fix(hermes): use OpenAI frontend for custom Anthropic#6335
Conversation
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Co-authored-by: Chengjie Wang <chengjiew@nvidia.com> Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
|
Authorship and contributor credit:
Thank you all for the original diagnosis and investigation that informed this fix. |
📝 WalkthroughWalkthroughAdds Hermes-specific inference routing for compatible Anthropic endpoints to use the managed OpenAI frontend, then threads that behavior through inference-set, onboarding, rebuild/resume, sandbox resume drift detection, docs, and end-to-end tests. ChangesHermes Anthropic-compatible route mapping
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant Operator
participant runInferenceSetWithoutHostLock
participant resolveAgentInferenceApi
participant OpenShell
participant Registry
Operator->>runInferenceSetWithoutHostLock: set inference for Hermes compatible-anthropic-endpoint
runInferenceSetWithoutHostLock->>runInferenceSetWithoutHostLock: reject explicit non-openai-completions requests
runInferenceSetWithoutHostLock->>OpenShell: provider get / verify binding
OpenShell-->>runInferenceSetWithoutHostLock: gateway metadata
runInferenceSetWithoutHostLock->>resolveAgentInferenceApi: resolve preferredInferenceApi
resolveAgentInferenceApi-->>runInferenceSetWithoutHostLock: openai-completions
runInferenceSetWithoutHostLock->>Registry: persist updated preferredInferenceApi
sequenceDiagram
participant sandbox.ts
participant hasHermesCompatibleAnthropicInferenceRouteDrift
participant decideSandboxResume
participant Sandbox
sandbox.ts->>hasHermesCompatibleAnthropicInferenceRouteDrift: compare registryEntry and requested route
hasHermesCompatibleAnthropicInferenceRouteDrift-->>sandbox.ts: inferenceRouteConfigChanged
sandbox.ts->>decideSandboxResume: signals include inferenceRouteConfigChanged
decideSandboxResume-->>sandbox.ts: recreate sandbox
Sandbox-->>sandbox.ts: resume uses recreated sandbox path
Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
src/lib/actions/inference-set.ts (1)
712-739: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueRedundant double
resolveAgentInferenceApiapplication.The fallback branch (
explicitPreferredInferenceApi ?? resolveRuntimeInferenceApi(...)) is wrapped again inresolveAgentInferenceApi, butresolveRuntimeInferenceApialready applies the same resolver internally at its start. This is idempotent so no functional bug, just a redundant call.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/actions/inference-set.ts` around lines 712 - 739, Remove the redundant outer resolveAgentInferenceApi call in inference-set’s preferredInferenceApi assignment: resolveRuntimeInferenceApi already normalizes the fallback path internally, so keep resolveAgentInferenceApi only where needed for the registry update and use the explicitPreferredInferenceApi ?? resolveRuntimeInferenceApi(...) result directly when computing preferredInferenceApi.src/lib/onboard/machine/handlers/sandbox-resume.test.ts (1)
58-77: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAdd direct guard-clause coverage for
hasHermesCompatibleAnthropicInferenceRouteDrift.Only the positive-drift path is exercised directly. Since this function gates a destructive sandbox recreate decision, consider adding cases for: non-Hermes agent, non-
compatible-anthropic-endpointprovider,preferredInferenceApialready"openai-completions", and missingmodel— each should returnfalseearly.As per path instructions, tests should provide "behavioral confidence rather than implementation lock-in" by covering observable outcomes at the public boundary.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/onboard/machine/handlers/sandbox-resume.test.ts` around lines 58 - 77, Add direct behavioral test coverage for the guard clauses in hasHermesCompatibleAnthropicInferenceRouteDrift: create cases for a non-hermes agent, a provider other than compatible-anthropic-endpoint, preferredInferenceApi already set to openai-completions, and a missing model, and assert each returns false. Keep the tests at the public boundary by exercising the function through observable inputs rather than internal implementation details.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/e2e/live/hermes-inference-switch-helpers.ts`:
- Around line 42-45: The helper in hermesRuntimeSwitchApi is duplicating
production API-mapping logic instead of reusing the real resolver, which can
drift from resolveAgentInferenceApi over time. Update this test helper to
delegate to or import resolveAgentInferenceApi from the inference config module,
and keep RUNTIME_SWITCH_API based on that shared source so both
hermes-inference-switch.test and hermes-inference-switch-command-shape.test
validate the same production behavior.
