A futuristic field manual for building a reliable AI operations agent.

curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash

hermes setup
hermes doctor

hermes                       # interactive CLI
hermes chat -q "hello"       # one-shot query
hermes model                 # choose provider/model
hermes config edit           # edit config.yaml
hermes config path           # print config path
hermes config env-path       # print .env path
hermes tools                 # enable/disable tools
hermes gateway status        # check messaging gateway

web
browser
terminal
file
code_execution
vision
skills
memory
session_search
delegation
cronjob
messaging

model.provider: openai-codex
model.default: gpt-5.5
agent.reasoning_effort: minimal
memory.memory_enabled: true
memory.user_profile_enabled: true
compression.enabled: true
security.redact_secrets: true
gateway.bind_address: 0.0.0.0
platforms.api_server.enabled: true

~/.hermes/

~/.hermes/config.yaml          Main non-secret config
~/.hermes/.env                 API keys and secret environment variables
~/.hermes/auth.json            OAuth credentials / credential pools
~/.hermes/skills/              Installed/custom skills
~/.hermes/logs/                Gateway, dashboard, scheduler logs
~/.hermes/state.db             Session database
~/.hermes/sessions/            Session/routing artifacts
~/.hermes/cron/                Cron job state/config, depending on install version
~/.hermes/profiles/<name>/     Isolated profile homes for additional agents

config.yaml = behavior
.env = secrets
skills/ = reusable procedures
state.db/sessions = conversation history
logs/ = debugging
Obsidian = durable human-readable operating notes, never secrets

~/.hermes/.env

OPENROUTER_API_KEY=...
ANTHROPIC_API_KEY=...
GOOGLE_API_KEY=...
GEMINI_API_KEY=...
DEEPSEEK_API_KEY=...
XAI_API_KEY=...
HF_TOKEN=...
TELEGRAM_BOT_TOKEN=...
DISCORD_BOT_TOKEN=...
API_SERVER_KEY=...
OBSIDIAN_API_KEY=...
GMAIL_CLIENT_ID=...
GMAIL_CLIENT_SECRET=...

hermes auth
hermes auth add openai-codex
hermes auth add nous
hermes auth list

hermes config set security.redact_secrets true

“I placed OPENROUTER_API_KEY in ~/.hermes/.env. Verify that Hermes can see it without printing the value.”

memory:
  memory_enabled: true
  user_profile_enabled: true
  memory_char_limit: 2200
  user_char_limit: 1375
  flush_min_turns: 6
  nudge_interval: 10

- User preferences
- Stable environment facts
- Permanent naming conventions
- Long-lived project structure
- “Don’t do this again” corrections

- Temporary task progress
- PR numbers
- Issue numbers
- Completed task logs
- One-off command outputs
- Anything likely stale in a week

User prefers concise actionable technical summaries.
Project X uses Docker Compose with services api, worker, postgres, and redis.
The production server runs Ubuntu 24.04 and uses systemd services.

Fixed bug today.
PR #123 was opened.
Run pytest tomorrow.
API key is sk-...

- Multi-step setup procedures
- Debugging recipes
- Project-specific deployment workflows
- Reusable scripts and templates
- Anything learned after a tricky 5+ step task

hermes skills list
hermes skills browse
hermes skills search "docker"
hermes skills install <skill-id>
hermes skills check
hermes skills update

When you solve a complex or reusable problem for me, offer to save the workflow as a Hermes skill. If you load a skill and discover it is outdated or missing a pitfall, patch the skill immediately instead of leaving it stale.

devops/
github/
email/
note-taking/
project-specific/<project-name>/
debugging/

inter_agent_message(
  action="send",
  to_profile="default",
  subject="Technical escalation: short title",
  message="Profile: <name>\nProblem: <what failed>\nLogs/errors: <redacted excerpts>\nWhat I tried: <steps>\nImpact: <user impact>"
)

hermes tools enable inter_agent

toolsets:
  - hermes-cli
  - web
  - inter_agent

platform_toolsets:
  cli:
    - hermes-cli
    - inter_agent

If you hit a technical problem you cannot safely resolve — gateway failure, model/provider issue, cron failure, missing credential, broken script, API problem, database issue, or uncertainty about infrastructure — escalate to the default Hermes profile using inter_agent_message. Include exact error text, log paths/snippets, what you tried, and whether the user is impacted. Do not use Telegram, shared files, or cron jobs for internal agent messaging.

default       Technical lead / infrastructure / escalation
email         Email processing and triage
calendar      Calendar/scheduling assistant
research      Web research and notes
dev           Coding and GitHub helper
obsidian      Knowledge-base steward

