fix(policy): scope Hermes messaging policies

[sandl99]

Summary

This PR scopes Hermes messaging policy so selected channels are applied without pre-enabling every Hermes messaging provider. It also makes dynamic preset application use Hermes-specific policy content, preventing Discord from falling back to generic Node-oriented allowlists on Hermes sandboxes.

Related Issue

Fixes #3981

Changes

• Filter inactive Hermes messaging policy entries from the create-time sandbox policy.
• Resolve built-in policy presets against the sandbox agent so Hermes can use Hermes-specific messaging entries.
• Record selected channel policies already present in the prepared base policy as applied presets.
• Clarify Hermes messaging entries as policy templates and add regression coverage for Discord-only Hermes policy behavior.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Additional checks run:

• npm run build:cli
• npm run typecheck:cli
• npx vitest run src/lib/onboard/initial-policy.test.ts test/policies.test.ts
• Git pre-commit hooks passed during git commit
• Git pre-push hooks passed during git push

---

Signed-off-by: San Dang sdang@nvidia.com

Summary by CodeRabbit

• New Features

  • Added agent-aware policy customization enabling the Hermes agent to intelligently filter messaging channel templates based on user selections during sandbox creation.

• Tests

  • Added test coverage validating agent-specific preset loading and Hermes Discord configuration handling with channel-scoped access rules.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR implements agent-aware policy filtering to fix Hermes sandbox privilege escalation: sandboxes configured for Discord were retaining inactive Telegram/Slack/WeChat egress policies, and generic preset application was using Node-oriented binary allowlists instead of Hermes-specific Python rules. The PR adds infrastructure for loading agent-filtered presets, filters Hermes base policy during sandbox creation, and wires filtered preset loading through all preset application and detection call sites.

Changes

Hermes messaging policy filtering and agent-aware preset loading

Layer / File(s)	Summary
Agent-aware preset loading infrastructure src/lib/policy/index.ts	Introduces loadPresetForSandbox helper and supporting functions to parse network_policies from preset YAML, identify agent-supported keys via policyAdditionsPath, and return agent-filtered or built-in preset content based on sandbox agent identity.
Preset loading integration across call sites src/lib/policy/index.ts	Updates removePreset, applyPreset, applyPresets, and getGatewayPresets to resolve preset content via loadPresetForSandbox instead of directly loading built-in presets, enabling agent-aware filtering throughout the policy application pipeline.
Hermes messaging policy filtering setup src/lib/onboard/initial-policy.ts	Defines HERMES_MESSAGING_POLICY_KEYS constant mapping messaging channels to network policy keys, and implements isYamlObject type guard and filterHermesInactiveMessagingPolicies helper to remove inactive Hermes messaging entries from base policy YAML.
Hermes filtering integration into sandbox policy preparation src/lib/onboard/initial-policy.ts	Integrates Hermes filtering into prepareInitialSandboxCreatePolicy to detect agentName === "hermes", write filtered temporary policy, update base policy path, and de-duplicate applied presets across channel, create-time, and merged sources.
Sandbox creation entry point src/lib/onboard.ts	Extracts selected agent name and passes it as agentName option to prepareInitialSandboxCreatePolicy, triggering Hermes-specific filtering when a Hermes agent is selected.
Tests and documentation src/lib/onboard/initial-policy.test.ts, test/policies.test.ts, agents/hermes/policy-additions.yaml	Adds test cases verifying preset recording under active policies, Hermes-specific inactive policy filtering with cleanup, and Hermes-specific Discord preset application with Python binary allowlists. Updates policy documentation to explain template filtering behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3502: Reshapes applyPresets batching and preset reconciliation in the onboarding pipeline—directly connected to this PR's agent-aware preset-loading changes at the applyPresets call/apply flow level.
• NVIDIA/NemoClaw#3452: Calls policies.applyPreset when adding messaging channels to ensure the channel preset is applied before rebuild—affected by this PR's changes to preset loading in applyPreset.
• NVIDIA/NemoClaw#3512: Adds new Hermes WeChat-related network_policies presets that would be affected by this PR's agent-aware Hermes messaging policy filtering and loading logic.