In `@test/e2e/support/hermes-inference-switch-command-shape.test.ts`:
- Around line 42-50: The new Hermes tests are verifying a duplicated helper
instead of the real command-shape behavior. Update the assertions in
hermes-inference-switch-command-shape.test.ts to exercise the production path by
calling resolveAgentInferenceApi directly, or the real command-argument builder
that consumes it, rather than hermesRuntimeSwitchApi from the test-only helper.
Keep the test focused on the actual boundary so it fails if the real resolver or
CLI shape regresses.
---
Nitpick comments:
In `@src/lib/actions/inference-set.ts`:
- Around line 712-739: Remove the redundant outer resolveAgentInferenceApi call
in inference-set’s preferredInferenceApi assignment: resolveRuntimeInferenceApi
already normalizes the fallback path internally, so keep
resolveAgentInferenceApi only where needed for the registry update and use the
explicitPreferredInferenceApi ?? resolveRuntimeInferenceApi(...) result directly
when computing preferredInferenceApi.
In `@src/lib/onboard/machine/handlers/sandbox-resume.test.ts`:
- Around line 58-77: Add direct behavioral test coverage for the guard clauses
in hasHermesCompatibleAnthropicInferenceRouteDrift: create cases for a
non-hermes agent, a provider other than compatible-anthropic-endpoint,
preferredInferenceApi already set to openai-completions, and a missing model,
and assert each returns false. Keep the tests at the public boundary by
exercising the function through observable inputs rather than internal
implementation details.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 9f357f4d-4a19-4201-9eca-e913f8a59127
📒 Files selected for processing (21)
docs/inference/inference-options.mdxdocs/inference/switch-inference-providers.mdxsrc/lib/actions/inference-route-api.test.tssrc/lib/actions/inference-route-api.tssrc/lib/actions/inference-set-hermes-run.test.tssrc/lib/actions/inference-set.tssrc/lib/actions/sandbox/rebuild-resume-config.test.tssrc/lib/actions/sandbox/rebuild-resume-config.tssrc/lib/inference/config.test.tssrc/lib/inference/config.tssrc/lib/onboard/machine/handlers/provider-inference.test.tssrc/lib/onboard/machine/handlers/provider-inference.tssrc/lib/onboard/machine/handlers/sandbox-resume.test.tssrc/lib/onboard/machine/handlers/sandbox-resume.tssrc/lib/onboard/machine/handlers/sandbox.test.tssrc/lib/onboard/machine/handlers/sandbox.tssrc/lib/onboard/providers.test.tstest/e2e/live/hermes-inference-switch-helpers.tstest/e2e/live/hermes-inference-switch.test.tstest/e2e/support/hermes-inference-switch-command-shape.test.tstest/generate-hermes-config.test.ts
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage in the branch is 96%. Coverage data for the branch is not yet available. Show a code coverage summary of the most covered files.
TypeScript / code-coverage/cliThe overall coverage in the branch is 73%. Coverage data for the branch is not yet available. Show a code coverage summary of the most covered files.
Updated |
|
🌿 Preview your docs: https://nvidia-preview-pr-6335.docs.buildwithfern.com/nemoclaw |
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings Action checklist
Test follow-ups to resolve or justifyIf these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.
This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision. |
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
🚨 Required before mergeAddress these before merging unless a maintainer explicitly overrides the advisor with rationale.
