Feature: read-only GitHub bridge for Hermes Kanban

[steezkelly]

Feature Description

Add a read-only-first GitHub bridge for Hermes Kanban so Hermes can monitor linked GitHub issues/PRs/checks without making GitHub a competing task source of truth.

Motivation

Hermes Kanban is the canonical internal execution/control plane. GitHub is the public collaboration and upstream artifact layer.

We need integration between them, but the safe architectural boundary is:

Hermes Kanban = internal task truth
GitHub Issues/PRs = external collaboration/upstream state
Bridge = metadata sync and status monitor, not a replacement planner

This would help with workflows like:

• Track PR CI/review status from a Kanban card.
• Link a Kanban task to a GitHub issue or PR.
• Surface action-required CI states.
• Attach worker logs/test summaries to PR comments when explicitly requested.
• Close or unblock Kanban cards when upstream PRs merge.

Proposed Phases

Phase 1: Read-only import/monitoring

• Configure watched repositories.
• Link existing Kanban cards to GitHub issue/PR URLs.
• Poll or webhook GitHub state into Kanban metadata/comments:
  • PR open/closed/merged
  • mergeability
  • review decision
  • check suite status
  • action_required state for fork PR workflows
• No automatic writes to GitHub.

Phase 2: Explicit outbound comments

• Allow a user/agent to explicitly post:
  • local test summary
  • worker log summary
  • review-required status
  • CI diagnosis
• Require an explicit command/action for GitHub writes.
• Redact secrets before any outbound comment.

Phase 3: Card lifecycle integration

• If linked PR merges, mark card ready for verification or done depending on card policy.
• If linked PR closes unmerged, block or reopen the card with reason.
• If CI fails, move/keep card blocked with check-run evidence.

Phase 4: Optional issue/PR creation from Kanban

• Promote a Kanban finding into a GitHub issue.
• Promote a branch/worktree into a PR.
• Keep generated issue/PR URL stored in card metadata.

Non-Goals

• Do not replace Hermes Kanban with GitHub Projects.
• Do not make GitHub Issues the internal task queue.
• Do not automatically post internal logs to GitHub without explicit consent.
• Do not run arbitrary code from GitHub webhooks.

Safety / Security Requirements

• Secret redaction before any GitHub write.
• Read-only default token scope where possible.
• Explicit per-repo allowlist.
• Webhook signatures verified if webhook mode is supported.
• Rate-limit and backoff behavior for polling.
• Clear audit trail in Kanban comments/metadata.

Acceptance Criteria

• A Kanban card can store a linked GitHub issue/PR URL.
• Hermes can refresh and display GitHub state for linked cards.
• Fork PR action_required workflow state is detected and surfaced.
• No GitHub write occurs unless explicitly requested.
• The bridge preserves Hermes Kanban as the single internal source of truth.

[teknium1]

Closing as out of scope for core — this is plugin-shape work, not kanban-kernel work. The architectural framing in your issue is right (Kanban = internal truth, GitHub = external collaboration, bridge ≠ replacement planner) and the phased plan is a sane shape; what's moved on main since you filed it is that the primitives a bridge would need are now all available, just not assembled into a single feature.

Already in place on main:

• Five bundled GitHub skills — github-auth, github-issues, github-pr-workflow, github-repo-management, github-code-review. Workers can be assigned tasks like "review PR test(tools): add unit tests for memory_tool.py #123" with kanban_create(skills=["github-code-review"]) and the agent uses gh CLI through its terminal toolset.
• hermes webhook subscribe — inbound HTTP webhooks already route to agent runs. GitHub webhooks (push, PR opened, CI complete) can trigger Hermes today via this surface.
• kanban_comment(body=...) — durable annotation channel for arbitrary structured metadata (PR url, CI status snapshot, review decision, etc.). No schema work needed for the free-form path.
• kanban_create(skills=[...]) — per-task skill attachment, so a task can carry the GitHub-aware skill without the assignee profile needing it permanently.

Why a plugin and not core:

1. The kanban kernel intentionally doesn't know about external systems. Adding a github_url column / GitHub state polling / PR-merge-closes-card semantics into the kernel would couple it to one upstream collaboration system; the next ask would be GitLab, Forgejo, etc.
2. The plugin surface already supports periodic background hooks (on_session_start / on_session_end / scheduled via cronjob), custom CLI subcommands, and dashboard tabs (the kanban dashboard itself is a plugin — plugins/kanban/).
3. Per the project rule "plugins NEVER add code to the core codebase": if the plugin needs a capability the framework doesn't support (richer plugin hook events, kanban metadata schema for external links, etc.), the right move is expanding the generic plugin surface, not GitHub-specific kernel work.

What a plugins/kanban-github-bridge/ would look like for a future implementer:

• Periodic poller (cronjob-driven) or webhook receiver that watches a configured repo/owner allowlist from ~/.hermes/config.yaml under kanban.github_bridge:.
• When it sees a state change on a PR/issue whose URL appears in a kanban card's comments or metadata.github_url, it adds a kanban_comment with the new state and (if configured) flips status — kanban_block(reason="ci-failed: ...") on red CI, kanban_complete on PR merge if the card policy allows it.
• Token resolution via gh auth status (already part of the agent's GitHub skill suite).
• Read-only by default; explicit --allow-write or per-card opt-in for outbound comments / PR creation.
• Dashboard tab (under plugins/kanban-github-bridge/dashboard/) showing linked PRs and their last-seen state, mirroring the plugins/kanban/dashboard/ shape.

Reopening this is welcome if/when a contributor (or you) wants to build the plugin. The contract above is the rough sketch; specifics are open.

Thanks @steezkelly — the architectural sketch was the kind of "here's how I want the boundary to look" framing that's useful even when the answer is "build it outside core."