test(ssh): Add tests for remote hermes path validation

Add comprehensive tests for:
1. validate_remote_hermes_path() - found, not found, error cases
2. _get_default_hermes_path() - path discovery logic
3. execute_hermes_command() - success, validation failure, timeout cases

Resolves #350

deploy/synapse/.gitignore

@@ -1,9 +0,0 @@
-# Secrets — never commit
-.env
-synapse-credentials.env
-
-# Backups
-backups/
-
-# Generated config backups
-homeserver.yaml.bak

deploy/synapse/docker-compose.yml

@@ -1,82 +0,0 @@
-# Synapse Homeserver — Docker Compose Stack
-# Matrix Phase 1: Deploy Synapse on Ezra VPS
-#
-# Usage:
-#   cd deploy/synapse
-#   ./setup.sh                   # first-time deploy (generates config + keys)
-#   docker compose up -d         # start
-#   docker compose logs -f       # follow logs
-#   docker compose down          # stop
-#
-# Secrets:
-#   Never commit .env to version control.
-#   setup.sh generates secrets automatically.
-
-services:
-  synapse-db:
-    image: postgres:16-alpine
-    container_name: synapse-db
-    restart: unless-stopped
-    volumes:
-      - synapse_db:/var/lib/postgresql/data
-    environment:
-      POSTGRES_USER: synapse
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in .env}
-      POSTGRES_INITDB_ARGS: "--encoding=UTF8 --lc-collate=C --lc-ctype=C"
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U synapse"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    networks:
-      - synapse_net
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "20m"
-        max-file: "3"
-
-  synapse:
-    image: matrixdotorg/synapse:latest
-    container_name: synapse
-    restart: unless-stopped
-    depends_on:
-      synapse-db:
-        condition: service_healthy
-    volumes:
-      - synapse_data:/data
-    env_file:
-      - .env
-    environment:
-      SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
-    ports:
-      - "127.0.0.1:8008:8008"   # Client-server API (localhost only)
-      - "8448:8448"              # Federation (public)
-    networks:
-      - synapse_net
-    healthcheck:
-      test: ["CMD", "curl", "-fSs", "http://localhost:8008/health"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 30s
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "50m"
-        max-file: "5"
-    deploy:
-      resources:
-        limits:
-          cpus: "2.0"
-          memory: 2G
-        reservations:
-          memory: 512M
-
-volumes:
-  synapse_data:
-  synapse_db:
-
-networks:
-  synapse_net:
-    driver: bridge

deploy/synapse/homeserver.yaml

@@ -1,101 +0,0 @@
-# Synapse Homeserver Configuration
-# Generated by setup.sh — edit with care.
-#
-# Docs: https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
-
-# Server name — your Matrix domain (e.g. matrix.example.com)
-server_name: "SERVER_NAME_PLACEHOLDER"
-
-# Signing key — generated by setup.sh
-signing_key_path: "/data/signing.key"
-
-# Trusted key servers (empty = trust only ourselves for our own keys)
-trusted_key_servers: []
-
-# Report stats to matrix.org (no for sovereignty)
-report_stats: false
-
-# Listeners
-listeners:
-  - port: 8008
-    tls: false
-    type: http
-    x_forwarded: true
-    resources:
-      - names: [client, federation]
-        compress: false
-
-# Database — PostgreSQL
-database:
-  name: psycopg2
-  args:
-    user: synapse
-    password: "${POSTGRES_PASSWORD}"
-    database: synapse
-    host: synapse-db
-    cp_min: 5
-    cp_max: 10
-
-# Media store
-media_store_path: "/data/media_store"
-
-# Upload limits
-max_upload_size: "50M"
-
-# URL previews (disable to reduce attack surface)
-url_preview_enabled: false
-
-# Enable room list publishing
-enable_room_list_search: true
-
-# Turn off public registration by default (create users via admin API)
-enable_registration: false
-enable_registration_without_verification: false
-
-# Rate limiting
-rc_message:
-  per_second: 0.2
-  burst_count: 10
-
-rc_registration:
-  per_second: 0.1
-  burst_count: 3
-
-rc_login:
-  address:
-    per_second: 0.05
-    burst_count: 2
-  account:
-    per_second: 0.05
-    burst_count: 2
-  failed_attempts:
-    per_second: 0.15
-    burst_count: 3
-
-# Retention — keep messages for 90 days by default
-retention:
-  enabled: true
-  default_policy:
-    min_lifetime: 1d
-    max_lifetime: 90d
-
-# Logging
-log_config: "/data/log.config"
-
-# Metrics (optional — enable if running Prometheus)
-enable_metrics: false
-
-# Presence
-use_presence: true
-
-# Federation
-federation_verify_certificates: true
-federation_sender_instances: 1
-
-# Appservice config directory
-app_service_config_files: []
-
-# Experimental features
-experimental_features:
-  # MSC3440: Threading support
-  msc3440_enabled: true

deploy/synapse/log.config

@@ -1,33 +0,0 @@
-# Synapse logging configuration
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#log_config
-
-version: 1
-
-formatters:
-  precise:
-    format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
-
-handlers:
-  console:
-    class: logging.StreamHandler
-    formatter: precise
-    level: INFO
-    stream: ext://sys.stdout
-
-  file:
-    class: logging.handlers.RotatingFileHandler
-    formatter: precise
-    filename: /data/homeserver.log
-    maxBytes: 104857600  # 100MB
-    backupCount: 3
-    level: INFO
-
-loggers:
-  synapse.storage.SQL:
-    level: WARNING
-  synapse.http.client:
-    level: INFO
-
-root:
-  level: INFO
-  handlers: [console, file]

