Engineer proof point
Hermes is a runtime, not the enterprise boundary
Hermes Agent is useful OSS substrate, but it is not enterprise-ready as a shared multi-tenant agent by default. The credible product is an external control plane: identity, RBAC, policy, isolation, scoped MCP, audit, and review.
What Hermes already has
Hermes already exposes primitives that matter: terminal backends, website blocklists, SSRF protections, memory and skill write gates, and tool-loop guardrails. These are useful controls, but they are not a complete shared-enterprise security model.
Sandboxable terminal backends
Hermes documentation lists local, Docker, SSH, Modal, Daytona, and Singularity/Apptainer terminal backends. Docker supports mounts, read-only mounts, env forwarding, and resource controls.
Network protections
Hermes has URL blocklists and SSRF protection for URL-capable tools, including private networks, loopback, link-local, metadata hosts, and reserved ranges.
Mutable-instruction gates
Skill and memory writes can be gated for approval. This matters because self-improvement is also a hidden mutation plane: anything that rewrites skills or memory changes the agent's future behaviour, not just its current answer.
Loop circuit breakers
Tool-loop guardrails can warn or halt repeated no-progress calls. This protects budgets and operations, not security boundaries.
The issue trail is the market evidence
The strongest engineer-facing proof is that Hermes users are already asking for the missing enterprise control plane. These are not theoretical product-manager concerns; they are concrete GitHub issues around shared deployment.
| Gap | Public evidence | Enterprise wrapper requirement |
|---|---|---|
| RBAC / per-user capabilities | #527 says gateway auth is binary; #3897 asks for per-user tool restrictions. | OIDC identity, role tiers, per-tool permissions, per-user approval modes. |
| Multi-tenancy / memory isolation | #34352 states one agent equals one tenant and memory is global; #28279 asks for scoped memory. | Tenant-scoped profiles, memory namespaces, per-channel context isolation. |
| MCP tool governance | #16462 asks for first-invoke approval for MCP tools; #51626 asks for project-scoped MCP servers. | MCP gateway, scoped registries, first-call approvals, argument filters, tool allowlists. |
| Audit / compliance | #487 proposes structured action-level audit logs; #34992 proposes policy/audit authorization via Agent_Sudo. | Append-only action log, hash chain, SIEM export, replayable tool-call records. |
| Whole-process isolation | Hermes security policy warns that external controls are required for public/shared deployments; NVIDIA shows Hermes with OpenShell/NemoClaw as a security-approved runtime. | Run Hermes inside OpenShell, Docker, or Kubernetes isolation with filesystem, network, process, and secret policy. |
Enterprise wrapper architecture
```text
User / Slack / Discord / Web UI
  -> Enterprise Gateway
       - SSO/OIDC
       - tenant/user identity
       - request classification
       - rate limits and budgets
       - approval UX
  -> Policy Decision Point
       - OPA/Rego or Agent_Sudo
       - tool RBAC
       - argument-level policy
       - data classification policy
       - approval-required decisions
  -> Hermes Runtime
       - one profile per tenant/workspace
       - memory namespace per tenant
       - skill writes gated or disabled
       - MCP tools scoped by project
  -> OpenShell / Container Sandbox
       - filesystem policy
       - network egress policy
       - process/syscall policy
       - model/inference routing policy
       - secret injection
  -> Enterprise Tools
       - MCP gateway
       - GitHub/GitLab, Jira, Slack
       - internal APIs and databases
```
Product surface
Hermes Enterprise Wrapper
OIDC, tenants, RBAC, tool policy, audit, approval workflows, and budget limits.
Hermes Sandbox Pack
OpenShell/Docker/Kubernetes profiles with filesystem, network, secret, and process policies.
Hermes MCP Gateway
Project-scoped MCP registry, first-invoke approvals, tool allowlists, argument filters, and rate limits.
Hermes Audit Plane
Append-only action log, hash-chain verification, SIEM export, replayable tool-call records, and incident timelines.
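As an added illustration of the audit plane described above (example code, not Hermes's own or any wrapper product's), the sketch below keeps a hash-chained, append-only record of policy decisions on tool calls and shows how verification pins down the first tampered entry. Tenant, user, tool and argument values are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

GENESIS = "0" * 64  # previous-hash value committed to by the first record


def canonical(record: dict) -> bytes:
    # Deterministic serialization so an identical record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditLog:
    """Append-only log of tool-call decisions; each entry commits to its predecessor's hash."""
    entries: list = field(default_factory=list)

    def append(self, tenant: str, user: str, tool: str, args: dict, decision: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "tenant": tenant, "user": user,
                "tool": tool, "args": args, "decision": decision, "prev": prev}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev:
                return i  # reordered, dropped, or inserted record
            if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return i  # record contents rewritten after the fact
            prev = entry["hash"]
        return None


def demo() -> tuple:
    # Constructed sample: one allowed call and one denied call, then a rewrite of the denial.
    log = AuditLog()
    log.append("acme", "alice", "github.create_issue", {"repo": "acme/app"}, "allow")
    log.append("acme", "bob", "file.read", {"path": "/etc/shadow"}, "deny")
    before = log.verify()                 # None: chain is consistent
    log.entries[1]["decision"] = "allow"  # tampering: the denial is flipped in storage
    return before, log.verify()           # (None, 1)
```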