fix(hermes): route Anthropic messages through managed inference

[chengjiew]

Summary

• allow Hermes managed inference policy to POST to /v1/messages for Anthropic Messages API providers
• pass NEMOCLAW_INFERENCE_API into Hermes sandbox config generation and map Anthropic/OpenAI Responses API modes for Hermes
• install Hermes native anthropic extra in the base image and add regression tests for the policy/config/provisioning path

Fixes #4230

Validation

• npm run build:cli
• ./node_modules/.bin/vitest run src/lib/onboard/dockerfile-patch.test.ts test/generate-hermes-config.test.ts test/sandbox-provisioning.test.ts test/validate-blueprint.test.ts test/validate-config-schemas.test.ts
• npm run validate:configs
• git diff --check origin/main

E2E evidence

• Linux old-policy Hermes sandbox reproduced 403 connection not allowed by policy for Anthropic-compatible routing.
• Linux fixed clean sandbox generated api_mode: anthropic_messages, imported anthropic==0.87.0, and the fake Anthropic server observed POST /v1/messages from Hermes without the policy 403.

Signed-off-by: Chengjie Wang chengjiew@nvidia.com

Summary by CodeRabbit

• New Features

  • Added support for Anthropic Messages as an inference backend and dynamic routing of inference requests based on deployment settings.

• Configuration

  • Inference API can now be specified at build/runtime; base image now includes Anthropic extras and policies now allow POST /v1/messages and POST /v1/responses for managed inference.

• Tests

  • Added regression, routing, sandbox provisioning, and validation tests, including a failure case for unsupported inference API values.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8dd6b3ea-f82e-4f47-808a-7bec59622f79

📥 Commits

Reviewing files that changed from the base of the PR and between a934490 and a0d7dd1.

📒 Files selected for processing (5)

• agents/hermes/Dockerfile.base
• agents/hermes/config/hermes-config.ts
• agents/hermes/policy-additions.yaml
• test/generate-hermes-config.test.ts
• test/validate-blueprint.test.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• agents/hermes/Dockerfile.base
• test/generate-hermes-config.test.ts
• test/validate-blueprint.test.ts
• agents/hermes/policy-additions.yaml

---

📝 Walkthrough

Walkthrough

Adds Anthropic Messages support to Hermes: accepts NEMOCLAW_INFERENCE_API at build time and exposes it at runtime, installs the anthropic uv extra, maps inference API types to Hermes api_mode in config generation, and allows POST /v1/messages in the managed_inference network policy. Tests added for Docker, config, and policy.

Changes

Anthropic Messages API Integration

Layer / File(s)	Summary
Docker build configuration and dependencies agents/hermes/Dockerfile, agents/hermes/Dockerfile.base, test/sandbox-provisioning.test.ts	Adds ARG NEMOCLAW_INFERENCE_API and propagates it via ENV; adds anthropic to HERMES_UV_EXTRAS default; tests verify Dockerfile/base values are present.
Config generation and API mode routing agents/hermes/config/hermes-config.ts, test/generate-hermes-config.test.ts	Adds local hermesApiMode() helper and refactors buildHermesConfig to build modelConfig and conditionally set model.api_mode from settings.inferenceApi; tests assert anthropic_messages and codex_responses mappings and error on unsupported values.
Network policy and validation agents/hermes/policy-additions.yaml, test/validate-blueprint.test.ts	Adds POST /v1/messages and POST /v1/responses allow rules to managed_inference policy and test fixtures/assertions validating the ordered rules and endpoint fields for the Hermes sandbox policy.

Sequence Diagram(s)

sequenceDiagram
  participant User as User/Client
  participant Hermes as Hermes runtime
  participant ConfigGen as config generator
  participant InferenceGW as inference.local (gateway)

  User->>Hermes: send message
  Hermes->>ConfigGen: read model config (NEMOCLAW_INFERENCE_API / api_mode)
  Hermes->>InferenceGW: POST /v1/messages or POST /v1/chat/completions (per api_mode)
  InferenceGW->>Hermes: model response
  Hermes->>User: deliver response

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• nemoclaw inference set breaks Hermes sandboxes for Anthropic providers (Hermes sync drops the anthropic-messages wire mode) #4746 — The change to set model.api_mode from an inference API flag and propagate NEMOCLAW_INFERENCE_API appears to address the issue of Hermes omitting api_mode for Anthropic wire formats.

Possibly related PRs

• NVIDIA/NemoClaw#4718 — Modifies the same Hermes config path; both PRs update model config handling and related defaults.

Suggested labels

Provider: Anthropic

Suggested reviewers

• cv
• cjagwani

Poem

🐰 I hop with joy, configs aligned,
Build args threaded, rules defined,
Anthropic paths no longer barred,
Messages travel fast and hard,
A tiny rabbit's cheer — no 403 mind!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and specifically describes the primary change: enabling Anthropic messages routing through managed inference policy by fixing the /v1/messages policy path.
Linked Issues check	✅ Passed	All coding requirements from #4230 are met: policy allows /v1/messages, NEMOCLAW_INFERENCE_API is passed to Hermes config, api_mode mapping supports Anthropic and OpenAI Responses, anthropic extra is installed, and regression tests validate the full path.
Out of Scope Changes check	✅ Passed	All changes directly support #4230 objectives: policy fixes, config mapping, provisioning, and comprehensive regression tests are all in-scope for the Anthropic messages routing fix.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/4230_hermes_anthropic_messages_policy

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-advisor-raw-output.txt

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-scenario-advisor-raw-output.txt

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Top item: PR review advisor unavailable

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• PR review advisor unavailable: The automated advisor could not complete: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor/pr-review-advisor-raw-output.txt
  • Recommendation: Re-run the PR Review Advisor or perform a manual review.
  • Evidence: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor/pr-review-advisor-raw-output.txt

🌱 Nice ideas

• None.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.