Skip to content

fix(ci): run selected typed targets in PR E2E#7046

Merged
apurvvkumaria merged 13 commits into
mainfrom
codex/fix-pr-e2e-typed-target
Jul 17, 2026
Merged

fix(ci): run selected typed targets in PR E2E#7046
apurvvkumaria merged 13 commits into
mainfrom
codex/fix-pr-e2e-typed-target

Conversation

@cv

@cv cv commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

PR E2E risk plans now select the exact Deep Agents Code typed target when its headless-inference check changes, so #7032 can receive its required live regression instead of only the control-plane floor jobs. The controller dispatches jobs and that target in one bound run while preserving exact-SHA authorization, fork, stale-revision, and secret-scope boundaries.

Changes

  • Extend deterministic risk plan v4 with requiredTargets for the current Deep Agents Code check-to-target requirement. The PR gate consumes this field because a free-standing workflow job cannot address the registry target; pr-risk-plan.test.ts and pr-e2e-gate-typed-target.test.ts protect the mapping and evidence contract.
  • Permit one workflow run to combine selected jobs with the exact allowlisted ubuntu-repo-cloud-langchain-deepagents-code target. The trusted workflow independently rejects unapproved controller target input and requires the generated matrix IDs to exactly match that selection before exposing any matrix output or starting credential-bearing work.
  • Bind typed-target evidence to matrix.id, upload its default-shard signal, and fail closed for missing, duplicate, skipped, malformed, stale, or unauthorized evidence.
  • Carry targets through E2E recommendations and PR review context, and update the maintainer runbook and merge-gate guidance for combined selections.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: This changes internal maintainer CI selection and evidence. Maintainer runbooks were updated; the documentation review found no supported product behavior, Fern page, or changelog change.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: The exact target is independently allowlisted in the trusted controller workflow and gate code, and the workflow requires exact equality between the trusted controller selection and the PR-generated matrix before any credential-bearing job. PR-modified execution remains behind exact-head/base run-control-plane authorization, forks and stale revisions do not dispatch, and the NVIDIA inference secret remains scoped to the existing live-test step.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes a Signed-off-by: line and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — focused controller integration: 161 passed; workflow/E2E support: 81 passed; advisor consumers: 123 passed; final split target-gate regression: 29 passed; npm run test:changed: 208 passed; npm run build:cli && npm run typecheck:cli: passed. After binding the generated matrix to the controller selection: focused controller integration: 142 passed; workflow/E2E support: 113 passed; npm run typecheck:cli: passed. CodeRabbit PATH follow-up: workflow-boundary test 31 passed.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result: Focused control-plane contracts and the changed-test lane were used for this narrow prerequisite.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

  • New Features
    • Added typed E2E target selection alongside jobs, supporting combined job+target plans and unified PR E2E gate dispatch/state handling.
    • Risk planning now tracks and recommends required targets (including Deep Agents headless typed checks).
  • Bug Fixes
    • Strengthened gate authorization and “fail-closed” behavior for both jobs and typed targets.
    • Improved controller-vs-matrix correlation, including stricter selector/matrix consistency checks.
  • Documentation
    • Updated the PR E2E gate workflow contract to reflect typed targets and “no run” semantics.
  • Tests
    • Expanded E2E/PR-gate coverage for typed targets, trusted controller matrix validation, and risk-signal/artifact contracts.

Signed-off-by: Charan Jagwani cjagwani@nvidia.com

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv added the area: security Security controls, permissions, secrets, or hardening label Jul 16, 2026
@cv cv self-assigned this Jul 16, 2026
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The PR adds allowlisted typed-target selection across E2E risk plans, workflow dispatch, PR gate state, evidence validation, controller orchestration, tests, and maintainer documentation. Jobs and typed targets can now be dispatched and evaluated together.

