Security Posture
All critical security issues resolved.
Resolved
- UFW active (deny incoming), EPMD removed
- NAT mode in wsl.conf (intentional, set by harden.sh)
- Discord bot token rotated Apr 2026 (~/.hermes/.env, chmod 600)
- File permissions 600 on: ~/.hermes/.env, ~/.hermes/config.yaml, project .env files
- WSL auto-start via wsl-startup.vbs in Windows Startup folder
- hermes-gateway.service enabled (preset: enabled)
- appendWindowsPath=false in wsl.conf (intentional)
Intentional Decisions
- Docker group membership kept: Adam needs Docker access for assistant tools
- NAT mode preferred over mirrored for WSL networking
Remaining (Windows-only)
- Windows auto-logon registry keys need admin PowerShell (HKLM inaccessible from WSL)
- Keys: AutoAdminLogon=1, DefaultUserName="Dell 5520", DefaultDomainName="DESKTOP-G4VGIC6", DefaultPassword=""
Monitoring
- Daily 7am cron runs security-audit skill (job 074b4cdc3ed7)
- DevicePasswordLessBuildVersion=2 in registry hides netplwiz checkbox (user removed Windows password instead)
Rule
Never store secrets in filesystem memory. Use .env with 600 perms.
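
One way to check the 600-permission rule on the files listed under Resolved, as an added example (it is not the page's harden.sh or security-audit skill). It assumes GNU `stat` as shipped in WSL distributions; the function names are hypothetical and the paths are passed as arguments.

```shell
#!/bin/sh
# Added example: verify that secret-bearing files are private (mode 600).
# Assumption: GNU coreutils stat (-c '%a'), as found in WSL distributions.

# Print the octal permission bits of a path.
file_mode() {
    stat -c '%a' -- "$1" 2>/dev/null
}

# Succeed only if the path is a regular file, is not a symlink
# (a link could point at a file with looser permissions elsewhere),
# and its mode is exactly 600.
is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ "$(file_mode "$1")" = "600" ]
}

# Check every path given, print one status line per path, and
# return the number of paths that are missing or not private.
audit_secret_files() {
    failures=0
    for f in "$@"; do
        if is_private "$f"; then
            echo "OK    $f"
        elif [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "MISS  $f"
            failures=$((failures + 1))
        elif [ -L "$f" ]; then
            echo "FAIL  $f (symlink, want regular file with mode 600)"
            failures=$((failures + 1))
        else
            echo "FAIL  $f (mode $(file_mode "$f"), want 600)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run the audit only when paths are supplied on the command line, e.g.
#   sh audit-perms.sh ~/.hermes/.env ~/.hermes/config.yaml
[ "$#" -eq 0 ] || audit_secret_files "$@"
```

The exit status is the number of failing paths, so a cron wrapper can alert on any non-zero result.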
Related
- [[Bio Bridge]]
- [[Hermes Infrastructure]]
- [[LLM Judge Standard]]