|
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
|
Heads-up: the Root cause: this is the first The suite change here is fine — this exposed a pre-existing gap in the Fix: #6343 adds Worth noting the PR/E2E advisors run a different matrix than the full dispatch, which is why this passed pre-merge. |
…board dcode identity failure (#6343) ## Summary Fixes two E2E-harness problems surfaced by the E2E dispatch on `main`: 1. **e2e-live source require hook** — the `hermes-inference-switch` live suite (added in #6335) failed at collection with `Cannot find module '../runner'` because the `e2e-live` Vitest project never loaded the typed-source require hook. 2. **cloud-onboard observability** — the cloud-experimental check-04 (added in #6332) fails on `main` with `could not read initial dcode identity`, but the real `dcode identity` error is captured into a shell var and discarded, so it can't be diagnosed. ## Changes - `vitest.config.ts`: add `setupFiles: ["test/helpers/onboard-script-mocks.cjs"]` to the `e2e-live` project (mirrors `cli`). Registers the typed-source `.ts` require hook **in-process** — deliberately not via `env.NODE_OPTIONS`, so `--require` never leaks into the real CLI subprocesses live tests spawn. - `test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh`: on both `dcode identity` reads, print the captured stdout+stderr to stdout (so it lands in `result.json`) before `fail`. No change to pass/fail logic — only makes the existing failure observable. ### Root cause — #1 (fixed here) `hermes-inference-switch` is the first `e2e-live` suite to import a deep `src` graph — its helpers import `src/lib/inference/config.ts`, which transitively loads `ollama-runtime-context.ts`'s runtime `require("../runner")`. Without the require hook, Node's native CJS resolver can't resolve the extensionless `.ts` → suite throws at collection (`0 tests`, ~37s). Only this suite hit it; others drive the CLI as a subprocess and import only fixtures. `runner.ts` has no circular dependency on the inference graph, so the in-process hook resolves it fully. ### Root cause — #2 (observability only; product root cause pending) `cloud-onboard` was green on `main` through 2026-07-06 00:56 UTC and failed on the first main E2E after #6332 landed (19:50 UTC) — #6332 added check-04, which has never passed on main. `dcode identity` is the NemoClaw wrapper (`agents/langchain-deepagents-code/dcode-wrapper.sh`); its identity path returns 0 in isolation and #6332 did not modify it, so the non-zero exit is a runtime condition in #6332's new "recreate/verify live identity" onboarding flow. That can't be pinned without the swallowed stderr — which this change surfaces. Product root cause is for the #6332 author to fix once the next run shows the real error. ## Type of Change - [x] Code change (feature, bug fix, or refactor) ## Quality Gates - [x] Existing tests cover changed behavior — justification: both changes are E2E-harness config/diagnostics. #1: the `e2e-live` suites exercise the hook — verified the previously-failing `hermes-inference-switch` suite now collects and all `e2e-live` suites report 0 collection errors, and the full `e2e-all` dispatch ran the switch job (hosted) green. #2: pure diagnostic output; no pass/fail change. - [x] Docs not applicable — justification: internal test-harness config/diagnostics; no user-facing behavior. - [x] Sensitive paths changed (onboarding/inference/runner adjacent via test config) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — justification: changes are confined to Vitest test-runner setup (`vitest.config.ts`) and an E2E diagnostic print; no product runtime code path is altered. The require hook is in-process only and does not touch product CLI subprocesses. ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed — note: `pre-push` `tsc-cli` skipped for a pre-existing local-only `noImplicitAny` false-positive in `test/helpers/mcp-lifecycle-lock-properties.ts` and `src/lib/state/mcp-lifecycle-lock-identity.test.ts` (unrelated to this diff); CI `tsc-cli` covers it. Check-04 passed `bash -n` and the `shellcheck`/`shfmt` pre-commit hooks. - [x] Targeted behavior tests pass — command/result: `NEMOCLAW_RUN_LIVE_E2E=1 npx vitest list --project e2e-live` → switch suite collects; whole project 0 collection errors (before the fix it reproduced `Cannot find module '../runner'`). Full `e2e-all` dispatch on this branch ran `hermes-inference-switch (hosted)` green. - [x] No secrets, API keys, or credentials committed --- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved reliability of live end-to-end test runs by loading the required hook inside the test process, avoiding leakage into real CLI subprocesses. * Made identity checks in sandboxed cloud experimental flows more robust, with clearer diagnostics when identity lookup fails. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary Add the v0.0.75 release-notes entry for the release train, summarizing the user-facing fixes merged since v0.0.74. Release-prep docs for the `nemoclaw-maintainer-cut-release-tag` gate. ## Related Issue Release prep for v0.0.75. Remove this section if none. ## Changes - `docs/about/release-notes.mdx`: add the `## v0.0.75` section (themed intro + grouped bullets with source-page links), matching the existing v0.0.74 style. ### Source summary (doc-impacting PRs → doc page) - #6370 -> `docs/about/release-notes.mdx`: prepared-backup recovery restores gateway state and defers the live route check to onboarding, so upgrade recovery no longer fails on an unset gateway route. - #6305 -> `docs/about/release-notes.mdx`: in-place upgrades recover gateway-orphaned sandboxes. - #6332 -> `docs/about/release-notes.mdx`: same-name `--fresh` re-onboard preserves fresh LangChain Deep Agents Code routing. - #6335 -> `docs/about/release-notes.mdx`: custom Anthropic-compatible inference uses the OpenAI frontend. - #6298 -> `docs/about/release-notes.mdx`: OpenAI-only agents keep the `/v1` base URL on Anthropic-compatible endpoints. - #6304 -> `docs/about/release-notes.mdx`: local docker-driver gateway credentials no longer expire. - #6261 -> `docs/about/release-notes.mdx`: Hermes runtime and managed MCP state reconcile after a runtime change. - #6318 -> `docs/about/release-notes.mdx`: Hermes installs accept a pinned base platform digest. - #6291 -> `docs/about/release-notes.mdx`: OpenClaw local CLI pairing restores its previous connection path. Test-performance, CI, and chore commits since v0.0.74 are excluded as non-user-facing. ## Type of Change - [x] Doc only (prose changes, no code sample modifications) ## Quality Gates - [x] Tests not applicable — justification: documentation-only change (release notes prose). - [x] Docs updated for user-facing behavior changes ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] `npm run docs` builds without warnings introduced by this change — command/result: "Found 0 errors and 2 warnings" (the 2 warnings pre-exist this change). - [x] Doc pages follow the style guide (active voice, no numbered/colon titles, correct NVIDIA/NemoClaw/OpenShell capitalization; skip-terms avoided). - [x] No secrets, API keys, or credentials committed --- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added a new **v0.0.75** section to the release notes, highlighting improved sandbox upgrade hardening and prepared-backup recovery, updated inference routing for Anthropic-compatible endpoints, longer-lasting local gateway credential handling, and restored CLI pairing reconnection without re-pairing. Also includes cross-links to related NemoClaw CLI and documentation pages. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
<!-- markdownlint-disable MD041 --> ## Summary <!-- 1-3 sentences: what this PR does and why. --> Correct the v0.0.75 release-note entry merged in #6371 before the release tag is cut. This follow-up restores the omitted OpenClaw `2026.6.10` upgrade and narrows three claims to the runtime contracts that actually shipped. ## Changes <!-- Bullet list of key changes. --> - #5595 -> `docs/about/release-notes.mdx`: add the bundled OpenClaw `2026.6.10` upgrade and its reviewed package, pairing, and recovery boundaries. - #6370 -> `docs/about/release-notes.mdx`: state that authoritative onboarding restores the gateway provider and inference route during rebuild, before sandbox recreation. - #6335 and #6298 -> `docs/about/release-notes.mdx`: scope the OpenAI frontend to Hermes while retaining the separate OpenAI-only-agent behavior. - #6304 -> `docs/about/release-notes.mdx`: name the non-expiring local Docker-driver sandbox JWT contract precisely and link its gateway-auth review. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: prose-only release-note corrections with no runtime behavior or code samples. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: tests are not applicable; `npm run docs` passed with 0 errors and 2 pre-existing warnings. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — result: 0 errors and 2 pre-existing warnings (missing authenticated redirects check and existing light-theme accent contrast). - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated the `v0.0.75` release notes with clearer wording and expanded details. * Added more specific notes about the runtime upgrade, sandbox recovery behavior, and routing safeguards. * Refined the description of inference routing behavior and local Docker-driver sandbox authentication handling. * Adjusted the linked references and final release-note wording for consistency. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
