bytelyst/bytelyst-devops-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e57038a6a2
bytelyst-devops-tools/docs/hermes-operations.md
root e57038a6a2
Some checks are pending
pre-commit / pre-commit (push) Waiting to run
Details
docs: advance Hermes setup roadmap
2026-05-27 10:12:27 +00:00

4.7 KiB
Raw Blame History

ByteLyst Hermes Operations Runbook

Operational runbook for the private Telegram-driven Hermes Agent setup on the ByteLyst VM.

Current baseline

Observed on 2026-05-27:

  • Hermes version: v0.14.0 (2026.5.16)
  • Install path: /usr/local/lib/hermes-agent
  • Active profile: default
  • Primary provider: OpenAI Codex OAuth
  • Telegram gateway: hermes-gateway.service, system service, enabled and running
  • Backup cron: Sync Hermes persistent-data backup to GitHub, every 30 minutes, local delivery
  • Watchdog cron: ByteLyst Hermes gateway/backup/disk watchdog, every 15 minutes, Telegram delivery on failure only
  • Dashboard policy: do not expose Hermes dashboard/API publicly without explicit approval

Safety guardrail: no public Hermes dashboard/API

Before adding any new Caddy hostname, Docker port, or dashboard/API feature, verify that it is not a Hermes dashboard/API public exposure.

# Inspect public Caddy routes and obvious Hermes/API/dashboard references.
docker ps --format '{{.Names}} {{.Ports}}' | grep -i caddy || true
grep -RniE 'hermes|dashboard|api-server|API_SERVER|8000|8080|3000|5173' /etc/caddy /root/bytelyst.ai 2>/dev/null | head -100

# Inspect listening ports. Review any 0.0.0.0 listeners before exposing a hostname.
ss -ltnp

Allowed private access patterns for a future Hermes dashboard:

  1. local-only binding (127.0.0.1)
  2. SSH tunnel
  3. Tailscale/WireGuard private network
  4. Cloudflare Access or equivalent identity gate
  5. basic auth plus IP allowlist only if public routing is unavoidable and explicitly approved

Health baseline commands

hermes --version
hermes config check
hermes doctor --fix
hermes status --all
hermes cron list
systemctl status hermes-gateway --no-pager
df -h /
free -h
ss -ltnp

Notes:

  • hermes doctor --fix migrated config from version 23 to 24 on 2026-05-27.
  • Optional providers/search backends are mostly not configured yet. Configure through Hermes setup/auth flows only; never commit credentials.

Gateway recovery

systemctl status hermes-gateway --no-pager
journalctl -u hermes-gateway -n 100 --no-pager
hermes gateway restart
# If the CLI restart path is unavailable:
sudo systemctl restart hermes-gateway

After restart, verify from Telegram:

  • inbound message receives a response
  • outbound completion messages work
  • approval prompts still reach the allowed user
  • media/file delivery works for a known safe file if needed

Cron and watchdogs

List jobs:

hermes cron list

Current watchdog script:

~/.hermes/scripts/hermes_health_watchdog.py

Tracked source copy:

scripts/hermes-health-watchdog.py

Behavior:

  • no output on success, so the cron stays silent
  • sends a Telegram message only when it detects an actionable failure
  • checks gateway service state, Hermes cron backup visibility/status, backup repo freshness when discoverable, and root disk usage

Manual smoke test:

python3 ~/.hermes/scripts/hermes_health_watchdog.py
# Healthy output should be empty.

Backup and restore drill outline

The persistent-data backup repo intentionally excludes raw secrets and state.db.

Quarterly restore drill:

  1. Run the backup sync manually or wait for a successful cron run.
  2. Clone the backup repo into a temporary directory.
  3. Inspect git contents for accidental raw secrets: 
    git grep -nE '(API_KEY|TOKEN|SECRET|PASSWORD|BEGIN .*PRIVATE KEY)' || true
  4. Restore into a non-production Hermes profile/test directory only.
  5. Verify config, skills, sessions JSON exports, cron definitions, memories, and scripts are present.
  6. Confirm .env, OAuth files, SQLite WAL/SHM files, logs, caches, and raw state.db are absent.
  7. Delete the temporary restore directory when done.

Upgrade checklist

Before upgrade:

hermes --version
hermes status --all
hermes config check
hermes cron list
python3 ~/.hermes/scripts/sync_hermes_persistent_backup.py

Upgrade from an interactive/private shell only:

hermes update

After upgrade:

hermes doctor --fix
hermes gateway restart
hermes --version
hermes status --all
hermes cron list
python3 ~/.hermes/scripts/hermes_health_watchdog.py

Then run Telegram smoke tests and record any manual fixups in this doc or the roadmap.

Provider and tool changes

Use Hermes flows rather than editing secrets into git-tracked files:

hermes model
hermes setup model
hermes tools list
hermes tools enable <toolset>
hermes tools disable <toolset>

Restart/reset requirement:

  • gateway config changes: /restart from Telegram or hermes gateway restart
  • CLI session tool changes: start a new session or /reset
  • provider auth changes: start a new session after switching models/providers