Skip to content

fix(dcode): allow plain OTLP endpoint URLs past the secret guard#6538

Merged
cv merged 9 commits into
mainfrom
fix/dcode-otlp-endpoint-secret-fp-6466
Jul 9, 2026
Merged

fix(dcode): allow plain OTLP endpoint URLs past the secret guard#6538
cv merged 9 commits into
mainfrom
fix/dcode-otlp-endpoint-secret-fp-6466

Conversation

@yanyunl1991

@yanyunl1991 yanyunl1991 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

The managed Deep Agents Code secret guard rejected any non-empty OTEL_EXPORTER_OTLP_ENDPOINT / OTEL_EXPORTER_OTLP_TRACES_ENDPOINT value, so a plain collector URL set by the documented --observability flow made dcode refuse to start with a false-positive secret error. This PR treats the OTLP _ENDPOINT variables as URLs (accept a clean bare http(s) URL, still refuse credential-bearing forms) in both the Bash wrapper and the managed Python runtime.

Closes #6466.

Reproduction

On a fresh dcode --observability sandbox:

nemoclaw <sandbox> exec -- bash -c "export OTEL_EXPORTER_OTLP_ENDPOINT=http://host.openshell.internal:4318; dcode -n 'Reply with the single word traced.'"

Environment

  • Test machine: our Ubuntu 24.04 x86_64 test host (no GPU)
  • Fresh dcode (LangChain Deep Agents Code) --observability sandbox; the guard code on this path is identical to main
  • Fix built against main

Observed before fix

dcode: refusing to start — runtime environment variable contains a secret-shaped value in OTEL_EXPORTER_OTLP_ENDPOINT.
  Remove it from the environment, or use 'nemoclaw credentials' to register provider keys.

(With the Bash refusal removed, the managed Python runtime raised the same class of error: runtime environment variable OTEL_EXPORTER_OTLP_ENDPOINT contains a credential, confirming two layers carried the same over-broad rule.)

Observed after fix

Running task non-interactively...
App: v0.1.34 | Agent: agent (default) | Model: ...
Starting LangGraph server...
✓ Server ready

dcode now starts and proceeds normally; a credential-bearing endpoint (e.g. http://token@host:4318) is still refused.

Note on the secondary symptom (exit 0): the report also states the process exits 0 on refusal. On our test host the refusal exits 2 (the wrapper exit 2s and nemoclaw exec propagates it; verified under both a pipe and a PTY), so I could not reproduce the exit-0 behavior and this PR makes no exit-code change. Happy to look again with a strace -f -e trace=exit_group of the failing command if it still reproduces.

Analysis

has_credential_name_context() in agents/langchain-deepagents-code/dcode-wrapper.sh listed OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_EXPORTER_OTLP_TRACES_ENDPOINT alongside the _HEADERS variants, and assert_no_secret_runtime_env / assert_no_secret_env_file refuse any value >= 10 chars for a credential-named var. An OTLP endpoint value is always a URL (>= 10 chars), so every real endpoint was rejected. The managed Python runtime agents/langchain-deepagents-code/managed-dcode-runtime.py carried the identical rule via _CREDENTIAL_ENV_NAMES in _assert_safe_environment(); the Bash layer refused first, so the reporter only saw the Bash message. The _HEADERS variants legitimately carry auth material and must stay refused; only the _ENDPOINT variants are plain URLs.

Fix

Both layers now treat the OTLP _ENDPOINT variables as URLs rather than credential names:

  • Removed the two _ENDPOINT names from the blanket name-context / _CREDENTIAL_ENV_NAMES refusal (kept _HEADERS).
  • Added a helper (is_bare_http_url_without_userinfo / _is_bare_http_url_without_userinfo) that accepts only a single clean http(s) URL and refuses a value with embedded userinfo (scheme://user:pass@host) or a structured key-bearing blob (JSON/quoted/whitespace/comma). This mirrors the existing OpenClaw OTEL config contract (... must not include credentials).
  • The value-shape scan (is_secret_shaped_value / _contains_secret_shape) still runs first, so token-shaped material embedded anywhere in the URL is still caught.

Tests lock in that a plain collector URL is accepted (runtime + dotenv + direct-module) while userinfo URLs and structured key blobs are still refused; the previous test that asserted a plain URL was rejected is updated to a credential-bearing value.

Changes

  • agents/langchain-deepagents-code/dcode-wrapper.sh: OTLP endpoint URL carve-out in the runtime-env and .env-file scans.
  • agents/langchain-deepagents-code/managed-dcode-runtime.py: same carve-out in _assert_safe_environment.
  • test/langchain-deepagents-code-image-credentials.test.ts: new accept/refuse coverage for OTLP endpoints.
  • test/langchain-deepagents-code-direct-module-patch.test.ts: accept plain endpoint URLs; keep credential-bearing refusal.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run passes on the changed files
  • npm test passes (touched files at minimum)
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

AI Disclosure

  • AI-assisted — tool: Claude Code

Signed-off-by: Yanyun Liao yanyunl@nvidia.com

Summary by CodeRabbit

  • Bug Fixes
    • Improved OpenTelemetry OTLP handling for OTEL_EXPORTER_OTLP_ENDPOINT / OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: managed http:///https:// collector URLs are now accepted.
    • Rejected endpoint values with credential-like or unsafe URL forms (e.g., embedded user info, malformed host/port/path).
    • Empty endpoint values are treated as unset, consistently across runtime-injected variables and .env settings; unsafe control characters in .env are now fail-closed.
  • Tests
    • Expanded regression coverage for accepted managed/plain endpoints and rejected credential-bearing and malformed variants in both runtime and dotenv modes.

The managed Deep Agents Code secret guard treated the OTLP endpoint
variables (OTEL_EXPORTER_OTLP_ENDPOINT and its _TRACES_ variant) as
credential-named vars and refused any value >=10 chars, so every real
collector URL set by the documented `--observability` flow (e.g.
http://host.openshell.internal:4318) was rejected and dcode refused to
start with a false-positive secret error. Both the Bash wrapper and the
managed Python runtime carried the same over-broad rule.

Treat the _ENDPOINT variables as URLs, not credentials: accept a clean
bare http(s) URL, but still refuse a value with embedded userinfo
(scheme://user:pass@host) or a structured key-bearing blob, mirroring
the existing OpenClaw OTEL config contract. Token-shaped material
anywhere in the value is still caught by the value-shape scan that runs
first. The _HEADERS variants stay under the credential-name refusal
because they carry auth material.

Fixes #6466

Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This change fixes false-positive secret detection for OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_EXPORTER_OTLP_TRACES_ENDPOINT. The wrapper and managed runtime now accept plain http(s) collector URLs without userinfo, while still rejecting credential-shaped values; tests cover both allowed and rejected cases.