## Summary Fix Hermes custom Anthropic routing by using the endpoint's verified OpenAI Chat Completions surface end to end. NemoClaw selects `https://inference.local/v1`, verifies `/v1/chat/completions`, and aligns the OpenShell provider to `type=openai` with `OPENAI_BASE_URL`, avoiding the duplicate Anthropic SSE `message_start` sequence that caused `hermes -z` to finish with `no final response`. The core managed-frontend direction was first proposed by @chengjiew in NVIDIA#6295, and Chengjie Wang is included as a commit co-author. @TonyLuo-NV's NVIDIA#6297 contributed streaming-failure investigation and regression analysis. Thanks to @hulynn for the reproducible managed-proxy report. ## Related Issue Fixes NVIDIA#6289 ## Changes - Resolve Hermes `compatible-anthropic-endpoint` routes to the managed `openai-completions` frontend and reuse NVIDIA#6298's verified OpenAI-surface provider registration while retaining `COMPATIBLE_ANTHROPIC_API_KEY` as the credential binding. - Persist the normalized frontend during fresh onboarding; repair stale provider identity, registry metadata, and sandbox configuration during rebuild or resume. - Reject conflicting explicit API choices and legacy `type=anthropic` runtime switches before mutating OpenShell, registry, or in-sandbox state. - Preserve native Anthropic Messages routing for OpenClaw custom endpoints and first-party Anthropic routes; preserve the existing AWS Bedrock adapter behavior. - Extend unit, integration, command-shape, and live E2E coverage, including the reported `hermes -z` path; document the verified-surface requirement and rebuild migration. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent final review found no blockers. Endpoint probing and provider replacement reuse the fail-closed NVIDIA#6298 boundary; this PR adds exact non-secret provider identity checks and introduces no credential values. Human maintainer approval remains required. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — 289 CLI tests, 7 OpenAI-surface onboarding integration tests, 1 focused Hermes config integration test, and 18 E2E support tests passed - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — required GitHub Actions checks pending - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — completed with 0 errors and 2 existing Fern warnings - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) Additional local verification: - `npm run build:cli` - `npm run typecheck:cli` - `npm run checks` - `npm run test-size:check` - `npm run test:titles:check` - `npm run source-shape:check` - `npm run test:projects:check` - `npm run test:imports:check` - `npm run docs` (0 errors; 2 existing warnings) --- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> --------- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Signed-off-by: Chengjie Wang <chengjiew@nvidia.com> Co-authored-by: Chengjie Wang <chengjiew@nvidia.com>
…board dcode identity failure (NVIDIA#6343) ## Summary Fixes two E2E-harness problems surfaced by the E2E dispatch on `main`: 1. **e2e-live source require hook** — the `hermes-inference-switch` live suite (added in NVIDIA#6335) failed at collection with `Cannot find module '../runner'` because the `e2e-live` Vitest project never loaded the typed-source require hook. 2. **cloud-onboard observability** — the cloud-experimental check-04 (added in NVIDIA#6332) fails on `main` with `could not read initial dcode identity`, but the real `dcode identity` error is captured into a shell var and discarded, so it can't be diagnosed. ## Changes - `vitest.config.ts`: add `setupFiles: ["test/helpers/onboard-script-mocks.cjs"]` to the `e2e-live` project (mirrors `cli`). Registers the typed-source `.ts` require hook **in-process** — deliberately not via `env.NODE_OPTIONS`, so `--require` never leaks into the real CLI subprocesses live tests spawn. - `test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh`: on both `dcode identity` reads, print the captured stdout+stderr to stdout (so it lands in `result.json`) before `fail`. No change to pass/fail logic — only makes the existing failure observable. ### Root cause — rh-ai-quickstart#1 (fixed here) `hermes-inference-switch` is the first `e2e-live` suite to import a deep `src` graph — its helpers import `src/lib/inference/config.ts`, which transitively loads `ollama-runtime-context.ts`'s runtime `require("../runner")`. Without the require hook, Node's native CJS resolver can't resolve the extensionless `.ts` → suite throws at collection (`0 tests`, ~37s). Only this suite hit it; others drive the CLI as a subprocess and import only