Skip to content

fix(dcode): enforce sandbox process and file descriptor limits#6559

Merged
jyaunches merged 14 commits into
mainfrom
fix/6545-dcode-sandbox-resource-limits
Jul 9, 2026
Merged

fix(dcode): enforce sandbox process and file descriptor limits#6559
jyaunches merged 14 commits into
mainfrom
fix/6545-dcode-sandbox-resource-limits

Conversation

@laitingsheng

@laitingsheng laitingsheng commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

The langchain-deepagents-code (dcode) sandbox ran at container default resource limits (unlimited nproc, 1024 nofile) because its image inherited neither the entrypoint hardening nor the system-wide shell hook that the OpenClaw and Hermes sandboxes use. This applies the documented nproc 512 / nofile 65536 caps to dcode, closing a fork-bomb / file-descriptor exposure.

Related Issue

Fixes #6545

Changes

  • Copy scripts/lib/sandbox-rlimits.sh into the Deep Agents Code base image and install the /etc/profile.d/nemoclaw-rlimits.sh (login) and /etc/bash.bashrc (interactive) hooks so openshell sandbox exec and login shells enforce the limits — this closes the reproduced bash -lc gap.
  • Source the shared library and call harden_resource_limits from the dcode entrypoint to harden the non-root PID 1 process tree, matching the OpenClaw and Hermes entrypoints.
  • Extend test/sandbox-rlimit-hooks.test.ts with Deep Agents Code base-image coverage asserting login and interactive shells enforce nproc <= 4096 / nofile <= 65536 and deny raising them.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: the security best-practices docs already state these limits apply to all sandboxes; this change makes dcode match the documented behaviour, so there is no user-facing doc change.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: awaiting maintainer security review (sandbox image + resource limits).
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result: npx vitest run test/sandbox-rlimit-hooks.test.ts test/langchain-deepagents-code-image.test.ts test/langchain-deepagents-code-managed-entrypoints.test.ts -> 58 passed.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result: not applicable; change is scoped to the dcode base image, entrypoint, and one test, and the targeted suites above cover it.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Tinson Lai tinsonl@nvidia.com

Summary by CodeRabbit

  • Bug Fixes
    • Hardened sandbox resource limits for the long-running entrypoint and managed launches, including launcher/entrypoint refuse-to-start behavior when the limits helper is missing.
    • Added system-wide Bash hooks so login and interactive shells attempt verification and emit a clear [SECURITY] warning on failure, while continuing shell execution.
    • Improved keep-alive startup to use a named process for clearer runtime behavior.
  • Documentation
    • Added Deep Agents Resource Limit Enforcement guidance, including fail/warn behavior.
  • Tests
    • Expanded security and integration coverage for helper installation, refuse-to-launch, and RLIMIT contract checks across multiple execution modes (including headless e2e).

The langchain-deepagents-code sandbox shipped without the nproc/nofile
hardening that the OpenClaw and Hermes sandboxes apply. Its image is
built on its own node base, so it inherited neither the entrypoint call
to harden_resource_limits nor the system-wide shell hook that lowers the
limits for connect and login shells, leaving dcode sandboxes at the
container defaults (unlimited nproc, 1024 nofile).

Copy sandbox-rlimits.sh into the Deep Agents Code base image and install
the /etc/profile.d and /etc/bash.bashrc hooks so exec and login shells
enforce nproc 512 / nofile 65536, and harden the entrypoint process tree
as the non-root sandbox user. Add base-image coverage to the rlimit hook
test.

Fixes #6545

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds RLIMIT hardening to the Deep Agents Code image, startup paths, and launcher. Login and interactive shells now verify limits, direct launches refuse missing helpers, and the test suite and docs cover the new hardening and warning behavior.

Changes

Sandbox resource limit hardening

Layer / File(s) Summary
Image hook installation
agents/langchain-deepagents-code/Dockerfile.base, test/sandbox-rlimit-hooks.test.ts
Copies the RLIMIT helper into the image and writes login-shell and interactive-shell hooks that source it, harden limits, and warn on verification failure; tests cover the hook behavior.
Startup and launcher hardening
agents/langchain-deepagents-code/dcode-launcher.sh, agents/langchain-deepagents-code/start.sh, docs/security/best-practices.mdx, test/support/dcode-start-script-fixture.ts, test/langchain-deepagents-code-proxy-launcher.test.ts
The entrypoint and managed launcher locate the helper, hard-fail if it is missing, source it before continuing, and rename the idle tail process; fixture and docs updates track the new contract.
Managed exec and headless validation
test/dcode-managed-exec.test.ts, test/dcode-start-keepalive.test.ts, test/e2e/e2e-cloud-experimental/checks/07-deepagents-code-headless-inference.sh, test/helpers/langchain-deepagents-code-headless.ts, test/langchain-deepagents-code-image.test.ts
Adds RLIMIT-aware fixtures and assertions for startup refusal, hardening markers, process-tree limits, shell limit probes, and direct managed-exec verification across the test suite.

Estimated code review effort: 4 (Complex) | ~45 minutes

Suggested labels: security, platform: ubuntu

Suggested reviewers: cv, ericksoa

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: enforcing sandbox process and file descriptor limits for dcode.
Linked Issues check ✅ Passed The PR implements the linked issue’s requirements by sourcing the rlimits helper, calling harden_resource_limits(), and covering the 512/65536 limits.
Out of Scope Changes check ✅ Passed The documented code, test, and docs changes all support the dcode rlimits fix; no unrelated scope creep is evident.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/6545-dcode-sandbox-resource-limits

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Warn-and-continue RLIMIT exception for OpenShell exec/connect shells lacks tracked removal condition.
Open items: 0 required · 1 warning · 0 suggestions · 4 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 1 new item found

Action checklist

  • PRA-1 Resolve or justify: Warn-and-continue RLIMIT exception for OpenShell exec/connect shells lacks tracked removal condition in agents/langchain-deepagents-code/Dockerfile.base:58
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Warn-and-continue RLIMIT exception for OpenShell exec/connect shells

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify correctness agents/langchain-deepagents-code/Dockerfile.base:58 Add a regression test that fails when the warn-and-continue exception is still present but the removal condition (OpenShell propagating limits to exec/connect or exposing fail-closed contract) has been met. Alternatively, link the exception to a tracked GitHub issue with a milestone and add a test that asserts the exception's presence matches the issue's open state.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Warn-and-continue RLIMIT exception for OpenShell exec/connect shells lacks tracked removal condition

