Hermes is opening a remote-control surface — and tightening the executable boundary around it
Hermes PR #23742 adds authenticated remote management endpoints for sessions, profiles, SOUL/persona files, memory, toolsets, skills, and gateway status, so desktop or dashboard clients can manage an agent through the API instead of through filesystem or SSH access. In the same workstream, PR #22535 closes a more dangerous ACP boundary: previously, ACP clients could provide stdio MCP server definitions during new, load, resume, or fork session setup, and those definitions could launch local commands before a normal agent turn or the dangerous-command approval path. The fix disables client-provided stdio MCP servers by default while keeping HTTP/SSE MCP servers available and adding an explicit trusted-operator opt-in. PR #23740 also bridges the clarify tool to messaging platforms, which shows Hermes is making remote and channel operation more interactive, not just headless.
Remote desktop/dashboard control is useful only if the control plane is narrower than the machine it manages. Sessions, memory, skills, toolsets, persona files, and gateway status are all sensitive surfaces; combining them with client-supplied executable MCP definitions would be a serious escalation path. Hermes is moving toward richer remote operations, but the key takeaway for readers is to audit the management boundary and the session-setup boundary together.
- PR #23742 adds authenticated API endpoints for sessions, profiles, persona/SOUL.md, memory, toolsets, skills, and gateway status, and advertises them via /v1/capabilities
- The PR includes tests for capabilities, memory roundtrips, auth enforcement, and skill content path safety
- PR #22535 says ACP client-provided stdio MCP servers could spawn local commands during session setup before the normal approval layer
- The fix disables those stdio definitions by default, preserves HTTP/SSE client-provided MCP servers, and adds a trusted-operator opt-in with regression coverage
- PR #23740 wires gateway clarify lifecycle and interactive card rendering so messaging clients can answer clarify prompts instead of seeing a non-functional tool message
- The remote management API and ACP stdio hardening are PRs, not a tagged Hermes release yet
- Authenticated management APIs still need deployment-level controls such as localhost binding, TLS, token rotation, and audit logs
- Trusted-operator opt-ins can become permanent footguns if teams enable them broadly for convenience
- Messaging clarify state must avoid stale answers being applied to the wrong session or user
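The default-deny rule described for PR #22535, sketched as an added example that is not Hermes code: it filters client-supplied MCP definitions at session setup so that only HTTP/SSE entries pass unless the operator has opted in. The definition fields (name, type, url, command, args), the function names and the allow_client_stdio flag are assumptions made for illustration, not taken from the PR.

```python
from dataclasses import dataclass

# Transports that only open a network connection; nothing is spawned locally.
NETWORK_TRANSPORTS = {"http", "sse"}

@dataclass
class SetupDecision:
    accepted: list   # definitions passed on to session setup
    rejected: list   # (name, reason) pairs for the audit log

def transport_of(defn: dict) -> str:
    """Classify a definition; anything carrying a command counts as stdio,
    even if it also claims a network type."""
    if "command" in defn:
        return "stdio"
    return str(defn.get("type", "")).lower()

def filter_client_mcp_servers(defs, allow_client_stdio=False) -> SetupDecision:
    """Apply default-deny to client-supplied MCP definitions.

    allow_client_stdio is a hypothetical trusted-operator opt-in; it must come
    from operator configuration, never from the client request itself.
    """
    decision = SetupDecision(accepted=[], rejected=[])
    for d in defs:
        is_dict = isinstance(d, dict)
        name = d.get("name", "<unnamed>") if is_dict else "<invalid>"
        kind = transport_of(d) if is_dict else ""
        if kind in NETWORK_TRANSPORTS and d.get("url"):
            decision.accepted.append(d)
        elif kind == "stdio" and allow_client_stdio:
            decision.accepted.append(d)
        elif kind == "stdio":
            decision.rejected.append((name, "client stdio MCP disabled by default"))
        else:
            decision.rejected.append((name, "unknown or malformed transport"))
    return decision

# Constructed sample: definitions a client might send on new/load/resume/fork.
SAMPLE = [
    {"name": "docs", "type": "http", "url": "https://mcp.example.invalid/mcp"},
    {"name": "events", "type": "sse", "url": "https://mcp.example.invalid/sse"},
    {"name": "local-tool", "command": "/usr/local/bin/tool", "args": ["--serve"]},
    {"name": "mislabelled", "type": "http", "command": "/bin/sh",
     "url": "https://mcp.example.invalid/x"},
]
```

The rejected list is what an audit log would record for each refused definition, including the entry that labels itself http while carrying a command.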