Skip to content

fix(connect): isolate DCode route probe output#6497

Merged
apurvvkumaria merged 5 commits into
mainfrom
codex/6412-dcode-probe-output-hardening
Jul 8, 2026
Merged

fix(connect): isolate DCode route probe output#6497
apurvvkumaria merged 5 commits into
mainfrom
codex/6412-dcode-probe-output-hardening

Conversation

@apurvvkumaria

@apurvvkumaria apurvvkumaria commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

Prevent DCode sandbox-user startup files and curl configuration from impersonating authoritative inference.local route-probe evidence. This post-merge follow-up to #6412 keeps connect fail closed by using the image-baked managed runtime launcher instead of a login shell or inherited output descriptor, while rejecting multiline or preamble-contaminated results.

Related Issue

Follow-up to #6192 and merged PR #6412.

Changes

  • Run the DCode probe through /usr/local/bin/nemoclaw-start /bin/sh -c, which reconstructs the managed proxy from root-owned image state without loading sandbox-user startup files or exposing an inherited fd-3 evidence channel.
  • Pass -q to the fixed curl probe so sandbox-user curl configuration cannot alter the request or output contract.
  • Require one probe-result line after known OpenShell framing normalization; reject multiline and preamble output while retaining supported same-line diagnostic suffixes.
  • Add adversarial regressions proving hostile profile, curl-config, and multiline output cannot report false health, authorize repair, or open SSH.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: This tightens the existing documented fail-closed trust boundary without changing commands, output states, recovery guidance, or supported workflows.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: The post-merge security review of fix(status): make inference route health authoritative #6412 identified the startup-output spoof boundary. The replacement removes the login-shell/fd-3 trust channel, reuses the image-baked managed launcher, ignores user curl configuration, and is covered by profile-spoof, curl-config, multiline-output, no-repair, and no-SSH regressions.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — 56 focused connect/probe tests and 80 launcher, image, and status integration tests passed.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result:
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Apurv Kumaria akumaria@nvidia.com

(cherry picked from commit 1504f4c)

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@apurvvkumaria apurvvkumaria added security area: cli Command line interface, flags, terminal UX, or output area: inference Inference routing, serving, model selection, or outputs area: routing Request routing, policy routing, model selection, or fallback logic area: security Security controls, permissions, secrets, or hardening bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior v0.0.78 Release target labels Jul 8, 2026
@apurvvkumaria apurvvkumaria self-assigned this Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The sandbox inference route probe now runs the deepagents-code probe directly with stricter parsing, and tests cover the updated command shape, spoof-resistant execution, multi-line output rejection, and connectSandbox failure handling.

Changes

Login-shell preamble trust fix

Layer / File(s) Summary
Probe script and parser changes
src/lib/actions/sandbox/connect-inference-route-probe.ts
Replaces the wrapper-based DCODE probe path with a direct shell script that validates proxy files, exports proxy environment variables, injects CA setup, and runs the shared probe, while tightening probe parsing to accept only exact OK/BROKEN status lines.
Probe spoofing and contract tests
src/lib/actions/sandbox/connect-inference-route-probe.test.ts, src/lib/actions/sandbox/connect-flow.test.ts, src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts
Extends argv assertions, updates the OpenShell curl expectation, adds a temp-HOME integration test for spoofed profile and curlrc side effects, adds a parser test for multi-line preamble output, and adds a connectSandbox failure test for untrusted probe evidence.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant connectSandbox
  participant ProbeScript
  participant Parser
  connectSandbox->>ProbeScript: sh -c DCODE_INFERENCE_ROUTE_PROBE_SCRIPT
  ProbeScript->>ProbeScript: validate proxy files and export proxy env
  ProbeScript->>ProbeScript: load CA bundle and run HTTP probe
  ProbeScript-->>Parser: OK/BROKEN 3-digit status line
  Parser->>Parser: require exact full-line match
Loading

Suggested reviewers: jyaunches, ericksoa

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: hardening and isolating DCode route probe output against spoofing.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/6412-dcode-probe-output-hardening

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 76%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 0e0807d 4c43035 +/-
src/lib/actions...onnect-probe.ts 77% 46% -31%
src/lib/sandbox...rsion-scheme.ts 100% 73% -27%
src/lib/agent/b...availability.ts 74% 63% -11%
src/lib/actions...-monkeypatch.ts 81% 72% -9%
src/lib/inference/config.ts 100% 96% -4%
src/lib/runner.ts 83% 80% -3%
src/lib/adapters/http/probe.ts 91% 89% -2%
src/lib/actions...dbox/connect.ts 76% 75% -1%
src/lib/state/config-io.ts 88% 93% +5%
src/lib/messagi...ate-resolver.ts 71% 88% +17%

Updated July 08, 2026 22:04 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 0 suggestions · 2 test follow-ups

Action checklist

  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Validate in a real DCode sandbox that `openshell sandbox exec -- /usr/local/bin/nemoclaw-start /bin/sh -c <route-probe-script>` ignores hostile `.bash_profile`, `BASH_ENV`, `ENV`, `.curlrc`, and ambient proxy variables while returning only the real single-line `OK` or `BROKEN` probe result.. The changed source has strong focused unit and harness coverage, but the behavior crosses an actual OpenShell sandbox exec, the DCode image entrypoint, managed proxy reconstruction, curl, and CA injection, so a runtime validation pass would improve confidence in the integrated boundary.
  • PRA-T2 Runtime validation — Validate in a real connect flow that multiline or preamble-contaminated DCode route-probe output is treated as unavailable and does not trigger DNS/proxy repair or open the interactive shell.. The changed source has strong focused unit and harness coverage, but the behavior crosses an actual OpenShell sandbox exec, the DCode image entrypoint, managed proxy reconstruction, curl, and CA injection, so a runtime validation pass would improve confidence in the integrated boundary.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Source-of-truth review needed: Managed launcher workaround for missing OpenShell proxy env inheritance.
Open items: 0 required · 2 warnings · 3 suggestions · 5 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 3 new items found

Action checklist

  • PRA-1 Resolve or justify: Source-of-truth review needed: Managed launcher workaround for missing OpenShell proxy env inheritance
  • PRA-2 Resolve or justify: Hardcoded launcher path lacks runtime verification in src/lib/actions/sandbox/connect-inference-route-probe.ts:48
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Hostile-profile test uses local launcher stub, not real image launcher
  • PRA-T4 Add or justify test follow-up: Single-use test config NEMOCLAW_TEST_NO_SLEEP could be a constant
  • PRA-T5 Add or justify test follow-up: Managed launcher workaround for missing OpenShell proxy env inheritance
  • PRA-3 In-scope improvement: Hostile-profile test uses local launcher stub, not real image launcher in src/lib/actions/sandbox/connect-inference-route-probe.test.ts:85
  • PRA-4 In-scope improvement: Managed launcher workaround not linked to upstream OpenShell tracking in src/lib/actions/sandbox/connect-inference-route-probe.ts:32
  • PRA-5 In-scope improvement: Single-use test config NEMOCLAW_TEST_NO_SLEEP could be a constant in src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts:17

