fix(sandbox/recover): Revert "enforce Hermes env-file secret boundary on probe path"

[sandl99]

#5530 break nemohermes connect. Reverts #5530

---

Signed-off-by: San Dang sdang@nvidia.com

Summary by CodeRabbit

Summary by CodeRabbit

• Refactor

  • Removed Hermes secret-boundary enforcement from sandbox connection and recovery flows, so recovery now continues directly to health probing and re-establishment.

• Documentation

  • Removed reference material describing per-run secret-boundary re-evaluation behavior, including handling of raw secret-shaped values and legacy Hermes boundary warnings.

• Tests

  • Removed secret-boundary–specific test coverage and adjusted remaining recovery test mocks.
  • Increased a workflow scenario test timeout to 20 seconds.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 042c1ea5-056e-47cc-b1f0-2b042489cb7a

📥 Commits

Reviewing files that changed from the base of the PR and between 91d51db and 65d4669.

📒 Files selected for processing (1)

• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts

---

📝 Walkthrough

Walkthrough

Removes the Hermes secret-boundary enforcement feature end-to-end: deletes exported marker constants and the buildHermesEnvFileBoundaryStandaloneCheck function from hermes-recovery-boundary.ts, strips the boundary-gating branch from checkAndRecoverSandboxProcesses and the secretBoundaryRefused handling from connectSandbox/runSandboxConnectProbe, and deletes all associated tests and documentation paragraphs.

Changes

Hermes Secret-Boundary Enforcement Removal

Layer / File(s)	Summary
Boundary module: remove exported constants and standalone check src/lib/agent/hermes-recovery-boundary.ts, src/lib/agent/runtime-hermes-secret-boundary-behavioural.test.ts	Removes the three exported marker constants (SECRET_BOUNDARY_REFUSED_MARKER, SECRET_BOUNDARY_OK_MARKER, SECRET_BOUNDARY_VALIDATOR_MISSING_MARKER) and buildHermesEnvFileBoundaryStandaloneCheck(), updates the __testing export to expose only the two remaining guard builders, and deletes the standalone env-file check test cases.
Process recovery: remove secret-boundary gating and test cases src/lib/actions/sandbox/process-recovery.ts, test/process-recovery.test.ts	Removes the boundary-validator import, the enforcement helper, and the early-return refusal branch from checkAndRecoverSandboxProcesses so the alive path proceeds to forward/process health checks. Simplifies five spawnSync mocks to unconditional mockReturnValue and deletes ~528 lines of secret-boundary test cases.
Connect flow: remove secretBoundaryRefused handling src/lib/actions/sandbox/connect.ts, src/lib/actions/sandbox/connect-flow.test.ts	Relocates an import, deletes exitOnSecretBoundaryRefusal, removes the secretBoundaryRefused branch from runSandboxConnectProbe and connectSandbox, and removes the matching processCheck fields and test cases from the connect harness.
Documentation: remove secret-boundary recover paragraphs docs/reference/commands-nemohermes.mdx, docs/reference/commands.mdx	Removes the Hermes-specific recover sub-sections describing per-run boundary re-evaluation, raw-secret rejection, and older-image warning/skip behavior from both reference pages.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• NVIDIA/NemoClaw#5530: Directly inverse — that PR adds the buildHermesEnvFileBoundaryStandaloneCheck() function, the exported marker constants, and the secretBoundaryRefused handling in connect.ts/process-recovery.ts that this PR removes.
• NVIDIA/NemoClaw#5342: Touches the same Hermes recovery behavioural test file and recovery-script env sourcing in the same secret-boundary test area being pruned here.
• NVIDIA/NemoClaw#5485: Modifies the same connect-flow.test.ts createConnectHarness/processCheck-driven flow outcomes including probe-only behavior.

