Skip to content

fix(onboard): preserve fresh DCode routing on re-onboard#6332

Merged
apurvvkumaria merged 22 commits into
mainfrom
fix/6311-fresh-reonboard-live-config
Jul 6, 2026
Merged

fix(onboard): preserve fresh DCode routing on re-onboard#6332
apurvvkumaria merged 22 commits into
mainfrom
fix/6311-fresh-reonboard-live-config

Conversation

@apurvvkumaria

@apurvvkumaria apurvvkumaria commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

Keep managed Deep Agents Code runtime routing aligned with the provider/model selected during same-name re-onboarding. The fix treats the live dcode identity result as authoritative, reconciles mixed-ownership config.toml state without restoring stale routing, and publishes registry metadata only after the restored runtime is verified.

Related Issue

Closes #6311

Supersedes #6317. This incorporates and extends @chengjiew's original drift/recreate investigation; Chengjie is credited as a co-author on the commit.

Changes

  • Recreate stock managed DCode sandboxes when live route, provider, model, or endpoint identity is stale or unreadable; refuse unverifiable reuse when the registry row is absent.
  • Restore only four bounded display preferences from backed-up DCode config: three booleans and the enumerated thread sort order. Keep fresh models, update, and generated provider metadata authoritative, and drop free-form or behavior-bearing backup settings.
  • Perform the merge with bounded TOML parsing, regular-file checks, same-directory staging, inode revalidation, fsync, and atomic replacement.
  • Validate the live restored selection before writing registry/status metadata, and leave custom-image plus ordinary snapshot/rebuild restore behavior unchanged.
  • Keep generic hotspots bounded by extracting gateway failure handling, DCode resume policy, and caller-authorized state-file restore policy into focused modules.
  • Add unit, handler, restore-boundary, and orchestration regression coverage plus user-facing documentation.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification:
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent reviews checked live identity parsing, restore ordering, custom-image provenance, file safety, same-user atomic-replace assumptions, and registry publication; all confirmed blockers were resolved.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: focused CLI suites 67/67; snapshot, OpenClaw restore, and spawned gateway integrations 53/53; final restore/finalization follow-ups 22/22 and prepared-context integration 2/2.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result: not applicable; this is a scoped DCode onboarding/restore fix, and the targeted suites plus normal repository hooks cover the changed boundaries.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only) — passed with 0 errors and 2 existing unspecified Fern warnings.
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Apurv Kumaria akumaria@nvidia.com

Summary by CodeRabbit

  • New Features
    • Managed Deep Agents Code onboarding and resume now verify live dcode identity to detect selection drift and recreate sandboxes when selections are unreadable or mismatched.
    • Managed restores can merge backed-up config.toml while keeping freshly generated model routing and provider metadata authoritative.
  • Bug Fixes
    • Prevents unverified managed DCode reuse when the expected registry entry is missing.
    • Improves gateway-start failure output by redacting sensitive diagnostics and printing clearer remediation commands.
  • Documentation
    • Updated quickstart and command reference for revised restore behavior and non-interactive recreation rules.
  • Tests
    • Added coverage for managed config merge ownership, selection drift, and sandbox finalization/resume flows.

Co-authored-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@apurvvkumaria apurvvkumaria added the v0.0.75 Release target label Jul 6, 2026
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds DCode drift handling to onboarding and resume flows, introduces managed config.toml merge-restore behavior, defers registry publication until verification passes, updates gateway failure handling, and refreshes related docs, tests, and manifest comments.

Changes

Managed DCode onboarding and restore flow

Layer / File(s) Summary
DCode selection drift detection module
src/lib/onboard/dcode-selection-drift.ts, src/lib/onboard/dcode-selection-drift.test.ts
Parses live dcode identity output, computes expected identity, and reports provider/model drift with parsing and fail-closed tests.
Managed config.toml merge restore
src/lib/state/state-file-restore-policy.ts, src/lib/state/dcode-config-restore-input.ts, src/lib/state/dcode-config-restore-input.test.ts, src/lib/state/sandbox.ts
Adds a merge restore policy and embedded Python restore path that preserve restored user tables while keeping managed routing metadata authoritative, and wires restore customization through sandbox state restore.
Reuse and resume drift wiring
src/lib/onboard/machine/handlers/sandbox-dcode-resume.ts, src/lib/onboard/machine/handlers/sandbox.ts, src/lib/onboard/machine/handlers/sandbox-dcode-selection.test.ts, src/lib/onboard/machine/handlers/sandbox-resume.ts, src/lib/onboard/machine/handlers/sandbox-resume.test.ts, src/lib/onboard/machine/handlers/sandbox-test-fixtures.ts, src/lib/onboard/machine/core-flow-phases.test.ts, src/lib/onboard.ts, test/onboard-terminal-dashboard.test.ts
Integrates drift results into reuse/recreate decisions and resume handling, adds managed-agent registry safety checks, and updates fixtures and tests.
Sandbox finalization after verification
src/lib/onboard/created-sandbox-finalization.ts, src/lib/onboard/created-sandbox-finalization.test.ts, src/lib/onboard.ts
Adds finalizeCreatedSandbox to restore backup state, validate managed DCode drift, and publish registry metadata only after verification succeeds.
Final gateway failure handler
src/lib/onboard/gateway-start-failure.ts, src/lib/onboard/gateway-start-failure.test.ts, src/lib/onboard.ts
Adds a configurable terminal failure handler for gateway startup and switches onboarding to use it.
Config identity docs and manifest updates
agents/langchain-deepagents-code/generate-config.ts, test/langchain-deepagents-code-config.test.ts, agents/langchain-deepagents-code/manifest.yaml, docs/get-started/quickstart-langchain-deepagents-code.mdx, docs/reference/commands.mdx, docs/reference/commands-nemohermes.mdx
Updates model parsing, config-generation coverage, and onboarding docs/comments to describe colon-preserving model names and managed restore/recreate semantics.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant CLI as nemoclaw onboard
  participant Onboard as onboard.ts
  participant Restore as restoreSandboxState
  participant Drift as getDcodeSelectionDrift
  participant Finalize as finalizeCreatedSandbox
  participant Registry as sandboxRegistration

  CLI->>Onboard: re-onboard --fresh sandbox
  Onboard->>Restore: restore backup with managed policy
  Restore-->>Onboard: merged config.toml
  Onboard->>Finalize: finalizeCreatedSandbox(options, deps)
  Finalize->>Drift: verify live selection
  Drift-->>Finalize: {changed, unknown}
  alt drift changed or unknown
    Finalize->>CLI: log error, exit 1
  else verified match
    Finalize->>Registry: registerCreatedSandbox(provider, model)
    Registry-->>CLI: status reflects verified live selection
  end
Loading

Possibly related issues

Possibly related PRs

  • NVIDIA/NemoClaw#1883: Also changes when registry model/provider metadata is written after sandbox creation.
  • NVIDIA/NemoClaw#1884: Also modifies the nemoclaw onboard creation flow around registry publication timing.

Suggested labels: bug-fix

Suggested reviewers: cjagwani, jyaunches

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR implements live DCode drift checks, restore allowlisting, and delayed registry publishing needed to fix #6311.
Out of Scope Changes check ✅ Passed I don't see unrelated code paths; the docs, tests, and refactors all support the onboarding and restore behavior change.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main change: preserving fresh DCode routing during re-onboard.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/6311-fresh-reonboard-live-config

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Fix PRA-3: DCode validation failure error message omits explicit rebuild recovery hint; then add or justify PRA-T1.
Open items: 1 required · 8 warnings · 8 suggestions · 8 test follow-ups
Since last review: 2 prior items resolved · 7 still apply · 2 new items found

Action checklist

  • PRA-3 Fix: DCode validation failure error message omits explicit rebuild recovery hint in src/lib/onboard/created-sandbox-finalization.ts:47
  • PRA-1 Resolve or justify: Source-of-truth review needed: src/lib/onboard/created-sandbox-finalization.ts:31-37
  • PRA-2 Resolve or justify: Source-of-truth review needed: src/lib/state/dcode-config-restore-input.ts:206-210
  • PRA-4 Resolve or justify: Credential allowlist design should be documented and tested against modern secret prefixes in src/lib/state/dcode-config-restore-input.ts:130
  • PRA-5 Resolve or justify: TOCTOU window in atomic config restore acknowledged but not mitigated in src/lib/state/dcode-config-restore-input.ts:210
  • PRA-7 Resolve or justify: Multiple overlapping PRs modify 5000+ line onboard.ts monolith creating merge conflict risk in src/lib/onboard.ts:1
  • PRA-10 Resolve or justify: Shell command injection surface in buildDcodeConfigMergeRestoreCommand in src/lib/state/dcode-config-restore-input.ts:230
  • PRA-11 Resolve or justify: requiresSelectionRecreate logic for managed DCode should be verified against product requirements in src/lib/onboard/dcode-selection-drift.ts:35
  • PRA-14 Resolve or justify: parseDcodeInferenceIdentity may accept trailing whitespace in values in src/lib/onboard/dcode-selection-drift.ts:90
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Runtime validation
  • PRA-T6 Add or justify test follow-up: Refactor test fixture to avoid global process.env mutation
  • PRA-T7 Add or justify test follow-up: src/lib/onboard/created-sandbox-finalization.ts:31-37
  • PRA-T8 Add or justify test follow-up: src/lib/state/dcode-config-restore-input.ts:206-210
  • PRA-6 In-scope improvement: ANSI normalization order fixed — CR stripped before ANSI sequences in src/lib/onboard/gateway-start-failure.ts:79
  • PRA-8 In-scope improvement: Test fixture mutates global process.env for single-use config knobs in src/lib/onboard/created-sandbox-finalization.test.ts:19
  • PRA-9 In-scope improvement: Simplified modelNameForOpenAiProvider using startsWith/slice in agents/langchain-deepagents-code/generate-config.ts:70
  • PRA-12 In-scope improvement: ANSI_RE regex duplicated across 8+ files in src/lib/onboard/ in src/lib/onboard/gateway-start-failure.ts:8
  • PRA-13 In-scope improvement: Source-of-truth workaround for partial restore should be formally tracked in src/lib/onboard/created-sandbox-finalization.ts:35
  • PRA-15 In-scope improvement: DCODE_CONFIG_MERGE_PYTHON is a large inline Python script embedded as template string in src/lib/state/dcode-config-restore-input.ts:1
  • PRA-16 In-scope improvement: Extract ANSI_RE to shared utility in src/lib/onboard/gateway-start-failure.ts:8
  • PRA-17 In-scope improvement: Refactor test fixture to avoid global process.env mutation in src/lib/onboard/created-sandbox-finalization.test.ts:19

