Skip to content

fix(rebuild): verify Hermes post-restore health#7117

Merged
apurvvkumaria merged 11 commits into
mainfrom
codex/fix-7084-hermes-rebuild-qa
Jul 17, 2026
Merged

fix(rebuild): verify Hermes post-restore health#7117
apurvvkumaria merged 11 commits into
mainfrom
codex/fix-7084-hermes-rebuild-qa

Conversation

@apurvvkumaria

@apurvvkumaria apurvvkumaria commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

Rebuild no longer reports a restored Hermes sandbox as ready before its saved agent identity, managed MCP configuration, and gateway health are verified. If those postconditions cannot be restored and proven, rebuild now exits nonzero with recovery guidance instead of returning a partial success. Credit to @mercl-lau for the public reproduction and expected-result report.

Related Issue

Fixes #7084

Changes

  • Pin the authoritative target agent before restore and reject missing or mismatched recreated registry/runtime identities before later mutations.
  • Restore managed MCP state, then prove or recover the Hermes gateway after restored state is in place.
  • Propagate an explicit failure when final Hermes or MCP health cannot be verified.
  • Add regression coverage for successful recovery, missing/mismatched agent identity, and post-restore failure paths.
  • Document the final post-restore verification behavior and recovery outcome.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification:
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Maintainer self-review audited agent-identity pinning, post-restore ordering, MCP restoration, gateway recovery, and nonzero failure propagation; dedicated regression tests cover each boundary.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes a Signed-off-by: line and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: 98/98 focused rebuild tests passed (rebuild-hermes-post-restore, rebuild-mcp-phase, and rebuild-flow); CLI typecheck passed.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result: Targeted sandbox-rebuild suites were used because this is a scoped post-restore behavior change.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only) — Build passed with 0 errors and 2 pre-existing Fern warnings.
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Apurv Kumaria akumaria@nvidia.com

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened Hermes sandbox rebuild post-restore verification with gateway health/recovery checks and managed MCP configuration reconciliation.
    • Rebuild now fails with clearer errors when final Hermes/MCP verification can’t be confirmed or can’t reconcile, including stricter identity verification for the targeted agent.
  • Documentation
    • Expanded Hermes rebuild docs to describe preserved state, MCP restore behavior, nonzero exit conditions, and recommended follow-up commands for incomplete restorations.
  • Tests
    • Added dedicated Hermes post-restore verification coverage and enhanced rebuild harness support for targeted agent identity and sandbox process recovery scenarios.

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@apurvvkumaria apurvvkumaria added the v0.0.86 Release target label Jul 17, 2026
@apurvvkumaria apurvvkumaria self-assigned this Jul 17, 2026
@apurvvkumaria apurvvkumaria added bug-fix PR fixes a bug or regression Recommended Blocker Recommended release blocker for maintainer review integration: hermes Hermes integration behavior area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery platform: dgx-station Affects DGX Station hardware or workflows labels Jul 17, 2026
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Hermes sandbox rebuilds now validate recreated identity, restore and verify gateway health, reconcile managed MCP configuration, and fail when post-restore checks remain unverified. Tests, harnesses, and documentation cover the behavior.

Changes

Hermes rebuild verification

Layer / File(s) Summary
Target identity and pipeline wiring
src/lib/actions/sandbox/rebuild-pipeline.ts, src/lib/actions/sandbox/rebuild-post-restore-phase.ts, src/lib/actions/sandbox/rebuild-post-restore-phase.test.ts
The rebuild pipeline passes an explicit target agent, validates recreated registry and runtime identities, and uses that target for agent-specific processing.
Hermes gateway and completion checks
src/lib/actions/sandbox/rebuild-hermes-post-restore.ts, src/lib/actions/sandbox/rebuild-post-restore-phase.ts, src/lib/actions/sandbox/rebuild-mcp-phase.ts
Post-restore execution classifies Hermes gateway health, reports recovery status, and blocks completion when gateway or managed MCP verification is unverified.
Test coverage, harness controls, and documentation
src/lib/actions/sandbox/rebuild-hermes-post-restore.test.ts, test/helpers/rebuild-flow-*, docs/manage-sandboxes/recover-rebuild-sandboxes.mdx
Tests and harness overrides cover recovery, MCP, identity, and failure outcomes; documentation describes Hermes MCP restoration and verification failures.

