Skip to content

fix(connect): preserve DCode observability during probes#6506

Merged
cv merged 3 commits into
mainfrom
codex/6504-preserve-dcode-observability
Jul 8, 2026
Merged

fix(connect): preserve DCode observability during probes#6506
cv merged 3 commits into
mainfrom
codex/6504-preserve-dcode-observability

Conversation

@apurvvkumaria

@apurvvkumaria apurvvkumaria commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

Make DCode inference-route health probes preserve managed observability by running them through a side-effect-free, image-owned managed-exec boundary. The new private launcher retains the trusted proxy and shell hardening from #6497, while updated clients fail closed against older images where the helper is absent.

Related Issue

Fixes #6504

Follow-up to #6497, #6412, and #6192.

Changes

  • Install a root-owned, non-symlink dcode-managed-exec copy of the reviewed DCode launcher and verify its ownership, mode, contents, and real-path execution during image build.
  • Route shared DCode status, doctor, rebuild-preflight, and connect health probes through that side-effect-free boundary instead of the stateful sandbox entrypoint.
  • Preserve enabled and disabled observability marker state while retaining managed proxy normalization, startup-file isolation, curl -q, strict output parsing, and old-image fail-closed behavior.
  • Add focused launcher, image-contract, shared health, and connect-flow regression coverage.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: this restores configured DCode observability across internal read-only route probes without changing CLI syntax, output, configuration, or documented behavior.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: nine-category security review passed on the exact eight-file diff with no findings; exact-head typed DCode and inference-routing live validation remain required before merge.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: npx vitest run --project cli over the four route/connect/health files passed 61 tests; npx vitest run --project integration over the managed-exec/proxy/image files passed 33 tests.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result: not applicable; this narrow boundary fix passed CLI build/typecheck, Bash syntax, test-size, source-shape, title, project-membership, and scoped prek gates.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new doc pages only)

Signed-off-by: Apurv Kumaria akumaria@nvidia.com

Summary by CodeRabbit

  • New Features

    • Added a managed execution entrypoint for Deep Agents Code so route checks and runtime probing use a dedicated, image-baked launcher path.
  • Bug Fixes

    • Improved the launcher’s behavior to avoid altering sandbox state during route diagnostics and to fail safely when mis-invoked.
    • Updated sandbox probe and health-check commands to use the managed entrypoint consistently.
  • Tests

    • Added dedicated coverage for the managed entrypoint’s side effects and failure handling.
    • Extended image and sandbox contract tests to validate the managed binary installation and command structure.
    • Improved Deep Agents Code Tavily opt-in checks to reliably restore observability state.

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@apurvvkumaria apurvvkumaria added security Recommended Blocker Recommended release blocker for maintainer review area: cli Command line interface, flags, terminal UX, or output area: inference Inference routing, serving, model selection, or outputs area: observability Logging, metrics, tracing, diagnostics, or debug output area: routing Request routing, policy routing, model selection, or fallback logic area: security Security controls, permissions, secrets, or hardening bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior v0.0.78 Release target labels Jul 8, 2026
@apurvvkumaria apurvvkumaria self-assigned this Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 39c10731-b75a-4fd3-a3ba-06bbc9364de7

📥 Commits

Reviewing files that changed from the base of the PR and between a5dcd02 and fa54bb2.

📒 Files selected for processing (3)
  • test/dcode-managed-exec.test.ts
  • test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh
  • test/e2e/support/platform-parity-cloud-experimental.test.ts

📝 Walkthrough

Walkthrough

This PR adds a dcode-managed-exec entry point to the Deep Agents Code launcher, verifies it during image build, repoints sandbox route probes to use it, and adds E2E cleanup so Tavily opt-in checks restore managed observability state.

Changes

Managed exec launcher and build validation

Layer / File(s) Summary
Launcher managed-exec dispatch
agents/langchain-deepagents-code/dcode-launcher.sh, agents/langchain-deepagents-code/Dockerfile, test/langchain-deepagents-code-image.test.ts, test/dcode-managed-exec.test.ts
Adds MANAGED_EXEC_LAUNCHER dispatch, installs and verifies dcode-managed-exec as a non-symlink root:root 0755 copy of the launcher, runs a build-time probe, and adds launcher tests for command handling and observability-marker preservation.
Launcher fixture coverage
test/dcode-managed-exec.test.ts
Adds fixture setup and cases for observability-enabled, observability-disabled, and no-command execution paths.

Route probe path updates

Layer / File(s) Summary
Inference route probe repointed
src/lib/actions/sandbox/connect-inference-route-probe.ts, src/lib/actions/sandbox/connect-flow.test.ts, src/lib/actions/sandbox/connect-inference-route-probe.test.ts, src/lib/actions/sandbox/inference-route-health.test.ts
Switches the managed runtime launcher path to /usr/local/lib/nemoclaw/dcode-managed-exec and updates probe assertions to expect the new executable and exact openshell command shape.

Tavily opt-in restoration

Layer / File(s) Summary
Tavily restoration flow
test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh, test/e2e/support/platform-parity-cloud-experimental.test.ts
Adds observability-marker inspection, restoration helpers, an EXIT trap, a self-test branch, and platform-parity coverage for restoring managed observability after Tavily policy removal.

Estimated code review effort: 4 (Complex) | ~45 minutes

Suggested labels: area: sandbox, area: e2e

Suggested reviewers: jyaunches, cv

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: preserving DCode observability during probes.
Linked Issues check ✅ Passed The changes align with #6504 by routing probes through a side-effect-free managed exec boundary and preserving observability state.
Out of Scope Changes check ✅ Passed The added Docker, launcher, and test updates all support the probe-observability fix and do not show unrelated scope creep.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/6504-preserve-dcode-observability

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 76%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 10091a3 fa54bb2 +/-
src/lib/host-ar...fact-cleanup.ts 83% 17% -66%
src/lib/actions...-add-restart.ts 19% 14% -5%
src/lib/agent/onboard.ts 71% 70% -1%
src/lib/actions...ridge-policy.ts 62% 64% +2%
src/lib/actions...lution-probe.ts 88% 94% +6%
src/lib/agent/t...ersion-drift.ts 88% 96% +8%
src/lib/actions...e-validation.ts 81% 90% +9%
src/lib/actions...x/mcp-bridge.ts 35% 44% +9%
src/lib/agent/b...availability.ts 63% 74% +11%
src/lib/sandbox...rsion-scheme.ts 73% 100% +27%

Updated July 08, 2026 23:22 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: ubuntu-repo-cloud-langchain-deepagents-code, inference-routing
Optional E2E: cloud-onboard

Dispatch hint: targets=ubuntu-repo-cloud-langchain-deepagents-code,inference-routing

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • ubuntu-repo-cloud-langchain-deepagents-code (high): Required because the PR changes the Deep Agents Code sandbox image, launcher, managed exec boundary, network policy check behavior, observability state handling, and real DCode assistant flows. This existing live target onboards the LangChain Deep Agents Code sandbox from the repo and runs the Deep Agents cloud-experimental checks, including headless inference, Tavily opt-in, TUI startup, observability, and related security-policy checks.
  • inference-routing (medium): Required because the PR changes the sandbox inference route probe path and route health/connect diagnostics. The live inference-routing job provides end-to-end confidence that provider routing and inference.local health classification still work with real hosted inference.

Optional E2E

  • cloud-onboard (high): Optional broad confidence check for the hosted onboarding/install path. The more precise required Deep Agents Code target should be merge-blocking for this PR, but cloud-onboard can add coverage for general hosted onboarding regressions if maintainers want extra assurance.

New E2E recommendations

  • DCode route diagnostics state preservation (medium): Existing coverage is split between unit tests, Dockerfile build checks, and the broad Deep Agents Code live target. A focused live regression would directly prove that connect/status/doctor route probes invoke /usr/local/lib/nemoclaw/dcode-managed-exec through OpenShell exec, preserve the managed observability marker, and do not run the stateful sandbox entrypoint.
    • Suggested test: Add a focused live Deep Agents Code route-probe test or cloud-experimental check that toggles observability, runs the DCode inference route probe via the CLI path, and asserts the marker and proxy-normalized environment remain unchanged.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: targets=ubuntu-repo-cloud-langchain-deepagents-code,inference-routing

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • ubuntu-repo-cloud-langchain-deepagents-code: PR changes the LangChain Deep Agents Code image/launcher, the DCode-specific managed inference route probe path, and the cloud-experimental Tavily opt-in E2E check. The smallest live-supported typed target that builds/onboards the DCode sandbox and runs the affected DCode policy/terminal/inference surfaces is ubuntu-repo-cloud-langchain-deepagents-code.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Optional E2E targets

  • None.

