# Sibyl Hermes Security Round 6 2026-06-02

Focused checks for Hermes adapter prompt-boundary handling and credential
filesystem boundary behavior.

## How to run

```bash
docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges --pids-limit 192 --memory 768m --cpus 1 --tmpfs /tmp:rw,nosuid,nodev,size=128m --tmpfs /data:rw,nosuid,nodev,size=512m,mode=1777 -v "$PWD:/work" -w /work -e SIBYL_SECURITY_DATA_ROOT=/data sibyl-memory:local python scripts/run_hermes_security_round6_suite.py
```

## Summary

| Metric | Count |
|---|---:|
| Total | 2 |
| PASS | 0 |
| FAIL | 2 |

## Runs

| Run | Status | Checks | Reason |
|---|---:|---:|---|
| run-2026-06-02-hermes-run228-prefetch-untrusted-marker-injection | FAIL | 0 / 2 | single_guard_close_marker; stored_marker_escaped_or_removed; Hermes prefetch guard can be marker-injected: stored memory containing the untrusted-context END marker appears before the adapter's official closing marker. |
| run-2026-06-02-hermes-run229-credentials-write-follows-symlink-outside | FAIL | 0 / 2 | symlink_not_followed_on_write; outside_target_not_credentials_json; sibyl_memory_hermes.credentials.write_credentials resolves credentials.json before no-follow handling, so a symlinked credentials path can redirect credential writes outside the intended directory. |
