Skip to content

fix(dcode): require Landlock enforcement#5812

Open
chengjiew wants to merge 46 commits into
mainfrom
fix/5795_landlock_min_kernel
Open

fix(dcode): require Landlock enforcement#5812
chengjiew wants to merge 46 commits into
mainfrom
fix/5795_landlock_min_kernel

Conversation

@chengjiew

@chengjiew chengjiew commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

Deep Agents Code now selects OpenShell's exact hard_requirement Landlock mode, while OpenClaw and Hermes retain their intentional best_effort behavior. NemoClaw treats sandbox-process startup as the enforcement boundary and no longer uses a host kernel-version heuristic as proof for a hard-required sandbox.

This PR is not ready to merge until a released OpenShell runtime provides the positive hard-requirement path and transactional failed-create cleanup described below, NemoClaw pins that release, and the required live E2E matrix passes.

This update preserves @chengjiew's original commit and credits Chengjie Wang as co-author of the corrective implementation.

Related Issue

Fixes #5795

Upstream runtime blocker: NVIDIA/OpenShell#2218

Changes

  • Set the Deep Agents Code filesystem policy to compatibility: hard_requirement and constrain the policy schema to OpenShell's supported best_effort and hard_requirement values.
  • Explicitly reject the legacy strict spelling. OpenShell does not recognize it as fail-closed, so accepting it as an alias would silently select best-effort behavior.
  • Preserve the hard requirement through real onboarding policy composition.
  • Treat successful Deep Agents Code sandbox startup as the authoritative Landlock probe while retaining the preliminary host warning for best-effort agents only.
  • Classify the pinned OpenShell Landlock failure formats, preserve the original nonzero exit, redact failure diagnostics, and avoid registering a failed sandbox as Ready.
  • Do not authorize destructive cleanup from unstructured Created sandbox: <name> output. When exact create-operation identity is unavailable, NemoClaw retains the resource for operator inspection rather than risking deletion of an unrelated same-name sandbox.
  • Extend the PR-selectable DCode live target to prove both sides of the contract: a forced hard-requirement failure must exit nonzero and leave no OpenShell/NemoClaw resource, then normal onboarding must reach Ready, enforce Landlock, and complete inference.
  • Document Deep Agents Code fail-closed behavior separately from OpenClaw and Hermes best-effort behavior.

Runtime acceptance gate

The currently pinned OpenShell 0.0.72 applies directory-only Landlock rights to non-directory policy entries such as /dev/urandom and /dev/null; hard-requirement startup therefore cannot complete successfully. OpenShell also does not yet expose an identity-bound failed-create cleanup contract. The correct completion path is:

  1. OpenShell applies file-type-correct rights while preserving true hard-requirement failures.
  2. OpenShell transactionally removes a resource that fails during create, or exposes an identity-bound conditional cleanup operation.
  3. OpenShell publishes a release containing both contracts.
  4. NemoClaw pins that exact release and refreshes version-pinned failure fixtures.
  5. The required credentialed E2E jobs pass on the exact PR head, including ubuntu-repo-cloud-langchain-deepagents-code.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification:
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — pending maintainer re-review after the released OpenShell pin and live E2E evidence.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: none requested.

Verification

  • PR description includes DCO sign-off declarations and every takeover commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed on the latest takeover commits
  • Targeted CLI, integration, and E2E-support tests pass for the current behavior
  • Full npm test passes (broad runtime changes only) — exact-head CI is running
  • Required credentialed live E2E passes — blocked on the released OpenShell contracts above
  • Quality Gates section completed with required justifications or waivers — pending sensitive-path maintainer re-review
  • No secrets, API keys, or credentials committed
  • npm run docs builds with zero errors; two unrelated pre-existing warnings remain
  • Doc pages follow the style guide
  • New doc pages include SPDX header and frontmatter (new pages only) — no new pages

Current focused verification:

  • npx vitest run --project cli src/lib/onboard/sandbox-gpu-create-flow.test.ts src/lib/onboard/created-sandbox-failure.test.ts src/lib/validation.sandbox-create-landlock.test.ts (67 tests)
  • npx vitest run --project integration test/dcode-landlock-contract.test.ts test/onboard-landlock-failure.test.ts test/onboard-sandbox-create-failure.test.ts (8 tests)
  • npx vitest run --project e2e-support test/e2e/support/e2e-phase-onboarding.test.ts (23 tests)
  • npm run typecheck:cli
  • npm run test:projects:check (1,602 candidate files across 8 exact projects)
  • npm run docs
  • git diff --check

Signed-off-by: Chengjie Wang chengjiew@nvidia.com
Signed-off-by: Apurv Kumaria akumaria@nvidia.com
Signed-off-by: Julie Yaunches jyaunches@nvidia.com

@github-code-quality

github-code-quality Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 80%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 468fade ac459f2 +/-
src/lib/messagi...ate-resolver.ts 89% 67% -22%
src/lib/messagi...ate-resolver.ts 94% 82% -12%
src/lib/messagi...onfig-parser.ts 100% 93% -7%
src/lib/messagi...nes/template.ts 100% 95% -5%
src/lib/adapter.../docker/pull.ts 86% 83% -3%
src/lib/security/redact-url.ts 99% 97% -2%
src/lib/adapter...ocker/volume.ts 70% 85% +15%
src/lib/messagi...onfig-parser.ts 77% 92% +15%
src/lib/core/pr...mpt-activity.ts 67% 92% +25%
src/lib/onboard...lock-warning.ts 0% 83% +83%

Updated July 15, 2026 16:58 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Landlock onboarding now fails closed for Deep Agents Code on unsupported or unenforceable setups. Policy, schema, tests, and docs were updated to use hard_requirement for that mode while keeping best_effort behavior for other agents.

Changes

Landlock onboarding hardening

Layer / File(s) Summary
Kernel support check and tests
src/lib/onboard/landlock-warning.ts, src/lib/onboard/landlock-warning.test.ts
warnIfLandlockUnsupported now throws remediation text for unsupported kernels, and tests cover unsupported and supported Linux kernels.
Policy schema and agent defaults
agents/langchain-deepagents-code/policy-additions.yaml, schemas/sandbox-policy.schema.json, src/lib/onboard.ts
landlock.compatibility changes to hard_requirement, the schema enum accepts it, and onboarding passes the selected compatibility mode into the Landlock check.
Onboarding failure path test
test/onboard-landlock-failure.test.ts
A new test verifies hard_requirement failure exits nonzero, deletes the sandbox, and does not record readiness.
Documentation updates
docs/deployment/sandbox-hardening.mdx, docs/reference/enterprise-readiness.mdx, docs/reference/troubleshooting.mdx, docs/security/best-practices.mdx
Landlock docs now describe agent-specific best_effort versus hard_requirement behavior, startup failure cases, and runtime log-based verification.

Estimated code review effort: 4 (Complex) | ~45 minutes

Suggested labels: security, bug-fix

Suggested reviewers: ericksoa

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR satisfies #5795 by failing closed for Deep Agents Code when Landlock is unsupported and returning a nonzero exit instead of silently degrading.
Out of Scope Changes check ✅ Passed The changes are scoped to Landlock enforcement, related schema/policy updates, tests, and docs; no unrelated functionality appears added.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: Deep Agents Code now requires Landlock enforcement and fails closed when it cannot be applied.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/5795_landlock_min_kernel

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: onboard-resume-vitest, onboard-repair-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • onboard-resume-vitest: The PR changes onboarding sandbox creation/reuse ordering and Landlock fail-closed behavior in src/lib/onboard.ts and src/lib/onboard/landlock-warning.ts. This can affect onboarding resume/session bootstrap paths, so the wired onboard-resume live Vitest job is required.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • onboard-repair-vitest: The same onboarding reuse gate can affect repair/backstop execution from persisted sandbox state, especially because the Landlock check now runs before live sandbox reuse handling. The onboarding resume compatibility rule makes repair required for this persisted-session path.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • src/lib/onboard.ts
  • src/lib/onboard/landlock-warning.ts
  • src/lib/onboard/landlock-warning.test.ts

@github-actions

github-actions Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Blocking findings reported

Advisor assessment: Blockers require maintainer review
Next action: Review the blockers below.
Findings: 1 blocker · 0 warnings · 0 suggestions

Model lanes

  • GPT-5.6 Terra (primary): Completed · high confidence · 1 blocker · 0 warnings · 0 suggestions
  • Nemotron 3 Ultra (second opinion): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Model comparison: normalized findings differ; normalized E2E selections differ; Nemotron reported 1 fewer blocker, the same number of warnings, the same number of suggestions.