fixtures. `runner.ts` has no circular dependency on the inference graph, so the in-process hook resolves it fully. ### Root cause — NVIDIA#2 (observability only; product root cause pending) `cloud-onboard` was green on `main` through 2026-07-06 00:56 UTC and failed on the first main E2E after NVIDIA#6332 landed (19:50 UTC) — NVIDIA#6332 added check-04, which has never passed on main. `dcode identity` is the NemoClaw wrapper (`agents/langchain-deepagents-code/dcode-wrapper.sh`); its identity path returns 0 in isolation and NVIDIA#6332 did not modify it, so the non-zero exit is a runtime condition in NVIDIA#6332's new "recreate/verify live identity" onboarding flow. That can't be pinned without the swallowed stderr — which this change surfaces. Product root cause is for the NVIDIA#6332 author to fix once the next run shows the real error. ## Type of Change - [x] Code change (feature, bug fix, or refactor) ## Quality Gates - [x] Existing tests cover changed behavior — justification: both changes are E2E-harness config/diagnostics. rh-ai-quickstart#1: the `e2e-live` suites exercise the hook — verified the previously-failing `hermes-inference-switch` suite now collects and all `e2e-live` suites report 0 collection errors, and the full `e2e-all` dispatch ran the switch job (hosted) green. NVIDIA#2: pure diagnostic output; no pass/fail change. - [x] Docs not applicable — justification: internal test-harness config/diagnostics; no user-facing behavior. - [x] Sensitive paths changed (onboarding/inference/runner adjacent via test config) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — justification: changes are confined to Vitest test-runner setup (`vitest.config.ts`) and an E2E diagnostic print; no product runtime code path is altered. The require hook is in-process only and does not touch product CLI subprocesses. ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed — note: `pre-push` `tsc-cli` skipped for a pre-existing local-only `noImplicitAny` false-positive in `test/helpers/mcp-lifecycle-lock-properties.ts` and `src/lib/state/mcp-lifecycle-lock-identity.test.ts` (unrelated to this diff); CI `tsc-cli` covers it. Check-04 passed `bash -n` and the `shellcheck`/`shfmt` pre-commit hooks. - [x] Targeted behavior tests pass — command/result: `NEMOCLAW_RUN_LIVE_E2E=1 npx vitest list --project e2e-live` → switch suite collects; whole project 0 collection errors (before the fix it reproduced `Cannot find module '../runner'`). Full `e2e-all` dispatch on this branch ran `hermes-inference-switch (hosted)` green. - [x] No secrets, API keys, or credentials committed --- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved reliability of live end-to-end test runs by loading the required hook inside the test process, avoiding leakage into real CLI subprocesses. * Made identity checks in sandboxed cloud experimental flows more robust, with clearer diagnostics when identity lookup fails. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary Add the v0.0.75 release-notes entry for the release train, summarizing the user-facing fixes merged since v0.0.74. Release-prep docs for the `nemoclaw-maintainer-cut-release-tag` gate. ## Related Issue Release prep for v0.0.75. Remove this section if none. ## Changes - `docs/about/release-notes.mdx`: add the `## v0.0.75` section (themed intro + grouped bullets with source-page links), matching the existing v0.0.74 style. ### Source summary (doc-impacting PRs → doc page) - NVIDIA#6370 -> `docs/about/release-notes.mdx`: prepared-backup recovery restores gateway state and defers the live route check to onboarding, so upgrade recovery no longer fails on an unset gateway route. - NVIDIA#6305 -> `docs/about/release-notes.mdx`: in-place upgrades recover gateway-orphaned sandboxes. - NVIDIA#6332 -> `docs/about/release-notes.mdx`: same-name `--fresh` re-onboard preserves fresh LangChain Deep Agents Code routing. - NVIDIA#6335 -> `docs/about/release-notes.mdx`: custom Anthropic-compatible inference uses the OpenAI frontend. - NVIDIA#6298 -> `docs/about/release-notes.mdx`: OpenAI-only agents keep the `/v1` base URL on Anthropic-compatible endpoints. - NVIDIA#6304 -> `docs/about/release-notes.mdx`: local docker-driver gateway credentials no longer expire. - NVIDIA#6261 -> `docs/about/release-notes.mdx`: Hermes runtime and managed MCP state reconcile after a runtime change. - NVIDIA#6318 -> `docs/about/release-notes.mdx`: Hermes installs accept a pinned base platform digest. - NVIDIA#6291 -> `docs/about/release-notes.mdx`: OpenClaw local CLI pairing restores its previous connection path. Test-performance, CI, and chore commits since v0.0.74 are excluded as non-user-facing. ## Type of Change - [x] Doc only (prose changes, no code