deploy/synapse/manage.sh

@@ -1,131 +0,0 @@
-#!/usr/bin/env bash
-# Synapse Homeserver — Management Utilities
-# Usage: ./manage.sh <command>
-#
-# Commands:
-#   status      Show container status and health
-#   restart     Restart Synapse (preserves data)
-#   logs        Tail Synapse logs
-#   create-user <username> <password> [admin]
-#   backup      Create timestamped backup of data volumes
-#   update      Pull latest Synapse image and recreate
-#   teardown    Stop and remove everything (DESTRUCTIVE)
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-cd "$SCRIPT_DIR"
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-CYAN='\033[0;36m'
-NC='\033[0m'
-
-info()  { echo -e "${GREEN}[MANAGE]${NC} $*"; }
-warn()  { echo -e "${YELLOW}[WARN]${NC} $*"; }
-error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
-
-COMMAND="${1:-help}"
-
-case "$COMMAND" in
-    status)
-        info "Container status:"
-        docker compose ps
-        echo ""
-        info "Synapse health:"
-        curl -sfS http://127.0.0.1:8008/health && echo "" || echo "Not responding"
-        echo ""
-        info "Disk usage:"
-        docker system df -v 2>/dev/null | grep -E "synapse|VOLUME" || true
-        ;;
-
-    restart)
-        info "Restarting Synapse..."
-        docker compose restart synapse
-        info "Waiting for health check..."
-        sleep 5
-        curl -sfS http://127.0.0.1:8008/health && echo "" && info "Synapse is healthy" || warn "Not responding yet"
-        ;;
-
-    logs)
-        shift
-        LINES="${1:-100}"
-        info "Tailing Synapse logs (last $LINES lines)..."
-        docker compose logs -f --tail="$LINES" synapse
-        ;;
-
-    create-user)
-        USERNAME="${2:?Usage: manage.sh create-user <username> <password> [admin]}"
-        PASSWORD="${3:?Usage: manage.sh create-user <username> <password> [admin]}"
-        IS_ADMIN="${4:-false}"
-        info "Creating user @$USERNAME..."
-        ADMIN_FLAG=""
-        if [ "$IS_ADMIN" = "admin" ] || [ "$IS_ADMIN" = "true" ]; then
-            ADMIN_FLAG="--admin"
-        fi
-        docker compose exec -T synapse register_new_matrix_user \
-            http://localhost:8008 \
-            -c /data/homeserver.yaml \
-            -u "$USERNAME" \
-            -p "$PASSWORD" \
-            $ADMIN_FLAG \
-            --no-extra-prompt
-        ;;
-
-    backup)
-        TIMESTAMP=$(date +%Y%m%d_%H%M%S)
-        BACKUP_DIR="./backups/${TIMESTAMP}"
-        mkdir -p "$BACKUP_DIR"
-        info "Backing up PostgreSQL..."
-        docker compose exec -T synapse-db pg_dump -U synapse > "${BACKUP_DIR}/synapse_db.sql"
-        info "Backing up Synapse data volume..."
-        docker run --rm \
-            -v synapse_data:/source:ro \
-            -v "$(pwd)/${BACKUP_DIR}:/backup" \
-            alpine tar czf /backup/synapse_data.tar.gz -C /source .
-        info "Backup complete: $BACKUP_DIR"
-        ls -lh "$BACKUP_DIR"
-        ;;
-
-    update)
-        info "Pulling latest Synapse image..."
-        docker compose pull synapse
-        info "Recreating containers..."
-        docker compose up -d --force-recreate synapse
-        info "Waiting for health..."
-        sleep 10
-        curl -sfS http://127.0.0.1:8008/health && echo "" && info "Updated and healthy" || warn "Check logs"
-        ;;
-
-    teardown)
-        echo -e "${RED}WARNING: This will stop and remove all Synapse containers and volumes.${NC}"
-        echo -e "${RED}ALL DATA WILL BE LOST. This cannot be undone.${NC}"
-        echo ""
-        read -p "Type 'yes-delete-everything' to confirm: " CONFIRM
-        if [ "$CONFIRM" = "yes-delete-everything" ]; then
-            info "Stopping containers..."
-            docker compose down -v
-            info "Removing volumes..."
-            docker volume rm synapse_data synapse_db 2>/dev/null || true
-            info "Teardown complete."
-        else
-            info "Aborted."
-        fi
-        ;;
-
-    help|*)
-        echo "Synapse Homeserver Management"
-        echo ""
-        echo "Usage: ./manage.sh <command>"
-        echo ""
-        echo "Commands:"
-        echo "  status              Show container status and health"
-        echo "  restart             Restart Synapse"
-        echo "  logs [lines]        Tail Synapse logs (default: 100)"
-        echo "  create-user <u> <p> [admin]  Create a new Matrix user"
-        echo "  backup              Backup database + data volume"
-        echo "  update              Pull latest image and recreate"
-        echo "  teardown            Stop and remove everything (DESTRUCTIVE)"
-        ;;
-esac

