fix(dcode): allow first-run name prompt while suppressing model picker#6418
Conversation
📝 WalkthroughWalkthroughReplaces onboarding-based model picker suppression with new DeepAgentsApp overrides that bypass the dependency/model picker flow. Updates the fixture, startup harnesses, e2e script, tests, and docs to treat the first-run name prompt separately from the model picker. ChangesModel picker skip override
Estimated code review effort: 3 (Moderate) | ~25 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
PR NVIDIA#6414 suppressed the entire DCode onboarding flow including the name prompt. This restores the name prompt by removing ONBOARDING_PATCH (which forced should_run_onboarding() to False) and instead overriding _build_launch_dependencies_prompt and _prompt_launch_dependencies_then_model to return (False, None), which skips the model picker while allowing the upstream name screen to appear. Closes NVIDIA#6410 (follow-up)
d723257 to
e3c069e
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
test/deepagents-code-tui-startup-check.test.ts (1)
245-259: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winDuplicated name-prompt regex literal across files.
The pattern
"(your name \\(optional\\)|what should deep agents call you)"is hardcoded here, again at lines 155-156 in this same file, and once more intest/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.sh. If the production regex changes in the shell script, none of these hardcoded copies would fail loudly — they'd just silently stop reflecting production behavior. Consider extracting this pattern into a single shared constant (or reading it from the actual shell script) to keep the test honest about drift.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/deepagents-code-tui-startup-check.test.ts` around lines 245 - 259, The name-prompt regex is duplicated in the startup check test and the e2e shell check, so the test can drift from the real TUI behavior. Extract the pattern used by isNamePrompt in deepagents-code-tui-startup-check.test.ts into a shared source of truth, or read it from 10-deepagents-code-tui-startup.sh, and update the existing hardcoded copies to reference that shared constant so changes in the prompt regex stay aligned.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@test/deepagents-code-tui-startup-check.test.ts`:
- Around line 245-259: The name-prompt regex is duplicated in the startup check
test and the e2e shell check, so the test can drift from the real TUI behavior.
Extract the pattern used by isNamePrompt in
deepagents-code-tui-startup-check.test.ts into a shared source of truth, or read
it from 10-deepagents-code-tui-startup.sh, and update the existing hardcoded
copies to reference that shared constant so changes in the prompt regex stay
aligned.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 9e24a4e7-3833-45c4-937c-0b65000ae942
📒 Files selected for processing (7)
agents/langchain-deepagents-code/patch-managed-deepagents-code.pyci/test-file-size-budget.jsontest/deepagents-code-tui-startup-check.test.tstest/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.shtest/fixtures/langchain-deepagents-code/app.pytest/langchain-deepagents-code-direct-module-patch.test.tstest/langchain-deepagents-code-image.test.ts
cv
left a comment
There was a problem hiding this comment.
Security review of exact head b9f006359: PASS for the production delta. No security finding blocks this change.
Category results:
- Secrets and credentials: PASS. No secret material or credential path was added.
- Input validation and sanitization: PASS. The name prompt remains upstream-controlled, and the live capture continues through canonical secret redaction.
- Authentication and authorization: PASS. Auth prompts, provider selection, and credential stores remain blocked by the managed patch.
- Dependencies and third-party libraries: PASS. No dependency or pin changed.
- Error handling and logging: PASS. The TUI harness records only sanitized markers and fails closed on an unexpected model picker.
- Cryptography and data protection: PASS. No cryptographic behavior changed.
- Configuration and security posture: PASS. NemoClaw still owns model configuration; dependency and model selection screens are suppressed.
- Security testing: PASS. Direct-module, TUI state-machine, and patch-idempotence coverage passed 64/64, including the corrected unpatched-onboarding assertion.
- Holistic posture: PASS. User hooks remain disabled, no new command or network path exists, and the override matches pinned Deep Agents Code 0.1.30 launch sequencing.
Files reviewed: all PR-changed Python, TypeScript, shell, fixture, and quickstart files, plus the pinned upstream launch flow.
This is a security verdict only, not merge approval. Required CI, automated advisor review, and ubuntu-repo-cloud-langchain-deepagents-code live evidence remain pending.
|
/ok to test b9f0063 |
|
/ok to test da7c0e3 |
E2E Target Results — ❌ Some jobs failedRun: 28899544572
|
E2E Target Results — ✅ All selected jobs passedRun: 28899544572
|
cv
left a comment
There was a problem hiding this comment.
