{
  "module": "DD-08 — Hermes: Layered Persistent Memory",
  "course": "Master Course",
  "version": "1.0.0",
  "duration_minutes": 30,
  "total_questions": 15,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis",
    "actual": { "recall": 3, "application": 6, "analysis": 6 }
  },
  "passing_score_percent": 70,
  "questions": [
    {
      "id": "Q01", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What is Hermes's defining architectural contribution?",
      "options": [
        "A wide channel surface (40+ integrations) for enterprise communication.",
        "Self-evolving skills: the agent writes reusable procedures to persistent memory, auto-invoked in future sessions. Episodic memory that compounds — each session makes the agent more capable.",
        "A governance-first model where the harness validates every model write before persisting.",
        "A containerized sandbox that isolates every tool execution from the host."
      ],
      "answer_index": 1,
      "rationale": "Hermes's defining contribution is the self-evolving skill store — the agent writes reusable procedures (skills) to persistent memory, and those skills are retrieved and invoked in future sessions. This is episodic memory that compounds: each session leaves the agent more capable than the last. It is the deepest memory implementation in the roster and the Module 4 reference (5/5). The other options describe OpenClaw (breadth), NemoClaw (governance), and OpenCode (sandbox) — not Hermes."
    },
    {
      "id": "Q02", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Hermes scores 36/60 on the 12-module rubric. On which module does it score highest, and why?",
      "options": [
        "Module 5 (Sandbox), because it runs every tool in an isolated container.",
        "Module 6 (Permission), because harness-managed writes gate every persistent write.",
        "Module 4 (Memory) at 5/5, because it implements all five memory tiers with a self-evolving episodic store (tier 4 with write-back) — the only harness in the roster at this tier.",
        "Module 9 (Verification), because every skill is verified before persistence."
      ],
      "answer_index": 2,
      "rationale": "Hermes scores 5/5 on Module 4 (Memory) — the highest score in its profile and the reference axis. It implements all five memory tiers (in-context, working files, semantic store, episodic log, structured DB), with the differentiator being tier 4 with write-back: the episodic record is not just logged (read-only) but curated into skills and re-injected. No other harness in the roster operates at this tier with curation and re-injection. Modules 5 and 6 are the LOW scores (2/5 each), not the high."
    },
    {
      "id": "Q03", "bloom": "recall", "type": "multiple_choice",
      "prompt": "What market event validated Hermes's depth-over-breadth thesis, and what command expressed it?",
      "options": [
        "Hermes acquired OpenClaw and shut it down.",
        "Hermes overtook OpenClaw on OpenRouter on May 10, 2026 (224B tokens/day) and shipped a 'hermes claw migrate' command FROM OpenClaw — actively pulling users from the market leader.",
        "Hermes was acquired by OpenClaw's parent company.",
        "Hermes open-sourced its entire governance layer."
      ],
      "answer_index": 1,
      "rationale": "On May 10, 2026, Hermes overtook OpenClaw on OpenRouter at 224B tokens/day and shipped a 'hermes claw migrate' command FROM OpenClaw — a competitor aggressive enough to actively pull users from the market leader. This is the market expression of the depth thesis: Hermes argues depth makes reach obsolete, and the migrate command is the mechanism. The overtake is early evidence for the bet (on the memory-depth axis)."
    },
    {
      "id": "Q04", "bloom": "application", "type": "multiple_choice",
      "prompt": "You are architecting a research assistant that must get smarter with every session — each user's accumulated procedures should carry forward and compound. Which harness's architecture is the reference, and what is the load-bearing property?",
      "options": [
        "OpenClaw (DD-07) — its 40+ channels mean the assistant reaches the user everywhere.",
        "Hermes (DD-08) — its self-evolving skill store is episodic memory that compounds: skills are born, retrieved by semantic match, and reinforced across sessions. The load-bearing property is tier 4 with write-back.",
        "NemoClaw (DD-09) — its harness-managed write gate guarantees every persisted skill is clean.",
        "OpenCode (DD-03) — its containerized server isolates each session."
