fix(onboard): harden BuildKit prebuild validation#6265
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (13)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (4)
📝 WalkthroughWalkthroughThis PR moves cold-onboard performance checks into ChangesOnboard performance and staged build-context hardening
Estimated code review effort: 4 (Complex) | ~60 minutes Possibly related issues
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage in the branch is 96%. Coverage data for the branch is not yet available. Show a code coverage summary of the most covered files.
TypeScript / code-coverage/cliThe overall coverage in the branch is 69%. Coverage data for the branch is not yet available. Show a code coverage summary of the most covered files.
Updated |
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
🚨 Required before mergeAddress these before merging unless a maintainer explicitly overrides the advisor with rationale.
|
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings Action checklist
Test follow-ups to resolve or justifyIf these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.
This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision. |
There was a problem hiding this comment.
🧹 Nitpick comments (4)
test/e2e/fixtures/onboard-performance.ts (1)
83-89: 🩺 Stability & Availability | 🔵 Trivial | 💤 Low valueMinor:
Math.max(...)spread on unbounded array.
boundaries.slice(1).map(...)is spread intoMath.max, which can throwRangeErrorif the events array is very large (many thousands of output lines). Unlikely in practice for this test, butreduceavoids the risk entirely.♻️ Optional defensive refactor
- const boundaries = [startedAtMs, ...outputTimes, finishedAtMs]; - return Math.max(...boundaries.slice(1).map((atMs, index) => atMs - boundaries[index])); + const boundaries = [startedAtMs, ...outputTimes, finishedAtMs]; + return boundaries + .slice(1) + .reduce((max, atMs, index) => Math.max(max, atMs - boundaries[index]), -Infinity);🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/e2e/fixtures/onboard-performance.ts` around lines 83 - 89, The duration calculation in the helper that builds `outputTimes` and `boundaries` uses a spread into `Math.max`, which can fail on very large event sets. Refactor the return logic to compute the maximum gap with a `reduce`-style pass over `boundaries` (or equivalent iterative logic) inside this fixture helper so it no longer depends on spreading the whole array, while preserving the same `startedAtMs`/`finishedAtMs` behavior.src/lib/onboard/sandbox-prebuild.ts (3)
58-58: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win"nemoclaw-build-" prefix is a magic string duplicated across files.
This literal also appears in
sandbox-prebuild.test.tsandsandbox-create-launch.test.ts(and presumably the staging code that creates these directories). Extracting it to a shared exported constant would prevent silent validation breakage if the prefix ever changes in only one location.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/onboard/sandbox-prebuild.ts` at line 58, The build-directory prefix check in sandbox-prebuild currently hardcodes the "nemoclaw-build-" string, and the same literal is duplicated in related sandbox tests. Extract this prefix into a shared exported constant and update the validation in sandbox-prebuild plus the corresponding references in sandbox-prebuild.test and sandbox-create-launch.test (and any creator code) to use that constant so the prefix stays consistent across the codebase.
141-161: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winSilent fallback: no log when the staged context is rejected as untrusted.
logis declared at line 163, after both early-return checks (lines 151-157 and 158-161). This means the--frommismatch and untrusted-context paths return silently, giving no signal for why local BuildKit prebuild was skipped — unlike the latercatch/non-zero-status paths, which do log a reason. This makes the failure mode this PR is specifically hardening against harder to diagnose in the field.♻️ Move `log` earlier and add a diagnostic message
const fromIndex = createArgs.indexOf("--from"); const fromDockerfile = createArgs[fromIndex + 1]; + const log = input.log ?? console.log; if ( fromIndex < 0 || !fromDockerfile || path.resolve(fromDockerfile) !== path.resolve(input.buildCtx, "Dockerfile") ) { + log(" Local BuildKit build skipped: --from argument does not match the staged Dockerfile."); return { createArgs, imageRef: null }; } const trustedContext = resolveTrustedStagedBuildContext(input.buildCtx); if (!trustedContext) { + log(" Local BuildKit build skipped: staged build context failed trust validation."); return { createArgs, imageRef: null }; } - - const log = input.log ?? console.log; const imageRef = sandboxLocalImageRef(input.sandboxName, input.buildId);🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/onboard/sandbox-prebuild.ts` around lines 141 - 161, The early-return paths in prebuildSandboxImageIfEligible are skipping logging, so BuildKit prebuild can be silently disabled when the --from check fails or resolveTrustedStagedBuildContext rejects the staged context. Move the log setup earlier in prebuildSandboxImageIfEligible and emit a diagnostic message before returning null imageRef for these cases, using the existing log variable and the trusted-context / fromDockerfile checks to report why prebuild was skipped.
51-84: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winSolid TOCTOU-aware validation; consider two hardening follow-ups.
The realpath → lstat → O_NOFOLLOW-open → dev/ino comparison correctly defends against symlink swaps between the initial checks and the open. Two residual gaps worth tracking:
- The validated file descriptor is closed in
finally(line 82), and the actualdocker build -f ...subprocess later reopens the path by string (lines 184-185). This reintroduces a narrow TOCTOU window between validation and use, sincedocker buildcan't consume a pre-opened fd. This is an inherent limitation of shelling out to the Docker CLI rather than a fixable bug here.- There's no check that the resolved directory (or its ancestors) isn't group/world-writable, which matters on shared/multi-tenant hosts where other local users could pre-stage a directory before the intended context's
mkdtempoutput.Neither blocks this PR, but worth a follow-up if the threat model includes shared/multi-user build hosts.
