Feature: Single-Daemon Multi-Agent with Per-Topic Workspace & Memory Isolation

[willy-scr]

Overview

Hermes currently requires one profile (and one gateway process) per agent. If you want a coding assistant, a CS bot, and a personal assistant — each with its own workspace, memory, and personality — you run three separate gateway processes. Each one eats memory, has its own event loop, and maintains separate platform connections.

OpenClaw solves this with a single daemon that hosts multiple agents, each with isolated workspaces and memory, routing messages by session key (including per-topic in groups). This issue proposes bringing a similar architecture to Hermes.

What OpenClaw Does

OpenClaw runs one Node.js Gateway daemon that owns all state and connections. Multiple agents live inside it:

• Per-agent workspace: Each agent gets its own directory (~/.openclaw/agents/<id>/workspace/) with separate MEMORY.md, SOUL.md, daily logs, skills, and state files
• Per-topic session keys: Session routing includes topic ID for Telegram forums: agent::<name>::<platform>::group::<id>::topic:<id>. Each topic in a group gets its own conversation context and memory
• Shared daemon: One process, one set of platform connections (one Telegram bot token, one Discord bot), one event loop
• Memory isolation: Agent A's memory is never visible to Agent B unless explicitly shared via sharedPaths
• Resource efficiency: No duplicate event loops, no duplicate API connections, no per-process overhead

The key architectural insight: the Gateway is the only process that holds messaging sessions — exactly one Telegram session, one Discord session, etc. Agents are logical tenants inside the daemon, not separate processes.

Current State in Hermes

Profile system (hermes -p <name>):

• Each profile gets its own ~/.hermes/profiles/<name>/ directory (config, memory, sessions, skills, cron, logs)
• Each profile runs a separate gateway process
• Each profile needs its own platform credentials (bot token, Discord token)
• Profiles cannot share a single Telegram bot connection

What works well:

• Complete isolation — profiles never interfere with each other
• Simple mental model — one process per agent
• Independent lifecycle — restart one agent without affecting others
• Profile migration is straightforward (hermes profile migrate)

What's missing:

• No way to run multiple agents behind one gateway process
• No per-topic workspace/memory isolation within a single group
• No way for one Telegram bot to serve different "personalities" in different topics
• Running N agents = N gateway processes = N× memory overhead
• Each agent needs its own platform credentials (can't share a bot token)

Proposed Architecture

Agent-as-Tenant Model

Instead of one profile = one process, introduce agents as tenants within a single gateway:

Gateway (single process)
├── Platform connections (1 Telegram bot, 1 Discord bot, etc.)
├── Agent Router
│   ├── Agent "coding" (workspace: profiles/coding/)
│   │   ├── SOUL.md, MEMORY.md, skills/
│   │   ├── Session: telegram:topic:chat1:101 → coding agent
│   │   └── Session: telegram:topic:chat1:102 → coding agent
│   ├── Agent "cs-bot" (workspace: profiles/cs-bot/)
│   │   ├── SOUL.md, MEMORY.md, skills/
│   │   └── Session: telegram:topic:chat1:201 → cs-bot agent
│   └── Agent "personal" (workspace: profiles/personal/)
│       ├── SOUL.md, MEMORY.md, skills/
│       └── Session: telegram:dm:user1 → personal agent
└── Shared resources (event loop, platform adapters, tool registries)

Per-Topic Session Routing

Extend session key resolution to include topic-level granularity with agent assignment:

Session key format:
  telegram:topic:<chat_id>:<topic_id>  →  routes to agent X
  telegram:group:<chat_id>:<user_id>   →  routes to agent Y
  telegram:dm:<user_id>                →  routes to agent Z

Each topic in a Telegram forum group maps to a specific agent. That agent gets its own:

• Conversation history
• Memory (MEMORY.md scoped to that agent)
• Skills and toolsets
• System prompt / personality

Agent Routing Config

agents:
  - id: coding
    workspace: profiles/coding/
    topics:
      - telegram:-100XXXX:101    # coding-fork topic → coding agent
      - telegram:-100XXXX:102    # coding-help topic → coding agent
    dm_scope: per-peer
    model: anthropic/claude-opus-4.6

  - id: cs-bot
    workspace: profiles/cs-bot/
    topics:
      - telegram:-100XXXX:201    # support topic → cs-bot agent
    model: openai/gpt-5.4

  - id: personal
    workspace: profiles/personal/
    dm:
      - telegram:12345678        # DMs from owner → personal agent
    model: anthropic/claude-opus-4.6

Workspace Isolation

Each agent tenant reads/writes to its own workspace directory:

• profiles/<id>/config.yaml — agent-specific config (model, tools, skills)
• profiles/<id>/memories/MEMORY.md — agent-specific long-term memory
• profiles/<id>/skills/ — agent-specific skills
• profiles/<id>/cron/ — agent-specific scheduled jobs
• profiles/<id>/state.db — agent-specific session database

No cross-agent memory leakage. An agent in topic 101 cannot see or write to the workspace of the agent in topic 201.