Changes

OTLP Endpoint Credential Scanner Fix

Layer / File(s) Summary
Wrapper: OTLP endpoint name gate and bare-URL validator
agents/langchain-deepagents-code/dcode-wrapper.sh
Documents the OTLP endpoint allowance, narrows the OTLP credential-name match to headers, and adds OTLP endpoint naming and URL validation helpers plus control-character detection.
Wrapper: applying the OTLP validator to runtime env and .env scans
agents/langchain-deepagents-code/dcode-wrapper.sh
assert_no_secret_runtime_env and assert_no_secret_env_file route OTLP endpoint variables through the OTLP URL validator, preserve raw dotenv values for control-character checks, and skip the generic credential-name refusal when validation passes.
Python runtime: OTLP allowlist and validation
agents/langchain-deepagents-code/managed-dcode-runtime.py
Removes OTLP endpoints from the credential-name set, adds the managed OTLP endpoint allowlist and URL validator, and rejects unsafe OTLP endpoint values during environment bootstrap.
Tests: allowed vs rejected OTLP endpoints
test/langchain-deepagents-code-direct-module-patch.test.ts, test/langchain-deepagents-code-image-credentials.test.ts
Direct-module and image-credential tests update OTLP rejection cases to use credential-bearing URLs and add acceptance/rejection coverage for plain OTLP endpoints in runtime and dotenv modes.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant dcode-wrapper.sh
  participant managed-dcode-runtime.py

  User->>dcode-wrapper.sh: Launch dcode with OTEL_EXPORTER_OTLP_ENDPOINT
  dcode-wrapper.sh->>dcode-wrapper.sh: is_otlp_endpoint_name(name)
  dcode-wrapper.sh->>dcode-wrapper.sh: is_safe_otlp_endpoint_url(value)
  dcode-wrapper.sh->>managed-dcode-runtime.py: Start process with env value
  managed-dcode-runtime.py->>managed-dcode-runtime.py: _assert_safe_environment()
  managed-dcode-runtime.py->>managed-dcode-runtime.py: _is_safe_otlp_endpoint_url(value)
  alt plain managed URL
    managed-dcode-runtime.py-->>User: Process starts
  else credential-shaped value
    dcode-wrapper.sh-->>User: Refuse start
  end
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly states the main change: allowing plain OTLP endpoint URLs through the secret guard.
Linked Issues check ✅ Passed The PR addresses the reported false positive by allowing the OTLP collector endpoint in both Bash and Python paths and adds matching tests.
Out of Scope Changes check ✅ Passed The changes stay focused on OTLP endpoint handling and matching tests, with no obvious unrelated additions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/dcode-otlp-endpoint-secret-fp-6466

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E: network-policy

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • ubuntu-repo-cloud-langchain-deepagents-code (high): Required because this PR changes the Deep Agents Code managed wrapper/runtime credential and OTLP observability boundary. The live typed target onboards a real LangChain Deep Agents Code sandbox and runs the cloud-experimental checks, including 08-deepagents-code-secret-boundary.sh and 11-deepagents-code-observability.sh, validating real dcode startup, secret refusal, managed OTLP allow/deny behavior, and inference-path health.

Optional E2E

  • network-policy (medium): Optional adjacent confidence for OpenShell egress-denial and network-policy behavior. The PR is DCode-specific, so the Deep Agents Code target is the merge-blocking floor, but this can help if reviewers are concerned about broader OTLP/network-policy assumptions.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: ``

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • ubuntu-repo-cloud-langchain-deepagents-code: Changes modify the managed LangChain Deep Agents Code wrapper/runtime credential and OTLP endpoint boundary, which is exercised by the live Deep Agents Code onboarding target and its policy/runtime assertions.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Optional E2E targets

  • None.

Relevant changed files

  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/langchain-deepagents-code-image-credentials.test.ts (1)

89-89: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Missing (#6466) suffix in test title.

The issue reference is only in the inline comment, not the title itself.

✏️ Proposed fix
-  it("allows plain OTLP endpoint URLs but rejects credential-bearing endpoint values", () => {
+  it("allows plain OTLP endpoint URLs but rejects credential-bearing endpoint values (`#6466`)", () => {

As per coding guidelines, "**/*.test.ts: Write behavior-oriented test titles, and put local issue references in a final (#1234) suffix."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/langchain-deepagents-code-image-credentials.test.ts` at line 89, The
test title in the behavior-oriented spec should include the local issue
reference as a final suffix. Update the `it(...)` description in
`langchain-deepagents-code-image-credentials.test.ts` so it ends with `(`#6466`)`,
keeping the existing behavior-focused wording in place and preserving the test
intent.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agents/langchain-deepagents-code/dcode-wrapper.sh`:
- Around line 490-494: Allow empty OTLP endpoint values in the OTLP endpoint
handling paths inside dcode-wrapper.sh. In the is_otlp_endpoint_name branch,
make sure an empty $value bypasses is_bare_http_url_without_userinfo so
OTEL_EXPORTER_OTLP_ENDPOINT= is treated as unset instead of rejected. Apply the
same empty-value guard at both OTLP endpoint wiring sites, keeping the existing
refuse_secret_env behavior only for non-empty values.

---

Nitpick comments:
In `@test/langchain-deepagents-code-image-credentials.test.ts`:
- Line 89: The test title in the behavior-oriented spec should include the local
issue reference as a final suffix. Update the `it(...)` description in
`langchain-deepagents-code-image-credentials.test.ts` so it ends with `(`#6466`)`,
keeping the existing behavior-focused wording in place and preserving the test
intent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4d0ff75d-ffb5-4b17-8ff5-99d127e21083

📥 Commits

Reviewing files that changed from the base of the PR and between e962d05 and 96e6f00.

📒 Files selected for processing (4)
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-image-credentials.test.ts

Comment thread agents/langchain-deepagents-code/dcode-wrapper.sh
@github-code-quality

github-code-quality Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 76%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 26bfdfb 4909174 +/-
src/lib/shields/index.ts 60% 60% 0%
src/lib/credentials/store.ts 59% 61% +2%
src/lib/messagi.../persistence.ts 92% 95% +3%

Updated July 09, 2026 07:27 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Source-of-truth review needed: dcode-wrapper.sh secret guard (mirrored canonical patterns).
Open items: 0 required · 4 warnings · 2 suggestions · 3 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 5 new items found

Action checklist

  • PRA-1 Resolve or justify: Source-of-truth review needed: dcode-wrapper.sh secret guard (mirrored canonical patterns)
  • PRA-2 Resolve or justify: Dual-maintenance validator drift risk between Bash wrapper and Python runtime in agents/langchain-deepagents-code/dcode-wrapper.sh:294
  • PRA-3 Resolve or justify: PR fix(dcode): allow local OTLP endpoint env #6533 overlap creates conflicting OTLP allowlist on same trust boundary in agents/langchain-deepagents-code/dcode-wrapper.sh:38
  • PRA-4 Resolve or justify: Source-of-truth workaround extended: mirrored secret patterns instead of upstream fix in agents/langchain-deepagents-code/dcode-wrapper.sh:38
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Acceptance clause
  • PRA-T3 Add or justify test follow-up: dcode-wrapper.sh secret guard (mirrored canonical patterns)
  • PRA-5 In-scope improvement: Exit code 0 discrepancy on refusal (issue [Ubuntu 24.04][Agent&Skills] dcode refuses to start — secret scanner false positive on OTEL_EXPORTER_OTLP_ENDPOINT #6466) not reproducible
  • PRA-6 In-scope improvement: Docs checklist unchecked; --observability docs should note exact OTLP endpoint

