# Hermes Agent on Lightvela: Two-Server Architecture

## The Pitfall

When users access Hermes Agent through Lightvela (腾讯云轻量应用服务器 Agent 管理平台), the Agent runs on a **separate server provisioned by Lightvela** — NOT on the user's own Lighthouse instance.

| | User's Lighthouse | Lightvela Agent Server |
|---|---|---|
| Instance ID format | `lhins-xxxx` | `ins-xxxx` |
| Region | User's choice (e.g., Beijing) | Lightvela-assigned (e.g., Shanghai) |
| Visibility in 腾讯云控制台 | ✅ User's own console | ❌ Not visible to user |
| Network | User's own VPC/firewall | Isolated, all inbound ports blocked |
| SSH access | User's key | Lightvela-managed only |
| File manager access | ✅ 腾讯云控制台 Lighthouse file manager | ❌ Only via Lightvela's own file UI (per-account isolated) |

**Key symptom**: User says "I only have one server" or "I can't find /home/agentuser in the file manager" — they're looking at their own Lighthouse instance, not the Lightvela server.

## Network Isolation

The two servers CANNOT communicate directly:
- All common ports (22, 80, 443, 8080) are closed between them
- No SSH possible between them
- No file transfer possible between them

## File Sharing Solutions

### Option 1: Cloudflared tunnel web file browser (preferred)
The Agent server typically has a file browser exposed via cloudflared (e.g., `https://files.gdcjgk.net`). Team members access it via browser.

### Option 2: Package and migrate to Lighthouse
```bash
# On Agent server: package data
tar czf hermes-data.tar.gz ~/.hermes/知识库/ ~/.hermes/运营数据/ ~/project/scripts/
```

**PITFALL**: `files.gdcjgk.net` uses Cloudflare Access authentication. This blocks non-browser agents — `curl` with basic auth gets `403 Forbidden` (Cloudflare bot protection). Only browser-based downloads work.

**Workaround — GitHub API relay**: When the target server can't use a browser, upload the file to GitHub via REST API (api.github.com is usually reachable from Chinese servers) and download from `raw.githubusercontent.com` (also reachable). See `github-api-push` skill's "Cross-Server File Transfer" section. One-liner for the target server:
```bash
curl -L -o file.tar.gz https://raw.githubusercontent.com/OWNER/temp-files/main/file.tar.gz && tar -xzf file.tar.gz -C /target/
```

### Option 3: Bidirectional sync via shared directory
Create a shared directory on the Agent server outside `.hermes/` (since `.hermes/` is locked to 700), expose via cloudflared file browser.

## Hermes Directory Permission Lock

`~/.hermes/` is **automatically locked to 700** (`drwx------`) by the Hermes process. This is a security mechanism — not a bug.

- Cannot `chmod 755` or `chmod 711` — permissions are reverted within seconds
- Cannot create symlinks that bypass the permission check (kernel resolves through the path)
- The correct approach: create shared directories OUTSIDE `.hermes/`, use cron rsync for bidirectional sync

### Working sync pattern:
```bash
#!/bin/bash
# /root/sync_shared.sh — runs hourly via root crontab
DIRS=("知识库" "运营数据")
SRC=/home/agentuser/.hermes
DST=/root/.hermes/共享数据  # or any path visible to file manager

for d in "${DIRS[@]}"; do
    mkdir -p "$SRC/$d" "$DST/$d"
    rsync -a --ignore-existing "$SRC/$d/" "$DST/$d/"
    rsync -a --ignore-existing "$DST/$d/" "$SRC/$d/"
done
```

### Custom file browser discovery:
Server may have a custom web file browser (e.g., `/root/file-browser.py` on port 8088). Check its `ROOT` variable — the browser only shows files under that root. If the root is `/root/.hermes`, files must be placed there to be visible.
