Conversation
Signed-off-by: Angel Mata <amata@nvidia.com>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a reusable DNS-aware keep-alive HTTP validation session, native OpenAI-like probing with legacy fallback, model-specific payload helpers, sanitized extra headers, and asynchronous onboarding integration with expanded tests. ChangesProvider validation transport
OpenAI-like probing
Asynchronous onboarding integration
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant Onboarding
participant OptimizedProbe
participant ValidationSession
participant OpenAIEndpoint
participant LegacyProbe
Onboarding->>OptimizedProbe: validate endpoint
OptimizedProbe->>ValidationSession: create native session
ValidationSession->>OpenAIEndpoint: send Responses or Chat request
OpenAIEndpoint-->>ValidationSession: return response
OptimizedProbe->>LegacyProbe: replay on native failure
OptimizedProbe-->>Onboarding: return validation result
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings Action checklist
Test follow-ups to resolve or justifyIf these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.
This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision. |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/lib/inference/openai-validation-session.ts (1)
171-199: 🚀 Performance & Scalability | 🔵 TrivialWorst-case validation latency compounds: native retries then legacy retries.
When a provider returns persistent retriable statuses (429/502/503/504), the native path exhausts
RETRY_DELAYS_MS(up to ~50s per probe) and then routes todeps.legacyProbe, which runs its own probe sequence with a second independent retry/backoff. For a genuinely-degraded endpoint this can noticeably extend the onboarding hang versus the previous single-transport behavior. Please confirm this is acceptable given issue#3771explicitly excludes timeout-policy changes, or consider suppressing the legacy retry when the native path already exhausted the same backoff schedule.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/inference/openai-validation-session.ts` around lines 171 - 199, Review the fallback flow from requestWithHttpRetry and the native validation path into deps.legacyProbe: avoid running the legacy probe’s independent retry/backoff after the native request has exhausted RETRY_DELAYS_MS for retriable HTTP statuses, while preserving existing timeout policy. Track or propagate the native retry-exhaustion state and suppress only the redundant legacy retry sequence; retain legacy fallback behavior for non-retriable failures and update relevant tests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/lib/inference/openai-validation-session.ts`:
- Around line 171-199: Review the fallback flow from requestWithHttpRetry and
the native validation path into deps.legacyProbe: avoid running the legacy
probe’s independent retry/backoff after the native request has exhausted
RETRY_DELAYS_MS for retriable HTTP statuses, while preserving existing timeout
policy. Track or propagate the native retry-exhaustion state and suppress only
the redundant legacy retry sequence; retain legacy fallback behavior for
non-retriable failures and update relevant tests.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 945856e4-0c92-43b4-b931-2862b12c1c46
📒 Files selected for processing (15)
src/lib/adapters/http/validation-session.test.tssrc/lib/adapters/http/validation-session.tssrc/lib/inference/onboard-probes.tssrc/lib/inference/openai-probe-models.tssrc/lib/inference/openai-validation-session.test.tssrc/lib/inference/openai-validation-session.tssrc/lib/onboard/bedrock-runtime.tssrc/lib/onboard/inference-providers/hermes.tssrc/lib/onboard/inference-providers/remote.tssrc/lib/onboard/inference-providers/types.tssrc/lib/onboard/inference-selection-validation.test.tssrc/lib/onboard/inference-selection-validation.tssrc/lib/onboard/setup-inference.tstest/helpers/onboard-smoke-verifier-harness.tstest/onboard-smoke-verifier.test.ts
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 78%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
Review findings by urgency: 0 required fixes, 2 items to resolve/justify, 1 in-scope improvement
|
Signed-off-by: Angel Mata <amata@nvidia.com>
Signed-off-by: Angel Mata <amata@nvidia.com>
Signed-off-by: Angel Mata <amata@nvidia.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/adapters/http/auth-config.ts`:
- Around line 141-151: Update parseOpenAiLikeExtraHeaders to trim the extracted
header name before validation, reject empty names, and enforce valid HTTP token
syntax; only return the parsed header after this validation so inputs such as "
: value" cannot produce an empty header name.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 0914e886-7ccd-4881-808f-ab5daee77889
📒 Files selected for processing (3)
src/lib/adapters/http/auth-config.tssrc/lib/inference/openai-validation-session.test.tssrc/lib/inference/openai-validation-session.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- src/lib/inference/openai-validation-session.ts
