chore(openshell): trust v0.0.85 release manifests#7069
Conversation
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe installer hash verification script adds three pinned OpenShell 0.0.85 checksum manifest digests to its trusted allowlist without changing validation logic or control flow. ChangesInstaller hash verification
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. Code Coverage is in Public Preview. Learn more and provide us with your feedback. |
PR Review Advisor — InformationalAdvisor assessment: Informational / high confidence Model lanes
Nemotron output stays in workflow artifacts and does not change the assessment above. E2E guidanceAdvisory only. E2E / PR Gate selects and runs jobs independently. Recommended E2E: None 1 optional E2E recommendation
This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge. |
<!-- markdownlint-disable MD041 --> ## Summary This PR upgrades every stable NemoClaw OpenShell selector and consumed artifact from `0.0.72` to stable `0.0.85`, including the #6379 credential-rewrite fix and OpenShell's multiline exec contract. Stable `v0.0.85` is verified at [`3dee5570a46076a57a3b056f35f35ebc0861ac85`](NVIDIA/OpenShell@3dee557). Base-owned structured trust landed in #6778 and #6779, the exact `v0.0.85` manifest identities landed separately in #7069, and the controller-compatible legacy gateway evidence matrix landed in #7055. The branch is refreshed on current `main`. Exact-head GitHub CI, automated review, protected runtime proofs, and platform-specific acceptance are running or pending below. ## Related Issue Fixes #6379. ## Changes - [x] Audit all 13 adjacent OpenShell ranges from `v0.0.72` through `v0.0.85`: 67 commits and 283 changed paths, including the unpublished `v0.0.84` source boundary. Release notes were treated as leads rather than proof. - [x] Verify stable tag `v0.0.85` at `3dee5570`, successful producer run [`29507522595`](https://github.com/NVIDIA/OpenShell/actions/runs/29507522595), and inclusion of required credential fix `40194f93`. - [x] Advance the blueprint floor/ceiling, installer floor/ceiling/dev floor, Brev defaults, stable E2E gateway-auth pin, supervisor index, sandbox-build fallback, credential manifest, current docs, and user-visible messages to `0.0.85`. - [x] Pin all eight CLI/gateway/sandbox release archives, three component manifests, extracted release-binary identities, and the multi-arch supervisor image to immutable `v0.0.85` identities. Historical `0.0.72` and `0.0.82` references remain only where cleanup, fallback, trust, or compatibility evidence requires them. - [x] Retain both `v0.0.82` standalone sandbox digest fallbacks when host-side `--version` cannot run, and exercise the true `0.0.86` above-maximum boundary. - [x] Replace the migration ledger with `docs/security/openshell-0.0.85-migration-review.md`, covering the complete range, dependency delta, consumed contracts, evidence-backed exclusions, mitigations, and blocking runtime/release gates. - [x] Reject OpenShell's revisioned credential-name namespace before provider mutation while preserving cleanup of persisted legacy entries across host and Hermes adapters. - [x] Report OpenShell's fail-closed `CONNECT 503` as unavailable TLS credential rewriting instead of a generic curl transport error. - [x] Preserve LF, CR, CRLF, quotes, and heredocs byte-exactly across multiline exec while retaining NUL, multiline-workdir, and request-environment boundaries. - [x] Reject supervisor-only `OPENSHELL_TLS_CA`, `OPENSHELL_TLS_CERT`, and `OPENSHELL_TLS_KEY` if an entrypoint, exec, or connect child receives them. - [x] Validate that each selected OpenShell archive contains exactly one expected regular binary before extraction; reject absolute paths, traversal, duplicates, extras, links, and devices. - [ ] Prove the exact head on the supported Linux x86, macOS Docker Desktop/Colima, WSL, Colossus, and DGX Spark paths selected by CI/advisor. - [ ] On a physical Docker 27 DGX Spark arm64 host, prove honest `mcp status`, real credential substitution, an authenticated MCP tool call, rotation/rebuild/removal behavior, and absence of literal `openshell:resolve:env:` leakage. - [ ] Record the platform decision for Docker 27 versus upstream OpenShell's Docker 28 requirement. ## Release provenance - All eight consumed release archives have valid GitHub SLSA attestations bound to source commit `3dee5570`; the three published checksum manifests and all ten installer/Brev references were independently reverified after the update. - The selected supervisor image is the immutable multi-arch index `sha256:f4226253a3525c3832adac5b38b419a0f27d1e915effe565b5885e20f93cd5e9`. - GitHub currently exposes no OCI referrer/attestation/SBOM for that supervisor image, and its configs contain no source/revision/version labels. The review records that upstream provenance limitation rather than inferring missing evidence. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending exact-head maintainer review - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes DCO sign-off declarations and all 78 commits currently appear as `Verified` in GitHub - [x] Normal commit/push hooks and `npm run check:diff` passed; the generated-platform citation repair is signed, and current exact head `610f7cd9ff9cc8d3fdc47f40271d0b56b452a0cc` is GitHub-verified - [x] The checker is byte-identical to current `main`; the base-owned `scripts/check-installer-hash.sh` passed all three manifests and all ten consumed release references against published `v0.0.85` assets - [x] Focused current-head repairs passed: feature gate 15/15, installer integration 47 passed with 1 intentional skip, installer-hash and migration ledger 78/78, gateway workflow boundary 4/4, PR E2E controller 27/27, and generated platform docs 19/19 - [x] Broader compatibility, MCP boundary, Hermes, and E2E-support tests passed earlier in the migration; the opt-in version-pin live suite passed all three `gh` and curl paths - [x] The #7046 conflict refresh preserves all four gateway-upgrade shards and the typed DCode target; combined integration passed 172/172, serial E2E-support passed 1,156 with 2 intentional skips, and file-size/project-membership checks passed - [x] `npm run docs` completed successfully, including generated variants, route validation, and Fern checks (0 errors; 2 existing warnings) - [ ] Exact-head GitHub CI, automated review, and protected E2E passed — ordinary CI, both advisor lanes, and protected E2E are running or pending at head `610f7cd9ff9cc8d3fdc47f40271d0b56b452a0cc` - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) — the security review has the required SPDX header and is not a Fern page. --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Signed-off-by: Apurv Kumaria <akumaria@nvidia.com> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Apurv Kumaria <akumaria@nvidia.com> Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
Summary
This PR extends the base-owned OpenShell release-manifest trust anchor to stable
v0.0.85. It is the narrow prerequisite that allows PR #6726 to verify thev0.0.85checksums, gateway, and sandbox manifests before proposed branch code executes.Changes
v0.0.72andv0.0.82trusted manifest identities.v0.0.85manifest SHA-256 identities independently verified against the stable release.Type of Change
Quality Gates
test/installer-hash-check.test.tsenforces the manifest allowlist contract, and the base-owned checker passed all three manifests plus all ten consumedv0.0.85artifact references from PR chore(openshell): upgrade supported version to 0.0.85 #6726.Verification
Signed-off-by:line and every commit appears asVerifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpx vitest run --project integration test/installer-hash-check.test.ts(69 passed);NEMOCLAW_INSTALLER_HASH_REPO_ROOT=/private/tmp/nemoclaw-pr6726-v85.cJMI5J/wt scripts/check-installer-hash.sh(3 manifests and 10 consumed references passed)npm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — command/result:npm run docsbuilds without warnings (doc changes only)Signed-off-by: Charan Jagwani cjagwani@nvidia.com
Summary by CodeRabbit