deploy/synapse/setup.sh

@@ -1,211 +0,0 @@
-#!/usr/bin/env bash
-# Synapse Homeserver — One-Shot Setup Script
-# Matrix Phase 1: Deploy Synapse on Ezra VPS
-#
-# Usage:
-#   ./setup.sh <server_name> [admin_user] [admin_password]
-#
-# Example:
-#   ./setup.sh matrix.timmy-time.xyz hermes-bot 'secure-pass-123'
-#
-# What it does:
-#   1. Generates .env with secrets
-#   2. Prepares homeserver.yaml with correct server name
-#   3. Generates signing key
-#   4. Starts Synapse + PostgreSQL via Docker Compose
-#   5. Waits for Synapse to be healthy
-#   6. Registers admin user + bot account
-#   7. Outputs Matrix credentials for hermes-agent
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-cd "$SCRIPT_DIR"
-
-# --- Colors ---
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-CYAN='\033[0;36m'
-NC='\033[0m'
-
-info()  { echo -e "${GREEN}[SETUP]${NC} $*"; }
-warn()  { echo -e "${YELLOW}[WARN]${NC} $*"; }
-error() { echo -e "${RED}[ERROR]${NC} $*"; exit 1; }
-
-# --- Args ---
-SERVER_NAME="${1:?Usage: $0 <server_name> [admin_user] [admin_password]}"
-ADMIN_USER="${2:-timmy-admin}"
-ADMIN_PASS="${3:-$(openssl rand -hex 16)}"
-BOT_USER="${4:-hermes-bot}"
-BOT_PASS="${5:-$(openssl rand -hex 16)}"
-
-echo -e "${CYAN}"
-echo "╔══════════════════════════════════════════════════╗"
-echo "║   Synapse Homeserver — Matrix Phase 1 Deploy    ║"
-echo "╚══════════════════════════════════════════════════╝"
-echo -e "${NC}"
-info "Server name:  $SERVER_NAME"
-info "Admin user:   @$ADMIN_USER:$SERVER_NAME"
-info "Bot user:     @$BOT_USER:$SERVER_NAME"
-echo ""
-
-# --- Preflight ---
-info "Preflight checks..."
-command -v docker >/dev/null 2>&1 || error "docker not found. Install Docker first."
-command -v docker compose version >/dev/null 2>&1 || error "docker compose not found. Install Docker Compose plugin."
-info "Docker: $(docker --version | head -1)"
-info "Compose: $(docker compose version | head -1)"
-
-# --- Generate .env ---
-info "Generating .env..."
-POSTGRES_PASSWORD=$(openssl rand -hex 24)
-REGISTRATION_SECRET=$(openssl rand -hex 16)
-
-cat > .env <<EOF
-# Synapse deployment — generated $(date -u +%Y-%m-%dT%H:%M:%SZ)
-# DO NOT COMMIT THIS FILE
-
-POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-SYNAPSE_SERVER_NAME=${SERVER_NAME}
-SYNAPSE_REPORT_STATS=no
-REGISTRATION_SECRET=${REGISTRATION_SECRET}
-EOF
-chmod 600 .env
-info ".env written with secure permissions"
-
-# --- Prepare homeserver.yaml ---
-info "Preparing homeserver.yaml..."
-sed -i.bak "s/SERVER_NAME_PLACEHOLDER/${SERVER_NAME}/g" homeserver.yaml
-rm -f homeserver.yaml.bak
-info "Server name set to: $SERVER_NAME"
-
-# --- Generate signing key ---
-info "Generating signing key..."
-# Synapse will generate its own key on first run if missing
-# But we pre-create the data volume structure
-docker volume create synapse_data >/dev/null 2>&1 || true
-docker volume create synapse_db >/dev/null 2>&1 || true
-
-# --- Start the stack ---
-info "Starting Synapse + PostgreSQL..."
-docker compose up -d
-
-# --- Wait for Synapse to be healthy ---
-info "Waiting for Synapse to start (up to 120s)..."
-MAX_WAIT=120
-ELAPSED=0
-while [ $ELAPSED -lt $MAX_WAIT ]; do
-    if curl -sfS http://127.0.0.1:8008/health >/dev/null 2>&1; then
-        info "Synapse is healthy!"
-        break
-    fi
-    sleep 3
-    ELAPSED=$((ELAPSED + 3))
-    if [ $((ELAPSED % 15)) -eq 0 ]; then
-        info "Still waiting... (${ELAPSED}s)"
-    fi
-done
-
-if [ $ELAPSED -ge $MAX_WAIT ]; then
-    warn "Synapse did not respond within ${MAX_WAIT}s. Check logs:"
-    echo "  docker compose logs synapse"
-    error "Aborting registration."
-fi
-
-# --- Register admin user ---
-info "Registering admin user @$ADMIN_USER:$SERVER_NAME..."
-docker compose exec -T synapse register_new_matrix_user \
