fix(dcode): enforce sandbox process and file descriptor limits#6559
Conversation
The langchain-deepagents-code sandbox shipped without the nproc/nofile hardening that the OpenClaw and Hermes sandboxes apply. Its image is built on its own node base, so it inherited neither the entrypoint call to harden_resource_limits nor the system-wide shell hook that lowers the limits for connect and login shells, leaving dcode sandboxes at the container defaults (unlimited nproc, 1024 nofile). Copy sandbox-rlimits.sh into the Deep Agents Code base image and install the /etc/profile.d and /etc/bash.bashrc hooks so exec and login shells enforce nproc 512 / nofile 65536, and harden the entrypoint process tree as the non-root sandbox user. Add base-image coverage to the rlimit hook test. Fixes #6545 Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds RLIMIT hardening to the Deep Agents Code image, startup paths, and launcher. Login and interactive shells now verify limits, direct launches refuse missing helpers, and the test suite and docs cover the new hardening and warning behavior. ChangesSandbox resource limit hardening
Estimated code review effort: 4 (Complex) | ~45 minutes Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements
|
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 77%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings Action checklist
Test follow-ups to resolve or justifyIf these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.
This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision. |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
test/sandbox-rlimit-hooks.test.ts (1)
370-394: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winTest seeds pre-existing bashrc content but never verifies it's preserved.
bashrcis written with"# existing dcode bashrc\n"before running the extracted RUN block, which implies the intent is to confirm the Dockerfile logic prepends the hook rather than clobbering the existing file. However, the only assertions onbashrc(lines 386, 388) check for the new shim content — the sentinel line is never checked. A regression that overwrote/etc/bash.bashrcinstead of preserving it would pass this test undetected.✅ Suggested added assertion
expect(fs.readFileSync(rlimitHook, "utf-8")).toContain(expectedRlimitShim); expect(fs.readFileSync(bashrc, "utf-8")).toContain(expectedRlimitShim); + expect(fs.readFileSync(bashrc, "utf-8")).toContain("# existing dcode bashrc"); expectSystemRlimitHookEnforcesLimits(rlimitHook);🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/sandbox-rlimit-hooks.test.ts` around lines 370 - 394, The sandbox RLIMIT hook test seeds bashrc with existing content but never verifies that content survives, so a regression that overwrites /etc/bash.bashrc would still pass. In the test around runLoggedDockerShell and the existing bashrc assertions, add a check that bashrc still contains the seeded sentinel line after the Docker RUN block executes, alongside the existing expectedRlimitShim checks, to confirm the hook prepends without clobbering prior content.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@agents/langchain-deepagents-code/start.sh`:
- Around line 38-47: The resource-limits bootstrap in start.sh can fail open
when sandbox-rlimits.sh is not found, so update the _NEMOCLAW_SANDBOX_RLIMITS
lookup path handling to emit a clear diagnostic instead of silently skipping
hardening. Use the existing shell flow around the _NEMOCLAW_SANDBOX_RLIMITS
variable, the fallback path resolution, and the harden_resource_limits call to
add a warning or error when neither location exists, while keeping the current
sourced-helper behavior unchanged when found.
---
Nitpick comments:
In `@test/sandbox-rlimit-hooks.test.ts`:
- Around line 370-394: The sandbox RLIMIT hook test seeds bashrc with existing
content but never verifies that content survives, so a regression that
overwrites /etc/bash.bashrc would still pass. In the test around
runLoggedDockerShell and the existing bashrc assertions, add a check that bashrc
still contains the seeded sentinel line after the Docker RUN block executes,
alongside the existing expectedRlimitShim checks, to confirm the hook prepends
without clobbering prior content.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: a8e148c7-373d-40e2-9d21-d7fe1d6d10b0
📒 Files selected for processing (3)
agents/langchain-deepagents-code/Dockerfile.baseagents/langchain-deepagents-code/start.shtest/sandbox-rlimit-hooks.test.ts
The rlimit hardening block silently no-opped when sandbox-rlimits.sh could not be located at either the installed or dev-fallback path, which would defeat the fork-bomb/fd-exhaustion guard without any way to notice at runtime. Emit a stderr diagnostic in that branch instead. Also silence a shellcheck SC2119 false positive on the now-adjacent harden_resource_limits call: its optional $1 selects quiet mode and is never meant to forward the entrypoint's own arguments. Assert that the base-image rlimit hook test's pre-seeded bashrc content survives hook installation instead of only checking the new shim was appended. Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
…x-resource-limits
cjagwani
left a comment
There was a problem hiding this comment.
Manual security review on exact head ad9c2bda93d73eedac615f7653079bd66e0da386 completed after both automated advisor models failed inside their canonical-ledger tooling.
