chore(openshell): upgrade supported version to 0.0.85#6726
Conversation
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughOpenShell is pinned from 0.0.72 to 0.0.82 across installers, manifests, blueprint constraints, tests, and documentation. Sandbox execution now supports native multiline argv transport. Supervisor-only TLS variables are rejected, and credential-generation-window and exact-main runtime proofs are integrated into MCP E2E workflows. ChangesOpenShell 0.0.82 migration
Estimated code review effort: 5 (Critical) | ~120 minutes Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
PR Review Advisor — InformationalAdvisor assessment: Informational / high confidence Model lanes
Nemotron output stays in workflow artifacts and does not change the assessment above. Since last review: 0 prior items resolved · 0 still apply · 0 new items found E2E guidanceAdvisory only. E2E / PR Gate selects and runs jobs independently. Recommended E2E: 1 optional E2E recommendation
This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge. |
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 80%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
|
🌿 Preview your docs: https://nvidia-preview-pr-6726.docs.buildwithfern.com/nemoclaw |
E2E Target Results — ❌ Some tests failedRun: 29207131689
|
E2E Target Results — ✅ All requested tests passedRun: 29207131689
|
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary This PR extends the base-owned OpenShell release-manifest trust anchor to stable `v0.0.85`. It is the narrow prerequisite that allows PR #6726 to verify the `v0.0.85` checksums, gateway, and sandbox manifests before proposed branch code executes. ## Changes - Retain the existing `v0.0.72` and `v0.0.82` trusted manifest identities. - Add the three published `v0.0.85` manifest SHA-256 identities independently verified against the stable release. - Keep the candidate version selectors and consumed artifact pins out of this base-owned trust change; those remain in PR #6726. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [ ] Tests added or updated for changed behavior - [x] Existing tests cover changed behavior — justification: `test/installer-hash-check.test.ts` enforces the manifest allowlist contract, and the base-owned checker passed all three manifests plus all ten consumed `v0.0.85` artifact references from PR #6726. - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: this is an internal release-manifest trust prerequisite; the OpenShell version migration and user-facing documentation remain in PR #6726. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending maintainer review - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes a `Signed-off-by:` line and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run --project integration test/installer-hash-check.test.ts` (69 passed); `NEMOCLAW_INSTALLER_HASH_REPO_ROOT=/private/tmp/nemoclaw-pr6726-v85.cJMI5J/wt scripts/check-installer-hash.sh` (3 manifests and 10 consumed references passed) - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated trusted release verification data for OpenShell version 0.0.85. * Installer integrity checks now recognize the official checksum manifests for this release. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary The trusted PR E2E controller currently cannot select the existing OpenShell gateway-upgrade job because that job uses an unsupported named matrix. This change expresses the same three upgrade fixtures with the controller-supported `matrix.include` contract and gives each fixture a unique evidence shard, allowing the exact-head gate for #6726 to proceed after this PR is merged. ## Changes - Convert the existing OpenShell gateway-upgrade matrix from `matrix.legacy` to `matrix.include` without changing its three release fixtures. - Publish a unique, safe `NEMOCLAW_E2E_SHARD` for each fixture and retain fixture-specific artifact names. - Update the gateway-upgrade boundary and PR controller tests to enforce the supported evidence contract. - Preserve and credit the original gateway-upgrade contributors, Aaron Erickson and Prekshi Vyas, as co-authors. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: this only changes the internal trusted E2E evidence matrix and controller contract; user-facing behavior is unchanged. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending human review of the trusted workflow change. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes a `Signed-off-by:` line and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `test/pr-e2e-gate.test.ts` (27 passed) and gateway/artifact E2E workflow boundary tests (11 passed). - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — not applicable because the change is confined to one workflow job and its focused contracts. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Streamlined the OpenShell gateway upgrade workflow matrix configuration. * Updated job, runner, shard, environment, and artifact handling to use the revised matrix fields. * **Tests** * Updated workflow validation coverage for runner, shard, fixture, and artifact requirements. * Added validation for expected upgrade workflow signal shards. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Co-authored-by: Aaron Erickson <aerickson@nvidia.com> Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: cjagwani <cjagwani@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
…85-6726 # Conflicts: # test/e2e/support/openshell-gateway-upgrade-workflow-boundary.test.ts # test/pr-e2e-gate.test.ts # tools/e2e/openshell-gateway-upgrade-workflow-boundary.mts
|
@coderabbitai review |
✅ Action performedReview finished.
