Skip to content

fix(mcp): harden DCode rebuild handoff#6260

Merged
cv merged 10 commits into
mainfrom
codex/reconcile-5876-latest
Jul 4, 2026
Merged

fix(mcp): harden DCode rebuild handoff#6260
cv merged 10 commits into
mainfrom
codex/reconcile-5876-latest

Conversation

@cv

@cv cv commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Summary

Hardens the managed-MCP work merged in #5876 so DCode rebuilds validate every reconstructable input before crossing the destructive delete boundary, preserve exact policy intent, and migrate legacy managed MCP state fail-closed. Prepared rebuild artifacts and the derived MCP runtime snapshot remain ephemeral and process-local; neither is persisted in FSM or checkpoint state, so this does not implement #6224.

Related Issue

Refs #5876
Refs #6195
Refs #6218

Changes

  • Revalidate DCode route, image, Dockerfile, reasoning, web-search, and MCP inputs after preparation and before NIM stop or sandbox deletion; restore MCP state and relock shields on failure.
  • Preserve exact custom network policy replay while keeping generated MCP rules under the MCP adapter's exclusive ownership.
  • Add protocol-specific policy schema validation for REST, WebSocket, JSON-RPC, and MCP matchers, including cross-rule tools/call conflict rejection.
  • Pin Deep Agents Code 0.1.30 and load only a strict, canonicalized managed MCP projection from a process-local integrity-bound snapshot. Sealed memfd is preferred; when OpenShell seccomp blocks it, an anonymous O_TMPFILE inode is reopened read-only and bound by descriptor, device, inode, size, kind, and SHA-256, with ambient discovery disabled.
  • Bind the canonical TypeScript secret-pattern source and flags to one shared behavior corpus executed through the Bash and Python DCode enforcement boundaries, including the full ECMAScript whitespace set.
  • Add capability-v2 gating and legacy-v1 teardown/rollback that preserves unrelated user configuration and fails closed on malformed, unsafe, or drifted state.
  • Add rebuild, migration, runtime-patch, schema, snapshot, and lifecycle coverage; update the MCP, policy, security, command, and DCode documentation.

Verification notes:

  • Final DCode-adjacent run: 9 files, 187 tests passed; the focused descriptor/projection run passed 4 files and 138 tests.
  • Final review-follow-up run: 82 focused Bash/Python/TypeScript parity and descriptor-fallback tests passed, including all 25 ECMAScript whitespace code points under both C and C.UTF-8 Bash locales.
  • Full pre-squash-equivalent run: 1,068 files passed, 2 skipped; 12,149 tests passed, 35 skipped.
  • CLI coverage ratchet passed with the repository include/exclude set expressed as one Vitest glob: lines 65.24%, statements 64.45%, functions 67.06%, branches 57.21%.
  • Python compile, Biome, ShellCheck, shfmt, source-shape, test-size, repository, secret-scan, and diff checks passed. The normal push hook passed CLI typechecking.
  • Main-sync validation after merging fix(onboard): harden BuildKit prebuild validation #6265 passed: 9 CLI files/82 tests, 6 integration files/174 tests, an additional 3 preparation tests, CLI typecheck, Biome, and diff checks. Generated-context provenance was ported into the split preflight fixtures without restoring the obsolete monolith.
  • Exact-head CI for 9a31537785ef2d456901de622721ed215627fdec passed: 40 checks green, all five required contexts passed, and there were 0 failures, cancellations, or pending checks. The only skips were the expected docs-only job and two duplicate NVSkills request jobs. This includes all five CLI shards plus the aggregate, both CodeQL languages, both sandbox image builds, macOS, WSL, four self-hosted runtime checks, CodeRabbit, and both review advisors.
  • Exact-head live E2E for 9a31537785ef2d456901de622721ed215627fdec passed: mcp-bridge, mcp-bridge-dev, and ubuntu-repo-cloud-langchain-deepagents-code. Stable and dev each passed OpenClaw, Hermes, and DCode 3/3; authenticated MCP calls passed initially and after restart, credential rotation, and rebuild, then removal denied access with no provider, policy, tunnel, or credential residue. The dedicated DCode lane passed Landlock 5/5, Python egress 14/14, headless inference 10/10, secret boundary 8/8, Tavily 6/6, and TUI 4/4; BuildKit accepted the merged generated-context handoff, and invalid-credential rebuild failure remained pre-destructive with the original sandbox, marker, and route recovered. Artifact inspection found one unchanged pre-existing harness defect: two OpenShell audit-log filtering subassertions can false-pass because awk treats close as reserved; runtime-output, sandbox-log, env-file immutability, and raw-secret checks passed, and this PR does not modify that E2E file.
  • The base test-cli pre-commit invocation remains affected by Vitest 4.1.9 collapsing repeated --coverage.exclude arguments to a zero-file/invalid summary. All other commit and push hooks passed; targeted tests and the authoritative sharded CI coverage checks provide the exact-head gate.
  • npm run docs completed with 0 errors and 2 pre-existing Fern warnings. Two documentation-writer audits confirmed the final behavior is accurately documented.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification:
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent security and correctness reviews passed after fixes; destructive-boundary rollback, capability migration, the process-local integrity-bound snapshot handoff (sealed memfd preferred, anonymous O_TMPFILE fallback), cross-language secret-pattern parity, policy fidelity, and the Epic: stabilize onboarding and runtime lifecycle contracts before public extensibility #6224 boundary were checked.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Git hooks passed during commit and push, or npx prek run --from-ref main --to-ref HEAD passes
  • Targeted tests pass for changed behavior
  • Full npm test passes (broad runtime changes only)
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

  • New Features
    • Enhanced managed MCP bridge support with managed-only configuration snapshots for safer add/restart/rebuild/teardown.
    • Network policy protocol rules now support protocol-specific matching plus stricter endpoint.path validation.
  • Bug Fixes
    • Stronger fail-fast validation for MCP server names/hostnames and endpoint details (rejected before changes are applied).
    • Rebuild flows improved to preserve/replay custom policies and validate after MCP preparation, with rollback on failure.
  • Documentation
    • Updated setup/quickstart/reference and MCP bridge/rebuild guidance for managed MCP capability v2 behavior and stricter validation rules.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv self-assigned this Jul 3, 2026
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Managed MCP handling for Deep Agents Code now uses a versioned projection file, sealed descriptor-based runtime validation, and updated adapter wiring. Rebuild flows now preserve web-search settings and custom policies across backup, restore, and destroy phases. Network policy schemas now validate REST, WebSocket, JSON-RPC, and MCP rules with protocol-specific matchers.

Changes

Deep Agents Code Managed MCP v2

Layer / File(s) Summary
Wrapper and managed runtime
agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/manifest.yaml, agents/langchain-deepagents-code/managed-dcode-runtime.py
The wrapper emits capability v2, defaults managed launches to --sandbox none --no-mcp, and secret-shape detection now uses a dedicated bearer helper. The managed runtime adds strict environment, auth, URL, descriptor, and projection validation, snapshots managed MCP config into sealed or anonymous descriptors, and exposes runtime-safe path and descriptor helpers.
Patch generation and launch wiring
agents/langchain-deepagents-code/patch-managed-deepagents-code.py, agents/langchain-deepagents-code/Dockerfile, test/fixtures/langchain-deepagents-code/*
The patch script now loads the runtime helper from disk, wraps launch path absolutization to preserve managed descriptor paths, and injects server and MCP-tool patches that pass managed descriptors into server startup. The Docker image copies the runtime helper, and supporting fixture modules for app, server, and MCP tools are added.
Adapter registration, removal, and teardown
src/lib/actions/sandbox/mcp-bridge-*.ts, src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-*
Adapter mutation options and removal outcomes are expanded, Deep Agents registration and teardown logic are split into dedicated modules, and adapter scrub/rollback helpers are introduced for managed teardown flows. Registration and removal now emit and consume structured outcomes instead of relying on void calls.
Adapter and runtime tests
src/lib/actions/sandbox/mcp-bridge-*.test.ts, test/deepagents-mcp-*.test.ts, test/helpers/*, test/langchain-deepagents-code-*.test.ts
Tests cover registration, rollback, teardown, runtime capability probing, legacy lifecycle behavior, and projection safety for managed MCP configs. They also add managed-runtime hardening, secret-pattern parity, and fixture support for sealed/anonymous descriptors and MCP command execution.
Managed MCP docs and command references
docs/*, test/e2e/*, test/snapshot.test.ts
Deployment, quickstart, and command reference docs are updated to describe managed MCP capability v2 requirements, validation rules, the .nemoclaw-mcp.json projection, backup exclusions, and rebuild/destroy rollback semantics. E2E and snapshot checks are extended to cover the new managed projection file.

Rebuild Web-Search and Custom Policy Preservation

Layer / File(s) Summary
Web-search provider resolution
src/lib/actions/sandbox/rebuild-durable-config.ts, src/lib/actions/sandbox/rebuild-durable-config.test.ts
The durable config resolver derives built-in providers, handles Tavily migration and conflicts, and tests cover provider inference, shadowing, and dual-provider failure cases.
Managed image preflight threading
src/lib/actions/sandbox/rebuild-dcode-preflight.ts, src/lib/actions/sandbox/rebuild-managed-image-preflight.ts, src/lib/actions/sandbox/rebuild-dcode-orchestrator.ts, src/lib/actions/sandbox/rebuild-preflight-phase.ts
Web search config and reasoning settings are threaded through DCode preflight and managed image preparation, while delete-edge validation now returns structured results.
Backup-phase preset normalization
src/lib/actions/sandbox/rebuild-backup-phase.ts, src/lib/actions/sandbox/rebuild-backup-phase.test.ts
The backup phase normalizes web-search presets, preserves the selected provider when needed, and tests cover durable preset retention and finalized custom-only replay.
Destroy validation and MCP ordering
src/lib/actions/sandbox/rebuild-destroy-phase.ts, src/lib/actions/sandbox/rebuild-mcp-order.ts, src/lib/actions/sandbox/rebuild-pipeline.ts, tests
The destroy phase adds optional post-MCP validation with rollback and reattachment handling, MCP preparation now runs an afterPrepare callback before best-effort NIM stop, and the pipeline wires the validation callback through.
Restore and post-restore custom policy replay
src/lib/actions/sandbox/rebuild-restore-phase.ts, src/lib/actions/sandbox/rebuild-post-restore-phase.ts, src/lib/actions/sandbox/rebuild-pipeline.ts, tests
Restore and post-restore phases now split builtin and custom policy replay, restore custom policy content directly, and derive registry state from filtered restored presets plus preserved custom policies.
Rebuild flow harness and integration tests
test/helpers/*, src/lib/actions/sandbox/rebuild-dcode-*.test.ts
The rebuild-flow harness gains MCP and gateway overrides, new spies, and cleanup hooks, while the DCode rebuild flow tests cover preflight, mutation edge, pre-delete drift, recovery, artifact drift, managed image configuration, and image verification scenarios.

Protocol-Specific Network Policy Schemas

Layer / File(s) Summary
Protocol-specific schema definitions
schemas/policy-preset.schema.json, schemas/sandbox-policy.schema.json
Endpoint path is added, and generic L7 validation is replaced with protocol-specific REST, WebSocket, JSON-RPC, and MCP rule and matcher definitions.
Schema validation test coverage
test/validate-config-schemas.test.ts
Shared matcher contract tests are added and sandbox/preset fixtures are updated for explicit endpoint paths, wildcard method handling, JSON-RPC/MCP matcher shapes, and allow/reject cases.
Policy documentation updates
docs/network-policy/customize-network-policy.mdx, docs/security/best-practices.mdx
Documentation now describes protocol-specific matcher requirements and broadens L7 inspection guidance beyond REST.

Estimated code review effort: 5 (Critical) | ~120 minutes

Suggested labels: security, bug-fix

Suggested reviewers: ericksoa

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the main change: hardening the DCode rebuild/MCP handoff path.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/reconcile-5876-latest

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 9a31537 +/-
nemoclaw/src/se...cret-scanner.ts 100%
nemoclaw/src/commands/slash.ts 100%
nemoclaw/src/li...bprocess-env.ts 100%
nemoclaw/src/bl...eprint/state.ts 98%
nemoclaw/src/onboard/config.ts 98%
nemoclaw/src/bl...int/snapshot.ts 97%
nemoclaw/src/bl...print/runner.ts 95%
nemoclaw/src/co...ration-state.ts 94%
nemoclaw/src/bl...ate-networks.ts 94%
nemoclaw/src/index.ts 94%

TypeScript / code-coverage/cli

The overall coverage in the branch is 69%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 9a31537 +/-
src/lib/shields...nsition-lock.ts 87%
src/lib/actions...all/run-plan.ts 81%
src/lib/state/o...oard-session.ts 78%
src/lib/state/sandbox.ts 73%
src/lib/onboard/preflight.ts 71%
src/lib/shields/index.ts 69%
src/lib/onboard...er-gpu-patch.ts 69%
src/lib/policy/index.ts 66%
src/lib/actions...licy-channel.ts 60%
src/lib/onboard.ts 22%

Updated July 04, 2026 06:00 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Fix PRA-6: Missing dedicated CI gate for secret pattern parity across TypeScript, Bash, and Python; then add or justify PRA-T1.
Open items: 2 required · 16 warnings · 5 suggestions · 8 test follow-ups
Since last review: 2 prior items resolved · 12 still apply · 6 new items found

Action checklist

  • PRA-6 Fix: Missing dedicated CI gate for secret pattern parity across TypeScript, Bash, and Python in .github/workflows/main.yaml:1
  • PRA-7 Fix: Descriptor liveness not re-validated at serialization boundary in agents/langchain-deepagents-code/patch-managed-deepagents-code.py:202
  • PRA-1 Resolve or justify: Source-of-truth review needed: Bash secret guard (dcode-wrapper.sh)
  • PRA-2 Resolve or justify: Source-of-truth review needed: Python _SECRET_PATTERNS (managed-dcode-runtime.py)
  • PRA-3 Resolve or justify: Source-of-truth review needed: Anonymous O_TMPFILE fallback (managed-dcode-runtime.py)
  • PRA-4 Resolve or justify: Source-of-truth review needed: Legacy v1 compatibility module (mcp-bridge-adapter-deepagents-legacy.ts)
  • PRA-5 Resolve or justify: Source-of-truth review needed: Descriptor serialization passthrough (patch-managed-deepagents-code.py)
  • PRA-8 Resolve or justify: Python _SECRET_PATTERNS structurally diverges from canonical TypeScript patterns in agents/langchain-deepagents-code/managed-dcode-runtime.py:50
  • PRA-9 Resolve or justify: Anonymous O_TMPFILE fallback weakens descriptor integrity with race window and no build-time availability check in agents/langchain-deepagents-code/managed-dcode-runtime.py:735
  • PRA-10 Resolve or justify: Legacy v1 compatibility module retained without tracked migration deadline or CI enforcement in src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts:1
  • PRA-11 Resolve or justify: Overlapping PR feat(agents): add progressive tool disclosure #6251 shares rebuild pipeline files — coordination needed in src/lib/actions/sandbox/rebuild-pipeline.ts:50
  • PRA-12 Resolve or justify: Missing test for chained-exception fallback allowance in _managed_mcp_fallback_allowed (PRA-15) in test/langchain-deepagents-code-managed-mcp-hardening.test.ts:1
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Runtime validation
  • PRA-T6 Add or justify test follow-up: Missing test for chained-exception fallback allowance in _managed_mcp_fallback_allowed (PRA-15)
  • PRA-T7 Add or justify test follow-up: Missing test for legacy v1 partial corruption with extra user keys (PRA-16)
  • PRA-T8 Add or justify test follow-up: Missing provider CAS race simulation test in rebuild flow (PRA-17)
  • PRA-16 In-scope improvement: OTEL_ENABLED hardcoded as string constant instead of module-level constant in agents/langchain-deepagents-code/managed-dcode-runtime.py:869
  • PRA-17 In-scope improvement: No build-time check for memfd sealing and O_TMPFILE availability in agents/langchain-deepagents-code/managed-dcode-runtime.py:1
  • PRA-21 In-scope improvement: Monolith growth: rebuild-dcode-preflight.ts orchestrates too many concerns in src/lib/actions/sandbox/rebuild-dcode-preflight.ts:441
  • PRA-22 In-scope improvement: MCP v2 documentation not fully verified against implementation in docs/reference/commands.mdx:1
  • PRA-23 In-scope improvement: Missing test for race condition in anonymous O_TMPFILE fallback creation (PRA-21) in test/langchain-deepagents-code-managed-mcp-hardening.test.ts:1

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-2 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-3 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-4 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-5 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-6 Required security .github/workflows/main.yaml:1 Add a dedicated CI job 'secret-pattern-parity' in .github/workflows that: (1) extracts regex source+flags from secret-patterns.ts, (2) parses dcode-wrapper.sh to extract Bash regex patterns from has_non_slack_secret_shape, is_secret_shaped_value, has_bearer_secret_shape, has_context_secret_shape, (3) parses managed-dcode-runtime.py _SECRET_PATTERNS tuples, (4) computes normalized fingerprints (source+flags) for each, (5) fails the build if any fingerprint diverges from the TypeScript canonical. Document removal condition: drop when upstream deepagents_code rejects secret-shaped runtime/.env or all invocations use Node entrypoint importing canonical patterns.
PRA-7 Required security agents/langchain-deepagents-code/patch-managed-deepagents-code.py:202 In _nemoclaw_absolutize_launch_relative_path (line 202) and _normalize_path (line 537), after detecting a managed path via is_managed_mcp_config_path(), call managed_mcp_config_bytes(path) to re-validate the descriptor contents and binding before returning the path. This ensures the snapshot is still intact at serialization time.
PRA-8 Resolve/justify security agents/langchain-deepagents-code/managed-dcode-runtime.py:50 Either: (a) generate Bash/Python pattern constants from secret-patterns.ts at build time (Node script emitting .sh/.py fragments), or (b) enhance the CI gate from PRA-4 to extract and compare normalized fingerprints for all three implementations, including structural equivalence checks (platform tagging, word boundaries, Unicode whitespace handling).
PRA-9 Resolve/justify security agents/langchain-deepagents-code/managed-dcode-runtime.py:735 Add a build-time check (in patch-managed-deepagents-code.py or Dockerfile) that verifies memfd_create with MFD_ALLOW_SEALING and O_TMPFILE are available; fail the image build if both are unavailable. Document the fallback as a known weakening with a tracking GitHub issue. Consider fail-closed for managed MCP config instead of silent fallback.
PRA-10 Resolve/justify architecture src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts:1 Add a GitHub issue tracking the migration deadline (target release) and a CI check (e.g., in static-checks) that fails if mcp-bridge-adapter-deepagents-legacy.ts exists after the target release. Reference the issue in the module header comment.
PRA-11 Resolve/justify workflow src/lib/actions/sandbox/rebuild-pipeline.ts:50 Coordinate with PR #6251 author. Run combined test suite locally. Verify no conflicting changes to shared rebuild pipeline files. Pay special attention to MCP preparation ordering in rebuild-dcode-orchestrator.ts and rebuild-managed-image-preflight.ts.
PRA-12 Resolve/justify tests test/langchain-deepagents-code-managed-mcp-hardening.test.ts:1 Add the test case to test/langchain-deepagents-code-managed-mcp-hardening.test.ts in the 'Deep Agents managed MCP runtime hardening' suite.
PRA-13 Resolve/justify tests test/deepagents-mcp-legacy-lifecycle.test.ts:1 Add the test case to test/deepagents-mcp-legacy-lifecycle.test.ts.
PRA-14 Resolve/justify tests test/helpers/rebuild-flow-harness.ts:1 Add a rebuild flow test that: (1) mocks provider get returning resource_version=4, (2) on provider update, advances resource_version to 5 and returns concurrent modification error, (3) verifies rebuild MCP preparation throws McpBridgeError and does not treat the concurrent advance as success.
PRA-15 Resolve/justify tests src/lib/actions/sandbox/rebuild-restore-phase.test.ts:1 Add the test case to rebuild-restore-phase.test.ts.
PRA-16 Improvement correctness agents/langchain-deepagents-code/managed-dcode-runtime.py:869 Define OTEL_ENABLED_VALUE = 'false' at module level and use it in assert_safe_runtime(). If the value is truly constant and never user-configurable, remove the runtime assignment and use the constant directly.
PRA-17 Improvement correctness agents/langchain-deepagents-code/managed-dcode-runtime.py:1 Add a build-time check in patch-managed-deepagents-code.py (during image build) or Dockerfile that verifies os.memfd_create with MFD_ALLOW_SEALING and os.O_TMPFILE are available; fail the build if both are unavailable. This makes the platform requirement explicit and fails fast.
PRA-18 Resolve/justify architecture agents/langchain-deepagents-code/dcode-wrapper.sh:50 Complete the source-of-truth review by: (1) filing a GitHub issue with target release for removing the Bash secret guard, (2) adding a CI check that fails if dcode-wrapper.sh secret guard code exists after the target release, (3) ensuring the parity CI gate from PRA-4 extracts and fingerprints Bash patterns.
PRA-19 Resolve/justify architecture agents/langchain-deepagents-code/managed-dcode-runtime.py:50 Complete source-of-truth review with tracking issue and CI enforcement. The parity CI gate (PRA-4) should extract and fingerprint Python patterns.
PRA-20 Resolve/justify architecture src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts:1 Add a GitHub issue tracking the migration deadline (target release) and a CI check that fails if mcp-bridge-adapter-deepagents-legacy.ts exists after the target release. Reference the issue in the module header.

