A persistent, risk-aware engineering protocol for Hermes Agent
Project description
HARDPROOF
Software has to earn done.
Alpha software. v0.2.0 Gatehouse is the current signed public alpha on PyPI. v0.3.0 Workcells development has not begun. Commands, schemas, and contracts may change before v1.0.0.
Hardproof gives coding agents a persistent, risk-aware engineering process that turns ambiguous software requests into reviewed, verified results while preserving the evidence behind every completion claim.
A persistent, risk-aware engineering protocol for Hermes Agent.
Current Release
| Release | Version | Status |
|---|---|---|
| Public alpha | v0.2.0 Gatehouse | Released on GitHub and PyPI |
| Previous | v0.1.1 Core Heat | Released on GitHub and PyPI |
| Previous | v0.1.0 Core Heat | Released on GitHub |
| Future | v0.3.0 Workcells | Not started |
Install
From PyPI:
pip install hardproof
hermes plugins enable hardproof
From GitHub:
hermes plugins install asimons81/hardproof --enable
Enable
Enable the plugin in Hermes:
hermes plugins enable hardproof
Verify discovery:
hermes hardproof doctor
Quick Start
Both the CLI and slash-command surfaces work identically:
# Terminal
hermes hardproof start standard "Build API-key rotation with rollback support"
hermes hardproof status
hermes hardproof doctor
# In Hermes chat
/hardproof start standard "Build API-key rotation with rollback support"
/hardproof status
Hardproof stores state under .hardproof/, adds that directory to the repository-local Git exclude file, and injects compact stage context into bound Hermes sessions.
How Hardproof Changes an Agent Workflow
- INT AKE — clarify the request before any code is written
- DISCOVERY — inspect the repository, constraints, and unknowns
- DESIGN — shape a reversible solution (requires human approval)
- PLAN — turn the design into dependency-aware tasks (requires human approval)
- IMPLEMENT — execute approved tasks with focused tests
- REVIEW — challenge the implementation and risks
- VERIFY — run checks and evaluate fresh workspace-bound evidence
- DELIVER — prepare an evidence-backed completion handoff
- LEARN — capture lessons or explicitly skip
Every stage has defined gates. No run completes without fresh successful evidence.
Profiles
| Profile | Use Case | Key Requirements |
|---|---|---|
| Quick | Typo fixes, doc updates, one-line changes | Recorded skips, at least one fresh verification check |
| Standard | Feature work, refactors, multi-file changes | Discovery, design and plan, human design and plan approval, tracked implementation, review, fresh verification, delivery, learning decision |
| Critical | Auth changes, data migrations, production config | Destructive-action approvals, at least two checks, rollback and risk material, fail-closed mutation policy, human completion approval |
No profile permits completion without fresh successful evidence.
Gatehouse v0.2.0 Features
Gatehouse adds strict project allow/deny/approval rules, ordered policy explanations, human-only scoped waivers, advisory risk suggestions, bounded monotonic stage graphs, configuration and migration diagnostics, and versioned Python/Node/Rust/Go policy packs. See configuration and migrations and policy packs.
Common Commands
hermes hardproof start quick|standard|critical "request"
hermes hardproof status
hermes hardproof doctor
hermes hardproof approve design|plan|completion [reason]
hermes hardproof waive <reason>
hermes hardproof pause [reason]
hermes hardproof resume [run-id]
hermes hardproof abort <reason>
hermes hardproof evidence
hermes hardproof export [path]
hermes hardproof config init|validate|explain
hermes hardproof db status|migrate [--dry-run]
hermes hardproof migrate-state
hermes hardproof runs
hermes hardproof show <run-id>
hermes hardproof policy <args>
All commands also work as /hardproof <subcommand> in Hermes chat.
Point Hermes Agent at This Repository
Hermes Agent automatically reads AGENTS.md when started in the repository. To work on Hardproof itself:
- Clone or open the repo
- Start Hermes from the repository root
- Confirm
AGENTS.mdis loaded (Hermes prints a context-file banner on startup) - Follow the instructions in docs/hermes-agent-guide.md
Architecture
Hardproof is a standalone Python package discovered through the hermes_agent.plugins entry-point group. It uses only the public Hermes registration, hook, command, skill, and dispatch APIs.
- Plugin layer — registers slash commands, CLI commands, six tools, lifecycle hooks, and nine stage skills
- Domain layer — run profiles, stages, transitions, approval gates, and immutable event models
- Policy layer — stage-aware mutation rules, tool policies, and human-required approval escalation
- Storage layer — project-local SQLite database with forward-only migrations plus human-readable artifacts under
.hardproof/runs/<run-id>/ - Verification layer — workspace-bound evidence with Git HEAD capture, binary diff freshness checks, and redacted output recording
See architecture, profiles, and compatibility.
Verification Evidence
Hardproof requires fresh, workspace-bound evidence before any run can complete. Verification checks capture:
- Git HEAD commit hash at the time of verification
- Binary diff against the working tree to detect uncommitted changes
- Redacted, size-bounded output from each configured check
- Strict exit-code evaluation (only explicit zero passes)
Stale evidence — recorded against a different workspace state — is flagged and cannot satisfy completion gates.
Security Boundary
Hardproof coordinates engineering process; it is not a security sandbox. Policy hooks do not replace OS permissions, protected branches, sandboxing, isolation, or human code review.