  • Location: agents/langchain-deepagents-code/Dockerfile.base:58
  • Category: correctness
  • Problem: The system-wide profile/bashrc hooks installed in Dockerfile.base emit a warning but allow the shell to continue when RLIMIT hardening fails or the helper is missing. This is documented as a temporary compatibility exception until OpenShell propagates limits to exec/connect processes or exposes a fail-closed contract. However, no regression test, issue link, or automated check ensures this exception is revisited. The exception effectively allows a sandbox shell to run without the documented nproc=512/nofile=65536 contract.
  • Impact: An attacker who gains access to an OpenShell exec or connect shell could operate without process/file-descriptor limits, enabling fork bombs or FD exhaustion within that shell session. The main entrypoint and direct launcher remain fail-closed, but the shell escape path is open.
  • Recommended action: Add a regression test that fails when the warn-and-continue exception is still present but the removal condition (OpenShell propagating limits to exec/connect or exposing fail-closed contract) has been met. Alternatively, link the exception to a tracked GitHub issue with a milestone and add a test that asserts the exception's presence matches the issue's open state.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check agents/langchain-deepagents-code/Dockerfile.base lines 58-78 for the profile.d and bashrc hook installation; verify the comment documents the removal condition. Search for any test or issue reference that would cause this exception to be removed.
  • Missing regression test: A test that asserts the warn-and-continue exception exists only while a specific GitHub issue (tracking OpenShell limit propagation) remains open, or a test that runs against a sandbox with OpenShell's limit propagation enabled and expects the exception to be removed.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check agents/langchain-deepagents-code/Dockerfile.base lines 58-78 for the profile.d and bashrc hook installation; verify the comment documents the removal condition. Search for any test or issue reference that would cause this exception to be removed.
  • Evidence: agents/langchain-deepagents-code/Dockerfile.base:58-78 (profile.d/nemoclaw-rlimits.sh and bashrc hook installation with warn-and-continue)

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `cloud-onboard` E2E job for Installer and platform changes must work on a clean supported host with the pinned runtime dependencies. Matched files: `agents/langchain-deepagents-code/Dockerfile.base`.. Deterministic regression risks require live validation: platform-install. Deterministic regression risks require live validation: platform-install family (Dockerfile.base change) requires cloud-onboard E2E job as validation floor. All new behaviors have comprehensive unit + e2E coverage (14+ new test cases).
  • PRA-T2 Runtime validation — Run the cloud-onboard E2E job for Installer and platform changes must work on a clean supported host with the pinned runtime dependencies. Matched files: agents/langchain-deepagents-code/Dockerfile.base.. Deterministic regression risks require live validation: platform-install. Deterministic regression risks require live validation: platform-install family (Dockerfile.base change) requires cloud-onboard E2E job as validation floor. All new behaviors have comprehensive unit + e2E coverage (14+ new test cases).
  • PRA-T3 Runtime validation — Edge case: Test exact verification behavior when container runtime provides lower nofile default (e.g., 1024) — docs note this fails closed, but no test exercises it.. Deterministic regression risks require live validation: platform-install. Deterministic regression risks require live validation: platform-install family (Dockerfile.base change) requires cloud-onboard E2E job as validation floor. All new behaviors have comprehensive unit + e2E coverage (14+ new test cases).
  • PRA-T4 Warn-and-continue RLIMIT exception for OpenShell exec/connect shells — test/sandbox-rlimit-hooks.test.ts covers the warn-and-continue behavior (expectDcodeRlimitHookWarnsWhenVerificationFails, expectDcodeRlimitHookWarnsWhenHelperIsMissing) but does not assert the exception's removal condition.. agents/langchain-deepagents-code/Dockerfile.base:58-78 (profile.d and bashrc hook installation with warn-and-continue); docs/security/best-practices.mdx:526 (documents removal condition)
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Warn-and-continue RLIMIT exception for OpenShell exec/connect shells lacks tracked removal condition

  • Location: agents/langchain-deepagents-code/Dockerfile.base:58
  • Category: correctness
  • Problem: The system-wide profile/bashrc hooks installed in Dockerfile.base emit a warning but allow the shell to continue when RLIMIT hardening fails or the helper is missing. This is documented as a temporary compatibility exception until OpenShell propagates limits to exec/connect processes or exposes a fail-closed contract. However, no regression test, issue link, or automated check ensures this exception is revisited. The exception effectively allows a sandbox shell to run without the documented nproc=512/nofile=65536 contract.
  • Impact: An attacker who gains access to an OpenShell exec or connect shell could operate without process/file-descriptor limits, enabling fork bombs or FD exhaustion within that shell session. The main entrypoint and direct launcher remain fail-closed, but the shell escape path is open.
  • Recommended action: Add a regression test that fails when the warn-and-continue exception is still present but the removal condition (OpenShell propagating limits to exec/connect or exposing fail-closed contract) has been met. Alternatively, link the exception to a tracked GitHub issue with a milestone and add a test that asserts the exception's presence matches the issue's open state.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check agents/langchain-deepagents-code/Dockerfile.base lines 58-78 for the profile.d and bashrc hook installation; verify the comment documents the removal condition. Search for any test or issue reference that would cause this exception to be removed.
  • Missing regression test: A test that asserts the warn-and-continue exception exists only while a specific GitHub issue (tracking OpenShell limit propagation) remains open, or a test that runs against a sandbox with OpenShell's limit propagation enabled and expects the exception to be removed.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check agents/langchain-deepagents-code/Dockerfile.base lines 58-78 for the profile.d and bashrc hook installation; verify the comment documents the removal condition. Search for any test or issue reference that would cause this exception to be removed.
  • Evidence: agents/langchain-deepagents-code/Dockerfile.base:58-78 (profile.d/nemoclaw-rlimits.sh and bashrc hook installation with warn-and-continue)

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-code-quality

github-code-quality Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 77%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 4df9fc2 a786389 +/-
src/lib/actions...e-validation.ts 90% 81% -9%
src/lib/actions...x/mcp-bridge.ts 44% 35% -9%
src/lib/runner.ts 80% 72% -8%
src/lib/actions...lution-probe.ts 94% 88% -6%
src/lib/inference/config.ts 98% 93% -5%
src/lib/messagi.../persistence.ts 95% 92% -3%
src/lib/credentials/store.ts 61% 59% -2%
src/lib/actions...ridge-policy.ts 64% 62% -2%
src/lib/actions...-add-restart.ts 14% 19% +5%
src/lib/sandbox...rsion-scheme.ts 73% 100% +27%

