fix(config): harden TOML config handling#6567
Conversation
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a shared ChangesConfig format extraction and TOML support
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant CLI
participant configGet
participant configFormat
participant credentialFilter
CLI->>configGet: config get
configGet->>configFormat: parseConfig(raw, format)
configFormat->>configFormat: choose yaml, toml, or json parser
configFormat->>credentialFilter: isConfigObject / isConfigValue
configFormat-->>configGet: parsed config
configGet->>credentialFilter: redact secrets and strip gateway
configGet-->>CLI: redacted config output
Suggested labels: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 77%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
|
🌿 Preview your docs: https://nvidia-preview-pr-6567.docs.buildwithfern.com/nemoclaw |
PR Review Advisor (Nemotron Ultra) — InformationalMerge posture: Informational / low confidence Action checklist
Findings index
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements
|
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
docs/get-started/quickstart-langchain-deepagents-code.mdx (1)
184-186: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider a
<Warning>callout for theconfig setlimitation.This caveat (no
config setsupport, re-onboarding required) is important operational info and fits the callout pattern used elsewhere for this kind of guidance.As per coding guidelines, "Use Fern callout components such as
<Note>,<Tip>, and<Warning>for callouts in MDX pages."📝 Proposed fix
NemoClaw parses `config.toml`, removes gateway auth data, and redacts credential-shaped values before printing it. -`config set` is not supported for this image-baked configuration; re-onboard the named sandbox to change its managed provider or model selection. + +<Warning> +`config set` is not supported for this image-baked configuration. +Re-onboard the named sandbox to change its managed provider or model selection. +</Warning>🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/get-started/quickstart-langchain-deepagents-code.mdx` around lines 184 - 186, The quickstart copy currently presents the `config set` limitation as plain text; update the MDX in the `quickstart-langchain-deepagents-code` section to use a Fern `<Warning>` callout for this operational caveat. Keep the existing message about `NemoClaw`/`config.toml` behavior, but wrap the `config set is not supported` and re-onboarding guidance in the appropriate `<Warning>` component so it matches the callout pattern used elsewhere in the docs.Source: Coding guidelines
src/lib/sandbox/config-format.test.ts (1)
9-47: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winGood behavioral coverage; consider adding a TOML datetime case.
Tests exercise the public
parseConfig/serializeConfigAPI directly with real inputs rather than mocking internals, which fits the repo's testing guidance. As per path instructions, "Prefer observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions." None of the current cases cover a TOML value containing a date/datetime field, which is the scenario flagged inconfig-format.tsas likely to break parsing. Adding one would catch that regression.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/sandbox/config-format.test.ts` around lines 9 - 47, The sandbox config format tests cover comment-prefixed TOML and JSON/YAML behavior, but they miss the TOML datetime case called out in config-format handling. Add a new observable test in sandbox config formats using parseConfig with a TOML date/datetime field and assert the parsed shape matches the expected value. Keep the coverage at the public API boundary by exercising parseConfig directly, similar to the existing scenarios in config-format.test.ts.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/get-started/quickstart-langchain-deepagents-code.mdx`:
- Line 185: The MDX text in the quickstart content has two sentences joined on
one line with a semicolon; split them into separate lines so each sentence
stands alone. Update the affected prose near the config set message in the
quickstart document, keeping the wording the same but placing one sentence per
line to match the Markdown/MDX guideline.
---
Nitpick comments:
In `@docs/get-started/quickstart-langchain-deepagents-code.mdx`:
- Around line 184-186: The quickstart copy currently presents the `config set`
limitation as plain text; update the MDX in the
`quickstart-langchain-deepagents-code` section to use a Fern `<Warning>` callout
for this operational caveat. Keep the existing message about
`NemoClaw`/`config.toml` behavior, but wrap the `config set is not supported`
and re-onboarding guidance in the appropriate `<Warning>` component so it
matches the callout pattern used elsewhere in the docs.
In `@src/lib/sandbox/config-format.test.ts`:
- Around line 9-47: The sandbox config format tests cover comment-prefixed TOML
and JSON/YAML behavior, but they miss the TOML datetime case called out in
config-format handling. Add a new observable test in sandbox config formats
using parseConfig with a TOML date/datetime field and assert the parsed shape
matches the expected value. Keep the coverage at the public API boundary by
exercising parseConfig directly, similar to the existing scenarios in
config-format.test.ts.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: f59addfd-a6db-4445-ad21-c353a34aacae
📒 Files selected for processing (5)
docs/get-started/quickstart-langchain-deepagents-code.mdxsrc/lib/sandbox/config-format.test.tssrc/lib/sandbox/config-format.tssrc/lib/sandbox/config-get.test.tssrc/lib/sandbox/config.ts
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings Action checklist
Test follow-ups to resolve or justifyIf these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.
