feat(hermes): bring Hermes setup and Node UI Connect to OpenClaw lifecycle parity (issue #386)

[Jurij89]

Summary

This PR brings Hermes setup and Node UI Connect to lifecycle parity with OpenClaw, fulfilling issue #386. It is a focused follow-up to PR #315 (which integrated the Hermes adapter as a DKG V10 local agent) and intentionally does not touch the verified parts of that integration.

Headline changes:

• dkg hermes setup now matches dkg openclaw setup: idempotent DKG node config bootstrap (via shared ensureDkgNodeConfig in packages/core), daemon start by default with --no-start opt-out, faucet funding parity (--fund / --no-fund) preserving the same 5×1s retry semantics OpenClaw uses, and a single runHermesSetup orchestrator consumed by both CLI and Node UI.
• Node UI Connect Hermes invokes the same shared setup-safe entrypoint as Connect OpenClaw (via a new runHermesUiSetup daemon shim parallel to runOpenClawUiSetup), then probes Hermes health and transitions to ready / degraded. Refresh stays a non-destructive health reprobe; Disconnect runs reverse Hermes profile cleanup followed by restoreHermesProfile, preserving chat and memory history.
• Hermes provider election now selects memory.provider: dkg by default — even over an existing non-DKG provider — with a timestamped sibling backup at <hermesHome>/config.yaml.bak.<unix-ts-ms>, prior-provider state captured into setup-state.json (first-wins, optional field, STATE_VERSION unchanged), and a surgical-first restore primitive with backup-file fallback. Opt-out flag for advanced users: --preserve-provider (alias --no-replace-provider). Restore is invoked unconditionally on UI Disconnect, on dkg hermes uninstall, and on dkg hermes disconnect --restore-provider.
• All existing Hermes setup options preserved (--profile, --daemon-url, --bridge-url, --gateway-url, --bridge-health-url, --memory-mode, --dry-run, --no-verify). Fixes the existing dry-run side-effect bug where setupHermesProfile was writing setup-state.json even under --dry-run.

Slice structure (review aid)

This PR is the union of five sequential vertical slices that landed on feat/hermes-setup-parity. Reviewers can skim the diff slice-by-slice via the commit prefixes (refactor(s1): / feat(s2): / feat(s3): / feat(s4): / docs(s5): / test(s3,s4): / chore(s3):).

• S1 — Shared lifecycle helpers extraction (no behavior change). Five extractions from adapter-openclaw/src/setup.ts and daemon/openclaw.ts into shared modules:
  1. resolveDkgCli + resolveCliPackageDir → packages/core/src/
  2. startDaemon (+ private deps) → packages/core/src/daemon-lifecycle.ts
  3. fundWalletsBestEffort orchestration (readWalletsWithRetry, manual-curl print, faucet skip path) → packages/core/src/faucet-orchestration.ts. 5×1s faucet retry semantics preserved exactly.
  4. ensureDkgNodeConfig (agent-agnostic chunk of writeDkgConfig covering name / apiPort / nodeRole / contextGraphs / auth / relay / autoUpdate) → packages/core/src/ensure-dkg-node-config.ts. OpenClaw legacy migrations (migrateLegacyOpenClawTransport, openclawAdapter / openclawChannel deletes) deliberately stay inside writeDkgConfig — they are not lifted into the shared helper.
  5. local-agent-attach-jobs Map + helpers → packages/cli/src/daemon/local-agent-attach-jobs.ts (daemon-only state). daemon/openclaw.ts keeps the legacy attach-jobs symbol names as thin re-export wrappers around the new generic implementations — kept S1's diff to renames + tiny shims and left daemon/local-agents.ts completely untouched in S1 (S3's writer-owned territory, single-writer ownership preserved).
  • OpenClaw test suite is the regression boundary; no behavior delta.
• S2 — CLI parity + runHermesSetup orchestrator. Extends HermesSetupCliOptions with start / fund / preserveProvider; registers --no-start / --fund / --no-fund / --preserve-provider (alias --no-replace-provider) / --restore-provider (S4-bound) flags. packages/cli/src/hermes-setup.ts becomes a thin pass-through over a new runHermesSetup orchestrator inside packages/adapter-hermes/src/setup.ts that composes the four S1 helpers + existing setupHermesProfile. Adds the port-conflict warning when --port and --daemon-url disagree (daemonUrl first-wins). Fixes the dry-run state-file write bug.
• S3 — UI Connect runs setup, Refresh stays health-only, Disconnect with restore. Adds runHermesUiSetup(signal) daemon shim parallel to runOpenClawUiSetup. Wires the Hermes branch in connectLocalAgentIntegrationFromUi to call it. Updates the Hermes notice copy. After disconnectHermesProfile, calls restoreHermesProfile; restore failure surfaces as runtime.lastError warning chip on a disconnected row and does not roll back the disconnect. Uses the new attach-jobs scheduler from S1.
• S4 — Provider replacement, restore primitive, idempotency, adversarial pass. Adds priorMemoryProvider field to HermesSetupState (optional, STATE_VERSION unchanged). Captures it before ensureManagedProviderBlock writes; first-wins. Authors restoreHermesProfile (surgical → backup-file → failed). Wires dkg hermes disconnect --restore-provider and dkg hermes uninstall (unconditional restore). Adversarial pass attacked dry-run regressions, idempotent rerun byte-equality, restore loss, --no-start bypass, and backup-path drift under --profile. One concrete bug found and fixed (SIGINT mid-execute could leave state without intent record); regression test landed.
• S5 — Docs. New flag table in docs/setup/SETUP_HERMES.md and packages/adapter-hermes/README.md; provider-replacement-with-backup section; restore path; UI Connect / Refresh / Disconnect summary; existing-user E2E flow; one-line root README mention.

