feat(hermes): expose built-in dashboard

[shannonsands]

Summary

Expose the Hermes Agent built-in dashboard as NemoClaw's browser surface and keep the OpenAI-compatible API on its existing route. The image now prebakes Hermes dashboard assets and exports HERMES_WEB_DIST so hermes dashboard works inside the sandbox without trying to run npm at runtime.

Changes

• Add Hermes dashboard metadata, dashboard URL plumbing, verification, and CLI output for the browser dashboard port.
• Launch the Hermes dashboard alongside the gateway and forward it separately from the OpenAI-compatible API.
• Prebuild Hermes dashboard assets in both base and final image paths, including stale-base compatibility, and export HERMES_WEB_DIST for service and connect shells.
• Update quickstart/command docs and regression coverage for dashboard contract, onboarding, rebuild, and image/startup behavior.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

Focused checks run: npm run build:cli; git diff --check; npx vitest run test/sandbox-provisioning.test.ts test/hermes-start.test.ts test/onboard-dashboard.test.ts src/lib/dashboard/contract.test.ts src/lib/dashboard-url-command.test.ts src/lib/verify-deployment.test.ts src/lib/agent/defs.test.ts src/lib/agent/onboard.test.ts src/lib/agent/runtime.test.ts test/onboard.test.ts --maxWorkers=1 --testTimeout=30000; local rebuild/smoke of nemohermes hermes rebuild --yes --verbose; in-sandbox hermes dashboard smoke.

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Shannon Sands shannon.sands.1979@gmail.com

Summary by CodeRabbit

• New Features

  • Hermes includes a baked-in browser dashboard served alongside the API, with its own public port and session-based auth support.

• Behavior Changes

  • Dashboard and API health/ports are probed and forwarded separately; dashboard-url now prints a plain browser URL for session-authenticated dashboards (no token).

• Documentation

  • Quickstart and CLI docs updated with dashboard access instructions.

• Tests

  • Added/updated tests covering dashboard build, forwarding, probing, and URL behavior.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7703169f-26b2-4ec7-82a9-8fd6a0b87960

📥 Commits

Reviewing files that changed from the base of the PR and between 4bda63f and 359d441.

📒 Files selected for processing (2)

• src/lib/onboard/dashboard.ts
• test/onboard-dashboard.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/onboard/dashboard.ts

---

📝 Walkthrough

Walkthrough

Adds a baked Hermes browser dashboard and treats it as a first-class UI: builds the web bundle into images, updates manifest/dashboard metadata (auth/health), manages separate dashboard port forwarding and socat forwarders, wires verification probes per-dashboard, returns plain dashboard URLs for session-auth agents, and updates tests/docs.

Changes

Hermes TUI Dashboard Implementation

Layer / File(s)	Summary
Agent Dashboard Metadata Contract src/lib/agent/defs.ts, src/lib/agent/base-image.test.ts, src/lib/agent/onboard.test.ts, src/lib/agent/runtime.test.ts	AgentDashboard gains healthPath and auth; AgentDefinition.dashboard computes/normalizes these fields from manifest and defaults auth by kind.
Docker Prebuild & Web Bundle agents/hermes/Dockerfile, agents/hermes/Dockerfile.base, test/sandbox-provisioning.test.ts	If missing, Hermes web is built during image build (npm ci/npm run build --prefix web), node_modules removed, and ENV HERMES_WEB_DIST set; CHAT_UI_URL ARG default changed to http://127.0.0.1:18789.
Manifest Dashboard Definition & Ports agents/hermes/manifest.yaml	Dashboard redefined as kind: ui with path: /, health_path and auth: session; forwarded ports include 18789 alongside existing API port.
Dashboard Health Contract & buildChain src/lib/dashboard/contract.ts, src/lib/dashboard/contract.test.ts	Adds dashboardHealthEndpoint, gatewayPort, and gatewayHealthEndpoint to hints/chain; adds normalizeEndpointPath and expands buildChain to return dashboard/gateway-specific fields.
Verification & Probe Wiring src/lib/onboard.ts, src/lib/verify-deployment.ts, src/lib/verify-deployment.test.ts	Adds endpointPathFromUrl; buildVerifyChain passes agent-specific dashboard/gateway endpoints to buildChain; verify-deployment probes gateway and dashboard endpoints/ports separately.
Onboard: Forward Preservation & Multi-port Support src/lib/onboard/dashboard.ts, test/onboard-dashboard.test.ts	ensureDashboardForward gains preserveSandboxPorts and allowPortReallocation; ensureAgentDashboardForward supports agent.forward_ports, preserves declared ports, and updates CHAT_UI_URL to the allocated primary port.
Start Script: Dashboard Launch & Forwarding agents/hermes/start.sh, test/hermes-start.test.ts	Parses/validates dashboard public port (from env or CHAT_UI_URL), blocks reserved 8642, computes internal collision-adjusted ports, generalizes start_socat_forwarder for API/dashboard with separate PIDs, tails /tmp/dashboard.log, exports HERMES_WEB_DIST, and launches Hermes with --tui dashboard.
CLI: dashboard-url & Plain URL Output src/lib/dashboard-url-command.ts, src/lib/dashboard-url-command.test.ts, src/commands/sandbox/dashboard-url.ts	Adds buildPlainDashboardUrl; for non-OpenClaw/session-auth agents returns plain browser dashboard URL (trailing slash), updates tests and help text; tokenized OpenClaw flow remains as fallback.
printDashboardUi Output Handling src/lib/agent/onboard.ts, src/lib/agent/onboard.test.ts	printDashboardUi branches on dashboard.auth; for url_token falls through to token logic, otherwise prints dashboard label/forwarding guidance without token handling.
Documentation & Quickstart docs/get-started/quickstart-hermes.mdx, docs/reference/commands.mdx	Quickstart now documents dashboard access on 18789, adds "Open the Dashboard" guidance and dashboard-url usage; commands doc clarifies tokenized vs plain dashboard URLs and refines security warning scope.
Tests & Supporting Changes test/onboard.test.ts, test/sandbox-provisioning.test.ts, test/hermes-start.test.ts, test/onboard-dashboard.test.ts, scripts/convert-docs-to-fern.mjs, test/cli.test.ts	Test fixtures updated for dual-port setup; new tests cover Dockerfile prebuild, forward retry/preservation, dashboard launch flags, separate health probes; small tooling/timeout adjustments.

Sequence Diagram

sequenceDiagram
  participant User as User / CLI
  participant Start as agents/hermes/start.sh
  participant Hermes as hermes CLI
  participant Socat as socat
  participant Host as Host

  User->>Start: onboard sandbox
  Start->>Start: resolve ports (API:8642, Dashboard:18789)
  Start->>Hermes: launch hermes --tui dashboard (bind to internal ports)
  Start->>Socat: start_socat_forwarder Dashboard 18789->DASHBOARD_INTERNAL_PORT
  Start->>Socat: start_socat_forwarder API 8642->API_INTERNAL_PORT
  Socat->>Host: expose 0.0.0.0:18789 and 0.0.0.0:8642
  User->>User: run `nemohermes <name> dashboard-url`
  User-->>User: receives http://127.0.0.1:18789/ (plain URL for session-auth agents)
  Note over Hermes,Host: verification probes target dashboard and gateway health endpoints separately

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4261: Related changes to src/lib/onboard/dashboard.ts concerning dashboard URL/token handling.
• NVIDIA/NemoClaw#1618: Prior Hermes integration work touching agents/hermes Dockerfile/base and start logic.
• NVIDIA/NemoClaw#4072: Overlaps on dashboard forward orchestration and forward-list/polling logic.

Suggested labels

enhancement: feature, Sandbox, Integration: OpenClaw, NemoClaw CLI

Suggested reviewers

• ericksoa
• jyaunches
• cjagwani

Poem

🐰 I baked your dashboard, warm and bright,
Ports set, probes ready, logs at night.
No tokens needed for a sessioned view,
Launch, browse, and say hello anew.
Hop on, click, the Hermesian light—hip hop hooray!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 31.25% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly and concisely describes the main objective: exposing Hermes's built-in dashboard to users, which aligns with the core changes across Dockerfile, manifests, startup scripts, and documentation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

docs/reference/commands.mdx (1)

471-473: 💤 Low value

Consider clarifying the subject for improved readability.

