fix(hermes): ship stock Hermes default soul + move env info to env-hint

[teknium1]

Summary

Ship the stock Hermes default soul in agents/hermes/Dockerfile and move the OpenShell/NemoClaw environment description into Hermes's dedicated environment-hint slot.

The default SOUL.md was a hand-written placeholder. In Hermes, SOUL.md is the agent identity slot (slot # 1 of the system prompt) — it should carry the stock Hermes default soul verbatim, not a custom blurb. Execution-environment facts (sandbox, proxy, credential handling, mount layout) belong in Hermes's environment-hints block instead.

Changes

• SOUL.md now contains Hermes's DEFAULT_SOUL_MD (hermes_cli/default_soul.py) verbatim — the same identity every Hermes install ships with.
• The OpenShell/NemoClaw environment description moves to ENV HERMES_ENVIRONMENT_HINT=.... Hermes appends this to the system prompt's environment-hints block (agent/prompt_builder.py:build_environment_hints), reading it once at prompt-build time so it stays in the cache-safe portion of the prompt.

Why

• Identity vs environment separation. Hermes deliberately separates who the agent is (SOUL.md) from where it runs (environment hints — the same slot used for WSL, docker, and other remote backends). Mixing environment facts into the identity slot diverges from upstream Hermes for no benefit.
• Stock identity. Sandboxed Hermes now presents the same identity as any other Hermes deployment.

Dependency note

HERMES_ENVIRONMENT_HINT is introduced upstream in NousResearch/hermes-agent#34574. Until the sandbox base image includes that build, the env var is simply ignored (unknown env vars are a no-op), so this change is safe to merge ahead of the base-image bump — the environment text just won't appear in the prompt until Hermes ships the hook. Once the base image picks up the upstream release, the hint takes effect automatically.

Validation

• printf '%s' '<DEFAULT_SOUL_MD>' rendered end-to-end through bash: clean output, no quoting breakage (single-quoted, no embedded apostrophes).
• SOUL.md content matches hermes_cli/default_soul.py DEFAULT_SOUL_MD byte-for-byte.

Summary by CodeRabbit

• Chores
  • Updated the initialization process for the Hermes agent's default identity configuration bootstrap mechanism during the build phase.
  • Added environment variable that explicitly documents the complete runtime execution environment context, including sandbox infrastructure details, inference routing configuration, tool egress through proxy services, and the mutable configuration and persistent memory storage location.

Signed-off-by: Aaron Erickson aerickson@nvidia.com

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the Hermes agent's initialization configuration in Docker. It replaces the SOUL.md default identity text with stock Hermes defaults and introduces a new HERMES_ENVIRONMENT_HINT environment variable that describes the sandboxed execution environment, including OpenShell sandbox context, NemoClaw inference routing, tool egress through OpenShell L7 proxy, and the mutable config/memories location.

Changes

Hermes Agent Identity and Environment Setup

Layer / File(s)	Summary
Hermes Identity and Environment Configuration agents/hermes/Dockerfile	SOUL.md bootstrap text is updated to stock Hermes default identity, and HERMES_ENVIRONMENT_HINT environment variable is added to embed execution-environment context that Hermes will incorporate into its system prompt.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

fix, Integration: Hermes

Poem

🐰 A soul rewrites its story clear,
In Docker's realm, new context appears,
Hermes knows where sandbox walls stand,
NemoClaw routes with clever hand. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main changes: updating Hermes's default soul identity and moving environment information to an environment variable.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

agents/hermes/Dockerfile (1)

130-145: Run the Hermes E2E subset before merge.

This change affects identity/environment prompt wiring, so run the recommended Hermes onboarding/health/inference E2Es on this branch.

