Skip to content

fix(deepagents-code): report onboard upstream provider in Deep Code TUI#6462

Merged
ericksoa merged 2 commits into
mainfrom
fix/6453-dcode-provider-label
Jul 8, 2026
Merged

fix(deepagents-code): report onboard upstream provider in Deep Code TUI#6462
ericksoa merged 2 commits into
mainfrom
fix/6453-dcode-provider-label

Conversation

@laitingsheng

@laitingsheng laitingsheng commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Managed Deep Code routes all inference through the OpenAI-compatible adapter, so the TUI status bar and the model-identity system prompt reported the wire provider openai even when onboarding selected a different upstream (e.g. NVIDIA Cloud / Nemotron). This shows the onboard-selected upstream provider at those surfaces instead, while the adapter key stays openai for routing.

Related Issue

Fixes #6453

Changes

  • Add a managed_display_provider() helper to the managed runtime that maps the OpenAI-compatible adapter to the onboard-selected upstream (read from the existing NEMOCLAW_UPSTREAM_PROVIDER runtime env), falling back to the adapter name when no valid upstream is present.
  • Route the provider through that helper at the three display surfaces via the managed package patch: StatusBar.set_model (status bar), WelcomeBanner.update_model (launch banner), and build_model_identity_section (agent self-report system prompt). Add status.py and welcome.py to the patched-file set with AST symbol guards.
  • Add a behaviour test that runs the real patcher against a package fixture and asserts the substitution end to end (status bar, banner, self-report), plus the fallback cases (unset, equal-to-adapter, invalid token).
  • Extract the shared package-fixture builder into test/helpers/langchain-deepagents-code-patch-fixture.ts so the new focused test reuses it, keeping every test file within the size budget.

The displayed token mirrors the onboard upstream provider name (default nvidia) — the provider family, not the marketing string; carrying the full display label would require threading it through the onboard → Dockerfile → config chain and is out of scope here.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: corrects an internal TUI status-bar / self-report label; no documented behaviour or user-facing doc page describes the provider label.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: maintainer review requested; the change is display-only and does not alter the managed inference route, adapter key, credential handling, or the patch's fail-closed guards.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result: vitest run on langchain-deepagents-code-provider-label, -direct-module-patch, -progressive-tool-disclosure, -image, -managed-entrypoints — 169 tests passed.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result:
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Tinson Lai tinsonl@nvidia.com

Summary by CodeRabbit

  • New Features

    • Expanded managed upstream provider labeling to additional interface surfaces (including Status and Welcome).
    • Added environment-driven mapping so the displayed provider label can reflect the upstream provider when valid.
  • Bug Fixes

    • Improved validation and fallback behavior to reliably show the managed provider label when upstream input is missing or invalid.
  • Tests

    • Added end-to-end coverage for provider label mapping and UI display behavior, including edge cases.
    • Refreshed test fixtures/harness to verify patching and corruption detection across more UI components.

Managed inference always routes through the OpenAI-compatible adapter, so
the Deep Code TUI status bar and the model-identity system prompt reported
the wire provider "openai" instead of the onboard-selected upstream. Show
the upstream provider (from NEMOCLAW_UPSTREAM_PROVIDER) at those surfaces
while the adapter key stays "openai" for routing.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: caf47fda-a49c-4d71-8dac-5806db65b375

📥 Commits

Reviewing files that changed from the base of the PR and between 6e76905 and bfb025e.

📒 Files selected for processing (5)
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py
  • test/helpers/langchain-deepagents-code-patch-fixture.ts
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-provider-label.test.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • test/helpers/langchain-deepagents-code-patch-fixture.ts
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py

📝 Walkthrough

Walkthrough

This PR adds managed provider display handling for Deep Agents Code, applies it to agent/status/welcome patching, and updates fixtures and tests to cover the new provider-label behavior.

Changes

Managed provider label override

Layer / File(s) Summary
Runtime provider label helper
agents/langchain-deepagents-code/managed-dcode-runtime.py
Adds provider-display constants and managed_display_provider(...) to resolve the visible provider label from the environment.
Patch script overrides and validation
agents/langchain-deepagents-code/patch-managed-deepagents-code.py
Extends the agent patch plus status/welcome patches, and updates module loading, validation, and transformation for the extra upstream files.
Shared fixture and module patch tests
test/helpers/langchain-deepagents-code-patch-fixture.ts, test/langchain-deepagents-code-direct-module-patch.test.ts
Adds a shared temp-fixture helper and refactors patch tests to use it, including status/welcome patch-marker coverage.
Fixture shape and provider label test
test/langchain-deepagents-code-progressive-tool-disclosure.test.ts, test/langchain-deepagents-code-provider-label.test.ts
Updates embedded fixture sources and adds an end-to-end provider-label test across mapped, preserved, missing, and invalid upstream values.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Patcher as patch-managed-deepagents-code.py
  participant Runtime as managed_display_provider
  participant TUI as StatusBar/WelcomeBanner
  participant Agent as build_model_identity_section

