hermes - 💡(How to fix) Fix [Feature]: update should support rollback and auto-rollback (commit/confirm with timeout) [1 participants]

Problem or Use Case

Problem

/update and hermes update have no rollback mechanism. If an update breaks the gateway, the agent, or a critical tool, the user must manually SSH in and run git reflog / git reset --hard to recover. Worse, if the update breaks gateway startup, the user loses their remote control channel entirely — the very channel they used to trigger the update.

Current Behavior

• Update does git pull --ff-only (or git reset --hard origin/main if histories diverge)
• Local changes are stashed, but there's no record of the pre-update commit for easy reversion
• If the new version is broken, recovery requires terminal access and git knowledge
• No health check after update — "it deployed" ≠ "it works"

Proposed Behavior: Commit/Confirm Pattern

Inspired by JunOS commit confirmed <timeout> — a well-proven pattern for remote configuration changes where a bad change can lock you out of the management channel:

/update
→ (shows changelog — see companion issue)
→ /update confirm
→ "⚕ Updating... gateway will restart.
    You have 10 minutes to send /confirm.
    If I don't hear from you, I'll auto-rollback to <commit-sha>."
→ (update, restart)
→ (gateway comes back up)
→ "✓ Update complete! Running <new-version>.
    Send /confirm within 9m to keep this version,
    or I'll auto-rollback."

/confirm
→ "✓ Update confirmed. Rollback timer cancelled."

If no /confirm arrives within the timeout:

→ (auto-rollback to saved commit SHA)
→ (pip install, gateway restart)
→ "⚠ No /confirm received — rolled back to <old-version>.
    The update may have caused issues. You can retry with /update
    or investigate with /debug."

Implementation Sketch

Pre-update checkpoint:

# In cmd_update(), before git pull:
pre_update_sha = subprocess.check_output(
    ["git", "rev-parse", "HEAD"], cwd=PROJECT_ROOT
).decode().strip()
# Save to ~/.hermes/.update_checkpoint.json
{
    "pre_update_sha": pre_update_sha,
    "timestamp": "...",
    "timeout_seconds": 600,
    "confirmed": false
}

Post-restart watchdog:

• Gateway startup checks for .update_checkpoint.json
• If found and confirmed == false, starts a countdown timer
• Timer sends a reminder at T-2min, T-1min
• On expiry: runs git reset --hard <pre_update_sha>, reinstalls deps, restarts gateway

/confirm command:

• Sets confirmed = true in checkpoint file
• Cancels the watchdog timer
• Deletes the checkpoint file

Manual rollback:

/rollback update    — immediately revert to pre-update commit

Edge Cases

1. Gateway won't start after update — The watchdog can't run inside a dead gateway. Options:

   • A separate lightweight watchdog process spawned before the update (like a cron job or systemd timer)
   • hermes update itself sets a system-level timer (at command or temp systemd timer) as a dead-man's switch

2. User is slow but update is fine — Reminder messages help; timeout should be configurable (/update --timeout 30m)

3. Multiple rapid updates — Each update overwrites the checkpoint; only the most recent pre-update SHA is saved

4. Stashed local changes — The existing stash mechanism should be preserved; rollback should also restore the stash

Motivation

Any system where applying a change can break the management channel needs a dead-man's switch. This is standard practice in network operations (JunOS commit confirmed, IOS XE configure replace ... revert trigger timer). Hermes is in the same category — /update modifies the very codebase that handles /update, and the gateway restart means there's a window where a broken update = total loss of remote control.

[This enhancement request generated by Hermes agent at my behest]

Proposed Solution

Enhance request to improve robustness of /update command, especially when operated remotely over a gateway.

Alternatives Considered

No response

Feature Type

New bundled skill

Scope

Medium (few files, < 300 lines)

Contribution

• I'd like to implement this myself and submit a PR

Debug Report (optional)