fix(e2e): align gateway upgrade evidence matrix#7055
Conversation
Co-authored-by: Aaron Erickson <aerickson@nvidia.com> Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe OpenShell gateway upgrade E2E job now uses top-level matrix fields for identifiers, runners, shards, environment values, and artifact names. Boundary validation and PR gate tests verify the updated matrix and shard contracts. ChangesOpenShell gateway upgrade workflow
Estimated code review effort: 3 (Moderate) | ~20 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
PR Review Advisor — InformationalAdvisor assessment: Informational / high confidence Model lanes
Nemotron output stays in workflow artifacts and does not change the assessment above. E2E guidanceAdvisory only. E2E / PR Gate selects and runs jobs independently. Recommended E2E: 1 optional E2E recommendation
This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge. |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 80%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
|
@cv Human review requested for exact head |
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
|
Release sequencing hold: please land #7054 before this PR. #7054 fixes the native retry observer used by this workflow path, and merging #7055 first would invalidate #7054 exact-head/base evidence and force another full protected E2E cycle. Current #7055 head |
|
Sequencing update after the refresh to head
After #7065 lands, refresh this branch on the repaired |
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
|
Maintainer refresh update for the exact landing candidate:
Once ordinary CI and automated review are clean and the controller records the expected explicit maintainer-authorization requirement, the next step is an exact-SHA |
<!-- markdownlint-disable MD041 --> ## Summary This PR upgrades every stable NemoClaw OpenShell selector and consumed artifact from `0.0.72` to stable `0.0.85`, including the #6379 credential-rewrite fix and OpenShell's multiline exec contract. Stable `v0.0.85` is verified at [`3dee5570a46076a57a3b056f35f35ebc0861ac85`](NVIDIA/OpenShell@3dee557). Base-owned structured trust landed in #6778 and #6779, the exact `v0.0.85` manifest identities landed separately in #7069, and the controller-compatible legacy gateway evidence matrix landed in #7055. The branch is refreshed on current `main`. Exact-head GitHub CI, automated review, protected runtime proofs, and platform-specific acceptance are running or pending below. ## Related Issue Fixes #6379. ## Changes - [x] Audit all 13 adjacent OpenShell ranges from `v0.0.72` through `v0.0.85`: 67 commits and 283 changed paths, including the unpublished `v0.0.84` source boundary. Release notes were treated as leads rather than proof. - [x] Verify stable tag `v0.0.85` at `3dee5570`, successful producer run [`29507522595`](https://github.com/NVIDIA/OpenShell/actions/runs/29507522595), and inclusion of required credential fix `40194f93`. - [x] Advance the blueprint floor/ceiling, installer floor/ceiling/dev floor, Brev defaults, stable E2E gateway-auth pin, supervisor index, sandbox-build fallback, credential manifest, current docs, and user-visible messages to `0.0.85`. - [x] Pin all eight CLI/gateway/sandbox release archives, three component manifests, extracted release-binary identities, and the multi-arch supervisor image to immutable `v0.0.85` identities. Historical `0.0.72` and `0.0.82` references remain only where cleanup, fallback, trust, or compatibility evidence requires them. - [x] Retain both `v0.0.82` standalone sandbox digest fallbacks when host-side `--version` cannot run, and exercise the true `0.0.86` above-maximum boundary. - [x] Replace the migration ledger with `docs/security/openshell-0.0.85-migration-review.md`, covering the complete range, dependency delta, consumed contracts, evidence-backed exclusions, mitigations, and blocking runtime/release gates. - [x] Reject OpenShell's revisioned credential-name namespace before provider mutation while preserving cleanup of persisted legacy entries across host and Hermes adapters. - [x] Report OpenShell's fail-closed `CONNECT 503` as unavailable TLS credential rewriting instead of a generic curl transport error. - [x] Preserve LF, CR, CRLF, quotes, and heredocs byte-exactly across multiline exec while retaining NUL, multiline-workdir, and request-environment boundaries. - [x] Reject supervisor-only `OPENSHELL_TLS_CA`, `OPENSHELL_TLS_CERT`, and `OPENSHELL_TLS_KEY` if an entrypoint, exec, or connect child receives them. - [x] Validate that each selected OpenShell archive contains exactly one expected regular binary before extraction; reject absolute paths, traversal, duplicates, extras, links, and devices. - [ ] Prove the exact head on the supported Linux x86, macOS Docker Desktop/Colima, WSL, Colossus, and DGX Spark paths selected by CI/advisor. - [ ] On a physical Docker 27 DGX Spark arm64 host, prove honest `mcp status`, real credential substitution, an authenticated MCP tool call, rotation/rebuild/removal behavior, and absence of literal `openshell:resolve:env:` leakage. - [ ] Record the platform decision for Docker 27 versus upstream OpenShell's Docker 28 requirement. ## Release provenance - All eight consumed release archives have valid GitHub SLSA attestations bound to source commit `3dee5570`; the three published checksum manifests and all ten installer/Brev references were independently reverified after the update. - The selected supervisor image is the immutable multi-arch index `sha256:f4226253a3525c3832adac5b38b419a0f27d1e915effe565b5885e20f93cd5e9`. - GitHub currently exposes no OCI referrer/attestation/SBOM for that supervisor image, and its configs contain no source/revision/version labels. The review records that upstream provenance limitation rather than inferring missing evidence. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending exact-head maintainer review - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes DCO sign-off declarations and all 78 commits currently appear as `Verified` in GitHub - [x] Normal commit/push hooks and `npm run check:diff` passed; the generated-platform citation repair is signed, and current exact head `610f7cd9ff9cc8d3fdc47f40271d0b56b452a0cc` is GitHub-verified - [x] The checker is byte-identical to current `main`; the base-owned `scripts/check-installer-hash.sh` passed all three manifests and all ten consumed release references against published `v0.0.85` assets - [x] Focused current-head repairs passed: feature gate 15/15, installer integration 47 passed with 1 intentional skip, installer-hash and migration ledger 78/78, gateway workflow boundary 4/4, PR E2E controller 27/27, and generated platform docs 19/19 - [x] Broader compatibility, MCP boundary, Hermes, and E2E-support tests passed earlier in the migration; the opt-in version-pin live suite passed all three `gh` and curl paths - [x] The #7046 conflict refresh preserves all four gateway-upgrade shards and the typed DCode target; combined integration passed 172/172, serial E2E-support passed 1,156 with 2 intentional skips, and file-size/project-membership checks passed - [x] `npm run docs` completed successfully, including generated variants, route validation, and Fern checks (0 errors; 2 existing warnings) - [ ] Exact-head GitHub CI, automated review, and protected E2E passed — ordinary CI, both advisor lanes, and protected E2E are running or pending at head `610f7cd9ff9cc8d3fdc47f40271d0b56b452a0cc` - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) — the security review has the required SPDX header and is not a Fern page. --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Apurv Kumaria <akumaria@nvidia.com> Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
Summary
The trusted PR E2E controller currently cannot select the existing OpenShell gateway-upgrade job because that job uses an unsupported named matrix. This change expresses the same three upgrade fixtures with the controller-supported
matrix.includecontract and gives each fixture a unique evidence shard, allowing the exact-head gate for #6726 to proceed after this PR is merged.Changes
matrix.legacytomatrix.includewithout changing its three release fixtures.NEMOCLAW_E2E_SHARDfor each fixture and retain fixture-specific artifact names.Type of Change
Quality Gates
Verification
Signed-off-by:line and every commit appears asVerifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailabletest/pr-e2e-gate.test.ts(27 passed) and gateway/artifact E2E workflow boundary tests (11 passed).npm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — not applicable because the change is confined to one workflow job and its focused contracts.npm run docsbuilds without warnings (doc changes only)Signed-off-by: Apurv Kumaria akumaria@nvidia.com
Summary by CodeRabbit
Refactor
Tests