Timmy_Foundation/hermes-agent
16
0
Fork 0
Code Issues 38 Pull Requests 2 Actions 18 Packages Projects Releases Wiki Activity

docs: add comprehensive MCP documentation and examples

Browse Source 
- docs/mcp.md: Full MCP documentation covering prerequisites, configuration,
  transports (stdio + HTTP), security (env filtering, credential stripping),
  reconnection, troubleshooting, popular servers, and advanced usage
- README.md: Add MCP section with quick config example and install instructions
- cli-config.yaml.example: Add commented mcp_servers section with examples
  for stdio, HTTP, and authenticated server configs
- docs/tools.md: Add MCP to Tool Categories table and MCP Tools section
- skills/mcp/native-mcp/SKILL.md: Create native MCP client skill with
  full configuration reference, transport types, security, troubleshooting
- skills/mcp/DESCRIPTION.md: Update category description to cover both
  native MCP client and mcporter bridge approaches
This commit is contained in:
teknium1
2026-03-02 18:52:33 -08:00
parent 64ff8f065b
commit 63f5e14c69
6 changed files with 928 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
README.md
View File

@@ -496,6 +496,23 @@ hermes tools
**Available toolsets:** `web`, `terminal`, `file`, `browser`, `vision`, `image_gen`, `moa`, `skills`, `tts`, `todo`, `memory`, `session_search`, `cronjob`, `code_execution`, `delegation`, `clarify`, and more.
### 🔌 MCP (Model Context Protocol)
Connect to any MCP-compatible server to extend Hermes with external tools. Just add servers to your config:
```yaml
mcp_servers:
time:
command: uvx
args: ["mcp-server-time"]
notion:
url: https://mcp.notion.com/mcp
```
Supports stdio and HTTP transports, auto-reconnection, and env var filtering. See [docs/mcp.md](docs/mcp.md) for details.
Install MCP support: `pip install hermes-agent[mcp]`
### 🖥️ Terminal & Process Management
The terminal tool can execute commands in different environments, with full background process management via the `process` tool:

35
cli-config.yaml.example
View File

@@ -442,6 +442,41 @@ toolsets:
# toolsets:
# - safe
# =============================================================================
# MCP (Model Context Protocol) Servers
# =============================================================================
# Connect to external MCP servers to add tools from the MCP ecosystem.
# Each server's tools are automatically discovered and registered.
# See docs/mcp.md for full documentation.
#
# Stdio servers (spawn a subprocess):
# command: the executable to run
# args: command-line arguments
# env: environment variables (only these + safe defaults passed to subprocess)
#
# HTTP servers (connect to a URL):
# url: the MCP server endpoint
# headers: HTTP headers (e.g., for authentication)
#
# Optional per-server settings:
# timeout: tool call timeout in seconds (default: 120)
# connect_timeout: initial connection timeout (default: 60)
#
# mcp_servers:
# time:
# command: uvx
# args: ["mcp-server-time"]
# filesystem:
# command: npx
# args: ["-y", "@modelcontextprotocol/server-filesystem", "/home/user"]
# notion:
# url: https://mcp.notion.com/mcp
# github:
# command: npx
# args: ["-y", "@modelcontextprotocol/server-github"]
# env:
# GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_..."
# =============================================================================
# Voice Transcription (Speech-to-Text)
# =============================================================================

527
docs/mcp.md Normal file
View File

@@ -0,0 +1,527 @@
# MCP (Model Context Protocol) Support
MCP lets Hermes Agent connect to external tool servers — giving the agent access to databases, APIs, filesystems, and more without any code changes.
## Overview
The [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) is an open standard for connecting AI agents to external tools and data sources. MCP servers expose tools over a lightweight RPC protocol, and Hermes Agent can connect to any compliant server automatically.
What this means for you:
- **Thousands of ready-made tools** — browse the [MCP server directory](https://github.com/modelcontextprotocol/servers) for servers covering GitHub, Slack, databases, file systems, web scraping, and more.
