clawsec/skills/hermes-attestation-guardian/README.md
David Abutbul 600c945fe2 feat(hermes-attestation-guardian): harden attestation verification and drift controls (#192)
* feat(hermes-attestation-guardian): harden attestation verification and drift controls

* docs(wiki): add human-friendly claim mapping for hermes attestation guardian

* docs(wiki): expand hermes attestation claim narratives and archive draft

* fix(attestation): address Baz review findings for schema and verifier

* fix(attestation): reject broken symlink output paths

* docs(attestation): pass clean community install guard without force

* fix(attestation): harden writes and fail-closed config parsing

* feat(ui): add Hermes to rotating platform text

* test(attestation): add sandboxed Hermes regression runner script

---------

Co-authored-by: David Abutbul <David.a@prompt.security>
2026-04-16 17:59:18 +03:00


hermes-attestation-guardian

Hermes-only security attestation and drift detection skill.

Status: implemented (v0.0.1), Hermes-only.

What it does

  • Generates deterministic Hermes runtime posture attestations.
  • Verifies attestation schema + canonical digest with fail-closed semantics.
  • Optionally verifies detached signatures using a provided public key.
  • Fails closed on baseline diffing unless baseline authenticity is verified (trusted digest and/or detached signature).
  • Restricts attestation output writes to Hermes attestation scope ($HERMES_HOME/security/attestations).
  • Compares baseline vs current attestations with stable severity classification.
  • Provides an optional Hermes-oriented cron setup helper (print-only by default).

Scope boundaries

In scope:

  • Hermes environment posture snapshots
  • deterministic baseline diffing
  • fail-closed verification semantics
  • optional Hermes scheduling helper

Out of scope / unsupported (v0.0.1):

  • OpenClaw runtime hooks (unsupported)
  • destructive auto-remediation
  • automatic rollback of runtime configuration

Quickstart

node scripts/generate_attestation.mjs
node scripts/verify_attestation.mjs --input ~/.hermes/security/attestations/current.json
node scripts/setup_attestation_cron.mjs --every 6h --print-only

Tests

node test/attestation_schema.test.mjs
node test/attestation_diff.test.mjs
node test/attestation_cli.test.mjs
node test/setup_attestation_cron.test.mjs