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-2 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-3 Required correctness src/lib/onboard/created-sandbox-finalization.ts:47 Add explicit recovery hint to the error message at lines 47-58: 'To recover: nemoclaw <name> rebuild or manual config.toml fix.'
PRA-4 Resolve/justify security src/lib/state/dcode-config-restore-input.ts:130 Add code comment documenting allowlist-only design as primary credential defense. Add test case with modern secret formats verifying they are dropped by the allowlist merge.
PRA-5 Resolve/justify architecture src/lib/state/dcode-config-restore-input.ts:210 Either explicitly justify accepting the low-risk window in a code comment (same sandbox user, same authority) or implement O_EXCL staging with inode re-verification before os.replace.
PRA-6 Improvement security src/lib/onboard/gateway-start-failure.ts:79 No action needed — fix is correct and reduces risk.
PRA-7 Resolve/justify architecture src/lib/onboard.ts:1 Coordinate with overlapping PR authors to sequence merges or rebase. Continue extracting DCode-specific logic to reduce onboard.ts surface area.
PRA-8 Improvement correctness src/lib/onboard/created-sandbox-finalization.test.ts:19 Refactor fixture to use a dedicated helper (e.g., withDcodeEnvironment(fn)) that sets up PATH/OPENSHELL_BIN locally via subprocess env rather than mutating global process.env.
PRA-9 Improvement correctness agents/langchain-deepagents-code/generate-config.ts:70 No action needed — simplification is correct and reduces complexity.
PRA-10 Resolve/justify security src/lib/state/dcode-config-restore-input.ts:230 Consider using Python's tempfile module directly instead of shell mktemp, or add explicit validation that the generated command contains only expected patterns.
PRA-11 Resolve/justify correctness src/lib/onboard/dcode-selection-drift.ts:35 Confirm with product/design that managed DCode should fail closed on unknown selection drift (unreadable identity) while other agents reuse by default.
PRA-12 Improvement architecture src/lib/onboard/gateway-start-failure.ts:8 Extract ANSI_RE to a shared utility (e.g., src/lib/onboard/ansi.ts) and import where needed.
PRA-13 Improvement architecture src/lib/onboard/created-sandbox-finalization.ts:35 Formalize this workaround tracking in a centralized location (e.g., WORKAROUNDS.md or code owners file) with a target removal milestone.
PRA-14 Resolve/justify correctness src/lib/onboard/dcode-selection-drift.ts:90 Verify actual dcode identity output format matches the parser expectations. Add test with actual dcode identity output if available.
PRA-15 Improvement architecture src/lib/state/dcode-config-restore-input.ts:1 Extract the Python merge script to a separate file (e.g., scripts/dcode-config-merge.py) and embed it at build time or load as resource.
PRA-16 Improvement architecture src/lib/onboard/gateway-start-failure.ts:8 Create src/lib/onboard/ansi.ts exporting ANSI_RE and stripAnsi() helper; update all 8+ files to import.
PRA-17 Improvement tests src/lib/onboard/created-sandbox-finalization.test.ts:19 Extract withDcodeEnvironment(fn) helper that passes env via subprocess options.

🚨 Required before merge

Address these before merging unless a maintainer explicitly overrides the advisor with rationale.

PRA-3 Required — DCode validation failure error message omits explicit rebuild recovery hint

  • Location: src/lib/onboard/created-sandbox-finalization.ts:47
  • Category: correctness
  • Problem: When live validation fails (lines 47-58), the error states 'A NemoClaw rebuild is unsafe here because no verified registry metadata exists' but does not provide the actionable recovery command 'nemoclaw <name> rebuild' or 'manual config.toml fix'. Users hitting this failure may unnecessarily destroy/recreate instead of using rebuild which preserves restored workspace state.
  • Impact: Operational confusion — users hitting validation failure may destroy/recreate unnecessarily instead of using rebuild which preserves the restored workspace state.
  • Required action: Add explicit recovery hint to the error message at lines 47-58: 'To recover: nemoclaw <name> rebuild or manual config.toml fix.'
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Read src/lib/onboard/created-sandbox-finalization.ts:47-58 and verify error message contains 'rebuild' recovery command
  • Missing regression test: Add test in created-sandbox-finalization.test.ts verifying error message contains 'rebuild' recovery hint when validation fails
  • Done when: The required change is committed and verification passes: Read src/lib/onboard/created-sandbox-finalization.ts:47-58 and verify error message contains 'rebuild' recovery command.
  • Evidence: Current error at lines 47-55: 'DCode live model/provider validation failed for sandbox ...; registry metadata was not updated. Manual recovery: <path>' — missing sandbox state context and rebuild suggestion.
Review findings by urgency: 1 required fix, 8 items to resolve/justify, 8 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: src/lib/onboard/created-sandbox-finalization.ts:31-37

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: The partial-workspace-restore test validates fresh config before registration
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Code comment lines 31-37 documents this fallback with removal condition

PRA-2 Resolve/justify — Source-of-truth review needed: src/lib/state/dcode-config-restore-input.ts:206-210

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as missing.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: No test exists — TOCTOU races are difficult to test reliably
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Comment at lines 206-208 acknowledges window and trust boundary; no mitigation implemented

PRA-4 Resolve/justify — Credential allowlist design should be documented and tested against modern secret prefixes

  • Location: src/lib/state/dcode-config-restore-input.ts:130
  • Category: security
  • Problem: The DCode config merge uses an allowlist-only approach (only show_scrollbar, show_url_open_toast, relative_time, sort_order restored) — no deny-list CREDENTIAL_SHAPE_PATTERN exists. Tests verify ghp_, sk-, lsv2_, Bearer secrets are dropped. Modern prefixes (xoxe.xoxp.xoxb- Slack tokens, sk-ant- Anthropic keys, AWS_SESSION_TOKEN, CFPAT_ Cloudflare tokens) are not tested. Documentation gap may mislead future reviewers.
  • Impact: If a backup contains a credential with a modern prefix not covered by test cases, it could be merged if the allowlist logic has a gap. Documentation gap may mislead future reviewers.
  • Recommended action: Add code comment documenting allowlist-only design as primary credential defense. Add test case with modern secret formats verifying they are dropped by the allowlist merge.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read src/lib/state/dcode-config-restore-input.ts safe_ui/safe_threads functions (lines 130-155) and test 'drops free-form themes, executable, routing, and unknown backup data' to confirm allowlist-only design
  • Missing regression test: Add test case with modern secret format (e.g., 'xoxe.xoxp.xoxb-' Slack token, 'sk-ant-' Anthropic key, 'AWS_SESSION_TOKEN=...') verifying it is dropped by the allowlist merge
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read src/lib/state/dcode-config-restore-input.ts safe_ui/safe_threads functions (lines 130-155) and test 'drops free-form themes, executable, routing, and unknown backup data' to confirm allowlist-only design.
  • Evidence: No CREDENTIAL_SHAPE_PATTERN exists in current code. safe_ui (lines 130-138) and safe_threads (lines 140-150) extract only allowlisted keys. Test at line 220-240 verifies known prefixes but not modern ones.

PRA-5 Resolve/justify — TOCTOU window in atomic config restore acknowledged but not mitigated

  • Location: src/lib/state/dcode-config-restore-input.ts:210
  • Category: architecture
  • Problem: Python script checks inode before os.replace but there's a window where target could be swapped. Comment acknowledges risk: 'This check catches accidental target drift; os.replace atomically replaces the directory entry without following a swapped destination symlink. Hostile same-UID writes have the same config authority immediately before and after this operation.' Previous review suggested os.open() with O_EXCL on staged file and verify target inode before replace.
  • Impact: Low-risk TOCTOU: same sandbox user owns directory; hostile writes have same authority pre/post. However, defense-in-depth improvement possible.
  • Recommended action: Either explicitly justify accepting the low-risk window in a code comment (same sandbox user, same authority) or implement O_EXCL staging with inode re-verification before os.replace.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read src/lib/state/dcode-config-restore-input.ts write_staged_and_replace function (lines 195-225) for the atomic replace logic and inode check
  • Missing regression test: Test for TOCTOU race would require concurrent filesystem manipulation — difficult to test reliably. Document acceptance rationale in code comment instead.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read src/lib/state/dcode-config-restore-input.ts write_staged_and_replace function (lines 195-225) for the atomic replace logic and inode check.
  • Evidence: Lines 205-210: inode check before os.replace. Comment at 206-208 acknowledges window and trust boundary.

PRA-7 Resolve/justify — Multiple overlapping PRs modify 5000+ line onboard.ts monolith creating merge conflict risk

PRA-10 Resolve/justify — Shell command injection surface in buildDcodeConfigMergeRestoreCommand

  • Location: src/lib/state/dcode-config-restore-input.ts:230
  • Category: security
  • Problem: The function constructs a shell command string using mktemp, cat, and python3 -I with shellQuote. While shellQuote is used, the command string is executed via SSH in the sandbox. Consider using Python's tempfile module directly instead of shell mktemp, or add explicit validation that the generated command contains only expected patterns.
  • Impact: If shellQuote is bypassed or paths manipulated, arbitrary command execution in sandbox context.
  • Recommended action: Consider using Python's tempfile module directly instead of shell mktemp, or add explicit validation that the generated command contains only expected patterns.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read src/lib/state/dcode-config-restore-input.ts buildDcodeConfigMergeRestoreCommand function (lines 230-250) for the shell command construction
  • Missing regression test: Add test verifying generated command structure contains only expected patterns (mktemp, cat, python3 -I, no user-controlled interpolation)
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read src/lib/state/dcode-config-restore-input.ts buildDcodeConfigMergeRestoreCommand function (lines 230-250) for the shell command construction.
  • Evidence: Lines 230-250: shell command string with mktemp, cat, python3 -I, shellQuote on paths only

PRA-11 Resolve/justify — requiresSelectionRecreate logic for managed DCode should be verified against product requirements

  • Location: src/lib/onboard/dcode-selection-drift.ts:35
  • Category: correctness
  • Problem: Managed DCode fails closed on ANY selection drift (known or unknown) to enforce routing integrity; ordinary agents recreate only on confirmed known drift. This is a significant behavioral difference that should be confirmed with product/design.
  • Impact: Managed DCode sandboxes recreate on unreadable identity while other agents reuse — may surprise users expecting consistent behavior.
  • Recommended action: Confirm with product/design that managed DCode should fail closed on unknown selection drift (unreadable identity) while other agents reuse by default.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read src/lib/onboard/dcode-selection-drift.ts requiresSelectionRecreate function (lines 35-40) and compare with decideSandboxResume in sandbox-resume.ts
  • Missing regression test: Add test documenting the expected behavioral difference between managed DCode and other agents for unknown drift
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read src/lib/onboard/dcode-selection-drift.ts requiresSelectionRecreate function (lines 35-40) and compare with decideSandboxResume in sandbox-resume.ts.
  • Evidence: Line 35-40: `return drift.changed && (!drift.unknown || managedDcode);` — managedDcode=true causes recreate on unknown drift

PRA-14 Resolve/justify — parseDcodeInferenceIdentity may accept trailing whitespace in values

  • Location: src/lib/onboard/dcode-selection-drift.ts:90
  • Category: correctness
  • Problem: The regex `(\S(?:.*\S)?)` captures non-whitespace start/end but allows internal whitespace. This is likely intentional for model IDs with colons, but should be verified against actual dcode identity output format.
  • Impact: Parser may accept malformed output that real dcode identity never produces, or reject valid output with trailing spaces.
  • Recommended action: Verify actual dcode identity output format matches the parser expectations. Add test with actual dcode identity output if available.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Run dcode identity in a managed sandbox and compare output format with parser regex
  • Missing regression test: Add integration test with real dcode identity output
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Run dcode identity in a managed sandbox and compare output format with parser regex.
  • Evidence: Line 90: `const match = line.match(/^(Route|Provider|Model|Endpoint):[ \t]+(\S(?:.*\S)?)$/u);`

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-6 Improvement — ANSI normalization order fixed — CR stripped before ANSI sequences

  • Location: src/lib/onboard/gateway-start-failure.ts:79
  • Category: security
  • Problem: The new code at line 79 uses `.replace(/\r/g, "").replace(ANSI_RE, "")` which is the correct defense-in-depth order (was previously ANSI then CR). This resolves the prior concern.
  • Impact: Defense-in-depth improvement for log sanitization; no functional regression.
  • Suggested action: No action needed — fix is correct and reduces risk.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read src/lib/onboard/gateway-start-failure.ts:79 and verify CR normalization precedes ANSI_RE replacement
  • Missing regression test: Existing test 'normalizes diagnostics before redacting secrets split by terminal control bytes' in gateway-start-failure.test.ts covers this
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Line 79: `const normalizedLogs = String(collectDiagnostics() || "").replace(/\r/g, "").replace(ANSI_RE, "");`

PRA-8 Improvement — Test fixture mutates global process.env for single-use config knobs