Each acceptance criterion from issue #386 maps to one or more H-AC-NN test rows; the mapping is enforced by the test plan below.

Provider-replacement contract — at-a-glance

(This is the security-sensitive change in this PR. Reviewers should scrutinize §S4 carefully.)

• Replace by default: dkg hermes setup selects memory.provider: dkg even over an existing non-DKG provider. Rationale: DKG is the intended Hermes memory backend for this adapter; the prior "throw on conflict" default was too conservative for the first product UX.
• Backup file: <hermesHome>/config.yaml.bak.<unix-ts-ms>, sibling to config.yaml. Written only when actually replacing a non-DKG provider — no replacement, no backup. First-wins on re-runs (no backup churn).
• Capture: setup-state.json.priorMemoryProvider = { provider, configBackupPath, capturedAt }. First-wins; re-runs do not overwrite.
• Restore (restoreHermesProfile): surgical line-rewrite first (preserves unrelated user edits made after setup), atomic backup-file rename as fallback, then failed. Returns { ok, path: 'surgical' | 'backup-file' | 'noop' | 'failed', restoredFrom?, restoredProvider?, restoreError? }.
• Restore failure UX: integration stays disconnected, restore error surfaces as runtime.lastError warning chip on the disconnected row. Restore failure does NOT roll back disconnect.
• Opt-out: --preserve-provider (alias --no-replace-provider) keeps today's "throw on conflict" behavior. UI Connect never sets this flag.
• Idempotency: byte-equality of config.yaml between consecutive runHermesSetup invocations on an already-DKG-selected profile. No backup churn. installedAt stable; only updatedAt changes.
• Restore invocation matrix:
  • UI Disconnect → always restores.
  • dkg hermes uninstall → always restores.
  • dkg hermes disconnect (CLI) → only when --restore-provider flag passed (parity with today's CLI default behavior of "disconnect-only").

Helper-reuse rationale (S1)

The four function-style helpers (resolveDkgCli, startDaemon, fundWalletsBestEffort, ensureDkgNodeConfig) live in packages/core/src/, not in packages/cli/src/. Reason: the original plan placed them in dkg-cli, but that would have created a cyclic import (cli → adapter-{openclaw,hermes} → cli) at runtime. packages/core already sits below both adapters in the dependency graph, so hosting these helpers there inverts the dependency cleanly: cli → adapter-{openclaw,hermes} → core.

local-agent-attach-jobs correctly stays in packages/cli/src/daemon/. It is daemon-only state (a Map keyed by integration ID + cancellation primitives), shared between the OpenClaw and Hermes branches of the same daemon process. There is no reason for an adapter or core to depend on it.

