test(hermes): tighten stale verifier allowlist

ericksoa · ericksoa · commit 535341d7f3ea · 2026-06-26T16:30:46.000-07:00
Signed-off-by: Aaron Erickson &lt;aerickson@nvidia.com&gt;
diff --git a/scripts/verify-hermes-stale-openclaw-image.sh b/scripts/verify-hermes-stale-openclaw-image.sh
@@ -52,9 +52,6 @@ require_safe_image_ref() {
   if [[ "$ref" == ghcr.io/nvidia/nemoclaw/hermes-sandbox-base* ]]; then
     fail "Hermes base image ref is not an allowed Hermes base form: $ref"
   fi
-  if [[ ! "$ref" =~ ^[A-Za-z0-9][A-Za-z0-9._/-]*([:@][A-Za-z0-9._:-]+)?$ ]]; then
-    fail "Hermes base image ref is not a supported Docker reference: $ref"
-  fi
   fail "Hermes base image ref is outside the allowed Hermes base images: $ref"
 }
 
diff --git a/test/hermes-stale-openclaw-guard.test.ts b/test/hermes-stale-openclaw-guard.test.ts
@@ -78,7 +78,7 @@ describe("Hermes stale OpenClaw guardrails", () => {
     fs.mkdirSync(fakeBin);
     fs.writeFileSync(
       path.join(fakeBin, "docker"),
-      "#!/usr/bin/env bash\nprintf 'docker %s\\n' \"$*\" >> \"$NEMOCLAW_FAKE_DOCKER_LOG\"\nexit 99\n",
+      '#!/usr/bin/env bash\nprintf \'docker %s\\n\' "$*" >> "$NEMOCLAW_FAKE_DOCKER_LOG"\nexit 99\n',
       { mode: 0o700 },
     );
 

Original file line number	Diff line number	Diff line change
`@@ -52,9 +52,6 @@ require_safe_image_ref() {`
`52`	`52`	`if [[ "$ref" == ghcr.io/nvidia/nemoclaw/hermes-sandbox-base* ]]; then`
`53`	`53`	`fail "Hermes base image ref is not an allowed Hermes base form: $ref"`
`54`	`54`	`fi`
`55`		`- if [[ ! "$ref" =~ ^[A-Za-z0-9][A-Za-z0-9._/-]*([:@][A-Za-z0-9._:-]+)?$ ]]; then`
`56`		`- fail "Hermes base image ref is not a supported Docker reference: $ref"`
`57`		`- fi`
`58`	`55`	`fail "Hermes base image ref is outside the allowed Hermes base images: $ref"`
`59`	`56`	`}`
`60`	`57`