  • Location: src/lib/onboard/created-sandbox-finalization.test.ts:19
  • Category: correctness
  • Problem: The makeRestoreFixture() function modifies process.env.NEMOCLAW_OPENSHELL_BIN and process.env.PATH globally, which can leak between tests despite afterEach cleanup.
  • Impact: Test pollution risk; flaky tests if fixtures run in different order.
  • Suggested action: Refactor fixture to use a dedicated helper (e.g., withDcodeEnvironment(fn)) that sets up PATH/OPENSHELL_BIN locally via subprocess env rather than mutating global process.env.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read src/lib/onboard/created-sandbox-finalization.test.ts makeRestoreFixture function and observe process.env mutations
  • Missing regression test: N/A — test hygiene improvement
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 19, 39, 189, 190, 256, 345: process.env.NEMOCLAW_OPENSHELL_BIN and process.env.PATH assigned and restored in afterEach

PRA-9 Improvement — Simplified modelNameForOpenAiProvider using startsWith/slice

  • Location: agents/langchain-deepagents-code/generate-config.ts:70
  • Category: correctness
  • Problem: The new implementation `trimmed.startsWith("openai:") ? trimmed.slice("openai:".length) : trimmed` is correct and reduces complexity compared to the previous indexOf/slice approach.
  • Impact: Reduced cognitive load; fewer edge cases (no off-by-one on indexOf).
  • Suggested action: No action needed — simplification is correct and reduces complexity.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read agents/langchain-deepagents-code/generate-config.ts:70 and verify the simplification
  • Missing regression test: Existing tests in langchain-deepagents-code-config.test.ts cover model name normalization
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Line 70: `return trimmed.startsWith("openai:") ? trimmed.slice("openai:".length) : trimmed;`

PRA-12 Improvement — ANSI_RE regex duplicated across 8+ files in src/lib/onboard/

  • Location: src/lib/onboard/gateway-start-failure.ts:8
  • Category: architecture
  • Problem: The same regex appears in gateway-start-failure.ts, dashboard.ts, sandbox-create-failure.ts, dashboard-port.ts, gateway-lifecycle.ts, docker-gpu-supervisor-reconnect.ts, docker-gpu-patch.ts, and potentially others.
  • Impact: Maintenance burden; inconsistent updates; copy-paste drift risk.
  • Suggested action: Extract ANSI_RE to a shared utility (e.g., src/lib/onboard/ansi.ts) and import where needed.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Run the grep for ANSI_RE across src/lib/onboard/ to see all occurrences
  • Missing regression test: N/A — code deduplication
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: grep shows 8 files with identical or near-identical ANSI_RE regex

PRA-13 Improvement — Source-of-truth workaround for partial restore should be formally tracked

  • Location: src/lib/onboard/created-sandbox-finalization.ts:35
  • Category: architecture
  • Problem: The code comment at lines 31-37 documents a fallback for partial workspace restore with removal condition, but this is not tracked in a centralized location (e.g., WORKAROUNDS.md or code owners file) with a target removal milestone.
  • Impact: Workaround may persist indefinitely without ownership; removal condition not visible to maintainers.
  • Suggested action: Formalize this workaround tracking in a centralized location (e.g., WORKAROUNDS.md or code owners file) with a target removal milestone.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read src/lib/onboard/created-sandbox-finalization.ts lines 31-37 for the source-of-truth review comment
  • Missing regression test: N/A — documentation/process improvement
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 31-37: comment block with 'Source-of-truth review:' and removal condition

PRA-15 Improvement — DCODE_CONFIG_MERGE_PYTHON is a large inline Python script embedded as template string

  • Location: src/lib/state/dcode-config-restore-input.ts:1
  • Category: architecture
  • Problem: DCODE_CONFIG_MERGE_PYTHON is a large inline Python script (200+ lines) embedded as a template string. This makes review, testing, and maintenance harder.
  • Impact: Hard to review diffs; syntax highlighting doesn't work; testing requires string extraction; maintenance error-prone.
  • Suggested action: Extract the Python merge script to a separate file (e.g., scripts/dcode-config-merge.py) and embed it at build time or load as resource.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read src/lib/state/dcode-config-restore-input.ts DCODE_CONFIG_MERGE_PYTHON constant (lines 40-200)
  • Missing regression test: N/A — maintainability improvement
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 40-200: 160+ line template string with Python logic

PRA-16 Improvement — Extract ANSI_RE to shared utility

  • Location: src/lib/onboard/gateway-start-failure.ts:8
  • Category: architecture
  • Problem: ANSI_RE regex duplicated across 8+ files. Extract to shared utility to eliminate duplication.
  • Impact: Single source of truth for ANSI stripping; easier to update if terminal output formats change.
  • Suggested action: Create src/lib/onboard/ansi.ts exporting ANSI_RE and stripAnsi() helper; update all 8+ files to import.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: grep ANSI_RE src/lib/onboard/ --include="*.ts" | head -20
  • Missing regression test: N/A — code deduplication
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: 8 files with identical regex

PRA-17 Improvement — Refactor test fixture to avoid global process.env mutation

  • Location: src/lib/onboard/created-sandbox-finalization.test.ts:19
  • Category: tests
  • Problem: makeRestoreFixture() mutates process.env.NEMOCLAW_OPENSHELL_BIN and process.env.PATH globally.
  • Impact: Test pollution risk; flaky tests if fixtures run in different order.
  • Suggested action: Extract withDcodeEnvironment(fn) helper that passes env via subprocess options.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read makeRestoreFixture() and observe process.env assignments
  • Missing regression test: N/A — test hygiene
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 19, 39, 189, 190, 256, 345
Simplification opportunities: 3 possible cuts, net -226 lines possible

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-15 shrink (src/lib/state/dcode-config-restore-input.ts:1): DCODE_CONFIG_MERGE_PYTHON template string (lines 40-200)
    • Replacement: Import from separate .py file embedded at build time via fs.readFileSync or bundler
    • Net: -160 lines
    • Safety boundary: Must preserve exact Python semantics: O_NOFOLLOW, inode checks, size limits, TOML validation, atomic replace with fsync
  • PRA-16 stdlib (src/lib/onboard/gateway-start-failure.ts:8): const ANSI_RE = /\x1B(?:[...])/g; duplicated in 8 files
    • Replacement: import { ANSI_RE } from './ansi';
    • Net: -56 lines
    • Safety boundary: Must not change regex behavior; all current usages must produce identical output
  • PRA-17 delete (src/lib/onboard/created-sandbox-finalization.test.ts:19): process.env.NEMOCLAW_OPENSHELL_BIN = ...; process.env.PATH = ...; delete process.env.NEMOCLAW_OPENSHELL_BIN; process.env.PATH = oldPath;
    • Replacement: withDcodeEnvironment(() => { ... }) passing env via child_process options
    • Net: -10 lines
    • Safety boundary: Must preserve exact same subprocess environment for openshell/ssh/python3 resolution
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — dcode identity output format matches parser expectations. Unit tests mock deps and validate logic well. Runtime validation needed for: (1) real dcode identity output format compatibility, (2) end-to-end --fresh re-onboard flow with real sandbox, (3) Python merge script with real tomllib/tomli_w.
  • PRA-T2 Runtime validation — --fresh re-onboard switches model in config.toml and status. Unit tests mock deps and validate logic well. Runtime validation needed for: (1) real dcode identity output format compatibility, (2) end-to-end --fresh re-onboard flow with real sandbox, (3) Python merge script with real tomllib/tomli_w.
  • PRA-T3 Runtime validation — Python merge script handles real TOML arrays/tables. Unit tests mock deps and validate logic well. Runtime validation needed for: (1) real dcode identity output format compatibility, (2) end-to-end --fresh re-onboard flow with real sandbox, (3) Python merge script with real tomllib/tomli_w.
  • PRA-T4 Runtime validation — Partial restore exception during copy. Unit tests mock deps and validate logic well. Runtime validation needed for: (1) real dcode identity output format compatibility, (2) end-to-end --fresh re-onboard flow with real sandbox, (3) Python merge script with real tomllib/tomli_w.
  • PRA-T5 Runtime validation — Concurrent config modification during restore (if feasible). Unit tests mock deps and validate logic well. Runtime validation needed for: (1) real dcode identity output format compatibility, (2) end-to-end --fresh re-onboard flow with real sandbox, (3) Python merge script with real tomllib/tomli_w.
  • PRA-T6 Refactor test fixture to avoid global process.env mutation — Extract withDcodeEnvironment(fn) helper that passes env via subprocess options.
  • PRA-T7 src/lib/onboard/created-sandbox-finalization.ts:31-37 — The partial-workspace-restore test validates fresh config before registration. Code comment lines 31-37 documents this fallback with removal condition
  • PRA-T8 src/lib/state/dcode-config-restore-input.ts:206-210 — No test exists — TOCTOU races are difficult to test reliably. Comment at lines 206-208 acknowledges window and trust boundary; no mitigation implemented
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Source-of-truth review needed: src/lib/onboard/created-sandbox-finalization.ts:31-37

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: The partial-workspace-restore test validates fresh config before registration
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Code comment lines 31-37 documents this fallback with removal condition

PRA-2 Resolve/justify — Source-of-truth review needed: src/lib/state/dcode-config-restore-input.ts:206-210

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as missing.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: No test exists — TOCTOU races are difficult to test reliably
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Comment at lines 206-208 acknowledges window and trust boundary; no mitigation implemented

PRA-3 Required — DCode validation failure error message omits explicit rebuild recovery hint

  • Location: src/lib/onboard/created-sandbox-finalization.ts:47
  • Category: correctness
  • Problem: When live validation fails (lines 47-58), the error states 'A NemoClaw rebuild is unsafe here because no verified registry metadata exists' but does not provide the actionable recovery command 'nemoclaw <name> rebuild' or 'manual config.toml fix'. Users hitting this failure may unnecessarily destroy/recreate instead of using rebuild which preserves restored workspace state.
  • Impact: Operational confusion — users hitting validation failure may destroy/recreate unnecessarily instead of using rebuild which preserves the restored workspace state.
  • Required action: Add explicit recovery hint to the error message at lines 47-58: 'To recover: nemoclaw <name> rebuild or manual config.toml fix.'
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Read src/lib/onboard/created-sandbox-finalization.ts:47-58 and verify error message contains 'rebuild' recovery command
  • Missing regression test: Add test in created-sandbox-finalization.test.ts verifying error message contains 'rebuild' recovery hint when validation fails
  • Done when: The required change is committed and verification passes: Read src/lib/onboard/created-sandbox-finalization.ts:47-58 and verify error message contains 'rebuild' recovery command.
  • Evidence: Current error at lines 47-55: 'DCode live model/provider validation failed for sandbox ...; registry metadata was not updated. Manual recovery: <path>' — missing sandbox state context and rebuild suggestion.

PRA-4 Resolve/justify — Credential allowlist design should be documented and tested against modern secret prefixes

  • Location: src/lib/state/dcode-config-restore-input.ts:130
  • Category: security
  • Problem: The DCode config merge uses an allowlist-only approach (only show_scrollbar, show_url_open_toast, relative_time, sort_order restored) — no deny-list CREDENTIAL_SHAPE_PATTERN exists. Tests verify ghp_, sk-, lsv2_, Bearer secrets are dropped. Modern prefixes (xoxe.xoxp.xoxb- Slack tokens, sk-ant- Anthropic keys, AWS_SESSION_TOKEN, CFPAT_ Cloudflare tokens) are not tested. Documentation gap may mislead future reviewers.
  • Impact: If a backup contains a credential with a modern prefix not covered by test cases, it could be merged if the allowlist logic has a gap. Documentation gap may mislead future reviewers.
  • Recommended action: Add code comment documenting allowlist-only design as primary credential defense. Add test case with modern secret formats verifying they are dropped by the allowlist merge.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read src/lib/state/dcode-config-restore-input.ts safe_ui/safe_threads functions (lines 130-155) and test 'drops free-form themes, executable, routing, and unknown backup data' to confirm allowlist-only design
  • Missing regression test: Add test case with modern secret format (e.g., 'xoxe.xoxp.xoxb-' Slack token, 'sk-ant-' Anthropic key, 'AWS_SESSION_TOKEN=...') verifying it is dropped by the allowlist merge
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read src/lib/state/dcode-config-restore-input.ts safe_ui/safe_threads functions (lines 130-155) and test 'drops free-form themes, executable, routing, and unknown backup data' to confirm allowlist-only design.
  • Evidence: No CREDENTIAL_SHAPE_PATTERN exists in current code. safe_ui (lines 130-138) and safe_threads (lines 140-150) extract only allowlisted keys. Test at line 220-240 verifies known prefixes but not modern ones.

