feat(mcp): add OpenShell-managed MCP servers#5876
Conversation
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThis PR implements end-to-end MCP (Model Context Protocol) Streamable HTTP bridge support for NemoClaw sandboxed agents. It adds a ChangesMCP Streamable HTTP Bridge
Estimated code review effort🎯 5 (Critical) | ⏱️ ~180 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage in the branch is 96%. Coverage data for the branch is not yet available. Show a code coverage summary of the most covered files.
TypeScript / code-coverage/cliThe overall coverage in the branch is 69%. Coverage data for the branch is not yet available. Show a code coverage summary of the most covered files.
Updated |
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
Vitest E2E Scenario RecommendationRequired Vitest E2E scenarios: Dispatch required Vitest E2E scenarios:
Full Vitest E2E advisor summaryVitest E2E Scenario AdvisorBase: Required Vitest E2E scenarios
Optional Vitest E2E scenarios
Relevant changed files
|
PR Review Advisor — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements
|
|
🌿 Preview your docs: https://nvidia-preview-pr-5876.docs.buildwithfern.com/nemoclaw |
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
🚨 Required before mergeAddress these before merging unless a maintainer explicitly overrides the advisor with rationale.
|
There was a problem hiding this comment.
Actionable comments posted: 9
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/lib/onboard/openshell-install.ts (1)
162-174: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winMirror the new MCP-L7 feature gate in onboarding.
Line 162 raises the fallback floor to
0.0.72, butneedsUpgradestill only checks version, dev-channel, and Docker-driver binaries. An already-installed0.0.72binary that lacksallow_all_known_mcp_methodswill pass this path even thoughscripts/install-openshell.shnow rejects it, so onboarding can continue with an unsupported OpenShell build. Please add the same capability check before you skip reinstall/failure.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/onboard/openshell-install.ts` around lines 162 - 174, The onboarding upgrade check in openshell-install.ts is missing the new MCP-L7 capability gate, so an installed OpenShell at the minimum version can still be treated as valid even if it lacks allow_all_known_mcp_methods. Update the needsUpgrade logic in the openshell install flow to also verify the same capability check used by scripts/install-openshell.sh, and treat the install as needing upgrade/failure when that feature is absent. Use the existing currentVersionOutput/version checks and the relevant helpers in openshell-install.ts so the new gate is applied before skipping reinstall.
🧹 Nitpick comments (2)
schemas/policy-preset.schema.json (1)
51-56: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAdd focused schema tests for the new MCP and JSON-RPC branches.
The provided schema tests only show compile coverage plus a legacy
restnegative case, so these newjson-rpc/mcp/deny_rulespaths can regress without a precise failure. Please add explicit accept/reject cases for the new protocol values, matcher shapes, and option objects.Also applies to: 68-72, 86-144
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@schemas/policy-preset.schema.json` around lines 51 - 56, Add focused schema validation tests for the new policy-preset branches so regressions are caught directly: update the schema test coverage around the protocol enum and the $defs used by jsonRpcOptions, mcpOptions, and denyRulesMatcher to include explicit accept/reject cases for json-rpc and mcp values, their expected matcher shapes, and the associated option objects. Keep the existing compile/legacy rest coverage, but add targeted positive and negative assertions that exercise the new branches in policy-preset.schema.json rather than relying on broad compile-only checks.test/fetch-guard-patch-regression.test.ts (1)
135-141: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAssert the base-image
mcporterpin too.This helper only reads
Dockerfile, so the new regression still passes ifDockerfile.basedrifts. Since the base image now also bakesmcporter, please compare both files here (or source the version from one place) so the test guards the cross-file contract instead of just the runtime layer.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/fetch-guard-patch-regression.test.ts` around lines 135 - 141, The regression helper only checks the mcporter version in Dockerfile, so it can miss drift in Dockerfile.base; update readDockerfileMcporterVersion and the related test assertion to validate the mcporter pin in both files or derive both from a single shared source. Make sure the fetch-guard regression test covers the cross-file contract introduced by the base-image mcporter baking, not just the runtime layer.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Dockerfile`:
- Around line 149-153: The mcporter repair path still installs over the baked-in
copy without clearing the stale binary first, unlike the openclaw flow. Update
the mcporter handling in the Dockerfile so it uses the same pre-delete pattern
as openclaw before running npm install, using the mcporter version check block
to ensure stale base-image layers heal instead of failing on
overlayfs/atomic-move errors.
In `@docs/reference/commands-nemohermes.mdx`:
- Around line 1004-1050: The new `nemohermes <name> mcp
add|status|restart|remove` sections read like supported workflows, but Hermes
does not support MCP bridges, so update these docs to clearly mark the commands
as unsupported on Hermes. Keep the command names for reference, but remove the
OpenClaw bridge/proxy/policy/registry operational details and replace them with
a concise note that MCP bridge support is disabled for Hermes users.
In `@schemas/sandbox-policy.schema.json`:
- Around line 76-81: The endpoint schema currently allows json-rpc and mcp
protocols to validate without any L7 policy, so update the conditional
validation in sandbox-policy.schema.json to require the same allow/deny contract
for these new protocols as for rest and websocket. Adjust the relevant endpoint
schema logic around the protocol/access/rules validation, using the json_rpc and
mcp schema branches as the anchor, so json-rpc and mcp endpoints cannot omit
rules or equivalent L7 controls.
In `@src/lib/actions/sandbox/mcp-bridge.ts`:
- Around line 392-405: Make MCP port allocation atomic in
allocateMcpPort()/startProxy by ensuring the chosen port is reserved under the
same lock/critical section that records bridge state, so concurrent mcp add
calls cannot pick the same free port. Move the registry scan and port selection
into the protected reservation flow, or keep a temporary listener bound until
the proxy child has taken ownership, and keep using bridgeState/bridgePidFile
cleanup only after the reservation is secured.
- Around line 451-463: The restart flow in stopProxy()/restartMcpBridge() starts
the replacement proxy too soon after SIGTERM, which can leave 127.0.0.1:<port>
temporarily bound. Update restartMcpBridge() to wait for the old process or port
to fully exit before calling startProxy(), using the PID returned by stopProxy()
or a port-availability poll. Keep the fix localized to the stopProxy and
restartMcpBridge path so the new proxy only binds after the previous one has
released the port.
- Around line 1022-1058: The subcommand dispatcher in mcp-bridge currently
accepts extra positional tokens because `list`, `status`, `restart`, and
`remove` only inspect part of `rest`. Add explicit leftover-argument validation
in the command handling block for these cases, so any unexpected tokens after
parsing flags trigger a `McpBridgeError` usage message instead of being ignored;
use the existing `parseJsonFlag`, `statusMcpBridge`, `restartMcpBridge`, and
`removeMcpBridge` branches to locate the fix.
In `@src/lib/state/registry.ts`:
- Around line 439-443: normalizeSandboxMcpState() is keeping the original
bridges map key even after normalizeMcpBridgeEntry() falls back to entry.server,
which can leave a malformed persisted key in the normalized state. Re-key the
bridges object by the normalized server name (or omit invalid entries entirely)
when rebuilding the map from Object.entries(bridgesValue), so statusMcpBridge()
and bridgeRuntimeDir() validate against the same key that is stored.
In `@src/mcp-proxy.ts`:
- Around line 366-369: The startup logging in mcp-proxy should not print raw
child-process bridge arguments, because config.args may contain sensitive
values. Update the logging around the proxy startup output in src/mcp-proxy.ts
to remove the direct args dump or replace it with a sanitized summary, while
keeping the existing command/env context in a redacted form. Use the mcp-proxy
startup log block near config.command, config.args, and config.env to make the
change.
- Around line 266-320: The HTTP handler in mcp-proxy keeps an inflight MCP
request alive even after the client disconnects, which can leave stale slots
occupied until timeout. Update the request flow in the server callback to
register a req.on("close", ...) handler that cancels or clears the pending
client.call invocation immediately, and make sure it only affects the active
request identified by request.id so healthy traffic is not blocked when
MCP_PROXY_MAX_INFLIGHT is reached.
---
Outside diff comments:
In `@src/lib/onboard/openshell-install.ts`:
- Around line 162-174: The onboarding upgrade check in openshell-install.ts is
missing the new MCP-L7 capability gate, so an installed OpenShell at the minimum
version can still be treated as valid even if it lacks
allow_all_known_mcp_methods. Update the needsUpgrade logic in the openshell
install flow to also verify the same capability check used by
scripts/install-openshell.sh, and treat the install as needing upgrade/failure
when that feature is absent. Use the existing currentVersionOutput/version
checks and the relevant helpers in openshell-install.ts so the new gate is
applied before skipping reinstall.
---
Nitpick comments:
In `@schemas/policy-preset.schema.json`:
- Around line 51-56: Add focused schema validation tests for the new
policy-preset branches so regressions are caught directly: update the schema
test coverage around the protocol enum and the $defs used by jsonRpcOptions,
mcpOptions, and denyRulesMatcher to include explicit accept/reject cases for
json-rpc and mcp values, their expected matcher shapes, and the associated
option objects. Keep the existing compile/legacy rest coverage, but add targeted
positive and negative assertions that exercise the new branches in
policy-preset.schema.json rather than relying on broad compile-only checks.
