Local-dev MCP sidecar for exposing selected Hermes Agent capabilities.
Project description
hermes-gpt
hermes-gpt is a standalone MCP sidecar for Hermes Agent. It imports selected local Hermes Agent internals at runtime and exposes them to MCP clients without modifying Hermes Agent source files.
pip install hermes-gpt
Or clone from GitHub.
This is a local-dev release.
v0.5.0 Two-Way Codex Bridge
v0.5.0 adds a two-way bridge: Codex can opt into Hermes Operator tools, and trusted Hermes GPT clients can delegate asynchronous tasks and reviews to Codex. Updates remain check-first and mutations remain gated and dry-run-first. See Codex setup, Operator Mode, updating, and the v0.5.0 release notes.
Updating Hermes GPT
hermes-gpt update
hermes-gpt update --apply
The first command only checks. --apply fast-forwards a clean checkout on its default branch, or upgrades an installed PyPI package. It never creates merge commits, rebases, downgrades packages, or overwrites tracked local changes.
Codex App / Codex CLI Support
The v0.5.0 core connector is a curated tool surface for planning, local vision analysis, web search/extraction, cron planning, skill drafts, and gateway diagnostics; it does not modify Codex itself or bypass its permissions.
$env:HERMES_GPT_ENABLE_CODEX="1"
$env:HERMES_GPT_ENABLE_MCP="1"
hermes-gpt codex install --toolset core
hermes-gpt codex doctor
Use hermes-gpt codex install --toolset operator --refresh for the opt-in Operator control plane. The installer creates a backup before refreshing only the Hermes GPT entry. Use --project for <repo>/.codex/config.toml, and uninstall to remove only that entry. Full setup, runner gates, and troubleshooting live in docs/codex.md.
What's New in v0.4.0
v0.4.0 is the Tool Surface Expansion release. It adds env-gated Hermes tool wrappers, a cron creation operator tool, and ships the first external contribution.
- New env-gated MCP tools:
hermes_vision_analyze— analyze images through Hermes Agent (HERMES_GPT_ENABLE_VISION=1)hermes_web_search— search the web (HERMES_GPT_ENABLE_WEB=1)hermes_web_extract— extract page content (same env gate)
- New operator tool:
hermes_cron_create— create cron jobs from scratch with full field support: schedule, prompt, script, skills, deliver, repeat, workdir, no_agent, model, context_from, enabled_toolsets
- First external contribution: Gateway PID fallback from
gateway_state.jsonwhengateway.pidis missing (fixes macOS detection) - Expanded gateway diagnostics: New fields —
gateway_state,gateway_kind,gateway_pid_source,gateway_updated_at,gateway_exit_reason,gateway_active_agents - Infrastructure: Vercel static site deploys correctly, HTTP smoke test no longer fails CI
- Published on PyPI:
pip install hermes-gpt
What’s New in v0.3.0
v0.3.0 is the Operator Reliability Release. It makes Hermes GPT self-diagnosing, safely recoverable, and release-checkable.
- New operator diagnostics tools:
hermes_operator_doctor— read-only deep health check across operator, gateway, config, env, cron, skills, policy, audit, and connector surfaces.hermes_operator_snapshot— single current-state summary.hermes_release_doctor— release readiness checks with PASS / WARN / BLOCKED classification.hermes_operator_recover— conservative dry-run-first recovery sequence.
- All operator-facing failures now return a structured error envelope:
{success, ok, error, layer, code, safe_message, suggested_action, trace_id}. - Diagnostic and recovery statuses use PASS / WARN / FAIL / UNSUPPORTED.
- Connector re-registration is explicitly reported as unsupported unless a real supported command/API exists.
hermes_operator_recoveris dry-run by default and requiresapply=truefor mutations.
What’s New in v0.2.0
v0.2.0 adds tiered Operator / Owner Mode so trusted MCP clients can see the full Hermes GPT surface while the default posture stays safe.
- Default mode remains read-only.
- Recommended always-on connector/tunnel mode is
dry_run. - Direct mutation requires both:
HERMES_GPT_OPERATOR_APPLY_MODE=direct- the mutating tool call sets
dry_run=false
- Owner Mode requires the exact break-glass acknowledgement:
HERMES_GPT_OWNER_ACK=I_UNDERSTAND_THIS_CAN_MUTATE_MY_MACHINE
- Operator Mode is not a sandbox.
- Do not expose publicly without real auth, VPN, Tailscale, or an equivalent private boundary.