Relevant changed files

  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dcode-launcher.sh
  • src/lib/actions/sandbox/connect-inference-route-probe.ts
  • test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh
  • test/e2e/support/platform-parity-cloud-experimental.test.ts

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28981357492
Workflow ref: codex/6504-preserve-dcode-observability
Requested targets: (default — all supported)
Requested jobs: inference-routing
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
inference-routing ✅ success

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Prove or constrain direct dcode-managed-exec egress.
Open items: 0 required · 1 warning · 0 suggestions · 8 test follow-ups
Since last review: 0 prior items resolved · 5 still apply · 1 new item found

Action checklist

  • PRA-1 Resolve or justify: Prove or constrain direct dcode-managed-exec egress in agents/langchain-deepagents-code/dcode-launcher.sh:123
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Runtime validation
  • PRA-T6 Add or justify test follow-up: Acceptance clause
  • PRA-T7 Add or justify test follow-up: Acceptance clause
  • PRA-T8 Add or justify test follow-up: Acceptance clause

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify security agents/langchain-deepagents-code/dcode-launcher.sh:123 Either restrict managed-exec to the expected diagnostic command shape, or add targeted policy evidence showing direct invocation of `/usr/local/lib/nemoclaw/dcode-managed-exec` with arbitrary network commands still fails closed for unapproved egress while the fixed `inference.local` route probe continues to work.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Prove or constrain direct dcode-managed-exec egress

  • Location: agents/langchain-deepagents-code/dcode-launcher.sh:123
  • Category: security
  • Problem: The new `/usr/local/lib/nemoclaw/dcode-managed-exec` mode normalizes the image-baked proxy and observability environment, then `exec "$@"`. Because the Dockerfile installs this copy as root-owned but world-executable `0755`, a sandbox user can invoke the helper directly with arbitrary commands, not only the fixed route-health probe. The intended probe path is safe and array-built, but this broader public entrypoint needs either a narrow command contract or regression evidence that direct use cannot bypass NemoClaw network policy, SSRF controls, or Tavily opt-in restrictions.
  • Impact: If the managed proxy or OpenShell policy treats this helper path differently from normal user commands, direct invocation could provide a policy-bypass or SSRF primitive for unapproved hosts. Even if lower layers already deny it, the PR currently does not prove that boundary for the newly exposed executable.
  • Recommended action: Either restrict managed-exec to the expected diagnostic command shape, or add targeted policy evidence showing direct invocation of `/usr/local/lib/nemoclaw/dcode-managed-exec` with arbitrary network commands still fails closed for unapproved egress while the fixed `inference.local` route probe continues to work.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read `agents/langchain-deepagents-code/dcode-launcher.sh` around the `$0 == "$MANAGED_EXEC_LAUNCHER"` branch and `agents/langchain-deepagents-code/Dockerfile` around the `install -o root -g root -m 0755 ... dcode-managed-exec` line; confirm the helper is callable by the sandbox user and accepts arbitrary argv.
  • Missing regression test: Add a live or policy-level regression that runs `/usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/python3 -c '...'` or `/usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/curl ...` against an unapproved host such as Tavily before opt-in or another denied endpoint, and asserts the request is blocked; keep a positive assertion that the fixed `https://inference.local/v1/models\` route probe still succeeds or returns the trusted OK/BROKEN grammar.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `agents/langchain-deepagents-code/dcode-launcher.sh` around the `$0 == "$MANAGED_EXEC_LAUNCHER"` branch and `agents/langchain-deepagents-code/Dockerfile` around the `install -o root -g root -m 0755 ... dcode-managed-exec` line; confirm the helper is callable by the sandbox user and accepts arbitrary argv.
  • Evidence: `dcode-launcher.sh` now branches on `$0` and executes arbitrary `"$@"` after proxy normalization; `Dockerfile` installs `/usr/local/lib/nemoclaw/dcode-managed-exec` with mode `0755`; added tests cover marker preservation and no-command failure but not arbitrary direct egress denial.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — In an exact-head DCode sandbox with managed observability enabled, run status, doctor, and connect route-health probes and verify `/tmp/nemoclaw-observability-enabled` remains present before and after each probe.. Static and unit coverage is strong for argv construction, parser behavior, launcher marker preservation, and local E2E cleanup. The changed Dockerfile/image/runtime path, OpenShell exec environment, network policy enforcement, and observability marker state still require behavioral validation in an exact-head sandbox.
  • PRA-T2 Runtime validation — In an exact-head DCode sandbox with managed observability disabled, run status, doctor, and connect route-health probes and verify `/tmp/nemoclaw-observability-enabled` is not created.. Static and unit coverage is strong for argv construction, parser behavior, launcher marker preservation, and local E2E cleanup. The changed Dockerfile/image/runtime path, OpenShell exec environment, network policy enforcement, and observability marker state still require behavioral validation in an exact-head sandbox.
  • PRA-T3 Runtime validation — Run an exact-head DCode route probe with `inference.local` unreachable and confirm it fails closed through `/usr/local/lib/nemoclaw/dcode-managed-exec` without executing user startup files, trusting inherited FD spoof output, or reading user `.curlrc`.. Static and unit coverage is strong for argv construction, parser behavior, launcher marker preservation, and local E2E cleanup. The changed Dockerfile/image/runtime path, OpenShell exec environment, network policy enforcement, and observability marker state still require behavioral validation in an exact-head sandbox.
  • PRA-T4 Runtime validation — Run a non-DCode OpenClaw route-health probe and confirm its argv and behavior remain the plain `sh -c` probe path.. Static and unit coverage is strong for argv construction, parser behavior, launcher marker preservation, and local E2E cleanup. The changed Dockerfile/image/runtime path, OpenShell exec environment, network policy enforcement, and observability marker state still require behavioral validation in an exact-head sandbox.
  • PRA-T5 Runtime validation — Directly invoke `/usr/local/lib/nemoclaw/dcode-managed-exec` with an arbitrary command that attempts unapproved egress, such as Tavily before opt-in, and verify OpenShell policy or the managed proxy denies the request.. Static and unit coverage is strong for argv construction, parser behavior, launcher marker preservation, and local E2E cleanup. The changed Dockerfile/image/runtime path, OpenShell exec environment, network policy enforcement, and observability marker state still require behavioral validation in an exact-head sandbox.
  • PRA-T6 Acceptance clause — Route-health probes preserve an existing managed observability marker and do not enable observability when it was disabled. — add test evidence or identify existing coverage. `dcode-launcher.sh` unsets ambient `NEMOCLAW_OBSERVABILITY`, re-enables it only from a regular non-symlink marker containing `1`, and managed-exec avoids `start.sh` marker mutation. `test/dcode-managed-exec.test.ts` covers enabled marker preservation, disabled marker non-creation, and no-command preservation. Exact-head live status/doctor/connect behavior remains a runtime-validation follow-up.
  • PRA-T7 Acceptance clause — Regression coverage exercises the real managed-launcher boundary and the status/doctor/connect probe call sites. — add test evidence or identify existing coverage. `test/dcode-managed-exec.test.ts` spawns a fixture built from the real `agents/langchain-deepagents-code/dcode-launcher.sh`; `connect-flow.test.ts` covers the connect probe argv; `inference-route-health.test.ts` covers the shared status/doctor health helper argv. There is no separate top-level status/doctor test asserting the exact argv, and live runtime validation remains recommended.
  • PRA-T8 Acceptance clause — The typed DCode live target and `inference-routing` live validation pass on the corrective PR head. — add test evidence or identify existing coverage. This clause requires live external validation. Static review did not evaluate external E2E job state; the relevant exact-head runtime checks remain listed under test-depth follow-ups.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Prove or constrain direct dcode-managed-exec egress

  • Location: agents/langchain-deepagents-code/dcode-launcher.sh:123
  • Category: security
  • Problem: The new `/usr/local/lib/nemoclaw/dcode-managed-exec` mode normalizes the image-baked proxy and observability environment, then `exec "$@"`. Because the Dockerfile installs this copy as root-owned but world-executable `0755`, a sandbox user can invoke the helper directly with arbitrary commands, not only the fixed route-health probe. The intended probe path is safe and array-built, but this broader public entrypoint needs either a narrow command contract or regression evidence that direct use cannot bypass NemoClaw network policy, SSRF controls, or Tavily opt-in restrictions.
  • Impact: If the managed proxy or OpenShell policy treats this helper path differently from normal user commands, direct invocation could provide a policy-bypass or SSRF primitive for unapproved hosts. Even if lower layers already deny it, the PR currently does not prove that boundary for the newly exposed executable.
  • Recommended action: Either restrict managed-exec to the expected diagnostic command shape, or add targeted policy evidence showing direct invocation of `/usr/local/lib/nemoclaw/dcode-managed-exec` with arbitrary network commands still fails closed for unapproved egress while the fixed `inference.local` route probe continues to work.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read `agents/langchain-deepagents-code/dcode-launcher.sh` around the `$0 == "$MANAGED_EXEC_LAUNCHER"` branch and `agents/langchain-deepagents-code/Dockerfile` around the `install -o root -g root -m 0755 ... dcode-managed-exec` line; confirm the helper is callable by the sandbox user and accepts arbitrary argv.
  • Missing regression test: Add a live or policy-level regression that runs `/usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/python3 -c '...'` or `/usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/curl ...` against an unapproved host such as Tavily before opt-in or another denied endpoint, and asserts the request is blocked; keep a positive assertion that the fixed `https://inference.local/v1/models\` route probe still succeeds or returns the trusted OK/BROKEN grammar.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `agents/langchain-deepagents-code/dcode-launcher.sh` around the `$0 == "$MANAGED_EXEC_LAUNCHER"` branch and `agents/langchain-deepagents-code/Dockerfile` around the `install -o root -g root -m 0755 ... dcode-managed-exec` line; confirm the helper is callable by the sandbox user and accepts arbitrary argv.
  • Evidence: `dcode-launcher.sh` now branches on `$0` and executes arbitrary `"$@"` after proxy normalization; `Dockerfile` installs `/usr/local/lib/nemoclaw/dcode-managed-exec` with mode `0755`; added tests cover marker preservation and no-command failure but not arbitrary direct egress denial.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/dcode-managed-exec.test.ts`:
- Around line 68-108: The parameterized test in dcode-managed-exec.test.ts now
adds two conditional branches that trigger the guardrail failure. Split the
current it.each case into two explicit tests for the enabled and disabled
observability scenarios, and move the marker setup/assertion logic into each
test so there are no if statements. Keep the same coverage by preserving the
existing launcher fixture setup, spawnSync invocation, and checks around
makeLauncherFixture, markerPath, wrapperMarkerPath, and the observability env
behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ebef184e-dd79-46bc-8e11-9ee735c846c2

📥 Commits

Reviewing files that changed from the base of the PR and between 10091a3 and a5dcd02.

