chore(hermes): pin payments-enabled agent image #649

Open: bussyjd wants to merge 2 commits into integration/v0.11.0 from chore/hermes-agent-stripe-image

@bussyjd bussyjd commented Jun 16, 2026

Contributor

Summary

Bump the default Hermes agent image used by both Obol-managed Hermes runtimes to a digest-pinned upstream image that contains the new optional payments skills:

  • internal/hermes/hermes.go master agent default: nousresearch/hermes-agent:v2026.6.5 -> nousresearch/hermes-agent:main@sha256:e9f2892b626468d2a65abeae9f94ec0a71872d7d9643906b956ab29c9bf328a9
  • internal/serviceoffercontroller/agent_render.go Agent CRD/sub-agent default: same pinned image ref

Why main@sha256: the latest dated Docker tag visible on Docker Hub is still v2026.6.5, published before Hermes commit 5bfed0fe0 (feat(skills): add optional payments skills (Stripe Link, MPP, Projects)). Docker Hub shows main/latest updated after that commit, and the current multi-arch manifest digest is pinned here:

nousresearch/hermes-agent:main@sha256:e9f2892b626468d2a65abeae9f94ec0a71872d7d9643906b956ab29c9bf328a9

This keeps the train reproducible while we wait for Hermes to publish the next dated release tag containing the optional payments skills. Once that tag exists, replace this temporary digest pin with the release tag plus digest.

Compatibility Pass Map

flowchart TB
    A["Hermes upstream main image pinned by digest"] --> B["Optional payments skills available in agent pod"]
    B --> C["stripe-link-cli skill"]
    B --> D["mpp-agent skill"]

    C --> E["Stripe Link approval + Shared Payment Token"]
    D --> F["MPP client probes HTTP 402 merchant"]

    G["Obol seller card route"] --> H{"402 challenge wire"}
    H -->|"current Obol"| I["PAYMENT-REQUIRED JSON + X-PAYMENT retry"]
    H -->|"Hermes/Stripe MPP target"| J["WWW-Authenticate: Payment method=stripe"]

    E --> K["Buyer retries with payment credential"]
    F --> K
    K --> L["x402-verifier card gate"]
    L --> M["Stripe PaymentIntent authorize"]
    M --> N["Proxy upstream"]
    N --> O{"Upstream <400?"}
    O -->|"yes"| P["Capture PaymentIntent + return receipt"]
    O -->|"no"| Q["Cancel hold + return failure"]

    I -.-> R["Follow-up: bridge/dual-advertise wire format"]
    J -.-> R

Stripe / SPT Flow

sequenceDiagram
    autonumber
    participant Buyer as Hermes agent payment skill
    participant StripeLink as Stripe Link CLI
    participant Seller as Obol paid service
    participant Verifier as x402-verifier card gate
    participant Stripe as Stripe PaymentIntents
    participant Upstream as Seller upstream

    Buyer->>Seller: Request paid resource without credential
    Seller-->>Buyer: 402 with Stripe MPP challenge
    Buyer->>StripeLink: Create approved spend request for shared_payment_token
    StripeLink-->>Buyer: SPT credential after user approval
    Buyer->>Seller: Retry with payment credential
    Seller->>Verifier: Route to card gate
    Verifier->>Stripe: Authorize manual-capture PaymentIntent with SPT
    Stripe-->>Verifier: requires_capture
    Verifier->>Upstream: Proxy request
    alt upstream succeeds
        Upstream-->>Verifier: 2xx/3xx response
        Verifier->>Stripe: Capture PaymentIntent
        Stripe-->>Verifier: succeeded
        Verifier-->>Buyer: Upstream response + payment receipt
    else upstream fails
        Upstream-->>Verifier: 4xx/5xx or no response
        Verifier->>Stripe: Cancel PaymentIntent hold
        Verifier-->>Buyer: Failure, buyer not charged
    end

MPP / x402 Compatibility Work Remaining

flowchart LR
    A["Current Obol card path"] --> B["Scheme card / network stripe in x402 PaymentRequired"]
    A --> C["Credential read from X-PAYMENT"]
    A --> D["Receipt in X-PAYMENT-RESPONSE"]

    E["Hermes + Stripe MPP expectation"] --> F["WWW-Authenticate: Payment ... method=stripe"]
    E --> G["Authorization: Payment ... credential"]
    E --> H["Authentication-Info receipt"]
    E --> I["networkId is Stripe profile_ / profile_test_ id"]

    B --> J["Compatibility pass"]
    C --> J
    D --> J
    F --> J
    G --> J
    H --> J
    I --> J

    J --> K["Emit MPP challenge alongside x402 challenge"]
    J --> L["Accept MPP Authorization credential or translate to existing SPT payload"]
    J --> M["Return MPP receipt while preserving x402 receipt for existing buyers"]
    J --> N["Update CLI/docs from stripenet_* examples to profile_* / profile_test_*"]

Validation

  • git diff --check
  • go test ./internal/hermes ./internal/serviceoffercontroller ./internal/agentcrd -count=1
  • docker buildx imagetools inspect nousresearch/hermes-agent:main
  • Docker Hub tag listing checked: no dated tag newer than v2026.6.5 is currently published; main/latest resolve to sha256:e9f2892b626468d2a65abeae9f94ec0a71872d7d9643906b956ab29c9bf328a9.

Follow-up

  • Replace this temporary main@sha256:... pin with the next dated Hermes release tag plus digest once available.
  • Implement the MPP wire compatibility pass described above before declaring Obol card payments interoperable with Hermes/Stripe Link.
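
The description above rests on the difference between a tag-only reference and a tag-plus-digest reference. The following Go check is an added example, not code from this pull request or from the Obol or Hermes projects; it parses a reference and rejects any default that is not digest-pinned. `ImageRef`, `ParseImageRef` and `CheckPinned` are hypothetical names, and the image strings are the ones quoted in the description.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is a parsed reference of the form repo[:tag][@digest] (hypothetical type).
type ImageRef struct{ Repo, Tag, Digest string }

var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseImageRef splits a reference and rejects a malformed digest.
func ParseImageRef(ref string) (ImageRef, error) {
	var r ImageRef
	name := ref
	if i := strings.Index(ref, "@"); i >= 0 {
		name, r.Digest = ref[:i], ref[i+1:]
		if !sha256Digest.MatchString(r.Digest) {
			return r, fmt.Errorf("malformed digest in %q", ref)
		}
	}
	// A colon after the last slash separates the tag; before it, it is a registry port.
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		name, r.Tag = name[:i], name[i+1:]
	}
	if name == "" {
		return r, fmt.Errorf("empty repository in %q", ref)
	}
	r.Repo = name
	return r, nil
}

// CheckPinned fails unless the reference carries a well-formed sha256 digest.
func CheckPinned(ref string) error {
	r, err := ParseImageRef(ref)
	if err != nil {
		return err
	}
	if r.Digest == "" {
		return fmt.Errorf("%q has no digest: the tag can be re-pointed", ref)
	}
	return nil
}

func main() {
	fmt.Println(CheckPinned("nousresearch/hermes-agent:v2026.6.5")) // old default, tag only
}
```

When both a tag and a digest are present, the digest selects the content that is pulled, so the `main` tag in the pinned reference serves as a label for readers.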