-    http://localhost:8008 \
-    -c /data/homeserver.yaml \
-    -u "$ADMIN_USER" \
-    -p "$ADMIN_PASS" \
-    --admin \
-    --no-extra-prompt 2>&1 || {
-    # User might already exist if re-running
-    warn "Admin user registration returned non-zero (may already exist)"
-}
-
-# --- Register bot user ---
-info "Registering bot user @$BOT_USER:$SERVER_NAME..."
-docker compose exec -T synapse register_new_matrix_user \
-    http://localhost:8008 \
-    -c /data/homeserver.yaml \
-    -u "$BOT_USER" \
-    -p "$BOT_PASS" \
-    --no-admin \
-    --no-extra-prompt 2>&1 || {
-    warn "Bot user registration returned non-zero (may already exist)"
-}
-
-# --- Get bot access token ---
-info "Acquiring bot access token..."
-BOT_TOKEN_RESPONSE=$(curl -sfS -X POST "http://127.0.0.1:8008/_matrix/client/v3/login" \
-    -H 'Content-Type: application/json' \
-    -d "{
-        \"type\": \"m.login.password\",
-        \"identifier\": {
-            \"type\": \"m.id.user\",
-            \"user\": \"${BOT_USER}\"
-        },
-        \"password\": \"${BOT_PASS}\",
-        \"device_name\": \"Hermes Agent\"
-    }")
-
-BOT_ACCESS_TOKEN=$(echo "$BOT_TOKEN_RESPONSE" | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])" 2>/dev/null || echo "FAILED_TO_EXTRACT")
-BOT_DEVICE_ID=$(echo "$BOT_TOKEN_RESPONSE" | python3 -c "import sys,json; print(json.load(sys.stdin)['device_id'])" 2>/dev/null || echo "UNKNOWN")
-
-if [ "$BOT_ACCESS_TOKEN" = "FAILED_TO_EXTRACT" ]; then
-    warn "Could not extract bot access token automatically."
-    warn "Login manually: curl -X POST http://127.0.0.1:8008/_matrix/client/v3/login ..."
-fi
-
-# --- Write credentials file ---
-CREDENTIALS_FILE="synapse-credentials.env"
-cat > "$CREDENTIALS_FILE" <<EOF
-# Synapse Credentials — generated $(date -u +%Y-%m-%dT%H:%M:%SZ)
-# Add these to hermes-agent's ~/.hermes/.env
-
-# Matrix integration
-MATRIX_HOMESERVER=http://${SERVER_NAME}:8008
-MATRIX_ACCESS_TOKEN=${BOT_ACCESS_TOKEN}
-MATRIX_USER_ID=@${BOT_USER}:${SERVER_NAME}
-MATRIX_DEVICE_ID=${BOT_DEVICE_ID}
-MATRIX_ENCRYPTION=true
-
-# Admin credentials (for user management)
-SYNAPSE_ADMIN_USER=@${ADMIN_USER}:${SERVER_NAME}
-SYNAPSE_ADMIN_PASSWORD=${ADMIN_PASS}
-
-# Bot credentials
-SYNAPSE_BOT_USER=@${BOT_USER}:${SERVER_NAME}
-SYNAPSE_BOT_PASSWORD=${BOT_PASS}
-EOF
-chmod 600 "$CREDENTIALS_FILE"
-info "Credentials written to: $CREDENTIALS_FILE"
-
-# --- Summary ---
-echo ""
-echo -e "${GREEN}╔══════════════════════════════════════════════════╗${NC}"
-echo -e "${GREEN}║          Synapse Deployed Successfully!         ║${NC}"
-echo -e "${GREEN}╚══════════════════════════════════════════════════╝${NC}"
-echo ""
-echo -e "  Server:       ${CYAN}https://${SERVER_NAME}${NC}"
-echo -e "  Client API:   ${CYAN}http://127.0.0.1:8008${NC}"
-echo -e "  Federation:   ${CYAN}https://${SERVER_NAME}:8448${NC}"
-echo ""
-echo -e "  Admin:        ${YELLOW}@${ADMIN_USER}:${SERVER_NAME}${NC}"
-echo -e "  Bot:          ${YELLOW}@${BOT_USER}:${SERVER_NAME}${NC}"
-echo -e "  Bot Token:    ${YELLOW}${BOT_ACCESS_TOKEN:0:20}...${NC}"
-echo ""
-echo -e "  Credentials:  ${CYAN}${SCRIPT_DIR}/${CREDENTIALS_FILE}${NC}"
-echo ""
-echo -e "${GREEN}Next steps:${NC}"
-echo "  1. Point DNS: ${SERVER_NAME} → $(curl -s ifconfig.me 2>/dev/null || echo '<VPS_IP>')"
-echo "  2. Set up TLS: nginx/certbot reverse proxy for :8008 and :8448"
-echo "  3. Copy credentials to hermes-agent: cp ${CREDENTIALS_FILE} ~/.hermes/.env"
-echo "  4. Start hermes: hermes gateway --platform matrix"
-echo ""
-echo "  Manage: docker compose logs -f | docker compose restart | docker compose down"
-echo "  Users:  docker compose exec synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml -u <user> -p <pass>"
-echo ""