📒 Files selected for processing (8)
  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dcode-launcher.sh
  • src/lib/actions/sandbox/connect-flow.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.ts
  • src/lib/actions/sandbox/inference-route-health.test.ts
  • test/dcode-managed-exec.test.ts
  • test/langchain-deepagents-code-image.test.ts

Comment thread test/dcode-managed-exec.test.ts Outdated
@apurvvkumaria
apurvvkumaria enabled auto-merge (squash) July 8, 2026 22:59
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Informational

Merge posture: Informational / low confidence
Primary next action: Fix PRA-2: Review finding; then add or justify PRA-T1.
Open items: 2 required · 4 warnings · 2 suggestions · 1 test follow-up
Since last review: 0 prior items resolved · 1 still applies · 3 new items found

Action checklist

  • PRA-2 Fix: Review finding in agents/langchain-deepagents-code/dcode-launcher.sh:126-133
  • PRA-3 Fix: Review finding in agents/langchain-deepagents-code/Dockerfile:53-57,117
  • PRA-1 Resolve or justify: PR review advisor retry failed
  • PRA-4 Resolve or justify: Review finding in src/lib/actions/sandbox/connect-inference-route-probe.ts:51
  • PRA-5 Resolve or justify: Review finding in test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh:61-102
  • PRA-6 Resolve or justify: Review finding in agents/langchain-deepagents-code/Dockerfile:1
  • PRA-T1 Add or justify test follow-up: Review finding
  • PRA-7 In-scope improvement: Review finding in test/dcode-managed-exec.test.ts
  • PRA-8 In-scope improvement: Review finding in src/lib/actions/sandbox/connect-inference-route-probe.ts:51

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify workflow Treat this result as lower confidence, inspect the raw retry artifact, and rerun the advisor if the preserved findings are unclear.
PRA-2 Required security agents/langchain-deepagents-code/dcode-launcher.sh:126-133 No action needed — security posture improved. Verify wrapperMarkerPath is not created in test/dcode-managed-exec.test.ts lines 63, 91, 121.
PRA-3 Required security agents/langchain-deepagents-code/Dockerfile:53-57,117 No action needed — version-skew protection correctly implemented. Consider adding build-time probe smoke test with mock curl (PRA-2 from prior review) for deeper integration confidence.
PRA-4 Resolve/justify security src/lib/actions/sandbox/connect-inference-route-probe.ts:51 Rename constant to DCODE_MANAGED_EXEC_LAUNCHER in connect-inference-route-probe.ts and update comment. Low risk, local to changed code.
PRA-5 Resolve/justify security test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh:61-102 No action needed — proper cleanup and state restoration. Verify self-test mode 'restore-denial' exercises the restoration path (lines 104-123).
PRA-6 Resolve/justify workflow agents/langchain-deepagents-code/Dockerfile:1 Coordinate with authors of overlapping PRs. Rebase or resolve conflicts before merge. This is a process coordination item, not a code defect.
PRA-7 Improvement tests test/dcode-managed-exec.test.ts Add integration test in test/e2e/ or test/integration/ that builds the image and invokes the managed-exec entry point directly. Prefer current-PR fix when local to changed code; defer only with rationale.
PRA-8 Improvement architecture src/lib/actions/sandbox/connect-inference-route-probe.ts:51 Rename constant for clarity. Safe simplification — only constant rename, all call sites updated.

🚨 Required before merge

Address these before merging unless a maintainer explicitly overrides the advisor with rationale.

PRA-2 Required — Review finding

  • Location: agents/langchain-deepagents-code/dcode-launcher.sh:126-133
  • Category: security
  • Problem: Managed exec mode correctly implements side-effect-free probe path: validates proxy from root-owned files, preserves observability marker (does not consume it), executes command directly without wrapper invocation, and fails closed (exit 64) when no command provided.
  • Impact: No impact provided.
  • Required action: No action needed — security posture improved. Verify wrapperMarkerPath is not created in test/dcode-managed-exec.test.ts lines 63, 91, 121.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Check dcode-launcher.sh lines 126-133: if [ "$0" = "$MANAGED_EXEC_LAUNCHER" ]; then ... exec "$@"; fi — wrapper not invoked. Check test/dcode-managed-exec.test.ts expects wrapperMarkerPath to not exist.
  • Missing regression test: test/dcode-managed-exec.test.ts already covers: observability preservation (enabled/disabled), wrapper non-invocation, fail-closed on missing command.
  • Done when: The required change is committed and verification passes: Check dcode-launcher.sh lines 126-133: if [ "$0" = "$MANAGED_EXEC_LAUNCHER" ]; then ... exec "$@"; fi — wrapper not invoked. Check test/dcode-managed-exec.test.ts expects wrapperMarkerPath to not exist.
  • Evidence: No evidence provided.

PRA-3 Required — Review finding

  • Location: agents/langchain-deepagents-code/Dockerfile:53-57,117
  • Category: security
  • Problem: dcode-managed-exec installed as separate root-owned regular file (not symlink) with validated ownership/mode/content equality to launcher. Build-time test runs `/usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/true` proving the entry point works. Older images lack this file → newer CLI probing them fails fast (ENOENT) before stateful entrypoint/wrapper runs.
  • Impact: No impact provided.
  • Required action: No action needed — version-skew protection correctly implemented. Consider adding build-time probe smoke test with mock curl (PRA-2 from prior review) for deeper integration confidence.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Dockerfile lines 53-57: install + test -f + test ! -L + stat 0:0:755 + cmp -s. Line 117: /usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/true.
  • Missing regression test: PRA-2 suggests build-time probe smoke test with mock curl exercising full probe argv. PRA-3 suggests negative test for version skew: probe argv against missing managed-exec → fail-closed.
  • Done when: The required change is committed and verification passes: Dockerfile lines 53-57: install + test -f + test ! -L + stat 0:0:755 + cmp -s. Line 117: /usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/true.
  • Evidence: No evidence provided.
Review findings by urgency: 2 required fixes, 4 items to resolve/justify, 2 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — PR review advisor retry failed

  • Location: not file-specific
  • Category: workflow
  • Problem: The first advisor response parsed, but a quality-improvement retry failed; this result preserves the first-pass review.
  • Impact: Maintainers still have the first-pass findings, but low-quality structured fields may remain until a future advisor run succeeds.
  • Recommended action: Treat this result as lower confidence, inspect the raw retry artifact, and rerun the advisor if the preserved findings are unclear.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Open pr-review-advisor-retry-raw-output.txt and the workflow logs to inspect the retry failure.
  • Missing regression test: Keep unit coverage that proves a retry failure preserves the first normalized review with this limitation.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Open pr-review-advisor-retry-raw-output.txt and the workflow logs to inspect the retry failure.
  • Evidence: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor-nemotron-ultra/pr-review-advisor-retry-raw-output.txt

PRA-4 Resolve/justify — Review finding

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.ts:51
  • Category: security
  • Problem: Constant named DCODE_MANAGED_RUNTIME_LAUNCHER but points to dcode-managed-exec (not a runtime launcher). Prior review PRA-4 recommended rename to DCODE_MANAGED_EXEC_LAUNCHER for clarity. Not a security issue but improves code clarity and matches actual file name.
  • Impact: No impact provided.
  • Recommended action: Rename constant to DCODE_MANAGED_EXEC_LAUNCHER in connect-inference-route-probe.ts and update comment. Low risk, local to changed code.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: grep -n DCODE_MANAGED_RUNTIME_LAUNCHER src/lib/actions/sandbox/connect-inference-route-probe.ts — used at line 51 (def) and 65 (use).
  • Missing regression test: None — cosmetic only; existing tests cover behavior.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: grep -n DCODE_MANAGED_RUNTIME_LAUNCHER src/lib/actions/sandbox/connect-inference-route-probe.ts — used at line 51 (def) and 65 (use).
  • Evidence: No evidence provided.

PRA-5 Resolve/justify — Review finding

  • Location: test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh:61-102
  • Category: security
  • Problem: Tavily opt-in check adds observability state restoration after policy-remove. Captures marker before policy-remove, restores via `NEMOCLAW_OBSERVABILITY=1 /usr/local/bin/nemoclaw-start /usr/bin/true` if marker was lost. Self-test modes validate restoration logic. Uses trap EXIT for cleanup.
  • Impact: No impact provided.
  • Recommended action: No action needed — proper cleanup and state restoration. Verify self-test mode 'restore-denial' exercises the restoration path (lines 104-123).
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check restore_observability_state() function lines 61-83 and restore_tavily_denial() lines 85-102. Self-test at lines 104-123 mocks openshell/nemoclaw_cli to verify marker restoration.
  • Missing regression test: Platform parity test added at test/e2e/support/platform-parity-cloud-experimental.test.ts lines 232-247 with 3 parametrized cases for restore-denial logic.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check restore_observability_state() function lines 61-83 and restore_tavily_denial() lines 85-102. Self-test at lines 104-123 mocks openshell/nemoclaw_cli to verify marker restoration.
  • Evidence: No evidence provided.