Nemotron output stays in workflow artifacts and does not change the assessment above.

E2E guidance

Advisory only. E2E / PR Gate selects and runs jobs independently.

Recommended E2E: cloud-onboard, credential-sanitization, security-posture, onboard-repair, onboard-resume, ubuntu-repo-cloud-langchain-deepagents-code

Blockers

PRA-1 Blocker — Clean up the failed DCode resource using an authoritative identity

  • Location: src/lib/onboard/created-sandbox-failure.ts:55
  • Category: acceptance
  • Problem: The hard-required Landlock path treats a nonzero create stream as terminal and exits before readiness or cleanup. The checked-in DCode flow test asserts that it never invokes `openshell sandbox delete` even when create output says `Created sandbox`. Consequently, if OpenShell allocated a failed resource before reporting its enforcement failure, onboarding leaves it behind despite the recorded [Linux][Onboard] nemoclaw onboard silently degrades to best_effort Landlock mode on kernel < 5.13 instead of aborting — sandbox created with reduced isolation #5795 exit condition requiring cleanup and no Ready registry state.
  • Impact: Failed DCode onboarding can accumulate a failed sandbox resource which may retain its name or lifecycle state and obstruct retry/recovery, contrary to the specified fail-closed cleanup outcome.
  • Fix: Obtain an authoritative resource identifier from OpenShell’s structured create/result or a post-failure exact-identity query, then delete only that identified failed resource before exiting. Do not restore name-only deletion.
  • Verification: Inspect the hard-Landlock create failure path from `reportSandboxCreateFailure` through `createSandboxWithBaseImageResolution` and confirm whether any successful OpenShell allocation is deleted using an ID bound to this create attempt.
  • Test coverage: Add a flow test where OpenShell returns an authoritative created sandbox ID followed by a hard-requirement failure; assert that exactly that ID is deleted, registry registration is absent, and a same-name pre-existing resource is not deleted.
  • Evidence: Issue [Linux][Onboard] nemoclaw onboard silently degrades to best_effort Landlock mode on kernel < 5.13 instead of aborting — sandbox created with reduced isolation #5795 collaborator decision states exit requires "nonzero fail-closed behavior with cleanup and no Ready registry state on an unsupported kernel." `test/onboard-landlock-failure.test.ts` hard-failure cases assert no `openshell sandbox delete dcode-landlock-flow` command despite `Created sandbox:` output. `src/lib/onboard/created-sandbox-failure.ts:55-67` reports a non-incomplete create failure and exits without a cleanup operation.

Workflow run details

This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (5)
docs/deployment/sandbox-hardening.mdx (2)

147-147: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use active voice here.

is required by onboarding reads passive. Say directly that onboarding requires kernel 5.13+ with Landlock enabled.

As per path instructions, "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/deployment/sandbox-hardening.mdx` at line 147, The sentence in the
sandbox-hardening documentation uses passive voice; rewrite it in active voice
so onboarding is the subject, e.g. have onboarding directly require kernel 5.13+
with Landlock enabled. Update the wording in the affected prose block to keep
the same meaning while removing the passive construction.

Source: Path instructions


138-138: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use the shared CLI placeholder here.

This reads like shared guidance, so a concrete nemoclaw example will render the wrong command name for other agent aliases.

Suggested fix
-On such kernels, `nemoclaw onboard` aborts before creating or reusing a sandbox.
+On such kernels, `$$nemoclaw onboard` aborts before creating or reusing a sandbox.

As per coding guidelines, "Use $$nemoclaw for host CLI command examples on shared OpenClaw and Hermes pages." As per path instructions, "When a docs PR adds a command-line example that works across all NemoClaw agent aliases, comment if it uses a concrete alias such as nemoclaw or nemohermes; ask the author to use $$nemoclaw instead."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/deployment/sandbox-hardening.mdx` at line 138, The CLI example in the
shared sandbox-hardening guidance uses a concrete agent alias and should be
generalized for all aliases. Update the command example in the relevant docs
section to use the shared placeholder symbol $$nemoclaw instead of a specific
command name like nemoclaw, so the rendered guidance is correct across OpenClaw
and Hermes variants. Locate the host CLI example in the sandbox-hardening
content and replace the alias-specific invocation with the shared placeholder
consistently.

