A privacy-hardened, self-developing fork of NousResearch/hermes-agent.
Three guarantees:
-
No behavioral instructions from upstream are injected unless they pass through Verity's review. Verity overrides the system prompt; the agent runs under Verity's identity, not Hermes' default.
-
No outbound network calls without explicit permission. Only the LLM provider you configured (default: local Ollama or MiniMax) is reachable. Phone-home surfaces in upstream Hermes are stripped via patches; a Python-level netlock catches anything patches miss; an OS-level airgap (with sudo) blocks subprocess-bypass.
-
Verity can develop itself. Snapshots before every change, tests in an isolated worktree, git tags for rollback. Changes that break tests are discarded.
Requires Hermes already installed (the standard Hermes CLI install).
git clone https://github.com/JarrodWoodard/verity
cd verity
python3 install.py # apply patches + install netlock
python3 main.py --check # validate config
python3 main.py # launch Hermes through VerityTo run in an airgapped network namespace (Layer 3):
sudo bash scripts/airgap.sh # full Layer 3 enforcement
bash scripts/airgap.sh --check # dry-run pre-flightverity/
├── install.py — bootstrap: apply patches, install netlock, write manifest
├── main.py — entrypoint; validates config, sets VERITY_SYSTEM_PROMPT, launches Hermes
├── selfdev.py — Phase 4: snapshot → isolate → test → promote → rollback
├── update.py — Phase 5: absorb new Hermes releases (3-way merge + audit)
├── netlock.py — Layer 2: Python-level egress filter (urllib, httpx, requests, aiohttp, websockets, socket)
├── system_prompt.md — Verity's identity block (prepended to agent prompt)
├── toolsets.yaml — default-deny toolset list
├── providers.yaml — provider + network allowlist
├── patches/ — 11 numbered patches (9 real + 1 no-op + 1 placeholder)
├── scripts/
│ ├── PINNED-REF — Hermes SHA we test against
│ ├── regen-vendor.sh — creates tmp worktree for patch generation
│ ├── airgap.sh — Layer 3: OS-level network namespace + iptables
│ └── verity-supervisor.sh — pidfile-based supervised restart
├── tests/ — canned test batteries for selfdev/update
├── docs/
│ ├── PLAN.md — overall strategy + 6 phases
│ ├── AUDIT-FINDINGS.md — code-level audit
│ └── SMOKE-TEST-REPORT.md — end-to-end live test results
├── audit/
│ └── NETWORK-SINKS.md — every Hermes egress site, classified
└── .selfdev/ — transient: manifests, agent-authored tests
| Layer | File | What it does |
|---|---|---|
| 1. Source patches | patches/*.patch |
Strip C1/C2/C3/C4 egress sites from Hermes source |
| 2. Python netlock | netlock.py |
Monkeypatch urllib/httpx/requests/aiohttp/websockets/socket to refuse non-allowlisted destinations |
| 3. OS airgap | scripts/airgap.sh |
unshare -n + iptables: deny everything except allowlisted IPs |
Any one layer alone is not sufficient. All three together hold.
Verity can change itself safely:
# Make a change to a Verity file
# Then run selfdev to test and promote:
python3 selfdev.py run "describe what you changed"
# See version history:
python3 selfdev.py list
# Rollback if needed:
python3 selfdev.py rollback verity-v3When Nous ships a new Hermes release:
python3 update.py run upstream/main # or a specific SHAThis applies Verity's patches (with 3-way merge fallback), audits new egress sites, and refuses to update if any patch fails to apply.
python3 main.py --check # Phase 2: config validates
bash scripts/airgap.sh --check # Phase 3: namespace setup OK
python3 selfdev.py status # Phase 4: selfdev state
python3 update.py --help # Phase 5: update CLI surfaceSee docs/SMOKE-TEST-REPORT.md for the end-to-end live test that
confirmed all five phases working against a real Hermes install with
a real MiniMax-M3 LLM call.
Verity is licensed under the same terms as upstream Hermes (MIT).
Patches in patches/ are derivative works of MIT-licensed code.