Updated July 09, 2026 17:11 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

Comment thread agents/langchain-deepagents-code/start.sh Fixed
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: cloud-onboard, sandbox-rlimits-connect
Optional E2E: security-posture

Dispatch hint: cloud-onboard,sandbox-rlimits-connect

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-onboard (high): Deterministic risk plan requires cloud-onboard for the Deep Agents Code base image change. It also runs the cloud experimental Deep Agents checks, including the modified 07-deepagents-code-headless-inference path that validates managed dcode inference, shell/entrypoint RLIMIT enforcement, proxy routing, and credential leak boundaries.
  • sandbox-rlimits-connect (medium): The shared scripts/lib/sandbox-rlimits.sh behavior changed. This explicit RLIMIT live job is the existing coverage for connect/login/interactive shell resource-limit enforcement in rebuilt OpenClaw runtime paths, guarding against regressions outside the Deep Agents Code cloud-onboard path.

Optional E2E

  • security-posture (medium): Useful adjacent confidence for sandbox hardening and security posture after resource-limit and shell-hook changes, though cloud-onboard plus sandbox-rlimits-connect are the required validation floor for this PR.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: cloud-onboard,sandbox-rlimits-connect

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: cloud-onboard
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=cloud-onboard

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • cloud-onboard: Installer and platform changes must work on a clean supported host with the pinned runtime dependencies.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=cloud-onboard

Optional E2E targets

  • None.

Relevant changed files

  • agents/langchain-deepagents-code/Dockerfile.base
  • agents/langchain-deepagents-code/dcode-launcher.sh
  • agents/langchain-deepagents-code/start.sh
  • scripts/lib/sandbox-rlimits.sh
  • test/e2e/e2e-cloud-experimental/checks/07-deepagents-code-headless-inference.sh

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 0 suggestions · 2 test follow-ups

Action checklist

  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `cloud-onboard` E2E job for Installer and platform changes must work on a clean supported host with the pinned runtime dependencies. Matched files: `agents/langchain-deepagents-code/Dockerfile.base`.. Deterministic regression risks require live validation: platform-install. Static/unit/E2E coverage is strong for the changed RLIMIT behavior, including positive, negative, exact-verification, shell-hook, and live acceptance checks. Because `agents/langchain-deepagents-code/Dockerfile.base` changed, the deterministic risk plan still requires clean-host platform-install runtime validation as a floor.
  • PRA-T2 Runtime validation — Run the required `cloud-onboard` E2E job for a clean Deep Agents Code onboard/image build to validate the Dockerfile.base platform-install invariant end-to-end.. Deterministic regression risks require live validation: platform-install. Static/unit/E2E coverage is strong for the changed RLIMIT behavior, including positive, negative, exact-verification, shell-hook, and live acceptance checks. Because `agents/langchain-deepagents-code/Dockerfile.base` changed, the deterministic risk plan still requires clean-host platform-install runtime validation as a floor.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/sandbox-rlimit-hooks.test.ts (1)

370-394: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Test seeds pre-existing bashrc content but never verifies it's preserved.

bashrc is written with "# existing dcode bashrc\n" before running the extracted RUN block, which implies the intent is to confirm the Dockerfile logic prepends the hook rather than clobbering the existing file. However, the only assertions on bashrc (lines 386, 388) check for the new shim content — the sentinel line is never checked. A regression that overwrote /etc/bash.bashrc instead of preserving it would pass this test undetected.

✅ Suggested added assertion
       expect(fs.readFileSync(rlimitHook, "utf-8")).toContain(expectedRlimitShim);
       expect(fs.readFileSync(bashrc, "utf-8")).toContain(expectedRlimitShim);
+      expect(fs.readFileSync(bashrc, "utf-8")).toContain("# existing dcode bashrc");
       expectSystemRlimitHookEnforcesLimits(rlimitHook);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/sandbox-rlimit-hooks.test.ts` around lines 370 - 394, The sandbox RLIMIT
hook test seeds bashrc with existing content but never verifies that content
survives, so a regression that overwrites /etc/bash.bashrc would still pass. In
the test around runLoggedDockerShell and the existing bashrc assertions, add a
check that bashrc still contains the seeded sentinel line after the Docker RUN
block executes, alongside the existing expectedRlimitShim checks, to confirm the
hook prepends without clobbering prior content.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agents/langchain-deepagents-code/start.sh`:
- Around line 38-47: The resource-limits bootstrap in start.sh can fail open
when sandbox-rlimits.sh is not found, so update the _NEMOCLAW_SANDBOX_RLIMITS
lookup path handling to emit a clear diagnostic instead of silently skipping
hardening. Use the existing shell flow around the _NEMOCLAW_SANDBOX_RLIMITS
variable, the fallback path resolution, and the harden_resource_limits call to
add a warning or error when neither location exists, while keeping the current
sourced-helper behavior unchanged when found.

---

Nitpick comments:
In `@test/sandbox-rlimit-hooks.test.ts`:
- Around line 370-394: The sandbox RLIMIT hook test seeds bashrc with existing
content but never verifies that content survives, so a regression that
overwrites /etc/bash.bashrc would still pass. In the test around
runLoggedDockerShell and the existing bashrc assertions, add a check that bashrc
still contains the seeded sentinel line after the Docker RUN block executes,
alongside the existing expectedRlimitShim checks, to confirm the hook prepends
without clobbering prior content.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a8e148c7-373d-40e2-9d21-d7fe1d6d10b0

📥 Commits

Reviewing files that changed from the base of the PR and between 7215882 and 8634166.

📒 Files selected for processing (3)
  • agents/langchain-deepagents-code/Dockerfile.base
  • agents/langchain-deepagents-code/start.sh
  • test/sandbox-rlimit-hooks.test.ts

Comment thread agents/langchain-deepagents-code/start.sh
The rlimit hardening block silently no-opped when sandbox-rlimits.sh
could not be located at either the installed or dev-fallback path,
which would defeat the fork-bomb/fd-exhaustion guard without any way
to notice at runtime. Emit a stderr diagnostic in that branch instead.

