fix(connect): isolate DCode route probe output#6497
Conversation
(cherry picked from commit 1504f4c) Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
📝 WalkthroughWalkthroughThe sandbox inference route probe now runs the deepagents-code probe directly with stricter parsing, and tests cover the updated command shape, spoof-resistant execution, multi-line output rejection, and connectSandbox failure handling. ChangesLogin-shell preamble trust fix
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant connectSandbox
participant ProbeScript
participant Parser
connectSandbox->>ProbeScript: sh -c DCODE_INFERENCE_ROUTE_PROBE_SCRIPT
ProbeScript->>ProbeScript: validate proxy files and export proxy env
ProbeScript->>ProbeScript: load CA bundle and run HTTP probe
ProbeScript-->>Parser: OK/BROKEN 3-digit status line
Parser->>Parser: require exact full-line match
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 76%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings Action checklist
Test follow-ups to resolve or justifyIf these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.
This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision. |
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
Review findings by urgency: 0 required fixes, 2 items to resolve/justify, 3 in-scope improvements
|
E2E Advisor RecommendationRequired E2E: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
|
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
src/lib/actions/sandbox/connect-inference-route-probe.test.ts (1)
82-111: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winTemp dir leaks on assertion failure.
fs.rmSync(home, ...)at Line 110 only runs if every priorexpectin the test body passes. If any assertion throws first, themkdtempSyncdirectory (Line 87) is never removed, leaking temp dirs on CI failures over time.♻️ Use try/finally (or afterEach) for guaranteed cleanup
])("isolates DCode login-shell startup output from a %s spoof (`#6192`)", (spoof) => { const home = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-dcode-probe-")); - const caBundle = path.join(home, "openshell-ca.pem"); - const profileMarker = path.join(home, "profile-ran"); - fs.writeFileSync(caBundle, "test CA boundary", "utf8"); - fs.writeFileSync( - path.join(home, ".bash_profile"), - `printf '%s\\n' ${JSON.stringify(spoof)}; printf ran > ${JSON.stringify(profileMarker)}`, - ); - const args = buildSandboxInferenceRouteProbeArgs("deep-code", { - name: "langchain-deepagents-code", - }); - const wrapper = String(args.at(-3)).replace("HOME=/sandbox", `HOME=${JSON.stringify(home)}`); - const trustedProbe = "exec 1>&3 3>&-; printf 'BROKEN 000'"; - - const result = spawnSync("sh", ["-c", wrapper, String(args.at(-2)), trustedProbe], { - encoding: "utf8", - env: { ...process.env, CURL_CA_BUNDLE: caBundle, SSL_CERT_FILE: "" }, - }); - - expect(result.status).toBe(0); - expect(result.stdout).toBe("BROKEN 000"); - expect(result.stdout).not.toContain(spoof); - expect(fs.readFileSync(profileMarker, "utf8")).toBe("ran"); - fs.rmSync(home, { force: true, recursive: true }); + try { + const caBundle = path.join(home, "openshell-ca.pem"); + const profileMarker = path.join(home, "profile-ran"); + fs.writeFileSync(caBundle, "test CA boundary", "utf8"); + fs.writeFileSync( + path.join(home, ".bash_profile"), + `printf '%s\\n' ${JSON.stringify(spoof)}; printf ran > ${JSON.stringify(profileMarker)}`, + ); + const args = buildSandboxInferenceRouteProbeArgs("deep-code", { + name: "langchain-deepagents-code", + }); + const wrapper = String(args.at(-3)).replace("HOME=/sandbox", `HOME=${JSON.stringify(home)}`); + const trustedProbe = "exec 1>&3 3>&-; printf 'BROKEN 000'"; + + const result = spawnSync("sh", ["-c", wrapper, String(args.at(-2)), trustedProbe], { + encoding: "utf8", + env: { ...process.env, CURL_CA_BUNDLE: caBundle, SSL_CERT_FILE: "" }, + }); + + expect(result.status).toBe(0); + expect(result.stdout).toBe("BROKEN 000"); + expect(result.stdout).not.toContain(spoof); + expect(fs.readFileSync(profileMarker, "utf8")).toBe("ran"); + } finally { + fs.rmSync(home, { force: true, recursive: true }); + } });🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/actions/sandbox/connect-inference-route-probe.test.ts` around lines 82 - 111, The temp directory created in the `it.each` test is only cleaned up after all expectations pass, so failures can leak `mkdtempSync` artifacts. Update the `isolates DCode login-shell startup output...` test to guarantee cleanup by wrapping the body that uses `home`, `caBundle`, `profileMarker`, and `spawnSync` in a `try/finally`, or by moving `fs.rmSync(home, ...)` into an `afterEach` tied to this test setup.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/actions/sandbox/connect-inference-route-probe.ts`:
- Around line 39-42: FD 3 is still a spoofable trust channel in
connect-inference-route-probe because startup files can rebind stdout and emit a
fake OK/BROKEN line before the probe reads it. Update the probe flow in
connect-inference-route-probe to stop relying on a fixed shared descriptor for
trusted evidence, or otherwise ensure the parser only accepts output from a
descriptor that startup files cannot tamper with. Add a regression test around
the probe/parser behavior that mutates FD 3 during shell startup and verifies
spoofed route evidence is rejected.