|
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
|
@cv Exact-head handoff after resolving the #7046 conflict: current head
The sole check still pending is protected E2E coordination. A maintainer/admin should run E2E / PR Gate Controller from
This supersedes all earlier dispatch requests. After protected E2E, the stale |
<!-- markdownlint-disable MD041 --> ## Summary Add the canonical dated changelog entry required before the v0.0.85 release plan can be generated. The entry summarizes the user-visible OpenShell, DGX Station, inference, MCP, onboarding, and recovery changes merged since v0.0.84 and links to their owning guides. ## Changes - Add `docs/changelog/2026-07-16.mdx` with the exact `## v0.0.85` heading, parser-safe SPDX comment, release summary, and detailed bullets. - Link every documented theme to its most specific published OpenClaw guide routes. - Reconcile the release entry with these merged source PRs: - #6726 -> `docs/changelog/2026-07-16.mdx`: Document the supported OpenShell v0.0.85 upgrade, immutable consumed artifacts, multiline exec, credential rewrite diagnostics, and child-process TLS boundary. - #6986 -> `docs/changelog/2026-07-16.mdx`: Document managed MCP behavior shared across supported agents. - #6991 and #7045 -> `docs/changelog/2026-07-16.mdx`: Document qualified DGX Station host preparation and the interactive-terminal boundary for `--station-deepseek`. - #6992, #7001, #7006, and #7044 -> `docs/changelog/2026-07-16.mdx`: Document managed-model reasoning behavior, safe inference route mutation, and verified vLLM served aliases. - #6865, #7010, and #7028 -> `docs/changelog/2026-07-16.mdx`: Document onboarding DNS recovery, explicit notice acceptance, and upgrades with user-local OpenShell. - #7005, #7021, #7029, and #7049 -> `docs/changelog/2026-07-16.mdx`: Document rebuild backup safety, no-dashboard state, managed gateway discovery, and Hermes shields topology checks. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [ ] Tests added or updated for changed behavior - [x] Existing tests cover changed behavior — justification: `test/changelog-docs.test.ts` validates the canonical heading, parser-safe SPDX comment, and detailed entry structure; the docs build validates published routes. - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes a `Signed-off-by:` line and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run test/changelog-docs.test.ts` passed 6/6. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — not applicable to this doc-only entry. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — passed with 0 errors and 2 pre-existing Fern warnings. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [x] New doc pages include SPDX header and frontmatter (new pages only) — native changelog entries use the required parser-safe MDX SPDX comment instead of frontmatter. --- Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added release notes for NemoClaw v0.0.85. * Documented improvements to compatibility, credential handling, setup validation, recovery workflows, endpoint configuration, gateway discovery, and runtime validation. * Added links to relevant user-guide sections. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Summary
This PR upgrades every stable NemoClaw OpenShell selector and consumed artifact from
0.0.72to stable0.0.85, including the #6379 credential-rewrite fix and OpenShell's multiline exec contract. Stablev0.0.85is verified at3dee5570a46076a57a3b056f35f35ebc0861ac85. Base-owned structured trust landed in #6778 and #6779, the exactv0.0.85manifest identities landed separately in #7069, and the controller-compatible legacy gateway evidence matrix landed in #7055.The branch is refreshed on current
main. Exact-head GitHub CI, automated review, protected runtime proofs, and platform-specific acceptance are running or pending below.Related Issue
Fixes #6379.
Changes
v0.0.72throughv0.0.85: 67 commits and 283 changed paths, including the unpublishedv0.0.84source boundary. Release notes were treated as leads rather than proof.v0.0.85at3dee5570, successful producer run29507522595, and inclusion of required credential fix40194f93.0.0.85.v0.0.85identities. Historical0.0.72and0.0.82references remain only where cleanup, fallback, trust, or compatibility evidence requires them.v0.0.82standalone sandbox digest fallbacks when host-side--versioncannot run, and exercise the true0.0.86above-maximum boundary.docs/security/openshell-0.0.85-migration-review.md, covering the complete range, dependency delta, consumed contracts, evidence-backed exclusions, mitigations, and blocking runtime/release gates.CONNECT 503as unavailable TLS credential rewriting instead of a generic curl transport error.OPENSHELL_TLS_CA,OPENSHELL_TLS_CERT, andOPENSHELL_TLS_KEYif an entrypoint, exec, or connect child receives them.mcp status, real credential substitution, an authenticated MCP tool call, rotation/rebuild/removal behavior, and absence of literalopenshell:resolve:env:leakage.Release provenance
3dee5570; the three published checksum manifests and all ten installer/Brev references were independently reverified after the update.sha256:f4226253a3525c3832adac5b38b419a0f27d1e915effe565b5885e20f93cd5e9.Type of Change
Quality Gates
Verification
Verifiedin GitHubnpm run check:diffpassed; the generated-platform citation repair is signed, and current exact head610f7cd9ff9cc8d3fdc47f40271d0b56b452a0ccis GitHub-verifiedmain; the base-ownedscripts/check-installer-hash.shpassed all three manifests and all ten consumed release references against publishedv0.0.85assetsghand curl pathsnpm run docscompleted successfully, including generated variants, route validation, and Fern checks (0 errors; 2 existing warnings)610f7cd9ff9cc8d3fdc47f40271d0b56b452a0ccSigned-off-by: Aaron Erickson aerickson@nvidia.com
Signed-off-by: Charan Jagwani cjagwani@nvidia.com