🚨 Required before merge

Address these before merging unless a maintainer explicitly overrides the advisor with rationale.

PRA-6 Required — Missing dedicated CI gate for secret pattern parity across TypeScript, Bash, and Python

  • Location: .github/workflows/main.yaml:1
  • Category: security
  • Problem: Canonical secret patterns live in src/lib/security/secret-patterns.ts (TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS) but are mirrored with structural divergences in dcode-wrapper.sh (Bash regexes) and managed-dcode-runtime.py (_SECRET_PATTERNS tuples). Parity tests exist but run only in the integration suite; no dedicated CI job extracts fingerprints from all three implementations and fails on divergence.
  • Impact: A pattern change in the canonical TypeScript source can silently desync the Bash or Python mirrors, allowing secret-shaped values to bypass the guard in one enforcement boundary while being caught in another.
  • Required action: Add a dedicated CI job 'secret-pattern-parity' in .github/workflows that: (1) extracts regex source+flags from secret-patterns.ts, (2) parses dcode-wrapper.sh to extract Bash regex patterns from has_non_slack_secret_shape, is_secret_shaped_value, has_bearer_secret_shape, has_context_secret_shape, (3) parses managed-dcode-runtime.py _SECRET_PATTERNS tuples, (4) computes normalized fingerprints (source+flags) for each, (5) fails the build if any fingerprint diverges from the TypeScript canonical. Document removal condition: drop when upstream deepagents_code rejects secret-shaped runtime/.env or all invocations use Node entrypoint importing canonical patterns.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Search .github/workflows for a job named 'secret-pattern-parity' that runs fingerprint extraction; verify it fails when a pattern in dcode-wrapper.sh or managed-dcode-runtime.py diverges from secret-patterns.ts.
  • Missing regression test: The parity test (test/langchain-deepagents-code-secret-pattern-parity.test.ts) validates positive corpus matches but is not a dedicated CI gate. The gate must be a separate workflow job that fails the build on fingerprint mismatch, not just a test that runs in the integration suite.
  • Done when: The required change is committed and verification passes: Search .github/workflows for a job named 'secret-pattern-parity' that runs fingerprint extraction; verify it fails when a pattern in dcode-wrapper.sh or managed-dcode-runtime.py diverges from secret-patterns.ts.
  • Evidence: secret-patterns.ts lines 13-72 (canonical); dcode-wrapper.sh lines 144-260 (Bash mirrors); managed-dcode-runtime.py lines 50-105 (_SECRET_PATTERNS tuples); test/langchain-deepagents-code-secret-pattern-parity.test.ts lines 1-60 (parity test exists but no CI gate)

PRA-7 Required — Descriptor liveness not re-validated at serialization boundary

  • Location: agents/langchain-deepagents-code/patch-managed-deepagents-code.py:202
  • Category: security
  • Problem: The patched functions _nemoclaw_absolutize_launch_relative_path (line 202) and _normalize_path (line 537) check if a path is a managed MCP descriptor via is_managed_mcp_config_path() but do NOT call managed_mcp_config_bytes(path) to re-validate the descriptor's integrity (size, SHA-256, seal state, inode binding) before returning it. A tampered or drifted descriptor could pass through the serialization boundary unchecked.
  • Impact: If a managed MCP descriptor is tampered with (content mutated, fd replaced, seal broken) between creation and serialization during launch config generation, the tampered descriptor would be passed to Deep Agents Code and its child MCP servers without detection.
  • Required action: In _nemoclaw_absolutize_launch_relative_path (line 202) and _normalize_path (line 537), after detecting a managed path via is_managed_mcp_config_path(), call managed_mcp_config_bytes(path) to re-validate the descriptor contents and binding before returning the path. This ensures the snapshot is still intact at serialization time.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Read patch-managed-deepagents-code.py lines 202-211 (_nemoclaw_absolutize_launch_relative_path) and 537-549 (_normalize_path); verify they call managed_mcp_config_bytes(path) after is_managed_mcp_config_path() check.
  • Missing regression test: Add a test that: (1) creates a valid managed MCP descriptor, (2) tampers with the underlying descriptor (e.g., mutates content or replaces fd), (3) calls the patched _absolutize_launch_relative_path or _normalize_path, (4) expects a RuntimeError because the descriptor binding changed.
  • Done when: The required change is committed and verification passes: Read patch-managed-deepagents-code.py lines 202-211 (_nemoclaw_absolutize_launch_relative_path) and 537-549 (_normalize_path); verify they call managed_mcp_config_bytes(path) after is_managed_mcp_config_path() check.
  • Evidence: patch-managed-deepagents-code.py lines 202-211 and 537-549; managed-dcode-runtime.py lines 580-620 (managed_mcp_config_bytes implementation)
Review findings by urgency: 2 required fixes, 16 items to resolve/justify, 5 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: Bash secret guard (dcode-wrapper.sh)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/langchain-deepagents-code-image.test.ts feeds canonical positive corpus through wrapper; test/langchain-deepagents-code-secret-pattern-parity.test.ts fingerprints canonical patterns
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: dcode-wrapper.sh lines 50-350 (comment and implementation)

PRA-2 Resolve/justify — Source-of-truth review needed: Python _SECRET_PATTERNS (managed-dcode-runtime.py)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/langchain-deepagents-code-secret-pattern-parity.test.ts fingerprints canonical groups and runs shared positive corpus through both canonical and _contains_secret_shape
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: managed-dcode-runtime.py lines 50-105 (_SECRET_PATTERNS comment and tuples)

PRA-3 Resolve/justify — Source-of-truth review needed: Anonymous O_TMPFILE fallback (managed-dcode-runtime.py)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/langchain-deepagents-code-managed-mcp-hardening.test.ts: 'anonymous-fallback-ok', 'fallback-fail-closed-ok'
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: managed-dcode-runtime.py lines 735-780 (_anonymous_managed_mcp_snapshot), 808-820 (_managed_mcp_fallback_allowed)

PRA-4 Resolve/justify — Source-of-truth review needed: Legacy v1 compatibility module (mcp-bridge-adapter-deepagents-legacy.ts)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/deepagents-mcp-legacy-lifecycle.test.ts (8 tests); test/mcp-bridge-adapter-deepagents-runtime-guards.test.ts (4 tests)
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: mcp-bridge-adapter-deepagents-legacy.ts lines 1-50 (header comment)

PRA-5 Resolve/justify — Source-of-truth review needed: Descriptor serialization passthrough (patch-managed-deepagents-code.py)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as missing.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Missing (PRA-9)
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: patch-managed-deepagents-code.py lines 202-211 (_nemoclaw_absolutize_launch_relative_path) and 537-549 (_normalize_path)

PRA-8 Resolve/justify — Python _SECRET_PATTERNS structurally diverges from canonical TypeScript patterns

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:50
  • Category: security
  • Problem: Python _SECRET_PATTERNS consolidates token prefixes into fewer combined regexes (e.g., nvapi|nvcf|ghp_|hf_|glpat|gsk|pypi|tvly in one pattern) vs separate TypeScript patterns; uses platform-tagged tuples for slack/telegram/discord enabling _contains_other_platform_secret logic (TypeScript has no platform concept); Bearer pattern explicitly lists Unicode whitespace codepoints (TypeScript uses \s in lookbehind); context pattern includes ['"]? and \s (TypeScript uses [= :] in lookbehind); TypeScript has word boundaries (\b) for telegram/discord, Python/Bash lack them; TypeScript has separate xox[bpas]- and xapp- patterns, Python has them as platform-specific, Bash has them in is_secret_shaped_value but not in has_non_slack_secret_shape.
  • Impact: Semantic differences in pattern matching could allow secret-shaped values to pass in one language while being caught in another, or produce false positives/negatives at enforcement boundaries.
  • Recommended action: Either: (a) generate Bash/Python pattern constants from secret-patterns.ts at build time (Node script emitting .sh/.py fragments), or (b) enhance the CI gate from PRA-4 to extract and compare normalized fingerprints for all three implementations, including structural equivalence checks (platform tagging, word boundaries, Unicode whitespace handling).
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Compare the regex source strings in secret-patterns.ts (TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS) against managed-dcode-runtime.py _SECRET_PATTERNS tuples and dcode-wrapper.sh regexes in has_non_slack_secret_shape/is_secret_shaped_value/has_bearer_secret_shape/has_context_secret_shape. Note structural differences in consolidation, platform tagging, word boundaries, and Unicode whitespace.
  • Missing regression test: The parity test validates positive corpus matches but does not verify fingerprint equivalence or structural parity. The CI gate from PRA-4 must compute and compare fingerprints for all three languages.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Compare the regex source strings in secret-patterns.ts (TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS) against managed-dcode-runtime.py _SECRET_PATTERNS tuples and dcode-wrapper.sh regexes in has_non_slack_secret_shape/is_secret_shaped_value/has_bearer_secret_shape/has_context_secret_shape. Note structural differences in consolidation, platform tagging, word boundaries, and Unicode whitespace.
  • Evidence: secret-patterns.ts lines 13-72; managed-dcode-runtime.py lines 50-105; dcode-wrapper.sh lines 144-260

PRA-9 Resolve/justify — Anonymous O_TMPFILE fallback weakens descriptor integrity with race window and no build-time availability check

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:735
  • Category: security
  • Problem: The _anonymous_managed_mcp_snapshot function creates a writer fd with O_TMPFILE, writes payload, fsyncs, opens reader via /proc/self/fd/writer, verifies inode match, then closes writer and returns reader. Between os.close(writer) and caller receiving the reader, the inode has nlink=0 and mode=0 — a window where the descriptor is vulnerable to /proc pid fd enumeration or kernel reuse. The fallback is allowed for EPERM, EACCES, EINVAL, ENOSYS but masks the primary sealed-memfd failure. No build-time check exists to fail if neither memfd_create+sealing nor O_TMPFILE are available.
  • Impact: An attacker with /proc access during the race window could potentially read the MCP config snapshot. Operators don't see why sealed memfd failed (masked by fallback). Deployment on a system lacking both primitives would silently use the weaker fallback.
  • Recommended action: Add a build-time check (in patch-managed-deepagents-code.py or Dockerfile) that verifies memfd_create with MFD_ALLOW_SEALING and O_TMPFILE are available; fail the image build if both are unavailable. Document the fallback as a known weakening with a tracking GitHub issue. Consider fail-closed for managed MCP config instead of silent fallback.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check managed-dcode-runtime.py _anonymous_managed_mcp_snapshot (line 735) and _managed_mcp_fallback_allowed (line 808). Verify no build-time check exists in patch-managed-deepagents-code.py or Dockerfile for memfd_create+sealing or O_TMPFILE availability.
  • Missing regression test: Add a test that simulates the race window: create anonymous descriptor, close writer, then verify reader still validates correctly via _read_bound_managed_mcp_descriptor. Also test that build fails on a system without memfd_create+sealing and O_TMPFILE (may require mocking).
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check managed-dcode-runtime.py _anonymous_managed_mcp_snapshot (line 735) and _managed_mcp_fallback_allowed (line 808). Verify no build-time check exists in patch-managed-deepagents-code.py or Dockerfile for memfd_create+sealing or O_TMPFILE availability.
  • Evidence: managed-dcode-runtime.py lines 735-780 (_anonymous_managed_mcp_snapshot), 808-820 (_managed_mcp_fallback_allowed); test/langchain-deepagents-code-managed-mcp-hardening.test.ts lines 223-310 (anonymous fallback tests)

PRA-10 Resolve/justify — Legacy v1 compatibility module retained without tracked migration deadline or CI enforcement

  • Location: src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts:1
  • Category: architecture
  • Problem: The module mcp-bridge-adapter-deepagents-legacy.ts handles scrubbing registry-owned entries from the old .mcp.json path but has no GitHub issue tracking its removal target release, no CI check that fails if the file exists after the target release, and no reference to a tracking issue in the module header comment.
  • Impact: Legacy compatibility code accumulates indefinitely, increasing attack surface and maintenance burden. Without a deadline, there is no forcing function to complete the migration.
  • Recommended action: Add a GitHub issue tracking the migration deadline (target release) and a CI check (e.g., in static-checks) that fails if mcp-bridge-adapter-deepagents-legacy.ts exists after the target release. Reference the issue in the module header comment.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check mcp-bridge-adapter-deepagents-legacy.ts header for a GitHub issue reference with target release. Check .github/actions/ci-static-checks/action.yaml or a new workflow job for a check that fails on legacy module existence post-deadline.
  • Missing regression test: Add a static-checks step that greps for the legacy module and fails if current release >= target release. The test is the CI check itself.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check mcp-bridge-adapter-deepagents-legacy.ts header for a GitHub issue reference with target release. Check .github/actions/ci-static-checks/action.yaml or a new workflow job for a check that fails on legacy module existence post-deadline.
  • Evidence: mcp-bridge-adapter-deepagents-legacy.ts lines 1-50 (header comment documents removal condition but no issue reference); .github/actions/ci-static-checks/action.yaml (no legacy module check)

PRA-11 Resolve/justify — Overlapping PR #6251 shares rebuild pipeline files — coordination needed

  • Location: src/lib/actions/sandbox/rebuild-pipeline.ts:50
  • Category: workflow
  • Problem: PR feat(agents): add progressive tool disclosure #6251 shares many files: rebuild-dcode-orchestrator.ts, rebuild-dcode-preflight.ts, rebuild-durable-config.ts, rebuild-pipeline.ts, rebuild-managed-image-preflight.ts, rebuild-preflight-phase.ts, rebuild-dcode-flow.test.ts, etc. Rebuild checkpoint ordering, MCP preparation sequence, and image verification logic must be verified compatible. Previous review required running combined test suite locally before either merges.
  • Impact: Conflicting changes to shared rebuild pipeline logic could break MCP preparation ordering, cause double-mutation of providers, or skip critical pre-delete validation.
  • Recommended action: Coordinate with PR feat(agents): add progressive tool disclosure #6251 author. Run combined test suite locally. Verify no conflicting changes to shared rebuild pipeline files. Pay special attention to MCP preparation ordering in rebuild-dcode-orchestrator.ts and rebuild-managed-image-preflight.ts.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check git log for both PRs on shared files. Run 'npm run test:integration' locally with both PR changes applied. Verify rebuild-dcode-orchestrator.ts MCP preparation sequence matches PR feat(agents): add progressive tool disclosure #6251 expectations.
  • Missing regression test: Run full rebuild test suite with both PR changes; add integration test if conflicting MCP preparation logic found.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check git log for both PRs on shared files. Run 'npm run test:integration' locally with both PR changes applied. Verify rebuild-dcode-orchestrator.ts MCP preparation sequence matches PR feat(agents): add progressive tool disclosure #6251 expectations.
  • Evidence: pr_review_drift_context openPrOverlaps shows PR feat(agents): add progressive tool disclosure #6251 with sameFiles list; rebuild-dcode-orchestrator.ts and rebuild-managed-image-preflight.ts are shared

PRA-12 Resolve/justify — Missing test for chained-exception fallback allowance in _managed_mcp_fallback_allowed (PRA-15)

  • Location: test/langchain-deepagents-code-managed-mcp-hardening.test.ts:1
  • Category: tests
  • Problem: Previous review requested a test case: wrap OSError(errno.EPERM) in a RuntimeError, call _managed_mcp_fallback_allowed, assert returns True. This test does not exist.
  • Impact: The chained-exception path (RuntimeError caused by OSError(EPERM)) is a realistic failure mode when sealed memfd creation fails due to seccomp; without a test, a refactor could accidentally break fallback allowance for this case.
  • Recommended action: Add the test case to test/langchain-deepagents-code-managed-mcp-hardening.test.ts in the 'Deep Agents managed MCP runtime hardening' suite.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search test/langchain-deepagents-code-managed-mcp-hardening.test.ts for 'chained' or 'RuntimeError.*EPERM' or 'fallback_allowed' test case wrapping OSError in RuntimeError.
  • Missing regression test: Add test: exc = RuntimeError('sealed failed'); exc.__cause__ = OSError(errno.EPERM, 'blocked'); assert managed._managed_mcp_fallback_allowed(exc) === True.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search test/langchain-deepagents-code-managed-mcp-hardening.test.ts for 'chained' or 'RuntimeError.*EPERM' or 'fallback_allowed' test case wrapping OSError in RuntimeError.
  • Evidence: managed-dcode-runtime.py lines 808-820 (_managed_mcp_fallback_allowed); test/langchain-deepagents-code-managed-mcp-hardening.test.ts (no chained-exception test)

PRA-13 Resolve/justify — Missing test for legacy v1 partial corruption with extra user keys (PRA-16)