Approving exact head da7c0e35f38ae372fc6ba8b77e47715140645629.
- All attached CI is green or expected-skipped, with no pending/failing checks and no unresolved review threads.
- The required exact-head Deep Agents Code live target passed on attempt 2: https://github.com/NVIDIA/NemoClaw/actions/runs/28899544572/job/85733616029
- The TUI proof observed the usable startup prompt, clean exit, and secret-safe capture: 4 passed, 0 failed.
- Attempt 1 was infrastructure-only: two preconfigured Microsoft apt repositories prevented installing
expect; onboarding, inference, lifecycle, policy, and secret-boundary suites had passed. The exact-head rerun installedexpectand passed the full target.
- The nine-category security review passed with no vulnerability findings.
- DCO is present and all three commits are GitHub Verified.
- The primary advisor found no blockers and recommended merging as-is. The secondary advisor's useful sequence-test suggestion is addressed at this head: the harness now models
exp_continue, and the negativenamePrompt -> firstRunpath proves the model picker cannot follow the optional name prompt. - Focused tests pass 65/65, and the docs build passes with zero errors (two pre-existing Fern warnings).
The follow-up from the reviewed production head contains tests, comments, and docs only.
## Summary Consume the official Nemotron 3 Ultra profile from `deepagents-code[nvidia]==0.1.34`, which pins `deepagents==0.7.0a6`. This keeps the managed model IDs and public behavior unchanged while preserving the optional first-run name prompt and suppressed dependency/model pickers from #6410 and #6418. ## Changes - Pin `deepagents-code[nvidia]==0.1.34` and `deepagents==0.7.0a6`; regenerate the hash-locked dependency set with only `langchain-google-genai` moving from `4.2.6` to `4.2.7`. - Remove the temporary profile source and license wiring, then retain an atomic, idempotent, fail-closed alias bridge for `openai:nvidia/nemotron-3-ultra-550b-a55b` and `openai:nvidia/nvidia/nemotron-3-ultra`. - Bind removal of that bridge to its exact DCode/Deep Agents version-and-hash gate in `dependency-review.md`; this PR intentionally does not create a separate follow-up issue. - Port the managed DCode hardening patch to the `0.1.34` package layout and direct-return MCP loader while preserving JSON diagnostics and the #6418 launch overrides. - Validate the official wheels, all 12 native middleware entries, unrelated-model isolation, complete graph compilation, and equivalent single-dispatch behavior for parser-repaired and native `execute` calls. - Update the DCode documentation and cloud acceptance checks for the released versions, native profile, TUI startup behavior, and direct/login-shell inference. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: [cv's deterministic TUI contract](#6416 (comment)) is implemented and passed exact-head server acceptance; cv also [waived a separate bridge-removal issue](#6416 (comment)) and [accepted the trusted-apt warning as nonblocking](#6416 (comment)) - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable — normal hooks and `npm run check:diff` passed - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — official-wheel hash-locked validators passed; profile patch 12/12, direct module 34 passed/1 Linux-only skip, progressive disclosure 13/13, image 75/75, TUI 19/19, independent DCode image/TUI 94/94, platform parity 10/10, managed entrypoints 24/24, workflow boundary 39/39, and updated CLI/onboarding fixtures passed; repository checks, typecheck, test-size, and `pip-audit` passed - [x] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — all exact-head Linux CI and [`ubuntu-repo-cloud-langchain-deepagents-code`](https://github.com/NVIDIA/NemoClaw/actions/runs/28907835011) passed for `928b50626b303b2008d35f844408a1f83a43a404` - [x] Quality Gates section completed with required justifications or waivers — 42 applicable exact-head checks passed; cv recorded the two advisor dispositions linked above - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — passed with 0 errors and 2 existing repository warnings - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only); `npm run docs:sync-agent-variants` passed - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Prepares the user-facing documentation for NemoClaw v0.0.76 and closes the release-prep documentation gate. It adds the release highlights, documents the arm64 Local NIM warning and expanded image cleanup behavior, and fixes agent-specific command headings in generated guides. ## Changes - Add the v0.0.76 release-notes section and move the shared-gateway route containment entry out of the v0.0.74 history where it was incorrectly placed. - Document the advisory Linux arm64 Local NIM manifest warning in the canonical platform matrix and local-inference guidance. - Document that `gc` scans both gateway-built and locally prebuilt sandbox image repositories. - Keep OpenClaw and Hermes session headings out of the generated Deep Agents command guide. - Add a focused