From 4feb9beb60d0b9b037c8a41af3c45e80fcc13bbf Mon Sep 17 00:00:00 2001 From: Ho Lim Date: Tue, 16 Jun 2026 22:14:03 -0700 Subject: [PATCH 1/2] policy: allow hermes inference audio endpoints --- agents/hermes/policy-additions.yaml | 2 ++ test/validate-blueprint.test.ts | 2 ++ 2 files changed, 4 insertions(+) diff --git a/agents/hermes/policy-additions.yaml b/agents/hermes/policy-additions.yaml index 0386ddef63..dfc7c422e7 100644 --- a/agents/hermes/policy-additions.yaml +++ b/agents/hermes/policy-additions.yaml @@ -53,6 +53,8 @@ network_policies: - allow: { method: POST, path: "/v1/chat/completions" } - allow: { method: POST, path: "/v1/messages" } - allow: { method: POST, path: "/v1/responses" } + - allow: { method: POST, path: "/v1/audio/transcriptions" } + - allow: { method: POST, path: "/v1/audio/speech" } - allow: { method: POST, path: "/v1/completions" } - allow: { method: POST, path: "/v1/embeddings" } - allow: { method: GET, path: "/v1/models" } diff --git a/test/validate-blueprint.test.ts b/test/validate-blueprint.test.ts index 76fbad0e1e..fbe01d142e 100644 --- a/test/validate-blueprint.test.ts +++ b/test/validate-blueprint.test.ts @@ -534,6 +534,8 @@ describe("Hermes sandbox policy", () => { { allow: { method: "POST", path: "/v1/chat/completions" } }, { allow: { method: "POST", path: "/v1/messages" } }, { allow: { method: "POST", path: "/v1/responses" } }, + { allow: { method: "POST", path: "/v1/audio/transcriptions" } }, + { allow: { method: "POST", path: "/v1/audio/speech" } }, { allow: { method: "POST", path: "/v1/completions" } }, { allow: { method: "POST", path: "/v1/embeddings" } }, { allow: { method: "GET", path: "/v1/models" } }, From 6e6d3ce245351f802d896b19e91ed44b5f976c7f Mon Sep 17 00:00:00 2001 From: Ho Lim Date: Wed, 17 Jun 2026 18:02:13 -0700 Subject: [PATCH 2/2] test: document Hermes inference policy helper --- test/validate-blueprint.test.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/validate-blueprint.test.ts b/test/validate-blueprint.test.ts index fbe01d142e..29287ae060 100644 --- a/test/validate-blueprint.test.ts +++ b/test/validate-blueprint.test.ts @@ -511,6 +511,10 @@ describe("permissive sandbox policy", () => { describe("Hermes sandbox policy", () => { const policy = loadYaml(HERMES_POLICY_PATH); + /** + * Verifies that Hermes managed inference keeps the same narrow allowlist + * shape as OpenClaw while including every sandbox-routed inference endpoint. + */ function expectManagedInferenceSecurityShape(): void { const np = policy.network_policies ?? {}; const managedInference = np.managed_inference;