- **No code changes needed** — add a few lines to `~/.hermes/config.yaml` and the tools appear alongside built-in ones.
- **Mix and match** — run multiple MCP servers simultaneously, combining stdio-based and HTTP-based servers.
- **Secure by default** — environment variables are filtered and credentials are stripped from error messages returned to the LLM.
## Prerequisites
Install MCP support as an optional dependency:
```bash
pip install hermes-agent[mcp]
```
Depending on which MCP servers you want to use, you may need additional runtimes:
| Server Type | Runtime Needed | Example |
|-------------|---------------|---------|
| HTTP/remote | Nothing extra | `url: "https://mcp.example.com"` |
| npm-based (npx) | Node.js 18+ | `command: "npx"` |
| Python-based | uv (recommended) | `command: "uvx"` |
Most popular MCP servers are distributed as npm packages and launched via `npx`. Python-based servers typically use `uvx` (from the [uv](https://docs.astral.sh/uv/) package manager).
## Configuration
MCP servers are configured in `~/.hermes/config.yaml` under the `mcp_servers` key. Each entry is a named server with its connection details.
### Stdio Servers (command + args + env)
Stdio servers run as local subprocesses. Communication happens over stdin/stdout.
```yaml
mcp_servers:
filesystem:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-filesystem", "/home/user/projects"]
env: {}
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_xxxxxxxxxxxx"
```
| Key | Required | Description |
|-----|----------|-------------|
| `command` | Yes | Executable to run (e.g., `npx`, `uvx`, `python`) |
| `args` | No | List of command-line arguments |
| `env` | No | Environment variables to pass to the subprocess |
**Note:** Only explicitly listed `env` variables plus a safe baseline (PATH, HOME, USER, LANG, SHELL, TMPDIR, XDG_*) are passed to the subprocess. Your shell's API keys, tokens, and secrets are **not** leaked. See [Security](#security) for details.
### HTTP Servers (url + headers)
HTTP servers run remotely and are accessed over HTTP/StreamableHTTP.
```yaml
mcp_servers:
remote_api:
url: "https://my-mcp-server.example.com/mcp"
headers:
Authorization: "Bearer sk-xxxxxxxxxxxx"
```
| Key | Required | Description |
|-----|----------|-------------|
| `url` | Yes | Full URL of the MCP HTTP endpoint |
| `headers` | No | HTTP headers to include (e.g., auth tokens) |
### Per-Server Timeouts
Each server can have custom timeouts:
```yaml
mcp_servers:
slow_database:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-postgres"]
env:
DATABASE_URL: "postgres://user:pass@localhost/mydb"
timeout: 300 # Tool call timeout in seconds (default: 120)
connect_timeout: 90 # Initial connection timeout in seconds (default: 60)
```
| Key | Default | Description |
|-----|---------|-------------|
| `timeout` | 120 | Maximum seconds to wait for a single tool call to complete |
| `connect_timeout` | 60 | Maximum seconds to wait for the initial connection and tool discovery |
### Mixed Configuration Example
You can combine stdio and HTTP servers freely:
```yaml
mcp_servers:
# Local filesystem access via stdio
filesystem:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
# GitHub API via stdio with auth
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_xxxxxxxxxxxx"
# Remote database via HTTP
company_db:
url: "https://mcp.internal.company.com/db"
headers:
Authorization: "Bearer sk-xxxxxxxxxxxx"
timeout: 180
# Python-based server via uvx
memory:
command: "uvx"
args: ["mcp-server-memory"]
```
## Config Translation (Claude/Cursor JSON → Hermes YAML)
Many MCP server docs show configuration in Claude Desktop JSON format. Here's how to translate:
**Claude Desktop JSON** (`claude_desktop_config.json`):
```json
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"],
"env": {}
},
"github": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_xxxxxxxxxxxx"
}
}
}
}
```
**Hermes Agent YAML** (`~/.hermes/config.yaml`):
```yaml
