
chore: upgrade Hermes to v2026.5.16#3831

Closed: ericksoa wants to merge 2 commits into main from upgrade/hermes-2026.5.16


@ericksoa ericksoa commented May 19, 2026

Contributor

Summary

  • upgrade Hermes Agent from v2026.4.23 / semver 0.11.0 to v2026.5.16 / semver 0.14.0
  • update the pinned upstream tarball SHA-256 and Hermes manifest expected version
  • bump the generated Hermes config schema version to 23
  • precreate new upstream HERMES_HOME directories: logs/curator, hooks, image_cache, and audio_cache
  • preserve user-installed Hermes hooks across rebuilds via manifest state_dirs

Validation

  • git diff --check
  • npm ci --ignore-scripts
  • npx vitest run test/hermes.test.ts test/nemohermes-alias.test.ts test/rebuild-credential-preflight.test.ts test/rebuild-credential-hydration.test.ts test/sandbox-provisioning.test.ts
  • npm run validate:configs
  • npm run source-shape:check
  • npm run typecheck:cli
  • npx vitest run src/lib/agent/defs.test.ts src/lib/agent/base-image.test.ts src/lib/sandbox/version.test.ts test/validate-config-schemas.test.ts
  • npm run build:cli
  • uv sync --frozen --no-dev --extra messaging --extra web --no-cache (in unpacked upstream Hermes v2026.5.16 source)
  • npm ci --prefer-offline --no-audit --no-fund --ignore-scripts (in unpacked upstream Hermes v2026.5.16 source)
  • .venv/bin/hermes --version (reported Hermes Agent v0.14.0 / 2026.5.16)

Summary by CodeRabbit

  • Chores

    • Updated Hermes Agent to v2026.5.16 and bumped generated config version.
  • New Features

    • Added persistent gateway hooks directory and new runtime cache directories for image, audio, and curator logs.
    • Ensured these runtime directories receive correct writable permissions for the sandbox.
  • Tests

    • Expanded unit and E2E tests to verify config version, directory permissions, and hooks persistence across rebuilds.


coderabbitai Bot commented May 19, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ceb882b5-313c-4a0f-aefc-71531621d37b

📥 Commits

Reviewing files that changed from the base of the PR and between fd5bcbe and d689156.

📒 Files selected for processing (3)
  • agents/hermes/manifest.yaml
  • test/e2e/test-rebuild-hermes.sh
  • test/sandbox-provisioning.test.ts

📝 Walkthrough


This PR upgrades the Hermes agent to v2026.5.16, adds sandbox runtime subdirectories (logs/curator, hooks, image_cache, audio_cache) across Docker images, bumps emitted config _config_version to 23, updates the manifest to preserve hooks, and extends unit and E2E tests to verify permissions and rebuild persistence.

Changes

Hermes Agent Version and Runtime Update

  • Version pinning and manifest declaration
    • File(s): agents/hermes/Dockerfile.base, agents/hermes/manifest.yaml, agents/hermes/config/hermes-config.ts
    • Summary: Hermes pinned to v2026.5.16 (tarball SHA updated). Manifest expected_version updated and state_dirs extended with hooks. Inline config comment updated to reference the new Hermes version.
  • Runtime directory creation & permissions
    • File(s): agents/hermes/Dockerfile, agents/hermes/Dockerfile.base
    • Summary: Both Dockerfiles create /sandbox/.hermes subdirectories: logs/curator, hooks, image_cache, audio_cache. Permission-setting chmod 770 blocks are extended to include these directories.
  • Config schema bump and unit test
    • File(s): agents/hermes/config/hermes-config.ts, test/generate-hermes-config.test.ts
    • Summary: buildHermesConfig now emits _config_version: 23. The API-server config unit test asserts the new config version.
  • Sandbox provisioning & rebuild E2E updates
    • File(s): test/sandbox-provisioning.test.ts, test/e2e/test-rebuild-hermes.sh
    • Summary: Sandbox provisioning test expands the set of .hermes subdirectories whose permissions are verified. E2E rebuild test adds a hooks marker file write/read and verifies it survives rebuild.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#3442: Modifies /sandbox/.hermes permission logic in Dockerfile and relates to the same chmod/permissions area.

