refactor(dcode): replace Nemotron source patch with profile plugin#6431
Conversation
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…tra-profile-plugin Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (7)
🚧 Files skipped from review as they are similar to previous changes (6)
📝 WalkthroughWalkthroughThis PR replaces the Nemotron Ultra bootstrap patch with a managed profile plugin, adds a stripped-base import gate, expands PASS-aware secret handling, and renames OpenClaw correlation fields from ChangesManaged Profile Plugin Replacement
PASS Secret-Pattern Expansion
OpenClaw Reply-Marker Correlation
Estimated code review effort: 5 (Critical) | ~120 minutes Sequence Diagram(s)sequenceDiagram
participant Dockerfile as DCode Dockerfile
participant Plugin as nemoclaw_deepagents_profile
participant DeepAgents as deepagents package
participant Validator as validate-nemotron-ultra-profile.py
Dockerfile->>Plugin: pip install profile-plugin (offline, hash-checked)
Dockerfile->>Plugin: isolated python -I import gate
Plugin->>DeepAgents: verify versions and source hashes
Plugin->>DeepAgents: register() via harness_profiles entry point
DeepAgents-->>Plugin: canonical profile mapped to two alias keys
Dockerfile->>Validator: run validator after build
Validator->>DeepAgents: re-verify entry point and official sources
Validator->>Validator: compare repaired vs native dispatch parity
sequenceDiagram
participant CI as check-dcode-profile-import-gate.sh
participant BaseImage as Dockerfile.base
participant Stripped as Dockerfile.dcode-profile-missing-dependencies
participant Prod as DCode production Dockerfile
CI->>BaseImage: build source-base image
CI->>Stripped: build stripped image (removes deepagents deps)
CI->>Prod: build production image with BASE_IMAGE=stripped
Prod-->>CI: fails at NEMOCLAW_DCODE_PROFILE_IMPORT_GATE marker
CI->>CI: assert ModuleNotFoundError present in build log
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 76%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
E2E Target Results —
|
| Job | Result |
|---|---|
| live |
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
🚨 Required before mergeAddress these before merging unless a maintainer explicitly overrides the advisor with rationale.
|
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings Action checklist
Test follow-ups to resolve or justifyIf these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.
This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision. |
E2E Target Results — ✅ All selected jobs passedRun: 28913263513
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/langchain-deepagents-code-nemotron-profile-plugin.test.ts`:
- Around line 319-334: The parametrized test in the official source file check
introduces a new TS-level conditional that violates the conditionals guardrail.
Refactor the `it.each(... )` body to avoid the `if (mode === "missing")` /
`else` branch in favor of a branchless mode-to-action lookup while keeping the
same `runPlugin(fixture)` assertions and coverage for both `missing` and
`linked` cases.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: b26a0595-d815-49b1-bb4e-3dd22019aa69
📒 Files selected for processing (12)
agents/langchain-deepagents-code/Dockerfileagents/langchain-deepagents-code/dependency-review.mdagents/langchain-deepagents-code/patch-nemotron-ultra-profile.pyagents/langchain-deepagents-code/profile-plugin/.gitignoreagents/langchain-deepagents-code/profile-plugin/pyproject.tomlagents/langchain-deepagents-code/profile-plugin/src/nemoclaw_deepagents_profile/__init__.pyagents/langchain-deepagents-code/validate-nemotron-ultra-profile.pytest/e2e/e2e-cloud-experimental/checks/03-deepagents-code-nemotron-ultra-profile.shtest/e2e/support/platform-parity-cloud-experimental.test.tstest/langchain-deepagents-code-image.test.tstest/langchain-deepagents-code-nemotron-profile-patch.test.tstest/langchain-deepagents-code-nemotron-profile-plugin.test.ts
💤 Files with no reviewable changes (2)
- test/langchain-deepagents-code-nemotron-profile-patch.test.ts
- agents/langchain-deepagents-code/patch-nemotron-ultra-profile.py
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
There was a problem hiding this comment.
🧹 Nitpick comments (2)
test/langchain-deepagents-code-nemotron-profile-plugin.test.ts (2)
313-315: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winPrefer behavioral coverage over source-text assertions on the validator/plugin.
These cases assert on raw source text (substrings,
validate_official_sources()call count, ordering,"prove the adapter never") of the plugin and validator rather than on observable behavior. They lock in implementation wording and break on benign refactors even when the security behavior is intact. The subprocess-driven cases (runEntryPointValidation,runPlugin) already exercise the real discovery/source/rejection paths, so consider trimming the text-shape assertions in favor of those observable outcomes.As per path instructions: "Prefer observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions."
Also applies to: 318-348
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/langchain-deepagents-code-nemotron-profile-plugin.test.ts` around lines 313 - 315, The validator/plugin tests rely too much on raw source-text and mock-shape assertions instead of observable behavior, so trim those expectations in the plugin/validator spec and keep the subprocess-based coverage as the source of truth. Update the affected assertions around runPlugin, runEntryPointValidation, and validate_official_sources() to verify the public outcomes they produce (accepted/rejected cases and discovery behavior) rather than specific substrings, call counts, or ordering tied to implementation wording.Source: Path instructions
259-262: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winUse the literal POSIX separator for
PYTHONPATHto match the siblingPATHentry.Line 259 builds
PATHwith a literal:, but the adjacentPYTHONPATHjoin usespath.delimiter. These unit tests only run on Linux runners, sopath.delimiteradds no portability here and diverges from the established convention.♻️ Suggested alignment
- PYTHONPATH: [...(options.additionalPythonRoots ?? []), fixture.root, pluginRoot].join( - path.delimiter, - ), + PYTHONPATH: [...(options.additionalPythonRoots ?? []), fixture.root, pluginRoot].join(":"),Based on learnings: prefer the established POSIX PATH separator
:when constructing PATH-style env vars in these tests; do not replace it withpath.delimiter, because they only run on Linux runners in CI.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/langchain-deepagents-code-nemotron-profile-plugin.test.ts` around lines 259 - 262, The test setup for the environment variables is inconsistent: `PATH` uses a literal POSIX separator while `PYTHONPATH` in the same fixture uses `path.delimiter`. Update the `PYTHONPATH` construction in this test to use the literal `:` separator so it matches the sibling `PATH` entry and the Linux-only runner environment; keep the change localized to the env setup near the `PYTHONPATH` assignment.Source: Learnings
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@test/langchain-deepagents-code-nemotron-profile-plugin.test.ts`:
- Around line 313-315: The validator/plugin tests rely too much on raw
source-text and mock-shape assertions instead of observable behavior, so trim
those expectations in the plugin/validator spec and keep the subprocess-based
coverage as the source of truth. Update the affected assertions around
runPlugin, runEntryPointValidation, and validate_official_sources() to verify
the public outcomes they produce (accepted/rejected cases and discovery
behavior) rather than specific substrings, call counts, or ordering tied to
implementation wording.
- Around line 259-262: The test setup for the environment variables is
inconsistent: `PATH` uses a literal POSIX separator while `PYTHONPATH` in the
same fixture uses `path.delimiter`. Update the `PYTHONPATH` construction in this
test to use the literal `:` separator so it matches the sibling `PATH` entry and
the Linux-only runner environment; keep the change localized to the env setup
near the `PYTHONPATH` assignment.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 8aab9bb9-d2af-4516-93fd-4577ace865d6
📒 Files selected for processing (6)
agents/langchain-deepagents-code/Dockerfileagents/langchain-deepagents-code/dependency-review.mdagents/langchain-deepagents-code/profile-plugin/src/nemoclaw_deepagents_profile/__init__.pyagents/langchain-deepagents-code/validate-nemotron-ultra-profile.pytest/langchain-deepagents-code-image.test.tstest/langchain-deepagents-code-nemotron-profile-plugin.test.ts
✅ Files skipped from review due to trivial changes (1)
- agents/langchain-deepagents-code/dependency-review.md
🚧 Files skipped from review as they are similar to previous changes (3)
- test/langchain-deepagents-code-image.test.ts
- agents/langchain-deepagents-code/profile-plugin/src/nemoclaw_deepagents_profile/init.py
- agents/langchain-deepagents-code/Dockerfile
E2E Target Results —
|
| Job | Result |
|---|---|
| live |
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…tra-profile-plugin Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
E2E Target Results —
|
| Job | Result |
|---|---|
| live |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
test/e2e/support/platform-parity-cloud-experimental.test.ts (1)
298-306: 🎯 Functional Correctness | 🔵 Trivial | ⚖️ Poor tradeoffSource-text assertion instead of behavioral verification.