🛡️ Optional permission-bit hardening
if ( path.dirname(resolvedBuildCtx) !== temporaryRoot || !path.basename(resolvedBuildCtx).startsWith("nemoclaw-build-") || !fs.statSync(resolvedBuildCtx).isDirectory() ) { return null; } + const dirStat = fs.statSync(resolvedBuildCtx); + if ((dirStat.mode & 0o022) !== 0) return null; // reject group/world-writable staging dirs🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/onboard/sandbox-prebuild.ts` around lines 51 - 84, The current validation in resolveTrustedStagedBuildContext only checks realpath, basename, and Dockerfile symlink/file state; add a permissions hardening step that rejects build contexts whose resolved directory, or required parent chain, is group/world-writable before returning TrustedStagedBuildContext. Keep the existing O_NOFOLLOW and dev/ino TOCTOU checks intact, and do not try to address the later docker build path reopen here since that is an inherent CLI limitation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/lib/onboard/sandbox-prebuild.ts`:
- Line 58: The build-directory prefix check in sandbox-prebuild currently
hardcodes the "nemoclaw-build-" string, and the same literal is duplicated in
related sandbox tests. Extract this prefix into a shared exported constant and
update the validation in sandbox-prebuild plus the corresponding references in
sandbox-prebuild.test and sandbox-create-launch.test (and any creator code) to
use that constant so the prefix stays consistent across the codebase.
- Around line 141-161: The early-return paths in prebuildSandboxImageIfEligible
are skipping logging, so BuildKit prebuild can be silently disabled when the
--from check fails or resolveTrustedStagedBuildContext rejects the staged
context. Move the log setup earlier in prebuildSandboxImageIfEligible and emit a
diagnostic message before returning null imageRef for these cases, using the
existing log variable and the trusted-context / fromDockerfile checks to report
why prebuild was skipped.
- Around line 51-84: The current validation in resolveTrustedStagedBuildContext
only checks realpath, basename, and Dockerfile symlink/file state; add a
permissions hardening step that rejects build contexts whose resolved directory,
or required parent chain, is group/world-writable before returning
TrustedStagedBuildContext. Keep the existing O_NOFOLLOW and dev/ino TOCTOU
checks intact, and do not try to address the later docker build path reopen here
since that is an inherent CLI limitation.
In `@test/e2e/fixtures/onboard-performance.ts`:
- Around line 83-89: The duration calculation in the helper that builds
`outputTimes` and `boundaries` uses a spread into `Math.max`, which can fail on
very large event sets. Refactor the return logic to compute the maximum gap with
a `reduce`-style pass over `boundaries` (or equivalent iterative logic) inside
this fixture helper so it no longer depends on spreading the whole array, while
preserving the same `startedAtMs`/`finishedAtMs` behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: fd56bd15-7d9c-4a4c-b613-8121ac059d57
📒 Files selected for processing (11)
.github/workflows/e2e.yamlsrc/lib/onboard/machine/live-flow-slice.test.tssrc/lib/onboard/sandbox-create-launch.test.tssrc/lib/onboard/sandbox-prebuild.test.tssrc/lib/onboard/sandbox-prebuild.tstest/e2e-release-gate-workflow.test.tstest/e2e/README.mdtest/e2e/fixtures/onboard-performance.tstest/e2e/live/full-e2e.test.tstest/e2e/live/onboard-progress-budget.test.tstest/e2e/support/onboard-performance.test.ts
💤 Files with no reviewable changes (2)
- .github/workflows/e2e.yaml
- test/e2e/live/onboard-progress-budget.test.ts
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Addressed the automated review findings in c51290a.
Two suggested changes were intentionally not applied:
Verification: signed/Verified commit; pre-commit CLI coverage + ratchet passed; pre-push CLI typecheck passed; focused 44 CLI, 11 integration, and 11 E2E-support tests passed; project overlap, source-shape, test-size/title, Biome, and live-test collection passed. Required live validation is running at https://github.com/NVIDIA/NemoClaw/actions/runs/28694920002 ( |
|
🌿 Preview your docs: https://nvidia-preview-pr-6265.docs.buildwithfern.com/nemoclaw |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
test/e2e/live/full-e2e.test.ts (1)
122-132: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winPreserve raw trace evidence when parsing fails.
Line 130 deletes
traceDirectoryeven whenJSON.parseorreadOnboardTraceWindowthrows, which removes the best artifact for debugging malformed/missing trace failures. Delete only after a successful parse, or copy the raw trace into artifacts before cleanup.Proposed adjustment
function readAndDeleteTraceWindow(traceFile: string, traceDirectory: string): OnboardTraceWindow { try { - return readOnboardTraceWindow(JSON.parse(fs.readFileSync(traceFile, "utf8")) as unknown); + const traceWindow = readOnboardTraceWindow(JSON.parse(fs.readFileSync(traceFile, "utf8")) as unknown); + fs.rmSync(traceDirectory, { recursive: true, force: true }); + return traceWindow; } catch (error) { throw new Error( `Cold onboard evidence requires a valid trace file with one successful nemoclaw.onboard root span: ${error instanceof Error ? error.message : String(error)}`, { cause: error }, ); - } finally { - fs.rmSync(traceDirectory, { recursive: true, force: true }); } }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/e2e/live/full-e2e.test.ts` around lines 122 - 132, The cleanup in readAndDeleteTraceWindow is deleting traceDirectory in the finally block even when JSON.parse or readOnboardTraceWindow fails, which destroys the raw evidence needed for debugging. Move the fs.rmSync cleanup so it only runs after a successful parse/return, or preserve the raw trace in an artifact before removing it. Keep the error handling in readAndDeleteTraceWindow focused on surfacing the parse failure while leaving malformed trace files available for inspection.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/e2e/live/full-e2e.test.ts`:
- Around line 216-219: The acceptance check for the sentinel first agent reply
is too loose because `toContain(EXPECTED_FIRST_REPLY)` allows extra text to
pass. Update the assertion in the `full-e2e.test.ts` sentinel check to compare
`compactAssistantReply` directly against `EXPECTED_FIRST_REPLY` so the test
enforces an exact reply, using the existing `compactAssistantReply` and
`EXPECTED_FIRST_REPLY` symbols to locate the change.