Suggested labels

Integration: Hermes, v0.0.46

Suggested reviewers

  • cv

Poem

🐰 I hopped through Hermes' sandbox den,
New hooks and caches sprouted again.
Version bumped and markers write,
Permissions set so things run right —
Rebuilds keep hooks safe — hop, hop, grin! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage
    • Status: ⚠️ Warning
    • Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
    • Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check
    • Status: ✅ Passed
    • Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check
    • Status: ✅ Passed
    • Explanation: The PR title 'chore: upgrade Hermes to v2026.5.16' directly and accurately describes the primary change—upgrading the Hermes agent from v2026.4.23 to v2026.5.16, which is the main objective of the changeset.
  • Linked Issues check
    • Status: ✅ Passed
    • Explanation: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check
    • Status: ✅ Passed
    • Explanation: Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.



github-actions Bot commented May 19, 2026

Contributor

E2E Advisor Recommendation

Required E2E: hermes-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e
Optional E2E: hermes-discord-e2e, hermes-inference-switch-e2e

Dispatch hint: hermes-e2e,rebuild-hermes-e2e,rebuild-hermes-stale-base-e2e

Auto-dispatched E2E: hermes-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e via nightly-e2e.yaml at d68915673c58240a5e050370e02a7280c98b77b0 (nightly run)


Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • hermes-e2e (high (~60 min timeout; live NVIDIA API and Docker/OpenShell)): Runs the primary Hermes user journey: install from source, onboard with --agent hermes, verify the Hermes health probe, and perform live inference. This is required because the PR bumps the Hermes runtime version and config schema and changes the shipped image layout.
  • rebuild-hermes-e2e (high (~60 min timeout; builds Hermes images and uses live NVIDIA API)): Directly validates the touched rebuild path: old Hermes sandbox creation, current image rebuild, state restore, version upgrade to manifest expected_version, Discord placeholder preservation, credential leak checks, and the newly added hooks state marker preservation.
  • rebuild-hermes-stale-base-e2e (high (~60 min timeout; builds Hermes images and exercises stale-base upgrade mode)): Required for this Hermes base-image version bump because it verifies that rebuild refreshes a stale cached ghcr.io/nvidia/nemoclaw/hermes-sandbox-base:latest before recreating the sandbox, preventing users from remaining on the old Hermes base after upgrade.

Optional E2E

  • hermes-discord-e2e (high (~60 min timeout; Docker/OpenShell with fake Discord token and live NVIDIA key)): Useful adjacent coverage because the Hermes config generator and rebuild test preserve Discord placeholder/top-level schema behavior, while the underlying Hermes version changed. Not merge-blocking unless reviewers are specifically concerned about messaging regressions.
  • hermes-inference-switch-e2e (high (~60 min timeout; live NVIDIA API and Docker/OpenShell)): Useful confidence for config hashing and config.yaml mutation after the Hermes config version bump, but no inference-switch implementation or route-selection code is directly changed.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: nightly-e2e.yaml
  • jobs input: hermes-e2e,rebuild-hermes-e2e,rebuild-hermes-stale-base-e2e

@github-actions

Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 26126965610
Target ref: fd5bcbe11c4e47a0e4b394386b3930450abe62a5
Workflow ref: main
Requested jobs: hermes-e2e,rebuild-hermes-e2e,rebuild-hermes-stale-base-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job Result
hermes-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 26126903658
Target ref: upgrade/hermes-2026.5.16
Workflow ref: upgrade/hermes-2026.5.16
Requested jobs: all (no filter)
Summary: 42 passed, 1 failed, 2 skipped

