults & rule packs
What permissive / default / strict actually ship, and which one matches your risk tolerance.
Interactive wizard
Animated terminal demo of the prompt-by-prompt setup flow — the safest path the first time.
Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.
Files DefenseClaw will modify
Hook capabilities
Block events
- pre_tool_call
Native ask events
None — confirm verdicts are downgraded with the raw action preserved.
Hermes can block supported hook events but has no native human-approval surface. Confirm verdicts use a system-message fallback with raw_action preserved; audit and the TUI are review-only.
Disable
defenseclaw setup guardrail --disableCursor
Cursor connector wires hooks.json with native ask on beforeShellExecution and beforeMCPExecution. Block on preToolUse, beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, stop.
OpenCode
The OpenCode connector wires DefenseClaw into opencode via a dependency-free JavaScript bridge plugin auto-loaded from ~/.config/opencode/plugins/, whose tool.execute.before hook blocks risky tool calls by throwing.