mcp_servers: # mcpServers → mcp_servers (snake_case)
filesystem:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
env: {}
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_xxxxxxxxxxxx"
```
Translation rules:
1. **Key name**: `mcpServers``mcp_servers` (snake_case)
2. **Format**: JSON → YAML (remove braces/brackets, use indentation)
3. **Arrays**: `["a", "b"]` stays the same in YAML flow style, or use block style with `- a`
4. **Everything else**: Keys (`command`, `args`, `env`) are identical
## How It Works
### Startup & Discovery
When Hermes Agent starts, the tool discovery system calls `discover_mcp_tools()`:
1. **Config loading** — Reads `mcp_servers` from `~/.hermes/config.yaml`
2. **Background loop** — Spins up a dedicated asyncio event loop in a daemon thread for MCP connections
3. **Connection** — Connects to each configured server (stdio subprocess or HTTP)
4. **Session init** — Initializes the MCP client session (protocol handshake)
5. **Tool discovery** — Calls `list_tools()` on each server to get available tools
6. **Registration** — Registers each MCP tool into the Hermes tool registry with a prefixed name
### Tool Registration
Each discovered MCP tool is registered with a prefixed name following this pattern:
```
mcp_{server_name}_{tool_name}
```
Hyphens and dots in both server and tool names are replaced with underscores for API compatibility. For example:
| Server Name | MCP Tool Name | Registered As |
|-------------|--------------|---------------|
| `filesystem` | `read_file` | `mcp_filesystem_read_file` |
| `github` | `create-issue` | `mcp_github_create_issue` |
| `my-api` | `query.data` | `mcp_my_api_query_data` |
Tools appear alongside built-in tools — the agent sees them in its tool list and can call them like any other tool.
### Tool Calling
When the agent calls an MCP tool:
1. The handler is invoked by the tool registry (sync interface)
2. The handler schedules the actual MCP `call_tool()` RPC on the background event loop
3. The call blocks (with timeout) until the MCP server responds
4. Response content blocks are collected and returned as JSON
5. Errors are sanitized to strip credentials before returning to the LLM
### Shutdown
On agent exit, `shutdown_mcp_servers()` is called:
1. All server tasks are signalled to exit via their shutdown events
2. Each server's `async with` context manager exits, cleaning up transports
3. The background event loop is stopped and its thread is joined
4. All server state is cleared
## Security
### Environment Variable Filtering
When launching stdio MCP servers, Hermes does **not** pass your full shell environment to the subprocess. The `_build_safe_env()` function constructs a minimal environment:
**Always passed through** (from your current environment):
- `PATH`, `HOME`, `USER`, `LANG`, `LC_ALL`, `TERM`, `SHELL`, `TMPDIR`
- Any variable starting with `XDG_`
**Explicitly added**: Any variables you list in the server's `env` config.
**Everything else is excluded** — your `OPENAI_API_KEY`, `AWS_SECRET_ACCESS_KEY`, database passwords, and other secrets are never leaked to MCP server subprocesses unless you explicitly add them.
```yaml
mcp_servers:
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
# Only this token is passed — nothing else from your shell
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_xxxxxxxxxxxx"
```
### Credential Stripping in Errors
If an MCP tool call fails, the error message is sanitized by `_sanitize_error()` before being returned to the LLM. The following patterns are replaced with `[REDACTED]`:
- GitHub PATs (`ghp_...`)
- OpenAI-style keys (`sk-...`)
- Bearer tokens (`Bearer ...`)
- Query parameters (`token=...`, `key=...`, `API_KEY=...`, `password=...`, `secret=...`)
This prevents accidental credential exposure through error messages in the conversation.
## Transport Types
### Stdio Transport
The default transport for locally-installed MCP servers. The server runs as a subprocess and communicates over stdin/stdout.