Caveats reviewers should know about (transparency callouts)

These are NOT blockers — they're documented disclosures so reviewers do not waste time on out-of-scope expectations. Surfaced from the QA release-readiness verdict.

A. Two adapter-openclaw test failures pre-exist on upstream/main

packages/adapter-openclaw/test/adapter-openclaw-extra.test.ts > [K-9] openclaw.plugin.json id matches package.json name (RED until reconciled) and packages/adapter-openclaw/test/setup.test.ts > writeDkgConfig > mirrors only autoUpdate.enabled from network default and preserves existing pins. The K-9 row's name literally contains "RED until reconciled" — it is an intentional pre-existing canary. The autoUpdate one expects repo: 'OriginTrail/dkg' in the merged config but receives only branch + enabled — pre-existing flake on baseline.

QA verified by checking out upstream/main HEAD (83096835) and running the same two test files in isolation: identical 2 failures, 167 passed. Same shape. Not introduced by this PR. Per the agreed PR scope, not fixed in this change. Happy to file a follow-up issue if reviewers prefer.

B. Hardhat-dependent CLI tests deferred to CI

CLI vitest config uses globalSetup: ['../chain/test/hardhat-global-setup.ts'] which fails locally because spawnHardhatEnv cannot bind port 9548 in the parity worktree's environment. Many CLI tests beyond the curated 5 transitively depend on it. This is pre-existing on upstream/main and unrelated to this PR. The curated CLI gate (5 files: hermes-setup-cli-args.test.ts, openclaw-setup-cli-args.test.ts, daemon-hermes.test.ts, daemon-openclaw.test.ts, hermes-setup-orchestration.test.ts) covers every H-AC-NN row that S2 / S3 need. CI exercises the Hardhat-dependent path in a provisioned environment.

C. Live e2e operator validation (H-AC-06 / H-AC-11) deferred

E2e Playwright spec at packages/node-ui/e2e/specs/hermes-connect.spec.ts covers click-to-state-transition with API route interception (CI-friendly, deterministic). The "live" cases need a real Hermes gateway and a packaged-CLI install to exercise the full daemon lifecycle. All four file-system / DKG-state assertions of the live path were exercised by hand against tmp HOME (manual sanity gates #3, #4, #5 — see Test Plan) with evidence captured in QA's release-readiness writeup.

D. Commit message-vs-content asymmetry on two commits

Two commits on the branch carry messages that don't perfectly match their actual content due to a parallel-staging mishap in the shared worktree (one engineer's git add swept up another engineer's uncommitted WIP). The commits in question are labeled feat(s4): replace-by-default… (rebased SHA 1ff36742) but actually contains S3 step 2 work, and feat(s4): author restoreHermesProfile primitive… (rebased SHA a455c13f) which contains BOTH S4.2 (replace-by-default + capture) AND S4.3 (restore primitive). Functionality is correct; tests pass; the final upstream/main..HEAD diff is correct. Per-commit asymmetry doesn't affect functionality or test coverage. Squash-merge eliminates the asymmetry at merge time (see request below). Evaluate the final diff and test coverage rather than per-commit message mapping.

E. Diff is parity-only after rebase

Rebased on upstream/main immediately before push so the GitHub diff view shows parity-only changes (31 files, +4107/-590). One chore(s3) commit at the tip removes a coordination doc that was inadvertently tracked during the S3 e2e spec commit (see commit ee7ca035).

F. S2-deferred test sweep partial coverage

s2-deferred-tests.md listed 21 H-AC rows for S2 close; the S4-close sweep landed 6 (H-AC-12, 16, 22, 23, 24, 50). The remaining 15 are partially redundant log-line / retry-accounting assertions covered at the dkg-core/faucet-orchestration extractor source. Accepted-with-rationale by QA; reviewer can request the additional sweep as a follow-up if they care.