~/.hermes/profiles/<name>/config.yaml
~/.hermes/profiles/<name>/.env
~/.hermes/profiles/<name>/skills/
~/.hermes/profiles/<name>/logs/

hermes -p <profile> gateway setup telegram --bot-token <token>

~/.hermes/profiles/<profile>/.env                  # TELEGRAM_BOT_TOKEN=...
~/.hermes/profiles/<profile>/telegram_bot_token.txt # raw token if you use helper scripts

hermes gateway setup
hermes gateway install
hermes gateway start
hermes gateway stop
hermes gateway restart
hermes gateway status

~/Library/LaunchAgents/ai.hermes.gateway.plist

launchctl list | grep hermes
tail -100 ~/.hermes/logs/gateway.log
tail -100 ~/.hermes/logs/gateway.error.log

- The gateway runs as a launchd service.
- It uses --replace so restarts replace stale instances cleanly.
- gateway.bind_address is set to 0.0.0.0 for LAN accessibility where needed.
- API server is enabled for local dashboard/integrations.

gateway:
  bind_address: 0.0.0.0
  port: 9119

platforms:
  api_server:
    enabled: true
    extra:
      host: 127.0.0.1
      port: 8642

hermes dashboard

~/Library/LaunchAgents/ai.hermes.dashboard.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ai.hermes.dashboard</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/YOUR_USER/.hermes/hermes-agent/venv/bin/hermes</string>
        <string>dashboard</string>
        <string>--tui</string>
        <string>--skip-build</string>
        <string>--host</string>
        <string>0.0.0.0</string>
        <string>--insecure</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>WorkingDirectory</key>
    <string>/Users/YOUR_USER</string>
    <key>StandardOutPath</key>
    <string>/Users/YOUR_USER/.hermes/logs/dashboard-stdout.log</string>
    <key>StandardErrorPath</key>
    <string>/Users/YOUR_USER/.hermes/logs/dashboard-stderr.log</string>
</dict>
</plist>

launchctl list | grep ai.hermes.dashboard
tail -100 ~/.hermes/logs/dashboard-stdout.log
tail -100 ~/.hermes/logs/dashboard-stderr.log

- Gateway restarts should not kill dashboard.
- Dashboard can be independently supervised and restarted.
- Logs are separate and easier to debug.

--host 0.0.0.0 and --insecure are convenient for LAN testing, not for internet exposure. Put it behind a reverse proxy with auth/TLS if exposing outside your machine.

every 15m
every 2h
0 17 * * *
2026-06-01T09:00:00

1. Daily Hermes update check at 5 PM
   - Loads hermes-agent skill
   - Reviews changelogs/updates/breaking changes
   - Sends concise action-required summary

2. Gateway health check every 15 minutes
   - Script-only no-agent watchdog
   - Quiet when healthy
   - Alerts only when something is wrong

3. Dashboard/plugin health check every 2 hours
   - Script-only no-agent watchdog
   - Checks dashboard/plugin availability

4. Obsidian/Kanban sync every 5 minutes
   - Script-only sync job
   - Quiet unless there is a real problem or configured output

5. Email bridge/poller where needed
   - Script-only polling is acceptable for external email bridge checks
   - Do not use polling cron for local inter-agent messaging

- Use no-agent script mode for simple watchdogs.
- Print nothing when healthy.
- Print concise alert text when unhealthy.
- Use agent-driven cron when reasoning/summarization is needed.
- Include all context in the cron prompt because future cron runs start fresh.
- For recurring reports, make them actionable: changed, risk, action needed, recommended next step.

A. Gmail/Google Workspace via gws CLI or Google APIs
B. IMAP/SMTP via Himalaya or another CLI
C. Platform-specific Hermes email gateway if configured
D. Custom Python script using IMAP/SMTP libraries or provider APIs

EMAIL_IMAP_HOST=imap.example.com
EMAIL_IMAP_USER=you@example.com
EMAIL_IMAP_PASSWORD=app-specific-password
EMAIL_SMTP_HOST=smtp.example.com
EMAIL_SMTP_USER=you@example.com
EMAIL_SMTP_PASSWORD=app-specific-password

- Prefer OAuth over raw password auth.
- If IMAP is used, use an app-specific password, not your main account password.
- Use least privilege scopes where possible.

- urgent human email
- invoices/receipts
- calendar/scheduling
- newsletters/promotions
- security alerts
- family/school/kids
- work/client email

Vault/
  Agents/
    Agent Directory.md
    default/
    email/
    calendar/
    obsidian/
    shared/
      systems/
      procedures/
      standards/
  Businesses/
    <workspace>/
  Projects/
    <project>/

- Each agent/profile gets its own folder under Agents/<agent-name>/.
- Shared cross-agent standards go under Agents/shared/.
- Business/workspace operations go under Businesses/<workspace>/.
- Search before creating notes.
- Update existing notes instead of making duplicates.
- Never put secrets in Obsidian.
- Use wikilinks for navigation.

plugins:
  enabled:
    - obsidian-memory

When I refer to something from a prior conversation, use session_search before asking me to repeat myself. Summarize what you found and cite the relevant session/context in plain English.

delegation:
  max_concurrent_children: 3
  max_spawn_depth: 1
  child_timeout_seconds: 600
  orchestrator_enabled: true

Use delegation intelligently. For complex tasks, split work into specialist subagents such as Docker, networking, backend, frontend, database, or security review. Pass each subagent complete context. Verify their claims before reporting success, especially for file writes, external API actions, or deployments.