PRA-5 Resolve/justify — TOCTOU window in atomic config restore acknowledged but not mitigated

  • Location: src/lib/state/dcode-config-restore-input.ts:210
  • Category: architecture
  • Problem: Python script checks inode before os.replace but there's a window where target could be swapped. Comment acknowledges risk: 'This check catches accidental target drift; os.replace atomically replaces the directory entry without following a swapped destination symlink. Hostile same-UID writes have the same config authority immediately before and after this operation.' Previous review suggested os.open() with O_EXCL on staged file and verify target inode before replace.
  • Impact: Low-risk TOCTOU: same sandbox user owns directory; hostile writes have same authority pre/post. However, defense-in-depth improvement possible.
  • Recommended action: Either explicitly justify accepting the low-risk window in a code comment (same sandbox user, same authority) or implement O_EXCL staging with inode re-verification before os.replace.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read src/lib/state/dcode-config-restore-input.ts write_staged_and_replace function (lines 195-225) for the atomic replace logic and inode check
  • Missing regression test: Test for TOCTOU race would require concurrent filesystem manipulation — difficult to test reliably. Document acceptance rationale in code comment instead.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read src/lib/state/dcode-config-restore-input.ts write_staged_and_replace function (lines 195-225) for the atomic replace logic and inode check.
  • Evidence: Lines 205-210: inode check before os.replace. Comment at 206-208 acknowledges window and trust boundary.

PRA-6 Improvement — ANSI normalization order fixed — CR stripped before ANSI sequences

  • Location: src/lib/onboard/gateway-start-failure.ts:79
  • Category: security
  • Problem: The new code at line 79 uses `.replace(/\r/g, "").replace(ANSI_RE, "")` which is the correct defense-in-depth order (was previously ANSI then CR). This resolves the prior concern.
  • Impact: Defense-in-depth improvement for log sanitization; no functional regression.
  • Suggested action: No action needed — fix is correct and reduces risk.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read src/lib/onboard/gateway-start-failure.ts:79 and verify CR normalization precedes ANSI_RE replacement
  • Missing regression test: Existing test 'normalizes diagnostics before redacting secrets split by terminal control bytes' in gateway-start-failure.test.ts covers this
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Line 79: `const normalizedLogs = String(collectDiagnostics() || "").replace(/\r/g, "").replace(ANSI_RE, "");`

PRA-7 Resolve/justify — Multiple overlapping PRs modify 5000+ line onboard.ts monolith creating merge conflict risk

PRA-8 Improvement — Test fixture mutates global process.env for single-use config knobs

  • Location: src/lib/onboard/created-sandbox-finalization.test.ts:19
  • Category: correctness
  • Problem: The makeRestoreFixture() function modifies process.env.NEMOCLAW_OPENSHELL_BIN and process.env.PATH globally, which can leak between tests despite afterEach cleanup.
  • Impact: Test pollution risk; flaky tests if fixtures run in different order.
  • Suggested action: Refactor fixture to use a dedicated helper (e.g., withDcodeEnvironment(fn)) that sets up PATH/OPENSHELL_BIN locally via subprocess env rather than mutating global process.env.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read src/lib/onboard/created-sandbox-finalization.test.ts makeRestoreFixture function and observe process.env mutations
  • Missing regression test: N/A — test hygiene improvement
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 19, 39, 189, 190, 256, 345: process.env.NEMOCLAW_OPENSHELL_BIN and process.env.PATH assigned and restored in afterEach

PRA-9 Improvement — Simplified modelNameForOpenAiProvider using startsWith/slice

  • Location: agents/langchain-deepagents-code/generate-config.ts:70
  • Category: correctness
  • Problem: The new implementation `trimmed.startsWith("openai:") ? trimmed.slice("openai:".length) : trimmed` is correct and reduces complexity compared to the previous indexOf/slice approach.
  • Impact: Reduced cognitive load; fewer edge cases (no off-by-one on indexOf).
  • Suggested action: No action needed — simplification is correct and reduces complexity.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read agents/langchain-deepagents-code/generate-config.ts:70 and verify the simplification
  • Missing regression test: Existing tests in langchain-deepagents-code-config.test.ts cover model name normalization
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Line 70: `return trimmed.startsWith("openai:") ? trimmed.slice("openai:".length) : trimmed;`

PRA-10 Resolve/justify — Shell command injection surface in buildDcodeConfigMergeRestoreCommand

  • Location: src/lib/state/dcode-config-restore-input.ts:230
  • Category: security
  • Problem: The function constructs a shell command string using mktemp, cat, and python3 -I with shellQuote. While shellQuote is used, the command string is executed via SSH in the sandbox. Consider using Python's tempfile module directly instead of shell mktemp, or add explicit validation that the generated command contains only expected patterns.
  • Impact: If shellQuote is bypassed or paths manipulated, arbitrary command execution in sandbox context.
  • Recommended action: Consider using Python's tempfile module directly instead of shell mktemp, or add explicit validation that the generated command contains only expected patterns.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read src/lib/state/dcode-config-restore-input.ts buildDcodeConfigMergeRestoreCommand function (lines 230-250) for the shell command construction
  • Missing regression test: Add test verifying generated command structure contains only expected patterns (mktemp, cat, python3 -I, no user-controlled interpolation)
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read src/lib/state/dcode-config-restore-input.ts buildDcodeConfigMergeRestoreCommand function (lines 230-250) for the shell command construction.
  • Evidence: Lines 230-250: shell command string with mktemp, cat, python3 -I, shellQuote on paths only

PRA-11 Resolve/justify — requiresSelectionRecreate logic for managed DCode should be verified against product requirements

  • Location: src/lib/onboard/dcode-selection-drift.ts:35
  • Category: correctness
  • Problem: Managed DCode fails closed on ANY selection drift (known or unknown) to enforce routing integrity; ordinary agents recreate only on confirmed known drift. This is a significant behavioral difference that should be confirmed with product/design.
  • Impact: Managed DCode sandboxes recreate on unreadable identity while other agents reuse — may surprise users expecting consistent behavior.
  • Recommended action: Confirm with product/design that managed DCode should fail closed on unknown selection drift (unreadable identity) while other agents reuse by default.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read src/lib/onboard/dcode-selection-drift.ts requiresSelectionRecreate function (lines 35-40) and compare with decideSandboxResume in sandbox-resume.ts
  • Missing regression test: Add test documenting the expected behavioral difference between managed DCode and other agents for unknown drift
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read src/lib/onboard/dcode-selection-drift.ts requiresSelectionRecreate function (lines 35-40) and compare with decideSandboxResume in sandbox-resume.ts.
  • Evidence: Line 35-40: `return drift.changed && (!drift.unknown || managedDcode);` — managedDcode=true causes recreate on unknown drift

PRA-12 Improvement — ANSI_RE regex duplicated across 8+ files in src/lib/onboard/

  • Location: src/lib/onboard/gateway-start-failure.ts:8
  • Category: architecture
  • Problem: The same regex appears in gateway-start-failure.ts, dashboard.ts, sandbox-create-failure.ts, dashboard-port.ts, gateway-lifecycle.ts, docker-gpu-supervisor-reconnect.ts, docker-gpu-patch.ts, and potentially others.
  • Impact: Maintenance burden; inconsistent updates; copy-paste drift risk.
  • Suggested action: Extract ANSI_RE to a shared utility (e.g., src/lib/onboard/ansi.ts) and import where needed.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Run the grep for ANSI_RE across src/lib/onboard/ to see all occurrences
  • Missing regression test: N/A — code deduplication
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: grep shows 8 files with identical or near-identical ANSI_RE regex

PRA-13 Improvement — Source-of-truth workaround for partial restore should be formally tracked

  • Location: src/lib/onboard/created-sandbox-finalization.ts:35
  • Category: architecture
  • Problem: The code comment at lines 31-37 documents a fallback for partial workspace restore with removal condition, but this is not tracked in a centralized location (e.g., WORKAROUNDS.md or code owners file) with a target removal milestone.
  • Impact: Workaround may persist indefinitely without ownership; removal condition not visible to maintainers.
  • Suggested action: Formalize this workaround tracking in a centralized location (e.g., WORKAROUNDS.md or code owners file) with a target removal milestone.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read src/lib/onboard/created-sandbox-finalization.ts lines 31-37 for the source-of-truth review comment
  • Missing regression test: N/A — documentation/process improvement
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 31-37: comment block with 'Source-of-truth review:' and removal condition

PRA-14 Resolve/justify — parseDcodeInferenceIdentity may accept trailing whitespace in values

  • Location: src/lib/onboard/dcode-selection-drift.ts:90
  • Category: correctness
  • Problem: The regex `(\S(?:.*\S)?)` captures non-whitespace start/end but allows internal whitespace. This is likely intentional for model IDs with colons, but should be verified against actual dcode identity output format.
  • Impact: Parser may accept malformed output that real dcode identity never produces, or reject valid output with trailing spaces.
  • Recommended action: Verify actual dcode identity output format matches the parser expectations. Add test with actual dcode identity output if available.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Run dcode identity in a managed sandbox and compare output format with parser regex
  • Missing regression test: Add integration test with real dcode identity output
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Run dcode identity in a managed sandbox and compare output format with parser regex.
  • Evidence: Line 90: `const match = line.match(/^(Route|Provider|Model|Endpoint):[ \t]+(\S(?:.*\S)?)$/u);`

PRA-15 Improvement — DCODE_CONFIG_MERGE_PYTHON is a large inline Python script embedded as template string

  • Location: src/lib/state/dcode-config-restore-input.ts:1
  • Category: architecture
  • Problem: DCODE_CONFIG_MERGE_PYTHON is a large inline Python script (200+ lines) embedded as a template string. This makes review, testing, and maintenance harder.
  • Impact: Hard to review diffs; syntax highlighting doesn't work; testing requires string extraction; maintenance error-prone.
  • Suggested action: Extract the Python merge script to a separate file (e.g., scripts/dcode-config-merge.py) and embed it at build time or load as resource.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read src/lib/state/dcode-config-restore-input.ts DCODE_CONFIG_MERGE_PYTHON constant (lines 40-200)
  • Missing regression test: N/A — maintainability improvement
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 40-200: 160+ line template string with Python logic

PRA-16 Improvement — Extract ANSI_RE to shared utility

  • Location: src/lib/onboard/gateway-start-failure.ts:8
  • Category: architecture
  • Problem: ANSI_RE regex duplicated across 8+ files. Extract to shared utility to eliminate duplication.
  • Impact: Single source of truth for ANSI stripping; easier to update if terminal output formats change.
  • Suggested action: Create src/lib/onboard/ansi.ts exporting ANSI_RE and stripAnsi() helper; update all 8+ files to import.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: grep ANSI_RE src/lib/onboard/ --include="*.ts" | head -20
  • Missing regression test: N/A — code deduplication
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: 8 files with identical regex