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-2 Resolve/justify security src/lib/actions/sandbox/connect-inference-route-probe.ts:48 Add a build-time assertion in the Dockerfile/CI that validates nemoclaw-start is installed with correct ownership, permissions, and content (unsets BASH_ENV/ENV, execs args). Alternatively, add a runtime check in the probe that fails fast with a clear diagnostic if the launcher is missing or malformed.
PRA-3 Improvement tests src/lib/actions/sandbox/connect-inference-route-probe.test.ts:85 Add an e2e or image-validation test that runs the probe against a real built sandbox image using the actual /usr/local/bin/nemoclaw-start. This can be a separate test suite (test/e2e or image-validation) to avoid slowing unit tests.
PRA-4 Improvement architecture src/lib/actions/sandbox/connect-inference-route-probe.ts:32 Add a TODO comment with a link to the OpenShell issue/PR tracking proxy env inheritance in sandbox exec. If no issue exists, file one and reference it here.
PRA-5 Improvement tests src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts:17 Replace with a module-level constant or remove if the code under test no longer needs it (check connect-flow.ts for NEMOCLAW_TEST_NO_SLEEP usage).
Review findings by urgency: 0 required fixes, 2 items to resolve/justify, 3 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: Managed launcher workaround for missing OpenShell proxy env inheritance

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Hostile-profile test at connect-inference-route-probe.test.ts:85-147 proves spoofing blocked via local launcher stub
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Lines 32-41 in connect-inference-route-probe.ts document the workaround and removal condition

PRA-2 Resolve/justify — Hardcoded launcher path lacks runtime verification

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.ts:48
  • Category: security
  • Problem: The constant DCODE_MANAGED_RUNTIME_LAUNCHER = '/usr/local/bin/nemoclaw-start' assumes the sandbox image bakes this launcher correctly (root-owned, mode 0444, unsets BASH_ENV/ENV before exec). No runtime check verifies the launcher exists or behaves as the trust boundary requires.
  • Impact: If the image build omits or misconfigures the launcher, the DCode probe falls back to an unverified path or fails mysteriously, weakening the spoofing defense.
  • Recommended action: Add a build-time assertion in the Dockerfile/CI that validates nemoclaw-start is installed with correct ownership, permissions, and content (unsets BASH_ENV/ENV, execs args). Alternatively, add a runtime check in the probe that fails fast with a clear diagnostic if the launcher is missing or malformed.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check Dockerfile/image build for nemoclaw-start installation; verify launcher script content with `cat /usr/local/bin/nemoclaw-start` in a built image.
  • Missing regression test: Integration test that spawns the actual /usr/local/bin/nemoclaw-start from a built sandbox image and confirms it rejects BASH_ENV/ENV, does not source .bash_profile/.curlrc, and reconstructs the managed proxy from root-owned files.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check Dockerfile/image build for nemoclaw-start installation; verify launcher script content with `cat /usr/local/bin/nemoclaw-start` in a built image.
  • Evidence: Line 48 declares const DCODE_MANAGED_RUNTIME_LAUNCHER = '/usr/local/bin/nemoclaw-start'; lines 32-41 document the source-fix constraint but no verification exists.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-3 Improvement — Hostile-profile test uses local launcher stub, not real image launcher

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.test.ts:85
  • Category: tests
  • Problem: The adversarial test at lines 85-147 creates a temporary nemoclaw-start stub that mimics expected behavior, but does not exercise the actual /usr/local/bin/nemoclaw-start from the sandbox image.
  • Impact: The test passes even if the real image-baked launcher has different behavior (e.g., doesn't unset BASH_ENV, sources profiles). The security boundary is only verified against a mock.
  • Suggested action: Add an e2e or image-validation test that runs the probe against a real built sandbox image using the actual /usr/local/bin/nemoclaw-start. This can be a separate test suite (test/e2e or image-validation) to avoid slowing unit tests.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Run the existing hostile-profile test and confirm it uses a local stub; verify no test in the repo exercises the real image-baked launcher.
  • Missing regression test: E2E test using a real sandbox image that validates the launcher's trust boundary properties (root-owned, mode 0444, unsets BASH_ENV/ENV, no profile sourcing, reconstructs proxy).
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Test at line 108 writes a local launcher stub: `fs.writeFileSync(launcher, '#!/bin/bash -p\nset -eu\nunset BASH_ENV ENV\nexec "$@"\n', { mode: 0o755 })`.

PRA-4 Improvement — Managed launcher workaround not linked to upstream OpenShell tracking

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.ts:32
  • Category: architecture
  • Problem: The comment at lines 32-41 documents that nemoclaw-start is a workaround because raw OpenShell exec doesn't inherit the trusted proxy environment. No link to the upstream OpenShell issue/PR that would make this removable.
  • Impact: The workaround may persist indefinitely without visibility into when the root cause can be fixed upstream. No removal condition tracking.
  • Suggested action: Add a TODO comment with a link to the OpenShell issue/PR tracking proxy env inheritance in sandbox exec. If no issue exists, file one and reference it here.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search for OpenShell issue/PR about proxy env inheritance in sandbox exec; confirm none is linked in the comment.
  • Missing regression test: N/A — architectural tracking item. No automated test can verify upstream issue tracking.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 32-41: 'Invalid state: a DCode login shell runs sandbox-user startup files... Source-fix constraint: raw OpenShell exec does not inherit the entrypoint's trusted proxy contract... Removal condition: use a raw probe only when OpenShell provides the same trusted proxy environment to every sandbox exec process without shell startup.'

PRA-5 Improvement — Single-use test config NEMOCLAW_TEST_NO_SLEEP could be a constant

  • Location: src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts:17
  • Category: tests
  • Problem: The test sets process.env.NEMOCLAW_TEST_NO_SLEEP = '1' in beforeEach and deletes it in afterEach, but this appears to be a test-only constant not used by users or CI.
  • Impact: Minor test complexity; the env var manipulation adds noise without configurable value.
  • Suggested action: Replace with a module-level constant or remove if the code under test no longer needs it (check connect-flow.ts for NEMOCLAW_TEST_NO_SLEEP usage).
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: grep -r NEMOCLAW_TEST_NO_SLEEP in src/ to see if production code reads it; if not, it's test-only.
  • Missing regression test: N/A — test hygiene improvement.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 17 and 30 set/delete the env var; no other references in the test file.
Simplification opportunities: 2 possible cuts, net -10 lines possible