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-2 Resolve/justify security agents/langchain-deepagents-code/dcode-wrapper.sh:294 Add a Vitest that runs the accept/refuse matrix against both the wrapper fixture (via makeWrapperFixture) and the direct-module runtime (via python -m deepagents_code), asserting identical accept/reject decisions for every case.
PRA-3 Resolve/justify correctness agents/langchain-deepagents-code/dcode-wrapper.sh:38 Coordinate with PR #6533 author to consolidate into one PR or establish merge order. Decide whether the allowlist is exact-host (host.openshell.internal) or includes localhost, then update both layers and tests once.
PRA-4 Resolve/justify architecture agents/langchain-deepagents-code/dcode-wrapper.sh:38 File a tracked issue to implement upstream validation in deepagents_code or migrate to a Node entrypoint that imports canonical patterns directly. In the meantime, the parity test (Finding 1) mitigates drift risk.
PRA-5 Improvement correctness If the reporter can still reproduce exit 0 without a pipe after this fix lands, investigate nemoclaw exec propagation with strace -f -e trace=exit_group. Otherwise document pipefail requirement in troubleshooting docs.
PRA-6 Improvement docs Update the --observability documentation (likely in docs/ or agent onboarding guides) to state that OTEL_EXPORTER_OTLP_ENDPOINT must be exactly http://host.openshell.internal:4318 or https://host.openshell.internal:4318\[/path\] with no userinfo, query, fragment, or percent-encoding.
Review findings by urgency: 0 required fixes, 4 items to resolve/justify, 2 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: dcode-wrapper.sh secret guard (mirrored canonical patterns)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/langchain-deepagents-code-secret-pattern-parity.test.ts pins canonical TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS fingerprints (source + flags). test/langchain-deepagents-code-image-credentials.test.ts feeds shared positive corpus through wrapper. Live no-network acceptance clause covered by test/e2e/e2e-cloud-experimental/checks/08-deepagents-code-secret-boundary.sh.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Wrapper lines 38-100 (security comment block) documents invalid state, source boundary, source-fix constraint, scope, regression, and removal condition.

PRA-2 Resolve/justify — Dual-maintenance validator drift risk between Bash wrapper and Python runtime

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:294
  • Category: security
  • Problem: Both dcode-wrapper.sh (is_safe_otlp_endpoint_url) and managed-dcode-runtime.py (_is_safe_otlp_endpoint_url) implement identical exact-host allowlist logic for OTLP endpoints but share no code. Comments reference fix(dcode): allow plain OTLP endpoint URLs past the secret guard #6538 review for byte-for-byte parity; tests exercise both independently but no parity test feeds a shared corpus to both validators. If one layer updates without the other, an SSRF/policy bypass window opens.
  • Impact: Validator drift could allow malicious OTLP endpoints through one layer while the other rejects, breaking the two-layer defense-in-depth and potentially enabling sandbox escape via SSRF to arbitrary collectors.
  • Recommended action: Add a Vitest that runs the accept/refuse matrix against both the wrapper fixture (via makeWrapperFixture) and the direct-module runtime (via python -m deepagents_code), asserting identical accept/reject decisions for every case.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: grep -n 'is_safe_otlp_endpoint_url\|_is_safe_otlp_endpoint_url' agents/langchain-deepagents-code/dcode-wrapper.sh agents/langchain-deepagents-code/managed-dcode-runtime.py shows two separate implementations with no shared helper.
  • Missing regression test: Add test/langchain-deepagents-code-otlp-parity.test.ts that iterates the 14 reject values + 3 accept values + empty + control chars for both OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_EXPORTER_OTLP_TRACES_ENDPOINT, runs each through both the wrapper and the Python runtime, and asserts identical exit-code/acceptance outcomes.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: grep -n 'is_safe_otlp_endpoint_url\|_is_safe_otlp_endpoint_url' agents/langchain-deepagents-code/dcode-wrapper.sh agents/langchain-deepagents-code/managed-dcode-runtime.py shows two separate implementations with no shared helper.
  • Evidence: Wrapper lines 294-325 (is_safe_otlp_endpoint_url) and runtime lines 257-290 (_is_safe_otlp_endpoint_url) implement near-identical logic independently; both referenced in comments as mirroring each other per fix(dcode): allow plain OTLP endpoint URLs past the secret guard #6538 review.

PRA-3 Resolve/justify — PR #6533 overlap creates conflicting OTLP allowlist on same trust boundary

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:38
  • Category: correctness
  • Problem: Open PR fix(dcode): allow local OTLP endpoint env #6533 'allow local OTLP endpoint env' modifies the same 4 files (dcode-wrapper.sh, managed-dcode-runtime.py, both test files). This PR allows only host.openshell.internal; fix(dcode): allow local OTLP endpoint env #6533 likely allows localhost/configurable. If both merge, validator conflict = broken --observability flow.
  • Impact: Conflicting allowlists would cause one PR's tests to fail after the other merges, and the runtime would have ambiguous/broken OTLP endpoint validation.
  • Recommended action: Coordinate with PR fix(dcode): allow local OTLP endpoint env #6533 author to consolidate into one PR or establish merge order. Decide whether the allowlist is exact-host (host.openshell.internal) or includes localhost, then update both layers and tests once.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: gh pr view 6533 --json files shows same file list: agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, test/langchain-deepagents-code-direct-module-patch.test.ts, test/langchain-deepagents-code-image-credentials.test.ts
  • Missing regression test: After consolidation, ensure the unified accept/refuse matrix covers the final agreed allowlist and is tested on both Bash and Python paths.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: gh pr view 6533 --json files shows same file list: agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, test/langchain-deepagents-code-direct-module-patch.test.ts, test/langchain-deepagents-code-image-credentials.test.ts.
  • Evidence: PR fix(dcode): allow local OTLP endpoint env #6533 listed in openPrOverlaps with sameFiles matching all 4 changed files in this PR.

PRA-4 Resolve/justify — Source-of-truth workaround extended: mirrored secret patterns instead of upstream fix

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:38
  • Category: architecture
  • Problem: Wrapper comment documents: 'upstream deepagents_code is third-party Python; canonical secret-pattern contract lives at src/lib/security/secret-patterns.ts. Neither is callable from Bash before exec, so this matcher mirrors canonical patterns.' Removal condition: '(a) upstream rejects secret-shaped values, or (b) all invocations route through Node entrypoint importing canonical patterns.' This PR extends the workaround (adds OTLP URL validation to both mirrored layers) rather than fixing the source.
  • Impact: Continued maintenance burden of dual regex implementations (Bash + Python) mirroring TypeScript canonical patterns. Risk of drift from canonical patterns over time.
  • Recommended action: File a tracked issue to implement upstream validation in deepagents_code or migrate to a Node entrypoint that imports canonical patterns directly. In the meantime, the parity test (Finding 1) mitigates drift risk.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read dcode-wrapper.sh lines 38-100 (security comment block) for the documented workaround rationale and removal conditions.
  • Missing regression test: The secret-pattern parity test (test/langchain-deepagents-code-secret-pattern-parity.test.ts) pins canonical TOKEN_PREFIX_PATTERNS/CONTEXT_PATTERNS/SECRET_BLOCK_PATTERNS fingerprints; ensure it runs on every PR and trips when canonical patterns change.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read dcode-wrapper.sh lines 38-100 (security comment block) for the documented workaround rationale and removal conditions.
  • Evidence: Wrapper security comment block lines 38-100 explicitly describes the workaround and removal conditions.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-5 Improvement — Exit code 0 discrepancy on refusal (issue #6466) not reproducible

PRA-6 Improvement — Docs checklist unchecked; --observability docs should note exact OTLP endpoint