This test asserts on raw script text (
toContain/not.toMatch) rather than an observable runtime outcome. It replaces the prior deep content checks with a similarly text-based approach, and the negative regex assertion (not.toMatch(/\.(?:invoke|ainvoke|stream|astream)\(/)) can pass trivially if the script is rewritten to avoid these literal method-call patterns while still invoking a model indirectly (e.g., via a wrapper function), without truly proving "local-only" behavior.If this script cannot be executed directly in this test suite, consider at least asserting more precisely (e.g., verifying the script does not reference a model/API key env var, or running it in a sandboxed dry-run) to reduce the risk of a test that passes without meaningfully exercising the claim.
As per path instructions: "Prefer observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions" and "Flag ... conditionals that make a test pass without exercising its claim."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/e2e/support/platform-parity-cloud-experimental.test.ts` around lines 298 - 306, The Nemotron profile check is currently verified by reading script text, which is too brittle and can pass without proving local-only behavior. Update the E2E test in the platform-parity-cloud-experimental suite to assert an observable outcome through the public boundary instead of raw source content; if direct execution is not possible, use a sandboxed dry-run or stronger checks that the script does not depend on model/API-key env vars. Keep the test centered on DEEPAGENTS_CLOUD_EXPERIMENTAL_CHECKS and the profileCheck expectation, but replace the toContain/notToMatch source-text assertions with behavior-based validation.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@test/e2e/support/platform-parity-cloud-experimental.test.ts`:
- Around line 298-306: The Nemotron profile check is currently verified by
reading script text, which is too brittle and can pass without proving
local-only behavior. Update the E2E test in the
platform-parity-cloud-experimental suite to assert an observable outcome through
the public boundary instead of raw source content; if direct execution is not
possible, use a sandboxed dry-run or stronger checks that the script does not
depend on model/API-key env vars. Keep the test centered on
DEEPAGENTS_CLOUD_EXPERIMENTAL_CHECKS and the profileCheck expectation, but
replace the toContain/notToMatch source-text assertions with behavior-based
validation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 132c7302-ab6a-4ff5-9e3e-8320fdd431f1
📒 Files selected for processing (2)
test/e2e/support/platform-parity-cloud-experimental.test.tstest/langchain-deepagents-code-nemotron-profile-plugin.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- test/langchain-deepagents-code-nemotron-profile-plugin.test.ts
E2E Target Results — ✅ All selected jobs passedRun: 28914382391
|
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
E2E Target Results —
|
| Job | Result |
|---|---|
| live |
E2E Target Results —
|
| Job | Result |
|---|---|
| cloud-onboard |
Signed-off-by: cjagwani <cjagwani@nvidia.com>
E2E Target Results —
|
| Job | Result |
|---|---|
| live |
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…-plugin' into fix/dcode-nemotron-ultra-profile-plugin
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
E2E Target Results — ❌ Some jobs failedRun: 28977647781
|
E2E Target Results — ✅ All requested jobs passedRun: 28977649904
|
…tra-profile-plugin # Conflicts: # test/e2e/support/platform-parity-cloud-experimental.test.ts
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/security/redact.ts`:
- Line 188: The redaction pattern in redact.ts does not correctly handle quoted
secret values that contain spaces, so matching stops too early and leaves part
of the secret visible. Update the regex used by the redaction logic to
distinguish quoted from unquoted values, and when quotes are present consume
everything through the closing quote instead of stopping at whitespace. Add a
regression test covering a multi-word password case through the redaction path
to verify UserPassword-style values are fully masked.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 5cd7dcef-4017-4856-845a-7f4d2007a564
📒 Files selected for processing (19)
agents/langchain-deepagents-code/Dockerfileagents/langchain-deepagents-code/dcode-wrapper.shagents/langchain-deepagents-code/dependency-review.mdagents/langchain-deepagents-code/managed-dcode-runtime.pyagents/langchain-deepagents-code/nemoclaw_observability.pysrc/lib/security/redact.test.tssrc/lib/security/redact.tssrc/lib/security/secret-patterns.tstest/deepagents-code-tui-startup-check.test.tstest/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.shtest/e2e/fixtures/redaction.tstest/e2e/live/openclaw-tui-chat-correlation.test.tstest/e2e/support/e2e-redaction-entry.test.tstest/fixtures/deepagents-observability-harness.pytest/langchain-deepagents-code-image-credentials.test.tstest/langchain-deepagents-code-image.test.tstest/langchain-deepagents-code-observability.test.tstest/langchain-deepagents-code-secret-pattern-parity.test.tstest/openclaw-tui-chat-correlation.test.ts
💤 Files with no reviewable changes (2)
- agents/langchain-deepagents-code/managed-dcode-runtime.py
- agents/langchain-deepagents-code/dcode-wrapper.sh
✅ Files skipped from review due to trivial changes (2)
- test/langchain-deepagents-code-observability.test.ts
- test/fixtures/deepagents-observability-harness.py
🚧 Files skipped from review as they are similar to previous changes (12)
- test/deepagents-code-tui-startup-check.test.ts
- test/e2e/support/e2e-redaction-entry.test.ts
- test/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.sh
- agents/langchain-deepagents-code/Dockerfile
- src/lib/security/secret-patterns.ts
- src/lib/security/redact.test.ts
- test/langchain-deepagents-code-secret-pattern-parity.test.ts
- agents/langchain-deepagents-code/nemoclaw_observability.py
- test/langchain-deepagents-code-image.test.ts
- test/langchain-deepagents-code-image-credentials.test.ts
- test/e2e/fixtures/redaction.ts
- agents/langchain-deepagents-code/dependency-review.md
| ], | ||
| [ | ||
| /((?:"|')?(?:api[_-]?key|token|secret|password|credential)(?:"|')?\s*[:=]\s*(?:"|')?)[^"',}\s]+((?:"|')?)/gi, | ||
| /((?:^|[^A-Za-z0-9])(?:[A-Za-z0-9]{1,128}(?:Token|Secret|Credential)|[A-Za-z0-9]{0,128}(?:[Aa]ccess|[Rr]efresh|[Cc]lient|[Bb]earer|[Aa]uth|[Aa][Pp][Ii]|[Pp]rivate|[Ss]igning|[Ss]ession|[Bb]ot|[Aa]pp|[Rr]esolved)Key|[A-Za-z0-9]{1,128}(?:Password|Passwd|Pass))["']?(?:[ \t]{0,32}[=:][ \t]{0,32}|[ \t]{1,32})["']?)[^\s'"]+((?:"|')?)/g, |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '## current full-redaction assignment patterns\n'
sed -n '179,190p' src/lib/security/redact.ts
printf '\n## existing quoted-password whitespace coverage\n'
rg -n 'correct horse|quoted.*password|UserPassword|Password=.* ' src/lib/security/redact.test.ts test --glob '*.test.ts'Repository: NVIDIA/NemoClaw
Length of output: 1005
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '## redact.ts matcher block\n'
sed -n '170,205p' src/lib/security/redact.ts
printf '\n## redact.test.ts around redaction cases\n'
ast-grep outline src/lib/security/redact.test.ts --view expanded || true
printf '\n'
rg -n 'REDACT|redact|password|token|secret|credential|pass|quote|whitespace|spaces' src/lib/security/redact.test.ts
printf '\n## any tests mentioning UserPassword in repo\n'
rg -n 'UserPassword|correct horse battery|horse battery|quoted password|password.*space|space.*password' src --glob '*.test.ts' --glob '*.ts'Repository: NVIDIA/NemoClaw
Length of output: 7567
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '## broader redact pattern list around the matcher\n'
sed -n '130,205p' src/lib/security/redact.ts
printf '\n## test file structure\n'
ast-grep outline src/lib/security/redact.test.ts --view expanded || true
printf '\n## test cases touching redaction and quoting\n'
rg -n 'redact\\(|toContain\\(|toEqual\\(|UserPassword|Password|token|secret|credential|quoted|space|whitespace' src/lib/security/redact.test.tsRepository: NVIDIA/NemoClaw
Length of output: 3454
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '## SECRET_PATTERNS definition\n'
rg -n 'const SECRET_PATTERNS|SECRET_BLOCK_PATTERNS|TOKEN_PREFIX_PATTERNS|FULL_REDACT_PATTERNS|redactSensitiveText|redactFull' src/lib/security/redact.ts
printf '\n## run a small regex probe on the exact pattern\n'
python3 - <<'PY'
import re
pat = re.compile(r'((?:^|[^A-Za-z0-9])(?:[A-Za-z0-9]{1,128}(?:Token|Secret|Credential)|[A-Za-z0-9]{0,128}(?:[Aa]ccess|[Rr]efresh|[Cc]lient|[Bb]earer|[Aa]uth|[Aa][Pp][Ii]|[Pp]rivate|[Ss]igning|[Ss]ession|[Bb]ot|[Aa]pp|[Rr]esolved)Key|[A-Za-z0-9]{1,128}(?:Password|Passwd|Pass))["\']?(?:[ \t]{0,32}[=:][ \t]{0,32}|[ \t]{1,32})["\']?)[^\s\'"]+((?:"|\')?)', re.I)
samples = [
'UserPassword="correct horse battery"',
'UserPassword="correct horse battery',
'UserPassword=correct horse battery',
'UserPassword="correct"',
'UserPassword="correct horse" extra',
]
for s in samples:
m = pat.search(s)
print("INPUT:", s)
print("MATCH:", bool(m))
if m:
print("GROUP1:", m.group(1))
print("GROUP2:", m.group(2))
print("REPLACED:", pat.sub(r'\\1<REDACTED>\\2', s))
print("-" * 40)
PY
printf '\n## any alternate quoted-string redaction patterns in security module\n'
rg -n '"[^"]*<REDACTED>|<REDACTED>.*\\"|\\[[^\\]]*REDACTED' src/lib/security/redact.ts src/lib/security -g '*.ts'Repository: NVIDIA/NemoClaw
Length of output: 7218
Handle quoted secrets with spaces. Quoted values still stop at the first space, so UserPassword="correct horse battery" leaves the remainder visible. Split quoted/unquoted handling or consume through the closing quote, and add a regression test for multi-word passwords.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/lib/security/redact.ts` at line 188, The redaction pattern in redact.ts
does not correctly handle quoted secret values that contain spaces, so matching
stops too early and leaves part of the secret visible. Update the regex used by
the redaction logic to distinguish quoted from unquoted values, and when quotes
are present consume everything through the closing quote instead of stopping at
whitespace. Add a regression test covering a multi-word password case through
the redaction path to verify UserPassword-style values are fully masked.