What v0.2.0 adds:
- operator policy, status, and audit tools
- cron tools
- skill tools
- config and env tools
- gateway tools
- workspace tools
- owner tools behind explicit acknowledgement
- audit logging with hashes and lengths instead of raw prompt/content
- Hermes data-root normalization for operator profile operations
- packaging fixes so operator modules ship in the release
| Mode | Env posture | What happens |
|---|---|---|
| Read-only | no operator env vars | read/list/status tools only; mutations refuse |
| Dry-run Operator | operator enabled + apply_mode=dry_run | mutation tools return plans/previews only |
| Direct Operator | operator enabled + apply_mode=direct | writes allowed only when tool call also sets dry_run=false |
| Owner Mode | level=owner + exact owner ack | break-glass local owner tools; still denies secret paths |
For the full Operator Mode guide, new-user quickstart, and tunnel safety model, see docs/operator-mode.md.
Security posture
By default, hermes-gpt is designed for a trusted local machine:
- HTTP binds to
127.0.0.1by default. - Tools advertise
noauthonly for local-dev MCP clients. - Write, patch, terminal execution, memory writes, and session search are disabled or hidden by default.
- Remote/public release is not supported until real OAuth or another ChatGPT-compatible authentication layer is added.
Do not expose this server publicly without authentication. A temporary tunnel is acceptable only for short local testing when you understand that any enabled tool is reachable through that URL.
Prerequisites
- Python 3.10+
- A local Hermes Agent install
- MCP Python SDK and Uvicorn
Install dependencies:
cd ~/hermes-gpt
python -m pip install -r requirements.txt
Local MCP clients
Stdio mode is for local MCP clients that support subprocess MCP servers:
cd ~/hermes-gpt
python server.py
Example client command:
{
"command": "python",
"args": ["C:\\Users\\<YOU>\\hermes-gpt\\server.py"]
}
Local HTTP
HTTP mode uses FastMCP streamable HTTP:
cd ~/hermes-gpt
python server.py --http --host 127.0.0.1 --port 7677
Local endpoint:
http://127.0.0.1:7677/mcp
If you bind to anything other than loopback in the default local-dev profile, the server prints a warning. This warning means the configuration is not release-safe.
ChatGPT local testing
ChatGPT developer mode expects a remote MCP endpoint. Do not enter a localhost URL such as http://127.0.0.1:4750; ChatGPT fetches the MCP configuration through its connector path, where 127.0.0.1 is not your machine.
For short local testing only:
cd C:\Users\<YOU>\hermes-gpt
python server.py --http --host 127.0.0.1 --port 4750
In another terminal:
& "C:\Program Files (x86)\cloudflared\cloudflared.exe" tunnel --url http://127.0.0.1:4750 --http-host-header 127.0.0.1:4750
In ChatGPT, configure:
- Protocol: Streaming HTTP
- MCP server URL:
https://<your-trycloudflare-host>/mcp - Authentication: No Authentication
If ChatGPT only shows the old 5-tool surface, reconnect or recreate the connector and follow the workflow in docs/operator-mode.md.
Example scripts for local setup live under examples/.
Tool gates
Default visible tools:
hermes_read_file(path, offset=1, limit=500)hermes_search_files(pattern, target="content", path=".", file_glob=None, limit=50)hermes_memory(action="search", target="memory", content=None, old_text=None)hermes_skill_list()hermes_skill_view(name)
Opt-in tools and actions:
| Capability | Env var | Default |
|---|---|---|
| Write file and patch tools | HERMES_GPT_ENABLE_WRITE=1 |
Hidden |
Memory add, replace, remove |
HERMES_GPT_ENABLE_MEMORY_WRITE=1 |
Disabled |
| Session search | HERMES_GPT_ENABLE_SESSION_SEARCH=1 |
Hidden |
| Terminal command execution | HERMES_GPT_ENABLE_TERMINAL=1 |
Hidden |
Terminal timeout is capped at 120 seconds even when enabled.
The broad HERMES_GPT_ENABLE_* flags still work for backward compatibility,
but for tiered, safe operation prefer the Operator / Owner Mode tools
documented below.
Hermes GPT Operator Mode
Operator / Owner Mode is a tiered control plane that lets trusted MCP clients (like ChatGPT) operate Hermes safely: cron jobs, skills, profile config wiring, safe non-secret env keys, gateway/runtime status and restart, scoped workspace edits, and (with explicit acknowledgement) owner-level command and file access.
Safety model
- Default behavior is read-only. Mutating operator tools refuse unless operator mode is explicitly enabled.
- Dry-run is the default. Even when operator mode is enabled, every
mutating tool defaults to
dry_run=Trueand returns a plan instead of mutating. To actually mutate, you must setHERMES_GPT_OPERATOR_APPLY_MODE=directAND passdry_run=Falseto the tool call. - Direct mutation requires explicit opt-in.
