Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
6546c08
fix(security): add one-shot credential helper
cv Jul 8, 2026
e4b81c0
docs(security): pin reviewed credential workflow
cv Jul 8, 2026
f6d20f1
test(security): linearize credential helper harness
cv Jul 8, 2026
a5d8d8b
fix(security): pin credential form descriptor
cv Jul 8, 2026
53cd27f
docs(security): repin credential helper artifact
cv Jul 8, 2026
854a132
fix(security): address credential review findings
cv Jul 8, 2026
e84eda7
docs(security): repin reviewed credential artifacts
cv Jul 8, 2026
24837cf
fix(security): sanitize approved command environment
cv Jul 8, 2026
47789c7
docs(security): repin sanitized credential artifacts
cv Jul 8, 2026
0c3f930
fix(security): accept case-insensitive script tags
cv Jul 8, 2026
f393bba
fix(security): canonicalize credential child policy
cv Jul 8, 2026
b4e6ca6
docs(security): repin reviewed credential artifacts
cv Jul 8, 2026
7868566
fix(security): isolate credential execution profiles
cv Jul 8, 2026
9254855
docs(security): repin isolated credential artifacts
cv Jul 8, 2026
78867a3
test(security): keep credential helper tests linear
cv Jul 8, 2026
a413ba3
test(security): clarify generated cleanup marker
cv Jul 8, 2026
22f6ac3
docs(starter-prompt): slim credential capture guidance (#6477)
miyoungc Jul 8, 2026
99f293e
Merge branch 'main' into codex/harden-local-credential-helper
cv Jul 8, 2026
bdf3360
Merge branch 'main' into codex/harden-local-credential-helper
cv Jul 8, 2026
dd61a30
fix(security): drop ambient credential child environment
cjagwani Jul 8, 2026
e5be9d5
docs(security): repin local credential artifacts
cjagwani Jul 8, 2026
ec50830
test(dcode): keep image suite within budget
cv Jul 8, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 20 additions & 15 deletions docs/_components/StarterPrompt.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -89,20 +89,25 @@ Instead, collect the required choices from me first, one clickable selection at

## Handle Tokens Securely and Visually

When you need an API key, bot token, app token, or other secret, prefer the checked-in NemoClaw local credential form instead of chat.

- Ask permission before opening a local credential form.
- Do not generate, rewrite, or redesign credential-form HTML. Use the repository form template from this URL exactly: https://raw.githubusercontent.com/NVIDIA/NemoClaw/c9aac7dc12bacdaa4d38af552b893021049ee836/docs/resources/local-credential-form.html
- Fetch that template or use the local repo copy when available, verify its SHA-256 digest is \`cc746703ab514cf33d7131915f16e8dc19346b26a4d953c5125be81449d6e6f6\`, write the exact bytes into a private temporary directory, then serve it from a helper bound to \`127.0.0.1\` on a random local port.
- Treat that immutable URL and digest as one reviewed trust boundary. Stop if verification fails; do not substitute a different URL, template, or digest.
- Open the served loopback URL, not the raw GitHub URL, in your coding-agent UI's browser. Configure fields with query parameters such as \`?fields=NVIDIA_INFERENCE_API_KEY:secret\` or \`?fields=NEMOCLAW_ENDPOINT_URL:text,NEMOCLAW_MODEL:text,COMPATIBLE_API_KEY:secret\`.
- Implement only the tiny loopback helper around the template: serve the HTML file, accept its \`POST /submit\` JSON payload, keep submitted values in memory, and expose no external network listener. When serving the HTML response, include the HTTP header \`Content-Security-Policy: frame-ancestors 'none'\` because browsers do not enforce that directive from a meta tag.
- Use \`:secret\` fields for secret values and \`:text\` fields for non-secret IDs such as server IDs, allowlists, endpoint URLs, and sandbox names.
- Keep submitted secrets only in memory long enough to run the approved command. Do not print them, write them to logs, commit them, or paste them into chat.
- If you must write a temporary file for the helper, use a private temporary directory, restrict permissions when possible, and delete it immediately after use.
- Show me a redacted summary before running commands, such as \`TELEGRAM_BOT_TOKEN=********\`, and ask permission to continue.
- After the command finishes, shut down the local helper and delete the temporary HTML file.
- If your environment cannot serve a loopback helper, use the local terminal, a secure secret prompt, or the local app prompt that needs the credential. Do not fall back to generated form HTML.
When you need an API key, bot token, app token, or other secret, use the checked-in NemoClaw local credential helper and form instead of chat.

