Skip to content

refactor(dcode): replace Nemotron source patch with profile plugin#6431

Merged
cv merged 57 commits into
mainfrom
fix/dcode-nemotron-ultra-profile-plugin
Jul 8, 2026
Merged

refactor(dcode): replace Nemotron source patch with profile plugin#6431
cv merged 57 commits into
mainfrom
fix/dcode-nemotron-ultra-profile-plugin

Conversation

@ericksoa

@ericksoa ericksoa commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Replaces NemoClaw's build-time mutation of the released Deep Agents bootstrap with a first-party deepagents.harness_profiles plugin for deepagents-code==0.1.34 / deepagents==0.7.0a6. The two managed OpenAI-compatible model keys continue to receive the released native Nemotron 3 Ultra profile, with exact version/source gates and no third-party source changes.

Related Issue

Fixes #6424

Changes

  • Add and install nemoclaw-deepagents-profile==0.1.0 through Deep Agents' supported profile entry-point lifecycle.
  • Register only the two NemoClaw-managed aliases against the released canonical Ultra profile, atomically and idempotently.
  • Fail the image build on missing or unimportable dependencies, mismatched distribution/package roots, copied/installed adapter-source drift, or released-profile/bootstrap drift.
  • Run a DCode-only negative Docker build from the current hash-locked base, strip both upstream distributions, and prove failure occurs at the isolated import gate before the later dependency check.
  • Build and install a real unreviewed-version plugin wheel and prove the actual validator rejects it.
  • Verify entry-point discovery, all 12 middleware entries, unrelated-model isolation, graph compilation, and allowed/denied execute-dispatch parity against the official wheels.
  • Split image/runtime and credential-boundary contracts into balanced 756/755-line suites with a 113-line shared helper, preserving all 75 original tests and substantial per-file size headroom.
  • Remove the installed-bootstrap patcher and document that the adapter must be removed, not rehashed, once reviewed dependencies provide both exact aliases.
  • Preserve the merged DCode hardening and paced /agents first-run TUI behavior from [Brev][DCode] Interactive TUI shows model picker despite managed config.toml having default model set #6410 / fix(dcode): allow first-run name prompt while suppressing model picker #6418.

Automated review dispositions

  • License metadata: the production package keeps the PEP 639 SPDX string and builds unchanged with lock-pinned setuptools==82.0.1; the production validator now requires exact installed-wheel License-Expression: Apache-2.0 metadata, with a negative metadata-drift test. The legacy conversion is a localized offline wrong-version fixture with explicit source-boundary and removal-condition documentation. Remove the fixture-only conversion once runner setuptools accepts PEP 639 strings; production never uses it.
  • Plain-progress build output: plain progress remains necessary to prove the exact import-failure marker. Before Docker runs, the gate now rejects every Docker ARG name outside a complete reviewed allowlist, while tests pin the only passed build arguments to the two public BASE_IMAGE references. Behavior tests inject unreviewed uppercase, lowercase, and continued ARG declarations across all three Dockerfiles and prove rejection occurs before any build; the targeted DCode E2E job runs the same script with real Docker before live tests.
  • Adapter build-layer retention: Docker can retain the copied project tree in an image layer or failed local build cache. This is accepted because it contains only public, first-party Apache-2.0 source and metadata, while the installed Python module necessarily ships the same source; revisit if any adapter input becomes secret-bearing or non-public.
  • Credential redaction parity: PASS/PASSWD, quoted/space-separated assignments, punctuation-bearing values, and bounded camel/acronym aliases now share the same fail-closed policy across the Bash wrapper, managed Python runtime, observability scrubber, config filter, full/sensitive-text redactors, structured-log classifier, TUI sanitizer, and E2E redactors. The separator lookbehind is capped at 32 horizontal characters to prevent attacker-controlled scans; private-key blocks are scrubbed before assignment matching. Positive tests cover customPass, DBPass, and known secret *Key families, while COMPASS/BYPASS, TOPSECRET/SUBTOKEN, pass-rate fields, publicKey, and customKey remain untouched.
  • OpenShell TLS key provenance: the canonical mounted path is intentionally accepted only from the supervisor-owned runtime environment and rejected from the mutable DCode .env. The split credential suite now proves both sides explicitly, matching the existing wrapper-identity coverage; allowing it in .env would weaken the boundary.
  • Docker auth cleanup: the shared workflow validator requires exactly one canonical cleanup with if: always() as the final job step. A DCode-specific mutation test now also rejects moving cleanup before the import gate.
  • Private-key and fixture helpers: multiline private-key matching is consolidated into the live generic matcher with a required-newline mode, preserving comment behavior while removing 12 lines. Profile-hash fixture replacement is now whitespace/quote tolerant while still requiring one exact reviewed constant and digest. A focused regression covers both formatting variants and duplicate-definition rejection; use an AST transform only if the current two-constant scope grows.

Current-head security review

  • Plugin build inputs: the Dockerfile copies only pyproject.toml and
    src/nemoclaw_deepagents_profile/__init__.py, rejects any other regular
    file in the build tree, and hash-verifies both before the offline install.
    The image contract pins those exact two COPY directives and the manifest
    gate; there is no directory-wide plugin copy.
  • replyToken source fix: test-owned correlation metadata caused a global
    secret-name exception that could preserve a real opaque credential. Test
    correlation now uses correlationMarker; exact replyToken values are
    redacted or rejected in TypeScript, Python, Bash, observability, TUI, and
    E2E boundaries, with structured, text, runtime, and real-wrapper regressions.
  • Fail-closed credential names: opaque accessToken, sessionToken,
    clientSecret, bare KEY/PASS/PASSWD, and uppercase *_KEY remain
    intentional credential contexts. They are not safe OAuth exceptions.
    Near-miss tests preserve COMPASS/BYPASS, pass-rate fields, publicKey,
    customKey, and correlationMarker.
  • Cross-runtime parity: canonical pattern fingerprints plus the shared
    positive corpus exercise the actual managed Python runtime, observability
    scrubber, and real Bash wrapper; a private-function-only Bash test would be
    weaker than the current entrypoint coverage.
  • Import-gate/fixture scope: the reviewed ARG allowlist handles Docker ARG
    casing, defaults, and continuation used by the three gated Dockerfiles and
    rejects unknown names before Docker runs. The legacy license conversion is
    confined to an offline wrong-version test fixture; production builds with
    pinned setuptools 82.0.1 and validates installed License-Expression.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — current security/image integration suite 188/188; CLI redaction 19/19; E2E redaction boundary 28/28; npm run build:cli and npm run check:diff passed
  • Applicable broad gate passed — fresh exact-head CI, advisors, and hosted Deep Agents Code E2E are pending for the new security-review head
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Exact-head validation

  • Previous exact-head evidence is superseded by the current security-review
    commits and will not be used for merge.
  • Fresh regular CI, GPT/Nemotron advisors, CodeRabbit, and the hosted
    ubuntu-repo-cloud-langchain-deepagents-code target will run on the exact
    pushed SHA.
  • The only failure on the superseded head was an unrelated five-second
    policy-channel-list test timeout; the changed security/image suites pass
    locally as recorded above.

Signed-off-by: Aaron Erickson aerickson@nvidia.com

Summary by CodeRabbit

  • New Features
    • Added a managed profile-plugin workflow for Nemotron Ultra with hash-verified offline installation and entry-point-based alias registration, plus isolated profile validation.
    • Expanded workflow/E2E checks to cover the DCode profile import gate, startup validation ordering, and dispatch/parser parity.
  • Bug Fixes
    • Improved secret detection and redaction for expanded pass/passwd credential variants, PEM private keys, and related credential/token patterns; added stricter near-miss handling.
    • Strengthened fail-closed validation so builds/tests stop if trusted profile sources, plugins, or imports don’t match expected integrity gates.

ericksoa added 3 commits July 7, 2026 18:50
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…tra-profile-plugin

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@ericksoa ericksoa self-assigned this Jul 8, 2026
@ericksoa ericksoa added refactor PR restructures code without intended behavior change area: inference Inference routing, serving, model selection, or outputs area: packaging Packages, images, registries, installers, or distribution integration: dcode LangChain Deep Code integration behavior v0.0.77 Release target labels Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 16ea5231-68c7-4027-9cd5-75e98b0f855e

📥 Commits

Reviewing files that changed from the base of the PR and between 39bfc83 and 79c3d85.

📒 Files selected for processing (7)
  • .github/workflows/e2e.yaml
  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • scripts/check-dcode-profile-import-gate.sh
  • test/e2e/support/platform-parity-cloud-experimental.test.ts
  • test/langchain-deepagents-code-image.test.ts
🚧 Files skipped from review as they are similar to previous changes (6)
  • test/langchain-deepagents-code-image.test.ts
  • .github/workflows/e2e.yaml
  • agents/langchain-deepagents-code/Dockerfile
  • scripts/check-dcode-profile-import-gate.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/dcode-wrapper.sh

📝 Walkthrough

Walkthrough

This PR replaces the Nemotron Ultra bootstrap patch with a managed profile plugin, adds a stripped-base import gate, expands PASS-aware secret handling, and renames OpenClaw correlation fields from replyToken to replyMarker across tests and runtime checks.

Changes

Managed Profile Plugin Replacement

Layer / File(s) Summary
Plugin package and registration
agents/langchain-deepagents-code/profile-plugin/.gitignore, agents/langchain-deepagents-code/profile-plugin/pyproject.toml, agents/langchain-deepagents-code/profile-plugin/src/nemoclaw_deepagents_profile/__init__.py
Adds the first-party harness-profile plugin package and its version-gated, hash-checked alias registration logic with rollback.
Validator and import gate
agents/langchain-deepagents-code/validate-nemotron-ultra-profile.py, scripts/check-dcode-profile-import-gate.sh, .github/workflows/e2e.yaml, tools/e2e/workflow-boundary.mts, test/Dockerfile.dcode-profile-missing-dependencies
Adds trusted source discovery, entry-point validation, dispatch parity checks, the DCode import-gate script, workflow boundary enforcement, and the stripped-base Docker fixture.
Plugin validation and build gate tests
test/langchain-deepagents-code-nemotron-profile-plugin.test.ts, test/langchain-deepagents-code-profile-build-gate.test.ts, test/e2e/support/dcode-profile-import-gate-workflow-boundary.test.ts, test/e2e/e2e-cloud-experimental/checks/03-deepagents-code-nemotron-ultra-profile.sh, test/e2e/support/platform-parity-cloud-experimental.test.ts, test/langchain-deepagents-code-image.test.ts, agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/patch-nemotron-ultra-profile.py (removed)
Adds isolated fixture tests for plugin metadata, entry-point validation, alias registration, rollback, source preservation, and fake-docker gate simulation, and updates the Dockerfile contract to install the plugin instead of running the removed patch script.
Dependency review and release narrative
agents/langchain-deepagents-code/dependency-review.md
Updates the reviewed profile contract narrative, version/hash expectations, and fail-closed validator description around the plugin-based flow.

PASS Secret-Pattern Expansion

Layer / File(s) Summary
Runtime and redaction patterns
agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/nemoclaw_observability.py, src/lib/security/secret-patterns.ts, src/lib/security/redact.ts, src/lib/security/credential-filter.ts
Broadens PASS/PASSWD detection and redaction across shell, Python, and shared TypeScript security code, including updated regex character classes and key classification.
Parity and fixture coverage
src/lib/security/credential-filter-secret-patterns.test.ts, src/lib/security/redact.test.ts, test/deepagents-code-tui-startup-check.test.ts, test/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.sh, test/e2e/fixtures/redaction.ts, test/e2e/support/e2e-redaction-entry.test.ts, test/fixtures/deepagents-observability-harness.py, test/helpers/langchain-deepagents-code-secret-patterns.ts, test/langchain-deepagents-code-observability.test.ts, test/langchain-deepagents-code-secret-pattern-parity.test.ts, test/langchain-deepagents-code-image-credentials.test.ts, agents/langchain-deepagents-code/validate-observability.py, src/lib/security/credential-filter.test.ts
Adds PASS-positive vectors, benign near-miss assertions, and broader redaction fixtures and parity checks across managed runtime, observability scrubbing, and image credential handling.

OpenClaw Reply-Marker Correlation

Layer / File(s) Summary
Trace shapes and correlation logic
test/e2e/live/openclaw-tui-chat-correlation.test.ts, test/openclaw-tui-chat-correlation.test.ts
Renames correlation fields from replyToken to replyMarker throughout the trace model, analysis logic, live repro script, and assertions.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Dockerfile as DCode Dockerfile
  participant Plugin as nemoclaw_deepagents_profile
  participant DeepAgents as deepagents package
  participant Validator as validate-nemotron-ultra-profile.py
  Dockerfile->>Plugin: pip install profile-plugin (offline, hash-checked)
  Dockerfile->>Plugin: isolated python -I import gate
  Plugin->>DeepAgents: verify versions and source hashes
  Plugin->>DeepAgents: register() via harness_profiles entry point
  DeepAgents-->>Plugin: canonical profile mapped to two alias keys
  Dockerfile->>Validator: run validator after build
  Validator->>DeepAgents: re-verify entry point and official sources
  Validator->>Validator: compare repaired vs native dispatch parity
Loading
sequenceDiagram
  participant CI as check-dcode-profile-import-gate.sh
  participant BaseImage as Dockerfile.base
  participant Stripped as Dockerfile.dcode-profile-missing-dependencies
  participant Prod as DCode production Dockerfile
  CI->>BaseImage: build source-base image
  CI->>Stripped: build stripped image (removes deepagents deps)
  CI->>Prod: build production image with BASE_IMAGE=stripped
  Prod-->>CI: fails at NEMOCLAW_DCODE_PROFILE_IMPORT_GATE marker
  CI->>CI: assert ModuleNotFoundError present in build log
Loading

Suggested labels: area: architecture, security

Suggested reviewers: jyaunches, cv

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The PR also changes unrelated security/redaction and OpenClaw replyMarker code outside #6424's plugin-migration scope. Split unrelated redaction/correlation work into separate PRs, or add explicit issue links and rationale if it is intentionally part of this change.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: replacing the Nemotron source patch with a profile plugin.
Linked Issues check ✅ Passed The plugin, hash gates, atomic registration, patch removal, and focused tests align with #6424's acceptance criteria.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/dcode-nemotron-ultra-profile-plugin