Lines 472-473 use "this" as the subject. While grammatically correct, explicitly naming "the command" or "the URL" would make these sentences more direct and easier to scan.

✍️ Suggested rewording

 Print the browser dashboard URL for a running sandbox.
-For OpenClaw sandboxes this includes the authenticated URL fragment.
-For agent dashboards that manage their own session, such as Hermes Agent, this prints the plain dashboard URL.
+For OpenClaw sandboxes, the command prints the authenticated URL fragment.
+For agent dashboards that manage their own session, such as Hermes Agent, the command prints the plain dashboard URL.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/commands.mdx` around lines 471 - 473, Replace the vague
pronoun "this" in the two explanatory sentences so the subject is explicit:
change "For OpenClaw sandboxes this includes the authenticated URL fragment." to
something like "For OpenClaw sandboxes, the command prints the authenticated URL
fragment." and change "For agent dashboards that manage their own session, such
as Hermes Agent, this prints the plain dashboard URL." to "For agent dashboards
that manage their own session, such as Hermes Agent, the command prints the
plain dashboard URL." so readers immediately know the subject being described.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard/dashboard.ts`:
- Around line 239-249: The code currently marks a port as stopped in
stoppedPorts before calling bestEffortForwardStopForSandbox; change
stopForwardForSandbox so it first checks stoppedPorts and returns null if
present, then call bestEffortForwardStopForSandbox (using deps.runOpenshell and
the runCapture wrapper) and only if that call indicates success add the portKey
to stoppedPorts and return the result; ensure you treat the specific failure
sentinel (e.g., "list-failed") as a non-success and do not add to stoppedPorts,
preserving the original return value from bestEffortForwardStopForSandbox and
keeping the same parameter names (stopForwardForSandbox, stoppedPorts,
bestEffortForwardStopForSandbox, deps.runOpenshell, deps.runCaptureOpenshell,
sandboxName).

---

Nitpick comments:
In `@docs/reference/commands.mdx`:
- Around line 471-473: Replace the vague pronoun "this" in the two explanatory
sentences so the subject is explicit: change "For OpenClaw sandboxes this
includes the authenticated URL fragment." to something like "For OpenClaw
sandboxes, the command prints the authenticated URL fragment." and change "For
agent dashboards that manage their own session, such as Hermes Agent, this
prints the plain dashboard URL." to "For agent dashboards that manage their own
session, such as Hermes Agent, the command prints the plain dashboard URL." so
readers immediately know the subject being described.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6239ed9e-6724-467a-9747-c5a4c138d042

📥 Commits

Reviewing files that changed from the base of the PR and between 1daf081 and 93ae823.

📒 Files selected for processing (29)

• agents/hermes/Dockerfile
• agents/hermes/Dockerfile.base
• agents/hermes/manifest.yaml
• agents/hermes/start.sh
• docs/get-started/quickstart-hermes.mdx
• docs/reference/commands.mdx
• scripts/convert-docs-to-fern.mjs
• src/commands/sandbox/dashboard-url.ts
• src/lib/agent/base-image.test.ts
• src/lib/agent/defs.test.ts
• src/lib/agent/defs.ts
• src/lib/agent/onboard.test.ts
• src/lib/agent/onboard.ts
• src/lib/agent/runtime.test.ts
• src/lib/dashboard-url-command.test.ts
• src/lib/dashboard-url-command.ts
• src/lib/dashboard/contract.test.ts
• src/lib/dashboard/contract.ts
• src/lib/inference/local.test.ts
• src/lib/inference/local.ts
• src/lib/onboard.ts
• src/lib/onboard/dashboard.ts
• src/lib/verify-deployment.test.ts
• src/lib/verify-deployment.ts
• test/cli.test.ts
• test/hermes-start.test.ts
• test/onboard-dashboard.test.ts
• test/onboard.test.ts
• test/sandbox-provisioning.test.ts

[wscurran]

✨ Thanks for submitting this detailed PR that exposes the Hermes Agent built-in dashboard as NemoClaw's browser surface. This proposes a way to improve the onboarding experience by providing a built-in dashboard and updates the documentation to reflect the changes.

[cv]

Opened salvage PR #4811 with the rebased/conflict-resolved Hermes dashboard changes: #4811