Skip to content

fix(hermes): preserve proxy api key on inference switch#4854

Merged
cv merged 4 commits into
mainfrom
fix/4765-hermes-inference-set-api-key
Jun 5, 2026
Merged

fix(hermes): preserve proxy api key on inference switch#4854
cv merged 4 commits into
mainfrom
fix/4765-hermes-inference-set-api-key

Conversation

@cv
Copy link
Copy Markdown
Collaborator

@cv cv commented Jun 5, 2026
edited by coderabbitai Bot
Loading

Summary

Hermes inference switches now keep the OpenShell proxy rewrite API-key placeholder in model.api_key. This prevents Hermes dashboard/TUI sessions from resolving provider: custom with the upstream no-key-required fallback after nemohermes inference set rewrites /sandbox/.hermes/config.yaml.

Related Issue

Related to #4765.

Changes

  • Add a Hermes proxy API-key placeholder in patchHermesInferenceConfig().
  • Update Hermes inference-switch unit tests to assert model.api_key: sk-OPENSHELL-PROXY-REWRITE across OpenAI-compatible, Anthropic Messages, and Bedrock-compatible routes.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Additional validation run:

  • npm run build:cli passes
  • npm run typecheck:cli passes after rebuilding dist/
  • npx vitest run src/lib/actions/inference-set.test.ts --maxWorkers=1 --testTimeout=30000 passes
  • npx prek run --files src/lib/actions/inference-set.ts src/lib/actions/inference-set.test.ts passes
  • Full pre-commit test hook was attempted and hit the existing/environmental test/onboard-selection.test.ts -t "returns to provider selection when Ollama manual entry chooses back" failure; that test passed when rerun in isolation.

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

  • New Features

    • Introduced API key placeholder constant for Hermes proxy authentication configuration.
    • Updated Hermes inference configuration patching to consistently apply the placeholder.

  • Tests

    • Updated test assertions to verify correct placeholder usage in Hermes configuration patching.
    • Synchronized test expectations for configuration generation and inference switching to use the placeholder.

@cv
fix(hermes): preserve proxy api key on inference switch
ed76b70 
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv self-assigned this Jun 5, 2026
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Jun 5, 2026
edited
Loading

Wondering what really moved? Review this PR in Change Stack to inspect semantic changes, definitions, and references.

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 87e5aace-dc38-4a01-88b7-9ee31115d6d2

📥 Commits

Reviewing files that changed from the base of the PR and between 18be269 and 5e20255.

📒 Files selected for processing (4)
  • src/lib/actions/inference-set.test.ts
  • src/lib/actions/inference-set.ts
  • src/lib/hermes-proxy-api-key.ts
  • test/generate-hermes-config.test.ts
📝 Walkthrough

Walkthrough

This PR centralizes the Hermes/OpenShell proxy API key placeholder by introducing a shared constant and updating inference-set patching and config-generation tests to use it consistently. The placeholder sentinel replaces hard-coded token strings and ensures API key handling is uniform across inference config patching and Hermes config generation.

Changes

Hermes Proxy API Key Placeholder Centralization

Layer / File(s) Summary
Placeholder constant definition
src/lib/hermes-proxy-api-key.ts		 New module exports HERMES_PROXY_API_KEY_PLACEHOLDER constant with value "sk-OPENSHELL-PROXY-REWRITE" and documentation describing its use as a sentinel for credential-shaped gating in Hermes/LiteLLM.
Inference set patching implementation
src/lib/actions/inference-set.ts		 Imports the placeholder constant and updates patchHermesInferenceConfig to set modelConfig.api_key to the placeholder, ensuring the patched Hermes inference config always includes the expected API key sentinel.
Inference set test updates
src/lib/actions/inference-set.test.ts		 Imports placeholder constant and updates patchHermesInferenceConfig and runInferenceSet test expectations to verify the API key is set to the placeholder in various Hermes routing and config-sync scenarios, including a new test for replacing stale API keys.
Hermes config generation test updates
test/generate-hermes-config.test.ts		 Imports placeholder constant and replaces hard-coded API key strings with the shared constant in test assertions, including tightened checks to assert exact placeholder equality and a sync verification between generated and inference-switched Hermes proxy placeholders.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#4718: Both PRs update Hermes configuration to ensure model.api_key is set to the OpenShell/LiteLLM sk-OPENSHELL-PROXY-REWRITE placeholder (main PR centralizes it via HERMES_PROXY_API_KEY_PLACEHOLDER and patches inference config; related PR sets the placeholder directly in buildHermesConfig and adds sk- gate assertions).
  • NVIDIA/NemoClaw#4847: Both PRs modify the Hermes inference config patching logic in src/lib/actions/inference-set.ts (the main PR changes the patched model.api_key, while the related PR changes patched model.api_mode/runtime route behavior via patchHermesInferenceConfig/hermesApiMode).