      ],
      "answer_index": 1,
      "rationale": "The requirement — get smarter with every session, accumulated procedures carry forward and compound — is precisely Hermes's value proposition. The load-bearing property is the self-evolving skill store at Module 4 tier 4 with write-back: the episodic record is curated into skills and re-injected, so each session leaves the agent more capable. OpenClaw competes on breadth (channels), not compounding memory. NemoClaw competes on governance (the write gate) — relevant as a fix to Hermes's poisoning surface, not as the compounding capability. OpenCode competes on sandbox isolation."
    },
    {
      "id": "Q05", "bloom": "application", "type": "multiple_choice",
      "prompt": "An attacker injects a payload via an untrusted external input that reaches a Hermes agent's model. The model writes the payload as a skill. How does the damage differ from the same payload written to a working file (/tmp/note.txt)?",
      "options": [
        "There is no difference — both are persistent writes that an attacker can read later.",
        "The working file is read once when a task references it (activation surface: a single file path). The skill is retrieved on EVERY similar future task across the entire task space it plausibly covers, compounding with no natural decay. The skill's half-life is effectively unbounded; the file's is bounded by the task that reads it.",
        "The working file is more dangerous because it persists on disk; the skill is in memory only.",
        "The skill is safer because Hermes validates it before persistence; the file is not validated."
      ],
      "answer_index": 1,
      "rationale": "The asymmetry is the point. A poisoned working file (Module 4 tier 2) is read when a task references that file path — if the task is one-off, the file is read once. A poisoned skill (tier 4) is retrieved on semantic match against ANY similar future task, so the activation surface is the entire task space the skill covers. The skill does not decay — no TTL, no session boundary clears it — and each retrieval is an opportunity for the payload to refine, spread, or escalate. This is why poisoning compounds with memory depth, and why Hermes (deepest memory) has the largest poisoning surface."
    },
    {
      "id": "Q06", "bloom": "application", "type": "multiple_choice",
      "prompt": "A client wants to deploy Hermes for a security-critical workflow (handling credentials, financial data). Using the architect's verdict, what must you do before deployment?",
      "options": [
        "Deploy as-is; Hermes's 36/60 is sufficient for any workload.",
        "Add NemoClaw-style harness-managed write gating (Module 4.3) — model proposes, harness validates — before deploying in any context that cannot tolerate a persistent compromise. Without the gate, a single injection persists indefinitely via the compounding skill store.",
        "Remove the self-evolving skill store entirely; it is the only way to make Hermes safe.",
        "Increase the model's context window; the security issue is context length."
      ],
      "answer_index": 1,
      "rationale": "The architect's verdict is explicit: build on Hermes when memory depth and skill accumulation are the primary value; do NOT build on it for security-critical work without adding NemoClaw-style write gating. The write gate (model proposes, harness validates: provenance, schema, taint check) is the single highest-value fix — it closes the compounding-poisoning class. For a security-critical workflow, a persistent compromise (which the ungated skill store enables) is unacceptable, so the gate is mandatory. Removing the store defeats the purpose of using Hermes; context length is unrelated to the write-path risk."
    },
    {
      "id": "Q07", "bloom": "application", "type": "multiple_choice",
      "prompt": "A teammate says: 'We found a poisoned skill in the store, but we restarted the session, so it's cleared.' What is the error?",
      "options": [
        "No error — restarting the session clears the skill store by design.",
        "The skill store is PERSISTENT across sessions. Restarting the session does NOT clear it. A poisoned skill has no TTL and no session boundary that retires it. The correct remediation is a skill-store audit (identify and remove the poisoned skill), not a session restart.",
        "The error is that the skill store should have been backed up before restart.",
        "The error is that the teammate should have restarted the host machine, not just the session."
      ],
      "answer_index": 1,
      "rationale": "The 'assuming a poisoned skill decays' anti-pattern. The self-evolving skill store is persistent by design — that persistence IS the value (compounding across sessions). It is also the risk: a poisoned skill does not decay, has no TTL, and is not cleared by a session restart. The skill store outlives every session. The correct remediation for a poisoned skill is an active skill-store audit: identify the poisoned entry and remove it. A session restart addresses session-scoped state (context window, working files), not the persistent skill store."