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-4 shrink (src/lib/actions/sandbox/connect-inference-route-probe.ts:32): Extended comment documenting workaround rationale (lines 32-41)
    • Replacement: Single-line comment with link to upstream issue: // Workaround for OpenShell proxy env inheritance; see upstream issue #XXXX. Remove when OpenShell provides trusted proxy to raw exec.
    • Net: -8 lines
    • Safety boundary: Must retain the launcher constant and its use in buildSandboxInferenceRouteProbeArgs; the trust boundary logic must not be simplified away.
  • PRA-5 delete (src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts:17): Lines 17 and 30: process.env.NEMOCLAW_TEST_NO_SLEEP = '1' and delete process.env.NEMOCLAW_TEST_NO_SLEEP
    • Replacement: Remove both lines; if the production code needs a no-sleep mode, use a test-only constant or mock the sleep function directly.
    • Net: -2 lines
    • Safety boundary: Verify production code doesn't depend on this env var before removing.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Integration test with real sandbox image validating /usr/local/bin/nemoclaw-start trust boundary (root-owned, mode 0444, unsets BASH_ENV/ENV, no profile sourcing, reconstructs proxy from root-owned files). Unit and integration tests for probe parsing and connect-flow logic are excellent. However, the trust boundary depends on the actual /usr/local/bin/nemoclaw-start from the built sandbox image having correct behavior (root-owned, mode 0444, unsets BASH_ENV/ENV, no profile sourcing). The hostile-profile test uses a local stub that mimics expected behavior but does not prove the real image-baked launcher behaves identically.
  • PRA-T2 Runtime validation — Build-time assertion in Dockerfile/CI that nemoclaw-start is installed with correct permissions and content. Unit and integration tests for probe parsing and connect-flow logic are excellent. However, the trust boundary depends on the actual /usr/local/bin/nemoclaw-start from the built sandbox image having correct behavior (root-owned, mode 0444, unsets BASH_ENV/ENV, no profile sourcing). The hostile-profile test uses a local stub that mimics expected behavior but does not prove the real image-baked launcher behaves identically.
  • PRA-T3 Hostile-profile test uses local launcher stub, not real image launcher — Add an e2e or image-validation test that runs the probe against a real built sandbox image using the actual /usr/local/bin/nemoclaw-start. This can be a separate test suite (test/e2e or image-validation) to avoid slowing unit tests.
  • PRA-T4 Single-use test config NEMOCLAW_TEST_NO_SLEEP could be a constant — Replace with a module-level constant or remove if the code under test no longer needs it (check connect-flow.ts for NEMOCLAW_TEST_NO_SLEEP usage).
  • PRA-T5 Managed launcher workaround for missing OpenShell proxy env inheritance — Hostile-profile test at connect-inference-route-probe.test.ts:85-147 proves spoofing blocked via local launcher stub. Lines 32-41 in connect-inference-route-probe.ts document the workaround and removal condition
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Source-of-truth review needed: Managed launcher workaround for missing OpenShell proxy env inheritance

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Hostile-profile test at connect-inference-route-probe.test.ts:85-147 proves spoofing blocked via local launcher stub
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Lines 32-41 in connect-inference-route-probe.ts document the workaround and removal condition

PRA-2 Resolve/justify — Hardcoded launcher path lacks runtime verification

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.ts:48
  • Category: security
  • Problem: The constant DCODE_MANAGED_RUNTIME_LAUNCHER = '/usr/local/bin/nemoclaw-start' assumes the sandbox image bakes this launcher correctly (root-owned, mode 0444, unsets BASH_ENV/ENV before exec). No runtime check verifies the launcher exists or behaves as the trust boundary requires.
  • Impact: If the image build omits or misconfigures the launcher, the DCode probe falls back to an unverified path or fails mysteriously, weakening the spoofing defense.
  • Recommended action: Add a build-time assertion in the Dockerfile/CI that validates nemoclaw-start is installed with correct ownership, permissions, and content (unsets BASH_ENV/ENV, execs args). Alternatively, add a runtime check in the probe that fails fast with a clear diagnostic if the launcher is missing or malformed.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check Dockerfile/image build for nemoclaw-start installation; verify launcher script content with `cat /usr/local/bin/nemoclaw-start` in a built image.
  • Missing regression test: Integration test that spawns the actual /usr/local/bin/nemoclaw-start from a built sandbox image and confirms it rejects BASH_ENV/ENV, does not source .bash_profile/.curlrc, and reconstructs the managed proxy from root-owned files.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check Dockerfile/image build for nemoclaw-start installation; verify launcher script content with `cat /usr/local/bin/nemoclaw-start` in a built image.
  • Evidence: Line 48 declares const DCODE_MANAGED_RUNTIME_LAUNCHER = '/usr/local/bin/nemoclaw-start'; lines 32-41 document the source-fix constraint but no verification exists.

PRA-3 Improvement — Hostile-profile test uses local launcher stub, not real image launcher

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.test.ts:85
  • Category: tests
  • Problem: The adversarial test at lines 85-147 creates a temporary nemoclaw-start stub that mimics expected behavior, but does not exercise the actual /usr/local/bin/nemoclaw-start from the sandbox image.
  • Impact: The test passes even if the real image-baked launcher has different behavior (e.g., doesn't unset BASH_ENV, sources profiles). The security boundary is only verified against a mock.
  • Suggested action: Add an e2e or image-validation test that runs the probe against a real built sandbox image using the actual /usr/local/bin/nemoclaw-start. This can be a separate test suite (test/e2e or image-validation) to avoid slowing unit tests.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Run the existing hostile-profile test and confirm it uses a local stub; verify no test in the repo exercises the real image-baked launcher.
  • Missing regression test: E2E test using a real sandbox image that validates the launcher's trust boundary properties (root-owned, mode 0444, unsets BASH_ENV/ENV, no profile sourcing, reconstructs proxy).
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Test at line 108 writes a local launcher stub: `fs.writeFileSync(launcher, '#!/bin/bash -p\nset -eu\nunset BASH_ENV ENV\nexec "$@"\n', { mode: 0o755 })`.

PRA-4 Improvement — Managed launcher workaround not linked to upstream OpenShell tracking

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.ts:32
  • Category: architecture
  • Problem: The comment at lines 32-41 documents that nemoclaw-start is a workaround because raw OpenShell exec doesn't inherit the trusted proxy environment. No link to the upstream OpenShell issue/PR that would make this removable.
  • Impact: The workaround may persist indefinitely without visibility into when the root cause can be fixed upstream. No removal condition tracking.
  • Suggested action: Add a TODO comment with a link to the OpenShell issue/PR tracking proxy env inheritance in sandbox exec. If no issue exists, file one and reference it here.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search for OpenShell issue/PR about proxy env inheritance in sandbox exec; confirm none is linked in the comment.
  • Missing regression test: N/A — architectural tracking item. No automated test can verify upstream issue tracking.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 32-41: 'Invalid state: a DCode login shell runs sandbox-user startup files... Source-fix constraint: raw OpenShell exec does not inherit the entrypoint's trusted proxy contract... Removal condition: use a raw probe only when OpenShell provides the same trusted proxy environment to every sandbox exec process without shell startup.'

