Skip to main content

SecureVector SDK for Hermes (NousResearch hermes-agent) — brings the local threat monitor's three controls (tool-call permissions, secret/data-leak detection, threat detection) to every Hermes tool call, with tamper-evident audit logging.

Project description

SecureVector SDK for Hermes

PyPI Downloads Python License

Bring the SecureVector local threat monitor's three controls — tool-call permissions, secret / data-leak detection, and threat detection — to every Hermes (NousResearch hermes-agent) tool call, with tamper-evident audit logging. Zero code changes.

pip install securevector-sdk-hermes

📦 One install — batteries included. pip install securevector-sdk-hermes also installs the local SecureVector app (securevector-ai-monitor): the adapter and the detection engine + tamper-evident audit chain arrive in a single pip install. The SDK is a thin interception layer — the app must be running locally (securevector-app --web) for it to do anything.

🌐 Pointing at your own cloud? Use the lightweight install. If you've deployed SecureVector to your own cloud, you don't need the bundled local app. Install only the adapter on the machine where your agents run, and point it at your deployment:

# lightweight — adapter only, no bundled app.
# NOTE: --no-deps also skips hermes-agent; that's fine because the machine
# running Hermes already has it. Ensure hermes-agent is installed there.
pip install securevector-sdk-hermes --no-deps

# point at your SecureVector endpoint — all you need for a private (in-VPC) endpoint
export SECUREVECTOR_ENGINE_ENDPOINT=https://<your-securevector-endpoint>

# OPTIONAL: only if your endpoint is publicly exposed and gated with an inbound token.
# A private endpoint in your own VPC needs no key. To gate a public one, use a free
# SecureVector cloud account API key or an SVET token — it gates access only; no agent
# data is sent to SecureVector.
export SECUREVECTOR_API_KEY=<SecureVector account key or SVET token>

The plugin then forwards every tool call to your remote deployment instead of a local app. The default pip install securevector-sdk-hermes (no --no-deps) still bundles the app for local use.

Quick start

Zero-config (recommended). The package registers a Hermes plugin via the hermes_agent.plugins entry point — the Hermes plugin manager auto-loads it on startup in every mode: the interactive hermes CLI, hermes gateway (Telegram / Discord / Slack / …), and the ACP/Zed adapter.

pip install securevector-sdk-hermes
hermes                       # that's it — observe mode is on

export SECUREVECTOR_SDK_MODE=enforce   # opt into blocking
hermes

A denied tool is stopped through Hermes's own pre_tool_call block directive — the model sees a clean SecureVector Guard: tool '<name>' blocked — <reason> result. No exceptions, no crashed runs, no fork of Hermes.

Programmatic / library embeddings (driving AIAgent from your own Python process, where the plugin manager never runs):

from securevector_sdk_hermes import install

install(mode="enforce")   # wraps Hermes's tool-registry dispatch

Why two paths? The plugin hooks are Hermes's documented interception surface and require no code at all. install() covers embeddings by wrapping tools.registry.dispatch — the single choke point every Hermes execution path (CLI, gateway, ACP, subagents) funnels through.

What happens on every tool call

Before a tool runs, the SDK:

  1. (a) Permissions — resolves an allow/block verdict for the tool, using the app's own precedence: cloud-pushed synced policy → local overrideessential registry → default-allow. Hermes MCP tools (mcp_<server>_<tool>) are matched against the raw Hermes name and the cloud <server>:<tool> form, so policies authored either way apply.
  2. (b)+(c) Secret & threat scan — sends the serialized tool input through the app's /analyze pipeline.

After the tool returns, the result is scanned the same way to catch secrets / exfiltration in tool output. Every decision is written to the app's audit chain tagged runtime_kind="hermes", keyed by Hermes's own session_id and tool_call_id.

This covers all ~70 Hermes built-in tools (terminal, execute_code, write_file, browser_*, …), every MCP tool, and plugin tools — including in gateway/headless contexts where Hermes's built-in dangerous-command approval is known to fail open (upstream hermes-agent issue #30882): the guard sits underneath the approval layer, at the dispatch choke point.

observe vs enforce

local app reachable local app unreachable
observe (default) log + advisory verdict; tool always runs tool runs (fail-open, one-line notice)
enforce (opt-in) tool runs only if the verdict ≠ block tool denied (fail-closed)

Enforce mode prints a one-time disclosure to stderr.

LLM cost tracking

Nothing to wire — installing the package is enough. Alongside the tool-guard hooks, the plugin registers Hermes's post_api_request hook, so every model call's token usage (input / output / cached) posts to the app's Cost Tracking, where the pricing table turns it into real dollars (your agent runs on your own API keys) and per-agent budgets apply.

Hermes hands the hook a pre-normalized usage bucket plus the provider and model, so there's no message parsing — the SDK just maps them onto the app's pricing keys (e.g. xai → grok, openai-codex → openai) and posts. Records are attributed to agent_id="hermes-agent" by default; name yours with SECUREVECTOR_SDK_AGENT_ID. Capture is best-effort: an unreachable app or an unknown model never breaks the agent.

Cost tracking rides the plugin path (CLI / gateway / ACP). The library-only install() embedding wraps the tool registry, not the model call, so it does not emit token usage.

Configuration

All optional, via env (the plugin path) or install(...) kwargs:

Env var Default Meaning
SECUREVECTOR_ENGINE_ENDPOINT http://127.0.0.1:8741 local app / engine base URL (unified variable; legacy SECUREVECTOR_SDK_APP_URL also honored)
SECUREVECTOR_SDK_MODE observe observe or enforce
SECUREVECTOR_SDK_TIMEOUT_MS 3000 per-call verdict timeout
SECUREVECTOR_SDK_RISK_THRESHOLD 70 risk score that blocks in enforce mode
SECUREVECTOR_SDK_AGENT_ID hermes-agent agent id shown in Cost Tracking
SECUREVECTOR_SDK_DISABLED (unset) set truthy to no-op
SECUREVECTOR_API_KEY (unset) bearer credential for remote, token-gated deployments

Version pinning

The guard attaches to Hermes internals (the plugin hook bus and tools.registry), so the dependency is pinned to the verified minor: hermes-agent>=0.18,<0.19. Each upstream minor is re-verified against the attach points before the pin is raised — see CHANGELOG.

Privacy

Everything runs on loopback; the SDK makes no external network calls. See PRIVACY.md for the exact read/send surface.

Compliance

The tool-call-level, attributed, tamper-evident audit trail this produces is exactly the action-layer logging auditors ask for under EU AI Act Art. 12 / 15. This SDK produces the local evidence; the cloud governance surface turns it into an auditor-ready pack.

Trademarks

SecureVector is the product name of this SDK. Hermes and Nous Research are trademarks of Nous Research. This is an independent, community SDK that integrates with Hermes via its public plugin API. It is not affiliated with, sponsored by, or endorsed by Nous Research. The name uses "hermes" only descriptively, to identify the framework this package works with (nominative fair use).

License

Apache-2.0. See LICENSE and NOTICE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

securevector_sdk_hermes-1.1.0.tar.gz (41.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

securevector_sdk_hermes-1.1.0-py3-none-any.whl (31.3 kB view details)

Uploaded Python 3

File details

Details for the file securevector_sdk_hermes-1.1.0.tar.gz.

File metadata

  • Download URL: securevector_sdk_hermes-1.1.0.tar.gz
  • Upload date:
  • Size: 41.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for securevector_sdk_hermes-1.1.0.tar.gz
Algorithm Hash digest
SHA256 e5d0d3d56c1837e9300ebb12b678ce1aa17696ab4a85ec458787274a94a2478f
MD5 c86ec141f1978f86dbbba7148b2c39ea
BLAKE2b-256 fb69000da57e2c83dcd2091b994bcf692c03d4470a6bef3aad1f5f6ebadc814c

See more details on using hashes here.

Provenance

The following attestation bundles were made for securevector_sdk_hermes-1.1.0.tar.gz:

Publisher: release.yml on Secure-Vector/securevector-sdk-hermes

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file securevector_sdk_hermes-1.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for securevector_sdk_hermes-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f0451c1c3b617209300aa5e43029614bba4f81f566260d6977301bcad9939494
MD5 35c47c74889d6afc91fae04818977865
BLAKE2b-256 99c048f96e66bf71e2e79da75c56047717145a50112f3d4addaed67ff654dc79

See more details on using hashes here.

Provenance

The following attestation bundles were made for securevector_sdk_hermes-1.1.0-py3-none-any.whl:

Publisher: release.yml on Secure-Vector/securevector-sdk-hermes

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page