Suggested labels

integration: hermes, area: inference, bug-fix, provider: anthropic

Suggested reviewers

  • prekshivyas

Poem

🐰 A sentinel is born, so neat,
sk-OPENSHELL-PROXY complete,
From scattered strings, now unified and strong,
The Hermes placeholders right where they belong! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: preserving a proxy API key placeholder during Hermes inference switching, which is the core purpose of this fix across all modified files.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/4765-hermes-inference-set-api-key

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026
edited
Loading

PR Review Advisor

Findings: 1 needs attention, 2 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 0 still apply, 2 new items found

Review findings

🛠️ Needs attention

  • Extract or offset growth in the inference-set test monolith (src/lib/actions/inference-set.test.ts:1): This PR adds 25 lines to `src/lib/actions/inference-set.test.ts`, which is already a large 900-line test file. The deterministic monolith check flags growth of 20 or more lines in this hotspot as needing attention before merge.
    • Recommendation: Move the new Hermes proxy API-key cases into a smaller focused test module, or extract existing Hermes inference-switch tests so this PR does not further grow the monolith.
    • Evidence: Monolith delta: `src/lib/actions/inference-set.test.ts` baseLines=900, headLines=925, delta=25, severity=blocker.

🔎 Worth checking

  • Source-of-truth review needed: Hermes proxy API-key placeholder for config generation and inference switching: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: The workaround behavior is covered, but `agents/hermes/config/hermes-config.ts` still hardcodes the sentinel separately from `src/lib/hermes-proxy-api-key.ts`, leaving a source-of-truth follow-up.
  • Proxy API-key sentinel still has two implementation sources (agents/hermes/config/hermes-config.ts:53): The new `src/lib/hermes-proxy-api-key.ts` constant is used by the inference-switch path and tests, but the Hermes config generator still hardcodes the same `sk-OPENSHELL-PROXY-REWRITE` literal. The current test catches drift, but the security-boundary sentinel remains duplicated in production code, so a future edit could break OpenShell rewrite assumptions or reintroduce stale-key behavior.
    • Recommendation: Prefer a single production source for the sentinel if packaging permits. If the Docker config-generator path cannot import from `src/lib`, document that boundary near both definitions and keep the drift test as an explicit guard.
    • Evidence: `src/lib/hermes-proxy-api-key.ts` exports `HERMES_PROXY_API_KEY_PLACEHOLDER`, while `agents/hermes/config/hermes-config.ts:53` still writes `api_key: "sk-OPENSHELL-PROXY-REWRITE"` directly.

