feat: per-agent toolset restriction for orchestrator pattern (parent-scoped no_mcp)

[davidgut1982]

Problem

When running Hermes as an orchestrator that delegates to specialized sub-agents via `delegate_task` + `agent_profiles`, there is no mechanism to restrict the orchestrator's tool schemas without also blocking sub-agent tool access.

Observed behavior

With the orchestrator pattern (SOUL.md routing table + agent_profiles), the main agent:

• Makes a single routing decision (classifies intent → calls `delegate_task(profile="mail")`)
• Uses 29 completion tokens to do so
• But loads ~14,000 prompt tokens of MCP tool schemas to make that decision

The orchestrator doesn't need fastmail, proxmox, tavily, etc. — it only needs `delegate_task`. The sub-agents (spawned via profiles) need those domain tools.

What was tried

Attempt 1: `platform_toolsets.cli/api_server: [delegation, no_mcp]`

• `no_mcp` correctly strips all MCP schemas from the orchestrator platform ✓
• But `no_mcp` is platform-scoped — it also prevents sub-agents from loading their profile-defined toolsets ✗
• Result: gateway instability and broken sub-agent tool access

Attempt 2: `mcp_servers..enabled: false` on domain servers

• Reduces orchestrator token load ✓
• But `enabled: false` is global — sub-agents with `toolsets: ["mcp-fastmail"]` in their profile can't access disabled servers ✗
• Result: sub-agents silently have no domain tools

Neither mechanism supports the pattern: restrict parent, allow children.

Desired behavior

A way to say: "the orchestrator agent should not load these tool schemas, but child agents spawned via `delegate_task` with an `agent_profiles` entry that explicitly requests them should still get them."

Proposed solutions (any would work)

Option A: `inherit_mcp_toolsets` applied in reverse — profile toolsets override parent restriction

When a child is spawned with `agent_profiles..toolsets: ["mcp-fastmail"]`, the profile's explicit toolset list should always resolve against the full `mcp_servers` config, regardless of what the parent's platform toolset is.

Option B: `platform_toolsets` supports a `parent_only: true` flag

```yaml
platform_toolsets:
api_server:
toolsets: [delegation, no_mcp]
parent_only: true # child agents spawned from this platform ignore these restrictions
```

Option C: Separate `orchestrator_toolsets` config key

```yaml
orchestrator_toolsets:

• delegation
• mcp-knowledge

domain servers not listed here → not loaded for orchestrator

but still available to child agents via agent_profiles

```

Option D: `agent_profiles` toolsets always resolve from full mcp_servers config

Document (or enforce) that profile `toolsets` always resolve from the full `mcp_servers` list, bypassing parent platform restrictions. This makes `no_mcp` safe to use on the parent since child toolsets come from a different resolution path.

Context

• Discovered during production testing of the orchestrator routing pattern (SOUL.md intent routing + agent_profiles)
• Related to PR feat(delegation): agent profiles for delegate_task (#9459) #18522 (agent_profiles implementation by @w87x)
• Token impact: orchestrator call = 14K prompt tokens, 29 completion tokens (1 function call) — 99.8% of tokens are unused tool schemas
• KV cache mitigates cost but not latency or the architectural incorrectness
• The multiple-Hermes-instance workaround (separate HERMES_HOME per domain) solves this at infrastructure cost but shouldn't be required for basic orchestrator setup

Environment

• hermes-agent 0.14.0
• Production homelab deployment
• 9 MCP servers configured (~146 tools total)
• Orchestrator + 5 domain profiles (mail, search, homelab, calendar, dealfinder)

[davidgut1982]

Adding context from testing agent_profiles (PR #18522) in production — specifically the cross-framework research and product-identity framing, which I think strengthens the case for why this gap matters architecturally.

How every major framework solves this

The pattern is consistent across LangGraph, CrewAI, AutoGen, OpenAI Swarm/Agents SDK, and Pydantic AI: the orchestrator sees routing stubs only — never domain tool schemas.

Framework	Mechanism
LangGraph	Supervisor node receives transfer_to_X() stubs per subgraph. Domain schemas never appear in supervisor context.
CrewAI	Coordinator has task-assignment tools only. Crew members have domain tools. Schemas don't cross layers.
AutoGen	AssistantAgent + UserProxyAgent separation. Orchestrating agent has conversation/routing functions; domain agents have domain functions.
OpenAI Swarm / Agents SDK	Handoff model. Orchestrator has transfer_to_X stubs. On handoff, the new agent's full tool schema replaces the old one in context. User sees one coherent identity.
Pydantic AI	Explicit tool registration per Agent() instance. Orchestrators register routing functions; workers register domain functions.

This isn't coincidence — it's the only shape that keeps orchestrator token cost proportional to routing complexity, not domain tool count.

What this looks like in practice with hermes-agent today

With agent_profiles configured across 5 domains (mail, search, homelab, calendar, deals):

1. User sends: "show me my last 5 ad emails"
2. hermes-agent loads all MCP schemas — Fastmail, Tavily, Exa, Proxmox, cluster-ops, Prometheus, calendar tools, deal tools — ~12,000–14,000 tokens
3. Orchestrator decides: mail task → delegate_task(profile="mail")
4. Child agent loads only Fastmail + knowledge tools — correct, cheap

The child execution is right. The routing decision is paying for schemas it never uses.

Product-identity framing

This matters for how the fix is designed, not just whether it gets done.

hermes-agent is positioned as a personal assistant — one identity, not a visible pipeline. The user shouldn't know (or care) which sub-agent handled their request. Routing should be invisible. The voice should be consistent.

The OpenAI Swarm model is the right identity contract for this: single coherent identity, per-turn tool context switching, handoffs invisible to the user. The orchestrator's job is to hand off, not to execute.

That frames what "fixed" looks like: when the orchestrator is active, it gets routing stubs and nothing else. When a domain agent is active, it gets its domain tools and nothing else. Token cost for routing: ~500. Token cost for execution: proportional to the domain, not the sum of all domains.

Why config can't bridge this gap today

Per the testing done for #18522:

• platform_toolsets + no_mcp restricts by platform, not by active agent. It also strips MCP from children (child toolset resolution intersects against parent's loaded tools — with no_mcp parent, children get nothing).
• disabled_toolsets in config: silently ignored due to _load_config() in delegate_tool.py never reads persistent config — breaks all delegation.* settings in v0.14.0 #32671 (_load_config() never reads the delegation block at runtime).
• No per-profile orchestrator restriction exists.

So there's no workaround path — this requires the architectural change described in this issue.

What would complete the picture

Combined with #15528 (child-only MCP config) and #32671 (fix _load_config()), the minimal change that would get hermes-agent to the universal pattern:

Profile toolset resolution bypasses parent enabled_toolsets and resolves directly from mcp_servers config. Orchestrator profile configured with routing stubs only. Domain profiles configured with domain tools only.

Happy to provide token benchmarks, reproduce configs, or test cases against a patched build if that would help move this forward.