Signed-off-by: Angel Mata <amata@nvidia.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/adapters/http/auth-config.test.ts`:
- Around line 110-113: Expand the fixture in the test named “accepts every HTTP
token character in an OpenAI-like provider header name” to include all digits
(0–9), uppercase letters (A–Z), and lowercase letters (a–z), while retaining the
punctuation characters already covered. Keep the assertion through the public
parseOpenAiLikeExtraHeaders boundary and update the expected header name
accordingly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 1e7fa82d-9a1f-4c3a-8f18-d576ecd2e243
📒 Files selected for processing (2)
src/lib/adapters/http/auth-config.test.tssrc/lib/adapters/http/auth-config.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- src/lib/adapters/http/auth-config.ts
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/inference/openai-validation-session.test-helpers.ts`:
- Around line 24-30: Update the server-start helper’s Promise in the returned
function to reject on `server` errors by registering an error listener before
calling `listen`; resolve only after successful startup, then remove the
listener once resolved or rejected. Preserve the existing address validation and
port return logic.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 8d8c82a1-08c0-48c1-8eea-c9beaee5f93d
📒 Files selected for processing (5)
src/lib/adapters/http/auth-config.test.tssrc/lib/inference/openai-validation-session-auth.test.tssrc/lib/inference/openai-validation-session-fallback.test.tssrc/lib/inference/openai-validation-session.test-helpers.tssrc/lib/inference/openai-validation-session.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- src/lib/adapters/http/auth-config.test.ts
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
E2E Target Results —
|
| Job | Result |
|---|---|
| cloud-onboard | |
| inference-routing | ✅ success |
| network-policy | |
| onboard-repair | |
| onboard-resume |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
@coderabbitai review |
✅ Action performedReview finished.
|
E2E Target Results —
|
| Job | Result |
|---|---|
| bedrock-runtime-compatible-anthropic | |
| cloud-onboard | |
| inference-routing | ✅ success |
| network-policy | |
| onboard-repair | |
| onboard-resume |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
@coderabbitai review |
✅ Action performedReview finished.
|
E2E Target Results —
|
| Job | Result |
|---|---|
| bedrock-runtime-compatible-anthropic | |
| cloud-onboard | |
| inference-routing | ✅ success |
| network-policy | |
| onboard-repair | |
| onboard-resume |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/inference/openai-validation-session-fallback.test.ts`:
- Around line 24-34: Remove the conditional from the mock server handler in the
test using the request-count-driven response mechanism expected by the
guardrail, such as a predefined sequence of status codes and bodies indexed by
request count. Preserve the 503, 429, and successful responses while keeping the
handler linear and without branching.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: c93e1380-e94e-489c-828a-8dab8661eee1
📒 Files selected for processing (6)
src/lib/adapters/http/auth-config.test.tssrc/lib/inference/onboard-probes.tssrc/lib/inference/openai-validation-session-auth.test.tssrc/lib/inference/openai-validation-session-fallback.test.tssrc/lib/inference/openai-validation-session.test-helpers.tssrc/lib/inference/openai-validation-session.test.ts
🚧 Files skipped from review as they are similar to previous changes (4)
- src/lib/adapters/http/auth-config.test.ts
- src/lib/inference/openai-validation-session.test-helpers.ts
- src/lib/inference/openai-validation-session.test.ts
- src/lib/inference/onboard-probes.ts
|
Maintainer acceptance for the linked #3771 metadata clause: #2001 is closed and locked, so I accept this PR's checked-in implementation, trace events, and exact-head test evidence as the required substitute for a direct #2001 update. The evidence includes validation_transport_selected, validation_dns_lookup, validation_socket_opened, validation_socket_reused, validation_transport_fallback, and validation_transport_closed events; focused connection-reuse/fallback/auth/model/retry coverage; and the required live inference, network, lifecycle, hosted-onboard, and Bedrock runs. No additional #2001 comment or repository documentation is required for this acceptance criterion. The remaining provider-specific deferred/rejected smoke-test recommendation is non-blocking: those providers use the same awaited VerifyOnboardInferenceSmoke contract and the exact-head live Bedrock variants plus onboard repair/resume validate the changed async boundary. A provider-local unit expansion can be considered separately if a concrete branch-specific regression appears. |
