A persistent, risk-aware engineering protocol for Hermes Agent
Project description
HARDPROOF
Software has to earn done.
Alpha software. v0.1.0 is a public alpha. Latest development is v0.2.0 Gatehouse. Commands, schemas, and contracts may change before v1.0.0. Install from GitHub; PyPI publication is pending.
Hardproof gives coding agents a persistent, risk-aware engineering process that turns ambiguous software requests into reviewed, verified results while preserving the evidence behind every completion claim.
A persistent, risk-aware engineering protocol for Hermes Agent.
Current Status
| Release | Version | Status |
|---|---|---|
| Public alpha | v0.1.0 Core Heat | Released |
| Active development | v0.2.0 Gatehouse | Task 8 (stage-graph configuration) next |
Install and enable
From GitHub (only option until PyPI publication):
hermes plugins install asimons81/hardproof --enable
From PyPI (not yet published -- this will work once the package is uploaded):
pip install hardproof
hermes plugins enable hardproof
Plugins remain opt-in under Hermes configuration. Hardproof does not edit global instructions or install skills into the user's global skill directory.
First run
Start in a Git repository with at least one commit:
/hardproof start standard Build API-key rotation with rollback support
/hardproof status
The equivalent terminal surface is:
hermes hardproof start standard "Build API-key rotation with rollback support"
hermes hardproof status
Hardproof stores state under .hardproof/, adds that directory to the repository-local Git exclude file when necessary, and injects compact stage context into bound Hermes sessions.
Profiles
Quick supports low-risk localized work with recorded skips and at least one fresh verification check. Use for typo fixes, doc updates, or one-line changes.
Standard requires discovery, design and plan artifacts, human design and plan approvals, tracked implementation, review, fresh verification, delivery, and a learning decision. Use for feature work, refactors, or multi-file changes.
Critical adds destructive-action approvals, at least two checks, rollback and risk material, fail-closed mutation policy, and human completion approval. Use for auth changes, data migrations, or production configuration.
No profile permits completion without fresh successful evidence.
Architecture
Hardproof is a standalone Python package discovered through the hermes_agent.plugins entry-point group. It uses only the public Hermes registration, hook, command, skill, and dispatch APIs.
- Plugin layer -- registers slash commands, CLI commands, six tools, lifecycle hooks, and nine namespaced skills
- Domain layer -- run profiles, stages, transitions, approval gates, and immutable event models
- Policy layer -- stage-aware mutation rules, tool policies, and human-required approval escalation
- Storage layer -- project-local SQLite database with forward-only migrations plus human-readable artifacts under
.hardproof/runs/<run-id>/ - Verification layer -- workspace-bound evidence with Git HEAD capture, binary diff freshness checks, and redacted output recording
See architecture, protocol profiles, and compatibility.
Verification Evidence
Hardproof requires fresh, workspace-bound evidence before any run can complete. Verification checks run through Hermes in the current working directory, capturing:
- Git HEAD commit hash at the time of verification
- Binary diff against the working tree to detect uncommitted changes
- Redacted, size-bounded output from each configured check
- Strict exit-code evaluation (only explicit zero passes)
Evidence is recorded in the run ledger and included in every completion report. Stale evidence -- evidence recorded against a different workspace state -- is flagged and cannot satisfy completion gates.
Security Boundary
Hardproof coordinates engineering process; it is not a security sandbox. Policy hooks do not replace OS permissions, protected branches, sandboxing, isolation, or human code review.
Protections included:
- Force pushes and destructive Git operations are blocked
- Recognized destructive actions are blocked or require human approval
- Source mutation is stage-aware (locked in later stages)
- Human-only approval gates prevent model self-approval
- Policy decisions are recorded with cryptographic hashes of arguments and configuration
See SECURITY.md and the security model.
Privacy
Hardproof has no telemetry, no analytics, no accounts, no hosted dependencies, no remote asset fetching, and no automatic update checks. Normal local operation makes no intentional network request. Verification output is redacted and size-bounded. Policy events store argument keys and hashes rather than raw values. Nothing phones home.