PRA-6 Resolve/justify — Review finding

  • Location: agents/langchain-deepagents-code/Dockerfile:1
  • Category: workflow
  • Problem: Merge conflict risk with 5 overlapping PRs (fix(dcode): harden Nemotron Ultra tool requests #6494, fix(dcode): route fetch_url through managed proxy #6495, feat(performance): add progressive disclosure tests and compositional routing acceptance #6341, fix(dcode): preserve state across policy reloads #6503, fix(dcode): require Landlock enforcement #5812) modifying same files (Dockerfile, dcode-launcher.sh, test files). Prior review PRA-5 flagged this. This PR's changes are minimal and localized (new entry point + probe switch), so rebasing should be straightforward.
  • Impact: No impact provided.
  • Recommended action: Coordinate with authors of overlapping PRs. Rebase or resolve conflicts before merge. This is a process coordination item, not a code defect.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check git merge-base and diff against each overlapping PR branch: `git fetch origin pull/6341/head:pr6341 && git diff pr6341...HEAD -- agents/langchain-deepagents-code/Dockerfile agents/langchain-deepagents-code/dcode-launcher.sh`
  • Missing regression test: N/A — process coordination.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check git merge-base and diff against each overlapping PR branch: `git fetch origin pull/6341/head:pr6341 && git diff pr6341...HEAD -- agents/langchain-deepagents-code/Dockerfile agents/langchain-deepagents-code/dcode-launcher.sh`.
  • Evidence: No evidence provided.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-7 Improvement — Review finding

  • Location: test/dcode-managed-exec.test.ts
  • Category: tests
  • Problem: Unit tests use string replacement on launcher source for isolation. An integration test building the DCode image and running `dcode-managed-exec /usr/bin/true` and `dcode-managed-exec /bin/sh -c 'exit 0'` in-container would verify the actual installed entry point works end-to-end (PRA-1 from prior review).
  • Impact: No impact provided.
  • Suggested action: Add integration test in test/e2e/ or test/integration/ that builds the image and invokes the managed-exec entry point directly. Prefer current-PR fix when local to changed code; defer only with rationale.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check if test/e2e/ has a DCode image build + probe test; run `docker build -t nemoclaw-dcode-test agents/langchain-deepagents-code && docker run --rm nemoclaw-dcode-test /usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/true`
  • Missing regression test: Integration test exercising actual Docker image entry point for dcode-managed-exec
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: No evidence provided.

PRA-8 Improvement — Review finding

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.ts:51
  • Category: architecture
  • Problem: Simplification opportunity: rename constant DCODE_MANAGED_RUNTIME_LAUNCHER to DCODE_MANAGED_EXEC_LAUNCHER (shrink — net 0 lines, no behavioral change). Prior review PRA-4 identified this.
  • Impact: No impact provided.
  • Suggested action: Rename constant for clarity. Safe simplification — only constant rename, all call sites updated.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: grep -n DCODE_MANAGED_RUNTIME_LAUNCHER src/lib/actions/sandbox/connect-inference-route-probe.ts
  • Missing regression test: None — cosmetic only; existing tests cover behavior.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: No evidence provided.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Review finding — Add integration test in test/e2e/ or test/integration/ that builds the image and invokes the managed-exec entry point directly. Prefer current-PR fix when local to changed code; defer only with rationale.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — PR review advisor retry failed

  • Location: not file-specific
  • Category: workflow
  • Problem: The first advisor response parsed, but a quality-improvement retry failed; this result preserves the first-pass review.
  • Impact: Maintainers still have the first-pass findings, but low-quality structured fields may remain until a future advisor run succeeds.
  • Recommended action: Treat this result as lower confidence, inspect the raw retry artifact, and rerun the advisor if the preserved findings are unclear.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Open pr-review-advisor-retry-raw-output.txt and the workflow logs to inspect the retry failure.
  • Missing regression test: Keep unit coverage that proves a retry failure preserves the first normalized review with this limitation.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Open pr-review-advisor-retry-raw-output.txt and the workflow logs to inspect the retry failure.
  • Evidence: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor-nemotron-ultra/pr-review-advisor-retry-raw-output.txt

PRA-2 Required — Review finding

  • Location: agents/langchain-deepagents-code/dcode-launcher.sh:126-133
  • Category: security
  • Problem: Managed exec mode correctly implements side-effect-free probe path: validates proxy from root-owned files, preserves observability marker (does not consume it), executes command directly without wrapper invocation, and fails closed (exit 64) when no command provided.
  • Impact: No impact provided.
  • Required action: No action needed — security posture improved. Verify wrapperMarkerPath is not created in test/dcode-managed-exec.test.ts lines 63, 91, 121.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Check dcode-launcher.sh lines 126-133: if [ "$0" = "$MANAGED_EXEC_LAUNCHER" ]; then ... exec "$@"; fi — wrapper not invoked. Check test/dcode-managed-exec.test.ts expects wrapperMarkerPath to not exist.
  • Missing regression test: test/dcode-managed-exec.test.ts already covers: observability preservation (enabled/disabled), wrapper non-invocation, fail-closed on missing command.
  • Done when: The required change is committed and verification passes: Check dcode-launcher.sh lines 126-133: if [ "$0" = "$MANAGED_EXEC_LAUNCHER" ]; then ... exec "$@"; fi — wrapper not invoked. Check test/dcode-managed-exec.test.ts expects wrapperMarkerPath to not exist.
  • Evidence: No evidence provided.

PRA-3 Required — Review finding

  • Location: agents/langchain-deepagents-code/Dockerfile:53-57,117
  • Category: security
  • Problem: dcode-managed-exec installed as separate root-owned regular file (not symlink) with validated ownership/mode/content equality to launcher. Build-time test runs `/usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/true` proving the entry point works. Older images lack this file → newer CLI probing them fails fast (ENOENT) before stateful entrypoint/wrapper runs.
  • Impact: No impact provided.
  • Required action: No action needed — version-skew protection correctly implemented. Consider adding build-time probe smoke test with mock curl (PRA-2 from prior review) for deeper integration confidence.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Dockerfile lines 53-57: install + test -f + test ! -L + stat 0:0:755 + cmp -s. Line 117: /usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/true.
  • Missing regression test: PRA-2 suggests build-time probe smoke test with mock curl exercising full probe argv. PRA-3 suggests negative test for version skew: probe argv against missing managed-exec → fail-closed.
  • Done when: The required change is committed and verification passes: Dockerfile lines 53-57: install + test -f + test ! -L + stat 0:0:755 + cmp -s. Line 117: /usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/true.
  • Evidence: No evidence provided.

PRA-4 Resolve/justify — Review finding

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.ts:51
  • Category: security
  • Problem: Constant named DCODE_MANAGED_RUNTIME_LAUNCHER but points to dcode-managed-exec (not a runtime launcher). Prior review PRA-4 recommended rename to DCODE_MANAGED_EXEC_LAUNCHER for clarity. Not a security issue but improves code clarity and matches actual file name.
  • Impact: No impact provided.
  • Recommended action: Rename constant to DCODE_MANAGED_EXEC_LAUNCHER in connect-inference-route-probe.ts and update comment. Low risk, local to changed code.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: grep -n DCODE_MANAGED_RUNTIME_LAUNCHER src/lib/actions/sandbox/connect-inference-route-probe.ts — used at line 51 (def) and 65 (use).
  • Missing regression test: None — cosmetic only; existing tests cover behavior.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: grep -n DCODE_MANAGED_RUNTIME_LAUNCHER src/lib/actions/sandbox/connect-inference-route-probe.ts — used at line 51 (def) and 65 (use).
  • Evidence: No evidence provided.

PRA-5 Resolve/justify — Review finding

  • Location: test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh:61-102
  • Category: security
  • Problem: Tavily opt-in check adds observability state restoration after policy-remove. Captures marker before policy-remove, restores via `NEMOCLAW_OBSERVABILITY=1 /usr/local/bin/nemoclaw-start /usr/bin/true` if marker was lost. Self-test modes validate restoration logic. Uses trap EXIT for cleanup.
  • Impact: No impact provided.
  • Recommended action: No action needed — proper cleanup and state restoration. Verify self-test mode 'restore-denial' exercises the restoration path (lines 104-123).
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check restore_observability_state() function lines 61-83 and restore_tavily_denial() lines 85-102. Self-test at lines 104-123 mocks openshell/nemoclaw_cli to verify marker restoration.
  • Missing regression test: Platform parity test added at test/e2e/support/platform-parity-cloud-experimental.test.ts lines 232-247 with 3 parametrized cases for restore-denial logic.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check restore_observability_state() function lines 61-83 and restore_tavily_denial() lines 85-102. Self-test at lines 104-123 mocks openshell/nemoclaw_cli to verify marker restoration.
  • Evidence: No evidence provided.

PRA-6 Resolve/justify — Review finding

  • Location: agents/langchain-deepagents-code/Dockerfile:1
  • Category: workflow
  • Problem: Merge conflict risk with 5 overlapping PRs (fix(dcode): harden Nemotron Ultra tool requests #6494, fix(dcode): route fetch_url through managed proxy #6495, feat(performance): add progressive disclosure tests and compositional routing acceptance #6341, fix(dcode): preserve state across policy reloads #6503, fix(dcode): require Landlock enforcement #5812) modifying same files (Dockerfile, dcode-launcher.sh, test files). Prior review PRA-5 flagged this. This PR's changes are minimal and localized (new entry point + probe switch), so rebasing should be straightforward.
  • Impact: No impact provided.
  • Recommended action: Coordinate with authors of overlapping PRs. Rebase or resolve conflicts before merge. This is a process coordination item, not a code defect.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check git merge-base and diff against each overlapping PR branch: `git fetch origin pull/6341/head:pr6341 && git diff pr6341...HEAD -- agents/langchain-deepagents-code/Dockerfile agents/langchain-deepagents-code/dcode-launcher.sh`
  • Missing regression test: N/A — process coordination.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check git merge-base and diff against each overlapping PR branch: `git fetch origin pull/6341/head:pr6341 && git diff pr6341...HEAD -- agents/langchain-deepagents-code/Dockerfile agents/langchain-deepagents-code/dcode-launcher.sh`.
  • Evidence: No evidence provided.

PRA-7 Improvement — Review finding

  • Location: test/dcode-managed-exec.test.ts
  • Category: tests
  • Problem: Unit tests use string replacement on launcher source for isolation. An integration test building the DCode image and running `dcode-managed-exec /usr/bin/true` and `dcode-managed-exec /bin/sh -c 'exit 0'` in-container would verify the actual installed entry point works end-to-end (PRA-1 from prior review).
  • Impact: No impact provided.
  • Suggested action: Add integration test in test/e2e/ or test/integration/ that builds the image and invokes the managed-exec entry point directly. Prefer current-PR fix when local to changed code; defer only with rationale.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check if test/e2e/ has a DCode image build + probe test; run `docker build -t nemoclaw-dcode-test agents/langchain-deepagents-code && docker run --rm nemoclaw-dcode-test /usr/local/lib/nemoclaw/dcode-managed-exec /usr/bin/true`
  • Missing regression test: Integration test exercising actual Docker image entry point for dcode-managed-exec
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: No evidence provided.