🌱 Nice ideas

  • None.
Consider writing more tests for
  • **Runtime validation** — Hermes sandbox config rewritten by `nemohermes inference set` persists `model.api_key: sk-OPENSHELL-PROXY-REWRITE` on disk and refreshes the config hash.. Unit coverage is good for `patchHermesInferenceConfig()`, but this touches sandbox config and the OpenShell credential rewrite boundary, where runtime behavior can differ from object-level tests.
  • **Runtime validation** — Hermes/OpenShell egress strips `sk-OPENSHELL-PROXY-REWRITE` and sends the registered provider credential, not the sentinel or a stale literal key.. Unit coverage is good for `patchHermesInferenceConfig()`, but this touches sandbox config and the OpenShell credential rewrite boundary, where runtime behavior can differ from object-level tests.
  • **Runtime validation** — Generated Hermes config and inference-switch rewritten config use the same proxy sentinel after switching from an older config containing `no-key-required`.. Unit coverage is good for `patchHermesInferenceConfig()`, but this touches sandbox config and the OpenShell credential rewrite boundary, where runtime behavior can differ from object-level tests.
  • **Acceptance clause:** Related to [All Platforms][Agent&Skills] Hermes Dashboard chat shows "Chat unavailable" — does not recognize NemoClaw OpenShell proxy inference route #4765. — add test evidence or identify existing coverage. The PR body references [All Platforms][Agent&Skills] Hermes Dashboard chat shows "Chat unavailable" — does not recognize NemoClaw OpenShell proxy inference route #4765, but deterministic context did not include linked issue body or comments (`linkedIssues: []`), so literal issue acceptance clauses could not be extracted or mapped.
  • **Acceptance clause:** This prevents Hermes dashboard/TUI sessions from resolving `provider: custom` with the upstream `no-key-required` fallback after `nemohermes inference set` rewrites `/sandbox/.hermes/config.yaml`. — add test evidence or identify existing coverage. Unit coverage now verifies `patchHermesInferenceConfig()` replaces `no-key-required` and a real-looking stale key with the OpenShell proxy placeholder. Runtime/sandbox evidence that Hermes/OpenShell strips the sentinel and injects the registered route credential at egress was not available in the reviewed diff.
  • **Hermes proxy API-key placeholder for config generation and inference switching** — `src/lib/actions/inference-set.test.ts` now verifies stale `api_key` values are replaced and route-family switches keep the placeholder; `test/generate-hermes-config.test.ts` verifies generated config output matches the exported constant.. The workaround behavior is covered, but `agents/hermes/config/hermes-config.ts` still hardcodes the sentinel separately from `src/lib/hermes-proxy-api-key.ts`, leaving a source-of-truth follow-up.
Since last review details

Current findings:

  • Source-of-truth review needed: Hermes proxy API-key placeholder for config generation and inference switching: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: The workaround behavior is covered, but `agents/hermes/config/hermes-config.ts` still hardcodes the sentinel separately from `src/lib/hermes-proxy-api-key.ts`, leaving a source-of-truth follow-up.
  • Extract or offset growth in the inference-set test monolith (src/lib/actions/inference-set.test.ts:1): This PR adds 25 lines to `src/lib/actions/inference-set.test.ts`, which is already a large 900-line test file. The deterministic monolith check flags growth of 20 or more lines in this hotspot as needing attention before merge.
    • Recommendation: Move the new Hermes proxy API-key cases into a smaller focused test module, or extract existing Hermes inference-switch tests so this PR does not further grow the monolith.
    • Evidence: Monolith delta: `src/lib/actions/inference-set.test.ts` baseLines=900, headLines=925, delta=25, severity=blocker.
  • Proxy API-key sentinel still has two implementation sources (agents/hermes/config/hermes-config.ts:53): The new `src/lib/hermes-proxy-api-key.ts` constant is used by the inference-switch path and tests, but the Hermes config generator still hardcodes the same `sk-OPENSHELL-PROXY-REWRITE` literal. The current test catches drift, but the security-boundary sentinel remains duplicated in production code, so a future edit could break OpenShell rewrite assumptions or reintroduce stale-key behavior.
    • Recommendation: Prefer a single production source for the sentinel if packaging permits. If the Docker config-generator path cannot import from `src/lib`, document that boundary near both definitions and keep the drift test as an explicit guard.
    • Evidence: `src/lib/hermes-proxy-api-key.ts` exports `HERMES_PROXY_API_KEY_PLACEHOLDER`, while `agents/hermes/config/hermes-config.ts:53` still writes `api_key: "sk-OPENSHELL-PROXY-REWRITE"` directly.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026
edited
Loading