Also silence a shellcheck SC2119 false positive on the now-adjacent
harden_resource_limits call: its optional $1 selects quiet mode and is
never meant to forward the entrypoint's own arguments. Assert that the
base-image rlimit hook test's pre-seeded bashrc content survives hook
installation instead of only checking the new shim was appended.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@laitingsheng laitingsheng added NV QA Bugs found by the NVIDIA QA Team area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery bug-fix PR fixes a bug or regression v0.0.79 Release target labels Jul 9, 2026

@cjagwani cjagwani left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Manual security review on exact head ad9c2bda93d73eedac615f7653079bd66e0da386 completed after both automated advisor models failed inside their canonical-ledger tooling.

Nine-category result: no blocking security finding. The three-file diff adds no secret/credential, user-input, auth, dependency, or cryptographic surface; installs the RLIMIT helper as root-owned read-only image content; uses the same system hook pattern as the existing OpenClaw/Hermes images; and improves the sandbox denial-of-service posture. The fixed production helper path is not sandbox-user writable, and the prior CodeRabbit missing-helper diagnostic finding is resolved.

Test evidence: the focused integration suite test/sandbox-rlimit-hooks.test.ts passed 6/6 locally on this exact head, including negative checks that a shell cannot raise the hardened limits. All current standard checks are green and all commits are Verified.

This is not an approval: the E2E advisor requires cloud-onboard and sandbox-rlimits-connect; exact-head dispatch https://github.com/NVIDIA/NemoClaw/actions/runs/29024102565 is still queued/running. Approval remains on hold until that live evidence settles and the merge gate is re-evaluated.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29024102565
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,sandbox-rlimits-connect
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
sandbox-rlimits-connect ✅ success

@jyaunches
jyaunches self-requested a review July 9, 2026 15:32

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/dcode-start-keepalive.test.ts`:
- Around line 100-125: The keepalive test is not hermetic because `spawnSync`
inherits the parent environment, so `PROXY_HOST` may already be set and break
the `proxy_host=__unset__` assertion. Update the `hardens resource limits before
managed proxy startup work` test to pass an explicit child `env` that clears
`PROXY_HOST` before invoking `makeStartFixture`/the spawned script. Keep the
existing ordering assertion intact by validating the output from
`harden_resource_limits` and the `spawnSync` result, but ensure the child
process cannot see ambient proxy configuration.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 679d3ea4-a338-486f-80b7-9d9855a3c741

📥 Commits

Reviewing files that changed from the base of the PR and between ad9c2bd and 3145e01.

📒 Files selected for processing (1)
  • test/dcode-start-keepalive.test.ts

Comment thread test/dcode-start-keepalive.test.ts
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Run cancelled — no signal

Run: 29031545742
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,sandbox-rlimits-connect
Summary: 0 passed, 0 failed, 2 cancelled, 0 skipped

Job Result
cloud-onboard ⚠️ cancelled
sandbox-rlimits-connect ⚠️ cancelled

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
docs/security/best-practices.mdx (1)

517-517: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Numeric formatting inconsistency: "65,536" vs "65536" elsewhere in the same doc.

Rest of this file (and the actual NEMOCLAW_SANDBOX_NOFILE_LIMIT constant) uses the unformatted 65536. The comma here is inconsistent and could confuse readers cross-referencing the constant value.

✏️ Suggested fix
-The managed Deep Agents image applies the 512-process and 65,536-file-descriptor caps to the long-running sandbox entrypoint tree and to direct managed `dcode` launches.
+The managed Deep Agents image applies the 512-process and 65536-file-descriptor caps to the long-running sandbox entrypoint tree and to direct managed `dcode` launches.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security/best-practices.mdx` at line 517, The numeric formatting in the
Deep Agents image description is inconsistent with the rest of the document and
the NEMOCLAW_SANDBOX_NOFILE_LIMIT constant. Update the text in the security
best-practices doc to use 65536 instead of 65,536 so the value matches the
constant and other references.
test/support/dcode-start-script-fixture.ts (1)

23-30: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider extracting the rlimit-stub boilerplate.

The "create temp sandbox-rlimits.sh, replace the hardcoded path, write a stub harden_resource_limits" pattern is repeated near-verbatim in this file, dcode-start-keepalive.test.ts, dcode-managed-exec.test.ts, and langchain-deepagents-code-proxy-launcher.test.ts. Since this file already serves as shared test support, exporting a small helper (e.g. writeRlimitHelperStub(tempDir, content?)) here would let the other three files reuse it and reduce future drift risk if the production path/marker contract changes.

Also applies to: 54-54

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/support/dcode-start-script-fixture.ts` around lines 23 - 30, The
rlimit-stub setup is duplicated across this shared test fixture and the related
tests, so extract it into a reusable helper in dcode-start-script-fixture.ts.
Create a small helper such as writeRlimitHelperStub(tempDir, content?) that
creates the temp sandbox-rlimits.sh path, applies the hardcoded-path
replacement, and writes the harden_resource_limits stub, then update the callers
in dcode-start-keepalive.test.ts, dcode-managed-exec.test.ts, and
langchain-deepagents-code-proxy-launcher.test.ts to use it. Keep the helper
centered around the existing START_SCRIPT replacement logic and the
sandbox-rlimits.sh / harden_resource_limits symbols so the contract stays in one
place.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/security/best-practices.mdx`:
- Line 517: The numeric formatting in the Deep Agents image description is
inconsistent with the rest of the document and the NEMOCLAW_SANDBOX_NOFILE_LIMIT
constant. Update the text in the security best-practices doc to use 65536
instead of 65,536 so the value matches the constant and other references.

In `@test/support/dcode-start-script-fixture.ts`:
- Around line 23-30: The rlimit-stub setup is duplicated across this shared test
fixture and the related tests, so extract it into a reusable helper in
dcode-start-script-fixture.ts. Create a small helper such as
writeRlimitHelperStub(tempDir, content?) that creates the temp
sandbox-rlimits.sh path, applies the hardcoded-path replacement, and writes the
harden_resource_limits stub, then update the callers in
dcode-start-keepalive.test.ts, dcode-managed-exec.test.ts, and
langchain-deepagents-code-proxy-launcher.test.ts to use it. Keep the helper
centered around the existing START_SCRIPT replacement logic and the
sandbox-rlimits.sh / harden_resource_limits symbols so the contract stays in one
place.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 437cf208-594f-42c2-8679-da91547848ec

📥 Commits

Reviewing files that changed from the base of the PR and between 3145e01 and 20ed18d.