  • Location: not file-specific
  • Category: docs
  • Problem: PR checklist shows 'Docs updated for user-facing behavior changes' unchecked. The fix restores documented --observability flow (was broken). No migration needed. Minor: update --observability docs to note OTLP endpoint auto-configures to host.openshell.internal:4318 and user-provided values must match exactly.
  • Impact: Users configuring custom OTLP endpoints may not know the strict allowlist requirement.
  • Suggested action: Update the --observability documentation (likely in docs/ or agent onboarding guides) to state that OTEL_EXPORTER_OTLP_ENDPOINT must be exactly http://host.openshell.internal:4318 or https://host.openshell.internal:4318\[/path\] with no userinfo, query, fragment, or percent-encoding.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search docs/ for 'observability' or 'OTEL_EXPORTER_OTLP_ENDPOINT' to find relevant pages.
  • Missing regression test: N/A - documentation update.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: PR checklist item unchecked; no doc changes in diff.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Add test/langchain-deepagents-code-otlp-parity.test.ts that runs the full accept/refuse matrix (3 accept URLs, 14 reject values, empty, 5 control chars) for both OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_EXPORTER_OTLP_TRACES_ENDPOINT against both the wrapper fixture (makeWrapperFixture + runWrapper) and the direct-module runtime (python -m deepagents_code with PYTHONPATH fixture), asserting identical exit-code/acceptance outcomes for every case.. Strong unit coverage (111 new cases across both test files) for the OTLP accept/refuse contract on both Bash wrapper and Python runtime paths. The gap is a cross-validator parity test: no test feeds a shared corpus to both validators and asserts identical decisions, which is needed to catch dual-maintenance drift (Finding 1).
  • PRA-T2 Acceptance clause — Process should exit non-zero on refusal (exit code 0 was observed by reporter) — add test evidence or identify existing coverage. Wrapper exits 2; PR author could not reproduce exit 0. No code change for this. Discrepancy documented but unresolved.
  • PRA-T3 dcode-wrapper.sh secret guard (mirrored canonical patterns) — test/langchain-deepagents-code-secret-pattern-parity.test.ts pins canonical TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS fingerprints (source + flags). test/langchain-deepagents-code-image-credentials.test.ts feeds shared positive corpus through wrapper. Live no-network acceptance clause covered by test/e2e/e2e-cloud-experimental/checks/08-deepagents-code-secret-boundary.sh.. Wrapper lines 38-100 (security comment block) documents invalid state, source boundary, source-fix constraint, scope, regression, and removal condition.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Source-of-truth review needed: dcode-wrapper.sh secret guard (mirrored canonical patterns)

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: test/langchain-deepagents-code-secret-pattern-parity.test.ts pins canonical TOKEN_PREFIX_PATTERNS, CONTEXT_PATTERNS, SECRET_BLOCK_PATTERNS fingerprints (source + flags). test/langchain-deepagents-code-image-credentials.test.ts feeds shared positive corpus through wrapper. Live no-network acceptance clause covered by test/e2e/e2e-cloud-experimental/checks/08-deepagents-code-secret-boundary.sh.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Wrapper lines 38-100 (security comment block) documents invalid state, source boundary, source-fix constraint, scope, regression, and removal condition.

PRA-2 Resolve/justify — Dual-maintenance validator drift risk between Bash wrapper and Python runtime

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:294
  • Category: security
  • Problem: Both dcode-wrapper.sh (is_safe_otlp_endpoint_url) and managed-dcode-runtime.py (_is_safe_otlp_endpoint_url) implement identical exact-host allowlist logic for OTLP endpoints but share no code. Comments reference fix(dcode): allow plain OTLP endpoint URLs past the secret guard #6538 review for byte-for-byte parity; tests exercise both independently but no parity test feeds a shared corpus to both validators. If one layer updates without the other, an SSRF/policy bypass window opens.
  • Impact: Validator drift could allow malicious OTLP endpoints through one layer while the other rejects, breaking the two-layer defense-in-depth and potentially enabling sandbox escape via SSRF to arbitrary collectors.
  • Recommended action: Add a Vitest that runs the accept/refuse matrix against both the wrapper fixture (via makeWrapperFixture) and the direct-module runtime (via python -m deepagents_code), asserting identical accept/reject decisions for every case.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: grep -n 'is_safe_otlp_endpoint_url\|_is_safe_otlp_endpoint_url' agents/langchain-deepagents-code/dcode-wrapper.sh agents/langchain-deepagents-code/managed-dcode-runtime.py shows two separate implementations with no shared helper.
  • Missing regression test: Add test/langchain-deepagents-code-otlp-parity.test.ts that iterates the 14 reject values + 3 accept values + empty + control chars for both OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_EXPORTER_OTLP_TRACES_ENDPOINT, runs each through both the wrapper and the Python runtime, and asserts identical exit-code/acceptance outcomes.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: grep -n 'is_safe_otlp_endpoint_url\|_is_safe_otlp_endpoint_url' agents/langchain-deepagents-code/dcode-wrapper.sh agents/langchain-deepagents-code/managed-dcode-runtime.py shows two separate implementations with no shared helper.
  • Evidence: Wrapper lines 294-325 (is_safe_otlp_endpoint_url) and runtime lines 257-290 (_is_safe_otlp_endpoint_url) implement near-identical logic independently; both referenced in comments as mirroring each other per fix(dcode): allow plain OTLP endpoint URLs past the secret guard #6538 review.

PRA-3 Resolve/justify — PR #6533 overlap creates conflicting OTLP allowlist on same trust boundary

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:38
  • Category: correctness
  • Problem: Open PR fix(dcode): allow local OTLP endpoint env #6533 'allow local OTLP endpoint env' modifies the same 4 files (dcode-wrapper.sh, managed-dcode-runtime.py, both test files). This PR allows only host.openshell.internal; fix(dcode): allow local OTLP endpoint env #6533 likely allows localhost/configurable. If both merge, validator conflict = broken --observability flow.
  • Impact: Conflicting allowlists would cause one PR's tests to fail after the other merges, and the runtime would have ambiguous/broken OTLP endpoint validation.
  • Recommended action: Coordinate with PR fix(dcode): allow local OTLP endpoint env #6533 author to consolidate into one PR or establish merge order. Decide whether the allowlist is exact-host (host.openshell.internal) or includes localhost, then update both layers and tests once.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: gh pr view 6533 --json files shows same file list: agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, test/langchain-deepagents-code-direct-module-patch.test.ts, test/langchain-deepagents-code-image-credentials.test.ts
  • Missing regression test: After consolidation, ensure the unified accept/refuse matrix covers the final agreed allowlist and is tested on both Bash and Python paths.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: gh pr view 6533 --json files shows same file list: agents/langchain-deepagents-code/dcode-wrapper.sh, agents/langchain-deepagents-code/managed-dcode-runtime.py, test/langchain-deepagents-code-direct-module-patch.test.ts, test/langchain-deepagents-code-image-credentials.test.ts.
  • Evidence: PR fix(dcode): allow local OTLP endpoint env #6533 listed in openPrOverlaps with sameFiles matching all 4 changed files in this PR.