E2E Advisor Recommendation

Required E2E: hermes-inference-switch-e2e, hermes-anthropic-inference-switch-e2e
Optional E2E: hermes-e2e, openclaw-inference-switch-e2e

Dispatch hint: hermes-inference-switch-e2e,hermes-anthropic-inference-switch-e2e

Auto-dispatched E2E: hermes-inference-switch-e2e, hermes-anthropic-inference-switch-e2e via nightly-e2e.yaml at 5e2025522f8f7196a43d58209c3fedfece283229nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • hermes-inference-switch-e2e (high): Directly covers the changed runtime path: installs/runs a Hermes sandbox, executes nemohermes inference set, verifies config.yaml and hashes, then sends live requests through the switched route. This should catch placeholder-related breakage in Hermes/LiteLLM or OpenShell proxy rewrite.
  • hermes-anthropic-inference-switch-e2e (high): The same Hermes config patch path also handles Anthropic Messages mode and base URL differences. The diff updates expectations for Anthropic Hermes routes, so this switched-route variant is required to verify api_key, api_mode, base_url, and live traffic behavior together.

Optional E2E

  • hermes-e2e (high): Useful adjacent confidence for initial Hermes onboarding and generated config.yaml with the same proxy placeholder, though the changed production code is primarily the inference-switch path.
  • openclaw-inference-switch-e2e (high): Shared runInferenceSet code was touched, but the functional change is Hermes-only. Run if extra confidence is desired that OpenClaw inference switching was not regressed by the shared action edit.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: hermes-inference-switch-e2e,hermes-anthropic-inference-switch-e2e

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026
edited
Loading

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-hermes
Optional scenario E2E: None

Dispatch required scenario E2E:

  • gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: medium

Required scenario E2E

  • ubuntu-repo-cloud-hermes: The PR changes Hermes inference configuration patching and introduces a shared Hermes proxy API-key placeholder. The Ubuntu Hermes scenario is the smallest dispatchable scenario that onboards a Hermes sandbox and validates the Hermes runtime/inference path using the generated Hermes config surface.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes

Optional scenario E2E

  • None.

Relevant changed files

  • src/lib/actions/inference-set.ts
  • src/lib/hermes-proxy-api-key.ts

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27031958476
Target ref: ed76b701269ac2c2918dcea36e10bdb482203734
Workflow ref: main
Requested jobs: hermes-inference-switch-e2e,hermes-anthropic-inference-switch-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job Result
hermes-anthropic-inference-switch-e2e ✅ success
hermes-inference-switch-e2e ✅ success

@cv
test(hermes): cover proxy api key sentinel contract
ef5fc22 
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv
Copy link
Copy Markdown
Collaborator Author

cv commented Jun 5, 2026

Addressed the PR review advisor feedback in ef5fc22:

  • Moved the Hermes proxy rewrite sentinel into a dedicated no-dependency source module with a source-of-truth comment explaining that it is non-secret, why the sk- prefix is required, the OpenShell egress rewrite boundary, and the removal condition.
  • Updated patchHermesInferenceConfig() to import that sentinel instead of owning a local hardcoded value.
  • Added regression coverage that stale model.api_key: no-key-required and a real-looking stale key are replaced with the proxy sentinel.
  • Added a generated-config/inference-switch contract test so initial Hermes config generation and inference switches stay aligned on the same placeholder.

Validation after changes:

  • npm run build:cli
  • npm run typecheck:cli
  • npx vitest run src/lib/actions/inference-set.test.ts test/generate-hermes-config.test.ts --maxWorkers=1 --testTimeout=30000
  • npx prek run --files src/lib/hermes-proxy-api-key.ts src/lib/actions/inference-set.ts src/lib/actions/inference-set.test.ts test/generate-hermes-config.test.ts

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27033884574
Target ref: ef5fc22bf5263fb1219bc5229902892ce6b93631
Workflow ref: main
Requested jobs: hermes-inference-switch-e2e,hermes-anthropic-inference-switch-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job Result
hermes-anthropic-inference-switch-e2e ✅ success
hermes-inference-switch-e2e ⚠️ cancelled

