Hermes-agent

This commit is contained in:
Zakaria
2026-06-14 14:30:48 -04:00
commit dac4b88b94
5058 changed files with 1884848 additions and 0 deletions
@@ -0,0 +1,69 @@
# Engagement Authorization
Fill out before any active testing. Save to `engagement/authorization.md`.
---
**Engagement ID:** <UUID or short slug>
**Operator:** <name of the person driving this Hermes session>
**Date opened:** <ISO 8601 timestamp>
**Engagement window:** <start ISO timestamp> through <end ISO timestamp>
## Target
- Primary URL(s):
- https://...
- Primary IP(s):
- X.X.X.X
- Hostnames covered:
- host.example.com
- api.host.example.com
- Networks covered (CIDR):
- 10.0.0.0/24 (internal lab)
## Authorization Basis
(Pick one — record evidence in writing for anything but ownership.)
- [ ] Operator owns the application and infrastructure being tested.
- [ ] Written authorization from <name, role, organization, date>.
Document stored at: <path or link to signed authorization>.
- [ ] Hermes Agent dashboard, running on this same workstation, used
as a self-test target. Operator confirms no other user is
connected to the dashboard instance during the engagement.
## Out of Scope (must not be tested)
- Production systems unless explicitly listed above
- Third-party APIs / SaaS the application calls into
- Other tenants if the target is multi-tenant
- Cloud metadata endpoints (169.254.169.254, etc.) unless explicitly
included above
- Destructive payloads (DROP, DELETE, file writes outside test
directories) without per-payload approval
- Active social engineering, phishing, physical security
## Constraints
- Rate limit: <N> req/s per host. Default 5/s (200ms gap).
- Hours: <none> | <only between HH:MM and HH:MM local>
- Notify-before for: <list of categories> e.g. "any payload that
writes data," "any traffic that touches the auth endpoint after
10pm local"
## Acknowledgement
By approving this engagement, the operator confirms:
1. The targets listed above are authorized for active testing by the
listed authorization basis.
2. Testing may produce HTTP 4xx/5xx responses, log noise, alert
notifications, and rate-limit triggers in monitoring systems.
3. The operator is responsible for any consequences of testing
targets that are NOT correctly authorized.
4. The operator will revoke authorization (by stopping the agent) if
the scope changes, the time window ends, or any unexpected
off-scope behavior is observed.
**Operator signature (typed name):** ________________
**Confirmed at:** <ISO 8601 timestamp>