Changes

Typed-target E2E gate

Layer / File(s) Summary
Risk-plan typed-target contracts
tools/advisors/risk-plan.mts, tools/advisors/e2e-recommendations.mts, tools/pr-review-advisor/analyze.mts, test/pr-risk-plan.test.ts
Risk plans detect the DeepAgents typed target, include target requirements in hashes and recommendations, and expose target data to review analysis.
Combined workflow selector execution
.github/workflows/e2e.yaml, tools/e2e/workflow-plan.mts, tools/e2e/workflow-boundary.mts, tools/e2e/operations-workflow-boundary.mts, tools/e2e/upload-e2e-artifacts-workflow-boundary.mts, test/e2e/support/*
Workflow dispatch accepts approved jobs and targets together, validates matrix/controller consistency, binds matrix target identity, and uploads risk-signal.json.
PR gate target state and evidence contracts
tools/e2e/pr-e2e-gate.mts, test/pr-e2e-gate*.test.ts
Gate state, dispatch inputs, expected shards, signal validation, and evidence classification now cover typed targets and combined selections.
Combined selection orchestration and maintainer flows
test/e2e/README.md, test/pr-e2e-gate-fork-skip.test.ts, .agents/skills/nemoclaw-maintainer-day/MERGE-GATE.md
Fork handling, authorization, lifecycle output, skip procedures, and evidence wording now describe jobs and targets as E2E checks.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PRController
  participant RiskPlan
  participant E2EWorkflow
  participant LiveVitest
  participant PRGate
  PRController->>RiskPlan: Build jobs and typed-target requirements
  RiskPlan->>PRController: Required selections and plan hash
  PRController->>E2EWorkflow: Dispatch jobs and approved targets
  E2EWorkflow->>LiveVitest: Run generated matrix target
  LiveVitest->>PRGate: Publish risk-signal evidence
  PRGate->>PRController: Classify evidence and update gate
Loading

Possibly related PRs

Suggested labels: bug-fix, area: ci, area: e2e

Suggested reviewers: apurvvkumaria, ericksoa, jyaunches

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately summarizes the main change: running selected typed targets in PR E2E.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-pr-e2e-typed-target

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.


Updated July 17, 2026 04:16 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@cv cv added the v0.0.85 Release target label Jul 16, 2026
@cv
cv requested review from ericksoa and jyaunches July 16, 2026 20:42

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.agents/skills/nemoclaw-maintainer-day/MERGE-GATE.md:
- Line 39: The E2E control-plane automatic-dispatch boundary is missing
tools/e2e/pr-e2e-required.mts. Update the “E2E control-plane authorization”
description in MERGE-GATE.md to include that file alongside
.github/workflows/pr-e2e-gate.yaml and tools/e2e/pr-e2e-gate.mts, preserving the
existing trusted-boundary behavior.

In @.github/workflows/e2e.yaml:
- Around line 164-171: Validate the matrix produced by workflow-plan.mts at the
controller-dispatch boundary before launching any credential-bearing jobs. For
controller dispatches, require the sorted matrix[].id set to exactly match
TARGETS, including an empty matrix when TARGETS is empty, and reject any
PR-generated or unallowlisted target. Add the same invariant coverage to the
workflow-boundary tests.

In `@test/pr-e2e-gate-typed-target.test.ts`:
- Around line 58-94: Append the required local issue reference as a final
“(`#1234`)” suffix to the parent describe title in
test/pr-e2e-gate-typed-target.test.ts. Also update test/pr-e2e-gate.test.ts at
the cited site by appending the same suffix to its title or ensuring its
enclosing describe provides it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 97f2e5b4-24d1-47ba-ac20-de6ade7c1b44

📥 Commits

Reviewing files that changed from the base of the PR and between 41a5885 and 9ce7faa.