PRA-17 Improvement — Refactor test fixture to avoid global process.env mutation

  • Location: src/lib/onboard/created-sandbox-finalization.test.ts:19
  • Category: tests
  • Problem: makeRestoreFixture() mutates process.env.NEMOCLAW_OPENSHELL_BIN and process.env.PATH globally.
  • Impact: Test pollution risk; flaky tests if fixtures run in different order.
  • Suggested action: Extract withDcodeEnvironment(fn) helper that passes env via subprocess options.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read makeRestoreFixture() and observe process.env assignments
  • Missing regression test: N/A — test hygiene
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 19, 39, 189, 190, 256, 345

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@github-code-quality

github-code-quality Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File da29660 +/-
nemoclaw/src/se...cret-scanner.ts 100%
nemoclaw/src/commands/slash.ts 100%
nemoclaw/src/li...bprocess-env.ts 100%
nemoclaw/src/bl...eprint/state.ts 98%
nemoclaw/src/onboard/config.ts 98%
nemoclaw/src/bl...int/snapshot.ts 97%
nemoclaw/src/bl...print/runner.ts 95%
nemoclaw/src/co...ration-state.ts 94%
nemoclaw/src/bl...ate-networks.ts 94%
nemoclaw/src/index.ts 94%

TypeScript / code-coverage/cli

The overall coverage in the branch is 73%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File da29660 +/-
src/lib/shields...nsition-lock.ts 87%
src/lib/onboard/preflight.ts 83%
src/lib/actions...all/run-plan.ts 81%
src/lib/state/o...oard-session.ts 81%
src/lib/state/sandbox.ts 75%
src/lib/onboard...er-gpu-patch.ts 69%
src/lib/shields/index.ts 68%
src/lib/policy/index.ts 66%
src/lib/actions...licy-channel.ts 63%
src/lib/onboard.ts 28%

Updated July 06, 2026 19:34 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: onboard-resume, onboard-repair, cloud-onboard, ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E: state-backup-restore, sandbox-rebuild

Dispatch hint: targets=onboard-resume,onboard-repair,cloud-onboard,ubuntu-repo-cloud-langchain-deepagents-code

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • onboard-resume (medium): Required by the onboarding resume rule: non-test changes affect sandbox resume handlers, DCode resume selection, and onboard core flow orchestration.
  • onboard-repair (high): Required by the onboarding resume rule: the same state-machine and resume/repair paths can alter how interrupted or corrupted onboarding sessions are repaired.
  • cloud-onboard (high): createSandbox finalization, hosted onboarding registry publication, restore ordering, and managed DCode identity validation can affect the clean public install plus hosted onboarding path.
  • ubuntu-repo-cloud-langchain-deepagents-code (high): The PR changes the Deep Agents Code manifest/config, DCode selection drift, restore policy, and cloud-experimental fresh re-onboard checks. This typed live target validates the real DCode cloud onboarding, inference, terminal-agent, policy, and fresh re-onboard user flows.

Optional E2E

  • state-backup-restore (medium): Useful adjacent confidence for the generic backup/restore machinery touched in src/lib/state/sandbox.ts and restore policy code, though the current required DCode target is more directly relevant.
  • sandbox-rebuild (high): Optional sandbox lifecycle coverage because finalization and state restore changes are adjacent to rebuild/recreate preservation semantics.

New E2E recommendations

  • deepagents-code-finalization-failure-rollback (medium): Existing required coverage exercises DCode onboarding and re-onboard, but there is not an obvious live E2E dedicated to the new finalization invariant: restore succeeds, managed DCode identity validation fails, registry/default publication must not occur, and the user receives actionable recovery output.
    • Suggested test: Add a Deep Agents Code live E2E that forces post-restore DCode identity drift or unreadable identity during created-sandbox finalization and asserts no registry/default entry is published for the unverified sandbox.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: targets=onboard-resume,onboard-repair,cloud-onboard,ubuntu-repo-cloud-langchain-deepagents-code

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-langchain-deepagents-code, onboard-resume, onboard-repair, state-backup-restore
Optional E2E targets: ubuntu-repo-cloud-openclaw

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-resume
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-repair
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=state-backup-restore

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • ubuntu-repo-cloud-langchain-deepagents-code: Exercises the live-supported Deep Agents Code typed target affected by the agent manifest/config generation changes, DCode selection-drift/finalization paths, DCode state restore policy, and the changed cloud-experimental fresh re-onboard check wiring.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code
  • onboard-resume: Required by the onboarding resume rule: the PR changes src/lib/onboard/machine resume orchestration and sandbox resume handlers, including DCode resume handling.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-resume
  • onboard-repair: Required by the onboarding resume rule because the changed state-machine resume paths can affect repair/backstop execution from persisted onboarding sessions.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-repair
  • state-backup-restore: Covers the changed state backup/restore surface, including DCode config restore input filtering, state file restore policy, sandbox state restore behavior, and manifest-declared Deep Agents Code state files.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=state-backup-restore

Optional E2E targets

  • ubuntu-repo-cloud-openclaw: Optional baseline coverage for shared onboarding/create-sandbox and gateway-start-failure changes outside the DCode-specific path.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-openclaw

Relevant changed files

  • agents/langchain-deepagents-code/generate-config.ts
  • agents/langchain-deepagents-code/manifest.yaml
  • src/lib/onboard.ts
  • src/lib/onboard/created-sandbox-finalization.ts
  • src/lib/onboard/dcode-selection-drift.ts
  • src/lib/onboard/gateway-start-failure.ts
  • src/lib/onboard/machine/core-flow-phases.test.ts
  • src/lib/onboard/machine/handlers/sandbox-dcode-resume.ts
  • src/lib/onboard/machine/handlers/sandbox-resume.ts
  • src/lib/onboard/machine/handlers/sandbox-test-fixtures.ts
  • src/lib/onboard/machine/handlers/sandbox.ts
  • src/lib/state/dcode-config-restore-input.ts
  • src/lib/state/sandbox.ts
  • src/lib/state/state-file-restore-policy.ts
  • test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh
  • test/e2e/live/cloud-experimental-check-list.ts
  • test/e2e/live/cloud-experimental-checks.ts
  • test/e2e/support/platform-parity-cloud-experimental.test.ts

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (3)
src/lib/onboard/dcode-selection-drift.ts (1)

111-119: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Possibly unnecessary try/catch around a non-throwing boundary call.

deps.runCaptureOpenshell is invoked here with ignoreError: true, yet every other call site of runCaptureOpenshell with the same option in src/lib/onboard.ts (e.g. forward list, sandbox list, --version) is used directly with no surrounding try/catch. This suggests ignoreError: true already prevents throwing, making this try/catch dead defensive code.

Based on learnings, "avoid adding 'defensive' error handling (e.g., try/catch wrappers, fallbacks, or extra validation) around internal helper logic when there is no realistic throwing path or failure mode... otherwise remove unnecessary try/catch that doesn't handle any actionable error."

♻️ Suggested simplification (pending confirmation that runCaptureOpenshell cannot throw with ignoreError:true)
-  let output: string | null | undefined;
-  try {
-    output = deps.runCaptureOpenshell(
-      ["sandbox", "exec", "-n", sandboxName, "--", "dcode", "identity"],
-      { ignoreError: true },
-    );
-  } catch {
-    return { ...UNKNOWN_SELECTION_DRIFT };
-  }
+  const output = deps.runCaptureOpenshell(
+    ["sandbox", "exec", "-n", sandboxName, "--", "dcode", "identity"],
+    { ignoreError: true },
+  );
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/dcode-selection-drift.ts` around lines 111 - 119, The
try/catch around deps.runCaptureOpenshell in dcode-selection-drift.ts appears
unnecessary because ignoreError: true is already used and similar call sites in
onboard.ts call the same helper directly. Remove the dead defensive wrapper and
keep the sandbox exec "dcode identity" call as a straightforward assignment to
output, while preserving the existing UNKNOWN_SELECTION_DRIFT fallback only if
the helper can truly throw without ignoreError.

Source: Learnings

src/lib/state/dcode-config-restore-input.test.ts (1)

20-50: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider sharing the TOML test double with created-sandbox-finalization.test.ts.

This file and created-sandbox-finalization.test.ts each define an independent fake tomllib/tomli_w shim for exercising the same DCODE_CONFIG_MERGE_PYTHON script. Consolidating into one shared test helper would reduce the risk of the two fakes drifting apart and masking a real regression that only one of them would catch.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/state/dcode-config-restore-input.test.ts` around lines 20 - 50, The
TOML test double is duplicated here and in created-sandbox-finalization.test.ts,
which can let the two shims drift apart. Extract the shared fake tomllib/tomli_w
setup from PYTHON_TEST_WRAPPER into a common test helper and reuse it in both
tests, keeping the DCODE_CONFIG_MERGE_PYTHON execution path identical across
them.
src/lib/onboard/created-sandbox-finalization.ts (1)

4-4: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Reuse the shared sandbox restore types RestoreOptions and RestoreResult already live in src/lib/state/sandbox.ts; importing them here avoids a second copy drifting from the canonical shape.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/created-sandbox-finalization.ts` at line 4, The sandbox
finalization code is importing a separate type instead of reusing the canonical
restore types. Update the imports in created-sandbox-finalization to use
RestoreOptions and RestoreResult from sandbox.ts, and remove the duplicated
local shape so the restore flow stays aligned with the shared state types. Keep
the existing finalization logic, but make any references in the module use the
shared type names consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard/created-sandbox-finalization.ts`:
- Around line 6-14: Duplicate local RestoreOptions/RestoreResult definitions in
created-sandbox-finalization should be removed and replaced with imports from
the canonical sandbox state module. Update the code around
createdSandboxFinalization to use the exported RestoreOptions and RestoreResult
from state/sandbox.ts so there is a single source of truth, and adjust any
references in the finalization logic to match the full RestoreResult shape
including failedDirs and failedFiles.

---

Nitpick comments:
In `@src/lib/onboard/created-sandbox-finalization.ts`:
- Line 4: The sandbox finalization code is importing a separate type instead of
reusing the canonical restore types. Update the imports in
created-sandbox-finalization to use RestoreOptions and RestoreResult from
sandbox.ts, and remove the duplicated local shape so the restore flow stays
aligned with the shared state types. Keep the existing finalization logic, but
make any references in the module use the shared type names consistently.

In `@src/lib/onboard/dcode-selection-drift.ts`:
- Around line 111-119: The try/catch around deps.runCaptureOpenshell in
dcode-selection-drift.ts appears unnecessary because ignoreError: true is
already used and similar call sites in onboard.ts call the same helper directly.
Remove the dead defensive wrapper and keep the sandbox exec "dcode identity"
call as a straightforward assignment to output, while preserving the existing
UNKNOWN_SELECTION_DRIFT fallback only if the helper can truly throw without
ignoreError.

In `@src/lib/state/dcode-config-restore-input.test.ts`:
- Around line 20-50: The TOML test double is duplicated here and in
created-sandbox-finalization.test.ts, which can let the two shims drift apart.
Extract the shared fake tomllib/tomli_w setup from PYTHON_TEST_WRAPPER into a
common test helper and reuse it in both tests, keeping the
DCODE_CONFIG_MERGE_PYTHON execution path identical across them.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 02f9551a-6662-47d4-ac88-03f684f3df40

📥 Commits

Reviewing files that changed from the base of the PR and between 7d3aada and 30ec889.