Source: Path instructions
E2E Target Results — ❌ Some jobs failedRun: 28978117617
|
Signed-off-by: cjagwani <cjagwani@nvidia.com>
E2E Target Results —
|
| Job | Result |
|---|---|
| cloud-onboard |
E2E Target Results —
|
| Job | Result |
|---|---|
| cloud-onboard |
E2E Target Results — ❌ Some jobs failedRun: 28978281322
|
E2E Target Results — ❌ Some jobs failedRun: 28978277604
|
Record main's squash of #6431; its tree is byte-identical to the already reviewed stack parent. Signed-off-by: cjagwani <cjagwani@nvidia.com>
## Summary Harden the managed Nemotron 3 Ultra DCode aliases at two separate compatibility boundaries: emit the model-specific nonempty-content template argument required for reasoning-plus-tool-call requests, and reject the observed literal `[content]` execute placeholder before it reaches shell dispatch. #6431 is merged; this PR is based directly on current `main`. It leaves the canonical NVIDIA profile and all unrelated models unchanged. ## Source boundary and lifecycle - `force_nonempty_content`: the invalid empty-assistant-content state originates in the Ultra serving template. NemoClaw owns only the generated per-model request configuration. Remove the override after a reviewed serving/client update works for both managed Ultra IDs without it and the live DCode E2E passes. - Execute guard: the invalid state is a model-produced tool call whose complete `execute.command` is the literal `[content]` (ignoring ASCII whitespace around the token and brackets, and case). NemoClaw owns the managed alias middleware immediately before dispatch, not the model, serving template, or hash-locked canonical Deep Agents profile. Remove the guard only after those upstream paths no longer produce or convert the placeholder and the focused plus live tests pass with it deleted. ## Changes - Generate `force_nonempty_content = true` only for the two managed Ultra model IDs. - Add a managed-alias-only sync/async middleware guard for the exact placeholder; concrete execute commands and other tools pass through unchanged. - Validate rejection through the pinned LangChain `ToolMessage.content` API in the image validator, fixture, and hosted E2E probe. - Preserve atomic/idempotent profile registration with the process-local registry as source of truth and a lock around multi-key registration. - Persist the credential-free observability enable bit across environment-less policy restarts; create/rebuild/clone paths pass an explicit `1` or `0`. - Record invalid-state sources, regression evidence, and removal conditions in the dependency review. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: no CLI, setting, supported-model choice, or operator workflow changes; the internal dependency review is updated - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending maintainer review - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — combined Ultra, lifecycle, current-main, and acceptance suites passed 159/159; the post-hook launcher/acceptance subset passed 33/33 - [ ] Applicable broad gate passed — final exact-head regular CI and hosted Deep Agents Code E2E are running - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added model-specific “Ultra” configuration for selected OpenAI-compatible model IDs to enforce non-empty tool-call/reasoning content. * Added managed execute placeholder guard behavior and deeper end-to-end validation for Tavily policy remove/restore ordering and observability recovery. * **Bug Fixes** * Hardened managed execute handling to reject placeholder `execute` calls (including async/sync parity) while allowing concrete commands. * Improved managed alias registration for safer atomic idempotence and rollback. * **Documentation** * Updated compatibility/validation guidance and the dependency advisory review hash. * **Tests** * Expanded E2E/profile/config contract tests, including workflow host-dependency step ordering and guard dispatch assertions. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Prepares the user documentation for NemoClaw v0.0.78 by replacing the unreleased section with release highlights and synchronizing the affected inference, lifecycle, messaging, and CLI reference pages with merged behavior. ## Changes - Publish the v0.0.78 release-notes section with links to the most specific user guides for each shipped behavior. - Document authoritative Deep Agents route health, Nemotron Ultra profile behavior, and Hermes compatible-endpoint context metadata. - Document forced rebuild recovery after total backup failure and the ownership-safe tunnel/full-stop behavior. - Keep command examples and shared agent variants aligned with the current OpenClaw, Hermes, and Deep Agents interfaces. Source mapping: - [#3787](#3787) -> `docs/about/release-notes.mdx`: Record reliable workspace template seeding during sandbox startup. - [#4960](#4960) -> `docs/about/release-notes.mdx`: Record safer detection of rewritten OpenClaw gateway processes. - [#5676](#5676) -> `docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON handling. - [#5857](#5857) -> `docs/about/release-notes.mdx`: Record synchronization of explicit OpenClaw main-agent model state. - [#5929](#5929) -> `docs/about/release-notes.mdx`: Record copyable SSH port-forward guidance for remote dashboards. - [#6068](#6068) -> `docs/about/release-notes.mdx`: Record custom-image plugin provenance reconciliation. - [#6116](#6116) -> `docs/about/release-notes.mdx`: Record live-loopback dashboard-forward recovery. - [#6122](#6122) -> `docs/about/release-notes.mdx`: Announce validated, round-trippable policy YAML output. - [#6211](#6211) -> `docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild --force` recovery boundary. - [#6283](#6283) -> `docs/about/release-notes.mdx`: Record Hermes WebUI port alignment. - [#6293](#6293) -> `docs/inference/switch-inference-providers.mdx`, `docs/about/release-notes.mdx`: Document compatible-endpoint context-length probing for Hermes. - [#6320](#6320) -> `docs/about/release-notes.mdx`: Record bounded gateway-recovery waits. - [#6377](#6377) -> `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain rebuild diagnostics and prepared MCP-destroy recovery. - [#6412](#6412) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document authoritative agent-visible inference route health. - [#6421](#6421) -> `docs/about/release-notes.mdx`: Record the longer quiet-pull window for managed vLLM images. - [#6431](#6431) -> `docs/inference/model-capability-audit.mdx`, `docs/about/release-notes.mdx`: Document the version-pinned Nemotron Ultra profile plugin. - [#6439](#6439) -> `docs/about/release-notes.mdx`: Summarize the authenticated, pinned credential-capture helper boundary. - [#6450](#6450) -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document host-forward cleanup and ownership-safe gateway-port release. - [#6474](#6474) -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/about/release-notes.mdx`: Record composable OpenClaw messaging runtime loaders. - [#6475](#6475) -> `docs/about/release-notes.mdx`: Record removal of the unavailable Kimi K2.6 production endpoint option. - [#6480](#6480) -> `docs/about/release-notes.mdx`: Record stderr routing for the plugin registration banner. - [#6481](#6481) -> `docs/about/release-notes.mdx`: Record post-pull Ollama model discovery checks. - [#6482](#6482) -> `docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon restart. - [#6486](#6486) -> `docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep Agents auto-approval boundary. - [#6490](#6490) -> `docs/about/release-notes.mdx`: Record diagnostics for custom images missing the managed runtime. - [#6494](#6494) -> `docs/inference/model-capability-audit.mdx`, `docs/about/release-notes.mdx`: Document nonempty tool-call content preservation and placeholder rejection. - [#6497](#6497) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document isolated Deep Agents route-probe output. - [#6506](#6506) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document observability-preserving managed route probes. - [#6508](#6508) -> `docs/about/release-notes.mdx`: Link the new extension taxonomy and SDK-readiness reference from the release summary. Release-source verification: GitHub reports all 29 cited source PRs as merged with base `main`, and every merge commit is an ancestor of `origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No source-mapping mismatches were found. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Documentation-only release-prep changes; `npm run docs` validates variants, routes, and Fern content. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: Tests are not applicable to this documentation-only change set. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — exited 0 with zero errors; Fern reported the existing unauthenticated redirect-check and light-mode contrast warnings. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> --------- Signed-off-by: cjagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Follow-up to #6431 for exact-head validation failures that completed immediately before that PR merged. This isolates sequential DCode E2E state, preserves observability across policy-only reloads, lets generic OpenClaw cloud-onboard runs skip DCode-only TUI prerequisites, and closes the remaining valid advisor requests without changing user-facing behavior. ## Related Issue Follow-up to #6431, which closed #6424. No new issue. ## Changes - Remove the durable Tavily preset after check 09, arm cleanup on `EXIT`, and fail unless managed DCode Python returns to the default network denial. - Move check 12's `expect`, Node, and timeout prerequisites after its DCode sandbox guard. Generic `cloud-onboard` therefore skips correctly; typed DCode jobs continue to require and install `expect`. - Keep the credential-free observability enable marker in managed `/sandbox/.deepagents` state for exec/login recovery. Current `main` now owns the durable lifecycle: absent entrypoint env preserves the bit across policy-only restarts, while create/rebuild/clone pass an explicit authoritative `1` or `0`. Check 09 requires the host registry's DCode `observabilityEnabled=true` intent and the exact persistent marker to agree before and after Tavily policy mutation; it fails rather than reconstructing intent from sandbox-writable state. Host-managed network policy remains the egress boundary. - Reject a pre-existing non-regular or symlink marker target with a clear startup error, and use no-target-directory replacement so a raced directory cannot absorb the enabled marker. Fixtures cover both enabled and disabled startup. - In live check 11, remove only `observability-otlp-local`, recreate the exact marker as the sandbox user, and prove both the normally allowed raw route and marker-triggered deterministic instrumentation produce zero host captures. Restore only from an exactly inactive policy state before the existing positive trace checks. - Replace repeated credential-name limit literals with `CREDENTIAL_NAME_PREFIX_MAX_LENGTH` and prove every Bash quantifier remains equal to the canonical TypeScript context-pattern limit. - Cover exact 128/129 context-prefix behavior, oversized OpenShell placeholders, and Tavily cleanup-command failures through the real wrapper/self-test boundaries. - Preserve the merged #6494 Nemotron Ultra request hardening and its observability create/snapshot lifecycle while resolving the overlapping follow-up checks against current `main`. - Keep standalone DCode Tavily persistence and rebuild behavior unchanged. - Avoid the rejected alternative of adding a privileged 47-line apt/workflow boundary to the generic cloud job. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: no CLI, configuration, model-ID, policy, or user-visible behavior changes - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — fresh exact-head review pending - [ ] Non-success, skipped, or missing CI check accepted by maintainer — none currently accepted ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — after merging current `main`, focused DCode integration suites pass 210/210 and focused E2E-support suites pass 37/37. Bash syntax, ShellCheck, source-shape, test-size, build, TypeScript typecheck, commit, and pre-push hooks pass - [ ] Applicable broad gate passed — fresh exact-head CI, advisors, focused DCode E2E, cloud-onboard, and credential-sanitization pending - [ ] Quality Gates section completed with required justifications or waivers — exact-head sensitive-path review pending - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) ## Advisor dispositions - Source-of-truth review: the invalid state is a managed DCode exec losing host-selected observability because raw exec/login processes do not inherit entrypoint environment and policy mutation reloads do not re-run the entrypoint. Current `main` now owns `start.sh` materialization plus `dcode-launcher.sh` recovery under `/sandbox/.deepagents`; create/rebuild/clone carry the registry's explicit `1`/`0` intent, and snapshot restore honors that authoritative registry state so an earlier enabled snapshot does not override a later opt-out. This PR adds fail-closed registry/marker agreement checks and the no-policy export proof. Remove the bridge only when OpenShell both propagates the bit to exec/login processes and preserves it through policy reloads or re-runs the entrypoint. - Sequential Tavily isolation is exercised by the required typed target on one sandbox: check 09 proves denial immediately after cleanup; checks 10 and 11 do not mutate Tavily; check 12 rebuilds and then invokes check 06, which proves both managed and project-venv Python remain denied from `api.tavily.com`. This gives immediate and post-rebuild denial evidence without redundant probes after non-mutating checks. - The marker integration test runs the transformed `start.sh` with `NEMOCLAW_OBSERVABILITY=1`, verifies the `/sandbox/.deepagents/.nemoclaw-observability-enabled` value and mode, removes volatile runtime state, proves absent-env restart and launcher recovery, and proves explicit `0` removal. Live check 11 verifies the literal sandbox path. - The `/sandbox/.deepagents` marker is intentionally untrusted convenience state, not authorization. A sandbox user can request local instrumentation by recreating the exact marker, but cannot grant OTLP egress; the fixed exporter route remains subject to host-managed `observability-otlp-local` policy. Live check 11 removes that host policy, recreates the marker as the sandbox user, proves the exact raw route is denied without capture, and runs real marker-triggered deterministic instrumentation with zero captures before restoring the policy. It also retains alternate host/path/method/port and unmanaged-binary denials with policy active. - Check 09 no longer repairs observability by re-running the stateful entrypoint. The host registry is authoritative, the persistent marker is derived convenience state, and disagreement fails closed both before and after policy mutation. Merged #6506 prevents status/connect route probes from clearing that marker by using the side-effect-free managed-exec boundary. - Startup rejects directory, symlink, and other non-regular marker targets before either the enabled or disabled branch. Enabled replacement treats the destination as a file, closing the directory-descent edge case raised by the exact-head advisor. - Current `main` includes #6506's side-effect-free managed-exec boundary and #6494's durable observability lifecycle. Both are retained together with this PR's host-registry agreement checks and no-policy proof; no contributor work was replaced. - The proxy env file remains intentionally volatile in `/tmp`: each stateful entrypoint reconstructs it from root-owned image proxy inputs, while the observability marker under `/sandbox/.deepagents` must survive policy-only reloads that do not carry the sandbox-create environment. Their different locations reflect different lifetime contracts, not inconsistent authority. ## Exact-head validation plan - Re-run automatic CI, CodeRabbit, GPT, and Nemotron advisors on `0570b876d6e85bcb110823d5f8b6a5553d266f34`. - Re-run `ubuntu-repo-cloud-langchain-deepagents-code` to prove Tavily is denied after check 09 cleanup and remains denied across the check 12 rebuild. - Re-run `cloud-onboard` to prove the non-DCode sandbox skips before requiring `expect`. - Re-run `credential-sanitization` for the named-limit parity change. - Hold merge until tomorrow even if all gates pass earlier. ## Failure evidence addressed - Focused DCode run [28978277604](https://github.com/NVIDIA/NemoClaw/actions/runs/28978277604): check 09 left durable Tavily state that check 12 correctly replayed before the strict egress boundary. - Cloud/credential run [28978281322](https://github.com/NVIDIA/NemoClaw/actions/runs/28978281322): generic OpenClaw cloud-onboard required `expect` before reaching its DCode-only skip; credential-sanitization passed. - Superseded follow-up run [28980032707](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032707): Tavily cleanup and strict egress passed, then check 11 proved that policy reload had cleared the runtime-functional `/tmp` observability marker. The current head retains current `main`'s durable marker under `/sandbox/.deepagents`. - Superseded follow-up run [28980032711](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032711): cloud-onboard and credential-sanitization both passed. - Superseded follow-up run [28981014655](https://github.com/NVIDIA/NemoClaw/actions/runs/28981014655): after the marker moved to `/sandbox`, check 11 proved that Tavily policy cleanup could still reconstruct runtime convenience state and remove it. The current head uses current `main`'s absent-env-preserves lifecycle and fails if the authoritative registry and derived marker disagree; check 09 does not repair drift. - Superseded follow-up run [28981369440](https://github.com/NVIDIA/NemoClaw/actions/runs/28981369440): cloud-onboard and credential-sanitization both passed on the collaborator head; exact-head rerun pending. - Superseded follow-up run [28981690759](https://github.com/NVIDIA/NemoClaw/actions/runs/28981690759): check 09 restored Tavily but sampled observability after policy-add had already reloaded the sandbox, so check 11 found the marker absent. This showed that sandbox marker sampling cannot be the authoritative source of host intent. - Superseded follow-up run [28982642290](https://github.com/NVIDIA/NemoClaw/actions/runs/28982642290): check 09 restored Tavily and check 10 passed, but check 11 found the marker absent because a pre-#6506 status/connect route probe had already invoked the stateful entrypoint without observability. Current `main` supplies #6506's side-effect-free managed-exec probe and #6494's explicit observability lifecycle, while this head compares the host registry and persistent marker before and after policy mutation instead of masking drift with a repair. - Superseded exact-head focused run [28983221993](https://github.com/NVIDIA/NemoClaw/actions/runs/28983221993) passed every typed DCode check 03–12: check 09 reported 9/9, check 11 reported 11/11, and check 12 proved post-rebuild denial. Combined run [28983222022](https://github.com/NVIDIA/NemoClaw/actions/runs/28983222022) passed cloud-onboard and credential sanitization. These runs were invalidated only to address the advisor's unsafe-target edge case and add the stricter no-host-policy leak proof now running on the current head. - Superseded advisor run [28983777162](https://github.com/NVIDIA/NemoClaw/actions/runs/28983777162) rated the safety changes `merge_as_is` from GPT with no findings; Nemotron agreed both substantive findings were resolved and requested only the `/tmp` versus `/sandbox` lifetime cross-reference now present on the current head. --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved validation for credential names and context placeholders, including oversized names. * Strengthened proxy environment file handling to prevent destination-path issues. * Clarified and stabilized observability policy and marker handling. * **Tests** * Expanded end-to-end coverage for observability, Tavily access, tracing, and auto-approval behavior. * Standardized test environment paths and added boundary-case validation for credential patterns. * Improved platform-specific launcher test reliability. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Splits the oversized Deep Agents Code image contract test into focused image and credential-boundary suites, with shared wrapper fixtures. This extracts the test-only split from NVIDIA#6431 so it can land independently and restores the 1,500-line budget without changing assertions or adding an exception. ## Changes - Move all 57 credential-boundary tests byte-for-byte into `test/langchain-deepagents-code-image-credentials.test.ts`, leaving 18 image contracts in the original suite. - Extract shared Deep Agents Code file and wrapper fixtures into `test/helpers/langchain-deepagents-code-image.ts`. - Update source comments that identify the canonical secret-corpus regression test. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [x] Existing tests cover changed behavior — justification: this structural split preserves all 75 existing test cases and assertions; both focused suites pass together. - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: no product behavior changed, and documentation review confirmed the existing `SECURITY.md` reference remains accurate. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: credential assertions moved byte-for-byte, source changes are comment-only, and the focused 75-test integration run passed. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: `npx vitest run --project integration test/langchain-deepagents-code-image.test.ts test/langchain-deepagents-code-image-credentials.test.ts` (2 files, 75 tests passed); `npm run test-size:check`, `npm run test:projects:check`, `npm run test:titles:check`, and `npm run source-shape:check` passed. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Added shared integration-test utilities to create temporary wrapper fixtures and execute them in a controlled environment. * Introduced a dedicated credential boundary test suite to verify secret-shape rejection, strict placeholder matching, token-format exceptions, auth/credential store fail-closed behavior, and disallowed mutation/command inputs. * Updated the existing image test suite to reuse the shared helpers and remove redundant scenarios. * **Documentation** * Updated a SECURITY/guard comment to reference the correct regression test corpus for secret-pattern parity. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Aaron Erickson <aerickson@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
…VIDIA#6431) <!-- markdownlint-disable MD041 --> ## Summary Replaces NemoClaw's build-time mutation of the released Deep Agents bootstrap with a first-party `deepagents.harness_profiles` plugin for `deepagents-code==0.1.34` / `deepagents==0.7.0a6`. The two managed OpenAI-compatible model keys continue to receive the released native Nemotron 3 Ultra profile, with exact version/source gates and no third-party source changes. ## Related Issue Fixes NVIDIA#6424 ## Changes - Add and install `nemoclaw-deepagents-profile==0.1.0` through Deep Agents' supported profile entry-point lifecycle. - Register only the two NemoClaw-managed aliases against the released canonical Ultra profile, atomically and idempotently. - Fail the image build on missing or unimportable dependencies, mismatched distribution/package roots, copied/installed adapter-source drift, or released-profile/bootstrap drift. - Run a DCode-only negative Docker build from the current hash-locked base, strip both upstream distributions, and prove failure occurs at the isolated import gate before the later dependency check. - Build and install a real unreviewed-version plugin wheel and prove the actual validator rejects it. - Verify entry-point discovery, all 12 middleware entries, unrelated-model isolation, graph compilation, and allowed/denied execute-dispatch parity against the official wheels. - Split image/runtime and credential-boundary contracts into balanced 756/755-line suites with a 113-line shared helper, preserving all 75 original tests and substantial per-file size headroom. - Remove the installed-bootstrap patcher and document that the adapter must be removed, not rehashed, once reviewed dependencies provide both exact aliases. - Preserve the merged DCode hardening and paced `/agents` first-run TUI behavior from NVIDIA#6410 / NVIDIA#6418. ## Automated review dispositions - **License metadata:** the production package keeps the PEP 639 SPDX string and builds unchanged with lock-pinned `setuptools==82.0.1`; the production validator now requires exact installed-wheel `License-Expression: Apache-2.0` metadata, with a negative metadata-drift test. The legacy conversion is a localized offline wrong-version fixture with explicit source-boundary and removal-condition documentation. Remove the fixture-only conversion once runner setuptools accepts PEP 639 strings; production never uses it. - **Plain-progress build output:** plain progress remains necessary to prove the exact import-failure marker. Before Docker runs, the gate now rejects every Docker `ARG` name outside a complete reviewed allowlist, while tests pin the only passed build arguments to the two public `BASE_IMAGE` references. Behavior tests inject unreviewed uppercase, lowercase, and continued ARG declarations across all three Dockerfiles and prove rejection occurs before any build; the targeted DCode E2E job runs the same script with real Docker before live tests. - **Adapter build-layer retention:** Docker can retain the copied project tree in an image layer or failed local build cache. This is accepted because it contains only public, first-party Apache-2.0 source and metadata, while the installed Python module necessarily ships the same source; revisit if any adapter input becomes secret-bearing or non-public. - **Credential redaction parity:** `PASS`/`PASSWD`, quoted/space-separated assignments, punctuation-bearing values, and bounded camel/acronym aliases now share the same fail-closed policy across the Bash wrapper, managed Python runtime, observability scrubber, config filter, full/sensitive-text redactors, structured-log classifier, TUI sanitizer, and E2E redactors. The separator lookbehind is capped at 32 horizontal characters to prevent attacker-controlled scans; private-key blocks are scrubbed before assignment matching. Positive tests cover `customPass`, `DBPass`, and known secret `*Key` families, while `COMPASS`/`BYPASS`, `TOPSECRET`/`SUBTOKEN`, pass-rate fields, `publicKey`, and `customKey` remain untouched. - **OpenShell TLS key provenance:** the canonical mounted path is intentionally accepted only from the supervisor-owned runtime environment and rejected from the mutable DCode `.env`. The split credential suite now proves both sides explicitly, matching the existing wrapper-identity coverage; allowing it in `.env` would weaken the boundary. - **Docker auth cleanup:** the shared workflow validator requires exactly one canonical cleanup with `if: always()` as the final job step. A DCode-specific mutation test now also rejects moving cleanup before the import gate. - **Private-key and fixture helpers:** multiline private-key matching is consolidated into the live generic matcher with a required-newline mode, preserving comment behavior while removing 12 lines. Profile-hash fixture replacement is now whitespace/quote tolerant while still requiring one exact reviewed constant and digest. A focused regression covers both formatting variants and duplicate-definition rejection; use an AST transform only if the current two-constant scope grows. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: public CLI, configuration, model IDs, and user-visible behavior are unchanged; the existing DCode quickstart is implementation-neutral. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — the prior security and supply-chain approval is NVIDIA#6431 (review); fresh exact-head re-review will be requested after the current full fan-out because the head changed. - [x] Non-success, skipped, or missing CI check accepted by maintainer — `e2e-all` baseline failures accepted in NVIDIA#6431 (review); follow-ups NVIDIA#6381/NVIDIA#6384 and NVIDIA#6467/NVIDIA#6474. ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npm run check:diff` passed on `e78d3ef7`; the independently runnable image/runtime and credential-boundary suites passed 18 of 18 and 123 of 123; the final cross-surface security/parity audit passed 96 of 96; fresh-cache real-wheel validation and the isolated three-package import probe passed. - [ ] Applicable broad gate passed — exact-head focused DCode run [28971629788](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629788) and cloud-onboard run [28971629739](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629739) passed on `e78d3ef7`; full fan-out run [28972330045](https://github.com/NVIDIA/NemoClaw/actions/runs/28972330045) is in progress. The prior full run [28919686103](https://github.com/NVIDIA/NemoClaw/actions/runs/28919686103) passed 77 of 79 applicable jobs; its two failures reproduced identically on retry and `main` run [28911441118](https://github.com/NVIDIA/NemoClaw/actions/runs/28911441118), with the prior maintainer waiver recorded [here](NVIDIA#6431 (review)). - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) ## Exact-head advisor evidence - [`ubuntu-repo-cloud-langchain-deepagents-code` run 28971629788](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629788) passed on exact head `e78d3ef7f43f3242486dedc4b5b2b42e0585d041`. The production-image validator covered plugin discovery and installed-distribution binding, official source hashes, both aliases and all 12 middleware entries, unrelated-model isolation, graph compilation, and allowed/denied execute dispatch parity. - The same exact-head run passed the real-Docker stripped-dependency import gate before live E2E, then passed image version checks (`deepagents-code==0.1.34`, `deepagents==0.7.0a6`), direct and login-shell headless `PONG`, and interactive TUI acceptance with the optional name prompt and no model picker. - The advisor-required [`cloud-onboard` run 28971629739](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629739) also passed on that exact SHA. - CodeRabbit is green with no unresolved threads. Exact-head advisor run 28971565095 reported zero GPT findings but requested the runtime evidence above; Nemotron's two attempts were non-advisory JSON-parse failures. Both advisors will be rerun against this updated evidence. - The localized import-gate removal condition is tracked in NVIDIA#6424 rather than a new cleanup issue. - Exact-head full fan-out run [28972330045](https://github.com/NVIDIA/NemoClaw/actions/runs/28972330045) is in progress; the prior baseline waiver remains applicable only if the same two unrelated failures recur. --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a first-party Nemotron 3 Ultra profile plugin that registers managed model aliases. * **Bug Fixes / Security** * Strengthened fail-closed validation for the released profile, including integrity checks and managed vs native dispatch parity (with denied-shell behavior). * Hardened secret/credential detection and redaction so `PASS`-keyed values are treated as sensitive. * **CI / Quality** * Added build-time and workflow-boundary checks ensuring images reject missing base dependencies. * **Tests** * Expanded plugin/profile-contract, image behavior, and end-to-end/workflow coverage. * **Chores** * Updated the container build flow to install and validate the plugin artifact at build time, removing the standalone patch approach. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
## Summary Harden the managed Nemotron 3 Ultra DCode aliases at two separate compatibility boundaries: emit the model-specific nonempty-content template argument required for reasoning-plus-tool-call requests, and reject the observed literal `[content]` execute placeholder before it reaches shell dispatch. NVIDIA#6431 is merged; this PR is based directly on current `main`. It leaves the canonical NVIDIA profile and all unrelated models unchanged. ## Source boundary and lifecycle - `force_nonempty_content`: the invalid empty-assistant-content state originates in the Ultra serving template. NemoClaw owns only the generated per-model request configuration. Remove the override after a reviewed serving/client update works for both managed Ultra IDs without it and the live DCode E2E passes. - Execute guard: the invalid state is a model-produced tool call whose complete `execute.command` is the literal `[content]` (ignoring ASCII whitespace around the token and brackets, and case). NemoClaw owns the managed alias middleware immediately before dispatch, not the model, serving template, or hash-locked canonical Deep Agents profile. Remove the guard only after those upstream paths no longer produce or convert the placeholder and the focused plus live tests pass with it deleted. ## Changes - Generate `force_nonempty_content = true` only for the two managed Ultra model IDs. - Add a managed-alias-only sync/async middleware guard for the exact placeholder; concrete execute commands and other tools pass through unchanged. - Validate rejection through the pinned LangChain `ToolMessage.content` API in the image validator, fixture, and hosted E2E probe. - Preserve atomic/idempotent profile registration with the process-local registry as source of truth and a lock around multi-key registration. - Persist the credential-free observability enable bit across environment-less policy restarts; create/rebuild/clone paths pass an explicit `1` or `0`. - Record invalid-state sources, regression evidence, and removal conditions in the dependency review. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: no CLI, setting, supported-model choice, or operator workflow changes; the internal dependency review is updated - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending maintainer review - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — combined Ultra, lifecycle, current-main, and acceptance suites passed 159/159; the post-hook launcher/acceptance subset passed 33/33 - [ ] Applicable broad gate passed — final exact-head regular CI and hosted Deep Agents Code E2E are running - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added model-specific “Ultra” configuration for selected OpenAI-compatible model IDs to enforce non-empty tool-call/reasoning content. * Added managed execute placeholder guard behavior and deeper end-to-end validation for Tavily policy remove/restore ordering and observability recovery. * **Bug Fixes** * Hardened managed execute handling to reject placeholder `execute` calls (including async/sync parity) while allowing concrete commands. * Improved managed alias registration for safer atomic idempotence and rollback. * **Documentation** * Updated compatibility/validation guidance and the dependency advisory review hash. * **Tests** * Expanded E2E/profile/config contract tests, including workflow host-dependency step ordering and guard dispatch assertions. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Prepares the user documentation for NemoClaw v0.0.78 by replacing the unreleased section with release highlights and synchronizing the affected inference, lifecycle, messaging, and CLI reference pages with merged behavior. ## Changes - Publish the v0.0.78 release-notes section with links to the most specific user guides for each shipped behavior. - Document authoritative Deep Agents route health, Nemotron Ultra profile behavior, and Hermes compatible-endpoint context metadata. - Document forced rebuild recovery after total backup failure and the ownership-safe tunnel/full-stop behavior. - Keep command examples and shared agent variants aligned with the current OpenClaw, Hermes, and Deep Agents interfaces. Source mapping: - [NVIDIA#3787](NVIDIA#3787) -> `docs/about/release-notes.mdx`: Record reliable workspace template seeding during sandbox startup. - [NVIDIA#4960](NVIDIA#4960) -> `docs/about/release-notes.mdx`: Record safer detection of rewritten OpenClaw gateway processes. - [NVIDIA#5676](NVIDIA#5676) -> `docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON handling. - [NVIDIA#5857](NVIDIA#5857) -> `docs/about/release-notes.mdx`: Record synchronization of explicit OpenClaw main-agent model state. - [NVIDIA#5929](NVIDIA#5929) -> `docs/about/release-notes.mdx`: Record copyable SSH port-forward guidance for remote dashboards. - [NVIDIA#6068](NVIDIA#6068) -> `docs/about/release-notes.mdx`: Record custom-image plugin provenance reconciliation. - [NVIDIA#6116](NVIDIA#6116) -> `docs/about/release-notes.mdx`: Record live-loopback dashboard-forward recovery. - [NVIDIA#6122](NVIDIA#6122) -> `docs/about/release-notes.mdx`: Announce validated, round-trippable policy YAML output. - [NVIDIA#6211](NVIDIA#6211) -> `docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild --force` recovery boundary. - [NVIDIA#6283](NVIDIA#6283) -> `docs/about/release-notes.mdx`: Record Hermes WebUI port alignment. - [NVIDIA#6293](NVIDIA#6293) -> `docs/inference/switch-inference-providers.mdx`, `docs/about/release-notes.mdx`: Document compatible-endpoint context-length probing for Hermes. - [NVIDIA#6320](NVIDIA#6320) -> `docs/about/release-notes.mdx`: Record bounded gateway-recovery waits. - [NVIDIA#6377](NVIDIA#6377) -> `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain rebuild diagnostics and prepared MCP-destroy recovery. - [NVIDIA#6412](NVIDIA#6412) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document authoritative agent-visible inference route health. - [NVIDIA#6421](NVIDIA#6421) -> `docs/about/release-notes.mdx`: Record the longer quiet-pull window for managed vLLM images. - [NVIDIA#6431](NVIDIA#6431) -> `docs/inference/model-capability-audit.mdx`, `docs/about/release-notes.mdx`: Document the