variant regression test for the agent-specific session headings. ### Source summary | Merged sources | Documentation coverage | | --- | --- | | [#6414](#6414), [#6418](#6418), [#6416](#6416), [#6344](#6344) | v0.0.76 release notes and the Deep Agents quickstart/inference routes | | [#6340](#6340) | v0.0.76 release notes and existing Deep Agents observability guidance | | [#6338](#6338), [#6378](#6378), [#6297](#6297) | v0.0.76 release notes and existing inference/troubleshooting guidance | | [#6362](#6362) | v0.0.76 release notes and existing lifecycle, command, and credential guidance | | [#6330](#6330), [#6307](#6307), [#6008](#6008) | v0.0.76 release notes and existing security, troubleshooting, and command guidance | | [#6382](#6382) | v0.0.76 release notes and existing MCP/command guidance | | [#6326](#6326), [#5868](#5868), [#5539](#5539) | v0.0.76 release notes, platform matrix, inference options, and local-inference guidance | | [#6396](#6396), [#6390](#6390), [#6007](#6007) | v0.0.76 release notes and existing messaging guidance | | [#5388](#5388), [#6249](#6249), [#6303](#6303), [#6306](#6306) | v0.0.76 release notes and command/lifecycle guidance | ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run --project integration test/generate-platform-docs.test.ts test/agent-variant-docs.test.ts test/sync-agent-variant-docs.test.ts` (3 files, 29 tests passed) - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — completed with 0 errors and 2 pre-existing Fern warnings - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added v0.0.76 release notes content, and removed an older conflicting bullet from the surrounding release history. * Expanded Local NVIDIA NIM guidance across inference/provider docs, including an advisory for Linux arm64 DGX Spark/DGX Station hosts when a matching `linux/arm64` image manifest is unavailable. * Updated the command reference for correct session-section rendering and clarified `gc` image cleanup sources. * **Tests** * Added coverage ensuring Deep Agents omits sessions headings while Hermes includes them. * **CI** * Refreshed Local NVIDIA NIM provider notes used in the platform matrix. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
…6431) <!-- markdownlint-disable MD041 --> ## Summary Replaces NemoClaw's build-time mutation of the released Deep Agents bootstrap with a first-party `deepagents.harness_profiles` plugin for `deepagents-code==0.1.34` / `deepagents==0.7.0a6`. The two managed OpenAI-compatible model keys continue to receive the released native Nemotron 3 Ultra profile, with exact version/source gates and no third-party source changes. ## Related Issue Fixes #6424 ## Changes - Add and install `nemoclaw-deepagents-profile==0.1.0` through Deep Agents' supported profile entry-point lifecycle. - Register only the two NemoClaw-managed aliases against the released canonical Ultra profile, atomically and idempotently. - Fail the image build on missing or unimportable dependencies, mismatched distribution/package roots, copied/installed adapter-source drift, or released-profile/bootstrap drift. - Run a DCode-only negative Docker build from the current hash-locked base, strip both upstream distributions, and prove failure occurs at the isolated import gate before the later dependency check. - Build and install a real unreviewed-version plugin wheel and prove the actual validator rejects it. - Verify entry-point discovery, all 12 middleware entries, unrelated-model isolation, graph compilation, and allowed/denied execute-dispatch parity against the official wheels. - Split image/runtime and credential-boundary contracts into balanced 756/755-line suites with a 113-line shared helper, preserving all 75 original tests and substantial per-file size headroom. - Remove the installed-bootstrap patcher and document that the adapter must be removed, not rehashed, once reviewed dependencies provide both exact aliases. - Preserve the merged DCode hardening and paced `/agents` first-run TUI behavior from #6410 / #6418. ## Automated review dispositions - **License metadata:** the production package keeps the PEP 639 SPDX string and builds unchanged with lock-pinned `setuptools==82.0.1`; the production validator now requires exact installed-wheel `License-Expression: Apache-2.0` metadata, with a negative metadata-drift test. The legacy conversion is a localized offline wrong-version fixture with explicit source-boundary and removal-condition documentation. Remove the fixture-only conversion once runner setuptools accepts PEP 639 strings; production never uses it. - **Plain-progress build output:** plain progress remains necessary to prove the exact import-failure marker. Before Docker runs, the gate now rejects every Docker `ARG` name outside a complete reviewed allowlist, while tests pin the only passed build arguments to the two public `BASE_IMAGE` references. Behavior tests inject unreviewed uppercase, lowercase, and continued ARG declarations across all three Dockerfiles and prove rejection occurs before any