fix(hermes): enable macOS VM rootfs compat #3442

Merged: ericksoa merged 1 commit into main from fix/hermes-darwin-vm-rootfs-compat on May 13, 2026
Conversation

@ericksoa ericksoa commented May 13, 2026

Contributor

Summary

  • add the Darwin VM compatibility ARG to the Hermes sandbox Dockerfile
  • relax Hermes mutable state and trusted rc files only when NEMOCLAW_DARWIN_VM_COMPAT=1, matching the macOS OpenShell VM ownership-repair path while preserving Linux/Docker defaults
  • extend the OpenShell gateway upgrade regression guard so Hermes is checked alongside OpenClaw

Validation

  • git diff --check
  • bash -n test/e2e/test-openshell-gateway-upgrade.sh
  • shellcheck test/e2e/test-openshell-gateway-upgrade.sh
  • docker build -f agents/hermes/Dockerfile --build-arg NEMOCLAW_DARWIN_VM_COMPAT=1 -t nemoclaw-hermes-darwin-compat-test:local .
  • docker run --rm --entrypoint /bin/sh nemoclaw-hermes-darwin-compat-test:local -lc 'stat -c "%a %U:%G %n" /sandbox/.bashrc /sandbox/.profile /sandbox/.hermes /sandbox/.hermes/config.yaml /sandbox/.hermes/.env /sandbox/.hermes/.config-hash /sandbox/.hermes/runtime'

Notes

The observed macOS failure happened after the image build completed: OpenShell VM rootfs ownership repair exited on root-owned read-only /sandbox/.bashrc and /sandbox/.profile in the Hermes image. Ubuntu Docker nightly coverage does not hit this VM repair path.

Summary by CodeRabbit

Release Notes

  • Chores

    • Enhanced macOS virtual machine backend support with improved permission handling for platform-specific environments.
  • Tests

    • Expanded end-to-end tests to verify macOS virtual machine environment compatibility requirements.

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
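The extended e2e assertions described in the Summary are static checks over the Dockerfile text, and the Validation step inspects the built image with `stat -c "%a %U:%G %n"`. The script below is an added example, not NemoClaw project code: it performs both kinds of check against constructed samples. The Dockerfile fragments (including the exact shape of the `if [ "$NEMOCLAW_DARWIN_VM_COMPAT" = "1" ]` guard) and the stat listings are assumed and not copied from agents/hermes/Dockerfile or from a real image; only the ARG name, the `chmod a+rwX` relaxation and the /sandbox paths are the ones this PR names.

```shell
#!/bin/sh
# Added example (not NemoClaw project code). Two checks around the
# NEMOCLAW_DARWIN_VM_COMPAT build argument:
#   1. static Dockerfile checks of the kind the extended e2e test performs
#   2. a parser for `stat -c "%a %U:%G %n"` output that flags world-writable paths
# All Dockerfile text and stat listings below are constructed samples.

# Constructed Dockerfile fragment with the relaxation behind the compat guard
# (the guard's exact shape is assumed, not taken from agents/hermes/Dockerfile).
SAMPLE_DOCKERFILE_GUARDED='FROM ubuntu:24.04
ARG NEMOCLAW_DARWIN_VM_COMPAT=0
RUN mkdir -p /sandbox/.hermes/runtime
RUN if [ "$NEMOCLAW_DARWIN_VM_COMPAT" = "1" ]; then \
      chmod a+rwX /sandbox/.bashrc /sandbox/.profile && \
      find /sandbox/.hermes -exec chmod a+rwX {} + ; \
    fi
'

# Constructed counter-example: compat enabled by default and the chmod not guarded,
# so a plain Linux/Docker build would ship relaxed permissions.
SAMPLE_DOCKERFILE_UNGUARDED='FROM ubuntu:24.04
ARG NEMOCLAW_DARWIN_VM_COMPAT=1
RUN chmod a+rwX /sandbox/.bashrc /sandbox/.profile
'

# Constructed `stat -c "%a %U:%G %n"` listings (assumed values, not captured output):
# the strict default layout and the Darwin compat layout.
SAMPLE_STAT_STRICT='644 root:root /sandbox/.bashrc
644 root:root /sandbox/.profile
755 sandbox:sandbox /sandbox/.hermes
600 sandbox:sandbox /sandbox/.hermes/.env
'
SAMPLE_STAT_COMPAT='666 root:root /sandbox/.bashrc
666 root:root /sandbox/.profile
777 sandbox:sandbox /sandbox/.hermes
666 sandbox:sandbox /sandbox/.hermes/.env
'

# 0 if the ARG is declared with default 0, so Linux/Docker builds stay strict.
dockerfile_arg_defaults_to_zero() {
  printf '%s\n' "$1" | grep -q '^ARG NEMOCLAW_DARWIN_VM_COMPAT=0$'
}

# 0 if every RUN that chmods something under /sandbox also tests the compat ARG.
# Continuation lines are joined first, because the guard and the chmod usually
# sit on different physical lines of the same RUN instruction.
chmod_is_guarded() {
  printf '%s\n' "$1" | awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    {
      line = buf $0; buf = ""
      if (line ~ /^RUN/ && line ~ /chmod/ && line ~ /\/sandbox/ &&
          line !~ /NEMOCLAW_DARWIN_VM_COMPAT" = "1"/) bad++
    }
    END { exit (bad > 0) }'
}

# Run both static checks; print each failure and return non-zero if any failed.
audit_dockerfile() {
  _rc=0
  dockerfile_arg_defaults_to_zero "$1" || { echo "FAIL: ARG must default to 0"; _rc=1; }
  chmod_is_guarded "$1" || { echo "FAIL: chmod under /sandbox outside the compat guard"; _rc=1; }
  return $_rc
}

# Print every path whose "other" permission digit has the write bit set.
# Returns 0 when none is world-writable (strict layout), 1 otherwise.
# Assumes paths contain no spaces, as in the PR's validation command.
world_writable_paths() {
  printf '%s\n' "$1" | awk '
    NF >= 3 {
      other = substr($1, length($1), 1)  # last octal digit = "other" rwx bits
      if (int(other) % 4 >= 2) { print $3; found++ }
    }
    END { exit (found > 0) }'
}

# Demo run; every status is consumed by if/||, so this is safe under set -e.
if audit_dockerfile "$SAMPLE_DOCKERFILE_GUARDED"; then echo "guarded sample: ok"; fi
if audit_dockerfile "$SAMPLE_DOCKERFILE_UNGUARDED"; then :; else echo "unguarded sample: rejected"; fi
echo "world-writable paths in the compat layout:"
world_writable_paths "$SAMPLE_STAT_COMPAT" || true
```

The two static checks encode the property the Summary states: relaxation happens only under the compat flag, so a default-0 ARG plus a guarded RUN keep Linux/Docker images strict. The stat parser is the runtime counterpart: run against a default build it should print nothing, and run against a NEMOCLAW_DARWIN_VM_COMPAT=1 build it should list exactly the paths the compat layer intentionally opened up.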
@github-actions

Contributor

E2E Advisor Recommendation

Required E2E: openshell-gateway-upgrade-e2e, rebuild-hermes-e2e, macos-e2e
Optional E2E: hermes-e2e, rebuild-hermes-stale-base-e2e, shields-config-e2e

Dispatch hint: openshell-gateway-upgrade-e2e,rebuild-hermes-e2e

Workflow run

Full advisor summary

Pi Semantic E2E Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • openshell-gateway-upgrade-e2e: This PR directly edits test/e2e/test-openshell-gateway-upgrade.sh (adds Hermes Dockerfile assertions inside exercise_macos_vm_rootfs_permission_regression). The test must run to validate the new assertions pass.
  • rebuild-hermes-e2e: agents/hermes/Dockerfile is modified. rebuild-hermes-e2e exercises a full Hermes sandbox image rebuild plus upgrade flow, the closest end-to-end coverage that the new ARG/RUN does not regress Hermes image construction or startup.
  • macos-e2e: The new code path is Darwin-only (NEMOCLAW_DARWIN_VM_COMPAT=1 is patched in by onboard.ts when process.platform === 'darwin'). macos-e2e is the only job that exercises the Hermes/OpenClaw build through the macOS VM driver where the chmod a+rwX branch actually executes.

Optional E2E

  • hermes-e2e: General Hermes sandbox happy-path; useful confidence that the modified Dockerfile still produces a working Hermes agent with default (Linux) permissions when DARWIN_VM_COMPAT=0.
  • rebuild-hermes-stale-base-e2e: Extra coverage that a stale cached Hermes base image is correctly refreshed before the new conditional Dockerfile layer is applied during rebuild.
  • shields-config-e2e: Hermes Dockerfile changes touch /sandbox/.hermes permissions and the runtime symlink layout near the config-hash pinning. shields-config-e2e validates immutability/integrity expectations on those files.

New E2E recommendations

  • darwin-vm-hermes-runtime (medium): Existing macOS E2E exercises the OpenClaw Darwin VM compat path via test-full-e2e.sh, but there is no dedicated test that boots a Hermes sandbox under the OpenShell macOS VM driver and asserts /sandbox/.hermes ends up usable when the host VM remaps rootfs ownership. Static greps in test-openshell-gateway-upgrade.sh only verify the Dockerfile text, not runtime behavior.
    • Suggested test: test/e2e/test-hermes-darwin-vm-compat.sh: build the Hermes image with NEMOCLAW_DARWIN_VM_COMPAT=1, simulate the macOS VM uid/gid remap on /sandbox/.hermes, then start the Hermes agent and assert config.yaml/.env are readable, runtime/ symlinks resolve, and the gateway can write to /sandbox/.hermes/runtime as the gateway user.

Dispatch hint

  • Workflow: nightly-e2e.yaml
  • jobs input: openshell-gateway-upgrade-e2e,rebuild-hermes-e2e

coderabbitai Bot commented May 13, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 383d53fc-4276-4408-bea9-8e414c2bdea1

📥 Commits

Reviewing files that changed from the base of the PR and between e6077ca and 84e5cb7.

📒 Files selected for processing (2)
  • agents/hermes/Dockerfile
  • test/e2e/test-openshell-gateway-upgrade.sh

📝 Walkthrough

Walkthrough

The PR adds macOS VM sandbox compatibility to the Hermes Dockerfile by introducing a conditional build argument and permission-relaxation step that accommodates OpenShell macOS VM backend ownership remapping. An e2e test is updated to validate the new Dockerfile behavior.

Changes

macOS VM Compatibility

  • Hermes Dockerfile Darwin VM compatibility (agents/hermes/Dockerfile): build argument NEMOCLAW_DARWIN_VM_COMPAT defaults to 0; when set to 1, a conditional RUN block uses chmod and find to relax permissions on /sandbox/.hermes, /sandbox/.bashrc, and /sandbox/.profile to support OpenShell macOS VM backend ownership remapping.
  • E2E test validation for Hermes Darwin VM compatibility (test/e2e/test-openshell-gateway-upgrade.sh): test assertions are extended to verify the Hermes Dockerfile includes the NEMOCLAW_DARWIN_VM_COMPAT=0 ARG, permission relaxation under /sandbox/.hermes, and permission repairs on shell rc files (.bashrc, .profile).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#3438: Adjusts the expected patched ARG injection via Dockerfile patching logic to align with the NEMOCLAW_DARWIN_VM_COMPAT ARG introduced here and tested in the extended e2e assertions.

Suggested labels

fix, E2E, OpenShell

Poem

🐰 A rabbit hops through Darwin's gate,
Where permissions need relax and wait,
With chmod's touch and find's gentle scan,
macOS VM compatibility—that's the plan!
The Dockerfile now knows the way,
To keep those sandboxes safe and gay! 🎩✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix(hermes): enable macOS VM rootfs compat' directly and clearly summarizes the main change—adding macOS VM rootfs compatibility to Hermes with a conditional build argument.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@ericksoa ericksoa merged commit c517d62 into main May 13, 2026
29 checks passed
@ericksoa ericksoa deleted the fix/hermes-darwin-vm-rootfs-compat branch May 13, 2026 06:59
@wscurran wscurran added the bug-fix PR fixes a bug or regression label Jun 8, 2026