PRA-4 Resolve/justify — Source-of-truth workaround extended: mirrored secret patterns instead of upstream fix

  • Location: agents/langchain-deepagents-code/dcode-wrapper.sh:38
  • Category: architecture
  • Problem: Wrapper comment documents: 'upstream deepagents_code is third-party Python; canonical secret-pattern contract lives at src/lib/security/secret-patterns.ts. Neither is callable from Bash before exec, so this matcher mirrors canonical patterns.' Removal condition: '(a) upstream rejects secret-shaped values, or (b) all invocations route through Node entrypoint importing canonical patterns.' This PR extends the workaround (adds OTLP URL validation to both mirrored layers) rather than fixing the source.
  • Impact: Continued maintenance burden of dual regex implementations (Bash + Python) mirroring TypeScript canonical patterns. Risk of drift from canonical patterns over time.
  • Recommended action: File a tracked issue to implement upstream validation in deepagents_code or migrate to a Node entrypoint that imports canonical patterns directly. In the meantime, the parity test (Finding 1) mitigates drift risk.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read dcode-wrapper.sh lines 38-100 (security comment block) for the documented workaround rationale and removal conditions.
  • Missing regression test: The secret-pattern parity test (test/langchain-deepagents-code-secret-pattern-parity.test.ts) pins canonical TOKEN_PREFIX_PATTERNS/CONTEXT_PATTERNS/SECRET_BLOCK_PATTERNS fingerprints; ensure it runs on every PR and trips when canonical patterns change.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read dcode-wrapper.sh lines 38-100 (security comment block) for the documented workaround rationale and removal conditions.
  • Evidence: Wrapper security comment block lines 38-100 explicitly describes the workaround and removal conditions.

PRA-5 Improvement — Exit code 0 discrepancy on refusal (issue #6466) not reproducible

PRA-6 Improvement — Docs checklist unchecked; --observability docs should note exact OTLP endpoint

  • Location: not file-specific
  • Category: docs
  • Problem: PR checklist shows 'Docs updated for user-facing behavior changes' unchecked. The fix restores documented --observability flow (was broken). No migration needed. Minor: update --observability docs to note OTLP endpoint auto-configures to host.openshell.internal:4318 and user-provided values must match exactly.
  • Impact: Users configuring custom OTLP endpoints may not know the strict allowlist requirement.
  • Suggested action: Update the --observability documentation (likely in docs/ or agent onboarding guides) to state that OTEL_EXPORTER_OTLP_ENDPOINT must be exactly http://host.openshell.internal:4318 or https://host.openshell.internal:4318\[/path\] with no userinfo, query, fragment, or percent-encoding.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search docs/ for 'observability' or 'OTEL_EXPORTER_OTLP_ENDPOINT' to find relevant pages.
  • Missing regression test: N/A - documentation update.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: PR checklist item unchecked; no doc changes in diff.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Add or justify real observability-path regression evidence.
Open items: 0 required · 1 warning · 0 suggestions · 7 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 1 new item found

Action checklist

  • PRA-1 Resolve or justify: Add or justify real observability-path regression evidence
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Acceptance clause
  • PRA-T4 Add or justify test follow-up: Acceptance clause
  • PRA-T5 Add or justify test follow-up: Acceptance clause
  • PRA-T6 Add or justify test follow-up: Acceptance clause
  • PRA-T7 Add or justify test follow-up: Acceptance clause

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify acceptance Add a targeted runtime/integration regression for the documented observability path, or explicitly justify why wrapper/direct-module fixture coverage is the intended acceptance boundary for this PR.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Add or justify real observability-path regression evidence

  • Location: not file-specific
  • Category: acceptance
  • Problem: The changed tests prove the Bash wrapper and Python direct-module secret guards allow the managed OTLP endpoint and reject unsafe endpoint forms, but they do not exercise the original documented `nemoclaw ... --observability` path or prove an OTLP export attempt reaches the managed collector. The linked issue's expected result explicitly includes both startup and trace export.
  • Impact: A future regression in the real sandbox observability handoff, outer `nemoclaw exec` exit propagation, or collector wiring could remain undetected even though the local guard fixtures pass.
  • Recommended action: Add a targeted runtime/integration regression for the documented observability path, or explicitly justify why wrapper/direct-module fixture coverage is the intended acceptance boundary for this PR.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read the changed tests in `test/langchain-deepagents-code-image-credentials.test.ts` and `test/langchain-deepagents-code-direct-module-patch.test.ts`; they use local fixtures/stubs and do not launch a real `nemoclaw`/OpenShell dcode `--observability` sandbox or assert collector receipt/export.
  • Missing regression test: Add a behavior-specific integration test that starts a dcode observability sandbox with `OTEL_EXPORTER_OTLP_ENDPOINT=http://host.openshell.internal:4318\`, asserts startup proceeds past the secret guard, confirms an OTLP export attempt or collector receipt, and includes a negative `http://token&#64;host.openshell.internal:4318\` case that exits non-zero before dcode starts.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read the changed tests in `test/langchain-deepagents-code-image-credentials.test.ts` and `test/langchain-deepagents-code-direct-module-patch.test.ts`; they use local fixtures/stubs and do not launch a real `nemoclaw`/OpenShell dcode `--observability` sandbox or assert collector receipt/export.
  • Evidence: Linked issue [Ubuntu 24.04][Agent&Skills] dcode refuses to start — secret scanner false positive on OTEL_EXPORTER_OTLP_ENDPOINT #6466 expected result says: "`dcode` starts normally and exports OTLP traces to the specified local endpoint." The diff adds fixture tests for accepted/rejected endpoint values, but no changed test invokes the original `nemoclaw ... --observability` command or validates trace export.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Add a targeted integration test that launches the documented dcode `--observability` path with `OTEL_EXPORTER_OTLP_ENDPOINT=http://host.openshell.internal:4318\`, asserts startup proceeds past the secret guard, and confirms an OTLP export attempt or collector receipt.. Unit/fixture coverage is strong for the changed Bash and Python validators, including positive, negative, empty, error, and no-value-echo branches. The remaining gap is runtime acceptance evidence for the original NemoClaw/OpenShell observability path and actual OTLP export behavior.
  • PRA-T2 Runtime validation — In the same runtime boundary, add a negative case for `OTEL_EXPORTER_OTLP_ENDPOINT=http://token&#64;host.openshell.internal:4318\` that asserts non-zero refusal before dcode starts and no rejected value is echoed.. Unit/fixture coverage is strong for the changed Bash and Python validators, including positive, negative, empty, error, and no-value-echo branches. The remaining gap is runtime acceptance evidence for the original NemoClaw/OpenShell observability path and actual OTLP export behavior.
  • PRA-T3 Acceptance clause — Additionally, the process exits with code 0 despite refusing to start. — add test evidence or identify existing coverage. The PR does not change outer `nemoclaw exec` exit propagation. Wrapper tests now assert invalid OTLP endpoint refusals return status 2, but no changed test proves the original outer command's exit behavior.
  • PRA-T4 Acceptance clause — Platform scope: Reproduced on Ubuntu 24.04 only; other platforms not tested — add test evidence or identify existing coverage. The changed tests use local fixtures and do not establish platform-specific behavior. The Bash validator uses `LC_ALL=C`; no platform migration or workflow change is present.
  • PRA-T5 Acceptance clause — Regression: Unknown — earlier versions not tested — add test evidence or identify existing coverage. No historical version comparison is part of the diff; this is informational issue context rather than a directly testable PR acceptance clause.
  • PRA-T6 Acceptance clause — 1. ```bash nemoclaw onboard --agent dcode --name dcode-obs-docs --non-interactive --yes --fresh --observability ``` — add test evidence or identify existing coverage. No changed test runs this onboard command. The code change targets the guard encountered after such a sandbox exists.
  • PRA-T7 Acceptance clause — 2. ```bash nemoclaw dcode-obs-docs exec -- bash -c "export OTEL_EXPORTER_OTLP_ENDPOINT=http://host.openshell.internal:4318; dcode -n 'Reply with the single word traced.'" ``` — add test evidence or identify existing coverage. Fixture tests exercise `dcode-wrapper.sh` and direct Python module startup with this endpoint value, but no changed test runs the full `nemoclaw ... exec` command.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Add or justify real observability-path regression evidence