📒 Files selected for processing (19)
  • .agents/skills/nemoclaw-maintainer-day/MERGE-GATE.md
  • .github/workflows/e2e.yaml
  • test/e2e/README.md
  • test/e2e/support/e2e-workflow.test.ts
  • test/e2e/support/workflow-plan.test.ts
  • test/pr-e2e-gate-fork-skip.test.ts
  • test/pr-e2e-gate-lifecycle.test.ts
  • test/pr-e2e-gate-typed-target.test.ts
  • test/pr-e2e-gate-workflow.test.ts
  • test/pr-e2e-gate.test.ts
  • test/pr-risk-plan.test.ts
  • tools/advisors/e2e-recommendations.mts
  • tools/advisors/risk-plan.mts
  • tools/e2e/operations-workflow-boundary.mts
  • tools/e2e/pr-e2e-gate.mts
  • tools/e2e/upload-e2e-artifacts-workflow-boundary.mts
  • tools/e2e/workflow-boundary.mts
  • tools/e2e/workflow-plan.mts
  • tools/pr-review-advisor/analyze.mts

Comment thread .agents/skills/nemoclaw-maintainer-day/MERGE-GATE.md Outdated
Comment thread .github/workflows/e2e.yaml
Comment thread test/pr-e2e-gate-typed-target.test.ts Outdated
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Advisor assessment: Informational / high confidence
Next action: No advisor follow-up needed.
Findings: 0 blockers · 0 warnings · 0 suggestions
Status: No actionable findings remain in the canonical review ledger.

Model lanes

  • GPT-5.6 Terra (primary): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Nemotron 3 Ultra (second opinion): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Model comparison: normalized findings match; normalized E2E selections differ; severity counts match.

Nemotron output stays in workflow artifacts and does not change the assessment above.

E2E guidance

Advisory only. E2E / PR Gate selects and runs jobs independently.

Recommended E2E: cloud-onboard, credential-sanitization, security-posture, ubuntu-repo-cloud-langchain-deepagents-code

2 optional E2E recommendations
  • inference-routing
  • network-policy

Workflow run details

This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/e2e/support/e2e-report-to-pr-workflow-boundary.test.ts (1)

82-82: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Use a POSIX : separator for this Bash test.

Line 82 uses path.delimiter, which becomes ; under Windows Node even though the generated script runs under Bash and requires :. Use ${binDirectory}:${process.env.PATH ?? ""} to keep the fake npx discoverable.

Based on learnings, this repository’s tests use the POSIX : separator because CI runs on Linux/WSL.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/support/e2e-report-to-pr-workflow-boundary.test.ts` at line 82,
Update the PATH assignment in the test environment setup to use a literal POSIX
colon separator instead of path.delimiter, ensuring the generated Bash script
can discover the fake npx executable. Preserve the existing binDirectory prefix
and empty-PATH fallback.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e/support/e2e-report-to-pr-workflow-boundary.test.ts`:
- Line 82: Update the PATH assignment in the test environment setup to use a
literal POSIX colon separator instead of path.delimiter, ensuring the generated
Bash script can discover the fake npx executable. Preserve the existing
binDirectory prefix and empty-PATH fallback.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 879deb41-2046-403c-96ab-a7995b347277

📥 Commits

Reviewing files that changed from the base of the PR and between 9ce7faa and 7e2251e.

📒 Files selected for processing (8)
  • .agents/skills/nemoclaw-maintainer-day/MERGE-GATE.md
  • .github/workflows/e2e.yaml
  • test/e2e/README.md
  • test/e2e/support/e2e-report-to-pr-workflow-boundary.test.ts
  • test/e2e/support/e2e-workflow.test.ts
  • test/pr-e2e-gate-typed-target.test.ts
  • test/pr-e2e-gate.test.ts
  • tools/e2e/workflow-boundary.mts
🚧 Files skipped from review as they are similar to previous changes (6)
  • test/e2e/support/e2e-workflow.test.ts
  • test/pr-e2e-gate-typed-target.test.ts
  • .github/workflows/e2e.yaml
  • test/e2e/README.md
  • test/pr-e2e-gate.test.ts
  • tools/e2e/workflow-boundary.mts