This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision. |
E2E Target Results — ❌ Some jobs failedRun: 29011649163
|
E2E Target Results — ❌ Some jobs failedRun: 29011824726
|
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
E2E Target Results — ✅ All selected jobs passedRun: 29011831223
|
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Exact-head code gate is complete at
I have not dispatched another live run on this head. The first attempt stopped before config behavior on the current-main gateway trust-anchor shell regression; #6560 now fixes that regression and is ready for independent approval. After #6560 lands, merge updated |
cjagwani
left a comment
There was a problem hiding this comment.
Approved on exact head 7c25ff2: all required checks are green, all commits are GitHub Verified, the trusted GPT advisor recommends merge_as_is, and the parser now fails closed without echoing credential-bearing JSON, YAML, or TOML source text. The remaining CodeRabbit note is a non-blocking MDX sentence-layout style nit.
E2E Target Results — ❌ Some jobs failedRun: 29024785928
|
E2E Target Results — ✅ All requested jobs passedRun: 29024848656
|
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results — ✅ All selected jobs passedRun: 29024848700
|
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results —
|
| Job | Result |
|---|---|
| live |
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29027856709
|
E2E Target Results — ✅ All selected jobs passedRun: 29027848653
|
cjagwani
left a comment
There was a problem hiding this comment.
Approved exact head b5c346ddf62de1c211727ad61db47845b3d1d1dd: all 44 normal checks are green; DCO and all 10 GitHub-Verified commits pass; CodeRabbit is clear; the trusted GPT advisor reports merge_as_is with zero findings; typed dcode run 29027848653 passed the real JSON/keyed/YAML config reads, credential redaction, rejected immutable set, and re-onboard path; and shields-config run 29027856709 passed. The parsed-structure security fix also passed 23/23 focused tests, CLI type-check, normal hooks, and an independent adversarial audit. GitHub reports MERGEABLE; the remaining BLOCKED state is branch protection, not a content conflict.
<!-- markdownlint-disable MD041 --> ## Summary Adds the pre-tag v0.0.79 release notes entry to `docs/about/release-notes.mdx` so the release plan can be generated after docs merge. The entry summarizes the merged v0.0.79 release train across inference, diagnostics, runtime hardening, policies, onboarding recovery, and release validation. ## Changes - Added the v0.0.79 release notes section with linked follow-up documentation for OpenRouter onboarding, managed vLLM changes, completion and logging, Deep Agents runtime limits, policy updates, onboarding recovery, and release validation. - Source summary: - #6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter onboarding support and links to inference/provider references. - #6271 and #6272 -> `docs/about/release-notes.mdx`: Documents shell completion and structured logging highlights. - #6465, #6539, #6570, and #6528 -> `docs/about/release-notes.mdx`: Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX Spark express-install diagnostics. - #6523, #6551, #6484, #6488, #6324, and #6542 -> `docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool parser, compaction, and timeout/readiness improvements. - #6559, #6538, #6560, #6568, #6552, #6567, and #6587 -> `docs/about/release-notes.mdx`: Documents runtime, credential, proxy, PID namespace, TOML, and provider-state hardening. - #6541, #5415, #6246, #6496, and #6573 -> `docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy, MCP allowlist, WhatsApp, and messaging-variant updates. - #6253, #6572, #6444, #6536, and #5860 -> `docs/about/release-notes.mdx`: Documents onboarding resume and create-step recovery improvements. - #6508, #6527, #5506, #6588, #6446, #6447, #6582, #6296, #6367, #6397, and #6505 -> `docs/about/release-notes.mdx`: Documents docs, release-risk, and E2E validation updates. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Release-note prose only. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: Tests not applicable, release-note prose only. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) Docs validation note: `npm run docs:check-agent-variants && npm run docs:check-routes && git diff --check` passed. Full `npm run docs` is currently blocked before Fern validation because the pinned `fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching version found`). --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added release notes for v0.0.79 with a new summary of recent improvements, including onboarding and inference options, operator/CLI diagnostics, sandbox recovery hardening, runtime limits, network policy behavior, and release validation updates. * Added updated references and links for the latest release. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- markdownlint-disable MD041 --> ## Summary Hardens the TOML configuration support introduced in NVIDIA#6552. The change centralizes format handling, keeps TOML reads sanitized, and refuses unsupported TOML writes instead of silently rewriting the file as JSON. ## Related Issue Follow-up to NVIDIA#6552. ## Changes - Extract JSON/TOML parsing and serialization behind a small format boundary. - Validate parsed configuration values as JSON-like data before exposing them to callers.\n- Replace raw TOML/JSON/YAML parser exceptions with format-specific generic errors so malformed credential-bearing source text cannot reach CLI diagnostics. - Add TOML fixtures that prove `--key` extraction works and credentials plus gateway state stay sanitized in default JSON and requested YAML output. - Reject `config set` for TOML-backed sandboxes until a lossless TOML writer is supported. - Document sanitized TOML inspection and the re-onboarding boundary for dcode users. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending exact-head independent review - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run --project cli src/lib/sandbox/*.test.ts` (151/151); `npx vitest run --project integration test/config-set-nested-ssrf.test.ts` (7/7); follow-up `npx vitest run --project cli src/lib/sandbox/config-format.test.ts src/lib/sandbox/config-get.test.ts` (17/17); `npm run build:cli && npm run typecheck:cli` passed - [x] Applicable broad gate passed — `npm run test:package` (292/292) - [ ] Quality Gates section completed with required justifications or waivers — exact-head independent sensitive-path review is pending - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — 0 errors; Fern reports two unrelated environment/baseline warnings (redirect authentication and existing color contrast) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added a guide for inspecting managed Deep Agents Code configuration with `config get`, including redaction of credential-shaped values and omission of gateway authentication details. * **Bug Fixes** * Improved configuration parsing/validation across YAML, TOML, and JSON with clearer, safer error handling. * Ensured secrets are fully redacted in both full output and `--key` views, and prevented gateway auth data from appearing. * Rejected `config set` for TOML-format managed configurations. * **Tests** * Added parsing/serialization tests and strengthened regression coverage to verify redaction and error-message safety. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Carlos Villela <cvillela@nvidia.com> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> Co-authored-by: J. Yaunches <jyaunches@nvidia.com> Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Adds the pre-tag v0.0.79 release notes entry to `docs/about/release-notes.mdx` so the release plan can be generated after docs merge. The entry summarizes the merged v0.0.79 release train across inference, diagnostics, runtime hardening, policies, onboarding recovery, and release validation. ## Changes - Added the v0.0.79 release notes section with linked follow-up documentation for OpenRouter onboarding, managed vLLM changes, completion and logging, Deep Agents runtime limits, policy updates, onboarding recovery, and release validation. - Source summary: - NVIDIA#6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter onboarding support and links to inference/provider references. - NVIDIA#6271 and NVIDIA#6272 -> `docs/about/release-notes.mdx`: Documents shell completion and structured logging highlights. - NVIDIA#6465, NVIDIA#6539, NVIDIA#6570, and NVIDIA#6528 -> `docs/about/release-notes.mdx`: Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX Spark express-install diagnostics. - NVIDIA#6523, NVIDIA#6551, NVIDIA#6484, NVIDIA#6488, NVIDIA#6324, and NVIDIA#6542 -> `docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool parser, compaction, and timeout/readiness improvements. - NVIDIA#6559, NVIDIA#6538, NVIDIA#6560, NVIDIA#6568, NVIDIA#6552, NVIDIA#6567, and NVIDIA#6587 -> `docs/about/release-notes.mdx`: Documents runtime, credential, proxy, PID namespace, TOML, and provider-state hardening. - NVIDIA#6541, NVIDIA#5415, NVIDIA#6246, NVIDIA#6496, and NVIDIA#6573 -> `docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy, MCP allowlist, WhatsApp, and messaging-variant updates. - NVIDIA#6253, NVIDIA#6572, NVIDIA#6444, NVIDIA#6536, and NVIDIA#5860 -> `docs/about/release-notes.mdx`: Documents onboarding resume and create-step recovery improvements. - NVIDIA#6508, NVIDIA#6527, NVIDIA#5506, NVIDIA#6588, NVIDIA#6446, NVIDIA#6447, NVIDIA#6582, NVIDIA#6296, NVIDIA#6367, NVIDIA#6397, and NVIDIA#6505 -> `docs/about/release-notes.mdx`: Documents docs, release-risk, and E2E validation updates. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: Release-note prose only. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: Tests not applicable, release-note prose only. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) Docs validation note: `npm run docs:check-agent-variants && npm run docs:check-routes && git diff --check` passed. Full `npm run docs` is currently blocked before Fern validation because the pinned `fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching version found`). --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added release notes for v0.0.79 with a new summary of recent improvements, including onboarding and inference options, operator/CLI diagnostics, sandbox recovery hardening, runtime limits, network policy behavior, and release validation updates. * Added updated references and links for the latest release. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
Summary
Hardens the TOML configuration support introduced in #6552. The change centralizes format handling, keeps TOML reads sanitized, and refuses unsupported TOML writes instead of silently rewriting the file as JSON.
Related Issue
Follow-up to #6552.
Changes
--keyextraction works and credentials plus gateway state stay sanitized in default JSON and requested YAML output.config setfor TOML-backed sandboxes until a lossless TOML writer is supported.Type of Change
Quality Gates
Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpx vitest run --project cli src/lib/sandbox/*.test.ts(151/151);npx vitest run --project integration test/config-set-nested-ssrf.test.ts(7/7); follow-upnpx vitest run --project cli src/lib/sandbox/config-format.test.ts src/lib/sandbox/config-get.test.ts(17/17);npm run build:cli && npm run typecheck:clipassednpm run test:package(292/292)npm run docsbuilds without warnings (doc changes only) — 0 errors; Fern reports two unrelated environment/baseline warnings (redirect authentication and existing color contrast)Signed-off-by: Carlos Villela cvillela@nvidia.com
Summary by CodeRabbit
Documentation
config get, including redaction of credential-shaped values and omission of gateway authentication details.Bug Fixes
--keyviews, and prevented gateway auth data from appearing.config setfor TOML-format managed configurations.Tests