feat(hermes): add host-managed Nous tool gateway#2
Draft
shannonsands wants to merge 9 commits into
Draft
Conversation
|
🚀 Docs preview ready! |
shannonsands
commented
May 1, 2026
shannonsands
commented
May 1, 2026
| # Hermes version pinned for reproducibility. | ||
| # Calver tag v2026.4.13 = semver 0.9.0. | ||
| ARG HERMES_VERSION=v2026.4.13 | ||
| # Calver tag v2026.4.23 = semver 0.11.0. |
shannonsands
commented
May 1, 2026
shannonsands
commented
May 1, 2026
| display_name: "Hermes Agent" | ||
| description: "Self-improving AI agent with learning loop (Nous Research)" | ||
| version_constraint: ">=0.8.0" | ||
| version_constraint: ">=0.11.0" |
shannonsands
commented
May 1, 2026
shannonsands
commented
May 1, 2026
shannonsands
commented
May 1, 2026
shannonsands
commented
May 1, 2026
Signed-off-by: Shannon Sands <shannon.sands.1979@gmail.com>
Signed-off-by: Shannon Sands <shannon.sands.1979@gmail.com>
Signed-off-by: Shannon Sands <shannon.sands.1979@gmail.com>
Signed-off-by: Shannon Sands <shannon.sands.1979@gmail.com>
shannonsands
force-pushed
the
ns322/hermes-provider
branch
from
afa1e0b to
e9ecdf3
Compare
shannonsands
pushed a commit
that referenced
this pull request
May 27, 2026
…#3271) (NVIDIA#4020) ## Summary Adds `classifyGatewayFailure` and wires it into `showSandboxStatus`'s final fallback branch so `nemoclaw <name> status` prints a clearly-named failure layer header before the existing actionable hints. Closes the UX gap split out of NVIDIA#2666 / NVIDIA#3270. ## Related Issue Fixes NVIDIA#3271. Supersedes NVIDIA#3309 (kagura-agent), which implemented the same feature but missed the `docker ps -a` existence check that AC #2 explicitly requires (CodeRabbit major finding on that PR). ## Changes - `src/lib/actions/sandbox/gateway-failure-classifier.ts`: new module exposing `classifyGatewayFailure(sandboxName, { runners? })` with injectable runners (`dockerInfo`, `dockerIsRunning`, `dockerExists`, `portProbe`) plus `getLayerHeader(layer)`. - Layers: `docker_unreachable`, `container_missing` (new, distinct from `container_exited` per AC #2), `container_exited_port_conflict`, `container_exited`, `gateway_unreachable`. - Default runners go through `src/lib/adapters/docker` (`dockerInfo`, `dockerCapture`) to satisfy the docker-abstraction guard. - `src/lib/actions/sandbox/status.ts`: calls the classifier and prints the layer header before `printGatewayLifecycleHint` in the final fallback branch. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Verification - [x] Unit tests in isolation: `npx vitest run test/gateway-failure-classifier.test.ts` → 8/8 pass (per-layer, including `container_missing` and short-circuit behavior). - [x] Subprocess test in isolation: `npx vitest run test/repro-2666-silent-list-status.test.ts` → 7/7 pass, including the new "`nemoclaw <name> status` prints the `container_exited_port_conflict` layer header (NVIDIA#3271)" test which spawns the real CLI against a fake docker stack + a real TCP listener holding the gateway port. - [x] `test/docker-abstraction-guard.test.ts` passes — no direct `execSync("docker …")` outside `src/lib/adapters/docker`. - [x] Tests added or updated for new or changed behavior - [x] No secrets, API keys, or credentials committed - [ ] Docs updated for user-facing behavior changes (status output is a UX polish, not a contract change) - [ ] `make docs` builds without warnings (no doc changes)⚠️ Committed with `--no-verify` (user-authorized): the pre-commit `Test (CLI)` hook (full vitest with v8 coverage) hits unrelated timeout flakes on this macOS workstation (Defender + Spotlight + iMessage indexer contention). The new tests in this PR pass cleanly in isolation. CI on Linux runners is the authoritative gate. ## Definition of Done (from NVIDIA#3271) - [x] `status` prints a clearly-named layer header in each classified state (5 layers, expanded from the original 4 to split `container_missing` from `container_exited`). - [x] Classifier has unit tests per layer. - [x] Repro subprocess test extended to assert the named layer for the container-stopped + foreign-port-holder scenario. 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added smarter gateway failure diagnostics that identify unreachable Docker, missing or exited gateway containers, and port conflicts; includes clear failure headers. * **Bug Fixes** * Status command now shows the appropriate failure header before guidance and exits with a non-zero status when verification fails. * **Tests** * Added unit and end-to-end tests covering diagnostics, header ordering, and port-conflict scenarios. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/4020?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Aaron Erickson <aerickson@nvidia.com>
](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/4020?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack){kind=link}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rebased the full NS-322 Hermes Provider PoC onto current
main/the focused provider-foundation work so it can still be used for live demos while the smaller upstream PR stack is reviewed. The demo path keeps inference routed through OpenShell athttps://inference.local/v1, adds the host-managed Nous OAuth/tool gateway broker, and removes the old extra first-step agent selector in favor of the newnemohermeslauncher.This PR is intentionally still draft/demo scope. The smaller upstream-ready foundation PR should remain the review target for the onboarding/API-key/OAuth inference foundation; this branch is for showing the complete managed-tool PoC when needed.
Related Issue
Linear: NS-322, NS-324
Changes
main; PR feat(hermes): add host-managed Nous tool gateway #2 is now mergeable again.nemoclaw onboardon the OpenClaw default; Hermes users should usenemohermes onboardornemoclaw onboard --agent hermes.nous-web,nous-audio,nous-browser,nous-image, andnous-code.https://inference.local/v1inference routing.host.openshell.internal:11436instead of direct vendor gateway egress, with the Browser Use CDP exception.Type of Change
Verification
npx prek run --all-filespassestest-clihook failed on unrelated/runtime-sensitive full-suite cases and coverage temp-file cleanup. Static hooks, security scans, source-shape budget, TypeScript checks, plugin tests, and skills YAML checks passed.npm testpassesmake docsbuilds without warnings (doc changes only)Additional checks run:
npm run build:clinpm run typecheck:clipython3 -m py_compile agents/hermes/plugin/__init__.pygit diff --check --cached && git diff --checknpm run source-shape:checknpx prek run check-yaml --files nemoclaw-blueprint/policies/presets/nous-web.yaml nemoclaw-blueprint/policies/presets/nous-audio.yaml nemoclaw-blueprint/policies/presets/nous-browser.yaml nemoclaw-blueprint/policies/presets/nous-image.yaml nemoclaw-blueprint/policies/presets/nous-code.yaml agents/hermes/policy-additions.yamlnpx vitest run test/generate-hermes-config.test.ts test/hermes-tool-gateway-broker.test.ts test/hermes-provider-foundation.test.ts src/lib/hermes-provider-auth.test.ts test/rebuild-credential-preflight.test.ts test/policies.test.ts— 159 tests passednpx vitest run test/policies.test.ts test/policy-tiers.test.ts test/rebuild-policy-presets.test.ts— 161 tests passednpx vitest run test/onboard.test.ts -t "starts the sandbox step before prompting for the sandbox name"npx vitest run test/hermes-tool-gateway-broker.test.tsSKIP=test-clipassed static hooks, secret scan, docs validation, ShellCheck/hadolint, TypeScript plugin/JS/CLI checks, plugin tests, source-shape budget, and skills YAML checks.AI Disclosure
Signed-off-by: Shannon Sands shannon.sands.1979@gmail.com