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv
cv requested a review from apurvvkumaria July 16, 2026 21:38
cjagwani added 2 commits July 16, 2026 14:42
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
cjagwani and others added 3 commits July 16, 2026 19:29
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@apurvvkumaria
apurvvkumaria enabled auto-merge (squash) July 17, 2026 01:19
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@cjagwani
cjagwani disabled auto-merge July 17, 2026 03:20
@apurvvkumaria
apurvvkumaria enabled auto-merge (squash) July 17, 2026 03:25
@cv

cv commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator Author

Maintainer exact-head update for the landing candidate:

The prior approval is attached to parent head 7ae234b798ac242bd30422b3ba9a7d31c0a0ad69. @apurvvkumaria @jyaunches @ericksoa, please review/approve the final exact head 30f3a6cdb3f7a65ec3c0e4bfdac2de717bcb3c53 once the native E2E observer turns green. Human merge remains separate.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv

cv commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator Author

The first credentialed gate for 30f3a6cdb3f7a65ec3c0e4bfdac2de717bcb3c53 failed only in the Hermes security-posture shard during automatic recovery; the other selected shards passed. That failure is outside this PR's runtime/test diff and the same shard passed on the immediately preceding release candidate.

I pushed signed, Verified commit 43e53e75fa6fc0dd8f96a767698841907da2da21 to create a fresh immutable gate target. Its tree is exactly identical to 30f3a6cdb3f7a65ec3c0e4bfdac2de717bcb3c53 (1817487afd8accabebb56f6b68e273b389f944d0); there is no code change. Per the fail-closed policy, this is the single retry. If Hermes recovery fails again, we will stop and fix the underlying issue instead of retrying.

Please attach/confirm human approval on exact head 43e53e75fa6fc0dd8f96a767698841907da2da21 after the fresh checks are green.

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@apurvvkumaria
apurvvkumaria merged commit c84cb72 into main Jul 17, 2026
66 of 69 checks passed
@apurvvkumaria
apurvvkumaria deleted the codex/fix-pr-e2e-typed-target branch July 17, 2026 04:17
cjagwani added a commit that referenced this pull request Jul 17, 2026
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
apurvvkumaria added a commit that referenced this pull request Jul 17, 2026
<!-- markdownlint-disable MD041 -->
## Summary

This PR upgrades every stable NemoClaw OpenShell selector and consumed
artifact from `0.0.72` to stable `0.0.85`, including the #6379
credential-rewrite fix and OpenShell's multiline exec contract. Stable
`v0.0.85` is verified at
[`3dee5570a46076a57a3b056f35f35ebc0861ac85`](NVIDIA/OpenShell@3dee557).
Base-owned structured trust landed in #6778 and #6779, the exact
`v0.0.85` manifest identities landed separately in #7069, and the
controller-compatible legacy gateway evidence matrix landed in #7055.

The branch is refreshed on current `main`. Exact-head GitHub CI,
automated review, protected runtime proofs, and platform-specific
acceptance are running or pending below.

## Related Issue

Fixes #6379.

