Hermes’ workflow core arrives beside a URL-safety bypass fix and profile-scoped scheduled jobs
Hermes’ most substantial new update is architectural: PR #25806 adds the workflow system core, including the workflow policy, store, DAG, gate, and materialization foundations, plus Core/dashboard APIs for reading workflows, inboxes, promotions, gates, and materialization, and stale-inbox promotion guards. That is the first sign of a more formal task/workflow layer rather than ad-hoc agent turns.

The risk item to notice is #25961: IPv6 scope IDs such as `fe80::1%eth0` could make URL safety parsing throw and silently skip all resolved addresses, potentially letting an attacker-controlled hostname bypass link-local or cloud-metadata protections; the fix strips scope IDs and fails closed on unparseable addresses. A second reliability fix, #25962, resolves yesterday’s split clarify-timeout problem by making the CLI callback honor `agent.clarify_timeout` before the older `clarify.timeout` key. PR #25917 adds profile-scoped scheduled jobs so cron jobs can run with a specific Hermes profile’s config, scripts, skills, and memory paths.

The surrounding channel and operator polish is also practical: #25956 strips emoji, diagrams, inline code, tables, and symbols before TTS so spoken replies stop reading UI artifacts; #25960 prevents native Windows Telegram `/restart` from leaving the gateway stopped; #25959 tightens Discord channel-directory resurrection behavior and lowers batching latency; #25958 allows configured Discord role mentions as triggers; and #25954 adds a read-only Kanban metrics CLI for review and verification gates.
A workflow core changes Hermes from a turn runner toward a more inspectable operations system. The URL-safety fix is higher urgency because agent web-fetch and proxy tools often touch untrusted hostnames; fail-open URL classification can become an SSRF path. Profile-scoped cron and clarify-timeout unification reduce the kind of invisible context mismatch that makes scheduled agents hard to trust.
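The fail-open versus fail-closed distinction behind #25961, shown as an added example that is not Hermes’ own code: a URL-safety check that resolves a hostname, classifies each address against blocked ranges, and answers "safe" only when every address was classified. The resolver table, the hostnames, the `parse_without_scope_support()` stand-in (which uses `socket.inet_pton`, a parser that rejects scope IDs), and the function names are all constructed for illustration; only the bug pattern (a parse exception aborting the loop and leaving the default "safe" answer in place) and the fix pattern (strip the scope ID, deny on anything still unparseable) follow the PR description.

```python
import ipaddress
import socket

# Constructed stand-in for DNS resolution: hostname -> literals the resolver
# returned.  "attacker.example" is hypothetical and models a name whose
# records are chosen by whoever controls the zone.
RESOLVED = {
    "public.example": ["93.184.216.34"],
    "attacker.example": ["fe80::1%eth0", "169.254.169.254"],
    "garbage.example": ["not-an-ip"],
}

# Ranges a fetch/proxy tool must never reach: loopback, link-local (the IPv4
# range contains the cloud metadata endpoint) and private address space.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "127.0.0.0/8", "::1/128",
        "169.254.0.0/16", "fe80::/10",
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
    )
]


def is_blocked_address(ip) -> bool:
    # Membership across IPv4/IPv6 versions is simply False, so one list works.
    return any(ip in net for net in BLOCKED_NETWORKS)


def parse_without_scope_support(literal: str):
    """Constructed model of a scope-unaware parser: inet_pton rejects
    'fe80::1%eth0' with OSError instead of yielding an address to classify."""
    family = socket.AF_INET6 if ":" in literal else socket.AF_INET
    socket.inet_pton(family, literal)  # OSError on scope IDs or junk
    return ipaddress.ip_address(literal)


def is_safe_url_fail_open(hostname: str) -> bool:
    """Vulnerable pattern: the first parse failure aborts the whole loop and
    the function still returns True, so addresses listed after the scoped
    literal are never checked."""
    try:
        for literal in RESOLVED.get(hostname, []):
            if is_blocked_address(parse_without_scope_support(literal)):
                return False
    except (OSError, ValueError):
        pass  # swallowed: the metadata address behind the scoped one is unseen
    return True


def strip_scope_id(literal: str) -> str:
    """'fe80::1%eth0' -> 'fe80::1'; literals without a zone are unchanged."""
    return literal.split("%", 1)[0]


def is_safe_url_fail_closed(hostname: str) -> bool:
    """Hardened pattern: normalize each literal, deny anything that still does
    not parse, and answer True only once every address has been classified."""
    literals = RESOLVED.get(hostname)
    if not literals:
        return False  # nothing resolved, nothing classified: deny
    for literal in literals:
        try:
            ip = ipaddress.ip_address(strip_scope_id(literal))
        except ValueError:
            return False  # unparseable address: fail closed
        if is_blocked_address(ip):
            return False
    return True


if __name__ == "__main__":
    for name in RESOLVED:
        print(f"{name:18} fail-open={is_safe_url_fail_open(name)!s:5} "
              f"fail-closed={is_safe_url_fail_closed(name)}")
```

Two details are worth keeping when porting this pattern. First, the default return value of a blocklist check should be "blocked", so an exception on any path cannot become a pass; the fail-open version above has the default the wrong way round and the `except` clause merely hides it. Second, Python 3.9 and later accept scope IDs in `ipaddress.IPv6Address`, but stripping the zone before parsing keeps the check independent of the interpreter version and compares the bare address against `fe80::/10`, which is what the policy is actually about.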
- PR #25806 adds workflow policy/store/DAG/gate/materialization foundations and workflow read/inbox/promotion/gate/materialization APIs
- PR #25961 documents an IPv6 scope-ID parsing bypass in `is_always_blocked_url()` and `is_safe_url()` and changes unparseable addresses to fail closed
- PR #25962 reads `agent.clarify_timeout` in CLI clarify callbacks, fixing issue #25859 where CLI/TUI still timed out after 120 seconds
- PR #25917 adds a profile field to scheduled jobs and wires profile support through cron creation, updates, CLI, tools, and subprocess home scoping
- PR #25956 strips TTS-hostile markup and symbols only from the text sent to the TTS engine, leaving original chat output untouched
- PR #25960 routes native Windows gateway restart/start through the detached backend so Telegram `/restart` does not leave the gateway stopped
- PRs #25959 and #25958 tighten Discord channel controls and add configured role-mention triggers
- PR #25954 adds `hermes kanban metrics` with gate metrics coverage for re-review and re-verify tasks
- The workflow core is foundational; downstream behavior depends on how policies, gates, and materialization endpoints are exposed in real installations
- URL-safety fixes should be backported or staged quickly, but any allowlist/proxy behavior around IPv6 literals and scoped addresses needs regression testing
- Profile-scoped cron increases power and complexity; operators need clear visibility into which profile, skills, and memory path a scheduled job actually used