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 76%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 0e0807d 79c3d85 +/-
src/lib/actions...-add-restart.ts 19% 14% -5%
src/lib/inference/config.ts 100% 97% -3%
src/lib/runner.ts 83% 80% -3%
src/lib/adapters/http/probe.ts 91% 89% -2%
src/lib/actions...ridge-policy.ts 62% 64% +2%
src/lib/state/config-io.ts 88% 93% +5%
src/lib/actions...lution-probe.ts 88% 94% +6%
src/lib/actions...e-validation.ts 81% 90% +9%
src/lib/actions...x/mcp-bridge.ts 35% 44% +9%
src/lib/actions...ge-preflight.ts 74% 89% +15%

Updated July 08, 2026 22:00 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28913153343
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
live ⚠️ cancelled

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: ubuntu-repo-cloud-langchain-deepagents-code, credential-sanitization, credential-migration, openclaw-tui-chat-correlation, cloud-onboard
Optional E2E: inference-routing, mcp-bridge

Dispatch hint: targets=ubuntu-repo-cloud-langchain-deepagents-code; jobs=credential-sanitization,credential-migration,openclaw-tui-chat-correlation

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • ubuntu-repo-cloud-langchain-deepagents-code (high): Required because the PR changes the DCode sandbox image, runtime wrapper, managed profile plugin, observability boundary, TUI startup check, and the workflow-only DCode profile import gate. This registry target performs real cloud onboarding for langchain-deepagents-code and runs the DCode profile, secret-boundary, headless inference, observability, TUI startup, and rebuild/credential lifecycle checks.
  • credential-sanitization (high): Required because canonical redaction, credential filtering, secret patterns, fixture redaction, and DCode/observability redaction mirrors changed. This live job runs install/onboard against a real sandbox and verifies hosted-credential sanitization and redacted artifact/log handling.
  • credential-migration (medium): Required because credential-filter.ts is used to strip credential-bearing config during migration/backup paths. This live job exercises legacy credential migration into the current OpenShell/NemoClaw credential model and verifies secrets are not baked into sandbox state.
  • openclaw-tui-chat-correlation (high): Required because the PR changes the live OpenClaw TUI chat correlation test itself. This job validates the updated real assistant websocket/chat-history correlation contract against hosted inference.
  • cloud-onboard (high): Changed onboard, trace timing, scorecard, or E2E workflow code can affect cloud onboard wall-clock behavior and should refresh the trusted cloud-onboard trace timing signal.

Optional E2E

  • inference-routing (medium): Useful adjacent confidence for provider-route classification and cleanup because the PR changes managed model/profile routing and secret-pattern handling, but the DCode registry target already exercises the affected live DCode inference route.
  • mcp-bridge (high): Useful adjacent confidence if maintainers want extra coverage of credential-bearing MCP config and the DCode adapter, since credential filtering and DCode managed runtime secret checks changed. Not merge-blocking because the changed MCP-specific runtime code is not the primary diff and required credential/DCode jobs cover the core boundaries.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: targets=ubuntu-repo-cloud-langchain-deepagents-code; jobs=credential-sanitization,credential-migration,openclaw-tui-chat-correlation

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: openclaw-tui-chat-correlation, e2e-all
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation
  • gh workflow run e2e.yaml --ref <pr-head-ref>

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • openclaw-tui-chat-correlation: Focused free-standing E2E job wired for changed live test test/e2e/live/openclaw-tui-chat-correlation.test.ts.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation
  • e2e-all: The PR changes shared E2E target workflow machinery in .github/workflows/e2e.yaml and shared test/e2e fixtures/support, including redaction fixtures and workflow-boundary support. Those surfaces can affect matrix execution and multiple live-supported registry targets, so run the full supported E2E target fan-out.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref>

Optional E2E targets

  • None.

Relevant changed files

  • .github/workflows/e2e.yaml
  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/nemoclaw_observability.py
  • agents/langchain-deepagents-code/patch-nemotron-ultra-profile.py
  • agents/langchain-deepagents-code/profile-plugin/.gitignore
  • agents/langchain-deepagents-code/profile-plugin/pyproject.toml
  • agents/langchain-deepagents-code/profile-plugin/src/nemoclaw_deepagents_profile/__init__.py
  • agents/langchain-deepagents-code/validate-nemotron-ultra-profile.py
  • agents/langchain-deepagents-code/validate-observability.py
  • scripts/check-dcode-profile-import-gate.sh
  • src/lib/security/credential-filter.ts
  • src/lib/security/redact.ts
  • src/lib/security/secret-patterns.ts
  • test/Dockerfile.dcode-profile-missing-dependencies
  • test/e2e/e2e-cloud-experimental/checks/03-deepagents-code-nemotron-ultra-profile.sh
  • test/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.sh
  • test/e2e/fixtures/redaction.ts
  • test/e2e/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e/support/dcode-profile-import-gate-workflow-boundary.test.ts
  • test/e2e/support/e2e-redaction-entry.test.ts
  • test/e2e/support/platform-parity-cloud-experimental.test.ts
  • tools/e2e/workflow-boundary.mts

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Fix PRA-2: Missing positive test vectors for new camelCase and KEY standalone secret patterns; then add or justify PRA-T1.
Open items: 2 required · 4 warnings · 3 suggestions · 8 test follow-ups
Since last review: 1 prior item resolved · 5 still apply · 6 new items found

Action checklist

  • PRA-2 Fix: Missing positive test vectors for new camelCase and KEY standalone secret patterns in test/helpers/langchain-deepagents-code-secret-patterns.ts:1
  • PRA-3 Fix: Magic number 128 in Bash credential-name prefix regex not extracted to named constant in agents/langchain-deepagents-code/dcode-wrapper.sh:150
  • PRA-1 Resolve or justify: Source-of-truth review needed: Legacy license conversion in real-wheel test
  • PRA-4 Resolve or justify: Awk-based ARG parser may miss Dockerfile syntax variations in scripts/check-dcode-profile-import-gate.sh:28
  • PRA-5 Resolve or justify: Validator double-runs full validation instead of targeted re-check in agents/langchain-deepagents-code/validate-nemotron-ultra-profile.py:180
  • PRA-6 Resolve or justify: Test fixture uses custom regex parser for hash substitution in test/langchain-deepagents-code-nemotron-profile-plugin.test.ts:40
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Missing positive test vectors for new camelCase and KEY standalone secret patterns
  • PRA-T6 Add or justify test follow-up: Test fixture uses custom regex parser for hash substitution
  • PRA-T7 Add or justify test follow-up: No real Docker build test for hash verification failure
  • PRA-T8 Add or justify test follow-up: Legacy license conversion in real-wheel test
  • PRA-7 In-scope improvement: Real-wheel test substitutes PEP 639 license with legacy format for older runner setuptools in test/langchain-deepagents-code-nemotron-profile-plugin.test.ts:199
  • PRA-8 In-scope improvement: No real Docker build test for hash verification failure in test/langchain-deepagents-code-profile-build-gate.test.ts:1
  • PRA-9 In-scope improvement: Dependency review documentation is verbose but serves as executable supply-chain record in agents/langchain-deepagents-code/dependency-review.md:25

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-2 Required tests test/helpers/langchain-deepagents-code-secret-patterns.ts:1 Add positive test vectors for each new pattern group in CANONICAL_SECRET_POSITIVE_VECTORS with patternGroup: 'context' and correct patternIndex (2 for camelCase, 3 for KEY standalone). Include vectors like 'accessToken=opaqueSecret123', 'clientSecret=opaqueSecret123', 'customPass=opaqueSecret123' for index 2 and 'KEY=opaqueSecret123' for index 3.
PRA-3 Required security agents/langchain-deepagents-code/dcode-wrapper.sh:150 Extract 128 to a readonly variable at top of script (e.g., readonly MAX_CRED_NAME_PREFIX=128) with comment explaining it mirrors TypeScript CONTEXT_PATTERNS maximum prefix length. Update all three occurrences in has_context_secret_shape() and is_openshell_env_placeholder_for_name().
PRA-4 Resolve/justify workflow scripts/check-dcode-profile-import-gate.sh:28 Accept as documented localized workaround. The allowlist is small and stable (12 ARGs). Consider replacing with 'docker build --print-build-args' or Python Dockerfile parser if syntax variations become problematic. The workflow-boundary test pins the gate script and ARG allowlist.
PRA-5 Resolve/justify correctness agents/langchain-deepagents-code/validate-nemotron-ultra-profile.py:180 Either make second validation targeted (re-verify only plugin hash and bootstrap) as suggested in previous review, or keep as-is with clearer comment that full re-validation is deliberate defense-in-depth against any state mutation between import and graph compilation.
PRA-6 Resolve/justify tests test/langchain-deepagents-code-nemotron-profile-plugin.test.ts:40 Document as test-only limitation with clear comment. The two-constant scope is stable. If scope grows, replace with AST-based transform.
PRA-7 Improvement architecture test/langchain-deepagents-code-nemotron-profile-plugin.test.ts:199 Add CI step that checks runner setuptools version and fails if >= 61.0.0 (first PEP 639 support) but legacy conversion remains. Document removal condition clearly in test and dependency-review.md.
PRA-8 Improvement tests test/langchain-deepagents-code-profile-build-gate.test.ts:1 Add test to test/langchain-deepagents-code-profile-build-gate.test.ts that builds the production Dockerfile with an extra file in profile-plugin/ and asserts the build fails at the hash verification step (the 'find' command that checks exactly two files).
PRA-9 Improvement architecture agents/langchain-deepagents-code/dependency-review.md:25 Keep as-is. This is not a simplification target — it's the authoritative record for the adapter's reviewed state.

🚨 Required before merge

Address these before merging unless a maintainer explicitly overrides the advisor with rationale.

PRA-2 Required — Missing positive test vectors for new camelCase and KEY standalone secret patterns

  • Location: test/helpers/langchain-deepagents-code-secret-patterns.ts:1
  • Category: tests
  • Problem: The CANONICAL_SECRET_POSITIVE_VECTORS array lacks entries for CONTEXT_PATTERNS indices 2 (camelCase credential suffixes: Token/Secret/Credential/Password/Passwd/Pass) and 3 (KEY standalone pattern). The parity test validates coveredIndices against pattern length but passes because no vectors reference these indices, allowing silent drift across TypeScript, Bash, and Python mirrors.
  • Impact: If canonical patterns at indices 2 or 3 are broken or diverge from the TypeScript source, the parity test will not detect it. Secret-shaped values matching these new patterns could bypass detection in the Bash wrapper, managed Python runtime, or observability scrubber.
  • Required action: Add positive test vectors for each new pattern group in CANONICAL_SECRET_POSITIVE_VECTORS with patternGroup: 'context' and correct patternIndex (2 for camelCase, 3 for KEY standalone). Include vectors like 'accessToken=opaqueSecret123', 'clientSecret=opaqueSecret123', 'customPass=opaqueSecret123' for index 2 and 'KEY=opaqueSecret123' for index 3.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Run test/langchain-deepagents-code-secret-pattern-parity.test.ts — it validates coveredIndices equals pattern length at lines 95-110. After adding vectors, the test will fail if any canonical pattern index lacks a positive vector.
  • Missing regression test: Positive vectors for camelCase patterns (patternIndex 2) and KEY standalone pattern (patternIndex 3) in CANONICAL_SECRET_POSITIVE_VECTORS
  • Done when: The required change is committed and verification passes: Run test/langchain-deepagents-code-secret-pattern-parity.test.ts — it validates coveredIndices equals pattern length at lines 95-110. After adding vectors, the test will fail if any canonical pattern index lacks a positive vector.
  • Evidence: CONTEXT_PATTERNS in secret-patterns.ts has 4 entries (indices 0-3). CANONICAL_SECRET_POSITIVE_VECTORS only has vectors for indices 0 (Bearer) and 1 (UPPER_SNAKE_CASE assignment). No vectors reference index 2 (camelCase) or index 3 (KEY standalone).

PRA-3 Required — Magic number 128 in Bash credential-name prefix regex not extracted to named constant

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:150
  • Category: security
  • Problem: The Bash wrapper uses {1,128} quantifier in three regexes (lines 150, 151, 375) to bound credential name prefix length, mirroring TypeScript CONTEXT_PATTERNS. No named constant exists; if TypeScript changes the limit, the Bash mirror silently diverges.
  • Impact: Silent divergence between TypeScript and Bash credential detection could allow secret-shaped values with longer prefixes to bypass the wrapper's runtime/env-file guard and reach the managed inference plane.
  • Required action: Extract 128 to a readonly variable at top of script (e.g., readonly MAX_CRED_NAME_PREFIX=128) with comment explaining it mirrors TypeScript CONTEXT_PATTERNS maximum prefix length. Update all three occurrences in has_context_secret_shape() and is_openshell_env_placeholder_for_name().
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Check dcode-wrapper.sh lines 150, 151, 375 — all three regexes use {1,128} directly. No named constant exists in the script.
  • Missing regression test: Parity test already validates pattern source/flags match; add a check that the numeric quantifier in Bash regex matches TypeScript pattern source
  • Done when: The required change is committed and verification passes: Check dcode-wrapper.sh lines 150, 151, 375 — all three regexes use {1,128} directly. No named constant exists in the script.
  • Evidence: dcode-wrapper.sh lines 148-152 show three regexes with {1,128}. Line 375 validates env name length <= 128. TypeScript CONTEXT_PATTERNS uses {1,128} in lookbehind assertions.
Review findings by urgency: 2 required fixes, 4 items to resolve/justify, 3 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: Legacy license conversion in real-wheel test

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Test documents conversion; CI step needed to detect runner upgrade
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: dependency-review.md documents invalidState, sourceBoundary, whyNotSourceFix, regressionTest, removalCondition

PRA-4 Resolve/justify — Awk-based ARG parser may miss Dockerfile syntax variations

  • Location: scripts/check-dcode-profile-import-gate.sh:28
  • Category: workflow
  • Problem: The import gate script uses awk to extract ARG names from three Dockerfiles for the allowlist gate. Awk may miss Dockerfile syntax variations (continued lines with comments, mixed case, ARG with default values containing =). The allowlist is small and stable but this is a known parser limitation.
  • Impact: If a reviewed Dockerfile adds an ARG with syntax that awk doesn't parse, the allowlist gate could either reject a valid build or allow an unreviewed ARG through.
  • Recommended action: Accept as documented localized workaround. The allowlist is small and stable (12 ARGs). Consider replacing with 'docker build --print-build-args' or Python Dockerfile parser if syntax variations become problematic. The workflow-boundary test pins the gate script and ARG allowlist.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check scripts/check-dcode-profile-import-gate.sh lines 28-55: awk extracts ARG names; case statement validates against hardcoded allowlist. The script comment documents this limitation.
  • Missing regression test: test/e2e/support/dcode-profile-import-gate-workflow-boundary.test.ts validates workflow boundary; consider adding unit test for awk parser against Dockerfile syntax variations
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check scripts/check-dcode-profile-import-gate.sh lines 28-55: awk extracts ARG names; case statement validates against hardcoded allowlist. The script comment documents this limitation.
  • Evidence: Script comment: 'The primary security boundary is the exact ARG-name allowlist below, which covers agents/langchain-deepagents-code/Dockerfile.base, test/Dockerfile.dcode-profile-missing-dependencies, and agents/langchain-deepagents-code/Dockerfile. Those three reviewed Dockerfiles contain no secret-bearing ARGs.'