E2E Target Results — ✅ All selected jobs passedRun: 29140576783
|
|
Maintainer exact-head adjudication for
These items are explicitly resolved by maintainer rationale at the exact head. Please evaluate this adjudication on rerun. |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Advisor remediation at exact head
Verification: 88/88 focused CLI tests passed across Bedrock, Hermes, native validation, curl fallback, and probe models; strict CLI typecheck, Biome, conditional scan, normal pre-commit hooks, pre-push CLI typecheck, and package/tag sync passed. Both new commits are signed, signed off, and GitHub Verified. The broader architecture migrations and speculative tracking issues suggested by Nemotron remain outside #3771 scope; existing exact-head live coverage will be refreshed for this new head. |
|
Maintainer exact-head adjudication for
I also reviewed the transport boundary for credentials, origin confinement, DNS/address pinning, hostname-based TLS verification, response limits, cleanup, and fallback behavior. I found no code or security change warranted by the remaining advisor items. Rerunning the exact-head advisor so it can evaluate this rationale. |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Maintainer follow-up pushed at exact head The reported write is not final success metadata: The existing containment regression now proves the async form directly:
This is a test-only clarification; production behavior is unchanged from the previously live-validated head. Focused CLI tests passed 4/4, Biome, CLI typecheck, title checks, normal pre-commit/pre-push hooks, and independent review passed. The docs writer confirmed no user-facing change. GitHub reports the signed commit as Verified. |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
cv
left a comment
There was a problem hiding this comment.
Approved on exact head f6ee326. All five required checks pass; DCO/signatures are verified; CodeRabbit threads are resolved. Exact trusted E2E run 29146238988 passed inference-routing, network-policy, onboard-repair, and onboard-resume. GPT is merge_as_is with zero findings. Nemotron warnings are adjudicated: DeepSeek V4 Pro intentionally keeps its established legacy compatibility path, production probe call sites await the sync/async union and no bypass exists, and @ts-nocheck is pre-existing debt. Page-limit/incomplete-signal checks are controller evidence-plumbing failures.
<!-- markdownlint-disable MD041 --> ## Summary Release-prep documentation for v0.0.81 now summarizes user-facing changes merged since v0.0.80. It also closes the Hermes dashboard-profile backup gap and distinguishes direct blueprint-runner actions from public host CLI commands. ## Changes - Add the `v0.0.81` section to `docs/about/release-notes.mdx` with links to the detailed user guides. - Document that Hermes rebuilds preserve `.hermes/dashboard-home/`, including Dashboard `MEMORY.md` and `USER.md`. - Update Hermes manual backup and restore examples to transfer those two profile files without copying generated configuration or the secret-bearing dashboard `.env`. - Explain the new per-item backup failure causes. - Clarify that migration snapshot retention fragments are direct-runner arguments and are not exposed by the host `nemoclaw` CLI. ### Source summary - #6445 -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/backup-restore.mdx`, and `docs/manage-sandboxes/workspace-files.mdx`: Summarize manifest-owned key-level restore and current-config authority. - #6617 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Record the fail-closed `/proc` fallback used to verify an idle Deep Agents runtime before snapshot creation. - #6685 -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/backup-restore.mdx`, and `docs/manage-sandboxes/workspace-files.mdx`: Document Hermes Web Dashboard profile persistence and safe manual transfer. - #6649 -> `docs/about/release-notes.mdx`: Summarize host-validated loopback compatible-endpoint routing through the sandbox gateway. - #6643 -> `docs/about/release-notes.mdx`: Summarize automatic `max_completion_tokens` handling for GPT-5 and o-series models. - #6661 -> `docs/about/release-notes.mdx`: Summarize bounded connection reuse for eligible provider-validation probes. - #6704 -> `docs/about/release-notes.mdx`: Record that direct blueprint apply stops instead of persisting incomplete state after provider or inference setup fails. - #6677 -> `docs/about/release-notes.mdx`: Summarize transactional recovery for legacy Docker containers whose managed supervisor disappeared after restart. - #6625 -> `docs/about/release-notes.mdx`: Record Hermes managed-startup persistence across direct Docker restarts. - #6597 -> `docs/about/release-notes.mdx`: Record final-sandbox gateway cleanup on macOS. - #6680 -> `docs/about/release-notes.mdx`: Summarize managed Deep Agents first-run and process-tree