PRA-8 Improvement — Review finding

  • Location: src/lib/actions/sandbox/connect-inference-route-probe.ts:51
  • Category: architecture
  • Problem: Simplification opportunity: rename constant DCODE_MANAGED_RUNTIME_LAUNCHER to DCODE_MANAGED_EXEC_LAUNCHER (shrink — net 0 lines, no behavioral change). Prior review PRA-4 identified this.
  • Impact: No impact provided.
  • Suggested action: Rename constant for clarity. Safe simplification — only constant rename, all call sites updated.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: grep -n DCODE_MANAGED_RUNTIME_LAUNCHER src/lib/actions/sandbox/connect-inference-route-probe.ts
  • Missing regression test: None — cosmetic only; existing tests cover behavior.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: No evidence provided.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28981352252
Workflow ref: codex/6504-preserve-dcode-observability
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
live ❌ failure

Failed jobs: live. Check run artifacts for logs.

Signed-off-by: cjagwani <cjagwani@nvidia.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28981807457
Workflow ref: codex/6504-preserve-dcode-observability
Requested targets: (default — all supported)
Requested jobs: inference-routing
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
inference-routing ✅ success

@cjagwani

cjagwani commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Exact-head babysitting follow-up: DCode run 28981352252 passed the managed-observability boundary through check 11, then failed check 12 because check 09 left the Tavily opt-in active. Signed commit fa54bb2 ports only the hermetic check-09 cleanup from draft #6503 (including preservation of the pre-cleanup observability marker); #6503's credential and prerequisite changes remain in that draft. Local verification: 20/20 focused platform/managed-exec tests under the fixture's expected umask, source-shape and test-size ratchets, Bash syntax, ShellCheck, shfmt, and Biome. Fresh exact-head runs: DCode 28981806191 and inference-routing 28981807457 (passed); full CI rerun in progress.

@cv
cv disabled auto-merge July 8, 2026 23:10
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28982027565
Workflow ref: codex/6504-preserve-dcode-observability
Requested targets: (default — all supported)
Requested jobs: inference-routing
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
inference-routing ✅ success

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28981806191
Workflow ref: codex/6504-preserve-dcode-observability
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 28982022601
Workflow ref: codex/6504-preserve-dcode-observability
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
live ⚠️ cancelled

@cv
cv enabled auto-merge (squash) July 8, 2026 23:16
@cv
cv merged commit 6f45d84 into main Jul 8, 2026
371 of 386 checks passed
@cv
cv deleted the codex/6504-preserve-dcode-observability branch July 8, 2026 23:22
@cjagwani
cjagwani requested review from cv and removed request for cv July 8, 2026 23:23
cv pushed a commit that referenced this pull request Jul 8, 2026
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->
Add exact live-policy evidence that directly invoking DCode's public
managed-exec helper with managed Python cannot bypass the default Tavily
denial. This closes the remaining security-review evidence gap from
#6506 without changing runtime behavior.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->
Follow-up to #6506 and completed issue #6504.

## Changes
<!-- Bullet list of key changes. -->
- Extend the existing DCode Python-egress live check to run the managed
helper directly with `/opt/venv/bin/python3` and require confirmed
Tavily policy-denial evidence before opt-in.
- Preserve command-shape coverage for both ordinary Python and
helper-prefixed Python, with static image-contract assertions for the
new boundary proof.
- Rename the internal DCode launcher constant to match the
`dcode-managed-exec` entrypoint it identifies.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this adds regression evidence
for an existing network-policy contract and makes an internal constant
rename; no user-facing command, configuration, output, schema, or
runtime behavior changes.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: independent reviews
confirmed that direct live-policy evidence is safer and less brittle
than hard-coding the generated probe argv; command construction uses
quoted argv assembly, and the existing positive `connect --probe-only`
live check remains the allowed-route counterpart.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: 97
focused CLI, integration/image-contract, and E2E-support tests passed;
Bash syntax, CLI build/typecheck, repository ratchets, and scoped prek
also passed.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not applicable; this is
one additional assertion in an existing typed live check plus
static/command-shape coverage.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved Python egress handling so direct execution through the
managed wrapper is correctly blocked when policy requires it.
* Updated probe execution so command formatting stays single-line and
consistent across supported launch paths.

* **Tests**
* Expanded end-to-end coverage for Python reachability checks, including
managed-exec invocation.
* Updated policy-behavior checks to reflect the latest command execution
flow.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@cjagwani cjagwani mentioned this pull request Jul 9, 2026
21 tasks
cv pushed a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Prepares the user documentation for NemoClaw v0.0.78 by replacing the
unreleased section with release highlights and synchronizing the
affected inference, lifecycle, messaging, and CLI reference pages with
merged behavior.

## Changes

- Publish the v0.0.78 release-notes section with links to the most
specific user guides for each shipped behavior.
- Document authoritative Deep Agents route health, Nemotron Ultra
profile behavior, and Hermes compatible-endpoint context metadata.
- Document forced rebuild recovery after total backup failure and the
ownership-safe tunnel/full-stop behavior.
- Keep command examples and shared agent variants aligned with the
current OpenClaw, Hermes, and Deep Agents interfaces.

Source mapping:

- [#3787](#3787) ->
`docs/about/release-notes.mdx`: Record reliable workspace template
seeding during sandbox startup.
- [#4960](#4960) ->
`docs/about/release-notes.mdx`: Record safer detection of rewritten
OpenClaw gateway processes.
- [#5676](#5676) ->
`docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON
handling.
- [#5857](#5857) ->
`docs/about/release-notes.mdx`: Record synchronization of explicit
OpenClaw main-agent model state.
- [#5929](#5929) ->
`docs/about/release-notes.mdx`: Record copyable SSH port-forward
guidance for remote dashboards.
- [#6068](#6068) ->
`docs/about/release-notes.mdx`: Record custom-image plugin provenance
reconciliation.
- [#6116](#6116) ->
`docs/about/release-notes.mdx`: Record live-loopback dashboard-forward
recovery.
- [#6122](#6122) ->
`docs/about/release-notes.mdx`: Announce validated, round-trippable
policy YAML output.
- [#6211](#6211) ->
`docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`,
`docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild
--force` recovery boundary.
- [#6283](#6283) ->
`docs/about/release-notes.mdx`: Record Hermes WebUI port alignment.
- [#6293](#6293) ->
`docs/inference/switch-inference-providers.mdx`,
`docs/about/release-notes.mdx`: Document compatible-endpoint
context-length probing for Hermes.
- [#6320](#6320) ->
`docs/about/release-notes.mdx`: Record bounded gateway-recovery waits.
- [#6377](#6377) ->
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain
rebuild diagnostics and prepared MCP-destroy recovery.
- [#6412](#6412) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document authoritative agent-visible
inference route health.
- [#6421](#6421) ->
`docs/about/release-notes.mdx`: Record the longer quiet-pull window for
managed vLLM images.
- [#6431](#6431) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document the version-pinned Nemotron
Ultra profile plugin.
- [#6439](#6439) ->
`docs/about/release-notes.mdx`: Summarize the authenticated, pinned
credential-capture helper boundary.
- [#6450](#6450) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document
host-forward cleanup and ownership-safe gateway-port release.
- [#6474](#6474) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/about/release-notes.mdx`: Record composable OpenClaw messaging
runtime loaders.
- [#6475](#6475) ->
`docs/about/release-notes.mdx`: Record removal of the unavailable Kimi
K2.6 production endpoint option.
- [#6480](#6480) ->
`docs/about/release-notes.mdx`: Record stderr routing for the plugin
registration banner.
- [#6481](#6481) ->
`docs/about/release-notes.mdx`: Record post-pull Ollama model discovery
checks.
- [#6482](#6482) ->
`docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon
restart.
- [#6486](#6486) ->
`docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep
Agents auto-approval boundary.
- [#6490](#6490) ->
`docs/about/release-notes.mdx`: Record diagnostics for custom images
missing the managed runtime.
- [#6494](#6494) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document nonempty tool-call content
preservation and placeholder rejection.
- [#6497](#6497) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document isolated Deep Agents
route-probe output.
- [#6506](#6506) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document observability-preserving
managed route probes.
- [#6508](#6508) ->
`docs/about/release-notes.mdx`: Link the new extension taxonomy and
SDK-readiness reference from the release summary.

Release-source verification: GitHub reports all 29 cited source PRs as
merged with base `main`, and every merge commit is an ancestor of
`origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No
source-mapping mismatches were found.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates

<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Documentation-only
release-prep changes; `npm run docs` validates variants, routes, and
Fern content.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
are not applicable to this documentation-only change set.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — exited
0 with zero errors; Fern reported the existing unauthenticated
redirect-check and light-mode contrast warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>

---------

Signed-off-by: cjagwani <cjagwani@nvidia.com>
cv added a commit that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Follow-up to #6431 for exact-head validation failures that completed
immediately before that PR merged. This isolates sequential DCode E2E
state, preserves observability across policy-only reloads, lets generic
OpenClaw cloud-onboard runs skip DCode-only TUI prerequisites, and
closes the remaining valid advisor requests without changing user-facing
behavior.