---
Nitpick comments:
In `@test/e2e/live/full-e2e.test.ts`:
- Around line 122-132: The cleanup in readAndDeleteTraceWindow is deleting
traceDirectory in the finally block even when JSON.parse or
readOnboardTraceWindow fails, which destroys the raw evidence needed for
debugging. Move the fs.rmSync cleanup so it only runs after a successful
parse/return, or preserve the raw trace in an artifact before removing it. Keep
the error handling in readAndDeleteTraceWindow focused on surfacing the parse
failure while leaving malformed trace files available for inspection.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 7a59ecf2-14bf-445f-8673-2e831027dcd6
📒 Files selected for processing (16)
docs/deployment/install-openclaw-plugins.mdxdocs/manage-sandboxes/install-plugins-hermes.mdxdocs/reference/commands-nemohermes.mdxdocs/reference/commands.mdxsrc/lib/agent/base-image.tssrc/lib/onboard.tssrc/lib/onboard/build-context-stage.tssrc/lib/onboard/sandbox-create-launch.test.tssrc/lib/onboard/sandbox-prebuild.test.tssrc/lib/onboard/sandbox-prebuild.tssrc/lib/sandbox/build-context.tstest/e2e/README.mdtest/e2e/fixtures/onboard-performance.tstest/e2e/live/agent-turn-latency-helpers.tstest/e2e/live/full-e2e.test.tstest/e2e/support/onboard-performance.test.ts
✅ Files skipped from review due to trivial changes (6)
- docs/deployment/install-openclaw-plugins.mdx
- docs/manage-sandboxes/install-plugins-hermes.mdx
- src/lib/onboard/build-context-stage.ts
- docs/reference/commands-nemohermes.mdx
- docs/reference/commands.mdx
- test/e2e/README.md
🚧 Files skipped from review as they are similar to previous changes (3)
- src/lib/onboard/sandbox-create-launch.test.ts
- test/e2e/fixtures/onboard-performance.ts
- src/lib/onboard/sandbox-prebuild.test.ts
E2E Target Results — ✅ All requested jobs passedRun: 28694920002
|
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Follow-up CI fix: 39774f2 carries the generated/custom provenance on the staged build-context result itself and reuses one Docker-gateway decision in the onboarding entrypoint. This preserves the trust boundary while making Verification for this commit: 73 focused CLI tests, 5 prepared-context integration tests, CLI typecheck, test-size/source-shape/title checks, full pre-commit CLI coverage + ratchet, and pre-push typecheck all pass. One unrelated The first required live run passed |
|
Final-head review disposition and runtime evidence:
Nemotron items reviewed but not changed:
The first required live run passed all selected jobs, and the exact-final-head rerun is at https://github.com/NVIDIA/NemoClaw/actions/runs/28695769833. |
E2E Target Results — ❌ Some jobs failedRun: 28695769833
|
E2E Target Results — ✅ All requested jobs passedRun: 28695769833
|
|
Final follow-up on the exact head:
No source changes were made after the final-head live evidence was collected. |
## Summary Hardens the managed-MCP work merged in #5876 so DCode rebuilds validate every reconstructable input before crossing the destructive delete boundary, preserve exact policy intent, and migrate legacy managed MCP state fail-closed. Prepared rebuild artifacts and the derived MCP runtime snapshot remain ephemeral and process-local; neither is persisted in FSM or checkpoint state, so this does not implement #6224. ## Related Issue Refs #5876 Refs #6195 Refs #6218 ## Changes - Revalidate DCode route, image, Dockerfile, reasoning, web-search, and MCP inputs after preparation and before NIM stop or sandbox deletion; restore MCP state and relock shields on failure. - Preserve exact custom network policy replay while keeping generated MCP rules under the MCP adapter's exclusive ownership. - Add protocol-specific policy schema validation for REST, WebSocket, JSON-RPC, and MCP matchers, including cross-rule `tools/call` conflict rejection. - Pin Deep Agents Code 0.1.30 and load only a strict, canonicalized managed MCP projection from a process-local integrity-bound snapshot. Sealed memfd is preferred; when OpenShell seccomp blocks it, an anonymous `O_TMPFILE` inode is reopened read-only and bound by descriptor, device, inode, size, kind, and SHA-256, with ambient discovery disabled. - Bind the canonical TypeScript secret-pattern source and flags to one shared behavior corpus executed through the Bash and Python DCode enforcement boundaries, including the full ECMAScript whitespace set. - Add capability-v2 gating and legacy-v1 teardown/rollback that preserves unrelated user configuration and fails closed on malformed, unsafe, or drifted state. - Add rebuild, migration, runtime-patch, schema, snapshot, and lifecycle coverage; update the MCP, policy, security, command, and DCode documentation. Verification notes: - Final DCode-adjacent run: 9 files, 187 tests passed; the focused descriptor/projection run passed 4 files and 138 tests. - Final review-follow-up run: 82 focused Bash/Python/TypeScript parity and descriptor-fallback tests passed, including all 25 ECMAScript whitespace code points under both `C` and `C.UTF-8` Bash locales. - Full pre-squash-equivalent run: 1,068 files passed, 2 skipped; 12,149 tests passed, 35 skipped. - CLI coverage ratchet passed with the repository include/exclude set expressed as one Vitest glob: lines 65.24%, statements 64.45%, functions 67.06%, branches 57.21%. - Python compile, Biome, ShellCheck, shfmt, source-shape, test-size, repository, secret-scan, and diff checks passed. The normal push hook passed CLI typechecking. - Main-sync validation after merging #6265 passed: 9 CLI files/82 tests, 6 integration files/174 tests, an additional 3 preparation tests, CLI typecheck, Biome, and diff checks. Generated-context provenance was ported into the split preflight fixtures without restoring the obsolete monolith. - Exact-head CI for `9a31537785ef2d456901de622721ed215627fdec` passed: 40 checks green, all five required contexts passed, and there were 0 failures, cancellations, or pending checks. The only skips were the expected docs-only job and two duplicate NVSkills request jobs. This includes all five CLI shards plus the aggregate, both CodeQL