PRA-5 Resolve/justify — Validator double-runs full validation instead of targeted re-check

  • Location: agents/langchain-deepagents-code/validate-nemotron-ultra-profile.py:180
  • Category: correctness
  • Problem: validate_profile_entry_point() and validate_official_sources() run once before graph/dispatch checks and again after. Comment says this 'closes the install/import-to-validation window' but full re-validation adds ~200ms. Previous review suggested targeted re-verification (plugin hash + bootstrap only).
  • Impact: Double validation adds ~200ms to image build time. Not a security issue, but the comment doesn't explain why full re-validation is needed vs targeted re-check of plugin hash + bootstrap.
  • Recommended action: Either make second validation targeted (re-verify only plugin hash and bootstrap) as suggested in previous review, or keep as-is with clearer comment that full re-validation is deliberate defense-in-depth against any state mutation between import and graph compilation.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check validate-nemotron-ultra-profile.py main(): validate_profile_entry_point() and validate_official_sources() called at lines ~180 and again at lines ~390-395.
  • Missing regression test: No specific test for double-validation behavior; validator tests cover overall pass/fail
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check validate-nemotron-ultra-profile.py main(): validate_profile_entry_point() and validate_official_sources() called at lines ~180 and again at lines ~390-395.
  • Evidence: Validator main() calls validate_profile_entry_point() and validate_official_sources() at line ~180, then again at lines ~390-395 with comment 'Final source re-verification matches Dockerfile's import-gate marker: re-bind and re-hash the plugin plus both official files after graph and dispatch checks to close the install/import-to-validation window.'

PRA-6 Resolve/justify — Test fixture uses custom regex parser for hash substitution

  • Location: test/langchain-deepagents-code-nemotron-profile-plugin.test.ts:40
  • Category: tests
  • Problem: Test fixture uses custom replaceHashDefinitions() regex parser to substitute SHA256 constants in plugin source. This is a test-only parser that deliberately fails on source-shape drift. Comment says 'replace it with an AST transform if the two-constant scope grows.'
  • Impact: If the two-constant scope grows beyond EXPECTED_NATIVE_PROFILE_SHA256 and EXPECTED_BOOTSTRAP_SHA256, the regex parser may fail to handle formatting variations. Currently stable but technical debt.
  • Recommended action: Document as test-only limitation with clear comment. The two-constant scope is stable. If scope grows, replace with AST-based transform.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check test file lines 40-60: replaceHashDefinitions function uses regex to find and replace hash definitions. It asserts exactly one match per constant.
  • Missing regression test: Test already validates the parser behavior; no additional test needed unless scope expands
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check test file lines 40-60: replaceHashDefinitions function uses regex to find and replace hash definitions. It asserts exactly one match per constant.
  • Evidence: Test comment: 'This test-only parser deliberately fails on source-shape drift or duplicate definitions; replace it with an AST transform if the two-constant scope grows.'

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-7 Improvement — Real-wheel test substitutes PEP 639 license with legacy format for older runner setuptools

  • Location: test/langchain-deepagents-code-nemotron-profile-plugin.test.ts:199
  • Category: architecture
  • Problem: Real-wheel test substitutes PEP 639 'license = "Apache-2.0"' with legacy 'license = { text = "Apache-2.0" }' for runner's older system setuptools. This is a test fixture limitation, not production metadata. Documented in dependency-review.md with removal condition.
  • Impact: Test fixture diverges from production metadata format; if runner setuptools is upgraded without removing the conversion, the test will silently test a configuration that production never uses.
  • Suggested action: Add CI step that checks runner setuptools version and fails if >= 61.0.0 (first PEP 639 support) but legacy conversion remains. Document removal condition clearly in test and dependency-review.md.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check test file lines 199-205: project.replace('license = "Apache-2.0"', 'license = { text = "Apache-2.0" }'). Check dependency-review.md lines 34-43 for documented removal condition.
  • Missing regression test: CI step to detect when runner setuptools supports PEP 639 and legacy conversion can be removed
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: dependency-review.md lines 34-43 documents invalidState, sourceBoundary, whyNotSourceFix, regressionTest, removalCondition for the test-only legacy license conversion.

PRA-8 Improvement — No real Docker build test for hash verification failure

  • Location: test/langchain-deepagents-code-profile-build-gate.test.ts:1
  • Category: tests
  • Problem: New test file covers import gate script with fake Docker (excellent). However, it tests the fake-Docker failure paths but the real Docker integration is only exercised by the E2E workflow gate step. No test builds the actual production Dockerfile with an extra file in profile-plugin/ and asserts build fails at hash verification.
  • Impact: The hash verification step (find+sort check for exactly two files) is only tested via the E2E workflow. A real Docker build test would catch regressions in the Dockerfile's supply-chain enforcement earlier and independently.
  • Suggested action: Add test to test/langchain-deepagents-code-profile-build-gate.test.ts that builds the production Dockerfile with an extra file in profile-plugin/ and asserts the build fails at the hash verification step (the 'find' command that checks exactly two files).
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check test/langchain-deepagents-code-profile-build-gate.test.ts — it uses fake Docker to test gate script logic. The Dockerfile hash verification is at line ~45 of Dockerfile: test "$(find /opt/nemoclaw-deepagents-profile-plugin -type f -print | LC_ALL=C sort)" = "$(printf '%s\n' ...)"
  • Missing regression test: Real Docker build test that adds extra file to profile-plugin/ and asserts hash verification fails
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Dockerfile lines 15-35: COPY two files, find+sort check, sha256sum -c, pip install --no-deps, import gate marker, pip check, rm -rf plugin dir.

PRA-9 Improvement — Dependency review documentation is verbose but serves as executable supply-chain record

  • Location: agents/langchain-deepagents-code/dependency-review.md:25
  • Category: architecture
  • Problem: The dependency-review.md contains extensive documentation of the adapter's hashes, license, audit results, and test-only limitations. This is not runtime code but a required governance artifact.
  • Impact: No runtime impact. The documentation is necessary for supply-chain auditability and removal accountability.
  • Suggested action: Keep as-is. This is not a simplification target — it's the authoritative record for the adapter's reviewed state.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Review dependency-review.md — it documents adapter hashes, license, audit, test-only limitation, and removal condition per NemoClaw supply-chain policy.
  • Missing regression test: N/A — governance documentation
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: dependency-review.md lines 25-114 document adapter metadata, test-only limitation, and lifecycle policy.
Simplification opportunities: 1 possible cut

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-9 yagni (agents/langchain-deepagents-code/dependency-review.md:25): None — this is required governance documentation, not runtime code
    • Replacement: N/A
    • Net: 0 lines
    • Safety boundary: Supply-chain auditability and removal accountability per NemoClaw policy
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Add real Docker build test: build production Dockerfile with extra file in profile-plugin/, assert failure at hash verification (find+sort check). Runtime/sandbox/infrastructure paths need behavioral runtime validation: .github/workflows/e2e.yaml, agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/nemoclaw_observability.py. Strong unit/fake-Docker coverage exists but real Docker integration and parity completeness gaps remain.
  • PRA-T2 Runtime validation — Add parity test vectors for CONTEXT_PATTERNS indices 2 (camelCase) and 3 (KEY standalone) in CANONICAL_SECRET_POSITIVE_VECTORS. Runtime/sandbox/infrastructure paths need behavioral runtime validation: .github/workflows/e2e.yaml, agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/nemoclaw_observability.py. Strong unit/fake-Docker coverage exists but real Docker integration and parity completeness gaps remain.
  • PRA-T3 Runtime validation — Add test asserting named constant for 128 exists in Bash wrapper and matches TypeScript pattern quantifier. Runtime/sandbox/infrastructure paths need behavioral runtime validation: .github/workflows/e2e.yaml, agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/nemoclaw_observability.py. Strong unit/fake-Docker coverage exists but real Docker integration and parity completeness gaps remain.
  • PRA-T4 Runtime validation — If validator second pass made targeted: add test asserting only plugin hash + bootstrap re-verified. Runtime/sandbox/infrastructure paths need behavioral runtime validation: .github/workflows/e2e.yaml, agents/langchain-deepagents-code/Dockerfile, agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/nemoclaw_observability.py. Strong unit/fake-Docker coverage exists but real Docker integration and parity completeness gaps remain.
  • PRA-T5 Missing positive test vectors for new camelCase and KEY standalone secret patterns — Add positive test vectors for each new pattern group in CANONICAL_SECRET_POSITIVE_VECTORS with patternGroup: 'context' and correct patternIndex (2 for camelCase, 3 for KEY standalone). Include vectors like 'accessToken=opaqueSecret123', 'clientSecret=opaqueSecret123', 'customPass=opaqueSecret123' for index 2 and 'KEY=opaqueSecret123' for index 3.
  • PRA-T6 Test fixture uses custom regex parser for hash substitution — Document as test-only limitation with clear comment. The two-constant scope is stable. If scope grows, replace with AST-based transform.
  • PRA-T7 No real Docker build test for hash verification failure — Add test to test/langchain-deepagents-code-profile-build-gate.test.ts that builds the production Dockerfile with an extra file in profile-plugin/ and asserts the build fails at the hash verification step (the 'find' command that checks exactly two files).
  • PRA-T8 Legacy license conversion in real-wheel test — Test documents conversion; CI step needed to detect runner upgrade. dependency-review.md documents invalidState, sourceBoundary, whyNotSourceFix, regressionTest, removalCondition
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Source-of-truth review needed: Legacy license conversion in real-wheel test

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Test documents conversion; CI step needed to detect runner upgrade
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: dependency-review.md documents invalidState, sourceBoundary, whyNotSourceFix, regressionTest, removalCondition

PRA-2 Required — Missing positive test vectors for new camelCase and KEY standalone secret patterns

  • Location: test/helpers/langchain-deepagents-code-secret-patterns.ts:1
  • Category: tests
  • Problem: The CANONICAL_SECRET_POSITIVE_VECTORS array lacks entries for CONTEXT_PATTERNS indices 2 (camelCase credential suffixes: Token/Secret/Credential/Password/Passwd/Pass) and 3 (KEY standalone pattern). The parity test validates coveredIndices against pattern length but passes because no vectors reference these indices, allowing silent drift across TypeScript, Bash, and Python mirrors.
  • Impact: If canonical patterns at indices 2 or 3 are broken or diverge from the TypeScript source, the parity test will not detect it. Secret-shaped values matching these new patterns could bypass detection in the Bash wrapper, managed Python runtime, or observability scrubber.
  • Required action: Add positive test vectors for each new pattern group in CANONICAL_SECRET_POSITIVE_VECTORS with patternGroup: 'context' and correct patternIndex (2 for camelCase, 3 for KEY standalone). Include vectors like 'accessToken=opaqueSecret123', 'clientSecret=opaqueSecret123', 'customPass=opaqueSecret123' for index 2 and 'KEY=opaqueSecret123' for index 3.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Run test/langchain-deepagents-code-secret-pattern-parity.test.ts — it validates coveredIndices equals pattern length at lines 95-110. After adding vectors, the test will fail if any canonical pattern index lacks a positive vector.
  • Missing regression test: Positive vectors for camelCase patterns (patternIndex 2) and KEY standalone pattern (patternIndex 3) in CANONICAL_SECRET_POSITIVE_VECTORS
  • Done when: The required change is committed and verification passes: Run test/langchain-deepagents-code-secret-pattern-parity.test.ts — it validates coveredIndices equals pattern length at lines 95-110. After adding vectors, the test will fail if any canonical pattern index lacks a positive vector.
  • Evidence: CONTEXT_PATTERNS in secret-patterns.ts has 4 entries (indices 0-3). CANONICAL_SECRET_POSITIVE_VECTORS only has vectors for indices 0 (Bearer) and 1 (UPPER_SNAKE_CASE assignment). No vectors reference index 2 (camelCase) or index 3 (KEY standalone).

PRA-3 Required — Magic number 128 in Bash credential-name prefix regex not extracted to named constant

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:150
  • Category: security
  • Problem: The Bash wrapper uses {1,128} quantifier in three regexes (lines 150, 151, 375) to bound credential name prefix length, mirroring TypeScript CONTEXT_PATTERNS. No named constant exists; if TypeScript changes the limit, the Bash mirror silently diverges.
  • Impact: Silent divergence between TypeScript and Bash credential detection could allow secret-shaped values with longer prefixes to bypass the wrapper's runtime/env-file guard and reach the managed inference plane.
  • Required action: Extract 128 to a readonly variable at top of script (e.g., readonly MAX_CRED_NAME_PREFIX=128) with comment explaining it mirrors TypeScript CONTEXT_PATTERNS maximum prefix length. Update all three occurrences in has_context_secret_shape() and is_openshell_env_placeholder_for_name().
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Check dcode-wrapper.sh lines 150, 151, 375 — all three regexes use {1,128} directly. No named constant exists in the script.
  • Missing regression test: Parity test already validates pattern source/flags match; add a check that the numeric quantifier in Bash regex matches TypeScript pattern source
  • Done when: The required change is committed and verification passes: Check dcode-wrapper.sh lines 150, 151, 375 — all three regexes use {1,128} directly. No named constant exists in the script.
  • Evidence: dcode-wrapper.sh lines 148-152 show three regexes with {1,128}. Line 375 validates env name length <= 128. TypeScript CONTEXT_PATTERNS uses {1,128} in lookbehind assertions.