In `@test/fetch-guard-patch-regression.test.ts`:
- Around line 135-141: The regression helper only checks the mcporter version in
Dockerfile, so it can miss drift in Dockerfile.base; update
readDockerfileMcporterVersion and the related test assertion to validate the
mcporter pin in both files or derive both from a single shared source. Make sure
the fetch-guard regression test covers the cross-file contract introduced by the
base-image mcporter baking, not just the runtime layer.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 4ab8d0a0-fbf6-4f79-b175-ea6d6865841a
📒 Files selected for processing (38)
.github/workflows/regression-e2e.yamlDockerfileDockerfile.baseagents/hermes/manifest.yamlagents/langchain-deepagents-code/manifest.yamlagents/openclaw/manifest.yamldocs/reference/commands-nemohermes.mdxdocs/reference/commands.mdxnemoclaw-blueprint/blueprint.yamlschemas/policy-preset.schema.jsonschemas/sandbox-policy.schema.jsonscripts/brev-launchable-ci-cpu.shscripts/install-openshell.shsrc/commands/sandbox/mcp.tssrc/lib/actions/sandbox/mcp-bridge.test.tssrc/lib/actions/sandbox/mcp-bridge.tssrc/lib/agent/base-image.test.tssrc/lib/agent/defs.test.tssrc/lib/agent/defs.tssrc/lib/agent/hermes-recovery-boundary-fixtures.tssrc/lib/agent/onboard.test.tssrc/lib/agent/runtime.test.tssrc/lib/cli/command-display.tssrc/lib/cli/command-registry.test.tssrc/lib/cli/command-registry.tssrc/lib/cli/public-argv-translation.test.tssrc/lib/cli/public-display-defaults.tssrc/lib/onboard/openshell-install.tssrc/lib/onboard/openshell-version.tssrc/lib/state/registry.tssrc/mcp-proxy.test.tssrc/mcp-proxy.tstest/e2e-scenario/live/openshell-version-pin.test.tstest/e2e/test-openshell-version-pin.shtest/fetch-guard-patch-regression.test.tstest/install-openshell-version-check.test.tstest/install-preflight.test.tstest/registry.test.ts
Selective E2E Results — ❌ Some jobs failedRun: 28269095222
|
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 28269095075
|
Selective E2E Results — ❌ Some jobs failedRun: 28269143340
|
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 28269143284
|
Selective E2E Results — ❌ Some jobs failedRun: 28269290981
|
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 28269290870
|
Selective E2E Results — ❌ Some jobs failedRun: 28269537374
|
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 28269537216
|
Selective E2E Results — ❌ Some jobs failedRun: 28270356785
|
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 28270355861
|
Selective E2E Results — ❌ Some jobs failedRun: 28270636453
|
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 28270635514
|
Vitest E2E Target Results —
|
| Job | Result |
|---|---|
| hermes-e2e | |
| mcp-bridge |
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Vitest E2E Target Results — ✅ All selected jobs passedRun: 28682976259
|
Vitest E2E Target Results — ❌ Some jobs failedRun: 28682975290
|
Vitest E2E Target Results — ✅ All selected jobs passedRun: 28683194786
|
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Vitest E2E Target Results —
|
| Job | Result |
|---|---|
| hermes-e2e | |
| mcp-bridge |
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Vitest E2E Target Results — ✅ All selected jobs passedRun: 28683611376
|
## Summary Hardens the managed-MCP work merged in #5876 so DCode rebuilds validate every reconstructable input before crossing the destructive delete boundary, preserve exact policy intent, and migrate legacy managed MCP state fail-closed. Prepared rebuild artifacts and the derived MCP runtime snapshot remain ephemeral and process-local; neither is persisted in FSM or checkpoint state, so this does not implement #6224. ## Related Issue Refs #5876 Refs #6195 Refs #6218 ## Changes - Revalidate DCode route, image, Dockerfile, reasoning, web-search, and MCP inputs after preparation and before NIM stop or sandbox deletion; restore MCP state and relock shields on failure. - Preserve exact custom network policy replay while keeping generated MCP rules under the MCP adapter's exclusive ownership. - Add protocol-specific policy schema validation for REST, WebSocket, JSON-RPC, and MCP matchers, including cross-rule `tools/call` conflict rejection. - Pin Deep Agents Code 0.1.30 and load only a strict, canonicalized managed MCP projection from a process-local integrity-bound snapshot. Sealed memfd is preferred; when OpenShell seccomp blocks it, an anonymous `O_TMPFILE` inode is reopened read-only and bound by descriptor, device, inode, size, kind, and SHA-256, with ambient discovery disabled. - Bind the canonical TypeScript secret-pattern source and flags to one shared behavior corpus executed through the Bash and Python DCode enforcement boundaries, including the full ECMAScript whitespace set. - Add capability-v2 gating and legacy-v1 teardown/rollback that preserves unrelated user configuration and fails closed on malformed, unsafe, or drifted state. - Add rebuild, migration, runtime-patch, schema, snapshot, and lifecycle coverage; update the MCP, policy, security, command, and DCode documentation. Verification notes: - Final DCode-adjacent run: 9 files, 187 tests passed; the focused descriptor/projection run passed 4 files and 138 tests. - Final review-follow-up run: 82 focused Bash/Python/TypeScript parity and descriptor-fallback tests passed, including all 25 ECMAScript whitespace code points under both `C` and `C.UTF-8` Bash locales. - Full pre-squash-equivalent run: 1,068 files passed, 2 skipped; 12,149 tests passed, 35 skipped. - CLI coverage ratchet passed with the repository include/exclude set expressed as one Vitest glob: lines 65.24%, statements 64.45%, functions 67.06%, branches 57.21%. - Python compile, Biome, ShellCheck, shfmt, source-shape, test-size, repository, secret-scan, and diff checks passed. The normal push hook passed CLI typechecking. - Main-sync validation after merging #6265 passed: 9 CLI files/82 tests, 6 integration files/174 tests, an additional 3 preparation tests, CLI typecheck, Biome, and diff checks. Generated-context provenance was ported into the split preflight fixtures without restoring the obsolete monolith. - Exact-head CI for `9a31537785ef2d456901de622721ed215627fdec` passed: 40 checks green, all five required contexts passed, and there were 0 failures, cancellations, or pending checks. The only skips were the expected docs-only job and two duplicate NVSkills request jobs. This includes all five CLI shards plus the aggregate, both CodeQL languages, both sandbox image builds, macOS, WSL, four self-hosted runtime checks, CodeRabbit, and both review advisors. - Exact-head live E2E for `9a31537785ef2d456901de622721ed215627fdec` passed: [`mcp-bridge`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844701), [`mcp-bridge-dev`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844719), and [`ubuntu-repo-cloud-langchain-deepagents-code`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844639). Stable and dev each passed OpenClaw, Hermes, and DCode 3/3; authenticated MCP calls passed initially and after restart, credential rotation, and rebuild, then removal denied access with no provider, policy, tunnel, or credential residue. The dedicated DCode lane passed Landlock 5/5, Python egress 14/14, headless inference 10/10, secret boundary 8/8, Tavily 6/6, and TUI 4/4; BuildKit accepted the merged generated-context handoff, and invalid-credential rebuild failure remained pre-destructive with the original sandbox, marker, and route recovered. Artifact inspection found one unchanged pre-existing harness defect: two OpenShell audit-log filtering subassertions can false-pass because awk treats `close` as reserved; runtime-output, sandbox-log, env-file immutability, and raw-secret checks passed, and this PR does not modify that E2E file. - The base `test-cli` pre-commit invocation remains affected by Vitest 4.1.9 collapsing repeated `--coverage.exclude` arguments to a zero-file/invalid summary. All other commit and push hooks passed; targeted tests and the authoritative sharded CI coverage checks provide the exact-head gate. - `npm run docs` completed with 0 errors and 2 pre-existing Fern warnings. Two documentation-writer audits confirmed the final behavior is accurately documented. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent security and correctness reviews passed after fixes; destructive-boundary rollback, capability migration, the process-local integrity-bound snapshot handoff (sealed memfd preferred, anonymous `O_TMPFILE` fallback), cross-language secret-pattern parity, policy fidelity, and the #6224 boundary were checked. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [x] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Enhanced managed MCP bridge support with managed-only configuration snapshots for safer add/restart/rebuild/teardown. * Network policy protocol rules now support protocol-specific matching plus stricter `endpoint.path` validation. * **Bug Fixes** * Stronger fail-fast validation for MCP server names/hostnames and endpoint details (rejected before changes are applied). * Rebuild flows improved to preserve/replay custom policies and validate after MCP preparation, with rollback on failure. * **Documentation** * Updated setup/quickstart/reference and MCP bridge/rebuild guidance for managed MCP capability v2 behavior and stricter validation rules. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Adds a shared tool-disclosure mode across Deep Agents Code, Hermes, and OpenClaw. New sandboxes default to `progressive`; `--tool-disclosure direct` or `NEMOCLAW_TOOL_DISCLOSURE=direct` restores the prior fully visible catalog. The mode persists through resume and transactional rebuilds. The design follows [LangChain progressive disclosure](https://support.langchain.com/articles/8488719552-progressive-tool-disclosure-with-deep-agents), [Hermes Tool Search](https://hermes-agent.nousresearch.com/docs/user-guide/features/tool-search), and the pinned [OpenClaw v2026.5.27 Tool Search contract](https://github.com/openclaw/openclaw/blob/v2026.5.27/docs/tools/tool-search.md). This is the v0.0.74 bundle. Exact head `e4214144c11dd47b9d3185f19c1c73ec4e690552` includes `main` at `6f5ccbcbaa87367f7b521318fbc940467045b601`. ## Related Issue #5876 is merged. This PR has no remaining stacked dependency and preserves its managed-MCP ownership contract. ## Changes - Add the shared `--tool-disclosure progressive|direct` onboarding and rebuild option, with `NEMOCLAW_TOOL_DISCLOSURE` as the environment equivalent. CLI input takes precedence and fresh sandboxes default to `progressive`. - Persist the selected mode in session and registry state. Resume, recreation, and MCP-bearing rebuilds preserve or transactionally change it in either direction. - Add bounded `search_tools` middleware to Deep Agents Code when at least one MCP tool loads successfully. Core tools remain visible, discovery state survives checkpointing, and only model requests are filtered; the complete executor registry and existing authorization controls remain intact. - Enable Hermes native Tool Search with opinionated 5/20 result limits and direct core tools. - Enable OpenClaw native structured `mode: "tools"` discovery with 8/20 limits while retaining model-specific compatibility safeguards. - Patch and validate the exact pinned `deepagents-code==0.1.30` runtime with fail-closed, idempotent anchors and separate middleware instances for the main agent and local subagents. - Add build-time/runtime validators, lifecycle and overflow coverage, transactional custom-image handling, and user-facing documentation for progressive/direct behavior. ### Managed MCP boundary This PR does not change MCP configuration, credential placeholders, bridge ownership, policy generation, MCP CLI behavior, or registry schemas from #5876. Managed OpenClaw MCP remains registered in mcporter's home registry. Pinned OpenClaw Tool Search reads native bundle and `mcp.servers` catalogs, and NemoClaw does not currently synchronize those ownership stores. The OpenClaw runtime validator therefore proves native search, describe, and call behavior for eligible hidden catalog tools, while the existing live MCP scenario separately proves mcporter execution, credential rewriting and rotation, restart/rebuild behavior, policy enforcement, DNS-rebinding protection, and secret boundaries. A fixture-only projection between those stores would not represent shipped behavior. ### Apurv security review resolution 1. **Callable namespace:** Deep Agents Code rejects every duplicate resolved callable name and every non-managed owner of a reserved core name before the original factory in progressive and direct modes. Coverage includes regular/regular, regular/MCP, cross-MCP-server, direct-mode, and schema/executor mismatch cases. 