PRA-5 Improvement — Single-use test config NEMOCLAW_TEST_NO_SLEEP could be a constant

  • Location: src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts:17
  • Category: tests
  • Problem: The test sets process.env.NEMOCLAW_TEST_NO_SLEEP = '1' in beforeEach and deletes it in afterEach, but this appears to be a test-only constant not used by users or CI.
  • Impact: Minor test complexity; the env var manipulation adds noise without configurable value.
  • Suggested action: Replace with a module-level constant or remove if the code under test no longer needs it (check connect-flow.ts for NEMOCLAW_TEST_NO_SLEEP usage).
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: grep -r NEMOCLAW_TEST_NO_SLEEP in src/ to see if production code reads it; if not, it's test-only.
  • Missing regression test: N/A — test hygiene improvement.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Lines 17 and 30 set/delete the env var; no other references in the test file.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E: inference-routing, issue-4434-tui-unreachable-inference

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • ubuntu-repo-cloud-langchain-deepagents-code (high): Required because the source change is specific to the LangChain Deep Agents Code/DCode connect route probe boundary. This registry target onboards the DCode agent, runs the deepagents headless inference checks, and includes a real nemoclaw connect --probe-only assertion against the managed inference route.

Optional E2E

  • inference-routing (medium): Useful adjacent coverage for the broader inference.local routing surface and hosted/custom provider route semantics affected by route probe behavior, but it does not exercise the DCode managed launcher path directly.
  • issue-4434-tui-unreachable-inference (high): Optional fail-closed confidence for connect probing around unreachable inference and TUI diagnostics. It exercises connect --probe-only with real sandbox networking, but is heavier and not DCode-specific.

New E2E recommendations

  • DCode connect probe spoof hardening (medium): Existing live DCode coverage verifies the happy-path managed route, but there does not appear to be a live E2E that mutates a real DCode sandbox with hostile shell startup/curl config output and proves nemoclaw connect --probe-only rejects preamble spoofing without repair.
    • Suggested test: Add a focused live DCode connect-probe spoof test that onboards langchain-deepagents-code, writes hostile sandbox-user startup/curl config evidence, runs nemoclaw <sandbox> connect --probe-only, and asserts only trusted single-line probe output can authorize connect or repair.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • ubuntu-repo-cloud-langchain-deepagents-code: The PR changes the DCode-specific sandbox connect inference-route probe boundary and parser. This live-supported typed target onboards LangChain Deep Agents Code and runs the Deep Agents Code headless inference check, including nemoclaw connect --probe-only, which exercises the changed managed runtime route-probe path.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Optional E2E targets

  • None.

Relevant changed files

  • src/lib/actions/sandbox/connect-inference-route-probe.ts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/lib/actions/sandbox/connect-inference-route-probe.test.ts (1)

82-111: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Temp dir leaks on assertion failure.

fs.rmSync(home, ...) at Line 110 only runs if every prior expect in the test body passes. If any assertion throws first, the mkdtempSync directory (Line 87) is never removed, leaking temp dirs on CI failures over time.

♻️ Use try/finally (or afterEach) for guaranteed cleanup
   ])("isolates DCode login-shell startup output from a %s spoof (`#6192`)", (spoof) => {
     const home = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-dcode-probe-"));
-    const caBundle = path.join(home, "openshell-ca.pem");
-    const profileMarker = path.join(home, "profile-ran");
-    fs.writeFileSync(caBundle, "test CA boundary", "utf8");
-    fs.writeFileSync(
-      path.join(home, ".bash_profile"),
-      `printf '%s\\n' ${JSON.stringify(spoof)}; printf ran > ${JSON.stringify(profileMarker)}`,
-    );
-    const args = buildSandboxInferenceRouteProbeArgs("deep-code", {
-      name: "langchain-deepagents-code",
-    });
-    const wrapper = String(args.at(-3)).replace("HOME=/sandbox", `HOME=${JSON.stringify(home)}`);
-    const trustedProbe = "exec 1>&3 3>&-; printf 'BROKEN 000'";
-
-    const result = spawnSync("sh", ["-c", wrapper, String(args.at(-2)), trustedProbe], {
-      encoding: "utf8",
-      env: { ...process.env, CURL_CA_BUNDLE: caBundle, SSL_CERT_FILE: "" },
-    });
-
-    expect(result.status).toBe(0);
-    expect(result.stdout).toBe("BROKEN 000");
-    expect(result.stdout).not.toContain(spoof);
-    expect(fs.readFileSync(profileMarker, "utf8")).toBe("ran");
-    fs.rmSync(home, { force: true, recursive: true });
+    try {
+      const caBundle = path.join(home, "openshell-ca.pem");
+      const profileMarker = path.join(home, "profile-ran");
+      fs.writeFileSync(caBundle, "test CA boundary", "utf8");
+      fs.writeFileSync(
+        path.join(home, ".bash_profile"),
+        `printf '%s\\n' ${JSON.stringify(spoof)}; printf ran > ${JSON.stringify(profileMarker)}`,
+      );
+      const args = buildSandboxInferenceRouteProbeArgs("deep-code", {
+        name: "langchain-deepagents-code",
+      });
+      const wrapper = String(args.at(-3)).replace("HOME=/sandbox", `HOME=${JSON.stringify(home)}`);
+      const trustedProbe = "exec 1>&3 3>&-; printf 'BROKEN 000'";
+
+      const result = spawnSync("sh", ["-c", wrapper, String(args.at(-2)), trustedProbe], {
+        encoding: "utf8",
+        env: { ...process.env, CURL_CA_BUNDLE: caBundle, SSL_CERT_FILE: "" },
+      });
+
+      expect(result.status).toBe(0);
+      expect(result.stdout).toBe("BROKEN 000");
+      expect(result.stdout).not.toContain(spoof);
+      expect(fs.readFileSync(profileMarker, "utf8")).toBe("ran");
+    } finally {
+      fs.rmSync(home, { force: true, recursive: true });
+    }
   });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/connect-inference-route-probe.test.ts` around lines
82 - 111, The temp directory created in the `it.each` test is only cleaned up
after all expectations pass, so failures can leak `mkdtempSync` artifacts.
Update the `isolates DCode login-shell startup output...` test to guarantee
cleanup by wrapping the body that uses `home`, `caBundle`, `profileMarker`, and
`spawnSync` in a `try/finally`, or by moving `fs.rmSync(home, ...)` into an
`afterEach` tied to this test setup.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/actions/sandbox/connect-inference-route-probe.ts`:
- Around line 39-42: FD 3 is still a spoofable trust channel in
connect-inference-route-probe because startup files can rebind stdout and emit a
fake OK/BROKEN line before the probe reads it. Update the probe flow in
connect-inference-route-probe to stop relying on a fixed shared descriptor for
trusted evidence, or otherwise ensure the parser only accepts output from a
descriptor that startup files cannot tamper with. Add a regression test around
the probe/parser behavior that mutates FD 3 during shell startup and verifies
spoofed route evidence is rejected.