Suggested labels

enhancement: policy

Suggested reviewers

• ericksoa
• cv

Poem

🐰 A Hermes sandbox hops with joy,
Discord-only, no Telegram toy!
Presets now know their agent's name,
Python paths light up the flame. 🔥
Least privilege reigns supreme!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main change: scoping Hermes messaging policies to prevent unwanted provider entries from being enabled in sandboxes.
Linked Issues check	✅ Passed	The PR comprehensively addresses all requirements from issue #3981: filters inactive Hermes messaging policies at creation time, implements agent-aware preset loading for Hermes-specific policy content, and includes test coverage for Discord-only Hermes behavior.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with issue #3981 objectives: policy filtering, agent-aware preset resolution, preset recording, and regression test coverage for Hermes messaging policies.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch u/sdang/fix-hermes-discord

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: hermes-discord-e2e, hermes-slack-e2e, network-policy-e2e
Optional E2E: messaging-providers-e2e, hermes-e2e

Dispatch hint: hermes-discord-e2e,hermes-slack-e2e,network-policy-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• hermes-discord-e2e (high): Directly exercises Hermes onboarding with Discord enabled, provider placeholder isolation, sandbox boot, and native Discord gateway/WebSocket policy rewrite; this is the highest-signal existing E2E for the changed Discord/Hermes create-time policy path.
• hermes-slack-e2e (high): Directly validates Hermes-specific Slack policy content, OpenShell providers, request-body credential rewrite, and Python/Hermes binary allowlisting; the PR changes both initial Slack create-time preset handling and agent-specific preset loading.
• network-policy-e2e (medium): Validates policy-add, dry-run, hot-reload, whitelist/deny behavior, and policy enforcement for built-in presets; src/lib/policy/index.ts changed core preset loading/application/removal behavior used by these flows.

Optional E2E

• messaging-providers-e2e (high): Useful broader confidence for Telegram/Discord/Slack provider attachment, placeholder isolation, L7 rewrite, and messaging egress behavior, though it primarily covers OpenClaw rather than Hermes-specific policy filtering.
• hermes-e2e (high): General Hermes install/onboard/health/live-inference smoke for regressions in Hermes sandbox creation caused by initial policy preparation, but it does not specifically validate per-channel messaging policy filtering.

New E2E recommendations

• Hermes inactive messaging policy filtering (high): Existing Hermes Discord/Slack E2Es validate active channel policy behavior but do not appear to assert that inactive Hermes messaging policy keys are absent from the loaded gateway policy after sandbox creation.
  • Suggested test: Add a Hermes messaging policy isolation E2E that onboards Hermes with only one messaging channel enabled, reads openshell policy get --full, and asserts the selected channel policy is present while telegram/discord/slack/wechat_bridge policies for unselected channels are absent.
• Agent-specific policy preset removal (medium): The PR changes removePreset to resolve agent-specific preset content, but existing E2E coverage mainly applies presets and does not explicitly verify removing a Hermes-specific preset deletes the correct agent policy keys without removing unrelated policies.
  • Suggested test: Add a Hermes policy-add/remove E2E that applies an agent-specific messaging preset to a Hermes sandbox, verifies the Hermes-specific network_policies keys and binary allowlist, removes it, and verifies only those keys were removed from the gateway policy and registry.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: hermes-discord-e2e,hermes-slack-e2e,network-policy-e2e

[github-actions]

PR Review Advisor

Recommendation: blocked
Confidence: medium
Analyzed HEAD: 1055ffa12394d03ae2dcf17ca98a650dc910609f
Findings: 3 blocker(s), 2 warning(s), 0 suggestion(s)

This is an automated advisory review. A human maintainer must make the final merge decision.

Limitations: Did not execute tests, package-manager commands, or PR scripts; review is based on trusted context, diff, and read-only repository inspection.; Git diff provided by the prompt was truncated in places; targeted files were inspected with read-only tools where needed.; No live GitHub workflow re-query was performed beyond the supplied trusted status context.; No E2E Advisor comment content was available; E2E recommendation check was still in progress.

Workflow run

Full advisor summary

PR Review Advisor

Base: origin/main
Head: HEAD
Analyzed SHA: 1055ffa12394d03ae2dcf17ca98a650dc910609f
Recommendation: blocked
Confidence: medium

Blocked by failing CI/merge state and missing completed E2E validation for sandbox policy behavior; the code direction appears least-privilege-positive but needs gates and budget/E2E closure.