Suggested labels

bug-fix, integration: hermes, area: sandbox

Suggested reviewers

• cv

🐇 Hop, hop, the boundary's gone,
No more secret gates to fret upon!
The gateway wakes and checks proceed,
No validator script to impede.
Less code to guard, more room to run — ✨
The warren tidied, cleanup done!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: reverting a specific enforcement of Hermes env-file secret boundary on the probe path, with the referenced PR number providing clear context.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch revert-5530-fix/hermes-secret-boundary-on-recover-probe

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-code-quality]

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the revert-5530-fix/herm... branch is 96%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	revert-5530-fix/herm... 65d4669	+/-
nemoclaw/src/se...cret-scanner.ts	—	100%	—
nemoclaw/src/commands/slash.ts	—	100%	—
nemoclaw/src/li...bprocess-env.ts	—	100%	—
nemoclaw/src/bl...eprint/state.ts	—	98%	—
nemoclaw/src/onboard/config.ts	—	98%	—
nemoclaw/src/bl...int/snapshot.ts	—	97%	—
nemoclaw/src/bl...print/runner.ts	—	95%	—
nemoclaw/src/co...ration-state.ts	—	94%	—
nemoclaw/src/bl...ate-networks.ts	—	94%	—
nemoclaw/src/index.ts	—	94%	—

TypeScript / code-coverage/cli

The overall coverage in the revert-5530-fix/herm... branch is 46%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	revert-5530-fix/herm... 65d4669	+/-
src/lib/state/o...oard-session.ts	—	90%	—
src/lib/inference/local.ts	—	76%	—
src/lib/sandbox/config.ts	—	72%	—
src/lib/actions...dbox/rebuild.ts	—	67%	—
src/lib/onboard/preflight.ts	—	64%	—
src/lib/actions...licy-channel.ts	—	56%	—
src/lib/state/sandbox.ts	—	55%	—
src/lib/onboard...er-gpu-patch.ts	—	50%	—
src/lib/policy/index.ts	—	49%	—
src/lib/onboard.ts	—	18%	—

---

_{Updated June 19, 2026 13:11 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-5547.docs.buildwithfern.com/nemoclaw

[github-actions]

PR Review Advisor

Findings: 2 needs attention, 2 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 3 still apply, 0 new items found

Review findings

🛠️ Needs attention

• Restore Hermes env-file boundary enforcement on the already-running recovery path (src/lib/actions/sandbox/process-recovery.ts:496): When `isSandboxGatewayRunning()` returns true, `checkAndRecoverSandboxProcesses()` now proceeds directly into dashboard and port-forward checks and can return success without re-validating `/sandbox/.hermes/.env`. The removed standalone validator previously failed closed for raw-secret and inconclusive outcomes, and `connect --probe-only` / non-probe `connect` stopped before downstream work. This reopens the path where a Hermes gateway remains healthy after raw secret-shaped values are introduced into the persisted env file, while `recover` or `connect --probe-only` can still report success.
  • Recommendation: Restore or replace the running-gateway Hermes env-file boundary check before reporting success for `running === true`. Keep fail-closed handling for raw-secret and inconclusive validator outcomes, preserve diagnostics that identify the offending key without printing secret values, and only remove this check if code and tests prove the invalid env-file state is impossible at its source.
  • Evidence: The diff removes `enforceHermesSecretBoundaryOnRunningGateway()`, the standalone `buildHermesEnvFileBoundaryStandaloneCheck()` marker contract, the `secretBoundaryRefused` return fields, and `exitOnSecretBoundaryRefusal()` handling in `connect.ts`. The remaining guards in `hermes-recovery-boundary.ts` protect relaunch/manual recovery snippets, but the already-running branch does not invoke them.
• Restore negative coverage for Hermes boundary refusal and fail-safe outcomes (test/process-recovery.test.ts): The PR deletes the tests that proved the running Hermes recovery path refused raw secret-shaped env files, failed safe when the agent definition or root exec channel was unavailable, treated validator crashes as inconclusive, skipped Hermes checks for OpenClaw sandboxes, and stopped connect/probe before auto-pair, Ollama proxy, inference-route repair, or SSH. No replacement coverage demonstrates that the remaining relaunch-only guards are sufficient for the already-running path.
  • Recommendation: Reintroduce behavior-specific tests around the restored or replacement boundary check. Cover raw-secret refusal, inconclusive validator failure, missing-validator policy, non-Hermes skip behavior, and connect/probe caller behavior that must not continue after refusal.
  • Evidence: Deleted coverage spans `test/process-recovery.test.ts`, `src/lib/actions/sandbox/connect-flow.test.ts`, and `src/lib/agent/runtime-hermes-secret-boundary-behavioural.test.ts`; the remaining tests only cover relaunch guard snippets and unrelated forward recovery behavior.