PRA-4 Resolve/justify — Awk-based ARG parser may miss Dockerfile syntax variations

  • Location: scripts/check-dcode-profile-import-gate.sh:28
  • Category: workflow
  • Problem: The import gate script uses awk to extract ARG names from three Dockerfiles for the allowlist gate. Awk may miss Dockerfile syntax variations (continued lines with comments, mixed case, ARG with default values containing =). The allowlist is small and stable but this is a known parser limitation.
  • Impact: If a reviewed Dockerfile adds an ARG with syntax that awk doesn't parse, the allowlist gate could either reject a valid build or allow an unreviewed ARG through.
  • Recommended action: Accept as documented localized workaround. The allowlist is small and stable (12 ARGs). Consider replacing with 'docker build --print-build-args' or Python Dockerfile parser if syntax variations become problematic. The workflow-boundary test pins the gate script and ARG allowlist.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check scripts/check-dcode-profile-import-gate.sh lines 28-55: awk extracts ARG names; case statement validates against hardcoded allowlist. The script comment documents this limitation.
  • Missing regression test: test/e2e/support/dcode-profile-import-gate-workflow-boundary.test.ts validates workflow boundary; consider adding unit test for awk parser against Dockerfile syntax variations
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check scripts/check-dcode-profile-import-gate.sh lines 28-55: awk extracts ARG names; case statement validates against hardcoded allowlist. The script comment documents this limitation.
  • Evidence: Script comment: 'The primary security boundary is the exact ARG-name allowlist below, which covers agents/langchain-deepagents-code/Dockerfile.base, test/Dockerfile.dcode-profile-missing-dependencies, and agents/langchain-deepagents-code/Dockerfile. Those three reviewed Dockerfiles contain no secret-bearing ARGs.'

PRA-5 Resolve/justify — Validator double-runs full validation instead of targeted re-check

  • Location: agents/langchain-deepagents-code/validate-nemotron-ultra-profile.py:180
  • Category: correctness
  • Problem: validate_profile_entry_point() and validate_official_sources() run once before graph/dispatch checks and again after. Comment says this 'closes the install/import-to-validation window' but full re-validation adds ~200ms. Previous review suggested targeted re-verification (plugin hash + bootstrap only).
  • Impact: Double validation adds ~200ms to image build time. Not a security issue, but the comment doesn't explain why full re-validation is needed vs targeted re-check of plugin hash + bootstrap.
  • Recommended action: Either make second validation targeted (re-verify only plugin hash and bootstrap) as suggested in previous review, or keep as-is with clearer comment that full re-validation is deliberate defense-in-depth against any state mutation between import and graph compilation.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check validate-nemotron-ultra-profile.py main(): validate_profile_entry_point() and validate_official_sources() called at lines ~180 and again at lines ~390-395.
  • Missing regression test: No specific test for double-validation behavior; validator tests cover overall pass/fail
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check validate-nemotron-ultra-profile.py main(): validate_profile_entry_point() and validate_official_sources() called at lines ~180 and again at lines ~390-395.
  • Evidence: Validator main() calls validate_profile_entry_point() and validate_official_sources() at line ~180, then again at lines ~390-395 with comment 'Final source re-verification matches Dockerfile's import-gate marker: re-bind and re-hash the plugin plus both official files after graph and dispatch checks to close the install/import-to-validation window.'

PRA-6 Resolve/justify — Test fixture uses custom regex parser for hash substitution

  • Location: test/langchain-deepagents-code-nemotron-profile-plugin.test.ts:40
  • Category: tests
  • Problem: Test fixture uses custom replaceHashDefinitions() regex parser to substitute SHA256 constants in plugin source. This is a test-only parser that deliberately fails on source-shape drift. Comment says 'replace it with an AST transform if the two-constant scope grows.'
  • Impact: If the two-constant scope grows beyond EXPECTED_NATIVE_PROFILE_SHA256 and EXPECTED_BOOTSTRAP_SHA256, the regex parser may fail to handle formatting variations. Currently stable but technical debt.
  • Recommended action: Document as test-only limitation with clear comment. The two-constant scope is stable. If scope grows, replace with AST-based transform.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check test file lines 40-60: replaceHashDefinitions function uses regex to find and replace hash definitions. It asserts exactly one match per constant.
  • Missing regression test: Test already validates the parser behavior; no additional test needed unless scope expands
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check test file lines 40-60: replaceHashDefinitions function uses regex to find and replace hash definitions. It asserts exactly one match per constant.
  • Evidence: Test comment: 'This test-only parser deliberately fails on source-shape drift or duplicate definitions; replace it with an AST transform if the two-constant scope grows.'

PRA-7 Improvement — Real-wheel test substitutes PEP 639 license with legacy format for older runner setuptools

  • Location: test/langchain-deepagents-code-nemotron-profile-plugin.test.ts:199
  • Category: architecture
  • Problem: Real-wheel test substitutes PEP 639 'license = "Apache-2.0"' with legacy 'license = { text = "Apache-2.0" }' for runner's older system setuptools. This is a test fixture limitation, not production metadata. Documented in dependency-review.md with removal condition.
  • Impact: Test fixture diverges from production metadata format; if runner setuptools is upgraded without removing the conversion, the test will silently test a configuration that production never uses.
  • Suggested action: Add CI step that checks runner setuptools version and fails if >= 61.0.0 (first PEP 639 support) but legacy conversion remains. Document removal condition clearly in test and dependency-review.md.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check test file lines 199-205: project.replace('license = "Apache-2.0"', 'license = { text = "Apache-2.0" }'). Check dependency-review.md lines 34-43 for documented removal condition.
  • Missing regression test: CI step to detect when runner setuptools supports PEP 639 and legacy conversion can be removed
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: dependency-review.md lines 34-43 documents invalidState, sourceBoundary, whyNotSourceFix, regressionTest, removalCondition for the test-only legacy license conversion.

PRA-8 Improvement — No real Docker build test for hash verification failure

  • Location: test/langchain-deepagents-code-profile-build-gate.test.ts:1
  • Category: tests
  • Problem: New test file covers import gate script with fake Docker (excellent). However, it tests the fake-Docker failure paths but the real Docker integration is only exercised by the E2E workflow gate step. No test builds the actual production Dockerfile with an extra file in profile-plugin/ and asserts build fails at hash verification.
  • Impact: The hash verification step (find+sort check for exactly two files) is only tested via the E2E workflow. A real Docker build test would catch regressions in the Dockerfile's supply-chain enforcement earlier and independently.
  • Suggested action: Add test to test/langchain-deepagents-code-profile-build-gate.test.ts that builds the production Dockerfile with an extra file in profile-plugin/ and asserts the build fails at the hash verification step (the 'find' command that checks exactly two files).
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check test/langchain-deepagents-code-profile-build-gate.test.ts — it uses fake Docker to test gate script logic. The Dockerfile hash verification is at line ~45 of Dockerfile: test "$(find /opt/nemoclaw-deepagents-profile-plugin -type f -print | LC_ALL=C sort)" = "$(printf '%s\n' ...)"
  • Missing regression test: Real Docker build test that adds extra file to profile-plugin/ and asserts hash verification fails
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Dockerfile lines 15-35: COPY two files, find+sort check, sha256sum -c, pip install --no-deps, import gate marker, pip check, rm -rf plugin dir.

PRA-9 Improvement — Dependency review documentation is verbose but serves as executable supply-chain record

  • Location: agents/langchain-deepagents-code/dependency-review.md:25
  • Category: architecture
  • Problem: The dependency-review.md contains extensive documentation of the adapter's hashes, license, audit results, and test-only limitations. This is not runtime code but a required governance artifact.
  • Impact: No runtime impact. The documentation is necessary for supply-chain auditability and removal accountability.
  • Suggested action: Keep as-is. This is not a simplification target — it's the authoritative record for the adapter's reviewed state.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Review dependency-review.md — it documents adapter hashes, license, audit, test-only limitation, and removal condition per NemoClaw supply-chain policy.
  • Missing regression test: N/A — governance documentation
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: dependency-review.md lines 25-114 document adapter metadata, test-only limitation, and lifecycle policy.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 0 suggestions · 2 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 0 new items found

Action checklist

  • PRA-T1 Add or justify test follow-up: Acceptance clause
  • PRA-T2 Add or justify test follow-up: Acceptance clause
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Acceptance clause — Dependency review, image-contract tests, focused profile tests, and the `ubuntu-repo-cloud-langchain-deepagents-code` E2E target pass on the final SHA. — add test evidence or identify existing coverage. Dependency review and focused image/profile/E2E target files are updated in this diff; external E2E job pass/fail and final-SHA CI status are intentionally not evaluated by this advisor surface.
  • PRA-T2 Acceptance clause — Direct/login-shell headless inference and interactive TUI acceptance remain green. — add test evidence or identify existing coverage. The headless and TUI acceptance scripts/tests are retained and updated, and image tests assert their expected content; external runtime pass/fail is intentionally not evaluated here.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28913263513
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/langchain-deepagents-code-nemotron-profile-plugin.test.ts`:
- Around line 319-334: The parametrized test in the official source file check
introduces a new TS-level conditional that violates the conditionals guardrail.
Refactor the `it.each(... )` body to avoid the `if (mode === "missing")` /
`else` branch in favor of a branchless mode-to-action lookup while keeping the
same `runPlugin(fixture)` assertions and coverage for both `missing` and
`linked` cases.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b26a0595-d815-49b1-bb4e-3dd22019aa69

📥 Commits

Reviewing files that changed from the base of the PR and between 0662be4 and c999f82.

📒 Files selected for processing (12)
  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dependency-review.md
  • agents/langchain-deepagents-code/patch-nemotron-ultra-profile.py
  • agents/langchain-deepagents-code/profile-plugin/.gitignore
  • agents/langchain-deepagents-code/profile-plugin/pyproject.toml
  • agents/langchain-deepagents-code/profile-plugin/src/nemoclaw_deepagents_profile/__init__.py
  • agents/langchain-deepagents-code/validate-nemotron-ultra-profile.py
  • test/e2e/e2e-cloud-experimental/checks/03-deepagents-code-nemotron-ultra-profile.sh
  • test/e2e/support/platform-parity-cloud-experimental.test.ts
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-nemotron-profile-patch.test.ts
  • test/langchain-deepagents-code-nemotron-profile-plugin.test.ts
💤 Files with no reviewable changes (2)
  • test/langchain-deepagents-code-nemotron-profile-patch.test.ts
  • agents/langchain-deepagents-code/patch-nemotron-ultra-profile.py

Comment thread test/langchain-deepagents-code-nemotron-profile-plugin.test.ts Outdated
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
test/langchain-deepagents-code-nemotron-profile-plugin.test.ts (2)

313-315: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Prefer behavioral coverage over source-text assertions on the validator/plugin.

These cases assert on raw source text (substrings, validate_official_sources() call count, ordering, "prove the adapter never") of the plugin and validator rather than on observable behavior. They lock in implementation wording and break on benign refactors even when the security behavior is intact. The subprocess-driven cases (runEntryPointValidation, runPlugin) already exercise the real discovery/source/rejection paths, so consider trimming the text-shape assertions in favor of those observable outcomes.

As per path instructions: "Prefer observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions."

Also applies to: 318-348

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/langchain-deepagents-code-nemotron-profile-plugin.test.ts` around lines
313 - 315, The validator/plugin tests rely too much on raw source-text and
mock-shape assertions instead of observable behavior, so trim those expectations
in the plugin/validator spec and keep the subprocess-based coverage as the
source of truth. Update the affected assertions around runPlugin,
runEntryPointValidation, and validate_official_sources() to verify the public
outcomes they produce (accepted/rejected cases and discovery behavior) rather
than specific substrings, call counts, or ordering tied to implementation
wording.

Source: Path instructions


259-262: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use the literal POSIX separator for PYTHONPATH to match the sibling PATH entry.

Line 259 builds PATH with a literal :, but the adjacent PYTHONPATH join uses path.delimiter. These unit tests only run on Linux runners, so path.delimiter adds no portability here and diverges from the established convention.

♻️ Suggested alignment
-      PYTHONPATH: [...(options.additionalPythonRoots ?? []), fixture.root, pluginRoot].join(
-        path.delimiter,
-      ),
+      PYTHONPATH: [...(options.additionalPythonRoots ?? []), fixture.root, pluginRoot].join(":"),

Based on learnings: prefer the established POSIX PATH separator : when constructing PATH-style env vars in these tests; do not replace it with path.delimiter, because they only run on Linux runners in CI.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/langchain-deepagents-code-nemotron-profile-plugin.test.ts` around lines
259 - 262, The test setup for the environment variables is inconsistent: `PATH`
uses a literal POSIX separator while `PYTHONPATH` in the same fixture uses
`path.delimiter`. Update the `PYTHONPATH` construction in this test to use the
literal `:` separator so it matches the sibling `PATH` entry and the Linux-only
runner environment; keep the change localized to the env setup near the
`PYTHONPATH` assignment.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/langchain-deepagents-code-nemotron-profile-plugin.test.ts`:
- Around line 313-315: The validator/plugin tests rely too much on raw
source-text and mock-shape assertions instead of observable behavior, so trim
those expectations in the plugin/validator spec and keep the subprocess-based
coverage as the source of truth. Update the affected assertions around
runPlugin, runEntryPointValidation, and validate_official_sources() to verify
the public outcomes they produce (accepted/rejected cases and discovery
behavior) rather than specific substrings, call counts, or ordering tied to
implementation wording.
- Around line 259-262: The test setup for the environment variables is
inconsistent: `PATH` uses a literal POSIX separator while `PYTHONPATH` in the
same fixture uses `path.delimiter`. Update the `PYTHONPATH` construction in this
test to use the literal `:` separator so it matches the sibling `PATH` entry and
the Linux-only runner environment; keep the change localized to the env setup
near the `PYTHONPATH` assignment.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8aab9bb9-d2af-4516-93fd-4577ace865d6

📥 Commits

Reviewing files that changed from the base of the PR and between e338b57 and 59850e3.

📒 Files selected for processing (6)
  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dependency-review.md
  • agents/langchain-deepagents-code/profile-plugin/src/nemoclaw_deepagents_profile/__init__.py
  • agents/langchain-deepagents-code/validate-nemotron-ultra-profile.py
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-nemotron-profile-plugin.test.ts
✅ Files skipped from review due to trivial changes (1)
  • agents/langchain-deepagents-code/dependency-review.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • test/langchain-deepagents-code-image.test.ts
  • agents/langchain-deepagents-code/profile-plugin/src/nemoclaw_deepagents_profile/init.py
  • agents/langchain-deepagents-code/Dockerfile

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28914013747
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
live ⚠️ cancelled

ericksoa added 2 commits July 7, 2026 20:00
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…tra-profile-plugin

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28914328481
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
live ⚠️ cancelled

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/e2e/support/platform-parity-cloud-experimental.test.ts (1)

298-306: 🎯 Functional Correctness | 🔵 Trivial | ⚖️ Poor tradeoff

Source-text assertion instead of behavioral verification.

