feat(agents): add progressive tool disclosure#6251
Conversation
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Merge current main and the final OpenShell 0.0.72 compatibility fixes into the MCP feature while preserving the NemoClaw v0.0.73 release target. Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com> # Conflicts: # .github/workflows/e2e.yaml # test/pr-workflow-contract.test.ts
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
|
Exact head 6cf1aa4 addresses CodeQL alert #1210. The flagged call opens an existing staging directory read-only with O_DIRECTORY, O_NOFOLLOW, and O_NONBLOCK; it does not create a temporary file. The actual atomic-replacement file remains UUID-named, O_CREAT|O_EXCL|O_NOFOLLOW, mode 0600, and descriptor/path identity plus single-link validated. I added the repository-standard narrowly scoped CodeQL annotation at the false-positive sink with this rationale. Biome, CLI typecheck, 46 focused Dockerfile security/patch tests, commit hooks, and push checks pass. @coderabbitai review |
|
✅ Action performedReview finished.
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
test/langchain-deepagents-code-direct-module-patch.test.ts (1)
12-40: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueSilent no-op if the injection marker text doesn't match.
helper.replace("import fcntl\n", ...)silently returns the original string unchanged if that exact literal isn't found (e.g., generated helper reformats the import line). On Darwin this would leavefcntl.F_SEAL_*undefined, producing a confusing downstreamAttributeErrorat import time rather than a clear diagnostic pointing at the patch itself.♻️ Proposed fix to fail fast with a clear message
function addDarwinFcntlSealConstants(helper: string): string { - return process.platform !== "darwin" || helper.includes(DARWIN_FCNTL_FIXTURE_MARKER) - ? helper - : helper.replace( - "import fcntl\n", - `import fcntl + if (process.platform !== "darwin" || helper.includes(DARWIN_FCNTL_FIXTURE_MARKER)) { + return helper; + } + const patched = helper.replace( + "import fcntl\n", + `import fcntl ${DARWIN_FCNTL_FIXTURE_MARKER} for _name, _value in ( ("F_ADD_SEALS", 1033), ("F_GET_SEALS", 1034), ("F_SEAL_SEAL", 0x0001), ("F_SEAL_SHRINK", 0x0002), ("F_SEAL_GROW", 0x0004), ("F_SEAL_WRITE", 0x0008), ): if not hasattr(fcntl, _name): setattr(fcntl, _name, _value) `, - ); + ); + if (patched === helper) { + throw new Error("Darwin fcntl seal shim injection point not found in helper module"); + } + return patched; }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/langchain-deepagents-code-direct-module-patch.test.ts` around lines 12 - 40, The addDarwinFcntlSealConstants helper can silently do nothing when the exact import marker is missing, which leaves the Darwin seal constants unset. Update this function to fail fast with a clear error if the expected injection point is not found in the helper text, instead of returning the original string unchanged. Use the existing addDarwinFcntlSealConstants and DARWIN_FCNTL_FIXTURE_MARKER symbols to locate the logic, and make the failure explicit so the patch problem is reported immediately.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@test/langchain-deepagents-code-direct-module-patch.test.ts`:
- Around line 12-40: The addDarwinFcntlSealConstants helper can silently do
nothing when the exact import marker is missing, which leaves the Darwin seal
constants unset. Update this function to fail fast with a clear error if the
expected injection point is not found in the helper text, instead of returning
the original string unchanged. Use the existing addDarwinFcntlSealConstants and
DARWIN_FCNTL_FIXTURE_MARKER symbols to locate the logic, and make the failure