Job Result
bedrock-runtime-compatible-anthropic-e2e ✅ success
brave-search-e2e ✅ success
channels-stop-start-e2e ❌ failure
cloud-e2e ✅ success
cloud-inference-e2e ✅ success
cloud-onboard-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ✅ success
device-auth-health-e2e ✅ success
diagnostics-e2e ✅ success
docs-validation-e2e ✅ success
double-onboard-e2e ✅ success
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
hermes-discord-e2e ✅ success
hermes-e2e ✅ success
hermes-inference-switch-e2e ✅ success
hermes-slack-e2e ✅ success
inference-routing-e2e ✅ success
issue-2478-crash-loop-recovery-e2e ✅ success
kimi-inference-compat-e2e ✅ success
launchable-smoke-e2e ✅ success
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ✅ success
network-policy-e2e ✅ success
onboard-repair-e2e ✅ success
onboard-resume-e2e ✅ success
openclaw-inference-switch-e2e ✅ success
openclaw-slack-pairing-e2e ✅ success
openshell-gateway-upgrade-e2e ✅ success
overlayfs-autofix-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success
rebuild-openclaw-e2e ✅ success
runtime-overrides-e2e ✅ success
sandbox-operations-e2e ✅ success
sandbox-survival-e2e ✅ success
shields-config-e2e ✅ success
skill-agent-e2e ✅ success
snapshot-commands-e2e ✅ success
state-backup-restore-e2e ✅ success
telegram-injection-e2e ✅ success
token-rotation-e2e ✅ success
tunnel-lifecycle-e2e ✅ success
upgrade-stale-sandbox-e2e ✅ success

Failed jobs: channels-stop-start-e2e. Check run artifacts for logs.

@github-actions

Contributor

PR Review Advisor

Recommendation: info only
Confidence: low
Analyzed HEAD: d68915673c58240a5e050370e02a7280c98b77b0
Findings: 0 blocker(s), 1 warning(s), 0 suggestion(s)

This is an automated advisory review. A human maintainer must make the final merge decision.

Limitations: Advisor execution failed: Could not configure advisor model openai/openai/gpt-5.5


Full advisor summary

PR Review Advisor

Base: origin/main
Head: HEAD
Analyzed SHA: d68915673c58240a5e050370e02a7280c98b77b0
Recommendation: info only
Confidence: low

PR review advisor failed: Could not configure advisor model openai/openai/gpt-5.5

Gate status

  • CI: pending — 12 status context(s) appear pending.
  • Mergeability: fail — mergeStateStatus=BLOCKED
  • Review threads: unknown — No review thread state was available.
  • Risky code tested: pass — No risky code areas detected by path heuristics.

🔴 Blockers

  • None.

🟡 Warnings

  • PR review advisor unavailable: The automated advisor could not complete: Could not configure advisor model openai/openai/gpt-5.5
    • Recommendation: Re-run the PR Review Advisor or perform a manual review.
    • Evidence: Could not configure advisor model openai/openai/gpt-5.5

🔵 Suggestions

  • None.

Acceptance coverage

  • No linked acceptance clauses were analyzed.

Security review

  • warning — Secrets and Credentials: Advisor unavailable; human review required.
  • warning — Input Validation and Data Sanitization: Advisor unavailable; human review required.
  • warning — Authentication and Authorization: Advisor unavailable; human review required.
  • warning — Dependencies and Third-Party Libraries: Advisor unavailable; human review required.
  • warning — Error Handling and Logging: Advisor unavailable; human review required.
  • warning — Cryptography and Data Protection: Advisor unavailable; human review required.
  • warning — Configuration and Security Headers: Advisor unavailable; human review required.
  • warning — Security Testing: Advisor unavailable; human review required.
  • warning — Holistic Security Posture: Advisor unavailable; human review required.

Test / E2E status

  • Test depth: e2e_required — Runtime/sandbox/infrastructure paths need real execution coverage: agents/hermes/Dockerfile, agents/hermes/Dockerfile.base, agents/hermes/config/hermes-config.ts, agents/hermes/manifest.yaml.
  • E2E Advisor: not_found (not found)

✅ What looks good

  • No positives were identified by the advisor.

Review completeness

  • Advisor execution failed: Could not configure advisor model openai/openai/gpt-5.5
  • Human maintainer review required: yes

@github-actions

Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 26170218281
Target ref: d68915673c58240a5e050370e02a7280c98b77b0
Workflow ref: main
Requested jobs: hermes-e2e,rebuild-hermes-e2e,rebuild-hermes-stale-base-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job Result
hermes-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success


Labels

  • chore (Build, CI, dependency, or tooling maintenance)
  • integration: hermes (Hermes integration behavior)