  • Location: not file-specific
  • Category: acceptance
  • Problem: The changed tests prove the Bash wrapper and Python direct-module secret guards allow the managed OTLP endpoint and reject unsafe endpoint forms, but they do not exercise the original documented `nemoclaw ... --observability` path or prove an OTLP export attempt reaches the managed collector. The linked issue's expected result explicitly includes both startup and trace export.
  • Impact: A future regression in the real sandbox observability handoff, outer `nemoclaw exec` exit propagation, or collector wiring could remain undetected even though the local guard fixtures pass.
  • Recommended action: Add a targeted runtime/integration regression for the documented observability path, or explicitly justify why wrapper/direct-module fixture coverage is the intended acceptance boundary for this PR.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read the changed tests in `test/langchain-deepagents-code-image-credentials.test.ts` and `test/langchain-deepagents-code-direct-module-patch.test.ts`; they use local fixtures/stubs and do not launch a real `nemoclaw`/OpenShell dcode `--observability` sandbox or assert collector receipt/export.
  • Missing regression test: Add a behavior-specific integration test that starts a dcode observability sandbox with `OTEL_EXPORTER_OTLP_ENDPOINT=http://host.openshell.internal:4318\`, asserts startup proceeds past the secret guard, confirms an OTLP export attempt or collector receipt, and includes a negative `http://token&#64;host.openshell.internal:4318\` case that exits non-zero before dcode starts.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read the changed tests in `test/langchain-deepagents-code-image-credentials.test.ts` and `test/langchain-deepagents-code-direct-module-patch.test.ts`; they use local fixtures/stubs and do not launch a real `nemoclaw`/OpenShell dcode `--observability` sandbox or assert collector receipt/export.
  • Evidence: Linked issue [Ubuntu 24.04][Agent&Skills] dcode refuses to start — secret scanner false positive on OTEL_EXPORTER_OTLP_ENDPOINT #6466 expected result says: "`dcode` starts normally and exports OTLP traces to the specified local endpoint." The diff adds fixture tests for accepted/rejected endpoint values, but no changed test invokes the original `nemoclaw ... --observability` command or validates trace export.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

Follow-up to review: an empty OTEL_EXPORTER_OTLP_ENDPOINT= is unset, not
a credential. The managed Python runtime already skips the URL check for
an empty value; make the Bash wrapper consistent at both OTLP endpoint
sites and only scan a non-empty value. Adds an empty-value acceptance
case to the wrapper test.

Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>
Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exact-head security review at 245da0d137 found a merge-blocking fail-open in the new OTLP endpoint exception.

The helpers at agents/langchain-deepagents-code/dcode-wrapper.sh:379-393 and agents/langchain-deepagents-code/managed-dcode-runtime.py:243-257 check only the scheme prefix, a small delimiter set, and literal @; they do not establish one canonical credential-free URL. Full-entry probes are accepted by the direct module, wrapper runtime, and wrapper dotenv paths for percent-encoded known-token query material (?x=sk%2D...), opaque query credentials (?apikey=opaquevalue12345), percent-encoded userinfo-like authorities, hostless http://, semicolon-joined URLs, and ESC controls. Python also accepts VT/FF values that Bash rejects. Literal userinfo and raw ?token= are rejected, but the encoded and parser-differential cases contradict the claimed trust boundary.

The managed runtime later strips these OTLP variables before launching the child, so this review did not confirm credential exfiltration. The classifier is still materially fail-open and its tests currently overstate the assurance.

Please replace the hand-rolled predicate with canonical parsing or a conservative documented-endpoint allowlist. At minimum require a non-empty valid host/port, reject userinfo/query/fragment, reject all C0 controls/DEL/non-ASCII/backslashes/oversized inputs, and apply the secret scan to a safely decoded or normalized representation with Bash/Python parity. Add the adversarial corpus for both endpoint names across runtime, dotenv, and direct-module paths; rejected wrapper cases should exit exactly 2, never run the stub, and never echo the value.

The prior OTLP endpoint predicate checked only a scheme prefix, a small
delimiter set, and literal `@`, so it accepted several credential-bearing
forms: percent-encoded tokens (`?x=sk%2D...`), opaque query credentials
(`?apikey=...`), percent-encoded userinfo, hostless `http://`,
semicolon-joined URLs, and control chars. Bash and Python also disagreed
on VT/FF because the Bash side used `[[:space:]]` while Python spelled out
a narrower set.

Replace both the Bash `is_safe_otlp_endpoint_url` and the Python
`_is_safe_otlp_endpoint_url` with a strict allowlist that accepts only a
bounded `scheme://host[:port][/path]` URL built from an identical ASCII
charset, rejecting userinfo, query, fragment, percent-encoding, C0
controls, DEL, non-ASCII, backslashes, and oversized inputs. The Bash side
runs under `LC_ALL=C` so locale collation cannot fold non-ASCII bytes into
`[A-Za-z0-9]`, keeping byte-for-byte parity with Python. The value-shape
secret scan still runs first, so token material in any accepted field is
still caught.

Adds adversarial accept/reject coverage for both the wrapper and the
managed runtime that would have caught each fail-open case.

Fixes #6466

Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>
@yanyunl1991

Copy link
Copy Markdown
Contributor Author

Thanks for the careful review — you're right, the predicate was fail-open. Replaced the hand-rolled check in both dcode-wrapper.sh (is_safe_otlp_endpoint_url) and managed-dcode-runtime.py (_is_safe_otlp_endpoint_url) with a strict allowlist that accepts only a bounded scheme://host[:port][/path] URL from an identical ASCII charset:

  • Requires a non-empty host and optional numeric port; rejects userinfo, query, and fragment outright (no @, ?, #).
  • Rejects percent-encoding entirely (% is not in the charset), so ?x=sk%2D..., percent-encoded userinfo, and similar encoded material can't slip through — there is nothing to decode, and the value-shape scan still runs first on the raw value.
  • Rejects C0 controls, DEL, non-ASCII, backslashes, whitespace, and oversized inputs (>2048).
  • Rejects hostless http:///http:///path and semicolon-joined authorities.
  • Bash/Python parity: both use the exact same anchored charset, and the Bash side runs under LC_ALL=C so locale collation cannot fold non-ASCII bytes into [A-Za-z0-9] (this was the VT/FF and héllo-host differential). I verified a 24-case adversarial corpus classifies byte-for-byte identically across the two runtimes.

Added adversarial accept/reject coverage that exercises the real wrapper and the real managed runtime for each of the cases you listed (percent-encoded token, opaque query cred, encoded userinfo, hostless, semicolon-joined, fragment, non-ASCII host, oversized). Ready for another look.

