fix(hermes): restore share-mount package parity

[ericksoa]

Summary

• Replays fix(hermes): restore share-mount package parity #2975 from @Iamkewl / Suryaansh to restore Hermes share-mount package parity.
• Adds the pinned gnupg, procps, and openssh-sftp-server packages to agents/hermes/Dockerfile.base, matching the main sandbox base image package contract.
• Replaces the original source-text regression with a behavior-style test that executes the Hermes base apt layer under a stubbed apt-get, so the source-shape budget stays at zero.

Attribution

This is a maintainer replay of #2975 for issue #2947 because the original contributor branch is cross-repo and not maintainer-writable. The original author and Signed-off-by trailer are preserved on the replay commit; the maintainer adjustment is limited to the test shape required by CI.

Closes #2947
Replaces #2975

Verification

• ./node_modules/.bin/vitest run test/hermes-share-mount-deps.test.ts
• ./node_modules/.bin/vitest run test/sandbox-provisioning.test.ts test/hermes-share-mount-deps.test.ts src/lib/share-command.test.ts
• npm run source-shape:check
• npm run typecheck:cli
• git diff --check origin/main...HEAD

Summary by CodeRabbit

• Chores

  • Updated the container base image to include additional system utilities.

• Tests

  • Added automated validation to verify system utilities are correctly installed in the container environment.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds missing system packages (gnupg, procps, openssh-sftp-server) to the Hermes base Dockerfile and introduces a test to verify the packages are correctly specified with pinned versions, ensuring share mount functionality.

Changes

Dockerfile and Dependency Test

Layer / File(s)	Summary
Dockerfile Package Updates agents/hermes/Dockerfile.base	Adds three packages to apt-get install: gnupg, procps, and openssh-sftp-server with pinned versions.
Dependency Validation Test test/hermes-share-mount-deps.test.ts	New Vitest suite that extracts the apt-get install RUN command from the Dockerfile via regex, executes it in a bash wrapper that logs apt calls, and asserts exit success and presence of expected pinned package version strings. Includes temp directory cleanup.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Three packages hid in the sandbox deep,
But gnupg, procps, and ssh's keep
Were missing from Hermes' mighty base—
Now tested and pinned in their rightful place! 📦✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(hermes): restore share-mount package parity' directly and clearly summarizes the main change: restoring Hermes image parity with missing packages for share-mount functionality.
Linked Issues check	✅ Passed	The PR fulfills the core coding objectives: adds gnupg, procps, and openssh-sftp-server packages to the Hermes Dockerfile.base to restore share-mount functionality parity with the main sandbox image, matching the requirements from issue #2947.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to restoring Hermes share-mount package parity: Dockerfile.base package additions and a focused test verifying the apt-get installation of those specific packages.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/hermes-share-mount-parity-2947-replay

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

agents/hermes/Dockerfile.base (1)

32-46: Run the Hermes e2e pair for this base-image dependency change.

This edit is in agents/hermes/**, so validating with both onboarding and rebuild Hermes e2e flows is the right operational guardrail before merge.

As per coding guidelines: agents/hermes/** changes should run hermes-e2e and rebuild-hermes-e2e.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/hermes/Dockerfile.base` around lines 32 - 46, This change updates
base-image packages in the Hermes Dockerfile; before merging, run the Hermes
end-to-end validations: execute the hermes-e2e onboarding flow and the
rebuild-hermes-e2e flow to verify the updated dependencies; if either fails,
capture logs, revert or adjust the package versions in Dockerfile.base (the RUN
apt-get ... block) and iterate until both hermes-e2e and rebuild-hermes-e2e
pass.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@agents/hermes/Dockerfile.base`:
- Around line 32-46: This change updates base-image packages in the Hermes
Dockerfile; before merging, run the Hermes end-to-end validations: execute the
hermes-e2e onboarding flow and the rebuild-hermes-e2e flow to verify the updated
dependencies; if either fails, capture logs, revert or adjust the package
versions in Dockerfile.base (the RUN apt-get ... block) and iterate until both
hermes-e2e and rebuild-hermes-e2e pass.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 71d884c1-aa28-4bd5-a10a-e96b43fe6640

📥 Commits

Reviewing files that changed from the base of the PR and between 9471322 and 570d85d.

📒 Files selected for processing (2)

• agents/hermes/Dockerfile.base
• test/hermes-share-mount-deps.test.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25338232939
Branch: fix/hermes-share-mount-parity-2947-replay
Requested jobs: hermes-e2e,rebuild-hermes-e2e
Summary: 2 passed, 0 failed, 20 skipped

Job	Result
cloud-e2e	⏭️ skipped
cloud-inference-e2e	⏭️ skipped
cloud-onboard-e2e	⏭️ skipped
deployment-services-e2e	⏭️ skipped
diagnostics-e2e	⏭️ skipped
docs-validation-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-e2e	✅ success
inference-routing-e2e	⏭️ skipped
messaging-compatible-endpoint-e2e	⏭️ skipped
messaging-providers-e2e	⏭️ skipped
network-policy-e2e	⏭️ skipped
overlayfs-autofix-e2e	⏭️ skipped
rebuild-hermes-e2e	✅ success
rebuild-openclaw-e2e	⏭️ skipped
sandbox-operations-e2e	⏭️ skipped
sandbox-survival-e2e	⏭️ skipped
shields-config-e2e	⏭️ skipped
skill-agent-e2e	⏭️ skipped
snapshot-commands-e2e	⏭️ skipped
token-rotation-e2e	⏭️ skipped
upgrade-stale-sandbox-e2e	⏭️ skipped