Connectors

Hermes

Hermes connector wires config.yaml hooks for the Hermes agent runtime, with discovery for MCP, skills, and plugins.

The Hermes connector wires DefenseClaw into the Hermes agent runtime via ~/.hermes/config.yaml hooks and discovery surfaces for MCP servers, skills, and plugins.

Three commands against one Hermes Agent session in observe mode, every event reporting into the DefenseClaw gateway: (1) `echo hello` flows through as action=allow / severity=NONE; (2) `chmod 777 /tmp/dc_test` matches CMD-CHMOD-WORLD HIGH — DefenseClaw's finding is injected into the agent's context via Hermes' pre_llm_call hook, so the agent itself explains inline why world-writable + world-executable perms are risky; (3) `cat /etc/shadow` raises a CRITICAL sensitive-file read. Observe mode logs without blocking, so each pre_tool_call / post_tool_call / llm_prompt / session event streams live into the Splunk Connector Activity dashboard filtered to connector=hermes on the right.

Setup

defenseclaw setup hermes

setup hermes is shorthand for setup guardrail --connector hermes: it adds or reconfigures Hermes, wires hooks against ~/.hermes/config.yaml, and discovers existing MCP servers, skills, and plugins. There is no proxy-enforcement path for Hermes — blocking happens hook-side via the documented pre-tool-call hook. Hermes has no native human-approval surface, so confirm verdicts use an immediate system-message fallback with raw_action preserved for audit.

What setup hermes actually does

The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

FlagDefaultWhat it does
--yes / -yoffSkip the confirmation prompt (alias: --non-interactive, --accept-defaults).
--restart / --no-restart--restartBounce defenseclaw-gateway after applying changes so the new hooks wire in.
--with-local-stack / --no-local-stack--no-local-stackAlso bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up.

The alias defaults Hermes to observe mode and can join an existing hook-connector roster when you choose Add. To tune Hermes after install, keep using defenseclaw setup guardrail --connector hermes — see the variations below.

Common variations — pick the recipe that fits your phase

defenseclaw setup hermes

Confirms once, wires the hooks block in ~/.hermes/config.yaml, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.

defenseclaw setup hermes --yes --with-local-stack

Same as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.

export DEFENSECLAW_LLM_KEY='replace-with-your-key'

defenseclaw setup hermes                                  # base alias first
defenseclaw setup guardrail \
  --connector hermes \
  --rule-pack strict \
  --scanner-mode both \
  --detection-strategy regex_judge \
  --judge-model anthropic/claude-sonnet-4-20250514 \
  --judge-api-key-env DEFENSECLAW_LLM_KEY \
  --restart

The alias selects Hermes; the follow-up setup guardrail --connector hermes swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.

Hermes has no proxy enforcement, but its hooks themselves can block. After setup hermes, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:

connector_hooks:
  hermes:
    enabled: true
    mode: action          # observe (default) | action
    fail_mode: open       # open | closed

Then defenseclaw setup guardrail --restart to re-wire. With mode: action, Hermes' pre-tool-call hook blocks when policy returns block. A confirm result falls back to a system message because Hermes has no native ask surface; the TUI can review the audit event but cannot resume the call.

Decision aids — should I turn this on?

Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.

Files DefenseClaw will modify

config.yaml (hooks block)

Hook capabilities

Block events

  • pre_tool_call

Native ask events

None — confirm verdicts are downgraded with the raw action preserved.

Hermes can block supported hook events but has no native human-approval surface. Confirm verdicts use a system-message fallback with raw_action preserved; audit and the TUI are review-only.

Disable

defenseclaw setup guardrail --disable