## Related Issue
Follow-up to #6431, which closed #6424. No new issue.

## Changes
- Remove the durable Tavily preset after check 09, arm cleanup on
`EXIT`, and fail unless managed DCode Python returns to the default
network denial.
- Move check 12's `expect`, Node, and timeout prerequisites after its
DCode sandbox guard. Generic `cloud-onboard` therefore skips correctly;
typed DCode jobs continue to require and install `expect`.
- Keep the credential-free observability enable marker in managed
`/sandbox/.deepagents` state for exec/login recovery. Current `main` now
owns the durable lifecycle: absent entrypoint env preserves the bit
across policy-only restarts, while create/rebuild/clone pass an explicit
authoritative `1` or `0`. Check 09 requires the host registry's DCode
`observabilityEnabled=true` intent and the exact persistent marker to
agree before and after Tavily policy mutation; it fails rather than
reconstructing intent from sandbox-writable state. Host-managed network
policy remains the egress boundary.
- Reject a pre-existing non-regular or symlink marker target with a
clear startup error, and use no-target-directory replacement so a raced
directory cannot absorb the enabled marker. Fixtures cover both enabled
and disabled startup.
- In live check 11, remove only `observability-otlp-local`, recreate the
exact marker as the sandbox user, and prove both the normally allowed
raw route and marker-triggered deterministic instrumentation produce
zero host captures. Restore only from an exactly inactive policy state
before the existing positive trace checks.
- Replace repeated credential-name limit literals with
`CREDENTIAL_NAME_PREFIX_MAX_LENGTH` and prove every Bash quantifier
remains equal to the canonical TypeScript context-pattern limit.
- Cover exact 128/129 context-prefix behavior, oversized OpenShell
placeholders, and Tavily cleanup-command failures through the real
wrapper/self-test boundaries.
- Preserve the merged #6494 Nemotron Ultra request hardening and its
observability create/snapshot lifecycle while resolving the overlapping
follow-up checks against current `main`.
- Keep standalone DCode Tavily persistence and rebuild behavior
unchanged.
- Avoid the rejected alternative of adding a privileged 47-line
apt/workflow boundary to the generic cloud job.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI, configuration,
model-ID, policy, or user-visible behavior changes
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — fresh exact-head review pending
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
none currently accepted

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — after merging current `main`, focused
DCode integration suites pass 210/210 and focused E2E-support suites
pass 37/37. Bash syntax, ShellCheck, source-shape, test-size, build,
TypeScript typecheck, commit, and pre-push hooks pass
- [ ] Applicable broad gate passed — fresh exact-head CI, advisors,
focused DCode E2E, cloud-onboard, and credential-sanitization pending
- [ ] Quality Gates section completed with required justifications or
waivers — exact-head sensitive-path review pending
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

## Advisor dispositions
- Source-of-truth review: the invalid state is a managed DCode exec
losing host-selected observability because raw exec/login processes do
not inherit entrypoint environment and policy mutation reloads do not
re-run the entrypoint. Current `main` now owns `start.sh`
materialization plus `dcode-launcher.sh` recovery under
`/sandbox/.deepagents`; create/rebuild/clone carry the registry's
explicit `1`/`0` intent, and snapshot restore honors that authoritative
registry state so an earlier enabled snapshot does not override a later
opt-out. This PR adds fail-closed registry/marker agreement checks and
the no-policy export proof. Remove the bridge only when OpenShell both
propagates the bit to exec/login processes and preserves it through
policy reloads or re-runs the entrypoint.
- Sequential Tavily isolation is exercised by the required typed target
on one sandbox: check 09 proves denial immediately after cleanup; checks
10 and 11 do not mutate Tavily; check 12 rebuilds and then invokes check
06, which proves both managed and project-venv Python remain denied from
`api.tavily.com`. This gives immediate and post-rebuild denial evidence
without redundant probes after non-mutating checks.
- The marker integration test runs the transformed `start.sh` with
`NEMOCLAW_OBSERVABILITY=1`, verifies the
`/sandbox/.deepagents/.nemoclaw-observability-enabled` value and mode,
removes volatile runtime state, proves absent-env restart and launcher
recovery, and proves explicit `0` removal. Live check 11 verifies the
literal sandbox path.
- The `/sandbox/.deepagents` marker is intentionally untrusted
convenience state, not authorization. A sandbox user can request local
instrumentation by recreating the exact marker, but cannot grant OTLP
egress; the fixed exporter route remains subject to host-managed
`observability-otlp-local` policy. Live check 11 removes that host
policy, recreates the marker as the sandbox user, proves the exact raw
route is denied without capture, and runs real marker-triggered
deterministic instrumentation with zero captures before restoring the
policy. It also retains alternate host/path/method/port and
unmanaged-binary denials with policy active.
- Check 09 no longer repairs observability by re-running the stateful
entrypoint. The host registry is authoritative, the persistent marker is
derived convenience state, and disagreement fails closed both before and
after policy mutation. Merged #6506 prevents status/connect route probes
from clearing that marker by using the side-effect-free managed-exec
boundary.
- Startup rejects directory, symlink, and other non-regular marker
targets before either the enabled or disabled branch. Enabled
replacement treats the destination as a file, closing the
directory-descent edge case raised by the exact-head advisor.
- Current `main` includes #6506's side-effect-free managed-exec boundary
and #6494's durable observability lifecycle. Both are retained together
with this PR's host-registry agreement checks and no-policy proof; no
contributor work was replaced.
- The proxy env file remains intentionally volatile in `/tmp`: each
stateful entrypoint reconstructs it from root-owned image proxy inputs,
while the observability marker under `/sandbox/.deepagents` must survive
policy-only reloads that do not carry the sandbox-create environment.
Their different locations reflect different lifetime contracts, not
inconsistent authority.

## Exact-head validation plan
- Re-run automatic CI, CodeRabbit, GPT, and Nemotron advisors on
`0570b876d6e85bcb110823d5f8b6a5553d266f34`.
- Re-run `ubuntu-repo-cloud-langchain-deepagents-code` to prove Tavily
is denied after check 09 cleanup and remains denied across the check 12
rebuild.
- Re-run `cloud-onboard` to prove the non-DCode sandbox skips before
requiring `expect`.
- Re-run `credential-sanitization` for the named-limit parity change.
- Hold merge until tomorrow even if all gates pass earlier.

## Failure evidence addressed
- Focused DCode run
[28978277604](https://github.com/NVIDIA/NemoClaw/actions/runs/28978277604):
check 09 left durable Tavily state that check 12 correctly replayed
before the strict egress boundary.
- Cloud/credential run
[28978281322](https://github.com/NVIDIA/NemoClaw/actions/runs/28978281322):
generic OpenClaw cloud-onboard required `expect` before reaching its
DCode-only skip; credential-sanitization passed.
- Superseded follow-up run
[28980032707](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032707):
Tavily cleanup and strict egress passed, then check 11 proved that
policy reload had cleared the runtime-functional `/tmp` observability
marker. The current head retains current `main`'s durable marker under
`/sandbox/.deepagents`.
- Superseded follow-up run
[28980032711](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032711):
cloud-onboard and credential-sanitization both passed.
- Superseded follow-up run
[28981014655](https://github.com/NVIDIA/NemoClaw/actions/runs/28981014655):
after the marker moved to `/sandbox`, check 11 proved that Tavily policy
cleanup could still reconstruct runtime convenience state and remove it.
The current head uses current `main`'s absent-env-preserves lifecycle
and fails if the authoritative registry and derived marker disagree;
check 09 does not repair drift.
- Superseded follow-up run
[28981369440](https://github.com/NVIDIA/NemoClaw/actions/runs/28981369440):
cloud-onboard and credential-sanitization both passed on the
collaborator head; exact-head rerun pending.
- Superseded follow-up run
[28981690759](https://github.com/NVIDIA/NemoClaw/actions/runs/28981690759):
check 09 restored Tavily but sampled observability after policy-add had
already reloaded the sandbox, so check 11 found the marker absent. This
showed that sandbox marker sampling cannot be the authoritative source
of host intent.
- Superseded follow-up run
[28982642290](https://github.com/NVIDIA/NemoClaw/actions/runs/28982642290):
check 09 restored Tavily and check 10 passed, but check 11 found the
marker absent because a pre-#6506 status/connect route probe had already
invoked the stateful entrypoint without observability. Current `main`
supplies #6506's side-effect-free managed-exec probe and #6494's
explicit observability lifecycle, while this head compares the host
registry and persistent marker before and after policy mutation instead
of masking drift with a repair.
- Superseded exact-head focused run
[28983221993](https://github.com/NVIDIA/NemoClaw/actions/runs/28983221993)
passed every typed DCode check 03–12: check 09 reported 9/9, check 11
reported 11/11, and check 12 proved post-rebuild denial. Combined run
[28983222022](https://github.com/NVIDIA/NemoClaw/actions/runs/28983222022)
passed cloud-onboard and credential sanitization. These runs were
invalidated only to address the advisor's unsafe-target edge case and
add the stricter no-host-policy leak proof now running on the current
head.
- Superseded advisor run
[28983777162](https://github.com/NVIDIA/NemoClaw/actions/runs/28983777162)
rated the safety changes `merge_as_is` from GPT with no findings;
Nemotron agreed both substantive findings were resolved and requested
only the `/tmp` versus `/sandbox` lifetime cross-reference now present
on the current head.

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved validation for credential names and context placeholders,
including oversized names.
* Strengthened proxy environment file handling to prevent
destination-path issues.
  * Clarified and stabilized observability policy and marker handling.

* **Tests**
* Expanded end-to-end coverage for observability, Tavily access,
tracing, and auto-approval behavior.
* Standardized test environment paths and added boundary-case validation
for credential patterns.
  * Improved platform-specific launcher test reliability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->
Make DCode inference-route health probes preserve managed observability
by running them through a side-effect-free, image-owned managed-exec
boundary. The new private launcher retains the trusted proxy and shell
hardening from NVIDIA#6497, while updated clients fail closed against older
images where the helper is absent.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->
Fixes NVIDIA#6504

Follow-up to NVIDIA#6497, NVIDIA#6412, and NVIDIA#6192.

