From cb0b16f876103097bc606dd6911125143b1a213c Mon Sep 17 00:00:00 2001 From: bussyjd <145845+bussyjd@users.noreply.github.com> Date: Tue, 16 Jun 2026 21:00:39 +0400 Subject: [PATCH 1/2] chore(hermes): use payments-enabled agent image --- internal/agentcrd/agent_contract_integration_test.go | 4 ++-- internal/hermes/hermes.go | 2 +- internal/serviceoffercontroller/agent_render.go | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/agentcrd/agent_contract_integration_test.go b/internal/agentcrd/agent_contract_integration_test.go index 146b28a2..70491a2d 100644 --- a/internal/agentcrd/agent_contract_integration_test.go +++ b/internal/agentcrd/agent_contract_integration_test.go @@ -20,8 +20,8 @@ import ( // // The unit tests in agent_test.go and serviceoffercontroller/agent_render_test.go // only prove that we *render* the `.no-bundled-skills` marker and the capped -// hermes-config keys. They do NOT prove the Hermes image -// (nousresearch/hermes-agent:v2026.6.5) actually honors them. v2026.5.28 +// hermes-config keys. They do NOT prove the currently pinned Hermes image +// actually honors them. v2026.5.28 // shipped the marker check on the install/CLI path only; the per-launch // sync_skills() call ignored it and re-seeded ~24 categories from the // image-baked /opt/hermes/skills source on every boot, regardless of the diff --git a/internal/hermes/hermes.go b/internal/hermes/hermes.go index d4a09eed..23bf2c98 100644 --- a/internal/hermes/hermes.go +++ b/internal/hermes/hermes.go @@ -35,7 +35,7 @@ const ( rawChartVersion = "2.0.2" // renovate: datasource=docker depName=nousresearch/hermes-agent - defaultImage = "nousresearch/hermes-agent:v2026.6.5" + defaultImage = "nousresearch/hermes-agent:main" // Use the upstream image venv instead of cloning Hermes into the PVC on // every cold start. The init container below validates the required extras // are present so image regressions fail before the gateway starts. diff --git a/internal/serviceoffercontroller/agent_render.go b/internal/serviceoffercontroller/agent_render.go index e1ade18a..2114768b 100644 --- a/internal/serviceoffercontroller/agent_render.go +++ b/internal/serviceoffercontroller/agent_render.go @@ -27,7 +27,7 @@ const ( hermesDataPVC = "hermes-data" hermesAPIPath = "/health" // renovate: datasource=docker depName=nousresearch/hermes-agent - defaultHermesImage = "nousresearch/hermes-agent:v2026.6.5" + defaultHermesImage = "nousresearch/hermes-agent:main" ) // agentLabels returns the standard label set we attach to every primitive From a8a53bda0b5eb2df007dbba4d42b19522540b248 Mon Sep 17 00:00:00 2001 From: bussyjd <145845+bussyjd@users.noreply.github.com> Date: Tue, 16 Jun 2026 21:06:17 +0400 Subject: [PATCH 2/2] fix(hermes): pin payments-enabled image digest --- internal/hermes/hermes.go | 2 +- internal/serviceoffercontroller/agent_render.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/hermes/hermes.go b/internal/hermes/hermes.go index 23bf2c98..2a473471 100644 --- a/internal/hermes/hermes.go +++ b/internal/hermes/hermes.go @@ -35,7 +35,7 @@ const ( rawChartVersion = "2.0.2" // renovate: datasource=docker depName=nousresearch/hermes-agent - defaultImage = "nousresearch/hermes-agent:main" + defaultImage = "nousresearch/hermes-agent:main@sha256:e9f2892b626468d2a65abeae9f94ec0a71872d7d9643906b956ab29c9bf328a9" // Use the upstream image venv instead of cloning Hermes into the PVC on // every cold start. The init container below validates the required extras // are present so image regressions fail before the gateway starts. diff --git a/internal/serviceoffercontroller/agent_render.go b/internal/serviceoffercontroller/agent_render.go index 2114768b..8392ac40 100644 --- a/internal/serviceoffercontroller/agent_render.go +++ b/internal/serviceoffercontroller/agent_render.go @@ -27,7 +27,7 @@ const ( hermesDataPVC = "hermes-data" hermesAPIPath = "/health" // renovate: datasource=docker depName=nousresearch/hermes-agent - defaultHermesImage = "nousresearch/hermes-agent:main" + defaultHermesImage = "nousresearch/hermes-agent:main@sha256:e9f2892b626468d2a65abeae9f94ec0a71872d7d9643906b956ab29c9bf328a9" ) // agentLabels returns the standard label set we attach to every primitive