docs/synapse-deployment.md

@@ -1,251 +0,0 @@
-# Synapse Homeserver Deployment Guide
-
-## Matrix Phase 1: Deploy Synapse on Ezra VPS
-
-Part of [Epic #269: Matrix Integration — Sovereign Messaging for Timmy](https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/269).
-
-## Architecture
-
-```
-┌─────────────────────────────────────────────────┐
-│ Ezra VPS (143.198.27.163)                       │
-│                                                 │
-│  ┌──────────┐     ┌─────────────────────────┐   │
-│  │  Nginx   │────▶│ Synapse (Docker)        │   │
-│  │ :443→8008│     │ Client API: localhost:8008│  │
-│  │ :8448→8448│    │ Federation: 0.0.0.0:8448│   │
-│  └──────────┘     └──────────┬──────────────┘   │
-│                              │                   │
-│                     ┌────────▼──────────┐        │
-│                     │ PostgreSQL 16     │        │
-│                     │ (Docker volume)   │        │
-│                     └───────────────────┘        │
-│                                                 │
-│  ┌──────────────────────────────────────────┐   │
-│  │ hermes-agent (gateway)                   │   │
-│  │ MATRIX_HOMESERVER=http://localhost:8008   │   │
-│  └──────────────────────────────────────────┘   │
-└─────────────────────────────────────────────────┘
-```
-
-## Prerequisites
-
-- Docker + Docker Compose plugin on Ezra VPS
-- SSH access: `ssh root@143.198.27.163`
-- DNS A record pointing to the VPS IP
-- (Recommended) Nginx + Certbot for TLS termination
-
-## Quick Start
-
-```bash
-# SSH into Ezra
-ssh root@143.198.27.163
-
-# Clone hermes-agent (if not present)
-cd /root
-git clone https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent.git
-cd hermes-agent/deploy/synapse
-
-# Deploy Synapse
-chmod +x setup.sh
-./setup.sh matrix.timmy-time.xyz
-
-# This will:
-#   1. Generate .env with database password
-#   2. Prepare homeserver.yaml
-#   3. Start Synapse + PostgreSQL via Docker Compose
-#   4. Wait for health
-#   5. Register admin + bot accounts
-#   6. Acquire bot access token
-#   7. Write synapse-credentials.env
-```
-
-## Step-by-Step
-
-### 1. DNS Configuration
-
-Point your Matrix domain to Ezra's IP:
-
-```
-Type  Name    Value
-A     matrix  143.198.27.163
-```
-
-Federation uses SRV records for port discovery, but direct `:8448` works without them.
-
-### 2. Deploy Synapse
-
-```bash
-cd /root/hermes-agent/deploy/synapse
-./setup.sh matrix.timmy-time.xyz hermes-bot 'your-secure-password'
-```
-
-Arguments:
-| Arg | Default | Description |
-|-----|---------|-------------|
-| `server_name` | (required) | Matrix domain (e.g., `matrix.timmy-time.xyz`) |
-| `admin_user` | `timmy-admin` | Admin account username |
-| `admin_password` | (random) | Admin account password |
-| `bot_user` | `hermes-bot` | Bot account username |
-| `bot_password` | (random) | Bot account password |
-
-### 3. TLS Termination (Nginx)
-
-Install Nginx + Certbot:
-
-```bash
-apt install -y nginx certbot python3-certbot-nginx
-
-# Client-server API
-cat > /etc/nginx/sites-available/matrix <<'EOF'
-server {
-    listen 443 ssl http2;
-    server_name matrix.timmy-time.xyz;
-
-    ssl_certificate /etc/letsencrypt/live/matrix.timmy-time.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/matrix.timmy-time.xyz/privkey.pem;
-
-    location / {
-        proxy_pass http://127.0.0.1:8008;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        client_max_body_size 50M;
-    }
-}
-
-server {
-    listen 8448 ssl http2;
-    server_name matrix.timmy-time.xyz;
-
-    ssl_certificate /etc/letsencrypt/live/matrix.timmy-time.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/matrix.timmy-time.xyz/privkey.pem;
-
-    location / {
-        proxy_pass http://127.0.0.1:8008;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-EOF
-
-ln -sf /etc/nginx/sites-available/matrix /etc/nginx/sites-enabled/
-nginx -t && systemctl reload nginx
-
-# Get cert
-certbot --nginx -d matrix.timmy-time.xyz
-```
-
-### 4. Wire Hermes Agent
-
-Copy the generated credentials to hermes-agent's environment:
-
-```bash
-# From synapse-credentials.env, add to ~/.hermes/.env:
-MATRIX_HOMESERVER=https://matrix.timmy-time.xyz
-MATRIX_ACCESS_TOKEN=<from synapse-credentials.env>
-MATRIX_USER_ID=@hermes-bot:matrix.timmy-time.xyz
-MATRIX_DEVICE_ID=<from synapse-credentials.env>
-MATRIX_ENCRYPTION=true
-```
-
-Then start the gateway:
-
-```bash
-hermes gateway --platform matrix
-```
-
-### 5. Verify
-
-```bash
-# Check Synapse health
-curl -s https://matrix.timmy-time.xyz/_matrix/client/versions
-
-# Check federation
-curl -s https://matrix.timmy-time.xyz:8448/_matrix/federation/v1/version
-
-# Check bot is connected
-# (should appear online in Element or any Matrix client)
-```
-
-## Management
-
-Use the management script for day-to-day operations:
-
-```bash
-cd /root/hermes-agent/deploy/synapse
-
-./manage.sh status        # container health
-./manage.sh logs          # tail logs
-./manage.sh restart       # restart Synapse
-./manage.sh backup        # backup DB + data
-./manage.sh update        # pull latest image
-./manage.sh create-user alice 'password123'
-./manage.sh create-user admin 'secret' admin
-```
-
-## Backups
-
-```bash
-./manage.sh backup
-# Creates: backups/YYYYMMDD_HHMMSS/
-#   ├── synapse_db.sql       (PostgreSQL dump)
-#   └── synapse_data.tar.gz  (media store + keys)
-```
-
-Automate with cron:
-
-```bash
-# Daily backup at 3 AM
-0 3 * * * cd /root/hermes-agent/deploy/synapse && ./manage.sh backup >> /var/log/synapse-backup.log 2>&1
-```
-
-## Troubleshooting
-
-### Synapse won't start
-```bash
-docker compose logs synapse
-# Common: PostgreSQL not ready. Wait for healthcheck.
-```
-
-### Bot can't connect
-```bash
-# Verify token is valid
-curl -H "Authorization: Bearer $MATRIX_ACCESS_TOKEN" \
-  https://matrix.timmy-time.xyz/_matrix/client/v3/account/whoami
-```
-
-### Federation not working
-```bash
-# Check port 8448 is open
-ss -tlnp | grep 8448
-# Check firewall
-ufw status
-```
-
-### High memory usage
-```bash
-# Check resource limits in docker-compose.yml
-docker stats synapse
-# Tune in homeserver.yaml: event_cache_size, caches
-```
-
-## Security Notes
-
-- Registration is disabled by default (`enable_registration: false`)
-- Rate limiting is enforced on login, registration, and messages
-- Federation certificate verification is enabled
-- `.env` and `synapse-credentials.env` are `chmod 600`
-- Client API binds to `127.0.0.1` only (use Nginx for public access)
-- Consider: firewall rules, fail2ban, regular backups
-
-## References
-
-- [Synapse Documentation](https://matrix-org.github.io/synapse/latest/)
-- [Matrix Spec](https://spec.matrix.org/)
-- [Epic #269: Matrix Integration](https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/269)
-- [Issue #272: Deploy Synapse on Ezra](https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/issues/272)
-- [Hermes Matrix Setup Guide](docs/matrix-setup.md)

hermes_state.py

@@ -32,7 +32,7 @@ T = TypeVar("T")
 
 DEFAULT_DB_PATH = get_hermes_home() / "state.db"
 
