[SIDECAR-5] Install drift guards — prevent future commits to hermes-agent #341

Open
opened 2026-04-07 14:08:30 +00:00 by Timmy · 1 comment
Owner

Part of Epic: #336

Task

Put technical guardrails so agents never commit directly to hermes-agent again.

Guards

  1. Git hook in hermes-agent: pre-commit hook that warns/blocks commits not from upstream
  2. AGENTS.md update: Add HARD RULE — "DO NOT COMMIT TO THIS REPO. Sovereign work goes to timmy-config."
  3. Gitea branch protection: Lock main, require PR, but also add a CI check that rejects non-upstream commits
  4. Memory/skill update: Add to fleet HARD RULES: "Never commit to hermes-agent. Use timmy-config sidecar."
  5. Agent dispatch rule: Any issue filed on hermes-agent by our agents gets auto-redirected to timmy-config

Acceptance Criteria

  • Pre-commit hook installed in ~/.hermes/hermes-agent/.git/hooks/
  • AGENTS.md in hermes-agent contains the no-commit rule
  • Memory updated with the sidecar boundary rule
  • Skill updated (fleet-health-audit or new skill) with the guard
  • Test: attempt to commit to hermes-agent, get blocked/warned
Timmy self-assigned this 2026-04-07 14:08:30 +00:00
Author
Owner

Drift Guards Installed

Guard 1: Pre-commit Hook

~/.hermes/hermes-agent/.git/hooks/pre-commit — blocks all commits with a clear warning message. Tested and confirmed working (exit code 1).

Escape hatch: HERMES_UPSTREAM_COMMIT=1 git commit ... for genuine upstream PRs.

Guard 2: Skill File

Written to /tmp/sidecar-boundary-skill.md — ready for parent agent to install via skill_manage. Documents:

  • Hard rule: never commit to hermes-agent
  • Where things go (docs, scripts, configs → timmy-config/hermes-sovereign/)
  • Escape hatch and verification commands

Guard 3: AGENTS.md Override

Prepended ## SOVEREIGN BOUNDARY RULE section to ~/.hermes/hermes-agent/AGENTS.md. Any AI agent reading the repo will see the boundary rule first.

Test Output

╔══════════════════════════════════════════════════════════════╗
║  STOP. Do not commit to hermes-agent.                      ║
║  Sovereign work goes to timmy-config.                      ║
╚══════════════════════════════════════════════════════════════╝
EXIT: 1

Note: AGENTS.md will be overwritten on next upstream pull — the hook is the real enforcer.
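
One way to write and verify the Guard 1 hook described above (an added example, not the hook actually installed in this issue). The banner text and the `HERMES_UPSTREAM_COMMIT` variable come from the comment; the function names `install_guard` and `verify_guard` and the hook body are assumptions.

```shell
#!/bin/sh
# Added example: install and verify a blocking pre-commit guard.
# install_guard / verify_guard are hypothetical names, not the project's.

install_guard() {
    # $1 = working tree that must not receive local commits
    hooks_dir="$1/.git/hooks"
    mkdir -p "$hooks_dir" || return 1
    cat > "$hooks_dir/pre-commit" <<'HOOK'
#!/bin/sh
# Escape hatch: only the exact value "1" lets a commit through.
if [ "${HERMES_UPSTREAM_COMMIT:-}" = "1" ]; then
    exit 0
fi
echo "STOP. Do not commit to hermes-agent." >&2
echo "Sovereign work goes to timmy-config." >&2
exit 1
HOOK
    # Git silently skips hooks that are not executable.
    chmod +x "$hooks_dir/pre-commit"
}

verify_guard() {
    # Prints one of: missing | not-executable | not-blocking | hatch-broken | ok
    hook="$1/.git/hooks/pre-commit"
    [ -f "$hook" ] || { echo missing; return 1; }
    [ -x "$hook" ] || { echo not-executable; return 1; }
    # Run the hook body with the escape hatch cleared: it must refuse.
    if (unset HERMES_UPSTREAM_COMMIT; sh "$hook") >/dev/null 2>&1; then
        echo not-blocking; return 1
    fi
    # With the escape hatch set, the same hook must allow the commit.
    if ! HERMES_UPSTREAM_COMMIT=1 sh "$hook" >/dev/null 2>&1; then
        echo hatch-broken; return 1
    fi
    echo ok
}

# Stand-alone use: sh guard.sh ~/.hermes/hermes-agent
if [ -n "${1:-}" ]; then
    install_guard "$1" && verify_guard "$1"
fi
```

A client-side hook is skipped by `git commit --no-verify` and is not carried along by a clone, so the Gitea branch protection in the issue's guard list is still needed to enforce the rule on the server.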

Reference: Timmy_Foundation/timmy-config#341