---
Nitpick comments:
In `@src/lib/actions/sandbox/connect-inference-route-probe.test.ts`:
- Around line 82-111: The temp directory created in the `it.each` test is only
cleaned up after all expectations pass, so failures can leak `mkdtempSync`
artifacts. Update the `isolates DCode login-shell startup output...` test to
guarantee cleanup by wrapping the body that uses `home`, `caBundle`,
`profileMarker`, and `spawnSync` in a `try/finally`, or by moving
`fs.rmSync(home, ...)` into an `afterEach` tied to this test setup.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 4bc2d298-29d9-463a-9039-95310159b2f3
📒 Files selected for processing (3)
src/lib/actions/sandbox/connect-flow.test.tssrc/lib/actions/sandbox/connect-inference-route-probe.test.tssrc/lib/actions/sandbox/connect-inference-route-probe.ts
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts (1)
34-64: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winWeaken-proof gap:
not.toHaveBeenCalledWithdoesn't guarantee SSH wasn't opened.Line 55-59 asserts
spawnSyncSpywas not called with the exact["openshell", "sandbox", "connect", "alpha"]args. If the fix regresses andopenshellis invoked with slightly different args (extra flags, different sandbox-name casing, etc.) while still opening an SSH session, this assertion still passes and silently hides the exact regression this adversarial test is meant to catch. Prefer asserting the spy was not called at all if it's not exercised for any other legitimate purpose in this flow, which gives a stronger guarantee that the untrusted-probe path never reaches thespawnSyncboundary.🧪 Suggested stronger assertion (if `spawnSyncSpy` has no other legitimate use on this path)
- expect(harness.spawnSyncSpy).not.toHaveBeenCalledWith( - "openshell", - ["sandbox", "connect", "alpha"], - expect.any(Object), - ); + expect(harness.spawnSyncSpy).not.toHaveBeenCalled();As per path instructions, tests should "Flag ... conditionals that make a test pass without exercising its claim," and this assertion's narrow argument match is weaker than the claim ("without repair or SSH") implies.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts` around lines 34 - 64, The test in connect-flow-dcode-probe-preamble.test.ts is only checking that spawnSyncSpy was not called with one exact openshell argument list, which still allows SSH to be opened with different flags or args. Update the assertion around spawnSyncSpy in the rejects login-shell preamble evidence case to verify the SSH path is not exercised at all, using the existing createConnectHarness/connectSandbox flow and keeping the other spies unchanged, so the adversarial test truly covers the no-repair/no-SSH claim.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts`:
- Around line 34-64: The test in connect-flow-dcode-probe-preamble.test.ts is
only checking that spawnSyncSpy was not called with one exact openshell argument
list, which still allows SSH to be opened with different flags or args. Update
the assertion around spawnSyncSpy in the rejects login-shell preamble evidence
case to verify the SSH path is not exercised at all, using the existing
createConnectHarness/connectSandbox flow and keeping the other spies unchanged,
so the adversarial test truly covers the no-repair/no-SSH claim.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 963b1c3d-b28a-41ec-b283-1091665e8671
📒 Files selected for processing (2)
src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.tssrc/lib/actions/sandbox/connect-inference-route-probe.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- src/lib/actions/sandbox/connect-inference-route-probe.test.ts
E2E Target Results —
|
| Job | Result |
|---|---|
| agent-turn-latency | |
| bedrock-runtime-compatible-anthropic | |
| brave-search | |
| channels-add-remove | |
| channels-stop-start | |
| cloud-inference | |
| cloud-onboard | |
| common-egress-agent | |
| concurrent-gateway-ports | |
| credential-migration | |
| credential-sanitization | |
| cron-preflight-inference-local | |
| device-auth-health | |
| diagnostics | |
| docs-validation | |
| double-onboard | |
| full-e2e | |