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#5595 — Both changes modify the rebuild pipeline around sandbox recreation and post-restore handling.
  • NVIDIA/NemoClaw#7109 — Both changes modify post-restore orchestration in rebuild-post-restore-phase.ts.

Suggested reviewers: jyaunches, yanyunl1991

Sequence Diagram(s)

sequenceDiagram
  participant RebuildPipeline
  participant PostRestorePhase
  participant MCPBridge
  participant ProcessRecovery
  participant RebuildResult
  RebuildPipeline->>PostRestorePhase: pass target agent
  PostRestorePhase->>MCPBridge: restore managed Hermes MCP configuration
  PostRestorePhase->>ProcessRecovery: verify and recover gateway processes
  ProcessRecovery-->>PostRestorePhase: health, recovery, and refusal flags
  PostRestorePhase->>RebuildResult: accept or reject post-restore completion
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately summarizes the Hermes rebuild health verification change.
Linked Issues check ✅ Passed The changes verify Hermes gateway health and restored MCP state before reporting rebuild readiness, matching issue #7084.
Out of Scope Changes check ✅ Passed The diff stays focused on Hermes rebuild verification, documentation, and tests without unrelated feature work.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-7084-hermes-rebuild-qa

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 80%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 0c98550 8afd836 +/-
src/lib/actions...ld-mcp-phase.ts 94% 94% 0%
src/lib/actions...rget-runtime.ts 95% 95% 0%
src/lib/agent/defs.ts 81% 81% 0%
src/lib/agent/s...store-reader.ts 90% 90% 0%
src/lib/adapter...shell/client.ts 88% 90% +2%
src/lib/actions...estore-phase.ts 87% 90% +3%
src/lib/actions...arget-config.ts 80% 83% +3%
src/lib/inferen...er-lifecycle.ts 65% 71% +6%
src/lib/inferen...lama/process.ts 50% 100% +50%
src/lib/actions...post-restore.ts 0% 60% +60%

Updated July 17, 2026 22:00 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/actions/sandbox/rebuild-hermes-post-restore.test.ts`:
- Around line 22-37: Update the test setup around
restoreMcpBridgesAfterRebuildSpy in the gateway-health failure case so MCP
bridge restoration succeeds instead of rejecting. Keep the unrecovered gateway
state from checkAndRecoverSandboxProcesses unchanged, allowing this test to
isolate gateway verification as the sole readiness blocker; leave MCP failure
coverage to the later test.

In `@src/lib/actions/sandbox/rebuild-post-restore-phase.ts`:
- Around line 129-145: Update the recreated identity checks around
recreatedRegistryAgentName and recreatedRuntimeAgentName to preserve undefined
values when registry or runtime identities are absent, and require both values
to exist and exactly equal targetAgentName before proceeding. Add a regression
case covering a missing runtime identity with targetAgentName set to OpenClaw,
ensuring the rebuild fails rather than reporting success.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2b99a635-14f8-4b7c-b246-7a0ba82b587b

📥 Commits

Reviewing files that changed from the base of the PR and between 522ad1e and 595ace9.

📒 Files selected for processing (9)
  • docs/manage-sandboxes/recover-rebuild-sandboxes.mdx
  • src/lib/actions/sandbox/rebuild-hermes-post-restore.test.ts
  • src/lib/actions/sandbox/rebuild-hermes-post-restore.ts
  • src/lib/actions/sandbox/rebuild-mcp-phase.ts
  • src/lib/actions/sandbox/rebuild-pipeline.ts
  • src/lib/actions/sandbox/rebuild-post-restore-phase.ts
  • test/helpers/rebuild-flow-harness.ts
  • test/helpers/rebuild-flow-test-harness.ts
  • test/helpers/rebuild-flow-test-support.ts

Comment thread src/lib/actions/sandbox/rebuild-hermes-post-restore.test.ts Outdated
Comment thread src/lib/actions/sandbox/rebuild-post-restore-phase.ts
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Advisor assessment: Informational / high confidence
Next action: No advisor follow-up needed.
Findings: 0 blockers · 0 warnings · 0 suggestions
Status: No actionable findings remain in the canonical review ledger.