📒 Files selected for processing (12)
  • agents/langchain-deepagents-code/Dockerfile.base
  • agents/langchain-deepagents-code/dcode-launcher.sh
  • agents/langchain-deepagents-code/start.sh
  • docs/security/best-practices.mdx
  • test/dcode-managed-exec.test.ts
  • test/dcode-start-keepalive.test.ts
  • test/e2e/e2e-cloud-experimental/checks/07-deepagents-code-headless-inference.sh
  • test/helpers/langchain-deepagents-code-headless.ts
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-proxy-launcher.test.ts
  • test/sandbox-rlimit-hooks.test.ts
  • test/support/dcode-start-script-fixture.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • agents/langchain-deepagents-code/Dockerfile.base

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29031827196
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,sandbox-rlimits-connect
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
sandbox-rlimits-connect ✅ success

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/dcode-managed-exec.test.ts (1)

18-25: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Hoist the shared rlimit helper stub into test/support/

RlimitHelperInstaller and installDefaultRlimitHelper are duplicated in test/dcode-start-keepalive.test.ts. Moving the stub beside test/support/dcode-start-script-fixture.ts would keep the rlimit contract in one place as more dcode tests adopt it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/dcode-managed-exec.test.ts` around lines 18 - 25, Hoist the shared
rlimit helper stub out of test/dcode-managed-exec.test.ts and place it under
test/support/ next to dcode-start-script-fixture so both dcode tests can reuse
one implementation. Move the RlimitHelperInstaller type and
installDefaultRlimitHelper helper into the shared support module, then update
dcode-managed-exec.test.ts and dcode-start-keepalive.test.ts to import and use
that shared stub instead of duplicating it.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/dcode-managed-exec.test.ts`:
- Around line 18-25: Hoist the shared rlimit helper stub out of
test/dcode-managed-exec.test.ts and place it under test/support/ next to
dcode-start-script-fixture so both dcode tests can reuse one implementation.
Move the RlimitHelperInstaller type and installDefaultRlimitHelper helper into
the shared support module, then update dcode-managed-exec.test.ts and
dcode-start-keepalive.test.ts to import and use that shared stub instead of
duplicating it.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bf99e2cb-8599-4199-bcb7-4b3a55adc568

📥 Commits

Reviewing files that changed from the base of the PR and between 20ed18d and 1f58f26.

📒 Files selected for processing (2)
  • test/dcode-managed-exec.test.ts
  • test/dcode-start-keepalive.test.ts

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Comment thread agents/langchain-deepagents-code/dcode-launcher.sh Fixed
Comment thread agents/langchain-deepagents-code/start.sh Fixed
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29032997653
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,sandbox-rlimits-connect
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
sandbox-rlimits-connect ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 29033123705
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
live ❌ failure

Failed jobs: live. Check run artifacts for logs.

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Comment thread test/sandbox-rlimit-hooks.test.ts Fixed
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29034150550
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,sandbox-rlimits-connect
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
sandbox-rlimits-connect ✅ success

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29034691714
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: ubuntu-repo-cloud-langchain-deepagents-code
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

Comment thread test/sandbox-rlimit-hooks.test.ts Fixed
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29035016146
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,sandbox-rlimits-connect
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
sandbox-rlimits-connect ✅ success

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29035532119
Workflow ref: fix/6545-dcode-sandbox-resource-limits
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,sandbox-rlimits-connect
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
sandbox-rlimits-connect ✅ success

@cjagwani

cjagwani commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Maintainer resolution for the exact head a7863895ff58df7177b5ff8e71d72089efb8a1f3:

  • PRA-1 / PRA-T1 / PRA-T2 / PRA-T4: satisfied by exact-head E2E 29035532119. Both cloud-onboard and sandbox-rlimits-connect passed. The DCode live checks require the entrypoint, login/connect shells, and direct launcher to expose soft+hard nproc=512 and nofile=65536, and verify the limits cannot be raised.
  • PRA-2 (overlap): feat(performance): add progressive disclosure tests and compositional routing acceptance #6341 and fix(dcode): preserve state across policy reloads #6503 are both drafts; fix(dcode): preserve state across policy reloads #6503 is also currently conflicting. This security fix is intentionally sequenced first. Those draft branches must rebase after it lands and preserve the exact-limit calls plus their regression tests. No production overlap is being accepted concurrently.
  • PRA-3 / PRA-T3 / PRA-T5: defer the proposed deliberately-lower runtime integration variant. Fail-closed ordering is already covered by negative entrypoint/launcher fixtures before proxy or user code, exact helper tests cover lower effective values, and the live jobs cover the supported production defaults. A 256:256 container is an intentionally incompatible runtime configuration, not a supported successful mode.
  • PRA-4: accept the small loader duplication as deliberate YAGNI. Entry point and direct launcher are separate trust boundaries and must remain independently executable; both branches are covered. A third loader file would add another image artifact/integrity boundary without changing behavior.
  • Security scanning: CodeQL alerts Non-interactive onboard fails with sk-* keys from Inference Hub #1380 and fix: use current Brev create flags #1383 are fixed on this head. All nine probes now read trusted scripts through sh/bash -s and keep dynamic paths as quoted positional data; the regression includes a literal command-substitution path.

The independent nine-category security review passed, the docs writer confirmed the exact DCode contract, and all commits are signed off and GitHub Verified. No merge was performed.

@cjagwani cjagwani left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved exact head a7863895ff58df7177b5ff8e71d72089efb8a1f3 after maintainer salvage and fresh evidence.

  • All 43 standard checks are green; DCO is present and all 14 commits are GitHub Verified.
  • Exact-head E2E 29035532119 passed cloud-onboard and sandbox-rlimits-connect, including exact soft+hard nproc=512 / nofile=65536 across the DCode entrypoint, shell, and direct-launch paths.
  • GPT exact-head rerun is merge_as_is with zero required items, warnings, or suggestions.
  • CodeQL #1380/#1383 are fixed, CodeRabbit is green, no unresolved threads remain, and the independent nine-category security review passed.
  • Documentation now describes exact verification plus fail-closed entrypoint/launcher behavior; the docs writer confirmed the final test-only hardening needs no further docs.

Nemotron has zero required fixes and one lifecycle-tracking warning for the warn-and-continue profile-hook compatibility path. I accept that warning for this PR: normal exact hardening is proven live; the entrypoint and direct managed launcher fail closed; source and user docs state the precise removal condition; and unit tests intentionally pin both warning cases, so a future OpenShell propagation/fail-closed contract change requires an explicit code-and-test update. The shell exception remains operator-visible and does not weaken the managed launch boundary.

