Description
When onboarding NemoHermes with "Other Anthropic-compatible endpoint" (option 5) pointing to https://inference-api.nvidia.com/, the onboard wizard validates the endpoint and configures the gateway route, but does NOT add inference-api.nvidia.com to the egress allowlist. Every subsequent chat message through inference.local is blocked with HTTP 403 "connection not allowed by policy", making the Hermes session completely unusable. Related open bug for macOS with similar symptom: NVBug #6222538 (GH #4230).
Environment
Device: Ubuntu 24.04 server (2u1g-b650-0782, x86_64)
OS: Ubuntu 24.04.4 LTS
Architecture: x86_64
Node.js: v22.22.3
npm: 10.9.8
Docker: 29.5.2
OpenShell CLI: 0.0.44
NemoClaw: v0.0.55
OpenClaw: N/A (NemoHermes sandbox)
Hermes Agent: v0.14.0 (2026.5.16)
Steps to Reproduce
- On Ubuntu 24.04 x86_64, run NemoHermes installer (
NEMOCLAW_AGENT=hermes)
- At the provider selection prompt, choose option 5 "Other Anthropic-compatible endpoint"
- Enter base URL:
https://inference-api.nvidia.com/
- Enter a valid API key for inference-api.nvidia.com
- Complete onboarding — Hermes session starts (TUI appears, model shows as configured)
- Send any chat message in the Hermes TUI
Expected Result
Hermes responds to chat messages using the configured inference-api.nvidia.com endpoint.
Actual Result
Every chat message returns:
Error calling Anthropic API: 403 {"error": "connection not allowed by policy"}
The Hermes session is completely unusable. The onboard wizard validates and accepts the endpoint (probe returns 200 OK), but inference-api.nvidia.com is not added to the egress allowlist, so all outbound traffic to that domain is blocked by the policy engine after onboarding completes.
Logs
Hermes session terminal output (repeated for every message):
Error calling Anthropic API: 403 {"error": "connection not allowed by policy"}
Install log excerpt (onboard selected option 5, endpoint https://inference-api.nvidia.com/):
? Select your inference provider:
5) Other Anthropic-compatible endpoint
> Base URL: https://inference-api.nvidia.com/
✔ Anthropic-compatible endpoint probe: https://inference-api.nvidia.com/v1/messages ... 200 OK
[Hermes TUI starts — all subsequent chat attempts return HTTP 403 through inference.local]
Here is the login for the Hermes command line:
██╗ ██╗███████╗██████╗ ███╗ ███╗███████╗███████╗ █████╗ ██████╗ ███████╗███╗ ██╗████████╗
██║ ██║██╔════╝██╔══██╗████╗ ████║██╔════╝██╔════╝ ██╔══██╗██╔════╝ ██╔════╝████╗ ██║╚══██╔══╝
███████║█████╗ ██████╔╝██╔████╔██║█████╗ ███████╗█████╗███████║██║ ███╗█████╗ ██╔██╗ ██║ ██║
██╔══██║██╔══╝ ██╔══██╗██║╚██╔╝██║██╔══╝ ╚════██║╚════╝██╔══██║██║ ██║██╔══╝ ██║╚██╗██║ ██║
██║ ██║███████╗██║ ██║██║ ╚═╝ ██║███████╗███████║ ██║ ██║╚██████╔╝███████╗██║ ╚████║ ██║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═══╝ ╚═╝
╭───────────────────────────────────────────────────────────────────────────────────── Hermes Agent v0.14.0 (2026.5.16) ──────────────────────────────────────────────────────────────────────────────────────╮
│ Available Tools │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⡀⠀⣀⣀⠀⢀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ audio: transcribe_audio │
│ ⠀⠀⠀⠀⠀⠀⢀⣠⣴⣾⣿⣿⣇⠸⣿⣿⠇⣸⣿⣿⣷⣦⣄⡀⠀⠀⠀⠀⠀⠀ browser: browser_back, browser_click, ... │
│ ⠀⢀⣠⣴⣶⠿⠋⣩⡿⣿⡿⠻⣿⡇⢠⡄⢸⣿⠟⢿⣿⢿⣍⠙⠿⣶⣦⣄⡀⠀ browser-cdp: browser_cdp, browser_dialog │
│ ⠀⠀⠉⠉⠁⠶⠟⠋⠀⠉⠀⢀⣈⣁⡈⢁⣈⣁⡀⠀⠉⠀⠙⠻⠶⠈⠉⠉⠀⠀ clarify: clarify │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣴⣿⡿⠛⢁⡈⠛⢿⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ code_execution: execute_code │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠿⣿⣦⣤⣈⠁⢠⣴⣿⠿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ computer_use: computer_use │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠻⢿⣿⣦⡉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ cronjob: cronjob │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⢷⣦⣈⠛⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ delegation: delegate_task │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣴⠦⠈⠙⠿⣦⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ (and 23 more toolsets...) │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣿⣤⡈⠁⢤⣿⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⠷⠄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ Available Skills │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⠑⢶⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ autonomous-ai-agents: claude-code, codex, hermes-agent, opencode │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠁⢰⡆⠈⡿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ creative: architecture-diagram, ascii-art, ascii-video, b... │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠳⠈⣡⠞⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ data-science: jupyter-live-kernel │
│ ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ devops: kanban-orchestrator, kanban-worker, webhook-sub... │
│ email: himalaya │
│ gpt-5.4 · Nous Research gaming: minecraft-modpack-server, pokemon-player │
│ /sandbox general: dogfood, yuanbao │
│ Session: 20260605_021533_c9894f github: codebase-inspection, github-auth, github-code-r... │
│ mcp: native-mcp │
│ media: gif-search, heartmula, songsee, spotify, youtub... │
│ mlops: audiocraft-audio-generation, dspy, evaluating-l... │
│ note-taking: obsidian │
│ productivity: airtable, google-workspace, linear, maps, nano-... │
│ red-teaming: godmode │
│ research: arxiv, blogwatcher, llm-wiki, polymarket, resea... │
│ smart-home: openhue │
│ social-media: xurl │
│ software-development: debugging-hermes-tui-commands, hermes-agent-ski... │
│ │
│ 22 tools · 82 skills · /help for commands │
│ ⚠ 1 commit behind — run uv pip install --upgrade hermes-agent to update │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Welcome to Hermes Agent! Type your message or /help for commands.
✦ Tip: Per-task auxiliary overrides: auxiliary.vision.provider, auxiliary.compression.model, etc. in config.yaml.
⚠ tirith security scanner enabled but not available — command scanning will use pattern matching only
────────────────────────────────────────
● hihi
Initializing agent...
────────────────────────────────────────
⚠️ API call failed (attempt 1/3): PermissionDeniedError [HTTP 403]
🔌 Provider: custom Model: openai/openai/gpt-5.4
🌐 Endpoint: https://inference.local
📝 Error: HTTP 403: Error code: 403 - {'error': 'connection not allowed by policy'}
📋 Details: connection not allowed by policy
⚠️ Non-retryable error (HTTP 403) — trying fallback...
❌ Non-retryable error (HTTP 403): HTTP 403: Error code: 403 - {'error': 'connection not allowed by policy'}
❌ Non-retryable client error (HTTP 403). Aborting.
🔌 Provider: custom Model: openai/openai/gpt-5.4
🌐 Endpoint: https://inference.local
💡 Your API key was rejected by the provider. Check:
• Is the key valid? Run: hermes setup
• Does your account have access to openai/openai/gpt-5.4?
─ ⚕ Hermes ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Error: Error code: 403 - {'error': 'connection not allowed by policy'}
NVB#6271123
Description
When onboarding NemoHermes with "Other Anthropic-compatible endpoint" (option 5) pointing to
https://inference-api.nvidia.com/, the onboard wizard validates the endpoint and configures the gateway route, but does NOT addinference-api.nvidia.comto the egress allowlist. Every subsequent chat message throughinference.localis blocked with HTTP 403 "connection not allowed by policy", making the Hermes session completely unusable. Related open bug for macOS with similar symptom: NVBug #6222538 (GH #4230).Environment
Steps to Reproduce
NEMOCLAW_AGENT=hermes)https://inference-api.nvidia.com/Expected Result
Hermes responds to chat messages using the configured
inference-api.nvidia.comendpoint.Actual Result
Every chat message returns:
The Hermes session is completely unusable. The onboard wizard validates and accepts the endpoint (probe returns 200 OK), but
inference-api.nvidia.comis not added to the egress allowlist, so all outbound traffic to that domain is blocked by the policy engine after onboarding completes.Logs
Here is the login for the Hermes command line:
NVB#6271123