  • Location: test/deepagents-mcp-legacy-lifecycle.test.ts:1
  • Category: tests
  • Problem: Previous review requested a test case: legacy .mcp.json contains both a registry-owned server (exact match) and user-owned servers; verify teardown removes only the registry-owned entry and preserves user keys. This test does not exist.
  • Impact: If a legacy config has mixed registry/user entries and teardown incorrectly removes user-owned entries, user configuration is lost. Conversely, if it fails to remove the registry-owned entry, the provider/policy may be stranded.
  • Recommended action: Add the test case to test/deepagents-mcp-legacy-lifecycle.test.ts.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search test/deepagents-mcp-legacy-lifecycle.test.ts for 'extra user keys' or 'user-owned' or 'partial corruption' test case with mixed registry/user entries in legacy .mcp.json.
  • Missing regression test: Add test: legacy .mcp.json with {'mcpServers': {'github': registryOwned, 'user-server': userOwned}}; run teardown; verify only 'github' removed, 'user-server' preserved.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search test/deepagents-mcp-legacy-lifecycle.test.ts for 'extra user keys' or 'user-owned' or 'partial corruption' test case with mixed registry/user entries in legacy .mcp.json.
  • Evidence: deepagents-mcp-legacy-lifecycle.test.ts lines 1-103 (8 existing tests); mcp-bridge-adapter-deepagents-legacy.ts lines 50-200 (teardown logic)

PRA-14 Resolve/justify — Missing provider CAS race simulation test in rebuild flow (PRA-17)

  • Location: test/helpers/rebuild-flow-harness.ts:1
  • Category: tests
  • Problem: Previous review requested a test in rebuild-flow-harness.ts or rebuild-dcode-recovery.test.ts simulating version advance between provider read and write during rebuild MCP preparation; verify McpBridgeError thrown. This test does not exist. (There is a provider ownership test in mcp-provider-ownership.test.ts but not integrated into the rebuild flow harness.)
  • Impact: If a concurrent writer advances the provider resource_version during rebuild MCP preparation, the rebuild could incorrectly treat the failure as success or leave the provider in an inconsistent state.
  • Recommended action: Add a rebuild flow test that: (1) mocks provider get returning resource_version=4, (2) on provider update, advances resource_version to 5 and returns concurrent modification error, (3) verifies rebuild MCP preparation throws McpBridgeError and does not treat the concurrent advance as success.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search test/helpers/rebuild-flow-harness.ts and test/actions/sandbox/rebuild-dcode-recovery.test.ts for 'resource.version' or 'CAS' or 'concurrent.*provider' test in rebuild MCP preparation.
  • Missing regression test: Add test in rebuild-dcode-recovery.test.ts using rebuildFlowHarness with mcpPreparation override that simulates provider version advance on update.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search test/helpers/rebuild-flow-harness.ts and test/actions/sandbox/rebuild-dcode-recovery.test.ts for 'resource.version' or 'CAS' or 'concurrent.*provider' test in rebuild MCP preparation.
  • Evidence: rebuild-flow-harness.ts lines 1-300 (mcpPreparation override exists); mcp-provider-ownership.test.ts lines 432-500 (CAS race test exists but not in rebuild harness)

PRA-15 Resolve/justify — Missing custom policy replay fidelity test during stale recovery with MCP entries (PRA-18)

  • Location: src/lib/actions/sandbox/rebuild-restore-phase.test.ts:1
  • Category: tests
  • Problem: Previous review requested a test in rebuild-restore-phase.test.ts with custom policies + MCP entries; simulate stale recovery; assert restored policies byte-match original. This test does not exist.
  • Impact: If custom policy content is not byte-identical after stale recovery, the sandbox's network policy enforcement could diverge from the intended configuration, potentially exposing unintended egress paths.
  • Recommended action: Add the test case to rebuild-restore-phase.test.ts.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search rebuild-restore-phase.test.ts for 'custom policy' or 'policy fidelity' or 'stale recovery' with MCP entries test.
  • Missing regression test: Add test: sandbox with custom policy preset + managed MCP entries; simulate stale recovery (corrupted state); run restore phase; assert restored custom policy content byte-matches original.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search rebuild-restore-phase.test.ts for 'custom policy' or 'policy fidelity' or 'stale recovery' with MCP entries test.
  • Evidence: rebuild-restore-phase.test.ts lines 1-148 (5 existing tests); rebuild-restore-phase.ts lines 1-105 (restore logic)

PRA-18 Resolve/justify — Source-of-truth review incomplete for Bash secret guard

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:50
  • Category: architecture
  • Problem: The comment documents invalid state, source boundary, source-fix constraint, and regression test, but does not identify: (1) a GitHub issue tracking the removal condition with target release, (2) a CI check that fails if dcode-wrapper.sh exists after the target release, (3) confirmation that the parity CI gate (PRA-4) covers Bash pattern extraction.
  • Impact: The Bash secret guard is a localized workaround that must be tracked for removal. Without a deadline and CI enforcement, it persists indefinitely.
  • Recommended action: Complete the source-of-truth review by: (1) filing a GitHub issue with target release for removing the Bash secret guard, (2) adding a CI check that fails if dcode-wrapper.sh secret guard code exists after the target release, (3) ensuring the parity CI gate from PRA-4 extracts and fingerprints Bash patterns.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check dcode-wrapper.sh header comment for GitHub issue reference with target release. Check CI for a check that fails on Bash secret guard existence post-deadline. Verify PRA-4 CI gate includes Bash pattern extraction.
  • Missing regression test: The parity test (test/langchain-deepagents-code-image.test.ts) feeds the canonical corpus through the wrapper but does not extract Bash regex fingerprints. The CI gate must do fingerprint extraction.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check dcode-wrapper.sh header comment for GitHub issue reference with target release. Check CI for a check that fails on Bash secret guard existence post-deadline. Verify PRA-4 CI gate includes Bash pattern extraction.
  • Evidence: dcode-wrapper.sh lines 50-350 (secret guard comment and implementation)

PRA-19 Resolve/justify — Source-of-truth review incomplete for Python _SECRET_PATTERNS

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:50
  • Category: architecture
  • Problem: The comment documents the source boundary and regression gate but does not identify: (1) a GitHub issue tracking the removal condition with target release, (2) a CI check that fails if _SECRET_PATTERNS exists after the target release, (3) confirmation that the parity CI gate covers Python pattern extraction.
  • Impact: The Python pattern mirror is a localized workaround that must be tracked for removal. Without a deadline and CI enforcement, it persists indefinitely.
  • Recommended action: Complete source-of-truth review with tracking issue and CI enforcement. The parity CI gate (PRA-4) should extract and fingerprint Python patterns.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check managed-dcode-runtime.py _SECRET_PATTERNS comment for GitHub issue reference with target release. Check CI for Python pattern extraction in parity gate.
  • Missing regression test: The parity test runs Python _contains_secret_shape against canonical vectors but does not extract Python regex fingerprints for comparison. The CI gate must do fingerprint extraction.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check managed-dcode-runtime.py _SECRET_PATTERNS comment for GitHub issue reference with target release. Check CI for Python pattern extraction in parity gate.
  • Evidence: managed-dcode-runtime.py lines 50-105 (_SECRET_PATTERNS comment and tuples)

PRA-20 Resolve/justify — Source-of-truth review incomplete for legacy v1 compatibility module

  • Location: src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts:1
  • Category: architecture
  • Problem: The comment documents invalid state, source boundary, and removal condition but does not identify: (1) a GitHub issue tracking the migration deadline, (2) a CI check that fails if the module exists after the deadline.
  • Impact: Legacy module persists without tracking; migration deadline unenforced.
  • Recommended action: Add a GitHub issue tracking the migration deadline (target release) and a CI check that fails if mcp-bridge-adapter-deepagents-legacy.ts exists after the target release. Reference the issue in the module header.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check mcp-bridge-adapter-deepagents-legacy.ts header for GitHub issue with target release. Check CI for legacy module existence check.
  • Missing regression test: Add static-checks step that fails if legacy module exists and current release >= target release.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check mcp-bridge-adapter-deepagents-legacy.ts header for GitHub issue with target release. Check CI for legacy module existence check.
  • Evidence: mcp-bridge-adapter-deepagents-legacy.ts lines 1-30 (header comment)

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-16 Improvement — OTEL_ENABLED hardcoded as string constant instead of module-level constant

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:869
  • Category: correctness
  • Problem: The value 'false' is assigned directly in assert_safe_runtime() function body. Previous review suggested replacing with module-level constant unless users/CI set alternate value.
  • Impact: Minor code clarity issue; the constant is never user-configurable and appears as a magic string in the function.
  • Suggested action: Define OTEL_ENABLED_VALUE = 'false' at module level and use it in assert_safe_runtime(). If the value is truly constant and never user-configurable, remove the runtime assignment and use the constant directly.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check managed-dcode-runtime.py line 869 for os.environ["OTEL_ENABLED"] = "false" and verify a module-level constant exists above.
  • Missing regression test: Not a testable behavior change; verify via code inspection that the constant is defined at module level.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: managed-dcode-runtime.py line 869

PRA-17 Improvement — No build-time check for memfd sealing and O_TMPFILE availability

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:1
  • Category: correctness
  • Problem: The code attempts memfd_create with MFD_ALLOW_SEALING at runtime and falls back to O_TMPFILE on specific errnos. Previous review requested a build-time check that fails the image build if neither is available, rather than silent runtime fallback.
  • Impact: Deployments on kernels without memfd sealing or O_TMPFILE support would silently use the weaker anonymous fallback, reducing descriptor integrity guarantees.
  • Suggested action: Add a build-time check in patch-managed-deepagents-code.py (during image build) or Dockerfile that verifies os.memfd_create with MFD_ALLOW_SEALING and os.O_TMPFILE are available; fail the build if both are unavailable. This makes the platform requirement explicit and fails fast.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check patch-managed-deepagents-code.py main() or Dockerfile for a build-time check that imports os and verifies hasattr(os, 'memfd_create') and hasattr(os, 'MFD_ALLOW_SEALING') and hasattr(os, 'O_TMPFILE').
  • Missing regression test: Add a test that mocks missing memfd_create/O_TMPFILE and verifies the build fails (may require integration test with Docker build).
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: managed-dcode-runtime.py lines 666-680 (_sealed_managed_mcp_snapshot), 735-780 (_anonymous_managed_mcp_snapshot); patch-managed-deepagents-code.py main() (no such check)

PRA-21 Improvement — Monolith growth: rebuild-dcode-preflight.ts orchestrates too many concerns

  • Location: src/lib/actions/sandbox/rebuild-dcode-preflight.ts:441
  • Category: correctness
  • Problem: The file grew by 7 lines in this PR (434→441). It orchestrates target selection, image preparation, inference preflight, MCP preparation, gateway recovery. Previous review recommended extracting ensureDcodeRebuildTargetGatewaySelected and resolveTarget into a dedicated rebuild-dcode-target-selection.ts.
  • Impact: Large monolithic files are harder to review, test, and maintain. Separation of concerns improves auditability of security-critical paths.
  • Suggested action: Extract target selection logic (ensureDcodeRebuildTargetGatewaySelected, resolveTarget, resolveDcodeRebuildTarget) into a separate module rebuild-dcode-target-selection.ts to keep preflight focused on validation/preparation.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check if rebuild-dcode-target-selection.ts exists and contains the extracted target selection functions. Verify rebuild-dcode-preflight.ts imports from it.
  • Missing regression test: No new test needed; verify existing tests pass after extraction.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: rebuild-dcode-preflight.ts lines 1-441; monolithDeltas shows +7 lines growth

PRA-22 Improvement — MCP v2 documentation not fully verified against implementation

  • Location: docs/reference/commands.mdx:1
  • Category: docs
  • Problem: Documentation in commands.mdx and commands-nemohermes.mdx now references 'managed MCP capability v2' but the implementation details (capability probe, v1/v2 detection, rollback behavior) should be audited for accuracy.
  • Impact: Operators may rely on inaccurate documentation for troubleshooting MCP lifecycle commands.
  • Suggested action: Audit commands.mdx and commands-nemohermes.mdx MCP sections against the three implementation files (mcp-bridge-adapter-deepagents-registration.ts, mcp-bridge-adapter-deepagents-teardown.ts, mcp-bridge-adapter-deepagents-legacy.ts); update docs to match exact behavior.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Compare docs/reference/commands.mdx MCP sections (search for 'managed MCP capability v2') against src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-registration.ts (capability probe), mcp-bridge-adapter-deepagents-legacy.ts (v1 handling), and mcp-bridge-adapter-deepagents-teardown.ts (scrub behavior).
  • Missing regression test: Add a documentation validation test that checks key claims against implementation (e.g., capability probe output format, v1/v2 detection logic, rollback behavior).
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: docs/reference/commands.mdx and commands-nemohermes.mdx MCP sections; implementation files in src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-*.ts

PRA-23 Improvement — Missing test for race condition in anonymous O_TMPFILE fallback creation (PRA-21)

  • Location: test/langchain-deepagents-code-managed-mcp-hardening.test.ts:1
  • Category: tests
  • Problem: Previous review requested a test for the race window between writer close and reader open in _anonymous_managed_mcp_snapshot.
  • Impact: The race window (nlink=0, mode=0 between writer close and reader open) is a theoretical vulnerability; a test would either expose it or document why it's not exploitable.
  • Suggested action: Add a test that stresses the anonymous fallback creation path to expose potential races, or documents why the race is not exploitable in practice.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search test/langchain-deepagents-code-managed-mcp-hardening.test.ts for 'race' or 'anonymous.*creation' test case.
  • Missing regression test: Add test that creates multiple anonymous snapshots concurrently and verifies each gets a distinct, valid descriptor with correct binding.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: managed-dcode-runtime.py lines 735-780 (_anonymous_managed_mcp_snapshot); test/langchain-deepagents-code-managed-mcp-hardening.test.ts (no race stress test)
Simplification opportunities: 1 possible cut, net -80 lines possible

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-21 shrink (src/lib/actions/sandbox/rebuild-dcode-preflight.ts:441): ensureDcodeRebuildTargetGatewaySelected, resolveTarget, resolveDcodeRebuildTarget functions and their imports
    • Replacement: Import from new rebuild-dcode-target-selection.ts module
    • Net: -80 lines
    • Safety boundary: Target selection logic is pure validation/selection; no credential handling, policy mutation, or sandbox destruction. Extraction preserves all security boundaries.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — chained-exception fallback allowance in _managed_mcp_fallback_allowed. Runtime/sandbox/infrastructure paths need behavioral runtime validation: agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/manifest.yaml, agents/langchain-deepagents-code/patch-managed-deepagents-code.py, docs/deployment/set-up-mcp-bridge.mdx, docs/get-started/quickstart-langchain-deepagents-code.mdx, docs/network-policy/customize-network-policy.mdx.
  • PRA-T2 Runtime validation — legacy v1 partial corruption with extra user keys. Runtime/sandbox/infrastructure paths need behavioral runtime validation: agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/manifest.yaml, agents/langchain-deepagents-code/patch-managed-deepagents-code.py, docs/deployment/set-up-mcp-bridge.mdx, docs/get-started/quickstart-langchain-deepagents-code.mdx, docs/network-policy/customize-network-policy.mdx.
  • PRA-T3 Runtime validation — provider CAS race during rebuild MCP preparation. Runtime/sandbox/infrastructure paths need behavioral runtime validation: agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/manifest.yaml, agents/langchain-deepagents-code/patch-managed-deepagents-code.py, docs/deployment/set-up-mcp-bridge.mdx, docs/get-started/quickstart-langchain-deepagents-code.mdx, docs/network-policy/customize-network-policy.mdx.
  • PRA-T4 Runtime validation — custom policy replay fidelity during stale recovery with MCP entries. Runtime/sandbox/infrastructure paths need behavioral runtime validation: agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/manifest.yaml, agents/langchain-deepagents-code/patch-managed-deepagents-code.py, docs/deployment/set-up-mcp-bridge.mdx, docs/get-started/quickstart-langchain-deepagents-code.mdx, docs/network-policy/customize-network-policy.mdx.
  • PRA-T5 Runtime validation — descriptor liveness re-validation at serialization boundary. Runtime/sandbox/infrastructure paths need behavioral runtime validation: agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/manifest.yaml, agents/langchain-deepagents-code/patch-managed-deepagents-code.py, docs/deployment/set-up-mcp-bridge.mdx, docs/get-started/quickstart-langchain-deepagents-code.mdx, docs/network-policy/customize-network-policy.mdx.
  • PRA-T6 Missing test for chained-exception fallback allowance in _managed_mcp_fallback_allowed (PRA-15) — Add the test case to test/langchain-deepagents-code-managed-mcp-hardening.test.ts in the 'Deep Agents managed MCP runtime hardening' suite.
  • PRA-T7 Missing test for legacy v1 partial corruption with extra user keys (PRA-16) — Add the test case to test/deepagents-mcp-legacy-lifecycle.test.ts.
  • PRA-T8 Missing provider CAS race simulation test in rebuild flow (PRA-17) — Add a rebuild flow test that: (1) mocks provider get returning resource_version=4, (2) on provider update, advances resource_version to 5 and returns concurrent modification error, (3) verifies rebuild MCP preparation throws McpBridgeError and does not treat the concurrent advance as success.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Source-of-truth review needed: Bash secret guard (dcode-wrapper.sh)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/langchain-deepagents-code-image.test.ts feeds canonical positive corpus through wrapper; test/langchain-deepagents-code-secret-pattern-parity.test.ts fingerprints canonical patterns
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: dcode-wrapper.sh lines 50-350 (comment and implementation)

PRA-2 Resolve/justify — Source-of-truth review needed: Python _SECRET_PATTERNS (managed-dcode-runtime.py)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/langchain-deepagents-code-secret-pattern-parity.test.ts fingerprints canonical groups and runs shared positive corpus through both canonical and _contains_secret_shape
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: managed-dcode-runtime.py lines 50-105 (_SECRET_PATTERNS comment and tuples)

PRA-3 Resolve/justify — Source-of-truth review needed: Anonymous O_TMPFILE fallback (managed-dcode-runtime.py)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/langchain-deepagents-code-managed-mcp-hardening.test.ts: 'anonymous-fallback-ok', 'fallback-fail-closed-ok'
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: managed-dcode-runtime.py lines 735-780 (_anonymous_managed_mcp_snapshot), 808-820 (_managed_mcp_fallback_allowed)

PRA-4 Resolve/justify — Source-of-truth review needed: Legacy v1 compatibility module (mcp-bridge-adapter-deepagents-legacy.ts)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/deepagents-mcp-legacy-lifecycle.test.ts (8 tests); test/mcp-bridge-adapter-deepagents-runtime-guards.test.ts (4 tests)
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: mcp-bridge-adapter-deepagents-legacy.ts lines 1-50 (header comment)

PRA-5 Resolve/justify — Source-of-truth review needed: Descriptor serialization passthrough (patch-managed-deepagents-code.py)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as missing.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Missing (PRA-9)
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: patch-managed-deepagents-code.py lines 202-211 (_nemoclaw_absolutize_launch_relative_path) and 537-549 (_normalize_path)

PRA-6 Required — Missing dedicated CI gate for secret pattern parity across TypeScript, Bash, and Python