  Patcher->>Runtime: inject display-provider rewrite hooks
  Agent->>Runtime: resolve provider for model identity text
  TUI->>Runtime: resolve provider for status and welcome text
  Runtime-->>Agent: mapped or original provider label
  Runtime-->>TUI: mapped or original provider label
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: fixing Deep Code TUI provider labeling for the onboard-selected upstream provider.
Linked Issues check ✅ Passed The changes address the linked issue by remapping the displayed provider in the status bar and agent self-report while leaving the model ID unchanged.
Out of Scope Changes check ✅ Passed The added fixture helpers, patch updates, and tests are all supporting the provider-label fix and do not appear unrelated.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/6453-dcode-provider-label

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File bfb025e +/-
nemoclaw/src/se...cret-scanner.ts 100%
nemoclaw/src/commands/slash.ts 100%
nemoclaw/src/li...bprocess-env.ts 100%
nemoclaw/src/bl...eprint/state.ts 98%
nemoclaw/src/onboard/config.ts 98%
nemoclaw/src/bl...int/snapshot.ts 97%
nemoclaw/src/bl...print/runner.ts 95%
nemoclaw/src/co...ration-state.ts 94%
nemoclaw/src/bl...ate-networks.ts 94%
nemoclaw/src/index.ts 94%

TypeScript / code-coverage/cli

The overall coverage in the branch is 76%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File bfb025e +/-
src/lib/onboard/preflight.ts 82%
src/lib/state/o...oard-session.ts 82%
src/lib/actions...all/run-plan.ts 81%
src/lib/actions...licy-channel.ts 79%
src/lib/actions...box/snapshot.ts 79%
src/lib/state/sandbox.ts 75%
src/lib/onboard...er-gpu-patch.ts 69%
src/lib/policy/index.ts 65%
src/lib/shields/index.ts 61%
src/lib/onboard.ts 28%

Updated July 08, 2026 12:53 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@laitingsheng laitingsheng added NV QA Bugs found by the NVIDIA QA Team bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior labels Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Fix PRA-2: Concurrent modification of managed runtime by PR #6341 creates drift risk; then add or justify PRA-T1.
Open items: 1 required · 3 warnings · 2 suggestions · 5 test follow-ups
Since last review: 2 prior items resolved · 1 still applies · 2 new items found

Action checklist

  • PRA-2 Fix: Concurrent modification of managed runtime by PR feat(performance): add progressive disclosure tests and compositional routing acceptance #6341 creates drift risk in agents/langchain-deepagents-code/managed-dcode-runtime.py:1
  • PRA-1 Resolve or justify: Source-of-truth review needed: Darwin fcntl seal fixture extraction
  • PRA-3 Resolve or justify: Non-NVIDIA provider names pass through unchanged — potential display spoofing in agents/langchain-deepagents-code/managed-dcode-runtime.py:101
  • PRA-4 Resolve or justify: Darwin fcntl seal fixture injection still inlined in patchFixture() in test/helpers/langchain-deepagents-code-patch-fixture.ts:620
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Darwin fcntl seal fixture injection still inlined in patchFixture()
  • PRA-T4 Add or justify test follow-up: Shared test fixture consolidates ~570 lines of duplicated setup
  • PRA-T5 Add or justify test follow-up: Darwin fcntl seal fixture extraction
  • PRA-5 In-scope improvement: Shared test fixture consolidates ~570 lines of duplicated setup in test/helpers/langchain-deepagents-code-patch-fixture.ts:1
  • PRA-6 In-scope improvement: New end-to-end runtime validation test for provider label propagation chain in test/langchain-deepagents-code-provider-label.test.ts:1

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-2 Required security agents/langchain-deepagents-code/managed-dcode-runtime.py:1 Ensure PR #6341 is merged first and this PR rebased onto it, or vice versa. Coordinate with maintainers to sequence merges.
PRA-3 Resolve/justify security agents/langchain-deepagents-code/managed-dcode-runtime.py:101 Consider restricting non-NVIDIA provider display to a known allowlist, or at minimum document the trust assumption that build-time ARGs are not user-controllable.
PRA-4 Resolve/justify tests test/helpers/langchain-deepagents-code-patch-fixture.ts:620 Move the addDarwinFcntlSealConstants call and the two string replacements into the shared helper fixture.
PRA-5 Improvement tests test/helpers/langchain-deepagents-code-patch-fixture.ts:1 No action needed — improvement already realized in this PR.
PRA-6 Improvement correctness test/langchain-deepagents-code-provider-label.test.ts:1 No action needed — test coverage added for the full chain.

