diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000..298cd2a3
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,11 @@
+# AGENTS.md — Sovereign Operation Rules
+
+## Hard Rules
+
+### SIDECAR-5: Never commit directly to hermes-agent
+
+**DO NOT COMMIT TO THIS REPO.** All custom work to the hermes-agent codebase must be done through sidecar repositories (e.g., `timmy-config`, `timmy-home`, etc.). Use the sidecar overlay mechanism; do not edit files inside `~/.hermes/hermes-agent` directly.
+
+Commits directly to `hermes-agent` are blocked by a pre-commit guard. If you need to make a change, create an issue or PR from the appropriate sidecar repo.
+
+**Rationale:** Direct commits cause drift, break updates, and violate sovereignty. Changes belong in sidecars where they can be versioned, reviewed, and deployed cleanly.
diff --git a/deploy.sh b/deploy.sh
index 704a1648..b671023c 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -58,6 +58,12 @@ for f in "$SCRIPT_DIR"/memories/*; do
 done
 log "memories/ -> $HERMES_HOME/memories/"
 
+# === Deploy AGENTS.md (sidecar boundary rule) ===
+if [ -f "$SCRIPT_DIR/AGENTS.md" ]; then
+  cp "$SCRIPT_DIR/AGENTS.md" "$HERMES_HOME/AGENTS.md"
+  log "AGENTS.md -> $HERMES_HOME/ (SIDECAR-5 rule)"
+fi
+
 # === Deploy skins ===
 for f in "$SCRIPT_DIR"/skins/*; do
   [ -f "$f" ] && cp "$f" "$HERMES_HOME/skins/"
@@ -86,6 +92,16 @@ done
 chmod +x "$HERMES_HOME/bin/"*.sh "$HERMES_HOME/bin/"*.py 2>/dev/null || true
 log "bin/ -> $HERMES_HOME/bin/"
 
+# === Install SIDECAR-5 pre-commit guard on hermes-agent repo ===
+if [ -d "$HERMES_HOME/hermes-agent/.git" ]; then
+  HOOK_SRC="$SCRIPT_DIR/hermes-sovereign/githooks/hermes-agent-pre-commit"
+  if [ -f "$HOOK_SRC" ]; then
+    cp "$HOOK_SRC" "$HERMES_HOME/hermes-agent/.git/hooks/pre-commit"
+    chmod +x "$HERMES_HOME/hermes-agent/.git/hooks/pre-commit"
+    log "Installed hermes-agent pre-commit drift guard (SIDECAR-5)"
+  fi
+fi
+
 if [ "${1:-}" != "" ]; then
   echo "ERROR: deploy.sh no longer accepts legacy loop flags." >&2
   echo "Deploy the sidecar only. Do not relaunch deprecated bash loops." >&2
diff --git a/hermes-sovereign/githooks/hermes-agent-pre-commit b/hermes-sovereign/githooks/hermes-agent-pre-commit
new file mode 100755
index 00000000..8e439403
--- /dev/null
+++ b/hermes-sovereign/githooks/hermes-agent-pre-commit
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# SIDECAR-5: Pre-commit guard for hermes-agent
+# Blocks all commits directly to the hermes-agent repository.
+# This repository is managed via sidecar overlays; commit attempts indicate drift.
+# Use --no-verify to bypass only in exceptional cases (e.g., guard installation).
+
+echo "ERROR: Commits to hermes-agent are blocked by SIDECAR-5 drift guard." >&2
+echo "All custom work must go through sidecar repositories (timmy-config, timmy-home, etc.)." >&2
+echo "If you need to modify hermes-agent, file an issue on the appropriate sidecar." >&2
+exit 1
diff --git a/memories/SIDECAR_BOUNDARY.md b/memories/SIDECAR_BOUNDARY.md
new file mode 100644
index 00000000..fd6a677f
--- /dev/null
+++ b/memories/SIDECAR_BOUNDARY.md
@@ -0,0 +1,6 @@
+SIDECAR-5: Drift Guard — Never commit directly to hermes-agent.
+All modifications must go through sidecar repos (timmy-config, timmy-home, etc.).
+Pre-commit hook blocks commits; AGENTS.md rule enforced; violations logged.
+§
+2026-04-30 — Guard installed: pre-commit hook in ~/.hermes/hermes-agent/.git/hooks/,
+AGENTS.md rule deployed, agent_guardrails updated. Never bypass without explicit approval.