  • Location: .github/workflows/main.yaml:1
  • Category: security
  • Problem: Canonical secret patterns live in src/lib/security/secret-patterns.ts (TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS) but are mirrored with structural divergences in dcode-wrapper.sh (Bash regexes) and managed-dcode-runtime.py (_SECRET_PATTERNS tuples). Parity tests exist but run only in the integration suite; no dedicated CI job extracts fingerprints from all three implementations and fails on divergence.
  • Impact: A pattern change in the canonical TypeScript source can silently desync the Bash or Python mirrors, allowing secret-shaped values to bypass the guard in one enforcement boundary while being caught in another.
  • Required action: Add a dedicated CI job 'secret-pattern-parity' in .github/workflows that: (1) extracts regex source+flags from secret-patterns.ts, (2) parses dcode-wrapper.sh to extract Bash regex patterns from has_non_slack_secret_shape, is_secret_shaped_value, has_bearer_secret_shape, has_context_secret_shape, (3) parses managed-dcode-runtime.py _SECRET_PATTERNS tuples, (4) computes normalized fingerprints (source+flags) for each, (5) fails the build if any fingerprint diverges from the TypeScript canonical. Document removal condition: drop when upstream deepagents_code rejects secret-shaped runtime/.env or all invocations use Node entrypoint importing canonical patterns.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Search .github/workflows for a job named 'secret-pattern-parity' that runs fingerprint extraction; verify it fails when a pattern in dcode-wrapper.sh or managed-dcode-runtime.py diverges from secret-patterns.ts.
  • Missing regression test: The parity test (test/langchain-deepagents-code-secret-pattern-parity.test.ts) validates positive corpus matches but is not a dedicated CI gate. The gate must be a separate workflow job that fails the build on fingerprint mismatch, not just a test that runs in the integration suite.
  • Done when: The required change is committed and verification passes: Search .github/workflows for a job named 'secret-pattern-parity' that runs fingerprint extraction; verify it fails when a pattern in dcode-wrapper.sh or managed-dcode-runtime.py diverges from secret-patterns.ts.
  • Evidence: secret-patterns.ts lines 13-72 (canonical); dcode-wrapper.sh lines 144-260 (Bash mirrors); managed-dcode-runtime.py lines 50-105 (_SECRET_PATTERNS tuples); test/langchain-deepagents-code-secret-pattern-parity.test.ts lines 1-60 (parity test exists but no CI gate)

PRA-7 Required — Descriptor liveness not re-validated at serialization boundary

  • Location: agents/langchain-deepagents-code/patch-managed-deepagents-code.py:202
  • Category: security
  • Problem: The patched functions _nemoclaw_absolutize_launch_relative_path (line 202) and _normalize_path (line 537) check if a path is a managed MCP descriptor via is_managed_mcp_config_path() but do NOT call managed_mcp_config_bytes(path) to re-validate the descriptor's integrity (size, SHA-256, seal state, inode binding) before returning it. A tampered or drifted descriptor could pass through the serialization boundary unchecked.
  • Impact: If a managed MCP descriptor is tampered with (content mutated, fd replaced, seal broken) between creation and serialization during launch config generation, the tampered descriptor would be passed to Deep Agents Code and its child MCP servers without detection.
  • Required action: In _nemoclaw_absolutize_launch_relative_path (line 202) and _normalize_path (line 537), after detecting a managed path via is_managed_mcp_config_path(), call managed_mcp_config_bytes(path) to re-validate the descriptor contents and binding before returning the path. This ensures the snapshot is still intact at serialization time.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Read patch-managed-deepagents-code.py lines 202-211 (_nemoclaw_absolutize_launch_relative_path) and 537-549 (_normalize_path); verify they call managed_mcp_config_bytes(path) after is_managed_mcp_config_path() check.
  • Missing regression test: Add a test that: (1) creates a valid managed MCP descriptor, (2) tampers with the underlying descriptor (e.g., mutates content or replaces fd), (3) calls the patched _absolutize_launch_relative_path or _normalize_path, (4) expects a RuntimeError because the descriptor binding changed.
  • Done when: The required change is committed and verification passes: Read patch-managed-deepagents-code.py lines 202-211 (_nemoclaw_absolutize_launch_relative_path) and 537-549 (_normalize_path); verify they call managed_mcp_config_bytes(path) after is_managed_mcp_config_path() check.
  • Evidence: patch-managed-deepagents-code.py lines 202-211 and 537-549; managed-dcode-runtime.py lines 580-620 (managed_mcp_config_bytes implementation)

PRA-8 Resolve/justify — Python _SECRET_PATTERNS structurally diverges from canonical TypeScript patterns

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:50
  • Category: security
  • Problem: Python _SECRET_PATTERNS consolidates token prefixes into fewer combined regexes (e.g., nvapi|nvcf|ghp_|hf_|glpat|gsk|pypi|tvly in one pattern) vs separate TypeScript patterns; uses platform-tagged tuples for slack/telegram/discord enabling _contains_other_platform_secret logic (TypeScript has no platform concept); Bearer pattern explicitly lists Unicode whitespace codepoints (TypeScript uses \s in lookbehind); context pattern includes ['"]? and \s (TypeScript uses [= :] in lookbehind); TypeScript has word boundaries (\b) for telegram/discord, Python/Bash lack them; TypeScript has separate xox[bpas]- and xapp- patterns, Python has them as platform-specific, Bash has them in is_secret_shaped_value but not in has_non_slack_secret_shape.
  • Impact: Semantic differences in pattern matching could allow secret-shaped values to pass in one language while being caught in another, or produce false positives/negatives at enforcement boundaries.
  • Recommended action: Either: (a) generate Bash/Python pattern constants from secret-patterns.ts at build time (Node script emitting .sh/.py fragments), or (b) enhance the CI gate from PRA-4 to extract and compare normalized fingerprints for all three implementations, including structural equivalence checks (platform tagging, word boundaries, Unicode whitespace handling).
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Compare the regex source strings in secret-patterns.ts (TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS) against managed-dcode-runtime.py _SECRET_PATTERNS tuples and dcode-wrapper.sh regexes in has_non_slack_secret_shape/is_secret_shaped_value/has_bearer_secret_shape/has_context_secret_shape. Note structural differences in consolidation, platform tagging, word boundaries, and Unicode whitespace.
  • Missing regression test: The parity test validates positive corpus matches but does not verify fingerprint equivalence or structural parity. The CI gate from PRA-4 must compute and compare fingerprints for all three languages.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Compare the regex source strings in secret-patterns.ts (TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS) against managed-dcode-runtime.py _SECRET_PATTERNS tuples and dcode-wrapper.sh regexes in has_non_slack_secret_shape/is_secret_shaped_value/has_bearer_secret_shape/has_context_secret_shape. Note structural differences in consolidation, platform tagging, word boundaries, and Unicode whitespace.
  • Evidence: secret-patterns.ts lines 13-72; managed-dcode-runtime.py lines 50-105; dcode-wrapper.sh lines 144-260

PRA-9 Resolve/justify — Anonymous O_TMPFILE fallback weakens descriptor integrity with race window and no build-time availability check

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:735
  • Category: security
  • Problem: The _anonymous_managed_mcp_snapshot function creates a writer fd with O_TMPFILE, writes payload, fsyncs, opens reader via /proc/self/fd/writer, verifies inode match, then closes writer and returns reader. Between os.close(writer) and caller receiving the reader, the inode has nlink=0 and mode=0 — a window where the descriptor is vulnerable to /proc pid fd enumeration or kernel reuse. The fallback is allowed for EPERM, EACCES, EINVAL, ENOSYS but masks the primary sealed-memfd failure. No build-time check exists to fail if neither memfd_create+sealing nor O_TMPFILE are available.
  • Impact: An attacker with /proc access during the race window could potentially read the MCP config snapshot. Operators don't see why sealed memfd failed (masked by fallback). Deployment on a system lacking both primitives would silently use the weaker fallback.
  • Recommended action: Add a build-time check (in patch-managed-deepagents-code.py or Dockerfile) that verifies memfd_create with MFD_ALLOW_SEALING and O_TMPFILE are available; fail the image build if both are unavailable. Document the fallback as a known weakening with a tracking GitHub issue. Consider fail-closed for managed MCP config instead of silent fallback.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check managed-dcode-runtime.py _anonymous_managed_mcp_snapshot (line 735) and _managed_mcp_fallback_allowed (line 808). Verify no build-time check exists in patch-managed-deepagents-code.py or Dockerfile for memfd_create+sealing or O_TMPFILE availability.
  • Missing regression test: Add a test that simulates the race window: create anonymous descriptor, close writer, then verify reader still validates correctly via _read_bound_managed_mcp_descriptor. Also test that build fails on a system without memfd_create+sealing and O_TMPFILE (may require mocking).
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check managed-dcode-runtime.py _anonymous_managed_mcp_snapshot (line 735) and _managed_mcp_fallback_allowed (line 808). Verify no build-time check exists in patch-managed-deepagents-code.py or Dockerfile for memfd_create+sealing or O_TMPFILE availability.
  • Evidence: managed-dcode-runtime.py lines 735-780 (_anonymous_managed_mcp_snapshot), 808-820 (_managed_mcp_fallback_allowed); test/langchain-deepagents-code-managed-mcp-hardening.test.ts lines 223-310 (anonymous fallback tests)

PRA-10 Resolve/justify — Legacy v1 compatibility module retained without tracked migration deadline or CI enforcement

  • Location: src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts:1
  • Category: architecture
  • Problem: The module mcp-bridge-adapter-deepagents-legacy.ts handles scrubbing registry-owned entries from the old .mcp.json path but has no GitHub issue tracking its removal target release, no CI check that fails if the file exists after the target release, and no reference to a tracking issue in the module header comment.
  • Impact: Legacy compatibility code accumulates indefinitely, increasing attack surface and maintenance burden. Without a deadline, there is no forcing function to complete the migration.
  • Recommended action: Add a GitHub issue tracking the migration deadline (target release) and a CI check (e.g., in static-checks) that fails if mcp-bridge-adapter-deepagents-legacy.ts exists after the target release. Reference the issue in the module header comment.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check mcp-bridge-adapter-deepagents-legacy.ts header for a GitHub issue reference with target release. Check .github/actions/ci-static-checks/action.yaml or a new workflow job for a check that fails on legacy module existence post-deadline.
  • Missing regression test: Add a static-checks step that greps for the legacy module and fails if current release >= target release. The test is the CI check itself.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check mcp-bridge-adapter-deepagents-legacy.ts header for a GitHub issue reference with target release. Check .github/actions/ci-static-checks/action.yaml or a new workflow job for a check that fails on legacy module existence post-deadline.
  • Evidence: mcp-bridge-adapter-deepagents-legacy.ts lines 1-50 (header comment documents removal condition but no issue reference); .github/actions/ci-static-checks/action.yaml (no legacy module check)

PRA-11 Resolve/justify — Overlapping PR #6251 shares rebuild pipeline files — coordination needed

  • Location: src/lib/actions/sandbox/rebuild-pipeline.ts:50
  • Category: workflow
  • Problem: PR feat(agents): add progressive tool disclosure #6251 shares many files: rebuild-dcode-orchestrator.ts, rebuild-dcode-preflight.ts, rebuild-durable-config.ts, rebuild-pipeline.ts, rebuild-managed-image-preflight.ts, rebuild-preflight-phase.ts, rebuild-dcode-flow.test.ts, etc. Rebuild checkpoint ordering, MCP preparation sequence, and image verification logic must be verified compatible. Previous review required running combined test suite locally before either merges.
  • Impact: Conflicting changes to shared rebuild pipeline logic could break MCP preparation ordering, cause double-mutation of providers, or skip critical pre-delete validation.
  • Recommended action: Coordinate with PR feat(agents): add progressive tool disclosure #6251 author. Run combined test suite locally. Verify no conflicting changes to shared rebuild pipeline files. Pay special attention to MCP preparation ordering in rebuild-dcode-orchestrator.ts and rebuild-managed-image-preflight.ts.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check git log for both PRs on shared files. Run 'npm run test:integration' locally with both PR changes applied. Verify rebuild-dcode-orchestrator.ts MCP preparation sequence matches PR feat(agents): add progressive tool disclosure #6251 expectations.
  • Missing regression test: Run full rebuild test suite with both PR changes; add integration test if conflicting MCP preparation logic found.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check git log for both PRs on shared files. Run 'npm run test:integration' locally with both PR changes applied. Verify rebuild-dcode-orchestrator.ts MCP preparation sequence matches PR feat(agents): add progressive tool disclosure #6251 expectations.
  • Evidence: pr_review_drift_context openPrOverlaps shows PR feat(agents): add progressive tool disclosure #6251 with sameFiles list; rebuild-dcode-orchestrator.ts and rebuild-managed-image-preflight.ts are shared

PRA-12 Resolve/justify — Missing test for chained-exception fallback allowance in _managed_mcp_fallback_allowed (PRA-15)

  • Location: test/langchain-deepagents-code-managed-mcp-hardening.test.ts:1
  • Category: tests
  • Problem: Previous review requested a test case: wrap OSError(errno.EPERM) in a RuntimeError, call _managed_mcp_fallback_allowed, assert returns True. This test does not exist.
  • Impact: The chained-exception path (RuntimeError caused by OSError(EPERM)) is a realistic failure mode when sealed memfd creation fails due to seccomp; without a test, a refactor could accidentally break fallback allowance for this case.
  • Recommended action: Add the test case to test/langchain-deepagents-code-managed-mcp-hardening.test.ts in the 'Deep Agents managed MCP runtime hardening' suite.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search test/langchain-deepagents-code-managed-mcp-hardening.test.ts for 'chained' or 'RuntimeError.*EPERM' or 'fallback_allowed' test case wrapping OSError in RuntimeError.
  • Missing regression test: Add test: exc = RuntimeError('sealed failed'); exc.__cause__ = OSError(errno.EPERM, 'blocked'); assert managed._managed_mcp_fallback_allowed(exc) === True.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search test/langchain-deepagents-code-managed-mcp-hardening.test.ts for 'chained' or 'RuntimeError.*EPERM' or 'fallback_allowed' test case wrapping OSError in RuntimeError.
  • Evidence: managed-dcode-runtime.py lines 808-820 (_managed_mcp_fallback_allowed); test/langchain-deepagents-code-managed-mcp-hardening.test.ts (no chained-exception test)

PRA-13 Resolve/justify — Missing test for legacy v1 partial corruption with extra user keys (PRA-16)

  • Location: test/deepagents-mcp-legacy-lifecycle.test.ts:1
  • Category: tests
  • Problem: Previous review requested a test case: legacy .mcp.json contains both a registry-owned server (exact match) and user-owned servers; verify teardown removes only the registry-owned entry and preserves user keys. This test does not exist.
  • Impact: If a legacy config has mixed registry/user entries and teardown incorrectly removes user-owned entries, user configuration is lost. Conversely, if it fails to remove the registry-owned entry, the provider/policy may be stranded.
  • Recommended action: Add the test case to test/deepagents-mcp-legacy-lifecycle.test.ts.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search test/deepagents-mcp-legacy-lifecycle.test.ts for 'extra user keys' or 'user-owned' or 'partial corruption' test case with mixed registry/user entries in legacy .mcp.json.
  • Missing regression test: Add test: legacy .mcp.json with {'mcpServers': {'github': registryOwned, 'user-server': userOwned}}; run teardown; verify only 'github' removed, 'user-server' preserved.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search test/deepagents-mcp-legacy-lifecycle.test.ts for 'extra user keys' or 'user-owned' or 'partial corruption' test case with mixed registry/user entries in legacy .mcp.json.
  • Evidence: deepagents-mcp-legacy-lifecycle.test.ts lines 1-103 (8 existing tests); mcp-bridge-adapter-deepagents-legacy.ts lines 50-200 (teardown logic)

PRA-14 Resolve/justify — Missing provider CAS race simulation test in rebuild flow (PRA-17)

  • Location: test/helpers/rebuild-flow-harness.ts:1
  • Category: tests
  • Problem: Previous review requested a test in rebuild-flow-harness.ts or rebuild-dcode-recovery.test.ts simulating version advance between provider read and write during rebuild MCP preparation; verify McpBridgeError thrown. This test does not exist. (There is a provider ownership test in mcp-provider-ownership.test.ts but not integrated into the rebuild flow harness.)
  • Impact: If a concurrent writer advances the provider resource_version during rebuild MCP preparation, the rebuild could incorrectly treat the failure as success or leave the provider in an inconsistent state.
  • Recommended action: Add a rebuild flow test that: (1) mocks provider get returning resource_version=4, (2) on provider update, advances resource_version to 5 and returns concurrent modification error, (3) verifies rebuild MCP preparation throws McpBridgeError and does not treat the concurrent advance as success.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search test/helpers/rebuild-flow-harness.ts and test/actions/sandbox/rebuild-dcode-recovery.test.ts for 'resource.version' or 'CAS' or 'concurrent.*provider' test in rebuild MCP preparation.
  • Missing regression test: Add test in rebuild-dcode-recovery.test.ts using rebuildFlowHarness with mcpPreparation override that simulates provider version advance on update.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search test/helpers/rebuild-flow-harness.ts and test/actions/sandbox/rebuild-dcode-recovery.test.ts for 'resource.version' or 'CAS' or 'concurrent.*provider' test in rebuild MCP preparation.
  • Evidence: rebuild-flow-harness.ts lines 1-300 (mcpPreparation override exists); mcp-provider-ownership.test.ts lines 432-500 (CAS race test exists but not in rebuild harness)

PRA-15 Resolve/justify — Missing custom policy replay fidelity test during stale recovery with MCP entries (PRA-18)

  • Location: src/lib/actions/sandbox/rebuild-restore-phase.test.ts:1
  • Category: tests
  • Problem: Previous review requested a test in rebuild-restore-phase.test.ts with custom policies + MCP entries; simulate stale recovery; assert restored policies byte-match original. This test does not exist.
  • Impact: If custom policy content is not byte-identical after stale recovery, the sandbox's network policy enforcement could diverge from the intended configuration, potentially exposing unintended egress paths.
  • Recommended action: Add the test case to rebuild-restore-phase.test.ts.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search rebuild-restore-phase.test.ts for 'custom policy' or 'policy fidelity' or 'stale recovery' with MCP entries test.
  • Missing regression test: Add test: sandbox with custom policy preset + managed MCP entries; simulate stale recovery (corrupted state); run restore phase; assert restored custom policy content byte-matches original.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search rebuild-restore-phase.test.ts for 'custom policy' or 'policy fidelity' or 'stale recovery' with MCP entries test.
  • Evidence: rebuild-restore-phase.test.ts lines 1-148 (5 existing tests); rebuild-restore-phase.ts lines 1-105 (restore logic)

PRA-16 Improvement — OTEL_ENABLED hardcoded as string constant instead of module-level constant

