diff --git a/full-ai-cluster/dev-cluster/SYNC-WAVES.md b/full-ai-cluster/dev-cluster/SYNC-WAVES.md index ea087c7791..0c93df33c7 100644 --- a/full-ai-cluster/dev-cluster/SYNC-WAVES.md +++ b/full-ai-cluster/dev-cluster/SYNC-WAVES.md @@ -38,7 +38,6 @@ ArgoCD App-of-Apps (after ArgoCD is up): Wave 10 hindsight needs PostgreSQL (bundled) + Vault secret for LLM key Wave 10 orleans needs CockroachDB + NATS up Wave 10 temporal needs CockroachDB up - Wave 20 hermes needs Vault secret for LLM key + Hindsight + OZ + Orleans Wave 30 gitlab / forgejo source-of-truth services; come up last so all dependent observability + storage is ready Wave 50 ollama / vllm / deepseek-coder / qwen-coder GPU model servers; manual-sync-only @@ -61,10 +60,10 @@ ArgoCD App-of-Apps (after ArgoCD is up): exist when the workload reconciles. - **Data planes before consumers**: CockroachDB / NATS / Redis / Weaviate / PostgreSQL must be Ready before apps that connect. -- **Apps with secret dependencies late**: Hermes pulls the LLM API - key from Vault via ESO. ESO must have synced the secret to a - k8s Secret object before Hermes pods start. Sync wave gives ESO - a head start. +- **Apps with secret dependencies late**: agent-runtime workloads + pull LLM API keys from Vault via ESO. ESO must have synced the + secret to a k8s Secret object before pods start. Sync wave gives + ESO a head start. - **Source-of-truth services last**: GitLab + Forgejo (mutually exclusive, only one default-on) should come up after everything observability / storage / runtime is ready, so first-boot diff --git a/full-ai-cluster/k8s/applications/hermes/Application.yaml b/full-ai-cluster/k8s/applications/hermes/Application.yaml deleted file mode 100644 index b5f12e7517..0000000000 --- a/full-ai-cluster/k8s/applications/hermes/Application.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Hermes — TODO: AMBIGUOUS COMPONENT. -# -# Possibilities: -# - Cosmos Hermes IBC relayer (https://github.com/informalsystems/hermes) -# - Comma.ai Hermes -# - Hermes message broker (multiple projects with this name) -# - An Aaron-specific Hermes (AI agent, terminal-tooling, etc.) -# -# Per spec: "integrated with OZ" + "SOPS into Hermes Docker image" + -# "Hermes access to Ollama or vLLM" — these hint at an AI-agent -# Hermes that talks to OZ + needs Ollama/vLLM access + has secrets -# baked at image-build via SOPS. -# -# This Application points at local manifests so you can drop the -# real image + supporting config without changing the Application -# itself. - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "20" - name: hermes - namespace: argocd - finalizers: [ resources-finalizer.argocd.argoproj.io ] -spec: - project: default - source: - repoURL: https://github.com/Lucent-Financial-Group/Zeta - targetRevision: main - path: full-ai-cluster/k8s/applications/hermes - directory: - include: '{namespace,deployment,service,rbac}.yaml' - destination: - server: https://kubernetes.default.svc - namespace: hermes - syncPolicy: - automated: { prune: true, selfHeal: true } - syncOptions: [ CreateNamespace=true, ServerSideApply=true ] diff --git a/full-ai-cluster/k8s/applications/hermes/deployment.yaml b/full-ai-cluster/k8s/applications/hermes/deployment.yaml deleted file mode 100644 index 41f995723e..0000000000 --- a/full-ai-cluster/k8s/applications/hermes/deployment.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -# Hermes — custom AI agent oriented at CLOUD LLM endpoints. -# -# The image at `ghcr.io/lucent-financial-group/zeta-hermes` is built -# via the Docker module (NixFlake) on a maintainer host. SOPS-decrypted -# CLOUD API KEYS are baked into the image at build time so the running -# container doesn't need access to the SOPS keys. -# -# Build pipeline: -# 1. sops -d encrypted/cloud-keys.env > secrets/cloud-keys.env -# 2. docker buildx build --secret id=hermes-secrets,src=secrets/ ... -# 3. docker push ghcr.io/lucent-financial-group/zeta-hermes:vN.N.N -# 4. Bump `image:` below + commit + push -# -# Hermes' connections (cloud-only for now; local models deferred): -# - OpenZiti (OZ) for zero-trust transport: -# ziti-controller.openziti.svc.cluster.local:443 -# - Cloud LLM APIs via baked-in keys: -# Anthropic Claude -# OpenAI -# (add more as the SOPS file grows) -# - Hindsight (memory plugin) — once its Application lands, point at -# hindsight.hindsight.svc.cluster.local -# -# Local LLM serving (Ollama/vLLM) endpoints are kept in commented-out -# form below for when local models come back online. 
- -apiVersion: v1 -kind: Namespace -metadata: - name: hermes ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hermes - namespace: hermes ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: hermes - namespace: hermes -spec: - replicas: 0 # set >=1 once a real image exists - selector: - matchLabels: { app.kubernetes.io/name: hermes } - template: - metadata: - labels: { app.kubernetes.io/name: hermes } - spec: - serviceAccountName: hermes - containers: - - name: hermes - image: ghcr.io/lucent-financial-group/zeta-hermes:placeholder - env: - # OpenZiti transport - - { name: OZ_CONTROLLER_URL, - value: "https://ziti-controller.openziti.svc.cluster.local:443" } - # Cloud LLM providers — API keys baked in at image build via SOPS - - { name: LLM_PROVIDER, value: "anthropic" } # or "openai" / "bedrock" - # Hindsight memory backend (Application lands separately) - - { name: HINDSIGHT_URL, - value: "http://hindsight.hindsight.svc.cluster.local" } - # Local LLM endpoints — kept commented for when local models are re-enabled: - # - { name: OLLAMA_ENDPOINT, value: "http://ollama.ollama.svc.cluster.local:11434" } - # - { name: VLLM_ENDPOINT, value: "http://vllm.vllm.svc.cluster.local:8000" } - resources: - requests: { cpu: "200m", memory: "256Mi" } - limits: { cpu: "1", memory: "1Gi" } ---- -apiVersion: v1 -kind: Service -metadata: - name: hermes - namespace: hermes -spec: - type: ClusterIP - selector: { app.kubernetes.io/name: hermes } - ports: - - { name: http, port: 80, targetPort: 8080 } diff --git a/full-ai-cluster/k8s/applications/hindsight/Application.yaml b/full-ai-cluster/k8s/applications/hindsight/Application.yaml index f27463466b..aef9e40053 100644 --- a/full-ai-cluster/k8s/applications/hindsight/Application.yaml +++ b/full-ai-cluster/k8s/applications/hindsight/Application.yaml 
@@ -1,9 +1,10 @@ -# Hindsight (vectorize-io) — agent persistent memory system for Hermes. +# Hindsight (vectorize-io) — agent persistent memory system for any +# in-cluster agent runtime that needs memory persistence. # Real chart wired: OCI Helm chart at ghcr.io/vectorize-io/charts/hindsight. # -# Pairs with hermes/Application.yaml — Hermes' deployment.yaml -# sets `HINDSIGHT_URL=http://hindsight.hindsight.svc.cluster.local` -# which matches this Application's namespace + chart-default service name. +# Consumer agents reach Hindsight via: +# HINDSIGHT_URL=http://hindsight.hindsight.svc.cluster.local +# (matches this Application's namespace + chart-default service name). apiVersion: argoproj.io/v1alpha1 kind: Application @@ -35,8 +36,9 @@ spec: api: # LLM provider Hindsight uses for its own entity/relation - # extraction (separate from Hermes' LLM choice). Sourced - # from a Vault-backed ExternalSecret rather than hardcoded. + # extraction (separate from consumer-agent's LLM choice). + # Sourced from a Vault-backed ExternalSecret rather than + # hardcoded. llm: provider: groq # change per maintainer preference existingSecret: diff --git a/tools/setup/manifests/brew b/tools/setup/manifests/brew index 189dc9e860..c8410b4495 100644 --- a/tools/setup/manifests/brew +++ b/tools/setup/manifests/brew @@ -13,3 +13,13 @@ p7zip # cascade #4 ISO content audit (7z list); also useful # for maintainers doing any iso/zip inspection locally # (`7z l ...`). Idempotent: brew install skips if present. + +# AI agent harness (operator 2026-05-27 — maintainer-decided +# dependency; external vendor-agnostic tool from NousResearch): +hermes-agent # "Self-improving AI agent that creates skills from + # experience" (https://hermes-agent.nousresearch.com). + # Vendor-agnostic AI harness; MIT license; bottled + # binary via homebrew-core. Transitive deps auto- + # resolved by brew (see `brew info hermes-agent` for + # current list). Idempotent: brew install skips if + # present.
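Review bot: The rewritten header in the first hunk now says Hindsight serves "any in-cluster agent runtime", but the only agent this commit leaves in the tree is the `hermes-agent` formula added to the brew manifest, which runs on a maintainer host and cannot resolve `hindsight.hindsight.svc.cluster.local` as written. If the host-installed agent is meant to use Hindsight, the comment should state how it reaches the service (the deleted hermes deployment routed through OpenZiti; whether anything equivalent still applies is not visible in this diff), and if it is not, say so, since the quoted plain-HTTP URL should stay cluster-internal. Suggested wording for the new block: `# In-cluster consumer agents reach Hindsight via:` followed by `# (the brew-installed hermes-agent on a maintainer host is not covered here; this plain-HTTP service is not meant to be reachable from outside the cluster)`.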
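Review bot: The new `hermes-agent` entry in the brew hunk is unpinned, and its provenance ("bottled binary via homebrew-core", MIT) is asserted only in the comment, so nothing in the manifest lets a maintainer confirm they installed what this commit intended or notice when upstream changes what `brew install` resolves to. Because this entry replaces the deleted in-cluster deployment whose header documented its credential handling (cloud LLM keys SOPS-decrypted and baked at image build), the comment should also say where the host-installed agent's LLM API keys are expected to come from, or that this manifest provisions none. Consider appending to the new comment block: `# Not version-pinned; confirm formula source and bottle checksum with brew info hermes-agent before first use. LLM API keys are NOT provisioned by this manifest (see <TODO: credential-handling doc>).`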