    },
    {
      "id": "Q08", "bloom": "application", "type": "multiple_choice",
      "prompt": "You are explaining why Hermes uses model-initiated writes (the agent writes skills freely, no gate). A colleague asks why the team doesn't just add a validation gate. What is the design trade-off the gate introduces?",
      "options": [
        "No trade-off — the gate is a pure improvement with no cost.",
        "The gate is a CAPABILITY TAX: model proposes, harness validates, some proposals rejected. This throttles the rate at which skills are written, so the agent learns more slowly. Hermes chose the compounding speed (capability) over the gate (safety). The poisoning surface is the price of the compounding. A defensible choice for a depth-specialist, but a choice the architect must understand.",
        "The gate would break the model's context window management.",
        "The gate is incompatible with the OpenRouter API."
      ],
      "answer_index": 1,
      "rationale": "The model-initiated write decision is not an oversight — it is the architectural choice that makes compounding possible at speed. A harness-managed write gate (model proposes, harness validates) throttles the write rate: validation takes time and rejects some proposals. That throttle is the security gain (the gate) AND a capability tax (slower learning). Hermes chose the capability (compounding speed) over the safety (the gate). For a depth-specialist whose value proposition is compounding, this is defensible — but the poisoning surface is the price, and the architect must add the gate for security-critical contexts."
    },
    {
      "id": "Q09", "bloom": "application", "type": "multiple_choice",
      "prompt": "Hermes has two security gaps that compose: (a) external inputs enter context without untrusted-tagging, and (b) model-initiated writes. What persistent-compromise path do these two gaps create together?",
      "options": [
        "They do not compose — each gap is independent and must be exploited separately.",
        "Untrusted external input reaches the model WITHOUT a trust boundary (gap a). The model, treating the injected content, writes a skill via the ungated model-initiated path (gap b). The injected input becomes a POISONED SKILL that outlives the session and activates on every similar future task. Each gap alone is concerning; together they create a persistent-compromise path.",
        "The two gaps cancel out — the untrusted input is blocked by the write path.",
        "The two gaps only compose if the model is running in a container."
      ],
      "answer_index": 1,
      "rationale": "The two gaps compose into a persistent-compromise path. Gap (a): untrusted external content (webpage, tool output) enters the model's context without a trust boundary — same gap as OpenClaw (DD-07). Gap (b): the model writes skills freely via the ungated model-initiated path. Together: the injected input causes the model to persist a poisoned skill. The skill outlives the session (it is in the persistent store), activates on every similar future task, and compounds. Closing only one gap breaks the chain: untrusted-tagging prevents the injection from reaching the write decision; the write gate prevents the poisoned skill from persisting. Defense in depth closes both."
    },
    {
      "id": "Q10", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does the teaching document argue that Hermes's 5/5 on Module 4 (Memory) and its 2/5 on Module 6 (Permission) are 'the same design decision read from two sides'?",
      "options": [
        "They are unrelated — Module 4 and Module 6 measure independent properties.",
        "Both scores derive from model-initiated writes. As a CAPABILITY: the agent writes skills freely, enabling the self-evolving store that earns 5/5 on Memory. As a VULNERABILITY: the same free write lets a prompt-injected model persist a poisoned skill that compounds, earning 2/5 on Permission. One design decision (no write gate) produces both the high capability score and the low security score.",
        "The 5/5 and 2/5 are scoring errors and should both be 3/5.",
        "Module 4 measures the skill store; Module 6 measures the sandbox — they cannot share a decision."
      ],
      "answer_index": 1,
      "rationale": "The central tension of the harness. Model-initiated writes (no harness-level gate between the model's decision to persist and the write) is the single design decision that produces both scores. Read as a capability: the agent learns from every session without throttle, the skill store compounds, and Module 4 earns 5/5 (the reference). Read as a vulnerability: the same free write lets a prompt-injected model persist a poisoned skill that compounds across all future sessions, and Module 6 earns 2/5. A harness-managed write gate would improve the Module 6 score but throttle the compounding (a capability tax) — the trade-off is intrinsic. This is why the score is a profile, not a ranking."