---

Nitpick comments:
In `@src/lib/actions/sandbox/connect-inference-route-probe.test.ts`:
- Around line 82-111: The temp directory created in the `it.each` test is only
cleaned up after all expectations pass, so failures can leak `mkdtempSync`
artifacts. Update the `isolates DCode login-shell startup output...` test to
guarantee cleanup by wrapping the body that uses `home`, `caBundle`,
`profileMarker`, and `spawnSync` in a `try/finally`, or by moving
`fs.rmSync(home, ...)` into an `afterEach` tied to this test setup.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4bc2d298-29d9-463a-9039-95310159b2f3

📥 Commits

Reviewing files that changed from the base of the PR and between 7dc1f2f and 3fff912.

📒 Files selected for processing (3)
  • src/lib/actions/sandbox/connect-flow.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.ts

Comment thread src/lib/actions/sandbox/connect-inference-route-probe.ts Outdated
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@apurvvkumaria
apurvvkumaria requested a review from cv July 8, 2026 21:40

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts (1)

34-64: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Weaken-proof gap: not.toHaveBeenCalledWith doesn't guarantee SSH wasn't opened.

Line 55-59 asserts spawnSyncSpy was not called with the exact ["openshell", "sandbox", "connect", "alpha"] args. If the fix regresses and openshell is invoked with slightly different args (extra flags, different sandbox-name casing, etc.) while still opening an SSH session, this assertion still passes and silently hides the exact regression this adversarial test is meant to catch. Prefer asserting the spy was not called at all if it's not exercised for any other legitimate purpose in this flow, which gives a stronger guarantee that the untrusted-probe path never reaches the spawnSync boundary.

🧪 Suggested stronger assertion (if `spawnSyncSpy` has no other legitimate use on this path)
-    expect(harness.spawnSyncSpy).not.toHaveBeenCalledWith(
-      "openshell",
-      ["sandbox", "connect", "alpha"],
-      expect.any(Object),
-    );
+    expect(harness.spawnSyncSpy).not.toHaveBeenCalled();

As per path instructions, tests should "Flag ... conditionals that make a test pass without exercising its claim," and this assertion's narrow argument match is weaker than the claim ("without repair or SSH") implies.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts` around
lines 34 - 64, The test in connect-flow-dcode-probe-preamble.test.ts is only
checking that spawnSyncSpy was not called with one exact openshell argument
list, which still allows SSH to be opened with different flags or args. Update
the assertion around spawnSyncSpy in the rejects login-shell preamble evidence
case to verify the SSH path is not exercised at all, using the existing
createConnectHarness/connectSandbox flow and keeping the other spies unchanged,
so the adversarial test truly covers the no-repair/no-SSH claim.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts`:
- Around line 34-64: The test in connect-flow-dcode-probe-preamble.test.ts is
only checking that spawnSyncSpy was not called with one exact openshell argument
list, which still allows SSH to be opened with different flags or args. Update
the assertion around spawnSyncSpy in the rejects login-shell preamble evidence
case to verify the SSH path is not exercised at all, using the existing
createConnectHarness/connectSandbox flow and keeping the other spies unchanged,
so the adversarial test truly covers the no-repair/no-SSH claim.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 963b1c3d-b28a-41ec-b283-1091665e8671

📥 Commits

Reviewing files that changed from the base of the PR and between 3fff912 and 9b996d9.

📒 Files selected for processing (2)
  • src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/actions/sandbox/connect-inference-route-probe.test.ts

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28977799522
Workflow ref: codex/6412-dcode-probe-output-hardening
Requested targets: (default — all supported)
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 0 failed, 76 cancelled, 0 skipped

Job Result
agent-turn-latency ⚠️ cancelled
bedrock-runtime-compatible-anthropic ⚠️ cancelled
brave-search ⚠️ cancelled
channels-add-remove ⚠️ cancelled
channels-stop-start ⚠️ cancelled
cloud-inference ⚠️ cancelled
cloud-onboard ⚠️ cancelled
common-egress-agent ⚠️ cancelled
concurrent-gateway-ports ⚠️ cancelled
credential-migration ⚠️ cancelled
credential-sanitization ⚠️ cancelled
cron-preflight-inference-local ⚠️ cancelled
device-auth-health ⚠️ cancelled
diagnostics ⚠️ cancelled
docs-validation ⚠️ cancelled
double-onboard ⚠️ cancelled
full-e2e ⚠️ cancelled
gateway-drift-preflight ⚠️ cancelled
gateway-guard-recovery ⚠️ cancelled
gateway-health-honest ⚠️ cancelled
generate-matrix ⚠️ cancelled
gpu-double-onboard ⚠️ cancelled
gpu-e2e ⚠️ cancelled
hermes-dashboard ⚠️ cancelled
hermes-discord ⚠️ cancelled
hermes-e2e ⚠️ cancelled
hermes-gpu-startup ⚠️ cancelled
hermes-inference-switch ⚠️ cancelled
hermes-shields-config ⚠️ cancelled
hermes-slack ⚠️ cancelled
inference-routing ⚠️ cancelled
issue-2478-crash-loop-recovery ⚠️ cancelled
issue-4434-tui-unreachable-inference ⚠️ cancelled
issue-4462-scope-upgrade-approval ⚠️ cancelled
jetson-nvmap-gpu ⚠️ cancelled
kimi-inference-compat ⚠️ cancelled
launchable-smoke ⚠️ cancelled
live ⚠️ cancelled
mcp-bridge ⚠️ cancelled
mcp-bridge-dev ⚠️ cancelled
messaging-compatible-endpoint ⚠️ cancelled
messaging-providers ⚠️ cancelled
model-router-provider-routed-inference ⚠️ cancelled
network-policy ⚠️ cancelled
ollama-auth-proxy ⚠️ cancelled
onboard-negative-paths ⚠️ cancelled
onboard-repair ⚠️ cancelled
onboard-resume ⚠️ cancelled
openclaw-discord-pairing ⚠️ cancelled
openclaw-inference-switch ⚠️ cancelled
openclaw-plugin-runtime-exdev ⚠️ cancelled
openclaw-skill-cli ⚠️ cancelled
openclaw-slack-pairing ⚠️ cancelled
openclaw-tui-chat-correlation ⚠️ cancelled
openshell-gateway-auth-contract ⚠️ cancelled
openshell-gateway-upgrade ⚠️ cancelled
openshell-version-pin ⚠️ cancelled
overlayfs-autofix ⚠️ cancelled
rebuild-hermes ⚠️ cancelled
rebuild-hermes-stale-base ⚠️ cancelled
rebuild-openclaw ⚠️ cancelled
sandbox-operations ⚠️ cancelled
sandbox-rebuild ⚠️ cancelled
sandbox-rlimits-connect ⚠️ cancelled
sandbox-survival ⚠️ cancelled
security-posture ⚠️ cancelled
sessions-agents-cli ⚠️ cancelled
shields-config ⚠️ cancelled
skill-agent ⚠️ cancelled
snapshot-commands ⚠️ cancelled
spark-install ⚠️ cancelled
state-backup-restore ⚠️ cancelled
telegram-injection ⚠️ cancelled
token-rotation ⚠️ cancelled
tunnel-lifecycle ⚠️ cancelled
upgrade-stale-sandbox ⚠️ cancelled