explicit so the patch problem is reported immediately.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: fcfbc3e8-3919-4bad-8c87-65d4ec749df8
📒 Files selected for processing (24)
agents/langchain-deepagents-code/Dockerfileagents/langchain-deepagents-code/patch-managed-deepagents-code.pydocs/reference/commands-nemohermes.mdxdocs/reference/commands.mdxsrc/lib/actions/sandbox/rebuild-dcode-mutation-edge.test.tssrc/lib/actions/sandbox/rebuild-dcode-orchestrator.test.tssrc/lib/actions/sandbox/rebuild-dcode-orchestrator.tssrc/lib/actions/sandbox/rebuild-dcode-pre-delete-drift.test.tssrc/lib/actions/sandbox/rebuild-dcode-preflight.tssrc/lib/actions/sandbox/rebuild-durable-config.test.tssrc/lib/actions/sandbox/rebuild-durable-config.tssrc/lib/actions/sandbox/rebuild-managed-image-preflight.tssrc/lib/actions/sandbox/rebuild-managed-image-preparation.test.tssrc/lib/actions/sandbox/rebuild-managed-image-verification.test.tssrc/lib/actions/sandbox/rebuild-pipeline.tssrc/lib/actions/sandbox/rebuild-preflight-phase.tssrc/lib/onboard/dockerfile-tool-disclosure-contract.tssrc/lib/security/redact.test.tssrc/lib/security/redact.tstest/e2e/live/mcp-bridge.test.tstest/helpers/rebuild-managed-image-preflight-harness.tstest/langchain-deepagents-code-direct-module-patch.test.tstest/langchain-deepagents-code-image.test.tstest/langchain-deepagents-code-progressive-tool-disclosure.test.ts
🚧 Files skipped from review as they are similar to previous changes (14)
- src/lib/security/redact.test.ts
- src/lib/actions/sandbox/rebuild-dcode-orchestrator.test.ts
- src/lib/actions/sandbox/rebuild-dcode-orchestrator.ts
- src/lib/actions/sandbox/rebuild-durable-config.test.ts
- src/lib/actions/sandbox/rebuild-preflight-phase.ts
- agents/langchain-deepagents-code/Dockerfile
- test/e2e/live/mcp-bridge.test.ts
- src/lib/security/redact.ts
- src/lib/actions/sandbox/rebuild-durable-config.ts
- src/lib/actions/sandbox/rebuild-pipeline.ts
- src/lib/actions/sandbox/rebuild-dcode-preflight.ts
- docs/reference/commands.mdx
- docs/reference/commands-nemohermes.mdx
- src/lib/actions/sandbox/rebuild-managed-image-preflight.ts
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
|
Exact head b9801ff replaces the unrecognized CodeQL marker with the repository-proven lgtm[js/insecure-temporary-file] form immediately before the same read-only existing-directory open. The adjacent rationale and all O_DIRECTORY/O_NOFOLLOW hardening remain unchanged; 46 focused Dockerfile tests, Biome, both typechecks, hooks, and push checks pass. PRA-1 disposition: the requested managed-OpenClaw MCP model-loop test is explicitly not applicable to this PR boundary. NemoClaw managed OpenClaw MCP remains the mcporter-only adapter merged in #5876, which writes the mcporter home registry. Pinned OpenClaw Tool Search reads native mcp.servers and enabled bundle catalogs; there is no production synchronizer between those ownership stores. A fixture-only native projection would falsely imply the shipped nemoclaw mcp path is model-visible. This PR intentionally leaves MCP configuration, bridge ownership, policy generation, CLI, and registry schemas unchanged. The committed pinned-runtime validator proves search, describe, and call for eligible hidden OpenClaw catalog tools; the existing live MCP scenario separately preserves mcporter credential rewrite, restart, rotation, rebuild, policy, DNS-rebinding, and secret-boundary proof. Combining those paths is a separate transactional dual-projection design requiring add/remove/restart ownership, rollback/crash consistency, config-hash and rebuild semantics—not a safe test-only change. @coderabbitai review |
|
Triggering a fresh review on exact head ✅ Action performedReview finished.