This test asserts on raw script text (toContain/not.toMatch) rather than an observable runtime outcome. It replaces the prior deep content checks with a similarly text-based approach, and the negative regex assertion (not.toMatch(/\.(?:invoke|ainvoke|stream|astream)\(/)) can pass trivially if the script is rewritten to avoid these literal method-call patterns while still invoking a model indirectly (e.g., via a wrapper function), without truly proving "local-only" behavior.

If this script cannot be executed directly in this test suite, consider at least asserting more precisely (e.g., verifying the script does not reference a model/API key env var, or running it in a sandboxed dry-run) to reduce the risk of a test that passes without meaningfully exercising the claim.

As per path instructions: "Prefer observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions" and "Flag ... conditionals that make a test pass without exercising its claim."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/support/platform-parity-cloud-experimental.test.ts` around lines 298
- 306, The Nemotron profile check is currently verified by reading script text,
which is too brittle and can pass without proving local-only behavior. Update
the E2E test in the platform-parity-cloud-experimental suite to assert an
observable outcome through the public boundary instead of raw source content; if
direct execution is not possible, use a sandboxed dry-run or stronger checks
that the script does not depend on model/API-key env vars. Keep the test
centered on DEEPAGENTS_CLOUD_EXPERIMENTAL_CHECKS and the profileCheck
expectation, but replace the toContain/notToMatch source-text assertions with
behavior-based validation.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e/support/platform-parity-cloud-experimental.test.ts`:
- Around line 298-306: The Nemotron profile check is currently verified by
reading script text, which is too brittle and can pass without proving
local-only behavior. Update the E2E test in the
platform-parity-cloud-experimental suite to assert an observable outcome through
the public boundary instead of raw source content; if direct execution is not
possible, use a sandboxed dry-run or stronger checks that the script does not
depend on model/API-key env vars. Keep the test centered on
DEEPAGENTS_CLOUD_EXPERIMENTAL_CHECKS and the profileCheck expectation, but
replace the toContain/notToMatch source-text assertions with behavior-based
validation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 132c7302-ab6a-4ff5-9e3e-8320fdd431f1

📥 Commits

Reviewing files that changed from the base of the PR and between 59850e3 and 1563670.

📒 Files selected for processing (2)
  • test/e2e/support/platform-parity-cloud-experimental.test.ts
  • test/langchain-deepagents-code-nemotron-profile-plugin.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/langchain-deepagents-code-nemotron-profile-plugin.test.ts

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28914382391
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@ericksoa ericksoa added area: ci CI workflows, checks, release automation, or GitHub Actions area: e2e End-to-end tests, nightly failures, or validation infrastructure labels Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28976621841
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
live ⚠️ cancelled

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28977298390
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: (default — all supported)
Requested jobs: cloud-onboard
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
cloud-onboard ⚠️ cancelled

Signed-off-by: cjagwani <cjagwani@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28977517187
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
live ⚠️ cancelled

ericksoa added 3 commits July 8, 2026 14:40
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…-plugin' into fix/dcode-nemotron-ultra-profile-plugin
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28977647781
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
live ❌ failure

Failed jobs: live. Check run artifacts for logs.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28977649904
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: (default — all supported)
Requested jobs: credential-sanitization,cloud-onboard
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
credential-sanitization ✅ success

…tra-profile-plugin

# Conflicts:
#	test/e2e/support/platform-parity-cloud-experimental.test.ts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/security/redact.ts`:
- Line 188: The redaction pattern in redact.ts does not correctly handle quoted
secret values that contain spaces, so matching stops too early and leaves part
of the secret visible. Update the regex used by the redaction logic to
distinguish quoted from unquoted values, and when quotes are present consume
everything through the closing quote instead of stopping at whitespace. Add a
regression test covering a multi-word password case through the redaction path
to verify UserPassword-style values are fully masked.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5cd7dcef-4017-4856-845a-7f4d2007a564

📥 Commits

Reviewing files that changed from the base of the PR and between 30917bf and 39bfc83.

📒 Files selected for processing (19)
  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/dependency-review.md
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/nemoclaw_observability.py
  • src/lib/security/redact.test.ts
  • src/lib/security/redact.ts
  • src/lib/security/secret-patterns.ts
  • test/deepagents-code-tui-startup-check.test.ts
  • test/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.sh
  • test/e2e/fixtures/redaction.ts
  • test/e2e/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e/support/e2e-redaction-entry.test.ts
  • test/fixtures/deepagents-observability-harness.py
  • test/langchain-deepagents-code-image-credentials.test.ts
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-observability.test.ts
  • test/langchain-deepagents-code-secret-pattern-parity.test.ts
  • test/openclaw-tui-chat-correlation.test.ts
💤 Files with no reviewable changes (2)
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/dcode-wrapper.sh
✅ Files skipped from review due to trivial changes (2)
  • test/langchain-deepagents-code-observability.test.ts
  • test/fixtures/deepagents-observability-harness.py
🚧 Files skipped from review as they are similar to previous changes (12)
  • test/deepagents-code-tui-startup-check.test.ts
  • test/e2e/support/e2e-redaction-entry.test.ts
  • test/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.sh
  • agents/langchain-deepagents-code/Dockerfile
  • src/lib/security/secret-patterns.ts
  • src/lib/security/redact.test.ts
  • test/langchain-deepagents-code-secret-pattern-parity.test.ts
  • agents/langchain-deepagents-code/nemoclaw_observability.py
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-image-credentials.test.ts
  • test/e2e/fixtures/redaction.ts
  • agents/langchain-deepagents-code/dependency-review.md

],
[
/((?:"|')?(?:api[_-]?key|token|secret|password|credential)(?:"|')?\s*[:=]\s*(?:"|')?)[^"',}\s]+((?:"|')?)/gi,
/((?:^|[^A-Za-z0-9])(?:[A-Za-z0-9]{1,128}(?:Token|Secret|Credential)|[A-Za-z0-9]{0,128}(?:[Aa]ccess|[Rr]efresh|[Cc]lient|[Bb]earer|[Aa]uth|[Aa][Pp][Ii]|[Pp]rivate|[Ss]igning|[Ss]ession|[Bb]ot|[Aa]pp|[Rr]esolved)Key|[A-Za-z0-9]{1,128}(?:Password|Passwd|Pass))["']?(?:[ \t]{0,32}[=:][ \t]{0,32}|[ \t]{1,32})["']?)[^\s'"]+((?:"|')?)/g,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '## current full-redaction assignment patterns\n'
sed -n '179,190p' src/lib/security/redact.ts

printf '\n## existing quoted-password whitespace coverage\n'
rg -n 'correct horse|quoted.*password|UserPassword|Password=.* ' src/lib/security/redact.test.ts test --glob '*.test.ts'

Repository: NVIDIA/NemoClaw

Length of output: 1005


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '## redact.ts matcher block\n'
sed -n '170,205p' src/lib/security/redact.ts

printf '\n## redact.test.ts around redaction cases\n'
ast-grep outline src/lib/security/redact.test.ts --view expanded || true
printf '\n'
rg -n 'REDACT|redact|password|token|secret|credential|pass|quote|whitespace|spaces' src/lib/security/redact.test.ts

printf '\n## any tests mentioning UserPassword in repo\n'
rg -n 'UserPassword|correct horse battery|horse battery|quoted password|password.*space|space.*password' src --glob '*.test.ts' --glob '*.ts'

Repository: NVIDIA/NemoClaw

Length of output: 7567


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '## broader redact pattern list around the matcher\n'
sed -n '130,205p' src/lib/security/redact.ts

printf '\n## test file structure\n'
ast-grep outline src/lib/security/redact.test.ts --view expanded || true

printf '\n## test cases touching redaction and quoting\n'
rg -n 'redact\\(|toContain\\(|toEqual\\(|UserPassword|Password|token|secret|credential|quoted|space|whitespace' src/lib/security/redact.test.ts

Repository: NVIDIA/NemoClaw

Length of output: 3454


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '## SECRET_PATTERNS definition\n'
rg -n 'const SECRET_PATTERNS|SECRET_BLOCK_PATTERNS|TOKEN_PREFIX_PATTERNS|FULL_REDACT_PATTERNS|redactSensitiveText|redactFull' src/lib/security/redact.ts

printf '\n## run a small regex probe on the exact pattern\n'
python3 - <<'PY'
import re

pat = re.compile(r'((?:^|[^A-Za-z0-9])(?:[A-Za-z0-9]{1,128}(?:Token|Secret|Credential)|[A-Za-z0-9]{0,128}(?:[Aa]ccess|[Rr]efresh|[Cc]lient|[Bb]earer|[Aa]uth|[Aa][Pp][Ii]|[Pp]rivate|[Ss]igning|[Ss]ession|[Bb]ot|[Aa]pp|[Rr]esolved)Key|[A-Za-z0-9]{1,128}(?:Password|Passwd|Pass))["\']?(?:[ \t]{0,32}[=:][ \t]{0,32}|[ \t]{1,32})["\']?)[^\s\'"]+((?:"|\')?)', re.I)

samples = [
    'UserPassword="correct horse battery"',
    'UserPassword="correct horse battery',
    'UserPassword=correct horse battery',
    'UserPassword="correct"',
    'UserPassword="correct horse" extra',
]
for s in samples:
    m = pat.search(s)
    print("INPUT:", s)
    print("MATCH:", bool(m))
    if m:
        print("GROUP1:", m.group(1))
        print("GROUP2:", m.group(2))
        print("REPLACED:", pat.sub(r'\\1<REDACTED>\\2', s))
    print("-" * 40)
PY

printf '\n## any alternate quoted-string redaction patterns in security module\n'
rg -n '"[^"]*<REDACTED>|<REDACTED>.*\\"|\\[[^\\]]*REDACTED' src/lib/security/redact.ts src/lib/security -g '*.ts'

Repository: NVIDIA/NemoClaw

Length of output: 7218


Handle quoted secrets with spaces. Quoted values still stop at the first space, so UserPassword="correct horse battery" leaves the remainder visible. Split quoted/unquoted handling or consume through the closing quote, and add a regression test for multi-word passwords.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/security/redact.ts` at line 188, The redaction pattern in redact.ts
does not correctly handle quoted secret values that contain spaces, so matching
stops too early and leaves part of the secret visible. Update the regex used by
the redaction logic to distinguish quoted from unquoted values, and when quotes
are present consume everything through the closing quote instead of stopping at
whitespace. Add a regression test covering a multi-word password case through
the redaction path to verify UserPassword-style values are fully masked.

Source: Path instructions

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28978117617
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
live ❌ failure

Failed jobs: live. Check run artifacts for logs.

Signed-off-by: cjagwani <cjagwani@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28978119263
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: (default — all supported)
Requested jobs: cloud-onboard
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
cloud-onboard ⚠️ cancelled

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28978324342
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: (default — all supported)
Requested jobs: cloud-onboard
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
cloud-onboard ⚠️ cancelled

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28978281322
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: credential-sanitization,cloud-onboard
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ❌ failure
credential-sanitization ✅ success

Failed jobs: cloud-onboard. Check run artifacts for logs.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28978277604
Workflow ref: fix/dcode-nemotron-ultra-profile-plugin
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
live ❌ failure

Failed jobs: live. Check run artifacts for logs.

@cv
cv merged commit e79de55 into main Jul 8, 2026
278 of 281 checks passed
@cv
cv deleted the fix/dcode-nemotron-ultra-profile-plugin branch July 8, 2026 22:00
cjagwani added a commit that referenced this pull request Jul 8, 2026
Record main's squash of #6431; its tree is byte-identical to the already reviewed stack parent.

Signed-off-by: cjagwani <cjagwani@nvidia.com>
ericksoa added a commit that referenced this pull request Jul 8, 2026
## Summary

Harden the managed Nemotron 3 Ultra DCode aliases at two separate
compatibility
boundaries: emit the model-specific nonempty-content template argument
required
for reasoning-plus-tool-call requests, and reject the observed literal
`[content]` execute placeholder before it reaches shell dispatch.

#6431 is merged; this PR is based directly on current `main`. It leaves
the
canonical NVIDIA profile and all unrelated models unchanged.

## Source boundary and lifecycle

- `force_nonempty_content`: the invalid empty-assistant-content state
originates
in the Ultra serving template. NemoClaw owns only the generated
per-model
request configuration. Remove the override after a reviewed
serving/client
update works for both managed Ultra IDs without it and the live DCode
E2E passes.
- Execute guard: the invalid state is a model-produced tool call whose
complete
`execute.command` is the literal `[content]` (ignoring ASCII whitespace
around the token and
brackets, and case). NemoClaw owns the managed alias middleware
immediately before dispatch,
not the model, serving template, or hash-locked canonical Deep Agents
profile.
Remove the guard only after those upstream paths no longer produce or
convert
  the placeholder and the focused plus live tests pass with it deleted.

## Changes

- Generate `force_nonempty_content = true` only for the two managed
Ultra model IDs.
- Add a managed-alias-only sync/async middleware guard for the exact
placeholder;
  concrete execute commands and other tools pass through unchanged.
- Validate rejection through the pinned LangChain `ToolMessage.content`
API in
  the image validator, fixture, and hosted E2E probe.
- Preserve atomic/idempotent profile registration with the process-local
  registry as source of truth and a lock around multi-key registration.
- Persist the credential-free observability enable bit across
environment-less
policy restarts; create/rebuild/clone paths pass an explicit `1` or `0`.
- Record invalid-state sources, regression evidence, and removal
conditions in
  the dependency review.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI, setting,
supported-model choice, or operator workflow changes; the internal
dependency review is updated
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: pending maintainer
review
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — combined Ultra, lifecycle,
current-main, and acceptance suites passed 159/159; the post-hook
launcher/acceptance subset passed 33/33
- [ ] Applicable broad gate passed — final exact-head regular CI and
hosted Deep Agents Code E2E are running
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added model-specific “Ultra” configuration for selected
OpenAI-compatible model IDs to enforce non-empty tool-call/reasoning
content.
* Added managed execute placeholder guard behavior and deeper end-to-end
validation for Tavily policy remove/restore ordering and observability
recovery.
* **Bug Fixes**
* Hardened managed execute handling to reject placeholder `execute`
calls (including async/sync parity) while allowing concrete commands.
* Improved managed alias registration for safer atomic idempotence and
rollback.
* **Documentation**
* Updated compatibility/validation guidance and the dependency advisory
review hash.
* **Tests**
* Expanded E2E/profile/config contract tests, including workflow
host-dependency step ordering and guard dispatch assertions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
@cjagwani cjagwani mentioned this pull request Jul 9, 2026
21 tasks
cv pushed a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Prepares the user documentation for NemoClaw v0.0.78 by replacing the
unreleased section with release highlights and synchronizing the
affected inference, lifecycle, messaging, and CLI reference pages with
merged behavior.