build; the targeted DCode E2E job runs the same script with real Docker before live tests. - **Adapter build-layer retention:** Docker can retain the copied project tree in an image layer or failed local build cache. This is accepted because it contains only public, first-party Apache-2.0 source and metadata, while the installed Python module necessarily ships the same source; revisit if any adapter input becomes secret-bearing or non-public. - **Credential redaction parity:** `PASS`/`PASSWD`, quoted/space-separated assignments, punctuation-bearing values, and bounded camel/acronym aliases now share the same fail-closed policy across the Bash wrapper, managed Python runtime, observability scrubber, config filter, full/sensitive-text redactors, structured-log classifier, TUI sanitizer, and E2E redactors. The separator lookbehind is capped at 32 horizontal characters to prevent attacker-controlled scans; private-key blocks are scrubbed before assignment matching. Positive tests cover `customPass`, `DBPass`, and known secret `*Key` families, while `COMPASS`/`BYPASS`, `TOPSECRET`/`SUBTOKEN`, pass-rate fields, `publicKey`, and `customKey` remain untouched. - **OpenShell TLS key provenance:** the canonical mounted path is intentionally accepted only from the supervisor-owned runtime environment and rejected from the mutable DCode `.env`. The split credential suite now proves both sides explicitly, matching the existing wrapper-identity coverage; allowing it in `.env` would weaken the boundary. - **Docker auth cleanup:** the shared workflow validator requires exactly one canonical cleanup with `if: always()` as the final job step. A DCode-specific mutation test now also rejects moving cleanup before the import gate. - **Private-key and fixture helpers:** multiline private-key matching is consolidated into the live generic matcher with a required-newline mode, preserving comment behavior while removing 12 lines. Profile-hash fixture replacement is now whitespace/quote tolerant while still requiring one exact reviewed constant and digest. A focused regression covers both formatting variants and duplicate-definition rejection; use an AST transform only if the current two-constant scope grows. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: public CLI, configuration, model IDs, and user-visible behavior are unchanged; the existing DCode quickstart is implementation-neutral. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — the prior security and supply-chain approval is #6431 (review); fresh exact-head re-review will be requested after the current full fan-out because the head changed. - [x] Non-success, skipped, or missing CI check accepted by maintainer — `e2e-all` baseline failures accepted in #6431 (review); follow-ups #6381/#6384 and #6467/#6474. ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npm run check:diff` passed on `e78d3ef7`; the independently runnable image/runtime and credential-boundary suites passed 18 of 18 and 123 of 123; the final cross-surface security/parity audit passed 96 of 96; fresh-cache real-wheel validation and the isolated three-package import probe passed. - [ ] Applicable broad gate passed — exact-head focused DCode run [28971629788](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629788) and cloud-onboard run [28971629739](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629739) passed on `e78d3ef7`; full fan-out run [28972330045](https://github.com/NVIDIA/NemoClaw/actions/runs/28972330045) is in progress. The prior full run [28919686103](https://github.com/NVIDIA/NemoClaw/actions/runs/28919686103) passed 77 of 79 applicable jobs; its two failures reproduced identically on retry and `main` run [28911441118](https://github.com/NVIDIA/NemoClaw/actions/runs/28911441118), with the prior maintainer waiver recorded [here](#6431 (review)). - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) ## Exact-head advisor evidence - [`ubuntu-repo-cloud-langchain-deepagents-code` run 28971629788](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629788) passed on exact head `e78d3ef7f43f3242486dedc4b5b2b42e0585d041`. The production-image validator covered plugin discovery and installed-distribution binding, official source hashes, both aliases and all 12 middleware entries, unrelated-model isolation, graph compilation, and allowed/denied execute dispatch parity. - The same exact-head run passed the real-Docker stripped-dependency import gate before live E2E, then passed image version checks (`deepagents-code==0.1.34`, `deepagents==0.7.0a6`), direct and login-shell headless `PONG`, and interactive TUI acceptance with the optional name prompt and no model picker. - The advisor-required [`cloud-onboard` run 28971629739](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629739) also passed on that exact SHA. - CodeRabbit is green with no unresolved threads. Exact-head advisor run 28971565095 reported zero GPT findings but requested the runtime evidence above; Nemotron's two attempts were non-advisory JSON-parse