📒 Files selected for processing (18)
  • agents/langchain-deepagents-code/manifest.yaml
  • docs/get-started/quickstart-langchain-deepagents-code.mdx
  • docs/reference/commands-nemohermes.mdx
  • docs/reference/commands.mdx
  • src/lib/onboard.ts
  • src/lib/onboard/created-sandbox-finalization.test.ts
  • src/lib/onboard/created-sandbox-finalization.ts
  • src/lib/onboard/dcode-selection-drift.test.ts
  • src/lib/onboard/dcode-selection-drift.ts
  • src/lib/onboard/machine/core-flow-phases.test.ts
  • src/lib/onboard/machine/handlers/sandbox-dcode-selection.test.ts
  • src/lib/onboard/machine/handlers/sandbox-resume.test.ts
  • src/lib/onboard/machine/handlers/sandbox-resume.ts
  • src/lib/onboard/machine/handlers/sandbox-test-fixtures.ts
  • src/lib/onboard/machine/handlers/sandbox.ts
  • src/lib/state/dcode-config-restore-input.test.ts
  • src/lib/state/dcode-config-restore-input.ts
  • src/lib/state/sandbox.ts

Comment thread src/lib/onboard/created-sandbox-finalization.ts Outdated
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: No advisor follow-up required beyond maintainer review.
Open items: 0 required · 0 warnings · 0 suggestions · 0 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 0 new items found

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard/gateway-start-failure.ts`:
- Around line 76-90: The gateway diagnostics path currently redacts before
normalizing text, which can let ANSI/CR sequences interfere with plain-token and
KEY= matching. Update the gateway-start-failure flow around
collectDiagnostics(), redact(), and the line processing in
gateway-start-failure.ts to strip carriage returns and ANSI escapes first, then
pass the cleaned text into redact() before printing. Use the existing ANSI_RE
handling and redact() call site as the main place to adjust the order of
operations.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 65754065-4fe9-479d-acd6-8d1ed45d845e

📥 Commits

Reviewing files that changed from the base of the PR and between 30ec889 and 621dcae.

📒 Files selected for processing (3)
  • src/lib/onboard.ts
  • src/lib/onboard/created-sandbox-finalization.test.ts
  • src/lib/onboard/gateway-start-failure.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/onboard/created-sandbox-finalization.test.ts

Comment thread src/lib/onboard/gateway-start-failure.ts
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/lib/onboard/created-sandbox-finalization.test.ts (1)

224-227: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Prefer observable restore behavior over call-shape lock-in.

These assertions pin the exact policy object/argument shape instead of proving the restore boundary outcome. Assert the resulting config/registry behavior for managed vs custom restore so refactors of restoreSandboxState do not break tests without changing behavior. As per path instructions, tests should prefer observable outcomes through the public boundary over mock-call assertions.

Also applies to: 322-326

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/created-sandbox-finalization.test.ts` around lines 224 - 227,
The test is overfitting to the internal call shape of restoreSandboxState
instead of verifying behavior. Update the created-sandbox-finalization tests to
assert the observable restore outcome through the public boundary, such as the
resulting config/registry state for managed versus custom restore, and remove
the expectation on options?.stateFileRestorePolicy in the mocked
restoreSandboxState wrapper. Use the existing restoreSandboxState,
managedDcodeConfigRestorePolicy, and sandboxState references to keep the
assertions focused on behavior rather than implementation details.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/onboard/created-sandbox-finalization.test.ts`:
- Around line 224-227: The test is overfitting to the internal call shape of
restoreSandboxState instead of verifying behavior. Update the
created-sandbox-finalization tests to assert the observable restore outcome
through the public boundary, such as the resulting config/registry state for
managed versus custom restore, and remove the expectation on
options?.stateFileRestorePolicy in the mocked restoreSandboxState wrapper. Use
the existing restoreSandboxState, managedDcodeConfigRestorePolicy, and
sandboxState references to keep the assertions focused on behavior rather than
implementation details.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 36347e4a-9875-4ad7-a73e-5f1b0987afde

📥 Commits

Reviewing files that changed from the base of the PR and between 621dcae and 4d05d1c.

📒 Files selected for processing (8)
  • src/lib/onboard/created-sandbox-finalization.test.ts
  • src/lib/onboard/created-sandbox-finalization.ts
  • src/lib/onboard/machine/handlers/sandbox-dcode-resume.ts
  • src/lib/onboard/machine/handlers/sandbox.ts
  • src/lib/state/dcode-config-restore-input.test.ts
  • src/lib/state/dcode-config-restore-input.ts
  • src/lib/state/sandbox.ts
  • src/lib/state/state-file-restore-policy.ts
✅ Files skipped from review due to trivial changes (1)
  • src/lib/state/state-file-restore-policy.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/lib/onboard/created-sandbox-finalization.ts
  • src/lib/state/dcode-config-restore-input.test.ts

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard/gateway-start-failure.test.ts`:
- Around line 7-10: The legacy gateway-start failure path is still being
invoked, so onboarding is not using only the final failure handler yet. Update
the gateway start failure flow in the onboarding logic to stop calling
reportLegacyGatewayStartResultFailure on non-zero starts and route failures
through createFinalGatewayStartFailureHandler instead; make sure any remaining
references in gateway-start-failure are removed or replaced so the final handler
is the only active branch.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bdc96664-5fbe-4760-8bd6-590c1e6dd145

📥 Commits

Reviewing files that changed from the base of the PR and between 4d05d1c and da93bfe.

📒 Files selected for processing (4)
  • src/lib/onboard/created-sandbox-finalization.test.ts
  • src/lib/onboard/created-sandbox-finalization.ts
  • src/lib/onboard/gateway-start-failure.test.ts
  • src/lib/onboard/gateway-start-failure.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • src/lib/onboard/created-sandbox-finalization.ts
  • src/lib/onboard/created-sandbox-finalization.test.ts
  • src/lib/onboard/gateway-start-failure.ts

Comment thread src/lib/onboard/gateway-start-failure.test.ts
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28817114802
Workflow ref: fix/6311-fresh-reonboard-live-config
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
live ❌ failure

Failed jobs: live. Check run artifacts for logs.

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28817457576
Workflow ref: fix/6311-fresh-reonboard-live-config
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@apurvvkumaria
apurvvkumaria merged commit 48e680b into main Jul 6, 2026
119 checks passed
@apurvvkumaria
apurvvkumaria deleted the fix/6311-fresh-reonboard-live-config branch July 6, 2026 19:50
prekshivyas added a commit that referenced this pull request Jul 6, 2026
The cloud-experimental check-04 (fresh DCode re-onboard) captures
`dcode identity` stdout+stderr into a shell variable via command
substitution, but the `|| fail` handler prints only a generic message and
discards the captured output. When `dcode identity` exits non-zero the real
reason is lost — CI logs and result.json show stdout "" — which is why the
current cloud-onboard failure on main (introduced with this check in #6332)
cannot be diagnosed.

Print the captured output to stdout (so it lands in result.json) before
failing, on both the initial and post-re-onboard identity reads. No behavior
change to the check's pass/fail logic; this only makes the existing failure
observable so the root cause in the managed DCode onboarding flow can be found.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
prekshivyas added a commit that referenced this pull request Jul 6, 2026
…rd check

check-04 read the live identity with `openshell sandbox exec -- dcode identity`.
That runs without a login shell, so /usr/local/bin is not on PATH and `dcode`
resolves to "command not found" — the real reason cloud-onboard has failed on
main since #6332 added this check (surfaced by the preceding observability
commit). The image installs the launcher at /usr/local/bin/dcode, so invoke it
by absolute path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
cv pushed a commit that referenced this pull request Jul 6, 2026
…board dcode identity failure (#6343)

## Summary
Fixes two E2E-harness problems surfaced by the E2E dispatch on `main`:

1. **e2e-live source require hook** — the `hermes-inference-switch` live
suite (added in #6335) failed at collection with `Cannot find module
'../runner'` because the `e2e-live` Vitest project never loaded the
typed-source require hook.
2. **cloud-onboard observability** — the cloud-experimental check-04
(added in #6332) fails on `main` with `could not read initial dcode
identity`, but the real `dcode identity` error is captured into a shell
var and discarded, so it can't be diagnosed.

## Changes
- `vitest.config.ts`: add `setupFiles:
["test/helpers/onboard-script-mocks.cjs"]` to the `e2e-live` project
(mirrors `cli`). Registers the typed-source `.ts` require hook
**in-process** — deliberately not via `env.NODE_OPTIONS`, so `--require`
never leaks into the real CLI subprocesses live tests spawn.
-
`test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh`:
on both `dcode identity` reads, print the captured stdout+stderr to
stdout (so it lands in `result.json`) before `fail`. No change to
pass/fail logic — only makes the existing failure observable.

### Root cause — #1 (fixed here)
`hermes-inference-switch` is the first `e2e-live` suite to import a deep
`src` graph — its helpers import `src/lib/inference/config.ts`, which
transitively loads `ollama-runtime-context.ts`'s runtime
`require("../runner")`. Without the require hook, Node's native CJS
resolver can't resolve the extensionless `.ts` → suite throws at
collection (`0 tests`, ~37s). Only this suite hit it; others drive the
CLI as a subprocess and import only fixtures. `runner.ts` has no
circular dependency on the inference graph, so the in-process hook
resolves it fully.

### Root cause — #2 (observability only; product root cause pending)
`cloud-onboard` was green on `main` through 2026-07-06 00:56 UTC and
failed on the first main E2E after #6332 landed (19:50 UTC) — #6332
added check-04, which has never passed on main. `dcode identity` is the
NemoClaw wrapper (`agents/langchain-deepagents-code/dcode-wrapper.sh`);
its identity path returns 0 in isolation and #6332 did not modify it, so
the non-zero exit is a runtime condition in #6332's new "recreate/verify
live identity" onboarding flow. That can't be pinned without the
swallowed stderr — which this change surfaces. Product root cause is for
the #6332 author to fix once the next run shows the real error.

## Type of Change
- [x] Code change (feature, bug fix, or refactor)

## Quality Gates
- [x] Existing tests cover changed behavior — justification: both
changes are E2E-harness config/diagnostics. #1: the `e2e-live` suites
exercise the hook — verified the previously-failing
`hermes-inference-switch` suite now collects and all `e2e-live` suites
report 0 collection errors, and the full `e2e-all` dispatch ran the
switch job (hosted) green. #2: pure diagnostic output; no pass/fail
change.
- [x] Docs not applicable — justification: internal test-harness
config/diagnostics; no user-facing behavior.
- [x] Sensitive paths changed (onboarding/inference/runner adjacent via
test config)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — justification: changes are confined to Vitest test-runner
setup (`vitest.config.ts`) and an E2E diagnostic print; no product
runtime code path is altered. The require hook is in-process only and
does not touch product CLI subprocesses.

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed —
note: `pre-push` `tsc-cli` skipped for a pre-existing local-only
`noImplicitAny` false-positive in
`test/helpers/mcp-lifecycle-lock-properties.ts` and
`src/lib/state/mcp-lifecycle-lock-identity.test.ts` (unrelated to this
diff); CI `tsc-cli` covers it. Check-04 passed `bash -n` and the
`shellcheck`/`shfmt` pre-commit hooks.
- [x] Targeted behavior tests pass — command/result:
`NEMOCLAW_RUN_LIVE_E2E=1 npx vitest list --project e2e-live` → switch
suite collects; whole project 0 collection errors (before the fix it
reproduced `Cannot find module '../runner'`). Full `e2e-all` dispatch on
this branch ran `hermes-inference-switch (hosted)` green.
- [x] No secrets, API keys, or credentials committed

---
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved reliability of live end-to-end test runs by loading the
required hook inside the test process, avoiding leakage into real CLI
subprocesses.
* Made identity checks in sandboxed cloud experimental flows more
robust, with clearer diagnostics when identity lookup fails.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
cv pushed a commit that referenced this pull request Jul 7, 2026
## Summary
Add the v0.0.75 release-notes entry for the release train, summarizing
the user-facing fixes merged since v0.0.74. Release-prep docs for the
`nemoclaw-maintainer-cut-release-tag` gate.

