fix(hermes): install root Node dependencies in base image

[ericksoa]

Summary

Follows up on NousResearch's dependency-bootstrap proposal in #2834 and the maintainer-side #2846 by carrying the remaining root Node dependency install into the Hermes base image. The existing uv sync step covers the supported Python integration extras; this adds deterministic npm ci from the Hermes root lockfile so browser tooling such as agent-browser is available in the extracted Hermes tree.

Credit

Thanks to Ben Barclay and the NousResearch team for the original PR #2834. They identified the Hermes dependency-bootstrap gap and proposed the direction this follow-up carries into the current NemoClaw base-image flow.

Related Issue

Follow-up to #2834 and #2846.

Changes

• Install Hermes root Node dependencies with npm ci --prefer-offline --no-audit --no-fund after the existing uv sync step.
• Remove transient /tmp/camoufox-* installer downloads in the same Docker layer so large temporary archives do not persist into the image.
• Document why the root Node install belongs in the Hermes base image.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Additional validation:

• git diff --check
• docker build --progress=plain --output=type=cacheonly -f agents/hermes/Dockerfile.base .
  • validated the uv sync step
  • validated the new npm ci step
  • validated /usr/local/bin/hermes --version reports Hermes Agent v0.11.0 (2026.4.23)

---

Signed-off-by: Aaron Erickson aerickson@nvidia.com

Summary by CodeRabbit

• Chores
  • Optimized the container image build by removing temporary build artifacts to reduce clutter and image size.
  • Made tooling dependencies for browser-related features explicit so tooling is reliably present during build.
  • Ensured Node package installation runs deterministically during image creation to improve build stability and reproducibility.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 69011e90-ea0c-4883-b510-6498192cfcac

📥 Commits

Reviewing files that changed from the base of the PR and between 8074b3f and 1b58ea0.

📒 Files selected for processing (1)

• agents/hermes/Dockerfile.base

🚧 Files skipped from review as they are similar to previous changes (1)

• agents/hermes/Dockerfile.base

---

📝 Walkthrough

Walkthrough

Adds a clarifying build comment to the Hermes Dockerfile and inserts an explicit npm ci --prefer-offline --no-audit --no-fund install step followed by removal of /tmp/camoufox-* temporary artifacts during the image build (two small edits to agents/hermes/Dockerfile.base).

Changes

Hermes Dockerfile build

Layer / File(s)	Summary
Clarifying comment agents/hermes/Dockerfile.base	Inserts a build-time comment indicating root Node dependencies provide Hermes browser tooling (e.g., agent-browser).
Dependency install agents/hermes/Dockerfile.base	Adds npm ci --prefer-offline --no-audit --no-fund to the Hermes setup RUN block after uv sync to install Node dependencies during image build.
Build artifact cleanup agents/hermes/Dockerfile.base	Adds rm -rf /tmp/camoufox-* to remove temporary camoufox artifacts after install to avoid leaving them in image layers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I nibble bytes in twilight’s hush,
A Dockerfile whisper, quick and plush,
I run a clean npm ci with care,
Sweep camoufox crumbs from layers bare,
Small hops, light images — joy to share. 🐇✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: installing root Node dependencies in the Hermes base Docker image, which aligns with the PR's primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch aerickson/hermes-npm-ci-followup-2834

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

agents/hermes/Dockerfile.base (1)

147-148: Run Hermes E2E workflows for this base-image dependency bootstrap change.

Since this touches agents/hermes/** install/bootstrap behavior, I recommend running hermes-e2e and rebuild-hermes-e2e before merge to validate onboarding, health probes, and upgrade path end-to-end.

As per coding guidelines, "agents/hermes/**: This directory contains the Hermes agent. Changes affect multi-agent onboarding, health probes, and inference routing." and the recommended selective run is gh workflow run nightly-e2e.yaml --ref <branch> -f jobs=hermes-e2e,rebuild-hermes-e2e.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@agents/hermes/Dockerfile.base` around lines 147 - 148, This change touches
agents/hermes/Dockerfile.base (the npm ci and cleanup lines shown), which can
affect Hermes onboarding and runtime; before merging, run the Hermes end-to-end
workflows to validate onboarding, health probes, and upgrade path by triggering
the nightly-e2e.yaml workflow with only the hermes-e2e and rebuild-hermes-e2e
jobs (for example: run nightly-e2e.yaml --ref <branch> -f
jobs=hermes-e2e,rebuild-hermes-e2e) and address any failures observed in the
Hermes agent bootstrap or probes.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@agents/hermes/Dockerfile.base`:
- Around line 147-148: This change touches agents/hermes/Dockerfile.base (the
npm ci and cleanup lines shown), which can affect Hermes onboarding and runtime;
before merging, run the Hermes end-to-end workflows to validate onboarding,
health probes, and upgrade path by triggering the nightly-e2e.yaml workflow with
only the hermes-e2e and rebuild-hermes-e2e jobs (for example: run
nightly-e2e.yaml --ref <branch> -f jobs=hermes-e2e,rebuild-hermes-e2e) and
address any failures observed in the Hermes agent bootstrap or probes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 162ff5c0-039a-430c-84c3-fcd83d363670

📥 Commits

Reviewing files that changed from the base of the PR and between 7dd5fb3 and 0132e37.

📒 Files selected for processing (1)

• agents/hermes/Dockerfile.base