Nine-category result: no blocking security finding. The three-file diff adds no secret/credential, user-input, auth, dependency, or cryptographic surface; installs the RLIMIT helper as root-owned read-only image content; uses the same system hook pattern as the existing OpenClaw/Hermes images; and improves the sandbox denial-of-service posture. The fixed production helper path is not sandbox-user writable, and the prior CodeRabbit missing-helper diagnostic finding is resolved.
Test evidence: the focused integration suite test/sandbox-rlimit-hooks.test.ts passed 6/6 locally on this exact head, including negative checks that a shell cannot raise the hardened limits. All current standard checks are green and all commits are Verified.
This is not an approval: the E2E advisor requires cloud-onboard and sandbox-rlimits-connect; exact-head dispatch https://github.com/NVIDIA/NemoClaw/actions/runs/29024102565 is still queued/running. Approval remains on hold until that live evidence settles and the merge gate is re-evaluated.
E2E Target Results — ✅ All requested jobs passedRun: 29024102565
|
…x-resource-limits
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/dcode-start-keepalive.test.ts`:
- Around line 100-125: The keepalive test is not hermetic because `spawnSync`
inherits the parent environment, so `PROXY_HOST` may already be set and break
the `proxy_host=__unset__` assertion. Update the `hardens resource limits before
managed proxy startup work` test to pass an explicit child `env` that clears
`PROXY_HOST` before invoking `makeStartFixture`/the spawned script. Keep the
existing ordering assertion intact by validating the output from
`harden_resource_limits` and the `spawnSync` result, but ensure the child
process cannot see ambient proxy configuration.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 679d3ea4-a338-486f-80b7-9d9855a3c741
📒 Files selected for processing (1)
test/dcode-start-keepalive.test.ts
|
🌿 Preview your docs: https://nvidia-preview-pr-6559.docs.buildwithfern.com/nemoclaw |
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results —
|
| Job | Result |
|---|---|
| cloud-onboard | |
| sandbox-rlimits-connect |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
docs/security/best-practices.mdx (1)
517-517: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winNumeric formatting inconsistency: "65,536" vs "65536" elsewhere in the same doc.
Rest of this file (and the actual
NEMOCLAW_SANDBOX_NOFILE_LIMITconstant) uses the unformatted65536. The comma here is inconsistent and could confuse readers cross-referencing the constant value.✏️ Suggested fix
-The managed Deep Agents image applies the 512-process and 65,536-file-descriptor caps to the long-running sandbox entrypoint tree and to direct managed `dcode` launches. +The managed Deep Agents image applies the 512-process and 65536-file-descriptor caps to the long-running sandbox entrypoint tree and to direct managed `dcode` launches.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/security/best-practices.mdx` at line 517, The numeric formatting in the Deep Agents image description is inconsistent with the rest of the document and the NEMOCLAW_SANDBOX_NOFILE_LIMIT constant. Update the text in the security best-practices doc to use 65536 instead of 65,536 so the value matches the constant and other references.test/support/dcode-start-script-fixture.ts (1)
23-30: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider extracting the rlimit-stub boilerplate.
The "create temp
sandbox-rlimits.sh, replace the hardcoded path, write a stubharden_resource_limits" pattern is repeated near-verbatim in this file,dcode-start-keepalive.test.ts,dcode-managed-exec.test.ts, andlangchain-deepagents-code-proxy-launcher.test.ts. Since this file already serves as shared test support, exporting a small helper (e.g.writeRlimitHelperStub(tempDir, content?)) here would let the other three files reuse it and reduce future drift risk if the production path/marker contract changes.Also applies to: 54-54
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/support/dcode-start-script-fixture.ts` around lines 23 - 30, The rlimit-stub setup is duplicated across this shared test fixture and the related tests, so extract it into a reusable helper in dcode-start-script-fixture.ts. Create a small helper such as writeRlimitHelperStub(tempDir, content?) that creates the temp sandbox-rlimits.sh path, applies the hardcoded-path replacement, and writes the harden_resource_limits stub, then update the callers in dcode-start-keepalive.test.ts, dcode-managed-exec.test.ts, and langchain-deepagents-code-proxy-launcher.test.ts to use it. Keep the helper centered around the existing START_SCRIPT replacement logic and the sandbox-rlimits.sh / harden_resource_limits symbols so the contract stays in one place.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@docs/security/best-practices.mdx`:
- Line 517: The numeric formatting in the Deep Agents image description is
inconsistent with the rest of the document and the NEMOCLAW_SANDBOX_NOFILE_LIMIT
constant. Update the text in the security best-practices doc to use 65536
instead of 65,536 so the value matches the constant and other references.