|
E2E Target Results — ✅ All selected jobs passedRun: 28699693265
|
E2E Target Results — ✅ All requested jobs passedRun: 28699904436
|
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
|
Exact head |
|
Your plan includes PR reviews subject to rate limits. Reviews are available now. |
E2E Target Results — ❌ Some jobs failedRun: 28699691367
|
E2E Target Results — ✅ All selected jobs passedRun: 28700290435
|
E2E Target Results — ✅ All requested jobs passedRun: 28700509914
|
E2E Target Results — ❌ Some jobs failedRun: 28700286465
|
E2E Target Results — ✅ All requested jobs passedRun: 28700286465
|
<!-- markdownlint-disable MD041 --> ## Summary This PR prepares the user-facing documentation for v0.0.74 before the release plan is frozen. It expands the release notes across the 56-commit train and closes durable documentation gaps found during the pre-tag commit scan. ## Changes - Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed MCP, progressive tool disclosure, LangChain Deep Agents Code, onboarding, local inference, messaging, recovery, and contributor workflows. - Correct the `destroy` contract for retained per-name volumes, gateway-unreachable `--force` cleanup, managed MCP ownership, and same-name recovery. - Document separate remediation for an unreachable container DNS resolver versus one that answers with `NXDOMAIN` or `REFUSED`. - Document the Windows on Arm N1X automatic Ollama safeguard and its remaining large-model limitations. - State that messaging conflicts abort rebuild before backup or deletion, leaving the original sandbox intact. - Link the agent-runnable value benchmark from the contributor task index. - Synchronize generated agent command variants. - Validate with `npm run docs:sync-agent-variants` and `npm run docs`; Fern completed with 0 errors and 2 existing warnings. - Source summary: - [#6020](#6020) and [#5876](#5876) -> `docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy boundary and managed MCP lifecycle. - [#6251](#6251) and [#5989](#5989) -> `docs/about/release-notes.mdx`: Summarize progressive tool disclosure and sandbox-first inference controls. - [#6232](#6232), [#6082](#6082), [#6219](#6219), [#6214](#6214), [#6215](#6215), [#6230](#6230), and [#6260](#6260) -> `docs/about/release-notes.mdx`: Summarize the experimental LangChain Deep Agents Code status, secret, version, rebuild, snapshot, and MCP boundaries. - [#6166](#6166), [#6254](#6254), [#6265](#6265), [#6164](#6164), and [#6017](#6017) -> `docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated image reuse, bounded readiness, and preflight improvements. - [#6150](#6150) -> `docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`: Separate unreachable-resolver remediation from reachable-but-rejected DNS responses. - [#6234](#6234) -> `docs/about/release-notes.mdx`, `docs/inference/use-local-inference.mdx`, and `docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B selection and the remaining explicit-large-model boundary. - [#6129](#6129), [#5987](#5987), [#5955](#5955), and [#6220](#6220) -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Document messaging policy persistence, status, and the pre-destructive conflict check. - [#5963](#5963), [#6050](#6050), [#6094](#6094), [#6238](#6238), [#5988](#5988), [#6235](#6235), [#6181](#6181), and [#5986](#5986) -> `docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and clarify retained-volume and local-only destroy semantics. - [#6200](#6200), [#6248](#6248), [#6168](#6168), [#6270](#6270), and [#5649](#5649) -> `docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize contributor setup and verification improvements and expose the advisory value benchmark. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: documentation-only release preparation; generated-variant synchronization and the Fern docs build validate the changed pages and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: tests are not applicable to this documentation-only change; `npm run docs` validates the source and generated routes. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Expanded setup guidance for Windows on Arm devices with safer default local model selection. * Clarified local inference and sandbox messaging behavior, including conflict checks before rebuilds and safer recovery steps. * Updated destroy/rebuild/reference docs with more detailed warnings, failure handling, and volume-retention guidance. * Improved troubleshooting instructions for Docker DNS issues with clearer paths for unreachable vs. blocked resolvers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Adds a shared tool-disclosure mode across Deep Agents Code, Hermes, and OpenClaw. New sandboxes default to `progressive`; `--tool-disclosure direct` or `NEMOCLAW_TOOL_DISCLOSURE=direct` restores the prior fully visible catalog. The mode persists through resume and transactional rebuilds. The design follows [LangChain progressive disclosure](https://support.langchain.com/articles/8488719552-progressive-tool-disclosure-with-deep-agents), [Hermes Tool Search](https://hermes-agent.nousresearch.com/docs/user-guide/features/tool-search), and the pinned [OpenClaw