sample modifications) ## Quality Gates - [x] Tests not applicable — justification: documentation-only change (release notes prose). - [x] Docs updated for user-facing behavior changes ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] `npm run docs` builds without warnings introduced by this change — command/result: "Found 0 errors and 2 warnings" (the 2 warnings pre-exist this change). - [x] Doc pages follow the style guide (active voice, no numbered/colon titles, correct NVIDIA/NemoClaw/OpenShell capitalization; skip-terms avoided). - [x] No secrets, API keys, or credentials committed --- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added a new **v0.0.75** section to the release notes, highlighting improved sandbox upgrade hardening and prepared-backup recovery, updated inference routing for Anthropic-compatible endpoints, longer-lasting local gateway credential handling, and restored CLI pairing reconnection without re-pairing. Also includes cross-links to related NemoClaw CLI and documentation pages. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
<!-- markdownlint-disable MD041 --> ## Summary <!-- 1-3 sentences: what this PR does and why. --> Correct the v0.0.75 release-note entry merged in NVIDIA#6371 before the release tag is cut. This follow-up restores the omitted OpenClaw `2026.6.10` upgrade and narrows three claims to the runtime contracts that actually shipped. ## Changes <!-- Bullet list of key changes. --> - NVIDIA#5595 -> `docs/about/release-notes.mdx`: add the bundled OpenClaw `2026.6.10` upgrade and its reviewed package, pairing, and recovery boundaries. - NVIDIA#6370 -> `docs/about/release-notes.mdx`: state that authoritative onboarding restores the gateway provider and inference route during rebuild, before sandbox recreation. - NVIDIA#6335 and NVIDIA#6298 -> `docs/about/release-notes.mdx`: scope the OpenAI frontend to Hermes while retaining the separate OpenAI-only-agent behavior. - NVIDIA#6304 -> `docs/about/release-notes.mdx`: name the non-expiring local Docker-driver sandbox JWT contract precisely and link its gateway-auth review. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: prose-only release-note corrections with no runtime behavior or code samples. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: tests are not applicable; `npm run docs` passed with 0 errors and 2 pre-existing warnings. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — result: 0 errors and 2 pre-existing warnings (missing authenticated redirects check and existing light-theme accent contrast). - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated the `v0.0.75` release notes with clearer wording and expanded details. * Added more specific notes about the runtime upgrade, sandbox recovery behavior, and routing safeguards. * Refined the description of inference routing behavior and local Docker-driver sandbox authentication handling. * Adjusted the linked references and final release-note wording for consistency. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Summary
Fix Hermes custom Anthropic routing by using the endpoint's verified OpenAI Chat Completions surface end to end. NemoClaw selects
https://inference.local/v1, verifies/v1/chat/completions, and aligns the OpenShell provider totype=openaiwithOPENAI_BASE_URL, avoiding the duplicate Anthropic SSEmessage_startsequence that causedhermes -zto finish withno final response.The core managed-frontend direction was first proposed by @chengjiew in #6295, and Chengjie Wang is included as a commit co-author. @TonyLuo-NV's #6297 contributed streaming-failure investigation and regression analysis. Thanks to @hulynn for the reproducible managed-proxy report.
Related Issue
Fixes #6289
Changes
compatible-anthropic-endpointroutes to the managedopenai-completionsfrontend and reuse fix(inference): keep /v1 base URL for OpenAI-only agents on Anthropic-compatible endpoints #6298's verified OpenAI-surface provider registration while retainingCOMPATIBLE_ANTHROPIC_API_KEYas the credential binding.type=anthropicruntime switches before mutating OpenShell, registry, or in-sandbox state.hermes -zpath; document the verified-surface requirement and rebuild migration.Type of Change
Quality Gates
Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — required GitHub Actions checks pendingnpm run docsbuilds without warnings (doc changes only) — completed with 0 errors and 2 existing Fern warningsAdditional local verification:
npm run build:clinpm run typecheck:clinpm run checksnpm run test-size:checknpm run test:titles:checknpm run source-shape:checknpm run test:projects:checknpm run test:imports:checknpm run docs(0 errors; 2 existing warnings)Signed-off-by: Apurv Kumaria akumaria@nvidia.com