🔎 Worth checking

• Source-of-truth review needed: Hermes recover/connect handling for already-running gateways: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `checkAndRecoverSandboxProcesses()` now returns success from the `running` branch without invoking an env-file validator; relaunch guards remain only in `hermes-recovery-boundary.ts` snippets.
• Probe/connect callers no longer have a refusal contract for boundary failures (src/lib/actions/sandbox/connect.ts:173): `runSandboxConnectProbe()` now treats any checked/running result as success and may run inference-route repair plus auto-pair approval, while normal `connectSandbox()` continues to Ollama proxy setup and SSH after `checkAndRecoverSandboxProcesses()`. With the refusal fields removed, callers cannot distinguish a healthy Hermes gateway from a security-boundary refusal or inconclusive validator state.
  • Recommendation: Keep an explicit return contract for boundary refusal or throw a typed error from recovery, and have probe and normal connect stop before any downstream repair, approval, proxy, or SSH work when the boundary cannot be confirmed.
  • Evidence: The diff removes the `secretBoundaryRefused` / `secretBoundaryReason` checks from `runSandboxConnectProbe()` and `connectSandbox()`, along with the tests that asserted no auto-pair, Ollama proxy, or SSH occurred after refusal.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — `recover` / `connect --probe-only` refuses a running Hermes gateway when `/sandbox/.hermes/.env` contains raw secret-shaped values and surfaces the offending key name without printing the secret value.. Sandbox recovery and Hermes credential-boundary paths depend on live sandbox state, root exec availability, gateway health, and mutated in-sandbox env files. Unit tests are also needed to preserve caller/callee refusal contracts.
• **Runtime validation** — The running Hermes boundary check fails closed when validator execution is unreachable, returns no known marker, or crashes.. Sandbox recovery and Hermes credential-boundary paths depend on live sandbox state, root exec availability, gateway health, and mutated in-sandbox env files. Unit tests are also needed to preserve caller/callee refusal contracts.
• **Runtime validation** — Non-probe `connect` stops before Ollama proxy startup, inference-route repair, auto-pair approval, and SSH when the Hermes boundary refuses.. Sandbox recovery and Hermes credential-boundary paths depend on live sandbox state, root exec availability, gateway health, and mutated in-sandbox env files. Unit tests are also needed to preserve caller/callee refusal contracts.
• **Runtime validation** — OpenClaw sandboxes skip Hermes-only env-file boundary checks.. Sandbox recovery and Hermes credential-boundary paths depend on live sandbox state, root exec availability, gateway health, and mutated in-sandbox env files. Unit tests are also needed to preserve caller/callee refusal contracts.
• **Runtime validation** — Legacy Hermes images without the validator follow the intended compatibility policy and emit the expected operator warning or fail-closed remediation.. Sandbox recovery and Hermes credential-boundary paths depend on live sandbox state, root exec availability, gateway health, and mutated in-sandbox env files. Unit tests are also needed to preserve caller/callee refusal contracts.
• **Restore negative coverage for Hermes boundary refusal and fail-safe outcomes** — Reintroduce behavior-specific tests around the restored or replacement boundary check. Cover raw-secret refusal, inconclusive validator failure, missing-validator policy, non-Hermes skip behavior, and connect/probe caller behavior that must not continue after refusal.
• **Hermes recover/connect handling for already-running gateways** — Missing. The PR deletes the regression tests for raw-secret refusal and inconclusive running-gateway states rather than replacing them with source-boundary tests.. `checkAndRecoverSandboxProcesses()` now returns success from the `running` branch without invoking an env-file validator; relaunch guards remain only in `hermes-recovery-boundary.ts` snippets.