```yaml
mcp_servers:
my_server:
command: "npx" # or "uvx", "python", any executable
args: ["-y", "package"]
env:
MY_VAR: "value"
```
**Pros:** Simple setup, no network needed, works offline.
**Cons:** Server must be installed locally, one process per server.
### HTTP / StreamableHTTP Transport
For remote MCP servers accessible over HTTP. Uses the StreamableHTTP protocol from the MCP SDK.
```yaml
mcp_servers:
my_remote:
url: "https://mcp.example.com/endpoint"
headers:
Authorization: "Bearer token"
```
**Pros:** No local installation needed, shared servers, cloud-hosted.
**Cons:** Requires network, slightly higher latency, needs `mcp` package with HTTP support.
**Note:** If HTTP transport is not available in your installed `mcp` package version, Hermes will log a clear error and skip that server.
## Reconnection
If an MCP server connection drops after initial setup (e.g., process crash, network hiccup), Hermes automatically attempts to reconnect with exponential backoff:
| Attempt | Delay Before Retry |
|---------|--------------------|
| 1 | 1 second |
| 2 | 2 seconds |
| 3 | 4 seconds |
| 4 | 8 seconds |
| 5 | 16 seconds |
- Maximum of **5 retry attempts** before giving up
- Backoff is capped at **60 seconds** (relevant if the formula exceeds this)
- Reconnection only triggers for **established connections** that drop — initial connection failures are reported immediately without retries
- If shutdown is requested during reconnection, the retry loop exits cleanly
## Troubleshooting
### Common Errors
**"mcp package not installed"**
```
MCP SDK not available -- skipping MCP tool discovery
```
Solution: Install the MCP optional dependency:
```bash
pip install hermes-agent[mcp]
```
---
**"command not found" or server fails to start**
The MCP server command (`npx`, `uvx`, etc.) is not on PATH.
Solution: Install the required runtime:
```bash
# For npm-based servers
npm install -g npx # or ensure Node.js 18+ is installed
# For Python-based servers
pip install uv # then use "uvx" as the command
```
---
**"MCP server 'X' has no 'command' in config"**
Your stdio server config is missing the `command` key.
Solution: Check your `~/.hermes/config.yaml` indentation and ensure `command` is present:
```yaml
mcp_servers:
my_server:
command: "npx" # <-- required for stdio servers
args: ["-y", "package-name"]
```
---
**Server connects but tools fail with authentication errors**
Your API key or token is missing or invalid.
Solution: Ensure the key is in the server's `env` block (not your shell env):
```yaml
mcp_servers:
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_your_actual_token" # <-- check this
```
---
**"MCP server 'X' is not connected"**
The server disconnected and reconnection failed (or was never established).
Solution:
1. Check the Hermes logs for connection errors (`hermes --verbose`)
2. Verify the server works standalone (e.g., run the `npx` command manually)
3. Increase `connect_timeout` if the server is slow to start
---
**Connection timeout during discovery**
```
Failed to connect to MCP server 'X': TimeoutError
```
Solution: Increase the `connect_timeout` for slow-starting servers:
```yaml
mcp_servers:
slow_server:
command: "npx"
args: ["-y", "heavy-server-package"]
connect_timeout: 120 # default is 60
```
---
**HTTP transport not available**
```
mcp.client.streamable_http is not available
```
Solution: Upgrade the `mcp` package to a version that includes HTTP support:
```bash
pip install --upgrade mcp
```
## Popular MCP Servers
Here are some popular free MCP servers you can use immediately:
| Server | Package | Description |
|--------|---------|-------------|
| Filesystem | `@modelcontextprotocol/server-filesystem` | Read/write/search local files |
| GitHub | `@modelcontextprotocol/server-github` | Issues, PRs, repos, code search |
| Git | `@modelcontextprotocol/server-git` | Git operations on local repos |
| Fetch | `@modelcontextprotocol/server-fetch` | HTTP fetching and web content extraction |
| Memory | `@modelcontextprotocol/server-memory` | Persistent key-value memory |
| SQLite | `@modelcontextprotocol/server-sqlite` | Query SQLite databases |
