Hi team,
We're running Hermes v0.5.0 as a shared Telegram bot for a 4-10-personы investment team.
We have terminal access enabled (needed for admin), but we need to restrict which
tools each user can access based on their Telegram ID.
Current situation:
TELEGRAM_ALLOWED_USERS controls WHO can use the bot — works great- But there's no way to control WHAT tools each user can access
- All allowed users get identical access to all tools including terminal/execute_code
The problem:
- We added RBAC rules in system_prompt_append to block terminal for non-admin users
- The LLM ignored the prompt rule and executed
whoami && id for a non-admin user
- Prompt-based restrictions are unreliable — we need code-level enforcement
What we need:
Per-user tool restrictions in config.yaml, something like:
gateway:
user_roles:
XXXXXX: # Admin
role: admin
tools: all
YYYYYYYY: # Manager
role: manager
blocked_tools: [terminal, execute_code, bash]
default:
role: viewer
allowed_tools: [mcp_*] # MCP tools only, no terminalOr alternatively:
- A
pre_tool_call hook that receives (tool_name, user_id) and can return allow/deny
- Per-user toolset configuration in the gateway
- An approval mode that's per-user (auto-approve for admin, require approval for others)
Use case:
This is critical for any team deployment where the bot has terminal access
but not all users should be able to run system commands. We believe many teams
running Hermes on shared servers face the same issue.
Current workaround:
We patched handle_function_call in model_tools.py to check telegram_user_id
against an admin allowlist before executing terminal/execute_code. Works but
breaks on updates.
Thank you for building an amazing tool. Happy to contribute a PR if you
point us to the right architecture for this.
Hi team,
We're running Hermes v0.5.0 as a shared Telegram bot for a 4-10-personы investment team.
We have terminal access enabled (needed for admin), but we need to restrict which
tools each user can access based on their Telegram ID.
Current situation:
TELEGRAM_ALLOWED_USERScontrols WHO can use the bot — works greatThe problem:
whoami && idfor a non-admin userWhat we need:
Per-user tool restrictions in config.yaml, something like:
Or alternatively:
pre_tool_callhook that receives (tool_name, user_id) and can return allow/denyUse case:
This is critical for any team deployment where the bot has terminal access
but not all users should be able to run system commands. We believe many teams
running Hermes on shared servers face the same issue.
Current workaround:
We patched
handle_function_callin model_tools.py to check telegram_user_idagainst an admin allowlist before executing terminal/execute_code. Works but
breaks on updates.
Thank you for building an amazing tool. Happy to contribute a PR if you
point us to the right architecture for this.