🚨 Required before merge

Address these before merging unless a maintainer explicitly overrides the advisor with rationale.

PRA-2 Required — Concurrent modification of managed runtime by PR #6341 creates drift risk

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:1
  • Category: security
  • Problem: PR feat(performance): add progressive disclosure tests and compositional routing acceptance #6341 (feat(performance): add progressive disclosure tests and compositional routing acceptance) also modifies managed-dcode-runtime.py. Both PRs change the same file concurrently, creating risk of merge conflicts and semantic drift in the managed runtime boundary.
  • Impact: If merged out of order, one PR's changes to the managed runtime could be lost or produce invalid combined state, potentially weakening sandbox boundaries.
  • Required action: Ensure PR feat(performance): add progressive disclosure tests and compositional routing acceptance #6341 is merged first and this PR rebased onto it, or vice versa. Coordinate with maintainers to sequence merges.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Compare git diff main...HEAD for both PRs on agents/langchain-deepagents-code/managed-dcode-runtime.py; verify no overlapping hunks after rebase.
  • Missing regression test: No automated cross-PR drift test exists; relies on CI merge queue ordering and maintainer coordination.
  • Done when: The required change is committed and verification passes: Compare git diff main...HEAD for both PRs on agents/langchain-deepagents-code/managed-dcode-runtime.py; verify no overlapping hunks after rebase.
  • Evidence: pr_review_drift_context shows openPrOverlaps with sameFiles: ["agents/langchain-deepagents-code/managed-dcode-runtime.py"] for PR feat(performance): add progressive disclosure tests and compositional routing acceptance #6341
Review findings by urgency: 1 required fix, 3 items to resolve/justify, 2 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: Darwin fcntl seal fixture extraction

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: No new test needed — existing tests verify patcher works on both Linux and Darwin
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: patchFixture() at test/helpers/langchain-deepagents-code-patch-fixture.ts:615-625 contains inline addDarwinFcntlSealConstants call and string replacements

PRA-3 Resolve/justify — Non-NVIDIA provider names pass through unchanged — potential display spoofing

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:101
  • Category: security
  • Problem: managed_display_provider allows non-NVIDIA provider names matching regex [A-Za-z0-9][A-Za-z0-9._-]{0,63} to pass through unchanged. An upstream value like "nvidia.fake" would display as "nvidia.fake" not "nvidia", creating a potential phishing/display spoofing risk in TUI status bar and model identity. Mitigated by the fact that NEMOCLAW_UPSTREAM_PROVIDER comes from Dockerfile build args controlled by NemoClaw onboarding, not runtime user input.
  • Impact: If build-time trust assumption is violated (supply chain compromise, manual Dockerfile build), an attacker could spoof the NVIDIA provider family prefix in user-visible surfaces.
  • Recommended action: Consider restricting non-NVIDIA provider display to a known allowlist, or at minimum document the trust assumption that build-time ARGs are not user-controllable.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Run the provider-label test with upstream="nvidia.fake" and observe it displays as "nvidia.fake" in status bar and identity.
  • Missing regression test: Add test case for spoofing attempt: upstream="nvidia.fake" should not display with nvidia prefix unless explicitly allowlisted.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Run the provider-label test with upstream="nvidia.fake" and observe it displays as "nvidia.fake" in status bar and identity.
  • Evidence: managed_display_provider function at managed-dcode-runtime.py:101 returns upstream unchanged when not in _NVIDIA_DISPLAY_PROVIDER_ALIASES

PRA-4 Resolve/justify — Darwin fcntl seal fixture injection still inlined in patchFixture()

  • Location: test/helpers/langchain-deepagents-code-patch-fixture.ts:620
  • Category: tests
  • Problem: The addDarwinFcntlSealConstants call and two string replacements (base URL path, UID) remain inlined in patchFixture() rather than extracted to the shared helper. Previous review (PRA-T2) recommended extracting for further consolidation.
  • Impact: Test infrastructure duplication; inconsistent fixture setup across test files.
  • Recommended action: Move the addDarwinFcntlSealConstants call and the two string replacements into the shared helper fixture.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check patchFixture() in test/helpers/langchain-deepagents-code-patch-fixture.ts lines 615-625; the darwin-fcntl-seal injection and string replacements are inlined.
  • Missing regression test: No new test needed — this is test infrastructure consolidation.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check patchFixture() in test/helpers/langchain-deepagents-code-patch-fixture.ts lines 615-625; the darwin-fcntl-seal injection and string replacements are inlined.
  • Evidence: patchFixture function at lines 615-625 contains inline darwin-fcntl-seal injection and string replacements

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-5 Improvement — Shared test fixture consolidates ~570 lines of duplicated setup