Explicit-only jobs skipped: openshell-gateway-auth-contract (default dispatch excludes the resource-heavy OpenShell auth-contract probe unless selected; validate with jobs=openshell-gateway-auth-contract or targets=openshell-gateway-auth-contract), mcp-bridge-dev (default dispatch excludes moving OpenShell dev artifacts unless explicitly selected; validate with jobs=mcp-bridge-dev or targets=mcp-bridge-dev), hermes-gpu-startup (default dispatch excludes this explicit-only job unless selected; validate with jobs=hermes-gpu-startup or targets=hermes-gpu-startup), sandbox-rlimits-connect (default dispatch excludes the destructive rlimit fork/connect probe unless selected; validate with jobs=sandbox-rlimits-connect or targets=sandbox-rlimits-connect), jetson-nvmap-gpu (default dispatch excludes Jetson until a stable Jetson runner is available; validate with jobs=jetson-nvmap-gpu or targets=jetson-nvmap-gpu).

cjagwani and others added 2 commits July 8, 2026 21:47
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28978130260
Workflow ref: codex/6412-dcode-probe-output-hardening
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code,inference-routing
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
inference-routing ✅ success
live ✅ success

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@apurvvkumaria
apurvvkumaria enabled auto-merge (squash) July 8, 2026 21:55
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28978561865
Workflow ref: codex/6412-dcode-probe-output-hardening
Requested targets: (selector rejected by workflow validation)
Requested jobs: (selector rejected by workflow validation)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
generate-matrix ❌ failure

Failed jobs: generate-matrix. Check run artifacts for logs.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28978646448
Workflow ref: codex/6412-dcode-probe-output-hardening
Requested targets: (default — all supported)
Requested jobs: inference-routing
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
inference-routing ✅ success

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/lib/actions/sandbox/connect-inference-route-probe.test.ts (1)

89-146: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Use a launcher stand-in that still exercises the shell-startup path.
#!/bin/bash -p skips BASH_ENV/ENV, so this case can’t fail if the DCode probe itself regresses; it only proves the wrapper suppresses the hostile startup file. Replace it with a plain exec "$@" stand-in, or run the real launcher behavior, so the injected .bash_profile path remains testable.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/connect-inference-route-probe.test.ts` around lines
89 - 146, The sandbox probe test is using a launcher stand-in that bypasses
shell startup, so it can’t detect regressions in the DCode probe path. Update
the test in connect-inference-route-probe.test.ts around
buildSandboxInferenceRouteProbeArgs and spawnSync to use a plain exec "$@"
wrapper, or otherwise preserve real shell startup behavior, so the injected
.bash_profile/BASH_ENV/ENV path remains exercised and the hostile startup checks
are meaningful.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/lib/actions/sandbox/connect-inference-route-probe.test.ts`:
- Around line 89-146: The sandbox probe test is using a launcher stand-in that
bypasses shell startup, so it can’t detect regressions in the DCode probe path.
Update the test in connect-inference-route-probe.test.ts around
buildSandboxInferenceRouteProbeArgs and spawnSync to use a plain exec "$@"
wrapper, or otherwise preserve real shell startup behavior, so the injected
.bash_profile/BASH_ENV/ENV path remains exercised and the hostile startup checks
are meaningful.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a1633775-e2ba-49b5-81a2-ccd21665f7e2

📥 Commits

Reviewing files that changed from the base of the PR and between 71dc79e and 4c43035.

📒 Files selected for processing (4)
  • src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts
  • src/lib/actions/sandbox/connect-flow.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/lib/actions/sandbox/connect-flow-dcode-probe-preamble.test.ts
  • src/lib/actions/sandbox/connect-flow.test.ts

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28978644987
Workflow ref: codex/6412-dcode-probe-output-hardening
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code,ubuntu-repo-cloud-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
live ❌ failure

Failed jobs: live. Check run artifacts for logs.

@apurvvkumaria
apurvvkumaria merged commit fed4604 into main Jul 8, 2026
284 of 286 checks passed
@apurvvkumaria
apurvvkumaria deleted the codex/6412-dcode-probe-output-hardening branch July 8, 2026 22:04
cv pushed a commit that referenced this pull request Jul 8, 2026
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->
Make DCode inference-route health probes preserve managed observability
by running them through a side-effect-free, image-owned managed-exec
boundary. The new private launcher retains the trusted proxy and shell
hardening from #6497, while updated clients fail closed against older
images where the helper is absent.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->
Fixes #6504

Follow-up to #6497, #6412, and #6192.

## Changes
<!-- Bullet list of key changes. -->
- Install a root-owned, non-symlink `dcode-managed-exec` copy of the
reviewed DCode launcher and verify its ownership, mode, contents, and
real-path execution during image build.
- Route shared DCode status, doctor, rebuild-preflight, and connect
health probes through that side-effect-free boundary instead of the
stateful sandbox entrypoint.
- Preserve enabled and disabled observability marker state while
retaining managed proxy normalization, startup-file isolation, `curl
-q`, strict output parsing, and old-image fail-closed behavior.
- Add focused launcher, image-contract, shared health, and connect-flow
regression coverage.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this restores configured
DCode observability across internal read-only route probes without
changing CLI syntax, output, configuration, or documented behavior.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: nine-category security
review passed on the exact eight-file diff with no findings; exact-head
typed DCode and inference-routing live validation remain required before
merge.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: `npx
vitest run --project cli` over the four route/connect/health files
passed 61 tests; `npx vitest run --project integration` over the
managed-exec/proxy/image files passed 33 tests.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not applicable; this
narrow boundary fix passed CLI build/typecheck, Bash syntax, test-size,
source-shape, title, project-membership, and scoped prek gates.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new doc pages
only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a managed execution entrypoint for Deep Agents Code so route
checks and runtime probing use a dedicated, image-baked launcher path.

* **Bug Fixes**
* Improved the launcher’s behavior to avoid altering sandbox state
during route diagnostics and to fail safely when mis-invoked.
* Updated sandbox probe and health-check commands to use the managed
entrypoint consistently.