G. Working-tree dirt to NOT push

packages/evm-module/deployments/localhost_contracts.json is regenerated by local Hardhat chain operations and was modified in the parity worktree at hand-off time. Per execution-plan §6 it was discarded with git checkout -- before rebase and is NOT in this PR's diff (verified by git diff upstream/main..HEAD --name-only).

Squash-merge requested

Per QA recommendation 4 and §D above, please squash-merge at merge time. Squash eliminates the per-commit message-vs-content asymmetry and the add+remove of manual-sanity-checks.md from final history. Suggested squash subject: the PR title verbatim. Suggested squash body: this PR description's Summary + Provider-replacement contract sections.

Related

• Fixes Bring Hermes setup and Node UI Connect to OpenClaw lifecycle parity #386
• Follow-up to Integrate Hermes adapter with DKG local agent #315 (Integrate Hermes adapter with DKG local agent)

Files changed

File	What
packages/cli/src/hermes-setup.ts	Extends HermesSetupCliOptions with start / fund / preserveProvider; normalizeHermesSetupOptions updated. Becomes a thin pass-through over runHermesSetup.
packages/cli/src/cli.ts	Registers --no-start / --fund / --no-fund / --preserve-provider (alias --no-replace-provider) / --restore-provider (on dkg hermes disconnect).
packages/adapter-hermes/src/setup.ts	New runHermesSetup orchestrator; composes ensureDkgNodeConfig + startDaemon + fundWalletsBestEffort + setupHermesProfile. Adds replace-by-default + backup-write + priorMemoryProvider capture. Adds restoreHermesProfile primitive. Fixes dry-run state-file write bug. runSetup becomes thin throw-on-error wrapper.
packages/adapter-hermes/src/types.ts	Adds priorMemoryProvider: { provider, configBackupPath, capturedAt } field. STATE_VERSION unchanged.
packages/adapter-hermes/src/index.ts	Exports restoreHermesProfile.
NEW packages/core/src/daemon-lifecycle.ts	Move of startDaemon (+ private deps) from adapter-openclaw/src/setup.ts. Re-imported by both adapters.
NEW packages/core/src/faucet-orchestration.ts	Move of fundWalletsBestEffort orchestration. 5×1s retry semantics preserved exactly.
NEW packages/core/src/resolve-dkg-cli.ts + resolve-cli-package-dir.ts	Move of resolveDkgCli + resolveCliPackageDir from adapter-openclaw/src/setup.ts.
NEW packages/core/src/ensure-dkg-node-config.ts	Agent-agnostic chunk of writeDkgConfig (name, apiPort, nodeRole, contextGraphs, auth, relay, autoUpdate). OpenClaw legacy migrations stay in the original writeDkgConfig.
packages/core/src/index.ts	Re-exports the four new helpers.
NEW packages/cli/src/daemon/local-agent-attach-jobs.ts	Move of attach-jobs Map + helpers from daemon/openclaw.ts. Exports scheduleAttachJob / cancelPending / isCancelled.
packages/cli/src/daemon/openclaw.ts	S1 only: import-rename + thin re-export shims that keep the legacy attach-jobs symbol names as wrappers around local-agent-attach-jobs.ts. No logic changes.
packages/adapter-openclaw/src/setup.ts + resolve-dkg-cli.ts	Extraction-only edits — re-imports the four moved helpers. No behavior change.
packages/adapter-openclaw/test/{resolve-dkg-cli,setup-start-daemon,setup}.test.ts	Cover the import-shuffle + smoke tests for re-imported helpers; OpenClaw regression boundary.
packages/cli/src/daemon/hermes.ts	Adds runHermesUiSetup(signal) shim parallel to runOpenClawUiSetup.
packages/cli/src/daemon/local-agents.ts	S3 only: wires Hermes branch in connectLocalAgentIntegrationFromUi to call runHermesUiSetup + map HermesSetupResult.status → runtime.status. After disconnectHermesProfile, calls restoreHermesProfile; restore failure surfaces as runtime.lastError on disconnected row. Updates Hermes notice copy. Untouched in S1 (single-writer ownership preserved).
packages/cli/src/daemon/routes/local-agents.ts	Daemon-route glue for the Hermes Connect branch.
packages/node-ui/src/ui/components/Shell/PanelRight.tsx	Warning-chip render path for runtime.status: 'disconnected' && runtime.lastError.
packages/cli/test/hermes-setup-cli-args.test.ts	Extends for new flags + replace/preserve/restore behavior.
NEW packages/cli/test/hermes-setup-orchestration.test.ts	Orchestrator-level coverage for H-AC-12/16/22/23/24/50.
packages/cli/test/daemon-hermes.test.ts	Extends for H-AC-37, 40–47, 47b.
packages/adapter-hermes/test/hermes-adapter.test.ts	Replace-by-default, backup-write, priorMemoryProvider capture, restore primitive, idempotent rerun, H-AC-26/H-AC-48 adversarial regression.
packages/node-ui/test/panel-right.logic.test.ts	Extends for H-AC-45, 47, 47b.
NEW packages/node-ui/e2e/specs/hermes-connect.spec.ts	E2E for H-AC-06 + H-AC-11 with API route interception (CI-friendly, deterministic).
docs/setup/SETUP_HERMES.md	New flag table + provider-replacement-with-backup + restore path + UI Connect/Refresh/Disconnect summary + existing-user E2E flow.
packages/adapter-hermes/README.md	Lifecycle + provider behavior + restore instructions.
README.md	One-line mention of new flags.