| PostgreSQL | `@modelcontextprotocol/server-postgres` | Query PostgreSQL databases |
| Brave Search | `@modelcontextprotocol/server-brave-search` | Web search via Brave API |
| Puppeteer | `@modelcontextprotocol/server-puppeteer` | Browser automation |
| Sequential Thinking | `@modelcontextprotocol/server-sequential-thinking` | Step-by-step reasoning |
### Example Configs for Popular Servers
```yaml
mcp_servers:
# Filesystem — no API key needed
filesystem:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-filesystem", "/home/user/projects"]
# Git — no API key needed
git:
command: "uvx"
args: ["mcp-server-git", "--repository", "/home/user/my-repo"]
# GitHub — requires a personal access token
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_xxxxxxxxxxxx"
# Fetch — no API key needed
fetch:
command: "uvx"
args: ["mcp-server-fetch"]
# SQLite — no API key needed
sqlite:
command: "uvx"
args: ["mcp-server-sqlite", "--db-path", "/home/user/data.db"]
# Brave Search — requires API key (free tier available)
brave_search:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-brave-search"]
env:
BRAVE_API_KEY: "BSA_xxxxxxxxxxxx"
```
## Advanced
### Multiple Servers
You can run as many MCP servers as you want simultaneously. Each server gets its own subprocess (stdio) or HTTP connection, and all tools are registered into a single unified namespace.
Servers are connected sequentially during startup. If one server fails to connect, the others still work — failed servers are logged as warnings and skipped.
### Tool Naming Convention
All MCP tools follow the naming pattern:
```
mcp_{server_name}_{tool_name}
```
Both the server name and tool name are sanitized: hyphens (`-`) and dots (`.`) are replaced with underscores (`_`). This ensures compatibility with LLM function-calling APIs that restrict tool name characters.
If you configure a server named `my-api` that exposes a tool called `query.users`, the agent will see it as `mcp_my_api_query_users`.
### Configurable Timeouts
Fine-tune timeouts per server based on expected response times:
```yaml
mcp_servers:
fast_cache:
command: "npx"
args: ["-y", "mcp-server-redis"]
timeout: 30 # Fast lookups — short timeout
connect_timeout: 15
slow_analysis:
url: "https://analysis.example.com/mcp"
timeout: 600 # Long-running analysis — generous timeout
connect_timeout: 120
```
### Idempotent Discovery
`discover_mcp_tools()` is idempotent — calling it multiple times only connects to servers that aren't already running. Already-connected servers keep their existing connections and tool registrations.
### Custom Toolsets
Each MCP server's tools are automatically grouped into a toolset named `mcp-{server_name}`. These toolsets are also injected into all `hermes-*` platform toolsets, so MCP tools are available in CLI, Telegram, Discord, and other platforms.
### Thread Safety
The MCP subsystem is fully thread-safe. A dedicated background event loop runs in a daemon thread, and all server state is protected by a lock. This works correctly even with Python 3.13+ free-threading builds.

18
docs/tools.md
View File

@@ -55,6 +55,7 @@ async def web_search(query: str) -> dict:
| **Clarify** | `clarify_tool.py` | `clarify` (interactive multiple-choice / open-ended questions, CLI-only) |
| **Code Execution** | `code_execution_tool.py` | `execute_code` (run Python scripts that call tools via RPC sandbox) |
| **Delegation** | `delegate_tool.py` | `delegate_task` (spawn subagents with isolated context, single + parallel batch) |
| **MCP (External)** | `tools/mcp_tool.py` | Auto-discovered from configured MCP servers |
## Tool Registration
@@ -414,3 +415,20 @@ The Skills Hub enables searching, installing, and managing skills from online re
**CLI:** `hermes skills search|install|inspect|list|audit|uninstall|publish|snapshot|tap`
**Slash:** `/skills search|install|inspect|list|audit|uninstall|publish|snapshot|tap`
## MCP Tools
MCP (Model Context Protocol) tools are **dynamically registered** from external MCP servers configured in `cli-config.yaml`. Unlike built-in tools which are defined in Python source files, MCP tools are discovered at startup by connecting to each configured server and querying its available tools.