## Changes

- Publish the v0.0.78 release-notes section with links to the most
specific user guides for each shipped behavior.
- Document authoritative Deep Agents route health, Nemotron Ultra
profile behavior, and Hermes compatible-endpoint context metadata.
- Document forced rebuild recovery after total backup failure and the
ownership-safe tunnel/full-stop behavior.
- Keep command examples and shared agent variants aligned with the
current OpenClaw, Hermes, and Deep Agents interfaces.

Source mapping:

- [#3787](#3787) ->
`docs/about/release-notes.mdx`: Record reliable workspace template
seeding during sandbox startup.
- [#4960](#4960) ->
`docs/about/release-notes.mdx`: Record safer detection of rewritten
OpenClaw gateway processes.
- [#5676](#5676) ->
`docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON
handling.
- [#5857](#5857) ->
`docs/about/release-notes.mdx`: Record synchronization of explicit
OpenClaw main-agent model state.
- [#5929](#5929) ->
`docs/about/release-notes.mdx`: Record copyable SSH port-forward
guidance for remote dashboards.
- [#6068](#6068) ->
`docs/about/release-notes.mdx`: Record custom-image plugin provenance
reconciliation.
- [#6116](#6116) ->
`docs/about/release-notes.mdx`: Record live-loopback dashboard-forward
recovery.
- [#6122](#6122) ->
`docs/about/release-notes.mdx`: Announce validated, round-trippable
policy YAML output.
- [#6211](#6211) ->
`docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`,
`docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild
--force` recovery boundary.
- [#6283](#6283) ->
`docs/about/release-notes.mdx`: Record Hermes WebUI port alignment.
- [#6293](#6293) ->
`docs/inference/switch-inference-providers.mdx`,
`docs/about/release-notes.mdx`: Document compatible-endpoint
context-length probing for Hermes.
- [#6320](#6320) ->
`docs/about/release-notes.mdx`: Record bounded gateway-recovery waits.
- [#6377](#6377) ->
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain
rebuild diagnostics and prepared MCP-destroy recovery.
- [#6412](#6412) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document authoritative agent-visible
inference route health.
- [#6421](#6421) ->
`docs/about/release-notes.mdx`: Record the longer quiet-pull window for
managed vLLM images.
- [#6431](#6431) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document the version-pinned Nemotron
Ultra profile plugin.
- [#6439](#6439) ->
`docs/about/release-notes.mdx`: Summarize the authenticated, pinned
credential-capture helper boundary.
- [#6450](#6450) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document
host-forward cleanup and ownership-safe gateway-port release.
- [#6474](#6474) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/about/release-notes.mdx`: Record composable OpenClaw messaging
runtime loaders.
- [#6475](#6475) ->
`docs/about/release-notes.mdx`: Record removal of the unavailable Kimi
K2.6 production endpoint option.
- [#6480](#6480) ->
`docs/about/release-notes.mdx`: Record stderr routing for the plugin
registration banner.
- [#6481](#6481) ->
`docs/about/release-notes.mdx`: Record post-pull Ollama model discovery
checks.
- [#6482](#6482) ->
`docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon
restart.
- [#6486](#6486) ->
`docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep
Agents auto-approval boundary.
- [#6490](#6490) ->
`docs/about/release-notes.mdx`: Record diagnostics for custom images
missing the managed runtime.
- [#6494](#6494) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document nonempty tool-call content
preservation and placeholder rejection.
- [#6497](#6497) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document isolated Deep Agents
route-probe output.
- [#6506](#6506) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document observability-preserving
managed route probes.
- [#6508](#6508) ->
`docs/about/release-notes.mdx`: Link the new extension taxonomy and
SDK-readiness reference from the release summary.

Release-source verification: GitHub reports all 29 cited source PRs as
merged with base `main`, and every merge commit is an ancestor of
`origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No
source-mapping mismatches were found.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates

<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Documentation-only
release-prep changes; `npm run docs` validates variants, routes, and
Fern content.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
are not applicable to this documentation-only change set.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — exited
0 with zero errors; Fern reported the existing unauthenticated
redirect-check and light-mode contrast warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>

---------

Signed-off-by: cjagwani <cjagwani@nvidia.com>
cv added a commit that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Follow-up to #6431 for exact-head validation failures that completed
immediately before that PR merged. This isolates sequential DCode E2E
state, preserves observability across policy-only reloads, lets generic
OpenClaw cloud-onboard runs skip DCode-only TUI prerequisites, and
closes the remaining valid advisor requests without changing user-facing
behavior.

## Related Issue
Follow-up to #6431, which closed #6424. No new issue.

## Changes
- Remove the durable Tavily preset after check 09, arm cleanup on
`EXIT`, and fail unless managed DCode Python returns to the default
network denial.
- Move check 12's `expect`, Node, and timeout prerequisites after its
DCode sandbox guard. Generic `cloud-onboard` therefore skips correctly;
typed DCode jobs continue to require and install `expect`.
- Keep the credential-free observability enable marker in managed
`/sandbox/.deepagents` state for exec/login recovery. Current `main` now
owns the durable lifecycle: absent entrypoint env preserves the bit
across policy-only restarts, while create/rebuild/clone pass an explicit
authoritative `1` or `0`. Check 09 requires the host registry's DCode
`observabilityEnabled=true` intent and the exact persistent marker to
agree before and after Tavily policy mutation; it fails rather than
reconstructing intent from sandbox-writable state. Host-managed network
policy remains the egress boundary.
- Reject a pre-existing non-regular or symlink marker target with a
clear startup error, and use no-target-directory replacement so a raced
directory cannot absorb the enabled marker. Fixtures cover both enabled
and disabled startup.
- In live check 11, remove only `observability-otlp-local`, recreate the
exact marker as the sandbox user, and prove both the normally allowed
raw route and marker-triggered deterministic instrumentation produce
zero host captures. Restore only from an exactly inactive policy state
before the existing positive trace checks.
- Replace repeated credential-name limit literals with
`CREDENTIAL_NAME_PREFIX_MAX_LENGTH` and prove every Bash quantifier
remains equal to the canonical TypeScript context-pattern limit.
- Cover exact 128/129 context-prefix behavior, oversized OpenShell
placeholders, and Tavily cleanup-command failures through the real
wrapper/self-test boundaries.
- Preserve the merged #6494 Nemotron Ultra request hardening and its
observability create/snapshot lifecycle while resolving the overlapping
follow-up checks against current `main`.
- Keep standalone DCode Tavily persistence and rebuild behavior
unchanged.
- Avoid the rejected alternative of adding a privileged 47-line
apt/workflow boundary to the generic cloud job.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI, configuration,
model-ID, policy, or user-visible behavior changes
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — fresh exact-head review pending
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
none currently accepted

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — after merging current `main`, focused
DCode integration suites pass 210/210 and focused E2E-support suites
pass 37/37. Bash syntax, ShellCheck, source-shape, test-size, build,
TypeScript typecheck, commit, and pre-push hooks pass
- [ ] Applicable broad gate passed — fresh exact-head CI, advisors,
focused DCode E2E, cloud-onboard, and credential-sanitization pending
- [ ] Quality Gates section completed with required justifications or
waivers — exact-head sensitive-path review pending
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

## Advisor dispositions
- Source-of-truth review: the invalid state is a managed DCode exec
losing host-selected observability because raw exec/login processes do
not inherit entrypoint environment and policy mutation reloads do not
re-run the entrypoint. Current `main` now owns `start.sh`
materialization plus `dcode-launcher.sh` recovery under
`/sandbox/.deepagents`; create/rebuild/clone carry the registry's
explicit `1`/`0` intent, and snapshot restore honors that authoritative
registry state so an earlier enabled snapshot does not override a later
opt-out. This PR adds fail-closed registry/marker agreement checks and
the no-policy export proof. Remove the bridge only when OpenShell both
propagates the bit to exec/login processes and preserves it through
policy reloads or re-runs the entrypoint.
- Sequential Tavily isolation is exercised by the required typed target
on one sandbox: check 09 proves denial immediately after cleanup; checks
10 and 11 do not mutate Tavily; check 12 rebuilds and then invokes check
06, which proves both managed and project-venv Python remain denied from
`api.tavily.com`. This gives immediate and post-rebuild denial evidence
without redundant probes after non-mutating checks.
- The marker integration test runs the transformed `start.sh` with
`NEMOCLAW_OBSERVABILITY=1`, verifies the
`/sandbox/.deepagents/.nemoclaw-observability-enabled` value and mode,
removes volatile runtime state, proves absent-env restart and launcher
recovery, and proves explicit `0` removal. Live check 11 verifies the
literal sandbox path.
- The `/sandbox/.deepagents` marker is intentionally untrusted
convenience state, not authorization. A sandbox user can request local
instrumentation by recreating the exact marker, but cannot grant OTLP
egress; the fixed exporter route remains subject to host-managed
`observability-otlp-local` policy. Live check 11 removes that host
policy, recreates the marker as the sandbox user, proves the exact raw
route is denied without capture, and runs real marker-triggered
deterministic instrumentation with zero captures before restoring the
policy. It also retains alternate host/path/method/port and
unmanaged-binary denials with policy active.
- Check 09 no longer repairs observability by re-running the stateful
entrypoint. The host registry is authoritative, the persistent marker is
derived convenience state, and disagreement fails closed both before and
after policy mutation. Merged #6506 prevents status/connect route probes
from clearing that marker by using the side-effect-free managed-exec
boundary.
- Startup rejects directory, symlink, and other non-regular marker
targets before either the enabled or disabled branch. Enabled
replacement treats the destination as a file, closing the
directory-descent edge case raised by the exact-head advisor.
- Current `main` includes #6506's side-effect-free managed-exec boundary
and #6494's durable observability lifecycle. Both are retained together
with this PR's host-registry agreement checks and no-policy proof; no
contributor work was replaced.
- The proxy env file remains intentionally volatile in `/tmp`: each
stateful entrypoint reconstructs it from root-owned image proxy inputs,
while the observability marker under `/sandbox/.deepagents` must survive
policy-only reloads that do not carry the sandbox-create environment.
Their different locations reflect different lifetime contracts, not
inconsistent authority.

## Exact-head validation plan
- Re-run automatic CI, CodeRabbit, GPT, and Nemotron advisors on
`0570b876d6e85bcb110823d5f8b6a5553d266f34`.
- Re-run `ubuntu-repo-cloud-langchain-deepagents-code` to prove Tavily
is denied after check 09 cleanup and remains denied across the check 12
rebuild.
- Re-run `cloud-onboard` to prove the non-DCode sandbox skips before
requiring `expect`.
- Re-run `credential-sanitization` for the named-limit parity change.
- Hold merge until tomorrow even if all gates pass earlier.

## Failure evidence addressed
- Focused DCode run
[28978277604](https://github.com/NVIDIA/NemoClaw/actions/runs/28978277604):
check 09 left durable Tavily state that check 12 correctly replayed
before the strict egress boundary.
- Cloud/credential run
[28978281322](https://github.com/NVIDIA/NemoClaw/actions/runs/28978281322):
generic OpenClaw cloud-onboard required `expect` before reaching its
DCode-only skip; credential-sanitization passed.
- Superseded follow-up run
[28980032707](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032707):
Tavily cleanup and strict egress passed, then check 11 proved that
policy reload had cleared the runtime-functional `/tmp` observability
marker. The current head retains current `main`'s durable marker under
`/sandbox/.deepagents`.
- Superseded follow-up run
[28980032711](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032711):
cloud-onboard and credential-sanitization both passed.
- Superseded follow-up run
[28981014655](https://github.com/NVIDIA/NemoClaw/actions/runs/28981014655):
after the marker moved to `/sandbox`, check 11 proved that Tavily policy
cleanup could still reconstruct runtime convenience state and remove it.
The current head uses current `main`'s absent-env-preserves lifecycle
and fails if the authoritative registry and derived marker disagree;
check 09 does not repair drift.
- Superseded follow-up run
[28981369440](https://github.com/NVIDIA/NemoClaw/actions/runs/28981369440):
cloud-onboard and credential-sanitization both passed on the
collaborator head; exact-head rerun pending.
- Superseded follow-up run
[28981690759](https://github.com/NVIDIA/NemoClaw/actions/runs/28981690759):
check 09 restored Tavily but sampled observability after policy-add had
already reloaded the sandbox, so check 11 found the marker absent. This
showed that sandbox marker sampling cannot be the authoritative source
of host intent.
- Superseded follow-up run
[28982642290](https://github.com/NVIDIA/NemoClaw/actions/runs/28982642290):
check 09 restored Tavily and check 10 passed, but check 11 found the
marker absent because a pre-#6506 status/connect route probe had already
invoked the stateful entrypoint without observability. Current `main`
supplies #6506's side-effect-free managed-exec probe and #6494's
explicit observability lifecycle, while this head compares the host
registry and persistent marker before and after policy mutation instead
of masking drift with a repair.
- Superseded exact-head focused run
[28983221993](https://github.com/NVIDIA/NemoClaw/actions/runs/28983221993)
passed every typed DCode check 03–12: check 09 reported 9/9, check 11
reported 11/11, and check 12 proved post-rebuild denial. Combined run
[28983222022](https://github.com/NVIDIA/NemoClaw/actions/runs/28983222022)
passed cloud-onboard and credential sanitization. These runs were
invalidated only to address the advisor's unsafe-target edge case and
add the stricter no-host-policy leak proof now running on the current
head.
- Superseded advisor run
[28983777162](https://github.com/NVIDIA/NemoClaw/actions/runs/28983777162)
rated the safety changes `merge_as_is` from GPT with no findings;
Nemotron agreed both substantive findings were resolved and requested
only the `/tmp` versus `/sandbox` lifetime cross-reference now present
on the current head.

