policy: allow Hermes inference audio endpoints#5532
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughTwo POST egress allow rules for ChangesHermes Audio Endpoint Policy Addition
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
7aa4004 to
4feb9be
Compare
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds Hermes network policy coverage for OpenAI audio endpoints so the sandbox policy allows audio transcription and speech requests.
Changes:
- Allow
POST /v1/audio/transcriptionsin Hermes network policy. - Allow
POST /v1/audio/speechin Hermes network policy. - Extend the Hermes sandbox policy test expectations to include the new endpoints.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| test/validate-blueprint.test.ts | Updates policy validation test to expect the new audio endpoint allowances. |
| agents/hermes/policy-additions.yaml | Adds the two audio endpoint allow-rules to Hermes’ network policy additions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Hitting this exact limitation on Azure AI Foundry We're running Hermes inside an Azure VM with NemoClaw, routing all inference through inference.local to stay within our Azure tenant. We've deployed gpt-4o-mini-tts and whisper in Azure AI Foundry and configured Hermes TTS/STT to use https://inference.local as base URL — but every audio request gets blocked by managed_inference enforcement. The irony: the credentials, the models, and the gateway are all inside our tenant. The only missing piece is the two audio routes on the gateway side. This is blocking voice interaction for an enterprise use case where leaving the Azure tenant is not an option. A +1 on the proposed fix — same credential injection pattern as chat completions, just extended to /v1/audio/speech and /v1/audio/transcriptions. |
|
✨ Thanks for the proposed policy update allowing Hermes managed inference to call audio transcription and speech endpoints. This proposes a way to expand the Hermes policy allowlist for POST /v1/audio/transcriptions and POST /v1/audio/speech while updating the regression test. Related open issues: |
Signed-off-by: Ho Lim <subhoya@gmail.com>
Signed-off-by: Ho Lim <subhoya@gmail.com>
6e6d3ce to
ac380c2
Compare
|
Closing this as premature after an exact-head merge-gate and 9-category security review. The NemoClaw-side allow rules cannot enable this feature today:
Security review:
Merge-gate evidence on exact head
The right sequence is to implement and security-test the OpenShell routes first (including multipart upload, binary/streamed response framing, credential isolation, and denial cases), then add the Hermes allowlist together with an executable Hermes acceptance test. Issue #1520 remains open and assigned to @jyaunches. Thank you, @HOYALIM: this PR correctly identified Hermes' narrower policy layer and added a useful exact-shape regression test. That analysis and test design should be credited and reused when the upstream route dependency exists. No contributor code is being carried forward in this closure. |
Summary
inference.localpolicy to callPOST /v1/audio/transcriptionsandPOST /v1/audio/speech.Scope note
This is the NemoClaw-side policy prerequisite for #1520. The actual
inference.localproxy route owner is OpenShell, so this PR does not by itself add gateway routing for speech bodies. OpenClaw policy already permitsPOST /**for managed inference; Hermes had the narrow allowlist that would block these endpoints once OpenShell supports them.Validation
NODE_PATH=/Users/holim/code/NemoClaw/node_modules /Users/holim/code/NemoClaw/node_modules/.bin/vitest run test/validate-blueprint.test.tsgit diff --checkRefs #1520
Summary by CodeRabbit
New Features
POSTegress requests to/v1/audio/transcriptionsand/v1/audio/speech.Tests