## Changes

- [x] Audit all 13 adjacent OpenShell ranges from `v0.0.72` through
`v0.0.85`: 67 commits and 283 changed paths, including the unpublished
`v0.0.84` source boundary. Release notes were treated as leads rather
than proof.
- [x] Verify stable tag `v0.0.85` at `3dee5570`, successful producer run
[`29507522595`](https://github.com/NVIDIA/OpenShell/actions/runs/29507522595),
and inclusion of required credential fix `40194f93`.
- [x] Advance the blueprint floor/ceiling, installer floor/ceiling/dev
floor, Brev defaults, stable E2E gateway-auth pin, supervisor index,
sandbox-build fallback, credential manifest, current docs, and
user-visible messages to `0.0.85`.
- [x] Pin all eight CLI/gateway/sandbox release archives, three
component manifests, extracted release-binary identities, and the
multi-arch supervisor image to immutable `v0.0.85` identities.
Historical `0.0.72` and `0.0.82` references remain only where cleanup,
fallback, trust, or compatibility evidence requires them.
- [x] Retain both `v0.0.82` standalone sandbox digest fallbacks when
host-side `--version` cannot run, and exercise the true `0.0.86`
above-maximum boundary.
- [x] Replace the migration ledger with
`docs/security/openshell-0.0.85-migration-review.md`, covering the
complete range, dependency delta, consumed contracts, evidence-backed
exclusions, mitigations, and blocking runtime/release gates.
- [x] Reject OpenShell's revisioned credential-name namespace before
provider mutation while preserving cleanup of persisted legacy entries
across host and Hermes adapters.
- [x] Report OpenShell's fail-closed `CONNECT 503` as unavailable TLS
credential rewriting instead of a generic curl transport error.
- [x] Preserve LF, CR, CRLF, quotes, and heredocs byte-exactly across
multiline exec while retaining NUL, multiline-workdir, and
request-environment boundaries.
- [x] Reject supervisor-only `OPENSHELL_TLS_CA`, `OPENSHELL_TLS_CERT`,
and `OPENSHELL_TLS_KEY` if an entrypoint, exec, or connect child
receives them.
- [x] Validate that each selected OpenShell archive contains exactly one
expected regular binary before extraction; reject absolute paths,
traversal, duplicates, extras, links, and devices.
- [ ] Prove the exact head on the supported Linux x86, macOS Docker
Desktop/Colima, WSL, Colossus, and DGX Spark paths selected by
CI/advisor.
- [ ] On a physical Docker 27 DGX Spark arm64 host, prove honest `mcp
status`, real credential substitution, an authenticated MCP tool call,
rotation/rebuild/removal behavior, and absence of literal
`openshell:resolve:env:` leakage.
- [ ] Record the platform decision for Docker 27 versus upstream
OpenShell's Docker 28 requirement.

## Release provenance

- All eight consumed release archives have valid GitHub SLSA
attestations bound to source commit `3dee5570`; the three published
checksum manifests and all ten installer/Brev references were
independently reverified after the update.
- The selected supervisor image is the immutable multi-arch index
`sha256:f4226253a3525c3832adac5b38b419a0f27d1e915effe565b5885e20f93cd5e9`.
- GitHub currently exposes no OCI referrer/attestation/SBOM for that
supervisor image, and its configs contain no source/revision/version
labels. The review records that upstream provenance limitation rather
than inferring missing evidence.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: pending exact-head
maintainer review
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes DCO sign-off declarations and all 78
commits currently appear as `Verified` in GitHub
- [x] Normal commit/push hooks and `npm run check:diff` passed; the
generated-platform citation repair is signed, and current exact head
`610f7cd9ff9cc8d3fdc47f40271d0b56b452a0cc` is GitHub-verified
- [x] The checker is byte-identical to current `main`; the base-owned
`scripts/check-installer-hash.sh` passed all three manifests and all ten
consumed release references against published `v0.0.85` assets
- [x] Focused current-head repairs passed: feature gate 15/15, installer
integration 47 passed with 1 intentional skip, installer-hash and
migration ledger 78/78, gateway workflow boundary 4/4, PR E2E controller
27/27, and generated platform docs 19/19
- [x] Broader compatibility, MCP boundary, Hermes, and E2E-support tests
passed earlier in the migration; the opt-in version-pin live suite
passed all three `gh` and curl paths
- [x] The #7046 conflict refresh preserves all four gateway-upgrade
shards and the typed DCode target; combined integration passed 172/172,
serial E2E-support passed 1,156 with 2 intentional skips, and
file-size/project-membership checks passed
- [x] `npm run docs` completed successfully, including generated
variants, route validation, and Fern checks (0 errors; 2 existing
warnings)
- [ ] Exact-head GitHub CI, automated review, and protected E2E passed —
ordinary CI, both advisor lanes, and protected E2E are running or
pending at head `610f7cd9ff9cc8d3fdc47f40271d0b56b452a0cc`
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)
— the security review has the required SPDX header and is not a Fern
page.

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: security Security controls, permissions, secrets, or hardening v0.0.85 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants