Putting It Together: A Real Hermes Workflow
- Describe the three Hermes entry points (CLI, Gateway, ACP) and how they all feed into one AIAgent orchestration engine
- Explain the three core data flow patterns: CLI, Gateway, and Cron
- Complete a real capstone build combining fallback providers, messaging, skills, scheduled jobs, checkpoints, and log review
- Re-verify a real setup against the Lesson 15 security checklist rather than treating it as a one-time read
- Identify hermes doctor, hermes logs, and the official documentation as the ongoing tools for troubleshooting beyond what any single lesson covers
Two Tracks, One System
Hermes Agent Fundamentals gave you a personalized, working agent. This track added autonomy and reach: scheduling, messaging platforms, tools, skills, code execution, checkpoints, MCP, the API server, delegation, voice, browser control, image generation, multi-agent coordination, reliability, extensibility, and production security. Sixteen lessons in, it is worth seeing how the pieces actually fit together as one system, not sixteen separate features.
The Architecture, Briefly
Underneath everything you have used, there are three entry points: the CLI (cli.py), the Gateway (gateway/run.py), and the ACP adapter for IDE integration. All three feed into one unified orchestration engine -- the AIAgent class in run_agent.py -- which is the synchronous center handling prompt construction, provider selection, tool dispatch, and conversation persistence, regardless of which entry point triggered it.
A few subsystems worth knowing the shape of:
- The prompt system assembles a tiered system prompt -- stable identity (SOUL.md) first, then contextual elements (AGENTS.md, memory), then volatile elements -- applies Anthropic-specific caching where available, and compresses context as needed.
- The tool registry (
tools/registry.py) holds 70-plus registered tools across roughly 28 toolsets, each self-registering at import time -- this is the same registry that MCP tools and plugin-registered tools join. - Session storage is a SQLite database with full-text search (FTS5), tracking conversation lineage and keeping each platform's sessions properly isolated from each other.
- Provider resolution maps a provider/model pair to the right API credentials and endpoint, across 18-plus supported providers.
Three data flow patterns cover almost everything you have done across both tracks: CLI (your input → prompt assembly → API call → tool execution loop → response shown to you → saved to the database), Gateway (a platform event arrives → authorization checked → session restored → agent runs → response delivered back to the platform), and Cron (the scheduler fires → the job executes with whatever skill was attached → output is delivered). Every feature in this track is really a variation on one of these three flows.
The Capstone Build
Work through this in order, on a real setup -- not a throwaway test. Each step uses something specific from this track.
1. Configure a fallback provider. From Lesson 13: set up at least one fallback so a single provider outage does not take your agent down entirely.
hermes fallback
2. Set up one real messaging channel. From Lesson 5: connect whichever platform you actually use day to day.
hermes gateway setup
Confirm your allowlist is explicit, not GATEWAY_ALLOW_ALL_USERS=true, per Lesson 15.
3. Add a memory-aware skill. From Lesson 4: write or install a skill for something you do repeatedly -- a status check, a report format, a recurring research task.
4. Schedule a cron job that uses that skill. From Lesson 1, combined with step 3:
hermes cron create "0 9 * * *" "Run the morning check" --skill your-skill-name
5. Enable checkpoints. From Lesson 3, as a safety net for whatever file work this job or your agent more broadly might do:
checkpoints:
enabled: true
6. Run it, then review the logs. From earlier diagnostic commands:
hermes logs gateway -f
hermes logs agent --since 1h
Confirm the job actually ran, delivered output to the right place, and did not trip anything in the approval or security systems unexpectedly.
7. Set a deny-by-default allowlist, deliberately, not by accident. Re-check Lesson 15's checklist against your actual setup: explicit allowlist, .env permissions, non-root execution if this is running anywhere beyond your personal machine.
What "Done" Looks Like
At the end of this build, you have an agent that: survives a provider outage without manual intervention, is reachable from a real messaging platform with an explicit allowlist rather than open access, runs a real recurring task using a skill rather than improvising the same procedure differently each time, has a rollback safety net for file changes, and that you can audit through logs rather than having to trust blindly. That is meaningfully different from where Hermes Agent Fundamentals left off -- not because any single feature here is complicated on its own, but because together they describe an agent that can be trusted to act without you watching every moment.
Where to Go From Here
Both tracks together cover the documented Hermes feature set as it exists today -- but Hermes is actively developed, and the documentation it was built from will keep growing. The two habits worth carrying forward: hermes doctor and hermes logs as your first move whenever something looks wrong, and the official documentation at hermes-agent.nousresearch.com/docs as the source of truth when something in your version behaves differently than what these lessons describe. Software changes; the discipline of checking primary sources before assuming does not.
- Every feature across both tracks reduces to one of three data flows: CLI (input to API to tool loop to save), Gateway (platform event to auth to session to agent to delivery), or Cron (scheduler tick to skill-backed execution to delivery)
- The tool registry is the same registry MCP tools and plugin-registered tools join -- there is one unified pool of capability, not separate systems for built-in vs external tools
- A genuinely production-ready agent combines several things together, not one impressive feature -- fallback handling, explicit access control, repeatable skills instead of improvised procedures, a rollback safety net, and actual log review
- Re-checking the security checklist against your real, current setup matters more than having read it once -- configuration drifts as you add platforms, skills, and scheduled jobs over time
- hermes doctor and hermes logs remain the right first moves for any unexpected behavior, and the official docs are the source of truth when this track's documented behavior and your installed version diverge