Both overlapping DCode PRs (#6341 and #6503) are drafts, and #6503 is conflicting; they must rebase after this security fix and preserve these controls/tests.

No merge performed.

@jyaunches
jyaunches merged commit e2777f8 into main Jul 9, 2026
123 checks passed
@jyaunches
jyaunches deleted the fix/6545-dcode-sandbox-resource-limits branch July 9, 2026 17:16
cv added a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Adds explicit #6194 regression coverage for the OpenClaw terminal TUI
timeout-after-connected-idle failure mode. The existing live correlation
target drives the real OpenClaw TUI after connected idle, verifies chat
and /nemoclaw status, and confirms a bounded clean exit. It then
separately drives the supported host-side OpenShell terminal UI and a
direct sandbox curl to prove deterministic network-rule approval without
using assistant prose as an oracle. After the UI acknowledges the
approval, the target retries the exact documented Atlassian probe and
requires its unauthenticated HTTP 401 response to prove that the running
policy was actually updated.

The historical report used NemoClaw v0.0.72. This target guards the
current branch against the same post-idle regression instead of
reinstalling that known-bad release, and reuses the existing #2603/#3145
provisioned sandbox to avoid a second long cloud setup.

## Related Issue

Refs #6194 — current-branch regression guard for the supported OpenClaw
TUI and OpenShell approval surfaces.

## Changes

- Add a dedicated Expect flow for chat, status, and a bounded two-step
Ctrl+C exit after connected idle.
- Pin the host-side OpenShell Expect PTY to xterm-256color at 40x120,
bind every multi-pattern wait to its intended spawn, and keep failure
cleanup nonblocking.
- Add a separate OpenShell terminal approval phase with an argv-bounded
direct curl, empty-pending-queue preflight, exact sandbox/host/binary
checks, and supported approval action.
- Match stable sandbox-detail labels and strip OpenShell SGR styling
before parsing CLI rule evidence.
- Use the fixed Atlassian URL as the deny-by-default pending-rule
trigger, then retry that exact full URL after approval and require the
documented unauthenticated HTTP 401 success signal.
- Parse the policy revision from the approval acknowledgement and
bounded-poll its read-only status until that exact revision is loaded
and active before retrying the request.
- Publish a separate post-approval capture plus structured endpoint,
expected-status, observed-status, and running-policy marker fields
before assertions.
- Declare all three combined live boundaries explicitly: OpenClaw
websocket correlation, OpenClaw post-idle terminal input, and OpenShell
network-rule terminal approval.
- Extend openclaw-tui-chat-correlation so the new flow reuses its
provisioned cloud sandbox.
- Add fast e2e-support contracts for marker ordering, complete boundary
metadata, secret redaction, trusted host-command use, spawn binding,
ANSI normalization, the two-step exit, fail-closed capture diagnostics,
and post-approval policy proof ordering.
- Precreate terminal captures, publish structured missing/empty/marker
diagnostics before assertions, and redact raw captures before writing
artifacts.
- Install the single allowlisted expect host dependency in the selected
live job, with a pinned workflow-boundary regression contract.
- Remove unrelated config-dispatch and auto-pair test changes during
maintainer salvage.

## Original Author Credit

@chengjiew authored the #6194 reproduction design and implementation.
The maintainer synchronization and scope-cleanup commits preserve that
work; the scope-cleanup commit also records Chengjie Wang as co-author.

## Maintainer Gate Disposition

- The combined target is deliberate. The existing correlation target
already provisions the real cloud sandbox, gateway, hosted inference
route, and OpenClaw runtime needed by all three boundaries. Running the
#6194 phases sequentially against that one sandbox avoids a second
expensive onboard and avoids cross-run state variance. Diagnostics
remain isolated by boundary: the OpenClaw TUI and OpenShell approval
phases have separate Expect scripts, spawn IDs, exit-code ranges,
structured result JSON, raw/plain captures, and shell result artifacts.
A failure identifies its owning phase and marker instead of collapsing
into one transcript.
- The fast contract tests inspect the generated Tcl because several
safety invariants are source boundaries that one successful PTY run
cannot prove: every multi-pattern wait must bind to the intended spawn,
host commands must retain exact argv boundaries, markers and timeouts
must remain ordered, cleanup must stay nonblocking, pending-rule
evidence must match the exact sandbox/endpoint/binary, assistant prose
must not become an approval oracle, the exact post-approval retry must
follow the UI acknowledgement, and redaction/diagnostic artifacts must
precede assertions. These are focused mutation guards for concrete
failures encountered while stabilizing the live path. The exact live job
supplies the complementary behavior proof.
- Exact-head run
[29034353469](https://github.com/NVIDIA/NemoClaw/actions/runs/29034353469)
proved the new fail-closed check by rejecting an immediate HTTP 000
retry after approval. Follow-up run
[29035248442](https://github.com/NVIDIA/NemoClaw/actions/runs/29035248442)
proved the read-only synchronization path and no-curl-before-loaded
invariant: cloud-onboard passed, while all captured policy samples still
showed acknowledged revision 4 pending with active revision 3, so the
final curl did not run. Behavior-tested head
d1ea65a uses OpenShell's supported
60-second policy-load deadline. Run
[29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193)
passed both required jobs on that head. Its audited OpenClaw artifact
reports acknowledged revision 4 loaded and active on polling attempt 10,
then exactly one retry of the documented Atlassian endpoint returning
HTTP 401, with `policyUpdated: true` and successful cleanup. The
independently audited cloud-onboard artifact installs that exact SHA on
a clean hosted runner, exits 0 after deployment verification reports a
healthy gateway and dashboard, and verifies cleanup. Artifact digests:
`sha256:c7138daffb9c38133c824e3061efd4d6e9dc5021320d7479ab8c2451826dd9fd`
(OpenClaw) and
`sha256:4226b386b9150dd50486eaab7025030c61d17d9d316448a069fe3b6e217e27d7`
(cloud-onboard). Current head aff5821
is a GitHub-Verified merge-only commit of d1ea65a and current main
e2777f8 (#6559): all six PR files retain identical Git blobs, and the
only added main changes are the already-merged DCode resource-limit
work. The [merge
audit](#6296 (comment))
records why the prior cloud/TUI evidence remains behaviorally applicable
while fresh ordinary CI and advisors run on aff5821.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: test-only regression
coverage; no user-facing behavior changed.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — test/workflow-only change; maintainer review verified the
host-side OpenShell approval boundary, transcript isolation, and
fail-closed artifact contracts.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] Required live E2E behavior evidence with merge-only reuse audit —
[run
29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193)
passed cloud-onboard and openclaw-tui-chat-correlation on
d1ea65a; audited artifacts prove
clean-host install/deployment, revision 4 loaded and active before the
exact Atlassian retry returned HTTP 401, and successful cleanup. Current
head aff5821 changes none of those PR
files and only merges current main's already-landed #6559 DCode work;
see the linked merge audit above.
- [x] Current-head phase attribution and post-approval contracts —
focused 11/11 and full e2e-support 869/869 passed.
- [x] PR description includes DCO declarations and every commit is
GitHub Verified
- [x] Normal pre-commit, commit-msg, and pre-push hooks passed on the
salvaged head
- [x] Focused final TUI PTY, metadata, capture-diagnostic, and
post-approval contract — 11/11 passed
- [x] Full e2e-support suite — 869/869 passed on the current head
- [x] npm run build:cli — passed
- [x] cd nemoclaw && npm run build — passed
- [x] Quality Gates section completed with required justifications
- [x] No secrets, API keys, or credentials committed
- [ ] npm run docs builds without warnings (doc changes only)
- [ ] Doc pages follow the style guide (doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>