2. **Build-context seal:** fingerprints require a real directory root and encode portable mode bits, nanosecond modification times, link counts, and deterministic hardlink topology. Pre-delete and final one-shot tests cover hardlink, timestamp, permission, and root-symlink mutations. 3. **Dockerfile patch boundary:** patching anchors and revalidates the staging parent, rejects multi-link files, writes a fresh private same-directory file, and atomically replaces the staged Dockerfile without truncating an attacker-selectable inode. 4. **Chunk-safe diagnostics:** raw cloudflared child output is not emitted in failures. Only bounded per-stream carry is retained for origin discovery, with split-event credential regressions proving fragments and reconstructed secrets remain absent. ### CodeRabbit and CodeQL resolution - Every CodeRabbit finding is implemented or explicitly dispositioned with repository evidence, including URL-token punctuation, the intentional private hosted model identifier, and the final Darwin fixture fail-fast nit. GraphQL reports zero unresolved review threads; exact-head CodeRabbit status is green. - [CodeQL alert #1210](https://github.com/NVIDIA/NemoClaw/security/code-scanning/1210) is dismissed as a false positive. The flagged sink opens an existing directory read-only with `O_DIRECTORY | O_NOFOLLOW | O_NONBLOCK`; it does not use `O_CREAT`. The real replacement file remains UUID-named, `O_CREAT | O_EXCL | O_NOFOLLOW`, mode `0600`, descriptor/path identity checked, single-link validated, fsynced, and atomically renamed. Exact-head CodeQL is green with no open branch alerts. ### Validation - Local focused matrix: 19 files / 327 tests passed; one true Linux-only `memfd`/`O_TMPFILE` restart case was skipped on macOS. - Exact pinned Deep Agents Code/LangChain patch and runtime validator passed: `progressive-disclosure-runtime-ok`. - Both TypeScript typechecks, build, repository checks, source-shape/test-size guards, Biome, Ruff/Python compilation, secret scanning, push checks, and `git diff --check` passed. - Final-head standard validation is green: [PR CI](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184882), [growth guardrails](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184428), [WSL](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184879), [macOS](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184874), [security](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184917), [CodeQL](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184138), [review advisors](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184863), and the [E2E advisor](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184880). The original exact-head check set and subsequent metadata checks are all green, with only the two expected skips. - The exact-head [typed OpenClaw and Deep Agents targets](https://github.com/NVIDIA/NemoClaw/actions/runs/28700290435) passed. - The exact-head [production-image workflow](https://github.com/NVIDIA/NemoClaw/actions/runs/28700292369) passed both requested image builds and all four downstream image E2E checks. - In the exact-head [advisor-selected live union](https://github.com/NVIDIA/NemoClaw/actions/runs/28700286465), 18 of 19 concrete jobs passed. The sole Hermes security-posture failure occurred in its deliberate gateway-recovery probe after restart, secret-boundary, and disclosure assertions had passed. The isolated exact-head [security retry](https://github.com/NVIDIA/NemoClaw/actions/runs/28700509914) passed both Hermes and OpenClaw legs, so every selected live lane has passing final-head evidence. - The GPT review advisor's remaining OpenClaw MCP model-loop warning is explicitly dispositioned by the managed-MCP ownership boundary above: the native OpenClaw catalog and mcporter registry are separate shipped stores, and a test-only projection would claim behavior the production bridge does not provide. ### Remaining - Obtain Apurv's exact-head re-review to clear the formal `CHANGES_REQUESTED` state and complete sensitive-path approval. - Rebuild affected existing sandboxes after this change ships; newly created sandboxes default to progressive disclosure. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Apurv exact-head re-review pending after all four requested fixes. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: no waiver requested; exact-head security retry is green. ## Verification - [x] PR description includes the DCO sign-off declaration and every feature commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes — all applicable hooks passed; the known hanging local unsharded `test-cli` coverage hook was skipped and exact-head sharded Linux CI is authoritative. - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [ ] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only; current build has two pre-existing warnings) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [x] New doc pages include SPDX header and frontmatter (new pages only; no new doc pages) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary This PR prepares the user-facing documentation for v0.0.74 before the release plan is frozen. It expands the release notes across the 56-commit train and closes durable documentation gaps found during the pre-tag commit scan. ## Changes - Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed MCP, progressive tool disclosure, LangChain Deep Agents Code, onboarding, local inference, messaging, recovery, and contributor workflows. - Correct the `destroy` contract for retained per-name volumes, gateway-unreachable `--force` cleanup, managed MCP ownership, and same-name recovery. - Document separate remediation for an unreachable container DNS resolver versus one that answers with `NXDOMAIN` or `REFUSED`. - Document the Windows on Arm N1X automatic Ollama safeguard and its remaining large-model limitations. - State that messaging conflicts abort rebuild before backup or deletion, leaving the original sandbox intact. - Link the agent-runnable value benchmark from the contributor task index. - Synchronize generated agent command variants. - Validate with `npm run docs:sync-agent-variants` and `npm run docs`; Fern completed with 0 errors and 2 existing warnings. - Source summary: - [#6020](#6020) and [#5876](#5876) -> `docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy boundary and managed MCP lifecycle. - [#6251](#6251) and [#5989](#5989) -> `docs/about/release-notes.mdx`: Summarize progressive tool disclosure and sandbox-first inference controls. - [#6232](#6232), [#6082](#6082), [#6219](#6219), [#6214](#6214), [#6215](#6215), [#6230](#6230), and [#6260](#6260) -> `docs/about/release-notes.mdx`: Summarize the experimental LangChain Deep Agents Code status, secret, version, rebuild, snapshot, and MCP boundaries. - [#6166](#6166), [#6254](#6254), [#6265](#6265), [#6164](#6164), and [#6017](#6017) -> `docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated image reuse, bounded readiness, and preflight improvements. - [#6150](#6150) -> `docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`: Separate unreachable-resolver remediation from reachable-but-rejected DNS responses. - [#6234](#6234) -> `docs/about/release-notes.mdx`, `docs/inference/use-local-inference.mdx`, and `docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B selection and the remaining explicit-large-model boundary. - [#6129](#6129), [#5987](#5987), [#5955](#5955), and [#6220](#6220) -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Document messaging policy persistence, status, and the pre-destructive conflict check. - [#5963](#5963), [#6050](#6050), [#6094](#6094), [#6238](#6238), [#5988](#5988), [#6235](#6235), [#6181](#6181), and [#5986](#5986) -> `docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and clarify retained-volume and local-only destroy semantics. - [#6200](#6200), [#6248](#6248), [#6168](#6168), [#6270](#6270), and [#5649](#5649) -> `docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize contributor setup and verification improvements and expose the advisory value benchmark. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: documentation-only release preparation; generated-variant synchronization and the Fern docs build validate the changed pages and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: tests are not applicable to this documentation-only change; `npm run docs` validates the source and generated routes. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Expanded setup guidance for Windows on Arm devices with safer default local model selection. * Clarified local inference and sandbox messaging behavior, including conflict checks before rebuilds and safer recovery steps. * Updated destroy/rebuild/reference docs with more detailed warnings, failure handling, and volume-retention guidance. * Improved troubleshooting instructions for Docker DNS issues with clearer paths for unreachable vs. blocked resolvers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
## Summary Routes ordinary native CDI Linux through OpenShell 0.0.71's native `--gpu` path instead of the legacy Docker container swap. The legacy path remains available for WSL, Jetson, and explicit `NEMOCLAW_DOCKER_GPU_PATCH=1`, with its OpenShell supervisor command boundary and rollback diagnostics hardened. ## Related Issue Related to NVIDIA#6110 ## Changes - Use native OpenShell GPU injection by default on ordinary native CDI Linux. - Document the `NEMOCLAW_DOCKER_GPU_PATCH` auto, forced-legacy, and native-routing behavior for ordinary native Linux, Docker Desktop WSL, and Jetson/Tegra. - Keep `NEMOCLAW_DOCKER_GPU_PATCH=1` as the explicit legacy-swap force control and `=0` as the existing native opt-out; Docker Desktop WSL still ignores `=0`, and Jetson keeps its compatibility default. - Preserve OpenShell's supervisor entrypoint on the legacy swap: Docker receives no command tail, while the workload stays in `OPENSHELL_SANDBOX_COMMAND`. - Validate legacy startup tokens before stopping or renaming the original container and serialize extra-placeholder keys as one comma-delimited token. - Defer every legacy recreate through the same supervisor-wait/finalize boundary so failed clones are captured before rollback on both create timing paths. - Persist only allowlisted/redacted failed-clone topology, state, process, network, and log evidence, with a 10-second total / 2-second per-call budget so diagnostics cannot materially delay rollback. - Permit only the canonical OpenShell Docker/Podman TLS key path in the Hermes runtime environment; arbitrary values and persisted `.env` entries remain rejected. - Refresh the Dockerfile integrity pin for the changed validator so production Hermes images fail closed on any later digest drift. - Prove native and legacy Docker command boundaries separately, including Ready/CUDA status, supervisor PID 1, placeholder transport, config hashes, no backup-container leak, and inference requests. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent exact-diff review found no remaining substantive issue after startup-envelope secret redaction, bounded pre-rollback capture, unified finalize ordering, and route-specific live assertions - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) Local exact-candidate verification at `d76f1647a5f354ba04737a6a049b82bfbf6d5454`: - CLI build and typecheck passed. - Hermes GPU support/client/workflow coverage passed 48/48; the built gateway-cleanup module resolves through Node, and runtime cleanup, registration removal, and bind availability remain fail-closed. - The shared Docker GPU diagnostic collector owns redaction for every text/JSON artifact and returned summary; direct conventional `*_KEY` and custom-placeholder canaries, JSON-validity, inspect-before-write, exhausted-budget, and collector-owned top regressions pass. - All 12 Docker GPU suites pass 126/126; the exact-head focused E2E-support set passes 39/39, including six process-token self-match regressions, the scrubbed integrity-proof environment, and total forbidden-marker count. - Conditional scan, source-shape, test-size, Biome, repository checks, commit hooks, and push typecheck passed for the final harness correction; only the documented macOS-invalid full CLI hook lane was excluded. - The forbidden-marker request sensor support suite passed 14/14 and records counts only, never raw request bodies or marker values. - OpenShell transport-boundary coverage passed 4/4; Docker GPU command-envelope coverage passed 6/6; extra-placeholder parsing coverage passed 16/16. - Hermes validator and wrapper integrity pins match their source SHA256 digests; hadolint and diff checks pass. - Hermes startup/boundary coverage passed 43/43 locally; the Linux-only wrapper cases are delegated to exact-head CI. - The full local CLI hook is not a valid gate on this macOS Node 22 host: unchanged `a1fc52c7` TypeScript entrypoints fail through the CommonJS preload with `ERR_UNKNOWN_FILE_EXTENSION`; exact-head Linux CI remains required. - Hermes runtime-guard plus current-main docs regression tests: 24/24 passed. - Hermes workflow-boundary test passed. - Project-boundary, project-membership, test-title, source-shape, test-size, targeted Biome, and diff checks passed. - `npm run docs:sync-agent-variants`, `npm run docs:check-agent-variants`, and `npm run docs` pass; Fern reports 0 errors and 2 existing warnings. Live A/B evidence: - Forced legacy swap at `97e3e7e1`: [run 28554699811](https://github.com/NVIDIA/NemoClaw/actions/runs/28554699811) reproduced sustained OpenShell `Error` followed by safe rollback. It also exposed and now closes a lifecycle instrumentation gap: the post-create `ensureApplied()` branch bypassed pre-rollback capture. - Native OpenShell route at signed diagnostic SHA `15f50182`: [run 28555110558](https://github.com/NVIDIA/NemoClaw/actions/runs/28555110558) completed onboarding with exit 0, reached `Phase: Ready`, reported `CUDA verified`, and sent authenticated Hermes chat-completions requests to the hermetic inference endpoint. The job's only failure was the now-fixed test regex not stripping ANSI around `Ready`. - Prior native evidence at `7cb219d9`: [full run 28559814959](https://github.com/NVIDIA/NemoClaw/actions/runs/28559814959) and [second pass 28559816026](https://github.com/NVIDIA/NemoClaw/actions/runs/28559816026) both reached Ready/CUDA with clean runtime and teardown; their Hermes proof stopped on the now-fixed ANSI matcher before downstream assertions. - Prior forced-legacy diagnostic on production parent `a1fc52c7` plus workflow-only child `6d0cf6a5`: [run 28561607207](https://github.com/NVIDIA/NemoClaw/actions/runs/28561607207) selected the legacy swap and rolled back cleanly, but failed because the Hermes boundary rejected the driver-owned OpenShell `OPENSHELL_TLS_KEY` path. Candidate `54cf259d` adds an exact runtime-only allowance with negative boundary tests. - Prior exact-head set at `a1fc52c7`: [run 28561548749](https://github.com/NVIDIA/NemoClaw/actions/runs/28561548749) proved the GPU and security companion jobs, while Hermes GPU stopped at a sandbox-user `/proc` permission probe after Ready/CUDA. Candidate `54cf259d` keeps the same proof but runs it as root and restricts the match to the exact `nemoclaw-start` process. - Prior second native pass at `a1fc52c7`: [run 28561555945](https://github.com/NVIDIA/NemoClaw/actions/runs/28561555945) reproduced only the same harness permission failure after Ready/CUDA, correct PID 1 topology, authenticated inference, zero forbidden-marker matches, and clean teardown. - Superseded six-job set at `54cf259d`: [run 28564960504](https://github.com/NVIDIA/NemoClaw/actions/runs/28564960504) exposed the stale Dockerfile validator digest and was canceled before runtime proof. Candidate `970803a4` updates the integrity pin, retained by final head `c5a67c4c`. - Superseded second native pass at `54cf259d`: [run 28564973806](https://github.com/NVIDIA/NemoClaw/actions/runs/28564973806) was canceled during pre-cleanup and supplies no acceptance evidence. - Superseded forced-legacy proof on production parent `54cf259d` plus child `69f4e1b2`: [run 28564983760](https://github.com/NVIDIA/NemoClaw/actions/runs/28564983760) was canceled during pre-cleanup and supplies no acceptance evidence. - Superseded six-job set at `970803a4`: [run 28565197328](https://github.com/NVIDIA/NemoClaw/actions/runs/28565197328) was canceled before acceptance execution when the canonical placeholder-format advisor fix advanced the head. - Superseded second native pass at `970803a4`: [run 28565207911](https://github.com/NVIDIA/NemoClaw/actions/runs/28565207911) was canceled before runner assignment and supplies no acceptance evidence. - Superseded forced-legacy proof on production parent `970803a4` plus child `b4d5679e`: [run 28565222881](https://github.com/NVIDIA/NemoClaw/actions/runs/28565222881) was canceled before runner assignment and supplies no acceptance evidence. - Superseded six-job set at `7335903b`: [run 28565576066](https://github.com/NVIDIA/NemoClaw/actions/runs/28565576066) was intentionally canceled when the documentation gap advanced the candidate; the root-entrypoint smoke passed, but the remaining lanes provide no complete acceptance proof. - Superseded second native pass at `7335903b`: [run 28565587094](https://github.com/NVIDIA/NemoClaw/actions/runs/28565587094) was canceled before acceptance execution and supplies no acceptance evidence. - Superseded forced-legacy proof on production parent `7335903b` plus child `091e16fd`: [run 28565603460](https://github.com/NVIDIA/NemoClaw/actions/runs/28565603460) was canceled before acceptance execution and supplies no acceptance evidence. - Superseded six-job set at `c5a67c4c`: [run 28566083673](https://github.com/NVIDIA/NemoClaw/actions/runs/28566083673) reached the native GPU/runtime proofs before the obsolete raw strict-hash assertion failed; messaging independently hit the process-probe self-match fixed by merged NVIDIA#6167. GPU, root-entrypoint, secret-boundary, and credential companion lanes passed. - Superseded second native pass at `c5a67c4c`: [run 28566083641](https://github.com/NVIDIA/NemoClaw/actions/runs/28566083641) proved native routing, Ready/CUDA, `nvidia-smi`, `/proc`, `cuInit(0)=0`, PID 1, authenticated inference, and cleanup, then failed only the obsolete raw strict-hash assertion. - Superseded forced-legacy proof on production parent `c5a67c4c` plus child `48c46a7f`: [run 28566083589](https://github.com/NVIDIA/NemoClaw/actions/runs/28566083589) proved the same runtime boundary on the legacy route, then failed only the obsolete raw strict-hash assertion. - Superseded six-job set at `a04a70ac`: [run 28568069499](https://github.com/NVIDIA/NemoClaw/actions/runs/28568069499) exposed a pre-onboarding harness defect: direct Vitest import of the production cleanup helper could not resolve its lazy CommonJS TypeScript dependencies. Companion results do not count as final-head evidence. - Superseded second native pass at `a04a70ac`: [run 28568069558](https://github.com/NVIDIA/NemoClaw/actions/runs/28568069558) failed at the same pre-onboarding cleanup boundary and supplies no runtime acceptance evidence. - Superseded forced-legacy proof on production parent `a04a70ac` plus child `085a3b7d`: [run 28568069530](https://github.com/NVIDIA/NemoClaw/actions/runs/28568069530) failed at the same pre-onboarding cleanup boundary and supplies no runtime acceptance evidence. - Superseded six-job set at `6ac4ebc8`: [run 28568490864](https://github.com/NVIDIA/NemoClaw/actions/runs/28568490864) exposed a clean-runner preinstall edge: the compiled cleanup child was invoked before OpenShell existed and failed before onboarding. Companion results do not count as final-head evidence. - Superseded second native pass at `6ac4ebc8`: [run 28568494928](https://github.com/NVIDIA/NemoClaw/actions/runs/28568494928) failed at the same pre-onboarding cleanup boundary and supplies no runtime acceptance evidence. - Superseded forced-legacy proof on production parent `6ac4ebc8` plus child `5d3742a7`: [run 28568501430](https://github.com/NVIDIA/NemoClaw/actions/runs/28568501430) failed at the same pre-onboarding cleanup boundary and supplies no runtime acceptance evidence. - Superseded six-job set at `65b06d64`: [run 28568954862](https://github.com/NVIDIA/NemoClaw/actions/runs/28568954862) passed all six jobs, but the candidate advanced to close the advisor-confirmed shared diagnostic-redaction boundary and two proof-hardening review threads. - Superseded second native pass at `65b06d64`: [run 28568959028](https://github.com/NVIDIA/NemoClaw/actions/runs/28568959028) passed the full native runtime proof but is not final-head evidence. - Superseded forced-legacy proof on production parent `65b06d64` plus child `2c6dca1b`: [run 28568966557](https://github.com/NVIDIA/NemoClaw/actions/runs/28568966557) passed but is not final-parent evidence. - Final six-job exact-head set at `d76f1647`: [run 28601346031](https://github.com/NVIDIA/NemoClaw/actions/runs/28601346031) passed all six requested jobs. Native GPU, Hermes startup, root-entrypoint, secret-boundary, credential-sanitization, and messaging proofs are green; all 21 messaging raw-token surface probes are `ABSENT`, and every cleanup record has zero failures. - Final second native Hermes GPU pass at `d76f1647`: [run 28601348023](https://github.com/NVIDIA/NemoClaw/actions/runs/28601348023) passed 9/9 assertions. Artifact `8043702467` (`sha256:0ef929fa2478f5c9579ad2f282c46de8fe4d6eefb04acb062de1af29b4eb002c`) proves native routing, Ready/CUDA, `nvidia-smi`, `/proc`, successful `cuInit(0)`, OpenShell PID 1, one container/no backup, authenticated inference with zero forbidden-marker matches, and clean teardown. - Final failed-clone rollback proof checks out exact production SHA `d76f1647` from signed workflow-only child `4c49b5bc`: [run 28602166456](https://github.com/NVIDIA/NemoClaw/actions/runs/28602166456) passed. Artifact `8044114375` (`sha256:b5cff9cc7e7cf361f55e074a265c8cfefd3e6dc21ad0d300b140d2a749cde00b`) records clone exit 137 with `failure_kind=patched_container_failed` and `rolled_back=no` before finalize, then `rolled_back=yes`, exactly one running original container, no backup leak, guard-observed clone removal, clean canary scans, and clean fixture teardown. - Final forced-legacy success proof on exact production parent `d76f1647` plus signed workflow-only child `078a372d`: [run 28603335692](https://github.com/NVIDIA/NemoClaw/actions/runs/28603335692) passed 9/9 assertions. Artifact `8044550700` (`sha256:56d97c5caa8536ebff735ff600399ac7fafa2fed71206de1f5470e7d15549f6f`) proves `gpuRoute=legacy-patch`, `--device nvidia.com/gpu=all`, Ready/CUDA with all three GPU probes, correct OpenShell PID 1/command envelope, one container/no backup, integrity and negative guard checks, two authenticated inference requests with zero forbidden-marker matches, a clean artifact canary scan, and clean teardown. Source-of-truth review for the retained compatibility path: - **Invalid state:** the legacy swap temporarily leaves a stopped backup and running clone with the same OpenShell sandbox ID. - **Source boundary:** OpenShell's Docker driver reconciles container summaries into a map keyed only by sandbox ID; 0.0.71 can let the stopped backup overwrite the running clone and drive the gateway into terminal `Error`. - **Source-fix constraint:** the NemoClaw-supported OpenShell release does not contain deterministic active-container selection. The focused source fix is open as [NVIDIA/OpenShell#2116](NVIDIA/OpenShell#2116) and passes 96/96 Docker-driver tests, strict clippy, and formatting, but is not yet released or pinned here. - **Regression coverage:** routing tests pin native auto / forced legacy / WSL / Jetson behavior; recreate tests pin capture-before-finalize on both create timing paths; the secret canary uses the actual single `OPENSHELL_SANDBOX_COMMAND=env ...` envelope; the live test pins native and legacy runtime topology separately. - **Removal condition:** remove the legacy swap and its rollback/diagnostic modules after WSL and Jetson are proven on native OpenShell GPU injection and the supported OpenShell floor contains deterministic duplicate-container reconciliation. - **WSL boundary:** Docker Desktop WSL does not expose a usable native CDI route to this flow, so WSL retains the compatibility path and ignores `NEMOCLAW_DOCKER_GPU_PATCH=0`; routing tests lock that behavior. Remove it when Docker Desktop exposes usable `nvidia.com/gpu` CDI devices to the WSL distro. - **Jetson boundary:** Tegra `/dev/nvmap` and `/dev/nvhost-*` device ownership requires host group propagation for the non-root sandbox user; group-add tests lock that behavior. Remove it only when the platform/runtime supplies equivalent access without the compatibility recreate. Diagnostic redaction boundary: - **Source-of-truth invariant:** `collectDockerGpuPatchDiagnostics()` constructs the trusted per-bundle redactor, discovers conventional and custom-placeholder values from every known/discovered full inspect before writing, recursively redacts JSON values, and publishes every summary, Docker, OpenShell, and pre-rollback top artifact through that boundary. - **Bounded pre-rollback path:** the caller contributes only additive values discovered from the failed clone before snapshot capture so the shared 10-second budget cannot hide opaque values; the collector still performs its own discovery and owns every write. Direct raw-caller and exhausted-budget regressions scan all artifacts and returned summaries. - **Removal condition:** remove the additive pre-rollback discovery only when the shared collector can own snapshot capture inside the same budget without delaying rollback. Advisor architecture and follow-up rationale: - `docker-gpu-patch.ts` grows 58 lines to keep token validation before container mutation and bounded failed-clone capture before rollback. Splitting this security-critical ordering during the release-blocker fix would add cross-module state transfer; extract it when the legacy swap is retired after WSL and Jetson native proof. - `docker-gpu-local-inference.test.ts` grows 32 lines so bridge-probe routing assertions stay beside the behavior under test. Extract a bridge-probe module and focused test file if that surface grows again. - `docker-gpu-local-inference.ts` grows 15 lines to keep the bridge-probe/host-network decision beside its caller-facing contract; extract it with the tests if that surface grows again. - `docker-gpu-patch.test.ts` grows 13 lines and remains below 1,350 lines; split the mode-routing cases on the next growth. - The live fixture now supplies the canonical comma-delimited placeholder transport. Whitespace compatibility remains covered by parser unit tests and the messaging-provider scenario; the live proof intentionally matches the exact canonical startup environ token. - Dedicated `OPENSHELL_TLS_KEY` tests prove exact runtime acceptance, arbitrary/PEM/relative/near-miss rejection, persisted `.env` rejection, and continued rejection of supervisor identity tokens. The exact allowed path is sourced from `NVIDIA/OpenShell@v0.0.71` (`a242f84bb367d6df7d4d133e95a93857406c67f7`), where `driver_utils.rs::TLS_KEY_MOUNT_PATH` defines `/etc/openshell/tls/client/tls.key` and the Docker/Podman drivers inject it. This PR does not claim NVIDIA#6110 resolved until the reporter-class DGX Spark aarch64 or DGX Station GB300 NVIDIA Endpoints path passes. No such runner is declared in this repository, and organization runner inventory is not visible with the current permissions. Missing reporter hardware is an external acceptance blocker, not a passing result. The NVIDIA#6155 docs regression fix and current `main` through `9fe45362` are integrated. A refreshed pairwise merge-tree audit at `d76f1647` is clean with NVIDIA#5595 and NVIDIA#6153. NVIDIA#5876 directly conflicts in `e2e.yaml` and related Hermes/docs/workflow-boundary files; its resolution must union `hermes-gpu-startup` and `mcp-bridge-dev` selectors/result summaries and recompute uploader validation. NVIDIA#6020 already conflicts with current `main` and also overlaps NVIDIA#6142 outside `e2e.yaml`; NVIDIA#6053 is mergeable with `main` but conflicts pairwise in the uploader boundary. Those later branches must preserve NVIDIA#6142's explicit-only inventory and artifact contracts during retargeting; NVIDIA#6142 itself remains mergeable/CLEAN. --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Strengthened Hermes GPU startup proof and managed startup integrity assertions, plus added a skipped-by-default GPU live E2E run for startup readiness. * **Bug Fixes** * Tightened PID 1 identity validation to block runtime mutation under a foreign PID 1. * Improved Docker GPU/OpenShell sandbox command and placeholder handling; enhanced GPU failure diagnostics with safer redaction. * **Documentation** * Refined GPU passthrough and `NEMOCLAW_DOCKER_GPU_PATCH` guidance across native Linux, Docker Desktop WSL, and Jetson/Tegra. * **Tests** * Expanded unit/E2E coverage for placeholder parsing, readiness refusal, env/secret boundary enforcement, and diagnostic redaction. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary NemoClaw `v0.0.74` will ship stable OpenShell `v0.0.72`. This dependency layer advances the supported OpenShell contract from `0.0.71` to `0.0.72`, pins every consumed release artifact, preserves round-trippable policy state, and hardens installer verification so pull-request code cannot authorize its own pins. ## Related Issue Refs NVIDIA#5591. Follow-up to merged NVIDIA#5596. Dependency layer for NVIDIA#5876 and the accepted MCP design in NVIDIA#566. ## Changes - Pin stable OpenShell `0.0.72` across the supported version floor/ceiling, installer, Brev launchable, blueprint, supervisor image, workflow, and live-E2E contracts. OpenShell development builds remain compatibility evidence, not the shipping runtime. - Pin all consumed CLI, gateway, and sandbox archives plus both Brev CLI references to the official `v0.0.72` checksum manifests. - Read mutation input from `openshell policy get --base`, strip reserved `_provider_*` entries before `policy set`, retain `--full` only for read-only diagnostics, and preserve future mapping sections plus MCP/JSON-RPC fields during merges. - Route the CommonJS CLI and ESM plugin through one generated OpenShell policy boundary and exact-pin `yaml` `2.8.3` in both production package graphs. - Normalize that boundary for both compiled CommonJS and source-mode `tsx` loading. A subprocess package-contract test reproduces the live source-loader path that exposed the mismatch. - Run installer verification from base-trusted code. The introducing PR falls back only to immutable commit `cb5e9aefab2b16fedc0995149fc3520da0d5e0c7`, verified as tree `1fdf59efe40b78c407e222fd42043b23a61e199a`, with an enforced expiry at `2026-12-29T19:35:41Z`. - Treat PR-head installer files as data only. The trusted parser rejects symbolic links, a symbolic-link `scripts` parent, non-regular files, changed inode/device identity, and input over 1 MiB; it opens with `O_NOFOLLOW` and performs a bounded descriptor read. - Fail installer verification closed on missing, duplicate, mismatched, incomplete, or unreachable OpenShell/Brev pin data. - Publish the OpenShell `0.0.72` compatibility review and align version, policy, gateway-authentication, and troubleshooting documentation. ### Exact-head evidence - PR head: `2d06fa01b624b63813fe558ce36b29d47ad31e36`, based exactly on current `main` `dc96deb24d67eeeb2cb7b2bb42c7c53f000507f3`. The final signed merge incorporates the release-boundary revert that defers unrelated dcode-status work, so this dependency PR does not reintroduce NVIDIA#6202 outside its scope. - GitHub verifies the new merge commit signature, DCO is green, the prior maintainer approval remains recorded at [review 4611344448](NVIDIA#6020 (review)), and GitHub reports the PR graph as `MERGEABLE`. - Post-restack local validation passes `build:cli`, full and CLI typechecks, repository checks, generated agent-doc synchronization, affected Deep Agents image contracts, and `git diff --check`. - All exact-head ordinary PR checks are terminal green (33 successful, three skipped/neutral, zero failures), including macOS/WSL E2E, every CLI shard and aggregate, static/security scans, DCO, and both PR Review Advisor jobs. GitHub reports `APPROVED` and `MERGEABLE/CLEAN`. - Exact-head selected OpenShell [E2E run 28632123304](https://github.com/NVIDIA/NemoClaw/actions/runs/28632123304) is terminal green: version pin, gateway-auth contract, network policy, gateway upgrade/state restoration, scorecard, and the no-comment reporter all passed from a temporary no-PR ref at the identical commit. The temporary ref was deleted after completion. - Exact-head PR Review [run 28632002111](https://github.com/NVIDIA/NemoClaw/actions/runs/28632002111) and E2E Advisor [run 28632002140](https://github.com/NVIDIA/NemoClaw/actions/runs/28632002140) are green. GPT reports no actionable finding; Nemotron's check passed but both JSON synthesis attempts were unparseable, so that model's artifact is incomplete rather than clearance. E2E Advisor reports high confidence and selects the four live lanes linked above. ### Trust-boundary notes - The immutable bootstrap is intentionally used only while the PR base lacks the trusted action. Once that action exists on the base, executing the newer base-trusted verifier is the stronger boundary; the expiring bootstrap should then be removed rather than run redundantly. - No untrusted PR process executes alongside the parser. GitHub checks out inert PR data, then trusted code validates and reads the already-opened descriptor. The link/type/identity/bounds checks cover repository-controlled redirection and exhaustion inputs without claiming protection from a privileged concurrent host writer. - Stable OpenShell `0.0.72` accepts an unmarked policy root only when it contains `version` or `network_policies`; metadata-only and malformed documents fail closed. Versionless `network_policies` is retained for the supported compatibility contract. ### Advisor disposition - GPT reported no required findings and one warning about the mutable default `BASE_IMAGE` tag. That `ARG BASE_IMAGE=ghcr.io/nvidia/nemoclaw/sandbox-base:latest` line is unchanged from current `main`; this dependency PR neither introduces nor broadens that repository-wide build default. - Nemotron's bootstrap finding would weaken the intended trust transition: the immutable bootstrap exists only for the introducing PR. Once the action is present on the base, the newer base-trusted action must replace the older bootstrap; both paths are immutable for the current event and are contract-tested. - Nemotron's parser race assumes an untrusted concurrent filesystem writer. PR code is never executed in this job: GitHub checks out inert data, then trusted code rejects links/special files, checks the opened descriptor's device/inode, bounds the read, and closes it. A privileged host writer is outside this PR-input threat model. - Nemotron's checksum finding is not circular. The trusted checker pins the SHA-256 of each upstream checksum manifest, verifies that immutable manifest before reading it, and compares every embedded installer pin with exactly one manifest entry. At install time each named archive must exist and match its pinned digest, so a missing asset still fails closed without downloading all archives during every PR check. - The generated-boundary auditor executes in the Docker builder stage exercised by ordinary `build-sandbox-images` CI. The exact source-mode `.cts` versus generated `.cjs` mismatch found by live proof is now covered directly by the subprocess package-contract test and the compiled runner suites. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [x] Existing tests cover changed behavior — justification: policy mutation, package boundary, installer trust, workflow selection, and runtime upgrade/state-restoration have focused coverage; final selected E2E is linked above. - [ ] Tests not applicable — justification: not applicable; this changes security-sensitive installer, policy, and runtime compatibility behavior. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: not applicable; supported OpenShell versions and policy behavior are user-facing. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: the linked approval predates the current head; exact-head human review or an explicit carried-approval decision remains required, and no waiver is requested. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: no waiver is requested; exact-head ordinary CI is green, and the selected run's comment-only reporter caveat is documented above and is not a required PR check. ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [x] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Preksha Vyas <prekshiv@nvidia.com> Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Prekshi Vyas <34834085+prekshivyas@users.noreply.github.com>
<!-- markdownlint-disable MD041 --> ## Summary Adds native OpenShell-managed authenticated HTTPS Streamable HTTP MCP server lifecycle for OpenClaw, Hermes, and LangChain Deep Agents Code. It exposes `mcp add|list|status|restart|remove`, integrates crash-safe rebuild and destroy recovery, and keeps raw credentials out of sandbox files and NemoClaw registry state. Stable OpenShell `0.0.72` is the shipping dependency for NemoClaw `v0.0.74`. ## Related Issue Closes NVIDIA#566. Refs NVIDIA#6195. Implements the [accepted native OpenShell design decision](NVIDIA#566 (comment)). Supersedes the closed host-proxy implementation in NVIDIA#565. ## Changes - Support OpenClaw, Hermes, and LangChain Deep Agents Code with `mcp add|list|status|restart|remove`; normal sandbox rebuild and destroy participate in lifecycle reconciliation. - Accept only authenticated canonical HTTPS Streamable HTTP endpoints with exactly one host-side `--env KEY` credential reference per server. - Use native OpenShell `protocol: mcp` policy enforcement and provider-backed credential replacement. NemoClaw starts no MCP proxy, relay, listener, stdio adapter, or persistent secret-bearing host process. - Persist only credential names and opaque ownership metadata. Agent configuration contains `Bearer openshell:resolve:env:KEY`; raw values are supplied only to the allowlisted OpenShell provider subprocess. - Fail closed on private/local/special-use targets, unsupported host aliases, userinfo, query, fragment, percent characters, non-canonical paths, ambiguous provider/policy/adapter state, and ownership drift. - Serialize supported per-sandbox writers with one cross-process mutation lock and exact-check policy/provider state before and after mutation. - Preserve owned MCP intent across rebuild, recover interrupted add/remove/destroy transactions, and delete shared state only after exact ownership verification. - Add stable and explicit dev-channel live lanes, artifact credential scanning, workflow boundary tests, operator documentation, and focused security/lifecycle regression coverage. ### Apurv review feedback addressed - [x] [Use the checked-in Hermes `BASE_IMAGE` pin](NVIDIA#5876 (comment)): validation now reads the single immutable `ARG BASE_IMAGE=...@sha256:...` from the actual final Dockerfile, accepts only that official digest, and rejects a different digest. The obsolete `NEMOCLAW_STALE_OPENCLAW_BASE_DIGEST` guard is removed. - [x] [Preserve falsey non-map YAML roots](NVIDIA#5876 (comment)): both Hermes transaction paths normalize only `None` to `{}`. `[]`, `false`, `0`, and `""` reach the object-root guard and fail without a write; tests prove byte preservation and zero writes. - [x] [Block rebuild while MCP destroy is incomplete](NVIDIA#5876 (comment)): live rebuild and absent-sandbox onboarding reject both `destroyPreparedAt` and `destroyPendingAt` before policy, adapter, provider, gateway, pruning, or recreation work. - [x] [Reject every percent character and retain legacy cleanup](NVIDIA#5876 (comment)): host and Hermes add validation reject `%`, `%GG`, `%2`, and valid percent escapes before side effects. Forced Hermes cleanup validates the action and server name, then removes the exact legacy key without re-rejecting its already-persisted URL. - [x] [Recheck exact policy content and serialize supported writers](NVIDIA#5876 (comment)): the fresh policy read deep-compares the live key with the exact previously owned content and refuses changed or removed values before `policy set`; a post-set exact read gates ownership commit. Supported NemoClaw policy, channel, shields, inference, snapshot, onboarding, and config writers share the per-sandbox lock. - [x] [Keep credential revision proof host-side](NVIDIA#5876 (comment)): the sandbox-writable revision snapshot is removed. Fresh OpenShell-mediated execs return only bounded `absent`, `canonical`, or `vN` observations; the host retains the prior value and requires a changed, non-absent revision after update. The review fixes landed in signed commit `299efb5c1eaeec21f9b91d7d1ce9874b6768d8e8` and remain present on final exact head `f9283fe624a479796ee1dcba35e5e95fde182ab2`. ### Release boundary and residual-risk disposition - Stable OpenShell `0.0.72` is the only supported and shipped OpenShell version for NemoClaw `v0.0.74`; installer, blueprint, workflow, and credential-boundary data are aligned to that version. - OpenShell `0.0.72` attributes some script clients to Node/Python interpreters rather than immutable package entrypoints. Exact destination, literal path, MCP method profile, request-size bound, public-IP pins, provider ownership, and runtime checks narrow that grant. Remove interpreter grants when OpenShell exposes stable package-entrypoint attribution. - Static provider credentials are sandbox-scoped rather than endpoint-exclusive. Every managed server requires a unique credential name and a least-privilege token; operators must not grant the same runtime a broader route capable of resolving that placeholder. - Supported NemoClaw writers are serialized, and external drift visible before or after mutation is rejected by exact reads. A direct external `openshell policy set` does not participate in NemoClaw's lock, and OpenShell `0.0.72` exposes no policy compare-and-swap/version precondition. If an external set lands in the narrow interval after the fresh read and loses the final write race, it can be overwritten. Closing that arbitrary-client race requires an upstream OpenShell CAS primitive; this PR does not claim atomicity beyond supported NemoClaw writers. - OpenShell policy does not bind URL scheme, HTTP `Host`, or query parameters. NemoClaw therefore accepts only canonical HTTPS URLs and rejects userinfo, query, fragment, percent characters, credential-shaped paths, and unsupported aliases. - Stable OpenShell cannot safely parse bracketed IPv6 literals in HTTPS CONNECT targets. Direct IPv6 literals are rejected; DNS AAAA destinations remain supported through resolve/validate/connect and exact public-address pins. - The explicit compatibility-only dev lane consumed mutable OpenShell `0.0.76-dev.3+g6461677c`. OpenClaw and Deep Agents passed, but Hermes rebuild exited during pre-delete MCP preservation. The same exact NemoClaw head passed the identical Hermes rebuild with supported stable `0.0.72`. Because the dev lane is non-default, unverified, outside the `v0.0.74` support range, and not a required PR check, this PR does not add speculative compatibility code for the moving artifact; compatibility should be re-evaluated with OpenShell before NemoClaw widens its supported range. ### Exact-head verification - PR head `f9283fe624a479796ee1dcba35e5e95fde182ab2` is signed and GitHub-verified, based on current `main` `fdf1d585666c95429c4ca2222288dd8a5ce7830a`, and labeled `v0.0.74`. - The final restack integrates current-main DCode `0.1.30` runtime hardening while preserving managed MCP in interactive and headless paths. The complete sandbox-writable MCP file is validated fail-closed as HTTPS-only registry-owned shape before launch; stdio commands, extra headers, raw credentials, mismatched placeholders, unsafe ownership/mode, and unrelated top-level configuration are rejected. - Final local validation passed build, typecheck, all 44 config schemas, repository checks, commit/push hooks, 290/290 focused CLI tests, 192/192 MCP integration tests, 77/77 DCode image-contract tests, and the affected DCode direct-entrypoint, snapshot, rebuild, proxy, and legacy-lifecycle suites. The third-party-notice harness passes 14/14 DCode rebuild tests. Two Linux-only test fixtures needed adaptation after the current-main DCode wrapper added isolated managed-MCP validation: `bf9100f` stubs every isolated Python invocation in the empty-prompt fixture, and `f9283fe` uses the established exact validator stub in the identity fixture before its existing launch stub. Both fixes are test-only; formatting, repository growth, fixture-transform, commit, and push guards pass. - Exact-head [CI / Pull Request run 28683600527](https://github.com/NVIDIA/NemoClaw/actions/runs/28683600527) and the standard PR check rollup are in progress. - Exact-head selective E2E runs [28683610226](https://github.com/NVIDIA/NemoClaw/actions/runs/28683610226) (`mcp-bridge`, `hermes-e2e`) and [28683611376](https://github.com/NVIDIA/NemoClaw/actions/runs/28683611376) (`ubuntu-repo-cloud-langchain-deepagents-code`) are in progress. - Exact-head [Sandbox Images and E2E run 28683612355](https://github.com/NVIDIA/NemoClaw/actions/runs/28683612355) is in progress. - Results will be recorded here after completion; no required-check waiver is requested. GitHub reports the graph `MERGEABLE`. The prior `CHANGES_REQUESTED` state is being re-requested after the six addressed threads are dispositioned; no review waiver is requested. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [x] Existing tests cover changed behavior — justification: focused coverage exercises adapter, policy, credential, ownership, race, crash/rebuild/destroy, Hermes transaction/reload, workflow, and live-runtime boundaries. - [ ] Tests not applicable — justification: not applicable; this adds security-sensitive credential and sandbox lifecycle behavior. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: not applicable; MCP setup and stable limitations are user-facing. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Apurv's six findings are addressed and dispositioned; refreshed human approval is pending, and no waiver is requested. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: no required-check waiver is needed. Required checks are running on the final restacked head; no waiver is requested. The non-required mutable dev-channel compatibility result disclosed above remains outside the `v0.0.74` release boundary. ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [x] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