## Changes
<!-- Bullet list of key changes. -->
- Install a root-owned, non-symlink `dcode-managed-exec` copy of the
reviewed DCode launcher and verify its ownership, mode, contents, and
real-path execution during image build.
- Route shared DCode status, doctor, rebuild-preflight, and connect
health probes through that side-effect-free boundary instead of the
stateful sandbox entrypoint.
- Preserve enabled and disabled observability marker state while
retaining managed proxy normalization, startup-file isolation, `curl
-q`, strict output parsing, and old-image fail-closed behavior.
- Add focused launcher, image-contract, shared health, and connect-flow
regression coverage.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this restores configured
DCode observability across internal read-only route probes without
changing CLI syntax, output, configuration, or documented behavior.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: nine-category security
review passed on the exact eight-file diff with no findings; exact-head
typed DCode and inference-routing live validation remain required before
merge.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: `npx
vitest run --project cli` over the four route/connect/health files
passed 61 tests; `npx vitest run --project integration` over the
managed-exec/proxy/image files passed 33 tests.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not applicable; this
narrow boundary fix passed CLI build/typecheck, Bash syntax, test-size,
source-shape, title, project-membership, and scoped prek gates.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new doc pages
only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a managed execution entrypoint for Deep Agents Code so route
checks and runtime probing use a dedicated, image-baked launcher path.

* **Bug Fixes**
* Improved the launcher’s behavior to avoid altering sandbox state
during route diagnostics and to fail safely when mis-invoked.
* Updated sandbox probe and health-check commands to use the managed
entrypoint consistently.

* **Tests**
* Added dedicated coverage for the managed entrypoint’s side effects and
failure handling.
* Extended image and sandbox contract tests to validate the managed
binary installation and command structure.
* Improved Deep Agents Code Tavily opt-in checks to reliably restore
observability state.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->
Add exact live-policy evidence that directly invoking DCode's public
managed-exec helper with managed Python cannot bypass the default Tavily
denial. This closes the remaining security-review evidence gap from
NVIDIA#6506 without changing runtime behavior.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->
Follow-up to NVIDIA#6506 and completed issue NVIDIA#6504.

## Changes
<!-- Bullet list of key changes. -->
- Extend the existing DCode Python-egress live check to run the managed
helper directly with `/opt/venv/bin/python3` and require confirmed
Tavily policy-denial evidence before opt-in.
- Preserve command-shape coverage for both ordinary Python and
helper-prefixed Python, with static image-contract assertions for the
new boundary proof.
- Rename the internal DCode launcher constant to match the
`dcode-managed-exec` entrypoint it identifies.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this adds regression evidence
for an existing network-policy contract and makes an internal constant
rename; no user-facing command, configuration, output, schema, or
runtime behavior changes.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: independent reviews
confirmed that direct live-policy evidence is safer and less brittle
than hard-coding the generated probe argv; command construction uses
quoted argv assembly, and the existing positive `connect --probe-only`
live check remains the allowed-route counterpart.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: 97
focused CLI, integration/image-contract, and E2E-support tests passed;
Bash syntax, CLI build/typecheck, repository ratchets, and scoped prek
also passed.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not applicable; this is
one additional assertion in an existing typed live check plus
static/command-shape coverage.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved Python egress handling so direct execution through the
managed wrapper is correctly blocked when policy requires it.
* Updated probe execution so command formatting stays single-line and
consistent across supported launch paths.

* **Tests**
* Expanded end-to-end coverage for Python reachability checks, including
managed-exec invocation.
* Updated policy-behavior checks to reflect the latest command execution
flow.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Prepares the user documentation for NemoClaw v0.0.78 by replacing the
unreleased section with release highlights and synchronizing the
affected inference, lifecycle, messaging, and CLI reference pages with
merged behavior.

## Changes

- Publish the v0.0.78 release-notes section with links to the most
specific user guides for each shipped behavior.
- Document authoritative Deep Agents route health, Nemotron Ultra
profile behavior, and Hermes compatible-endpoint context metadata.
- Document forced rebuild recovery after total backup failure and the
ownership-safe tunnel/full-stop behavior.
- Keep command examples and shared agent variants aligned with the
current OpenClaw, Hermes, and Deep Agents interfaces.

Source mapping:

- [NVIDIA#3787](NVIDIA#3787) ->
`docs/about/release-notes.mdx`: Record reliable workspace template
seeding during sandbox startup.
- [NVIDIA#4960](NVIDIA#4960) ->
`docs/about/release-notes.mdx`: Record safer detection of rewritten
OpenClaw gateway processes.
- [NVIDIA#5676](NVIDIA#5676) ->
`docs/about/release-notes.mdx`: Record warning-tolerant agent-list JSON
handling.
- [NVIDIA#5857](NVIDIA#5857) ->
`docs/about/release-notes.mdx`: Record synchronization of explicit
OpenClaw main-agent model state.
- [NVIDIA#5929](NVIDIA#5929) ->
`docs/about/release-notes.mdx`: Record copyable SSH port-forward
guidance for remote dashboards.
- [NVIDIA#6068](NVIDIA#6068) ->
`docs/about/release-notes.mdx`: Record custom-image plugin provenance
reconciliation.
- [NVIDIA#6116](NVIDIA#6116) ->
`docs/about/release-notes.mdx`: Record live-loopback dashboard-forward
recovery.
- [NVIDIA#6122](NVIDIA#6122) ->
`docs/about/release-notes.mdx`: Announce validated, round-trippable
policy YAML output.
- [NVIDIA#6211](NVIDIA#6211) ->
`docs/manage-sandboxes/lifecycle.mdx`, `docs/reference/commands.mdx`,
`docs/about/release-notes.mdx`: Explain the explicit no-backup `rebuild
--force` recovery boundary.
- [NVIDIA#6283](NVIDIA#6283) ->
`docs/about/release-notes.mdx`: Record Hermes WebUI port alignment.
- [NVIDIA#6293](NVIDIA#6293) ->
`docs/inference/switch-inference-providers.mdx`,
`docs/about/release-notes.mdx`: Document compatible-endpoint
context-length probing for Hermes.
- [NVIDIA#6320](NVIDIA#6320) ->
`docs/about/release-notes.mdx`: Record bounded gateway-recovery waits.
- [NVIDIA#6377](NVIDIA#6377) ->
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Explain
rebuild diagnostics and prepared MCP-destroy recovery.
- [NVIDIA#6412](NVIDIA#6412) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document authoritative agent-visible
inference route health.
- [NVIDIA#6421](NVIDIA#6421) ->
`docs/about/release-notes.mdx`: Record the longer quiet-pull window for
managed vLLM images.
- [NVIDIA#6431](NVIDIA#6431) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document the version-pinned Nemotron
Ultra profile plugin.
- [NVIDIA#6439](NVIDIA#6439) ->
`docs/about/release-notes.mdx`: Summarize the authenticated, pinned
credential-capture helper boundary.
- [NVIDIA#6450](NVIDIA#6450) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document
host-forward cleanup and ownership-safe gateway-port release.
- [NVIDIA#6474](NVIDIA#6474) ->
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/about/release-notes.mdx`: Record composable OpenClaw messaging
runtime loaders.
- [NVIDIA#6475](NVIDIA#6475) ->
`docs/about/release-notes.mdx`: Record removal of the unavailable Kimi
K2.6 production endpoint option.
- [NVIDIA#6480](NVIDIA#6480) ->
`docs/about/release-notes.mdx`: Record stderr routing for the plugin
registration banner.
- [NVIDIA#6481](NVIDIA#6481) ->
`docs/about/release-notes.mdx`: Record post-pull Ollama model discovery
checks.
- [NVIDIA#6482](NVIDIA#6482) ->
`docs/about/release-notes.mdx`: Record Ollama model warm-up after daemon
restart.
- [NVIDIA#6486](NVIDIA#6486) ->
`docs/about/release-notes.mdx`: Publish the opt-in, thread-scoped Deep
Agents auto-approval boundary.
- [NVIDIA#6490](NVIDIA#6490) ->
`docs/about/release-notes.mdx`: Record diagnostics for custom images
missing the managed runtime.
- [NVIDIA#6494](NVIDIA#6494) ->
`docs/inference/model-capability-audit.mdx`,
`docs/about/release-notes.mdx`: Document nonempty tool-call content
preservation and placeholder rejection.
- [NVIDIA#6497](NVIDIA#6497) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document isolated Deep Agents
route-probe output.
- [NVIDIA#6506](NVIDIA#6506) ->
`docs/get-started/quickstart-langchain-deepagents-code.mdx`,
`docs/about/release-notes.mdx`: Document observability-preserving
managed route probes.
- [NVIDIA#6508](NVIDIA#6508) ->
`docs/about/release-notes.mdx`: Link the new extension taxonomy and
SDK-readiness reference from the release summary.

Release-source verification: GitHub reports all 29 cited source PRs as
merged with base `main`, and every merge commit is an ancestor of
`origin/main` at `17bf9a6a9688b3b1d69cf4b37d3f23110acb055e`. No
source-mapping mismatches were found.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates

<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Documentation-only
release-prep changes; `npm run docs` validates variants, routes, and
Fern content.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
are not applicable to this documentation-only change set.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — exited
0 with zero errors; Fern reported the existing unauthenticated
redirect-check and light-mode contrast warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>

---------

Signed-off-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Follow-up to NVIDIA#6431 for exact-head validation failures that completed
immediately before that PR merged. This isolates sequential DCode E2E
state, preserves observability across policy-only reloads, lets generic
OpenClaw cloud-onboard runs skip DCode-only TUI prerequisites, and
closes the remaining valid advisor requests without changing user-facing
behavior.