| gateway-drift-preflight | |
| gateway-guard-recovery | |
| gateway-health-honest | |
| generate-matrix | |
| gpu-double-onboard | |
| gpu-e2e | |
| hermes-dashboard | |
| hermes-discord | |
| hermes-e2e | |
| hermes-gpu-startup | |
| hermes-inference-switch | |
| hermes-shields-config | |
| hermes-slack | |
| inference-routing | |
| issue-2478-crash-loop-recovery | |
| issue-4434-tui-unreachable-inference | |
| issue-4462-scope-upgrade-approval | |
| jetson-nvmap-gpu | |
| kimi-inference-compat | |
| launchable-smoke | |
| live | |
| mcp-bridge | |
| mcp-bridge-dev | |
| messaging-compatible-endpoint | |
| messaging-providers | |
| model-router-provider-routed-inference | |
| network-policy | |
| ollama-auth-proxy | |
| onboard-negative-paths | |
| onboard-repair | |
| onboard-resume | |
| openclaw-discord-pairing | |
| openclaw-inference-switch | |
| openclaw-plugin-runtime-exdev | |
| openclaw-skill-cli | |
| openclaw-slack-pairing | |
| openclaw-tui-chat-correlation | |
| openshell-gateway-auth-contract | |
| openshell-gateway-upgrade | |
| openshell-version-pin | |
| overlayfs-autofix | |
| rebuild-hermes | |
| rebuild-hermes-stale-base | |
| rebuild-openclaw | |
| sandbox-operations | |
| sandbox-rebuild | |
| sandbox-rlimits-connect | |
| sandbox-survival | |
| security-posture | |
| sessions-agents-cli | |
| shields-config | |
| skill-agent | |
| snapshot-commands | |
| spark-install | |
| state-backup-restore | |
| telegram-injection | |
| token-rotation | |
| tunnel-lifecycle | |
| upgrade-stale-sandbox |
Explicit-only jobs skipped:
openshell-gateway-auth-contract(default dispatch excludes the resource-heavy OpenShell auth-contract probe unless selected; validate withjobs=openshell-gateway-auth-contractortargets=openshell-gateway-auth-contract),mcp-bridge-dev(default dispatch excludes moving OpenShell dev artifacts unless explicitly selected; validate withjobs=mcp-bridge-devortargets=mcp-bridge-dev),hermes-gpu-startup(default dispatch excludes this explicit-only job unless selected; validate withjobs=hermes-gpu-startuportargets=hermes-gpu-startup),sandbox-rlimits-connect(default dispatch excludes the destructive rlimit fork/connect probe unless selected; validate withjobs=sandbox-rlimits-connectortargets=sandbox-rlimits-connect),jetson-nvmap-gpu(default dispatch excludes Jetson until a stable Jetson runner is available; validate withjobs=jetson-nvmap-gpuortargets=jetson-nvmap-gpu).
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
E2E Target Results — ✅ All selected jobs passedRun: 28978130260
|
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
E2E Target Results — ❌ Some jobs failedRun: 28978561865
|
E2E Target Results — ✅ All requested jobs passedRun: 28978646448
|
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/lib/actions/sandbox/connect-inference-route-probe.test.ts (1)
89-146: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winUse a launcher stand-in that still exercises the shell-startup path.
#!/bin/bash -pskipsBASH_ENV/ENV, so this case can’t fail if the DCode probe itself regresses; it only proves the wrapper suppresses the hostile startup file. Replace it with a plainexec "$@"stand-in, or run the real launcher behavior, so the injected.bash_profilepath remains testable.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/actions/sandbox/connect-inference-route-probe.test.ts` around lines 89 - 146, The sandbox probe test is using a launcher stand-in that bypasses shell startup, so it can’t detect regressions in the DCode probe path. Update the test in connect-inference-route-probe.test.ts around buildSandboxInferenceRouteProbeArgs and spawnSync to use a plain exec "$@" wrapper, or otherwise preserve real shell startup behavior, so the injected .bash_profile/BASH_ENV/ENV path remains exercised and the hostile startup checks are meaningful.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@src/lib/actions/sandbox/connect-inference-route-probe.test.ts`:
- Around line 89-146: The sandbox probe test is using a launcher stand-in that
bypasses shell startup, so it can’t detect regressions in the DCode probe path.
