Description
When onboarding NemoHermes with an Anthropic-compatible provider (e.g. aws/anthropic/bedrock-claude-opus-4-6 via NVIDIA Inference API), the inference smoke test during onboard passes (runs outside sandbox), but chatting inside the sandbox fails with HTTP 403 "connection not allowed by policy".
The root cause is that the Hermes managed_inference policy (agents/hermes/policy-additions.yaml, lines 40-56) only allowlists the OpenAI-style API paths (/v1/chat/completions, /v1/completions, /v1/embeddings, /v1/models) and does not include the Anthropic Messages API path /v1/messages. Because the hermes binary (and the Python interpreter it runs under) is in the policy's binaries allowlist, OpenShell applies L7 (HTTP method/path) enforcement to its requests and rejects POST /v1/messages. curl from the same sandbox succeeds only because curl is not in the binaries allowlist, so its traffic is not subject to L7 enforcement at all; that result is not evidence that the path is permitted. OpenClaw is unaffected because its policy uses the wildcard /** for inference paths. Adding an allow rule for POST /v1/messages to the managed_inference section would let Hermes reach the Anthropic endpoint while keeping path-level enforcement in place.
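To make the policy behaviour concrete, here is a small model of the managed_inference rules as printed by nemoclaw hermes status. This is an added example, not OpenShell, NemoClaw or Hermes code; the matching semantics (`**` spans path segments, `*` matches one segment, and L7 rules apply only to binaries on the allowlist) are assumptions made for illustration based on the description above. It shows the current policy denying POST /v1/messages from the Hermes interpreter, curl passing because it is unlisted, and the same request passing once a /v1/messages rule is added.

```python
"""Toy model of an L7 path policy like the managed_inference rules.

Added example, not OpenShell/Hermes code. Assumed semantics: `**` matches
any suffix including `/`, `*` matches a single path segment, and L7 rules
are only enforced for binaries in the allowlist.
"""
import fnmatch
import re
from dataclasses import dataclass

# Policy as shown by `nemoclaw hermes status` (managed_inference section).
HERMES_POLICY = {
    "host": "inference.local",
    "port": 443,
    "protocol": "rest",
    "enforcement": "enforce",
    "rules": [
        {"method": "POST", "path": "/v1/chat/completions"},
        {"method": "POST", "path": "/v1/completions"},
        {"method": "POST", "path": "/v1/embeddings"},
        {"method": "GET", "path": "/v1/models"},
        {"method": "GET", "path": "/v1/models/**"},
    ],
    "binaries": [
        "/usr/local/bin/hermes",
        "/usr/bin/python3*",
        "/opt/hermes/.venv/bin/python",
    ],
}

# The rule the report identifies as missing (Anthropic Messages API).
MESSAGES_RULE = {"method": "POST", "path": "/v1/messages"}


def _path_regex(pattern: str) -> re.Pattern:
    """Translate a rule path pattern to a regex: `**` spans `/`, `*` does not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def path_matches(pattern: str, path: str) -> bool:
    return _path_regex(pattern).match(path) is not None


def binary_covered(policy: dict, binary: str) -> bool:
    """True if the requesting binary is on the allowlist (globs allowed)."""
    return any(fnmatch.fnmatchcase(binary, b) for b in policy["binaries"])


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(policy: dict, method: str, path: str, binary: str) -> Decision:
    """Decide whether `binary` may send `method path` to the policy's host."""
    if not binary_covered(policy, binary):
        # Assumption from the report: unlisted binaries bypass L7 checks.
        return Decision(True, f"{binary} not in binaries list; L7 not enforced")
    for rule in policy["rules"]:
        if rule["method"] == method.upper() and path_matches(rule["path"], path):
            return Decision(True, f"matched allow {rule['method']} {rule['path']}")
    return Decision(False, "connection not allowed by policy")


def with_messages_rule(policy: dict) -> dict:
    """Return a copy of the policy with the /v1/messages allow rule appended."""
    patched = dict(policy)
    patched["rules"] = policy["rules"] + [MESSAGES_RULE]
    return patched


if __name__ == "__main__":
    py = "/opt/hermes/.venv/bin/python"
    for label, pol in (("current", HERMES_POLICY),
                       ("patched", with_messages_rule(HERMES_POLICY))):
        d = evaluate(pol, "POST", "/v1/messages", py)
        print(f"{label}: python POST /v1/messages -> {d.allowed} ({d.reason})")
    d = evaluate(HERMES_POLICY, "POST", "/v1/messages", "/usr/bin/curl")
    print(f"current: curl POST /v1/messages -> {d.allowed} ({d.reason})")
```

The curl case is the one to keep in mind when triaging: a passing curl from inside the sandbox says nothing about the path rules, because curl never enters the L7 check; test with a binary that is on the allowlist (here, the Hermes venv interpreter) to reproduce the 403.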
Environment
Device: MacBook Pro (Apple Silicon M4 Pro)
OS: macOS 26.0.1 (Darwin, arm64)
Architecture: arm64
Node.js: v22.22.1
npm: 10.9.4
Docker: 29.2.1
OpenShell CLI: 0.0.44
NemoClaw: v0.0.50
Hermes Agent: v2026.5.16
Steps to Reproduce
nemoclaw onboard --agent hermes
- Select "Other Anthropic-compatible endpoint"
- Enter base URL:
https://inference-api.nvidia.com
- Enter API key and model:
aws/anthropic/bedrock-claude-opus-4-6
- Complete wizard (inference smoke test passes at step [4/8])
nemoclaw hermes connect
hermes
- Send any message (e.g. "hello")
Expected Result
Hermes Agent sends the message to the Anthropic-compatible provider via inference.local gateway and receives a model response.
Actual Result
API call failed (attempt 1/3): PermissionDeniedError [HTTP 403]
Provider: custom Model: aws/anthropic/bedrock-claude-opus-4-6
Endpoint: https://inference.local
Error: HTTP 403: Error code: 403 - {'error': 'connection not allowed by policy'}
Details: connection not allowed by policy
Non-retryable error (HTTP 403) — trying fallback...
Non-retryable client error (HTTP 403). Aborting.
Meanwhile, curl from the same sandbox succeeds:
curl -s -X POST https://inference.local/v1/messages \
-H "Content-Type: application/json" \
-H "anthropic-version: 2023-06-01" \
-d '{"model":"aws/anthropic/bedrock-claude-opus-4-6","messages":[{"role":"user","content":"hi"}],"max_tokens":20}'
# → 200 OK with valid model response
Logs
Policy from nemoclaw hermes status (managed_inference section):
- host: inference.local
  port: 443
  protocol: rest
  enforcement: enforce
  rules:
    - allow: { method: POST, path: /v1/chat/completions }
    - allow: { method: POST, path: /v1/completions }
    - allow: { method: POST, path: /v1/embeddings }
    - allow: { method: GET, path: /v1/models }
    - allow: { method: GET, path: /v1/models/** }
    # NO /v1/messages: Anthropic Messages API path missing
  binaries:
    - path: /usr/local/bin/hermes
    - path: /usr/bin/python3*
    - path: /opt/hermes/.venv/bin/python
Source: agents/hermes/policy-additions.yaml lines 40-56
NVB#6222538