Problem
A Hermes sandbox configured for Discord can show Telegram, Slack, and WeChat policy entries in the live OpenShell policy. That is not the expected least-privilege behavior: selecting one Hermes messaging channel should enable egress for that channel only.
There is also a related Discord failure mode where applying the generic `discord` preset to a Hermes sandbox can leave the live policy with Node-oriented binary allowlists instead of Hermes/Python allowlists. Hermes Discord runs through Python, so Discord gateway traffic from `/usr/bin/python3*` or `/opt/hermes/.venv/bin/python` can be denied.
Example denial:
```text
/usr/bin/python3.13 -> gateway-us-east1-d.discord.gg:443 DENIED
reason: endpoint gateway-us-east1-d.discord.gg:443 not in policy
aiohttp.client_exceptions.ClientHttpProxyError: 403
```
Root Cause
`agents/hermes/policy-additions.yaml` is used as the Hermes create-time policy, but it currently contains multiple messaging provider entries. Those entries are intended as Hermes-specific templates, but sandbox creation applies the file wholesale, so inactive providers become live policy.
Separately, built-in preset application loads `nemoclaw-blueprint/policies/presets/<preset>.yaml` without considering the sandbox agent. For Hermes, this can apply generic OpenClaw/Node messaging policy instead of Hermes-specific policy.
Expected Behavior
- OpenClaw/default sandboxes use the default OpenClaw base policy plus selected/default presets.
- Hermes sandboxes use the Hermes base policy for Hermes filesystem, binaries, inference, PyPI, and Nous endpoints.
- Hermes messaging policies are only applied for selected channels.
- `policy-add discord` on a Hermes sandbox applies Hermes-specific Discord policy, including Python binary allowlists.
- A Discord-only Hermes sandbox must not retain Telegram, Slack, or WeChat egress.
Acceptance Criteria
- Creating or rebuilding a Hermes sandbox with only Discord enabled results in live policy containing Discord messaging egress but not Telegram, Slack, or WeChat messaging egress.
- Applying `discord` to a Hermes sandbox uses Hermes-specific Discord rules and Python binary allowlists.
- Applying `discord` to a default/OpenClaw sandbox still uses the generic Discord preset.
- Existing policy preset registry behavior remains unchanged.
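The expected resolution behavior and acceptance criteria above, as an added illustration that is not nemoclaw-blueprint code: channel templates are applied only for selected channels, and the agent-specific template wins over the generic preset. The policy schema, the `CHANNEL_TEMPLATES` table and all endpoint values other than the gateway host from the denial above are constructed assumptions.

```python
# Added illustration, not the project's own code. The policy dict shape and
# the template table are constructed; real presets live in
# nemoclaw-blueprint/policies/presets/<preset>.yaml and
# agents/hermes/policy-additions.yaml, whose schema is assumed here.
import copy

# Constructed Hermes base policy: Python binaries, PyPI endpoints, no messaging.
HERMES_BASE = {
    "binaries": ["/usr/bin/python3*", "/opt/hermes/.venv/bin/python"],
    "endpoints": ["pypi.org:443", "files.pythonhosted.org:443"],
}

# Constructed per-agent channel templates. "openclaw" is the generic preset.
CHANNEL_TEMPLATES = {
    "hermes": {
        "discord": {"binaries": ["/usr/bin/python3*", "/opt/hermes/.venv/bin/python"],
                    "endpoints": ["gateway-us-east1-d.discord.gg:443"]},
        "telegram": {"endpoints": ["api.telegram.org:443"]},
        "slack": {"endpoints": ["slack.com:443"]},
        "wechat": {"endpoints": ["api.weixin.qq.com:443"]},
    },
    "openclaw": {
        "discord": {"binaries": ["/usr/bin/node"], "endpoints": ["discord.com:443"]},
    },
}


def resolve_policy(agent, channels, base):
    """Merge base with templates for the selected channels only.

    An agent-specific template is preferred; the generic preset is the fallback.
    The base dict is not mutated (deepcopy), so reapplying is idempotent.
    """
    live = copy.deepcopy(base)
    for ch in channels:
        tmpl = CHANNEL_TEMPLATES.get(agent, {}).get(ch) or CHANNEL_TEMPLATES["openclaw"].get(ch)
        if tmpl is None:
            raise ValueError(f"no policy template for channel {ch!r}")
        for key, values in tmpl.items():
            for v in values:
                if v not in live.setdefault(key, []):
                    live[key].append(v)
    return live


def leaked_channels(live, selected, agent="hermes"):
    """Channels whose endpoints reached the live policy without being selected."""
    return sorted(ch for ch, tmpl in CHANNEL_TEMPLATES[agent].items()
                  if ch not in selected
                  and any(e in live.get("endpoints", []) for e in tmpl["endpoints"]))
```

Applying every Hermes template wholesale, as create-time currently does, makes `leaked_channels` report the three inactive providers; a Discord-only resolution reports none.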