hermes

The server runs within a Trusted Execution Environment (TEE) providing hardware isolation for secret keys and pending entries in memory, which is a strong security measure. A recovery file persists pending entries to a Docker volume on graceful shutdown; while the README states TEE protection covers pending entries, the explicit disk persistence via a volume should be verified to be TEE-encrypted to fully align with 'memory-only' claims. A significant functional security gap is the absence of a server-side anonymization/sensitivity filter for the `write_journal_entry` content. Although the tool schema *forces* Claude to perform a `sensitivity_check` before writing, the server does not programmatically re-validate or filter the `entry` content itself, relying solely on Claude's adherence to privacy guidelines. The default `JWT_SECRET` value `hermes-default-secret-change-in-production` should be changed for production deployments. Namecheap credentials (`NAMECHEAP_API_KEY`, `NAMECHEAP_USERNAME`, `NAMECHEAP_CLIENT_IP`) are used for DNS management and are passed as environment variables. No obvious 'eval' or malicious code patterns were found.