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exact-head follow-up at b3739eacd3: the new conservative grammar and adversarial tests do fix the original encoded/query/fragment/userinfo/control fail-open corpus across the Python module and wrapper runtime paths. Thank you.

Three merge-blocking pieces remain:

  1. The prior request required a non-empty valid host/port. The current [A-Za-z0-9.-]+(:[0-9]+)? grammar still accepts malformed authorities such as ., -, a..b, leading/trailing dots or hyphens, invalid IPv4 text, and ports 0, 65536, or arbitrarily large decimal strings. Please validate a real DNS/IPv4 host and a port in the supported range, with identical Bash/Python behavior. If path dot segments are intentionally allowed, document that boundary; otherwise reject them too.
  2. Pin the full wrapper refusal contract in committed tests, not only local probes: exact status 2, stub/ran marker absent, variable name present, and rejected value absent. Cover both endpoint names for runtime and dotenv invalid values, plus dotenv empty values. The exact-head advisor independently flags these as PRA-1/PRA-2.
  3. The “all C0 controls with Bash/Python parity” clause is not yet true for dotenv input: raw NUL is silently dropped by Bash and quoted trailing TAB/VT/FF/CR can be trimmed rather than rejected. Add byte-level dotenv coverage and fail closed before normalization, or narrow and justify the claimed boundary.

Local exact-head evidence: 185 submitted tests pass, and the original adversarial corpus now refuses with status 2 and no value echo. The required ubuntu-repo-cloud-langchain-deepagents-code target is still outstanding; it is reasonable to run that after these code/test items land.

cv and others added 3 commits July 8, 2026 23:59
…ract

Address the exact-head review on the OTLP endpoint exception:

- Host/port: replace the permissive `[A-Za-z0-9.-]+(:[0-9]+)?` grammar with
  an exact-host allowlist of the one collector a managed sandbox can reach
  (`host.openshell.internal`), plus an in-range 1..65535 port and a clean
  path. This refuses malformed hosts (`.`, `-`, `a..b`, `999.999.999.999`),
  subdomain/suffix confusion, and ports `0`/`65536`/oversized by
  construction, with trivial Bash/Python parity (verified byte-for-byte on a
  31-case adversarial corpus). Path dot segments are documented as
  intentional: the path reaches only the exact managed host.
- Dotenv controls: fail closed on any C0 control/DEL carried in the raw
  dotenv value before trim/unquote could silently strip a smuggled trailing
  TAB/VT/FF/ESC/CR. NUL cannot reach the check (Bash drops it), noted in the
  boundary comment.
- Tests: pin the full refusal contract in committed tests — exact status 2,
  variable name present, rejected value absent (no echo), no run — across
  both endpoint names and both the runtime and dotenv paths, plus dotenv
  empty-value acceptance and byte-level control coverage.

Fixes #6466

Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>
…VIDIA/NemoClaw into fix/dcode-otlp-endpoint-secret-fp-6466
@yanyunl1991

Copy link
Copy Markdown
Contributor Author

Thanks — addressed all three:

1. Valid host/port. Rather than hand-roll DNS/IPv4/port validation in two runtimes (a parity hazard), I restricted to the one collector a managed sandbox can actually reach: the observability egress preset opens exactly host.openshell.internal, and the runtime hardcodes it. is_safe_otlp_endpoint_url / _is_safe_otlp_endpoint_url now accept only http(s)://host.openshell.internal[:port][/path], with an exact host compare (so subdomain evil.host.openshell.internal and suffix host.openshell.internal.evil.com are refused), a 1..65535 port with no leading zero (refuses 0, 65536, oversized), and a strict path charset. Malformed authorities (., -, a..b, 999.999.999.999) fall out by construction. Verified a 31-case adversarial corpus classifies byte-for-byte identically in Bash and Python. Path dot segments are intentionally allowed and documented: the path reaches only the exact managed host, so it cannot traverse to another origin.

2. Full refusal contract in committed tests. pins the OTLP endpoint accept/refuse contract on runtime and dotenv paths now asserts exact status 2, variable name present, rejected value absent (no echo), and no stub/ran marker — across both endpoint names and both the runtime and dotenv paths, plus dotenv empty-value acceptance. The Python direct-module suite gets the matching malformed-host/port corpus.

3. Dotenv controls fail closed. The dotenv branch now rejects any C0 control/DEL carried in the raw value before trim/unquote could strip a smuggled trailing TAB/VT/FF/ESC/CR, with byte-level test coverage. NUL cannot reach the check — Bash drops it from the line at read time — which I've noted as an explicit boundary in the comment.

Local: the touched suites pass and the adversarial corpus refuses with status 2 and no value echo. Agreed the ubuntu-repo-cloud-langchain-deepagents-code target is best run after these land.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/langchain-deepagents-code-image-credentials.test.ts (1)

110-111: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Reject-case comments overstate what's exercised.

http://999.999.999.999:4318 and http://héllo:4318 are already rejected by the exact-host allowlist check (host ≠ host.openshell.internal) before any IPv4/non-ASCII-specific validation would run, per the PR's "exact host matching" design. The inline comments ("invalid IPv4", "non-ASCII host") imply these test dedicated format-validation branches, but they're functionally redundant with the "non-managed host" case at Line 101. Not a correctness bug — the security boundary is still verified — but if isolating those specific sub-checks matters, use a value with the correct host and a malformed remainder (e.g., http://host.openshell.internal:999.999.999.999 or non-ASCII path segment).

As per path instructions, "Flag copied production algorithms, broad mocks that bypass the behavior under test, and conditionals that make a test pass without exercising its claim."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/langchain-deepagents-code-image-credentials.test.ts` around lines 110 -
111, The reject-case assertions in the credential URL tests are overstating what
they cover, because `http://999.999.999.999:4318` and `http://héllo:4318` are
rejected earlier by the exact-host allowlist logic in the same test flow. Update
the cases near the existing `host.openshell.internal` checks in
`test/langchain-deepagents-code-image-credentials.test.ts` so they actually
exercise the intended IPv4/non-ASCII validation branch, or remove the misleading
inline labels if you want them to remain generic non-managed-host rejections.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/langchain-deepagents-code-image-credentials.test.ts`:
- Around line 110-111: The reject-case assertions in the credential URL tests
are overstating what they cover, because `http://999.999.999.999:4318` and
`http://héllo:4318` are rejected earlier by the exact-host allowlist logic in
the same test flow. Update the cases near the existing `host.openshell.internal`
checks in `test/langchain-deepagents-code-image-credentials.test.ts` so they
actually exercise the intended IPv4/non-ASCII validation branch, or remove the
misleading inline labels if you want them to remain generic non-managed-host
rejections.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1b911a7e-5e5b-4c69-be7c-4a83dd637a41

📥 Commits

Reviewing files that changed from the base of the PR and between b3739ea and 4909174.