Sources: Coding guidelines, Path instructions

docs/reference/troubleshooting.mdx (1)

1062-1062: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use active voice here.

prevents a new sandbox from being created is passive. Say directly that the check prevents NemoClaw from creating a sandbox with reduced filesystem isolation.

As per path instructions, "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/troubleshooting.mdx` at line 1062, The sentence uses passive
voice; rewrite it in active voice by naming the actor directly, using the
surrounding troubleshooting text to state that the check prevents NemoClaw from
creating a sandbox with reduced filesystem isolation. Keep the meaning the same,
but avoid constructions like “is created” or “being created” in this section.

Source: Path instructions

src/lib/onboard.ts (1)

2646-2646: 🩺 Stability & Availability | 🔵 Trivial

Please rerun the onboarding E2E slice for this gate move.

This now short-circuits the core onboard flow before reuse/delete/create paths, so cloud-e2e, sandbox-operations-e2e, rebuild-openclaw-e2e, and channels-stop-start-e2e are the highest-value checks before merge.

As per path instructions, "src/lib/onboard.ts: This file contains core onboarding logic. Changes here affect the full sandbox creation and configuration flow."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` at line 2646, The change in onboard flow around
warnIfLandlockUnsupported should be validated by rerunning the onboarding E2E
slice, since it now short-circuits before reuse/delete/create paths. Re-run the
highest-value checks for cloud-e2e, sandbox-operations-e2e,
rebuild-openclaw-e2e, and channels-stop-start-e2e, and confirm the core flow in
src/lib/onboard.ts still behaves correctly after the gate move.

Source: Path instructions

docs/security/best-practices.mdx (1)

276-276: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use active voice in this row.

managed sandboxes are not created is passive. Say that NemoClaw does not create managed sandboxes in reduced Landlock mode.

As per path instructions, "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security/best-practices.mdx` at line 276, The “Default” table row uses
passive voice in the NemoClaw onboarding description, so rewrite that sentence
in active voice. Update the row text to say that NemoClaw does not create
managed sandboxes in reduced Landlock mode when it detects a host or Docker VM
kernel older than 5.13, keeping the same meaning while removing “are not
created.”

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard/landlock-warning.ts`:
- Around line 12-15: The Landlock support check is currently failing open when
kernel parsing or probing cannot be verified, which allows onboarding to
continue and reuse/create sandbox state unsafely. Update
unsupportedLandlockMessage and the surrounding probe/validation flow so that
parse failures, catch paths, and any inability to confirm support are treated as
blocking conditions instead of returning null; keep the fail-closed behavior in
the Landlock warning path and ensure callers of unsupportedLandlockMessage,
parseKernelMajorMinor, and the probe logic do not proceed when verification is
inconclusive.
- Line 46: The retry hint in landlock-warning.ts hardcodes the command name
instead of using the active CLI alias. Update the message in the onboarding
warning flow to build the retry command from cliName() or cliDisplayName(),
matching the rest of the user-facing onboarding text, so alternate aliases show
the correct `onboard` command. Use the landlock-warning helper that assembles
the warning copy to locate and thread the dynamic CLI name through this string.

---

Nitpick comments:
In `@docs/deployment/sandbox-hardening.mdx`:
- Line 147: The sentence in the sandbox-hardening documentation uses passive
voice; rewrite it in active voice so onboarding is the subject, e.g. have
onboarding directly require kernel 5.13+ with Landlock enabled. Update the
wording in the affected prose block to keep the same meaning while removing the
passive construction.
- Line 138: The CLI example in the shared sandbox-hardening guidance uses a
concrete agent alias and should be generalized for all aliases. Update the
command example in the relevant docs section to use the shared placeholder
symbol $$nemoclaw instead of a specific command name like nemoclaw, so the
rendered guidance is correct across OpenClaw and Hermes variants. Locate the
host CLI example in the sandbox-hardening content and replace the alias-specific
invocation with the shared placeholder consistently.

In `@docs/reference/troubleshooting.mdx`:
- Line 1062: The sentence uses passive voice; rewrite it in active voice by
naming the actor directly, using the surrounding troubleshooting text to state
that the check prevents NemoClaw from creating a sandbox with reduced filesystem
isolation. Keep the meaning the same, but avoid constructions like “is created”
or “being created” in this section.

In `@docs/security/best-practices.mdx`:
- Line 276: The “Default” table row uses passive voice in the NemoClaw
onboarding description, so rewrite that sentence in active voice. Update the row
text to say that NemoClaw does not create managed sandboxes in reduced Landlock
mode when it detects a host or Docker VM kernel older than 5.13, keeping the
same meaning while removing “are not created.”

In `@src/lib/onboard.ts`:
- Line 2646: The change in onboard flow around warnIfLandlockUnsupported should
be validated by rerunning the onboarding E2E slice, since it now short-circuits
before reuse/delete/create paths. Re-run the highest-value checks for cloud-e2e,
sandbox-operations-e2e, rebuild-openclaw-e2e, and channels-stop-start-e2e, and
confirm the core flow in src/lib/onboard.ts still behaves correctly after the
gate move.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cf7d7a3e-9759-4dbd-b2c6-7da90bfbe2c6

📥 Commits

Reviewing files that changed from the base of the PR and between e521f6a and 36ee0b8.

📒 Files selected for processing (7)
  • docs/deployment/sandbox-hardening.mdx
  • docs/reference/enterprise-readiness.mdx
  • docs/reference/troubleshooting.mdx
  • docs/security/best-practices.mdx
  • src/lib/onboard.ts
  • src/lib/onboard/landlock-warning.test.ts
  • src/lib/onboard/landlock-warning.ts

Comment thread src/lib/onboard/landlock-warning.ts Outdated
Comment thread src/lib/onboard/landlock-warning.ts Outdated
@wscurran wscurran added area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression labels Jun 25, 2026
@wscurran

Copy link
Copy Markdown
Contributor

@wscurran wscurran added v0.0.69 NV QA Bugs found by the NVIDIA QA Team labels Jun 25, 2026

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after addressing feedback comments

@wscurran wscurran added the integration: dcode LangChain Deep Code integration behavior label Jun 26, 2026
@cv cv added v0.0.71 and removed v0.0.69 labels Jun 28, 2026

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes requested — Landlock gate is not authoritative

Do not merge exact head 36ee0b89c3f269df446fcd21e106bc0b74d25b01.

  1. The source contract remains wrong. agents/langchain-deepagents-code/policy-additions.yaml uses compatibility: strict, and the NemoClaw schema permits that value. Pinned OpenShell v0.0.44 recognizes only exact hard_requirement; every other string maps to BestEffort (source). OpenShell v0.0.71 retains the same contract. Therefore #5596 is not a prerequisite for this fix and does not change the relevant policy/schema files.

  2. The new heuristic fails open and can inspect the wrong kernel. Empty or unparseable probe output and probe exceptions all continue onboarding. A version at or above 5.13 does not prove that Landlock is compiled in, active, syscall-accessible, successfully prepared, or enforced. On Linux, host uname -r is also not authoritative for a remote Docker daemon, OpenShell gateway, or Kubernetes node. The check applies globally even though other agent policies intentionally use best_effort.

  3. The security/lifecycle evidence is incomplete. The two unit tests cover only known 5.12 and 5.13 strings. There is no create/reuse/delete/registry boundary test. The PR Review Advisor remains Blocked, both CodeRabbit threads remain unresolved, and the required E2E advisor jobs were recommended but not run.

Minimal salvage:

  • Change the dcode policy from strict to upstream hard_requirement, and change the schema enum to best_effort | hard_requirement.
  • Add policy/schema regressions that reject strict, plus a focused onboarding failure test proving no Ready registry entry or stale sandbox when OpenShell rejects Landlock.
  • Remove the global host-kernel heuristic, or keep it only as scoped, non-authoritative dcode UX; treat OpenShell sandbox-process enforcement as the security boundary.
  • Rewrite the documentation as dcode-specific and resolve the two current documentation conflicts after the behavior is correct.
  • Run focused config/dcode/onboarding tests, then a supported-kernel dcode Landlock E2E and the advised negative-path E2E.

