`nemoclaw hermes rebuild` loses secrets and config

[benbarclay]

Description

If I create a Hermes Agent sandbox, then trigger a rebuild, I lose significant pieces of configuration associated with that container.

From the description Upgrade sandbox to current agent version I would have expected all state to be maintained, but the agent container to be updated.

Reproduction Steps

1. ./bin/nemoclaw.js onboard --agent hermes -> connect to Discord (or similar)
2. ./bin/nemoclaw.js hermes connect
3. cat /sandbox/.hermes/.env -> verify DISCORD_BOT_TOKEN is set
4. cat /sandbox/.hermes/config.yaml -> verify platforms.discord is set (that is not the correct config, but I'll make a different issue for that)
5. ctrl-c to exit sandbox
6. ./bin/nemoclaw.js hermes rebuild -> Proceed
7. Rebuild preflight failed: provider credential not found.
8. COMPATIBLE_API_KEY=<REDACTED> ./bin/nemoclaw.js hermes rebuild -> Proceed
9. ./bin/nemoclaw.js hermes connect
10. cat /sandbox/.hermes/.env -> verify DISCORD_BOT_TOKEN is unset
11. cat /sandbox/.hermes/config.yaml -> verify platforms.discord is unset

Environment

• OS: Arch Linux
• Node: 24.13.1
• Python: 3.12.12
• Docker: 29.4.1
• NemoClaw: main branch

Debug Output

Logs

~/n/NemoClaw (main)> ./bin/nemoclaw.js onboard --agent hermes
<snip>
Applied preset: discord

  ──────────────────────────────────────────────────
  Sandbox      hermes (Landlock + seccomp + netns)
  Model        anthropic/claude-opus-4.7 (Other OpenAI-compatible endpoint)
  ──────────────────────────────────────────────────
  Run:         nemoclaw hermes connect
  Status:      nemoclaw hermes status
  Logs:        nemoclaw hermes logs --follow

  Hermes Agent OpenAI-compatible API
  Port 8642 must be forwarded before connecting.
  http://127.0.0.1:8642/v1
  ──────────────────────────────────────────────────

  To change settings later:
    Model:       openshell inference set -g nemoclaw --model <model> --provider <provider>
    Policies:    nemoclaw hermes policy-add
    Credentials: nemoclaw credentials reset <KEY>  then  nemoclaw onboard

~/n/NemoClaw (main)> ./bin/nemoclaw.js hermes connect

  ✓ Connecting to sandbox 'hermes'
  Inside the sandbox, run `hermes` to start chatting with the agent.
  Type `/exit` to leave the chat, then `exit` to return to the host shell.

cat /sandbox/.hermes/.env
API_SERVER_PORT=18642
API_SERVER_HOST=127.0.0.1
DISCORD_BOT_TOKEN=openshell:resolve:env:DISCORD_BOT_TOKEN
sandbox@hermes:~$ cat /sandbox/.hermes/config.yaml
_config_version: 12
model:
  default: anthropic/claude-opus-4.7
  provider: custom
  base_url: "https://inference.local/v1"
terminal:
  backend: local
  timeout: 180
agent:
  max_turns: 60
  reasoning_effort: medium
memory:
  memory_enabled: true
  user_profile_enabled: true
skills:
  creation_nudge_interval: 15
display:
  compact: false
  tool_progress: all
platforms:
  discord:
    enabled: true
    token: "openshell:resolve:env:DISCORD_BOT_TOKEN"
  api_server:
    enabled: true
    extra:
      port: 18642
      host: 127.0.0.1


~/n/NemoClaw (main)> ./bin/nemoclaw.js hermes rebuild

  Rebuild sandbox 'hermes'
    Current:  Hermes Agent v2026.4.30
    Target:   Hermes Agent v2026.4.30

  This will:
    1. Back up workspace state
    2. Destroy and recreate the sandbox with the current image
    3. Restore workspace state into the new sandbox

  Proceed? [y/N]: y

  Rebuild preflight failed: provider credential not found.
  The non-interactive recreate step requires COMPATIBLE_API_KEY,
  but it is not set in the environment.

  To fix, do one of:
    export COMPATIBLE_API_KEY=<your-key>
    nemoclaw onboard          # re-enter the key interactively

  Sandbox is untouched — no data was lost.



COMPATIBLE_API_KEY=<REDACTED> ./bin/nemoclaw.js hermes rebuild

  Rebuild sandbox 'hermes'
    Current:  Hermes Agent v2026.4.30
    Target:   Hermes Agent v2026.4.30

  This will:
    1. Back up workspace state
    2. Destroy and recreate the sandbox with the current image
    3. Restore workspace state into the new sandbox

  Proceed? [y/N]: y
  Backing up sandbox state...
  ✓ State backed up (0 directories)
    Backup: /home/ben/.nemoclaw/rebuild-backups/hermes/2026-05-05T09-34-36-339Z
  Deleting old sandbox...
Error response from daemon: No such image: openshell/sandbox-from:1777973067290
  ⚠ Failed to remove Docker image openshell/sandbox-from:1777973067290; run 'nemoclaw gc' to clean up.
  ✓ Old sandbox deleted

  Creating new sandbox with current image...
<snip>
Sandbox 'hermes' rebuilt successfully
    Now running: Hermes Agent v2026.4.30

~/n/NemoClaw (main)> ./bin/nemoclaw.js hermes connect
sandbox@hermes:~$ cat /sandbox/.hermes/.env
API_SERVER_PORT=18642
API_SERVER_HOST=127.0.0.1
sandbox@hermes:~$ cat /sandbox/.hermes/config.yaml
_config_version: 12
model:
  default: anthropic/claude-opus-4.7
  provider: custom
  base_url: "https://inference.local/v1"
terminal:
  backend: local
  timeout: 180
agent:
  max_turns: 60
  reasoning_effort: medium
memory:
  memory_enabled: true
  user_profile_enabled: true
skills:
  creation_nudge_interval: 15
display:
  compact: false
  tool_progress: all
platforms:
  api_server:
    enabled: true
    extra:
      port: 18642
      host: 127.0.0.1

Checklist

• I confirmed this bug is reproducible
• I searched existing issues and this is not a duplicate

[wscurran]

✨ Thanks for submitting this issue that reports losing secrets and configuration when rebuilding a Hermes Agent sandbox. This bug involves the loss of significant configuration pieces associated with the container, which could impact the functionality of the agent.