📒 Files selected for processing (4)
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-image-credentials.test.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • agents/langchain-deepagents-code/dcode-wrapper.sh

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29001622636
Workflow ref: fix/dcode-otlp-endpoint-secret-fp-6466
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@cv
cv merged commit 72f2fbb into main Jul 9, 2026
126 checks passed
@cv
cv deleted the fix/dcode-otlp-endpoint-secret-fp-6466 branch July 9, 2026 07:40
@jyaunches jyaunches mentioned this pull request Jul 9, 2026
21 tasks
cv pushed a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- #6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- #6271 and #6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- #6465, #6539, #6570, and #6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- #6523, #6551, #6484, #6488, #6324, and #6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- #6559, #6538, #6560, #6568, #6552, #6567, and #6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- #6541, #5415, #6246, #6496, and #6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- #6253, #6572, #6444, #6536, and #5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- #6508, #6527, #5506, #6588, #6446, #6447, #6582, #6296, #6367, #6397,
and #6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…DIA#6538)

<!-- markdownlint-disable MD041 -->
## Summary
The managed Deep Agents Code secret guard rejected any non-empty
`OTEL_EXPORTER_OTLP_ENDPOINT` / `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT`
value, so a plain collector URL set by the documented `--observability`
flow made `dcode` refuse to start with a false-positive secret error.
This PR treats the OTLP `_ENDPOINT` variables as URLs (accept a clean
bare http(s) URL, still refuse credential-bearing forms) in both the
Bash wrapper and the managed Python runtime.

Closes NVIDIA#6466.

## Reproduction
On a fresh dcode `--observability` sandbox:
```bash
nemoclaw <sandbox> exec -- bash -c "export OTEL_EXPORTER_OTLP_ENDPOINT=http://host.openshell.internal:4318; dcode -n 'Reply with the single word traced.'"
```

**Environment**
- Test machine: our Ubuntu 24.04 x86_64 test host (no GPU)
- Fresh dcode (LangChain Deep Agents Code) `--observability` sandbox;
the guard code on this path is identical to `main`
- Fix built against `main`

**Observed before fix**
```
dcode: refusing to start — runtime environment variable contains a secret-shaped value in OTEL_EXPORTER_OTLP_ENDPOINT.
  Remove it from the environment, or use 'nemoclaw credentials' to register provider keys.
```
(With the Bash refusal removed, the managed Python runtime raised the
same class of error: `runtime environment variable
OTEL_EXPORTER_OTLP_ENDPOINT contains a credential`, confirming two
layers carried the same over-broad rule.)

**Observed after fix**
```
Running task non-interactively...
App: v0.1.34 | Agent: agent (default) | Model: ...
Starting LangGraph server...
✓ Server ready
```
`dcode` now starts and proceeds normally; a credential-bearing endpoint
(e.g. `http://token@host:4318`) is still refused.

**Note on the secondary symptom (exit 0):** the report also states the
process exits `0` on refusal. On our test host the refusal exits `2`
(the wrapper `exit 2`s and `nemoclaw exec` propagates it; verified under
both a pipe and a PTY), so I could not reproduce the exit-`0` behavior
and this PR makes no exit-code change. Happy to look again with a
`strace -f -e trace=exit_group` of the failing command if it still
reproduces.

## Analysis
`has_credential_name_context()` in
`agents/langchain-deepagents-code/dcode-wrapper.sh` listed
`OTEL_EXPORTER_OTLP_ENDPOINT` and `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT`
alongside the `_HEADERS` variants, and `assert_no_secret_runtime_env` /
`assert_no_secret_env_file` refuse any value `>= 10` chars for a
credential-named var. An OTLP endpoint value is always a URL (`>= 10`
chars), so every real endpoint was rejected. The managed Python runtime
`agents/langchain-deepagents-code/managed-dcode-runtime.py` carried the
identical rule via `_CREDENTIAL_ENV_NAMES` in
`_assert_safe_environment()`; the Bash layer refused first, so the
reporter only saw the Bash message. The `_HEADERS` variants legitimately
carry auth material and must stay refused; only the `_ENDPOINT` variants
are plain URLs.

## Fix
Both layers now treat the OTLP `_ENDPOINT` variables as URLs rather than
credential names:
- Removed the two `_ENDPOINT` names from the blanket name-context /
`_CREDENTIAL_ENV_NAMES` refusal (kept `_HEADERS`).
- Added a helper (`is_bare_http_url_without_userinfo` /
`_is_bare_http_url_without_userinfo`) that accepts only a single clean
http(s) URL and refuses a value with embedded userinfo
(`scheme://user:pass@host`) or a structured key-bearing blob
(JSON/quoted/whitespace/comma). This mirrors the existing OpenClaw OTEL
config contract (`... must not include credentials`).
- The value-shape scan (`is_secret_shaped_value` /
`_contains_secret_shape`) still runs first, so token-shaped material
embedded anywhere in the URL is still caught.

Tests lock in that a plain collector URL is accepted (runtime + dotenv +
direct-module) while userinfo URLs and structured key blobs are still
refused; the previous test that asserted a plain URL was rejected is
updated to a credential-bearing value.

## Changes
- `agents/langchain-deepagents-code/dcode-wrapper.sh`: OTLP endpoint URL
carve-out in the runtime-env and .env-file scans.
- `agents/langchain-deepagents-code/managed-dcode-runtime.py`: same
carve-out in `_assert_safe_environment`.
- `test/langchain-deepagents-code-image-credentials.test.ts`: new
accept/refuse coverage for OTLP endpoints.
- `test/langchain-deepagents-code-direct-module-patch.test.ts`: accept
plain endpoint URLs; keep credential-bearing refusal.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Verification

- [x] `npx prek run` passes on the changed files
- [x] `npm test` passes (touched files at minimum)
- [x] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [ ] Docs updated for user-facing behavior changes
- [ ] `make docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the style guide (doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

## AI Disclosure
- [x] AI-assisted — tool: Claude Code

Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved OpenTelemetry OTLP handling for `OTEL_EXPORTER_OTLP_ENDPOINT`
/ `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT`: managed `http://`/`https://`
collector URLs are now accepted.
* Rejected endpoint values with credential-like or unsafe URL forms
(e.g., embedded user info, malformed host/port/path).
* Empty endpoint values are treated as unset, consistently across
runtime-injected variables and `.env` settings; unsafe control
characters in `.env` are now fail-closed.
* **Tests**
* Expanded regression coverage for accepted managed/plain endpoints and
rejected credential-bearing and malformed variants in both runtime and
dotenv modes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- NVIDIA#6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- NVIDIA#6271 and NVIDIA#6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- NVIDIA#6465, NVIDIA#6539, NVIDIA#6570, and NVIDIA#6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- NVIDIA#6523, NVIDIA#6551, NVIDIA#6484, NVIDIA#6488, NVIDIA#6324, and NVIDIA#6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- NVIDIA#6559, NVIDIA#6538, NVIDIA#6560, NVIDIA#6568, NVIDIA#6552, NVIDIA#6567, and NVIDIA#6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- NVIDIA#6541, NVIDIA#5415, NVIDIA#6246, NVIDIA#6496, and NVIDIA#6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- NVIDIA#6253, NVIDIA#6572, NVIDIA#6444, NVIDIA#6536, and NVIDIA#5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- NVIDIA#6508, NVIDIA#6527, NVIDIA#5506, NVIDIA#6588, NVIDIA#6446, NVIDIA#6447, NVIDIA#6582, NVIDIA#6296, NVIDIA#6367, NVIDIA#6397,
and NVIDIA#6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.79 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Ubuntu 24.04][Agent&Skills] dcode refuses to start — secret scanner false positive on OTEL_EXPORTER_OTLP_ENDPOINT

3 participants