[codex] policy: allow Hermes inference audio endpoints

[HOYALIM]

Summary

• Allows Hermes managed inference.local policy to call POST /v1/audio/transcriptions and POST /v1/audio/speech.
• Updates the Hermes policy shape regression test so speech endpoints stay in the allowlist.

Scope note

This is the NemoClaw-side policy prerequisite for #1520. The actual inference.local proxy route owner is OpenShell, so this PR does not by itself add gateway routing for speech bodies. OpenClaw policy already permits POST /** for managed inference; Hermes had the narrow allowlist that would block these endpoints once OpenShell supports them.

Validation

• NODE_PATH=/Users/holim/code/NemoClaw/node_modules /Users/holim/code/NemoClaw/node_modules/.bin/vitest run test/validate-blueprint.test.ts
• git diff --check

Refs #1520

Summary by CodeRabbit

• New Features

  • Expanded access to the audio transcription and audio speech API endpoints, allowing additional POST requests for these routes.

• Tests

  • Updated policy validation tests to reflect the tightened allowlist shape for the new audio endpoint permissions.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5bfeaae8-eec0-4685-bf25-88776cc286cc

📥 Commits

Reviewing files that changed from the base of the PR and between 4feb9be and 6e6d3ce.

📒 Files selected for processing (1)

• test/validate-blueprint.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• test/validate-blueprint.test.ts

---

📝 Walkthrough

Walkthrough

Two POST egress allow rules for /v1/audio/transcriptions and /v1/audio/speech are added to the Hermes managed_inference network policy in policy-additions.yaml. The blueprint validation test is updated to assert these two new paths in the managed_inference allowlist.

Changes

Hermes Audio Endpoint Policy

Layer / File(s)	Summary
managed_inference audio endpoint rules and test coverage agents/hermes/policy-additions.yaml, test/validate-blueprint.test.ts	Adds POST allow rules for /v1/audio/transcriptions and /v1/audio/speech on inference.local:443 to the policy file, and extends the managed_inference allowlist assertion in the blueprint test to cover both new paths.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hop hop, two new paths appear,
Audio speech and transcriptions here!
The policy yaml grows by two lines small,
The test asserts them, confirming all.
With ears perked up, the rabbit cheers —
New audio routes! The blueprint clears. 🎤

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: allowing Hermes inference audio endpoints. It directly corresponds to the core modifications in the policy configuration and test files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds Hermes network policy coverage for OpenAI audio endpoints so the sandbox policy allows audio transcription and speech requests.

Changes:

• Allow POST /v1/audio/transcriptions in Hermes network policy.
• Allow POST /v1/audio/speech in Hermes network policy.
• Extend the Hermes sandbox policy test expectations to include the new endpoints.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
test/validate-blueprint.test.ts	Updates policy validation test to expect the new audio endpoint allowances.
agents/hermes/policy-additions.yaml	Adds the two audio endpoint allow-rules to Hermes’ network policy additions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[AnaMoreno-PI]

Hitting this exact limitation on Azure AI Foundry

We're running Hermes inside an Azure VM with NemoClaw, routing all inference through inference.local to stay within our Azure tenant. We've deployed gpt-4o-mini-tts and whisper in Azure AI Foundry and configured Hermes TTS/STT to use https://inference.local as base URL — but every audio request gets blocked by managed_inference enforcement.

The irony: the credentials, the models, and the gateway are all inside our tenant. The only missing piece is the two audio routes on the gateway side.

This is blocking voice interaction for an enterprise use case where leaving the Azure tenant is not an option. A +1 on the proposed fix — same credential injection pattern as chat completions, just extended to /v1/audio/speech and /v1/audio/transcriptions.