version-pinned Nemotron Ultra profile plugin. - [NVIDIA#6439](NVIDIA#6439) -> `docs/about/release-notes.mdx`: Summarize the authenticated, pinned credential-capture helper boundary. - [NVIDIA#6450](NVIDIA#6450) -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document host-forward cleanup and ownership-safe gateway-port release. - [NVIDIA#6474](NVIDIA#6474) -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/about/release-notes.mdx`: Record composable OpenClaw messaging runtime loaders. - [NVIDIA#6475](NVIDIA#6475) -> `docs/about/release-notes.mdx`: Record removal of the unavailable Kimi K2.6 production endpoint option. - [NVIDIA#6480](NVIDIA#6480) -> `docs/about/release-notes.mdx`: Record stderr routing for the plugin registration banner. - [NVIDIA#6481](NVIDIA#6481) -> `docs/about/release-notes.mdx`: Record post-pull Ollama model discovery checks. - [NVIDIA#6482](NVIDIA#6482) -> `docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon restart. - [NVIDIA#6486](NVIDIA#6486) -> `docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep Agents auto-approval boundary. - [NVIDIA#6490](NVIDIA#6490) -> `docs/about/release-notes.mdx`: Record diagnostics for custom images missing the managed runtime. - [NVIDIA#6494](NVIDIA#6494) -> `docs/inference/model-capability-audit.mdx`, `docs/about/release-notes.mdx`: Document nonempty tool-call content preservation and placeholder rejection. - [NVIDIA#6497](NVIDIA#6497) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document isolated Deep Agents route-probe output. - [NVIDIA#6506](NVIDIA#6506) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document observability-preserving managed route probes. - [NVIDIA#6508](NVIDIA#6508) -> `docs/about/release-notes.mdx`: Link the new extension taxonomy and SDK-readiness reference from the release summary. Release-source verification: GitHub reports all 29 cited source PRs as merged with base `main`, and every merge commit is an ancestor of `origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No source-mapping mismatches were found. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Documentation-only release-prep changes; `npm run docs` validates variants, routes, and Fern content. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: Tests are not applicable to this documentation-only change set. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — exited 0 with zero errors; Fern reported the existing unauthenticated redirect-check and light-mode contrast warnings. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> --------- Signed-off-by: cjagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Follow-up to NVIDIA#6431 for exact-head validation failures that completed immediately before that PR merged. This isolates sequential DCode E2E state, preserves observability across policy-only reloads, lets generic OpenClaw cloud-onboard runs skip DCode-only TUI prerequisites, and closes the remaining valid advisor requests without changing user-facing behavior. ## Related Issue Follow-up to NVIDIA#6431, which closed NVIDIA#6424. No new issue. ## Changes - Remove the durable Tavily preset after check 09, arm cleanup on `EXIT`, and fail unless managed DCode Python returns to the default network denial. - Move check 12's `expect`, Node, and timeout prerequisites after its DCode sandbox guard. Generic `cloud-onboard` therefore skips correctly; typed DCode jobs continue to require and install `expect`. - Keep the credential-free observability enable marker in managed `/sandbox/.deepagents` state for exec/login recovery. Current `main` now owns the durable lifecycle: absent entrypoint env preserves the bit across policy-only restarts, while create/rebuild/clone pass an explicit authoritative `1` or `0`. Check 09 requires the host registry's DCode `observabilityEnabled=true` intent and the exact persistent marker to agree before and after Tavily policy mutation; it fails rather than reconstructing intent from sandbox-writable state. Host-managed network policy remains the egress boundary. - Reject a pre-existing non-regular or symlink marker target with a clear startup error, and use no-target-directory replacement so a raced directory cannot absorb the enabled marker. Fixtures cover both enabled and disabled startup. - In live check 11, remove only `observability-otlp-local`, recreate the exact marker as the sandbox user, and prove both the normally allowed raw route and marker-triggered deterministic instrumentation produce zero host captures. Restore only from an exactly inactive policy state before the existing positive trace checks. - Replace repeated credential-name limit literals with `CREDENTIAL_NAME_PREFIX_MAX_LENGTH` and prove every Bash quantifier remains equal to the canonical TypeScript context-pattern limit. - Cover exact 128/129 context-prefix behavior, oversized OpenShell placeholders, and Tavily cleanup-command failures through the real wrapper/self-test boundaries. - Preserve the merged NVIDIA#6494 Nemotron Ultra request hardening and its observability create/snapshot lifecycle while resolving the overlapping follow-up checks against current `main`. - Keep standalone DCode Tavily persistence and rebuild behavior unchanged. - Avoid the rejected alternative of adding a privileged 47-line apt/workflow boundary to the generic cloud job. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: no CLI, configuration, model-ID, policy, or user-visible behavior changes - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — fresh exact-head review pending - [ ] Non-success, skipped, or missing CI check accepted by maintainer — none currently accepted ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — after merging current `main`, focused DCode integration suites pass 210/210 and focused E2E-support suites pass 37/37. Bash syntax, ShellCheck, source-shape, test-size, build, TypeScript typecheck, commit, and pre-push hooks pass - [ ] Applicable broad gate passed — fresh exact-head CI, advisors, focused DCode E2E, cloud-onboard, and credential-sanitization pending - [ ] Quality Gates section completed with required justifications or waivers — exact-head sensitive-path review pending - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) ## Advisor dispositions - Source-of-truth review: the invalid state is a managed DCode exec losing host-selected observability because raw exec/login processes do not inherit entrypoint environment and policy mutation reloads do not re-run the entrypoint. Current `main` now owns `start.sh` materialization plus `dcode-launcher.sh` recovery under `/sandbox/.deepagents`; create/rebuild/clone carry the registry's explicit `1`/`0` intent, and snapshot restore honors that authoritative registry state so an earlier enabled snapshot does not override a later opt-out. This PR adds fail-closed registry/marker agreement checks and the no-policy export proof. Remove the bridge only when OpenShell both propagates the bit to exec/login processes and preserves it through policy reloads or re-runs the entrypoint. - Sequential Tavily isolation is exercised by the required typed target on one sandbox: check 09 proves denial immediately after cleanup; checks 10 and 11 do not mutate Tavily; check 12 rebuilds and then invokes check 06, which proves both managed and project-venv Python remain denied from `api.tavily.com`. This gives immediate and post-rebuild denial evidence without redundant probes after non-mutating checks. - The marker integration test runs the transformed `start.sh` with `NEMOCLAW_OBSERVABILITY=1`, verifies the `/sandbox/.deepagents/.nemoclaw-observability-enabled` value and mode, removes volatile runtime state, proves absent-env restart and launcher recovery, and proves explicit `0` removal. Live check 11 verifies the literal sandbox path. - The `/sandbox/.deepagents` marker is intentionally untrusted convenience state, not authorization. A sandbox user can request local instrumentation by recreating the exact marker, but cannot grant OTLP egress; the fixed exporter route remains subject to host-managed `observability-otlp-local` policy. Live check 11 removes that host policy, recreates the marker as the sandbox user, proves the exact raw route is denied without capture, and runs real marker-triggered deterministic instrumentation with zero captures before restoring the policy. It also retains alternate host/path/method/port and unmanaged-binary denials with policy active. - Check 09 no longer repairs observability by re-running the stateful entrypoint. The host registry is authoritative, the persistent marker is derived convenience state, and disagreement fails closed both before and after policy mutation. Merged NVIDIA#6506 prevents status/connect route probes from clearing that marker by using the side-effect-free managed-exec boundary. - Startup rejects directory, symlink, and other non-regular marker targets before either the enabled or disabled branch. Enabled replacement treats the destination as a file, closing the directory-descent edge case raised by the exact-head advisor. - Current `main` includes NVIDIA#6506's side-effect-free managed-exec boundary and NVIDIA#6494's durable observability lifecycle. Both are retained together with this PR's host-registry agreement checks and no-policy proof; no contributor work was replaced. - The proxy env file remains intentionally volatile in `/tmp`: each stateful entrypoint reconstructs it from root-owned image proxy inputs, while the observability marker under `/sandbox/.deepagents` must survive policy-only