mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-01 12:02:05 +00:00
HMAC validation authenticates the webhook sender, not the business fields inside the payload (PR titles, commit messages, issue bodies), which are authored by untrusted third parties. Expand the prompt-injection section to make the trust boundary explicit: the agent's capability surface, not the input channel. Document the hardening levers (sandbox the runtime, scope the toolset, keep approvals on, template narrowly) instead of pretending to sanitize untrusted text. Refs #8820.

| Name |
|---|
| developer-guide |
| getting-started |
| guides |
| integrations |
| reference |
| user-guide |
| index.mdx |
| user-stories.mdx |