Test plan

The full test suite (pnpm --filter @origintrail-official/dkg test at the repo root) is not the gate for this PR. The Hardhat-dependent path (spawnHardhatEnv / port 9548) fails on upstream/main independently of this PR — it requires a provisioned local devnet not present in the parity worktree. CI exercises the Hardhat-dependent path; QA's release-readiness writeup documented which subsets were deferred to that environment.

Test results from the rebased HEAD (post-rebase sanity run)

Suite	Command	Result
adapter-hermes	pnpm --filter @origintrail-official/dkg-adapter-hermes test	81 / 81 passed
Curated CLI gate (5 files)	pnpm exec vitest run --pool=forks test/hermes-setup-cli-args.test.ts test/openclaw-setup-cli-args.test.ts test/daemon-hermes.test.ts test/daemon-openclaw.test.ts test/hermes-setup-orchestration.test.ts (run from packages/cli/)	5 / 5 files pass; 167 / 167 tests pass (84 daemon-openclaw, 63 daemon-hermes, 7 hermes-setup-orchestration, 9 hermes-setup-cli-args, 4 openclaw-setup-cli-args)

Test results from QA release-readiness verdict

Suite	Command	Result
adapter-hermes	pnpm --filter @origintrail-official/dkg-adapter-hermes test	81 / 81 passed
adapter-openclaw (regression boundary)	pnpm --filter @origintrail-official/dkg-adapter-openclaw test	972 / 975 passed, 1 skipped, 2 failures pre-existing on upstream/main (caveat A above)
node-ui	pnpm --filter @origintrail-official/dkg-node-ui test	382 / 420 passed, 38 skipped (skips inherited from upstream/main)
dkg-core (S1 helpers landed here)	pnpm --filter @origintrail-official/dkg-core test	550 / 550 passed
Curated CLI gate (5 files)	as above	167 / 167 passed

Manual sanity gates (executed by hand against tmp HOME)

• Gate 3 — --dry-run is strictly side-effect free (no .bak.* file, byte-equal config.yaml pre/post): ✓ passed.
• Gate 4 — Idempotent rerun: byte-equality of config.yaml (md5 identical between two runs); single backup file (no churn): ✓ passed.
• Gate 5 — Restore-on-disconnect: setup → disconnect → restore restored prior provider: redis line via surgical-first path; sibling keys (url, pool) preserved byte-identical to pre-seed: ✓ passed.

