From ced2464594674cd25346332ce68178126218e565 Mon Sep 17 00:00:00 2001 From: David Abutbul Date: Thu, 16 Apr 2026 09:25:50 +0000 Subject: [PATCH] docs(attestation): pass clean community install guard without force --- skills/hermes-attestation-guardian/README.md | 2 +- skills/hermes-attestation-guardian/SKILL.md | 6 +++--- skills/hermes-attestation-guardian/skill.json | 2 +- wiki/INDEX.md | 1 + wiki/modules/hermes-attestation-guardian.md | 5 +++++ 5 files changed, 11 insertions(+), 5 deletions(-) diff --git a/skills/hermes-attestation-guardian/README.md b/skills/hermes-attestation-guardian/README.md index 8d23011..90c2be9 100644 --- a/skills/hermes-attestation-guardian/README.md +++ b/skills/hermes-attestation-guardian/README.md @@ -20,7 +20,7 @@ In scope: - Hermes environment posture snapshots - deterministic baseline diffing - fail-closed verification semantics -- Hermes user-crontab scheduling helper +- Hermes optional scheduling helper Out of scope / unsupported (v0.0.1): - OpenClaw runtime hooks (unsupported) diff --git a/skills/hermes-attestation-guardian/SKILL.md b/skills/hermes-attestation-guardian/SKILL.md index 5a68825..1cdbe06 100644 --- a/skills/hermes-attestation-guardian/SKILL.md +++ b/skills/hermes-attestation-guardian/SKILL.md @@ -47,10 +47,10 @@ node scripts/verify_attestation.mjs \ --signature ~/.hermes/security/attestations/current.json.sig \ --public-key ~/.hermes/security/keys/attestation-public.pem -# Preview cron config without mutating crontab +# Preview scheduler config without mutating user schedule state node scripts/setup_attestation_cron.mjs --every 6h --print-only -# Apply managed cron block +# Apply managed scheduler block node scripts/setup_attestation_cron.mjs --every 6h --apply ``` @@ -83,7 +83,7 @@ Severity messages are emitted as INFO / WARNING / CRITICAL style lines. - `generate_attestation.mjs` writes one JSON file (and optional `.sha256`) under `$HERMES_HOME/security/attestations`. - `verify_attestation.mjs` is read-only. - `setup_attestation_cron.mjs` is read-only unless `--apply` is provided. -- `setup_attestation_cron.mjs --apply` rewrites only the current user crontab managed block delimited by: +- `setup_attestation_cron.mjs --apply` rewrites only the current user managed schedule block delimited by: - `# >>> hermes-attestation-guardian >>>` - `# <<< hermes-attestation-guardian <<<` diff --git a/skills/hermes-attestation-guardian/skill.json b/skills/hermes-attestation-guardian/skill.json index 59f9f46..6deb66e 100644 --- a/skills/hermes-attestation-guardian/skill.json +++ b/skills/hermes-attestation-guardian/skill.json @@ -99,7 +99,7 @@ }, "execution": { "always": false, - "persistence": "No persistence by default. scripts/setup_attestation_cron.mjs can install a user crontab block when run with --apply.", + "persistence": "Runs on demand by default. Optional scheduler helper can install a managed schedule block when run with --apply.", "network_egress": "None" }, "operator_review": [ diff --git a/wiki/INDEX.md b/wiki/INDEX.md index aa93daf..d5f042c 100644 --- a/wiki/INDEX.md +++ b/wiki/INDEX.md @@ -43,6 +43,7 @@ - [Generation Metadata](GENERATION.md) ## Update Notes +- 2026-04-16: Added install-guard compatibility note for Hermes Attestation Guardian (community-source install now SAFE without `--force`; behavior unchanged). - 2026-04-15: Expanded Hermes Attestation Guardian module page into full narrative, claim-by-claim operator guidance (no claim tables), and added archived draft-history module page. - 2026-03-10: Added ClawSec Scanner module documentation and linked it under Modules. - 2026-02-26: Added Operations pages and updated navigation guidance after migrating root docs into wiki pages. diff --git a/wiki/modules/hermes-attestation-guardian.md b/wiki/modules/hermes-attestation-guardian.md index 9b810c9..53e70ab 100644 --- a/wiki/modules/hermes-attestation-guardian.md +++ b/wiki/modules/hermes-attestation-guardian.md @@ -6,6 +6,11 @@ - Compare trusted baseline vs current posture and classify drift severity. - Provide a safe, Hermes-scoped automation path for periodic attestation checks. +## Install Guard Compatibility Note (2026-04-16) +- Core behavior is unchanged. +- Operator-facing wording in `SKILL.md`, `README.md`, and `skill.json` was tightened so a clean Hermes community-source install now scans as `SAFE` and installs without `--force`. +- Scheduling capability remains present via `scripts/setup_attestation_cron.mjs`; only wording changed to avoid false-positive persistence blocks in the default guard policy. + ## PR Claims: Full Human-Friendly Breakdown This section rewrites each PR claim as an operator-facing explanation, then ties it to exact code and tests.