languages, both sandbox image builds, macOS, WSL, four self-hosted runtime checks, CodeRabbit, and both review advisors. - Exact-head live E2E for `9a31537785ef2d456901de622721ed215627fdec` passed: [`mcp-bridge`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844701), [`mcp-bridge-dev`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844719), and [`ubuntu-repo-cloud-langchain-deepagents-code`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844639). Stable and dev each passed OpenClaw, Hermes, and DCode 3/3; authenticated MCP calls passed initially and after restart, credential rotation, and rebuild, then removal denied access with no provider, policy, tunnel, or credential residue. The dedicated DCode lane passed Landlock 5/5, Python egress 14/14, headless inference 10/10, secret boundary 8/8, Tavily 6/6, and TUI 4/4; BuildKit accepted the merged generated-context handoff, and invalid-credential rebuild failure remained pre-destructive with the original sandbox, marker, and route recovered. Artifact inspection found one unchanged pre-existing harness defect: two OpenShell audit-log filtering subassertions can false-pass because awk treats `close` as reserved; runtime-output, sandbox-log, env-file immutability, and raw-secret checks passed, and this PR does not modify that E2E file. - The base `test-cli` pre-commit invocation remains affected by Vitest 4.1.9 collapsing repeated `--coverage.exclude` arguments to a zero-file/invalid summary. All other commit and push hooks passed; targeted tests and the authoritative sharded CI coverage checks provide the exact-head gate. - `npm run docs` completed with 0 errors and 2 pre-existing Fern warnings. Two documentation-writer audits confirmed the final behavior is accurately documented. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent security and correctness reviews passed after fixes; destructive-boundary rollback, capability migration, the process-local integrity-bound snapshot handoff (sealed memfd preferred, anonymous `O_TMPFILE` fallback), cross-language secret-pattern parity, policy fidelity, and the #6224 boundary were checked. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [x] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Enhanced managed MCP bridge support with managed-only configuration snapshots for safer add/restart/rebuild/teardown. * Network policy protocol rules now support protocol-specific matching plus stricter `endpoint.path` validation. * **Bug Fixes** * Stronger fail-fast validation for MCP server names/hostnames and endpoint details (rejected before changes are applied). * Rebuild flows improved to preserve/replay custom policies and validate after MCP preparation, with rollback on failure. * **Documentation** * Updated setup/quickstart/reference and MCP bridge/rebuild guidance for managed MCP capability v2 behavior and stricter validation rules. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary This PR prepares the user-facing documentation for v0.0.74 before the release plan is frozen. It expands the release notes across the 56-commit train and closes durable documentation gaps found during the pre-tag commit scan. ## Changes - Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed MCP, progressive tool disclosure, LangChain Deep Agents Code, onboarding, local inference, messaging, recovery, and contributor workflows. - Correct the `destroy` contract for retained per-name volumes, gateway-unreachable `--force` cleanup, managed MCP ownership, and same-name recovery. - Document separate remediation for an unreachable container DNS resolver versus one that answers with `NXDOMAIN` or `REFUSED`. - Document the Windows on Arm N1X automatic Ollama safeguard and its remaining large-model limitations. - State that messaging conflicts abort rebuild before backup or deletion, leaving the original sandbox intact. - Link the agent-runnable value benchmark from the contributor task index. - Synchronize generated agent command variants. - Validate with `npm run docs:sync-agent-variants` and `npm run docs`; Fern completed with 0 errors and 2 existing warnings. - Source summary: - [#6020](#6020) and [#5876](#5876) -> `docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy boundary and managed MCP lifecycle. - [#6251](#6251) and [#5989](#5989) -> `docs/about/release-notes.mdx`: Summarize progressive tool disclosure and sandbox-first inference controls. - [#6232](#6232), [#6082](#6082), [#6219](#6219), [#6214](#6214), [#6215](#6215), [#6230](#6230), and [#6260](#6260) -> `docs/about/release-notes.mdx`: Summarize the experimental LangChain Deep Agents Code status, secret, version, rebuild, snapshot, and MCP boundaries. - [#6166](#6166), [#6254](#6254), [#6265](#6265), [#6164](#6164), and [#6017](#6017) -> `docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated image reuse, bounded readiness, and preflight improvements. - [#6150](#6150) -> `docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`: Separate unreachable-resolver remediation from reachable-but-rejected DNS responses. - [#6234](#6234) -> `docs/about/release-notes.mdx`, `docs/inference/use-local-inference.mdx`, and `docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B selection and the remaining explicit-large-model boundary. - [#6129](#6129), [#5987](#5987), [#5955](#5955), and [#6220](#6220) -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Document messaging policy persistence, status, and the pre-destructive conflict check. - [#5963](#5963), [#6050](#6050), [#6094](#6094), [#6238](#6238), [#5988](#5988), [#6235](#6235), [#6181](#6181), and [#5986](#5986) -> `docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and clarify retained-volume and local-only destroy semantics. - [#6200](#6200), [#6248](#6248), [#6168](#6168), [#6270](#6270), and [#5649](#5649) -> `docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize contributor setup and verification improvements and expose the advisory value benchmark. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: documentation-only release preparation; generated-variant synchronization and the Fern docs build validate the changed pages and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: tests are not applicable to this documentation-only change; `npm run docs` validates the source and generated routes. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Expanded setup guidance for Windows on Arm devices with safer default local model selection. * Clarified local inference and sandbox messaging behavior, including conflict checks before rebuilds and safer recovery steps. * Updated destroy/rebuild/reference docs with more detailed warnings, failure handling, and volume-retention guidance. * Improved troubleshooting instructions for Docker DNS issues with clearer paths for unreachable vs. blocked resolvers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…nce (#6002) (#6663) ## Summary Raise the `full-e2e` cold-onboard acceptance budget (`ONBOARD_BUDGET_SECS`) from **180s → 205s**. This is the umbrella PR for today's live-E2E failures on `main`; scope and evidence per job below. ## Failure triage (main, 2026-07-10) A full `E2E` dispatch on `main` (run [29124128082](https://github.com/NVIDIA/NemoClaw/actions/runs/29124128082)) came back **78 passed / 5 skipped / 3 failed**. Each failure was root-caused, not retried blindly: | Job | Verdict | Root cause | |-----|---------|-----------| | `agent-turn-latency` | ✅ flake, self-cleared | Passed on first retry — hosted-inference timing variance. | | `full-e2e` | 🔧 **fixed here** | Consistent ~1s overshoot of a too-tight 180s onboard budget (see below). | | `rebuild-hermes` | ⏳ **verification pending** | Both observed failures were infra (`operation was canceled`, `runner lost communication with the server`) — **not** a test assertion or image-build error. Retry on post-bump `main` in flight ([29129133666](https://github.com/NVIDIA/NemoClaw/actions/runs/29129133666)). See "Hermes v0.18" below. | ## `full-e2e` — full analysis (no gaps) **Symptom.** The `[1/8]-to-first-response` gate (`full-e2e.test.ts:215`) failed **3 consecutive times**: | Run | to-first-response | vs 180s budget | |-----|-------------------|----------------| | [29124128082](https://github.com/NVIDIA/NemoClaw/actions/runs/29124128082) | 180,829 ms | +0.8s | | [29125880976](https://github.com/NVIDIA/NemoClaw/actions/runs/29125880976) | 181,550 ms | +1.5s | | [29127670707](https://github.com/NVIDIA/NemoClaw/actions/runs/29127670707) | 180,602 ms | +0.6s | **Not flake, not inference, not a code regression** — proven by the `onboard-progress-budget.json` artifact decomposition: | | `onboardSecs` | `totalSecs` | headroom | notes | |---|---|---|---|---| | Passing run [29128496025](https://github.com/NVIDIA/NemoClaw/actions/runs/29128496025) (`f4cd7ea9`) | **163** | 168 | +12s | BuildKit prebuild ✓, 0 classic steps | | Failing run [29127670707](https://github.com/NVIDIA/NemoClaw/actions/runs/29127670707) (`fcc121d5`) | **173** | 181 | −1s | BuildKit prebuild ✓, 0 classic steps | - The entire delta is in the **cold onboard/BuildKit image-build phase** (163s → 173s, a ~10s run-to-run swing) on **identical, post-#6265 `main`** — both heads are after the Hermes v0.18 bump, so the bump is not the cause. - The first hosted agent turn is only **~5–8s** (`totalSecs − onboardSecs`); inference is a rounding error. - The 180s cap (introduced 4 days ago in #6265) left only ~7s of headroom against a phase that varies ~10s with Docker Hub pull speed and hosted-runner I/O — so slow-build runs tip over. **Fix.** Raise to **205s**: covers the observed 173s worst case plus build-variance headroom, while still catching gross onboard regressions (a real regression blows well past 205s; `MAX_SILENCE_SECS` and BuildKit-fallback assertions are unchanged). ## Hermes v0.18 context Today's `main` includes `feat(hermes): upgrade to v0.18 and enable Slack Block Kit` (#6507, 17:45Z), plus `#6624` (release-matched sandbox bases) and `#6623` (surface cluster image build failures). Because `rebuild-hermes` rebuilds the Hermes image, a v0.18-induced regression *could* in principle surface as runner resource-exhaustion. **This PR does not yet claim `rebuild-hermes` is a flake** — the in-flight retry on post-bump `main` is the deciding evidence: - retry **passes** → confirmed infra flake, no code change needed, this PR ships as-is; - retry **fails** (build error / OOM / repeat comms-loss) → v0.18 is implicated and a fix is added to this branch before merge. ## Test evidence - `commitlint`, `gitleaks`, test-size/shape budgets: passed (pre-commit). - No product-code change; single test-constant edit. Behavioral proof is the artifact decomposition above. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Adjusted end-to-end onboarding timing thresholds by increasing the “acceptance budget” to allow for typical variability in image build times. * Updated test parity mappings to ensure the added live coverage is correctly linked with the corresponding faster test set. * Added inline guidance for why timing can fluctuate between runs, and why the previous cap needed more headroom. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
<!-- markdownlint-disable MD041 --> ## Summary This follow-up to NVIDIA#6166 validates the staged context before invoking host BuildKit and moves the hard NVIDIA#6002 cold-path acceptance assertions into the existing `full-e2e` lifecycle. It removes the redundant second onboarding run while preserving a distinct merge-failing signal alongside the advisory warm-system scorecard budget. ## Related Issue Follow-up to NVIDIA#6166 and NVIDIA#6002. ## Changes - Resolve and validate BuildKit contexts as private direct `os.tmpdir()/nemoclaw-build-*` staging directories with a no-follow regular Dockerfile, falling back to the gateway builder when validation fails. - Carry generated/custom provenance into the handoff so user-supplied `--from` Dockerfiles remain on the OpenShell gateway-builder trust boundary. - Cover custom provenance, outside-temp, wrong-prefix, writable-directory, symlink, non-regular-file, path-escape, inspection-error logging, environment sanitization, and compatibility-heartbeat behavior. - Measure BuildKit success, fallback absence, output silence, and the first real agent response during the job's first `full-e2e` onboarding instead of running a second warm-cache onboarding test. - Remove the redundant Vitest invocation from `e2e.yaml` and document the hard 180-second cold-path contract separately from the advisory 390-second warm-system scorecard budget. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check all that apply. For any "covered by existing tests", "not applicable", or waiver entry, add a brief justification on the same line or in the Changes section. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Reviewed every production context stager against the new contract; explicit provenance keeps custom Dockerfiles off host BuildKit, focused negative tests cover each trust-boundary case, and the unavoidable post-validation Docker pathname reopen is mitigated by private `mkdtemp` staging. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each item you ran and confirmed. Leave unchecked items you skipped. Doc-only changes do not require npm test unless you ran it. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added optional cold-onboarding performance measurement to the live end-to-end flow, including trace-based evidence output. * **Bug Fixes** * Hardened local prebuild handling for NemoClaw-generated staged build contexts and tightened eligibility/`--from` validation behavior. * Improved sandbox build-context metadata propagation and reused Docker-driver gateway detection. * **Tests** * Expanded/refocused live end-to-end coverage and performance assertions; added trace/probe parsing fixtures; improved test isolation and cleanup. * Updated e2e workflow and release-gate checks to target the correct live Vitest test. * **Documentation** * Clarified `--from` build-context routing vs local BuildKit behavior on local Docker-driver gateways. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Carlos Villela <cvillela@nvidia.com>
## Summary Hardens the managed-MCP work merged in NVIDIA#5876 so DCode rebuilds validate every reconstructable input before crossing the destructive delete boundary, preserve exact policy intent, and migrate legacy managed MCP state fail-closed. Prepared rebuild artifacts and the derived MCP runtime snapshot remain ephemeral and process-local; neither is persisted in FSM or checkpoint state, so this does not implement NVIDIA#6224. ## Related Issue Refs NVIDIA#5876 Refs NVIDIA#6195 Refs NVIDIA#6218 ## Changes - Revalidate DCode route, image, Dockerfile, reasoning, web-search, and MCP inputs after preparation and before NIM stop or sandbox deletion; restore MCP state and relock shields on failure. - Preserve exact custom network policy replay while keeping generated MCP rules under the MCP adapter's exclusive ownership. - Add protocol-specific policy schema validation for REST, WebSocket, JSON-RPC, and MCP matchers, including cross-rule `tools/call` conflict rejection. - Pin Deep Agents Code 0.1.30 and load only a strict, canonicalized managed MCP projection from a process-local integrity-bound snapshot. Sealed memfd is preferred; when OpenShell seccomp blocks it, an anonymous `O_TMPFILE` inode is reopened read-only and bound by descriptor, device, inode, size, kind, and SHA-256, with ambient discovery disabled. - Bind the canonical TypeScript secret-pattern source and flags to one shared behavior corpus executed through the Bash and Python DCode enforcement boundaries, including the full ECMAScript whitespace set. - Add capability-v2 gating and legacy-v1 teardown/rollback that preserves unrelated user configuration and fails closed on malformed, unsafe, or drifted state. - Add rebuild, migration, runtime-patch, schema, snapshot, and lifecycle coverage; update the MCP, policy, security, command, and DCode documentation. Verification notes: - Final DCode-adjacent run: 9 files, 187 tests passed; the focused descriptor/projection run passed 4 files and 138 tests. - Final review-follow-up run: 82 focused Bash/Python/TypeScript parity and descriptor-fallback tests passed, including all 25 ECMAScript whitespace code points under both `C` and `C.UTF-8` Bash locales. - Full pre-squash-equivalent run: 1,068 files passed, 2 skipped; 12,149 tests passed, 35 skipped. - CLI coverage ratchet passed with the repository include/exclude set expressed as one Vitest glob: lines 65.24%, statements 64.45%, functions 67.06%, branches 57.21%. - Python compile, Biome, ShellCheck, shfmt, source-shape, test-size, repository, secret-scan, and diff checks passed. The normal push hook passed CLI typechecking. - Main-sync validation after merging NVIDIA#6265 passed: 9 CLI files/82 tests, 6 integration files/174 tests, an additional 3 preparation tests, CLI typecheck, Biome, and diff checks. Generated-context provenance was ported into the split preflight fixtures without restoring the obsolete monolith. - Exact-head CI for `9a31537785ef2d456901de622721ed215627fdec` passed: 40 checks green, all five required contexts passed, and there were 0 failures, cancellations, or pending checks. The only skips were the expected docs-only job and two duplicate NVSkills request jobs. This includes all five CLI shards plus the aggregate, both CodeQL languages, both sandbox image builds, macOS, WSL, four self-hosted runtime checks, CodeRabbit, and both review advisors. - Exact-head live E2E for `9a31537785ef2d456901de622721ed215627fdec` passed: [`mcp-bridge`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844701), [`mcp-bridge-dev`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844719), and [`ubuntu-repo-cloud-langchain-deepagents-code`](https://github.com/NVIDIA/NemoClaw/actions/runs/28696844639). Stable and dev each passed OpenClaw, Hermes, and DCode 3/3; authenticated MCP calls passed initially and after restart, credential rotation, and rebuild, then removal denied access with no provider, policy, tunnel, or credential residue. The dedicated DCode lane passed Landlock 5/5, Python egress 14/14, headless