How-To Series · 9: Locking It Down
Managed Scope
Pin config and secrets across every user on a machine, where the admin's values win and users cannot override them.
After this video: you can pin a fleet-wide baseline of config and secrets that standard users cannot change.
Managed scope lets an administrator push config and secrets that a standard user cannot override. It is read from a system directory, default /etc/hermes, owned by root: a managed config.yaml and .env that win over the user's files and even the shell environment, for exactly the keys they pin. Filesystem permissions are the enforcement. Merging is leaf-level, hermes config and hermes doctor show what is managed, and v1 is a Linux-first management boundary, not an un-escapable sandbox.
About these resources. This episode explains how to set up managed scope in Hermes. The Sources block names the Hermes docs page that backs every claim.
Sources · What this video distills
1 docs page · every command below traces to one of them
Commands shown · Copy and paste
each shows the source doc it came from
sudo mkdir -p /etc/hermes
sudo chmod 0644 /etc/hermes/config.yaml /etc/hermes/.env
hermes doctor
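Because filesystem permissions are the enforcement, it is worth auditing the managed directory after setup. The check below is an added example, not part of Hermes or its docs; the function name audit_managed_scope and its arguments are hypothetical, and it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example: verify that a managed-scope directory is enforceable.
# Assumptions: GNU stat (Linux); function name and arguments are hypothetical.
#
# audit_managed_scope DIR [OWNER_UID]
#   Returns 0 when DIR, DIR/config.yaml and DIR/.env (those that exist) are
#   owned by OWNER_UID (default 0, root) and are not group- or world-writable.
#   Returns 1 on any finding, 2 if DIR is not a directory.
#   Usage after setup: audit_managed_scope /etc/hermes
audit_managed_scope() {
    dir=$1
    want_uid=${2:-0}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 2
    fi
    # The directory is checked too: write access to it lets a user replace
    # the managed files even when the files themselves are read-only.
    for p in "$dir" "$dir/config.yaml" "$dir/.env"; do
        # A symlink moves the real permission boundary to its target; flag it.
        if [ -L "$p" ]; then
            echo "FAIL: $p is a symlink" >&2
            rc=1
            continue
        fi
        # A managed file that does not exist pins nothing; skip it.
        [ -e "$p" ] || continue
        uid=$(stat -c '%u' "$p")
        mode=$(stat -c '%a' "$p")
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $p owned by uid $uid, expected $want_uid" >&2
            rc=1
        fi
        # Octal bits 020 (group write) and 002 (other write). Group write is
        # flagged conservatively, whatever the owning group is.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $p mode $mode is group- or world-writable" >&2
            rc=1
        fi
    done
    return $rc
}
```

A mode of 0644 passes this check: the managed files stay readable by every local user and writable only by the owner.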