failures. Both advisors will be rerun against this updated evidence. - The localized import-gate removal condition is tracked in #6424 rather than a new cleanup issue. - Exact-head full fan-out run [28972330045](https://github.com/NVIDIA/NemoClaw/actions/runs/28972330045) is in progress; the prior baseline waiver remains applicable only if the same two unrelated failures recur. --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a first-party Nemotron 3 Ultra profile plugin that registers managed model aliases. * **Bug Fixes / Security** * Strengthened fail-closed validation for the released profile, including integrity checks and managed vs native dispatch parity (with denied-shell behavior). * Hardened secret/credential detection and redaction so `PASS`-keyed values are treated as sensitive. * **CI / Quality** * Added build-time and workflow-boundary checks ensuring images reject missing base dependencies. * **Tests** * Expanded plugin/profile-contract, image behavior, and end-to-end/workflow coverage. * **Chores** * Updated the container build flow to install and validate the plugin artifact at build time, removing the standalone patch approach. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
NVIDIA#6418) ## Summary Restores the optional Deep Agents Code first-run name prompt while keeping dependency and model selection under NemoClaw control. This follows NVIDIA#6414 by replacing blanket onboarding suppression with pinned launch-flow overrides that continue directly to the NemoClaw-selected model. ## Changes - Stop patching `onboarding.py` so the upstream optional name prompt can run. - Override the dependency/model launch boundaries to return no selection screen and a resolved `(False, None)` result. - Teach the live TUI check to submit an empty optional name, continue to readiness, and still fail if the model picker appears. - Add direct-module, TUI state-machine, and patch-idempotence coverage for the revised behavior. - Update the Deep Agents Code quickstart to describe the retained name prompt and suppressed dependency/model screens. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: @cv reviewed the production delta at `b9f006359`; follow-up `da7c0e35f` adds only tests, comments, and docs. All nine security categories pass, and the live DCode target remains required before approval. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `vitest --project integration` passed 65/65 across the progressive-disclosure, direct-module, and TUI startup suites. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) Additional evidence: `npm run docs` passed with zero errors; Fern reported two existing warnings. The author also reported a successful DGX Spark first-run proof, but the required auditable live workflow is still pending. --- Signed-off-by: Senthil Ravichandran <senthilr@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Improved DeepAgents Code first-run flow: the optional “name” prompt can appear, while the model picker and dependency/model selection screens are skipped for a smoother start. * **Bug Fixes** * Fixed managed interactive-session startup to avoid mis-handling first-run screen sequencing (now continues after naming rather than pausing for picker prompts). * **Documentation** * Updated the DeepAgents Code quickstart to match the revised first-run behavior. * **Tests** * Expanded/adjusted TUI startup and progressive-disclosure test coverage for the new first-run name prompt flow and updated patched-module expectations. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Carlos Villela <cvillela@nvidia.com>
## Summary Consume the official Nemotron 3 Ultra profile from `deepagents-code[nvidia]==0.1.34`, which pins `deepagents==0.7.0a6`. This keeps the managed model IDs and public behavior unchanged while preserving the optional first-run name prompt and suppressed dependency/model pickers from NVIDIA#6410 and NVIDIA#6418. ## Changes - Pin `deepagents-code[nvidia]==0.1.34` and `deepagents==0.7.0a6`; regenerate the hash-locked dependency set with only `langchain-google-genai` moving from `4.2.6` to `4.2.7`. - Remove the temporary profile source and license wiring, then retain an atomic, idempotent, fail-closed alias bridge for `openai:nvidia/nemotron-3-ultra-550b-a55b` and `openai:nvidia/nvidia/nemotron-3-ultra`. - Bind removal of that bridge to its exact DCode/Deep Agents version-and-hash gate in `dependency-review.md`; this PR intentionally does not create a separate follow-up issue. - Port the managed DCode hardening patch to the `0.1.34` package layout and direct-return MCP loader while preserving JSON diagnostics and the NVIDIA#6418 launch overrides. - Validate the official wheels, all 12 native middleware entries, unrelated-model isolation, complete graph compilation, and equivalent single-dispatch behavior for parser-repaired and native `execute` calls. - Update the DCode documentation and cloud acceptance checks for the released versions, native profile, TUI startup behavior, and direct/login-shell inference. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: [cv's deterministic TUI contract](NVIDIA#6416 (comment)) is implemented and passed exact-head server acceptance; cv also [waived a separate bridge-removal issue](NVIDIA#6416 (comment)) and [accepted the trusted-apt warning as nonblocking](NVIDIA#6416 (comment)) - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable — normal hooks and `npm run check:diff` passed - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — official-wheel hash-locked validators passed; profile patch 12/12, direct module 34 passed/1 Linux-only skip, progressive disclosure 13/13, image 75/75, TUI 19/19, independent DCode image/TUI 94/94, platform parity 10/10, managed entrypoints 24/24, workflow boundary 39/39, and updated CLI/onboarding fixtures passed; repository checks, typecheck, test-size, and `pip-audit` passed - [x] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — all exact-head Linux CI and [`ubuntu-repo-cloud-langchain-deepagents-code`](https://github.com/NVIDIA/NemoClaw/actions/runs/28907835011) passed for `928b50626b303b2008d35f844408a1f83a43a404` - [x] Quality Gates section completed with required justifications or waivers — 42 applicable exact-head checks passed; cv recorded the two advisor dispositions linked above - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — passed with 0 errors and 2 existing repository warnings - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only); `npm run docs:sync-agent-variants` passed - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Prepares the user-facing documentation for NemoClaw v0.0.76 and closes the release-prep documentation gate. It adds the release highlights, documents the arm64 Local NIM warning and expanded image cleanup behavior, and fixes agent-specific command headings in generated guides. ## Changes - Add the v0.0.76 release-notes section and move the shared-gateway route containment entry out of the v0.0.74 history where it was incorrectly placed. - Document the advisory Linux arm64 Local NIM manifest warning in the canonical platform matrix and local-inference guidance. - Document that `gc` scans both gateway-built and locally prebuilt sandbox image repositories. - Keep OpenClaw and Hermes session headings out of the generated Deep Agents command guide. - Add a focused variant regression test for the agent-specific session headings. ### Source summary | Merged sources | Documentation coverage | | --- | --- | | [NVIDIA#6414](NVIDIA#6414), [NVIDIA#6418](NVIDIA#6418), [NVIDIA#6416](NVIDIA#6416), [NVIDIA#6344](NVIDIA#6344) | v0.0.76 release notes and the Deep Agents quickstart/inference routes | | [NVIDIA#6340](NVIDIA#6340) | v0.0.76 release notes and existing Deep Agents observability guidance | | [NVIDIA#6338](NVIDIA#6338), [NVIDIA#6378](NVIDIA#6378), [NVIDIA#6297](NVIDIA#6297) | v0.0.76 release notes and existing inference/troubleshooting guidance | | [NVIDIA#6362](NVIDIA#6362) | v0.0.76 release notes and existing lifecycle, command, and credential guidance | | [NVIDIA#6330](NVIDIA#6330), [NVIDIA#6307](NVIDIA#6307), [NVIDIA#6008](NVIDIA#6008) | v0.0.76 release notes and existing security, troubleshooting, and command guidance | | [NVIDIA#6382](NVIDIA#6382) | v0.0.76 release notes and existing MCP/command guidance | | [NVIDIA#6326](NVIDIA#6326), [NVIDIA#5868](NVIDIA#5868), [NVIDIA#5539](NVIDIA#5539) | v0.0.76 release notes, platform matrix, inference options, and local-inference guidance | | [NVIDIA#6396](NVIDIA#6396), [NVIDIA#6390](NVIDIA#6390), [NVIDIA#6007](NVIDIA#6007) | v0.0.76 release notes and existing messaging guidance | | [NVIDIA#5388](NVIDIA#5388), [NVIDIA#6249](NVIDIA#6249), [NVIDIA#6303](NVIDIA#6303), [NVIDIA#6306](NVIDIA#6306) | v0.0.76 release notes and command/lifecycle guidance | ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run --project integration test/generate-platform-docs.test.ts test/agent-variant-docs.test.ts test/sync-agent-variant-docs.test.ts` (3 files, 29 tests passed) - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — completed with 0 errors and 2 pre-existing Fern warnings - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added v0.0.76 release notes content, and removed an older conflicting bullet from the surrounding release history. * Expanded Local NVIDIA NIM guidance across inference/provider docs, including an advisory for Linux arm64 DGX Spark/DGX Station hosts when a matching `linux/arm64` image manifest is unavailable. * Updated the command reference for correct session-section rendering and clarified `gc` image cleanup sources. * **Tests** * Added coverage ensuring Deep Agents omits sessions headings while Hermes includes them. * **CI** * Refreshed Local NVIDIA NIM provider notes used in the platform matrix. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
…VIDIA#6431) <!