inference 10/10, secret boundary 8/8, Tavily 6/6, and TUI 4/4; BuildKit accepted the merged generated-context handoff, and invalid-credential rebuild failure remained pre-destructive with the original sandbox, marker, and route recovered. Artifact inspection found one unchanged pre-existing harness defect: two OpenShell audit-log filtering subassertions can false-pass because awk treats `close` as reserved; runtime-output, sandbox-log, env-file immutability, and raw-secret checks passed, and this PR does not modify that E2E file. - The base `test-cli` pre-commit invocation remains affected by Vitest 4.1.9 collapsing repeated `--coverage.exclude` arguments to a zero-file/invalid summary. All other commit and push hooks passed; targeted tests and the authoritative sharded CI coverage checks provide the exact-head gate. - `npm run docs` completed with 0 errors and 2 pre-existing Fern warnings. Two documentation-writer audits confirmed the final behavior is accurately documented. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent security and correctness reviews passed after fixes; destructive-boundary rollback, capability migration, the process-local integrity-bound snapshot handoff (sealed memfd preferred, anonymous `O_TMPFILE` fallback), cross-language secret-pattern parity, policy fidelity, and the NVIDIA#6224 boundary were checked. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [x] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Enhanced managed MCP bridge support with managed-only configuration snapshots for safer add/restart/rebuild/teardown. * Network policy protocol rules now support protocol-specific matching plus stricter `endpoint.path` validation. * **Bug Fixes** * Stronger fail-fast validation for MCP server names/hostnames and endpoint details (rejected before changes are applied). * Rebuild flows improved to preserve/replay custom policies and validate after MCP preparation, with rollback on failure. * **Documentation** * Updated setup/quickstart/reference and MCP bridge/rebuild guidance for managed MCP capability v2 behavior and stricter validation rules. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary This PR prepares the user-facing documentation for v0.0.74 before the release plan is frozen. It expands the release notes across the 56-commit train and closes durable documentation gaps found during the pre-tag commit scan. ## Changes - Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed MCP, progressive tool disclosure, LangChain Deep Agents Code, onboarding, local inference, messaging, recovery, and contributor workflows. - Correct the `destroy` contract for retained per-name volumes, gateway-unreachable `--force` cleanup, managed MCP ownership, and same-name recovery. - Document separate remediation for an unreachable container DNS resolver versus one that answers with `NXDOMAIN` or `REFUSED`. - Document the Windows on Arm N1X automatic Ollama safeguard and its remaining large-model limitations. - State that messaging conflicts abort rebuild before backup or deletion, leaving the original sandbox intact. - Link the agent-runnable value benchmark from the contributor task index. - Synchronize generated agent command variants. - Validate with `npm run docs:sync-agent-variants` and `npm run docs`; Fern completed with 0 errors and 2 existing warnings. - Source summary: - [NVIDIA#6020](NVIDIA#6020) and [NVIDIA#5876](NVIDIA#5876) -> `docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy boundary and managed MCP lifecycle. - [NVIDIA#6251](NVIDIA#6251) and [NVIDIA#5989](NVIDIA#5989) -> `docs/about/release-notes.mdx`: Summarize progressive tool disclosure and sandbox-first inference controls. - [NVIDIA#6232](NVIDIA#6232), [NVIDIA#6082](NVIDIA#6082), [NVIDIA#6219](NVIDIA#6219), [NVIDIA#6214](NVIDIA#6214), [NVIDIA#6215](NVIDIA#6215), [NVIDIA#6230](NVIDIA#6230), and [NVIDIA#6260](NVIDIA#6260) -> `docs/about/release-notes.mdx`: Summarize the experimental LangChain Deep Agents Code status, secret, version, rebuild, snapshot, and MCP boundaries. - [NVIDIA#6166](NVIDIA#6166), [NVIDIA#6254](NVIDIA#6254), [NVIDIA#6265](NVIDIA#6265), [NVIDIA#6164](NVIDIA#6164), and [NVIDIA#6017](NVIDIA#6017) -> `docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated image reuse, bounded readiness, and preflight improvements. - [NVIDIA#6150](NVIDIA#6150) -> `docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`: Separate unreachable-resolver remediation from reachable-but-rejected DNS responses. - [NVIDIA#6234](NVIDIA#6234) -> `docs/about/release-notes.mdx`, `docs/inference/use-local-inference.mdx`, and `docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B selection and the remaining explicit-large-model boundary. - [NVIDIA#6129](NVIDIA#6129), [NVIDIA#5987](NVIDIA#5987), [NVIDIA#5955](NVIDIA#5955), and [NVIDIA#6220](NVIDIA#6220) -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Document messaging policy persistence, status, and the pre-destructive conflict check. - [NVIDIA#5963](NVIDIA#5963), [NVIDIA#6050](NVIDIA#6050), [NVIDIA#6094](NVIDIA#6094), [NVIDIA#6238](NVIDIA#6238), [NVIDIA#5988](NVIDIA#5988), [NVIDIA#6235](NVIDIA#6235), [NVIDIA#6181](NVIDIA#6181), and [NVIDIA#5986](NVIDIA#5986) -> `docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and `docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and clarify retained-volume and local-only destroy semantics. - [NVIDIA#6200](NVIDIA#6200), [NVIDIA#6248](NVIDIA#6248), [NVIDIA#6168](NVIDIA#6168), [NVIDIA#6270](NVIDIA#6270), and [NVIDIA#5649](NVIDIA#5649) -> `docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize contributor setup and verification improvements and expose the advisory value benchmark. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: documentation-only release preparation; generated-variant synchronization and the Fern docs build validate the changed pages and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: tests are not applicable to this documentation-only change; `npm run docs` validates the source and generated routes. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Expanded setup guidance for Windows on Arm devices with safer default local model selection. * Clarified local inference and sandbox messaging behavior, including conflict checks before rebuilds and safer recovery steps. * Updated destroy/rebuild/reference docs with more detailed warnings, failure handling, and volume-retention guidance. * Improved troubleshooting instructions for Docker DNS issues with clearer paths for unreachable vs. blocked resolvers. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…nce (NVIDIA#6002) (NVIDIA#6663) ## Summary Raise the `full-e2e` cold-onboard acceptance budget (`ONBOARD_BUDGET_SECS`) from **180s → 205s**. This is the umbrella PR for today's live-E2E failures on `main`; scope and evidence per job below. ## Failure triage (main, 2026-07-10) A full `E2E` dispatch on `main` (run [29124128082](https://github.com/NVIDIA/NemoClaw/actions/runs/29124128082)) came back **78 passed / 5 skipped / 3 failed**. Each failure was root-caused, not retried blindly: | Job | Verdict | Root cause | |-----|---------|-----------| | `agent-turn-latency` | ✅ flake, self-cleared | Passed on first retry — hosted-inference timing variance. | | `full-e2e` | 🔧 **fixed here** | Consistent ~1s overshoot of a too-tight 180s onboard budget (see below). | | `rebuild-hermes` | ⏳ **verification pending** | Both observed failures were infra (`operation was canceled`, `runner lost communication with the server`) — **not** a test assertion or image-build error. Retry on post-bump `main` in flight ([29129133666](https://github.com/NVIDIA/NemoClaw/actions/runs/29129133666)). See "Hermes v0.18" below. | ## `full-e2e` — full analysis (no gaps) **Symptom.** The `[1/8]-to-first-response` gate (`full-e2e.test.ts:215`) failed **3 consecutive times**: | Run | to-first-response | vs 180s budget | |-----|-------------------|----------------| | [29124128082](https://github.com/NVIDIA/NemoClaw/actions/runs/29124128082) | 180,829 ms | +0.8s | | [29125880976](https://github.com/NVIDIA/NemoClaw/actions/runs/29125880976) | 181,550 ms | +1.5s | | [29127670707](https://github.com/NVIDIA/NemoClaw/actions/runs/29127670707) | 180,602 ms | +0.6s | **Not flake, not inference, not a code regression** — proven by the `onboard-progress-budget.json` artifact decomposition: | | `onboardSecs` | `totalSecs` | headroom | notes | |---|---|---|---|---| | Passing run [29128496025](https://github.com/NVIDIA/NemoClaw/actions/runs/29128496025) (`f4cd7ea9`) | **163** | 168 | +12s | BuildKit prebuild ✓, 0 classic steps | | Failing run [29127670707](https://github.com/NVIDIA/NemoClaw/actions/runs/29127670707) (`fcc121d5`) | **173** | 181 | −1s | BuildKit prebuild ✓, 0 classic steps | - The entire delta is in the **cold onboard/BuildKit image-build phase** (163s → 173s, a ~10s run-to-run swing) on **identical, post-NVIDIA#6265 `main`** — both heads are after the Hermes v0.18 bump, so the bump is not the cause. - The first hosted agent turn is only **~5–8s** (`totalSecs − onboardSecs`); inference is a rounding error. - The 180s cap (introduced 4 days ago in NVIDIA#6265) left only ~7s of headroom against a phase that varies ~10s with Docker Hub pull speed and hosted-runner I/O — so slow-build runs tip over. **Fix.** Raise to **205s**: covers the observed 173s worst case plus build-variance headroom, while still catching gross onboard regressions (a real regression blows well past 205s; `MAX_SILENCE_SECS` and BuildKit-fallback assertions are unchanged). ## Hermes v0.18 context Today's `main` includes `feat(hermes): upgrade to v0.18 and enable Slack Block Kit` (NVIDIA#6507, 17:45Z), plus `NVIDIA#6624` (release-matched sandbox bases) and `NVIDIA#6623` (surface cluster image build failures). Because `rebuild-hermes` rebuilds the Hermes image, a v0.18-induced regression *could* in principle surface as runner resource-exhaustion. **This PR does not yet claim `rebuild-hermes` is a flake** — the in-flight retry on post-bump `main` is the deciding evidence: - retry **passes** → confirmed infra flake, no code change needed, this PR ships as-is; - retry **fails** (build error / OOM / repeat comms-loss) → v0.18 is implicated and a fix is added to this branch before merge. ## Test evidence - `commitlint`, `gitleaks`, test-size/shape budgets: passed (pre-commit). - No product-code change; single test-constant edit. Behavioral proof is the artifact decomposition above. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Adjusted end-to-end onboarding timing thresholds by increasing the “acceptance budget” to allow for typical variability in image build times. * Updated test parity mappings to ensure the added live coverage is correctly linked with the corresponding faster test set. * Added inline guidance for why timing can fluctuate between runs, and why the previous cap needed more headroom. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
This follow-up to #6166 validates the staged context before invoking host BuildKit and moves the hard #6002 cold-path acceptance assertions into the existing
full-e2elifecycle. It removes the redundant second onboarding run while preserving a distinct merge-failing signal alongside the advisory warm-system scorecard budget.Related Issue
Follow-up to #6166 and #6002.
Changes
os.tmpdir()/nemoclaw-build-*staging directories with a no-follow regular Dockerfile, falling back to the gateway builder when validation fails.--fromDockerfiles remain on the OpenShell gateway-builder trust boundary.full-e2eonboarding instead of running a second warm-cache onboarding test.e2e.yamland document the hard 180-second cold-path contract separately from the advisory 390-second warm-system scorecard budget.Type of Change
Quality Gates
mkdtempstaging.Verification
Verifiedin GitHubnpx prek run --from-ref main --to-ref HEADpassesnpm testpasses (broad runtime changes only)npm run docsbuilds without warnings (doc changes only)Signed-off-by: Carlos Villela cvillela@nvidia.com
Summary by CodeRabbit
--fromvalidation behavior.--frombuild-context routing vs local BuildKit behavior on local Docker-driver gateways.