As per coding guidelines: "E2E test recommendation: hermes-e2e, hermes-inference-switch-e2e, hermes-discord-e2e, hermes-slack-e2e, hermes-onboard-security-posture-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/hermes/Dockerfile` around lines 130 - 145, This change touches Hermes
identity and environment wiring (the /sandbox/.hermes/SOUL.md write and the
HERMES_ENVIRONMENT_HINT ENV), so before merging run the recommended Hermes E2E
suites to validate onboarding, health, and inference flows: execute hermes-e2e,
hermes-inference-switch-e2e, hermes-discord-e2e, hermes-slack-e2e,
hermes-onboard-security-posture-e2e, rebuild-hermes-e2e, and
rebuild-hermes-stale-base-e2e (ensure tests exercise the SOUL.md content and
HERMES_ENVIRONMENT_HINT behavior in prompt_builder.build_environment_hints and
the sandbox runtime).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@agents/hermes/Dockerfile`:
- Around line 130-145: This change touches Hermes identity and environment
wiring (the /sandbox/.hermes/SOUL.md write and the HERMES_ENVIRONMENT_HINT ENV),
so before merging run the recommended Hermes E2E suites to validate onboarding,
health, and inference flows: execute hermes-e2e, hermes-inference-switch-e2e,
hermes-discord-e2e, hermes-slack-e2e, hermes-onboard-security-posture-e2e,
rebuild-hermes-e2e, and rebuild-hermes-stale-base-e2e (ensure tests exercise the
SOUL.md content and HERMES_ENVIRONMENT_HINT behavior in
prompt_builder.build_environment_hints and the sandbox runtime).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ff47ae43-a854-4d78-a7a8-2c32e9a78268

📥 Commits

Reviewing files that changed from the base of the PR and between faa0b8e and 2ce3f6d.

📒 Files selected for processing (1)

• agents/hermes/Dockerfile

[teknium1]

The HERMES_ENVIRONMENT_HINT mechanism this PR relies on has now landed upstream in Hermes:

• PR: feat: embedder environment-hint hook for the system prompt NousResearch/hermes-agent#34574 ("feat: embedder environment-hint hook for the system prompt")
• Merge commit on main: e4b9532c1827e3c51ca03e6e35512d2cade4d905

Hermes reads HERMES_ENVIRONMENT_HINT once at prompt-build time and appends it to the system prompt's environment-hints block (agent/prompt_builder.py:build_environment_hints), keeping it in the cache-safe portion of the prompt and out of the identity slot (SOUL.md).

To take effect, the hermes-sandbox-base image needs a Hermes build that includes commit e4b9532c1827e3c51ca03e6e35512d2cade4d905 (or any release cut after it). Until then this PR is still safe to merge — an unrecognized env var is a no-op, so SOUL.md ships the stock identity and the environment hint simply won't appear in the prompt until the base image picks up the upstream change.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26650633562
Target ref: 2ce3f6d4208daaf87be151f7308118510a8ae326
Workflow ref: main
Requested jobs: hermes-e2e,hermes-inference-switch-e2e,hermes-discord-e2e,hermes-slack-e2e,hermes-onboard-security-posture-e2e,rebuild-hermes-e2e,rebuild-hermes-stale-base-e2e
Summary: 0 passed, 0 failed, 0 skipped

Job	Result
hermes-discord-e2e	⚠️ cancelled
hermes-e2e	⚠️ cancelled
hermes-inference-switch-e2e	⚠️ cancelled
hermes-onboard-security-posture-e2e	⚠️ cancelled
hermes-slack-e2e	⚠️ cancelled
rebuild-hermes-e2e	⚠️ cancelled
rebuild-hermes-stale-base-e2e	⚠️ cancelled

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26650737978
Target ref: 22ec125e4680dcb7c7f7f9604a09c22d22bfc3c2
Workflow ref: main
Requested jobs: hermes-e2e,hermes-inference-switch-e2e,hermes-discord-e2e,hermes-slack-e2e,hermes-onboard-security-posture-e2e,rebuild-hermes-e2e,rebuild-hermes-stale-base-e2e
Summary: 7 passed, 0 failed, 0 skipped

Job	Result
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-onboard-security-posture-e2e	✅ success
hermes-slack-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success

[ericksoa]

Approved after merging current main into the PR branch, confirming DCO on the PR body, and validating the Hermes-focused nightly slice on head 22ec125. The selected Hermes E2Es all passed in https://github.com/NVIDIA/NemoClaw/actions/runs/26650737978, and current PR checks/review threads are clean.