Hermes Agent — Entity Architecture

Entity Landscape v1.2 · 左翼=静态配置层(Memory/Session/Model) · 心脏=AgentEvent+Context · 右翼=动态能力层(Planner/SelfEvolution/AgentRelation) · ATA Ontology v4.1
🏛 AgentProfile & Permission — 灵魂层
身份
AgentProfile.identity
AgentProfile.name"Hermes Agent"
AgentProfile.creator"Nous Research"
soul_config.hermes.md / SOUL.md
系统提示
system_prompt_build_system_prompt()
PromptTemplate多槽位动态组装
ModelPrompt最终发送给模型
权限控制
Permission.approval_modeon / auto / off
dangerous_patterns~30 rules
🧠 记忆层 Memory
LongTermMemory
MEMORY.mdAgent 笔记
Sensitive-MEMORY Perm-FILE-WRITE SC⚠️ _MEMORY_THREAT_PATTERNS(11条,可绕过)
USER.md用户偏好档案 · 优先级 > MEMORY.md
Sensitive-MEMORY Sensitive-COMMUNICATION Perm-FILE-WRITE SC❌ 无 URL 校验(SC-GAP-CTX-INTEGRITY · AP-12 入口)
ShortTermMemory
SQLite messages本会话历史
MemoryManager
context_blockbuild_memory_context_block()
sanitize()剥离 fence 块
📋 会话层 Session
SessionSQLite sessions 表
Session.idTEXT PK
Session.sourcecli/discord/slack...
parent_session_idSubAgent 链接
token_counts / cost
SCHEMA_VERSIONv6
模型配置 Model
SmartModelRouting
reasoning_effortlow / medium / high
AnthropicAdapter
BedrockAdapter / OpenRouter
AgentEvent Loop
6-Step Iteration
POISON → INSTRUCT → [ N × Iteration ] → ENDS
1
OBSERVING
感知输入·读取上下文·工具调用结果·记忆内容
2
ASSOCIATING
关联历史·跨会话检索·知识匹配
3
ASSEMBLING
PromptTemplate 组装·注入槽位填充
identity memory_guidance skills_guidance context_files tool_call_result delegate_context gateway_msg_ctx model_routing_ctx
4
REASONING
Model 推理·SmartModelRouting·reasoning_effort
5
EXECUTING
工具调用·EventResult 生成·SubAgent spawn
6
SAFETY_VALIDATE
dangerous_patterns 检查·approval_mode·GuardRail
AttackPath Events(叠加在正常循环上)
Poison InstructTo Inject Persist LeadToHarm HarmEvent LeakToEvent TamperEvent DeleteEvent
📦 Context — 消息容器(每轮 LLM 完整输入/输出)
压缩参数
threshold=0.75 protect_first=3 protect_last=6
内容组成
messages[] system_prompt tool_results compressed_summary
调度层 Planner
LongTermPlanner
cron/scheduler.py
CronCreateTOOL-ACT-DESTRUCTIVE
CronList / CronDelete
自进化模块 SelfEvolution
强制触发 · 代码生命周期钩子
sync_turn() on_session_end() on_pre_compress() on_delegation() on_memory_write() expiry_watcher skills_sync
载体:MemoryProvider ABC → 8 外部 plugin (honcho/mem0/hindsight/holographic…)
半自动触发 · LLM Schema 驱动
memory_tool.write() skill_manage create skill_manage patch
"proactively write memory" · "after difficult tasks, save skill"
rl_training_tool Tinker-Atropos · 模型权重级 RL 进化
🕸 Agent 协作 AgentRelation
↓ 上游 · 接受指令
API Server Webhook gateway_msg_ctx slot
↓ 下游 · 委托子 Agent
delegate_task() MAX_DEPTH=2 max_concurrent=3 BLOCKED_TOOLS
⇌ 第三方协作 · MoA
mixture_of_agents claude-opus gpt-5 gemini
🔧 ToolSpace(35+ 工具)
terminal_tool execute_code CronCreate memory_tool write_file send_message delegate_task patch browse_web web_search read_file browser_tool
■ CRITICAL ■ HIGH ■ MEDIUM
TOOL-* 多维风险 & SecurityChecker 覆盖
