Guard
Home

Guard for Hermes

Protect long-running Hermes agents before dangerous commands and MCP changes run

Hermes gets more useful the longer it runs. Guard makes long-running agents safer with hook interception, dangerous-command review, dry-run checks, local approvals, and optional sync.

Run a dry-run demoGuard for Hermes docs
No account required for local protection. Create an account later when you want synced receipts, team policy, or shared history.

What Guard checks

A runtime safety layer shaped around this stack.

Hook interception checks Hermes tool calls and MCP requests before execution.

Dangerous-command review pauses high-risk actions in the local approval center.

Dry-run mode shows what Guard would catch without interrupting a live workflow.

Local approvals stay on your machine before any account is created.

Optional sync carries shared trust memory later if your workflow spans machines or teammates.

Rollout path

Built for how this stack is actually run.

Start with the operator’s real workflow, prove local control, then move to the smallest useful protected run.

Operator fit

Persistent-agent builders protecting long-running autonomy

Hermes operators run skills, gateways, servers, and agents that keep working across sessions, so the page speaks to durable protection instead of one-off scans.

Local proof

Lead with dry-run, local approvals, and host-level clarity

Hermes operators need confidence that Guard can review dangerous commands without breaking the agent loop or forcing cloud adoption first.

First run

Install hooks, run doctor, then dry-run a protected workflow

The CTA ladder takes the user from host setup to verification to a low-risk preview before they rely on Guard in a live Hermes run.

Install path

Activation first, account later.

Copy the local command, verify the setup, then connect cloud only when shared history is useful.

01

Install Hermes hooks

Add Guard to the Hermes runtime path before tool calls continue.

hol-guard install hermes
02

Verify hook paths

Confirm Guard sees Hermes config, MCP entries, and tool surfaces.

hol-guard doctor hermes
03

Run a dry-run demo

Preview long-running approval behavior before a protected session.

hol-guard run hermes --dry-run

Hermes

hol-guard install hermes

Data boundary

No account required for local protection.

Local first

  • Approvals stay local by default.
  • Dangerous actions pause before execution.
  • Dry-run proof works before sign-in.

Cloud later

  • Sync trust memory after local activation.
  • Share approvals across operators later.
  • Add advisories and retention when the workflow grows.

Operator proof

Proof for agents that keep running after the terminal closes.

Hermes operators need durable review for skills, gateways, MCP requests, and dangerous commands without breaking the long-running agent loop.

Risk moment

Dangerous command queued during a persistent run

Protect one host first. Coordinate later.

Receipt evidence

Decision before execution

pause_for_local_review
Harness
hermes
Boundary
host_local
Surface
tool_call
Next step
dry_run
Run a dry-run demoRun doctor intent
01

Hook-level visibility

Guard checks Hermes tool calls and MCP requests at the runtime boundary before execution continues.

02

Dry-run before enforcement

Operators can preview review behavior on the host before relying on Guard in a live workflow.

03

Host-local trust memory

Approvals and receipts start on the Hermes host, with sync only when shared operation needs it.

Pricing path

Protect one Hermes host first.

Local protection starts free. Guard Cloud adds shared history and policy once Hermes is serving more than one workflow.

Create account later

FAQ

Direct answers for local-first rollout.