# Hermes + Tailscale FleetOps

This bundle contains a practical implementation for remote incident analysis with Hermes as the local control plane and Tailscale as the private transport.

Files:
- `bootstrap-linux.sh`
- `bootstrap-macos.sh`
- `bootstrap-windows.ps1`
- `hermes-fleet.sh`
- `acl-example.json`
- `hermes-config-snippet.yaml`

Recommended architecture:
- Local Hermes machine: control plane
- Tailscale: private network + ACL
- Remote machines: minimal agentless footprint
- Diagnostics: collect evidence bundle remotely, analyze locally

Safety model:
- No Hermes install on remote hosts
- No model API keys on remote hosts
- No public inbound exposure
- Use short-lived Tailscale auth keys
- Use a dedicated `hermesops` account
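
The architecture above depends on the Tailscale ACL to keep remote machines reachable only from the control plane. The following is an added example, not part of this bundle and not the contents of `acl-example.json`: a small lint that checks a policy for that property. The tag names `tag:hermes-control` and `tag:fleet`, the SSH-only port choice, and both sample policies are assumptions constructed for illustration.

```python
import json

# Assumed names, not taken from the bundle.
CONTROL_TAG = "tag:hermes-control"   # the local Hermes machine
FLEET_TAG = "tag:fleet"              # remote machines
ALLOWED_PORTS = {"22"}               # assumption: evidence is pulled over SSH only

def lint_policy(policy):
    """Flag accept rules that let a non-control source reach the fleet,
    or that open fleet ports beyond ALLOWED_PORTS. Only tag and wildcard
    destinations are checked; IP or hostname destinations are not resolved."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        for dst in rule.get("dst", []):
            host, _, ports = dst.rpartition(":")   # "tag:fleet:22" -> host, ports
            if host not in (FLEET_TAG, "*"):
                continue
            for src in rule.get("src", []):
                if src != CONTROL_TAG:
                    findings.append(f"acls[{i}]: {src} can reach {dst}")
            extra = [p for p in ports.split(",") if p not in ALLOWED_PORTS]
            if extra:
                findings.append(f"acls[{i}]: {dst} opens extra ports {extra}")
    return findings

# Constructed sample policies (strict JSON; real policy files may be HuJSON).
WEAK = json.loads('{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}')
TIGHT = json.loads("""{
  "tagOwners": {"tag:hermes-control": ["autogroup:admin"],
                "tag:fleet": ["autogroup:admin"]},
  "acls": [{"action": "accept",
            "src": ["tag:hermes-control"],
            "dst": ["tag:fleet:22"]}]
}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("tight", TIGHT)):
        print(name, lint_policy(policy) or "ok")
```

Run it against an exported policy before applying changes; an empty result means every rule that reaches the fleet originates from the control-plane tag and stays on the allowed port.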