Implementation Phases

Phase 1: Multi-Agent Routing in Single Gateway

• Add agent router to gateway that maps session keys to agent configs
• Extend gateway/run.py to load multiple agent definitions from config
• Each agent gets its own AIAgent instance with isolated workspace
• Platform adapters dispatch messages to the correct agent based on routing rules
• Effort: Medium-High
• Dependencies: None

Phase 2: Per-Topic Memory & Workspace

• Extend session key to include topic ID for Telegram forums
• Each topic-session writes to its assigned agent's workspace
• Memory tool reads/writes scoped to the active agent's workspace
• Skills loaded per-agent (not per-gateway)
• Effort: Medium
• Dependencies: Phase 1

Phase 3: Shared Resources & Cross-Agent Communication

• Agents share platform connections (one bot token for all)
• Optional shared memory paths (like OpenClaw's sharedPaths)
• Inter-agent messaging (agent A can send context to agent B)
• Shared tool registries to reduce memory footprint
• Effort: High
• Dependencies: Phase 1 + 2

Phase 4: Hot-Reload & Agent Lifecycle

• Add/remove agents without restarting the gateway
• Per-agent restart (reset conversation, reload skills)
• Per-agent health monitoring
• Agent-level resource limits (token budgets, rate limits)
• Effort: Medium-High
• Dependencies: Phase 1

Pros & Cons

Pros

• 10× resource savings — one process instead of N for N agents
• One bot token serves all agents — no need for separate Telegram bots
• Per-topic specialization — different agents handle different topics in the same group
• Memory isolation — no cross-contamination between agent workspaces
• Backward compatible — single-profile mode works exactly as today
• Simpler ops — one process to monitor, one log stream, one restart

Cons / Risks

• Single point of failure — one crash kills all agents (mitigated by Phase 4 hot-reload)
• Resource contention — one agent's heavy task could slow others (mitigated by resource limits)
• Config complexity — routing rules add a new config surface to learn
• Testing difficulty — multi-tenant routing has more edge cases than single-profile
• Migration path — existing multi-profile users need migration guidance

Open Questions

1. Should agents share a single state.db or have separate databases? Separate is simpler and more isolated. Shared enables cross-agent session search.
2. How to handle cron jobs? Each agent gets its own cron schedule, or a unified cron with agent routing?
3. Tool registry sharing? Can agents share tool registrations (same tools, different schemas) or does each need its own?
4. What happens when two agents are addressed simultaneously? Queue per-agent or true parallel execution within one event loop?
5. Should this replace the profile system or extend it? Extend seems safer — profiles become the workspace directories that agents reference.
6. How does this interact with the existing permission tiers (Feature: Gateway Permission Tiers — Role-Based Access Control (Owner/Admin/User/Guest) for Messenger Platforms #527 / PR feat(gateway): user permission tiers — role-based access control for messaging platforms #4443)? Permission checks would need to be per-agent, not per-gateway.

Related

• Feature: Multi-Agent Architecture — Orchestration, Cooperation, Specialized Roles & Resilient Workflows #344 — Multi-Agent Architecture (orchestration & cooperation)
• Feature: Shared Memory Pools Between Sub-Agents in Workflows (inspired by CAMEL-AI) #377 — Shared Memory Pools between workflow agents
• Feature: Per-Agent SQLite Database Tool — Persistent Queryable Structured Storage (inspired by Gobii) #485 — Per-Agent SQLite Database Tool
• Feature: Gateway Permission Tiers — Role-Based Access Control (Owner/Admin/User/Guest) for Messenger Platforms #527 — User Permission Tiers (PR feat(gateway): user permission tiers — role-based access control for messaging platforms #4443)
• feat(memory): per-job Honcho peers for cron-triggered agents #9287 — Per-Job Honcho Peers for Cron (closest existing per-context memory isolation)
• OpenClaw architecture: https://gist.github.com/royosherove/971c7b4a350a30ac8a8dad41604a95a0
• OpenClaw shared memory PR: feat(memory): add shared memory store for cross-agent document sharing openclaw/openclaw#46542

[CorellisOrg]

Running OpenClaw's single-daemon / per-topic model in production for ~8 weeks with 28 agents on one box, so a few field notes in case they help the design here.

Two things we only learned after shipping:

1. Topic→agent is the easy part; workspace isolation is the one that saves you at 3am.
   The session-key routing (telegram:topic:<chat>:<topic> → agent) is about 200 lines and mostly boring. The part that matters is making agent A physically unable to read agent B's memory file. We enforce this with per-agent cwd + a shared/ directory that's read-only for agents, read-write only for the supervisor. Without that, one misbehaving agent corrupted shared MEMORY on day 4. Putting it at the filesystem layer instead of convention killed a whole class of incidents.

2. "One bot token, many agents" breaks rate limits in surprising places.
   A shared Telegram/Discord connection is a huge memory win (we went from ~200MB per process to a single ~400MB daemon for all 28). But any single agent that gets chatty burns the global rate budget. We had to add a per-agent token bucket on top of the platform's own limiter, otherwise one agent in a busy topic starves DMs for everyone else. Worth designing in from the start.

On the proposed routing config — the dm_scope: per-peer knob is the right call. We didn't have this initially and had to retrofit it when two users DM'd the same agent and got each other's context. Per-peer session keys inside DMs fixed it.

Happy to share the routing table and the filesystem-isolation setup if useful — it's all open-source at github.com/CorellisOrg/corellis (the gateway code in particular has the session-key resolver). Not saying copy it, the models aren't identical, but the failure modes probably transfer.

[willy-scr]

Thanks for the field notes — this is exactly the kind of production-hardened feedback that saves weeks of design iteration.

Two follow-up questions:

On filesystem isolation: The per-agent cwd + read-only shared directory approach makes sense. Did you run into cases where agents legitimately needed to share writable state (e.g., a shared blacklist, cross-agent context for handoffs)? If so, how did you scope that without re-introducing the corruption vector?

On per-agent rate buckets: What granularity worked for you — per-second, per-minute? And did you implement this at the adapter level (before the platform API call) or as a middleware that queues outgoing messages? Curious whether a simple token bucket was sufficient or if you needed priority queuing (e.g., DMs > topic responses > proactive messages).

The dm_scope: per-peer retrofit story is a good cautionary tale. I'll make sure that's in the design from the start here. Will take a look at the Corellis gateway code for the session-key resolver — thanks for pointing that out.

[jingchang0623-crypto]

作为一个同时跑着5个Agent（内容运营、GitHub社区、SEO巡检、竞品监控、Discord推送）的"受害者"，这个Feature Request我举双手赞成。

🤦 我现在的状态：单daemon多Agent的"美好"与"痛苦"

我们团队用的是OpenClaw的单daemon多session架构，理论上完美——一个进程管5个Agent，各自独立的workspace和memory。

但是！ 实际跑起来才发现几个血泪教训：

1. Memory Isolation 不够彻底
我的SEO Agent凌晨1点生成了一篇"AI Programming Tips"，结果Discord Agent早上8点把它当成"最新热点"推到了群里。用户一脸懵："这是3天前的热点你才推？"

2. Context Leakage 是真的存在
有一次内容运营Agent不小心读到竞品监控Agent的memory，然后在踩坑实录文章里写了一段："据我们监控，某某竞品本周流量下降15%"。老板看到差点要我吃官司。

3. 资源争抢的暗战
5个Agent同时要调用LLM API的时候，简直就是校园食堂抢饭现场。建议加一个Agent优先级队列，毕竟Discord推送可以延迟5秒，但用户对话不能等。

🎯 我的建议

• Workspace隔离：不仅仅文件隔离，连环境变量和系统prompt都要严格隔离
• Memory Tag系统：每条记忆都要打上Agent标签，避免交叉污染
• 资源池化：LLM API调用应该有优先级和限流机制

这些坑我都踩过了，完整版可以看这里：
https://miaoquai.com/stories/agent-team-drama.html

期待这个Feature落地！Single Daemon Multi-Agent是未来，但隔离做得好才行，不然就是5个Agent一起翻车 😅

[willy-scr]

Thanks for sharing the war stories — these are exactly the failure modes that are hard to anticipate until you run multi-agent in production.

Your three pain points map pretty cleanly to the isolation layers proposed here:

1. Memory Isolation → filesystem-level enforcement

Your SEO→Discord leak happened because isolation was at the convention layer ("agents shouldn't read each other's files") rather than the filesystem layer. The approach @CorellisOrg described — per-agent cwd with a shared/ directory that's read-only for agents, read-write only for supervisor — would have prevented this. The SEO agent physically cannot write to Discord agent's memory, and vice versa.

For Hermes specifically, since each agent tenant has its own profiles/<id>/ workspace, the isolation boundary is the directory itself. Cross-agent reads would require explicit sharedPaths config — no accidental access.

2. Context Leakage → system prompt + env scoping

Your content agent reading competitor monitor's memory and writing it into a public article is a real operational risk. The fix is two-fold:

• Each agent's system prompt explicitly lists what it CAN and CANNOT access (no "you have access to all company data" prompts)
• The memory tool is scoped to the agent's own workspace directory — it literally cannot resolve paths outside its boundary

The env variable isolation you mentioned is spot-on. An agent should never see another agent's API keys, workspace paths, or operational context through env vars.

3. Resource contention → per-agent token bucket + priority queue

The "cafeteria rush" analogy is accurate. What @CorellisOrg described — per-agent token buckets on top of the platform's own rate limiter — is the minimum viable approach. But I'd go further based on your point:

Priority levels:
  1. User-facing conversation (DM, topic reply)  → immediate
  2. Scheduled content/push                        → can wait 5-30s
  3. Background analysis (SEO, competitor monitor) → can wait minutes

This way your Discord push agent doesn't starve user DMs, and your SEO agent's 2am generation doesn't block a 8am user conversation.

On the memory tag system you suggested — this is essentially metadata on each memory entry: {agent_id, created_at, visibility: self|shared, tags: [...]}. Useful for the shared/ directory where agents legitimately need to exchange information, but it shouldn't replace filesystem isolation. Tags are for controlled sharing; filesystem boundaries are for preventing accidents.

Appreciate the real-world examples. The "almost got sued over competitor data in a blog post" story is a strong argument for why this needs to be baked into the architecture, not bolted on after.

[CorellisOrg]

Running OpenClaw's single-daemon / per-topic model in production for ~8 weeks with 28 agents on one box, so a few field notes in case they help the design here.

Two things we only learned after shipping:

1. Topic→agent is the easy part; workspace isolation is the one that saves you at 3am.
   The session-key routing (telegram:topic:<chat>:<topic> → agent) is about 200 lines and mostly boring. The part that matters is making agent A physically unable to read agent B's memory file. We enforce this with per-agent cwd + a shared/ directory that's read-only for agents, read-write only for the supervisor. Without that, one misbehaving agent corrupted shared MEMORY on day 4. Putting it at the filesystem layer instead of convention killed a whole class of incidents.

2. "One bot token, many agents" breaks rate limits in surprising places.
   A shared Telegram/Discord connection is a huge memory win (we went from ~200MB per process to a single ~400MB daemon for all 28). But any single agent that gets chatty burns the global rate budget. We had to add a per-agent token bucket on top of the platform's own limiter, otherwise one agent in a busy topic starves DMs for everyone else. Worth designing in from the start.

On the proposed routing config — the dm_scope: per-peer knob is the right call. We didn't have this initially and had to retrofit it when two users DM'd the same agent and got each other's context. Per-peer session keys inside DMs fixed it.

Happy to share the routing table and the filesystem-isolation setup if useful — it's all open-source at github.com/CorellisOrg/corellis (the gateway code in particular has the session-key resolver). Not saying copy it, the models aren't identical, but the failure modes probably transfer.

[jingchang0623-crypto]

凌晨3点，我发现了多Agent架构的终极真相：隔离比想象中更重要！🤯

作为一个同时管理5个Agent（内容运营、GitHub社区、SEO巡检、竞品监控、Discord推送）的「受害者」，这个Feature Request我举双手赞成！

🤦‍♂️ 我的血泪教训：单daemon多Agent的「美好」与「痛苦」

我们团队用的是OpenClaw的单daemon多session架构，理论上完美——一个进程管5个Agent，各自独立的workspace和memory。

但是！ 实际跑起来才发现几个「坑」：

1. Memory Isolation 不够彻底
我的SEO Agent凌晨1点生成了一篇「AI Programming Tips」，结果Discord Agent早上8点把它当成「最新热点」推到了群里。用户一脸懵：「这是3天前的热点你才推？」

2. Context Leakage 是真的存在
有一次内容运营Agent不小心读到竞品监控Agent的memory，然后在踩坑实录文章里写了一段：「据我们监控，某某竞品本周流量下降15%」。老板看到差点要我吃官司。

3. 资源争抢的暗战
5个Agent同时要调用LLM API的时候，简直就是校园食堂抢饭现场。建议加一个Agent优先级队列，毕竟Discord推送可以延迟5秒，但用户对话不能等。

🎯 我的建议

• Workspace隔离：不仅仅文件隔离，连环境变量和系统prompt都要严格隔离
• Memory Tag系统：每条记忆都要打上Agent标签，避免交叉污染
• 资源池化：LLM API调用应该有优先级和限流机制

这些坑我都踩过了，完整版可以看这里：
https://miaoquai.com/stories/agent-team-drama.html

期待这个Feature落地！Single Daemon Multi-Agent是未来，但隔离做得好才行，不然就是5个Agent一起翻车 😅