  • Location: test/helpers/langchain-deepagents-code-patch-fixture.ts:1
  • Category: tests
  • Problem: New helper test/helpers/langchain-deepagents-code-patch-fixture.ts extracts common package fixture creation and patching logic used by direct-module-patch.test.ts and progressive-tool-disclosure.test.ts, reducing duplication and improving maintainability.
  • Impact: Reduces test maintenance burden; ensures consistent fixture state across test files; direct-module-patch.test.ts reduced from 695 to 130 lines.
  • Suggested action: No action needed — improvement already realized in this PR.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Compare test file line counts before/after: direct-module-patch.test.ts 695→130 lines, progressive-tool-disclosure.test.ts updated to use shared fixture.
  • Missing regression test: No new test needed — this is test infrastructure consolidation.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: test/helpers/langchain-deepagents-code-patch-fixture.ts exports createPackageFixture and patchFixture used by both test files

PRA-6 Improvement — New end-to-end runtime validation test for provider label propagation chain

  • Location: test/langchain-deepagents-code-provider-label.test.ts:1
  • Category: correctness
  • Problem: New provider-label.test.ts provides end-to-end runtime validation of the provider label propagation chain: onboarding → Dockerfile → config.toml → managed runtime → TUI status bar → welcome banner → model identity. This addresses previous review's PRA-T1 runtime validation follow-up.
  • Impact: Confirms the full behavioral chain works correctly; catches regressions in display substitution across all three surfaces.
  • Suggested action: No action needed — test coverage added for the full chain.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Run test/langchain-deepagents-code-provider-label.test.ts and verify it passes; it exercises managed_display_provider, StatusBar.set_model, WelcomeBanner.update_model, and build_model_identity_section.
  • Missing regression test: Test already added in this PR.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: provider-label.test.ts validates status bar, banner, and model identity all show "nvidia" when upstream is nvidia-prod
Simplification opportunities: 1 possible cut, net -570 lines possible

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-5 shrink (test/helpers/langchain-deepagents-code-patch-fixture.ts:1): Duplicated fixture builder code in direct-module-patch.test.ts and progressive-tool-disclosure.test.ts
    • Replacement: Shared createPackageFixture() and patchFixture() from test/helpers/langchain-deepagents-code-patch-fixture.ts
    • Net: -570 lines
    • Safety boundary: Test behavior unchanged — fixture produces identical package structure and patching result
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Add spoofing test case: upstream="nvidia.fake" should not display with nvidia prefix (covers PRA-3). Runtime/sandbox/infrastructure paths need behavioral runtime validation: agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/patch-managed-deepagents-code.py. Provider label test runs actual patched code via execFileSync against package fixture — satisfies runtime validation for this change. Recommend maintaining this pattern for future managed runtime changes.
  • PRA-T2 Runtime validation — Add cross-PR drift detection test for managed-dcode-runtime.py (covers PRA-1). Runtime/sandbox/infrastructure paths need behavioral runtime validation: agents/langchain-deepagents-code/managed-dcode-runtime.py, agents/langchain-deepagents-code/patch-managed-deepagents-code.py. Provider label test runs actual patched code via execFileSync against package fixture — satisfies runtime validation for this change. Recommend maintaining this pattern for future managed runtime changes.
  • PRA-T3 Darwin fcntl seal fixture injection still inlined in patchFixture() — Move the addDarwinFcntlSealConstants call and the two string replacements into the shared helper fixture.
  • PRA-T4 Shared test fixture consolidates ~570 lines of duplicated setup — No action needed — improvement already realized in this PR.
  • PRA-T5 Darwin fcntl seal fixture extraction — No new test needed — existing tests verify patcher works on both Linux and Darwin. patchFixture() at test/helpers/langchain-deepagents-code-patch-fixture.ts:615-625 contains inline addDarwinFcntlSealConstants call and string replacements
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Source-of-truth review needed: Darwin fcntl seal fixture extraction

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: No new test needed — existing tests verify patcher works on both Linux and Darwin
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: patchFixture() at test/helpers/langchain-deepagents-code-patch-fixture.ts:615-625 contains inline addDarwinFcntlSealConstants call and string replacements

PRA-2 Required — Concurrent modification of managed runtime by PR #6341 creates drift risk