Gate status

• CI: fail — Status rollup for head SHA 1055ffa shows onboard-entrypoint-budget completed with FAILURE; multiple other checks are still IN_PROGRESS.
• Mergeability: fail — GitHub GraphQL mergeStateStatus=BLOCKED and PR reviewDecision=REVIEW_REQUIRED.
• Review threads: pending — GraphQL reviewThreads.nodes is empty, but CodeRabbit status is PENDING and the CodeRabbit comment says review is in progress.
• Risky code tested: warning — Changed runtime/sandbox policy paths include agents/hermes/policy-additions.yaml, src/lib/onboard.ts, src/lib/onboard/initial-policy.ts, and src/lib/policy/index.ts. Unit tests were added, but E2E coverage is still required for live OpenShell policy behavior.

🔴 Blockers

• Required CI is failing for this head SHA: The PR cannot be considered merge-ready while the status rollup contains a failed check. The failing context is onboard-entrypoint-budget, and mergeStateStatus is BLOCKED.
  • Recommendation: Fix the failing budget/CI check and wait for all required checks to complete successfully on head SHA 1055ffa.
  • Evidence: GraphQL statusCheckRollup: onboard-entrypoint-budget status=COMPLETED conclusion=FAILURE; mergeStateStatus=BLOCKED.
• Policy monolith grew past the large-file budget (src/lib/policy/index.ts:73): src/lib/policy/index.ts is already a large hotspot and grew by 86 lines in this PR. The gathered monolith delta marks this as a blocker, and the CI budget check is failing.
  • Recommendation: Extract the new agent-specific preset resolution helpers into a focused module or otherwise offset the growth before merge.
  • Evidence: Trusted monolith delta: src/lib/policy/index.ts baseLines=1114 headLines=1200 delta=86 severity=blocker; onboard-entrypoint-budget failed.
• E2E validation is required but not completed for sandbox policy changes: This PR changes create-time and runtime OpenShell policy behavior for Hermes sandboxes. Unit tests exercise YAML transformations and mocked policy application, but they cannot prove live sandbox rebuild, gateway policy loading, credential rewrite, or real egress denial/allow behavior.
  • Recommendation: Wait for the E2E Advisor recommendation and required E2E jobs, then confirm the required jobs pass for this exact head SHA. At minimum, cover Hermes Discord-only sandbox creation/rebuild and dynamic policy-add discord behavior in a live sandbox.
  • Evidence: E2E recommendation, wsl-e2e, and macos-e2e are IN_PROGRESS in the status rollup; no E2E Advisor comments were found; trusted testDepth verdict is e2e_required.

🟡 Warnings

• High overlap with active onboarding and policy PRs (src/lib/onboard.ts:5265): The changed files still exist and the patch targets active code, but there are many open PR overlaps on src/lib/onboard.ts plus overlaps on src/lib/policy/index.ts and test/policies.test.ts. This increases rebase and behavior-drift risk in onboarding/host glue.
  • Recommendation: Coordinate with overlapping PR owners and rebase/refresh semantic tests after nearby onboarding and policy work lands.
  • Evidence: Open PR overlaps include chore: upgrade agent runtime dependencies #3925 on src/lib/onboard.ts, src/lib/policy/index.ts, test/policies.test.ts; fix(onboard): preserve slack messaging policy #3862 on src/lib/onboard.ts and src/lib/onboard/initial-policy.ts; and many other active onboard.ts refactor/fix PRs.
• Default/OpenClaw generic Discord behavior lacks an explicit regression test (test/policies.test.ts:457): The implementation appears to fall back to built-in preset content when a sandbox has no agent, which should preserve OpenClaw/default behavior, but the new regression coverage focuses on Hermes-specific Discord application. The linked issue explicitly requires default/OpenClaw to continue using the generic Discord preset.
  • Recommendation: Add a regression test that applies discord to a non-agent or OpenClaw sandbox and asserts the generic preset is used, including generic Node binary allowlists and non-Hermes content.
  • Evidence: New test covers 'uses agent-specific preset content for Hermes Discord'; loadAgentPresetContent returns null when sandbox?.agent is absent, causing loadPresetForSandbox to fall back to builtin content, but no explicit negative/default test is shown in the diff.

🔵 Suggestions

• None.

