hermes-workflows is an experimental durable workflow runtime. Treat it as alpha software until the public API and threat model are hardened.
Dynamic workflows are Python source returned by an agent runner. Approval gates make generated code inspectable and auditable; they are not a sandbox.
Do not execute generated workflow source from an untrusted agent or user without a real sandbox boundary such as a locked-down process/container, scoped filesystem, network policy, and explicit capability allowlist.
Required safeguards for generated workflow execution:
- record generated source and SHA-256 before execution
- require a human or policy approval before execution
- preserve agent provenance and prompt/request hashes
- fail closed if approval is missing, rejected, or malformed
- separate code-execution approval from external side-effect approval
Workflow examples must default to dry-run/read-only behavior. Creating Gmail drafts, sending email, mutating Sheets/D1/R2, publishing sites, posting to social media, or changing repo visibility requires an explicit approval gate in the workflow and an explicit operator decision outside the workflow.
Draft approval is not send approval. Sending/scheduling should be a separate gate.
Do not commit real participant exports, workflow SQLite databases, generated receipts from real runs, public artifact share tokens, or local .env files.
The Hack the Valley real-run path uses local snapshots and private /tmp/... outputs. Public examples use synthetic data only.
Please report suspected vulnerabilities through GitHub Private Vulnerability Reporting / Security Advisories for this repository when available. If that route is unavailable, open a minimal GitHub issue asking for a private security contact and do not include exploit details, secrets, participant data, workflow databases, or private run artifacts in the public issue.
Include enough non-sensitive detail to reproduce the issue safely: package version or commit, affected command/API, expected behavior, actual behavior, and whether external side effects or generated workflow execution are involved.