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:1
  • Category: security
  • Problem: PR feat(performance): add progressive disclosure tests and compositional routing acceptance #6341 (feat(performance): add progressive disclosure tests and compositional routing acceptance) also modifies managed-dcode-runtime.py. Both PRs change the same file concurrently, creating risk of merge conflicts and semantic drift in the managed runtime boundary.
  • Impact: If merged out of order, one PR's changes to the managed runtime could be lost or produce invalid combined state, potentially weakening sandbox boundaries.
  • Required action: Ensure PR feat(performance): add progressive disclosure tests and compositional routing acceptance #6341 is merged first and this PR rebased onto it, or vice versa. Coordinate with maintainers to sequence merges.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Compare git diff main...HEAD for both PRs on agents/langchain-deepagents-code/managed-dcode-runtime.py; verify no overlapping hunks after rebase.
  • Missing regression test: No automated cross-PR drift test exists; relies on CI merge queue ordering and maintainer coordination.
  • Done when: The required change is committed and verification passes: Compare git diff main...HEAD for both PRs on agents/langchain-deepagents-code/managed-dcode-runtime.py; verify no overlapping hunks after rebase.
  • Evidence: pr_review_drift_context shows openPrOverlaps with sameFiles: ["agents/langchain-deepagents-code/managed-dcode-runtime.py"] for PR feat(performance): add progressive disclosure tests and compositional routing acceptance #6341

PRA-3 Resolve/justify — Non-NVIDIA provider names pass through unchanged — potential display spoofing

  • Location: agents/langchain-deepagents-code/managed-dcode-runtime.py:101
  • Category: security
  • Problem: managed_display_provider allows non-NVIDIA provider names matching regex [A-Za-z0-9][A-Za-z0-9._-]{0,63} to pass through unchanged. An upstream value like "nvidia.fake" would display as "nvidia.fake" not "nvidia", creating a potential phishing/display spoofing risk in TUI status bar and model identity. Mitigated by the fact that NEMOCLAW_UPSTREAM_PROVIDER comes from Dockerfile build args controlled by NemoClaw onboarding, not runtime user input.
  • Impact: If build-time trust assumption is violated (supply chain compromise, manual Dockerfile build), an attacker could spoof the NVIDIA provider family prefix in user-visible surfaces.
  • Recommended action: Consider restricting non-NVIDIA provider display to a known allowlist, or at minimum document the trust assumption that build-time ARGs are not user-controllable.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Run the provider-label test with upstream="nvidia.fake" and observe it displays as "nvidia.fake" in status bar and identity.
  • Missing regression test: Add test case for spoofing attempt: upstream="nvidia.fake" should not display with nvidia prefix unless explicitly allowlisted.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Run the provider-label test with upstream="nvidia.fake" and observe it displays as "nvidia.fake" in status bar and identity.
  • Evidence: managed_display_provider function at managed-dcode-runtime.py:101 returns upstream unchanged when not in _NVIDIA_DISPLAY_PROVIDER_ALIASES

PRA-4 Resolve/justify — Darwin fcntl seal fixture injection still inlined in patchFixture()

  • Location: test/helpers/langchain-deepagents-code-patch-fixture.ts:620
  • Category: tests
  • Problem: The addDarwinFcntlSealConstants call and two string replacements (base URL path, UID) remain inlined in patchFixture() rather than extracted to the shared helper. Previous review (PRA-T2) recommended extracting for further consolidation.
  • Impact: Test infrastructure duplication; inconsistent fixture setup across test files.
  • Recommended action: Move the addDarwinFcntlSealConstants call and the two string replacements into the shared helper fixture.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check patchFixture() in test/helpers/langchain-deepagents-code-patch-fixture.ts lines 615-625; the darwin-fcntl-seal injection and string replacements are inlined.
  • Missing regression test: No new test needed — this is test infrastructure consolidation.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check patchFixture() in test/helpers/langchain-deepagents-code-patch-fixture.ts lines 615-625; the darwin-fcntl-seal injection and string replacements are inlined.
  • Evidence: patchFixture function at lines 615-625 contains inline darwin-fcntl-seal injection and string replacements

PRA-5 Improvement — Shared test fixture consolidates ~570 lines of duplicated setup

  • Location: test/helpers/langchain-deepagents-code-patch-fixture.ts:1
  • Category: tests
  • Problem: New helper test/helpers/langchain-deepagents-code-patch-fixture.ts extracts common package fixture creation and patching logic used by direct-module-patch.test.ts and progressive-tool-disclosure.test.ts, reducing duplication and improving maintainability.
  • Impact: Reduces test maintenance burden; ensures consistent fixture state across test files; direct-module-patch.test.ts reduced from 695 to 130 lines.
  • Suggested action: No action needed — improvement already realized in this PR.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Compare test file line counts before/after: direct-module-patch.test.ts 695→130 lines, progressive-tool-disclosure.test.ts updated to use shared fixture.
  • Missing regression test: No new test needed — this is test infrastructure consolidation.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: test/helpers/langchain-deepagents-code-patch-fixture.ts exports createPackageFixture and patchFixture used by both test files

PRA-6 Improvement — New end-to-end runtime validation test for provider label propagation chain