In `@test/support/dcode-start-script-fixture.ts`:
- Around line 23-30: The rlimit-stub setup is duplicated across this shared test
fixture and the related tests, so extract it into a reusable helper in
dcode-start-script-fixture.ts. Create a small helper such as
writeRlimitHelperStub(tempDir, content?) that creates the temp
sandbox-rlimits.sh path, applies the hardcoded-path replacement, and writes the
harden_resource_limits stub, then update the callers in
dcode-start-keepalive.test.ts, dcode-managed-exec.test.ts, and
langchain-deepagents-code-proxy-launcher.test.ts to use it. Keep the helper
centered around the existing START_SCRIPT replacement logic and the
sandbox-rlimits.sh / harden_resource_limits symbols so the contract stays in one
place.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 437cf208-594f-42c2-8679-da91547848ec
📒 Files selected for processing (12)
agents/langchain-deepagents-code/Dockerfile.baseagents/langchain-deepagents-code/dcode-launcher.shagents/langchain-deepagents-code/start.shdocs/security/best-practices.mdxtest/dcode-managed-exec.test.tstest/dcode-start-keepalive.test.tstest/e2e/e2e-cloud-experimental/checks/07-deepagents-code-headless-inference.shtest/helpers/langchain-deepagents-code-headless.tstest/langchain-deepagents-code-image.test.tstest/langchain-deepagents-code-proxy-launcher.test.tstest/sandbox-rlimit-hooks.test.tstest/support/dcode-start-script-fixture.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- agents/langchain-deepagents-code/Dockerfile.base
E2E Target Results — ✅ All requested jobs passedRun: 29031827196
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
test/dcode-managed-exec.test.ts (1)
18-25: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoffHoist the shared rlimit helper stub into
test/support/
RlimitHelperInstallerandinstallDefaultRlimitHelperare duplicated intest/dcode-start-keepalive.test.ts. Moving the stub besidetest/support/dcode-start-script-fixture.tswould keep the rlimit contract in one place as more dcode tests adopt it.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/dcode-managed-exec.test.ts` around lines 18 - 25, Hoist the shared rlimit helper stub out of test/dcode-managed-exec.test.ts and place it under test/support/ next to dcode-start-script-fixture so both dcode tests can reuse one implementation. Move the RlimitHelperInstaller type and installDefaultRlimitHelper helper into the shared support module, then update dcode-managed-exec.test.ts and dcode-start-keepalive.test.ts to import and use that shared stub instead of duplicating it.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@test/dcode-managed-exec.test.ts`:
- Around line 18-25: Hoist the shared rlimit helper stub out of
test/dcode-managed-exec.test.ts and place it under test/support/ next to
dcode-start-script-fixture so both dcode tests can reuse one implementation.
Move the RlimitHelperInstaller type and installDefaultRlimitHelper helper into
the shared support module, then update dcode-managed-exec.test.ts and
dcode-start-keepalive.test.ts to import and use that shared stub instead of
duplicating it.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: bf99e2cb-8599-4199-bcb7-4b3a55adc568
📒 Files selected for processing (2)
test/dcode-managed-exec.test.tstest/dcode-start-keepalive.test.ts
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29032997653
|
E2E Target Results — ❌ Some jobs failedRun: 29033123705
|
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29034150550
|
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results — ✅ All selected jobs passedRun: 29034691714
|
E2E Target Results — ✅ All requested jobs passedRun: 29035016146
|
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29035532119
|
|
Maintainer resolution for the exact head
The independent nine-category security review passed, the docs writer confirmed the exact DCode contract, and all commits are signed off and GitHub Verified. No merge was performed. |
cjagwani
left a comment
There was a problem hiding this comment.
Approved exact head a7863895ff58df7177b5ff8e71d72089efb8a1f3 after maintainer salvage and fresh evidence.
- All 43 standard checks are green; DCO is present and all 14 commits are GitHub Verified.
- Exact-head E2E 29035532119 passed
cloud-onboardandsandbox-rlimits-connect, including exact soft+hardnproc=512/nofile=65536across the DCode entrypoint, shell, and direct-launch paths. - GPT exact-head rerun is
merge_as_iswith zero required items, warnings, or suggestions. - CodeQL #1380/#1383 are fixed, CodeRabbit is green, no unresolved threads remain, and the independent nine-category security review passed.
- Documentation now describes exact verification plus fail-closed entrypoint/launcher behavior; the docs writer confirmed the final test-only hardening needs no further docs.
Nemotron has zero required fixes and one lifecycle-tracking warning for the warn-and-continue profile-hook compatibility path. I accept that warning for this PR: normal exact hardening is proven live; the entrypoint and direct managed launcher fail closed; source and user docs state the precise removal condition; and unit tests intentionally pin both warning cases, so a future OpenShell propagation/fail-closed contract change requires an explicit code-and-test update. The shell exception remains operator-visible and does not weaken the managed launch boundary.
