Back to portfolio

Chapter 05 - Platform engineering

Telegram Bot (Hermes)

Live case study

An agentic ops bot for repository work, Cloud Build triage, and rollback planning whose self-audit turned safety advice into enforcement layers, not instructions.

Security honestyEvidence trail
Telegram Bot approval workflow and Cloud Run operations preview
176 tests

latest repository verification snapshot in task status

3 audit gates

security, action, and completion audit suites

Open ops

live credentials, PR flow proof, and rotation stay visible

Thesis

Agentic systems need enforceable policy surfaces.

Hermes already provides Telegram transport, memory, model orchestration, and MCP execution. This repository adds the operator-owned layer: repo allowlists, proposal storage, approval commands, action history, GCP observability, and repository audits that fail when safety becomes only prose.

Telegram Bot command and enforcement pipelineTelegram commands route through Hermes, policy checks, proposal approval, audited actions, and Cloud Run/GitHub feedback loops.routepolicyapproverecordobserveTelegram commandoperator + topicHermes routerallowlist + model tierProposal guardpath + secret checksApproval executorordered GitHub planAction audithistory + redactionCloud opsbuilds, logs, rollbackBoundary: repository text, logs, and tool output are treated as untrusted input before any planned action.

Security honesty

Found -> fixed, with the remaining limits left visible.

These rows come from the 2026-06-10 audit material and the source repositories' `origin/main` history. The table only marks an item fixed when a commit, source file, or test file exists.

FindingFoundFixed evidenceStatus
Direct GitHub write tools made safety advisoryThe 2026-06-10 decisions log removed direct GitHub write tools from the exposed MCP surface.Security audit code now fails if create_or_update_file, create_branch, or create_pull_request are directly included; proposal approval is the supported write path.Source: Merge 40fafb5 / commit dd2fe3f; scripts/audit_security.py and tests/test_security_audit.py.Fixed
Sensitive paths and secret-like content needed executable guardsPath and content safety could not depend only on SOUL.md instructions when the bot can plan writes.Safety guards reject `.env*`, `.github`, Dockerfile, cloudbuild, deploy paths, secret-adjacent names, and obvious secret assignments before a proposal is rendered.Source: src/telegram_development/safety.py; tests/test_proposals.py; tests/test_security_audit.py.Fixed
Untrusted repo and Cloud Run output could become prompt instructionsRepository content and log output are operational data, but an agent loop can accidentally treat them as instructions.Router and observability paths wrap untrusted output in BEGIN_UNTRUSTED_TOOL_OUTPUT / END_UNTRUSTED_TOOL_OUTPUT and the audit checks for those delimiters.Source: Merge 40fafb5; plugins/deepseek_router, plugins/gcp_observability, tests/test_security_audit.py.Fixed
Completion and action history were not machine-enforcedA repository implementation needed gates that distinguish repository completion from live setup and record proposal actions.Completion audit, action audit, history command, and task-status checks now pin repository_ok, command evidence, and proposal events.Source: Commits a7796bd and c5508ac; tests/test_completion_audit.py and tests/test_action_audit.py.Fixed

Open item

Real approved PR flow remains outside committed repository proof

The task-status document keeps the real approved PR flow against a non-production test repo as a remaining external validation step.

Source: telegram-development/docs/task-status.md

Open item

Operator live readiness depends on local secrets and runtime setup

Repository-only completion can pass while full live readiness waits for `.env`, `config/repos.yaml`, tools, and deployed services.

Source: telegram-development/docs/runbooks/completion-audit.md

Open item

Credentials pasted during setup still require rotation

The repository does not rotate live credentials; the task-status doc records rotation as an operator step after deployment stability.

Source: telegram-development/docs/task-status.md

Open item

Hermes model switching has an upstream boundary

The model-tier router can select and hint tiers, but Hermes hooks cannot fully switch the tool-loop model per turn today.

Source: telegram-development/config/decisions-log.md

Feature evidence

Product claims stay bound to repository artifacts.

Repo-aware command surface

The repository covers `/start`, `/repo`, `/model`, `/history`, `/repo-status`, `/status`, `/approve`, `/reject`, and `/cancel` through command code, manifests, tests, and task-status evidence.

Source: telegram-development/docs/task-status.md

Approval-gated write workflow

A change proposal stores a JSON record, renders a diff, waits for approval, then returns ordered GitHub MCP commands instead of executing direct writes by default.

Source: telegram-development/docs/runbooks/pr-workflow.md

Cloud Run and CI triage awareness

The bot can reason about Cloud Build, Cloud Run, logs, rollback planning, and repository/deployment context while keeping production promotion explicit.

Source: telegram-development/OPERATIONS.md

Evidence trail

No fake screenshots, transcripts, or unproven metrics.

  • 2026-06-10 decisions log
    telegram-development/config/decisions-log.md
  • Hermes architecture
    telegram-development/ARCHITECTURE.md
  • Hermes operating rules
    telegram-development/SOUL.md
  • Security audit runbook
    telegram-development/docs/runbooks/security-audit.md
  • Completion audit runbook
    telegram-development/docs/runbooks/completion-audit.md
  • PR workflow runbook
    telegram-development/docs/runbooks/pr-workflow.md
  • Repository task status
    telegram-development/docs/task-status.md
  • Security audit source and tests
    telegram-development/src/telegram_development/security_audit.py
  • Portfolio evidence inventory
    family-finance/docs/docs/system-analysis/2026-06-11-v01-strava-telegram-case-study-evidence-sa.md