  • Location: test/langchain-deepagents-code-provider-label.test.ts:1
  • Category: correctness
  • Problem: New provider-label.test.ts provides end-to-end runtime validation of the provider label propagation chain: onboarding → Dockerfile → config.toml → managed runtime → TUI status bar → welcome banner → model identity. This addresses previous review's PRA-T1 runtime validation follow-up.
  • Impact: Confirms the full behavioral chain works correctly; catches regressions in display substitution across all three surfaces.
  • Suggested action: No action needed — test coverage added for the full chain.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Run test/langchain-deepagents-code-provider-label.test.ts and verify it passes; it exercises managed_display_provider, StatusBar.set_model, WelcomeBanner.update_model, and build_model_identity_section.
  • Missing regression test: Test already added in this PR.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: provider-label.test.ts validates status bar, banner, and model identity all show "nvidia" when upstream is nvidia-prod

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E: inference-routing

Dispatch hint: targets=ubuntu-repo-cloud-langchain-deepagents-code

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • ubuntu-repo-cloud-langchain-deepagents-code (high): This typed live target onboards a real LangChain Deep Agents Code sandbox from the repo, builds/applies the managed package patch, verifies hosted NVIDIA inference, terminal-agent behavior, and the deepagents-code-policy suite, and runs the Deep Agents Code cloud-experimental checks including headless inference, TUI startup, secret boundary, Landlock/read-only, fresh re-onboard, and observability. It is the closest existing E2E coverage for the changed managed runtime/patcher and real assistant user surfaces.

Optional E2E

  • inference-routing (medium): Useful adjacent confidence for hosted inference routing and provider configuration, but the PR's highest-risk behavior is specific to Deep Agents Code's managed adapter/display boundary, which is covered more directly by ubuntu-repo-cloud-langchain-deepagents-code.

New E2E recommendations

  • Deep Agents Code provider label UX (medium): Existing live Deep Agents Code E2E starts the TUI and verifies inference/policy boundaries, but it does not appear to assert that the real TUI status bar, welcome banner, or model identity prompt display the upstream provider label while retaining the OpenAI-compatible route.
    • Suggested test: Extend the Deep Agents Code live target or 10-deepagents-code-tui-startup/headless checks to capture/assert the visible provider label and model identity for a hosted NVIDIA route.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: targets=ubuntu-repo-cloud-langchain-deepagents-code

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • ubuntu-repo-cloud-langchain-deepagents-code: The PR changes the managed LangChain Deep Agents Code runtime and package patching surfaces that are built into the Deep Agents Code onboarding image, including provider display relabeling in status, welcome, and model identity paths. The live-supported typed target that exercises this managed DCode onboarding/image path is ubuntu-repo-cloud-langchain-deepagents-code.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Optional E2E targets

  • None.

Relevant changed files

  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: No advisor follow-up required beyond maintainer review.
Open items: 0 required · 0 warnings · 0 suggestions · 0 test follow-ups
Since last review: 2 prior items resolved · 0 still apply · 0 new items found

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
test/helpers/langchain-deepagents-code-patch-fixture.ts (1)

20-22: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

No cleanup for generated fixture temp directories.

createPackageFixture() creates a new mkdtempSync directory on every call but nothing removes it afterward. This helper is now shared across the direct-module-patch, progressive-disclosure-adjacent, and provider-label tests, so every test run accumulates additional temp directories under the OS tmp dir with no teardown.

Consider returning a disposer (or exporting a cleanupFixture(tempDir) helper) that callers invoke in afterEach/finally.

♻️ Suggested cleanup helper
 export function createPackageFixture(version = "0.1.34"): string {
   const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-dcode-patch-"));
   ...
   return tempDir;
 }
+
+export function cleanupFixture(tempDir: string): void {
+  fs.rmSync(tempDir, { recursive: true, force: true });
+}

Also applies to: 604-605

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/helpers/langchain-deepagents-code-patch-fixture.ts` around lines 20 -
22, The createPackageFixture helper is leaking temporary directories because it
calls mkdtempSync but never removes the generated tempDir. Update
createPackageFixture (and any shared callers in the direct-module-patch,
progressive-disclosure-adjacent, and provider-label tests) to return or expose a
disposer such as cleanupFixture(tempDir), then invoke it in afterEach/finally so
the temp directory is always deleted after use.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agents/langchain-deepagents-code/managed-dcode-runtime.py`:
- Around line 872-878: The provider selection logic in managed-dcode-runtime.py
is too broad: the upstream display override in the adapter selection block is
applied to any provider string, which can relabel non-managed providers.
Restrict the substitution to the managed OpenAI-compatible adapter by checking
the adapter value in the same path that uses adapter_provider and
_UPSTREAM_PROVIDER_ENV, and only return upstream when the wire adapter matches
the specific managed adapter this fix targets; otherwise keep returning the
original adapter.

In `@agents/langchain-deepagents-code/patch-managed-deepagents-code.py`:
- Around line 1116-1117: The fast path in patch-managed-deepagents-code.py only
checks AGENT_PATCH, so partial or corrupt edits in status.py or welcome.py can
still be treated as fully patched. Update the early-return logic around the
marker_states check to verify the new UI patches explicitly, using the status
and welcome marker_states entries in addition to AGENT_PATCH before returning.
Keep the fix localized to the patch detection flow so the existing provider
label fix is only considered active when all required markers are present.

---

Nitpick comments:
In `@test/helpers/langchain-deepagents-code-patch-fixture.ts`:
- Around line 20-22: The createPackageFixture helper is leaking temporary
directories because it calls mkdtempSync but never removes the generated
tempDir. Update createPackageFixture (and any shared callers in the
direct-module-patch, progressive-disclosure-adjacent, and provider-label tests)
to return or expose a disposer such as cleanupFixture(tempDir), then invoke it
in afterEach/finally so the temp directory is always deleted after use.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 94e66c93-df1a-4551-9e4e-2912c73dbe35

📥 Commits

Reviewing files that changed from the base of the PR and between be3e7cc and 6e76905.

📒 Files selected for processing (6)
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py
  • test/helpers/langchain-deepagents-code-patch-fixture.ts
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-progressive-tool-disclosure.test.ts
  • test/langchain-deepagents-code-provider-label.test.ts

Comment thread agents/langchain-deepagents-code/managed-dcode-runtime.py
Comment thread agents/langchain-deepagents-code/patch-managed-deepagents-code.py
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28944667744
Workflow ref: fix/6453-dcode-provider-label
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@ericksoa

ericksoa commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Maintainer sequencing override for Nemotron Ultra PRA-2 on exact head bfb025e80f6d672c59fa17360c0a9aaabe205633:

PR #6462 is intentionally sequenced before draft PR #6341. A current-main merge-tree audit shows that their changes to agents/langchain-deepagents-code/managed-dcode-runtime.py are in disjoint hunks and that file auto-merges. The only current merge-tree conflict for #6341 is in test/langchain-deepagents-code-proxy-launcher.test.ts, which #6462 does not modify; it is inherited from the stale #6341 base. #6341 must refresh/rebase after #6462 lands.

The remaining Ultra findings were reviewed as follows:

  • PRA-1 / PRA-4 are not applicable to the current tree: the Darwin constants, base-URL adaptation, and UID adaptation live in the shared fixture helper; callers no longer carry duplicate fixture setup.
  • PRA-3 is intentional product behavior: NVIDIA route aliases canonicalize to nvidia, while other syntactically valid upstream provider tokens are preserved. The metadata is validated, root-owned build metadata used only for presentation; routing, credentials, the openai adapter, and https://inference.local/v1 remain unchanged.
  • Runtime coverage is present in the real-patcher chain test for nvidia-prod + Super 120B across config, footer, welcome banner, and model identity. The advisor-required live DCode target also passed on this exact head: run 28944667744.

This explicitly overrides the #6341 sequencing recommendation with rationale; it does not make #6462 depend on #6341.

@ericksoa
ericksoa merged commit abc1a1d into main Jul 8, 2026
122 checks passed
@ericksoa
ericksoa deleted the fix/6453-dcode-provider-label branch July 8, 2026 13:09
@github-actions github-actions Bot added the v0.0.77 Release target label Jul 8, 2026
@miyoungc miyoungc mentioned this pull request Jul 8, 2026
21 tasks
miyoungc added a commit that referenced this pull request Jul 8, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the v0.0.77 release-note section from the shipped release
announcement and release commit range.
This is post-release docs recovery, so the PR is labeled for the next
patch release train.

## Changes
- Added `v0.0.77` to `docs/about/release-notes.mdx` with links to the
deeper Deep Agents, architecture, inference, security, and agent-docs
pages.
- Source summary:
- #6469 -> `docs/about/release-notes.mdx`: Documents Deep Agents Code
base-image publication and stale-version validation.
- #6471 -> `docs/about/release-notes.mdx`: Documents the managed runtime
disabling LangGraph CLI analytics.
- #6462 -> `docs/about/release-notes.mdx`: Documents the TUI, launch
banner, and model-identity provider display behavior.
- #6460 -> `docs/about/release-notes.mdx`: Documents bounded,
best-effort OTLP trace credential scrubbing and the remaining
collector-side redaction requirement.
- #6423 -> `docs/about/release-notes.mdx`: Documents the checked-in
loopback-only local credential form used by starter prompts.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: release-note prose only, no
runtime behavior or code samples changed.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: tests
not applicable for release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Verification note: `npm run docs` passed. `fern check --warnings`
reports the existing light-mode accent color contrast warning: `2.41:1`,
expected at least `3:1`.

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added a new release-notes entry for **v0.0.77** at the top of the
changelog.
* Highlighted improved package validation, tighter handling of telemetry
and trace data, and safer starter prompt behavior with stronger
redaction and local-only submission.


<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…UI (NVIDIA#6462)

## Summary

Managed Deep Code routes all inference through the OpenAI-compatible
adapter, so the TUI status bar and the model-identity system prompt
reported the wire provider `openai` even when onboarding selected a
different upstream (e.g. NVIDIA Cloud / Nemotron). This shows the
onboard-selected upstream provider at those surfaces instead, while the
adapter key stays `openai` for routing.

## Related Issue

Fixes NVIDIA#6453

## Changes

- Add a `managed_display_provider()` helper to the managed runtime that
maps the OpenAI-compatible adapter to the onboard-selected upstream
(read from the existing `NEMOCLAW_UPSTREAM_PROVIDER` runtime env),
falling back to the adapter name when no valid upstream is present.
- Route the provider through that helper at the three display surfaces
via the managed package patch: `StatusBar.set_model` (status bar),
`WelcomeBanner.update_model` (launch banner), and
`build_model_identity_section` (agent self-report system prompt). Add
`status.py` and `welcome.py` to the patched-file set with AST symbol
guards.
- Add a behaviour test that runs the real patcher against a package
fixture and asserts the substitution end to end (status bar, banner,
self-report), plus the fallback cases (unset, equal-to-adapter, invalid
token).
- Extract the shared package-fixture builder into
`test/helpers/langchain-deepagents-code-patch-fixture.ts` so the new
focused test reuses it, keeping every test file within the size budget.

The displayed token mirrors the onboard upstream provider name (default
`nvidia`) — the provider family, not the marketing string; carrying the
full display label would require threading it through the onboard →
Dockerfile → config chain and is out of scope here.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: corrects an internal TUI
status-bar / self-report label; no documented behaviour or user-facing
doc page describes the provider label.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: maintainer review
requested; the change is display-only and does not alter the managed
inference route, adapter key, credential handling, or the patch's
fail-closed guards.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result: `vitest run` on
`langchain-deepagents-code-provider-label`, `-direct-module-patch`,
`-progressive-tool-disclosure`, `-image`, `-managed-entrypoints` — 169
tests passed.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Expanded managed upstream provider labeling to additional interface
surfaces (including Status and Welcome).
* Added environment-driven mapping so the displayed provider label can
reflect the upstream provider when valid.

* **Bug Fixes**
* Improved validation and fallback behavior to reliably show the managed
provider label when upstream input is missing or invalid.

* **Tests**
* Added end-to-end coverage for provider label mapping and UI display
behavior, including edge cases.
* Refreshed test fixtures/harness to verify patching and corruption
detection across more UI components.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Co-authored-by: Aaron Erickson <aerickson@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the v0.0.77 release-note section from the shipped release
announcement and release commit range.
This is post-release docs recovery, so the PR is labeled for the next
patch release train.

## Changes
- Added `v0.0.77` to `docs/about/release-notes.mdx` with links to the
deeper Deep Agents, architecture, inference, security, and agent-docs
pages.
- Source summary:
- NVIDIA#6469 -> `docs/about/release-notes.mdx`: Documents Deep Agents Code
base-image publication and stale-version validation.
- NVIDIA#6471 -> `docs/about/release-notes.mdx`: Documents the managed runtime
disabling LangGraph CLI analytics.
- NVIDIA#6462 -> `docs/about/release-notes.mdx`: Documents the TUI, launch
banner, and model-identity provider display behavior.
- NVIDIA#6460 -> `docs/about/release-notes.mdx`: Documents bounded,
best-effort OTLP trace credential scrubbing and the remaining
collector-side redaction requirement.
- NVIDIA#6423 -> `docs/about/release-notes.mdx`: Documents the checked-in
loopback-only local credential form used by starter prompts.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: release-note prose only, no
runtime behavior or code samples changed.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: tests
not applicable for release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Verification note: `npm run docs` passed. `fern check --warnings`
reports the existing light-mode accent color contrast warning: `2.41:1`,
expected at least `3:1`.

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added a new release-notes entry for **v0.0.77** at the top of the
changelog.
* Highlighted improved package validation, tighter handling of telemetry
and trace data, and safer starter prompt behavior with stronger
redaction and local-only submission.


<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior NV QA Bugs found by the NVIDIA QA Team v0.0.77 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Brev][Launchable] Deep Code TUI reports provider "openai" after onboarding with NVIDIA Cloud (Nemotron 3 Super 120B)

3 participants