Hardproof includes these protections:
- Force pushes and destructive Git operations are blocked
- Recognized destructive actions are blocked or require human approval
- Source mutation is stage-aware (locked in later stages)
- Human-only approval gates prevent model self-approval
- Policy decisions are recorded with cryptographic hashes of arguments and configuration
See SECURITY.md and the security model.
Privacy
Hardproof has no telemetry, no analytics, no accounts, no hosted dependencies, no remote asset fetching, and no automatic update checks. Normal local operation makes no intentional network request. Verification output is redacted and size-bounded. Policy events store argument keys and hashes rather than raw values. Nothing phones home.
Known Limitations
- Policy hooks coordinate process but are not a security sandbox or complete shell parser
- Managed runs require a Git worktree for workspace-bound freshness evidence
- Local compatibility evidence covers Hermes Agent 0.18.2 on native Windows; macOS and Linux are CI-enforced
- Downgrade from a migrated v0.2.0 database is not supported
Documentation Index
| Document | Audience |
|---|---|
| docs/README.md | Full documentation index |
| docs/hermes-agent-guide.md | Hermes Agent operators |
| docs/architecture.md | Architecture overview |
| docs/profiles.md | Run profiles |
| docs/protocol.md | Protocol specification |
| docs/security-model.md | Security model |
| docs/configuration-and-migrations.md | Config and migrations |
| docs/policy-packs.md | Language policy packs |
| docs/command-reference.md | All commands and tools |
| docs/repository-map.md | Repository layout |
Contributing
Start with CONTRIBUTING.md, GOVERNANCE.md, and CODE_OF_CONDUCT.md. Coding agents should read AGENTS.md first. Design changes use ADRs; breaking protocol changes require a public RFC issue. Contributions use the Developer Certificate of Origin rather than a CLA.
Roadmap
| Version | Codename | Focus |
|---|---|---|
| v0.1.1 | Core Heat | Standalone plugin, durable stages, SQLite state, approvals, skills, fresh evidence, reports |
| v0.2.0 | Gatehouse | Explainable configurable policy, scoped waivers, risk suggestions, language packs |
| v0.3.0 | Workcells | Dependency-aware task waves, resumable subagent implementers |
| v0.4.0 | Challenge Chamber | Independent specialized reviewers, severity, fix/re-review loops |
| v0.5.0 | Isolation | Branches, worktrees, baseline proof, rollback, backend adapters |
Full roadmap: ROADMAP.md.
License
Apache-2.0. See LICENSE and NOTICE.
Affiliation
Hardproof is independent open-source software. It is not affiliated with, endorsed by, or sponsored by Hermes Agent, Nous Research, Atlassian, or any other organization.
Topics: hermes-agent coding-agents agentic-coding software-engineering verification developer-tools open-source python
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file hardproof-0.3.0.tar.gz.
File metadata
- Download URL: hardproof-0.3.0.tar.gz
- Upload date:
- Size: 94.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1b253b7d8207eeb88d32b3cd4a70069b99aa0092a0b2aaef0fc82013f8d04187
|
|
| MD5 |
388536a277e3baec679243f39b68b1c5
|
|
| BLAKE2b-256 |
6e55847dfab0500bc90cee0176763f13cb4b725815cb5011a5e9ad4c26c644e4
|
Provenance
The following attestation bundles were made for hardproof-0.3.0.tar.gz:
Publisher:
release.yml on asimons81/hardproof
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hardproof-0.3.0.tar.gz -
Subject digest:
1b253b7d8207eeb88d32b3cd4a70069b99aa0092a0b2aaef0fc82013f8d04187 - Sigstore transparency entry: 2148236932
- Sigstore integration time:
-
Permalink:
asimons81/hardproof@4159e80bbadbf6e118d786120c0a1f712f8a3f45 -
Branch / Tag:
refs/tags/v0.3.0 - Owner: https://github.com/asimons81
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@4159e80bbadbf6e118d786120c0a1f712f8a3f45 -
Trigger Event:
push
-
Statement type:
File details
Details for the file hardproof-0.3.0-py3-none-any.whl.
File metadata
- Download URL: hardproof-0.3.0-py3-none-any.whl
- Upload date:
- Size: 117.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
11e1a67ebfd51a751e2d6a8a42caf2d9720250f215e3e4070a350f24c34270b7
|
|
| MD5 |
8c5b4e1449b2d17dee6995cb0bbb9be3
|
|
| BLAKE2b-256 |
340a3d2e7d541eb5f2c73b7db27c1b4d2de1123e39b84271e898f64ff20fd1d9
|
Provenance
The following attestation bundles were made for hardproof-0.3.0-py3-none-any.whl:
Publisher:
release.yml on asimons81/hardproof
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hardproof-0.3.0-py3-none-any.whl -
Subject digest:
11e1a67ebfd51a751e2d6a8a42caf2d9720250f215e3e4070a350f24c34270b7 - Sigstore transparency entry: 2148236951
- Sigstore integration time:
-
Permalink:
asimons81/hardproof@4159e80bbadbf6e118d786120c0a1f712f8a3f45 -
Branch / Tag:
refs/tags/v0.3.0 - Owner: https://github.com/asimons81
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@4159e80bbadbf6e118d786120c0a1f712f8a3f45 -
Trigger Event:
push
-
Statement type: