feat(hermes): add provider onboarding foundation#3320

Merged: ericksoa merged 8 commits into main from ericksoa/hermes-provider-openshell-secrets on May 11, 2026.

@ericksoa ericksoa commented May 10, 2026

Summary

Replays the Hermes Provider onboarding foundation from partner PR #3237 in a branch based on current main, with the credential boundary adjusted to match NemoClaw/OpenShell security invariants.

This keeps bare nemoclaw onboard on the existing OpenClaw default while allowing nemohermes onboard / nemoclaw onboard --agent hermes to select Hermes Provider, choose Nous Portal OAuth or Nous API Key, pick from Nous-recommended models with a full/custom fallback, and register Hermes inference through OpenShell.

Security / Architecture

  • NemoClaw orchestrates Hermes/Nous auth, but does not durably persist Hermes OAuth/API-key material in host-side NemoClaw files.
  • Durable provider credentials are handed to OpenShell provider registration and resolved from OpenShell primitives.
  • OAuth is an in-memory authorization/minting step; the minted inference credential is registered into OpenShell, and refresh/access tokens are not written under ~/.nemoclaw.
  • API-key onboarding uses NOUS_API_KEY / NEMOCLAW_PROVIDER_KEY from the current process and registers it into OpenShell; NOUS_API_KEY is intentionally not added to NemoClaw's legacy host credential store allowlist.
  • Rebuild preflight checks the target Hermes Provider registration in OpenShell and can register an exported NOUS_API_KEY before destructive rebuild work.
  • Session state stores only non-secret Hermes metadata such as hermesAuthMethod; invalid auth methods are rejected/normalized.

Credit

Based on the Hermes Provider foundation work from @shannonsands / NousResearch in #3237. The replay commit includes Shannon as co-author and retains Shannon's signed-off-by from the original contribution.

Verification

  • npm run build:cli
  • npm run typecheck:cli
  • git diff --cached --check
  • npx vitest run src/lib/hermes-provider-auth.test.ts src/lib/oauth-device-code.test.ts src/lib/inference/config.test.ts src/lib/inference/model-prompts.test.ts src/lib/inference/nous-models.test.ts src/lib/state/onboard-session.test.ts src/lib/messaging-channel-config.test.ts src/lib/sandbox-channels.test.ts src/lib/state/sandbox-session.test.ts test/hermes-provider-foundation.test.ts test/rebuild-credential-preflight.test.ts test/generate-hermes-config.test.ts
  • npx vitest run src/lib/oauth-device-code.test.ts

Signed-off-by: Shannon Sands <shannon.sands.1979@gmail.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

Summary by CodeRabbit

  • New Features

    • Hermes Provider added as an inference option with API-key and OAuth onboarding, curated model defaults, remote recommended-model fetching, and installer support for "hermes-provider"
    • Slack allowlist support via SLACK_ALLOWED_USERS env
  • Bug Fixes

    • Strip terminal color codes from status output
    • Redact NOUS_API_KEY in logs
  • Tests

    • Expanded coverage for Hermes auth, OAuth device flow, model selection, rebuild credential preflight, and onboarding flows
  • Docs

    • Documented Hermes auth env vars and aliases

Replay the Hermes Provider onboarding foundation from NousResearch PR #3237 while keeping durable credential ownership in OpenShell provider storage.

Co-authored-by: Shannon Sands <shannon.sands.1979@gmail.com>

Signed-off-by: Shannon Sands <shannon.sands.1979@gmail.com>

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

coderabbitai Bot commented May 10, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

This PR adds Hermes Provider onboarding (OAuth device-code and API-key), Nous model recommendation fetching and UI integration, OpenShell provider registration/upsert, session persistence of Hermes auth method, rebuild credential preflight awareness for Hermes, Slack allowed-user config, tests, and installer/docs updates.

Changes

Hermes Provider OAuth & API-Key Onboarding

| Layer | File(s) | Summary |
|---|---|---|
| OAuth Device-Code Flow | `src/lib/oauth-device-code.ts` | Implements OAuth 2.0 device authorization grant helpers with request, polling, refresh-token, and agent-key minting functions; includes configurable timeout, browser integration, and error handling. |
| Hermes Provider Credential Orchestration | `src/lib/hermes-provider-auth.ts` | Credential orchestration module providing OAuth and API-key credential paths with OpenShell provider registration, validation, and expiry tracking. |
| Nous Portal Model Fetching | `src/lib/inference/nous-models.ts` | Fetch and merge Hermes provider model recommendations from Nous portal with fallback defaults, position-based sorting, and safety validation. |
| Inference Provider Configuration | `src/lib/inference/config.ts` | Add Hermes provider model allowlist, defaults, and provider switch routing with credential environment mapping. |
| Model Selection UI | `src/lib/inference/model-prompts.ts` | Interactive model selection with configurable top-level limit and full-list expansion control, routing to manual entry or portal recommendations. |
| Session State Persistence | `src/lib/state/onboard-session.ts` | Persist Hermes authentication method through onboarding lifecycle with validation, safe updates filtering, and debug serialization. |
| Provider Registry Configuration | `src/lib/onboard/providers.ts`, `src/lib/agent/defs.ts` | Add Hermes provider entry to remote provider configuration with endpoint, defaults, and non-interactive alias support; manifest parsing/validation and inferenceProviderOptions accessor. |
| Onboarding Wizard Integration | `src/lib/onboard.ts` | Complete Hermes Provider support in interactive onboarding with auth method selection, credential staging, model resolution, and session updates. |
| Inference Route Setup & Rebuild Preflight | `src/lib/onboard.ts`, `src/lib/actions/sandbox/rebuild.ts` | Apply Hermes provider inference configuration via OpenShell with credential preparation; rebuild preflight resolves provider from session vs registry and conditionally skips generic credential hydration for Hermes. |
| Slack Messaging Configuration | `src/lib/sandbox-channels.ts`, `agents/hermes/config/messaging-config.ts` | Extend Slack channel definitions with allowed user ID allowlist via SLACK_ALLOWED_USERS environment variable and update env generation. |
| Security Redaction & Parsing | `src/lib/security/redact.ts`, `src/lib/state/sandbox-session.ts` | Add NOUS_API_KEY to redaction patterns and sanitize ANSI escape sequences from OpenShell output parsing. |
| Installer & Docs | `install.sh`, `scripts/install.sh`, `docs/reference/commands.md` | Document hermes-provider in installer usage and add NEMOCLAW_HERMES_AUTH_METHOD with alias envs in docs. |
| Integration & Unit Tests | `test/*`, `src/lib/*/*.test.ts` | Add/update tests covering OAuth helpers, Hermes credential flows, Nous model helpers, model-prompt UX, onboarding flows, rebuild preflight, Slack .env generation, and manifest/inference assertions. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 A rabbit hopped through portal light,
Minted keys and models in the night,
Sessions kept, providers stored,
Slack friends listed — onboarding's restored.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 18.29% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat(hermes): add provider onboarding foundation' clearly and specifically describes the main feature addition in the changeset—introducing Hermes Provider onboarding support—which aligns with the extensive refactoring across onboarding, authentication, and inference configuration files. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/inference/model-prompts.ts`:
- Around line 194-225: The prompt currently maps Enter to "Other..." when the
saved default model is outside the visibleOptions, because defaultChoice
math/regression causes the parsed index to fall through to manual entry; fix by,
after computing index (the parsed choice), add an early branch that if index ===
defaultIndex then return defaultModel (before the visibleOptions bounds checks
and the "Other..." branch). Update the code paths around deps.promptFn parsing
(the index variable) and the subsequent conditional sequence so
promptFullRemoteModelList/promptManualModelId are only reached when the user
explicitly selected those, while Enter (or a number equal to defaultIndex+1)
returns defaultModel.

In `@src/lib/oauth-device-code.ts`:
- Around line 7-10: Update the module header in oauth-device-code.ts to correct
the persistence contract: state explicitly that Hermes OAuth/API-key material
MUST NOT be durably persisted to host-side NemoClaw storage (e.g., ~/.nemoclaw);
instead describe that onboarding mints short-lived agent keys for the OpenShell
inference provider from ephemeral tokens and that the sandbox only ever receives
the OpenShell inference placeholder (never raw Hermes/Nous OAuth tokens or API
keys). Ensure the header replaces the current wording that implies refresh
tokens are stored under ~/.nemoclaw with the new invariant forbidding durable
host persistence.
- Around line 125-137: postForm currently calls fetchImpl without an AbortSignal
so long-running sockets can hang; implement a reusable timeout helper that
returns an AbortController/AbortSignal (e.g., createRequestTimeout(timeoutMs):
{signal, clear}) and use it in postForm to pass signal into fetchImpl and clear
the timeout after completion, and also update mintAgentKeyWithAccessToken to use
the same helper so token polling/refresh requests are bounded by timeoutSeconds;
reference postForm and mintAgentKeyWithAccessToken when applying the change and
ensure existing fetch headers/behavior are preserved and the timeout is cleaned
up on success or error.

In `@src/lib/onboard.ts`:
- Around line 6646-6653: The hermesAuthMethod variable can retain stale Hermes
data when the user backs out to pick another provider; when handling the Hermes
branch (the selected.key === "hermesProvider" block) and the user chooses
BACK_TO_SELECTION (before continue selectionLoop), explicitly reset
hermesAuthMethod (e.g., set to undefined or null) so it cannot leak into
non-Hermes selections, and likewise ensure any code path that switches away from
Hermes clears hermesAuthMethod to avoid returning Hermes metadata for
OpenAI/Ollama selections.
- Around line 1532-1557: When running non-interactively, promptHermesAuthMethod
currently defaults to OAuth even if a Nous API key is present; change
promptHermesAuthMethod so that if getRequestedHermesAuthMethod() returns null
but an API key env var is exported (e.g. process.env.NOUS_API_KEY or
process.env.NEMOCLAW_PROVIDER_KEY), the default method becomes
HERMES_AUTH_METHOD_API_KEY instead of HERMES_AUTH_METHOD_OAUTH; update the
non-interactive branch to choose method = requested || (apiKeyPresent ?
HERMES_AUTH_METHOD_API_KEY : HERMES_AUTH_METHOD_OAUTH) and keep the note(...)
call using hermesAuthMethodLabel(method).

In `@test/hermes-provider-foundation.test.ts`:
- Around line 44-48: The spawnSync invocations in the test (the call using
spawnSync(process.execPath, [scriptPath], { cwd: repoRoot, encoding: "utf-8",
env: buildHermeticEnv(tmpDir) })) can hang; add a bounded timeout option to
their options object (e.g., timeout: 30000) so the child is killed after a
reasonable period and the test fails deterministically; apply the same change to
the other spawnSync usages in this file (the other result = spawnSync(...)
occurrences) ensuring the timeout value is included in each options literal (and
optionally set killSignal or cwd/encoding/env unchanged).
- Around line 10-17: The helper buildHermeticEnv currently only strips DISCORD_*
and TELEGRAM_* but still inherits ambient NEMOCLAW_* and other credential/config
vars that make tests flaky; update buildHermeticEnv to remove any env keys
matching NEMOCLAW_* plus common credential/config prefixes (e.g. NEMOCLAW_,
AWS_, GCP_, GOOGLE_, GCLOUD_, AZURE_, and keys ending with _CREDENTIALS or
containing "SECRET" or "TOKEN") by iterating Object.keys(env) and deleting keys
that match those patterns so the spawned helper runs with a fully hermetic
environment.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 786260ff-9c33-4727-b255-b3c1adf894a9

📥 Commits

Reviewing files that changed from the base of the PR and between 34d9f61 and f17d844.

📒 Files selected for processing (27)
  • agents/hermes/config/messaging-config.ts
  • install.sh
  • scripts/install.sh
  • src/lib/actions/sandbox/rebuild.ts
  • src/lib/hermes-provider-auth.test.ts
  • src/lib/hermes-provider-auth.ts
  • src/lib/inference/config.test.ts
  • src/lib/inference/config.ts
  • src/lib/inference/model-prompts.test.ts
  • src/lib/inference/model-prompts.ts
  • src/lib/inference/nous-models.test.ts
  • src/lib/inference/nous-models.ts
  • src/lib/messaging-channel-config.test.ts
  • src/lib/oauth-device-code.test.ts
  • src/lib/oauth-device-code.ts
  • src/lib/onboard.ts
  • src/lib/onboard/providers.ts
  • src/lib/sandbox-channels.test.ts
  • src/lib/sandbox-channels.ts
  • src/lib/security/redact.ts
  • src/lib/state/onboard-session.test.ts
  • src/lib/state/onboard-session.ts
  • src/lib/state/sandbox-session.test.ts
  • src/lib/state/sandbox-session.ts
  • test/generate-hermes-config.test.ts
  • test/hermes-provider-foundation.test.ts
  • test/rebuild-credential-preflight.test.ts

Comment thread src/lib/inference/model-prompts.ts
Comment thread src/lib/oauth-device-code.ts Outdated
Comment thread src/lib/oauth-device-code.ts Outdated
Comment thread src/lib/onboard.ts
Comment thread src/lib/onboard.ts
Comment thread test/hermes-provider-foundation.test.ts Outdated
Comment thread test/hermes-provider-foundation.test.ts
ericksoa added 2 commits May 10, 2026 06:44
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@ericksoa ericksoa self-assigned this May 10, 2026
@ericksoa ericksoa added fix integration: hermes Hermes integration behavior labels May 10, 2026
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (1)
src/lib/agent/defs.ts (1)

88-89: ⚡ Quick win

Tighten inferenceProviderOptions type to non-optional

This accessor always returns an array (Line 388-390), so keeping it optional in AgentDefinition weakens the contract and introduces unnecessary undefined checks for callers.

💡 Suggested type update
-  readonly inferenceProviderOptions?: string[];
+  readonly inferenceProviderOptions: string[];
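Review bot: on the `+` line, `readonly` only prevents reassigning the property; the array itself stays mutable, so a caller can still `push` into a list that is shared with the definition. If the options are meant to be fixed once the manifest is parsed, type it as `readonly string[]`. Dropping the `?` also makes every object that omits the field a compile error, and this hunk shows only the interface line, so the change should land together with an explicit `[]` default wherever an `AgentDefinition` is built.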
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/agent/defs.ts` around lines 88 - 89, The AgentDefinition interface
currently declares readonly inferenceProviderOptions?: string[] but the accessor
always returns an array, so change the type to readonly
inferenceProviderOptions: string[] to tighten the contract; update any
constructors/defaults or places that create AgentDefinition instances (e.g., the
factory or new AgentDefinition(...) calls and any object literals) to provide an
empty array when none are specified, and remove redundant undefined checks where
callers use inferenceProviderOptions, ensuring code paths that assumed undefined
now treat it as an empty array.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/agent/defs.ts`:
- Around line 262-270: readInference currently tolerates malformed manifest
fields and silently returns undefined/filtered arrays; change it to fail fast by
validating the shape of the "inference" object and throwing a descriptive Error
when fields are wrong. Specifically, inside readInference (which uses
readObject/readString/readStringArray), check that provider_type is a string and
provider_options is an array of strings; if either check fails throw an Error
referencing the ManifestRecord (or record.id if available) and the offending key
(provider_type or provider_options) so callers can detect bad manifests
immediately. Ensure AgentInference is only returned when both validations pass.

In `@src/lib/onboard.ts`:
- Around line 6699-6710: The call to nousModels.getHermesProviderModelOptions()
can reject and currently aborts onboarding; wrap that call in a try/catch, log
or surface a non-fatal warning, and on failure set hermesProviderModels to a
safe fallback (e.g., undefined or an empty array) so
promptRemoteModel(remoteConfig.label, selected.key, defaultModel, null, {
otherShowsFullList: true, remoteModelOptions: { [selected.key]:
hermesProviderModels }, topLevelModelLimit: 10 }) still runs and falls back to
the documented full/custom model behavior; ensure the catch does not rethrow and
that promptRemoteModel receives a well-formed remoteModelOptions (omit the key
or pass an empty list) so the existing fallback paths remain available.
- Around line 7480-7538: The code only calls
ensureHermesProviderApiKeyCredentials/ensureHermesProviderOAuthCredentials when
isHermesProviderRegistered(...) is false, which leaves existing Hermes
registrations stale when the auth method or NOUS_API_KEY changes; update the
logic so credential reconciliation always runs (or runs when the
resolvedHermesAuthMethod or credentialEnv differs) by invoking
ensureHermesProviderApiKeyCredentials or ensureHermesProviderOAuthCredentials
regardless of isHermesProviderRegistered, using resolvedHermesAuthMethod,
resolveHermesNousApiKey, and runOpenshell to refresh credentials; keep the
existing error handling (hermesAuthMethodLabel, process.exit, retry) and only
skip re-applying the provider registration when you can detect no change.

In `@test/onboard.test.ts`:
- Around line 2793-2827: The test currently deletes process.env.NOUS_API_KEY and
process.env.OPENAI_API_KEY which makes the "not forwarded" assertion weak;
instead seed sentinel values (e.g., process.env.NOUS_API_KEY = "SENTINEL_NOUS"
and process.env.OPENAI_API_KEY = "SENTINEL_OPENAI") before requiring/setuping
the script that calls setupInference, then update the assertions that inspect
the captured commands (via parseStdoutJson, CommandEntry and the commands array)
to assert that none of the command.env values or command.command/argv strings
contain those sentinel tokens (and still assert no provider create/update
occurred and expected commands exist). This ensures secrets were present in the
environment but never forwarded to child commands.

---

Nitpick comments:
In `@src/lib/agent/defs.ts`:
- Around line 88-89: The AgentDefinition interface currently declares readonly
inferenceProviderOptions?: string[] but the accessor always returns an array, so
change the type to readonly inferenceProviderOptions: string[] to tighten the
contract; update any constructors/defaults or places that create AgentDefinition
instances (e.g., the factory or new AgentDefinition(...) calls and any object
literals) to provide an empty array when none are specified, and remove
redundant undefined checks where callers use inferenceProviderOptions, ensuring
code paths that assumed undefined now treat it as an empty array.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8ee0793f-9f4b-4893-a97a-6a8360308618

📥 Commits

Reviewing files that changed from the base of the PR and between 05c4c9d and 0f232a1.

📒 Files selected for processing (7)
  • agents/hermes/manifest.yaml
  • src/lib/agent/defs.test.ts
  • src/lib/agent/defs.ts
  • src/lib/inference/model-prompts.test.ts
  • src/lib/inference/model-prompts.ts
  • src/lib/onboard.ts
  • test/onboard.test.ts
✅ Files skipped from review due to trivial changes (1)
  • agents/hermes/manifest.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/lib/inference/model-prompts.test.ts
  • src/lib/inference/model-prompts.ts

Comment thread src/lib/agent/defs.ts
Comment thread src/lib/onboard.ts Outdated
Comment thread src/lib/onboard.ts
Comment thread test/onboard.test.ts Outdated
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@ericksoa

CodeRabbit feedback response for latest push 4a073c96e55ccbec52321f29ee16ada8d2ddb58c:

  • Kept Enter bound to the current/default remote model: already addressed in the prior model prompt fix; regression coverage is in src/lib/inference/model-prompts.test.ts.
  • Corrected OAuth persistence contract and added request-level abort timeouts: the OAuth helper now documents that Hermes/Nous material must not be durably persisted in host-side NemoClaw storage, and outbound OAuth/agent-key requests use AbortSignal timeouts independent of the device-flow approval window.
  • Non-interactive API-key auth default: already addressed; an exported NOUS_API_KEY / NEMOCLAW_PROVIDER_KEY selects the API-key path without requiring a second auth-method env var.
  • Reset stale hermesAuthMethod state between provider-selection loop iterations.
  • Hardened Hermes selection tests: hermetic env cleanup and spawn timeouts were already present; the new follow-up also seeds sentinel host secrets and asserts they do not appear in argv/env when reusing an existing OpenShell provider.
  • Tightened agent manifest inference typing and validation: inferenceProviderOptions is non-optional and malformed inference.provider_type / inference.provider_options now fail fast.
  • Added Nous model catalog fallback: if model recommendations cannot be loaded, onboarding warns and falls back to the current/default model path instead of aborting.
  • Reconciled existing Hermes provider registrations only when there is an explicit fresh credential source: existing OpenShell provider state is reused by default, but a selected API-key flow with a shell-provided Nous key updates the OpenShell provider through env, never argv.

Local validation run before push:

  • npm run build:cli
  • npm run typecheck:cli
  • npm run checks
  • npx vitest run src/lib/agent/defs.test.ts src/lib/oauth-device-code.test.ts src/lib/inference/model-prompts.test.ts test/hermes-provider-foundation.test.ts test/no-direct-credential-env.test.ts test/check-env-var-docs.test.ts
  • npx vitest run test/onboard.test.ts -t "reuses a registered Hermes Provider without re-collecting host credentials|reconciles a registered Hermes Provider when a fresh shell Nous key is selected|passes credential names to openshell without embedding secret values in argv"
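
The sentinel approach from the response above (seed known secret values into the host environment, then assert they never reach child-process argv or env), as an added TypeScript example that is not code from this PR or from NemoClaw. The `CommandEntry` shape, the function names and the placeholder argv strings are assumptions; the env-stripping rules follow the review comment on `buildHermeticEnv`.

```typescript
// Added illustration, not NemoClaw or OpenShell code. CommandEntry models a
// captured child-process call; its shape here is an assumption.
interface CommandEntry {
  command: string;
  argv: string[];
  env: Record<string, string>;
}
interface Leak {
  index: number; // position of the command in the capture
  where: "argv" | "env";
  secretName: string; // which seeded secret was found
  carrier: string; // "command", "argv[i]" or the env var name that held it
}
type EnvPolicy = (entry: CommandEntry, envName: string, secretName: string) => boolean;

// Prefix and substring rules as listed in the review comment on buildHermeticEnv.
const AMBIENT_PREFIXES = ["DISCORD_", "TELEGRAM_", "NEMOCLAW_", "AWS_", "GCP_", "GOOGLE_", "GCLOUD_", "AZURE_"];

function isAmbientCredentialKey(key: string): boolean {
  return (
    AMBIENT_PREFIXES.some((prefix) => key.startsWith(prefix)) ||
    key.endsWith("_CREDENTIALS") ||
    key.includes("SECRET") ||
    key.includes("TOKEN")
  );
}

// Strip ambient credentials, then seed sentinels. Seeding (rather than deleting)
// is what lets a later "not forwarded" assertion prove the secret was withheld.
function hermeticEnvWithSentinels(
  base: Record<string, string | undefined>,
  sentinels: Record<string, string>,
): Record<string, string> {
  const env: Record<string, string> = {};
  for (const [key, value] of Object.entries(base)) {
    if (value !== undefined && !isAmbientCredentialKey(key)) env[key] = value;
  }
  return { ...env, ...sentinels };
}

// Report every place a sentinel value shows up. argv is never acceptable; env is
// acceptable only where the policy explicitly allows that variable for that command.
function findSecretLeaks(
  commands: CommandEntry[],
  sentinels: Record<string, string>,
  envAllowed: EnvPolicy = () => false,
): Leak[] {
  const leaks: Leak[] = [];
  commands.forEach((entry, index) => {
    for (const [secretName, value] of Object.entries(sentinels)) {
      if (value.length < 8) throw new Error(`sentinel for ${secretName} is too short`);
      // Substring match also catches a secret embedded in a longer argument.
      if (entry.command.includes(value)) {
        leaks.push({ index, where: "argv", secretName, carrier: "command" });
      }
      entry.argv.forEach((arg, i) => {
        if (arg.includes(value)) {
          leaks.push({ index, where: "argv", secretName, carrier: `argv[${i}]` });
        }
      });
      // Match on value, not name, so a secret forwarded under a renamed variable is caught.
      for (const [envName, envValue] of Object.entries(entry.env)) {
        if (envValue.includes(value) && !envAllowed(entry, envName, secretName)) {
          leaks.push({ index, where: "env", secretName, carrier: envName });
        }
      }
    }
  });
  return leaks;
}

const SENTINELS = { NOUS_API_KEY: "SENTINEL_NOUS", OPENAI_API_KEY: "SENTINEL_OPENAI" };

// Constructed captures. The argv strings are placeholders, not real OpenShell syntax.
const reuseExisting: CommandEntry[] = [
  { command: "openshell", argv: ["<set-inference>", "<provider-name>"], env: { PATH: "/usr/bin" } },
];
const reconcileViaEnv: CommandEntry[] = [
  {
    command: "openshell",
    argv: ["<update-provider>", "<credential-name>=NOUS_API_KEY"],
    env: { PATH: "/usr/bin", NOUS_API_KEY: "SENTINEL_NOUS" },
  },
];
const leaky: CommandEntry[] = [
  {
    command: "openshell",
    argv: ["<update-provider>", "<credential-value>=SENTINEL_NOUS"],
    env: { PATH: "/usr/bin", OPENAI_API_KEY: "SENTINEL_OPENAI" },
  },
];

// Policy for the reconcile path: only the Nous key, under its own name, to openshell.
const nousKeyToOpenshellOnly: EnvPolicy = (entry, envName, secretName) =>
  entry.command === "openshell" && envName === "NOUS_API_KEY" && secretName === "NOUS_API_KEY";
```

With the default policy every env occurrence is a finding; passing `nousKeyToOpenshellOnly` models the reconcile path, where the key may travel by env to one command but still never by argv.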

@github-actions

Selective E2E Results — ✅ All requested jobs passed

Run: 25679224745
Branch: ericksoa/hermes-provider-openshell-secrets
Requested jobs: all (no filter)
Summary: 35 passed, 0 failed, 2 skipped

Job Result
cloud-e2e ✅ success
cloud-inference-e2e ✅ success
cloud-onboard-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ✅ success
deployment-services-e2e ✅ success
device-auth-health-e2e ✅ success
diagnostics-e2e ✅ success
docs-validation-e2e ✅ success
double-onboard-e2e ✅ success
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
hermes-discord-e2e ✅ success
hermes-e2e ✅ success
hermes-slack-e2e ✅ success
inference-routing-e2e ✅ success
issue-2478-crash-loop-recovery-e2e ✅ success
kimi-inference-compat-e2e ✅ success
launchable-smoke-e2e ✅ success
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ✅ success
network-policy-e2e ✅ success
onboard-repair-e2e ✅ success
onboard-resume-e2e ✅ success
overlayfs-autofix-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success
rebuild-openclaw-e2e ✅ success
runtime-overrides-e2e ✅ success
sandbox-operations-e2e ✅ success
sandbox-survival-e2e ✅ success
shields-config-e2e ✅ success
skill-agent-e2e ✅ success
snapshot-commands-e2e ✅ success
telegram-injection-e2e ✅ success
token-rotation-e2e ✅ success
upgrade-stale-sandbox-e2e ✅ success

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
src/lib/inference/config.ts (1)

47-47: ⚡ Quick win

Make the Hermes default model explicit instead of index-based.

Line 47 ties behavior to array order; reordering the curated list would silently change onboarding defaults.

Proposed refactor
-export const HERMES_PROVIDER_MODEL_OPTIONS = [
-  "moonshotai/kimi-k2.6",
+export const DEFAULT_HERMES_PROVIDER_MODEL = "moonshotai/kimi-k2.6";
+export const HERMES_PROVIDER_MODEL_OPTIONS = [
+  DEFAULT_HERMES_PROVIDER_MODEL,
   "xiaomi/mimo-v2.5-pro",
   "xiaomi/mimo-v2.5",
   "tencent/hy3-preview",
   "anthropic/claude-opus-4.7",
   "anthropic/claude-opus-4.6",
   "anthropic/claude-sonnet-4.6",
   "anthropic/claude-sonnet-4.5",
   "anthropic/claude-haiku-4.5",
   "openai/gpt-5.5",
   "openai/gpt-5.4-mini",
   "openai/gpt-5.3-codex",
   "google/gemini-3-pro-preview",
   "google/gemini-3-flash-preview",
   "google/gemini-3.1-pro-preview",
   "google/gemini-3.1-flash-lite-preview",
   "qwen/qwen3.5-plus-02-15",
   "qwen/qwen3.5-35b-a3b",
   "stepfun/step-3.5-flash",
   "minimax/minimax-m2.7",
   "minimax/minimax-m2.5",
   "minimax/minimax-m2.5:free",
   "z-ai/glm-5.1",
   "z-ai/glm-5v-turbo",
   "z-ai/glm-5-turbo",
   "x-ai/grok-4.20-beta",
   "nvidia/nemotron-3-super-120b-a12b",
   "arcee-ai/trinity-large-thinking",
   "openai/gpt-5.5-pro",
   "openai/gpt-5.4-nano",
 ] as const;
-export const DEFAULT_HERMES_PROVIDER_MODEL = HERMES_PROVIDER_MODEL_OPTIONS[0];
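Review bot: the new `DEFAULT_HERMES_PROVIDER_MODEL` declaration at the top of the hunk has no comment saying that it must remain a member of `HERMES_PROVIDER_MODEL_OPTIONS`, and the list still places it first without stating whether position carries any meaning now. Add a one-line comment on the constant covering both points, so a later reorder or removal of the first entry is a deliberate choice. It is also worth checking for other readers of `HERMES_PROVIDER_MODEL_OPTIONS[0]`, since those would keep following array order after this change.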
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/inference/config.ts` at line 47, DEFAULT_HERMES_PROVIDER_MODEL is set
from HERMES_PROVIDER_MODEL_OPTIONS[0], which couples the default to array order;
change it to an explicit, named default value instead (e.g., the intended model
string or an exported constant) rather than indexing the array. Replace the
assignment to DEFAULT_HERMES_PROVIDER_MODEL so it references the explicit model
identifier you want as the default (or uses a find by model name on
HERMES_PROVIDER_MODEL_OPTIONS if you must derive it), and keep the symbol names
DEFAULT_HERMES_PROVIDER_MODEL and HERMES_PROVIDER_MODEL_OPTIONS to locate/verify
the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/inference/config.ts`:
- Line 47: DEFAULT_HERMES_PROVIDER_MODEL is set from
HERMES_PROVIDER_MODEL_OPTIONS[0], which couples the default to array order;
change it to an explicit, named default value instead (e.g., the intended model
string or an exported constant) rather than indexing the array. Replace the
assignment to DEFAULT_HERMES_PROVIDER_MODEL so it references the explicit model
identifier you want as the default (or uses a find by model name on
HERMES_PROVIDER_MODEL_OPTIONS if you must derive it), and keep the symbol names
DEFAULT_HERMES_PROVIDER_MODEL and HERMES_PROVIDER_MODEL_OPTIONS to locate/verify
the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1ae78979-7a5b-4809-ad20-7273a1acef38

📥 Commits

Reviewing files that changed from the base of the PR and between 4a073c9 and 23ad5cf.

📒 Files selected for processing (4)
  • docs/reference/commands.md
  • src/lib/actions/inference-set.test.ts
  • src/lib/inference/config.ts
  • src/lib/onboard/providers.ts
✅ Files skipped from review due to trivial changes (2)
  • src/lib/actions/inference-set.test.ts
  • docs/reference/commands.md

@ericksoa ericksoa merged commit ee06654 into main May 11, 2026
24 checks passed
@ericksoa ericksoa deleted the ericksoa/hermes-provider-openshell-secrets branch May 11, 2026 16:11
@miyoungc miyoungc mentioned this pull request May 12, 2026
12 tasks
miyoungc added a commit that referenced this pull request May 12, 2026
## Summary
Refreshes the release-prep docs for v0.0.39 based on changes merged
since the Friday 4pm doc refresh. Updates the source docs, bumps the
docs version metadata, and regenerates the NemoClaw user skills from the
refreshed docs.

## Changes
- #3314 -> `docs/get-started/prerequisites.md`,
`docs/get-started/quickstart.md`, `docs/reference/troubleshooting.md`:
Documents installer Docker setup, Docker group activation, and retry
guidance.
- #3317 -> `docs/get-started/quickstart.md`,
`docs/reference/commands.md`: Documents the DGX Spark and DGX Station
express install prompt and `NEMOCLAW_NO_EXPRESS`.
- #3328 and #3329 -> `docs/security/best-practices.md`,
`docs/deployment/sandbox-hardening.md`: Updates sandbox capability
hardening docs for the stricter bounding-set and `setpriv` step-down
behavior.
- #3330, #3335, and #3346 -> `docs/inference/use-local-inference.md`:
Documents Windows-host Ollama relaunch behavior, NIM key passthrough,
early health-fail diagnostics, and mixed-GPU preflight detail.
- #2406, #2883, #3001, #3244, #3267, #3318, #3320, and #3354 ->
`docs/about/release-notes.md`: Adds the v0.0.39 release-prep section
while keeping the v0.0.38 release notes intact.
- Advances the release-prep docs metadata from v0.0.38 to v0.0.39.
- Regenerates `.agents/skills/nemoclaw-user-*` from the updated source
docs.

## Type of Change
- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Verification
- [x] `npx prek run --all-files` passes
- [ ] `npm test` passes
- [ ] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [x] Docs updated for user-facing behavior changes
- [x] `make docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes v0.0.39

* **New Features**
  * Host alias management commands for easier configuration
  * Sandbox GPU control options during onboarding
  * Update command with check and confirmation modes

* **Documentation**
* Enhanced Linux installer guidance with Docker and group membership
handling
  * Expanded troubleshooting for permission and connectivity issues
  * Improved capability-dropping security documentation
  * Updated inference model switching commands
  * Brev environment-specific troubleshooting

* **Improvements**
  * DGX Spark/Station express install flow
  * Windows Ollama relay and health-check enhancements
  * NVIDIA NIM preflight GPU reporting


<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@wscurran wscurran added bug-fix PR fixes a bug or regression and removed fix labels Jun 3, 2026