Acceptance-criteria coverage (each row maps to a test surface; all evidence in QA writeup)

• Fresh user flow (H-AC-01 through H-AC-05; H-AC-06 deferred-with-rationale per caveat C).
• Existing-user flow (H-AC-07 through H-AC-10; H-AC-11 deferred per caveat C).
• --no-start truly does not start the DKG daemon (H-AC-12, 14, 15; H-AC-13 defense-in-depth deferred).
• --no-fund / --fund parity (H-AC-16, 20; H-AC-17/18/19 §10G partial coverage at extractor source per caveat F).
• --dry-run is strictly side-effect free — no FS write, no daemon start, no faucet call, no daemon registration probe, no .bak.* file (H-AC-21 through H-AC-26).
• Provider replace by default with backup; capture in state; restore on disconnect (H-AC-27 through H-AC-39).
• --preserve-provider opt-out throws clear error instead of replacing (H-AC-30).
• Idempotent rerun: byte-equality of config.yaml; no backup churn; installedAt stable (H-AC-25, H-AC-26, H-AC-31).
• UI Connect runs setup; invariant gate; AbortController; verbatim notice copy; concurrent-Connect dedupe (H-AC-40 through H-AC-45).
• Node UI Refresh is health-only (H-AC-46, H-AC-47, H-AC-47b).
• Node UI Disconnect runs reverse setup + restore; chat + memory history preserved; restore failure surfaces as warning chip without rolling back disconnect (H-AC-37, H-AC-47, H-AC-47b).
• dkg hermes uninstall invokes restore unconditionally (H-AC-39).
• Port-conflict warning when --port and --daemon-url disagree; daemonUrl first-wins (H-AC-49, H-AC-50, H-AC-58).
• Docs walkthrough rows green (H-AC-55, H-AC-56, H-AC-57).
• PR-Integrate Hermes adapter with DKG local agent #315 regression boundary (H-AC-51 through H-AC-54).
• Adversarial pass (S4) findings: 1 concrete bug fixed (SIGINT mid-execute → state without intent record), 5 prevention proofs hold.

PR-#315 invariant cross-check (12 invariants from PR-#315 baseline)

All 12 PR-#315 invariants verified to hold. Notably: bridge URL loopback validation, /api/hermes-channel/* daemon route signatures, MANAGED_BY markers, STATE_VERSION unchanged. The new priorMemoryProvider field is optional with a safe-absent default, so STATE_VERSION does not bump.

Security and release notes

• Backup file location and behavior: <hermesHome>/config.yaml.bak.<unix-ts-ms>, sibling to config.yaml. Written only when actually replacing a non-DKG provider. First-wins on capture; re-runs do not overwrite. Inherits the same filesystem permissions as the parent profile directory; no broader read access introduced.
• Restore semantics: surgical line-rewrite first (preserves unrelated user edits made after setup), backup-file atomic rename as fallback. UI Disconnect always restores; CLI dkg hermes disconnect requires explicit --restore-provider.
• Restore failure leaves the integration disconnected and surfaces the error as runtime.lastError warning chip on the disconnected row — it does NOT roll back the disconnect. Rationale: disconnect is the user's primary intent; partial restore failure is a separate signal.
• --dry-run is now strictly side-effect free: bug fix where the prior code wrote setup-state.json under dry-run is corrected. The S4 adversarial pass explicitly attacked dry-run regressions including .bak.* writes.
• Adversarial pass found and fixed one concrete bug: SIGINT mid-execute could leave state without a priorMemoryProvider intent record, breaking subsequent restore. Fix: write intent first, then proceed with config rewrite. Regression test landed.
• PR-Integrate Hermes adapter with DKG local agent #315 invariants preserved verbatim: bridge URL loopback validation, /api/hermes-channel/* daemon route signatures, MANAGED_BY markers, and STATE_VERSION are all unchanged.
• No new network egress. No new secret-handling surface. No new credential storage paths. Hermes adapter token redaction and bridge-URL loopback restriction from PR Integrate Hermes adapter with DKG local agent #315 remain in force unchanged.

[github-actions]

Codex review skipped: filtered diff is 5531 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.

[github-actions]

Codex review skipped: filtered diff is 5529 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.