Known Limitations in v0.1.0
- Policy hooks coordinate process but are not a security sandbox or complete shell parser
- Managed runs require a Git worktree for workspace-bound freshness evidence
- Local compatibility evidence covers Hermes Agent 0.18.2 on native Windows; other OS support is CI-enforced
- Gatehouse policy features (configurable rules, waivers, risk suggestions) ship in v0.2.0
Roadmap
| Version | Codename | Focus |
|---|---|---|
| v0.1.0 | Core Heat | Standalone plugin, durable stages, SQLite state, approvals, skills, fresh evidence, reports |
| v0.2.0 | Gatehouse | Explainable configurable policy, scoped waivers, risk suggestions, language packs |
| v0.3.0 | Workcells | Dependency-aware task waves, resumable subagent implementers |
| v0.4.0 | Challenge Chamber | Independent specialized reviewers, severity, fix/re-review loops |
| v0.5.0 | Isolation | Branches, worktrees, baseline proof, rollback, backend adapters |
| v0.6.0 | Tempering | Human-approved provenance-linked learning proposals |
| v0.7.0 | Control Room | Cross-surface continuity, timeline, notifications, local dashboard |
| v0.8.0 | Protocol SDK | Frozen documented policy, validator, evidence, report interfaces |
| v0.9.0 | Hardening | Migration rehearsals, recovery, concurrency, performance, security scenarios |
| v1.0.0 | Proven | Stable public contracts, multi-repo validation across OS and backend targets |
See ROADMAP.md. A release advances only after its tests, migrations, security review, compatibility evidence, documentation, and package artifacts pass.
Contributing
Start with CONTRIBUTING.md, GOVERNANCE.md, and CODE_OF_CONDUCT.md. Design changes use ADRs; breaking protocol changes require a public RFC issue. Contributions use the Developer Certificate of Origin rather than a CLA.
Inspiration
Hardproof acknowledges conceptual inspiration while maintaining a strict clean-room boundary. See INSPIRATION.md.
License
Apache-2.0. See LICENSE and NOTICE.
Affiliation
Hardproof is independent open-source software. It is not affiliated with, endorsed by, or sponsored by Hermes Agent, Nous Research, Atlassian, or any other organization.
Topics: hermes-agent coding-agents agentic-coding software-engineering verification developer-tools open-source python
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file hardproof-0.1.1.tar.gz.
File metadata
- Download URL: hardproof-0.1.1.tar.gz
- Upload date:
- Size: 57.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4b2234f4310e5a59cf13e3d85267c79b0a877c3545a1d2ed4ad9c0cbd8384ac7
|
|
| MD5 |
0fa2d84637dbe13e4173e3824b5c7fde
|
|
| BLAKE2b-256 |
4d776be634050f98369531ad0fe2b0b9d39a790af6ab6f03c534823fd5e5577e
|
Provenance
The following attestation bundles were made for hardproof-0.1.1.tar.gz:
Publisher:
release.yml on asimons81/hardproof
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hardproof-0.1.1.tar.gz -
Subject digest:
4b2234f4310e5a59cf13e3d85267c79b0a877c3545a1d2ed4ad9c0cbd8384ac7 - Sigstore transparency entry: 2145687314
- Sigstore integration time:
-
Permalink:
asimons81/hardproof@095abc3fd2829758ce3c9d86005b90fac03b8061 -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/asimons81
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@095abc3fd2829758ce3c9d86005b90fac03b8061 -
Trigger Event:
push
-
Statement type:
File details
Details for the file hardproof-0.1.1-py3-none-any.whl.
File metadata
- Download URL: hardproof-0.1.1-py3-none-any.whl
- Upload date:
- Size: 74.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c7fab03e4ef7d482e8c83dababe5f3c5b9f33e1347c74a23230f297a04f1a0c9
|
|
| MD5 |
945aad3f46bc0c00f84cbc6c32c3f5f0
|
|
| BLAKE2b-256 |
5f35216e1c2ba8036347f4f5f3006a8223b0a8451f0d86eb5599f16372b064e8
|
Provenance
The following attestation bundles were made for hardproof-0.1.1-py3-none-any.whl:
Publisher:
release.yml on asimons81/hardproof
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hardproof-0.1.1-py3-none-any.whl -
Subject digest:
c7fab03e4ef7d482e8c83dababe5f3c5b9f33e1347c74a23230f297a04f1a0c9 - Sigstore transparency entry: 2145687372
- Sigstore integration time:
-
Permalink:
asimons81/hardproof@095abc3fd2829758ce3c9d86005b90fac03b8061 -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/asimons81
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@095abc3fd2829758ce3c9d86005b90fac03b8061 -
Trigger Event:
push
-
Statement type: