#Security Best Practices

I'm currently setting up Hermes, and want it to follow Security's best practices.

Do people recommend using the SOUL.md file and outlining it's guardrails (as a drawn out prompt) there? Or is there another way to do it so it has it in memory across all sessions.

love to hear suggestions from people

for something like security guardrails, I would not rely on memory alone

the better pattern is to keep it in files that Hermes can consistently load, so the behavior is explicit and repeatable instead of hoping it “remembers” across sessions

SOUL.md can work fine for that if you want a global standing policy file, especially for things like:

• never expose secrets
• prefer least privilege
• ask before destructive actions
• avoid insecure defaults
• explain security tradeoffs before changing auth / network / sandbox settings

if you want it to be more reusable and less just “one big prompt file,” a skill is often even better. that lets you keep a named security policy / workflow and invoke it cleanly when needed

so the practical split I’d suggest is:

• use SOUL.md or another always-loaded context file for broad guardrails you want across sessions
• use a skill for more detailed security review behavior or checklists
• do not depend on memory as the source of truth for safety rules

that way the rules are stable, inspectable, and easy to update