MCP security
Hermes retests: prompt fence improved, symlink and learning issues remain open
Hermes security rounds covering secret migration, learning provider prompts, subagents, prefetch boundaries and symlinked profile paths.
Verdict
The 0.4.17 retest is mixed: selected prompt-boundary escapes are fixed, while symlink isolation, migrated secret prefetch and learning-reference cases still need patch confirmation.
Why Hermes is central
Hermes preloads memory into the agent context. That is powerful, but it turns every memory into prompt surface.
The tests check whether a migrated secret, a subagent write, or a plugin installed through a symlinked path can contaminate the primary context.
What improved
The later retest showed the forgeable untrusted-context fence working on the main prompt-boundary cases I checked.
That is a real fix, so I should not present every original Hermes failure as still unchanged.
What remains open
The symlink cross-profile family still needs patch confirmation, including HERMES_HOME and active_profile paths.
The retest also kept migrated secret prefetch and learning-reference promotion cases open, so this is not ready to be framed as fully fixed.
Rerun the test
docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges --pids-limit 192 --memory 768m --cpus 1 --tmpfs /tmp:rw,nosuid,nodev,size=128m --tmpfs /data:rw,nosuid,nodev,size=512m,mode=1777 -v "$PWD:/work" -w /work -e SIBYL_SECURITY_DATA_ROOT=/data sibyl-memory:local python scripts/run_hermes_security_round12_critical_chain_suite.py