Model lanes

  • GPT-5.6 Terra (primary): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Nemotron 3 Ultra (second opinion): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Model comparison: normalized findings match; normalized E2E selections differ; severity counts match.

Nemotron output stays in workflow artifacts and does not change the assessment above.

E2E guidance

Advisory only. E2E / PR Gate selects and runs jobs independently.

Recommended E2E: onboard-repair, onboard-resume, state-backup-restore, upgrade-stale-sandbox

2 optional E2E recommendations
  • rebuild-hermes
  • mcp-bridge

Workflow run details

This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge.

@apurvvkumaria
apurvvkumaria enabled auto-merge (squash) July 17, 2026 18:02
@apurvvkumaria
apurvvkumaria requested a review from jyaunches July 17, 2026 18:02
@apurvvkumaria apurvvkumaria added v0.0.87 Release target and removed v0.0.86 Release target labels Jul 17, 2026
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/lib/actions/sandbox/rebuild-post-restore-phase.test.ts (1)

102-109: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Strengthen test 2 against false positives from early bail.

Test 2 only asserts that two functions were not called. If runRebuildPostRestorePhase bails early (e.g., identity mismatch from a mock setup bug), the test passes without actually exercising the hermes path. Test 1 implicitly guards against this via the full order assertion, but test 2 has no equivalent check.

Capture the input and assert bail was not called:

🛡️ Proposed fix
   it("does not run OpenClaw session reconciliation for another agent", async () => {
     agentName = "hermes";

-    await runRebuildPostRestorePhase(input());
+    const args = input();
+    await runRebuildPostRestorePhase(args);

+    expect(args.bail).not.toHaveBeenCalled();
     expect(sessionModels.reconcileStalePinnedSessionModelsAfterRebuild).not.toHaveBeenCalled();
     expect(processRecovery.executeSandboxCommand).not.toHaveBeenCalled();
   });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/rebuild-post-restore-phase.test.ts` around lines 102
- 109, Strengthen the “does not run OpenClaw session reconciliation for another
agent” test by capturing the value returned from input() and asserting its bail
function was not called after runRebuildPostRestorePhase completes. Keep the
existing negative assertions for reconcileStalePinnedSessionModelsAfterRebuild
and executeSandboxCommand.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/actions/sandbox/rebuild-post-restore-phase.test.ts`:
- Around line 102-109: Strengthen the “does not run OpenClaw session
reconciliation for another agent” test by capturing the value returned from
input() and asserting its bail function was not called after
runRebuildPostRestorePhase completes. Keep the existing negative assertions for
reconcileStalePinnedSessionModelsAfterRebuild and executeSandboxCommand.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 26992a6d-d260-4579-a08c-79e06951b44b

📥 Commits

Reviewing files that changed from the base of the PR and between f12c7f7 and c21c793.

📒 Files selected for processing (2)
  • src/lib/actions/sandbox/rebuild-post-restore-phase.test.ts
  • src/lib/actions/sandbox/rebuild-post-restore-phase.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/actions/sandbox/rebuild-post-restore-phase.ts

Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>

@jyaunches jyaunches left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the current exact head 8afd836 against base 0c98550. The Hermes rebuild now fails closed when recreated identity, final gateway health, or managed MCP restoration cannot be verified. Focused post-restore tests pass (11/11), CLI type-check and normal hooks pass, required CI and all four selected trusted E2E scenarios are green, CodeRabbit threads are resolved, the PR Review Advisor reports zero findings, and the security review found no blocking issues.