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:869
  • Category: correctness
  • Problem: The value 'false' is assigned directly in assert_safe_runtime() function body. Previous review suggested replacing with module-level constant unless users/CI set alternate value.
  • Impact: Minor code clarity issue; the constant is never user-configurable and appears as a magic string in the function.
  • Suggested action: Define OTEL_ENABLED_VALUE = 'false' at module level and use it in assert_safe_runtime(). If the value is truly constant and never user-configurable, remove the runtime assignment and use the constant directly.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check managed-dcode-runtime.py line 869 for os.environ["OTEL_ENABLED"] = "false" and verify a module-level constant exists above.
  • Missing regression test: Not a testable behavior change; verify via code inspection that the constant is defined at module level.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: managed-dcode-runtime.py line 869

PRA-17 Improvement — No build-time check for memfd sealing and O_TMPFILE availability

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:1
  • Category: correctness
  • Problem: The code attempts memfd_create with MFD_ALLOW_SEALING at runtime and falls back to O_TMPFILE on specific errnos. Previous review requested a build-time check that fails the image build if neither is available, rather than silent runtime fallback.
  • Impact: Deployments on kernels without memfd sealing or O_TMPFILE support would silently use the weaker anonymous fallback, reducing descriptor integrity guarantees.
  • Suggested action: Add a build-time check in patch-managed-deepagents-code.py (during image build) or Dockerfile that verifies os.memfd_create with MFD_ALLOW_SEALING and os.O_TMPFILE are available; fail the build if both are unavailable. This makes the platform requirement explicit and fails fast.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check patch-managed-deepagents-code.py main() or Dockerfile for a build-time check that imports os and verifies hasattr(os, 'memfd_create') and hasattr(os, 'MFD_ALLOW_SEALING') and hasattr(os, 'O_TMPFILE').
  • Missing regression test: Add a test that mocks missing memfd_create/O_TMPFILE and verifies the build fails (may require integration test with Docker build).
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: managed-dcode-runtime.py lines 666-680 (_sealed_managed_mcp_snapshot), 735-780 (_anonymous_managed_mcp_snapshot); patch-managed-deepagents-code.py main() (no such check)

PRA-18 Resolve/justify — Source-of-truth review incomplete for Bash secret guard

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:50
  • Category: architecture
  • Problem: The comment documents invalid state, source boundary, source-fix constraint, and regression test, but does not identify: (1) a GitHub issue tracking the removal condition with target release, (2) a CI check that fails if dcode-wrapper.sh exists after the target release, (3) confirmation that the parity CI gate (PRA-4) covers Bash pattern extraction.
  • Impact: The Bash secret guard is a localized workaround that must be tracked for removal. Without a deadline and CI enforcement, it persists indefinitely.
  • Recommended action: Complete the source-of-truth review by: (1) filing a GitHub issue with target release for removing the Bash secret guard, (2) adding a CI check that fails if dcode-wrapper.sh secret guard code exists after the target release, (3) ensuring the parity CI gate from PRA-4 extracts and fingerprints Bash patterns.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check dcode-wrapper.sh header comment for GitHub issue reference with target release. Check CI for a check that fails on Bash secret guard existence post-deadline. Verify PRA-4 CI gate includes Bash pattern extraction.
  • Missing regression test: The parity test (test/langchain-deepagents-code-image.test.ts) feeds the canonical corpus through the wrapper but does not extract Bash regex fingerprints. The CI gate must do fingerprint extraction.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check dcode-wrapper.sh header comment for GitHub issue reference with target release. Check CI for a check that fails on Bash secret guard existence post-deadline. Verify PRA-4 CI gate includes Bash pattern extraction.
  • Evidence: dcode-wrapper.sh lines 50-350 (secret guard comment and implementation)

PRA-19 Resolve/justify — Source-of-truth review incomplete for Python _SECRET_PATTERNS

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:50
  • Category: architecture
  • Problem: The comment documents the source boundary and regression gate but does not identify: (1) a GitHub issue tracking the removal condition with target release, (2) a CI check that fails if _SECRET_PATTERNS exists after the target release, (3) confirmation that the parity CI gate covers Python pattern extraction.
  • Impact: The Python pattern mirror is a localized workaround that must be tracked for removal. Without a deadline and CI enforcement, it persists indefinitely.
  • Recommended action: Complete source-of-truth review with tracking issue and CI enforcement. The parity CI gate (PRA-4) should extract and fingerprint Python patterns.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check managed-dcode-runtime.py _SECRET_PATTERNS comment for GitHub issue reference with target release. Check CI for Python pattern extraction in parity gate.
  • Missing regression test: The parity test runs Python _contains_secret_shape against canonical vectors but does not extract Python regex fingerprints for comparison. The CI gate must do fingerprint extraction.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check managed-dcode-runtime.py _SECRET_PATTERNS comment for GitHub issue reference with target release. Check CI for Python pattern extraction in parity gate.
  • Evidence: managed-dcode-runtime.py lines 50-105 (_SECRET_PATTERNS comment and tuples)

PRA-20 Resolve/justify — Source-of-truth review incomplete for legacy v1 compatibility module

  • Location: src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts:1
  • Category: architecture
  • Problem: The comment documents invalid state, source boundary, and removal condition but does not identify: (1) a GitHub issue tracking the migration deadline, (2) a CI check that fails if the module exists after the deadline.
  • Impact: Legacy module persists without tracking; migration deadline unenforced.
  • Recommended action: Add a GitHub issue tracking the migration deadline (target release) and a CI check that fails if mcp-bridge-adapter-deepagents-legacy.ts exists after the target release. Reference the issue in the module header.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check mcp-bridge-adapter-deepagents-legacy.ts header for GitHub issue with target release. Check CI for legacy module existence check.
  • Missing regression test: Add static-checks step that fails if legacy module exists and current release >= target release.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check mcp-bridge-adapter-deepagents-legacy.ts header for GitHub issue with target release. Check CI for legacy module existence check.
  • Evidence: mcp-bridge-adapter-deepagents-legacy.ts lines 1-30 (header comment)

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: ubuntu-repo-cloud-langchain-deepagents-code, mcp-bridge, sandbox-rebuild, network-policy, cloud-onboard
Optional E2E: mcp-bridge-dev, security-posture, inference-routing

Dispatch hint: targets=ubuntu-repo-cloud-langchain-deepagents-code,mcp-bridge,sandbox-rebuild,network-policy,cloud-onboard

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • ubuntu-repo-cloud-langchain-deepagents-code (high): Required because the PR changes the Deep Agents Code image/runtime, managed inference route, secret boundary, and dcode rebuild lifecycle. This typed target onboards a real LangChain Deep Agents Code sandbox and runs smoke, inference, terminal-agent, deepagents-code-policy, and dcode lifecycle coverage.
  • mcp-bridge (high): Required because the PR changes MCP bridge adapters, Deep Agents MCP capability/projection/registration/teardown, URL validation, rebuild/restart/remove/status flows, and the live MCP bridge test itself. This is the existing live job that exercises real MCP bridge lifecycle and credential-placeholder boundaries, including the Deep Agents adapter matrix.
  • sandbox-rebuild (high): Required because the PR changes generic sandbox rebuild phases, backup/restore/destroy flow, durable config, managed image preflight/preparation/verification, and MCP ordering. This existing live job runs the real rebuild command and verifies state preservation, registry refresh, and backup credential hygiene.
  • network-policy (high): Required because sandbox policy schemas and network-policy-related docs changed. This live job validates real policy allow/deny behavior at the sandbox boundary rather than only schema/unit parsing.
  • cloud-onboard (high): Required because the PR changes deployment/user-facing docs, policy schemas, and sandbox runtime security boundaries that can affect the public install plus hosted onboarding path. This validates the public installer, real onboarding, sandbox health, inference.local, and hosted security checks.

Optional E2E

  • mcp-bridge-dev (high): Useful compatibility confidence for the same MCP bridge changes against moving OpenShell dev artifacts, but it is explicit-only and should not block merge unless maintainers want extra forward-compatibility signal.
  • security-posture (high): Adjacent confidence for sandbox credential/security posture across OpenClaw and Hermes. It does not directly cover Deep Agents Code, so it is optional relative to the Deep Agents target and MCP bridge job.
  • inference-routing (medium): Useful adjacent confidence because the Deep Agents runtime changes managed OPENAI_BASE_URL/NEMOCLAW_INFERENCE_BASE_URL handling, but the Deep Agents typed target already exercises the direct affected agent route.

New E2E recommendations

  • Deep Agents Code managed MCP descriptor integrity (high): This PR introduces process-local managed MCP snapshots, sealed memfd/O_TMPFILE fallback, descriptor binding, and pass_fds behavior across Deep Agents Code/LangGraph child processes. Existing mcp-bridge coverage should exercise the functional bridge path, but a focused live regression that mutates/replaces .deepagents/.nemoclaw-mcp.json during dcode startup and restart would better prove the descriptor integrity boundary.
    • Suggested test: Add a focused Deep Agents Code live E2E that onboards a dcode sandbox, registers an MCP bridge, starts headless dcode, races mutation/replacement of .deepagents/.nemoclaw-mcp.json, restarts the LangGraph server path if applicable, and asserts the child consumes only the validated snapshot while rejecting tampered descriptors.
  • Deep Agents Code rebuild with MCP bridge preservation (medium): The PR changes dcode rebuild orchestration and MCP restoration ordering. Existing rebuild and MCP bridge tests cover those areas separately; coverage would be stronger with one live scenario that combines a Deep Agents Code MCP bridge, rebuild, and post-rebuild headless tool call.
    • Suggested test: Add a Deep Agents Code rebuild+MCP live E2E that creates a dcode sandbox, registers a managed MCP bridge, runs nemoclaw <sandbox> rebuild --yes, and verifies the managed MCP projection, credential placeholders, and headless dcode MCP tool call still work after restore.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: targets=ubuntu-repo-cloud-langchain-deepagents-code,mcp-bridge,sandbox-rebuild,network-policy,cloud-onboard

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: mcp-bridge, mcp-bridge-dev, ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=mcp-bridge
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=mcp-bridge-dev
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • mcp-bridge: Focused free-standing E2E job wired for changed live test test/e2e/live/mcp-bridge.test.ts.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=mcp-bridge
  • mcp-bridge-dev: Focused free-standing E2E job wired for changed live test test/e2e/live/mcp-bridge.test.ts.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=mcp-bridge-dev
  • ubuntu-repo-cloud-langchain-deepagents-code: The PR changes the LangChain Deep Agents Code managed image, manifest, wrapper/runtime hardening, MCP projection, and dcode rebuild paths; this live-supported typed target exercises the Deep Agents Code onboarding and policy/runtime surface.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Optional E2E targets

  • None.

Relevant changed files

  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/manifest.yaml
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-capability.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-command.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-inspection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-registration.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-teardown.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-inspection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-status.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-teardown.ts
  • src/lib/actions/sandbox/mcp-bridge-adapters.ts
  • src/lib/actions/sandbox/mcp-bridge-destroy.ts
  • src/lib/actions/sandbox/mcp-bridge-rebuild.ts
  • src/lib/actions/sandbox/mcp-bridge-remove.ts
  • src/lib/actions/sandbox/mcp-bridge-restart.ts
  • src/lib/actions/sandbox/mcp-bridge-status.ts
  • src/lib/actions/sandbox/mcp-bridge-url-validation.ts
  • src/lib/actions/sandbox/rebuild-backup-phase.ts
  • src/lib/actions/sandbox/rebuild-dcode-orchestrator.ts
  • src/lib/actions/sandbox/rebuild-dcode-preflight.ts
  • src/lib/actions/sandbox/rebuild-destroy-phase.ts
  • src/lib/actions/sandbox/rebuild-durable-config.ts
  • src/lib/actions/sandbox/rebuild-managed-image-preflight.ts
  • src/lib/actions/sandbox/rebuild-mcp-order.ts
  • src/lib/actions/sandbox/rebuild-pipeline.ts
  • src/lib/actions/sandbox/rebuild-post-restore-phase.ts
  • src/lib/actions/sandbox/rebuild-preflight-phase.ts
  • src/lib/actions/sandbox/rebuild-restore-phase.ts
  • test/e2e/live/mcp-bridge.test.ts

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 0 suggestions · 6 test follow-ups
Since last review: 1 prior item resolved · 5 still apply · 0 new items found

Action checklist

  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Runtime validation
  • PRA-T6 Add or justify test follow-up: Acceptance clause
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Real DCode v2 MCP add/restart launches the LangGraph child with the inherited /proc/self/fd managed MCP snapshot and continues using that snapshot after /sandbox/.deepagents/.nemoclaw-mcp.json is mutated.. Static and unit coverage is extensive and behavior-specific for DCode MCP projection safety, descriptor binding, strict URL/secret validation, legacy teardown, runtime capability gating, schema constraints, and rebuild rollback. Runtime validation is still recommended because this PR changes Docker image assembly, Bash launchers, patched third-party Python modules, OpenShell sandbox exec, LangGraph child pass_fds inheritance, and destructive rebuild ordering.
  • PRA-T2 Runtime validation — Real DCode server restart passes NEMOCLAW_DCODE_MCP_BINDING and pass_fds to the restarted LangGraph child and rejects a foreign same-sized descriptor.. Static and unit coverage is extensive and behavior-specific for DCode MCP projection safety, descriptor binding, strict URL/secret validation, legacy teardown, runtime capability gating, schema constraints, and rebuild rollback. Runtime validation is still recommended because this PR changes Docker image assembly, Bash launchers, patched third-party Python modules, OpenShell sandbox exec, LangGraph child pass_fds inheritance, and destructive rebuild ordering.
  • PRA-T3 Runtime validation — Real legacy v1 Deep Agents MCP remove, rebuild, and destroy scrub only the exact registry-owned /sandbox/.deepagents/.mcp.json server entry, preserve unrelated user MCP content, and do not require the v2 capability marker.. Static and unit coverage is extensive and behavior-specific for DCode MCP projection safety, descriptor binding, strict URL/secret validation, legacy teardown, runtime capability gating, schema constraints, and rebuild rollback. Runtime validation is still recommended because this PR changes Docker image assembly, Bash launchers, patched third-party Python modules, OpenShell sandbox exec, LangGraph child pass_fds inheritance, and destructive rebuild ordering.
  • PRA-T4 Runtime validation — Real DCode rebuild with managed MCP aborts before sandbox deletion and restores adapter/provider state when the prepared replacement route, image, or build context drifts after MCP preparation.. Static and unit coverage is extensive and behavior-specific for DCode MCP projection safety, descriptor binding, strict URL/secret validation, legacy teardown, runtime capability gating, schema constraints, and rebuild rollback. Runtime validation is still recommended because this PR changes Docker image assembly, Bash launchers, patched third-party Python modules, OpenShell sandbox exec, LangGraph child pass_fds inheritance, and destructive rebuild ordering.
  • PRA-T5 Runtime validation — Real sandbox Deep Agents MCP register, status, and remove handoffs invoke /opt/venv/bin/python3 -I with a fixed absolute path even when PATH contains a fake python3 earlier than the managed interpreter.. Static and unit coverage is extensive and behavior-specific for DCode MCP projection safety, descriptor binding, strict URL/secret validation, legacy teardown, runtime capability gating, schema constraints, and rebuild rollback. Runtime validation is still recommended because this PR changes Docker image assembly, Bash launchers, patched third-party Python modules, OpenShell sandbox exec, LangGraph child pass_fds inheritance, and destructive rebuild ordering.
  • PRA-T6 Acceptance clause — No deterministic linked issue acceptance clauses or issue comments were available in the validation context. — add test evidence or identify existing coverage. The deterministic context reported linkedIssues: []; PR body references to feat(mcp): add OpenShell-managed MCP servers #5876, [Ubuntu 24.04][Sandbox] Deep Agents nemoclaw <dcode-sb> rebuild is non-atomic — destroys sandbox before validating recreate config (sibling OpenClaw fix does not cover langchain-deepagents-code) #6195, and refactor(onboard): separate sandbox intent from effects #6218 were treated as untrusted PR-provided evidence rather than normative acceptance clauses. Diff/test evidence was therefore reviewed against changed behavior, not issue acceptance text.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts (1)

232-240: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Symlink reads need the same O_NOFOLLOW guard as legacy.

The v2 register/rollback/remove paths still do is_symlink() and then reopen with read_text(), so a path swap between the check and the read can redirect the config read. Use the legacy O_NOFOLLOW/fingerprint pattern for the managed projection too.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts` around lines 232 -
240, The managed projection read path still relies on is_symlink() followed by
read_text(), which leaves a race window before the file is reopened. Update the
v2 register/rollback/remove handling in mcp-bridge-adapter-deepagents to use the
same O_NOFOLLOW plus fingerprint verification pattern as the legacy path, so the
config is opened safely and validated after the open rather than before it. Keep
the existing config_path validation flow, but route the actual read through the
hardened helper logic used for the legacy projection.
🧹 Nitpick comments (5)
src/lib/actions/sandbox/rebuild-durable-config.ts (1)

28-29: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Import DCODE_AGENT_NAME instead of duplicating the literal.
rebuild-durable-config.ts re-declares the same "langchain-deepagents-code" value already exported from rebuild-dcode-target.ts; share the export to keep the agent name authoritative.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/rebuild-durable-config.ts` around lines 28 - 29, The
agent name literal is duplicated in rebuild-durable-config.ts instead of reusing
the shared export. Update the code in rebuild-durable-config.ts to import
DCODE_AGENT_NAME from rebuild-dcode-target.ts and use that symbol directly so
the name stays authoritative in one place.

Source: Path instructions

src/lib/actions/sandbox/rebuild-destroy-phase.ts (1)

71-80: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Log the swallowed error before falling back to the generic message.

checkAtDeleteEdge already converts expected bail outcomes into { ok: false, message, code }; it only throws for genuinely unexpected faults. Discarding that error here collapses the only diagnostic for an unexpected failure on the destructive pre-delete path into a fixed string, making a rare rebuild abort hard to triage.

🩹 Proposed change to retain diagnostics
         try {
           validation = await validateAfterMcpPreparation();
-        } catch {
+        } catch (error) {
+          log(
+            `DCode delete-edge validation threw unexpectedly: ${error instanceof Error ? error.message : String(error)}`,
+          );
           validation = {
             ok: false,
             message: "DCode replacement validation failed before sandbox deletion.",
           };
         }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/rebuild-destroy-phase.ts` around lines 71 - 80, The
validation fallback in rebuild-destroy-phase should not swallow unexpected
errors from validateAfterMcpPreparation. In the try/catch around
validateAfterMcpPreparation, capture the thrown error and log it before
assigning the generic RebuildDeleteValidationResult fallback, so the destructive
pre-delete path retains diagnostics. Use the existing
validateAfterMcpPreparation and validation handling in rebuild-destroy-phase to
add the error details to the log while still returning the same fallback
message.
src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts (1)

79-113: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Hardcoded 64 duplicates DEEPAGENTS_MCP_MAX_SERVERS.

The rollback script embeds the server cap as a literal 64 in the generated Python ("if is_v2 and len(payload['expectedServers']) > 64:") instead of interpolating the DEEPAGENTS_MCP_MAX_SERVERS constant already defined in this file. If the constant ever changes, the two values will silently drift.