- Before collecting anything, decide the exact environment-variable names and exact command argv that will receive them. Explain the command in plain language, say that the form's final confirmation runs that already-approved command immediately, and ask my permission.
- Do not generate, rewrite, or redesign the helper or form. Use this reviewed pair exactly, and verify both SHA-256 digests before use:
- Helper: https://raw.githubusercontent.com/NVIDIA/NemoClaw/dd61a307d7ddf7be99de8ff1e2678fb8ef42f8e6/scripts/local-credential-helper.mts (SHA-256 \`1a42bbe8dbc9003cb79d4e641b53760571aacd85293671aee97c09c0746fef33\`)
- Form: https://raw.githubusercontent.com/NVIDIA/NemoClaw/dd61a307d7ddf7be99de8ff1e2678fb8ef42f8e6/docs/resources/local-credential-form.html (SHA-256 \`5512a256e0ad7c63a26ab82cf4f5924e98652097172ab8a5dc9d9358dd4f6ae8\`)
- Treat the two immutable URL and digest pairs as one reviewed trust boundary. Stop if either verification fails; do not substitute another URL, helper, form, or digest. Put fetched copies in a private temporary directory restricted to the current user.
- The helper requires Node.js 22.16 or newer. If that runtime is unavailable, use a secure local terminal prompt or local app prompt instead; never ask for the value in chat and never fall back to generated code.
- Run the helper with \`--execution-profile isolated\` for stateless commands. Pass one \`--field NAME:type\` per value, then a literal \`--\` and the exact approved argv. The helper serves a one-time \`http://127.0.0.1\` form, accepts a single submission, then runs that argv; it enforces loopback-only access, requires an absolute executable, and strips ambient credential and process-control variables. Never put credentials in argv. For example:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Env-hardening wording understates the actual behavior.

The helper now inherits zero ambient environment (sanitizeInheritedChildEnvironment returns {}), so the child receives only the execution-profile environment plus explicitly submitted fields. "strips ambient credential and process-control variables" reads as selective stripping and understates the guarantee this prompt asks non-technical users to trust.

📝 Suggested wording
-it enforces loopback-only access, requires an absolute executable, and strips ambient credential and process-control variables.
+it enforces loopback-only access, requires an absolute executable, and inherits no ambient environment (the child receives only the execution-profile environment and the values I submit).
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- Run the helper with \`--execution-profile isolated\` for stateless commands. Pass one \`--field NAME:type\` per value, then a literal \`--\` and the exact approved argv. The helper serves a one-time \`http://127.0.0.1\` form, accepts a single submission, then runs that argv; it enforces loopback-only access, requires an absolute executable, and strips ambient credential and process-control variables. Never put credentials in argv. For example:
- Run the helper with `--execution-profile isolated` for stateless commands. Pass one `--field NAME:type` per value, then a literal `--` and the exact approved argv. The helper serves a one-time `http://127.0.0.1` form, accepts a single submission, then runs that argv; it enforces loopback-only access, requires an absolute executable, and inherits no ambient environment (the child receives only the execution-profile environment and the values I submit). Never put credentials in argv. For example:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/_components/StarterPrompt.tsx` at line 100, Update the helper
description in StarterPrompt so it accurately states that the child process
receives no inherited ambient environment at all, not just that some credential
or process-control variables are stripped. Adjust the wording around the
stateless command helper text to reference sanitizeInheritedChildEnvironment and
describe that only the execution-profile environment plus explicitly submitted
fields are provided, keeping the rest of the behavior unchanged.


\`\`\`shell
node --experimental-strip-types <private-dir>/local-credential-helper.mts --execution-profile isolated --form <private-dir>/local-credential-form.html --field NVIDIA_INFERENCE_API_KEY:secret -- <absolute-approved-executable> <approved-args...>
\`\`\`

- Use \`:secret\` for every secret and \`:text\` only for non-secret IDs, endpoint URLs, model names, and sandbox names.
- Open only the one-time \`http://127.0.0.1\` URL the helper prints. In the form, enter the values and choose **Preview Credentials** for a redacted local-only summary, or **Edit** to re-enter them. Choose **Confirm and Run Approved Command** once that summary matches the command I approved.
- If the form says the outcome is unknown, do not retry or resubmit. Check the coding-agent terminal to see whether the command ran, then start a fresh helper session only if needed.
- Keep secrets in memory only long enough to start the command; treat this as exposure minimization, not guaranteed erasure. Do not print, log, commit, or paste them into chat, and delete the fetched copies afterward.
- For a command that must persist account state, such as a NemoClaw install or onboarding run, prefer letting that command prompt for the credential itself. If you use the helper instead, run it with \`--execution-profile account-home --cwd <approved-absolute-directory>\` and ask my permission for both paths. Do not hand-assemble a \`curl | bash\` wrapper.