Acceptance coverage

• partial — Creating or rebuilding a Hermes sandbox with only Discord enabled results in live policy containing Discord messaging egress but not Telegram, Slack, or WeChat messaging egress.: src/lib/onboard/initial-policy.ts filters HERMES_MESSAGING_POLICY_KEYS for inactive channels when options.agentName === "hermes"; src/lib/onboard/initial-policy.test.ts adds 'filters inactive Hermes messaging policies from the create-time policy' asserting pypi and discord remain while telegram/slack/wechat_bridge are removed. Live create/rebuild E2E evidence is still missing.
• met — Applying discord to a Hermes sandbox uses Hermes-specific Discord rules and Python binary allowlists.: src/lib/policy/index.ts loadPresetForSandbox/loadAgentPresetContent resolves preset content from the sandbox agent policy additions; test/policies.test.ts adds 'uses agent-specific preset content for Hermes Discord' and asserts /usr/bin/python3*, /opt/hermes/.venv/bin/python, and Hermes Discord mutation rules are present.
• partial — Applying discord to a default/OpenClaw sandbox still uses the generic Discord preset.: Code path falls back to builtin preset content when registry.getSandbox(sandboxName) has no agent, but the diff does not add an explicit default/OpenClaw regression test. Existing generic applyPresets test covers npm+pypi only, not discord.
• partial — Existing policy preset registry behavior remains unchanged.: Existing applyPresets test still asserts registry.policies becomes ["npm", "pypi"], and the Hermes Discord test asserts registry.policies becomes ["discord"]. However getGatewayPresets/removePreset now resolve agent-specific content, and no live gateway/registry E2E evidence is available yet.

Security review

• pass — Category 1: Secrets and Credentials: No hardcoded secrets, tokens, PEMs, or credential files are introduced. Messaging credential handling remains provider/placeholder based, and tests use temp files only.
• pass — Category 2: Input Validation and Data Sanitization: Preset names continue to flow through loadPreset path traversal checks, sandbox names are validated before policy mutation in applyPresets/applyPresetContent/removePreset, and YAML parsing uses the yaml library rather than eval/unsafe deserialization. Agent policy key selection is based on exact keys/names from trusted in-repo agent definitions.
• pass — Category 3: Authentication and Authorization: No new authenticated endpoints or token validation paths are added. The change affects local CLI policy preparation/application for already registered sandboxes.
• pass — Category 4: Dependencies and Third-Party Libraries: No new dependencies or registry sources are added.
• pass — Category 5: Error Handling and Logging: The change does not log secrets. Existing endpoint disclosure logging remains host-only. New helper failures fall back to builtin preset content rather than crashing, though maintainers may want observability for debugging.
• pass — Category 6: Cryptography and Data Protection: Not applicable — no cryptographic operations are added or modified.
• pass — Category 7: Configuration and Security Headers: The policy configuration change narrows Hermes create-time messaging egress by removing inactive channel policies and routes Hermes dynamic presets to agent-specific allowlists. No new container image, port exposure, CORS, or HTTP header configuration is introduced.
• warning — Category 8: Security Testing: Unit tests cover the key YAML filtering and Hermes Discord preset selection, but live OpenShell sandbox policy behavior, rebuild behavior, gateway enforcement, and egress denial/allow behavior remain unproven until E2E jobs pass.
• warning — Category 9: Holistic Security Posture: The intended posture is least-privilege-positive, reducing inactive Hermes messaging egress. However the PR touches sandbox policy/onboarding glue, CI is failing, E2E is incomplete, and there are many overlapping active onboarding PRs, so merge readiness is not established.

Test / E2E status

• Test depth: e2e_required — Runtime/sandbox/infrastructure paths need real execution coverage: agents/hermes/policy-additions.yaml, src/lib/onboard.ts, src/lib/onboard/initial-policy.ts, and src/lib/policy/index.ts. Added unit tests are useful but cannot prove live OpenShell policy enforcement or rebuild behavior.
• E2E Advisor: missing
• Required E2E jobs: wsl-e2e, macos-e2e
• Missing for analyzed SHA: E2E recommendation, wsl-e2e, macos-e2e

✅ What looks good

• The patch addresses a least-privilege issue by filtering inactive Hermes messaging policy templates at create time.
• Hermes dynamic preset application now has a code path to use agent-specific policy content rather than generic Node-oriented presets.
• Regression tests were added for inactive Hermes messaging policy filtering and Hermes Discord Python allowlists.
• Existing secure temp file mode 0o600 is used for generated policy files, and cleanup hooks are maintained.

Review completeness

• Did not execute tests, package-manager commands, or PR scripts; review is based on trusted context, diff, and read-only repository inspection.
• Git diff provided by the prompt was truncated in places; targeted files were inspected with read-only tools where needed.
• No live GitHub workflow re-query was performed beyond the supplied trusted status context.
• No E2E Advisor comment content was available; E2E recommendation check was still in progress.
• Human maintainer review required: yes

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/lib/onboard.ts (1)

5257-5265: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

CI line-budget gate is blocking this PR

Line 5264 introduced a net +1 line in src/lib/onboard.ts, and onboard-entrypoint-budget is failing. Please keep this file net-neutral so CI can pass.

Possible net-neutral tweak

-      additionalPresets: hermesToolGateways,
-      agentName: agent?.name || null,
+      additionalPresets: hermesToolGateways, agentName: agent?.name || null,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 5257 - 5265, The new parameter line
"agentName: agent?.name || null," added to the options object passed to
prepareInitialSandboxCreatePolicy caused a +1 net line; make the change
net-neutral by moving that key onto the previous line (or combining it with
another property) so the object stays the same but total lines do not increase.
Edit the call site where initialSandboxPolicy is created (the
prepareInitialSandboxCreatePolicy invocation) and merge "agentName: agent?.name
|| null" into the same line as "additionalPresets: hermesToolGateways," (or
another neighbouring property) so the object contents are unchanged but the file
line count remains neutral.

🧹 Nitpick comments (1)

src/lib/onboard/initial-policy.ts (1)

262-264: 💤 Low value

Consider using HERMES_MESSAGING_POLICY_KEYS for consistent channel-to-key mapping.

The lookup checks if the channel name exists directly as a policy key, but HERMES_MESSAGING_POLICY_KEYS shows wechat maps to wechat_bridge. This means the wechat channel won't be detected in existingChannelPresets even when its policy is present.

Since wechat isn't in CREATE_TIME_POLICY_PRESETS_BY_CHANNEL, this likely has no functional impact currently—just incomplete appliedPresets metadata if wechat support is later added to create-time presets.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/initial-policy.ts` around lines 262 - 264,
existingChannelPresets currently checks activeMessagingChannels against
basePolicyNames directly, which misses channels like "wechat" that map to a
different policy key; update the filter to map each channel via
HERMES_MESSAGING_POLICY_KEYS (falling back to the channel name if no mapping)
before checking basePolicyNames so channels with alias keys (e.g., wechat ->
wechat_bridge) are detected; ensure this change is applied where
existingChannelPresets is computed and that
appliedPresets/CREATE_TIME_POLICY_PRESETS_BY_CHANNEL logic continues to use the
mapped key for lookups.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/lib/onboard.ts`:
- Around line 5257-5265: The new parameter line "agentName: agent?.name ||
null," added to the options object passed to prepareInitialSandboxCreatePolicy
caused a +1 net line; make the change net-neutral by moving that key onto the
previous line (or combining it with another property) so the object stays the
same but total lines do not increase. Edit the call site where
initialSandboxPolicy is created (the prepareInitialSandboxCreatePolicy
invocation) and merge "agentName: agent?.name || null" into the same line as
"additionalPresets: hermesToolGateways," (or another neighbouring property) so
the object contents are unchanged but the file line count remains neutral.

---

Nitpick comments:
In `@src/lib/onboard/initial-policy.ts`:
- Around line 262-264: existingChannelPresets currently checks
activeMessagingChannels against basePolicyNames directly, which misses channels
like "wechat" that map to a different policy key; update the filter to map each
channel via HERMES_MESSAGING_POLICY_KEYS (falling back to the channel name if no
mapping) before checking basePolicyNames so channels with alias keys (e.g.,
wechat -> wechat_bridge) are detected; ensure this change is applied where
existingChannelPresets is computed and that
appliedPresets/CREATE_TIME_POLICY_PRESETS_BY_CHANNEL logic continues to use the
mapped key for lookups.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 036d70c6-2e6c-4049-99ab-eb935110dd35

📥 Commits

Reviewing files that changed from the base of the PR and between 18c7265 and 1055ffa.

📒 Files selected for processing (6)

• agents/hermes/policy-additions.yaml
• src/lib/onboard.ts
• src/lib/onboard/initial-policy.test.ts
• src/lib/onboard/initial-policy.ts
• src/lib/policy/index.ts
• test/policies.test.ts