---------

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
@jyaunches jyaunches mentioned this pull request Jul 9, 2026
21 tasks
cv pushed a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- #6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- #6271 and #6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- #6465, #6539, #6570, and #6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- #6523, #6551, #6484, #6488, #6324, and #6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- #6559, #6538, #6560, #6568, #6552, #6567, and #6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- #6541, #5415, #6246, #6496, and #6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- #6253, #6572, #6444, #6536, and #5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- #6508, #6527, #5506, #6588, #6446, #6447, #6582, #6296, #6367, #6397,
and #6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…A#6559)

## Summary

The `langchain-deepagents-code` (dcode) sandbox ran at container default
resource limits (unlimited nproc, 1024 nofile) because its image
inherited neither the entrypoint hardening nor the system-wide shell
hook that the OpenClaw and Hermes sandboxes use. This applies the
documented nproc 512 / nofile 65536 caps to dcode, closing a fork-bomb /
file-descriptor exposure.

## Related Issue

Fixes NVIDIA#6545

## Changes

- Copy `scripts/lib/sandbox-rlimits.sh` into the Deep Agents Code base
image and install the `/etc/profile.d/nemoclaw-rlimits.sh` (login) and
`/etc/bash.bashrc` (interactive) hooks so `openshell sandbox exec` and
login shells enforce the limits — this closes the reproduced `bash -lc`
gap.
- Source the shared library and call `harden_resource_limits` from the
dcode entrypoint to harden the non-root PID 1 process tree, matching the
OpenClaw and Hermes entrypoints.
- Extend `test/sandbox-rlimit-hooks.test.ts` with Deep Agents Code
base-image coverage asserting login and interactive shells enforce
`nproc <= 4096` / `nofile <= 65536` and deny raising them.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: the security best-practices
docs already state these limits apply to all sandboxes; this change
makes dcode match the documented behaviour, so there is no user-facing
doc change.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: awaiting maintainer
security review (sandbox image + resource limits).
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result: `npx vitest run
test/sandbox-rlimit-hooks.test.ts
test/langchain-deepagents-code-image.test.ts
test/langchain-deepagents-code-managed-entrypoints.test.ts` -> 58
passed.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not applicable; change is
scoped to the dcode base image, entrypoint, and one test, and the
targeted suites above cover it.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Hardened sandbox resource limits for the long-running entrypoint and
managed launches, including launcher/entrypoint refuse-to-start behavior
when the limits helper is missing.
* Added system-wide Bash hooks so login and interactive shells attempt
verification and emit a clear `[SECURITY]` warning on failure, while
continuing shell execution.
* Improved keep-alive startup to use a named process for clearer runtime
behavior.
* **Documentation**
* Added Deep Agents Resource Limit Enforcement guidance, including
fail/warn behavior.
* **Tests**
* Expanded security and integration coverage for helper installation,
refuse-to-launch, and RLIMIT contract checks across multiple execution
modes (including headless e2e).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Adds explicit NVIDIA#6194 regression coverage for the OpenClaw terminal TUI
timeout-after-connected-idle failure mode. The existing live correlation
target drives the real OpenClaw TUI after connected idle, verifies chat
and /nemoclaw status, and confirms a bounded clean exit. It then
separately drives the supported host-side OpenShell terminal UI and a
direct sandbox curl to prove deterministic network-rule approval without
using assistant prose as an oracle. After the UI acknowledges the
approval, the target retries the exact documented Atlassian probe and
requires its unauthenticated HTTP 401 response to prove that the running
policy was actually updated.

The historical report used NemoClaw v0.0.72. This target guards the
current branch against the same post-idle regression instead of
reinstalling that known-bad release, and reuses the existing NVIDIA#2603/NVIDIA#3145
provisioned sandbox to avoid a second long cloud setup.

## Related Issue

Refs NVIDIA#6194 — current-branch regression guard for the supported OpenClaw
TUI and OpenShell approval surfaces.

## Changes

- Add a dedicated Expect flow for chat, status, and a bounded two-step
Ctrl+C exit after connected idle.
- Pin the host-side OpenShell Expect PTY to xterm-256color at 40x120,
bind every multi-pattern wait to its intended spawn, and keep failure
cleanup nonblocking.
- Add a separate OpenShell terminal approval phase with an argv-bounded
direct curl, empty-pending-queue preflight, exact sandbox/host/binary
checks, and supported approval action.
- Match stable sandbox-detail labels and strip OpenShell SGR styling
before parsing CLI rule evidence.
- Use the fixed Atlassian URL as the deny-by-default pending-rule
trigger, then retry that exact full URL after approval and require the
documented unauthenticated HTTP 401 success signal.
- Parse the policy revision from the approval acknowledgement and
bounded-poll its read-only status until that exact revision is loaded
and active before retrying the request.
- Publish a separate post-approval capture plus structured endpoint,
expected-status, observed-status, and running-policy marker fields
before assertions.
- Declare all three combined live boundaries explicitly: OpenClaw
websocket correlation, OpenClaw post-idle terminal input, and OpenShell
network-rule terminal approval.
- Extend openclaw-tui-chat-correlation so the new flow reuses its
provisioned cloud sandbox.
- Add fast e2e-support contracts for marker ordering, complete boundary
metadata, secret redaction, trusted host-command use, spawn binding,
ANSI normalization, the two-step exit, fail-closed capture diagnostics,
and post-approval policy proof ordering.
- Precreate terminal captures, publish structured missing/empty/marker
diagnostics before assertions, and redact raw captures before writing
artifacts.
- Install the single allowlisted expect host dependency in the selected
live job, with a pinned workflow-boundary regression contract.
- Remove unrelated config-dispatch and auto-pair test changes during
maintainer salvage.