Each MCP tool is automatically wrapped with an OpenAI-compatible schema and registered in the tool registry under the `mcp` toolset. Tool names are prefixed with the server name (e.g., `time__get_current_time`) to avoid collisions.
**Key characteristics:**
- Tools are discovered and registered at agent startup — no code changes needed
- Supports both stdio (subprocess) and HTTP (streamable HTTP) transports
- Auto-reconnects on connection failures with exponential backoff
- Environment variables passed to stdio servers are filtered for security
- Each server can have independent timeout settings
**Configuration:** Add servers to `mcp_servers` in `cli-config.yaml`. See [docs/mcp.md](mcp.md) for full documentation.
**Installation:** MCP support requires the optional `mcp` extra: `pip install hermes-agent[mcp]`

2
skills/mcp/DESCRIPTION.md
View File

@@ -1,3 +1,3 @@
---
description: Skills for working with MCP (Model Context Protocol) servers, tools, and integrations.
description: Skills for working with MCP (Model Context Protocol) servers, tools, and integrations. Includes the built-in native MCP client (configure servers in config.yaml for automatic tool discovery) and the mcporter CLI bridge for ad-hoc server interaction.
---

330
skills/mcp/native-mcp/SKILL.md Normal file
View File

@@ -0,0 +1,330 @@
---
name: native-mcp
description: Built-in MCP (Model Context Protocol) client that connects to external MCP servers, discovers their tools, and registers them as native Hermes Agent tools. Supports stdio and HTTP transports with automatic reconnection, security filtering, and zero-config tool injection.
version: 1.0.0
author: Hermes Agent
license: MIT
metadata:
hermes:
tags: [MCP, Tools, Integrations]
related_skills: [mcporter]
---
# Native MCP Client
Hermes Agent has a built-in MCP client that connects to MCP servers at startup, discovers their tools, and makes them available as first-class tools the agent can call directly. No bridge CLI needed -- tools from MCP servers appear alongside built-in tools like `terminal`, `read_file`, etc.
## When to Use
Use this whenever you want to:
- Connect to MCP servers and use their tools from within Hermes Agent
- Add external capabilities (filesystem access, GitHub, databases, APIs) via MCP
- Run local stdio-based MCP servers (npx, uvx, or any command)
- Connect to remote HTTP/StreamableHTTP MCP servers
- Have MCP tools auto-discovered and available in every conversation
For ad-hoc, one-off MCP tool calls from the terminal without configuring anything, see the `mcporter` skill instead.
## Prerequisites
- **mcp Python package** -- optional dependency; install with `pip install mcp`. If not installed, MCP support is silently disabled.
- **Node.js** -- required for `npx`-based MCP servers (most community servers)
- **uv** -- required for `uvx`-based MCP servers (Python-based servers)
Install the MCP SDK:
```bash
pip install mcp
# or, if using uv:
uv pip install mcp
```
## Quick Start
Add MCP servers to `~/.hermes/config.yaml` under the `mcp_servers` key:
```yaml
mcp_servers:
time:
command: "uvx"
args: ["mcp-server-time"]
```
Restart Hermes Agent. On startup it will:
1. Connect to the server
2. Discover available tools
3. Register them with the prefix `mcp_time_*`
4. Inject them into all platform toolsets
You can then use the tools naturally -- just ask the agent to get the current time.
## Configuration Reference
Each entry under `mcp_servers` is a server name mapped to its config. There are two transport types: **stdio** (command-based) and **HTTP** (url-based).