Update the test in connect-inference-route-probe.test.ts around
buildSandboxInferenceRouteProbeArgs and spawnSync to use a plain exec "$@"
wrapper, or otherwise preserve real shell startup behavior, so the injected
.bash_profile/BASH_ENV/ENV path remains exercised and the hostile startup checks
are meaningful.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: a1633775-e2ba-49b5-81a2-ccd21665f7e2
📒 Files selected for processing (4)
src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.tssrc/lib/actions/sandbox/connect-flow.test.tssrc/lib/actions/sandbox/connect-inference-route-probe.test.tssrc/lib/actions/sandbox/connect-inference-route-probe.ts
🚧 Files skipped from review as they are similar to previous changes (2)
- src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts
- src/lib/actions/sandbox/connect-flow.test.ts
E2E Target Results — ❌ Some jobs failedRun: 28978644987
|
<!-- markdownlint-disable MD041 --> ## Summary <!-- 1-3 sentences: what this PR does and why. --> Make DCode inference-route health probes preserve managed observability by running them through a side-effect-free, image-owned managed-exec boundary. The new private launcher retains the trusted proxy and shell hardening from #6497, while updated clients fail closed against older images where the helper is absent. ## Related Issue <!-- Fixes #NNN or Closes #NNN. Remove this section if none. --> Fixes #6504 Follow-up to #6497, #6412, and #6192. ## Changes <!-- Bullet list of key changes. --> - Install a root-owned, non-symlink `dcode-managed-exec` copy of the reviewed DCode launcher and verify its ownership, mode, contents, and real-path execution during image build. - Route shared DCode status, doctor, rebuild-preflight, and connect health probes through that side-effect-free boundary instead of the stateful sandbox entrypoint. - Preserve enabled and disabled observability marker state while retaining managed proxy normalization, startup-file isolation, `curl -q`, strict output parsing, and old-image fail-closed behavior. - Add focused launcher, image-contract, shared health, and connect-flow regression coverage. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: this restores configured DCode observability across internal read-only route probes without changing CLI syntax, output, configuration, or documented behavior. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: nine-category security review passed on the exact eight-file diff with no findings; exact-head typed DCode and inference-routing live validation remain required before merge. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: `npx vitest run --project cli` over the four route/connect/health files passed 61 tests; `npx vitest run --project integration` over the managed-exec/proxy/image files passed 33 tests. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: not applicable; this narrow boundary fix passed CLI build/typecheck, Bash syntax, test-size, source-shape, title, project-membership, and scoped prek gates. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new doc pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a managed execution entrypoint for Deep Agents Code so route checks and runtime probing use a dedicated, image-baked launcher path. * **Bug Fixes** * Improved the launcher’s behavior to avoid altering sandbox state during route diagnostics and to fail safely when mis-invoked. * Updated sandbox probe and health-check commands to use the managed entrypoint consistently. * **Tests** * Added dedicated coverage for the managed entrypoint’s side effects and failure handling. * Extended image and sandbox contract tests to validate the managed binary installation and command structure. * Improved Deep Agents Code Tavily opt-in checks to reliably restore observability state. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Prepares the user documentation for NemoClaw v0.0.78 by replacing the unreleased section with release highlights and synchronizing the affected inference, lifecycle, messaging, and CLI reference pages with merged behavior. ## Changes - Publish the v0.0.78 release-notes section with links to the most specific user guides for each shipped behavior. - Document authoritative Deep Agents route health, Nemotron Ultra profile behavior, and Hermes compatible-endpoint context metadata. - Document forced rebuild recovery after total backup failure and the ownership-safe tunnel/full-stop behavior. - Keep command examples and shared agent variants aligned with the current OpenClaw, Hermes, and Deep Agents interfaces. Source mapping: - [#3787](#3787) -> `docs/about/release-notes.mdx`: Record reliable workspace template seeding during sandbox startup. - [#4960](#4960) -> `docs/about/release-notes.mdx`: Record safer detection of rewritten OpenClaw gateway processes. - [#5676](#5676) -> `docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON handling. - [#5857](#5857) -> `docs/about/release-notes.mdx`: Record synchronization of explicit OpenClaw main-agent model state. - [#5929](#5929) -> `docs/about/release-notes.mdx`: Record