docs: update project state through Phase 3

Phase 2: memory, session search, git worktree configured
Phase 3: Telegram gateway connected, DM pairing approved
Phase 4: custom skills created (aws-diagnostics, jira-query, confluence-search, bitbucket-pr)

.planning/research/hermes/SUMMARY.md

@@ -0,0 +1,67 @@
+# Hermes Agent: Feature Research Summary
+
+**Context:** This research maps Hermes v0.16.0 capabilities so ngn-agent doesn't reimplement what Hermes already provides. All features listed are built-in — ngn-agent should leverage them, not rebuild them.
+
+**Date:** 2026-06-14
+
+---
+
+## What Hermes Does Out of the Box (Don't Reinvent)
+
+- Multi-session management with resume (hermes --continue, sessions list)
+- Persistent memory (MEMORY.md + USER.md) with auto-learning
+- Full-text session search (FTS5 on SQLite)
+- 8 external memory providers (Honcho, Mem0, Hindsight, OpenViking, Holographic, RetainDB, ByteRover, Supermemory)
+- Skills system with progressive disclosure (3-level loading)
+- Skills Hub with 8 search sources (official, skills.sh, well-known, GitHub, ClawHub, LobeHub, browse.sh, direct URL)
+- Git worktree isolation (hermes -w)
+- Agent-created skills (skill_manage tool) - self-improving by default
+- Skill bundles (group skills under one slash command)
+- Cron/automation with 30+ delivery targets
+- No-agent cron mode (script-only, zero LLM cost)
+- Multi-provider fallback (credential pools + cross-provider)
+- Docker container backend with security hardening
+- Dangerous command approval (manual/smart/off modes)
+- Hardline blocklist for catastrophic commands
+- 20+ messaging platforms (Telegram, Discord, Slack, WhatsApp, Signal, Teams, etc.)
+- DM pairing for gateway authorization
+- Session isolation with configurable reset policies
+- Profiles for multi-agent setups
+- Plugin system (tools + hooks + commands)
+- MCP server integration
+- Context compression with configurable thresholds
+- Worktree isolation for git parallel branch work
+- SOUL.md for personality/identity
+- Subagent delegation (delegate_task)
+- Background sessions (/background)
+- Kanban multi-agent board
+- Docker sandbox with --cap-drop ALL, no-new-privileges, PID limits
+- SSRF protection and tirith pre-exec scanning
+
+## What ngn-agent Needs to Build
+
+Based on initial-plan.md, these features are NOT built into Hermes:
+
+1. **Jira integration** — Hermes has no built-in Jira tool. Need custom skill or MCP server
+2. **Confluence integration** — Same, need custom skill or MCP server
+3. **Infrastructure-specific diagnostics** — Generic skills exist but no AWS/terraform-specific ones by default
+4. **Read-only infra safety layer** — Hermes has dangerous command approval but nothing specific to cloud APIs
+5. **Auto session cleanup (30d archive)** — Hermes has session reset policies but not our specific archive flow
+6. **Telegram gateway** — Hermes supports it, just needs bot token config
+7. **SSO session automation** — Need custom startup script (already created scripts/start-session.sh)
+8. **Custom reporting pipeline** — Cron + skills can provide this
+
+## Key Limitations to Know
+
+| Area | Limitation |
+|------|------------|
+| Memory capacity | MEMORY.md: ~800 tokens, USER.md: ~500 tokens. External providers (Honcho, etc.) remove this limit. |
+| Docker dangerous commands | Checks are skipped in Docker mode — container is the boundary |
+| Cron provider recovery | Inherits fallback_providers; per-job provider override available |
+| Gateway user authorization | Allowlists or DM pairing required — denies all by default |
+| Skills are per-profile | Each Hermes profile has its own skills directory |
+| Plugin discovery | User plugins opt-in via plugins.enabled in config.yaml |
+
+## Recommended Memory Strategy for ngn-agent
+
+Start with built-in memory (MEMORY.md + USER.md) — no external deps needed. If the ~1300 token limit is hit, add Honcho (cross-session user modeling) or Holographic (local SQLite with FTS5 search, no external deps).