♻️ Suggested fix
-    "if is_v2 and len(payload['expectedServers']) > 64:",
-    "    print('Managed MCP v2 supports at most 64 servers', file=sys.stderr)",
+    `if is_v2 and len(payload['expectedServers']) > ${String(DEEPAGENTS_MCP_MAX_SERVERS)}:`,
+    `    print('Managed MCP v2 supports at most ${String(DEEPAGENTS_MCP_MAX_SERVERS)} servers', file=sys.stderr)`,
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts` around lines 79 -
113, The rollback command in buildDeepAgentsMcpRollbackRegisterCommand hardcodes
the Managed MCP server limit as 64, which can drift from
DEEPAGENTS_MCP_MAX_SERVERS. Replace the literal in the generated Python check
with the shared DEEPAGENTS_MCP_MAX_SERVERS constant from this module, so the
limit stays consistent wherever the rollback script is built.
src/lib/actions/sandbox/mcp-bridge-destroy.ts (1)

108-210: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Extract shared scrub/rollback helper to avoid destroy/rebuild drift.

The scrub-adapter-with-unowned-check loop and the corresponding rollback registration loop are duplicated almost verbatim between prepareMcpBridgesForDestroy here and prepareMcpBridgesForRebuild in mcp-bridge-rebuild.ts. This PR had to land the same hardening in both places; a shared helper (e.g. scrubManagedAdapterOrThrow/rollbackScrubbedAdapters) would remove that duplication risk for future changes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/mcp-bridge-destroy.ts` around lines 108 - 210, The
scrub-and-rollback logic in prepareMcpBridgesForDestroy is duplicated with
prepareMcpBridgesForRebuild, so extract the shared adapter scrub and rollback
behavior into a common helper. Move the repeated
unregisterAgentAdapter/isAgentMcpAdapter/getBridgeAdapter flow and the rollback
registerAgentAdapter flow into reusable functions such as
scrubManagedAdapterOrThrow and rollbackScrubbedAdapters, then call them from
both prepareMcpBridgesForDestroy and prepareMcpBridgesForRebuild to keep the
destroy/rebuild paths in sync.
agents/langchain-deepagents-code/patch-managed-deepagents-code.py (1)

532-593: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Sealed-descriptor validation duplicated between SERVER_POPEN_PATCH and the helper's _sealed_managed_mcp_snapshot.

The required_seals bitmask and fstat/seal-check logic in SERVER_POPEN_PATCH (Lines 561-583) reimplement the same checks performed when the descriptor is originally sealed in _sealed_managed_mcp_snapshot (Lines 1156-1194). If the required seal set or size cap changes in one location without the other, the server subprocess boundary could silently accept a descriptor that no longer matches the sealing invariant the rest of the system assumes.

Consider exposing a single validate_sealed_mcp_descriptor(descriptor: int) -> None helper in _nemoclaw_managed.py (or a shared constant for required_seals/262_144) and importing it from the injected SERVER_POPEN_PATCH, so both call sites stay in lockstep.

♻️ Illustrative direction (not a drop-in diff, since both blocks are raw string patches)
-required_seals = (
-    fcntl.F_SEAL_WRITE
-    | fcntl.F_SEAL_GROW
-    | fcntl.F_SEAL_SHRINK
-    | fcntl.F_SEAL_SEAL
-)
+from deepagents_code._nemoclaw_managed import REQUIRED_MCP_SEALS as required_seals
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/langchain-deepagents-code/patch-managed-deepagents-code.py` around
lines 532 - 593, `SERVER_POPEN_PATCH` duplicates the sealed MCP descriptor
validation already enforced by `_sealed_managed_mcp_snapshot`, so the two paths
can drift. Extract the seal/size/fstat checks into a shared helper such as
`validate_sealed_mcp_descriptor(descriptor: int) -> None` in
`_nemoclaw_managed.py` (or shared constants for `required_seals` and the size
cap), then call that helper from both `_sealed_managed_mcp_snapshot` and the
`SERVER_POPEN_PATCH` startup path before `subprocess.Popen`. Keep the `pass_fds`
wiring in `SERVER_POPEN_PATCH`, but move the validation logic out so both call
sites stay consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts`:
- Around line 226-227: The register path in mcp-bridge-adapter-deepagents still
shells out through the bare python3 interpreter, unlike the rollback/remove
flows that use the isolated /opt/venv/bin/python3 -I invocation. Update the
command construction in the registration logic so it uses the same isolated
interpreter and flags as the other paths, keeping the behavior consistent in the
managed MCP projection and avoiding PATH/PYTHONPATH or local-site shadowing.

---

Outside diff comments:
In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts`:
- Around line 232-240: The managed projection read path still relies on
is_symlink() followed by read_text(), which leaves a race window before the file
is reopened. Update the v2 register/rollback/remove handling in
mcp-bridge-adapter-deepagents to use the same O_NOFOLLOW plus fingerprint
verification pattern as the legacy path, so the config is opened safely and
validated after the open rather than before it. Keep the existing config_path
validation flow, but route the actual read through the hardened helper logic
used for the legacy projection.

---

Nitpick comments:
In `@agents/langchain-deepagents-code/patch-managed-deepagents-code.py`:
- Around line 532-593: `SERVER_POPEN_PATCH` duplicates the sealed MCP descriptor
validation already enforced by `_sealed_managed_mcp_snapshot`, so the two paths
can drift. Extract the seal/size/fstat checks into a shared helper such as
`validate_sealed_mcp_descriptor(descriptor: int) -> None` in
`_nemoclaw_managed.py` (or shared constants for `required_seals` and the size
cap), then call that helper from both `_sealed_managed_mcp_snapshot` and the
`SERVER_POPEN_PATCH` startup path before `subprocess.Popen`. Keep the `pass_fds`
wiring in `SERVER_POPEN_PATCH`, but move the validation logic out so both call
sites stay consistent.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts`:
- Around line 79-113: The rollback command in
buildDeepAgentsMcpRollbackRegisterCommand hardcodes the Managed MCP server limit
as 64, which can drift from DEEPAGENTS_MCP_MAX_SERVERS. Replace the literal in
the generated Python check with the shared DEEPAGENTS_MCP_MAX_SERVERS constant
from this module, so the limit stays consistent wherever the rollback script is
built.

In `@src/lib/actions/sandbox/mcp-bridge-destroy.ts`:
- Around line 108-210: The scrub-and-rollback logic in
prepareMcpBridgesForDestroy is duplicated with prepareMcpBridgesForRebuild, so
extract the shared adapter scrub and rollback behavior into a common helper.
Move the repeated unregisterAgentAdapter/isAgentMcpAdapter/getBridgeAdapter flow
and the rollback registerAgentAdapter flow into reusable functions such as
scrubManagedAdapterOrThrow and rollbackScrubbedAdapters, then call them from
both prepareMcpBridgesForDestroy and prepareMcpBridgesForRebuild to keep the
destroy/rebuild paths in sync.

In `@src/lib/actions/sandbox/rebuild-destroy-phase.ts`:
- Around line 71-80: The validation fallback in rebuild-destroy-phase should not
swallow unexpected errors from validateAfterMcpPreparation. In the try/catch
around validateAfterMcpPreparation, capture the thrown error and log it before
assigning the generic RebuildDeleteValidationResult fallback, so the destructive
pre-delete path retains diagnostics. Use the existing
validateAfterMcpPreparation and validation handling in rebuild-destroy-phase to
add the error details to the log while still returning the same fallback
message.

In `@src/lib/actions/sandbox/rebuild-durable-config.ts`:
- Around line 28-29: The agent name literal is duplicated in
rebuild-durable-config.ts instead of reusing the shared export. Update the code
in rebuild-durable-config.ts to import DCODE_AGENT_NAME from
rebuild-dcode-target.ts and use that symbol directly so the name stays
authoritative in one place.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ab00d379-3a80-4b24-9856-98e861adb76e

📥 Commits

Reviewing files that changed from the base of the PR and between dd4c335 and bed83e7.

📒 Files selected for processing (49)
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/manifest.yaml
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py
  • docs/deployment/set-up-mcp-bridge.mdx
  • docs/get-started/quickstart-langchain-deepagents-code.mdx
  • docs/network-policy/customize-network-policy.mdx
  • docs/reference/commands-nemohermes.mdx
  • docs/reference/commands.mdx
  • docs/security/best-practices.mdx
  • schemas/policy-preset.schema.json
  • schemas/sandbox-policy.schema.json
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-inspection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-status.ts
  • src/lib/actions/sandbox/mcp-bridge-adapters.ts
  • src/lib/actions/sandbox/mcp-bridge-destroy.ts
  • src/lib/actions/sandbox/mcp-bridge-input-validation.test.ts
  • src/lib/actions/sandbox/mcp-bridge-rebuild.ts
  • src/lib/actions/sandbox/mcp-bridge-remove.ts
  • src/lib/actions/sandbox/mcp-bridge-restart.ts
  • src/lib/actions/sandbox/mcp-bridge-url-validation.ts
  • src/lib/actions/sandbox/rebuild-backup-phase.test.ts
  • src/lib/actions/sandbox/rebuild-backup-phase.ts
  • src/lib/actions/sandbox/rebuild-dcode-flow.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-orchestrator.ts
  • src/lib/actions/sandbox/rebuild-dcode-preflight.ts
  • src/lib/actions/sandbox/rebuild-destroy-phase.ts
  • src/lib/actions/sandbox/rebuild-durable-config.test.ts
  • src/lib/actions/sandbox/rebuild-durable-config.ts
  • src/lib/actions/sandbox/rebuild-managed-image-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-managed-image-preflight.ts
  • src/lib/actions/sandbox/rebuild-mcp-order.test.ts
  • src/lib/actions/sandbox/rebuild-mcp-order.ts
  • src/lib/actions/sandbox/rebuild-pipeline.ts
  • src/lib/actions/sandbox/rebuild-post-restore-phase.ts
  • src/lib/actions/sandbox/rebuild-preflight-phase.ts
  • src/lib/actions/sandbox/rebuild-restore-phase.test.ts
  • src/lib/actions/sandbox/rebuild-restore-phase.ts
  • test/deepagents-mcp-legacy-lifecycle.test.ts
  • test/deepagents-mcp-runtime-capability.test.ts
  • test/e2e/e2e-cloud-experimental/checks/07-deepagents-code-headless-inference.sh
  • test/e2e/live/mcp-bridge.test.ts
  • test/helpers/rebuild-flow-harness.ts
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-managed-entrypoints.test.ts
  • test/snapshot.test.ts
  • test/validate-config-schemas.test.ts

Comment thread src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts Outdated
cv added 3 commits July 3, 2026 19:23
Signed-off-by: Carlos Villela <cvillela@nvidia.com>

# Conflicts:
#	src/lib/actions/sandbox/rebuild-dcode-orchestrator.ts
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv

cv commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator Author

Review follow-up — 46181866e

Pushed as ordinary signed commits on top of the published branch; no history rewrite or force-push. All four PR commits are GitHub Verified.

Required architecture findings

  • PRA-5: mcp-bridge-adapter-deepagents.ts is now a 13-line facade. Capability, command execution, inspection, registration, legacy compatibility, teardown, projection safety, and status live in focused modules; the new/changed production modules are 161/137/185/192 lines at most.
  • PRA-6: the 526-line adapter test was removed and split by registration, legacy teardown, rollback, runtime guards, v2 removal, and projection safety.
  • PRA-7: the 597-line DCode flow test was removed and split by artifact drift, mutation edge, pre-delete drift, recovery, preflight, and orchestration.
  • PRA-8: the 414-line managed-image test was removed and split into preparation, configuration, and verification suites.
  • The source-shape budget, test-size budget, changed-test conditional guard, project membership, import boundary, and title checks all pass. The GitHub codebase-growth-guardrails check is green on this head.

Security and source-of-truth findings

  • Bare Python / GPT PRA-1: register, status, rollback, and remove now use /opt/venv/bin/python3 -I; command-prefix and executable fixture coverage were added. The inline CodeRabbit thread is fixed and resolved.
  • V2 projection TOCTOU: reads use O_NOFOLLOW | O_NONBLOCK plus stable inode/metadata checks. Existing files are rewritten only through the validated open O_RDWR descriptor, with pathname↔inode verification before and after; no v2 existing-path unlink/replace remains. Absent creation is fail-if-present. Force rejects symlinks, FIFOs, unsafe modes, hardlinks, and nonregular state.
  • Last removal: writes the strict {"mcpServers":{}} tombstone through the pinned descriptor. DCode interprets only that strict shape as no managed MCP state and creates no memfd.
  • Sealed handoff: one helper now validates type, size, seals, and exact process-local _MANAGED_MCP_FD provenance for initial start and restart.
  • 64-server limit: one exported constant drives normal registration and v2 rollback.
  • Destroy/rebuild duplication: both flows now use the same adapter resolution, scrub, and rollback helpers without changing provider ordering or registry transactions.
  • Diagnostics / constants: unexpected delete-edge errors are retained through full redaction, and DCode agent identity comes from the shared export.
  • Legacy .mcp.json (PRA-1/PRA-13): the compatibility module now records the invalid state, source boundary, source-fix constraint, regression suite, and removal condition. It remains only for surviving v1 sandboxes; exact-entry teardown/rollback fails closed and preserves unrelated user content. Docs and mutation errors require rebuild to v2.
  • Sandbox-scoped placeholders (PRA-2/PRA-10): the source boundary and removal condition are recorded in mcp-bridge-status.ts; status and security docs retain the sandbox-scope warning until OpenShell provides endpoint-exclusive binding plus Host/scheme/query enforcement.
  • Bash/Python mirror (PRA-3/PRA-9): the wrapper records why the pre-exec Bash boundary cannot import the TypeScript source. CI pins canonical pattern fingerprints and executes every canonical token family; removal is gated on upstream rejection or a Node entrypoint.
  • Third-party patch surface (PRA-4/PRA-11): DCode remains pinned, every patch site is AST/shape-gated, and the 77 image-contract plus 33 direct-module tests fail closed on upstream drift. This goes away only when the relevant hardening is upstream.
  • feat(agents): add progressive tool disclosure #6251 overlap (PRA-12): feat(agents): add progressive tool disclosure #6251 remains sequenced after this PR and must rebase/port onto the decomposed pipeline; it should not be merged against the pre-fix(mcp): harden DCode rebuild handoff #6260 layout.

Two independent security passes reviewed the final descriptor-bound design across all nine categories and returned PASS — no blockers.

Test follow-ups

  • GPT T1: generated register/status commands are pinned to the absolute isolated interpreter and executed by the projection suite.
  • GPT T2: the direct-module test starts and restarts from one sealed snapshot, mutates the original file between them, and proves both children retain the snapshot.
  • GPT T3: legacy remove, rebuild, and destroy are exercised without a v2 marker and preserve exact ownership semantics.
  • Nemotron T2/T7: mcp-provider-ownership.test.ts already advances the live OpenShell resource version during update and proves the ambiguous mutation fails closed; add crash-consistency coverage handles the provider-create/ID-persistence boundary.
  • Nemotron T3/T8: start/restart reject unsealed, zero-length, oversized, and foreign fully sealed descriptors; provenance is bound to the live process-local fd.
  • Nemotron T5/PRA-18: stale DCode recovery proves exact custom-policy replay without a backup, while the restore-boundary test proves generated MCP policies are excluded from custom replay and left exclusively to MCP restoration.
  • Nemotron T1/T6: both add and rebuild enter the same filesystem-backed lifecycle lock. The lock suite covers async-context reentrancy, cross-process exclusion, stale-owner reclamation, identity reuse, timeout, and cleanup. A command-level parallel mock would duplicate this boundary without exercising additional production branching, so it is not added here.
  • Nemotron T4/PRA-17: v1 status-specific presentation is deferred with the transitional v1 compatibility path; all v1 mutations already return explicit rebuild guidance, and docs require rebuilding to capability v2. The compatibility module has a concrete removal condition.

Final local evidence: 29 changed test files / 426 tests passed; dependent destroy/adapter suites 39/39; final security suites 178/178; typecheck, Biome, Python compile, full non-coverage hook set, size/shape/import/project/title gates, and diff checks passed.

Required live E2E dispatches:

Comment thread src/lib/actions/sandbox/rebuild-managed-image-verification.test.ts Fixed
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28693440273
Workflow ref: codex/reconcile-5876-latest
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (6)
src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts (1)

26-47: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Source-text assertions duplicate the executed race/attack tests below.

This test asserts on literal substrings inside the generated Python source (os.O_NOFOLLOW, os.fstat(descriptor), etc.) without executing the command, which is implementation lock-in rather than an observable-behavior check. The later tests in this file (duplicate-JSON, symlink, race-condition cases) already exercise these same guarantees behaviorally by running the generated command and asserting on exit status/stderr/file state — consider relying on those and trimming this to only what can't be proven behaviorally (e.g., the isolated-interpreter prefix check).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts`
around lines 26 - 47, The test in
mcp-bridge-adapter-deepagents-projection.test.ts is over-asserting generated
Python source strings instead of behavior, and it duplicates the protection
already covered by the executed race/attack tests. Trim the assertions in the
affected `it("uses the isolated runtime and one stable-read contract for every
v2 mutation")` case to only check what can’t be verified behaviorally, such as
the `buildDeepAgentsMcpStatusCommand`/registration command isolated-interpreter
prefix, and remove the literal substring checks for internals like
`os.O_NOFOLLOW`, `os.fstat(descriptor)`, `assert_managed_source_stable(path,
identity)`, `os.link(...)`, and `os.ftruncate(...)`.

Source: Path instructions

src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-command.ts (1)

10-28: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Move the sandbox process call behind an adapter runDeepAgentsAdapterCommand still invokes executeSandboxCommand from src/lib/actions/sandbox, while src/lib/adapters/README.md says host-boundary calls belong in adapters. If this helper is meant to own execution, relocate it under src/lib/adapters/** and keep actions orchestration-only.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-command.ts` around
lines 10 - 28, runDeepAgentsAdapterCommand is still making a host-boundary
sandbox call directly through executeSandboxCommand, which belongs in an adapter
layer. Move the execution responsibility into an adapter under
src/lib/adapters/** and keep this helper in actions limited to
orchestration/redaction/error handling. Preserve the current behavior by having
runDeepAgentsAdapterCommand call the new adapter entry point instead of
importing executeSandboxCommand directly, and update any related adapter symbols
such as McpBridgeError and redactBridgeSecretsForDisplay usage as needed.

Source: Path instructions

src/lib/actions/sandbox/rebuild-dcode-mutation-edge.test.ts (1)

55-78: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Ordering assertions rely on positional destructuring without a length guard.

invocationCallOrder is destructured into four named variables assuming exactly four calls occurred; if the implementation's call count regresses, destructured values become undefined and toBeLessThan comparisons will fail with a less-informative error rather than clearly reporting a call-count mismatch. This is low-risk since toHaveBeenCalledTimes(4) at line 37 already validates the count before the destructuring.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/rebuild-dcode-mutation-edge.test.ts` around lines 55
- 78, The ordering assertions in the rebuild-dcode-mutation-edge test rely on
destructuring invocationCallOrder without an explicit guard, so keep the
existing call-count check before using firstRouteOrder, preBackupRouteOrder,
preMcpRouteOrder, and deleteEdgeRouteOrder. In the test around
harness.preflightDcodeRouteSpy and the other spy orders, make sure the sequence
assertions only run after verifying the expected number of calls so failures
report a clear count mismatch rather than undefined comparison noise.
test/langchain-deepagents-code-managed-mcp-hardening.test.ts (1)

44-49: 📐 Maintainability & Code Quality | 🔵 Trivial | 🏗️ Heavy lift

Prefer the managed runtime’s public boundary over private globals.