## Summary Hardens the managed-MCP work merged in NVIDIA#5876 so DCode rebuilds validate every reconstructable input before crossing the destructive delete boundary, preserve exact policy intent, and migrate legacy managed MCP state fail-closed. Prepared rebuild artifacts and the derived MCP runtime snapshot remain ephemeral and process-local; neither is persisted in FSM or checkpoint state, so this does not implement NVIDIA#6224. ## Related Issue Refs NVIDIA#5876 Refs NVIDIA#6195 Refs NVIDIA#6218 ## Changes - Revalidate DCode route, image, Dockerfile, reasoning, web-search, and MCP inputs after preparation and before NIM stop or sandbox deletion; restore MCP state and relock shields on failure. - Preserve exact custom network policy replay while keeping generated MCP rules under the MCP adapter's exclusive ownership. - Add protocol-specific policy schema validation for REST, WebSocket, JSON-RPC, and MCP matchers, including cross-rule `tools/call` conflict rejection. - Pin Deep Agents Code 0.1.30 and load only a strict, canonicalized managed MCP projection from a process-local integrity-bound snapshot. Sealed memfd is preferred; when OpenShell seccomp blocks it, an anonymous `O_TMPFILE` inode is reopened read-only and bound by descriptor, device, inode, size, kind, and SHA-256, with ambient discovery disabled. - Bind the canonical TypeScript secret-pattern source and flags to one shared behavior corpus executed through the Bash and Python DCode enforcement boundaries, including the full ECMAScript whitespace set. - Add capability-v2 gating and legacy-v1 teardown/rollback that preserves unrelated user configuration and fails closed on malformed, unsafe, or drifted state. - Add rebuild, migration, runtime-patch, schema, snapshot, and lifecycle coverage; update the MCP, policy, security, command, and DCode documentation. Verification notes: - Final DCode-adjacent run: 9 files, 187 tests passed; the focused descriptor/projection run passed 4 files and 138 tests. - Final review-follow-up run: 82 focused Bash/Python/TypeScript parity and descriptor-fallback tests passed, including all 25 ECMAScript whitespace code points under both `C` and `C.UTF-8` Bash locales. - Full pre-squash-equivalent run: 1,068 files passed, 2 skipped; 12,149 tests passed, 35 skipped. - CLI coverage ratchet passed with the repository include/exclude set expressed as one Vitest glob: lines 65.24%, statements 64.45%, functions 67.06%, branches 57.21%. - Python compile, Biome, ShellCheck, shfmt, source-shape, test-size, repository, secret-scan, and diff checks passed. The normal push hook passed CLI typechecking. - Main-sync validation after merging NVIDIA#6265 passed: 9 CLI files/82 tests, 6 integration files/174 tests, an additional 3 preparation tests, CLI typecheck, Biome, and diff checks. Generated-context provenance was ported into the split preflight fixtures without restoring the obsolete monolith. - Exact-head CI for `9a31537785ef2d456901de622721ed215627fdec` passed: 40 checks green, all five required contexts passed, and there were 0 failures, cancellations, or pending checks. The only skips were the expected docs-only job and two duplicate NVSkills request jobs. This includes all five CLI shards plus the aggregate, both CodeQL languages, both sandbox image builds, macOS, WSL, four self-hosted runtime checks, CodeRabbit, and both review advisors. - Exact-head live E2E for `9a31537785ef2d456901de622721ed215627fdec` passed: [`mcp-bridge`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844701), [`mcp-bridge-dev`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844719), and [`ubuntu-repo-cloud-langchain-deepagents-code`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844639). Stable and dev each passed OpenClaw, Hermes, and DCode 3/3; authenticated MCP calls passed initially and after restart, credential rotation, and rebuild, then removal denied access with no provider, policy, tunnel, or credential residue. The dedicated DCode lane passed Landlock 5/5, Python egress 14/14, headless inference 10/10, secret boundary 8/8, Tavily 6/6, and TUI 4/4; BuildKit accepted the merged generated-context handoff, and invalid-credential rebuild failure remained pre-destructive with the original sandbox, marker, and route recovered. Artifact inspection found one unchanged pre-existing harness defect: two OpenShell audit-log filtering subassertions can false-pass because awk treats `close` as reserved; runtime-output, sandbox-log, env-file immutability, and raw-secret checks passed, and this PR does not modify that E2E file. - The base `test-cli` pre-commit invocation remains affected by Vitest 4.1.9 collapsing repeated `--coverage.exclude` arguments to a zero-file/invalid summary. All other commit and push hooks passed; targeted tests and the authoritative sharded CI coverage checks provide the exact-head gate. - `npm run docs` completed with 0 errors and 2 pre-existing Fern warnings. Two documentation-writer audits confirmed the final behavior is accurately documented. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent security and correctness reviews passed after fixes; destructive-boundary rollback, capability migration, the process-local integrity-bound snapshot handoff (sealed memfd preferred, anonymous `O_TMPFILE` fallback), cross-language secret-pattern parity, policy fidelity, and the NVIDIA#6224 boundary were checked. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [x] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Enhanced managed MCP bridge support with managed-only configuration snapshots for safer add/restart/rebuild/teardown. * Network policy protocol rules now support protocol-specific matching plus stricter `endpoint.path` validation. * **Bug Fixes** * Stronger fail-fast validation for MCP server names/hostnames and endpoint details (rejected before changes are applied). * Rebuild flows improved to preserve/replay custom policies and validate after MCP preparation, with rollback on failure. * **Documentation** * Updated setup/quickstart/reference and MCP bridge/rebuild guidance for managed MCP capability v2 behavior and stricter validation rules. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Adds a shared tool-disclosure mode across Deep Agents Code, Hermes, and OpenClaw. New sandboxes default to `progressive`; `--tool-disclosure direct` or `NEMOCLAW_TOOL_DISCLOSURE=direct` restores the prior fully visible catalog. The mode persists through resume and transactional rebuilds. The design follows [LangChain progressive disclosure](https://support.langchain.com/articles/8488719552-progressive-tool-disclosure-with-deep-agents), [Hermes Tool Search](https://hermes-agent.nousresearch.com/docs/user-guide/features/tool-search), and the pinned [OpenClaw v2026.5.27 Tool Search contract](https://github.com/openclaw/openclaw/blob/v2026.5.27/docs/tools/tool-search.md). This is the v0.0.74 bundle. Exact head `e4214144c11dd47b9d3185f19c1c73ec4e690552` includes `main` at `6f5ccbcbaa87367f7b521318fbc940467045b601`. ## Related Issue NVIDIA#5876 is merged. This PR has no remaining stacked dependency and preserves its managed-MCP ownership contract. ## Changes - Add the shared `--tool-disclosure progressive|direct` onboarding and rebuild option, with `NEMOCLAW_TOOL_DISCLOSURE` as the environment equivalent. CLI input takes precedence and fresh sandboxes default to `progressive`. - Persist the selected mode in session and registry state. Resume, recreation, and MCP-bearing rebuilds preserve or transactionally change it in either direction. - Add bounded `search_tools` middleware to Deep Agents Code when at least one MCP tool loads successfully. Core tools remain visible, discovery state survives checkpointing, and only model requests are filtered; the complete executor registry and existing authorization controls remain intact. - Enable Hermes native Tool Search with opinionated 5/20 result limits and direct core tools. - Enable OpenClaw native structured `mode: "tools"` discovery with 8/20 limits while retaining model-specific compatibility safeguards. - Patch and validate the exact pinned `deepagents-code==0.1.30` runtime with fail-closed, idempotent anchors and separate middleware instances for the main agent and local subagents. - Add build-time/runtime validators, lifecycle and overflow coverage, transactional custom-image handling, and user-facing documentation for progressive/direct behavior. ### Managed MCP boundary This PR does not change MCP configuration, credential placeholders, bridge ownership, policy generation, MCP CLI behavior, or registry schemas from NVIDIA#5876. Managed OpenClaw MCP remains registered in mcporter's home registry. Pinned OpenClaw Tool Search reads native bundle and `mcp.servers` catalogs, and NemoClaw does not currently synchronize those ownership stores. The OpenClaw runtime validator therefore proves native search, describe, and call behavior for eligible hidden catalog tools, while the existing live MCP scenario separately proves mcporter execution, credential rewriting and rotation, restart/rebuild behavior, policy enforcement, DNS-rebinding protection, and secret boundaries. A fixture-only projection between those stores would not represent shipped behavior. ### Apurv security review resolution 1. **Callable namespace:** Deep Agents Code rejects every duplicate resolved callable name and every non-managed owner of a reserved core name before the original factory in progressive and direct modes. Coverage includes regular/regular, regular/MCP, cross-MCP-server, direct-mode, and schema/executor mismatch cases. 2. **Build-context seal:** fingerprints require a real directory root and encode portable mode bits, nanosecond modification times, link counts, and deterministic hardlink topology. Pre-delete and final one-shot tests cover hardlink, timestamp, permission, and root-symlink mutations. 3. **Dockerfile patch boundary:** patching anchors and revalidates the staging parent, rejects multi-link files, writes a fresh private same-directory file, and atomically replaces the staged Dockerfile without truncating an attacker-selectable inode. 4. **Chunk-safe diagnostics:** raw cloudflared child output is not emitted in failures. Only bounded per-stream carry is retained for origin discovery, with split-event credential regressions proving fragments and reconstructed secrets remain absent. ### CodeRabbit and CodeQL resolution - Every CodeRabbit finding is implemented or explicitly dispositioned with repository evidence, including URL-token punctuation, the intentional private hosted model identifier, and the final Darwin fixture fail-fast nit. GraphQL reports zero unresolved review threads; exact-head CodeRabbit status is green. - [CodeQL alert NVIDIA#1210](https://github.com/NVIDIA/NemoClaw/security/code-scanning/1210) is dismissed as a false positive. The flagged sink opens an existing directory read-only with `O_DIRECTORY | O_NOFOLLOW | O_NONBLOCK`; it does not use `O_CREAT`. The real replacement file remains UUID-named, `O_CREAT | O_EXCL | O_NOFOLLOW`, mode `0600`, descriptor/path identity checked, single-link validated, fsynced, and atomically renamed. Exact-head CodeQL is green with no open branch alerts. ### Validation - Local focused matrix: 19 files / 327 tests passed; one true Linux-only `memfd`/`O_TMPFILE` restart case was skipped on macOS. - Exact pinned Deep Agents Code/LangChain patch and runtime validator passed: `progressive-disclosure-runtime-ok`. - Both TypeScript typechecks, build, repository checks, source-shape/test-size guards, Biome, Ruff/Python compilation, secret scanning, push checks, and `git diff --check` passed. - Final-head standard validation is green: [PR CI](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184882), [growth guardrails](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184428), [WSL](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184879), [macOS](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184874), [security](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184917), [CodeQL](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184138), [review advisors](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184863), and the [E2E advisor](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184880). The original exact-head check set and subsequent metadata checks are all green, with only the two expected skips. - The exact-head [typed OpenClaw and Deep Agents targets](https://github.com/NVIDIA/NemoClaw/actions/runs/28700290435) passed. - The exact-head [production-image workflow](https://github.com/NVIDIA/NemoClaw/actions/runs/28700292369) passed both requested image builds and all four downstream image E2E checks. - In the exact-head [advisor-selected live union](https://github.com/NVIDIA/NemoClaw/actions/runs/28700286465), 18 of 19 concrete jobs passed. The sole Hermes security-posture failure occurred in its deliberate gateway-recovery probe after restart, secret-boundary, and disclosure assertions had passed. The isolated exact-head [security retry](https://github.com/NVIDIA/NemoClaw/actions/runs/28700509914) passed both Hermes and OpenClaw legs, so every selected live lane has passing final-head evidence. - The GPT review advisor's remaining OpenClaw MCP model-loop warning is explicitly dispositioned by the managed-MCP ownership boundary above: the native OpenClaw catalog and mcporter registry are separate shipped stores, and a test-only projection would claim behavior the production bridge does not provide. ### Remaining - Obtain Apurv's exact-head re-review to clear the formal `CHANGES_REQUESTED` state and complete sensitive-path approval. - Rebuild affected existing sandboxes after this change ships; newly created sandboxes default to progressive disclosure. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Apurv exact-head re-review pending after all four requested fixes. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: no waiver requested; exact-head security retry is green. ## Verification - [x] PR description includes the DCO sign-off declaration and every feature commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes — all applicable hooks passed; the known hanging local unsharded `test-cli` coverage hook was skipped and exact-head sharded Linux CI is authoritative. - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [ ] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only; current build has two pre-existing warnings) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [x] New doc pages include SPDX header and frontmatter (new pages only; no new doc pages) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary This PR prepares the user-facing documentation for v0.0.74 before the release plan is frozen. It expands the release notes across the 56-commit train and closes durable documentation gaps found during the pre-tag commit scan. ## Changes - Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed MCP, progressive tool disclosure, LangChain Deep Agents Code, onboarding, local inference, messaging, recovery, and contributor workflows. - Correct the `destroy` contract for retained per-name volumes, gateway-unreachable `--force` cleanup, managed MCP ownership, and same-name recovery. - Document separate remediation for an unreachable container DNS resolver versus one that answers with `NXDOMAIN` or `REFUSED`. - Document the Windows on Arm N1X automatic Ollama safeguard and its remaining large-model limitations. - State that messaging conflicts abort rebuild before backup or deletion, leaving the original sandbox intact. - Link the agent-runnable value benchmark from the contributor task index. - Synchronize generated agent command variants. - Validate with `npm run docs:sync-agent-variants` and `npm run docs`; Fern completed with 0 errors and 2 existing warnings. - Source summary: - [NVIDIA#6020](NVIDIA#6020) and [NVIDIA#5876](NVIDIA#5876) -> `docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy boundary and managed MCP lifecycle. - [NVIDIA#6251](NVIDIA#6251) and [NVIDIA#5989](NVIDIA#5989) -> `docs/about/release-notes.mdx`: Summarize progressive tool disclosure and sandbox-first inference controls. - [NVIDIA#6232](NVIDIA#6232), [NVIDIA#6082](NVIDIA#6082), [NVIDIA#6219](NVIDIA#6219), [NVIDIA#6214](NVIDIA#6214), [NVIDIA#6215](NVIDIA#6215), [NVIDIA#6230](NVIDIA#6230), and [NVIDIA#6260](NVIDIA#6260) -> `docs/about/release-notes.mdx`: Summarize the experimental LangChain Deep Agents Code status, secret, version, rebuild, snapshot, and MCP boundaries. - [NVIDIA#6166](NVIDIA#6166), [NVIDIA#6254](NVIDIA#6254), [NVIDIA#6265](NVIDIA#6265), [NVIDIA#6164](NVIDIA#6164), and [NVIDIA#6017](NVIDIA#6017) -> `docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated image reuse, bounded readiness, and preflight improvements. - [NVIDIA#6150](NVIDIA#6150) -> `docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`: Separate unreachable-resolver remediation from reachable-but-rejected DNS responses. - [NVIDIA#6234](NVIDIA#6234) -> `docs/about/release-notes.mdx`, `docs/inference/use-local-inference.mdx`, and `docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B selection and the remaining explicit-large-model boundary. - [NVIDIA#6129](NVIDIA#6129), [NVIDIA#5987](NVIDIA#5987), [NVIDIA#5955](NVIDIA#5955), and [NVIDIA#6220](NVIDIA#6220) -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Document messaging policy persistence, status, and the pre-destructive conflict check. - [NVIDIA#5963](NVIDIA#5963), [NVIDIA#6050](NVIDIA#6050), [NVIDIA#6094](NVIDIA#6094), [NVIDIA#6238](NVIDIA#6238), [NVIDIA#5988](NVIDIA#5988), [NVIDIA#6235](NVIDIA#6235), [NVIDIA#6181](NVIDIA#6181), and [NVIDIA#5986](NVIDIA#5986) -> `docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and clarify retained-volume and local-only destroy semantics. - [NVIDIA#6200](NVIDIA#6200), [NVIDIA#6248](NVIDIA#6248), [NVIDIA#6168](NVIDIA#6168), [NVIDIA#6270](NVIDIA#6270), and [NVIDIA#5649](NVIDIA#5649) -> `docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize contributor setup and verification improvements and expose the advisory value benchmark. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: documentation-only release preparation; generated-variant synchronization and the Fern docs build validate the changed pages and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: tests are not applicable to this documentation-only change; `npm run docs` validates the source and generated routes. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Expanded setup guidance for Windows on Arm devices with safer default local model selection. * Clarified local inference and sandbox messaging behavior, including conflict checks before rebuilds and safer recovery steps. * Updated destroy/rebuild/reference docs with more detailed warnings, failure handling, and volume-retention guidance. * Improved troubleshooting instructions for Docker DNS issues with clearer paths for unreachable vs. blocked resolvers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Summary
Adds native OpenShell-managed authenticated HTTPS Streamable HTTP MCP server lifecycle for OpenClaw, Hermes, and LangChain Deep Agents Code. It exposes
mcp add|list|status|restart|remove, integrates crash-safe rebuild and destroy recovery, and keeps raw credentials out of sandbox files and NemoClaw registry state. Stable OpenShell0.0.72is the shipping dependency for NemoClawv0.0.74.Related Issue
Closes #566.
Refs #6195.
Implements the accepted native OpenShell design decision.
Supersedes the closed host-proxy implementation in #565.
Changes
mcp add|list|status|restart|remove; normal sandbox rebuild and destroy participate in lifecycle reconciliation.--env KEYcredential reference per server.protocol: mcppolicy enforcement and provider-backed credential replacement. NemoClaw starts no MCP proxy, relay, listener, stdio adapter, or persistent secret-bearing host process.Bearer openshell:resolve:env:KEY; raw values are supplied only to the allowlisted OpenShell provider subprocess.Apurv review feedback addressed
BASE_IMAGEpin: validation now reads the single immutableARG BASE_IMAGE=...@sha256:...from the actual final Dockerfile, accepts only that official digest, and rejects a different digest. The obsoleteNEMOCLAW_STALE_OPENCLAW_BASE_DIGESTguard is removed.Noneto{}.[],false,0, and""reach the object-root guard and fail without a write; tests prove byte preservation and zero writes.destroyPreparedAtanddestroyPendingAtbefore policy, adapter, provider, gateway, pruning, or recreation work.%,%GG,%2, and valid percent escapes before side effects. Forced Hermes cleanup validates the action and server name, then removes the exact legacy key without re-rejecting its already-persisted URL.policy set; a post-set exact read gates ownership commit. Supported NemoClaw policy, channel, shields, inference, snapshot, onboarding, and config writers share the per-sandbox lock.absent,canonical, orvNobservations; the host retains the prior value and requires a changed, non-absent revision after update.The review fixes landed in signed commit
299efb5c1eaeec21f9b91d7d1ce9874b6768d8e8and remain present on final exact headf9283fe624a479796ee1dcba35e5e95fde182ab2.Release boundary and residual-risk disposition
0.0.72is the only supported and shipped OpenShell version for NemoClawv0.0.74; installer, blueprint, workflow, and credential-boundary data are aligned to that version.0.0.72attributes some script clients to Node/Python interpreters rather than immutable package entrypoints. Exact destination, literal path, MCP method profile, request-size bound, public-IP pins, provider ownership, and runtime checks narrow that grant. Remove interpreter grants when OpenShell exposes stable package-entrypoint attribution.openshell policy setdoes not participate in NemoClaw's lock, and OpenShell0.0.72exposes no policy compare-and-swap/version precondition. If an external set lands in the narrow interval after the fresh read and loses the final write race, it can be overwritten. Closing that arbitrary-client race requires an upstream OpenShell CAS primitive; this PR does not claim atomicity beyond supported NemoClaw writers.Host, or query parameters. NemoClaw therefore accepts only canonical HTTPS URLs and rejects userinfo, query, fragment, percent characters, credential-shaped paths, and unsupported aliases.0.0.76-dev.3+g6461677c. OpenClaw and Deep Agents passed, but Hermes rebuild exited during pre-delete MCP preservation. The same exact NemoClaw head passed the identical Hermes rebuild with supported stable0.0.72. Because the dev lane is non-default, unverified, outside thev0.0.74support range, and not a required PR check, this PR does not add speculative compatibility code for the moving artifact; compatibility should be re-evaluated with OpenShell before NemoClaw widens its supported range.Exact-head verification
f9283fe624a479796ee1dcba35e5e95fde182ab2is signed and GitHub-verified, labeledv0.0.74, approved by Apurv, and merged tomainasbddbb3e2418766015b931829571202f443a788f1. Immediately before merge,mainadvanced by heading-only commitcc532e5; the overlap audit andmerge-treewere clean.0.1.30runtime hardening while preserving managed MCP in interactive and headless paths. The complete sandbox-writable MCP file is validated fail-closed as HTTPS-only registry-owned shape before launch; stdio commands, extra headers, raw credentials, mismatched placeholders, unsafe ownership/mode, and unrelated top-level configuration are rejected.bf9100fstubs every isolated Python invocation in the empty-prompt fixture, andf9283feuses the established exact validator stub in the identity fixture before its existing launch stub. Both fixes are test-only; formatting, repository growth, fixture-transform, commit, and push guards pass.cli-tests, and requiredchecks; the standard PR check rollup completed with no failures.ubuntu-repo-cloud-langchain-deepagents-code.mcp-bridgeandhermes-e2e. The workflow-level conclusion is failure only because the post-testreport-to-prjob correctly refused to comment after PR feat(mcp): add OpenShell-managed MCP servers #5876 had already merged; the scorecard also passed.Apurv approved the exact final head after all six findings were addressed, then merged it to
main; issue #566 closed with the merge.Type of Change
Quality Gates
f9283feafter all six findings were addressed; no waiver was used.v0.0.74release boundary.Verification
Verifiedin GitHubnpx prek run --from-ref main --to-ref HEADpassesnpm testpasses (broad runtime changes only)npm run docsbuilds without warnings (doc changes only)Signed-off-by: Aaron Erickson aerickson@nvidia.com