fix(hermes): normalize Discord pairing access#5814
Conversation
|
✨ Thanks for normalizing Hermes Discord guild access before generating build-time env/config and patching the bundled pairing approval help to show the NemoHermes Related open issues: |
Manual PR Review Advisor resultThis PR Review Advisor analysis was run manually via Run: https://github.com/NVIDIA/NemoClaw/actions/runs/28209656446 Recommendation:
PR Review AdvisorThe config-level fix and patch helper are well covered, but the linked Discord acceptance path still needs runtime validation or an explicit justification because the bug occurs in Hermes' live DM/pairing behavior. Required before merge
Resolve or justify before merge
In-scope improvements
Test follow-ups to resolve or justify
What looks good
|
There was a problem hiding this comment.
I believe we should avoid the build-time Hermes source patch here.
The patch-pairing-message.py approach scans and mutates the unpacked upstream Hermes tree under /opt/hermes, which is a brittle source-boundary workaround and does not fit the manifest-first messaging model. The pinned Hermes sources I checked already emit hermes pairing approve ..., so this patch is either a no-op for the current pin or masking an unclear version/source mismatch.
For the actual Discord empty-allowlist behavior, this belongs in the Discord messaging manifest/template path rather than a Hermes-specific config generator or Docker patch. The current architecture already has the right ownership boundary under src/lib/messaging/channels/ discord: the manifest renders DISCORD_ALLOW_ALL_USERS, DISCORD_ALLOWED_USERS, and NEMOCLAW_DISCORD_GUILD_IDS, and the Discord template resolver should normalize blank guild IDs before deciding whether to emit allow-all.
Recommended change:
- Drop
agents/hermes/patch-pairing-message.pyand the Dockerfile invocation. - Move/keep the blank-guild normalization in the Discord manifest resolver/runtime render path under
src/lib/messaging/channels/discord. - Add a focused regression test proving:
- blank-only Discord guild config emits no guild IDs, no allowed users, and no
DISCORD_ALLOW_ALL_USERS; - valid guild + empty user allowlist emits
NEMOCLAW_DISCORD_GUILD_IDS=<id>andDISCORD_ALLOW_ALL_USERS=true; - valid guild + explicit users emits
DISCORD_ALLOWED_USERSand does not emit allow-all.
- blank-only Discord guild config emits no guild IDs, no allowed users, and no
I would not use a Discord runtime hook for the pairing-message text: Hermes gateway is Python, the existing NemoClaw runtime preload path is Node-oriented, and the relevant Hermes plugin hook runs before authorization, not after the unauthorized DM pairing response is generated.
@cv Please don't merge PR until @chengjiew address above comments.
|
Close PR as #4070 already closed without any action |
Summary
Normalize Hermes Discord guild access before generating build-time env/config so blank guild keys cannot turn an empty user allowlist into pairing-gated behavior. Also patches the bundled Hermes pairing approval help to show the NemoHermes
hermes pairing approvecommand instead ofopenclaw pairing approve.Related Issue
Fixes #4070
Changes
NEMOCLAW_DISCORD_GUILD_IDS,DISCORD_ALLOWED_USERS,DISCORD_ALLOW_ALL_USERS, anddiscord.require_mention.DISCORD_ALLOW_ALL_USERS=true.openclaw pairing approvetohermes pairing approve.Type of Change
Verification
Focused checks passed. Full
npm testandnpx prek run --all-fileswere attempted but did not pass in this local worktree due unrelated project-wide environment/setup failures: missing compiled/plugin artifacts or dependency (dist/*,nemoclaw/node_modules/json5), local OpenShell gateway/version drift expectations, macOS installer fixture assumptions, and local HTTP fixture 403/timeouts.npx prek run --all-filespassesnpm testpassesnpm run docsbuilds without warnings (doc changes only)Additional focused verification run locally:
npm test -- --run test/generate-hermes-config.test.ts test/hermes-pairing-message-patch.test.tspassed: 2 files, 22 tests.npm run typecheck:clipassed.git diff --checkpassed.Signed-off-by: Chengjie Wang chengjiew@nvidia.com