These assertions call underscored helpers and mutate _MANAGED_MCP_* state directly, which locks the test to implementation shape. Where possible, set up descriptor/config inputs and assert the observable managed_mcp_config_path() / managed_mcp_server_descriptor() outcomes instead.

As per path instructions, tests should prefer “observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions.”

Also applies to: 86-99

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/langchain-deepagents-code-managed-mcp-hardening.test.ts` around lines 44
- 49, The test is asserting behavior through private helpers and globals instead
of the managed runtime’s public boundary. Update the affected cases to drive
setup through descriptor/config inputs and verify observable outcomes via
managed_mcp_config_path() and managed_mcp_server_descriptor() rather than
calling _canonicalize_managed_mcp_config(), _read_managed_mcp_config(), or
mutating _MANAGED_MCP_* directly. Use the same approach in the other referenced
block so the test stays aligned with the public contract of the managed runtime.

Source: Path instructions

src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-runtime-guards.test.ts (1)

87-94: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Split the command-specific expectations.

Line 93 allows either command to pass on any status 2, which can hide an unrelated failure while still claiming “does not mutate.” Assert the teardown and rollback outcomes separately.

Proposed test tightening
-    for (const command of [
-      buildDeepAgentsMcpRemoveCommand(baseEntry, true, true),
-      buildDeepAgentsMcpRegisterCommand(baseEntry, true, [baseEntry], true),
-    ]) {
-      const result = runDeepAgentsConfigCommand(command, undefined, "legacy", legacyConfig, 0o644);
-      expect(result.legacyConfigText).toBe(original);
-      expect(result.status === 2 || result.stdout.includes("REMOVAL=unowned")).toBe(true);
-    }
+    const removal = runDeepAgentsConfigCommand(
+      buildDeepAgentsMcpRemoveCommand(baseEntry, true, true),
+      undefined,
+      "legacy",
+      legacyConfig,
+      0o644,
+    );
+    expect(removal.legacyConfigText).toBe(original);
+    expect(removal.status, removal.stderr).toBe(0);
+    expect(removal.stdout).toContain("NEMOCLAW_DEEPAGENTS_MCP_REMOVAL=unowned");
+
+    const rollback = runDeepAgentsConfigCommand(
+      buildDeepAgentsMcpRegisterCommand(baseEntry, true, [baseEntry], true),
+      undefined,
+      "legacy",
+      legacyConfig,
+      0o644,
+    );
+    expect(rollback.legacyConfigText).toBe(original);
+    expect(rollback.status, rollback.stderr).toBe(2);
+    expect(rollback.stderr).toContain("unsafe");

As per path instructions, “Flag ... conditionals that make a test pass without exercising its claim.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-runtime-guards.test.ts`
around lines 87 - 94, The loop in the deep agents runtime guards test is masking
command-specific failures by accepting either status 2 or a rollback marker for
both commands. Split the assertions for buildDeepAgentsMcpRemoveCommand and
buildDeepAgentsMcpRegisterCommand in
mcp-bridge-adapter-deepagents-runtime-guards.test so each command separately
verifies its expected teardown or rollback behavior, and keep the
legacyConfigText unchanged check for each case without allowing a generic pass
condition.

Source: Path instructions

src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts (1)

16-26: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Bound the legacy compatibility window with a retirement reference.

The retained v1 path has a removal condition, but no GitHub issue/PR link or observable exit criteria. Add the retirement reference and concrete criteria, or mark this as an explicitly bounded rollback window.

As per path instructions, retaining an old path requires linking the retirement issue or PR and stating observable exit criteria.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts` around lines
16 - 26, The legacy compatibility note in mcp-bridge-adapter-deepagents-legacy
needs a concrete retirement anchor and exit criteria. Update the retirement
guidance near the removalCondition/sourceBoundary comments to include the GitHub
issue or PR that tracks deprecation, or explicitly state this is a bounded
rollback window. Make the criteria observable by tying deletion of the
compatibility module to specific supported-release or registry-owned v1 entry
conditions, and keep the reference close to the existing legacy-path comments so
it’s easy to find.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts`:
- Around line 44-46: The ordering assertion in the MCP bridge projection test
can pass even when one or both substrings are missing because it uses indexOf
directly. Update the test around registrationCommand to first assert that both
"len(payload) > MANAGED_MCP_MAX_BYTES" and "os.ftruncate(descriptor, 0)" are
present, then compare their positions so the ordering check in
src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts
actually fails when either marker is absent.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.ts`:
- Around line 109-121: The managed projection rewrite in
mcp-bridge-adapter-deepagents-projection should not truncate the live file in
place, because failures in the write/fsync/verification path can leave
.nemoclaw-mcp.json empty or partial. Update the rewrite flow around the managed
projection logic to keep the opened descriptor only as the identity anchor,
write the new payload to a 0600 temp file, re-check
assert_managed_source_stable(path, identity) before publishing, then atomically
replace the target and verify the published content. Ensure the failure path
preserves state invariants and avoids destructive in-place updates.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-v2-removal.test.ts`:
- Around line 13-22: The test is asserting on the generated command’s source
text instead of the observable behavior of the Deep Agents removal flow. Update
the mcp-bridge-adapter-deepagents-v2-removal test to use
runDeepAgentsConfigCommand with a corrupted v2 projection fixture, and verify
the actual exit status and resulting config/state outcome rather than checking
substrings like Invalid managed MCP v2 projection, raise SystemExit(2), or the
force flag serialization. Use buildDeepAgentsMcpRemoveCommand only as the
command generator under test, but validate through the public execution boundary
like the other tests in this file.

In `@test/langchain-deepagents-code-managed-mcp-hardening.test.ts`:
- Around line 17-31: The temp directory cleanup in runManagedHelper is only
protected after the helper file is written, so failures in the setup path can
leak tempDir. Move the cleanup into a broader try/finally that wraps all setup
work in runManagedHelper, including the readFileSync, helperSource
extraction/assertion, and writeFileSync steps, so tempDir is always removed even
if those operations throw.

---

Nitpick comments:
In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-command.ts`:
- Around line 10-28: runDeepAgentsAdapterCommand is still making a host-boundary
sandbox call directly through executeSandboxCommand, which belongs in an adapter
layer. Move the execution responsibility into an adapter under
src/lib/adapters/** and keep this helper in actions limited to
orchestration/redaction/error handling. Preserve the current behavior by having
runDeepAgentsAdapterCommand call the new adapter entry point instead of
importing executeSandboxCommand directly, and update any related adapter symbols
such as McpBridgeError and redactBridgeSecretsForDisplay usage as needed.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts`:
- Around line 16-26: The legacy compatibility note in
mcp-bridge-adapter-deepagents-legacy needs a concrete retirement anchor and exit
criteria. Update the retirement guidance near the
removalCondition/sourceBoundary comments to include the GitHub issue or PR that
tracks deprecation, or explicitly state this is a bounded rollback window. Make
the criteria observable by tying deletion of the compatibility module to
specific supported-release or registry-owned v1 entry conditions, and keep the
reference close to the existing legacy-path comments so it’s easy to find.

In `@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts`:
- Around line 26-47: The test in
mcp-bridge-adapter-deepagents-projection.test.ts is over-asserting generated
Python source strings instead of behavior, and it duplicates the protection
already covered by the executed race/attack tests. Trim the assertions in the
affected `it("uses the isolated runtime and one stable-read contract for every
v2 mutation")` case to only check what can’t be verified behaviorally, such as
the `buildDeepAgentsMcpStatusCommand`/registration command isolated-interpreter
prefix, and remove the literal substring checks for internals like
`os.O_NOFOLLOW`, `os.fstat(descriptor)`, `assert_managed_source_stable(path,
identity)`, `os.link(...)`, and `os.ftruncate(...)`.

In
`@src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-runtime-guards.test.ts`:
- Around line 87-94: The loop in the deep agents runtime guards test is masking
command-specific failures by accepting either status 2 or a rollback marker for
both commands. Split the assertions for buildDeepAgentsMcpRemoveCommand and
buildDeepAgentsMcpRegisterCommand in
mcp-bridge-adapter-deepagents-runtime-guards.test so each command separately
verifies its expected teardown or rollback behavior, and keep the
legacyConfigText unchanged check for each case without allowing a generic pass
condition.

In `@src/lib/actions/sandbox/rebuild-dcode-mutation-edge.test.ts`:
- Around line 55-78: The ordering assertions in the rebuild-dcode-mutation-edge
test rely on destructuring invocationCallOrder without an explicit guard, so
keep the existing call-count check before using firstRouteOrder,
preBackupRouteOrder, preMcpRouteOrder, and deleteEdgeRouteOrder. In the test
around harness.preflightDcodeRouteSpy and the other spy orders, make sure the
sequence assertions only run after verifying the expected number of calls so
failures report a clear count mismatch rather than undefined comparison noise.

In `@test/langchain-deepagents-code-managed-mcp-hardening.test.ts`:
- Around line 44-49: The test is asserting behavior through private helpers and
globals instead of the managed runtime’s public boundary. Update the affected
cases to drive setup through descriptor/config inputs and verify observable
outcomes via managed_mcp_config_path() and managed_mcp_server_descriptor()
rather than calling _canonicalize_managed_mcp_config(),
_read_managed_mcp_config(), or mutating _MANAGED_MCP_* directly. Use the same
approach in the other referenced block so the test stays aligned with the public
contract of the managed runtime.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1fba9007-07ce-4bea-8b79-a4ebc9dfcabc

📥 Commits

Reviewing files that changed from the base of the PR and between bed83e7 and 4618186.

📒 Files selected for processing (47)
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py
  • docs/reference/commands-nemohermes.mdx
  • docs/reference/commands.mdx
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-capability.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-command.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-inspection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy-teardown.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-registration.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-registration.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-rollback.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-runtime-guards.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-teardown.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-v2-removal.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-status.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-teardown.ts
  • src/lib/actions/sandbox/mcp-bridge-destroy.ts
  • src/lib/actions/sandbox/mcp-bridge-rebuild.ts
  • src/lib/actions/sandbox/mcp-bridge-status.ts
  • src/lib/actions/sandbox/rebuild-dcode-artifact-drift.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-flow.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-mutation-edge.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-orchestrator.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-orchestrator.ts
  • src/lib/actions/sandbox/rebuild-dcode-pre-delete-drift.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-recovery.test.ts
  • src/lib/actions/sandbox/rebuild-destroy-phase.test.ts
  • src/lib/actions/sandbox/rebuild-destroy-phase.ts
  • src/lib/actions/sandbox/rebuild-durable-config.ts
  • src/lib/actions/sandbox/rebuild-managed-image-configuration.test.ts
  • src/lib/actions/sandbox/rebuild-managed-image-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-managed-image-preparation.test.ts
  • src/lib/actions/sandbox/rebuild-managed-image-verification.test.ts
  • test/deepagents-mcp-legacy-lifecycle.test.ts
  • test/helpers/mcp-bridge-adapter-deepagents-fixture.ts
  • test/helpers/rebuild-dcode-flow-support.ts
  • test/helpers/rebuild-flow-harness.ts
  • test/helpers/rebuild-managed-image-preflight-harness.ts
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-managed-entrypoints.test.ts
  • test/langchain-deepagents-code-managed-mcp-hardening.test.ts
💤 Files with no reviewable changes (3)
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.test.ts
  • src/lib/actions/sandbox/rebuild-managed-image-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-flow.test.ts
✅ Files skipped from review due to trivial changes (2)
  • src/lib/actions/sandbox/mcp-bridge-status.ts
  • docs/reference/commands.mdx
🚧 Files skipped from review as they are similar to previous changes (9)
  • test/langchain-deepagents-code-managed-entrypoints.test.ts
  • src/lib/actions/sandbox/rebuild-durable-config.ts
  • test/deepagents-mcp-legacy-lifecycle.test.ts
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-image.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-orchestrator.ts
  • src/lib/actions/sandbox/rebuild-destroy-phase.ts
  • test/helpers/rebuild-flow-harness.ts
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py

Comment thread src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts Outdated
Comment thread src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.ts
Comment thread test/langchain-deepagents-code-managed-mcp-hardening.test.ts
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28693440345
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge ❌ failure

Failed jobs: mcp-bridge. Check run artifacts for logs.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28693937143
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: sandbox-rebuild,network-policy
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
network-policy ✅ success
sandbox-rebuild ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28693440291
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge-dev
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge-dev ❌ failure

Failed jobs: mcp-bridge-dev. Check run artifacts for logs.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Comment thread agents/langchain-deepagents-code/managed-dcode-runtime.py Fixed
Comment thread test/fixtures/langchain-deepagents-code/app.py Fixed
Comment thread test/fixtures/langchain-deepagents-code/app.py Fixed
Comment thread test/fixtures/langchain-deepagents-code/app.py Fixed
Comment thread test/fixtures/langchain-deepagents-code/app.py Fixed
Comment thread agents/langchain-deepagents-code/managed-dcode-runtime.py Fixed
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28694837746
Workflow ref: codex/reconcile-5876-latest
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28694882305
Workflow ref: codex/reconcile-5876-latest
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28694837778
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge-dev
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge-dev ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28694837793
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge ✅ success

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28694882243
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28694882228
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge-dev
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge-dev ❌ failure

Failed jobs: mcp-bridge-dev. Check run artifacts for logs.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv

cv commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator Author

Follow-up to the Nemotron Ultra review on the previous head:

  • PRA-4 / PRA-1 / PRA-2 / PRA-5: fixed in a27d98ccf. Exact regex text is not portable across JavaScript, POSIX ERE, and Python, so CI now pins the canonical TypeScript source+flags and binds every token/context/block pattern to one shared positive corpus executed through both enforcement mirrors. The corpus includes every current ECMAScript whitespace code point; Bash passes under both C and C.UTF-8. Source boundary, regression gate, and removal condition are documented beside both mirrors.
  • PRA-T1 / PRA-6: the actual child-serialization boundary is managed_mcp_server_binding, which calls managed_mcp_config_bytes immediately before serializing the binding. The direct-module restart test exercises both sealed and anonymous snapshots through normalization, child start, restart, inherited binding validation, and invalid-descriptor rejection. The earlier path-normalization hook is not the serialization boundary.
  • PRA-3 / PRA-8 / PRA-T2: OpenShell seccomp blocks memfd_create, so the anonymous O_TMPFILE path is required. Its writer descriptor is process-local and never exposed; synchronous setup reopens the exact inode read-only, sets mode 000, closes the writer, and only then publishes the binding. Every parent/child read revalidates fd/dev/inode/UID/kind/size/metadata plus SHA-256. Existing coverage forces a same-size post-publication overwrite and proves both parent and child fail closed. A hypothetical compromise of the creating parent before publication already controls the payload and is outside the descriptor handoff boundary.
  • PRA-T3 / PRA-T6: added in a27d98ccf; a wrapped EPERM cause takes the real anonymous fallback, while wrapped EMFILE remains fail-closed.
  • PRA-7 / PRA-T4 / PRA-T7: v1 teardown is needed for indefinitely retained pre-v2 images, so a calendar-based deletion check would strand upgrades. mcp-bridge-adapter-deepagents-legacy-teardown.test.ts already proves exact-entry removal preserves other servers and unrelated top-level content, including drift/force behavior.
  • PRA-T5 / PRA-T8: test/mcp-provider-ownership.test.ts already simulates a concurrent resource-version advance and requires the mutation to fail as concurrently modified without exposing the credential.
  • PRA-9: feat(agents): add progressive tool disclosure #6251 remains an independent overlapping PR. The safe sequence is this correctness/security fix first, followed by feat(agents): add progressive tool disclosure #6251 rebasing onto the landed architecture and rerunning its combined overlap suites.
  • PRA-10: the stable OpenShell limitations section already states that these checks are not compare-and-swap and explicitly says not to mutate a managed provider through another OpenShell client during an MCP lifecycle command.

The follow-up also addresses every CodeRabbit/CodeQL inline item in 3c8f6d5e2; all eight threads now have evidence and are resolved. Exact-head CI and live E2E are running on a27d98ccf2f55cb6cd044b93ec98caaefa793468.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28696027039
Workflow ref: codex/reconcile-5876-latest
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
agents/langchain-deepagents-code/dcode-wrapper.sh (1)

144-183: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider finishing the extraction: has_non_slack_secret_shape and is_secret_shaped_value still duplicate ~10 prefix checks.

This PR extracted the bearer/context checks into shared helpers (has_bearer_secret_shape, has_context_secret_shape), but the remaining prefix-pattern checks (nvapi-, ghp_, AKIA/ASIA, bot-token, JWT, etc.) are still copy-pasted verbatim between these two functions. Given the PR's explicit goal of closing secret-pattern parity gaps, extracting the shared prefix list into one helper (parameterized by whether Slack's own xox*/xapp- prefixes should be excluded) would remove the remaining drift risk between the two call sites.

♻️ Sketch of consolidation
+has_common_secret_shape() {
+  local value="$1"
+  if has_private_key_block_shape "$value"; then return 0; fi
+  if [[ "$value" =~ (sk-proj-|sk-ant-)[A-Za-z0-9_-]{10,} ]]; then return 0; fi
+  if [[ "$value" =~ sk-[A-Za-z0-9_-]{20,} ]]; then return 0; fi
+  if [[ "$value" =~ (nvapi-|nvcf-|ghp_|hf_|glpat-|gsk_|pypi-|tvly-)[A-Za-z0-9_-]{10,} ]]; then return 0; fi
+  if [[ "$value" =~ github_pat_[A-Za-z0-9_]{30,} ]]; then return 0; fi
+  if [[ "$value" =~ A(K|S)IA[A-Z0-9]{16} ]]; then return 0; fi
+  if [[ "$value" =~ bot[0-9]{8,10}:[A-Za-z0-9_-]{35} ]]; then return 0; fi
+  if [[ "$value" =~ [0-9]{8,10}:[A-Za-z0-9_-]{35} ]]; then return 0; fi
+  if [[ "$value" =~ [A-Za-z0-9]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,} ]]; then return 0; fi
+  return 1
+}

Also applies to: 235-280

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/langchain-deepagents-code/dcode-wrapper.sh` around lines 144 - 183,
The secret-shape checks are still duplicated between has_non_slack_secret_shape
and is_secret_shaped_value, so consolidate the remaining prefix/regex list into
a shared helper. Extract the common non-Slack secret patterns (for example
nvapi-, ghp_, AKIA/ASIA, bot-token, JWT, lsv2_, etc.) into one function and have
both call sites reuse it, keeping the Slack-specific xox*/xapp- exclusions only
where needed to avoid drift.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@agents/langchain-deepagents-code/dcode-wrapper.sh`:
- Around line 144-183: The secret-shape checks are still duplicated between
has_non_slack_secret_shape and is_secret_shaped_value, so consolidate the
remaining prefix/regex list into a shared helper. Extract the common non-Slack
secret patterns (for example nvapi-, ghp_, AKIA/ASIA, bot-token, JWT, lsv2_,
etc.) into one function and have both call sites reuse it, keeping the
Slack-specific xox*/xapp- exclusions only where needed to avoid drift.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b8d06258-f982-43ca-9e28-885dd33691ca

📥 Commits

Reviewing files that changed from the base of the PR and between b2c671a and a27d98c.