copyable SSH port-forward guidance for remote dashboards. - [#6068](#6068) -> `docs/about/release-notes.mdx`: Record custom-image plugin provenance reconciliation. - [#6116](#6116) -> `docs/about/release-notes.mdx`: Record live-loopback dashboard-forward recovery. - [#6122](#6122) -> `docs/about/release-notes.mdx`: Announce validated, round-trippable policy YAML output. - [#6211](#6211) -> `docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild --force` recovery boundary. - [#6283](#6283) -> `docs/about/release-notes.mdx`: Record Hermes WebUI port alignment. - [#6293](#6293) -> `docs/inference/switch-inference-providers.mdx`, `docs/about/release-notes.mdx`: Document compatible-endpoint context-length probing for Hermes. - [#6320](#6320) -> `docs/about/release-notes.mdx`: Record bounded gateway-recovery waits. - [#6377](#6377) -> `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain rebuild diagnostics and prepared MCP-destroy recovery. - [#6412](#6412) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document authoritative agent-visible inference route health. - [#6421](#6421) -> `docs/about/release-notes.mdx`: Record the longer quiet-pull window for managed vLLM images. - [#6431](#6431) -> `docs/inference/model-capability-audit.mdx`, `docs/about/release-notes.mdx`: Document the version-pinned Nemotron Ultra profile plugin. - [#6439](#6439) -> `docs/about/release-notes.mdx`: Summarize the authenticated, pinned credential-capture helper boundary. - [#6450](#6450) -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document host-forward cleanup and ownership-safe gateway-port release. - [#6474](#6474) -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/about/release-notes.mdx`: Record composable OpenClaw messaging runtime loaders. - [#6475](#6475) -> `docs/about/release-notes.mdx`: Record removal of the unavailable Kimi K2.6 production endpoint option. - [#6480](#6480) -> `docs/about/release-notes.mdx`: Record stderr routing for the plugin registration banner. - [#6481](#6481) -> `docs/about/release-notes.mdx`: Record post-pull Ollama model discovery checks. - [#6482](#6482) -> `docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon restart. - [#6486](#6486) -> `docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep Agents auto-approval boundary. - [#6490](#6490) -> `docs/about/release-notes.mdx`: Record diagnostics for custom images missing the managed runtime. - [#6494](#6494) -> `docs/inference/model-capability-audit.mdx`, `docs/about/release-notes.mdx`: Document nonempty tool-call content preservation and placeholder rejection. - [#6497](#6497) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document isolated Deep Agents route-probe output. - [#6506](#6506) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document observability-preserving managed route probes. - [#6508](#6508) -> `docs/about/release-notes.mdx`: Link the new extension taxonomy and SDK-readiness reference from the release summary. Release-source verification: GitHub reports all 29 cited source PRs as merged with base `main`, and every merge commit is an ancestor of `origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No source-mapping mismatches were found. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Documentation-only release-prep changes; `npm run docs` validates variants, routes, and Fern content. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: Tests are not applicable to this documentation-only change set. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — exited 0 with zero errors; Fern reported the existing unauthenticated redirect-check and light-mode contrast warnings. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> --------- Signed-off-by: cjagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Prevent DCode login-shell startup output from impersonating authoritative `inference.local` route-probe evidence. This post-merge follow-up to NVIDIA#6412 keeps `connect` fail closed by suppressing profile stdout until the real probe restores its capture descriptor and by rejecting multiline or preamble-contaminated results. ## Related Issue Follow-up to NVIDIA#6192 and merged PR NVIDIA#6412. ## Changes - Preserve the probe capture stream on file descriptor 3 while discarding DCode login-shell startup stdout. - Restore stdout only inside the trusted inner probe before it emits `OK` or `BROKEN` evidence. - Require a single complete probe-result line after known OpenShell framing normalization. - Add adversarial regressions proving profile output and multiline evidence cannot report false health, authorize repair, or open SSH. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: This tightens the existing documented fail-closed trust boundary without changing commands, output states, recovery guidance, or supported workflows. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: A post-merge security review of NVIDIA#6412 identified the startup-output spoof boundary; the fix was reviewed as fail-closed and is covered by profile-spoof, multiline-output, no-repair, and no-SSH regressions. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — 54 focused connect/probe tests and 18 status JSON/text integration tests passed. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved sandbox connectivity/inference-route probing so login-shell preamble output can’t be misread as the health check result. * Tightened probe output validation to accept only a single, clean `OK/BROKEN` status line (no extra text), reducing incorrect “healthy/broken” determinations. * **Tests** * Added coverage for spoofing attempts via crafted shell and curl configuration in an isolated temp home, including validation that marker side effects do not occur. * Extended parsing and preamble-boundary tests to ensure untrusted composite outputs are classified as unavailable. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary <!-- 1-3 sentences: what this PR does and why. --> Make DCode inference-route health probes preserve managed observability by running them through a side-effect-free, image-owned managed-exec boundary. The new private launcher retains the trusted proxy and shell hardening from NVIDIA#6497, while updated clients fail closed against older images where the helper is absent. ## Related Issue <!-- Fixes #NNN or Closes #NNN. Remove this section if none. --> Fixes NVIDIA#6504 Follow-up to NVIDIA#6497, NVIDIA#6412, and NVIDIA#6192. ## Changes <!-- Bullet list of key changes. --> - Install a root-owned, non-symlink `dcode-managed-exec` copy of the reviewed DCode launcher and verify its ownership, mode, contents, and real-path execution during image build. - Route shared DCode status, doctor, rebuild-preflight, and connect health probes through that side-effect-free boundary instead of the stateful sandbox entrypoint. - Preserve enabled and disabled observability marker state while retaining managed proxy normalization, startup-file isolation, `curl -q`, strict output parsing, and old-image fail-closed behavior. - Add focused launcher, image-contract, shared health, and connect-flow regression coverage. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: this restores configured DCode observability across internal read-only route probes without changing CLI syntax, output, configuration, or documented behavior. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: nine-category security review passed on the exact eight-file diff with no findings; exact-head typed DCode and inference-routing live validation remain required before merge. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: `npx vitest run --project cli` over the four route/connect/health files passed 61 tests; `npx vitest run --project integration` over the managed-exec/proxy/image files passed 33 tests. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: not applicable; this narrow boundary fix passed CLI build/typecheck, Bash syntax, test-size, source-shape, title, project-membership, and scoped prek gates. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new doc pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a managed execution entrypoint for Deep Agents Code so route checks and runtime probing use a dedicated, image-baked launcher path. * **Bug Fixes** * Improved the launcher’s behavior to avoid altering sandbox state during route diagnostics and to fail safely when mis-invoked. * Updated sandbox probe and health-check commands to use the managed entrypoint consistently. * **Tests** * Added dedicated coverage for the managed entrypoint’s side effects and failure handling. * Extended image and sandbox contract tests to validate the managed binary installation and command structure. * Improved Deep Agents Code Tavily opt-in checks to reliably restore observability state. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Signed-off-by: cjagwani <cjagwani@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Prepares the user documentation for NemoClaw v0.0.78 by replacing the unreleased section with release highlights and synchronizing the affected inference, lifecycle, messaging, and CLI reference pages with merged behavior. ## Changes - Publish the v0.0.78 release-notes section with links to the most specific user guides for each shipped behavior. - Document authoritative Deep Agents route health, Nemotron Ultra profile behavior, and Hermes compatible-endpoint context metadata. - Document forced rebuild recovery after total backup failure and the ownership-safe tunnel/full-stop behavior. - Keep command examples and shared agent variants aligned with the current OpenClaw, Hermes, and Deep Agents interfaces. Source mapping: - [NVIDIA#3787](NVIDIA#3787) -> `docs/about/release-notes.mdx`: Record reliable workspace template seeding during sandbox startup. - [NVIDIA#4960](NVIDIA#4960) -> `docs/about/release-notes.mdx`: Record safer detection of rewritten OpenClaw gateway processes. - [NVIDIA#5676](NVIDIA#5676) -> `docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON handling. - [NVIDIA#5857](NVIDIA#5857) -> `docs/about/release-notes.mdx`: Record synchronization of explicit OpenClaw main-agent model