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27034108864
Target ref: 24b4a2199a76dabc6f4221c503c4244518dd530f
Workflow ref: main
Requested jobs: hermes-inference-switch-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job Result
hermes-inference-switch-e2e ✅ success

@cv cv requested review from cjagwani and prekshivyas June 5, 2026 19:27
cjagwani
cjagwani approved these changes Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cjagwani cjagwani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

@cv cv enabled auto-merge (squash) June 5, 2026 19:29
@cv cv merged commit 1fb2221 into main Jun 5, 2026
33 checks passed
@cv cv deleted the fix/4765-hermes-inference-set-api-key branch June 5, 2026 19:35
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27035830540
Target ref: 5e2025522f8f7196a43d58209c3fedfece283229
Workflow ref: main
Requested jobs: hermes-inference-switch-e2e,hermes-anthropic-inference-switch-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job Result
hermes-anthropic-inference-switch-e2e ✅ success
hermes-inference-switch-e2e ✅ success

@miyoungc miyoungc mentioned this pull request Jun 6, 2026
Merged
miyoungc added a commit that referenced this pull request Jun 6, 2026
@miyoungc @cv
docs: refresh v0.0.60 release notes (#4879)
1f0b4c5 
## Summary
- Adds the `v0.0.60` section to `docs/about/release-notes.mdx` using the
dev announcement from discussion #4877.
- Fills the source-doc gaps found during release-prep review across
inference, policy tiers, command behavior, security boundaries, Hermes
dashboard/tooling, runtime context, and troubleshooting.
- Refreshes generated agent skills under `.agents/skills/` from the
current Fern docs output and upgrades Fern from `5.44.3` to `5.45.0`.