@apurvvkumaria
apurvvkumaria merged commit be8bf72 into main Jul 17, 2026
54 checks passed
@apurvvkumaria
apurvvkumaria deleted the codex/fix-7084-hermes-rebuild-qa branch July 17, 2026 22:12
@jyaunches jyaunches mentioned this pull request Jul 18, 2026
21 tasks
apurvvkumaria pushed a commit that referenced this pull request Jul 18, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Add the v0.0.87 changelog entry and align the DGX Station,
platform-support, and rebuild documentation with behavior merged since
v0.0.86.
The Station documentation retains the Deferred support status while
recording the two exact factory-image qualification profiles and the
post-reboot receipt compatibility fix from #7130.

## Changes

- Add the v0.0.87 changelog summary, including the merged Station resume
receipt fix, with links to the owning documentation pages.
- Document the exact April 2026 Colossus BaseOS and June 2026 AI
Developer Tools Station identities, validation boundaries, and permitted
host preparation.
- Synchronize those Station qualification paths into the canonical
platform matrix and generated provider/platform pages.
- Document how an OpenClaw rebuild clears stale managed-provider
session-model pins after an inference switch.

### Source summary

- [#7130](#7130) ->
`docs/changelog/2026-07-17.mdx`: Document compatibility with current
six-field and legacy three-field Station resume receipts after host
preparation.
- [#7128](#7128) ->
`docs/changelog/2026-07-17.mdx`: Document restart-safe managed DCode
startup and required Docker resource limits.
- [#7126](#7126) ->
`docs/changelog/2026-07-17.mdx`,
`docs/get-started/dgx-station-preparation.mdx`,
`ci/platform-matrix.json`: Document the two bounded Station
factory-image qualification profiles without promoting Deferred support
and synchronize the generated platform/provider references.
- [#6947](#6947) ->
`docs/changelog/2026-07-17.mdx`: Document streaming sandbox backup
archive creation.
- [#7117](#7117) ->
`docs/changelog/2026-07-17.mdx`: Document Hermes post-restore gateway
and managed MCP health verification.
- [#7109](#7109) ->
`docs/changelog/2026-07-17.mdx`,
`docs/manage-sandboxes/recover-rebuild-sandboxes.mdx`: Document stale
managed session-model pin reconciliation after rebuild.
- [#7068](#7068) ->
`docs/changelog/2026-07-17.mdx`: Document strict-provider compatibility
for Hermes tool schemas.
- [#6965](#6965) ->
`docs/changelog/2026-07-17.mdx`: Document managed vLLM download storage
estimation.
- [#7114](#7114) ->
`docs/changelog/2026-07-17.mdx`: Document preserved, redacted rebuild
diagnostics.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Documentation-only
release-prep update; the changelog, platform-generation contracts, and
docs build validate the changed pages and links.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes a `Signed-off-by:` line and every commit
appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — `npx vitest run
test/generate-platform-docs.test.ts test/station-doc-ownership.test.ts
test/changelog-docs.test.ts`: 29 passed; `python3
scripts/generate-platform-docs.py --check`: all generated tables in sync
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [x] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Added filesystem-aware managed vLLM storage preflight (cold download
sizing; interactive vs non-interactive capacity checks).
- Improved tool-schema compatibility for strict OpenAI-compatible
providers (including Gemini schema handling) using a strict single
envelope.
- Enhanced sandbox backup creation with streamed archive generation and
incremental entry validation.
- **Bug Fixes**
- Strengthened rebuild/recovery checks with Hermes sandbox health
validation and cleanup of stale managed-provider session pins.
- Persisted onboarding startup commands with required `nproc`/`nofile`
limits across sandbox recreation.
- Improved replacement-image rebuild diagnostics with bounded, redacted
output handling.
- For OpenCLAW “rebuild while preserving state,” stale model/provider
pins are cleared when appropriate.
- **Documentation**
- Expanded DGX Station GB300 no-OTA factory profile/qualification
criteria and clarified managed vLLM provider/sandbox constraints.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery bug-fix PR fixes a bug or regression integration: hermes Hermes integration behavior platform: dgx-station Affects DGX Station hardware or workflows Recommended Blocker Recommended release blocker for maintainer review v0.0.87 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[DGX Station][Sandbox] rebuild reports Hermes ready while required services and Blender MCP configuration are unavailable

2 participants