v2026.5.27 Tool Search contract](https://github.com/openclaw/openclaw/blob/v2026.5.27/docs/tools/tool-search.md). This is the v0.0.74 bundle. Exact head `e4214144c11dd47b9d3185f19c1c73ec4e690552` includes `main` at `6f5ccbcbaa87367f7b521318fbc940467045b601`. ## Related Issue NVIDIA#5876 is merged. This PR has no remaining stacked dependency and preserves its managed-MCP ownership contract. ## Changes - Add the shared `--tool-disclosure progressive|direct` onboarding and rebuild option, with `NEMOCLAW_TOOL_DISCLOSURE` as the environment equivalent. CLI input takes precedence and fresh sandboxes default to `progressive`. - Persist the selected mode in session and registry state. Resume, recreation, and MCP-bearing rebuilds preserve or transactionally change it in either direction. - Add bounded `search_tools` middleware to Deep Agents Code when at least one MCP tool loads successfully. Core tools remain visible, discovery state survives checkpointing, and only model requests are filtered; the complete executor registry and existing authorization controls remain intact. - Enable Hermes native Tool Search with opinionated 5/20 result limits and direct core tools. - Enable OpenClaw native structured `mode: "tools"` discovery with 8/20 limits while retaining model-specific compatibility safeguards. - Patch and validate the exact pinned `deepagents-code==0.1.30` runtime with fail-closed, idempotent anchors and separate middleware instances for the main agent and local subagents. - Add build-time/runtime validators, lifecycle and overflow coverage, transactional custom-image handling, and user-facing documentation for progressive/direct behavior. ### Managed MCP boundary This PR does not change MCP configuration, credential placeholders, bridge ownership, policy generation, MCP CLI behavior, or registry schemas from NVIDIA#5876. Managed OpenClaw MCP remains registered in mcporter's home registry. Pinned OpenClaw Tool Search reads native bundle and `mcp.servers` catalogs, and NemoClaw does not currently synchronize those ownership stores. The OpenClaw runtime validator therefore proves native search, describe, and call behavior for eligible hidden catalog tools, while the existing live MCP scenario separately proves mcporter execution, credential rewriting and rotation, restart/rebuild behavior, policy enforcement, DNS-rebinding protection, and secret boundaries. A fixture-only projection between those stores would not represent shipped behavior. ### Apurv security review resolution 1. **Callable namespace:** Deep Agents Code rejects every duplicate resolved callable name and every non-managed owner of a reserved core name before the original factory in progressive and direct modes. Coverage includes regular/regular, regular/MCP, cross-MCP-server, direct-mode, and schema/executor mismatch cases. 2. **Build-context seal:** fingerprints require a real directory root and encode portable mode bits, nanosecond modification times, link counts, and deterministic hardlink topology. Pre-delete and final one-shot tests cover hardlink, timestamp, permission, and root-symlink mutations. 3. **Dockerfile patch boundary:** patching anchors and revalidates the staging parent, rejects multi-link files, writes a fresh private same-directory file, and atomically replaces the staged Dockerfile without truncating an attacker-selectable inode. 4. **Chunk-safe diagnostics:** raw cloudflared child output is not emitted in failures. Only bounded per-stream carry is retained for origin discovery, with split-event credential regressions proving fragments and reconstructed secrets remain absent. ### CodeRabbit and CodeQL resolution - Every CodeRabbit finding is implemented or explicitly dispositioned with repository evidence, including URL-token punctuation, the intentional private hosted model identifier, and the final Darwin fixture fail-fast nit. GraphQL reports zero unresolved review threads; exact-head CodeRabbit status is green. - [CodeQL alert NVIDIA#1210](https://github.com/NVIDIA/NemoClaw/security/code-scanning/1210) is dismissed as a false positive. The flagged sink opens an existing directory read-only with `O_DIRECTORY | O_NOFOLLOW | O_NONBLOCK`; it does not use `O_CREAT`. The real replacement file remains UUID-named, `O_CREAT | O_EXCL | O_NOFOLLOW`, mode `0600`, descriptor/path identity checked, single-link validated, fsynced, and atomically renamed. Exact-head CodeQL is green with no open branch alerts. ### Validation - Local focused matrix: 19 files / 327 tests passed; one true Linux-only `memfd`/`O_TMPFILE` restart case was skipped on macOS. - Exact pinned Deep Agents Code/LangChain patch and runtime validator passed: `progressive-disclosure-runtime-ok`. - Both TypeScript typechecks, build, repository checks, source-shape/test-size guards, Biome, Ruff/Python compilation, secret scanning, push checks, and `git diff --check` passed. - Final-head standard validation is green: [PR CI](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184882), [growth