Since last review details

Current findings:

• Source-of-truth review needed: Hermes recover/connect handling for already-running gateways: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `checkAndRecoverSandboxProcesses()` now returns success from the `running` branch without invoking an env-file validator; relaunch guards remain only in `hermes-recovery-boundary.ts` snippets.
• Restore Hermes env-file boundary enforcement on the already-running recovery path (src/lib/actions/sandbox/process-recovery.ts:496): When `isSandboxGatewayRunning()` returns true, `checkAndRecoverSandboxProcesses()` now proceeds directly into dashboard and port-forward checks and can return success without re-validating `/sandbox/.hermes/.env`. The removed standalone validator previously failed closed for raw-secret and inconclusive outcomes, and `connect --probe-only` / non-probe `connect` stopped before downstream work. This reopens the path where a Hermes gateway remains healthy after raw secret-shaped values are introduced into the persisted env file, while `recover` or `connect --probe-only` can still report success.
  • Recommendation: Restore or replace the running-gateway Hermes env-file boundary check before reporting success for `running === true`. Keep fail-closed handling for raw-secret and inconclusive validator outcomes, preserve diagnostics that identify the offending key without printing secret values, and only remove this check if code and tests prove the invalid env-file state is impossible at its source.
  • Evidence: The diff removes `enforceHermesSecretBoundaryOnRunningGateway()`, the standalone `buildHermesEnvFileBoundaryStandaloneCheck()` marker contract, the `secretBoundaryRefused` return fields, and `exitOnSecretBoundaryRefusal()` handling in `connect.ts`. The remaining guards in `hermes-recovery-boundary.ts` protect relaunch/manual recovery snippets, but the already-running branch does not invoke them.
• Restore negative coverage for Hermes boundary refusal and fail-safe outcomes (test/process-recovery.test.ts): The PR deletes the tests that proved the running Hermes recovery path refused raw secret-shaped env files, failed safe when the agent definition or root exec channel was unavailable, treated validator crashes as inconclusive, skipped Hermes checks for OpenClaw sandboxes, and stopped connect/probe before auto-pair, Ollama proxy, inference-route repair, or SSH. No replacement coverage demonstrates that the remaining relaunch-only guards are sufficient for the already-running path.
  • Recommendation: Reintroduce behavior-specific tests around the restored or replacement boundary check. Cover raw-secret refusal, inconclusive validator failure, missing-validator policy, non-Hermes skip behavior, and connect/probe caller behavior that must not continue after refusal.
  • Evidence: Deleted coverage spans `test/process-recovery.test.ts`, `src/lib/actions/sandbox/connect-flow.test.ts`, and `src/lib/agent/runtime-hermes-secret-boundary-behavioural.test.ts`; the remaining tests only cover relaunch guard snippets and unrelated forward recovery behavior.
• Probe/connect callers no longer have a refusal contract for boundary failures (src/lib/actions/sandbox/connect.ts:173): `runSandboxConnectProbe()` now treats any checked/running result as success and may run inference-route repair plus auto-pair approval, while normal `connectSandbox()` continues to Ollama proxy setup and SSH after `checkAndRecoverSandboxProcesses()`. With the refusal fields removed, callers cannot distinguish a healthy Hermes gateway from a security-boundary refusal or inconclusive validator state.
  • Recommendation: Keep an explicit return contract for boundary refusal or throw a typed error from recovery, and have probe and normal connect stop before any downstream repair, approval, proxy, or SSH work when the boundary cannot be confirmed.
  • Evidence: The diff removes the `secretBoundaryRefused` / `secretBoundaryReason` checks from `runSandboxConnectProbe()` and `connectSandbox()`, along with the tests that asserted no auto-pair, Ollama proxy, or SSH occurred after refusal.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

E2E Advisor Recommendation

Required E2E: hermes-e2e-vitest, issue-2478-crash-loop-recovery-vitest
Optional E2E: gateway-guard-recovery, sandbox-survival-vitest

Dispatch hint: hermes-e2e-vitest,issue-2478-crash-loop-recovery-vitest

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• hermes-e2e-vitest (high): Required because the PR changes Hermes recovery/security-boundary code and docs. This is the existing live Hermes job that onboards a real Hermes sandbox, verifies Hermes health, 8642/API and dashboard forwards, policy state, and live inference through the Hermes runtime.
• issue-2478-crash-loop-recovery-vitest (high): Required because checkAndRecoverSandboxProcesses and connect --probe-only are changed. This job exercises the production gateway recovery path against a real sandbox after disruption and validates recovery stability rather than only mocked unit behavior.