reloads that do not carry the sandbox-create environment. Their different locations reflect different lifetime contracts, not inconsistent authority. ## Exact-head validation plan - Re-run automatic CI, CodeRabbit, GPT, and Nemotron advisors on `0570b876d6e85bcb110823d5f8b6a5553d266f34`. - Re-run `ubuntu-repo-cloud-langchain-deepagents-code` to prove Tavily is denied after check 09 cleanup and remains denied across the check 12 rebuild. - Re-run `cloud-onboard` to prove the non-DCode sandbox skips before requiring `expect`. - Re-run `credential-sanitization` for the named-limit parity change. - Hold merge until tomorrow even if all gates pass earlier. ## Failure evidence addressed - Focused DCode run [28978277604](https://github.com/NVIDIA/NemoClaw/actions/runs/28978277604): check 09 left durable Tavily state that check 12 correctly replayed before the strict egress boundary. - Cloud/credential run [28978281322](https://github.com/NVIDIA/NemoClaw/actions/runs/28978281322): generic OpenClaw cloud-onboard required `expect` before reaching its DCode-only skip; credential-sanitization passed. - Superseded follow-up run [28980032707](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032707): Tavily cleanup and strict egress passed, then check 11 proved that policy reload had cleared the runtime-functional `/tmp` observability marker. The current head retains current `main`'s durable marker under `/sandbox/.deepagents`. - Superseded follow-up run [28980032711](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032711): cloud-onboard and credential-sanitization both passed. - Superseded follow-up run [28981014655](https://github.com/NVIDIA/NemoClaw/actions/runs/28981014655): after the marker moved to `/sandbox`, check 11 proved that Tavily policy cleanup could still reconstruct runtime convenience state and remove it. The current head uses current `main`'s absent-env-preserves lifecycle and fails if the authoritative registry and derived marker disagree; check 09 does not repair drift. - Superseded follow-up run [28981369440](https://github.com/NVIDIA/NemoClaw/actions/runs/28981369440): cloud-onboard and credential-sanitization both passed on the collaborator head; exact-head rerun pending. - Superseded follow-up run [28981690759](https://github.com/NVIDIA/NemoClaw/actions/runs/28981690759): check 09 restored Tavily but sampled observability after policy-add had already reloaded the sandbox, so check 11 found the marker absent. This showed that sandbox marker sampling cannot be the authoritative source of host intent. - Superseded follow-up run [28982642290](https://github.com/NVIDIA/NemoClaw/actions/runs/28982642290): check 09 restored Tavily and check 10 passed, but check 11 found the marker absent because a pre-NVIDIA#6506 status/connect route probe had already invoked the stateful entrypoint without observability. Current `main` supplies NVIDIA#6506's side-effect-free managed-exec probe and NVIDIA#6494's explicit observability lifecycle, while this head compares the host registry and persistent marker before and after policy mutation instead of masking drift with a repair. - Superseded exact-head focused run [28983221993](https://github.com/NVIDIA/NemoClaw/actions/runs/28983221993) passed every typed DCode check 03–12: check 09 reported 9/9, check 11 reported 11/11, and check 12 proved post-rebuild denial. Combined run [28983222022](https://github.com/NVIDIA/NemoClaw/actions/runs/28983222022) passed cloud-onboard and credential sanitization. These runs were invalidated only to address the advisor's unsafe-target edge case and add the stricter no-host-policy leak proof now running on the current head. - Superseded advisor run [28983777162](https://github.com/NVIDIA/NemoClaw/actions/runs/28983777162) rated the safety changes `merge_as_is` from GPT with no findings; Nemotron agreed both substantive findings were resolved and requested only the `/tmp` versus `/sandbox` lifetime cross-reference now present on the current head. --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved validation for credential names and context placeholders, including oversized names. * Strengthened proxy environment file handling to prevent destination-path issues. * Clarified and stabilized observability policy and marker handling. * **Tests** * Expanded end-to-end coverage for observability, Tavily access, tracing, and auto-approval behavior. * Standardized test environment paths and added boundary-case validation for credential patterns. * Improved platform-specific launcher test reliability. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Summary
Replaces NemoClaw's build-time mutation of the released Deep Agents bootstrap with a first-party
deepagents.harness_profilesplugin fordeepagents-code==0.1.34/deepagents==0.7.0a6. The two managed OpenAI-compatible model keys continue to receive the released native Nemotron 3 Ultra profile, with exact version/source gates and no third-party source changes.Related Issue
Fixes #6424
Changes
nemoclaw-deepagents-profile==0.1.0through Deep Agents' supported profile entry-point lifecycle./agentsfirst-run TUI behavior from [Brev][DCode] Interactive TUI shows model picker despite managed config.toml having default model set #6410 / fix(dcode): allow first-run name prompt while suppressing model picker #6418.Automated review dispositions
setuptools==82.0.1; the production validator now requires exact installed-wheelLicense-Expression: Apache-2.0metadata, with a negative metadata-drift test. The legacy conversion is a localized offline wrong-version fixture with explicit source-boundary and removal-condition documentation. Remove the fixture-only conversion once runner setuptools accepts PEP 639 strings; production never uses it.ARGname outside a complete reviewed allowlist, while tests pin the only passed build arguments to the two publicBASE_IMAGEreferences. Behavior tests inject unreviewed uppercase, lowercase, and continued ARG declarations across all three Dockerfiles and prove rejection occurs before any build; the targeted DCode E2E job runs the same script with real Docker before live tests.PASS/PASSWD, quoted/space-separated assignments, punctuation-bearing values, and bounded camel/acronym aliases now share the same fail-closed policy across the Bash wrapper, managed Python runtime, observability scrubber, config filter, full/sensitive-text redactors, structured-log classifier, TUI sanitizer, and E2E redactors. The separator lookbehind is capped at 32 horizontal characters to prevent attacker-controlled scans; private-key blocks are scrubbed before assignment matching. Positive tests covercustomPass,DBPass, and known secret*Keyfamilies, whileCOMPASS/BYPASS,TOPSECRET/SUBTOKEN, pass-rate fields,publicKey, andcustomKeyremain untouched..env. The split credential suite now proves both sides explicitly, matching the existing wrapper-identity coverage; allowing it in.envwould weaken the boundary.if: always()as the final job step. A DCode-specific mutation test now also rejects moving cleanup before the import gate.Current-head security review
pyproject.tomlandsrc/nemoclaw_deepagents_profile/__init__.py, rejects any other regularfile in the build tree, and hash-verifies both before the offline install.
The image contract pins those exact two COPY directives and the manifest
gate; there is no directory-wide plugin copy.
replyTokensource fix: test-owned correlation metadata caused a globalsecret-name exception that could preserve a real opaque credential. Test
correlation now uses
correlationMarker; exactreplyTokenvalues areredacted or rejected in TypeScript, Python, Bash, observability, TUI, and
E2E boundaries, with structured, text, runtime, and real-wrapper regressions.
accessToken,sessionToken,clientSecret, bareKEY/PASS/PASSWD, and uppercase*_KEYremainintentional credential contexts. They are not safe OAuth exceptions.
Near-miss tests preserve
COMPASS/BYPASS, pass-rate fields,publicKey,customKey, andcorrelationMarker.positive corpus exercise the actual managed Python runtime, observability
scrubber, and real Bash wrapper; a private-function-only Bash test would be
weaker than the current entrypoint coverage.
casing, defaults, and continuation used by the three gated Dockerfiles and
rejects unknown names before Docker runs. The legacy license conversion is
confined to an offline wrong-version test fixture; production builds with
pinned setuptools 82.0.1 and validates installed License-Expression.
Type of Change
Quality Gates
e2e-allbaseline failures accepted in refactor(dcode): replace Nemotron source patch with profile plugin #6431 (review); follow-ups [Ubuntu 24.04][Sandbox] nemohermes shields down fails on fresh Hermes sandbox — strict hash verification failed for Hermes restart seal #6381/fix(shields): reconcile startup API key on first Hermes shields down (#6381) #6384 and test(e2e): fix empty OpenClaw Slack runtime proof #6467/fix(messaging): compose OpenClaw runtime loaders #6474.Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpm run build:cliandnpm run check:diffpassednpm run docsbuilds without warnings (doc changes only)Exact-head validation
commits and will not be used for merge.
ubuntu-repo-cloud-langchain-deepagents-codetarget will run on the exactpushed SHA.
policy-channel-listtest timeout; the changed security/image suites passlocally as recorded above.
Signed-off-by: Aaron Erickson aerickson@nvidia.com
Summary by CodeRabbit
pass/passwdcredential variants, PEM private keys, and related credential/token patterns; added stricter near-miss handling.