apurvvkumaria and others added 2 commits July 3, 2026 13:23
Co-authored-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@copy-pr-bot

copy-pr-bot Bot commented Jul 3, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@cv cv added v0.0.83 Release target v0.0.84 Release target and removed v0.0.83 Release target labels Jul 14, 2026
@cv cv assigned jyaunches and unassigned cv Jul 14, 2026
@jyaunches

jyaunches commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Maintainer takeover plan for exact head e6fc1fea:

  1. Close the positive-runtime gap at the real boundary: require a released OpenShell build with file-type-aware Landlock rights (tracked by supervisor: Landlock hard_requirement aborts with "incompatible directory-only access-rights: ReadDir" for real directories on RHEL 9.6 (kernel 5.14) ABI OpenShell#2218), then audit and pin that immutable release.
  2. Reconcile this branch with current main and port the change onto the current sandbox create/GPU fallback/finalization/registry flow. Preserve fail-closed hard_requirement, delete only with exact create evidence, keep failed sandboxes out of Ready state, replace synthetic fixtures with exact runtime output, and redact copied/printed diagnostics.
  3. Run the required exact-head CI/advisor set plus live DCode proofs: successful startup + inference on a capable runtime, and controlled Landlock rejection with cleanup and no Ready registry entry.
  4. Once the PR is green, build the staging nemoclaw-image artifact and validate the resulting GCP image through a real Brev launchable.

I will keep progress comments concise. Barring a material maintainer decision or blocker, my next PR comment will link the green staging GCP/Brev launchable build.

@prekshivyas prekshivyas assigned prekshivyas and unassigned jyaunches Jul 15, 2026
@jyaunches

Copy link
Copy Markdown
Contributor

Status handoff for @prekshivyas:

  • Exact head is ac459f2592ae4c479ef959401415cdf853548ba6, signed/Verified, merged with current main, and GitHub reports the PR mergeable. At handoff time, 42 checks pass, 5 are pending, and none fail.
  • The downstream solution now uses OpenShell's exact hard_requirement contract, rejects the fail-open legacy strict spelling, removes the nonexistent DCode /app path, treats sandbox startup as the enforcement boundary, redacts persisted diagnostics with private modes, and never authorizes deletion from unstructured Created sandbox: text.
  • Focused verification passes: 67 CLI tests, 8 integration tests, 23 E2E-support tests, CLI type-check, exact Vitest project membership, docs validation, and normal commit/push hooks.
  • All advisor suggestions are addressed. The exact-head primary advisor now reports one real acceptance blocker: failed-create cleanup needs an authoritative OpenShell resource/create-operation identity. Do not restore name-only deletion. The secondary advisor rerun is still completing after its first analysis attempt failed internally.
  • Positive runtime remains blocked upstream: supervisor: Landlock hard_requirement aborts with "incompatible directory-only access-rights: ReadDir" for real directories on RHEL 9.6 (kernel 5.14) ABI OpenShell#2218 needs file-type-correct Landlock rights, and OpenShell needs transactional failed-create cleanup (or an identity-bound conditional delete). The latest published OpenShell v0.0.83 does not contain those contracts, so the PR intentionally still pins the known runtime and staging has not started.
  • After a fixed OpenShell release exists: pin it here, refresh the version-bound fixture, and run the required credentialed E2E set: cloud-onboard, credential-sanitization, security-posture, onboard-repair, onboard-resume, and ubuntu-repo-cloud-langchain-deepagents-code. The DCode target proves both nonzero/absent failed-resource behavior and positive Ready/Landlock/inference behavior.
  • Once the exact PR head is green, dispatch the nemoclaw-image staging GCP build with that SHA, validate the resulting image in a real Brev launchable, and post the successful immutable build link here.

@cv cv added v0.0.85 Release target and removed v0.0.84 Release target labels Jul 15, 2026
@prekshivyas prekshivyas assigned jyaunches and unassigned prekshivyas Jul 16, 2026
@cjagwani cjagwani added v0.0.86 Release target and removed v0.0.85 Release target labels Jul 16, 2026
@apurvvkumaria apurvvkumaria self-assigned this Jul 17, 2026
@wscurran wscurran added v0.0.88 Release target and removed v0.0.86 Release target labels Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior needs: unblock Blocked item needs dependency or decision resolved NV QA Bugs found by the NVIDIA QA Team v0.0.88 Release target

Projects

None yet

9 participants