mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-01 12:02:05 +00:00
HMAC validation authenticates the webhook sender, not the business fields inside the payload (PR titles, commit messages, issue bodies), which are authored by untrusted third parties. Expand the prompt- injection section to make the trust boundary explicit: the agent's capability surface, not the input channel. Document the hardening levers (sandbox the runtime, scope the toolset, keep approvals on, template narrowly) instead of pretending to sanitize untrusted text. Refs #8820.
21 KiB
21 KiB
| sidebar_position | title | description |
|---|---|---|
| 13 | Webhooks | Receive events from GitHub, GitLab, and other services to trigger Hermes agent runs |
Webhooks
Receive events from external services (GitHub, GitLab, JIRA, Stripe, etc.) and trigger Hermes agent runs automatically. The webhook adapter runs an HTTP server that accepts POST requests, validates HMAC signatures, transforms payloads into agent prompts, and routes responses back to the source or to another configured platform.
The agent processes the event and can respond by posting comments on PRs, sending messages to Telegram/Discord, or logging the result.