-SCHEMA_VERSION = 6
+SCHEMA_VERSION = 7
 
 SCHEMA_SQL = """
 CREATE TABLE IF NOT EXISTS schema_version (
@@ -66,6 +66,7 @@ CREATE TABLE IF NOT EXISTS sessions (
     cost_source TEXT,
     pricing_version TEXT,
     title TEXT,
+    profile TEXT,
     FOREIGN KEY (parent_session_id) REFERENCES sessions(id)
 );
 
@@ -86,6 +87,7 @@ CREATE TABLE IF NOT EXISTS messages (
 );
 
 CREATE INDEX IF NOT EXISTS idx_sessions_source ON sessions(source);
+CREATE INDEX IF NOT EXISTS idx_sessions_profile ON sessions(profile);
 CREATE INDEX IF NOT EXISTS idx_sessions_parent ON sessions(parent_session_id);
 CREATE INDEX IF NOT EXISTS idx_sessions_started ON sessions(started_at DESC);
 CREATE INDEX IF NOT EXISTS idx_messages_session ON messages(session_id, timestamp);
@@ -330,6 +332,19 @@ class SessionDB:
                     except sqlite3.OperationalError:
                         pass  # Column already exists
                 cursor.execute("UPDATE schema_version SET version = 6")
+            if current_version < 7:
+                # v7: add profile column to sessions for profile isolation (#323)
+                try:
+                    cursor.execute('ALTER TABLE sessions ADD COLUMN "profile" TEXT')
+                except sqlite3.OperationalError:
+                    pass  # Column already exists
+                try:
+                    cursor.execute(
+                        "CREATE INDEX IF NOT EXISTS idx_sessions_profile ON sessions(profile)"
+                    )
+                except sqlite3.OperationalError:
+                    pass
+                cursor.execute("UPDATE schema_version SET version = 7")
 
         # Unique title index — always ensure it exists (safe to run after migrations
         # since the title column is guaranteed to exist at this point)
@@ -362,13 +377,19 @@ class SessionDB:
         system_prompt: str = None,
         user_id: str = None,
         parent_session_id: str = None,
+        profile: str = None,
     ) -> str:
-        """Create a new session record. Returns the session_id."""
+        """Create a new session record. Returns the session_id.
+
+        Args:
+            profile: Profile name for session isolation. When set, sessions
+                are tagged so queries can filter by profile. (#323)
+        """
         def _do(conn):
             conn.execute(
                 """INSERT OR IGNORE INTO sessions (id, source, user_id, model, model_config,
-                   system_prompt, parent_session_id, started_at)
-                   VALUES (?, ?, ?, ?, ?, ?, ?, ?)""",
+                   system_prompt, parent_session_id, profile, started_at)
+                   VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)""",
                 (
                     session_id,
                     source,
@@ -377,6 +398,7 @@ class SessionDB:
                     json.dumps(model_config) if model_config else None,
                     system_prompt,
                     parent_session_id,
+                    profile,
                     time.time(),
                 ),
             )
@@ -505,19 +527,23 @@ class SessionDB:
         session_id: str,
         source: str = "unknown",
         model: str = None,
+        profile: str = None,
     ) -> None:
         """Ensure a session row exists, creating it with minimal metadata if absent.
 
         Used by _flush_messages_to_session_db to recover from a failed
         create_session() call (e.g. transient SQLite lock at agent startup).
         INSERT OR IGNORE is safe to call even when the row already exists.
+
+        Args:
+            profile: Profile name for session isolation. (#323)
         """
         def _do(conn):
             conn.execute(
                 """INSERT OR IGNORE INTO sessions
-                   (id, source, model, started_at)
-                   VALUES (?, ?, ?, ?)""",
-                (session_id, source, model, time.time()),
+                   (id, source, model, profile, started_at)
+                   VALUES (?, ?, ?, ?, ?)""",
+                (session_id, source, model, profile, time.time()),
             )
         self._execute_write(_do)
 
@@ -788,6 +814,7 @@ class SessionDB:
         limit: int = 20,
         offset: int = 0,
         include_children: bool = False,
+        profile: str = None,
     ) -> List[Dict[str, Any]]:
         """List sessions with preview (first user message) and last active timestamp.
 
@@ -799,6 +826,10 @@ class SessionDB:
 
         By default, child sessions (subagent runs, compression continuations)
         are excluded.  Pass ``include_children=True`` to include them.
+
+        Args:
+            profile: Filter sessions to this profile name. Pass None to see all.
+                (#323)
         """
         where_clauses = []
         params = []
@@ -813,6 +844,9 @@ class SessionDB:
             placeholders = ",".join("?" for _ in exclude_sources)
             where_clauses.append(f"s.source NOT IN ({placeholders})")
             params.extend(exclude_sources)
+        if profile:
+            where_clauses.append("s.profile = ?")
+            params.append(profile)
 
         where_sql = f"WHERE {' AND '.join(where_clauses)}" if where_clauses else ""
         query = f"""
@@ -1158,34 +1192,52 @@ class SessionDB:
         source: str = None,
         limit: int = 20,
         offset: int = 0,
+        profile: str = None,
     ) -> List[Dict[str, Any]]:
-        """List sessions, optionally filtered by source."""
+        """List sessions, optionally filtered by source and profile.
+
+        Args:
+            profile: Filter sessions to this profile name. Pass None to see all.
+                (#323)
+        """
+        where_clauses = []
+        params = []
+        if source:
+            where_clauses.append("source = ?")
+            params.append(source)
+        if profile:
+            where_clauses.append("profile = ?")
+            params.append(profile)
+
+        where_sql = f"WHERE {' AND '.join(where_clauses)}" if where_clauses else ""
+        query = f"SELECT * FROM sessions {where_sql} ORDER BY started_at DESC LIMIT ? OFFSET ?"
+        params.extend([limit, offset])
         with self._lock:
-            if source:
-                cursor = self._conn.execute(
-                    "SELECT * FROM sessions WHERE source = ? ORDER BY started_at DESC LIMIT ? OFFSET ?",
-                    (source, limit, offset),
-                )
-            else:
-                cursor = self._conn.execute(
-                    "SELECT * FROM sessions ORDER BY started_at DESC LIMIT ? OFFSET ?",
-                    (limit, offset),
-                )
+            cursor = self._conn.execute(query, params)
             return [dict(row) for row in cursor.fetchall()]
 
