docs: Hermes MCP integration — client + server architecture (#1121)

Resolves #1121. Comprehensive documentation for Model Context
Protocol integration into Hermes.

Covers:
- MCP client: loading servers from config, tool discovery, routing
- MCP server: exposing Hermes tools to external MCP clients
- Configuration schema (mcp_servers.json, mcp_server_config.json)
- Supported transports (stdio, HTTP/SSE)
- Poka-yoke error handling
- Security: auth tokens, tool exposure whitelist
- Testing with MCP inspector
- Troubleshooting guide
- Existing code inventory

docs/hermes-mcp.md

@@ -0,0 +1,175 @@
+# Hermes MCP Integration — Model Context Protocol
+
+Issue #1121. Integrating MCP natively into Hermes for cross-agent tool compatibility.
+
+## What is MCP?
+
+Model Context Protocol (MCP) is the "USB-C for AI tools" — a standardized protocol for AI agents to discover, invoke, and expose tools. Claude Desktop, Cursor, and a growing ecosystem speak it.
+
+Hermes currently has a bespoke tool system (`tools/*.py`). Adding MCP makes us compatible with the broader agent ecosystem without rewriting every integration.
+
+## Architecture
+
+```
+┌─────────────────────────────────────┐
+│         Hermes Agent                │
+│  ┌───────────┐  ┌───────────────┐  │
+│  │ MCP Client│  │  MCP Server   │  │
+│  │ (outbound)│  │  (inbound)    │  │
+│  └─────┬─────┘  └───────┬───────┘  │
+│        │                │          │
+│  ┌─────┴─────┐  ┌───────┴───────┐  │
+│  │ External  │  │ External      │  │
+│  │ MCP       │  │ MCP Clients   │  │
+│  │ Servers   │  │ (Claude,      │  │
+│  │ (tools)   │  │  Cursor, etc) │  │
+│  └───────────┘  └───────────────┘  │
+└─────────────────────────────────────┘
+```
+
+## Phase 1: MCP Client — Call External Servers
+
+### Configuration
+
+Hermes loads MCP servers from `~/.hermes/mcp_servers.json`:
+
+```json
+{
+  "mcpServers": {
+    "desktop-control": {
+      "command": "python3",
+      "args": ["mcp_servers/desktop_control_server.py"]
+    },
+    "steam-info": {
+      "command": "python3",
+      "args": ["mcp_servers/steam_info_server.py"]
+    },
+    "github": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-github"],
+      "env": {
+        "GITHUB_TOKEN": "${GITHUB_TOKEN}"
+      }
+    }
+  }
+}
+```
+
+### How It Works
+
+1. On startup, `tools/mcp_tool.py` reads `mcp_servers.json`
+2. For each server, spawns the process and initializes MCP connection
+3. Discovers tools via MCP `tools/list` endpoint
+4. Registers discovered tools in the Hermes tool registry
+5. Routes tool calls to the appropriate MCP server via `tools/call`
+
+### Supported Transports
+
+- **stdio**: Server communicates via stdin/stdout (most common)
+- **HTTP/SSE**: Server exposes HTTP endpoint with Server-Sent Events
+
+### Error Handling
+
+- If an MCP server fails to start, Hermes logs the error but continues
+- If a tool call to an MCP server fails, the error is returned to the agent
+- Server health is checked on each tool call; dead servers are restarted
+
+## Phase 2: MCP Server — Expose Hermes Tools
+
+### Running the Server
+
+```bash
+python -m hermes.mcp_server
+```
+
+Or from the-nexus:
+
+```bash
+python3 mcp_servers/desktop_control_server.py
+```
+
+### Exposed Tools
+
+Hermes exposes selected tools via MCP:
+
+| Tool | Description | MCP Schema |
+|------|-------------|------------|
+| session_search | Search past conversations | Query + limit |
+| skill_view | Load a skill's content | Skill name |
+| terminal | Run shell commands | Command string |
+| file_read | Read a file | Path |
+| web_search | Search the web | Query |
+
+### Configuration
+
+Tools to expose are configured in `~/.hermes/mcp_server_config.json`:
+
+```json
+{
+  "expose_tools": ["session_search", "skill_view", "terminal", "file_read"],
+  "require_auth": true,
+  "auth_token": "${MCP_SERVER_TOKEN}"
+}
+```
+
+## Phase 3: Integration + Hardening
+
+### Poka-Yoke (Error-Proofing)
+
+1. **Server startup failure**: Log error, don't crash, continue with other servers
+2. **Tool discovery failure**: Skip that server's tools, log warning
+3. **Tool call timeout**: Return error to agent, don't hang
+4. **Invalid MCP response**: Log and return structured error
+
+### Security
+
+- MCP servers run in isolated processes (not in-agent)
+- Auth tokens for remote servers stored in `~/.hermes/.env`
+- Tool calls are logged for audit
+- Dangerous tools (terminal, file write) are NOT exposed via MCP server by default
+
+### Testing
+
+```bash
+# Test MCP client
+pytest tests/test_mcp.py -v -k client
+
+# Test MCP server
+pytest tests/test_mcp.py -v -k server
+
+# Test with inspector
+npx @modelcontextprotocol/inspector python -m hermes.mcp_server
+```
+
+## Existing MCP Code
+
+| File | Purpose |
+|------|---------|
+| `tools/mcp_tool.py` | MCP client tool implementation |
+| `tools/mcp_oauth.py` | OAuth support for remote MCP servers |
+| `mcp_config.json` | Server configuration (the-nexus) |
+| `mcp_servers/desktop_control_server.py` | Desktop control MCP server |
+| `mcp_servers/steam_info_server.py` | Steam info MCP server |
+
+## Setup
+
+1. Install MCP SDK: `pip install mcp>=1.0.0`
+2. Configure servers: edit `~/.hermes/mcp_servers.json`
+3. Start Hermes: MCP servers are loaded automatically
+4. Verify: run `hermes tools list` to see MCP-discovered tools
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| MCP server won't start | Check command path, run manually to see error |
+| Tools not discovered | Check server responds to `tools/list` |
+| Tool call fails | Check server logs, verify auth tokens |
+| Hermes hangs on startup | MCP server timeout — increase or disable slow server |
+
+## Sources
+
+- MCP Specification: https://modelcontextprotocol.io
+- Issue #1121: MCP integration requirements
+- Issue #1120: Linked epic
+- tools/mcp_tool.py: Existing Hermes MCP implementation