state. - [NVIDIA#5929](NVIDIA#5929) -> `docs/about/release-notes.mdx`: Record copyable SSH port-forward guidance for remote dashboards. - [NVIDIA#6068](NVIDIA#6068) -> `docs/about/release-notes.mdx`: Record custom-image plugin provenance reconciliation. - [NVIDIA#6116](NVIDIA#6116) -> `docs/about/release-notes.mdx`: Record live-loopback dashboard-forward recovery. - [NVIDIA#6122](NVIDIA#6122) -> `docs/about/release-notes.mdx`: Announce validated, round-trippable policy YAML output. - [NVIDIA#6211](NVIDIA#6211) -> `docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild --force` recovery boundary. - [NVIDIA#6283](NVIDIA#6283) -> `docs/about/release-notes.mdx`: Record Hermes WebUI port alignment. - [NVIDIA#6293](NVIDIA#6293) -> `docs/inference/switch-inference-providers.mdx`, `docs/about/release-notes.mdx`: Document compatible-endpoint context-length probing for Hermes. - [NVIDIA#6320](NVIDIA#6320) -> `docs/about/release-notes.mdx`: Record bounded gateway-recovery waits. - [NVIDIA#6377](NVIDIA#6377) -> `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain rebuild diagnostics and prepared MCP-destroy recovery. - [NVIDIA#6412](NVIDIA#6412) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document authoritative agent-visible inference route health. - [NVIDIA#6421](NVIDIA#6421) -> `docs/about/release-notes.mdx`: Record the longer quiet-pull window for managed vLLM images. - [NVIDIA#6431](NVIDIA#6431) -> `docs/inference/model-capability-audit.mdx`, `docs/about/release-notes.mdx`: Document the version-pinned Nemotron Ultra profile plugin. - [NVIDIA#6439](NVIDIA#6439) -> `docs/about/release-notes.mdx`: Summarize the authenticated, pinned credential-capture helper boundary. - [NVIDIA#6450](NVIDIA#6450) -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document host-forward cleanup and ownership-safe gateway-port release. - [NVIDIA#6474](NVIDIA#6474) -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/about/release-notes.mdx`: Record composable OpenClaw messaging runtime loaders. - [NVIDIA#6475](NVIDIA#6475) -> `docs/about/release-notes.mdx`: Record removal of the unavailable Kimi K2.6 production endpoint option. - [NVIDIA#6480](NVIDIA#6480) -> `docs/about/release-notes.mdx`: Record stderr routing for the plugin registration banner. - [NVIDIA#6481](NVIDIA#6481) -> `docs/about/release-notes.mdx`: Record post-pull Ollama model discovery checks. - [NVIDIA#6482](NVIDIA#6482) -> `docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon restart. - [NVIDIA#6486](NVIDIA#6486) -> `docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep Agents auto-approval boundary. - [NVIDIA#6490](NVIDIA#6490) -> `docs/about/release-notes.mdx`: Record diagnostics for custom images missing the managed runtime. - [NVIDIA#6494](NVIDIA#6494) -> `docs/inference/model-capability-audit.mdx`, `docs/about/release-notes.mdx`: Document nonempty tool-call content preservation and placeholder rejection. - [NVIDIA#6497](NVIDIA#6497) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document isolated Deep Agents route-probe output. - [NVIDIA#6506](NVIDIA#6506) -> `docs/get-started/quickstart-langchain-deepagents-code.mdx`, `docs/about/release-notes.mdx`: Document observability-preserving managed route probes. - [NVIDIA#6508](NVIDIA#6508) -> `docs/about/release-notes.mdx`: Link the new extension taxonomy and SDK-readiness reference from the release summary. Release-source verification: GitHub reports all 29 cited source PRs as merged with base `main`, and every merge commit is an ancestor of `origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No source-mapping mismatches were found. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Documentation-only release-prep changes; `npm run docs` validates variants, routes, and Fern content. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: Tests are not applicable to this documentation-only change set. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — exited 0 with zero errors; Fern reported the existing unauthenticated redirect-check and light-mode contrast warnings. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> --------- Signed-off-by: cjagwani <cjagwani@nvidia.com>
Summary
Prevent DCode sandbox-user startup files and curl configuration from impersonating authoritative
inference.localroute-probe evidence. This post-merge follow-up to #6412 keepsconnectfail closed by using the image-baked managed runtime launcher instead of a login shell or inherited output descriptor, while rejecting multiline or preamble-contaminated results.Related Issue
Follow-up to #6192 and merged PR #6412.
Changes
/usr/local/bin/nemoclaw-start /bin/sh -c, which reconstructs the managed proxy from root-owned image state without loading sandbox-user startup files or exposing an inherited fd-3 evidence channel.-qto the fixed curl probe so sandbox-user curl configuration cannot alter the request or output contract.Type of Change
Quality Gates
Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — command/result:npm run docsbuilds without warnings (doc changes only)Signed-off-by: Apurv Kumaria akumaria@nvidia.com