"front"	"back"	"tags"
"What is Hermes's defining architectural contribution?"	"Self-evolving skills: the agent writes reusable procedures to persistent memory; available + auto-invoked in future sessions. Episodic memory that COMPOUNDS — each session makes the agent more capable. The deepest memory implementation in the roster."	harness-engineering::dd08::recall
"What is the strategic thesis of Hermes's 'depth play'?"	"Breadth is reproducible (a competitor can add channels); a compounding memory is NOT — each user's accumulated skill store encodes a specific history and is a switching cost. The 'hermes claw migrate' command is the market expression: depth makes reach obsolete."	harness-engineering::dd08::analysis
"How does a self-evolving skill get born and reused?"	"BIRTH: during a session the agent encounters a non-trivial procedure and writes it as a skill to the persistent store. RETRIEVAL: a future session facing a similar task retrieves it by semantic match and injects into context. COMPOUNDING: each retrieval reinforces; the store grows monotonically richer."	harness-engineering::dd08::recall
"Why is Hermes the Module 4 (Memory) reference at 5/5?"	"It is the only harness in the roster at Module 4 tier 4 with WRITE-BACK: the episodic record is not just logged (read-only) but CURATED into skills and re-injected. All 5 memory tiers implemented. No other harness carries this tier at this maturity."	harness-engineering::dd08::analysis
"Why is the self-evolving skill store a security risk?"	"Model-initiated writes: the agent writes skills FREELY, no validation gate. A prompt-injected model can write a POISONED SKILL that activates on every future invocation — compounding damage. Worse than working-files poisoning (activates on USE across the task space, not just on a single read)."	harness-engineering::dd08::analysis
"Why does poisoning COMPOUND here specifically (vs a poisoned working file)?"	"A poisoned WORKING FILE is read once (single file path, one-off task). A poisoned SKILL is retrieved on EVERY similar future task — activation surface is the entire task space the skill covers. Half-life is effectively unbounded: no TTL, no session boundary clears it. Each retrieval lets the payload refine, spread, or escalate."	harness-engineering::dd08::analysis
"Hermes scores 36/60 — on which module is it highest, and why?"	"Module 4 (Memory): 5/5. The self-evolving skill model is unmatched. All 5 memory tiers implemented, tier 4 with write-back. The memory reference. The 5/5 is the capability score; the 2/5 on Module 6 is the security score — same design decision, two sides."	harness-engineering::dd08::recall
"Hermes scores 36/60 — on which modules is it lowest, and why?"	"Module 5 (Sandbox): 2/5 — no container, blast radius is the host. Module 6 (Permission): 2/5 — model-initiated writes are the poisoning surface. Both are the price of funding depth: a depth-specialist sacrifices the safety axes to maximize one."	harness-engineering::dd08::recall
"State the NemoClaw fix for Hermes's write surface."	"Harness-managed writes (Module 4.3): model PROPOSES a skill; harness VALIDATES (provenance, schema, taint check) before persisting. The poisoned skill is rejected at the gate. Hermes's model-initiated writes become NemoClaw's harness-managed writes."	harness-engineering::dd08::application
"Why is model-initiated writes 'the feature IS the vulnerability'?"	"As a FEATURE: the agent writes freely, no throttle — this is what makes compounding possible at all. As a VULNERABILITY: the same free write lets a prompt-injected model persist a poisoned skill that compounds. A write gate would throttle learning (capability tax). Hermes chose capability over safety. Same decision, two sides."	harness-engineering::dd08::analysis
"Hermes vs OpenClaw: which bet, and who won on OpenRouter?"	"Hermes = depth play (self-evolving memory). OpenClaw = breadth play (40+ channels). Hermes overtook OpenClaw on OpenRouter May 10, 2026 (224B tokens/day) and shipped 'hermes claw migrate' FROM OpenClaw. Depth won on that axis — early evidence for the depth-over-breadth thesis."	harness-engineering::dd08::recall
"What is the difference between Module 4 tier 3 (semantic store) and Hermes's tier 4 with write-back?"	"Tier 3 RETRIEVES prior context but does not evolve — it returns what was stored. Tier 4 with write-back (Hermes only) RETRIEVES AND EVOLVES — the episodic record is curated into skills and re-injected. The store grows richer with use; tier 3 does not."	harness-engineering::dd08::analysis
"Why is 'assuming a poisoned skill decays' an anti-pattern?"	"A poisoned skill does NOT decay — it accrues invocations. No TTL, no session boundary clears it. Restarting the session does not clear the skill store. Cure: treat any injection reaching the write path as a PERSISTENT compromise requiring a skill-store audit, not a session restart."	harness-engineering::dd08::application
"Why is 'building security-critical work on Hermes without write gating' an anti-pattern?"	"Hermes's value proposition is compounding; its tax is the poisoning surface. Building security-critical work on it without the NemoClaw-style write gate imports the compounding-poisoning surface into a context that cannot tolerate it. Cure: add harness-managed write gating (Module 4.3) before deploying in any persistent-compromise-intolerant context."	harness-engineering::dd08::application
"What is the Hermes vs NemoClaw contrast, and why is it load-bearing?"	"Hermes (DD-08) = depth reference: funds CAPABILITY by sacrificing safety (model-initiated writes). NemoClaw (DD-09) = governance reference: funds SAFETY by gating the write path (harness-managed writes). The two are a pair defining the depth-vs-governance axis of the roster. Read together."	harness-engineering::dd08::analysis
"How do Hermes's two security gaps (untrusted-tagging + model-initiated writes) compose?"	"Untrusted external input reaches the model WITHOUT a trust boundary (same gap as OpenClaw DD-07). The model then writes a skill via the ungated model-initiated path. The injected input becomes a POISONED SKILL that outlives the session. Each gap alone is concerning; together they create a PERSISTENT-COMPROMISE path."	harness-engineering::dd08::analysis
"Why is the 36/60 a 'depth-specialist shape' rather than a low score?"	"A depth-specialist funds depth by sacrificing safety. The 5/5 on Module 4 and the 2/5 on Modules 5 and 6 are the SAME design decision (model-initiated writes, no container) read from two sides. Read the score as a PROFILE: maximum on one axis, below median on safety. Expected shape for a depth play, not a ranking failure."	harness-engineering::dd08::analysis
"Name Hermes's architectural cousin and the distinction."	"DD-15 (Command Code): self-evolving PREFERENCES vs. Hermes's self-evolving SKILLS. Both compound; the surface that compounds differs (preference state vs. procedural skill store)."	harness-engineering::dd08::recall
"State the 3 things Hermes does better."	"(1) Self-evolving skills — deepest memory implementation, only harness at Module 4 tier 4 with write-back. (2) Memory depth — all 5 tiers, the reference for the memory axis. (3) Market momentum — overtook OpenClaw on OpenRouter (May 2026); the migrate command validates the depth-over-breadth thesis."	harness-engineering::dd08::recall
"State the 3 things to fix on Hermes."	"(1) Add harness-managed write gating (Module 4.3) — closes the compounding-poisoning class (highest-value fix). (2) Add sandboxing (Docker) — blast radius is currently the host. (3) Add untrusted-tagging on external inputs — combined with model-initiated writes it creates a persistent-compromise path."	harness-engineering::dd08::application
"Why does memory-poisoning risk scale with memory depth?"	"Deeper memory = larger persistent write surface + longer-lived retrieval. A poisoned entry in a shallow store (working files) is read once; in a deep store (self-evolving skills) it is retrieved on every similar future task and compounds. Hermes, the deepest memory, carries the largest poisoning surface in the roster — the cost of the depth."	harness-engineering::dd08::analysis
