-
Notifications
You must be signed in to change notification settings - Fork 0
Configuration
Stephen Cross edited this page Jun 3, 2026
·
5 revisions
~/.hermes/custom-dangerous-patterns.yaml
Override with env var:
export HERMES_CUSTOM_PATTERNS_PATH=/path/to/custom-dangerous-patterns.yamlThese commands trigger the approval prompt:
patterns:
- pattern: '\bvultr\b'
description: 'Vultr CLI command'
examples:
- 'vultr account info'
- 'vultr instance list'| Field | Required | Description |
|---|---|---|
pattern |
Yes | Python regex (matched with `re.IGNORECASE |
description |
Yes | Human-readable label shown in the approval prompt |
examples |
No | Documentation-only list of example commands |
Exempt specific commands from approval, even if they match a block pattern:
allow_patterns:
- pattern: '\bvultr\s+(account\s+info|instance\s+list)\b'
description: 'Read-only Vultr commands'| Field | Required | Description |
|---|---|---|
pattern |
Yes | Python regex (same flags as block patterns) |
description |
No | Documentation-only label |
Patterns use \b to match whole words only. This prevents false positives:
| Pattern | Matches | Doesn't match |
|---|---|---|
\bvultr\b |
vultr instance list |
echo vultr_test, my-vultr-server
|
\baws\s+ec2\b |
aws ec2 describe-instances |
aws-ec2-tool, paws ec2
|
\bterraform destroy\b |
terraform destroy -auto-approve |
echo "terraform destroy" in a script |
Without \b, \bvultr would match any string containing "vultr" — including hostnames, variable names, or unrelated commands.
Tip: Use single-quoted YAML strings for patterns — backslashes pass through literally ('\bvultr\b'), avoiding the double-escaping needed with double quotes ("\\bvultr\\b").
1. Hardline check → unconditional block (rm -rf /, mkfs, etc.)
2. Sudo stdin guard → unconditional block
3. Yolo / mode=off → bypass all approval
4. Allow patterns → if match → command runs immediately (no prompt)
5. Block patterns → if match → approval prompt
6. Built-in patterns → if match → approval prompt
7. Tirith security scan → if findings → approval prompt
Allow wins over block. If a command matches both a block pattern and an allow pattern, the allow wins and the command runs without a prompt.
# ~/.hermes/custom-dangerous-patterns.yaml
#
# TIP: Use single-quoted strings for patterns — backslashes pass through
# literally: '\bvultr\b' not "\\bvultr\\b"
patterns:
# ── Cloud CLI tools (destructive) ────────────────────────────────
- pattern: '\bvultr\s+(instance\s+create|instance\s+delete|snapshot\s+create|snapshot\s+delete)\b'
description: 'Vultr destructive instance/snapshot command'
examples:
- 'vultr instance delete --instance-id cb670a12-e4f5-6d78-ab90-1234567890ab'
- 'vultr snapshot delete --snapshot-id 5a3b2c1d'
- pattern: '\bterraform\s+(destroy|apply)\b'
description: 'Terraform destroy/apply (infrastructure mutation)'
examples:
- 'terraform destroy -auto-approve'
- 'terraform apply -auto-approve'
- pattern: '\baws\s+(ec2|s3|rds|iam|lambda|cloudformation)\b'
description: 'AWS CLI mutating service command'
examples:
- 'aws ec2 terminate-instances --instance-ids i-12345'
- 'aws s3 rb s://my-bucket --force'
- 'aws rds delete-db-instance --db-instance-identifier mydb'
- pattern: '\bgcloud\s+(compute\s+instances\s+delete|projects\s+delete)\b'
description: 'GCP destructive command'
examples:
- 'gcloud compute instances delete my-vm --zone=us-central1-a'
- pattern: '\boci\s+(compute\s+instance\s+terminate|database\s+db\s+system\s+delete|network\s+vcn\s+delete)\b'
description: 'Oracle Cloud destructive command'
examples:
- 'oci compute instance terminate --instance-id ocid1.instance.oc1..aaaaaaaa'
- 'oci database db-system delete --db-system-id ocid1.dbsystem.oc1..aaaaaaaa'
- pattern: '\bdoctl\s+(compute\s+droplet\s+delete|kubernetes\s+cluster\s+delete|databases\s+delete)\b'
description: 'DigitalOcean destructive command'
examples:
- 'doctl compute droplet delete 12345678'
- 'doctl kubernetes cluster delete my-cluster'
- pattern: '\bkubectl\s+delete\s+namespace\b'
description: 'Kubernetes namespace deletion'
examples:
- 'kubectl delete namespace staging'
# ── Deployment tools ─────────────────────────────────────────────
- pattern: '\bcap\s+\w+\s+deploy\b'
description: 'Capistrano production deploy'
examples:
- 'cap production deploy'
- pattern: '\bfab\s+\w*\s*deploy\b'
description: 'Fabric deploy'
examples:
- 'fab deploy production'
# ── Database operations ──────────────────────────────────────────
- pattern: '\bDROP\s+(TABLE|DATABASE)\b'
description: 'SQL DROP statement'
examples:
- 'DROP TABLE users'
- 'DROP DATABASE production'
- pattern: '\bmongodump\b.*--drop\b'
description: 'MongoDB dump with --drop (overwrites existing data)'
examples:
- 'mongodump --drop --db production'
# ── Allow patterns ────────────────────────────────────────────────
# Commands matching these are EXEMPT from approval, even if they
# also match a blocked pattern. Evaluated BEFORE block patterns.
# Allow wins over block.
allow_patterns:
# ── Read-only cloud commands (safe) ─────────────────────────────
- pattern: '\bvultr\s+(account\s+info|instance\s+list|dns\s+list|plan\s+list)\b'
description: 'Read-only Vultr commands'
- pattern: '\baws\s+(ec2\s+describe|s3\s+ls|s3\s+cp.*--dry-run|iam\s+list)\b'
description: 'AWS read-only commands'
- pattern: '\bterraform\s+(plan|state\s+list|output)\b'
description: 'Terraform read-only commands'
- pattern: '\boci\s+(compute\s+instance\s+list|network\s+vcn\s+list|database\s+db\s+system\s+list)\b'
description: 'Oracle Cloud read-only commands'
- pattern: '\bdoctl\s+(compute\s+droplet\s+list|kubernetes\s+cluster\s+list|databases\s+list)\b'
description: 'DigitalOcean read-only commands'
# ── Help and utility (safe) ─────────────────────────────────────
- pattern: '\b(vultr|gcloud|aws|terraform|kubectl|oci|doctl)\s+(-h|--help|help)\b'
description: 'Help flags are safe'
- pattern: '\b(vultr|gcloud|aws|terraform|oci|doctl)\s+completion\b'
description: 'Shell completion scripts are safe'| Scenario | Behavior |
|---|---|
| Config file missing | Plugin loads silently, no patterns injected |
| Config file invalid YAML | Log WARNING, plugin loads with empty pattern list |
| Invalid regex in pattern | Log WARNING for that pattern, skip it, load valid ones |
| Pattern matches but allow also matches | Allow wins — no prompt |
--yolo mode |
Custom patterns bypassed |
approvals.mode: off |
Custom patterns bypassed |
approvals.mode: smart |
Custom patterns assessed by auxiliary LLM |
Cron session + cron_mode: deny
|
Custom patterns blocked in cron |
| Container backend (docker, etc.) | All approval checks skipped (sandboxed) |
command_allowlist "always" choice |
Persisted to config.yaml — survives restarts |