mage0535

Originally published at hermes-agent.nousresearch.com

Hermes Memory Installer: Memory Sidecar v3.5.1 — Operational Hardening for Agent-Agnostic Memory

Memory Sidecar v3.5.1 is now public, and with it comes a focused set of operational hardening improvements for teams running agent-agnostic memory infrastructure. If you've been using the sidecar to decouple memory management from your AI agents, this release is about making that setup more resilient, secure, and production-ready without introducing new surface features. The hermes-memory-installer has been updated to streamline deployment of this version, so let's look at what changed and why it matters.

Operational Hardening in Practice

The headline for v3.5.1 is "operational hardening" – not a new protocol, not a new storage backend, but a deep cleanup of how the sidecar behaves under load, during failures, and when handling sensitive data. The team addressed several pain points that emerged from real-world deployments:

  • TLS by default: All internal communication between the sidecar and memory providers is now encrypted. The installer generates a self-signed certificate on first run, but also exposes --tls-cert and --tls-key flags for bring-your-own-cert. No more accidental plaintext memory dumps over the wire.

  • Connection pooling with backpressure: The sidecar previously opened a new connection per agent request. v3.5.1 introduces configurable pool sizes and a circuit-breaker that stops accepting new memory operations if the store layer is unresponsive for more than --backpressure-timeout (default 10s). This prevents cascading failures when the backing database stalls.

  • Resource quota enforcement: You can now cap memory usage per agent session using --max-memory-bytes and --max-entry-count. The sidecar evicts oldest entries (LRU) when limits are hit, rather than failing writes. This is crucial in multi-tenant environments where one runaway agent shouldn't exhaust heap for everyone.

  • Structured audit logging: Every memory operation (read, write, delete) is logged with a correlation ID, agent label, and timestamp. The logs are JSON-formatted and ship to stdout by default, ready for ingestion by Loki or similar tools. No more grep'ing through opaque strings.
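
The eviction behaviour described in the resource quota bullet above, as an added example that is not the sidecar's own code: a per-session store that applies both caps and evicts least-recently-used entries instead of failing writes. The class names are hypothetical, sizes count value bytes only, and two behaviours are assumptions the page does not specify: reads refresh recency, and an entry larger than the whole byte quota is rejected.

```python
from collections import OrderedDict

class SessionQuotaStore:
    """One session's entries, capped by total value bytes and by entry count."""
    def __init__(self, max_memory_bytes, max_entry_count):
        self.max_memory_bytes = max_memory_bytes
        self.max_entry_count = max_entry_count
        self.entries = OrderedDict()  # key -> bytes, least recently used first
        self.used_bytes = 0

    def get(self, key):
        value = self.entries.get(key)
        if value is not None:
            self.entries.move_to_end(key)  # assumption: a read refreshes recency
        return value

    def put(self, key, value):
        """Store value and return the list of keys evicted to make room."""
        if len(value) > self.max_memory_bytes:
            # Assumption: an entry that can never fit is rejected, not stored.
            raise ValueError("entry exceeds session byte quota")
        if key in self.entries:  # overwrite: release the old value's bytes first
            self.used_bytes -= len(self.entries.pop(key))
        evicted = []
        while self.entries and (
            self.used_bytes + len(value) > self.max_memory_bytes
            or len(self.entries) + 1 > self.max_entry_count
        ):
            old_key, old_value = self.entries.popitem(last=False)
            self.used_bytes -= len(old_value)
            evicted.append(old_key)
        self.entries[key] = value
        self.used_bytes += len(value)
        return evicted

class QuotaSidecar:
    """One quota-bound store per session, so one tenant cannot starve another."""
    def __init__(self, max_memory_bytes, max_entry_count):
        self.limits = (max_memory_bytes, max_entry_count)
        self.sessions = {}

    def put(self, session_id, key, value):
        store = self.sessions.setdefault(session_id, SessionQuotaStore(*self.limits))
        return store.put(key, value)

    def get(self, session_id, key):
        store = self.sessions.get(session_id)
        return store.get(key) if store else None
```

Because the write succeeds either way, the returned eviction list is the only signal that older memory was dropped; recording it alongside the write makes silent data loss visible in the audit trail.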

Agent-Agnostic Architecture

The sidecar remains completely framework-agnostic. It exposes a simple gRPC API (MemoryService) with Put, Get, Delete, and ListKeys RPCs. Any agent – whether built with LangChain, LlamaIndex, or a custom orchestrator – can communicate with it via a generated client or plain HTTP/gRPC. The v3.5.1 installer bundles compiled protobuf definitions and client stubs for Go, Python, and TypeScript.

# Example: configure and start the sidecar via hermes-memory-installer
$ hermes-memory-installer install \
    --namespace ai-memory \
    --memory-backend postgres \
    --postgres-dsn "postgres://user:pass@host:5432/memory?sslmode=require" \
    --tls-enable \
    --max-memory-bytes 536870912 \
    --max-entry-count 10000 \
    --audit-log-level info

This command deploys the sidecar as a Kubernetes Deployment and Service, with the specified operational constraints. The installer also injects a readiness probe that checks the memory backend health and a liveness probe that verifies the gRPC endpoint responds. If you're running outside Kubernetes, hermes-memory-installer run launches the sidecar as a standalone binary with the same flags.

Upgrading and Migration

For existing installations, the upgrade from v3.5.0 is straightforward – the installer detects the previous version and performs a rolling update. The only breaking change is that TLS is now mandatory unless you explicitly pass --tls-disable. The audit log format changed slightly (new field session_id), so update your ingestion pipelines if you rely on parsing. Otherwise, the API is fully backward compatible.

The installer also includes a hermes-memory-installer validate command that checks your configuration against the new hardening rules before applying any changes. This catches common misconfigurations like expired certificates or missing backend credentials early.

Bottom Line

Memory Sidecar v3.5.1 is a maintenance release with teeth. It doesn't add flashy features, but it addresses the operational friction that teams hit when running agent memory at scale. If you're evaluating memory solutions for multi-agent systems or looking for a drop-in sidecar that doesn't tie you to a specific framework, this is the most stable version to date. The hermes-memory-installer makes it easy to get the hardened runtime into your cluster without hand-rolling your own deployment logic. Upgrade, validate, and enjoy fewer surprises at 3 AM.
