Roadmap
Stephen Cross edited this page Jun 3, 2026 · 4 revisions
| Item | Priority | Description |
|---|---|---|
| ✅ `enabled` field on patterns | High | `enabled: false` skips pattern at load; re-enable without rewriting regex |
| ✅ `group` tag on patterns | High | Optional label for bulk filtering; supports `--group testing` and future bulk enable/disable |
| ✅ `deny_patterns` top-level list | High | New action tier: matched commands blocked immediately, no prompt (below hardline, above block patterns). Intercepts before yolo/mode=off checks — cannot be bypassed. |
| ✅ Protected pattern tier (`protected: true`) | High | At load: protected patterns must be present and their regex must match the stored hash. Missing/changed → CRITICAL log with details. |
| ✅ Config hash tracking | High | SHA-256 of config at load, persisted in ~/.hermes/.custom-patterns-hash. Changed → security warning with delta. |
| ✅ New-allow shadowing warning | Medium | When a new allow pattern matches a built-in dangerous pattern with no overlapping custom block pattern, log WARN. |
| ✅ Directory config support | High | `*.d/` directory loading with alphabetic precedence |
| ✅ AGENTS.md safety guard | High | Add testing safety and self-modification risk sections to project AGENTS.md |
| ✅ Test pattern collection | Medium | Ship the [TEST] patterns as examples/test-patterns.yaml, all enabled: false, group: testing |
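
One way the protected-tier and config-hash checks in the table above can work, as an added example rather than the plugin's own code. The entry keys `name` and `pattern`, the `pinned` mapping, and both function names are assumptions made for this example; the hash file path is passed in by the caller.

```python
import hashlib
import logging
from pathlib import Path

log = logging.getLogger("custom_patterns_example")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_protected(patterns, pinned):
    """Return (name, problem) for every pinned pattern that is missing or altered.

    patterns: config entries such as {"name": ..., "pattern": ..., "enabled": ...}
              (key names are assumptions made for this example)
    pinned:   {name: SHA-256 hex of the regex text}, kept outside the config
    """
    # enabled: false skips a pattern at load, so a disabled protected pattern
    # is not present and is reported as missing rather than silently accepted.
    loaded = {p["name"]: p for p in patterns if p.get("enabled", True)}
    findings = []
    for name, want in pinned.items():
        entry = loaded.get(name)
        if entry is None:
            findings.append((name, "missing"))
        elif sha256_hex(entry["pattern"].encode("utf-8")) != want:
            findings.append((name, "regex changed"))
    for name, problem in findings:
        log.critical("protected pattern %r: %s", name, problem)
    return findings


def config_changed(config_path: Path, hash_path: Path) -> bool:
    """Compare the config's SHA-256 with the persisted value, then persist the new one.

    Returns True only when a previous hash exists and differs (first load is not a change).
    """
    current = sha256_hex(config_path.read_bytes())
    previous = hash_path.read_text().strip() if hash_path.exists() else None
    hash_path.write_text(current + "\n")
    if previous is not None and previous != current:
        log.warning("custom patterns config changed: %s... -> %s...", previous[:12], current[:12])
        return True
    return False
```

Both checks are only as trustworthy as the place the reference hashes are stored: a writer who can edit the config and the hash store together can keep them consistent.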
Note: Hermes plugins can register CLI subcommands via `ctx.register_cli_command()`.
| Item | Priority | Description |
|---|---|---|
| `hermes custom-patterns` CLI | High | `add`, `remove`, `list`, `test`, `enable`, `disable`, `enable --group testing` subcommands |
| Pattern test runner | High | `hermes custom-patterns test "vultr instance delete"` → shows which patterns match, outcome, and whether the prompt would appear |
| Config syntax validation | Medium | `hermes custom-patterns validate` — check YAML + regex validity without running |
| Built-in pattern reference | Medium | `hermes custom-patterns builtins` — list Hermes's ~47 hardcoded patterns |
| Pattern description search | Low | `hermes custom-patterns search "terraform"` — find all patterns matching a keyword |
| Item | Priority | Description |
|---|---|---|
| Pattern profiles | Medium | Named config sets: profiles/work.yaml (strict), profiles/personal.yaml (relaxed), switchable via env var |
| Include/import directive | Medium | `patterns: ["#include: community/cloud-aws.yaml"]` for YAML-level composition |
| Community pattern packs | Low | Curated sets published as GitHub repos, installable via `hermes custom-patterns install scross01/cloud-patterns` |
| Pattern audit log | Low | Record which patterns triggered, how often, user's decision — helps users refine their config |

These require Hermes core changes:
- `register_dangerous_pattern()` API on `PluginContext` — eliminates the need for monkey-patching
- Sensitive-write gate for plugin config — `_SENSITIVE_WRITE_TARGET` should cover `custom-dangerous-patterns.yaml`
- `pre_tool_execution` hook — pre-execution veto without monkey-patching
- Structured logging for approval events — standardized event format for analytics

- GUI config editor: `hermes custom-patterns add "vultr" "Vultr CLI"` CLI command
- Pattern groups: Pre-defined pattern sets (e.g., `cloud: [aws, gcp, azure]`)
- Pattern testing: `hermes custom-patterns test "vultr account info"` → shows which patterns match
- Community patterns: Share pattern sets via GitHub (e.g., "common cloud CLI patterns")