hermes - 💡(How to fix) Fix [Feature]: Command Blacklist for agent to reject commands in certain profiles

Problem or Use Case

To understand why I need something like this, first I have to explain the architecture of my system. I have many clients, and they all use multiple CRMs. For the sake of compliance and tenant isolation, each client has been allocated a VPS to run a hermes instance.

Each client has access to a web based chat that allows them access to their hermes instance, this web chat connects to the hermes instance using a proxy middleware that i've written.

The proxy middleware is a custom SSE proxy that reads headers for a specific system level key that is set for that client in order to validate that the incoming message is processable. The key is stored in a secrets vault that is accessible to the proxy and to the platform the webchat lives on. Both entities retrieve the key from a vault but are never told what it is otherwise, and only if the key matches do the messages get processed. The proxy then reads other headers and uses the details to dictate which gateway port to send the /v1/chat/completions request to.

Because the proxy is basically a SSE relay, it allows me to use headers to route the messages to the proper profiles(the profiles use different models and have different SOUL.md files). It also allows me to intercept and re-write what a user is sending through the chat. I went about this path because the profiles seem to still sometimes forego the guardrails i've put in the SOUL.md file.

This chat is accessible by all the employees of any given client. In order to disallow users from running commands to update model specific files. I am intercepting them at the proxy level and relaying a "the user has sent an invalid command" to the agent. (I can optimize this by replying on the agent's behalf I know, but the passthru is easier for now)

Is there anyway to blacklist commands from being run on a profile? So that I can clone the user facing profile but with commands blacklisted.

Proposed Solution

From Gille:

There is not currently a first-class “blacklist slash commands per profile” setting.

Profiles can have different config, models, SOUL.md files, tools/toolsets, approvals, etc., but built-in slash commands like /model, /personality, /config, /update, /profile, etc. are resolved by Hermes before the message becomes a normal agent prompt. That means SOUL.md/guardrails are not the right enforcement layer for this. command_allowlist is also for shell command approvals, not for blocking Hermes slash commands.

For the setup you described, proxy-level filtering is the correct workaround today. Block those commands at the proxy and return the denial directly to the user instead of passing “invalid command” through to the agent.

The native feature that would fit this is profile-level command policy, for example commands.disabled or commands.allowed inside each profile config. That does not exist yet, but the use case makes sense for tenant-facing deployments.

Alternatives Considered

My proxy workaround for message relay works fine, but it would just be better if this was part of the platform.

Feature Type

Gateway / messaging improvement

Scope

None

Contribution

• I'd like to implement this myself and submit a PR

Debug Report (optional)