## Related Issue
Release prep for v0.0.75. Remove this section if none.

## Changes
- `docs/about/release-notes.mdx`: add the `## v0.0.75` section (themed
intro + grouped bullets with source-page links), matching the existing
v0.0.74 style.

### Source summary (doc-impacting PRs → doc page)
- #6370 -> `docs/about/release-notes.mdx`: prepared-backup recovery
restores gateway state and defers the live route check to onboarding, so
upgrade recovery no longer fails on an unset gateway route.
- #6305 -> `docs/about/release-notes.mdx`: in-place upgrades recover
gateway-orphaned sandboxes.
- #6332 -> `docs/about/release-notes.mdx`: same-name `--fresh`
re-onboard preserves fresh LangChain Deep Agents Code routing.
- #6335 -> `docs/about/release-notes.mdx`: custom Anthropic-compatible
inference uses the OpenAI frontend.
- #6298 -> `docs/about/release-notes.mdx`: OpenAI-only agents keep the
`/v1` base URL on Anthropic-compatible endpoints.
- #6304 -> `docs/about/release-notes.mdx`: local docker-driver gateway
credentials no longer expire.
- #6261 -> `docs/about/release-notes.mdx`: Hermes runtime and managed
MCP state reconcile after a runtime change.
- #6318 -> `docs/about/release-notes.mdx`: Hermes installs accept a
pinned base platform digest.
- #6291 -> `docs/about/release-notes.mdx`: OpenClaw local CLI pairing
restores its previous connection path.

Test-performance, CI, and chore commits since v0.0.74 are excluded as
non-user-facing.

## Type of Change
- [x] Doc only (prose changes, no code sample modifications)

## Quality Gates
- [x] Tests not applicable — justification: documentation-only change
(release notes prose).
- [x] Docs updated for user-facing behavior changes

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] `npm run docs` builds without warnings introduced by this change —
command/result: "Found 0 errors and 2 warnings" (the 2 warnings
pre-exist this change).
- [x] Doc pages follow the style guide (active voice, no numbered/colon
titles, correct NVIDIA/NemoClaw/OpenShell capitalization; skip-terms
avoided).
- [x] No secrets, API keys, or credentials committed

---
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Added a new **v0.0.75** section to the release notes, highlighting
improved sandbox upgrade hardening and prepared-backup recovery, updated
inference routing for Anthropic-compatible endpoints, longer-lasting
local gateway credential handling, and restored CLI pairing reconnection
without re-pairing. Also includes cross-links to related NemoClaw CLI
and documentation pages.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@wscurran wscurran added area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior labels Jul 7, 2026
jyaunches added a commit that referenced this pull request Jul 9, 2026
…e step into modules (#6444)

<!-- markdownlint-disable MD041 -->
## Summary

Extracts cohesive units of the sandbox create/register orchestration out
of the ~4,900-line `src/lib/onboard.ts` entrypoint into focused modules
under `src/lib/onboard/`, following the injected-deps boundary style
established by `created-sandbox-finalization.ts` (#6332). The primary
goal is maintainability and independent unit-test coverage for the
create path, with intentional safety/behavior refinements discovered
during review: redacted create-output failure echoing, preservation of
non-zero create-stream status when readiness fails, direct argv spawning
for trusted create paths, fail-closed Docker-GPU create-poll side-effect
handling, and redacted trace reporting for poll/readiness errors.

Note on the issue's premise: #6258 cites a `+27 net lines` growth-guard
violation from #6166. That premise is stale — the merged #6166 left
`onboard.ts` net-smaller, and #6276/#6332 shrank it further, so the
guard (`.github/workflows/codebase-growth-guardrails.yaml`, a per-PR
net-neutral diff gate) is not currently red. This PR is therefore
incremental maintainability work; it keeps `onboard.ts`
net-neutral-or-smaller so the gate stays green.

## Related Issue

Refs #6258

<!-- Refs (not Fixes): this PR lands two increments of a larger
extraction; the remaining create/finalize wiring is left for follow-ups,
so the issue should stay open. -->

## Changes

- Add `src/lib/onboard/created-sandbox-failure.ts`:
`reportSandboxCreateFailure` (warns-and-continues on an incomplete
create; otherwise prints diagnostics + recovery hints and exits) and
`reportSandboxReadinessFailure` (prints the readiness failure, defers
cleanup to the Docker-GPU patch or deletes the failed sandbox, then
exits). `onboard.ts` replaces the two inline blocks with module calls —
net −2 lines.
- Add `src/lib/onboard/sandbox-create-step.ts`: `runSandboxCreateStep`
encapsulates the BuildKit prebuild handoff → Docker-GPU create-patch
provisioning → create-stream behind a context + injected-deps boundary.
This move is **line-neutral** on `onboard.ts`; its value is a named,
unit-testable boundary (the `prepare → patch → stream` sequence is now
testable without standing up the entrypoint), not a size reduction.
Build-context and exit-listener cleanup stay with the caller that armed
them.
- Add focused unit tests across `created-sandbox-failure.test.ts`,
`sandbox-create-step.test.ts`, `sandbox-create-launch.test.ts`,
`create-stream.test.ts`, `create-stream-argv.test.ts`, and
`create-stream-ready-gate.test.ts` covering failure branches, redaction,
exit-code preservation, GPU vs non-GPU readiness cleanup,
prebuild/patch/stream wiring, direct argv spawn boundaries,
terminal-agent/default-driver ready-check gating, fail-closed `onPoll`
error handling, and redacted poll/readiness trace behavior.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI flags, commands,
configuration, or documented user workflow changed. The user-visible
differences are limited to safer failure-path diagnostics (credential
redaction), more accurate readiness-failure exit status, and fail-closed
create-poll error handling.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: onboarding/sandbox
path. Extraction boundaries were verified against the pre-extraction
source; intentional safety refinements are explicitly covered by tests:
create output is redacted before failure logging, readiness failure
preserves a non-zero create-stream status instead of flattening to `1`,
Docker-GPU during-create polling is isolated from readiness detection
via `onPoll`, escaping poll errors abort create with classified/generic
failure text plus redacted trace emission, and ready-check exceptions
emit redacted trace evidence without falsely forcing Ready. Requesting
maintainer sensitive-path review.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result: `npx vitest run
--project cli src/lib/actions/sandbox/snapshot.test.ts
src/lib/onboard/created-sandbox-failure.test.ts
src/lib/onboard/sandbox-create-launch.test.ts
src/lib/onboard/sandbox-create-step.test.ts
src/lib/sandbox/create-stream.test.ts
src/lib/sandbox/create-stream-ready-gate.test.ts
src/lib/sandbox/create-stream-argv.test.ts` → 107 passed; `npx tsc
--noEmit --pretty false --project tsconfig.cli.json` → clean; `npm run
test-size:check` → passed; `npx prek run --all-files --stage pre-commit
--skip source-shape-test-budget --skip test-skills-yaml` → passed; `npm
run test-conditionals:scan -- --top 25` → no new changed-file
conditional failures; `git diff --check` → clean.
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: Required live E2E run
[29021019725](https://github.com/NVIDIA/NemoClaw/actions/runs/29021019725)
passed on exact head `82518f7e6f69c39d9bc04f63a365753aac7b1b6d`:
`cloud-onboard`, `onboard-repair`, `onboard-resume`,
`state-backup-restore`, `upgrade-stale-sandbox`, and `snapshot-commands`
all succeeded. PR CI checks also passed on the same head after rerunning
flaky `policy-channel-list.test.ts` shard timeout (`cli-test-shards
(3)`).
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Dongni Yang <dongniy@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Improved sandbox onboarding using a dedicated creation step that
centralizes prebuild handoff, streaming create execution, GPU patch
wiring, and readiness capture.
* **Bug Fixes**
* More consistent, centralized handling for both create failures and
readiness failures, including redacted output, clearer diagnostics, and
reliable retry guidance.
* Safer cleanup on readiness failures to avoid same-name collisions,
with correct behavior for GPU-enabled flows.
* **Tests**
* Added coverage for create/readiness failure reporting, exit-code
fallback, cleanup/command messaging, and early-detach behavior in
create-stream.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
## Summary

Keep managed Deep Agents Code runtime routing aligned with the
provider/model selected during same-name re-onboarding. The fix treats
the live `dcode identity` result as authoritative, reconciles
mixed-ownership `config.toml` state without restoring stale routing, and
publishes registry metadata only after the restored runtime is verified.

## Related Issue

Closes NVIDIA#6311

Supersedes NVIDIA#6317. This incorporates and extends @chengjiew's original
drift/recreate investigation; Chengjie is credited as a co-author on the
commit.

## Changes

- Recreate stock managed DCode sandboxes when live route, provider,
model, or endpoint identity is stale or unreadable; refuse unverifiable
reuse when the registry row is absent.
- Restore only four bounded display preferences from backed-up DCode
config: three booleans and the enumerated thread sort order. Keep fresh
`models`, `update`, and generated provider metadata authoritative, and
drop free-form or behavior-bearing backup settings.
- Perform the merge with bounded TOML parsing, regular-file checks,
same-directory staging, inode revalidation, `fsync`, and atomic
replacement.
- Validate the live restored selection before writing registry/status
metadata, and leave custom-image plus ordinary snapshot/rebuild restore
behavior unchanged.
- Keep generic hotspots bounded by extracting gateway failure handling,
DCode resume policy, and caller-authorized state-file restore policy
into focused modules.
- Add unit, handler, restore-boundary, and orchestration regression
coverage plus user-facing documentation.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: independent reviews
checked live identity parsing, restore ordering, custom-image
provenance, file safety, same-user atomic-replace assumptions, and
registry publication; all confirmed blockers were resolved.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification:
focused CLI suites 67/67; snapshot, OpenClaw restore, and spawned
gateway integrations 53/53; final restore/finalization follow-ups 22/22
and prepared-context integration 2/2.
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not applicable; this is a
scoped DCode onboarding/restore fix, and the targeted suites plus normal
repository hooks cover the changed boundaries.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — passed
with 0 errors and 2 existing unspecified Fern warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Managed Deep Agents Code onboarding and resume now verify live `dcode
identity` to detect selection drift and recreate sandboxes when
selections are unreadable or mismatched.
* Managed restores can merge backed-up `config.toml` while keeping
freshly generated model routing and provider metadata authoritative.
* **Bug Fixes**
* Prevents unverified managed DCode reuse when the expected registry
entry is missing.
* Improves gateway-start failure output by redacting sensitive
diagnostics and printing clearer remediation commands.
* **Documentation**
* Updated quickstart and command reference for revised restore behavior
and non-interactive recreation rules.
* **Tests**
* Added coverage for managed config merge ownership, selection drift,
and sandbox finalization/resume flows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Chengjie Wang <chengjiew@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…board dcode identity failure (NVIDIA#6343)

## Summary
Fixes two E2E-harness problems surfaced by the E2E dispatch on `main`:

1. **e2e-live source require hook** — the `hermes-inference-switch` live
suite (added in NVIDIA#6335) failed at collection with `Cannot find module
'../runner'` because the `e2e-live` Vitest project never loaded the
typed-source require hook.
2. **cloud-onboard observability** — the cloud-experimental check-04
(added in NVIDIA#6332) fails on `main` with `could not read initial dcode
identity`, but the real `dcode identity` error is captured into a shell
var and discarded, so it can't be diagnosed.

## Changes
- `vitest.config.ts`: add `setupFiles:
["test/helpers/onboard-script-mocks.cjs"]` to the `e2e-live` project
(mirrors `cli`). Registers the typed-source `.ts` require hook
**in-process** — deliberately not via `env.NODE_OPTIONS`, so `--require`
never leaks into the real CLI subprocesses live tests spawn.
-
`test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh`:
on both `dcode identity` reads, print the captured stdout+stderr to
stdout (so it lands in `result.json`) before `fail`. No change to
pass/fail logic — only makes the existing failure observable.