Both overlapping DCode PRs (#6341 and #6503) are drafts, and #6503 is conflicting; they must rebase after this security fix and preserve these controls/tests.
No merge performed.
<!-- markdownlint-disable MD041 --> ## Summary Adds explicit #6194 regression coverage for the OpenClaw terminal TUI timeout-after-connected-idle failure mode. The existing live correlation target drives the real OpenClaw TUI after connected idle, verifies chat and /nemoclaw status, and confirms a bounded clean exit. It then separately drives the supported host-side OpenShell terminal UI and a direct sandbox curl to prove deterministic network-rule approval without using assistant prose as an oracle. After the UI acknowledges the approval, the target retries the exact documented Atlassian probe and requires its unauthenticated HTTP 401 response to prove that the running policy was actually updated. The historical report used NemoClaw v0.0.72. This target guards the current branch against the same post-idle regression instead of reinstalling that known-bad release, and reuses the existing #2603/#3145 provisioned sandbox to avoid a second long cloud setup. ## Related Issue Refs #6194 — current-branch regression guard for the supported OpenClaw TUI and OpenShell approval surfaces. ## Changes - Add a dedicated Expect flow for chat, status, and a bounded two-step Ctrl+C exit after connected idle. - Pin the host-side OpenShell Expect PTY to xterm-256color at 40x120, bind every multi-pattern wait to its intended spawn, and keep failure cleanup nonblocking. - Add a separate OpenShell terminal approval phase with an argv-bounded direct curl, empty-pending-queue preflight, exact sandbox/host/binary checks, and supported approval action. - Match stable sandbox-detail labels and strip OpenShell SGR styling before parsing CLI rule evidence. - Use the fixed Atlassian URL as the deny-by-default pending-rule trigger, then retry that exact full URL after approval and require the documented unauthenticated HTTP 401 success signal. - Parse the policy revision from the approval acknowledgement and bounded-poll its read-only status until that exact revision is loaded and active before retrying the request. - Publish a separate post-approval capture plus structured endpoint, expected-status, observed-status, and running-policy marker fields before assertions. - Declare all three combined live boundaries explicitly: OpenClaw websocket correlation, OpenClaw post-idle terminal input, and OpenShell network-rule terminal approval. - Extend openclaw-tui-chat-correlation so the new flow reuses its provisioned cloud sandbox. - Add fast e2e-support contracts for marker ordering, complete boundary metadata, secret redaction, trusted host-command use, spawn binding, ANSI normalization, the two-step exit, fail-closed capture diagnostics, and post-approval policy proof ordering. - Precreate terminal captures, publish structured missing/empty/marker diagnostics before assertions, and redact raw captures before writing artifacts. - Install the single allowlisted expect host dependency in the selected live job, with a pinned workflow-boundary regression contract. - Remove unrelated config-dispatch and auto-pair test changes during maintainer salvage. ## Original Author Credit @chengjiew authored the #6194 reproduction design and implementation. The maintainer synchronization and scope-cleanup commits preserve that work; the scope-cleanup commit also records Chengjie Wang as co-author. ## Maintainer Gate Disposition - The combined target is deliberate. The existing correlation target already provisions the real cloud sandbox, gateway, hosted inference route, and OpenClaw runtime needed by all three boundaries. Running the #6194 phases sequentially against that one sandbox avoids a second expensive onboard and avoids cross-run state variance. Diagnostics remain isolated by boundary: the OpenClaw TUI and OpenShell approval phases have separate Expect scripts, spawn IDs, exit-code ranges, structured result JSON, raw/plain captures, and shell result artifacts. A failure identifies its owning phase and marker instead of collapsing into one transcript. - The fast contract tests inspect the generated Tcl because several safety invariants are source boundaries that one successful PTY run cannot prove: every multi-pattern wait must bind to the intended spawn, host commands must retain exact argv boundaries, markers and timeouts must remain ordered, cleanup must stay nonblocking, pending-rule evidence must match the exact sandbox/endpoint/binary, assistant prose must not become an approval oracle, the exact post-approval retry must follow the UI acknowledgement, and redaction/diagnostic artifacts must precede assertions. These are focused mutation guards for concrete failures encountered while stabilizing the live path. The exact live job supplies the complementary behavior proof. - Exact-head run [29034353469](https://github.com/NVIDIA/NemoClaw/actions/runs/29034353469) proved the new fail-closed check by rejecting an immediate HTTP 000 retry after approval. Follow-up run [29035248442](https://github.com/NVIDIA/NemoClaw/actions/runs/29035248442) proved the read-only synchronization path and no-curl-before-loaded invariant: cloud-onboard passed, while all captured policy samples still showed acknowledged revision 4 pending with active revision 3, so the final curl did not run. Behavior-tested head d1ea65a uses OpenShell's