    },
    {
      "id": "Q11", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is the depth-versus-governance contrast between Hermes (DD-08) and NemoClaw (DD-09) described as 'load-bearing for the roster'?",
      "options": [
        "Because one is open-source and the other is proprietary.",
        "Because the two harnesses define opposite ends of the same axis: Hermes funds CAPABILITY by sacrificing safety (model-initiated writes, no gate — the depth reference); NemoClaw funds SAFETY by gating the write path (harness-managed writes — the governance reference). Together they define the depth-vs-governance axis every other harness in the roster sits between. The pairing teaches the intrinsic capability/safety trade-off in write-path design.",
        "Because Hermes and NemoClaw are built by the same team.",
        "Because NemoClaw is the successor to Hermes and replaces it."
      ],
      "answer_index": 1,
      "rationale": "The pairing is load-bearing because the two harnesses are the extreme points of a single axis. Hermes is the depth reference: it maximizes memory depth by allowing model-initiated writes (no gate), accepting the compounding-poisoning surface as the price. NemoClaw is the governance reference: it maximizes safety by making writes harness-managed (model proposes, harness validates), accepting a capability tax as the price. Every other harness in the roster sits somewhere between these two poles on the write-path design axis. The pairing teaches that the capability/safety trade-off in write-path design is intrinsic — you cannot have maximum compounding speed and maximum poisoning resistance simultaneously; the write gate is the control that trades one for the other."
    },
    {
      "id": "Q12", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why does the memory-poisoning risk 'scale with memory depth'? Trace the reasoning from Module 4 tier 2 (working files) to tier 4 with write-back (Hermes).",
      "options": [
        "Memory depth and poisoning risk are unrelated; deeper memory is always safer.",
        "Deeper memory = larger persistent write surface + longer-lived retrieval. Tier 2 (working files): a poisoned file is read once (single path, one-off task). Tier 3 (semantic store): retrieval but no evolution — poisoned entries retrieved but not refined. Tier 4 with write-back (Hermes): poisoned skills retrieved on EVERY similar future task, refined across retrievals, no decay. The activation surface grows with depth; the half-life grows with persistence. Hermes, deepest, has the largest poisoning surface — the cost of the depth.",
        "Poisoning risk decreases with depth because deeper stores have more validation.",
        "Tier 2 is more dangerous than tier 4 because files are easier to inject."
      ],
      "answer_index": 1,
      "rationale": "The poisoning risk scales with memory depth along two axes: the activation surface and the half-life. Tier 2 (working files): the activation surface is a single file path, read when a task references it; if the task is one-off, the file is read once. Tier 3 (semantic store): retrieval widens the activation surface to semantic matches, but the store does not evolve — poisoned entries are retrieved as-is, not refined. Tier 4 with write-back (Hermes): the activation surface is the entire task space the skill covers, AND each retrieval can refine the payload (the store evolves). The half-life also grows: working files may be cleaned up; skills persist indefinitely with no TTL. Hermes, operating at the deepest tier, carries the largest poisoning surface — the cost of the depth that makes it the reference."
    },
    {
      "id": "Q13", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A colleague argues: 'Hermes's 36/60 is a low score; we should not consider it a reference harness.' Using the teaching document's reasoning, what is the error?",
      "options": [
        "The colleague is correct — 36/60 is below median and disqualifies Hermes from reference status.",
        "The error is reading the score as a ranking rather than a PROFILE. Hermes is a depth-specialist: it funds depth (Module 4: 5/5, the reference axis) by sacrificing safety (Modules 5/6: 2/5). The 36/60 is the expected shape of a harness that concentrates on one axis. The 5/5 on Module 4 — the only harness at tier 4 with write-back — is what earns reference status, not the total. A depth-specialist's total is structurally lower than a generalist's; that does not negate its reference status on the depth axis.",
        "The score should be recalculated to 45/60 because the security issues are minor.",
        "The colleague is wrong because 36/60 is actually above median for the roster."