### Root cause — rh-ai-quickstart#1 (fixed here)
`hermes-inference-switch` is the first `e2e-live` suite to import a deep
`src` graph — its helpers import `src/lib/inference/config.ts`, which
transitively loads `ollama-runtime-context.ts`'s runtime
`require("../runner")`. Without the require hook, Node's native CJS
resolver can't resolve the extensionless `.ts` → suite throws at
collection (`0 tests`, ~37s). Only this suite hit it; others drive the
CLI as a subprocess and import only fixtures. `runner.ts` has no
circular dependency on the inference graph, so the in-process hook
resolves it fully.

### Root cause — NVIDIA#2 (observability only; product root cause pending)
`cloud-onboard` was green on `main` through 2026-07-06 00:56 UTC and
failed on the first main E2E after NVIDIA#6332 landed (19:50 UTC) — NVIDIA#6332
added check-04, which has never passed on main. `dcode identity` is the
NemoClaw wrapper (`agents/langchain-deepagents-code/dcode-wrapper.sh`);
its identity path returns 0 in isolation and NVIDIA#6332 did not modify it, so
the non-zero exit is a runtime condition in NVIDIA#6332's new "recreate/verify
live identity" onboarding flow. That can't be pinned without the
swallowed stderr — which this change surfaces. Product root cause is for
the NVIDIA#6332 author to fix once the next run shows the real error.

## Type of Change
- [x] Code change (feature, bug fix, or refactor)

## Quality Gates
- [x] Existing tests cover changed behavior — justification: both
changes are E2E-harness config/diagnostics. rh-ai-quickstart#1: the `e2e-live` suites
exercise the hook — verified the previously-failing
`hermes-inference-switch` suite now collects and all `e2e-live` suites
report 0 collection errors, and the full `e2e-all` dispatch ran the
switch job (hosted) green. NVIDIA#2: pure diagnostic output; no pass/fail
change.
- [x] Docs not applicable — justification: internal test-harness
config/diagnostics; no user-facing behavior.
- [x] Sensitive paths changed (onboarding/inference/runner adjacent via
test config)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — justification: changes are confined to Vitest test-runner
setup (`vitest.config.ts`) and an E2E diagnostic print; no product
runtime code path is altered. The require hook is in-process only and
does not touch product CLI subprocesses.

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed —
note: `pre-push` `tsc-cli` skipped for a pre-existing local-only
`noImplicitAny` false-positive in
`test/helpers/mcp-lifecycle-lock-properties.ts` and
`src/lib/state/mcp-lifecycle-lock-identity.test.ts` (unrelated to this
diff); CI `tsc-cli` covers it. Check-04 passed `bash -n` and the
`shellcheck`/`shfmt` pre-commit hooks.
- [x] Targeted behavior tests pass — command/result:
`NEMOCLAW_RUN_LIVE_E2E=1 npx vitest list --project e2e-live` → switch
suite collects; whole project 0 collection errors (before the fix it
reproduced `Cannot find module '../runner'`). Full `e2e-all` dispatch on
this branch ran `hermes-inference-switch (hosted)` green.
- [x] No secrets, API keys, or credentials committed

---
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved reliability of live end-to-end test runs by loading the
required hook inside the test process, avoiding leakage into real CLI
subprocesses.
* Made identity checks in sandboxed cloud experimental flows more
robust, with clearer diagnostics when identity lookup fails.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
## Summary
Add the v0.0.75 release-notes entry for the release train, summarizing
the user-facing fixes merged since v0.0.74. Release-prep docs for the
`nemoclaw-maintainer-cut-release-tag` gate.

## Related Issue
Release prep for v0.0.75. Remove this section if none.

## Changes
- `docs/about/release-notes.mdx`: add the `## v0.0.75` section (themed
intro + grouped bullets with source-page links), matching the existing
v0.0.74 style.

### Source summary (doc-impacting PRs → doc page)
- NVIDIA#6370 -> `docs/about/release-notes.mdx`: prepared-backup recovery
restores gateway state and defers the live route check to onboarding, so
upgrade recovery no longer fails on an unset gateway route.
- NVIDIA#6305 -> `docs/about/release-notes.mdx`: in-place upgrades recover
gateway-orphaned sandboxes.
- NVIDIA#6332 -> `docs/about/release-notes.mdx`: same-name `--fresh`
re-onboard preserves fresh LangChain Deep Agents Code routing.
- NVIDIA#6335 -> `docs/about/release-notes.mdx`: custom Anthropic-compatible
inference uses the OpenAI frontend.
- NVIDIA#6298 -> `docs/about/release-notes.mdx`: OpenAI-only agents keep the
`/v1` base URL on Anthropic-compatible endpoints.
- NVIDIA#6304 -> `docs/about/release-notes.mdx`: local docker-driver gateway
credentials no longer expire.
- NVIDIA#6261 -> `docs/about/release-notes.mdx`: Hermes runtime and managed
MCP state reconcile after a runtime change.
- NVIDIA#6318 -> `docs/about/release-notes.mdx`: Hermes installs accept a
pinned base platform digest.
- NVIDIA#6291 -> `docs/about/release-notes.mdx`: OpenClaw local CLI pairing
restores its previous connection path.

Test-performance, CI, and chore commits since v0.0.74 are excluded as
non-user-facing.

## Type of Change
- [x] Doc only (prose changes, no code sample modifications)

## Quality Gates
- [x] Tests not applicable — justification: documentation-only change
(release notes prose).
- [x] Docs updated for user-facing behavior changes

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] `npm run docs` builds without warnings introduced by this change —
command/result: "Found 0 errors and 2 warnings" (the 2 warnings
pre-exist this change).
- [x] Doc pages follow the style guide (active voice, no numbered/colon
titles, correct NVIDIA/NemoClaw/OpenShell capitalization; skip-terms
avoided).
- [x] No secrets, API keys, or credentials committed

---
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Added a new **v0.0.75** section to the release notes, highlighting
improved sandbox upgrade hardening and prepared-backup recovery, updated
inference routing for Anthropic-compatible endpoints, longer-lasting
local gateway credential handling, and restored CLI pairing reconnection
without re-pairing. Also includes cross-links to related NemoClaw CLI
and documentation pages.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…e step into modules (NVIDIA#6444)

<!-- markdownlint-disable MD041 -->
## Summary

Extracts cohesive units of the sandbox create/register orchestration out
of the ~4,900-line `src/lib/onboard.ts` entrypoint into focused modules
under `src/lib/onboard/`, following the injected-deps boundary style
established by `created-sandbox-finalization.ts` (NVIDIA#6332). The primary
goal is maintainability and independent unit-test coverage for the
create path, with intentional safety/behavior refinements discovered
during review: redacted create-output failure echoing, preservation of
non-zero create-stream status when readiness fails, direct argv spawning
for trusted create paths, fail-closed Docker-GPU create-poll side-effect
handling, and redacted trace reporting for poll/readiness errors.

Note on the issue's premise: NVIDIA#6258 cites a `+27 net lines` growth-guard
violation from NVIDIA#6166. That premise is stale — the merged NVIDIA#6166 left
`onboard.ts` net-smaller, and NVIDIA#6276/NVIDIA#6332 shrank it further, so the
guard (`.github/workflows/codebase-growth-guardrails.yaml`, a per-PR
net-neutral diff gate) is not currently red. This PR is therefore
incremental maintainability work; it keeps `onboard.ts`
net-neutral-or-smaller so the gate stays green.

## Related Issue

Refs NVIDIA#6258

<!-- Refs (not Fixes): this PR lands two increments of a larger
extraction; the remaining create/finalize wiring is left for follow-ups,
so the issue should stay open. -->

## Changes

- Add `src/lib/onboard/created-sandbox-failure.ts`:
`reportSandboxCreateFailure` (warns-and-continues on an incomplete
create; otherwise prints diagnostics + recovery hints and exits) and
`reportSandboxReadinessFailure` (prints the readiness failure, defers
cleanup to the Docker-GPU patch or deletes the failed sandbox, then
exits). `onboard.ts` replaces the two inline blocks with module calls —
net −2 lines.
- Add `src/lib/onboard/sandbox-create-step.ts`: `runSandboxCreateStep`
encapsulates the BuildKit prebuild handoff → Docker-GPU create-patch
provisioning → create-stream behind a context + injected-deps boundary.
This move is **line-neutral** on `onboard.ts`; its value is a named,
unit-testable boundary (the `prepare → patch → stream` sequence is now
testable without standing up the entrypoint), not a size reduction.
Build-context and exit-listener cleanup stay with the caller that armed
them.
- Add focused unit tests across `created-sandbox-failure.test.ts`,
`sandbox-create-step.test.ts`, `sandbox-create-launch.test.ts`,
`create-stream.test.ts`, `create-stream-argv.test.ts`, and
`create-stream-ready-gate.test.ts` covering failure branches, redaction,
exit-code preservation, GPU vs non-GPU readiness cleanup,
prebuild/patch/stream wiring, direct argv spawn boundaries,
terminal-agent/default-driver ready-check gating, fail-closed `onPoll`
error handling, and redacted poll/readiness trace behavior.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI flags, commands,
configuration, or documented user workflow changed. The user-visible
differences are limited to safer failure-path diagnostics (credential
redaction), more accurate readiness-failure exit status, and fail-closed
create-poll error handling.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: onboarding/sandbox
path. Extraction boundaries were verified against the pre-extraction
source; intentional safety refinements are explicitly covered by tests:
create output is redacted before failure logging, readiness failure
preserves a non-zero create-stream status instead of flattening to `1`,
Docker-GPU during-create polling is isolated from readiness detection
via `onPoll`, escaping poll errors abort create with classified/generic
failure text plus redacted trace emission, and ready-check exceptions
emit redacted trace evidence without falsely forcing Ready. Requesting
maintainer sensitive-path review.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result: `npx vitest run
--project cli src/lib/actions/sandbox/snapshot.test.ts
src/lib/onboard/created-sandbox-failure.test.ts
src/lib/onboard/sandbox-create-launch.test.ts
src/lib/onboard/sandbox-create-step.test.ts
src/lib/sandbox/create-stream.test.ts
src/lib/sandbox/create-stream-ready-gate.test.ts
src/lib/sandbox/create-stream-argv.test.ts` → 107 passed; `npx tsc
--noEmit --pretty false --project tsconfig.cli.json` → clean; `npm run
test-size:check` → passed; `npx prek run --all-files --stage pre-commit
--skip source-shape-test-budget --skip test-skills-yaml` → passed; `npm
run test-conditionals:scan -- --top 25` → no new changed-file
conditional failures; `git diff --check` → clean.
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: Required live E2E run
[29021019725](https://github.com/NVIDIA/NemoClaw/actions/runs/29021019725)
passed on exact head `82518f7e6f69c39d9bc04f63a365753aac7b1b6d`:
`cloud-onboard`, `onboard-repair`, `onboard-resume`,
`state-backup-restore`, `upgrade-stale-sandbox`, and `snapshot-commands`
all succeeded. PR CI checks also passed on the same head after rerunning
flaky `policy-channel-list.test.ts` shard timeout (`cli-test-shards
(3)`).
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Dongni Yang <dongniy@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Improved sandbox onboarding using a dedicated creation step that
centralizes prebuild handoff, streaming create execution, GPU patch
wiring, and readiness capture.
* **Bug Fixes**
* More consistent, centralized handling for both create failures and
readiness failures, including redacted output, clearer diagnostics, and
reliable retry guidance.
* Safer cleanup on readiness failures to avoid same-name collisions,
with correct behavior for GPU-enabled flows.
* **Tests**
* Added coverage for create/readiness failure reporting, exit-code
fallback, cleanup/command messaging, and early-detach behavior in
create-stream.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior v0.0.75 Release target

Projects

None yet

4 participants