guardrails](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184428), [WSL](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184879), [macOS](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184874), [security](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184917), [CodeQL](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184138), [review advisors](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184863), and the [E2E advisor](https://github.com/NVIDIA/NemoClaw/actions/runs/28700184880). The original exact-head check set and subsequent metadata checks are all green, with only the two expected skips. - The exact-head [typed OpenClaw and Deep Agents targets](https://github.com/NVIDIA/NemoClaw/actions/runs/28700290435) passed. - The exact-head [production-image workflow](https://github.com/NVIDIA/NemoClaw/actions/runs/28700292369) passed both requested image builds and all four downstream image E2E checks. - In the exact-head [advisor-selected live union](https://github.com/NVIDIA/NemoClaw/actions/runs/28700286465), 18 of 19 concrete jobs passed. The sole Hermes security-posture failure occurred in its deliberate gateway-recovery probe after restart, secret-boundary, and disclosure assertions had passed. The isolated exact-head [security retry](https://github.com/NVIDIA/NemoClaw/actions/runs/28700509914) passed both Hermes and OpenClaw legs, so every selected live lane has passing final-head evidence. - The GPT review advisor's remaining OpenClaw MCP model-loop warning is explicitly dispositioned by the managed-MCP ownership boundary above: the native OpenClaw catalog and mcporter registry are separate shipped stores, and a test-only projection would claim behavior the production bridge does not provide. ### Remaining - Obtain Apurv's exact-head re-review to clear the formal `CHANGES_REQUESTED` state and complete sensitive-path approval. - Rebuild affected existing sandboxes after this change ships; newly created sandboxes default to progressive disclosure. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Apurv exact-head re-review pending after all four requested fixes. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: no waiver requested; exact-head security retry is green. ## Verification - [x] PR description includes the DCO sign-off declaration and every feature commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes — all applicable hooks passed; the known hanging local unsharded `test-cli` coverage hook was skipped and exact-head sharded Linux CI is authoritative. - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [ ] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only; current build has two pre-existing warnings) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [x] New doc pages include SPDX header and frontmatter (new pages only; no new doc pages) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary This PR prepares the user-facing documentation for v0.0.74 before the release plan is frozen. It expands the release notes across the 56-commit train and closes durable documentation gaps found during the pre-tag commit scan. ## Changes - Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed MCP, progressive tool disclosure, LangChain Deep Agents Code, onboarding, local inference, messaging, recovery, and contributor workflows. - Correct the `destroy` contract for retained per-name volumes, gateway-unreachable `--force` cleanup, managed MCP ownership, and same-name recovery. - Document separate remediation for an unreachable container DNS resolver versus one that answers with `NXDOMAIN` or `REFUSED`. - Document the Windows on Arm N1X automatic Ollama safeguard and its remaining large-model limitations. - State that messaging conflicts abort rebuild before backup or deletion, leaving the original sandbox intact. - Link the agent-runnable value benchmark from the contributor task index. - Synchronize generated agent command variants. - Validate with `npm run docs:sync-agent-variants` and `npm run docs`; Fern completed with 0 errors and 2 existing warnings. - Source summary: - [NVIDIA#6020](NVIDIA#6020) and [NVIDIA#5876](NVIDIA#5876) -> `docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy boundary and managed MCP lifecycle. - [NVIDIA#6251](NVIDIA#6251) and [NVIDIA#5989](NVIDIA#5989) -> `docs/about/release-notes.mdx`: Summarize progressive tool disclosure and sandbox-first inference controls. - [NVIDIA#6232](NVIDIA#6232), [NVIDIA#6082](NVIDIA#6082), [NVIDIA#6219](NVIDIA#6219), [NVIDIA#6214](NVIDIA#6214), [NVIDIA#6215](NVIDIA#6215), [NVIDIA#6230](NVIDIA#6230), and [NVIDIA#6260](NVIDIA#6260) -> `docs/about/release-notes.mdx`: Summarize the experimental LangChain Deep Agents Code status, secret, version, rebuild, snapshot, and MCP boundaries. - [NVIDIA#6166](NVIDIA#6166), [NVIDIA#6254](NVIDIA#6254), [NVIDIA#6265](NVIDIA#6265), [NVIDIA#6164](NVIDIA#6164), and [NVIDIA#6017](NVIDIA#6017) -> `docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated image reuse, bounded readiness, and preflight improvements. - [NVIDIA#6150](NVIDIA#6150) -> `docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`: Separate unreachable-resolver remediation from reachable-but-rejected DNS responses. - [NVIDIA#6234](NVIDIA#6234) -> `docs/about/release-notes.mdx`, `docs/inference/use-local-inference.mdx`, and `docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B selection and the remaining explicit-large-model boundary. - [NVIDIA#6129](NVIDIA#6129), [NVIDIA#5987](NVIDIA#5987), [NVIDIA#5955](NVIDIA#5955), and [NVIDIA#6220](NVIDIA#6220) -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Document messaging policy persistence, status, and the pre-destructive conflict check. - [NVIDIA#5963](NVIDIA#5963), [NVIDIA#6050](NVIDIA#6050), [NVIDIA#6094](NVIDIA#6094), [NVIDIA#6238](NVIDIA#6238), [NVIDIA#5988](NVIDIA#5988), [NVIDIA#6235](NVIDIA#6235), [NVIDIA#6181](NVIDIA#6181), and [NVIDIA#5986](NVIDIA#5986) -> `docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and clarify retained-volume and local-only destroy semantics. - [NVIDIA#6200](NVIDIA#6200), [NVIDIA#6248](NVIDIA#6248), [NVIDIA#6168](NVIDIA#6168), [NVIDIA#6270](NVIDIA#6270), and [NVIDIA#5649](NVIDIA#5649) -> `docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize contributor setup and verification improvements and expose the advisory value benchmark. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: documentation-only release preparation; generated-variant synchronization and the Fern docs build validate the changed pages and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: tests are not applicable to this documentation-only change; `npm run docs` validates the source and generated routes. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Expanded setup guidance for Windows on Arm devices with safer default local model selection. * Clarified local inference and sandbox messaging behavior, including conflict checks before rebuilds and safer recovery steps. * Updated destroy/rebuild/reference docs with more detailed warnings, failure handling, and volume-retention guidance. * Improved troubleshooting instructions for Docker DNS issues with clearer paths for unreachable vs. blocked resolvers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Summary
Adds a shared tool-disclosure mode across Deep Agents Code, Hermes, and OpenClaw. New sandboxes default to
progressive;--tool-disclosure directorNEMOCLAW_TOOL_DISCLOSURE=directrestores the prior fully visible catalog. The mode persists through resume and transactional rebuilds.The design follows LangChain progressive disclosure, Hermes Tool Search, and the pinned OpenClaw v2026.5.27 Tool Search contract. This is the v0.0.74 bundle.
Exact head
e4214144c11dd47b9d3185f19c1c73ec4e690552includesmainat6f5ccbcbaa87367f7b521318fbc940467045b601.Related Issue
#5876 is merged. This PR has no remaining stacked dependency and preserves its managed-MCP ownership contract.
Changes
--tool-disclosure progressive|directonboarding and rebuild option, withNEMOCLAW_TOOL_DISCLOSUREas the environment equivalent. CLI input takes precedence and fresh sandboxes default toprogressive.search_toolsmiddleware to Deep Agents Code when at least one MCP tool loads successfully. Core tools remain visible, discovery state survives checkpointing, and only model requests are filtered; the complete executor registry and existing authorization controls remain intact.mode: "tools"discovery with 8/20 limits while retaining model-specific compatibility safeguards.deepagents-code==0.1.30runtime with fail-closed, idempotent anchors and separate middleware instances for the main agent and local subagents.Managed MCP boundary
This PR does not change MCP configuration, credential placeholders, bridge ownership, policy generation, MCP CLI behavior, or registry schemas from #5876.
Managed OpenClaw MCP remains registered in mcporter's home registry. Pinned OpenClaw Tool Search reads native bundle and
mcp.serverscatalogs, and NemoClaw does not currently synchronize those ownership stores. The OpenClaw runtime validator therefore proves native search, describe, and call behavior for eligible hidden catalog tools, while the existing live MCP scenario separately proves mcporter execution, credential rewriting and rotation, restart/rebuild behavior, policy enforcement, DNS-rebinding protection, and secret boundaries. A fixture-only projection between those stores would not represent shipped behavior.Apurv security review resolution
CodeRabbit and CodeQL resolution
O_DIRECTORY | O_NOFOLLOW | O_NONBLOCK; it does not useO_CREAT. The real replacement file remains UUID-named,O_CREAT | O_EXCL | O_NOFOLLOW, mode0600, descriptor/path identity checked, single-link validated, fsynced, and atomically renamed. Exact-head CodeQL is green with no open branch alerts.Validation
memfd/O_TMPFILErestart case was skipped on macOS.progressive-disclosure-runtime-ok.git diff --checkpassed.Remaining
CHANGES_REQUESTEDstate and complete sensitive-path approval.Type of Change
Quality Gates
Verification
Verifiedin GitHubnpx prek run --from-ref main --to-ref HEADpasses — all applicable hooks passed; the known hanging local unshardedtest-clicoverage hook was skipped and exact-head sharded Linux CI is authoritative.npm testpasses (broad runtime changes only)npm run docsbuilds without warnings (doc changes only; current build has two pre-existing warnings)Signed-off-by: Aaron Erickson aerickson@nvidia.com