### Stdio Transport (command + args)
```yaml
mcp_servers:
server_name:
command: "npx" # (required) executable to run
args: ["-y", "pkg-name"] # (optional) command arguments, default: []
env: # (optional) environment variables for the subprocess
SOME_API_KEY: "value"
timeout: 120 # (optional) per-tool-call timeout in seconds, default: 120
connect_timeout: 60 # (optional) initial connection timeout in seconds, default: 60
```
### HTTP Transport (url)
```yaml
mcp_servers:
server_name:
url: "https://my-server.example.com/mcp" # (required) server URL
headers: # (optional) HTTP headers
Authorization: "Bearer sk-..."
timeout: 180 # (optional) per-tool-call timeout in seconds, default: 120
connect_timeout: 60 # (optional) initial connection timeout in seconds, default: 60
```
### All Config Options
| Option | Type | Default | Description |
|-------------------|--------|---------|---------------------------------------------------|
| `command` | string | -- | Executable to run (stdio transport, required) |
| `args` | list | `[]` | Arguments passed to the command |
| `env` | dict | `{}` | Extra environment variables for the subprocess |
| `url` | string | -- | Server URL (HTTP transport, required) |
| `headers` | dict | `{}` | HTTP headers sent with every request |
| `timeout` | int | `120` | Per-tool-call timeout in seconds |
| `connect_timeout` | int | `60` | Timeout for initial connection and discovery |
Note: A server config must have either `command` (stdio) or `url` (HTTP), not both.
## How It Works
### Startup Discovery
When Hermes Agent starts, `discover_mcp_tools()` is called during tool initialization:
1. Reads `mcp_servers` from `~/.hermes/config.yaml`
2. For each server, spawns a connection in a dedicated background event loop
3. Initializes the MCP session and calls `list_tools()` to discover available tools
4. Registers each tool in the Hermes tool registry
### Tool Naming Convention
MCP tools are registered with the naming pattern:
```
mcp_{server_name}_{tool_name}
```
Hyphens and dots in names are replaced with underscores for LLM API compatibility.
Examples:
- Server `filesystem`, tool `read_file``mcp_filesystem_read_file`
- Server `github`, tool `list-issues``mcp_github_list_issues`
- Server `my-api`, tool `fetch.data``mcp_my_api_fetch_data`
### Auto-Injection
After discovery, MCP tools are automatically injected into all `hermes-*` platform toolsets (CLI, Discord, Telegram, etc.). This means MCP tools are available in every conversation without any additional configuration.
### Connection Lifecycle
- Each server runs as a long-lived asyncio Task in a background daemon thread
- Connections persist for the lifetime of the agent process
- If a connection drops, automatic reconnection with exponential backoff kicks in (up to 5 retries, max 60s backoff)
- On agent shutdown, all connections are gracefully closed
### Idempotency
`discover_mcp_tools()` is idempotent -- calling it multiple times only connects to servers that aren't already connected. Failed servers are retried on subsequent calls.
## Transport Types
### Stdio Transport
The most common transport. Hermes launches the MCP server as a subprocess and communicates over stdin/stdout.
```yaml
mcp_servers:
filesystem:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-filesystem", "/home/user/projects"]
```
The subprocess inherits a **filtered** environment (see Security section below) plus any variables you specify in `env`.
### HTTP / StreamableHTTP Transport
For remote or shared MCP servers. Requires the `mcp` package to include HTTP client support (`mcp.client.streamable_http`).
```yaml
mcp_servers:
remote_api:
url: "https://mcp.example.com/mcp"
headers:
Authorization: "Bearer sk-..."
```
If HTTP support is not available in your installed `mcp` version, the server will fail with an ImportError and other servers will continue normally.
## Security
### Environment Variable Filtering
For stdio servers, Hermes does NOT pass your full shell environment to MCP subprocesses. Only safe baseline variables are inherited:
- `PATH`, `HOME`, `USER`, `LANG`, `LC_ALL`, `TERM`, `SHELL`, `TMPDIR`
- Any `XDG_*` variables
All other environment variables (API keys, tokens, secrets) are excluded unless you explicitly add them via the `env` config key. This prevents accidental credential leakage to untrusted MCP servers.