terminal_tool TOOL-INPUT-PARTIAL TOOL-DATA-SECRET TOOL-DATA-MEM TOOL-ACT-DESTRUCTIVE TOOL-FIELD-CODE SC⚠️ DANGEROUS_PATTERNS 44条
execute_code TOOL-INPUT-UNTRUSTED TOOL-DATA-SECRET TOOL-DATA-MEM TOOL-ACT-DESTRUCTIVE TOOL-FIELD-CODE SC⚠️ PTC沙箱(可经UDS调terminal逃逸)
CronCreate TOOL-ACT-DESTRUCTIVE SC❌ 无内容审批(SC-GAP-CRON · AP-07/AP-12)
memory_tool TOOL-DATA-MEM TOOL-ACT-MODIFY SC⚠️ _MEMORY_THREAT_PATTERNS(partial)
send_message TOOL-DATA-PII TOOL-ACT-DESTRUCTIVE SC⚠️ DANGEROUS_PATTERNS(部分覆盖)
write_file TOOL-DATA-MEM TOOL-ACT-MODIFY TOOL-FIELD-CODE SC✓ path_security.validate_within_dir()
browse_web TOOL-INPUT-UNTRUSTED TOOL-FIELD-CODE SC❌ 返回内容零扫描(SC-GAP-WEB-CONTENT)
📦 SkillSpace
~/.hermes/skills/本地技能目录
optional-skills/
skill_manage安装/卸载/查询
SKILL.md技能描述(注入 skills_guidance)
SkillRegistry
ST- 信任分级
ST-Builtin 最高信任,内置技能
ST-AgentCreated ⚠️ 次高信任 — Agent 自创,70+规则扫描
ST-Community 社区技能,ask-only 安装策略
ST-External 外部 URL,最低信任
🔌 MCPSpace
MCPServer外部 MCP 进程
TOOL-INPUT-UNTRUSTED SC⚠️ _build_safe_env(仅过滤 env key)
transportstdio / HTTP / StreamableHTTP
TOOL-INPUT-UNTRUSTED SC❌ 响应内容无扫描(SC-GAP-MCP-RESP)
_build_safe_env()API key 过滤
SC✓ 过滤敏感 env key(SC-RULE-ENV) SC❌ 不校验 MCP 返回内容
mcp_servers config
Auth-TYPE-NONE SC❌ 无网关级审批
📡 Channel & Gateway — 通道层
输入平台(20+)
CLI Discord Slack Telegram Email API Server Webhook WhatsApp GitHub Linear SMS ...
消息网关
MessageGatewaygateway/delivery.py
gateway/mirror.py会话镜像
pii_redactagent/redact.py
SessionSource来源枚举
ExternalEnv — 外部环境(Extended-Clean 场景引入)
🌐
WebSite / WebSitePage
browse_web 载体
AP-01, AP-09
📁
GitHub / Code Repo
AGENTS.md / SKILL.md
AP-02, AP-03
💬
Slack / Messaging
Agent3rd / Channel
AP-05, AP-09
📦
PyPI / Supply Chain
litellm 依赖
AP-10
SecurityChecker × Entity 覆盖矩阵
检查器 ID 源文件 覆盖实体 效果 主要缺口 / SC-GAP
approval.py
DANGEROUS_PATTERNS		 agent/approval.py
terminal_tool execute_code send_message CronCreate browse_web 响应
SC⚠️ Partial 44条正则;等语义操作(find+tar+curl)未覆盖;
CronCreate 命令体无审批(SC-GAP-CRON-APPROVAL
_MEMORY_THREAT
_PATTERNS		 agent/memory/core.py
MEMORY.md memory_tool USER.md
SC⚠️ Partial 11条规则覆盖 MEMORY.md;USER.md 写入无过滤
SC-GAP-USER-PROFILE-URL → AP-12)
skills_guard.py skills/skills_guard.py
ST-Community Skill ST-External Skill ST-AgentCreated Skill
SC⚠️ Partial 70+ 规则;ST-AgentCreated 技能享受次高信任,
绕过全部 guard 检查(信任悖论)
path_security
validate_within_dir()		 agent/path_security.py
write_file read_file
SC✓ Effective 有效防止路径穿越;terminal_tool 可绕过
(shell 命令不走 path_security)
_build_safe_env() agent/mcp_client.py
MCPServer env MCPServer 响应内容
SC⚠️ Partial 只过滤传给 MCP 进程的 env key;
MCP 返回 payload 不扫描(SC-GAP-MCP-RESP
osv_check
供应链检查		 agent/osv_check.py
PyPI 依赖 运行时注入路径
SC⚠️ Partial 已知 CVE 数据库对比;litellm 子依赖劫持
在安装阶段静默执行(AP-10 SUP=0.2)
SC✓ = 有效覆盖  ·  SC⚠️ = 部分覆盖(可绕过) ·  SC❌ = 未覆盖(已记录 SC-GAP)
灵魂层 AgentProfile
记忆层 Memory
会话层 Session
模型配置 Model
心脏 AgentEvent Loop
消息容器 Context
调度层 Planner
自进化 SelfEvolution
Agent协作 AgentRelation
工具层 ToolSpace
MCP Space
通道层 Channel
外部环境 ExternalEnv