      ],
      "answer_index": 1,
      "rationale": "The error is reading the total as a ranking. Hermes's 36/60 is a depth-specialist's profile: maximum on one axis (Module 4 Memory: 5/5), below median on the safety axes (Modules 5/6: 2/5). This is not a low score for a depth play — it is the expected shape of a harness that funds depth by sacrificing safety. Reference status is earned on an axis, not on the total: Hermes is the Module 4 reference because it is the only harness operating at tier 4 with write-back (curation and re-injection), a property no other harness in the roster carries. A generalist harness would score higher in total but would not be the depth reference. Read the score as a profile (which axes are maxed, which are sacrificed), not a ranking."
    },
    {
      "id": "Q14", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is 'the compounding that makes skills valuable is the same compounding that makes poisoning dangerous' the load-bearing sentence of this deep-dive, and what does it imply for how you architect around Hermes?",
      "options": [
        "It implies you should disable compounding entirely to eliminate the risk.",
        "The sentence names the intrinsic link between Hermes's value proposition and its largest risk: the self-evolving skill store compounds capability (the value) AND compounds poisoning (the cost) via the SAME mechanism (model-initiated writes with no gate). You cannot have one without the other. The architectural implication: if you need the compounding (the value), you MUST add the write gate (the NemoClaw fix) to close the poisoning class — you do not disable compounding, you gate it. The gate converts compounding-poisoning into compounding-capability.",
        "It implies Hermes is fundamentally unsafe and should be avoided.",
        "It implies the skill store should be read-only."
      ],
      "answer_index": 1,
      "rationale": "The load-bearing sentence names the intrinsic link: the self-evolving skill store's compounding is simultaneously the value (capability) and the cost (poisoning), via the same mechanism — model-initiated writes with no validation gate. The architectural implication is NOT to disable compounding (that defeats the purpose of using Hermes) but to GATE it: add the harness-managed write gate (model proposes, harness validates) so that the compounding mechanism only compounds clean skills, not poisoned ones. The gate converts the compounding-poisoning surface into a compounding-capability surface. This is the NemoClaw fix (Module 4.3, DD-09) and the single highest-value remediation. The compounding stays; the poisoning class closes."
    },
    {
      "id": "Q15", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Contrast Module 4 tier 3 (semantic store) with Hermes's tier 4 with write-back. Why does the write-back property make Hermes the reference, and why does it NOT make tier 3 harnesses reference-grade on memory?",
      "options": [
        "Tier 3 and tier 4 are equivalent; both retrieve prior context.",
        "Tier 3 RETRIEVES prior context but does NOT evolve — it returns what was stored, unchanged. Tier 4 with write-back (Hermes) RETRIEVES AND EVOLVES — the episodic record is curated into skills and re-injected, so the store grows richer with use. The write-back property is what makes the memory COMPOUND (each session leaves the agent more capable), which is the reference-grade property. Tier 3 harnesses do not compound; they retrieve. Compounding is the switching cost and the differentiator that earns 5/5.",
        "Tier 3 is reference-grade because retrieval is the hardest part.",
        "Tier 4 with write-back is inferior because it introduces write risk that tier 3 avoids."
      ],
      "answer_index": 1,
      "rationale": "The write-back property is the differentiator. Tier 3 (semantic store) retrieves prior context but does not evolve — it returns what was stored, unchanged. The store is a static retrieval index. Tier 4 with write-back (Hermes only) retrieves AND evolves: the episodic record is curated into reusable skills and re-injected into future sessions, so the store grows monotonically richer with use. This compounding property — each session leaves the agent more capable — is what makes the memory a switching cost (a competitor cannot reproduce a user's accumulated history) and what earns Hermes the 5/5 and reference status. Tier 3 harnesses do not compound; they retrieve. Compounding, not retrieval, is the reference-grade property. (Tier 4's write risk is real — the poisoning surface — but it is the price of the compounding, addressed by the write gate, not by retreating to tier 3.)"
    }
  ]
}
