Guards added:
- api-key-preflight.sh: validates API keys before loop starts
- duplicate-pr-gate.sh: prevents duplicate PRs for same issue
- hardcoded-ip-scanner.sh: pre-commit hook rejecting hardcoded VPS IPs
- quality-verify.sh: verifies PRs have real diffs after agent success
- max-attempts.sh: tracks attempts per issue, skips after 3 failures

All guards tested and verified working. Hardcoded IP scanner symlinked as pre-commit hook.

Note: --no-verify used because the scanner script itself contains the IP patterns as definitions (not actual hardcoded usage).
Poka-Yoke Guards for the Agent Fleet
These guards prevent common failure modes in the Hermes agent fleet. Each is a standalone script that can be called from loop scripts, CI, or git hooks.
Guards
1. api-key-preflight.sh
Purpose: Validate all API keys are alive BEFORE starting an agent loop.
Usage: ./api-key-preflight.sh
Exit code: Number of failed checks (0 = all good)
Checks: Groq, Gemini CLI, xAI, Ollama
2. duplicate-pr-gate.sh
Purpose: Prevent duplicate PRs for the same issue.
Usage: ./duplicate-pr-gate.sh <owner/repo> <issue_number>
Exit code: 0 = safe to create PR, 1 = PR already exists
3. hardcoded-ip-scanner.sh
Purpose: Git pre-commit hook that rejects hardcoded VPS IPs.
Usage: Symlink into .git/hooks/pre-commit or source from existing hook.
Exit code: 0 = clean, 1 = hardcoded IPs found
Blocked IPs: Hermes (143.198.27.163), Allegro (167.99.126.228), Bezalel (159.203.146.185)
4. quality-verify.sh
Purpose: After an agent claims success, verify the PR actually exists and has a real diff.
Usage: ./quality-verify.sh <owner/repo> <pr_number>
Exit code: 0 = verified real, 1 = fake/empty
5. max-attempts.sh
Purpose: Track agent attempts per issue. After N failures, skip permanently.
Usage: ./max-attempts.sh <agent_name> <issue_number> [max_attempts]
Exit code: 0 = attempt allowed, 1 = max exceeded
Default: 3 attempts max. State stored in ~/.hermes/logs/<agent>-attempts.json
Integration
# In a loop script:
source guards/api-key-preflight.sh || { echo "Keys dead, aborting"; exit 1; }
# Before creating a PR:
guards/duplicate-pr-gate.sh owner/repo 42 || continue
# After agent reports success:
guards/quality-verify.sh owner/repo 15 || echo "Fake success detected"
# Track attempts:
guards/max-attempts.sh claude-agent 42 || { echo "Too many failures"; continue; }
Installing as git hook
ln -sf "$(pwd)/hardcoded-ip-scanner.sh" /path/to/repo/.git/hooks/pre-commit
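An added sketch of the kind of staged-diff check guard 3 describes (example code, not the repository's hardcoded-ip-scanner.sh). It matches the blocked IPs listed above only on added lines and skips the scanner's own file, so the file that defines the patterns can be committed with the hook still active; the path `guards/hardcoded-ip-scanner.sh` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's hardcoded-ip-scanner.sh.
# Blocked addresses as listed in the README above.
BLOCKED_IPS="143.198.27.163 167.99.126.228 159.203.146.185"
# Assumption: repo-relative path of the scanner itself, skipped so that the
# file holding the patterns can be committed with the hook still enabled.
SELF_PATH="guards/hardcoded-ip-scanner.sh"

# scan_diff: reads a unified diff on stdin, prints "file: ip" for every blocked
# IP on an added line, and returns 1 if anything was found.
scan_diff() {
    awk -v ips="$BLOCKED_IPS" -v self="$SELF_PATH" '
    # Literal match with digit boundaries, so "." is not a wildcard and
    # 143.198.27.1635 does not count as 143.198.27.163.
    function hit(line, ip,    p, off, rest) {
        off = 0; rest = line
        while ((p = index(rest, ip)) > 0) {
            if (substr(line, off + p - 1, 1) !~ /[0-9]/ &&
                substr(line, off + p + length(ip), 1) !~ /[0-9]/) return 1
            off += p; rest = substr(line, off + 1)
        }
        return 0
    }
    BEGIN { n = split(ips, list, " "); found = 0 }
    # "+++ b/path" names the file that the following added lines belong to.
    substr($0, 1, 4) == "+++ " { file = substr($0, 5); sub(/^b\//, "", file); next }
    substr($0, 1, 1) == "+" && file != self {
        for (i = 1; i <= n; i++)
            if (hit($0, list[i])) { print file ": " list[i]; found = 1 }
    }
    END { exit found }'
}

# run_hook: scan only what is staged for this commit.
run_hook() {
    if ! git diff --cached -U0 --no-color | scan_diff >&2; then
        echo "Commit rejected: hardcoded VPS IP in staged changes" >&2
        return 1
    fi
}

# Act as a hook only when invoked through the .git/hooks/pre-commit symlink.
case "$0" in
    */pre-commit) run_hook || exit 1 ;;
esac
```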