## Original Author Credit

@chengjiew authored the NVIDIA#6194 reproduction design and implementation.
The maintainer synchronization and scope-cleanup commits preserve that
work; the scope-cleanup commit also records Chengjie Wang as co-author.

## Maintainer Gate Disposition

- The combined target is deliberate. The existing correlation target
already provisions the real cloud sandbox, gateway, hosted inference
route, and OpenClaw runtime needed by all three boundaries. Running the
NVIDIA#6194 phases sequentially against that one sandbox avoids a second
expensive onboard and avoids cross-run state variance. Diagnostics
remain isolated by boundary: the OpenClaw TUI and OpenShell approval
phases have separate Expect scripts, spawn IDs, exit-code ranges,
structured result JSON, raw/plain captures, and shell result artifacts.
A failure identifies its owning phase and marker instead of collapsing
into one transcript.
- The fast contract tests inspect the generated Tcl because several
safety invariants are source boundaries that one successful PTY run
cannot prove: every multi-pattern wait must bind to the intended spawn,
host commands must retain exact argv boundaries, markers and timeouts
must remain ordered, cleanup must stay nonblocking, pending-rule
evidence must match the exact sandbox/endpoint/binary, assistant prose
must not become an approval oracle, the exact post-approval retry must
follow the UI acknowledgement, and redaction/diagnostic artifacts must
precede assertions. These are focused mutation guards for concrete
failures encountered while stabilizing the live path. The exact live job
supplies the complementary behavior proof.
- Exact-head run
[29034353469](https://github.com/NVIDIA/NemoClaw/actions/runs/29034353469)
proved the new fail-closed check by rejecting an immediate HTTP 000
retry after approval. Follow-up run
[29035248442](https://github.com/NVIDIA/NemoClaw/actions/runs/29035248442)
proved the read-only synchronization path and no-curl-before-loaded
invariant: cloud-onboard passed, while all captured policy samples still
showed acknowledged revision 4 pending with active revision 3, so the
final curl did not run. Behavior-tested head
d1ea65a uses OpenShell's supported
60-second policy-load deadline. Run
[29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193)
passed both required jobs on that head. Its audited OpenClaw artifact
reports acknowledged revision 4 loaded and active on polling attempt 10,
then exactly one retry of the documented Atlassian endpoint returning
HTTP 401, with `policyUpdated: true` and successful cleanup. The
independently audited cloud-onboard artifact installs that exact SHA on
a clean hosted runner, exits 0 after deployment verification reports a
healthy gateway and dashboard, and verifies cleanup. Artifact digests:
`sha256:c7138daffb9c38133c824e3061efd4d6e9dc5021320d7479ab8c2451826dd9fd`
(OpenClaw) and
`sha256:4226b386b9150dd50486eaab7025030c61d17d9d316448a069fe3b6e217e27d7`
(cloud-onboard). Current head aff5821
is a GitHub-Verified merge-only commit of d1ea65a and current main
e2777f8 (NVIDIA#6559): all six PR files retain identical Git blobs, and the
only added main changes are the already-merged DCode resource-limit
work. The [merge
audit](NVIDIA#6296 (comment))
records why the prior cloud/TUI evidence remains behaviorally applicable
while fresh ordinary CI and advisors run on aff5821.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: test-only regression
coverage; no user-facing behavior changed.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — test/workflow-only change; maintainer review verified the
host-side OpenShell approval boundary, transcript isolation, and
fail-closed artifact contracts.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] Required live E2E behavior evidence with merge-only reuse audit —
[run
29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193)
passed cloud-onboard and openclaw-tui-chat-correlation on
d1ea65a; audited artifacts prove
clean-host install/deployment, revision 4 loaded and active before the
exact Atlassian retry returned HTTP 401, and successful cleanup. Current
head aff5821 changes none of those PR
files and only merges current main's already-landed NVIDIA#6559 DCode work;
see the linked merge audit above.
- [x] Current-head phase attribution and post-approval contracts —
focused 11/11 and full e2e-support 869/869 passed.
- [x] PR description includes DCO declarations and every commit is
GitHub Verified
- [x] Normal pre-commit, commit-msg, and pre-push hooks passed on the
salvaged head
- [x] Focused final TUI PTY, metadata, capture-diagnostic, and
post-approval contract — 11/11 passed
- [x] Full e2e-support suite — 869/869 passed on the current head
- [x] npm run build:cli — passed
- [x] cd nemoclaw && npm run build — passed
- [x] Quality Gates section completed with required justifications
- [x] No secrets, API keys, or credentials committed
- [ ] npm run docs builds without warnings (doc changes only)
- [ ] Doc pages follow the style guide (doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>

---------

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- NVIDIA#6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- NVIDIA#6271 and NVIDIA#6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- NVIDIA#6465, NVIDIA#6539, NVIDIA#6570, and NVIDIA#6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- NVIDIA#6523, NVIDIA#6551, NVIDIA#6484, NVIDIA#6488, NVIDIA#6324, and NVIDIA#6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- NVIDIA#6559, NVIDIA#6538, NVIDIA#6560, NVIDIA#6568, NVIDIA#6552, NVIDIA#6567, and NVIDIA#6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- NVIDIA#6541, NVIDIA#5415, NVIDIA#6246, NVIDIA#6496, and NVIDIA#6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- NVIDIA#6253, NVIDIA#6572, NVIDIA#6444, NVIDIA#6536, and NVIDIA#5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- NVIDIA#6508, NVIDIA#6527, NVIDIA#5506, NVIDIA#6588, NVIDIA#6446, NVIDIA#6447, NVIDIA#6582, NVIDIA#6296, NVIDIA#6367, NVIDIA#6397,
and NVIDIA#6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery bug-fix PR fixes a bug or regression NV QA Bugs found by the NVIDIA QA Team v0.0.79 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Ubuntu 24.04][Security] langchain-deepagents-code sandbox does not apply process and file descriptor resource limits

4 participants