HERMES_GPT_OPERATOR_APPLY_MODE=directis required for any write to happen. - Owner Mode requires an additional explicit acknowledgement. Setting
HERMES_GPT_OPERATOR_LEVEL=owneralone is not enough; you must also setHERMES_GPT_OWNER_ACK=I_UNDERSTAND_THIS_CAN_MUTATE_MY_MACHINE. Without the exact ack string, owner tools refuse. - No secrets exposed. Config
getredacts secret-looking keys;envtools never return values; skill/cron prompts are logged and surfaced only asprompt_len+prompt_sha256. - No
.envraw read/write. The denied-path policy refuses.env,auth.json,mcp-tokens/,.ssh/,.aws/,vault/, and any secret-looking filename. - No
shell=Trueanywhere. Every subprocess invocation usesshell=Falsewith a fixed argv. - No
git add -A, nogit push, no destructive filesystem operations. Workspacerun_testonly allows a conservative allowlist (pytest, ruff, mypy, npm test/lint, git status/diff). Ownerrun_commandblocks catastrophic patterns (rm -rf /,del /s,format,curl | bash,git push --force,git add -A,git add ., anything touching.env/vault/token/.ssh). - Operator Mode is not a sandbox. Use OS-level isolation (container, VM, or a tool like OpenShell) for untrusted input. The operator gates are defense-in-depth, not a security boundary — same stance as Hermes Agent's own SECURITY.md.
- Do not expose remote without real auth. Operator Mode does not add any authentication. Bind to loopback only, or put a real auth layer (VPN, Tailscale, OAuth) in front before exposing on a network.
Operator levels
Levels are ordered; each level includes all capabilities of the levels above it in this list.
| Level | Capabilities |
|---|---|
read_only |
status, policy, audit tail, cron list/status, skill diff/list/view, config get, env status, gateway status, git status/diff |
cron |
+ cron run, cron pause, cron copy, cron move |
skills |
+ skill create, edit, patch, write_file, copy, sync_to_default, delete |
skills_config |
+ config set/patch, env set/copy (non-secret keys only) |
workspace |
+ scoped workspace patch/write, test/lint allowlist, gateway restart |
owner |
+ raw command, raw file patch/write — still gated by explicit owner ack and still denies secret paths |
Env flags
| Env var | Default | Purpose |
|---|---|---|
HERMES_GPT_OPERATOR_ENABLED |
unset (false) | Enable operator mode |
HERMES_GPT_OPERATOR_LEVEL |
read_only |
Operator level (see table above) |
HERMES_GPT_OPERATOR_APPLY_MODE |
dry_run |
dry_run returns plans; direct allows mutation |
HERMES_GPT_OPERATOR_ALLOWED_PROFILES |
default |
Comma-separated profile names, or * for all existing |
HERMES_GPT_OPERATOR_ALLOWED_PATHS |
empty | Comma-separated workspace root paths; empty disables workspace writes |
HERMES_GPT_OPERATOR_DENIED_PATHS |
built-in defaults | Extra denied paths (additions only; cannot weaken defaults) |
HERMES_GPT_OWNER_ACK |
unset | Must equal I_UNDERSTAND_THIS_CAN_MUTATE_MY_MACHINE for owner tools |
Examples
Read-only default (no env vars needed):
hermes-gpt
Cron dry-run:
$env:HERMES_GPT_OPERATOR_ENABLED="1"
$env:HERMES_GPT_OPERATOR_LEVEL="cron"
$env:HERMES_GPT_OPERATOR_APPLY_MODE="dry_run"
$env:HERMES_GPT_OPERATOR_ALLOWED_PROFILES="default,hermes-researcher"
hermes-gpt
Skills/config dry-run:
$env:HERMES_GPT_OPERATOR_ENABLED="1"
$env:HERMES_GPT_OPERATOR_LEVEL="skills_config"
$env:HERMES_GPT_OPERATOR_APPLY_MODE="dry_run"
$env:HERMES_GPT_OPERATOR_ALLOWED_PROFILES="default,hermes-researcher,hermes-trt-manager,hermes-nexus-wiki"
hermes-gpt
Workspace direct with allowed path:
$env:HERMES_GPT_OPERATOR_ENABLED="1"
$env:HERMES_GPT_OPERATOR_LEVEL="workspace"
$env:HERMES_GPT_OPERATOR_APPLY_MODE="direct"
$env:HERMES_GPT_OPERATOR_ALLOWED_PATHS="C:\Users\<YOU>\hermes-gpt,C:\Users\<YOU>\AppData\Local\hermes\hermes-agent"
hermes-gpt
Owner Mode (WARNING: can mutate your machine):
$env:HERMES_GPT_OPERATOR_ENABLED="1"
$env:HERMES_GPT_OPERATOR_LEVEL="owner"
$env:HERMES_GPT_OPERATOR_APPLY_MODE="direct"
$env:HERMES_GPT_OWNER_ACK="I_UNDERSTAND_THIS_CAN_MUTATE_MY_MACHINE"
hermes-gpt
Audit log
Every mutating tool call appends a JSONL record to:
%USERPROFILE%\AppData\Local\hermes\logs\hermes_gpt_operator_audit.jsonl(preferred), or<hermes-gpt>\logs\hermes_gpt_operator_audit.jsonl(fallback)
Each record contains: timestamp, tool, level, apply_mode, dry_run,
success, changed, summary, error, profile(s), path summary, job_id /
skill_name / key (when relevant), and prompt_len + prompt_sha256 /
content_len + content_sha256 for skill/cron content. The audit log
never records full prompts, full config values, raw .env contents,
vault contents, or command output likely to contain secrets. Read it with
the hermes_operator_audit_tail tool.