     # =========================================================================
     # Utility
     # =========================================================================
 
-    def session_count(self, source: str = None) -> int:
-        """Count sessions, optionally filtered by source."""
+    def session_count(self, source: str = None, profile: str = None) -> int:
+        """Count sessions, optionally filtered by source and profile.
+
+        Args:
+            profile: Filter to this profile name. Pass None to count all. (#323)
+        """
+        where_clauses = []
+        params = []
+        if source:
+            where_clauses.append("source = ?")
+            params.append(source)
+        if profile:
+            where_clauses.append("profile = ?")
+            params.append(profile)
+
+        where_sql = f"WHERE {' AND '.join(where_clauses)}" if where_clauses else ""
         with self._lock:
-            if source:
-                cursor = self._conn.execute(
-                    "SELECT COUNT(*) FROM sessions WHERE source = ?", (source,)
-                )
-            else:
-                cursor = self._conn.execute("SELECT COUNT(*) FROM sessions")
+            cursor = self._conn.execute(f"SELECT COUNT(*) FROM sessions {where_sql}", params)
             return cursor.fetchone()[0]
 
     def message_count(self, session_id: str = None) -> int:

tests/test_ssh_hermes_validation.py

@@ -0,0 +1,129 @@
+"""
+Test remote hermes path validation functions.
+"""
+
+import pytest
+import subprocess
+from unittest.mock import Mock, patch
+from tools.environments.ssh import SSHEnvironment
+
+
+class TestHermesPathValidation:
+    """Test hermes path validation functions."""
+    
+    def test_validate_remote_hermes_path_found(self):
+        """Test validation when hermes binary exists."""
+        # Mock SSHEnvironment
+        ssh_env = Mock(spec=SSHEnvironment)
+        ssh_env.run = Mock(return_value="FOUND")
+        
+        # Call validation
+        result = SSHEnvironment.validate_remote_hermes_path(ssh_env, "/usr/local/bin/hermes")
+        
+        # Verify result
+        assert result["available"] is True
+        assert result["path"] == "/usr/local/bin/hermes"
+        assert result["error"] is None
+    
+    def test_validate_remote_hermes_path_not_found(self):
+        """Test validation when hermes binary doesn't exist."""
+        # Mock SSHEnvironment
+        ssh_env = Mock(spec=SSHEnvironment)
+        ssh_env.run = Mock(return_value="NOT_FOUND")
+        
+        # Call validation
+        result = SSHEnvironment.validate_remote_hermes_path(ssh_env, "/invalid/path/hermes")
+        
+        # Verify result
+        assert result["available"] is False
+        assert result["path"] == "/invalid/path/hermes"
+        assert "not found" in result["error"].lower()
+    
+    def test_validate_remote_hermes_path_error(self):
+        """Test validation when SSH command fails."""
+        # Mock SSHEnvironment
+        ssh_env = Mock(spec=SSHEnvironment)
+        ssh_env.run = Mock(side_effect=subprocess.TimeoutExpired("cmd", 10))
+        
+        # Call validation
+        result = SSHEnvironment.validate_remote_hermes_path(ssh_env, "/usr/local/bin/hermes")
+        
+        # Verify result
+        assert result["available"] is False
+        assert "error" in result["error"].lower()
+    
+    def test_get_default_hermes_path(self):
+        """Test getting default hermes path."""
+        # Mock SSHEnvironment
+        ssh_env = Mock(spec=SSHEnvironment)
+        
+        # Test with local bin path found
+        ssh_env.run = Mock(return_value="/home/user/.local/bin/hermes")
+        result = SSHEnvironment._get_default_hermes_path(ssh_env)
+        assert result == "/home/user/.local/bin/hermes"
+        
+        # Test with wizard pattern
+        ssh_env.run = Mock(side_effect=["", "/root/wizards/ezra/hermes-agent/venv/bin/hermes"])
+        result = SSHEnvironment._get_default_hermes_path(ssh_env)
+        assert result == "/root/wizards/ezra/hermes-agent/venv/bin/hermes"
+    
+    def test_execute_hermes_command_success(self):
+        """Test successful hermes command execution."""
+        # Mock SSHEnvironment
+        ssh_env = Mock(spec=SSHEnvironment)
+        ssh_env.run = Mock(return_value="Job output here")
+        ssh_env.validate_remote_hermes_path = Mock(return_value={
+            "available": True,
+            "path": "/usr/local/bin/hermes",
+            "error": None
+        })
+        
+        # Call execution
+        result = SSHEnvironment.execute_hermes_command(ssh_env, "cron list", validate_path=True)
+        
+        # Verify result
+        assert result["success"] is True
+        assert result["stdout"] == "Job output here"
+        assert result["exit_code"] == 0
+        assert result["error"] is None
+    
+    def test_execute_hermes_command_validation_failed(self):
+        """Test hermes command execution when validation fails."""
+        # Mock SSHEnvironment
+        ssh_env = Mock(spec=SSHEnvironment)
+        ssh_env.validate_remote_hermes_path = Mock(return_value={
+            "available": False,
+            "path": "/invalid/path/hermes",
+            "error": "Hermes binary not found"
+        })
+        
+        # Call execution
+        result = SSHEnvironment.execute_hermes_command(ssh_env, "cron list", validate_path=True)
+        
+        # Verify result
+        assert result["success"] is False
+        assert "not found" in result["error"].lower()
+        assert result["exit_code"] == 1
+    
+    def test_execute_hermes_command_timeout(self):
+        """Test hermes command execution timeout."""
+        # Mock SSHEnvironment
+        ssh_env = Mock(spec=SSHEnvironment)
+        ssh_env.run = Mock(side_effect=subprocess.TimeoutExpired("cmd", 300))
+        ssh_env.validate_remote_hermes_path = Mock(return_value={
+            "available": True,
+            "path": "/usr/local/bin/hermes",
+            "error": None
+        })
+        
+        # Call execution
+        result = SSHEnvironment.execute_hermes_command(ssh_env, "cron list", validate_path=True)
+        
+        # Verify result
+        assert result["success"] is False
+        assert "timeout" in result["error"].lower()
+        assert result["exit_code"] == -1
+
+
+if __name__ == "__main__":
+    pytest.main([__file__])

tools/environments/ssh.py

@@ -311,3 +311,152 @@ class SSHEnvironment(PersistentShellMixin, BaseEnvironment):
                 self.control_socket.unlink()
             except OSError:
                 pass
+
+
+
+    def validate_remote_hermes_path(self, hermes_path: str = None) -> dict:
+        """
+        Validate that hermes binary exists and is executable on the remote host.
+        
+        Args:
+            hermes_path: Path to hermes binary. If None, uses default path.
+            
+        Returns:
+            dict with keys:
+                - available: bool (True if hermes is available)
+                - path: str (actual path found)
+                - error: str (error message if not available)
+        """
+        if hermes_path is None:
+            hermes_path = self._get_default_hermes_path()
+        
+        # Check if hermes binary exists and is executable
+        check_cmd = f"test -x {hermes_path} && echo 'FOUND' || echo 'NOT_FOUND'"
+        
+        try:
+            result = self.run(check_cmd, timeout=10)
+            if "FOUND" in result:
+                return {
+                    "available": True,
+                    "path": hermes_path,
+                    "error": None
+                }
+            else:
+                return {
+                    "available": False,
+                    "path": hermes_path,
+                    "error": f"Hermes binary not found or not executable: {hermes_path}"
+                }
+        except Exception as e:
+            return {
+                "available": False,
+                "path": hermes_path,
+                "error": f"Error validating hermes path: {str(e)}"
+            }
+    
+    def _get_default_hermes_path(self) -> str:
+        """Get the default hermes path for this host."""
+        # Try common paths in order of preference
+        paths_to_try = [
+            "~/.local/bin/hermes",  # Standard install location
+            "/root/wizards/*/hermes-agent/venv/bin/hermes",  # Wizard pattern
+            "/usr/local/bin/hermes",  # System install
+        ]
+        
+        for path_pattern in paths_to_try:
+            if "*" in path_pattern:
+                # Use find for glob patterns
+                find_cmd = f"find {path_pattern.replace('*', '*')} -maxdepth 0 2>/dev/null | head -1"
+                try:
+                    result = self.run(find_cmd, timeout=5)
+                    if result.strip():
+                        return result.strip()
+                except:
+                    continue
+            else:
+                # Direct path check
+                check_cmd = f"test -x {path_pattern} && echo {path_pattern}"
+                try:
+                    result = self.run(check_cmd, timeout=5)
+                    if result.strip():
+                        return result.strip()
+                except:
+                    continue
+        
+        # Fallback to wizard pattern
+        return "/root/wizards/*/hermes-agent/venv/bin/hermes"
+    
+    def execute_hermes_command(self, command: str, validate_path: bool = True) -> dict:
+        """
+        Execute a hermes command on the remote host with proper validation.
+        
+        Args:
+            command: Hermes command to execute (e.g., "cron list")
+            validate_path: Whether to validate hermes path before execution
+            
+        Returns:
+            dict with keys:
+                - success: bool (True if command executed successfully)
+                - stdout: str (command output)
+                - stderr: str (error output)
+                - exit_code: int (command exit code)
+                - error: str (error message if failed)
+        """
+        # Validate hermes path if requested
+        if validate_path:
+            validation = self.validate_remote_hermes_path()
+            if not validation["available"]:
+                return {
+                    "success": False,
+                    "stdout": "",
+                    "stderr": validation["error"],
+                    "exit_code": 1,
+                    "error": validation["error"]
+                }
+            hermes_path = validation["path"]
+        else:
+            hermes_path = self._get_default_hermes_path()
+        
+        # Build full command
+        full_command = f"{hermes_path} {command}"
+        
+        try:
+            # Execute command
+            result = self.run(full_command, timeout=300)
+            
+            # Check exit code - only mark success if exit code is 0
+            # Note: self.run() raises an exception on non-zero exit code,
+            # so if we get here, the command succeeded
+            return {
+                "success": True,
+                "stdout": result,
+                "stderr": "",
+                "exit_code": 0,
+                "error": None
+            }
+            
+        except subprocess.CalledProcessError as e:
+            # Command failed with non-zero exit code
+            return {
+                "success": False,
+                "stdout": e.stdout or "",
+                "stderr": e.stderr or "",
+                "exit_code": e.returncode,
+                "error": f"Command failed with exit code {e.returncode}"
+            }
+        except subprocess.TimeoutExpired:
+            return {
+                "success": False,
+                "stdout": "",
+                "stderr": "",
+                "exit_code": -1,
+                "error": "Command timed out"
+            }
+        except Exception as e:
+            return {
+                "success": False,
+                "stdout": "",
+                "stderr": "",
+                "exit_code": -1,
+                "error": f"Error executing command: {str(e)}"
+            }