From 4a0b8425f75e124dd858d58026c1499707ed81c7 Mon Sep 17 00:00:00 2001
From: Lior
Date: Wed, 27 May 2026 13:53:15 -0400
Subject: [PATCH 1/3] feat(install): add hermes-agent to brew manifest (operator 2026-05-27 'Max recently decided to add this dependency')
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Operator confirmed: external vendor-agnostic AI agent harness from NousResearch (https://github.com/nousresearch/hermes-agent ; https://hermes-agent.nousresearch.com/). Not to be confused with the Lucent-internal Hermes K8s agent runtime at full-ai-cluster/k8s/applications/hermes/ (separate substrate; same naming collision).

Package details:
- Formula: hermes-agent (Homebrew/homebrew-core)
- Stable: 2026.5.16 (bottled binary)
- License: MIT
- Dependencies: certifi, cryptography, libyaml, pydantic, python@3.14 (all auto-resolved by brew)

Per tools/setup/install.sh discipline: "Safe to run repeatedly — detect-first-install-else-update. Safe to run daily to keep tools fresh." Adding to manifest means next install.sh run ensures hermes-agent is installed and up-to-date on every dev machine + CI runner + devcontainer image per GOVERNANCE.md §24 three-way parity.

Composes with operator's machine configuration (passwordless sudo for routine operations + Touch ID for dd) — brew install of hermes-agent runs zero-friction on operator's Mac per the framework substrate-engineering principle applied at OS scope (frictionless for routine; human-in-loop for irreversible).

Operator authorization: "if you want to fix / investigate the issues Prism called out first before we test again is fine" + confirmed URLs after grep+brew-search disambiguation.
---
 tools/setup/manifests/brew | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tools/setup/manifests/brew b/tools/setup/manifests/brew
index 189dc9e860..a28f714b99 100644
--- a/tools/setup/manifests/brew
+++ b/tools/setup/manifests/brew
@@ -13,3 +13,14 @@ p7zip # cascade #4 ISO content audit (7z list); also useful # for maintainers doing any iso/zip inspection locally # (`7z l ...`). Idempotent: brew install skips if present. + +# AI agent harness (operator 2026-05-27 — Max-decided dependency; +# external vendor-agnostic tool from NousResearch, not the +# Lucent-internal Hermes K8s agent runtime at +# `full-ai-cluster/k8s/applications/hermes/`): +hermes-agent # "Self-improving AI agent that creates skills from + # experience" (https://hermes-agent.nousresearch.com). + # Vendor-agnostic AI harness; MIT license; bottled + # binary via homebrew-core. Deps: certifi, cryptography, + # libyaml, pydantic, python@3.14 — all auto-resolved + # by brew. Idempotent: brew install skips if present. From 1cae33a336ad626a3214a8488e4542f094d3c98d Mon Sep 17 00:00:00 2001 
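Review bot: the `hermes-agent` entry is unpinned, so this line installs whatever homebrew-core currently ships rather than the `2026.5.16` stable named in the commit message, and under the install.sh discipline the same message quotes ('detect-first-install-else-update', 'safe to run daily') every run on every dev machine, CI runner and devcontainer will pull the next upstream release unattended. For an agent harness that executes on a machine configured with passwordless sudo, that is a supply-chain decision worth making explicitly in the comment (either that upgrades following upstream are intended, or that the formula is held with `brew pin hermes-agent` after install and bumped deliberately). Two smaller points in the same hunk: the hard-coded `Deps: certifi, cryptography, libyaml, pydantic, python@3.14` list will drift from the formula, and `brew info hermes-agent` is the authoritative source; and `Idempotent: brew install skips if present` contradicts the update-on-rerun behaviour the commit message itself describes.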
From: Lior
Date: Wed, 27 May 2026 13:55:20 -0400
Subject: [PATCH 2/3] chore(full-ai-cluster): remove miscategorized Hermes K8s substrate (operator 2026-05-27 'we can remove the hermes k8s stuff that was just miscategorization')
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Operator authorization to remove the K8s Hermes substrate that was miscategorized. The Application.yaml literally had "TODO: AMBIGUOUS COMPONENT" header noting confusion between Cosmos Hermes IBC relayer + Comma.ai Hermes + Lucent-internal custom AI agent — none of which matched the actually-needed external NousResearch hermes-agent (added to brew manifest in this PR).

Removed:
- full-ai-cluster/k8s/applications/hermes/Application.yaml
- full-ai-cluster/k8s/applications/hermes/deployment.yaml

Updated cross-references to preserve substrate-honest discipline:
- full-ai-cluster/dev-cluster/SYNC-WAVES.md: removed Wave 20 hermes line + generalized "Apps with secret dependencies late" prose from Hermes-specific to "agent-runtime workloads" generic framing
- full-ai-cluster/k8s/applications/hindsight/Application.yaml: removed Hermes-pairing prose; generalized to "any in-cluster agent runtime that needs memory persistence" + "consumer-agent's LLM choice" (preserves Hindsight's role without specifying Hermes K8s)

Composes with hermes-agent brew manifest addition in this same PR: the actually-needed Hermes substrate is the external NousResearch hermes-agent (now in brew manifest); the K8s Hermes was a different component that was miscategorized + named-collision-prone.

Per the framework's retraction-native discipline: removal is substrate-honest cleanup; substrate-archaeology preserves the removed state in git history; no harm to ancestor commits or downstream consumers since the K8s Hermes was placeholder image ("zeta-hermes:placeholder") + never functional.
--- full-ai-cluster/dev-cluster/SYNC-WAVES.md | 9 +-- .../k8s/applications/hermes/Application.yaml | 39 --------- .../k8s/applications/hermes/deployment.yaml | 80 ------------------- .../applications/hindsight/Application.yaml | 14 ++-- 4 files changed, 12 insertions(+), 130 deletions(-) delete mode 100644 full-ai-cluster/k8s/applications/hermes/Application.yaml delete mode 100644 full-ai-cluster/k8s/applications/hermes/deployment.yaml diff --git a/full-ai-cluster/dev-cluster/SYNC-WAVES.md b/full-ai-cluster/dev-cluster/SYNC-WAVES.md index ea087c7791..0c93df33c7 100644 --- a/full-ai-cluster/dev-cluster/SYNC-WAVES.md +++ b/full-ai-cluster/dev-cluster/SYNC-WAVES.md @@ -38,7 +38,6 @@ ArgoCD App-of-Apps (after ArgoCD is up): Wave 10 hindsight needs PostgreSQL (bundled) + Vault secret for LLM key Wave 10 orleans needs CockroachDB + NATS up Wave 10 temporal needs CockroachDB up - Wave 20 hermes needs Vault secret for LLM key + Hindsight + OZ + Orleans Wave 30 gitlab / forgejo source-of-truth services; come up last so all dependent observability + storage is ready Wave 50 ollama / vllm / deepseek-coder / qwen-coder GPU model servers; manual-sync-only 
@@ -61,10 +60,10 @@ ArgoCD App-of-Apps (after ArgoCD is up): exist when the workload reconciles. - **Data planes before consumers**: CockroachDB / NATS / Redis / Weaviate / PostgreSQL must be Ready before apps that connect. -- **Apps with secret dependencies late**: Hermes pulls the LLM API - key from Vault via ESO. ESO must have synced the secret to a - k8s Secret object before Hermes pods start. Sync wave gives ESO - a head start. +- **Apps with secret dependencies late**: agent-runtime workloads + pull LLM API keys from Vault via ESO. ESO must have synced the + secret to a k8s Secret object before pods start. Sync wave gives + ESO a head start. - **Source-of-truth services last**: GitLab + Forgejo (mutually exclusive, only one default-on) should come up after everything observability / storage / runtime is ready, so first-boot diff --git a/full-ai-cluster/k8s/applications/hermes/Application.yaml b/full-ai-cluster/k8s/applications/hermes/Application.yaml deleted file mode 100644 index b5f12e7517..0000000000 --- a/full-ai-cluster/k8s/applications/hermes/Application.yaml +++ /dev/null 
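Review bot: after this rewrite the 'Apps with secret dependencies late' bullet describes a workload class that no longer appears in the wave table above it. The `Wave 20 hermes` row was the only entry that pulled an LLM key via ESO late, and the remaining consumer of a Vault LLM secret is `hindsight` at Wave 10, which the Wave 10 row already covers. Either name Hindsight here, or state that the bullet reserves a slot for future in-cluster agent runtimes and which wave they should take; as written, 'agent-runtime workloads pull LLM API keys from Vault via ESO' documents nothing that is deployed, and the next person adding such a workload has to recover the intended ordering from git history.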
@@ -1,39 +0,0 @@ -# Hermes — TODO: AMBIGUOUS COMPONENT. -# -# Possibilities: -# - Cosmos Hermes IBC relayer (https://github.com/informalsystems/hermes) -# - Comma.ai Hermes -# - Hermes message broker (multiple projects with this name) -# - An Aaron-specific Hermes (AI agent, terminal-tooling, etc.) -# -# Per spec: "integrated with OZ" + "SOPS into Hermes Docker image" + -# "Hermes access to Ollama or vLLM" — these hint at an AI-agent -# Hermes that talks to OZ + needs Ollama/vLLM access + has secrets -# baked at image-build via SOPS. -# -# This Application points at local manifests so you can drop the -# real image + supporting config without changing the Application -# itself. - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "20" - name: hermes - namespace: argocd - finalizers: [ resources-finalizer.argocd.argoproj.io ] -spec: - project: default - source: - repoURL: https://github.com/Lucent-Financial-Group/Zeta - targetRevision: main - path: full-ai-cluster/k8s/applications/hermes - directory: - include: '{namespace,deployment,service,rbac}.yaml' - destination: - server: https://kubernetes.default.svc - namespace: hermes - syncPolicy: - automated: { prune: true, selfHeal: true } - syncOptions: [ CreateNamespace=true, ServerSideApply=true ] diff --git a/full-ai-cluster/k8s/applications/hermes/deployment.yaml b/full-ai-cluster/k8s/applications/hermes/deployment.yaml deleted file mode 100644 index 41f995723e..0000000000 --- a/full-ai-cluster/k8s/applications/hermes/deployment.yaml +++ /dev/null 
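Review bot: removing this Application from the app-of-apps path has a cluster-side effect the commit message does not mention. The manifest carries `finalizers: [ resources-finalizer.argocd.argoproj.io ]`, so if the parent App-of-Apps prunes, ArgoCD cascade-deletes the `hermes` Application and, with it, the `hermes` namespace and everything inside it; if the parent does not prune, the Application is left in the cluster pointing at `path: full-ai-cluster/k8s/applications/hermes`, which no longer exists, and stays in an error state until someone deletes it by hand. Worth confirming in the PR which of the two happens on the dev cluster and that nothing other than the placeholder deployment was ever created in the `hermes` namespace.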
@@ -1,80 +0,0 @@ -# Hermes — custom AI agent oriented at CLOUD LLM endpoints. -# -# The image at `ghcr.io/lucent-financial-group/zeta-hermes` is built -# via the Docker module (NixFlake) on a maintainer host. SOPS-decrypted -# CLOUD API KEYS are baked into the image at build time so the running -# container doesn't need access to the SOPS keys. -# -# Build pipeline: -# 1. sops -d encrypted/cloud-keys.env > secrets/cloud-keys.env -# 2. docker buildx build --secret id=hermes-secrets,src=secrets/ ... -# 3. docker push ghcr.io/lucent-financial-group/zeta-hermes:vN.N.N -# 4. Bump `image:` below + commit + push -# -# Hermes' connections (cloud-only for now; local models deferred): -# - OpenZiti (OZ) for zero-trust transport: -# ziti-controller.openziti.svc.cluster.local:443 -# - Cloud LLM APIs via baked-in keys: -# Anthropic Claude -# OpenAI -# (add more as the SOPS file grows) -# - Hindsight (memory plugin) — once its Application lands, point at -# hindsight.hindsight.svc.cluster.local -# -# Local LLM serving (Ollama/vLLM) endpoints are kept in commented-out -# form below for when local models come back online. 
- -apiVersion: v1 -kind: Namespace -metadata: - name: hermes ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hermes - namespace: hermes ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: hermes - namespace: hermes -spec: - replicas: 0 # set >=1 once a real image exists - selector: - matchLabels: { app.kubernetes.io/name: hermes } - template: - metadata: - labels: { app.kubernetes.io/name: hermes } - spec: - serviceAccountName: hermes - containers: - - name: hermes - image: ghcr.io/lucent-financial-group/zeta-hermes:placeholder - env: - # OpenZiti transport - - { name: OZ_CONTROLLER_URL, - value: "https://ziti-controller.openziti.svc.cluster.local:443" } - # Cloud LLM providers — API keys baked in at image build via SOPS - - { name: LLM_PROVIDER, value: "anthropic" } # or "openai" / "bedrock" - # Hindsight memory backend (Application lands separately) - - { name: HINDSIGHT_URL, - value: "http://hindsight.hindsight.svc.cluster.local" } - # Local LLM endpoints — kept commented for when local models are re-enabled: - # - { name: OLLAMA_ENDPOINT, value: "http://ollama.ollama.svc.cluster.local:11434" } - # - { name: VLLM_ENDPOINT, value: "http://vllm.vllm.svc.cluster.local:8000" } - resources: - requests: { cpu: "200m", memory: "256Mi" } - limits: { cpu: "1", memory: "1Gi" } ---- -apiVersion: v1 -kind: Service -metadata: - name: hermes - namespace: hermes -spec: - type: ClusterIP - selector: { app.kubernetes.io/name: hermes } - ports: - - { name: http, port: 80, targetPort: 8080 } diff --git a/full-ai-cluster/k8s/applications/hindsight/Application.yaml b/full-ai-cluster/k8s/applications/hindsight/Application.yaml index f27463466b..aef9e40053 100644 --- a/full-ai-cluster/k8s/applications/hindsight/Application.yaml +++ b/full-ai-cluster/k8s/applications/hindsight/Application.yaml 
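Review bot: the removed header documents a pipeline in which SOPS-decrypted cloud API keys are written to plaintext (`sops -d encrypted/cloud-keys.env > secrets/cloud-keys.env`) and, in the comment's own words, 'baked into the image at build time' before a push to `ghcr.io/lucent-financial-group/zeta-hermes:vN.N.N`. Deleting the manifest undoes none of that. Before the 'no harm' claim in the commit message can stand, it should be confirmed and recorded that no `zeta-hermes` tag other than `:placeholder` was ever pushed to that registry (an image with keys baked in is a credential leak to anyone who can pull it), that no `secrets/cloud-keys.env` plaintext is lingering on a maintainer host, and that the Anthropic and OpenAI keys named in the header have been rotated if either cannot be ruled out. `replicas: 0` and the placeholder image tag support 'never functional' for the cluster side, but say nothing about what was built on maintainer hosts. Separately, the header misdescribes `docker buildx build --secret`, which mounts a secret for a build step without persisting it in a layer; whichever mechanism actually baked the keys in is the one to audit.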
@@ -1,9 +1,10 @@ -# Hindsight (vectorize-io) — agent persistent memory system for Hermes. +# Hindsight (vectorize-io) — agent persistent memory system for any +# in-cluster agent runtime that needs memory persistence. # Real chart wired: OCI Helm chart at ghcr.io/vectorize-io/charts/hindsight. # -# Pairs with hermes/Application.yaml — Hermes' deployment.yaml -# sets `HINDSIGHT_URL=http://hindsight.hindsight.svc.cluster.local` -# which matches this Application's namespace + chart-default service name. +# Consumer agents reach Hindsight via: +# HINDSIGHT_URL=http://hindsight.hindsight.svc.cluster.local +# (matches this Application's namespace + chart-default service name). apiVersion: argoproj.io/v1alpha1 kind: Application @@ -35,8 +36,9 @@ spec: api: # LLM provider Hindsight uses for its own entity/relation - # extraction (separate from Hermes' LLM choice). Sourced - # from a Vault-backed ExternalSecret rather than hardcoded. + # extraction (separate from consumer-agent's LLM choice). + # Sourced from a Vault-backed ExternalSecret rather than + # hardcoded. llm: provider: groq # change per maintainer preference existingSecret:
From b324ec6b3532a0b2c01cb7c04a3de35e6f08da6b Mon Sep 17 00:00:00 2001
From: Lior
Date: Wed, 27 May 2026 13:57:38 -0400
Subject: [PATCH 3/3] docs(install): fix 2 Copilot threads on PR #5547 — anonymize 'Max-decided' to 'maintainer-decided' per name-attribution convention + remove hard-coded transitive-dep list (likely to drift; brew info is authoritative)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 tools/setup/manifests/brew | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/tools/setup/manifests/brew b/tools/setup/manifests/brew
index a28f714b99..c8410b4495 100644
--- a/tools/setup/manifests/brew
+++ b/tools/setup/manifests/brew
@@ -14,13 +14,12 @@ p7zip # cascade #4 ISO content audit (7z list); also useful # for maintainers doing any iso/zip inspection locally # (`7z l ...`). Idempotent: brew install skips if present. -# AI agent harness (operator 2026-05-27 — Max-decided dependency; -# external vendor-agnostic tool from NousResearch, not the -# Lucent-internal Hermes K8s agent runtime at -# `full-ai-cluster/k8s/applications/hermes/`): +# AI agent harness (operator 2026-05-27 — maintainer-decided +# dependency; external vendor-agnostic tool from NousResearch): hermes-agent # "Self-improving AI agent that creates skills from # experience" (https://hermes-agent.nousresearch.com). # Vendor-agnostic AI harness; MIT license; bottled - # binary via homebrew-core. Deps: certifi, cryptography, - # libyaml, pydantic, python@3.14 — all auto-resolved - # by brew. Idempotent: brew install skips if present. + # binary via homebrew-core. Transitive deps auto- + # resolved by brew (see `brew info hermes-agent` for + # current list). Idempotent: brew install skips if + # present.
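Review bot: the rewritten trailer still ends with `Idempotent: brew install skips if present`, which describes `brew install` on its own but not what this manifest triggers: patch 1 quotes the install.sh discipline as 'detect-first-install-else-update', so an entry here is upgraded on every run, not skipped. Since this hunk is already correcting the comment for accuracy, make that last line say what actually happens (installed if absent, otherwise upgraded to the current homebrew-core bottle) so a reader of the manifest understands that the version of this agent harness on every machine follows upstream. The anonymisation and the switch to `brew info hermes-agent` for the dependency list are the right fixes.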