Skip to content

fix(dcode): allow managed OTLP collector endpoint#6575

Closed
HwangJohn wants to merge 1 commit into
NVIDIA:mainfrom
HwangJohn:fix/dcode-managed-otlp-endpoint
Closed

fix(dcode): allow managed OTLP collector endpoint#6575
HwangJohn wants to merge 1 commit into
NVIDIA:mainfrom
HwangJohn:fix/dcode-managed-otlp-endpoint

Conversation

@HwangJohn

@HwangJohn HwangJohn commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Allows the NemoClaw-managed Deep Agents Code runtime to accept the fixed, credential-free local OTLP collector endpoint without tripping the secret scanner. The change keeps arbitrary OTEL endpoints and OTEL headers blocked, and managed runtime setup still strips ambient OTEL configuration before child/server execution.

Related Issue

Fixes #6466

Changes

  • Add a narrow runtime allowlist for OTEL_EXPORTER_OTLP_ENDPOINT=http://host.openshell.internal:4318 and the local /v1/traces endpoint in the Bash DCode wrapper.
  • Mirror the same allowlist in the Python managed runtime guard for direct-module execution.
  • Cover the allowed local collector endpoint while retaining existing rejection coverage for external endpoints, headers, and tracing replica configs.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: no new user setting or collector contract; existing docs already describe the fixed local OTLP endpoint and no custom/auth headers.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: contributor security review completed; allowlist is limited to the local OpenShell OTLP collector, .env remains fail-closed, external OTEL endpoints and headers remain rejected, and targeted security/observability tests pass.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable — command/result: DGX Spark Linux exact commit d6a7c52064b2f0e4e1bcfef94b1f6b719dfa5cfe: npm run check:diff passed.
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: DGX Spark Linux exact commit d6a7c52064b2f0e4e1bcfef94b1f6b719dfa5cfe: npx vitest run --project integration test/langchain-deepagents-code-managed-entrypoints.test.ts test/langchain-deepagents-code-direct-module-patch.test.ts passed, 87 tests; npx vitest run --project integration test/langchain-deepagents-code-secret-pattern-parity.test.ts test/langchain-deepagents-code-observability.test.ts passed, 10 tests. Actual OpenShell sandbox smoke against local vLLM Qwen/Qwen3.6-35B-A3B passed: dcode status accepted OTEL_EXPORTER_OTLP_ENDPOINT=http://host.openshell.internal:4318, rejected OTEL_EXPORTER_OTLP_ENDPOINT=https://collector.example.test:4318, and dcode -n 'Reply with exactly OK.' returned OK.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result:
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: HwangJohn angelic805@gmail.com

Summary by CodeRabbit

  • Bug Fixes
    • Allowed approved local OpenTelemetry endpoint settings to pass environment safety checks.
    • Improved handling of observability-related environment values so valid runtime settings are no longer blocked.
    • Added coverage to confirm managed runs succeed when using the supported local telemetry collector endpoint.

@copy-pr-bot

copy-pr-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6f45f99f-4028-4879-880c-6bc0c9f0728b

📥 Commits

Reviewing files that changed from the base of the PR and between 5476b9d and d6a7c52.

📒 Files selected for processing (4)
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-managed-entrypoints.test.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/langchain-deepagents-code-managed-entrypoints.test.ts`:
- Around line 155-159: The table in the OTLP collector endpoint test is missing
the remaining allowed variants, so expand the `it.each` cases in
`test/langchain-deepagents-code-managed-entrypoints.test.ts` to cover
`OTEL_EXPORTER_OTLP_ENDPOINT` with `/v1/traces` and
`OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` with a trailing slash. Keep the assertion
focused on the existing allowlist behavior in the test block around the `allows
the local managed OTLP collector endpoint` case.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6f45f99f-4028-4879-880c-6bc0c9f0728b

📥 Commits

Reviewing files that changed from the base of the PR and between 5476b9d and d6a7c52.

📒 Files selected for processing (4)
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-managed-entrypoints.test.ts

Comment on lines +155 to +159
it.each([
["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318"],
["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318/"],
["OTEL_EXPORTER_OTLP_TRACES_ENDPOINT", "http://host.openshell.internal:4318/v1/traces"],
])("allows the local managed OTLP collector endpoint in %s", (name, value) => {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Cover the remaining allowed endpoint variants.

The implementation also accepts OTEL_EXPORTER_OTLP_ENDPOINT with /v1/traces and normalizes a trailing slash for OTEL_EXPORTER_OTLP_TRACES_ENDPOINT; add those table rows so the test proves the full public allowlist behavior. As per path instructions, “Review tests for behavioral confidence rather than implementation lock-in.”

Proposed test case additions
   it.each([
     ["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318"],
     ["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318/"],
+    ["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318/v1/traces"],
+    ["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318/v1/traces/"],
     ["OTEL_EXPORTER_OTLP_TRACES_ENDPOINT", "http://host.openshell.internal:4318/v1/traces"],
+    ["OTEL_EXPORTER_OTLP_TRACES_ENDPOINT", "http://host.openshell.internal:4318/v1/traces/"],
   ])("allows the local managed OTLP collector endpoint in %s", (name, value) => {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
it.each([
["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318"],
["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318/"],
["OTEL_EXPORTER_OTLP_TRACES_ENDPOINT", "http://host.openshell.internal:4318/v1/traces"],
])("allows the local managed OTLP collector endpoint in %s", (name, value) => {
it.each([
["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318"],
["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318/"],
["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318/v1/traces"],
["OTEL_EXPORTER_OTLP_ENDPOINT", "http://host.openshell.internal:4318/v1/traces/"],
["OTEL_EXPORTER_OTLP_TRACES_ENDPOINT", "http://host.openshell.internal:4318/v1/traces"],
["OTEL_EXPORTER_OTLP_TRACES_ENDPOINT", "http://host.openshell.internal:4318/v1/traces/"],
])("allows the local managed OTLP collector endpoint in %s", (name, value) => {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/langchain-deepagents-code-managed-entrypoints.test.ts` around lines 155
- 159, The table in the OTLP collector endpoint test is missing the remaining
allowed variants, so expand the `it.each` cases in
`test/langchain-deepagents-code-managed-entrypoints.test.ts` to cover
`OTEL_EXPORTER_OTLP_ENDPOINT` with `/v1/traces` and
`OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` with a trailing slash. Keep the assertion
focused on the existing allowlist behavior in the test block around the `allows
the local managed OTLP collector endpoint` case.

Source: Path instructions

@apurvvkumaria apurvvkumaria added the v0.0.79 Release target label Jul 9, 2026
@apurvvkumaria apurvvkumaria self-assigned this Jul 9, 2026
@cjagwani

cjagwani commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Closing as superseded by #6538, which already merged the #6466 fix. Against current main, this PR only adds redundant narrower allowlists and tests; keeping a second security-sensitive allowlist would create drift without any remaining behavior to land. Thank you for the thorough verification and sign-off.

@cjagwani cjagwani closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.79 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Ubuntu 24.04][Agent&Skills] dcode refuses to start — secret scanner false positive on OTEL_EXPORTER_OTLP_ENDPOINT

3 participants