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved validation for credential names and context placeholders,
including oversized names.
* Strengthened proxy environment file handling to prevent
destination-path issues.
  * Clarified and stabilized observability policy and marker handling.

* **Tests**
* Expanded end-to-end coverage for observability, Tavily access,
tracing, and auto-approval behavior.
* Standardized test environment paths and added boundary-case validation
for credential patterns.
  * Improved platform-specific launcher test reliability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Splits the oversized Deep Agents Code image contract test into focused
image and credential-boundary suites, with shared wrapper fixtures. This
extracts the test-only split from NVIDIA#6431 so it can land independently and
restores the 1,500-line budget without changing assertions or adding an
exception.

## Changes
- Move all 57 credential-boundary tests byte-for-byte into
`test/langchain-deepagents-code-image-credentials.test.ts`, leaving 18
image contracts in the original suite.
- Extract shared Deep Agents Code file and wrapper fixtures into
`test/helpers/langchain-deepagents-code-image.ts`.
- Update source comments that identify the canonical secret-corpus
regression test.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [x] Existing tests cover changed behavior — justification: this
structural split preserves all 75 existing test cases and assertions;
both focused suites pass together.
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no product behavior changed,
and documentation review confirmed the existing `SECURITY.md` reference
remains accurate.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: credential assertions
moved byte-for-byte, source changes are comment-only, and the focused
75-test integration run passed.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: `npx
vitest run --project integration
test/langchain-deepagents-code-image.test.ts
test/langchain-deepagents-code-image-credentials.test.ts` (2 files, 75
tests passed); `npm run test-size:check`, `npm run test:projects:check`,
`npm run test:titles:check`, and `npm run source-shape:check` passed.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Tests**
* Added shared integration-test utilities to create temporary wrapper
fixtures and execute them in a controlled environment.
* Introduced a dedicated credential boundary test suite to verify
secret-shape rejection, strict placeholder matching, token-format
exceptions, auth/credential store fail-closed behavior, and disallowed
mutation/command inputs.
* Updated the existing image test suite to reuse the shared helpers and
remove redundant scenarios.
* **Documentation**
* Updated a SECURITY/guard comment to reference the correct regression
test corpus for secret-pattern parity.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Aaron Erickson <aerickson@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…VIDIA#6431)

<!-- markdownlint-disable MD041 -->
## Summary
Replaces NemoClaw's build-time mutation of the released Deep Agents
bootstrap with a first-party `deepagents.harness_profiles` plugin for
`deepagents-code==0.1.34` / `deepagents==0.7.0a6`. The two managed
OpenAI-compatible model keys continue to receive the released native
Nemotron 3 Ultra profile, with exact version/source gates and no
third-party source changes.

## Related Issue
Fixes NVIDIA#6424

## Changes
- Add and install `nemoclaw-deepagents-profile==0.1.0` through Deep
Agents' supported profile entry-point lifecycle.
- Register only the two NemoClaw-managed aliases against the released
canonical Ultra profile, atomically and idempotently.
- Fail the image build on missing or unimportable dependencies,
mismatched distribution/package roots, copied/installed adapter-source
drift, or released-profile/bootstrap drift.
- Run a DCode-only negative Docker build from the current hash-locked
base, strip both upstream distributions, and prove failure occurs at the
isolated import gate before the later dependency check.
- Build and install a real unreviewed-version plugin wheel and prove the
actual validator rejects it.
- Verify entry-point discovery, all 12 middleware entries,
unrelated-model isolation, graph compilation, and allowed/denied
execute-dispatch parity against the official wheels.
- Split image/runtime and credential-boundary contracts into balanced
756/755-line suites with a 113-line shared helper, preserving all 75
original tests and substantial per-file size headroom.
- Remove the installed-bootstrap patcher and document that the adapter
must be removed, not rehashed, once reviewed dependencies provide both
exact aliases.
- Preserve the merged DCode hardening and paced `/agents` first-run TUI
behavior from NVIDIA#6410 / NVIDIA#6418.

## Automated review dispositions

- **License metadata:** the production package keeps the PEP 639 SPDX
string and builds unchanged with lock-pinned `setuptools==82.0.1`; the
production validator now requires exact installed-wheel
`License-Expression: Apache-2.0` metadata, with a negative
metadata-drift test. The legacy conversion is a localized offline
wrong-version fixture with explicit source-boundary and
removal-condition documentation. Remove the fixture-only conversion once
runner setuptools accepts PEP 639 strings; production never uses it.
- **Plain-progress build output:** plain progress remains necessary to
prove the exact import-failure marker. Before Docker runs, the gate now
rejects every Docker `ARG` name outside a complete reviewed allowlist,
while tests pin the only passed build arguments to the two public
`BASE_IMAGE` references. Behavior tests inject unreviewed uppercase,
lowercase, and continued ARG declarations across all three Dockerfiles
and prove rejection occurs before any build; the targeted DCode E2E job
runs the same script with real Docker before live tests.
- **Adapter build-layer retention:** Docker can retain the copied
project tree in an image layer or failed local build cache. This is
accepted because it contains only public, first-party Apache-2.0 source
and metadata, while the installed Python module necessarily ships the
same source; revisit if any adapter input becomes secret-bearing or
non-public.
- **Credential redaction parity:** `PASS`/`PASSWD`,
quoted/space-separated assignments, punctuation-bearing values, and
bounded camel/acronym aliases now share the same fail-closed policy
across the Bash wrapper, managed Python runtime, observability scrubber,
config filter, full/sensitive-text redactors, structured-log classifier,
TUI sanitizer, and E2E redactors. The separator lookbehind is capped at
32 horizontal characters to prevent attacker-controlled scans;
private-key blocks are scrubbed before assignment matching. Positive
tests cover `customPass`, `DBPass`, and known secret `*Key` families,
while `COMPASS`/`BYPASS`, `TOPSECRET`/`SUBTOKEN`, pass-rate fields,
`publicKey`, and `customKey` remain untouched.
- **OpenShell TLS key provenance:** the canonical mounted path is
intentionally accepted only from the supervisor-owned runtime
environment and rejected from the mutable DCode `.env`. The split
credential suite now proves both sides explicitly, matching the existing
wrapper-identity coverage; allowing it in `.env` would weaken the
boundary.
- **Docker auth cleanup:** the shared workflow validator requires
exactly one canonical cleanup with `if: always()` as the final job step.
A DCode-specific mutation test now also rejects moving cleanup before
the import gate.
- **Private-key and fixture helpers:** multiline private-key matching is
consolidated into the live generic matcher with a required-newline mode,
preserving comment behavior while removing 12 lines. Profile-hash
fixture replacement is now whitespace/quote tolerant while still
requiring one exact reviewed constant and digest. A focused regression
covers both formatting variants and duplicate-definition rejection; use
an AST transform only if the current two-constant scope grows.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: public CLI, configuration,
model IDs, and user-visible behavior are unchanged; the existing DCode
quickstart is implementation-neutral.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — the prior security and supply-chain approval is
NVIDIA#6431 (review);
fresh exact-head re-review will be requested after the current full
fan-out because the head changed.
- [x] Non-success, skipped, or missing CI check accepted by maintainer —
`e2e-all` baseline failures accepted in
NVIDIA#6431 (review);
follow-ups NVIDIA#6381/NVIDIA#6384 and NVIDIA#6467/NVIDIA#6474.

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — `npm run check:diff` passed on
`e78d3ef7`; the independently runnable image/runtime and
credential-boundary suites passed 18 of 18 and 123 of 123; the final
cross-surface security/parity audit passed 96 of 96; fresh-cache
real-wheel validation and the isolated three-package import probe
passed.
- [ ] Applicable broad gate passed — exact-head focused DCode run
[28971629788](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629788)
and cloud-onboard run
[28971629739](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629739)
passed on `e78d3ef7`; full fan-out run
[28972330045](https://github.com/NVIDIA/NemoClaw/actions/runs/28972330045)
is in progress. The prior full run
[28919686103](https://github.com/NVIDIA/NemoClaw/actions/runs/28919686103)
passed 77 of 79 applicable jobs; its two failures reproduced identically
on retry and `main` run
[28911441118](https://github.com/NVIDIA/NemoClaw/actions/runs/28911441118),
with the prior maintainer waiver recorded
[here](NVIDIA#6431 (review)).
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

## Exact-head advisor evidence

- [`ubuntu-repo-cloud-langchain-deepagents-code` run
28971629788](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629788)
passed on exact head `e78d3ef7f43f3242486dedc4b5b2b42e0585d041`. The
production-image validator covered plugin discovery and
installed-distribution binding, official source hashes, both aliases and
all 12 middleware entries, unrelated-model isolation, graph compilation,
and allowed/denied execute dispatch parity.
- The same exact-head run passed the real-Docker stripped-dependency
import gate before live E2E, then passed image version checks
(`deepagents-code==0.1.34`, `deepagents==0.7.0a6`), direct and
login-shell headless `PONG`, and interactive TUI acceptance with the
optional name prompt and no model picker.
- The advisor-required [`cloud-onboard` run
28971629739](https://github.com/NVIDIA/NemoClaw/actions/runs/28971629739)
also passed on that exact SHA.
- CodeRabbit is green with no unresolved threads. Exact-head advisor run
28971565095 reported zero GPT findings but requested the runtime
evidence above; Nemotron's two attempts were non-advisory JSON-parse
failures. Both advisors will be rerun against this updated evidence.
- The localized import-gate removal condition is tracked in NVIDIA#6424 rather
than a new cleanup issue.
- Exact-head full fan-out run
[28972330045](https://github.com/NVIDIA/NemoClaw/actions/runs/28972330045)
is in progress; the prior baseline waiver remains applicable only if the
same two unrelated failures recur.

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a first-party Nemotron 3 Ultra profile plugin that registers
managed model aliases.
* **Bug Fixes / Security**
* Strengthened fail-closed validation for the released profile,
including integrity checks and managed vs native dispatch parity (with
denied-shell behavior).
* Hardened secret/credential detection and redaction so `PASS`-keyed
values are treated as sensitive.
* **CI / Quality**
* Added build-time and workflow-boundary checks ensuring images reject
missing base dependencies.
* **Tests**
* Expanded plugin/profile-contract, image behavior, and
end-to-end/workflow coverage.
* **Chores**
* Updated the container build flow to install and validate the plugin
artifact at build time, removing the standalone patch approach.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
## Summary

Harden the managed Nemotron 3 Ultra DCode aliases at two separate
compatibility
boundaries: emit the model-specific nonempty-content template argument
required
for reasoning-plus-tool-call requests, and reject the observed literal
`[content]` execute placeholder before it reaches shell dispatch.

NVIDIA#6431 is merged; this PR is based directly on current `main`. It leaves
the
canonical NVIDIA profile and all unrelated models unchanged.

## Source boundary and lifecycle

- `force_nonempty_content`: the invalid empty-assistant-content state
originates
in the Ultra serving template. NemoClaw owns only the generated
per-model
request configuration. Remove the override after a reviewed
serving/client
update works for both managed Ultra IDs without it and the live DCode
E2E passes.
- Execute guard: the invalid state is a model-produced tool call whose
complete
`execute.command` is the literal `[content]` (ignoring ASCII whitespace
around the token and
brackets, and case). NemoClaw owns the managed alias middleware
immediately before dispatch,
not the model, serving template, or hash-locked canonical Deep Agents
profile.
Remove the guard only after those upstream paths no longer produce or
convert
  the placeholder and the focused plus live tests pass with it deleted.

## Changes

- Generate `force_nonempty_content = true` only for the two managed
Ultra model IDs.
- Add a managed-alias-only sync/async middleware guard for the exact
placeholder;
  concrete execute commands and other tools pass through unchanged.
- Validate rejection through the pinned LangChain `ToolMessage.content`
API in
  the image validator, fixture, and hosted E2E probe.
- Preserve atomic/idempotent profile registration with the process-local
  registry as source of truth and a lock around multi-key registration.
- Persist the credential-free observability enable bit across
environment-less
policy restarts; create/rebuild/clone paths pass an explicit `1` or `0`.
- Record invalid-state sources, regression evidence, and removal
conditions in
  the dependency review.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI, setting,
supported-model choice, or operator workflow changes; the internal
dependency review is updated
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: pending maintainer
review
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — combined Ultra, lifecycle,
current-main, and acceptance suites passed 159/159; the post-hook
launcher/acceptance subset passed 33/33
- [ ] Applicable broad gate passed — final exact-head regular CI and
hosted Deep Agents Code E2E are running
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added model-specific “Ultra” configuration for selected
OpenAI-compatible model IDs to enforce non-empty tool-call/reasoning
content.
* Added managed execute placeholder guard behavior and deeper end-to-end
validation for Tavily policy remove/restore ordering and observability
recovery.
* **Bug Fixes**
* Hardened managed execute handling to reject placeholder `execute`
calls (including async/sync parity) while allowing concrete commands.
* Improved managed alias registration for safer atomic idempotence and
rollback.
* **Documentation**
* Updated compatibility/validation guidance and the dependency advisory
review hash.
* **Tests**
* Expanded E2E/profile/config contract tests, including workflow
host-dependency step ordering and guard dispatch assertions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Prepares the user documentation for NemoClaw v0.0.78 by replacing the
unreleased section with release highlights and synchronizing the
affected inference, lifecycle, messaging, and CLI reference pages with
merged behavior.

## Changes

- Publish the v0.0.78 release-notes section with links to the most
specific user guides for each shipped behavior.
- Document authoritative Deep Agents route health, Nemotron Ultra
profile behavior, and Hermes compatible-endpoint context metadata.
- Document forced rebuild recovery after total backup failure and the
ownership-safe tunnel/full-stop behavior.
- Keep command examples and shared agent variants aligned with the
current OpenClaw, Hermes, and Deep Agents interfaces.

Source mapping:

- [NVIDIA#3787](NVIDIA#3787) ->
`docs/about/release-notes.mdx`: Record reliable workspace template
seeding during sandbox startup.
- [NVIDIA#4960](NVIDIA#4960) ->
`docs/about/release-notes.mdx`: Record safer detection of rewritten
OpenClaw gateway processes.
- [NVIDIA#5676](NVIDIA#5676) ->
`docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON
handling.
- [NVIDIA#5857](NVIDIA#5857) ->
`docs/about/release-notes.mdx`: Record synchronization of explicit
OpenClaw main-agent model state.
- [NVIDIA#5929](NVIDIA#5929) ->
`docs/about/release-notes.mdx`: Record copyable SSH port-forward
guidance for remote dashboards.
- [NVIDIA#6068](NVIDIA#6068) ->
`docs/about/release-notes.mdx`: Record custom-image plugin provenance
reconciliation.
- [NVIDIA#6116](NVIDIA#6116) ->
`docs/about/release-notes.mdx`: Record live-loopback dashboard-forward
recovery.
- [NVIDIA#6122](NVIDIA#6122) ->
`docs/about/release-notes.mdx`: Announce validated, round-trippable
policy YAML output.
- [NVIDIA#6211](NVIDIA#6211) ->
`docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`,
`docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild
--force` recovery boundary.
- [NVIDIA#6283](NVIDIA#6283) ->
`docs/about/release-notes.mdx`: Record Hermes WebUI port alignment.
- [NVIDIA#6293](NVIDIA#6293) ->
`docs/inference/switch-inference-providers.mdx`,
`docs/about/release-notes.mdx`: Document compatible-endpoint
context-length probing for Hermes.
- [NVIDIA#6320](NVIDIA#6320) ->
`docs/about/release-notes.mdx`: Record bounded gateway-recovery waits.
- [NVIDIA#6377](NVIDIA#6377) ->
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain
rebuild diagnostics and prepared MCP-destroy recovery.
- [NVIDIA#6412](NVIDIA#6412) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document authoritative agent-visible
inference route health.
- [NVIDIA#6421](NVIDIA#6421) ->
`docs/about/release-notes.mdx`: Record the longer quiet-pull window for
managed vLLM images.
- [NVIDIA#6431](NVIDIA#6431) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document the version-pinned Nemotron
Ultra profile plugin.
- [NVIDIA#6439](NVIDIA#6439) ->
`docs/about/release-notes.mdx`: Summarize the authenticated, pinned
credential-capture helper boundary.
- [NVIDIA#6450](NVIDIA#6450) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document
host-forward cleanup and ownership-safe gateway-port release.
- [NVIDIA#6474](NVIDIA#6474) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/about/release-notes.mdx`: Record composable OpenClaw messaging
runtime loaders.
- [NVIDIA#6475](NVIDIA#6475) ->
`docs/about/release-notes.mdx`: Record removal of the unavailable Kimi
K2.6 production endpoint option.
- [NVIDIA#6480](NVIDIA#6480) ->
`docs/about/release-notes.mdx`: Record stderr routing for the plugin
registration banner.
- [NVIDIA#6481](NVIDIA#6481) ->
`docs/about/release-notes.mdx`: Record post-pull Ollama model discovery
checks.
- [NVIDIA#6482](NVIDIA#6482) ->
`docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon
restart.
- [NVIDIA#6486](NVIDIA#6486) ->
`docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep
Agents auto-approval boundary.
- [NVIDIA#6490](NVIDIA#6490) ->
`docs/about/release-notes.mdx`: Record diagnostics for custom images
missing the managed runtime.
- [NVIDIA#6494](NVIDIA#6494) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document nonempty tool-call content
preservation and placeholder rejection.
- [NVIDIA#6497](NVIDIA#6497) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document isolated Deep Agents
route-probe output.
- [NVIDIA#6506](NVIDIA#6506) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document observability-preserving
managed route probes.
- [NVIDIA#6508](NVIDIA#6508) ->
`docs/about/release-notes.mdx`: Link the new extension taxonomy and
SDK-readiness reference from the release summary.

Release-source verification: GitHub reports all 29 cited source PRs as
merged with base `main`, and every merge commit is an ancestor of
`origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No
source-mapping mismatches were found.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates

<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Documentation-only
release-prep changes; `npm run docs` validates variants, routes, and
Fern content.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
are not applicable to this documentation-only change set.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — exited
0 with zero errors; Fern reported the existing unauthenticated
redirect-check and light-mode contrast warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>

---------

Signed-off-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Follow-up to NVIDIA#6431 for exact-head validation failures that completed
immediately before that PR merged. This isolates sequential DCode E2E
state, preserves observability across policy-only reloads, lets generic
OpenClaw cloud-onboard runs skip DCode-only TUI prerequisites, and
closes the remaining valid advisor requests without changing user-facing
behavior.

## Related Issue
Follow-up to NVIDIA#6431, which closed NVIDIA#6424. No new issue.

## Changes
- Remove the durable Tavily preset after check 09, arm cleanup on
`EXIT`, and fail unless managed DCode Python returns to the default
network denial.
- Move check 12's `expect`, Node, and timeout prerequisites after its
DCode sandbox guard. Generic `cloud-onboard` therefore skips correctly;
typed DCode jobs continue to require and install `expect`.
- Keep the credential-free observability enable marker in managed
`/sandbox/.deepagents` state for exec/login recovery. Current `main` now
owns the durable lifecycle: absent entrypoint env preserves the bit
across policy-only restarts, while create/rebuild/clone pass an explicit
authoritative `1` or `0`. Check 09 requires the host registry's DCode
`observabilityEnabled=true` intent and the exact persistent marker to
agree before and after Tavily policy mutation; it fails rather than
reconstructing intent from sandbox-writable state. Host-managed network
policy remains the egress boundary.
- Reject a pre-existing non-regular or symlink marker target with a
clear startup error, and use no-target-directory replacement so a raced
directory cannot absorb the enabled marker. Fixtures cover both enabled
and disabled startup.
- In live check 11, remove only `observability-otlp-local`, recreate the
exact marker as the sandbox user, and prove both the normally allowed
raw route and marker-triggered deterministic instrumentation produce
zero host captures. Restore only from an exactly inactive policy state
before the existing positive trace checks.
- Replace repeated credential-name limit literals with
`CREDENTIAL_NAME_PREFIX_MAX_LENGTH` and prove every Bash quantifier
remains equal to the canonical TypeScript context-pattern limit.
- Cover exact 128/129 context-prefix behavior, oversized OpenShell
placeholders, and Tavily cleanup-command failures through the real
wrapper/self-test boundaries.
- Preserve the merged NVIDIA#6494 Nemotron Ultra request hardening and its
observability create/snapshot lifecycle while resolving the overlapping
follow-up checks against current `main`.
- Keep standalone DCode Tavily persistence and rebuild behavior
unchanged.
- Avoid the rejected alternative of adding a privileged 47-line
apt/workflow boundary to the generic cloud job.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI, configuration,
model-ID, policy, or user-visible behavior changes
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — fresh exact-head review pending
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
none currently accepted

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — after merging current `main`, focused
DCode integration suites pass 210/210 and focused E2E-support suites
pass 37/37. Bash syntax, ShellCheck, source-shape, test-size, build,
TypeScript typecheck, commit, and pre-push hooks pass
- [ ] Applicable broad gate passed — fresh exact-head CI, advisors,
focused DCode E2E, cloud-onboard, and credential-sanitization pending
- [ ] Quality Gates section completed with required justifications or
waivers — exact-head sensitive-path review pending
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

## Advisor dispositions
- Source-of-truth review: the invalid state is a managed DCode exec
losing host-selected observability because raw exec/login processes do
not inherit entrypoint environment and policy mutation reloads do not
re-run the entrypoint. Current `main` now owns `start.sh`
materialization plus `dcode-launcher.sh` recovery under
`/sandbox/.deepagents`; create/rebuild/clone carry the registry's
explicit `1`/`0` intent, and snapshot restore honors that authoritative
registry state so an earlier enabled snapshot does not override a later
opt-out. This PR adds fail-closed registry/marker agreement checks and
the no-policy export proof. Remove the bridge only when OpenShell both
propagates the bit to exec/login processes and preserves it through
policy reloads or re-runs the entrypoint.
- Sequential Tavily isolation is exercised by the required typed target
on one sandbox: check 09 proves denial immediately after cleanup; checks
10 and 11 do not mutate Tavily; check 12 rebuilds and then invokes check
06, which proves both managed and project-venv Python remain denied from
`api.tavily.com`. This gives immediate and post-rebuild denial evidence
without redundant probes after non-mutating checks.
- The marker integration test runs the transformed `start.sh` with
`NEMOCLAW_OBSERVABILITY=1`, verifies the
`/sandbox/.deepagents/.nemoclaw-observability-enabled` value and mode,
removes volatile runtime state, proves absent-env restart and launcher
recovery, and proves explicit `0` removal. Live check 11 verifies the
literal sandbox path.
- The `/sandbox/.deepagents` marker is intentionally untrusted
convenience state, not authorization. A sandbox user can request local
instrumentation by recreating the exact marker, but cannot grant OTLP
egress; the fixed exporter route remains subject to host-managed
`observability-otlp-local` policy. Live check 11 removes that host
policy, recreates the marker as the sandbox user, proves the exact raw
route is denied without capture, and runs real marker-triggered
deterministic instrumentation with zero captures before restoring the
policy. It also retains alternate host/path/method/port and
unmanaged-binary denials with policy active.
- Check 09 no longer repairs observability by re-running the stateful
entrypoint. The host registry is authoritative, the persistent marker is
derived convenience state, and disagreement fails closed both before and
after policy mutation. Merged NVIDIA#6506 prevents status/connect route probes
from clearing that marker by using the side-effect-free managed-exec
boundary.
- Startup rejects directory, symlink, and other non-regular marker
targets before either the enabled or disabled branch. Enabled
replacement treats the destination as a file, closing the
directory-descent edge case raised by the exact-head advisor.
- Current `main` includes NVIDIA#6506's side-effect-free managed-exec boundary
and NVIDIA#6494's durable observability lifecycle. Both are retained together
with this PR's host-registry agreement checks and no-policy proof; no
contributor work was replaced.
- The proxy env file remains intentionally volatile in `/tmp`: each
stateful entrypoint reconstructs it from root-owned image proxy inputs,
while the observability marker under `/sandbox/.deepagents` must survive
policy-only reloads that do not carry the sandbox-create environment.
Their different locations reflect different lifetime contracts, not
inconsistent authority.

## Exact-head validation plan
- Re-run automatic CI, CodeRabbit, GPT, and Nemotron advisors on
`0570b876d6e85bcb110823d5f8b6a5553d266f34`.
- Re-run `ubuntu-repo-cloud-langchain-deepagents-code` to prove Tavily
is denied after check 09 cleanup and remains denied across the check 12
rebuild.
- Re-run `cloud-onboard` to prove the non-DCode sandbox skips before
requiring `expect`.
- Re-run `credential-sanitization` for the named-limit parity change.
- Hold merge until tomorrow even if all gates pass earlier.

## Failure evidence addressed
- Focused DCode run
[28978277604](https://github.com/NVIDIA/NemoClaw/actions/runs/28978277604):
check 09 left durable Tavily state that check 12 correctly replayed
before the strict egress boundary.
- Cloud/credential run
[28978281322](https://github.com/NVIDIA/NemoClaw/actions/runs/28978281322):
generic OpenClaw cloud-onboard required `expect` before reaching its
DCode-only skip; credential-sanitization passed.
- Superseded follow-up run
[28980032707](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032707):
Tavily cleanup and strict egress passed, then check 11 proved that
policy reload had cleared the runtime-functional `/tmp` observability
marker. The current head retains current `main`'s durable marker under
`/sandbox/.deepagents`.
- Superseded follow-up run
[28980032711](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032711):
cloud-onboard and credential-sanitization both passed.
- Superseded follow-up run
[28981014655](https://github.com/NVIDIA/NemoClaw/actions/runs/28981014655):
after the marker moved to `/sandbox`, check 11 proved that Tavily policy
cleanup could still reconstruct runtime convenience state and remove it.
The current head uses current `main`'s absent-env-preserves lifecycle
and fails if the authoritative registry and derived marker disagree;
check 09 does not repair drift.
- Superseded follow-up run
[28981369440](https://github.com/NVIDIA/NemoClaw/actions/runs/28981369440):
cloud-onboard and credential-sanitization both passed on the
collaborator head; exact-head rerun pending.
- Superseded follow-up run
[28981690759](https://github.com/NVIDIA/NemoClaw/actions/runs/28981690759):
check 09 restored Tavily but sampled observability after policy-add had
already reloaded the sandbox, so check 11 found the marker absent. This
showed that sandbox marker sampling cannot be the authoritative source
of host intent.
- Superseded follow-up run
[28982642290](https://github.com/NVIDIA/NemoClaw/actions/runs/28982642290):
check 09 restored Tavily and check 10 passed, but check 11 found the
marker absent because a pre-NVIDIA#6506 status/connect route probe had already
invoked the stateful entrypoint without observability. Current `main`
supplies NVIDIA#6506's side-effect-free managed-exec probe and NVIDIA#6494's
explicit observability lifecycle, while this head compares the host
registry and persistent marker before and after policy mutation instead
of masking drift with a repair.
- Superseded exact-head focused run
[28983221993](https://github.com/NVIDIA/NemoClaw/actions/runs/28983221993)
passed every typed DCode check 03–12: check 09 reported 9/9, check 11
reported 11/11, and check 12 proved post-rebuild denial. Combined run
[28983222022](https://github.com/NVIDIA/NemoClaw/actions/runs/28983222022)
passed cloud-onboard and credential sanitization. These runs were
invalidated only to address the advisor's unsafe-target edge case and
add the stricter no-host-policy leak proof now running on the current
head.
- Superseded advisor run
[28983777162](https://github.com/NVIDIA/NemoClaw/actions/runs/28983777162)
rated the safety changes `merge_as_is` from GPT with no findings;
Nemotron agreed both substantive findings were resolved and requested
only the `/tmp` versus `/sandbox` lifetime cross-reference now present
on the current head.

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved validation for credential names and context placeholders,
including oversized names.
* Strengthened proxy environment file handling to prevent
destination-path issues.
  * Clarified and stabilized observability policy and marker handling.

* **Tests**
* Expanded end-to-end coverage for observability, Tavily access,
tracing, and auto-approval behavior.
* Standardized test environment paths and added boundary-case validation
for credential patterns.
  * Improved platform-specific launcher test reliability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: ci CI workflows, checks, release automation, or GitHub Actions area: e2e End-to-end tests, nightly failures, or validation infrastructure area: inference Inference routing, serving, model selection, or outputs area: packaging Packages, images, registries, installers, or distribution integration: dcode LangChain Deep Code integration behavior refactor PR restructures code without intended behavior change v0.0.78 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Replace the DCode Nemotron Ultra source patch with a managed profile plugin

4 participants