Nous Research Hermes Agent

Tirith Security — Safe Autonomy with Human Oversight

Key Points

  • Approval workflows for sensitive actions
  • Permission levels per tool
  • Audit trail of all actions
  • Rate limiting and cost controls
  • Configurable guardrails
  • Human-in-the-loop when it matters

How It Works

  1. Configure permission levels in config.yaml
  2. Hermes requests approval for sensitive actions
  3. You approve or deny via chat
  4. Full audit log of all actions taken

Real-World Use Cases

Production Deployment Gating

Configure Hermes so that any kubectl apply or terraform apply to production requires your explicit approval via chat. The agent prepares the deployment, presents a summary, and waits. You approve once; it executes. One wrong keystroke can't bypass the gate.

Financial API Rate Controls

Set daily spend limits on API calls and cost controls per task. If a scheduled workflow would exceed the limit, it pauses and notifies you rather than running up an unexpected bill. Cost transparency before it hits your card.

Multi-User Permission Levels

In shared Hermes deployments (team Discord, family Telegram), configure different permission levels per user. Junior team members can run read-only skills; senior engineers can approve write operations; only you can run destructive commands.

Compliance Audit Trail

Every tool call, every action taken, every approval granted or denied is logged with timestamp, user, and outcome in a structured audit log. Export it for compliance review, incident investigation, or just peace of mind.

Under the Hood

Tirith implements a permission model with four levels: read-only (no side effects), low-risk writes (file edits, local changes), high-risk writes (deployments, external API mutations), and destructive (deletes, irreversible operations). Each tool in Hermes's toolkit is assigned a risk level, and the configuration maps risk levels to approval requirements. You can override individual tools to be more or less restrictive than their default classification.

Approval workflows are delivered through the same messaging platform you're using — no separate app, no email, no context switch. Hermes presents the pending action with a plain-language summary of exactly what it will do, and you approve or deny inline. Approvals are cryptographically scoped to the specific action: approving 'delete this file' does not grant permission to delete other files. The approval token expires after a configurable window (default: 5 minutes) to prevent approval-then-wait attacks.

The audit log uses an append-only SQLite table with tamper detection — log entries include a hash chain so deletions or modifications are detectable. Log entries capture: timestamp, session ID, tool name, full parameters, calling user, approval chain (if required), and outcome. This structured log is queryable via hermes audit query with natural language — 'show me all file deletions in the last week' works as you'd expect. Rate limiting and token cost controls integrate with the permission system, so budget guardrails and safety guardrails share the same configuration surface.
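
The hash-chain idea described above, as an added example that is not Hermes's own code or schema: each entry's hash covers the previous entry's hash, so an edit or a deletion in the middle breaks every later link. The table name, column names, `GENESIS` value and the `expected_head` check are assumptions; the head check is there because a chain alone cannot show that entries were cut from the tail unless the latest hash is also kept somewhere outside the database.

```python
import hashlib, json, sqlite3

GENESIS = "0" * 64  # constructed anchor value for the first entry
COLS = "ts, session_id, tool, params, user, outcome, prev_hash, entry_hash"

def open_log(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(f"CREATE TABLE IF NOT EXISTS audit (seq INTEGER PRIMARY KEY, {COLS})")
    # Append-only at the SQL layer. Anyone who can edit the file can drop
    # these triggers, which is why the hash chain below is still needed.
    for op in ("UPDATE", "DELETE"):
        db.execute(f"CREATE TRIGGER IF NOT EXISTS no_{op} BEFORE {op} ON audit "
                   "BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END")
    return db

def _digest(prev_hash, fields):
    # Canonical JSON so identical fields always produce identical bytes
    body = json.dumps(list(fields), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(db, ts, session_id, tool, params, user, outcome):
    """Append one entry and return its hash (the new chain head)."""
    row = db.execute("SELECT entry_hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    fields = [ts, session_id, tool, json.dumps(params, sort_keys=True), user, outcome]
    head = _digest(prev, fields)
    db.execute(f"INSERT INTO audit ({COLS}) VALUES (?,?,?,?,?,?,?,?)", (*fields, prev, head))
    db.commit()
    return head

def verify(db, expected_head=None):
    """Return None if intact, the seq of the first bad entry, or -1 if the
    chain is consistent but does not end at expected_head (tail removed)."""
    prev = GENESIS
    for seq, *fields, prev_hash, entry_hash in db.execute(
            f"SELECT seq, {COLS} FROM audit ORDER BY seq"):
        # Both the link to the previous entry and the entry's own hash must hold
        if prev_hash != prev or _digest(prev, fields) != entry_hash:
            return seq
        prev = entry_hash
    if expected_head is not None and prev != expected_head:
        return -1
    return None
```
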