Optional E2E

• gateway-guard-recovery (high): Optional adjacent confidence for the shared connect --probe-only recovery route and guard-chain restoration after a pod-recreate-equivalent wipe. Useful because process-recovery.ts changed, but it is primarily OpenClaw guard-chain coverage rather than Hermes secret-boundary coverage.
• sandbox-survival-vitest (high): Optional broader lifecycle confidence that sandbox exec/SSH, registry/status, and inference survive gateway stop/start. It is adjacent to the recovery changes but less directly targeted than the required recovery jobs.

New E2E recommendations

• Hermes recover secret-boundary enforcement (high): No existing live E2E appears to poison /sandbox/.hermes/.env in an already-running Hermes sandbox and then run nemoclaw <sandbox> recover or connect --probe-only to assert the intended behavior. The PR specifically changes/removes that standalone running-gateway boundary check, so unit tests are not enough to prove the real sandbox security contract.
  • Suggested test: Add a live Hermes recovery/security E2E that onboards Hermes, injects a raw secret-shaped value into /sandbox/.hermes/.env while the gateway is healthy, runs nemoclaw <sandbox> recover or connect --probe-only, and asserts the documented expected result, including gateway health and diagnostic output.

Dispatch hint

• Workflow: .github/workflows/e2e-vitest-scenarios.yaml
• jobs input: hermes-e2e-vitest,issue-2478-crash-loop-recovery-vitest

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: issue-2478-crash-loop-recovery-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

• gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-2478-crash-loop-recovery-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• issue-2478-crash-loop-recovery-vitest: The PR changes the production connect/recover/process-recovery path, including connect --probe-only behavior. This free-standing live Vitest job directly exercises gateway crash-loop recovery through nemoclaw <sandbox> connect --probe-only and validates the recovered runtime remains healthy.
  • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-2478-crash-loop-recovery-vitest

Optional Vitest E2E scenarios

• None.

Relevant changed files

• src/lib/actions/sandbox/connect.ts
• src/lib/actions/sandbox/process-recovery.ts
• src/lib/agent/hermes-recovery-boundary.ts
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/actions/sandbox/process-recovery.ts`:
- Line 490: The fail-closed Hermes boundary check was removed from the
live-gateway recovery path, allowing dashboard and forward recovery for
already-running gateways to proceed without re-validating the Hermes environment
file at `/sandbox/.hermes/.env`. This can leave a poisoned Hermes environment in
place without proper validation failure. Restore the deleted running-gateway
validator check or add an equivalent fail-closed boundary gate before any
dashboard or forward recovery operations in the affected code block (around line
506 and throughout the recovery logic in lines 502-568) to ensure the Hermes
environment is properly validated and `SECRET_BOUNDARY_REFUSED` is emitted when
appropriate.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 066c32a2-d2ec-4ac6-a269-3daf3c6e9e4b

📥 Commits

Reviewing files that changed from the base of the PR and between 9cb773e and 91d51db.

📒 Files selected for processing (8)

• docs/reference/commands-nemohermes.mdx
• docs/reference/commands.mdx
• src/lib/actions/sandbox/connect-flow.test.ts
• src/lib/actions/sandbox/connect.ts
• src/lib/actions/sandbox/process-recovery.ts
• src/lib/agent/hermes-recovery-boundary.ts
• src/lib/agent/runtime-hermes-secret-boundary-behavioural.test.ts
• test/process-recovery.test.ts

💤 Files with no reviewable changes (5)

• docs/reference/commands-nemohermes.mdx
• docs/reference/commands.mdx
• src/lib/actions/sandbox/connect-flow.test.ts
• src/lib/agent/runtime-hermes-secret-boundary-behavioural.test.ts
• src/lib/agent/hermes-recovery-boundary.ts