```yaml
mcp_servers:
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
# Only this token is passed to the subprocess
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_..."
```
### Credential Stripping in Error Messages
If an MCP tool call fails, any credential-like patterns in the error message are automatically redacted before being shown to the LLM. This covers:
- GitHub PATs (`ghp_...`)
- OpenAI-style keys (`sk-...`)
- Bearer tokens
- Generic `token=`, `key=`, `API_KEY=`, `password=`, `secret=` patterns
## Troubleshooting
### "MCP SDK not available -- skipping MCP tool discovery"
The `mcp` Python package is not installed. Install it:
```bash
pip install mcp
```
### "No MCP servers configured"
No `mcp_servers` key in `~/.hermes/config.yaml`, or it's empty. Add at least one server.
### "Failed to connect to MCP server 'X'"
Common causes:
- **Command not found**: The `command` binary isn't on PATH. Ensure `npx`, `uvx`, or the relevant command is installed.
- **Package not found**: For npx servers, the npm package may not exist or may need `-y` in args to auto-install.
- **Timeout**: The server took too long to start. Increase `connect_timeout`.
- **Port conflict**: For HTTP servers, the URL may be unreachable.
### "MCP server 'X' requires HTTP transport but mcp.client.streamable_http is not available"
Your `mcp` package version doesn't include HTTP client support. Upgrade:
```bash
pip install --upgrade mcp
```
### Tools not appearing
- Check that the server is listed under `mcp_servers` (not `mcp` or `servers`)
- Ensure the YAML indentation is correct
- Look at Hermes Agent startup logs for connection messages
- Tool names are prefixed with `mcp_{server}_{tool}` -- look for that pattern
### Connection keeps dropping
The client retries up to 5 times with exponential backoff (1s, 2s, 4s, 8s, 16s, capped at 60s). If the server is fundamentally unreachable, it gives up after 5 attempts. Check the server process and network connectivity.
## Examples
### Time Server (uvx)
```yaml
mcp_servers:
time:
command: "uvx"
args: ["mcp-server-time"]
```
Registers tools like `mcp_time_get_current_time`.
### Filesystem Server (npx)
```yaml
mcp_servers:
filesystem:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-filesystem", "/home/user/documents"]
timeout: 30
```
Registers tools like `mcp_filesystem_read_file`, `mcp_filesystem_write_file`, `mcp_filesystem_list_directory`.
### GitHub Server with Authentication
```yaml
mcp_servers:
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_xxxxxxxxxxxxxxxxxxxx"
timeout: 60
```
Registers tools like `mcp_github_list_issues`, `mcp_github_create_pull_request`, etc.
### Remote HTTP Server
```yaml
mcp_servers:
company_api:
url: "https://mcp.mycompany.com/v1/mcp"
headers:
Authorization: "Bearer sk-xxxxxxxxxxxxxxxxxxxx"
X-Team-Id: "engineering"
timeout: 180
connect_timeout: 30
```
### Multiple Servers
```yaml
mcp_servers:
time:
command: "uvx"
args: ["mcp-server-time"]
filesystem:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
github:
command: "npx"
args: ["-y", "@modelcontextprotocol/server-github"]
env:
GITHUB_PERSONAL_ACCESS_TOKEN: "ghp_xxxxxxxxxxxxxxxxxxxx"
company_api:
url: "https://mcp.internal.company.com/mcp"
headers:
Authorization: "Bearer sk-xxxxxxxxxxxxxxxxxxxx"
timeout: 300
```
All tools from all servers are registered and available simultaneously. Each server's tools are prefixed with its name to avoid collisions.
## Notes
- MCP tools are called synchronously from the agent's perspective but run asynchronously on a dedicated background event loop
- Tool results are returned as JSON with either `{"result": "..."}` or `{"error": "..."}`
- The native MCP client is independent of `mcporter` -- you can use both simultaneously
- Server connections are persistent and shared across all conversations in the same agent process
- Adding or removing servers requires restarting the agent (no hot-reload currently)