- Gateway process running
- Dashboard process running
- API server responding
- Cron scheduler healthy
- Disk space not full
- Recent logs do not show repeated errors
- Telegram/Discord/etc. bot polling not conflicted
- Provider credentials not expired
- Memory/config files readable

hermes status --all
hermes doctor
hermes gateway status
hermes cron status
hermes cron list
hermes profile list
launchctl list | grep hermes
tail -100 ~/.hermes/logs/gateway.log
tail -100 ~/.hermes/logs/gateway.error.log

Build a quiet Hermes health monitoring setup. It should check gateway, dashboard, cron, API server, disk space, and recent logs. It should run on a schedule, print nothing when healthy, and alert me only when there is a real issue. Use script-only cron jobs for mechanical checks. Document the checks and verification steps in Obsidian without storing secrets.

AGENTS.md
CLAUDE.md
README.md
.env.example
docker-compose.yml
Makefile

- How to install dependencies
- How to run tests
- How to run lint/typecheck
- How to start dev server
- Project architecture
- Deployment process
- Branch/PR conventions
- Safety rules

# Agent Instructions

## Setup
- Use pnpm install for Node dependencies.
- Use uv for Python tooling.
- Copy .env.example to .env.local; never print or commit secrets.

## Verification
- Run pnpm lint before commits.
- Run pnpm test for unit tests.
- Run pnpm build before deployment changes.

## Architecture
- frontend/ is Next.js.
- backend/ is FastAPI.
- db migrations live in backend/migrations/.

## Safety
- Do not run destructive database migrations without explicit approval.
- Do not commit .env files.

platforms:
  api_server:
    enabled: true
    extra:
      host: 127.0.0.1
      port: 8642

- Bind host intentionally
- Use API_SERVER_KEY or equivalent bearer auth
- Use reverse proxy with TLS
- Restrict firewall rules
- Use stable session keys for automation continuity
- Log requests and failures

You are my technical operations assistant. Prioritize reliability over cleverness. Verify assumptions with tools. Do not fabricate results. When configuring Hermes, use Hermes-native config and commands. Keep secrets out of memory, notes, logs, and replies. Use ~/.hermes/.env or profile-local .env files for credentials. Use config.yaml for behavior. Use skills for reusable procedures. Use memory only for compact durable facts. Use Obsidian for long-form human-readable operating docs. Search before creating notes. Never delete or destructively reorganize without approval. Use cron jobs for durable scheduled automation. Use script-only no-agent cron jobs for quiet mechanical watchdogs. Use inter_agent_message for profile-to-profile communication. Escalate infrastructure failures to the default technical lead profile with exact logs and what was tried. After making changes, verify with real commands and report actual output, not guesses.

Work methodically. Verify each change. If something is risky, ask before doing it. If something fails, show the exact error and try a safe alternative.

- Add an AGENTS.md file to each important repo.
- Include install, test, lint, build, dev server, deployment, and safety rules.
- Tell Hermes to verify commands instead of guessing.

Your agent can jump into a Next.js, React, Vue, Laravel, Rails, Django, FastAPI, Node, or monorepo project and know how to operate without asking the same setup questions every time.

- Install and authenticate GitHub CLI: gh auth login
- Store GITHUB_TOKEN in ~/.hermes/.env only if CLI auth is not enough.
- Add repo-specific PR conventions to AGENTS.md.

- Add a new API endpoint and tests.
- Fix a login redirect bug.
- Add a feature flag.
- Refactor a component while preserving behavior.
- Add a missing validation rule.

Hermes watches a failed GitHub Actions run, reads logs, fixes the issue, pushes a commit, and re-checks CI.

- TypeScript type errors
- ESLint failures
- broken tests
- missing env var examples
- build failures
- dependency/version mismatches

Hermes reproduces a bug with a failing test before fixing it.

- Form validation bug
- API response edge case
- auth/session bug
- date/timezone bug
- pagination bug
- race condition around async data fetching

Hermes builds UI components consistent with your project’s existing patterns.

- Pricing card component
- Dashboard metric tile
- Modal/dialog component
- User profile dropdown
- Search/filter toolbar
- Empty/error/loading states

- accessibility labels
- keyboard navigation
- responsive layout
- dark mode behavior
- loading/error states
- reusable props API

Hermes wires third-party APIs into a web app safely.

- Stripe checkout/subscriptions
- Resend/Postmark email
- Twilio SMS
- OpenAI/OpenRouter API
- Google Maps
- Airtable/Notion
- Slack/Discord webhooks

- Use typed request/response shapes.
- Centralize API client code.
- Add retry/backoff only where safe.
- Log useful metadata, not secrets.
- Add .env.example placeholders.

Hermes reviews DB migrations before they break production.

- Prisma migrations
- Drizzle migrations
- Alembic migrations
- Rails migrations
- Laravel migrations
- raw SQL migrations

- rollback plan
- zero-downtime plan
- index strategy
- backfill strategy
- staging verification

Hermes finds performance bottlenecks and proposes measurable fixes.

Audit this web app for performance. Check bundle size, large dependencies, image optimization, lazy loading, caching, server/client rendering boundaries, database/API waterfalls, and Core Web Vitals risks. Give prioritized fixes with expected impact and verification commands.

- Reduce Next.js bundle size
- Replace heavy client dependency
- Add image optimization
- Fix N+1 API/database calls
- Improve caching headers
- Split large routes/components

Hermes reviews web app changes for common security issues.

- auth flows
- payment endpoints
- admin dashboards
- file uploads
- webhook handlers
- API routes

Hermes builds robust webhook endpoints and tests them.

Build a robust webhook endpoint for <provider>. Verify signature validation, idempotency, replay protection where possible, event routing, safe logging, and tests using sample payloads. Add .env.example placeholders. Do not store real signing secrets in code or docs.

- Stripe webhooks
- GitHub webhooks
- Clerk/Auth0 webhooks
- Shopify webhooks
- Slack events

- signature verification
- idempotency key/event ID storage
- safe failure behavior
- retry awareness
- structured logs
- fixture payload tests

Hermes makes local setup easy for future you and teammates.

- .env.example
- docker-compose.yml
- Makefile
- scripts/dev-check.sh
- docs/local-development.md
- seed script
- health endpoint

Hermes turns project knowledge into useful docs.

Generate developer documentation for this project. Include architecture overview, request/data flow, important directories, environment variables, local setup, deployment, testing, troubleshooting, and known gotchas. Keep it accurate by reading the repo, not guessing.

- onboarding guide
- API docs
- deployment runbook
- incident/debugging runbook
- architecture diagram
- feature flag guide
- environment variable reference

Hermes prepares releases without forgetting steps.

- release notes
- changelog entry
- deployment checklist
- rollback plan
- risk summary

Hermes sends a morning summary of what matters for work.

- GitHub CLI/API
- Linear/Jira
- Slack/Discord summaries
- Sentry/Datadog alerts
- Google Calendar

Hermes maps an unfamiliar app quickly.

- starting a new job
- inheriting a legacy codebase
- onboarding contractors
- planning refactors

Hermes turns screenshots, Figma notes, or written requirements into UI code.

Give Hermes screenshots, current component paths, and the exact route/component where the UI belongs.

- outage triage
- high error rate
- slow endpoint
- failed deploy
- broken auth/payment flow

Hermes handles repetitive developer chores.

default / lead:
  technical lead, system health, escalation, architecture

dev:
  coding, PRs, tests, repo work

reviewer:
  code review, security review, CI failure analysis

notes:
  Obsidian/docs/runbooks

email-calendar:
  work email triage, calendar summaries, meeting prep

monitor:
  quiet cron watchdogs for CI, deploys, uptime, alerts

- what it owns
- what it must not touch
- when to escalate to default
- where credentials live
- where to document non-secret durable facts

1. Run hermes doctor.
2. Check hermes status --all.
3. Check gateway status.
4. Check cron status/list.
5. Check logs in ~/.hermes/logs/.
6. Verify .env exists and required keys are present without printing values.
7. Verify toolsets are enabled.
8. Restart gateway after config/tool changes.
9. Start a new session after tool/skill changes.
10. Search prior sessions before repeating old debugging.

hermes doctor
hermes status --all
hermes gateway status
hermes cron status
hermes cron list
hermes tools list
hermes config check
tail -100 ~/.hermes/logs/gateway.log
tail -100 ~/.hermes/logs/gateway.error.log

- Verified Hermes install and doctor output
- Enabled memory and user profile memory
- Enabled core technical toolsets
- Secrets in ~/.hermes/.env, never in notes
- Gateway installed as service
- Dashboard installed as separate service
- API server enabled locally if needed
- Daily update-check cron
- Quiet gateway/dashboard health-check crons
- Inter-agent escalation pattern if using profiles
- Obsidian vault integration with safe folder structure
- Dedicated email agent/profile if using email automation
- Repo-level AGENTS.md files for important codebases
- Documented troubleshooting checklist

“Show me the command you ran to verify it and the real output.”