* **Tests**
* Added dedicated coverage for the managed entrypoint’s side effects and
failure handling.
* Extended image and sandbox contract tests to validate the managed
binary installation and command structure.
* Improved Deep Agents Code Tavily opt-in checks to reliably restore
observability state.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
@cjagwani cjagwani mentioned this pull request Jul 9, 2026
21 tasks
cv pushed a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Prepares the user documentation for NemoClaw v0.0.78 by replacing the
unreleased section with release highlights and synchronizing the
affected inference, lifecycle, messaging, and CLI reference pages with
merged behavior.

## Changes

- Publish the v0.0.78 release-notes section with links to the most
specific user guides for each shipped behavior.
- Document authoritative Deep Agents route health, Nemotron Ultra
profile behavior, and Hermes compatible-endpoint context metadata.
- Document forced rebuild recovery after total backup failure and the
ownership-safe tunnel/full-stop behavior.
- Keep command examples and shared agent variants aligned with the
current OpenClaw, Hermes, and Deep Agents interfaces.

Source mapping:

- [#3787](#3787) ->
`docs/about/release-notes.mdx`: Record reliable workspace template
seeding during sandbox startup.
- [#4960](#4960) ->
`docs/about/release-notes.mdx`: Record safer detection of rewritten
OpenClaw gateway processes.
- [#5676](#5676) ->
`docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON
handling.
- [#5857](#5857) ->
`docs/about/release-notes.mdx`: Record synchronization of explicit
OpenClaw main-agent model state.
- [#5929](#5929) ->
`docs/about/release-notes.mdx`: Record copyable SSH port-forward
guidance for remote dashboards.
- [#6068](#6068) ->
`docs/about/release-notes.mdx`: Record custom-image plugin provenance
reconciliation.
- [#6116](#6116) ->
`docs/about/release-notes.mdx`: Record live-loopback dashboard-forward
recovery.
- [#6122](#6122) ->
`docs/about/release-notes.mdx`: Announce validated, round-trippable
policy YAML output.
- [#6211](#6211) ->
`docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`,
`docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild
--force` recovery boundary.
- [#6283](#6283) ->
`docs/about/release-notes.mdx`: Record Hermes WebUI port alignment.
- [#6293](#6293) ->
`docs/inference/switch-inference-providers.mdx`,
`docs/about/release-notes.mdx`: Document compatible-endpoint
context-length probing for Hermes.
- [#6320](#6320) ->
`docs/about/release-notes.mdx`: Record bounded gateway-recovery waits.
- [#6377](#6377) ->
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain
rebuild diagnostics and prepared MCP-destroy recovery.
- [#6412](#6412) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document authoritative agent-visible
inference route health.
- [#6421](#6421) ->
`docs/about/release-notes.mdx`: Record the longer quiet-pull window for
managed vLLM images.
- [#6431](#6431) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document the version-pinned Nemotron
Ultra profile plugin.
- [#6439](#6439) ->
`docs/about/release-notes.mdx`: Summarize the authenticated, pinned
credential-capture helper boundary.
- [#6450](#6450) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document
host-forward cleanup and ownership-safe gateway-port release.
- [#6474](#6474) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/about/release-notes.mdx`: Record composable OpenClaw messaging
runtime loaders.
- [#6475](#6475) ->
`docs/about/release-notes.mdx`: Record removal of the unavailable Kimi
K2.6 production endpoint option.
- [#6480](#6480) ->
`docs/about/release-notes.mdx`: Record stderr routing for the plugin
registration banner.
- [#6481](#6481) ->
`docs/about/release-notes.mdx`: Record post-pull Ollama model discovery
checks.
- [#6482](#6482) ->
`docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon
restart.
- [#6486](#6486) ->
`docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep
Agents auto-approval boundary.
- [#6490](#6490) ->
`docs/about/release-notes.mdx`: Record diagnostics for custom images
missing the managed runtime.
- [#6494](#6494) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document nonempty tool-call content
preservation and placeholder rejection.
- [#6497](#6497) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document isolated Deep Agents
route-probe output.
- [#6506](#6506) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document observability-preserving
managed route probes.
- [#6508](#6508) ->
`docs/about/release-notes.mdx`: Link the new extension taxonomy and
SDK-readiness reference from the release summary.

Release-source verification: GitHub reports all 29 cited source PRs as
merged with base `main`, and every merge commit is an ancestor of
`origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No
source-mapping mismatches were found.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates

<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Documentation-only
release-prep changes; `npm run docs` validates variants, routes, and
Fern content.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
are not applicable to this documentation-only change set.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — exited
0 with zero errors; Fern reported the existing unauthenticated
redirect-check and light-mode contrast warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>

---------

Signed-off-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Prevent DCode login-shell startup output from impersonating
authoritative `inference.local` route-probe evidence. This post-merge
follow-up to NVIDIA#6412 keeps `connect` fail closed by suppressing profile
stdout until the real probe restores its capture descriptor and by
rejecting multiline or preamble-contaminated results.

## Related Issue

Follow-up to NVIDIA#6192 and merged PR NVIDIA#6412.

## Changes

- Preserve the probe capture stream on file descriptor 3 while
discarding DCode login-shell startup stdout.
- Restore stdout only inside the trusted inner probe before it emits
`OK` or `BROKEN` evidence.
- Require a single complete probe-result line after known OpenShell
framing normalization.
- Add adversarial regressions proving profile output and multiline
evidence cannot report false health, authorize repair, or open SSH.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: This tightens the existing
documented fail-closed trust boundary without changing commands, output
states, recovery guidance, or supported workflows.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: A post-merge security
review of NVIDIA#6412 identified the startup-output spoof boundary; the fix
was reviewed as fail-closed and is covered by profile-spoof,
multiline-output, no-repair, and no-SSH regressions.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — 54 focused connect/probe tests and 18
status JSON/text integration tests passed.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved sandbox connectivity/inference-route probing so login-shell
preamble output can’t be misread as the health check result.
* Tightened probe output validation to accept only a single, clean
`OK/BROKEN` status line (no extra text), reducing incorrect
“healthy/broken” determinations.
* **Tests**
* Added coverage for spoofing attempts via crafted shell and curl
configuration in an isolated temp home, including validation that marker
side effects do not occur.
* Extended parsing and preamble-boundary tests to ensure untrusted
composite outputs are classified as unavailable.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->
Make DCode inference-route health probes preserve managed observability
by running them through a side-effect-free, image-owned managed-exec
boundary. The new private launcher retains the trusted proxy and shell
hardening from NVIDIA#6497, while updated clients fail closed against older
images where the helper is absent.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->
Fixes NVIDIA#6504

Follow-up to NVIDIA#6497, NVIDIA#6412, and NVIDIA#6192.