Use this provider mapping for non-interactive setup:

Expand All @@ -118,7 +123,7 @@ Use this provider mapping for non-interactive setup:
| Local Ollama | \`ollama\` | Optional \`NEMOCLAW_MODEL\`; set \`NEMOCLAW_YES=1\` only if I approve model download |
| Model Router | \`routed\` | \`NVIDIA_INFERENCE_API_KEY\` |

When you have the approved values, run the installer with the environment variables on the \`bash\` side of the pipe, not before \`curl\`.
When you have the approved values, run the installer with the credentials in the environment on the \`bash\` side of the pipe, not before \`curl\`, and never in a command echoed to chat. For an install-time credential, prefer the installer's own secure prompt over routing it through the helper.
Do not offer the Hermes Provider option for OpenClaw or Deep Agents.

For example, for an approved Local Ollama setup:
Expand Down
2 changes: 1 addition & 1 deletion docs/get-started/quickstart-hermes.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ The first Hermes build can take several minutes because NemoClaw builds the Herm

Copy the starter prompt into Cursor, Claude Code, Codex, Copilot, or another local coding agent when you want the assistant to install NemoClaw with you.
The prompt points your agent to [AI Agent Docs](../resources/agent-skills), this quickstart, the Markdown docs, and the optional `nemoclaw-user-guide` skill.
It also asks your agent to confirm Hermes as the selected agent before it builds the install or onboard command, and to reuse the checked-in local credential form for secrets.
It also asks your agent to confirm Hermes as the selected agent before it builds the install or onboard command, and to use the checked-in local credential helper and form after you approve the exact command that will receive the credentials.

<StarterPromptButton />

Expand Down
2 changes: 1 addition & 1 deletion docs/get-started/quickstart-langchain-deepagents-code.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ On macOS, start Docker Desktop or Colima before you run the installer.

Copy the starter prompt into Cursor, Claude Code, Codex, Copilot, or another local coding agent when you want the assistant to install NemoClaw with you.
The prompt points your agent to [AI Agent Docs](../resources/agent-skills), this quickstart, the Markdown docs, and the optional `nemoclaw-user-guide` skill.
It also asks your agent to confirm LangChain Deep Agents Code as the selected agent before it builds the install or onboard command.
It also asks your agent to confirm LangChain Deep Agents Code as the selected agent before it builds the install or onboard command, and to use the checked-in local credential helper and form after you approve the exact command that will receive the credentials.

<StarterPromptButton />

Expand Down
2 changes: 1 addition & 1 deletion docs/get-started/quickstart.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ Review the [Prerequisites](prerequisites) before following this guide.

Copy the starter prompt into Cursor, Claude Code, Codex, Copilot, or another local coding agent when you want the assistant to install NemoClaw with you.
The prompt points your agent to [AI Agent Docs](../resources/agent-skills), this quickstart, the Markdown docs, and the optional `nemoclaw-user-guide` skill.
It also tells your agent to collect choices before launching interactive commands and to reuse the checked-in local credential form for secrets.
It also tells your agent to collect choices before launching interactive commands and to use the checked-in local credential helper and form after you approve the exact command that will receive the credentials.

<StarterPromptButton />

Expand Down
2 changes: 1 addition & 1 deletion docs/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ Install NemoClaw and run the onboard wizard to get started.
### From Your Coding Agent

Copy the starter prompt and paste it into your local coding agent, such as Cursor, Claude Code, Codex, Copilot, or another assistant that can run local commands with your approval.
The prompt tells your agent to use NemoClaw skills when available, bootstrap the docs-routing skill when it is missing, fetch the Markdown docs, ask whether you want OpenClaw, Hermes, or Deep Agents, collect choices one question at a time, and reuse the checked-in local credential form instead of asking you to paste secrets into chat.
The prompt tells your agent to use NemoClaw skills when available, bootstrap the docs-routing skill when it is missing, fetch the Markdown docs, ask whether you want OpenClaw, Hermes, or Deep Agents, collect choices one question at a time, and use the checked-in local credential helper and form after you approve the exact command that will receive the credentials.

<StarterPromptButton />

Expand Down
2 changes: 1 addition & 1 deletion docs/resources/agent-skills.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Use this page when you want your agent to help with installation, inference conf
## Give Your Agent the Starter Prompt

The fastest path is to copy the starter prompt from the NemoClaw home page and paste it into your local coding agent.
The prompt tells the agent to use NemoClaw skills when available, bootstrap the docs-routing skill when missing, use the Markdown docs, ask one question at a time, run commands only with permission, and reuse the checked-in local credential form for secrets.
The prompt tells the agent to use NemoClaw skills when available, bootstrap the docs-routing skill when missing, use the Markdown docs, ask one question at a time, run commands only with permission, and use the checked-in local credential helper and form after you approve the exact command that will receive the credentials.
NemoClaw keeps the prompt text in a shared docs source so the copy button and manual fallback render the same content.

<StarterPromptButton />
Expand Down
Loading
Loading