cleanup improvements. - #6647 -> `docs/about/release-notes.mdx`: Record fail-closed validation for the managed Deep Agents fetch CA bundle. - #6645 -> `docs/about/release-notes.mdx`: Summarize WhatsApp loopback pairing and trusted npm plugin provenance. - #6673 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Document stopped-sandbox backup remediation. - #6631 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Document per-item backup failure causes. - #6620 -> `docs/about/release-notes.mdx`: Record the created-but-not-ready sandbox lifecycle receipt. - #6664 -> `docs/about/release-notes.mdx`: Record prompt-aware onboarding progress output. - #6598 -> `docs/about/release-notes.mdx`: Summarize stale replay-result invalidation during resumed onboarding. - #6593 -> `docs/about/release-notes.mdx`: Summarize contextual OpenClaw audit findings for managed dashboard compatibility settings. - #6650 -> `docs/about/release-notes.mdx`: Record redaction of token-shaped URL query values. - #6638 -> `docs/about/release-notes.mdx`: Record the exact-path MCP `DELETE` policy recipe for session termination. - #5453 -> `docs/reference/host-files-and-state.mdx`: Clarify that snapshot retention actions belong to direct runner integrations and are not standalone host CLI commands. ### Skipped from docs-skip - #6633 matched the `openclaw-sandbox-permissive.yaml` path in `docs/.docs-skip` and produced no documentation in this update. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: This is a documentation-only release-prep update; behavior is protected by the merged source PRs, and the documentation build validates the changed examples and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — tests are not applicable for this documentation-only change; `npm run docs` completed successfully. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: not run for this documentation-only change. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — 0 errors; two existing Fern warnings remain. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) — no new pages. --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Documentation** - Added release notes for v0.0.81 covering state preservation, inference setup, sandbox recovery, session setup, pairing, diagnostics, and security policy updates. - Expanded backup and restore guidance to include dashboard profile files and clarify files that must not be copied. - Added dashboard profile persistence details to workspace and rebuild documentation. - Clarified snapshot retention guidance and the distinction between host CLI capabilities and direct runner actions. - Added more detailed backup failure reporting information. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Reuse DNS resolution and HTTP(S) connections across related OpenAI-compatible provider-validation probes during onboarding. Eligible direct endpoints use a sequence-scoped Node keepalive transport, while unsupported, unsafe, or failed optimized paths retain the existing curl behavior. ## Related Issue Fixes NVIDIA#3771 ## Changes - Add a sequence-scoped Node HTTP(S) validation transport with DNS pre-resolution, keepalive connection reuse, bounded response buffering, and deterministic cleanup. - Reuse connections across Responses API, streaming validation, Chat Completions fallback, and transient HTTP retries. - Preserve hostname-based TLS verification and support multiple resolved address families. - Fall back to curl for proxies, curl-specific TLS configuration, local or sandbox endpoints, IP literals, DNS failures, connection failures, and specialized DeepSeek streaming validation. - Preserve existing timeout budgets, provider ordering, recovery prompts, authentication modes, and curl failure diagnostics. - Add trace events for transport selection, DNS resolution, socket creation/reuse, cleanup, and fallback reasons without recording credentials. - Convert affected onboarding validation and smoke-check boundaries to support asynchronous probes. - Add tests covering connection reuse, reconnects, DNS failure, proxy and TLS exclusions, origin confinement, authentication modes, streaming fallback, connection resets, and resource cleanup. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: This changes internal provider-validation transport behavior without changing commands, configuration, or documented user workflows. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Manual sensitive-path review confirmed that credentials remain request-scoped and absent from traces, sessions are confined to one origin, TLS hostname verification remains enabled, response sizes and timeouts are bounded, and uncertain paths fall back to the existing curl implementation. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [ ] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — 169 tests passed across the focused CLI, integration, and package-contract suites, including provider selection, WSL2 timeout behavior, smoke verification, fallback semantics, and connection lifecycle coverage. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: Not run; `npm run typecheck:cli` and `npm run build:cli` passed. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) Additional verification: - `npm run source-shape:check` — passed with zero source-shape cases. - `npm run source-shape:scan` — reported zero cases, assertions, and files. - `npm run test-size:check` — passed across 1,311 test files. - `git diff --check` — passed. - No new `.js`, `.cjs`, or `.mjs` files were added. - Top-level `src/lib/onboard.ts` is unchanged. - Controlled three-request benchmark with 20 ms injected DNS latency: - Keepalive session: 21.5 ms median, 22.6 ms p95. - Fresh session per request: 62.5 ms median, 65.0 ms p95. ## Parent Issue Evidence Parent issue NVIDIA#2001 is closed and locked, so implementation notes cannot be added there directly. This PR addresses its provider-validation connection-reuse work through a sequence-scoped Node HTTP(S) keepalive transport that reuses DNS resolution and connections across related probes while preserving the established curl fallback paths. Trace evidence is available through `validation_transport_selected`, `validation_dns_lookup`, `validation_socket_opened`, `validation_socket_reused`, `validation_transport_fallback`, and `validation_transport_closed`. Credentials and response bodies are not recorded in these trace attributes. A controlled three-request benchmark with 20 ms injected DNS latency measured 21.5 ms median and 22.6 ms p95 with connection reuse, compared with 62.5 ms median and 65.0 ms p95 when creating a fresh session for each request. --- Signed-off-by: Angel Mata <amata@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added an optimized OpenAI-compatible endpoint validation flow for **Responses** and **Chat Completions**, including model-specific probing for DeepSeek V4 Pro and Kimi K2.6. * Introduced an HTTP **validation session** with keep-alive behavior and stricter endpoint gating. * **Improvements** * Enforced safer request rules (origin checks, localhost/private blocking), per-request timeouts, and an 8MB response size limit. * Enhanced streaming validation plus curl-style retry/fallback behavior. * Made onboarding “smoke” verification properly async and improved execution ordering; improved sanitization/parsing for extra OpenAI-like headers. * **Tests** * Expanded coverage for keep-alive, DNS/proxy rules, authentication/header behavior, streaming/fallback logic, and async smoke verification. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Angel Mata <amata@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Release-prep documentation for v0.0.81 now summarizes user-facing changes merged since v0.0.80. It also closes the Hermes dashboard-profile backup gap and distinguishes direct blueprint-runner actions from public host CLI commands. ## Changes - Add the `v0.0.81` section to `docs/about/release-notes.mdx` with links to the detailed user guides. - Document that Hermes rebuilds preserve `.hermes/dashboard-home/`, including Dashboard `MEMORY.md` and `USER.md`. - Update Hermes manual backup and restore examples to transfer those two profile files without copying generated configuration or the secret-bearing dashboard `.env`. - Explain the new per-item backup failure causes. - Clarify that migration snapshot retention fragments are direct-runner arguments and are not exposed by the host `nemoclaw` CLI. ### Source summary - NVIDIA#6445 -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/backup-restore.mdx`, and `docs/manage-sandboxes/workspace-files.mdx`: Summarize manifest-owned key-level restore and current-config authority. - NVIDIA#6617 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Record the fail-closed `/proc` fallback used to verify an idle Deep Agents runtime before snapshot creation. - NVIDIA#6685 -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/backup-restore.mdx`, and `docs/manage-sandboxes/workspace-files.mdx`: Document Hermes Web Dashboard profile persistence and safe manual transfer. - NVIDIA#6649 -> `docs/about/release-notes.mdx`: Summarize host-validated loopback compatible-endpoint routing through the sandbox gateway. - NVIDIA#6643 -> `docs/about/release-notes.mdx`: Summarize automatic `max_completion_tokens` handling for GPT-5 and o-series models. - NVIDIA#6661 -> `docs/about/release-notes.mdx`: Summarize bounded connection reuse for eligible provider-validation probes. - NVIDIA#6704 -> `docs/about/release-notes.mdx`: Record that direct blueprint apply stops instead of persisting incomplete state after provider or inference setup fails. - NVIDIA#6677 -> `docs/about/release-notes.mdx`: Summarize transactional recovery for legacy Docker containers whose managed supervisor disappeared after restart. - NVIDIA#6625 -> `docs/about/release-notes.mdx`: Record Hermes managed-startup persistence across direct Docker restarts. - NVIDIA#6597 -> `docs/about/release-notes.mdx`: Record final-sandbox gateway cleanup on macOS. - NVIDIA#6680 -> `docs/about/release-notes.mdx`: Summarize managed Deep Agents first-run and process-tree cleanup improvements. - NVIDIA#6647 -> `docs/about/release-notes.mdx`: Record fail-closed validation for the managed Deep Agents fetch CA bundle. - NVIDIA#6645 -> `docs/about/release-notes.mdx`: Summarize WhatsApp loopback pairing and trusted npm plugin provenance. - NVIDIA#6673 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Document stopped-sandbox backup remediation. - NVIDIA#6631 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Document per-item backup failure causes. - NVIDIA#6620 -> `docs/about/release-notes.mdx`: Record the created-but-not-ready sandbox lifecycle receipt. - NVIDIA#6664 -> `docs/about/release-notes.mdx`: Record prompt-aware onboarding progress output. - NVIDIA#6598 -> `docs/about/release-notes.mdx`: Summarize stale replay-result invalidation during resumed onboarding. - NVIDIA#6593 -> `docs/about/release-notes.mdx`: Summarize contextual OpenClaw audit findings for managed dashboard compatibility settings. - NVIDIA#6650 -> `docs/about/release-notes.mdx`: Record redaction of token-shaped URL query values. - NVIDIA#6638 -> `docs/about/release-notes.mdx`: Record the exact-path MCP `DELETE` policy recipe for session termination. - NVIDIA#5453 -> `docs/reference/host-files-and-state.mdx`: Clarify that snapshot retention actions belong to direct runner integrations and are not standalone host CLI commands. ### Skipped from docs-skip - NVIDIA#6633 matched the `openclaw-sandbox-permissive.yaml` path in `docs/.docs-skip` and produced no documentation in this update. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: This is a documentation-only release-prep update; behavior is protected by the merged source PRs, and the documentation build validates the changed examples and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — tests are not applicable for this documentation-only change; `npm run docs` completed successfully. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: not run for this documentation-only change. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — 0 errors; two existing Fern warnings remain. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) — no new pages. --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Documentation** - Added release notes for v0.0.81 covering state preservation, inference setup, sandbox recovery, session setup, pairing, diagnostics, and security policy updates. - Expanded backup and restore guidance to include dashboard profile files and clarify files that must not be copied. - Added dashboard profile persistence details to workspace and rebuild documentation. - Clarified snapshot retention guidance and the distinction between host CLI capabilities and direct runner actions. - Added more detailed backup failure reporting information. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Summary
Reuse DNS resolution and HTTP(S) connections across related OpenAI-compatible provider-validation probes during onboarding. Eligible direct endpoints use a sequence-scoped Node keepalive transport, while unsupported, unsafe, or failed optimized paths retain the existing curl behavior.
Related Issue
Fixes #3771
Changes
Type of Change
Quality Gates
Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — command/result: Not run;npm run typecheck:cliandnpm run build:clipassed.npm run docsbuilds without warnings (doc changes only)Additional verification:
npm run source-shape:check— passed with zero source-shape cases.npm run source-shape:scan— reported zero cases, assertions, and files.npm run test-size:check— passed across 1,311 test files.git diff --check— passed..js,.cjs, or.mjsfiles were added.src/lib/onboard.tsis unchanged.Parent Issue Evidence
Parent issue #2001 is closed and locked, so implementation notes cannot be added there directly. This PR addresses its provider-validation connection-reuse work through a sequence-scoped Node HTTP(S) keepalive transport that reuses DNS resolution and connections across related probes while preserving the established curl fallback paths.
Trace evidence is available through
validation_transport_selected,validation_dns_lookup,validation_socket_opened,validation_socket_reused,validation_transport_fallback, andvalidation_transport_closed. Credentials and response bodies are not recorded in these trace attributes.A controlled three-request benchmark with 20 ms injected DNS latency measured 21.5 ms median and 22.6 ms p95 with connection reuse, compared with 62.5 ms median and 65.0 ms p95 when creating a fresh session for each request.
Signed-off-by: Angel Mata amata@nvidia.com
Summary by CodeRabbit
New Features
Improvements
Tests