Owner Mode warning
Owner Mode can mutate your machine. Use it only on a trusted local
machine. It is not a sandbox — it is the explicit break-glass path
for the local owner. Even in Owner Mode, secret paths (.env, auth.json,
.ssh/, mcp-tokens/, etc.) remain denied; no secret override is
shipped in this release.
Remote profile
--profile remote is intentionally blocked because authentication is not implemented:
python server.py --http --profile remote
For temporary experiments only, you can bypass this block with both:
HERMES_GPT_UNSAFE_REMOTE_NOAUTH=1
python server.py --http --profile remote --i-understand-this-is-unsafe
Do not use this bypass for release.
Release checklist
Before publishing:
- No
*.pemfiles. - No
*.logor*.err.logfiles. - No
__pycache__/or*.pyc. python -m py_compile server.pypasses.pytestpasses.- Server binds to loopback by default.
- Terminal, write tools, memory writes, and session search are disabled by default.
Current capability notes
The feasibility probe passed in this environment:
- Hermes source root:
C:\Users\<YOU>\AppData\Local\hermes\hermes-agent - File tools: available
- Terminal tool: available, gated by
HERMES_GPT_ENABLE_TERMINAL=1 - Memory tool: available
- Skill discovery: available through local and bundled skill directories
- Session search: available through
SessionDB.search_messages - FastMCP stdio: available
- FastMCP streamable HTTP: available
See FEASIBILITY.md for probe details and exact signatures.
License
MIT. See LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file hermes_gpt-0.5.0.tar.gz.
File metadata
- Download URL: hermes_gpt-0.5.0.tar.gz
- Upload date:
- Size: 98.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1e0688fe55a5a1b897be892920171372bc960d27286ec3c15db04926e7993ec1
|
|
| MD5 |
9069ff61de16ea67a4949b409728cf04
|
|
| BLAKE2b-256 |
f9fe9d3a67e8ea2fff4ad6ad27d9310d9b87f5f4ac4265b9cbafd8e409be07f7
|
Provenance
The following attestation bundles were made for hermes_gpt-0.5.0.tar.gz:
Publisher:
publish.yml on asimons81/hermes-gpt
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hermes_gpt-0.5.0.tar.gz -
Subject digest:
1e0688fe55a5a1b897be892920171372bc960d27286ec3c15db04926e7993ec1 - Sigstore transparency entry: 2139228068
- Sigstore integration time:
-
Permalink:
asimons81/hermes-gpt@db5ffa1bd2e4fcfecdebb2bcf479334144e1cbe3 -
Branch / Tag:
refs/tags/v0.5.0 - Owner: https://github.com/asimons81
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@db5ffa1bd2e4fcfecdebb2bcf479334144e1cbe3 -
Trigger Event:
push
-
Statement type:
File details
Details for the file hermes_gpt-0.5.0-py3-none-any.whl.
File metadata
- Download URL: hermes_gpt-0.5.0-py3-none-any.whl
- Upload date:
- Size: 115.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7883e38bd8145cd1ac27ddfa3905243dfcfe6d85387f5f710da461c0174e4f38
|
|
| MD5 |
d72f41654f08404b73617531cdd10d5b
|
|
| BLAKE2b-256 |
9af018b84d3dc7d6bff4eee5bfca064e92a3d1530b595e09988ec21dc9f50dd1
|
Provenance
The following attestation bundles were made for hermes_gpt-0.5.0-py3-none-any.whl:
Publisher:
publish.yml on asimons81/hermes-gpt
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
hermes_gpt-0.5.0-py3-none-any.whl -
Subject digest:
7883e38bd8145cd1ac27ddfa3905243dfcfe6d85387f5f710da461c0174e4f38 - Sigstore transparency entry: 2139228108
- Sigstore integration time:
-
Permalink:
asimons81/hermes-gpt@db5ffa1bd2e4fcfecdebb2bcf479334144e1cbe3 -
Branch / Tag:
refs/tags/v0.5.0 - Owner: https://github.com/asimons81
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@db5ffa1bd2e4fcfecdebb2bcf479334144e1cbe3 -
Trigger Event:
push
-
Statement type: