SecureVector SDK for Hermes (NousResearch hermes-agent) — brings the local threat monitor's three controls (tool-call permissions, secret/data-leak detection, threat detection) to every Hermes tool call, with tamper-evident audit logging.
Project description
SecureVector SDK for Hermes
Bring the SecureVector local threat monitor's three controls — tool-call permissions, secret / data-leak detection, and threat detection — to every Hermes (NousResearch
hermes-agent) tool call, with tamper-evident audit logging. Zero code changes.
pip install securevector-sdk-hermes
📦 One install — batteries included.
`pip install securevector-sdk-hermes` also installs the local SecureVector app (`securevector-ai-monitor`): the adapter and the detection engine + tamper-evident audit chain arrive in a single `pip install`. The SDK is a thin interception layer — the app must be running locally (`securevector-app --web`) for it to do anything.
Quick start
Zero-config (recommended). The package registers a Hermes plugin via the
hermes_agent.plugins entry point — the Hermes plugin manager auto-loads it
on startup in every mode: the interactive hermes CLI, hermes gateway
(Telegram / Discord / Slack / …), and the ACP/Zed adapter.
```bash
pip install securevector-sdk-hermes
hermes                                 # that's it — observe mode is on
export SECUREVECTOR_SDK_MODE=enforce   # opt into blocking
hermes
```
A denied tool is stopped through Hermes's own `pre_tool_call` block directive —
the model sees a clean `SecureVector Guard: tool '<name>' blocked — <reason>`
result. No exceptions, no crashed runs, no fork of Hermes.
Programmatic / library embeddings (driving AIAgent from your own Python
process, where the plugin manager never runs):
```python
from securevector_sdk_hermes import install
install(mode="enforce")  # wraps Hermes's tool-registry dispatch
```
Why two paths? The plugin hooks are Hermes's documented interception surface and require no code at all.
`install()` covers embeddings by wrapping `tools.registry.dispatch` — the single choke point every Hermes execution path (CLI, gateway, ACP, subagents) funnels through.
What happens on every tool call
Before a tool runs, the SDK:
- (a) Permissions — resolves an allow/block verdict for the tool, using the app's own precedence: cloud-pushed synced policy → local override → essential registry → default-allow. Hermes MCP tools (`mcp_<server>_<tool>`) are matched against the raw Hermes name and the cloud `<server>:<tool>` form, so policies authored either way apply.
- (b)+(c) Secret & threat scan — sends the serialized tool input through the app's `/analyze` pipeline.
After the tool returns, the result is scanned the same way to catch secrets /
exfiltration in tool output. Every decision is written to the app's audit chain
tagged `runtime_kind="hermes"`, keyed by Hermes's own `session_id` and
`tool_call_id`.
This covers all ~70 Hermes built-in tools (terminal, execute_code,
write_file, browser_*, …), every MCP tool, and plugin tools — including in
gateway/headless contexts where Hermes's built-in dangerous-command approval
is known to fail open (upstream hermes-agent issue #30882): the guard sits
underneath the approval layer, at the dispatch choke point.
observe vs enforce
| Mode | local app reachable | local app unreachable |
|---|---|---|
| observe (default) | log + advisory verdict; tool always runs | tool runs (fail-open, one-line notice) |
| enforce (opt-in) | tool runs only if the verdict ≠ block | tool denied (fail-closed) |
Enforce mode prints a one-time disclosure to stderr.
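The permission precedence and MCP name matching from "What happens on every tool call", together with the observe/enforce table above, as an added worked model (not the SDK's own code). The policy-layer dicts, the `"allow"`/`"block"` verdict strings, the split of `mcp_<server>_<tool>` at the first underscore, and blocking at `risk >= threshold` are assumptions.

```python
import re

# Assumption: MCP names are mcp_<server>_<tool> with the server part containing
# no underscore, so the first underscore after "mcp_" separates server from tool.
MCP_NAME = re.compile(r"^mcp_([^_]+)_(.+)$")


def policy_names(tool_name):
    """Names a policy may be authored under: the raw Hermes name and, for MCP
    tools, the cloud <server>:<tool> form, so either spelling matches."""
    names = [tool_name]
    m = MCP_NAME.match(tool_name)
    if m:
        names.append(f"{m.group(1)}:{m.group(2)}")
    return names


def resolve_permission(tool_name, synced=None, local=None, essential=None):
    """Walk the layers in the documented order: cloud-pushed synced policy ->
    local override -> essential registry -> default-allow. The first layer
    holding an entry for the tool decides; layers are constructed dicts here."""
    for layer in (synced or {}, local or {}, essential or {}):
        for name in policy_names(tool_name):
            if name in layer:
                return layer[name]  # "allow" or "block"
    return "allow"


def decide(mode, app_reachable, verdict="allow", risk=0, threshold=70):
    """Return (run_tool, note) following the observe/enforce table.
    verdict is the permission verdict; risk is the /analyze score (assumed
    to block in enforce mode when it reaches the threshold)."""
    if not app_reachable:
        if mode == "enforce":
            return False, "tool denied (fail-closed)"
        return True, "tool runs (fail-open, one-line notice)"
    flagged = verdict == "block" or risk >= threshold
    if mode == "enforce" and flagged:
        return False, "SecureVector Guard: tool blocked"
    # observe mode never stops the tool; a flag becomes an advisory log line
    return True, ("advisory verdict logged" if flagged else "allowed")
```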
Configuration
All optional, via env (the plugin path) or install(...) kwargs:
| Env var | Default | Meaning |
|---|---|---|
| `SECUREVECTOR_ENGINE_ENDPOINT` | `http://127.0.0.1:8741` | local app / engine base URL (unified variable; legacy `SECUREVECTOR_SDK_APP_URL` also honored) |
| `SECUREVECTOR_SDK_MODE` | `observe` | `observe` or `enforce` |
| `SECUREVECTOR_SDK_TIMEOUT_MS` | `3000` | per-call verdict timeout |
| `SECUREVECTOR_SDK_RISK_THRESHOLD` | `70` | risk score that blocks in enforce mode |
| `SECUREVECTOR_SDK_DISABLED` | (unset) | set truthy to no-op |
| `SECUREVECTOR_API_KEY` | (unset) | bearer credential for remote, token-gated deployments |
Version pinning
The guard attaches to Hermes internals (the plugin hook bus and
`tools.registry`), so the dependency is pinned to the verified minor:
`hermes-agent>=0.18,<0.19`. Each upstream minor is re-verified against the
attach points before the pin is raised — see CHANGELOG.
Privacy
Everything runs on loopback; the SDK makes no external network calls. See PRIVACY.md for the exact read/send surface.
Compliance
The tool-call-level, attributed, tamper-evident audit trail this produces is exactly the action-layer logging auditors ask for under EU AI Act Art. 12 / 15. This SDK produces the local evidence; the cloud governance surface turns it into an auditor-ready pack.
Trademarks
SecureVector is the product name of this SDK. Hermes and Nous Research are trademarks of Nous Research. This is an independent, community SDK that integrates with Hermes via its public plugin API. It is not affiliated with, sponsored by, or endorsed by Nous Research. The name uses "hermes" only descriptively, to identify the framework this package works with (nominative fair use).
License
Project details
Download files
File details
Details for the file securevector_sdk_hermes-1.0.0.tar.gz.
File metadata
- Download URL: securevector_sdk_hermes-1.0.0.tar.gz
- Size: 33.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
Provenance
The following attestation bundles were made for securevector_sdk_hermes-1.0.0.tar.gz:
- Publisher: release.yml on Secure-Vector/securevector-sdk-hermes
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: securevector_sdk_hermes-1.0.0.tar.gz
- Subject digest: 3ab552531f535d2751a69cb09ef2cf0cc4acd34097fbc940a27d0d7a91d6399c
- Sigstore transparency entry: 2054247632
- Permalink: Secure-Vector/securevector-sdk-hermes@790ea78b0a55431fd655749cdb053d22390fa498
- Branch / Tag: refs/tags/v1.0.0
- Owner: https://github.com/Secure-Vector
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@790ea78b0a55431fd655749cdb053d22390fa498
- Trigger Event: release
File details
Details for the file securevector_sdk_hermes-1.0.0-py3-none-any.whl.
File metadata
- Download URL: securevector_sdk_hermes-1.0.0-py3-none-any.whl
- Size: 25.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
Provenance
The following attestation bundles were made for securevector_sdk_hermes-1.0.0-py3-none-any.whl:
- Publisher: release.yml on Secure-Vector/securevector-sdk-hermes
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: securevector_sdk_hermes-1.0.0-py3-none-any.whl
- Subject digest: d7a827a25abca8370ed3cf8d0d20fa824a7e2070b77dc6399ed1d6b77d96b672
- Sigstore transparency entry: 2054248037
- Permalink: Secure-Vector/securevector-sdk-hermes@790ea78b0a55431fd655749cdb053d22390fa498
- Branch / Tag: refs/tags/v1.0.0
- Owner: https://github.com/Secure-Vector
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@790ea78b0a55431fd655749cdb053d22390fa498
- Trigger Event: release