## Changes
<!-- Bullet list of key changes. -->
- Install a root-owned, non-symlink `dcode-managed-exec` copy of the
reviewed DCode launcher and verify its ownership, mode, contents, and
real-path execution during image build.
- Route shared DCode status, doctor, rebuild-preflight, and connect
health probes through that side-effect-free boundary instead of the
stateful sandbox entrypoint.
- Preserve enabled and disabled observability marker state while
retaining managed proxy normalization, startup-file isolation, `curl
-q`, strict output parsing, and old-image fail-closed behavior.
- Add focused launcher, image-contract, shared health, and connect-flow
regression coverage.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this restores configured
DCode observability across internal read-only route probes without
changing CLI syntax, output, configuration, or documented behavior.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: nine-category security
review passed on the exact eight-file diff with no findings; exact-head
typed DCode and inference-routing live validation remain required before
merge.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: `npx
vitest run --project cli` over the four route/connect/health files
passed 61 tests; `npx vitest run --project integration` over the
managed-exec/proxy/image files passed 33 tests.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not applicable; this
narrow boundary fix passed CLI build/typecheck, Bash syntax, test-size,
source-shape, title, project-membership, and scoped prek gates.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new doc pages
only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a managed execution entrypoint for Deep Agents Code so route
checks and runtime probing use a dedicated, image-baked launcher path.

* **Bug Fixes**
* Improved the launcher’s behavior to avoid altering sandbox state
during route diagnostics and to fail safely when mis-invoked.
* Updated sandbox probe and health-check commands to use the managed
entrypoint consistently.

* **Tests**
* Added dedicated coverage for the managed entrypoint’s side effects and
failure handling.
* Extended image and sandbox contract tests to validate the managed
binary installation and command structure.
* Improved Deep Agents Code Tavily opt-in checks to reliably restore
observability state.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Prepares the user documentation for NemoClaw v0.0.78 by replacing the
unreleased section with release highlights and synchronizing the
affected inference, lifecycle, messaging, and CLI reference pages with
merged behavior.

## Changes

- Publish the v0.0.78 release-notes section with links to the most
specific user guides for each shipped behavior.
- Document authoritative Deep Agents route health, Nemotron Ultra
profile behavior, and Hermes compatible-endpoint context metadata.
- Document forced rebuild recovery after total backup failure and the
ownership-safe tunnel/full-stop behavior.
- Keep command examples and shared agent variants aligned with the
current OpenClaw, Hermes, and Deep Agents interfaces.

Source mapping:

- [NVIDIA#3787](NVIDIA#3787) ->
`docs/about/release-notes.mdx`: Record reliable workspace template
seeding during sandbox startup.
- [NVIDIA#4960](NVIDIA#4960) ->
`docs/about/release-notes.mdx`: Record safer detection of rewritten
OpenClaw gateway processes.
- [NVIDIA#5676](NVIDIA#5676) ->
`docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON
handling.
- [NVIDIA#5857](NVIDIA#5857) ->
`docs/about/release-notes.mdx`: Record synchronization of explicit
OpenClaw main-agent model state.
- [NVIDIA#5929](NVIDIA#5929) ->
`docs/about/release-notes.mdx`: Record copyable SSH port-forward
guidance for remote dashboards.
- [NVIDIA#6068](NVIDIA#6068) ->
`docs/about/release-notes.mdx`: Record custom-image plugin provenance
reconciliation.
- [NVIDIA#6116](NVIDIA#6116) ->
`docs/about/release-notes.mdx`: Record live-loopback dashboard-forward
recovery.
- [NVIDIA#6122](NVIDIA#6122) ->
`docs/about/release-notes.mdx`: Announce validated, round-trippable
policy YAML output.
- [NVIDIA#6211](NVIDIA#6211) ->
`docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`,
`docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild
--force` recovery boundary.
- [NVIDIA#6283](NVIDIA#6283) ->
`docs/about/release-notes.mdx`: Record Hermes WebUI port alignment.
- [NVIDIA#6293](NVIDIA#6293) ->
`docs/inference/switch-inference-providers.mdx`,
`docs/about/release-notes.mdx`: Document compatible-endpoint
context-length probing for Hermes.
- [NVIDIA#6320](NVIDIA#6320) ->
`docs/about/release-notes.mdx`: Record bounded gateway-recovery waits.
- [NVIDIA#6377](NVIDIA#6377) ->
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain
rebuild diagnostics and prepared MCP-destroy recovery.
- [NVIDIA#6412](NVIDIA#6412) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document authoritative agent-visible
inference route health.
- [NVIDIA#6421](NVIDIA#6421) ->
`docs/about/release-notes.mdx`: Record the longer quiet-pull window for
managed vLLM images.
- [NVIDIA#6431](NVIDIA#6431) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document the version-pinned Nemotron
Ultra profile plugin.
- [NVIDIA#6439](NVIDIA#6439) ->
`docs/about/release-notes.mdx`: Summarize the authenticated, pinned
credential-capture helper boundary.
- [NVIDIA#6450](NVIDIA#6450) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document
host-forward cleanup and ownership-safe gateway-port release.
- [NVIDIA#6474](NVIDIA#6474) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/about/release-notes.mdx`: Record composable OpenClaw messaging
runtime loaders.
- [NVIDIA#6475](NVIDIA#6475) ->
`docs/about/release-notes.mdx`: Record removal of the unavailable Kimi
K2.6 production endpoint option.
- [NVIDIA#6480](NVIDIA#6480) ->
`docs/about/release-notes.mdx`: Record stderr routing for the plugin
registration banner.
- [NVIDIA#6481](NVIDIA#6481) ->
`docs/about/release-notes.mdx`: Record post-pull Ollama model discovery
checks.
- [NVIDIA#6482](NVIDIA#6482) ->
`docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon
restart.
- [NVIDIA#6486](NVIDIA#6486) ->
`docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep
Agents auto-approval boundary.
- [NVIDIA#6490](NVIDIA#6490) ->
`docs/about/release-notes.mdx`: Record diagnostics for custom images
missing the managed runtime.
- [NVIDIA#6494](NVIDIA#6494) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document nonempty tool-call content
preservation and placeholder rejection.
- [NVIDIA#6497](NVIDIA#6497) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document isolated Deep Agents
route-probe output.
- [NVIDIA#6506](NVIDIA#6506) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document observability-preserving
managed route probes.
- [NVIDIA#6508](NVIDIA#6508) ->
`docs/about/release-notes.mdx`: Link the new extension taxonomy and
SDK-readiness reference from the release summary.

Release-source verification: GitHub reports all 29 cited source PRs as
merged with base `main`, and every merge commit is an ancestor of
`origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No
source-mapping mismatches were found.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates

<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Documentation-only
release-prep changes; `npm run docs` validates variants, routes, and
Fern content.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
are not applicable to this documentation-only change set.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — exited
0 with zero errors; Fern reported the existing unauthenticated
redirect-check and light-mode contrast warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>

---------

Signed-off-by: cjagwani <cjagwani@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: cli Command line interface, flags, terminal UX, or output area: inference Inference routing, serving, model selection, or outputs area: routing Request routing, policy routing, model selection, or fallback logic area: security Security controls, permissions, secrets, or hardening bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior v0.0.78 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants