先把问题看清
只读、离线、零文件修改。适合先确认当前 Hermes posture 到底哪里在冒烟。
M78Armor Hermes Hermes Agent 安全加固产品线
M78Armor Hermes Hardening for Hermes Agent
不是泛化的“安全扫描器”。这是为 Hermes Agent 设计的两段式路径:先用 Lite 看清本地配置漂移,再用 Core 按计划完成修正、备份和回滚。
Not a generic security scanner. This is a two-step hardening path for Hermes Agent: use Lite to expose local posture drift first, then move into Core for planned remediation, backup, and restore.
Hermes 原生 · 本地执行 · 零默认遥测
Hermes-native · Runs locally · Zero default telemetry
为什么单独做 Hermes 产品
Why a dedicated Hermes line
泛用型配置检查,很容易漏掉 Hermes 真正有风险的面
Generic config review misses the control surfaces that actually matter in Hermes
Hermes 的风险不只在 YAML 语法。真正会把环境搞脏的,往往是 gateway 暴露、approval 关闭、terminal backend 选错、MCP 权限过宽、secret 落在错误位置,以及 website blocklist 留空。
The real Hermes risks are not just YAML mistakes. The hard problems are gateway exposure, disabled approvals, unsafe terminal backend choices, over-broad MCP access, secrets in the wrong place, and empty website blocklist posture.
把修正路径做短
不是盲改,而是 plan / apply / restore 三段式执行。先备份,再动手,必要时可恢复。
给技术人真正省时间
少走文档、论坛、反复手改、再调回来的弯路。把可控修正路径直接交到本地环境里。
See the drift clearly first
Read-only, offline, and zero file mutation. Built for operators who need to see where Hermes posture is weak before they touch anything.
Shorten the remediation path
Not blind mutation. Core follows a plan / apply / restore workflow so you can move faster without losing control.
Save real operator time
Spend less time in docs, forum threads, hand-edit loops, and rollback panic. Put a controlled hardening path inside the local environment.
产品路线
Product path
先判断,再决定要不要进入整改
Inspect first. Then decide whether to move into remediation.
| 对比项 | Compare | Lite | Core |
|---|---|---|---|
| 定位 | Role | 只读基线审计 | 按计划执行修正 |
| Role | Read-only baseline audit | Plan-first remediation | |
| 文件修改 | File changes | 不修改 | 在确认后修改,并先备份 |
| File changes | No mutation | Changes only after confirmation, with backup first | |
| 输出 | Output | 风险、分数、人工修复工作量 | 计划、改动、剩余问题、恢复路径 |
| Output | Findings, score, and manual effort estimate | Plan, changes, remaining findings, and restore path | |
| 适合谁 | Best for | 先确认风险的个人开发者和技术负责人 | 已经决定进入整改的实际操作人 |
| Best for | Developers and founders who need clarity first | Operators who are ready to move into remediation |
Hermes 常见问题面
Common Hermes risk surfaces
Gateway 暴露: allow-all 打开后,边界会比你以为的更大。
Gateway exposure: allow-all settings can make the trust boundary much wider than you expect.
Approval 失守: YOLO 模式或 broad allowlist 让危险命令直接绕过保护。
Approval drift: YOLO mode or broad allowlists can route dangerous commands around the guardrails.
Terminal backend 选错: local backend 在共享或 gateway 场景下会迅速放大风险。
Unsafe terminal backend: a local backend can raise risk quickly in shared or gateway-facing contexts.
MCP 权限过宽: tools.include / tools.exclude 缺失时,暴露面很容易失控。
Over-broad MCP access: when tools filters are missing, the exposed action surface can drift wider than intended.
下一步
Next step
先跑 Lite
适合还没确定问题范围的人。你会先拿到 posture 分数、关键发现和人工修复工作量估算。
直接进入 Core
适合已经知道自己要的不是“再看一遍报告”,而是更短、更稳、更可恢复的修正路径。
Run Lite first
Best when you still need to confirm the problem scope. Lite gives you a posture score, key findings, and a manual-effort estimate.
Move straight into Core
Best when you already know you do not need another report. You need a shorter, safer, and recoverable remediation path.
继续查看
NEXT STEP
不确定该停在 Lite 还是进入 Core
Not sure whether to stay on Lite or move to Core
先看差异,再决定是否需要进入整改执行路径。
Compare the two paths first, then decide whether remediation is the right next move.
查看对比Compare options先确认产品边界
Confirm the product boundary first
在购买或部署前,先看这款产品明确做什么,不做什么。
Review what this product explicitly does and does not claim before you buy or deploy.
查看边界View boundary还有问题要确认
Still have questions to clear
付款、升级、恢复路径和本地边界的常见问题集中在这里。
Common questions about payment, upgrades, restore path, and local runtime boundary are handled here.
查看 FAQRead FAQ