## Source summary
- #4037 -> `docs/reference/architecture.mdx`,
`docs/about/how-it-works.mdx`, `docs/about/release-notes.mdx`: Documents
system-only runtime context that stays out of visible chat.
- #4875 -> `docs/reference/architecture.mdx`,
`docs/about/how-it-works.mdx`, `docs/about/release-notes.mdx`: Documents
try-first sandbox network/filesystem guidance and clearer failure
classification.
- #4788 -> `docs/security/best-practices.mdx`,
`docs/about/release-notes.mdx`: Documents shared OpenClaw
device-approval policy for startup and connect.
- #4768 -> `docs/reference/network-policies.mdx`,
`docs/network-policy/integration-policy-examples.mdx`,
`docs/get-started/quickstart.mdx`,
`docs/get-started/quickstart-hermes.mdx`, `docs/reference/commands.mdx`:
Documents `weather`, `public-reference`, and Hermes managed-tool gateway
preset behavior.
- #3788 and #4864 -> `docs/reference/network-policies.mdx`,
`docs/reference/commands.mdx`: Documents non-interactive policy-tier
fail-fast behavior and interactive prompt fallback.
- #4756 and #4866 -> `docs/reference/commands.mdx`: Documents env-aware
default sandbox resolution for `list`, `status`, and `tunnel` commands.
- #4320 -> `docs/reference/commands.mdx`: Documents `$$nemoclaw tunnel
status` behavior.
- #4328 -> `docs/reference/commands.mdx`: Documents line-scoped policy
preset descriptions in `policy-list`.
- #4580 and #4748 -> `docs/reference/architecture.mdx`: Documents
package-managed OpenShell gateway service and Docker-driver
gateway-marker behavior.
- #4598 -> `docs/manage-sandboxes/lifecycle.mdx`: Documents concurrent
gateway/dashboard cleanup isolation by sandbox name and port.
- #4777 -> `docs/reference/troubleshooting.mdx`: Documents Docker GPU
patch rollback behavior.
- #4610 -> `docs/reference/troubleshooting.mdx`,
`docs/reference/commands.mdx`: Keeps mutable OpenClaw config permission
guidance aligned and removes skipped experimental wording.
- #4868 -> `docs/reference/commands.mdx`: Keeps `.dockerignore` handling
for custom `onboard --from <Dockerfile>` contexts in generated skills.
- #4870 -> `docs/reference/commands.mdx`,
`docs/manage-sandboxes/runtime-controls.mdx`: Documents
`NEMOCLAW_MINIMAL_BOOTSTRAP` and generated skill coverage.
- #4641 -> `docs/inference/inference-options.mdx`,
`docs/reference/troubleshooting.mdx`: Documents local NVIDIA NIM
platform-digest pulls and served-model id adoption.
- #4810 and #4867 -> `docs/inference/inference-options.mdx`: Documents
stable NGC managed-vLLM image lineage and DGX Station DeepSeek V4 Flash
coverage.
- #4852 -> `docs/inference/use-local-inference.mdx`,
`docs/reference/troubleshooting.mdx`: Documents Ollama model fit
filtering, 16K context floor, cold-load retry, and failed-model
exclusion.
- #4847 -> `docs/inference/switch-inference-providers.mdx`: Documents
API-family sync, Hermes `api_mode`, and Bedrock Runtime exception.
- #4800 -> `docs/inference/tool-calling-reliability.mdx`: Documents
Nemotron managed-inference native tool-search fallback.
- #4333 -> `docs/inference/switch-inference-providers.mdx`: Documents
interactive multimodal input prompting.
- #4086 -> `docs/reference/troubleshooting.mdx`: Keeps proxy bypass
normalization in generated troubleshooting coverage.
- #4811 and #4855 -> `docs/get-started/quickstart-hermes.mdx`: Documents
prebuilt Hermes dashboard assets and TUI recovery without runtime
rebuilds.
- #4854 -> `docs/inference/switch-inference-providers.mdx`,
`docs/reference/commands.mdx`: Documents Hermes proxy API-key
placeholder preservation during inference switches.
- #4248 -> `docs/manage-sandboxes/messaging-channels.mdx`,
`.agents/skills/`: Keeps messaging enrollment behavior aligned with
manifest-hook implementation.
- #4771 -> `docs/security/best-practices.mdx`,
`docs/security/credential-storage.mdx`: Documents Hermes
placeholder-only secret boundary for sandbox-visible runtime files.
- #4787 -> `docs/security/best-practices.mdx`,
`docs/about/release-notes.mdx`: Documents expanded memory scanner
examples for OpenAI project keys and Slack app-level tokens.
- #4848 -> `docs/reference/commands.mdx`: Documents OpenClaw skill
install mirroring into the agent home directory.
- #4790 -> `docs/about/release-notes.mdx`: Uses the prior release-prep
structure and generated `.agents/skills/` refresh as the template for
this release.

## Verification
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix
nemoclaw-user --doc-platform fern-mdx`
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ skills/
--prefix nemoclaw-user --doc-platform fern-mdx --dry-run`
- `npm run docs`
- `git diff --check`
- skip-term scan across `docs/`, `.agents/skills/`, and `skills/`
- `npm run build:cli`
- `npm run typecheck:cli`
- Commit and pre-push hook suites, including markdownlint, gitleaks,
env-var docs gate, docs-to-skills verification, and skills YAML tests

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* DeepSeek-V4-Flash now available as default inference model for DGX
Station.
* Hermes dashboard improved with dedicated port and OAuth-authenticated
tool gateway selection.
* Added weather and public-reference policy presets for expanded agent
capabilities.
* Enhanced Ollama model selection with GPU memory filtering and
automatic retry for timeouts.

* **Bug Fixes**
  * Improved policy tier validation to prevent invalid configurations.
* Better sandbox cleanup scoping by port to prevent conflicts across
deployments.
  * Added GPU patch failure recovery with automatic rollback.

* **Documentation**
* Expanded troubleshooting guides for inference, security, and sandbox
lifecycle.
  * Added .dockerignore best practices for custom deployments.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cjagwani cjagwani cjagwani approved these changes

@prekshivyas prekshivyas Awaiting requested review from prekshivyas

Assignees

@cv cv

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cv @cjagwani