📒 Files selected for processing (9)
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-v2-removal.test.ts
  • test/fixtures/langchain-deepagents-code/app.py
  • test/helpers/langchain-deepagents-code-secret-patterns.ts
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-managed-mcp-hardening.test.ts
  • test/langchain-deepagents-code-secret-pattern-parity.test.ts
✅ Files skipped from review due to trivial changes (1)
  • test/helpers/langchain-deepagents-code-secret-patterns.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts
  • test/fixtures/langchain-deepagents-code/app.py
  • agents/langchain-deepagents-code/managed-dcode-runtime.py

@cv

cv commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator Author

Final automated-review dispositions on exact head a27d98ccf:

  • Nemotron PRA-4: declining the requested textual cross-dialect fingerprint job. The security invariant is inclusion of every canonical TypeScript match in both enforcement mirrors, not source-string equality. The Bash and Python regexes are intentional conservative supersets in different regex dialects; a normalization job would either reject safe strengthening or falsely claim equivalence. The integration CI gate pins every canonical source+flag, requires a vector for every canonical regex index, and executes the same corpus through Bash and Python. The full ECMAScript whitespace set is covered under both C and C.UTF-8. A future declarative generated manifest/property corpus may improve change ergonomics, but no current false-negative remains.
  • Anonymous O_TMPFILE construction window: same-UID handle theft can create a detected availability failure, not undetected config injection. The inode is unlinked, and every handoff/read verifies identity, size, metadata, and SHA-256; tampering fails closed. Since sandboxed agent code can already self-deny service, this is accepted as a nonblocking availability residual.
  • CodeRabbit duplication nit: valid maintainability cleanup, but no behavior defect. The two call sites intentionally differ for Slack allowlisting, and consolidating the remaining security-sensitive matcher after exact-head green would be a separate refactor. The new shared behavior gate already prevents an unreviewed canonical-family change, so this nit is deferred rather than adding late churn.

GPT-5.5 recommends merge_as_is; all required CI is green. Human approval remains the final project gate.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28696027101
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge-dev
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge-dev ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28696027070
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge ✅ success

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28696844639
Workflow ref: codex/reconcile-5876-latest
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28696844719
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge-dev
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge-dev ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28696844701
Workflow ref: codex/reconcile-5876-latest
Requested targets: (default — all supported)
Requested jobs: mcp-bridge
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
mcp-bridge ✅ success

@cv

cv commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator Author

Exact-head follow-up for 9a31537785ef2d456901de622721ed215627fdec:

  • Synced current main with a regular signed merge commit. No rebase, amend, or force-push was used.
  • Resolved the fix(onboard): harden BuildKit prebuild validation #6265 modify/delete conflict by keeping the obsolete preflight monolith deleted and porting origin: "generated" into the split preparation/configuration fixtures and shared harness. Local merge validation passed 82 CLI tests, 174 integration tests, 3 additional preparation tests, CLI typecheck, Biome, and diff checks.
  • Standard CI is fully settled: 40 green checks, all five required contexts passed, expected skips only, and no failures/cancellations/pending checks.
  • Fresh exact-head live E2E passed: stable MCP, dev MCP, and DCode. Artifact inspection confirmed restart, credential rotation, rebuild, removal denial, cleanup, generated-context BuildKit handoff, and pre-destructive invalid-credential recovery.
  • GPT-5.5 reports merge_as_is; CodeQL and CodeRabbit are green; there are zero unresolved review threads.

Nemotron PRA-6/PRA-7 disposition:

  • PRA-6 requests textual fingerprint equality across ECMAScript, POSIX Bash, and Python regexes. That is not a sound cross-dialect invariant. The required integration gate instead pins the canonical TypeScript source/flags and executes a shared per-pattern behavior corpus through both runtime boundaries; the Bash/Python mirrors intentionally remain conservative detection supersets.
  • PRA-7 requests descriptor revalidation in path serialization helpers. Those helpers only preserve the fd path. managed_mcp_server_binding validates the exact process-local descriptor binding and contents immediately before Popen/pass_fds; an earlier duplicate check would not strengthen the final handoff or close a later race.

No code change is warranted for either request. One unchanged pre-existing DCode E2E awk defect found during artifact inspection is now disclosed in the PR verification notes; it does not affect the runtime-output, sandbox-log, env-file immutability, or raw-secret proofs from these runs.

@cv
cv merged commit 1efef0a into main Jul 4, 2026
278 of 279 checks passed
@cv
cv deleted the codex/reconcile-5876-latest branch July 4, 2026 06:47
@cv cv added the v0.0.74 Release target label Jul 4, 2026
ericksoa added a commit that referenced this pull request Jul 4, 2026
<!-- markdownlint-disable MD041 -->
## Summary
This PR prepares the user-facing documentation for v0.0.74 before the
release plan is frozen.
It expands the release notes across the 56-commit train and closes
durable documentation gaps found during the pre-tag commit scan.

## Changes
- Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed
MCP, progressive tool disclosure, LangChain Deep Agents Code,
onboarding, local inference, messaging, recovery, and contributor
workflows.
- Correct the `destroy` contract for retained per-name volumes,
gateway-unreachable `--force` cleanup, managed MCP ownership, and
same-name recovery.
- Document separate remediation for an unreachable container DNS
resolver versus one that answers with `NXDOMAIN` or `REFUSED`.
- Document the Windows on Arm N1X automatic Ollama safeguard and its
remaining large-model limitations.
- State that messaging conflicts abort rebuild before backup or
deletion, leaving the original sandbox intact.
- Link the agent-runnable value benchmark from the contributor task
index.
- Synchronize generated agent command variants.
- Validate with `npm run docs:sync-agent-variants` and `npm run docs`;
Fern completed with 0 errors and 2 existing warnings.
- Source summary:
- [#6020](#6020) and
[#5876](#5876) ->
`docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy
boundary and managed MCP lifecycle.
- [#6251](#6251) and
[#5989](#5989) ->
`docs/about/release-notes.mdx`: Summarize progressive tool disclosure
and sandbox-first inference controls.
- [#6232](#6232),
[#6082](#6082),
[#6219](#6219),
[#6214](#6214),
[#6215](#6215),
[#6230](#6230), and
[#6260](#6260) ->
`docs/about/release-notes.mdx`: Summarize the experimental LangChain
Deep Agents Code status, secret, version, rebuild, snapshot, and MCP
boundaries.
- [#6166](#6166),
[#6254](#6254),
[#6265](#6265),
[#6164](#6164), and
[#6017](#6017) ->
`docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated
image reuse, bounded readiness, and preflight improvements.
- [#6150](#6150) ->
`docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`:
Separate unreachable-resolver remediation from reachable-but-rejected
DNS responses.
- [#6234](#6234) ->
`docs/about/release-notes.mdx`,
`docs/inference/use-local-inference.mdx`, and
`docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B
selection and the remaining explicit-large-model boundary.
- [#6129](#6129),
[#5987](#5987),
[#5955](#5955), and
[#6220](#6220) ->
`docs/about/release-notes.mdx`,
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, and
`docs/reference/commands-nemohermes.mdx`: Document messaging policy
persistence, status, and the pre-destructive conflict check.
- [#5963](#5963),
[#6050](#6050),
[#6094](#6094),
[#6238](#6238),
[#5988](#5988),
[#6235](#6235),
[#6181](#6181), and
[#5986](#5986) ->
`docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and
`docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and
clarify retained-volume and local-only destroy semantics.
- [#6200](#6200),
[#6248](#6248),
[#6168](#6168),
[#6270](#6270), and
[#5649](#5649) ->
`docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize
contributor setup and verification improvements and expose the advisory
value benchmark.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: documentation-only release
preparation; generated-variant synchronization and the Fern docs build
validate the changed pages and routes.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: tests
are not applicable to this documentation-only change; `npm run docs`
validates the source and generated routes.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Expanded setup guidance for Windows on Arm devices with safer default
local model selection.
* Clarified local inference and sandbox messaging behavior, including
conflict checks before rebuilds and safer recovery steps.
* Updated destroy/rebuild/reference docs with more detailed warnings,
failure handling, and volume-retention guidance.
* Improved troubleshooting instructions for Docker DNS issues with
clearer paths for unreachable vs. blocked resolvers.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
## Summary

Hardens the managed-MCP work merged in NVIDIA#5876 so DCode rebuilds validate
every reconstructable input before crossing the destructive delete
boundary, preserve exact policy intent, and migrate legacy managed MCP
state fail-closed. Prepared rebuild artifacts and the derived MCP
runtime snapshot remain ephemeral and process-local; neither is
persisted in FSM or checkpoint state, so this does not implement NVIDIA#6224.

## Related Issue

Refs NVIDIA#5876
Refs NVIDIA#6195
Refs NVIDIA#6218

## Changes

- Revalidate DCode route, image, Dockerfile, reasoning, web-search, and
MCP inputs after preparation and before NIM stop or sandbox deletion;
restore MCP state and relock shields on failure.
- Preserve exact custom network policy replay while keeping generated
MCP rules under the MCP adapter's exclusive ownership.
- Add protocol-specific policy schema validation for REST, WebSocket,
JSON-RPC, and MCP matchers, including cross-rule `tools/call` conflict
rejection.
- Pin Deep Agents Code 0.1.30 and load only a strict, canonicalized
managed MCP projection from a process-local integrity-bound snapshot.
Sealed memfd is preferred; when OpenShell seccomp blocks it, an
anonymous `O_TMPFILE` inode is reopened read-only and bound by
descriptor, device, inode, size, kind, and SHA-256, with ambient
discovery disabled.
- Bind the canonical TypeScript secret-pattern source and flags to one
shared behavior corpus executed through the Bash and Python DCode
enforcement boundaries, including the full ECMAScript whitespace set.
- Add capability-v2 gating and legacy-v1 teardown/rollback that
preserves unrelated user configuration and fails closed on malformed,
unsafe, or drifted state.
- Add rebuild, migration, runtime-patch, schema, snapshot, and lifecycle
coverage; update the MCP, policy, security, command, and DCode
documentation.

Verification notes:

- Final DCode-adjacent run: 9 files, 187 tests passed; the focused
descriptor/projection run passed 4 files and 138 tests.
- Final review-follow-up run: 82 focused Bash/Python/TypeScript parity
and descriptor-fallback tests passed, including all 25 ECMAScript
whitespace code points under both `C` and `C.UTF-8` Bash locales.
- Full pre-squash-equivalent run: 1,068 files passed, 2 skipped; 12,149
tests passed, 35 skipped.
- CLI coverage ratchet passed with the repository include/exclude set
expressed as one Vitest glob: lines 65.24%, statements 64.45%, functions
67.06%, branches 57.21%.
- Python compile, Biome, ShellCheck, shfmt, source-shape, test-size,
repository, secret-scan, and diff checks passed. The normal push hook
passed CLI typechecking.
- Main-sync validation after merging NVIDIA#6265 passed: 9 CLI files/82 tests,
6 integration files/174 tests, an additional 3 preparation tests, CLI
typecheck, Biome, and diff checks. Generated-context provenance was
ported into the split preflight fixtures without restoring the obsolete
monolith.
- Exact-head CI for `9a31537785ef2d456901de622721ed215627fdec` passed:
40 checks green, all five required contexts passed, and there were 0
failures, cancellations, or pending checks. The only skips were the
expected docs-only job and two duplicate NVSkills request jobs. This
includes all five CLI shards plus the aggregate, both CodeQL languages,
both sandbox image builds, macOS, WSL, four self-hosted runtime checks,
CodeRabbit, and both review advisors.
- Exact-head live E2E for `9a31537785ef2d456901de622721ed215627fdec`
passed:
[`mcp-bridge`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844701),
[`mcp-bridge-dev`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844719),
and
[`ubuntu-repo-cloud-langchain-deepagents-code`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844639).
Stable and dev each passed OpenClaw, Hermes, and DCode 3/3;
authenticated MCP calls passed initially and after restart, credential
rotation, and rebuild, then removal denied access with no provider,
policy, tunnel, or credential residue. The dedicated DCode lane passed
Landlock 5/5, Python egress 14/14, headless inference 10/10, secret
boundary 8/8, Tavily 6/6, and TUI 4/4; BuildKit accepted the merged
generated-context handoff, and invalid-credential rebuild failure
remained pre-destructive with the original sandbox, marker, and route
recovered. Artifact inspection found one unchanged pre-existing harness
defect: two OpenShell audit-log filtering subassertions can false-pass
because awk treats `close` as reserved; runtime-output, sandbox-log,
env-file immutability, and raw-secret checks passed, and this PR does
not modify that E2E file.
- The base `test-cli` pre-commit invocation remains affected by Vitest
4.1.9 collapsing repeated `--coverage.exclude` arguments to a
zero-file/invalid summary. All other commit and push hooks passed;
targeted tests and the authoritative sharded CI coverage checks provide
the exact-head gate.
- `npm run docs` completed with 0 errors and 2 pre-existing Fern
warnings. Two documentation-writer audits confirmed the final behavior
is accurately documented.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: independent security
and correctness reviews passed after fixes; destructive-boundary
rollback, capability migration, the process-local integrity-bound
snapshot handoff (sealed memfd preferred, anonymous `O_TMPFILE`
fallback), cross-language secret-pattern parity, policy fidelity, and
the NVIDIA#6224 boundary were checked.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [x] Targeted tests pass for changed behavior
- [x] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Enhanced managed MCP bridge support with managed-only configuration
snapshots for safer add/restart/rebuild/teardown.
* Network policy protocol rules now support protocol-specific matching
plus stricter `endpoint.path` validation.
* **Bug Fixes**
* Stronger fail-fast validation for MCP server names/hostnames and
endpoint details (rejected before changes are applied).
* Rebuild flows improved to preserve/replay custom policies and validate
after MCP preparation, with rollback on failure.
* **Documentation**
* Updated setup/quickstart/reference and MCP bridge/rebuild guidance for
managed MCP capability v2 behavior and stricter validation rules.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
This PR prepares the user-facing documentation for v0.0.74 before the
release plan is frozen.
It expands the release notes across the 56-commit train and closes
durable documentation gaps found during the pre-tag commit scan.

## Changes
- Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed
MCP, progressive tool disclosure, LangChain Deep Agents Code,
onboarding, local inference, messaging, recovery, and contributor
workflows.
- Correct the `destroy` contract for retained per-name volumes,
gateway-unreachable `--force` cleanup, managed MCP ownership, and
same-name recovery.
- Document separate remediation for an unreachable container DNS
resolver versus one that answers with `NXDOMAIN` or `REFUSED`.
- Document the Windows on Arm N1X automatic Ollama safeguard and its
remaining large-model limitations.
- State that messaging conflicts abort rebuild before backup or
deletion, leaving the original sandbox intact.
- Link the agent-runnable value benchmark from the contributor task
index.
- Synchronize generated agent command variants.
- Validate with `npm run docs:sync-agent-variants` and `npm run docs`;
Fern completed with 0 errors and 2 existing warnings.
- Source summary:
- [NVIDIA#6020](NVIDIA#6020) and
[NVIDIA#5876](NVIDIA#5876) ->
`docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy
boundary and managed MCP lifecycle.
- [NVIDIA#6251](NVIDIA#6251) and
[NVIDIA#5989](NVIDIA#5989) ->
`docs/about/release-notes.mdx`: Summarize progressive tool disclosure
and sandbox-first inference controls.
- [NVIDIA#6232](NVIDIA#6232),
[NVIDIA#6082](NVIDIA#6082),
[NVIDIA#6219](NVIDIA#6219),
[NVIDIA#6214](NVIDIA#6214),
[NVIDIA#6215](NVIDIA#6215),
[NVIDIA#6230](NVIDIA#6230), and
[NVIDIA#6260](NVIDIA#6260) ->
`docs/about/release-notes.mdx`: Summarize the experimental LangChain
Deep Agents Code status, secret, version, rebuild, snapshot, and MCP
boundaries.
- [NVIDIA#6166](NVIDIA#6166),
[NVIDIA#6254](NVIDIA#6254),
[NVIDIA#6265](NVIDIA#6265),
[NVIDIA#6164](NVIDIA#6164), and
[NVIDIA#6017](NVIDIA#6017) ->
`docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated
image reuse, bounded readiness, and preflight improvements.
- [NVIDIA#6150](NVIDIA#6150) ->
`docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`:
Separate unreachable-resolver remediation from reachable-but-rejected
DNS responses.
- [NVIDIA#6234](NVIDIA#6234) ->
`docs/about/release-notes.mdx`,
`docs/inference/use-local-inference.mdx`, and
`docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B
selection and the remaining explicit-large-model boundary.
- [NVIDIA#6129](NVIDIA#6129),
[NVIDIA#5987](NVIDIA#5987),
[NVIDIA#5955](NVIDIA#5955), and
[NVIDIA#6220](NVIDIA#6220) ->
`docs/about/release-notes.mdx`,
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, and
`docs/reference/commands-nemohermes.mdx`: Document messaging policy
persistence, status, and the pre-destructive conflict check.
- [NVIDIA#5963](NVIDIA#5963),
[NVIDIA#6050](NVIDIA#6050),
[NVIDIA#6094](NVIDIA#6094),
[NVIDIA#6238](NVIDIA#6238),
[NVIDIA#5988](NVIDIA#5988),
[NVIDIA#6235](NVIDIA#6235),
[NVIDIA#6181](NVIDIA#6181), and
[NVIDIA#5986](NVIDIA#5986) ->
`docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and
`docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and
clarify retained-volume and local-only destroy semantics.
- [NVIDIA#6200](NVIDIA#6200),
[NVIDIA#6248](NVIDIA#6248),
[NVIDIA#6168](NVIDIA#6168),
[NVIDIA#6270](NVIDIA#6270), and
[NVIDIA#5649](NVIDIA#5649) ->
`docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize
contributor setup and verification improvements and expose the advisory
value benchmark.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: documentation-only release
preparation; generated-variant synchronization and the Fern docs build
validate the changed pages and routes.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: tests
are not applicable to this documentation-only change; `npm run docs`
validates the source and generated routes.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Expanded setup guidance for Windows on Arm devices with safer default
local model selection.
* Clarified local inference and sandbox messaging behavior, including
conflict checks before rebuilds and safer recovery steps.
* Updated destroy/rebuild/reference docs with more detailed warnings,
failure handling, and volume-retention guidance.
* Improved troubleshooting instructions for Docker DNS issues with
clearer paths for unreachable vs. blocked resolvers.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.74 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants