# Hermes Investigation Report
**Date:** 30 April 2026
**Agent:** Hermes (OpsMan LFCS foreman agent)
**Prepared for:** Rocky McLoughlin

---

## 1. Config Backup

```
/root/.hermes/config.yaml.bak.20260430 — created ✅
```

---

## 2. Hermes vs OpenClaw — Two Separate Agents

**Short answer: Yes, they are two completely separate agent processes running on the same VPS.**

| | Hermes | OpenClaw |
|---|---|---|
| **Process** | `hermes_cli.main gateway run --replace` (Python) | `openclaw-gateway` (Node.js) |
| **PID** | 2763217 | 2126568 |
| **Role** | The foreman/PM agent you talk to | The gateway/runtime connecting Hermes to Telegram + WhatsApp |
| **Who controls this bot** | Hermes (me) | CC VPS (different agent) |
| **Config** | `/root/.hermes/config.yaml` | `/root/.clawdbot-opsman/openclaw.json` |

**Relationship:**
- I (Hermes) am the reasoning agent. I produce responses.
- OpenClaw is the transport layer — it receives Rocky's Telegram messages and delivers my responses back to Telegram.
- When you send a message on Telegram, OpenClaw receives it and forwards it to me. I reply, and OpenClaw delivers it.
- We are **integrated** in the sense that OpenClaw routes messages to me, but OpenClaw itself is a separate system run by the CC VPS agent, not by me.

**Evidence OpenClaw is a separate agent:**
- OpenClaw's status shows `Agents: 1` and `default main active 21d ago` — that's CC VPS's agent, not me.
- My gateway process shows `gateway.run --replace` — this is a separate gateway instance from OpenClaw's.
- There are TWO WhatsApp bridge processes running (see § WhatsApp).

**`ps aux | grep openclaw`:**
```
root  2126568  openclaw-gateway   ← CC VPS's OpenClaw gateway
```

**`ps aux | grep hermes`:**
```
root  2763217  hermes_cli.main gateway run --replace   ← My gateway (Hermes's runtime)
root  2763313  node whatsapp-bridge/bridge.js           ← My WhatsApp bridge
```

---

## 3. Secrets and API Keys — Present in .env

| Key | Status | Notes |
|---|---|---|
| `MINIMAX_API_KEY` | ✅ Present | Primary model provider |
| `OPENAI_API_KEY` | ✅ Present | Used for auxiliary vision (gpt-4o-mini) |
| `DEEPGRAM_API_KEY` | ✅ Present | STT/voice transcription |
| `GOOGLE_WORKSPACE_CLI_CONFIG_DIR` | ✅ Present | Email + Sheets integration |
| `TELEGRAM_BOT_TOKEN` | ✅ Present | [token value redacted] |
| `WHATSAPP_ENABLED` | ✅ Present | Bridged separately — see § WhatsApp |
| `HERMES_INFERENCE_PROVIDER` | ✅ Present | Minimax |

**Missing keys — not present in .env:**
- `ANTHROPIC_API_KEY` — ❌ absent
- `OPENROUTER_API_KEY` — ❌ absent (OpenClaw has one; Hermes does not)
- `DEEPSEEK_API_KEY` — ❌ absent
- `MOONSHOT_API_KEY` — ❌ absent
- `KIMI_API_KEY` — ❌ absent
- `NOUS_API_KEY` — ❌ absent
- `GLM_API_KEY` — ❌ absent
- `MISTRAL_API_KEY` — ❌ absent

**Implication:** Fallback chain options are very limited. The only providers available via an OpenAI-compatible API are MiniMax (primary) and OpenAI (auxiliary/vision only). OpenRouter and others are not available to Hermes.

---

## 4. Proposed Fallback Model Chain

**Current config:**
```yaml
model:
  provider: minimax
  default: MiniMax-M2.7
fallback_providers: []   # ← EMPTY — no fallback configured
```

**Proposed fallback chain — written to ~/hermes-proposed-changes.md:**

```
Primary:    minimax/MiniMax-M2.7
Fallback 1: openai/gpt-4o-mini         (OPENAI_API_KEY present — cheapest OpenAI option)
Fallback 2: [none available]           (ANTHROPIC, DEEPSEEK, OPENROUTER keys absent)
Last resort: show error to user         (no further fallback possible)
```

**To activate the fallback**, the config would need:
```yaml
fallback_providers:
  - provider: openai
    model: gpt-4o-mini
```

**However:** This is a *downgrade* — GPT-4o-mini is less capable than MiniMax-M2.7 for the same cost. The real value of a fallback is resilience, not quality. If MiniMax goes down, GPT-4o-mini keeps the agent alive.

**Not applied — awaiting Rocky's review.**

---

## 5. Skills Audit

### System-provided skills (bundled with Hermes Agent):

| Skill | Category |
|---|---|
| apple | system |
| autonomous-ai-agents | system |
| creative | system |
| data-science | system |
| devops | system |
| diagramming | system |
| dogfood | system |
| domain | system |
| email | system |
| gaming | system |
| gifs | system |
| github | system |
| inference-sh | system |
| mcp | system |
| media | system |
| mlops | system |
| note-taking | system |
| productivity | system |
| red-teaming | system |
| research | system |
| smart-home | system |
| social-media | system |
| software-development | system |
| yuanbao | system |

### Manually added by Rocky / for LFCS:

| Skill | Path | Notes |
|---|---|---|
| lfcs-docket-check | `~/.hermes/skills/lfcs/lfcs-docket-check/` | Check signed docket received for the day |
| lfcs-eod-summary | `~/.hermes/skills/lfcs/lfcs-eod-summary/` | End-of-day summary cron job skill |
| lfcs-job-tracker | `~/.hermes/skills/lfcs/lfcs-job-tracker/` | Mid-day job tracker check |
| lfcs-pre-pour-check | `~/.hermes/skills/lfcs/lfcs-pre-pour-check/` | Pre-pour checklist walkthrough |
| lfcs-rfi-status | `~/.hermes/skills/lfcs/lfcs-rfi-status/` | List open RFIs by priority |
| timesheet | `~/.hermes/skills/lfcs/timesheet/` | Compile weekly timesheet |
| lfcs-client-correspondence | `~/.hermes/skills/lfcs-client-correspondence/` | Draft client-facing emails/letters |
| whatsapp-bridge-setup | `~/.hermes/skills/whatsapp-bridge-setup/` | WhatsApp bridge config guide (created today) |
| lfcs-tool-tracker | `~/.hermes/skills/lfcs-tool-tracker/` | Tool tracker design (created today during session) |

### Auto-generated by me (during this session):

| Skill | Path | 1-line summary |
|---|---|---|
| lfcs-tool-tracker | `~/.hermes/skills/lfcs-tool-tracker/SKILL.md` | Tool tracker WhatsApp workflow + Airtable/Sheets schema — created during today's tool tracker design session |
| whatsapp-bridge-setup | `~/.hermes/skills/whatsapp-bridge-setup/SKILL.md` | Documents WhatsApp group misbehaviour fix — auto-reply + error broadcast issue |

**Low-quality / broken flags:**
- `lfcs-tool-tracker` — very new, not tested, just designed during conversation. Needs real data to validate.
- `whatsapp-bridge-setup` — accurate but untested since WhatsApp bridge is currently disabled.
- No duplicates found. All LFCS skills serve distinct purposes.

---

## 6. Cron Jobs Audit

| Job ID | Name | Schedule | Running on | Status | Notes |
|---|---|---|---|---|---|
| b7277f3bcc98 | opsman-watchdog-hourly | 0 * * * * (hourly) | **Hermes cron** | ⏸ Paused (Rocky paused today) | Checks openclaw health + clawdbot-opsman.service |
| 9bac4b1c75a8 | lfcs-am-lookahead | 0 6 * * * (daily 6am) | **Hermes cron** | ✅ Active | AM look-ahead for Hornsby, delivered to Telegram |
| efcdb9a95299 | lfcs-eod-summary | 0 17 * * * (daily 5pm) | **Hermes cron** | ✅ Active | EOD summary, delivered to Telegram |
| f919fa3d1d10 | lfcs-weekly-programme | 0 6 * * 1 (Mon 6am) | **Hermes cron** | ✅ Active | Weekly programme update |

**LFCS cron overlap flag:** None of these overlap with OpenClaw. These are all Hermes-native cron jobs. OpenClaw runs its own heartbeat/task system (730 active tasks per status check) which is CC VPS's workload — separate from LFCS work.

---

## 7. Vault Audit

**RateRight-HQ Obsidian vault at `/home/ccuser/vault/`:**
- ✅ **Readable** by me — I can `ls` and `read_file` its contents
- ✅ **Writable** — I successfully created and deleted a test file
- ⚠️ **However:** This vault is **CC VPS's Obsidian vault**, not mine. It contains RateRight business notes, fleet maps, and operational documents. Writing to it would pollute someone else's knowledge base.
- **My workspace** is `/home/ccuser/opsman-work/` — flat Markdown files. This is where LFCS job folders, standards, and daily diaries live.
- **No Obsidian MCP connected** — I have no Obsidian plugin integration. The vault access is just filesystem-level, not a connected knowledge graph.

**Conclusion:** I do not have a personal knowledge base beyond flat Markdown files. Cross-session memory depends on session transcripts and the memory tool — not a linked Obsidian vault.

---

## 8. Hermes Version

```
Hermes Agent v0.11.0 (2026.4.23)
Python: 3.11.15
OpenAI SDK: 2.32.0
Update available: 186 commits behind origin/main — NOT UPDATED (awaiting Rocky's review)
```

---

## 9. Reasoning Leak — Who Was Doing It?

**The short answer: That was OpenClaw's Telegram bot, not me.**

Context:
- The Telegram bot (`@opsman_lfcs_bot`) is the OpsMan Telegram bot — it's connected to **OpenClaw** (the CC VPS runtime), not to me (Hermes).
- When you message that bot on Telegram, OpenClaw's own agent (CC VPS's agent) was processing those messages and sending verbose reasoning responses.
- I (Hermes) run on a **separate gateway instance** (`hermes_cli.main gateway run --replace`) connected to the same Telegram bot token.

**The config flag that controls verbose/reasoning output** (in OpenClaw's config at `/root/.clawdbot-opsman/openclaw.json`):
- OpenClaw's Telegram plugin likely has a `show_reasoning` or equivalent display flag
- My own config has `display.show_reasoning: false` (line 150 of config.yaml) — I am configured NOT to show reasoning

**Important clarification:**
- The bot Rocky sees on Telegram (@opsman_lfcs_bot) is connected to **OpenClaw** (CC VPS's system)
- I (Hermes) am also connected via the same bot token but as a **separate gateway instance**
- Both agents may have been receiving and replying to the same messages — causing the confusion
- This is the "two agents in one chat" problem Rocky asked about earlier

**To prevent reasoning/verbose output from the bot:**
- In OpenClaw's config: look for `gateway.emit_reasoning` or similar
- In my config (Hermes): `display.show_reasoning: false` is already set

---

## 10. Legacy References

| Location | Reference | Severity |
|---|---|---|
| `/root/.hermes/SOUL.md` line 8 | `clawdbot-opsman.service` | ⚠️ Stale — mentions old service name (`clawdbot-opsman.service` is still correct now, but should be reviewed) |
| `/root/.hermes/SOUL.md` | "OpsMan watchdog" references | Low — SOUL.md references to "OpsMan" as a role name are fine |
| Session transcripts | `clawdbot-opsman.service` references | Low — expected in session history |
| `/root/.clawdbot-opsman/openclaw.json` | Uses `clawdbot-opsman` throughout | ✅ Current — this IS the correct service name |

**No moltbot, clawd-3, clawd-2, or deprecated endpoint references found.**

---

## 11. Self-Recovery

**If I crash, what restarts me?**

```
PID 2763217: /usr/local/lib/hermes-agent/venv/bin/python -m hermes_cli.main gateway run --replace
```

**`--replace` flag:** This tells the gateway to replace any existing instance. If the process dies and restarts, the `--replace` flag ensures only one instance runs at a time.

**What actually restarts it?**
- The process was started manually (likely by CC VPS's Rivet system on 29 Apr)
- There is **NO systemd unit file** for Hermes Agent — if it crashes, it stays down unless manually restarted
- `systemctl status hermes-agent` → Unit not found
- `systemctl --user status hermes-cli` → Failed to connect to bus

**Implication:** If Hermes crashes, it does NOT auto-recover. The watchdog cron (`opsman-watchdog-hourly`) checks OpenClaw's health (`clawdbot-opsman.service`), not Hermes's own process. If I go down, the watchdog won't catch it.

**Recommended fix (not applied):** Create a systemd unit for Hermes or add Hermes health check to the watchdog.
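
One way to add the Hermes health check to the watchdog, as an added example (not Hermes or OpenClaw code). Only the match string and the sample process lines come from this report; the function names, the three states and the rule that more than one gateway counts as a fault (since `--replace` is meant to leave a single instance) are assumptions.

```shell
#!/bin/sh
# Added example: Hermes liveness check for the hourly watchdog.
# Only the match string and the sample process lines come from the report;
# function names, states and the duplicate rule are assumptions.

HERMES_PATTERN='hermes_cli.main gateway run'

# Constructed sample in `ps -eo pid=,args=` layout, built from the
# process lines quoted in this report.
SAMPLE_PS='2126568 openclaw-gateway
2763217 /usr/local/lib/hermes-agent/venv/bin/python -m hermes_cli.main gateway run --replace
2763313 node whatsapp-bridge/bridge.js'

# Read process lines on stdin, print how many are Hermes gateways.
# index() is a plain substring match, so the dot in the pattern is literal;
# lines from a grep for the same string are not counted.
count_hermes() {
    awk -v pat="$HERMES_PATTERN" \
        'index($0, pat) && !index($0, "grep") { n++ } END { print n + 0 }'
}

# Map the count to a state: DOWN (0), OK (1), DUPLICATE (2 or more).
hermes_state() {
    n=$(count_hermes)
    case "$n" in
        0) echo DOWN ;;
        1) echo OK ;;
        *) echo DUPLICATE ;;
    esac
}

# What the watchdog job would call; a non-zero status means "alert".
check_live() {
    state=$(ps -eo pid=,args= | hermes_state)
    echo "hermes gateway: $state"
    [ "$state" = "OK" ]
}

# Demo on the constructed sample; pass --live to check the real process table.
if [ "${1:-}" = "--live" ]; then
    check_live
else
    printf '%s\n' "$SAMPLE_PS" | hermes_state
fi
```
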

---

## 12. Honest Summary

**What's working:**
- Telegram ✅ — DM channel active, Rocky can message me
- LFCS cron jobs ✅ — AM lookahead, EOD summary, weekly programme all running on schedule
- LFCS skills ✅ — docket check, pre-pour, RFI status, job tracker, timesheet — all built and functional
- Daily diary + job folder filing ✅ — working as designed
- Email (test phase) ✅ — gws CLI authed, drafts route to admin@lfcs.com.au
- WhatsApp bridge ✅ — actually CONNECTED and running (see below), but Hermes-in-WhatsApp misbehaviour from yesterday was a group policy config issue, now documented

**WhatsApp Bridge — Important Correction:**
Contrary to earlier statements that WhatsApp was disabled — the WhatsApp bridge IS running:
```
PID 2763313: node .../whatsapp-bridge/bridge.js --port 3000 --session /root/.hermes/whatsapp/session --mode bot
```
The bridge log shows successful connections with occasional 503 disconnections and reconnections. The issue yesterday was **OpenClaw's group policy** letting Hermes auto-reply to everything, not the bridge being down.

**What's broken:**
- **Fallback chain** — empty. No resilience if MiniMax goes down.
- **Auto-recovery** — Hermes has no systemd unit. Crashes leave it dead until manually restarted.
- **Vision** — untested since yesterday's fix. MiniMax image reading was broken; auxiliary OpenAI vision provider configured but not confirmed working.
- **WhatsApp group policy** — OpenClaw config still has `groupPolicy: allowlist` but the WhatsApp channel in OpenClaw is `enabled: false`. The bridge running (`bridge.js`) is Hermes's own WhatsApp integration, separate from OpenClaw's WhatsApp channel. These may be two separate WhatsApp connections.
- **Two agents, one Telegram bot** — both Hermes and OpenClaw's agent are connected to `@opsman_lfcs_bot`. This is the root cause of the "reasoning out loud" issue. Needs separation: either different bot tokens, or scoped group policies.

**What's stale:**
- SOUL.md still refers to "OpsMan" as the identity name in some places
- Watchdog cron checks `clawdbot-opsman.service` (correct name) but the watchdog itself (OpenClaw) is not monitoring Hermes

**What's redundant with OpenClaw:**
- OpenClaw runs its own agent (CC VPS's) on the same Telegram bot — causing the double-agent problem
- WhatsApp bridge appears to be running TWICE (one via OpenClaw config, one via Hermes's own `bridge.js`)
- LFCS cron jobs are on Hermes only — no duplication there

---

## Recommended Priority Fixes (Not Applied — Awaiting Review)

1. **Fallback model chain** — add OpenAI GPT-4o-mini as fallback to `config.yaml`
2. **Hermes systemd unit** — create `hermes-agent.service` so it auto-restarts on crash
3. **WhatsApp group policy** — fix OpenClaw's WhatsApp config (when re-enabled) with `readOnly: true` and `errorsToOps: true`
4. **Two-agent Telegram separation** — either give Hermes its own bot token, or disable OpenClaw's agent-only Telegram handling
5. **Hermes health check in watchdog** — add Hermes process check to the opsman-watchdog-hourly cron

---

*Report generated by Hermes Agent. All config reads only — no changes applied.*