## Related Issue
Follow-up to NVIDIA#6431, which closed NVIDIA#6424. No new issue.

## Changes
- Remove the durable Tavily preset after check 09, arm cleanup on
`EXIT`, and fail unless managed DCode Python returns to the default
network denial.
- Move check 12's `expect`, Node, and timeout prerequisites after its
DCode sandbox guard. Generic `cloud-onboard` therefore skips correctly;
typed DCode jobs continue to require and install `expect`.
- Keep the credential-free observability enable marker in managed
`/sandbox/.deepagents` state for exec/login recovery. Current `main` now
owns the durable lifecycle: absent entrypoint env preserves the bit
across policy-only restarts, while create/rebuild/clone pass an explicit
authoritative `1` or `0`. Check 09 requires the host registry's DCode
`observabilityEnabled=true` intent and the exact persistent marker to
agree before and after Tavily policy mutation; it fails rather than
reconstructing intent from sandbox-writable state. Host-managed network
policy remains the egress boundary.
- Reject a pre-existing non-regular or symlink marker target with a
clear startup error, and use no-target-directory replacement so a raced
directory cannot absorb the enabled marker. Fixtures cover both enabled
and disabled startup.
- In live check 11, remove only `observability-otlp-local`, recreate the
exact marker as the sandbox user, and prove both the normally allowed
raw route and marker-triggered deterministic instrumentation produce
zero host captures. Restore only from an exactly inactive policy state
before the existing positive trace checks.
- Replace repeated credential-name limit literals with
`CREDENTIAL_NAME_PREFIX_MAX_LENGTH` and prove every Bash quantifier
remains equal to the canonical TypeScript context-pattern limit.
- Cover exact 128/129 context-prefix behavior, oversized OpenShell
placeholders, and Tavily cleanup-command failures through the real
wrapper/self-test boundaries.
- Preserve the merged NVIDIA#6494 Nemotron Ultra request hardening and its
observability create/snapshot lifecycle while resolving the overlapping
follow-up checks against current `main`.
- Keep standalone DCode Tavily persistence and rebuild behavior
unchanged.
- Avoid the rejected alternative of adding a privileged 47-line
apt/workflow boundary to the generic cloud job.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI, configuration,
model-ID, policy, or user-visible behavior changes
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — fresh exact-head review pending
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
none currently accepted

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — after merging current `main`, focused
DCode integration suites pass 210/210 and focused E2E-support suites
pass 37/37. Bash syntax, ShellCheck, source-shape, test-size, build,
TypeScript typecheck, commit, and pre-push hooks pass
- [ ] Applicable broad gate passed — fresh exact-head CI, advisors,
focused DCode E2E, cloud-onboard, and credential-sanitization pending
- [ ] Quality Gates section completed with required justifications or
waivers — exact-head sensitive-path review pending
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

## Advisor dispositions
- Source-of-truth review: the invalid state is a managed DCode exec
losing host-selected observability because raw exec/login processes do
not inherit entrypoint environment and policy mutation reloads do not
re-run the entrypoint. Current `main` now owns `start.sh`
materialization plus `dcode-launcher.sh` recovery under
`/sandbox/.deepagents`; create/rebuild/clone carry the registry's
explicit `1`/`0` intent, and snapshot restore honors that authoritative
registry state so an earlier enabled snapshot does not override a later
opt-out. This PR adds fail-closed registry/marker agreement checks and
the no-policy export proof. Remove the bridge only when OpenShell both
propagates the bit to exec/login processes and preserves it through
policy reloads or re-runs the entrypoint.
- Sequential Tavily isolation is exercised by the required typed target
on one sandbox: check 09 proves denial immediately after cleanup; checks
10 and 11 do not mutate Tavily; check 12 rebuilds and then invokes check
06, which proves both managed and project-venv Python remain denied from
`api.tavily.com`. This gives immediate and post-rebuild denial evidence
without redundant probes after non-mutating checks.
- The marker integration test runs the transformed `start.sh` with
`NEMOCLAW_OBSERVABILITY=1`, verifies the
`/sandbox/.deepagents/.nemoclaw-observability-enabled` value and mode,
removes volatile runtime state, proves absent-env restart and launcher
recovery, and proves explicit `0` removal. Live check 11 verifies the
literal sandbox path.
- The `/sandbox/.deepagents` marker is intentionally untrusted
convenience state, not authorization. A sandbox user can request local
instrumentation by recreating the exact marker, but cannot grant OTLP
egress; the fixed exporter route remains subject to host-managed
`observability-otlp-local` policy. Live check 11 removes that host
policy, recreates the marker as the sandbox user, proves the exact raw
route is denied without capture, and runs real marker-triggered
deterministic instrumentation with zero captures before restoring the
policy. It also retains alternate host/path/method/port and
unmanaged-binary denials with policy active.
- Check 09 no longer repairs observability by re-running the stateful
entrypoint. The host registry is authoritative, the persistent marker is
derived convenience state, and disagreement fails closed both before and
after policy mutation. Merged NVIDIA#6506 prevents status/connect route probes
from clearing that marker by using the side-effect-free managed-exec
boundary.
- Startup rejects directory, symlink, and other non-regular marker
targets before either the enabled or disabled branch. Enabled
replacement treats the destination as a file, closing the
directory-descent edge case raised by the exact-head advisor.
- Current `main` includes NVIDIA#6506's side-effect-free managed-exec boundary
and NVIDIA#6494's durable observability lifecycle. Both are retained together
with this PR's host-registry agreement checks and no-policy proof; no
contributor work was replaced.
- The proxy env file remains intentionally volatile in `/tmp`: each
stateful entrypoint reconstructs it from root-owned image proxy inputs,
while the observability marker under `/sandbox/.deepagents` must survive
policy-only reloads that do not carry the sandbox-create environment.
Their different locations reflect different lifetime contracts, not
inconsistent authority.

## Exact-head validation plan
- Re-run automatic CI, CodeRabbit, GPT, and Nemotron advisors on
`0570b876d6e85bcb110823d5f8b6a5553d266f34`.
- Re-run `ubuntu-repo-cloud-langchain-deepagents-code` to prove Tavily
is denied after check 09 cleanup and remains denied across the check 12
rebuild.
- Re-run `cloud-onboard` to prove the non-DCode sandbox skips before
requiring `expect`.
- Re-run `credential-sanitization` for the named-limit parity change.
- Hold merge until tomorrow even if all gates pass earlier.

## Failure evidence addressed
- Focused DCode run
[28978277604](https://github.com/NVIDIA/NemoClaw/actions/runs/28978277604):
check 09 left durable Tavily state that check 12 correctly replayed
before the strict egress boundary.
- Cloud/credential run
[28978281322](https://github.com/NVIDIA/NemoClaw/actions/runs/28978281322):
generic OpenClaw cloud-onboard required `expect` before reaching its
DCode-only skip; credential-sanitization passed.
- Superseded follow-up run
[28980032707](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032707):
Tavily cleanup and strict egress passed, then check 11 proved that
policy reload had cleared the runtime-functional `/tmp` observability
marker. The current head retains current `main`'s durable marker under
`/sandbox/.deepagents`.
- Superseded follow-up run
[28980032711](https://github.com/NVIDIA/NemoClaw/actions/runs/28980032711):
cloud-onboard and credential-sanitization both passed.
- Superseded follow-up run
[28981014655](https://github.com/NVIDIA/NemoClaw/actions/runs/28981014655):
after the marker moved to `/sandbox`, check 11 proved that Tavily policy
cleanup could still reconstruct runtime convenience state and remove it.
The current head uses current `main`'s absent-env-preserves lifecycle
and fails if the authoritative registry and derived marker disagree;
check 09 does not repair drift.
- Superseded follow-up run
[28981369440](https://github.com/NVIDIA/NemoClaw/actions/runs/28981369440):
cloud-onboard and credential-sanitization both passed on the
collaborator head; exact-head rerun pending.
- Superseded follow-up run
[28981690759](https://github.com/NVIDIA/NemoClaw/actions/runs/28981690759):
check 09 restored Tavily but sampled observability after policy-add had
already reloaded the sandbox, so check 11 found the marker absent. This
showed that sandbox marker sampling cannot be the authoritative source
of host intent.
- Superseded follow-up run
[28982642290](https://github.com/NVIDIA/NemoClaw/actions/runs/28982642290):
check 09 restored Tavily and check 10 passed, but check 11 found the
marker absent because a pre-NVIDIA#6506 status/connect route probe had already
invoked the stateful entrypoint without observability. Current `main`
supplies NVIDIA#6506's side-effect-free managed-exec probe and NVIDIA#6494's
explicit observability lifecycle, while this head compares the host
registry and persistent marker before and after policy mutation instead
of masking drift with a repair.
- Superseded exact-head focused run
[28983221993](https://github.com/NVIDIA/NemoClaw/actions/runs/28983221993)
passed every typed DCode check 03–12: check 09 reported 9/9, check 11
reported 11/11, and check 12 proved post-rebuild denial. Combined run
[28983222022](https://github.com/NVIDIA/NemoClaw/actions/runs/28983222022)
passed cloud-onboard and credential sanitization. These runs were
invalidated only to address the advisor's unsafe-target edge case and
add the stricter no-host-policy leak proof now running on the current
head.
- Superseded advisor run
[28983777162](https://github.com/NVIDIA/NemoClaw/actions/runs/28983777162)
rated the safety changes `merge_as_is` from GPT with no findings;
Nemotron agreed both substantive findings were resolved and requested
only the `/tmp` versus `/sandbox` lifetime cross-reference now present
on the current head.

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved validation for credential names and context placeholders,
including oversized names.
* Strengthened proxy environment file handling to prevent
destination-path issues.
  * Clarified and stabilized observability policy and marker handling.

* **Tests**
* Expanded end-to-end coverage for observability, Tavily access,
tracing, and auto-approval behavior.
* Standardized test environment paths and added boundary-case validation
for credential patterns.
  * Improved platform-specific launcher test reliability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: cli Command line interface, flags, terminal UX, or output area: inference Inference routing, serving, model selection, or outputs area: observability Logging, metrics, tracing, diagnostics, or debug output area: routing Request routing, policy routing, model selection, or fallback logic area: security Security controls, permissions, secrets, or hardening bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior Recommended Blocker Recommended release blocker for maintainer review v0.0.78 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

DCode route health probes disable managed observability

4 participants