feat: add Hermes Agent as agent provider #824
Add Hermes Agent (NousResearch) as a supported agent provider, enabling OAB to leverage Hermes's multi-provider OAuth infrastructure via ACP.

Key benefits:
- xAI Grok OAuth (SuperGrok $30/mo flat rate vs pay-per-token)
- 30+ providers accessible through one agent
- OAuth token lifecycle managed by Hermes (zero auth complexity for OAB)
- Multi-modal support (TTS, image gen, video gen) via same OAuth token
- Built-in fallback chains for provider resilience

Files added:
- Dockerfile.hermes: runtime image with Hermes Agent installed
- docs/hermes.md: setup guide with auth and provider switching docs
- config.toml.example: added Hermes agent config example

Closes #823

All PRs must reference a prior Discord discussion to ensure community alignment before implementation. Please edit the PR description to include a link like: This PR will be automatically closed in 3 days if the link is not added.
OpenAB PR Screening
This is auto-generated by the OpenAB project-screening flow for context collection and reviewer handoff.
Screening report
Screened PR #824 and moved the project item from `Incoming` to `PR-Screening`.
GitHub comment: #824 (comment)
Intent
Add Hermes Agent as a supported OpenAB agent provider so deployments can run an ACP-compatible agent process that delegates provider auth, token refresh, and model/provider switching to Hermes.
Feat
Feature work. Adds a Hermes runtime image, example config, and setup docs. No OpenAB runtime code change is visible from the item summary.
Who It Serves
Deployers and agent runtime operators.
Rewritten Prompt
Add Hermes Agent as an optional OpenAB agent provider path with a reproducible
Merge Pitch
Worth advancing because Hermes may broaden provider/auth support without OpenAB owning every provider directly. Main risk is operational: auth persistence, pod restarts, and whether ACP stdio is proven enough for unattended deployments.
Best-Practice Comparison
OpenClaw mostly does not apply except for durable operational state. Hermes Agent directly applies: this should document credential storage, mounted state, provider/model selection, and rotation/verification paths.
Implementation Options
Comparison Table
Recommendation
Take the balanced path: require Dockerfile build/startup evidence, tighten docs around credential persistence and non-interactive restarts, and keep Hermes optional/experimental until ACP startup has coverage.
chaodu-agent
left a comment
PR Review — feat: add Hermes Agent as agent provider
Thanks for the PR, @chaodu-agent! The overall direction is solid and the doc coverage is good. A few items to address before merging:
🔴 SUGGESTED CHANGES — Dockerfile.hermes: unversioned install script (security risk)
RUN curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash
Piping from main to bash with no version pin is a supply-chain risk — the script contents can change at any time. This breaks reproducibility and could silently pull in a compromised version. Pin to a specific release tag or commit SHA:
RUN curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/v1.2.3/scripts/install.sh | bash
# or use a versioned release binary directly
🔴 SUGGESTED CHANGES — Dockerfile.hermes: user creation ordering
WORKDIR /home/agent and COPY --chown=1000:1000 both run before useradd -m -u 1000 agent. WORKDIR pre-creates /home/agent owned by root, and then useradd -m may conflict or skip recreating it — leaving /home/agent/.hermes with incorrect ownership depending on the Docker layer cache. Move user creation to before ENV HOME/WORKDIR/COPY:
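# create user first; mkdir runs as root, so hand .hermes back to the agent user
RUN useradd -m -u 1000 agent && mkdir -p /home/agent/.hermes && chown agent: /home/agent/.hermes
ENV HOME=/home/agent
WORKDIR /home/agent
COPY --from=builder --chown=1000:1000 /build/target/release/openab /usr/local/bin/openab
# drop privileges only after all root-owned setup is done
USER agent
🔴 SUGGESTED CHANGES — docs/hermes.md: Helm values reference non-existent chart keys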
The Helm install snippet uses agents.hermes.* values:
--set agents.hermes.discord.enabled=true
--set agents.hermes.image=...
But this PR includes no chart changes. If the Helm chart doesn't actually support agents.hermes, users following these docs will get silent no-ops or errors. Either:
- Add the corresponding chart changes in this PR, or
- Remove the Helm section and file a follow-up issue for chart support.
🟡 NIT — Dockerfile.hermes: HEALTHCHECK is process-level only
CMD pgrep -x openab || exit 1
This confirms the process is alive but not that it's actually healthy (e.g., ACP stdio not hung). Not a blocker, but worth noting — other Dockerfiles in this repo may have a more meaningful check.
🟢 INFO — All testing checkboxes are unchecked
The PR description lists three manual test items (Dockerfile build, ACP stdio connection, OAuth login) and none are marked done. Please confirm these have been verified before requesting merge, especially the OAuth flow inside the container.
Summary: The two Dockerfile issues (user ordering + unversioned install script) and the Helm docs mismatch are the blockers. The rest is polish. Happy to re-review once those are addressed.
…stence docs
- Dockerfile.hermes: pin install script to commit cc07e30f with SHA256 checksum verification instead of curl-pipe-bash from main
- docs/hermes.md & config.toml.example: correct command from 'hermes --acp --stdio' to 'hermes-acp' (verified upstream)
- docs/hermes.md: add PVC/volume mount guidance for credential persistence
Addresses review findings from PR #824.
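The pinning fix discussed in the review and commit above, as an added shell example (not code from this PR or from Hermes): the installer is saved to a file, its SHA-256 is compared with a pinned digest, and it is executed only on an exact match. The function names and the `<PINNED_COMMIT_SHA>` / `<EXPECTED_SHA256>` placeholders are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256
# digest before any shell sees it. All function names are hypothetical.

# fetch_installer URL OUT: download to a file instead of piping into a shell
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# sha256_of FILE: print the lowercase hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 only on an exact digest match; 2 for a malformed pin, 3 for an
# unreadable file. An empty or truncated pin is an error, never a pass.
verify_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 3
    actual=$(sha256_of "$file") || return 3
    [ "$actual" = "$expected" ]
}

# run_pinned_installer FILE EXPECTED_SHA256 [INTERPRETER]
# Runs FILE (default interpreter: sh) only after verification succeeds.
run_pinned_installer() {
    if verify_pinned "$1" "$2"; then
        "${3:-sh}" "$1"
    else
        echo "installer digest mismatch, refusing to run: $1" >&2
        return 1
    fi
}

# Usage in a Dockerfile RUN step (commit and digest are placeholders):
#   fetch_installer "https://raw.githubusercontent.com/NousResearch/hermes-agent/<PINNED_COMMIT_SHA>/scripts/install.sh" /tmp/install.sh
#   run_pinned_installer /tmp/install.sh "<EXPECTED_SHA256>" bash
```

A commit SHA in the URL fixes which revision is fetched; the digest check is what makes the build fail if the bytes served for that URL ever differ from the ones that were reviewed.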
chaodu-agent
left a comment
Additional Findings (follow-up)
Two more issues surfaced from further analysis:
🔴 SUGGESTED CHANGES — Dockerfile.hermes: Hermes installed as root, run as non-root agent
The install script runs as root, placing the hermes binary and any associated virtualenv/config under /root/.hermes (or similar). When the container switches to USER agent, hermes may not be on $PATH or may fail to access its runtime data at ~/.hermes.
Fix: either install Hermes after switching to USER agent (if the install script supports it), or explicitly install to a system-wide path like /usr/local/bin and set HERMES_DATA_DIR to /home/agent/.hermes before the USER agent switch:
ENV HERMES_DATA_DIR=/home/agent/.hermes
RUN curl -fsSL https://... | bash # ensure binary lands in /usr/local/bin
🔴 SUGGESTED CHANGES — docs/hermes.md: Helm --set-string brace syntax for args
--set agents.hermes.args='{--acp,--stdio}'
Helm interprets {a,b} as a set literal only in some contexts; in many shell environments this gets passed as a single string {--acp,--stdio} rather than a two-element array, causing the agent to launch with the wrong arguments. Use indexed syntax instead:
--set agents.hermes.args[0]=--acp --set agents.hermes.args[1]=--stdio

Adds Dockerfile.hermes to the build-image, merge-manifests, and promote-stable matrices so the ghcr.io/openabdev/openab-hermes image is published by CI alongside other agent variants.
- Create agent user before WORKDIR so /home/agent has correct ownership
- Set HERMES_HOME=/home/agent/.hermes during install so OAuth tokens are stored in agent user's home (not /root/.hermes)
- Add ffmpeg for Hermes multi-modal support
- chown /home/agent after all root operations complete
Addresses review findings from 覺渡法師.
- docker-smoke-test.yml: add Dockerfile.hermes variant
- docs/hermes.md: clarify that Helm chart persistence covers .hermes by default; manual PVC only needed for non-Helm deploys
The chart is generic over agents.<name>, so hermes already works, but adding a commented example makes discoverability easier and aligns with the docs/hermes.md Helm install instructions.
FHS root install only links 'hermes' to /usr/local/bin, but 'hermes-acp' stays in the venv. Add explicit symlink.
uv installs its own Python 3.11 at /root/.local/share/uv/python/ which is inaccessible to the agent user. Recreate venv with the image's system Python 3.12 after install script completes.
The hermes install script uses uv which places Python 3.11 under /root/.local/share/uv/. The container runs as non-root user 'agent', causing 'Permission denied' when the venv tries to resolve its Python interpreter. Fix: chmod the uv directory and parent paths to be world-readable/executable. Also symlink hermes-acp to /usr/local/bin for PATH accessibility. Tested and verified working on orbstack with xai-oauth + grok-4.3.
68dc972 to c503969
c503969 to 8f2fec3
LGTM ✅ — All findings resolved. Local k3s deployment verified. Ready to merge.
What This PR Does
Adds Hermes Agent (by Nous Research) as a supported agent provider for OpenAB, enabling multi-provider OAuth infrastructure via ACP stdio protocol.
How It Works
Findings (All Resolved)
Local Testing ✅
Deployed to k3s and verified:
Summary
Add Hermes Agent as a supported agent provider for OpenAB, enabling OAB agents to leverage Hermes's multi-provider OAuth infrastructure via ACP.
What's Included
- Dockerfile.hermes — runtime image with Hermes Agent installed
- docs/hermes.md — setup guide covering auth, provider switching, and advantages
- config.toml.example — added Hermes agent config example
Architecture
Key Benefits
hermes model)
Config Example
Auth (one-time, inside pod)
Testing
Closes #823