supported 60-second policy-load deadline. Run [29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193) passed both required jobs on that head. Its audited OpenClaw artifact reports acknowledged revision 4 loaded and active on polling attempt 10, then exactly one retry of the documented Atlassian endpoint returning HTTP 401, with `policyUpdated: true` and successful cleanup. The independently audited cloud-onboard artifact installs that exact SHA on a clean hosted runner, exits 0 after deployment verification reports a healthy gateway and dashboard, and verifies cleanup. Artifact digests: `sha256:c7138daffb9c38133c824e3061efd4d6e9dc5021320d7479ab8c2451826dd9fd` (OpenClaw) and `sha256:4226b386b9150dd50486eaab7025030c61d17d9d316448a069fe3b6e217e27d7` (cloud-onboard). Current head aff5821 is a GitHub-Verified merge-only commit of d1ea65a and current main e2777f8 (#6559): all six PR files retain identical Git blobs, and the only added main changes are the already-merged DCode resource-limit work. The [merge audit](#6296 (comment)) records why the prior cloud/TUI evidence remains behaviorally applicable while fresh ordinary CI and advisors run on aff5821. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: test-only regression coverage; no user-facing behavior changed. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — test/workflow-only change; maintainer review verified the host-side OpenShell approval boundary, transcript isolation, and fail-closed artifact contracts. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] Required live E2E behavior evidence with merge-only reuse audit — [run 29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193) passed cloud-onboard and openclaw-tui-chat-correlation on d1ea65a; audited artifacts prove clean-host install/deployment, revision 4 loaded and active before the exact Atlassian retry returned HTTP 401, and successful cleanup. Current head aff5821 changes none of those PR files and only merges current main's already-landed #6559 DCode work; see the linked merge audit above. - [x] Current-head phase attribution and post-approval contracts — focused 11/11 and full e2e-support 869/869 passed. - [x] PR description includes DCO declarations and every commit is GitHub Verified - [x] Normal pre-commit, commit-msg, and pre-push hooks passed on the salvaged head - [x] Focused final TUI PTY, metadata, capture-diagnostic, and post-approval contract — 11/11 passed - [x] Full e2e-support suite — 869/869 passed on the current head - [x] npm run build:cli — passed - [x] cd nemoclaw && npm run build — passed - [x] Quality Gates section completed with required justifications - [x] No secrets, API keys, or credentials committed - [ ] npm run docs builds without warnings (doc changes only) - [ ] Doc pages follow the style guide (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Chengjie Wang <chengjiew@nvidia.com> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> --------- Signed-off-by: Chengjie Wang <chengjiew@nvidia.com> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Apurv Kumaria <akumaria@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Adds the pre-tag v0.0.79 release notes entry to `docs/about/release-notes.mdx` so the release plan can be generated after docs merge. The entry summarizes the merged v0.0.79 release train across inference, diagnostics, runtime hardening, policies, onboarding recovery, and release validation. ## Changes - Added the v0.0.79 release notes section with linked follow-up documentation for OpenRouter onboarding, managed vLLM changes, completion and logging, Deep Agents runtime limits, policy updates, onboarding recovery, and release validation. - Source summary: - #6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter onboarding support and links to inference/provider references. - #6271 and #6272 -> `docs/about/release-notes.mdx`: Documents shell completion and structured logging highlights. - #6465, #6539, #6570, and #6528 -> `docs/about/release-notes.mdx`: Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX Spark express-install diagnostics. - #6523, #6551, #6484, #6488, #6324, and #6542 -> `docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool parser, compaction, and timeout/readiness improvements. - #6559, #6538, #6560, #6568, #6552, #6567, and #6587 -> `docs/about/release-notes.mdx`: Documents runtime, credential, proxy, PID namespace, TOML, and provider-state hardening. - #6541, #5415, #6246, #6496, and #6573 -> `docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy, MCP allowlist, WhatsApp, and messaging-variant updates. - #6253, #6572, #6444, #6536, and #5860 -> `docs/about/release-notes.mdx`: Documents onboarding resume and create-step recovery improvements. - #6508, #6527, #5506, #6588, #6446, #6447, #6582, #6296, #6367, #6397, and #6505 -> `docs/about/release-notes.mdx`: Documents docs, release-risk, and E2E validation updates. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Release-note prose only. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: Tests not applicable, release-note prose only. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) Docs validation note: `npm run docs:check-agent-variants && npm run docs:check-routes && git diff --check` passed. Full `npm run docs` is currently blocked before Fern validation because the pinned `fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching version found`). --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added release notes for v0.0.79 with a new summary of recent improvements, including onboarding and inference options, operator/CLI diagnostics, sandbox recovery hardening, runtime limits, network policy behavior, and release validation updates. * Added updated references and links for the latest release. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
