Skip to main content

Guard a Hermes agent and its sandbox through the OpenGuardrails (OGR) protocol — one policy enforced across the LLM gateway, the agent tool-call hook, and the real sandbox exec.

Project description

openguardrails-instrumentation-hermes

Guard a Hermes agent and its sandbox through the OpenGuardrails (OGR) protocol. One policy.json enforces across three altitudes — correlated by guard_id and provenance.

pip install openguardrails-instrumentation-hermes

(pulls in openguardrails, the zero-dependency reference runtime.)

Why a plugin, not a proxy

Hermes already exposes the interception points OGR needs, so no proxy and no core patching is required for 3 of the 4 altitudes:

OGR altitude Hermes surface Enforce? Sees
gateway (LLM I/O) pre/post_api_request hooks observe full prompt + completion
agent_hook (tool lifecycle) pre_tool_call hook block tool name + args, pre-dispatch
provenance post_tool_call hook taint tool results (web/mcp → untrusted)
sandbox (real exec) wraps BaseEnvironment.execute block real argv + secret env keys + cwd

Only the sandbox altitude needs a wrapper, because Hermes has no environment-level hook. It is installed from register(), is idempotent, and fails open if Hermes' layout differs.

Install into a real Hermes

# in a Hermes plugin entrypoint:
from openguardrails_instrumentation_hermes import register
register(ctx)   # binds the 4 hooks + installs the sandbox wrapper

Or drop the bundled plugin.yaml into a Hermes plugin dir. Override the policy with OGR_POLICY=/path/to/policy.json; a Hermes-tuned default ships inside the package.

What Hermes calls a "sandbox" (and which to use)

There is no syscall sandbox by default. "Sandbox" = a pluggable Environment backend: local = subprocess.Popen on the host (zero isolation, the default), docker = docker exec into a container, plus Modal/SSH/Daytona. All funnel through the one BaseEnvironment.execute() chokepoint we wrap.

Pick the OS-level enforcement backend with OGR_SANDBOX:

OGR_SANDBOX Scenario Enforcement
argv (default) quick start OGR decision only — no OS isolation
srt personal (one laptop, no Docker) Anthropic Sandbox Runtime: sandbox-exec/bubblewrap enforces the real syscall boundary
OpenShell (gateway) multi-tenant (shared fleet) container + OPA/Rego egress proxy + gateway credential injection

The same OGR sandbox policy block compiles to both backends — see openguardrails_instrumentation_hermes.sandbox.srt and .sandbox.openshell.

No sandbox? OGR degrades, it doesn't fail.

With local there is no isolation boundary, so the only enforcement altitude is pre_tool_call (inspect argv before exec and block). You keep policy, provenance, and gateway detection — but lose the adversary-proof view, so a clever agent can obfuscate argv past the intent check. Run tools under srt/docker so the sandbox altitude exists and closes that blind spot.

Run the self-test (no Hermes install needed)

python -m openguardrails_instrumentation_hermes.selftest

Drives four scenarios through the real hook signatures: benign / injection-blocked / same-command-trusted / defense-in-depth.

Status

v0.1. Verified against real Hermes (2026-06-28): all four hooks bound, benign commands executed, credential reads and untrusted-origin curl | bash blocked at the altitude that saw them first.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

openguardrails_instrumentation_hermes-0.1.0.tar.gz (13.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file openguardrails_instrumentation_hermes-0.1.0.tar.gz.

File metadata

File hashes

Hashes for openguardrails_instrumentation_hermes-0.1.0.tar.gz
Algorithm Hash digest
SHA256 e92a6a391775266d00649e19b43cc07c2ddd650c0982cdc5439fcb535118c447
MD5 2a7094090db36ace22f21081dedd0e96
BLAKE2b-256 23ce705ee300b3626a505ba668225857a6f26b2299927249613f7d0773222fd4

See more details on using hashes here.

File details

Details for the file openguardrails_instrumentation_hermes-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for openguardrails_instrumentation_hermes-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 add4d51a0fa8f9c2966f0d2b05bd2abdabdc619a729bc00fdacdafe7a1f11ae4
MD5 303a6b93224e8582e7703f62616fdc71
BLAKE2b-256 e3bcf187f588ea37c2a60c029b276bbe4968a4db80383b7f1d7dbc413c29205a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page