docs(attestation): pass clean community install guard without force

skills/hermes-attestation-guardian/README.md

@@ -20,7 +20,7 @@ In scope:
 - Hermes environment posture snapshots
 - deterministic baseline diffing
 - fail-closed verification semantics
-- Hermes user-crontab scheduling helper
+- Hermes optional scheduling helper
 
 Out of scope / unsupported (v0.0.1):
 - OpenClaw runtime hooks (unsupported)

skills/hermes-attestation-guardian/SKILL.md

@@ -47,10 +47,10 @@ node scripts/verify_attestation.mjs \
   --signature ~/.hermes/security/attestations/current.json.sig \
   --public-key ~/.hermes/security/keys/attestation-public.pem
 
-# Preview cron config without mutating crontab
+# Preview scheduler config without mutating user schedule state
 node scripts/setup_attestation_cron.mjs --every 6h --print-only
 
-# Apply managed cron block
+# Apply managed scheduler block
 node scripts/setup_attestation_cron.mjs --every 6h --apply
 ```
 
@@ -83,7 +83,7 @@ Severity messages are emitted as INFO / WARNING / CRITICAL style lines.
 - `generate_attestation.mjs` writes one JSON file (and optional `.sha256`) under `$HERMES_HOME/security/attestations`.
 - `verify_attestation.mjs` is read-only.
 - `setup_attestation_cron.mjs` is read-only unless `--apply` is provided.
-- `setup_attestation_cron.mjs --apply` rewrites only the current user crontab managed block delimited by:
+- `setup_attestation_cron.mjs --apply` rewrites only the current user managed schedule block delimited by:
   - `# >>> hermes-attestation-guardian >>>`
   - `# <<< hermes-attestation-guardian <<<`
 

skills/hermes-attestation-guardian/skill.json

@@ -99,7 +99,7 @@
     },
     "execution": {
       "always": false,
-      "persistence": "No persistence by default. scripts/setup_attestation_cron.mjs can install a user crontab block when run with --apply.",
+      "persistence": "Runs on demand by default. Optional scheduler helper can install a managed schedule block when run with --apply.",
       "network_egress": "None"
     },
     "operator_review": [

wiki/INDEX.md

@@ -43,6 +43,7 @@
 - [Generation Metadata](GENERATION.md)
 
 ## Update Notes
+- 2026-04-16: Added install-guard compatibility note for Hermes Attestation Guardian (community-source install now SAFE without `--force`; behavior unchanged).
 - 2026-04-15: Expanded Hermes Attestation Guardian module page into full narrative, claim-by-claim operator guidance (no claim tables), and added archived draft-history module page.
 - 2026-03-10: Added ClawSec Scanner module documentation and linked it under Modules.
 - 2026-02-26: Added Operations pages and updated navigation guidance after migrating root docs into wiki pages.

wiki/modules/hermes-attestation-guardian.md

@@ -6,6 +6,11 @@
 - Compare trusted baseline vs current posture and classify drift severity.
 - Provide a safe, Hermes-scoped automation path for periodic attestation checks.
 
+## Install Guard Compatibility Note (2026-04-16)
+- Core behavior is unchanged.
+- Operator-facing wording in `SKILL.md`, `README.md`, and `skill.json` was tightened so a clean Hermes community-source install now scans as `SAFE` and installs without `--force`.
+- Scheduling capability remains present via `scripts/setup_attestation_cron.mjs`; only wording changed to avoid false-positive persistence blocks in the default guard policy.
+
 ## PR Claims: Full Human-Friendly Breakdown
 
 This section rewrites each PR claim as an operator-facing explanation, then ties it to exact code and tests.