Hermes-native hardening path · Runs locally · Zero default telemetry

M78Armor Hermes Lite Read-only baseline audit

Lite does one job: read the critical Hermes control surfaces, show where meaningful posture drift exists, and stop there. No file changes, no dependency installs, and no default network behaviour.

Read-only · Offline · No file changes

Developer

Confirm the risk before you change anything

Best when you do not want to start by editing config. You want to know where Hermes posture is actually weak first.

Founder

Get an answer without disturbing the environment

Lite does not write files, install packages, or make background calls. It is built to give you a local answer first.

Operator

See the manual effort before you commit

Lite ranks the findings by severity and estimates the manual effort, so you can judge whether Core is worth it immediately.


Gateway boundary: allow-all exposure, shared access risk, and whether approval posture has been weakened.
Terminal isolation: backend choice, Docker mounts, forwarded environment variables, and container bounds.
Secret and MCP hygiene: secrets stored in config, hardcoded MCP headers, and missing tools filters.
Policy controls: tirith scanning, website blocklist, checkpoints, and other core controls that should not be left weak.

No config mutation

It does not write config.yaml, does not write .env, does not touch memory files, and does not pretend to fix anything.

It does not impersonate the paid tier

Lite exists to surface the pain clearly, not to give away the remediation, backup, and restore path that belongs in Core.

If you already know you do not need another report and you need a shorter, safer, recoverable path, move straight into Core.

No. Lite is intentionally read-only. It does not modify config files, install dependencies, or perform remediation.
Yes, if your biggest gap is visibility. If your biggest gap is controlled remediation, move into Core.

Lite vs Core

Not sure Lite is enough

If you already see the issues but are still unsure whether Core is needed, compare Lite and Core first.

Compare Lite vs Core
FAQ

Review common questions

If you still have questions about upgrades, payment, restore path, or local runtime boundary, read the FAQ first.

Read FAQ