…A#6559) ## Summary The `langchain-deepagents-code` (dcode) sandbox ran at container default resource limits (unlimited nproc, 1024 nofile) because its image inherited neither the entrypoint hardening nor the system-wide shell hook that the OpenClaw and Hermes sandboxes use. This applies the documented nproc 512 / nofile 65536 caps to dcode, closing a fork-bomb / file-descriptor exposure. ## Related Issue Fixes NVIDIA#6545 ## Changes - Copy `scripts/lib/sandbox-rlimits.sh` into the Deep Agents Code base image and install the `/etc/profile.d/nemoclaw-rlimits.sh` (login) and `/etc/bash.bashrc` (interactive) hooks so `openshell sandbox exec` and login shells enforce the limits — this closes the reproduced `bash -lc` gap. - Source the shared library and call `harden_resource_limits` from the dcode entrypoint to harden the non-root PID 1 process tree, matching the OpenClaw and Hermes entrypoints. - Extend `test/sandbox-rlimit-hooks.test.ts` with Deep Agents Code base-image coverage asserting login and interactive shells enforce `nproc <= 4096` / `nofile <= 65536` and deny raising them. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: the security best-practices docs already state these limits apply to all sandboxes; this change makes dcode match the documented behaviour, so there is no user-facing doc change. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: awaiting maintainer security review (sandbox image + resource limits). - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result: `npx vitest run test/sandbox-rlimit-hooks.test.ts test/langchain-deepagents-code-image.test.ts test/langchain-deepagents-code-managed-entrypoints.test.ts` -> 58 passed. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: not applicable; change is scoped to the dcode base image, entrypoint, and one test, and the targeted suites above cover it. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Tinson Lai <tinsonl@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Hardened sandbox resource limits for the long-running entrypoint and managed launches, including launcher/entrypoint refuse-to-start behavior when the limits helper is missing. * Added system-wide Bash hooks so login and interactive shells attempt verification and emit a clear `[SECURITY]` warning on failure, while continuing shell execution. * Improved keep-alive startup to use a named process for clearer runtime behavior. * **Documentation** * Added Deep Agents Resource Limit Enforcement guidance, including fail/warn behavior. * **Tests** * Expanded security and integration coverage for helper installation, refuse-to-launch, and RLIMIT contract checks across multiple execution modes (including headless e2e). <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Tinson Lai <tinsonl@nvidia.com> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> Co-authored-by: Charan Jagwani <cjagwani@nvidia.com> Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Adds explicit NVIDIA#6194 regression coverage for the OpenClaw terminal TUI timeout-after-connected-idle failure mode. The existing live correlation target drives the real OpenClaw TUI after connected idle, verifies chat and /nemoclaw status, and confirms a bounded clean exit. It then separately drives the supported host-side OpenShell terminal UI and a direct sandbox curl to prove deterministic network-rule approval without using assistant prose as an oracle. After the UI acknowledges the approval, the target retries the exact documented Atlassian probe and requires its unauthenticated HTTP 401 response to prove that the running policy was actually updated. The historical report used NemoClaw v0.0.72. This target guards the current branch against the same post-idle regression instead of reinstalling that known-bad release, and reuses the existing NVIDIA#2603/NVIDIA#3145 provisioned sandbox to avoid a second long cloud setup. ## Related Issue Refs NVIDIA#6194 — current-branch regression guard for the supported OpenClaw TUI and OpenShell approval surfaces. ## Changes - Add a dedicated Expect flow for chat, status, and a bounded two-step Ctrl+C exit after connected idle. - Pin the host-side OpenShell Expect PTY to xterm-256color at 40x120, bind every multi-pattern wait to its intended spawn, and keep failure cleanup nonblocking. - Add a separate OpenShell terminal approval phase with an argv-bounded direct curl, empty-pending-queue preflight, exact sandbox/host/binary checks, and supported approval action. - Match stable sandbox-detail labels and strip OpenShell SGR styling before parsing CLI rule evidence. - Use the fixed Atlassian URL as the deny-by-default pending-rule trigger, then retry that exact full URL after approval and require the documented unauthenticated HTTP 401 success signal. - Parse the policy revision from the approval acknowledgement and bounded-poll its read-only status until that exact revision is loaded and active before retrying the request. - Publish a separate post-approval capture plus structured endpoint, expected-status, observed-status, and running-policy marker fields before assertions. - Declare all three combined live boundaries explicitly: OpenClaw websocket correlation, OpenClaw post-idle terminal input, and OpenShell network-rule terminal approval. - Extend openclaw-tui-chat-correlation so the new flow reuses its provisioned cloud sandbox. - Add fast e2e-support contracts for marker ordering, complete boundary metadata, secret redaction, trusted host-command use, spawn binding, ANSI normalization, the two-step exit, fail-closed capture diagnostics, and post-approval policy proof ordering. - Precreate terminal captures, publish structured missing/empty/marker diagnostics before assertions, and redact raw captures before writing artifacts. - Install the single allowlisted expect host dependency in the selected live job, with a pinned workflow-boundary regression contract. - Remove unrelated config-dispatch and auto-pair test changes during maintainer salvage. ## Original Author Credit @chengjiew authored the NVIDIA#6194 reproduction design and implementation. The maintainer synchronization and scope-cleanup commits preserve that work; the scope-cleanup commit also records Chengjie Wang as co-author. ## Maintainer Gate Disposition - The combined target is deliberate. The existing correlation target already provisions the real cloud sandbox, gateway, hosted inference route, and OpenClaw runtime needed by all three boundaries. Running the NVIDIA#6194 phases sequentially against that one sandbox avoids a second expensive onboard and avoids cross-run state variance. Diagnostics remain isolated by boundary: the OpenClaw TUI and OpenShell approval phases have separate Expect scripts, spawn IDs, exit-code ranges, structured result JSON, raw/plain captures, and shell result artifacts. A failure identifies its owning phase and marker instead of collapsing into one transcript. - The fast contract tests inspect the generated Tcl because several safety invariants are source boundaries that one successful PTY run cannot prove: every multi-pattern wait must bind to the intended spawn, host commands must retain exact argv boundaries, markers and timeouts must remain ordered, cleanup must stay nonblocking, pending-rule evidence must match the exact sandbox/endpoint/binary, assistant prose must not become an approval oracle, the exact post-approval retry must follow the UI acknowledgement, and redaction/diagnostic artifacts must precede assertions. These are focused mutation guards for concrete failures encountered while stabilizing the live path. The exact live job supplies the complementary behavior proof. - Exact-head run [29034353469](https://github.com/NVIDIA/NemoClaw/actions/runs/29034353469) proved the new fail-closed check by rejecting an immediate HTTP 000 retry after approval. Follow-up run [29035248442](https://github.com/NVIDIA/NemoClaw/actions/runs/29035248442) proved the read-only synchronization path and no-curl-before-loaded invariant: cloud-onboard passed, while all captured policy samples still showed acknowledged revision 4 pending with active revision 3, so the final curl did not run. Behavior-tested head d1ea65a uses OpenShell's supported 60-second policy-load deadline. Run [29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193) passed both required jobs on that head. Its audited OpenClaw artifact reports acknowledged revision 4 loaded and active on polling attempt 10, then exactly one retry of the documented Atlassian endpoint returning HTTP 401, with `policyUpdated: true` and successful cleanup. The independently audited cloud-onboard artifact installs that exact SHA on a clean hosted runner, exits 0 after deployment verification reports a healthy gateway and dashboard, and verifies cleanup. Artifact digests: `sha256:c7138daffb9c38133c824e3061efd4d6e9dc5021320d7479ab8c2451826dd9fd` (OpenClaw) and `sha256:4226b386b9150dd50486eaab7025030c61d17d9d316448a069fe3b6e217e27d7` (cloud-onboard). Current head aff5821 is a GitHub-Verified merge-only commit of d1ea65a and current main e2777f8 (NVIDIA#6559): all six PR files retain identical Git blobs, and the only added main changes are the already-merged DCode resource-limit work. The [merge audit](NVIDIA#6296 (comment)) records why the prior cloud/TUI evidence remains behaviorally applicable while fresh ordinary CI and advisors run on aff5821. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: test-only regression coverage; no user-facing behavior changed. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — test/workflow-only change; maintainer review verified the host-side OpenShell approval boundary, transcript isolation, and fail-closed artifact contracts. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] Required live E2E behavior evidence with merge-only reuse audit — [run 29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193) passed cloud-onboard and openclaw-tui-chat-correlation on d1ea65a; audited artifacts prove clean-host install/deployment, revision 4 loaded and active before the exact Atlassian retry returned HTTP 401, and successful cleanup. Current head aff5821 changes none of those PR files and only merges current main's already-landed NVIDIA#6559 DCode work; see the linked merge audit above. - [x] Current-head phase attribution and post-approval contracts — focused 11/11 and full e2e-support 869/869 passed. - [x] PR description includes DCO declarations and every commit is GitHub Verified - [x] Normal pre-commit, commit-msg, and pre-push hooks passed on the salvaged head - [x] Focused final TUI PTY, metadata, capture-diagnostic, and post-approval contract — 11/11 passed - [x] Full e2e-support suite — 869/869 passed on the current head - [x] npm run build:cli — passed - [x] cd nemoclaw && npm run build — passed - [x] Quality Gates section completed with required justifications - [x] No secrets, API keys, or credentials committed - [ ] npm run docs builds without warnings (doc changes only) - [ ] Doc pages follow the style guide (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Chengjie Wang <chengjiew@nvidia.com> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> --------- Signed-off-by: Chengjie Wang <chengjiew@nvidia.com> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Apurv Kumaria <akumaria@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Adds the pre-tag v0.0.79 release notes entry to `docs/about/release-notes.mdx` so the release plan can be generated after docs merge. The entry summarizes the merged v0.0.79 release train across inference, diagnostics, runtime hardening, policies, onboarding recovery, and release validation. ## Changes - Added the v0.0.79 release notes section with linked follow-up documentation for OpenRouter onboarding, managed vLLM changes, completion and logging, Deep Agents runtime limits, policy updates, onboarding recovery, and release validation. - Source summary: - NVIDIA#6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter onboarding support and links to inference/provider references. - NVIDIA#6271 and NVIDIA#6272 -> `docs/about/release-notes.mdx`: Documents shell completion and structured logging highlights. - NVIDIA#6465, NVIDIA#6539, NVIDIA#6570, and NVIDIA#6528 -> `docs/about/release-notes.mdx`: Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX Spark express-install diagnostics. - NVIDIA#6523, NVIDIA#6551, NVIDIA#6484, NVIDIA#6488, NVIDIA#6324, and NVIDIA#6542 -> `docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool parser, compaction, and timeout/readiness improvements. - NVIDIA#6559, NVIDIA#6538, NVIDIA#6560, NVIDIA#6568, NVIDIA#6552, NVIDIA#6567, and NVIDIA#6587 -> `docs/about/release-notes.mdx`: Documents runtime, credential, proxy, PID namespace, TOML, and provider-state hardening. - NVIDIA#6541, NVIDIA#5415, NVIDIA#6246, NVIDIA#6496, and NVIDIA#6573 -> `docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy, MCP allowlist, WhatsApp, and messaging-variant updates. - NVIDIA#6253, NVIDIA#6572, NVIDIA#6444, NVIDIA#6536, and NVIDIA#5860 -> `docs/about/release-notes.mdx`: Documents onboarding resume and create-step recovery improvements. - NVIDIA#6508, NVIDIA#6527, NVIDIA#5506, NVIDIA#6588, NVIDIA#6446, NVIDIA#6447, NVIDIA#6582, NVIDIA#6296, NVIDIA#6367, NVIDIA#6397, and NVIDIA#6505 -> `docs/about/release-notes.mdx`: Documents docs, release-risk, and E2E validation updates. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Release-note prose only. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: Tests not applicable, release-note prose only. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) Docs validation note: `npm run docs:check-agent-variants && npm run docs:check-routes && git diff --check` passed. Full `npm run docs` is currently blocked before Fern validation because the pinned `fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching version found`). --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added release notes for v0.0.79 with a new summary of recent improvements, including onboarding and inference options, operator/CLI diagnostics, sandbox recovery hardening, runtime limits, network policy behavior, and release validation updates. * Added updated references and links for the latest release. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
Summary
The
langchain-deepagents-code(dcode) sandbox ran at container default resource limits (unlimited nproc, 1024 nofile) because its image inherited neither the entrypoint hardening nor the system-wide shell hook that the OpenClaw and Hermes sandboxes use. This applies the documented nproc 512 / nofile 65536 caps to dcode, closing a fork-bomb / file-descriptor exposure.Related Issue
Fixes #6545
Changes
scripts/lib/sandbox-rlimits.shinto the Deep Agents Code base image and install the/etc/profile.d/nemoclaw-rlimits.sh(login) and/etc/bash.bashrc(interactive) hooks soopenshell sandbox execand login shells enforce the limits — this closes the reproducedbash -lcgap.harden_resource_limitsfrom the dcode entrypoint to harden the non-root PID 1 process tree, matching the OpenClaw and Hermes entrypoints.test/sandbox-rlimit-hooks.test.tswith Deep Agents Code base-image coverage asserting login and interactive shells enforcenproc <= 4096/nofile <= 65536and deny raising them.Type of Change
Quality Gates
Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpx vitest run test/sandbox-rlimit-hooks.test.ts test/langchain-deepagents-code-image.test.ts test/langchain-deepagents-code-managed-entrypoints.test.ts-> 58 passed.npm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — command/result: not applicable; change is scoped to the dcode base image, entrypoint, and one test, and the targeted suites above cover it.npm run docsbuilds without warnings (doc changes only)Signed-off-by: Tinson Lai tinsonl@nvidia.com
Summary by CodeRabbit
[SECURITY]warning on failure, while continuing shell execution.