-- markdownlint-disable MD041 --> ## Summary Replaces NemoClaw's build-time mutation of the released Deep Agents bootstrap with a first-party `deepagents.harness_profiles` plugin for `deepagents-code==0.1.34` / `deepagents==0.7.0a6`. The two managed OpenAI-compatible model keys continue to receive the released native Nemotron 3 Ultra profile, with exact version/source gates and no third-party source changes. ## Related Issue Fixes NVIDIA#6424 ## Changes - Add and install `nemoclaw-deepagents-profile==0.1.0` through Deep Agents' supported profile entry-point lifecycle. - Register only the two NemoClaw-managed aliases against the released canonical Ultra profile, atomically and idempotently. - Fail the image build on missing or unimportable dependencies, mismatched distribution/package roots, copied/installed adapter-source drift, or released-profile/bootstrap drift. - Run a DCode-only negative Docker build from the current hash-locked base, strip both upstream distributions, and prove failure occurs at the isolated import gate before the later dependency check. - Build and install a real unreviewed-version plugin wheel and prove the actual validator rejects it. - Verify entry-point discovery, all 12 middleware entries, unrelated-model isolation, graph compilation, and allowed/denied execute-dispatch parity against the official wheels. - Split image/runtime and credential-boundary contracts into balanced 756/755-line suites with a 113-line shared helper, preserving all 75 original tests and substantial per-file size headroom. - Remove the installed-bootstrap patcher and document that the adapter must be removed, not rehashed, once reviewed dependencies provide both exact aliases. - Preserve the merged DCode hardening and paced `/agents` first-run TUI behavior from NVIDIA#6410 / NVIDIA#6418. ## Automated review dispositions - **License metadata:** the production package keeps the PEP 639 SPDX string and builds unchanged with lock-pinned `setuptools==82.0.1`; the production validator now requires exact installed-wheel `License-Expression: Apache-2.0` metadata, with a negative metadata-drift test. The legacy conversion is a localized offline wrong-version fixture with explicit source-boundary and removal-condition documentation. Remove the fixture-only conversion once runner setuptools accepts PEP 639 strings; production never uses it. - **Plain-progress build output:** plain progress remains necessary to prove the exact import-failure marker. Before Docker runs, the gate now rejects every Docker `ARG` name outside a complete reviewed allowlist, while tests pin the only passed build arguments to the two public `BASE_IMAGE` references. Behavior tests inject unreviewed uppercase, lowercase, and continued ARG declarations across all three Dockerfiles and prove rejection occurs before any build; the targeted DCode E2E job runs the same script with real Docker before live tests. - **Adapter build-layer retention:** Docker can retain the copied project tree in an image layer or failed local build cache. This is accepted because it contains only public, first-party Apache-2.0 source and metadata, while the installed Python module necessarily ships the same source; revisit if any adapter input becomes secret-bearing or non-public. - **Credential redaction parity:** `PASS`/`PASSWD`, quoted/space-separated assignments, punctuation-bearing values, and bounded camel/acronym aliases now share the same fail-closed policy across the Bash wrapper, managed Python runtime, observability scrubber, config filter, full/sensitive-text redactors, structured-log classifier, TUI sanitizer, and E2E redactors. The separator lookbehind is capped at 32 horizontal characters to prevent attacker-controlled scans; private-key blocks are scrubbed before assignment matching. Positive tests cover `customPass`, `DBPass`, and known secret `*Key` families, while `COMPASS`/`BYPASS`, `TOPSECRET`/`SUBTOKEN`, pass-rate fields, `publicKey`, and `customKey` remain untouched. - **OpenShell TLS key provenance:** the canonical mounted path is intentionally accepted only from the supervisor-owned runtime environment and rejected from the mutable DCode `.env`. The split credential suite now proves both sides explicitly, matching the existing wrapper-identity coverage; allowing it in `.env` would weaken the boundary. - **Docker auth cleanup:** the shared workflow validator requires exactly one canonical cleanup with `if: always()` as the final job step. A DCode-specific mutation test now also rejects moving cleanup before the import gate. - **Private-key and fixture helpers:** multiline private-key matching is consolidated into the live generic matcher with a required-newline mode, preserving comment behavior while removing 12 lines. Profile-hash fixture replacement is now whitespace/quote tolerant while still requiring one exact reviewed constant and digest. A focused regression covers both formatting variants and duplicate-definition rejection; use an AST transform only if the current two-constant scope grows. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: public CLI, configuration, model IDs, and user-visible behavior are unchanged; the existing DCode quickstart is implementation-neutral. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — the prior security and supply-chain approval is NVIDIA#6431 (review); fresh exact-head re-review will be requested after the current full fan-out because the head changed. - [x] Non-success, skipped, or missing CI check accepted by maintainer — `e2e-all` baseline failures accepted in NVIDIA#6431 (review); follow-ups NVIDIA#6381/NVIDIA#6384 and NVIDIA#6467/NVIDIA#6474. ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npm run check:diff` passed on `e78d3ef7`; the independently runnable image/runtime and credential-boundary suites passed 18 of 18 and 123 of 123; the final cross-surface security/parity audit passed 96 of 96; fresh-cache real-wheel validation and the isolated three-package import probe passed. - [ ] Applicable broad gate passed — exact-head focused DCode run [28971629788](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629788) and cloud-onboard run [28971629739](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629739) passed on `e78d3ef7`; full fan-out run [28972330045](https://github.com/NVIDIA/NemoClaw/actions/runs/28972330045) is in progress. The prior full run [28919686103](https://github.com/NVIDIA/NemoClaw/actions/runs/28919686103) passed 77 of 79 applicable jobs; its two failures reproduced identically on retry and `main` run [28911441118](https://github.com/NVIDIA/NemoClaw/actions/runs/28911441118), with the prior maintainer waiver recorded [here](NVIDIA#6431 (review)). - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) ## Exact-head advisor evidence - [`ubuntu-repo-cloud-langchain-deepagents-code` run 28971629788](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629788) passed on exact head `e78d3ef7f43f3242486dedc4b5b2b42e0585d041`. The production-image validator covered plugin discovery and installed-distribution binding, official source hashes, both aliases and all 12 middleware entries, unrelated-model isolation, graph compilation, and allowed/denied execute dispatch parity. - The same exact-head run passed the real-Docker stripped-dependency import gate before live E2E, then passed image version checks (`deepagents-code==0.1.34`, `deepagents==0.7.0a6`), direct and login-shell headless `PONG`, and interactive TUI acceptance with the optional name prompt and no model picker. - The advisor-required [`cloud-onboard` run 28971629739](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629739) also passed on that exact SHA. - CodeRabbit is green with no unresolved threads. Exact-head advisor run 28971565095 reported zero GPT findings but requested the runtime evidence above; Nemotron's two attempts were non-advisory JSON-parse failures. Both advisors will be rerun against this updated evidence. - The localized import-gate removal condition is tracked in NVIDIA#6424 rather than a new cleanup issue. - Exact-head full fan-out run [28972330045](https://github.com/NVIDIA/NemoClaw/actions/runs/28972330045) is in progress; the prior baseline waiver remains applicable only if the same two unrelated failures recur. --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a first-party Nemotron 3 Ultra profile plugin that registers managed model aliases. * **Bug Fixes / Security** * Strengthened fail-closed validation for the released profile, including integrity checks and managed vs native dispatch parity (with denied-shell behavior). * Hardened secret/credential detection and redaction so `PASS`-keyed values are treated as sensitive. * **CI / Quality** * Added build-time and workflow-boundary checks ensuring images reject missing base dependencies. * **Tests** * Expanded plugin/profile-contract, image behavior, and end-to-end/workflow coverage. * **Chores** * Updated the container build flow to install and validate the plugin artifact at build time, removing the standalone patch approach. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
Summary
Restores the optional Deep Agents Code first-run name prompt while keeping dependency and model selection under NemoClaw control.
This follows #6414 by replacing blanket onboarding suppression with pinned launch-flow overrides that continue directly to the NemoClaw-selected model.
Changes
onboarding.pyso the upstream optional name prompt can run.(False, None)result.Type of Change
Quality Gates
b9f006359; follow-upda7c0e35fadds only tests, comments, and docs. All nine security categories pass, and the live DCode target remains required before approval.Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablevitest --project integrationpassed 65/65 across the progressive-disclosure, direct-module, and TUI startup suites.npm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — command/result:npm run docsbuilds without warnings (doc changes only)Additional evidence:
npm run docspassed with zero errors; Fern reported two existing warnings. The author also reported a successful DGX Spark first-run proof, but the required auditable live workflow is still pending.Signed-off-by: Senthil Ravichandran senthilr@nvidia.com
Summary by CodeRabbit