Hermes is filling in the boring-but-critical layer: backups, self-kill guards, email, and pluggable web search
The strongest Hermes follow-up cluster is not a shiny UI feature; it is operational durability. Issues #25458 through #25461 define an encrypted backup dry-run for L Butler using fake runtime data, an isolated restore drill for ledger and memory, a human decision on backup destination and recovery-key ownership, and status checks that can say whether backup/restore proof is fresh, stale, failed, missing, or unverified without exposing paths or private contents.
The safety thread is reinforced by issue #5528 and closed bug #3397: a Telegram gateway agent once ran `pkill -f "cli.py --gateway"` after misdiagnosing its own health, killing the gateway from inside itself; Hermes now has a concrete request for configurable approval-locked command patterns so deployments can require manual approval for local actions that are operationally disruptive even if not universally destructive.
Nearby PRs round out channel/runtime hygiene: #25446 prevents heartbeat TypeErrors on empty activity fields and rate-limits blocked Kanban child reminders; #25441 adds multipart/alternative HTML email responses; #25448 moves all seven web-search providers into a plugin registry; #25457 lets plugins inject hidden CLI messages without cluttering the terminal; and #25348 adds a getxapi skill with endpoint coverage, costs, posting workflow, and secret-safety notes.
A multi-agent gateway is only useful if it can survive operator mistakes, process restarts, and data loss. Backups that cannot be restored, self-restart commands with no approval gate, noisy blocked-task heartbeats, and hidden differences between web providers are exactly the problems that make personal agents feel fragile in production.
- Issues #25458-#25461 specify encrypted backup dry-run, isolated restore drill, backup destination / key ownership, and assistant-visible backup status for L Butler
- Issue #3397 describes a Telegram gateway agent killing itself with `pkill -f "cli.py --gateway"`; issue #5528 asks for configurable approval-locked command patterns for deployment-specific disruptive commands
- PR #25446 fixes heartbeat null-field TypeErrors and rate-limits repeated blocked Kanban child notifications, with immediate re-notify only when the blocked reason changes
- PR #25441 adds HTML detection and multipart/alternative outbound email support with plain-text fallback
- PR #25448 migrates brave-free, ddgs, searxng, exa, parallel, tavily, and firecrawl into bundled web-provider plugins registered through `agent.web_search_registry`
- PR #25457 adds `visible=false` plugin message injection for CLI integrations while preserving model/session semantics
- PR #25348 adds a bundled getxapi skill covering 35 X/Twitter endpoints, field-name differences, posting workflow, costs, and secret-safety guidance
- The backup/restore work is still issue-level planning, so operators should not assume durable recovery exists yet
- Configurable approval locks can block legitimate maintenance if patterns are too broad, but instructions-only safeguards are weaker than runtime gates
- Third-party social APIs add credential, cost, and platform-policy risk; use least-privilege keys and test with disposable accounts
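
A runtime gate of the kind issue #5528 asks for, as an added example (not Hermes code): the pattern list, the `example-gateway` unit name, and the `gate` and `overbroad` helpers are assumptions made for illustration. The `overbroad` lint covers the caveat above about patterns that are too broad.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Hypothetical deployment config: regexes searched in the normalized command line.
APPROVAL_LOCKED = [
    r"\b(pkill|killall)\b.*cli\.py --gateway",  # the self-kill from issue #3397
    r"\bsystemctl (stop|restart) example-gateway\b",  # placeholder unit name
]

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def normalize(command: str) -> Optional[str]:
    """Strip shell quoting and collapse whitespace; None if it cannot be parsed."""
    try:
        return " ".join(" ".join(tok.split()) for tok in shlex.split(command))
    except ValueError:  # e.g. unbalanced quotes
        return None

def gate(command: str, patterns=APPROVAL_LOCKED,
         approved_by: Optional[str] = None) -> Decision:
    """Decide at runtime whether a local command may run without a human."""
    norm = normalize(command)
    if norm is None:
        hit = "<unparseable command>"  # fail closed: ambiguity needs a human
    else:
        hit = next((p for p in patterns if re.search(p, norm)), None)
    if hit is None:
        return Decision(True, "no approval-locked pattern matched")
    if approved_by:
        return Decision(True, f"approved by {approved_by} for {hit}")
    return Decision(False, f"manual approval required: {hit}")

def overbroad(patterns, known_good):
    """Config lint: routine maintenance commands the patterns would also lock."""
    return [c for c in known_good if not gate(c, patterns).allowed]
```

Running `overbroad` over a list of routine maintenance commands before deploying a pattern set shows which of them would start requiring approval.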