docs(part19): correct security playbook to real Hermes Agent schema

[OnlyTerp]

Summary

Part 19 documented a fictional Hermes config schema — a top-level security: block with provenance, approval.require_approval regex + denylist, approval_channels, bypass_subagents, secrets.scope/secrets.env_access, and security.network.egress_allowlist. None of those keys exist in Hermes Agent, so operators following the old guide were writing config that is silently ignored — a false sense of security. This PR rewrites the playbook against the real schema verified from the official Hermes Agent docs and SECURITY.md. Resolves #19.

What changed (fiction → reality)

• Approval: invented security.approval.require_approval/denylist/approval_channels regex → real top-level approvals: (mode: manual|smart|off, timeout, cron_mode, mcp_reload_confirm, destructive_slash_confirm). Dangerous patterns are native (tools/approval.py), not user regex; documented the always-on UNRECOVERABLE_BLOCKLIST, command_allowlist: (human-readable descriptions), YOLO mode, the container-backend approval bypass, and optional security.tirith_* scanning.
• Provenance (Layer 1): removed the non-existent security.provenance trust-labeling block → replaced with real user authorization (.env allowlists: TELEGRAM_ALLOWED_USERS, GATEWAY_ALLOWED_USERS, default-deny, DM pairing, discord.require_mention).
• Secrets (Layer 3): removed secrets.scope: per_tool / env_access / custom redaction.patterns → real security.redact_secrets, .env 0600 perms, and automatic credential scoping for shell/MCP/code-exec subprocesses. Added the SECURITY.md caveat that this is leak-reduction, not containment.
• Network egress (Layer 5): removed the non-existent security.network.egress_allowlist/block_private_ranges/block_metadata_ip → egress control actually lives in the terminal backend / whole-process sandbox (Docker/Compose or NVIDIA OpenShell L7 policy).
• MCP trust (Layer 6): removed invented trust:/allow_sampling/tools_allowlist/max_concurrent_calls keys → real mcp_servers.<name> with env: credential filtering and tools.include/exclude; trust = operator review before install (skills run Python at import, plugins run with full privileges) + Skills Guard.
• Reframed the doc around the SECURITY.md thesis: OS-level isolation is the only real boundary; in-process controls are heuristics.
• Replaced the fictional webhook-signature gateways: block and --profile quarantine profiles with accurate guidance.
• CHANGELOG.md entry added (follows the existing "Part 20 routing schema fixes" precedent).

Type

• Docs / content update
• Fix / typo / link

Checklist

• Cross-links are relative (./partN-foo.md) and resolve (markdown-link-check passes — 10/10 links)
• No secrets in any example — ${VAR} placeholders only
• Dates / prices / PR numbers are current (or marked with the date)
• For skills: n/a (no skill changes)
• For templates: n/a (note: templates/config/security-hardened.yaml carries the same fictional schema and should be fixed in a follow-up)
• CHANGELOG.md updated

Link to Devin session: https://app.devin.ai/sessions/1db51c934b3e40a3a54b58fdb5c788ae
Requested by: @OnlyTerp

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[devin-ai-integration]

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🟡 Section heading renames break 5 existing anchor cross-links across the repo

Renaming Part 19's section headings (e.g. "Layer 1: Input Origin Labeling" → "Layer 1: User Authorization", "Layer 6: MCP Server Trust Model" → "Layer 5: MCP and Plugin Trust", "Layer 2: Approval and Denylist Layers" → "Layer 2: Dangerous-Command Approval") breaks 5 existing anchor-based cross-links that target the old headings. The CI markdown-link-check is configured with check-modified-files-only: 'yes' (.github/workflows/ci.yml:21) so it won't detect these breakages in unmodified files.

Broken links (5 total)

1. skills/ops/telegram-triage/SKILL.md:83 → #layer-1-input-origin-labeling (gone)
2. skills/dev/pr-review/SKILL.md:90 → #layer-6-mcp-server-trust-model (gone)
3. part17-mcp-servers.md:201 → #mcp-server-trust-model (gone)
4. part18-coding-agents.md:246 → #approval-and-denylist-layers (gone)
5. part21-remote-sandboxes.md:260 → #mcp-server-trust-model (gone)

Prompt for agents

The PR renames several section headings in part19-security-playbook.md which breaks 5 anchor-based cross-links in other files. The following files need their links updated to match the new heading anchors:

1. skills/ops/telegram-triage/SKILL.md line 83: change #layer-1-input-origin-labeling to #layer-1-user-authorization--who-can-talk-to-the-agent (and update link text from 'provenance labels' to match the new concept)
2. skills/dev/pr-review/SKILL.md line 90: change #layer-6-mcp-server-trust-model to #layer-5-mcp-and-plugin-trust
3. part17-mcp-servers.md line 201: change #mcp-server-trust-model to #layer-5-mcp-and-plugin-trust
4. part18-coding-agents.md line 246: change #approval-and-denylist-layers to #layer-2-dangerous-command-approval
5. part21-remote-sandboxes.md line 260: change #mcp-server-trust-model to #layer-5-mcp-and-plugin-trust

Additionally, the link text and surrounding descriptions in these files may reference old concepts (provenance labels, MCP trust levels, approval bypass subagents, denylist) that Part 19 now explicitly says don't exist in Hermes. Consider updating the text to match the corrected guidance.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Good catch — confirmed and fixed in ddfaebd. Repointed all 5 anchor cross-links to the renamed Part 19 headings:

• skills/ops/telegram-triage/SKILL.md → #layer-1-user-authorization--who-can-talk-to-the-agent (also updated link text from "provenance labels" → "user authorization")
• skills/dev/pr-review/SKILL.md → #layer-5-mcp-and-plugin-trust
• part17-mcp-servers.md → #layer-5-mcp-and-plugin-trust
• part18-coding-agents.md → #layer-2-dangerous-command-approval
• part21-remote-sandboxes.md → #layer-5-mcp-and-plugin-trust

Verified each with markdown-link-check. Note: the deeper concept drift you flagged (telegram-triage still showing a trust_label: example, part17's allow_sampling:, part16's bypass_subagents anchor, part18's auto_approve_read/require_approval example) is the same fictional schema living in other files — out of scope for issue #19 (Part 19 only), but I'm flagging it to the maintainer as follow-up work.