Skip to content

chore(openshell): trust v0.0.85 release manifests#7069

Merged
apurvvkumaria merged 1 commit into
mainfrom
codex/openshell-v0.0.85-trust
Jul 17, 2026
Merged

chore(openshell): trust v0.0.85 release manifests#7069
apurvvkumaria merged 1 commit into
mainfrom
codex/openshell-v0.0.85-trust

Conversation

@cjagwani

@cjagwani cjagwani commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

This PR extends the base-owned OpenShell release-manifest trust anchor to stable v0.0.85. It is the narrow prerequisite that allows PR #6726 to verify the v0.0.85 checksums, gateway, and sandbox manifests before proposed branch code executes.

Changes

  • Retain the existing v0.0.72 and v0.0.82 trusted manifest identities.
  • Add the three published v0.0.85 manifest SHA-256 identities independently verified against the stable release.
  • Keep the candidate version selectors and consumed artifact pins out of this base-owned trust change; those remain in PR chore(openshell): upgrade supported version to 0.0.85 #6726.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification: test/installer-hash-check.test.ts enforces the manifest allowlist contract, and the base-owned checker passed all three manifests plus all ten consumed v0.0.85 artifact references from PR chore(openshell): upgrade supported version to 0.0.85 #6726.
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: this is an internal release-manifest trust prerequisite; the OpenShell version migration and user-facing documentation remain in PR chore(openshell): upgrade supported version to 0.0.85 #6726.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending maintainer review
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes a Signed-off-by: line and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — npx vitest run --project integration test/installer-hash-check.test.ts (69 passed); NEMOCLAW_INSTALLER_HASH_REPO_ROOT=/private/tmp/nemoclaw-pr6726-v85.cJMI5J/wt scripts/check-installer-hash.sh (3 manifests and 10 consumed references passed)
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result:
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Charan Jagwani cjagwani@nvidia.com

Summary by CodeRabbit

  • Chores
    • Updated trusted release verification data for OpenShell version 0.0.85.
    • Installer integrity checks now recognize the official checksum manifests for this release.

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@cjagwani cjagwani added area: security Security controls, permissions, secrets, or hardening chore Build, CI, dependency, or tooling maintenance v0.0.85 Release target labels Jul 17, 2026
@cjagwani cjagwani self-assigned this Jul 17, 2026
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 73ca6a76-40f1-4f0f-95ba-9f7b4a0cecc7

📥 Commits

Reviewing files that changed from the base of the PR and between a9fac78 and 20a4b98.

📒 Files selected for processing (1)
  • scripts/check-installer-hash.sh

📝 Walkthrough

Walkthrough

The installer hash verification script adds three pinned OpenShell 0.0.85 checksum manifest digests to its trusted allowlist without changing validation logic or control flow.

Changes

Installer hash verification

Layer / File(s) Summary
Update trusted checksum manifests
scripts/check-installer-hash.sh
Adds pinned SHA-256 digests for the OpenShell 0.0.85 checksum manifests to the trusted allowlist.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: ericksoa

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely reflects the main change: trusting the OpenShell v0.0.85 release manifests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/openshell-v0.0.85-trust

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.


Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@apurvvkumaria
apurvvkumaria merged commit 8297d20 into main Jul 17, 2026
73 of 75 checks passed
@apurvvkumaria
apurvvkumaria deleted the codex/openshell-v0.0.85-trust branch July 17, 2026 03:14
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Advisor assessment: Informational / high confidence
Next action: No advisor follow-up needed.
Findings: 0 blockers · 0 warnings · 0 suggestions
Status: No actionable findings remain in the canonical review ledger.

Model lanes

  • GPT-5.6 Terra (primary): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Nemotron 3 Ultra (second opinion): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Model comparison: normalized findings match; normalized E2E selections differ; severity counts match.

Nemotron output stays in workflow artifacts and does not change the assessment above.

E2E guidance

Advisory only. E2E / PR Gate selects and runs jobs independently.

Recommended E2E: None

1 optional E2E recommendation
  • openshell-version-pin

Workflow run details

This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge.

apurvvkumaria added a commit that referenced this pull request Jul 17, 2026
<!-- markdownlint-disable MD041 -->
## Summary

This PR upgrades every stable NemoClaw OpenShell selector and consumed
artifact from `0.0.72` to stable `0.0.85`, including the #6379
credential-rewrite fix and OpenShell's multiline exec contract. Stable
`v0.0.85` is verified at
[`3dee5570a46076a57a3b056f35f35ebc0861ac85`](NVIDIA/OpenShell@3dee557).
Base-owned structured trust landed in #6778 and #6779, the exact
`v0.0.85` manifest identities landed separately in #7069, and the
controller-compatible legacy gateway evidence matrix landed in #7055.

The branch is refreshed on current `main`. Exact-head GitHub CI,
automated review, protected runtime proofs, and platform-specific
acceptance are running or pending below.

## Related Issue

Fixes #6379.

## Changes

- [x] Audit all 13 adjacent OpenShell ranges from `v0.0.72` through
`v0.0.85`: 67 commits and 283 changed paths, including the unpublished
`v0.0.84` source boundary. Release notes were treated as leads rather
than proof.
- [x] Verify stable tag `v0.0.85` at `3dee5570`, successful producer run
[`29507522595`](https://github.com/NVIDIA/OpenShell/actions/runs/29507522595),
and inclusion of required credential fix `40194f93`.
- [x] Advance the blueprint floor/ceiling, installer floor/ceiling/dev
floor, Brev defaults, stable E2E gateway-auth pin, supervisor index,
sandbox-build fallback, credential manifest, current docs, and
user-visible messages to `0.0.85`.
- [x] Pin all eight CLI/gateway/sandbox release archives, three
component manifests, extracted release-binary identities, and the
multi-arch supervisor image to immutable `v0.0.85` identities.
Historical `0.0.72` and `0.0.82` references remain only where cleanup,
fallback, trust, or compatibility evidence requires them.
- [x] Retain both `v0.0.82` standalone sandbox digest fallbacks when
host-side `--version` cannot run, and exercise the true `0.0.86`
above-maximum boundary.
- [x] Replace the migration ledger with
`docs/security/openshell-0.0.85-migration-review.md`, covering the
complete range, dependency delta, consumed contracts, evidence-backed
exclusions, mitigations, and blocking runtime/release gates.
- [x] Reject OpenShell's revisioned credential-name namespace before
provider mutation while preserving cleanup of persisted legacy entries
across host and Hermes adapters.
- [x] Report OpenShell's fail-closed `CONNECT 503` as unavailable TLS
credential rewriting instead of a generic curl transport error.
- [x] Preserve LF, CR, CRLF, quotes, and heredocs byte-exactly across
multiline exec while retaining NUL, multiline-workdir, and
request-environment boundaries.
- [x] Reject supervisor-only `OPENSHELL_TLS_CA`, `OPENSHELL_TLS_CERT`,
and `OPENSHELL_TLS_KEY` if an entrypoint, exec, or connect child
receives them.
- [x] Validate that each selected OpenShell archive contains exactly one
expected regular binary before extraction; reject absolute paths,
traversal, duplicates, extras, links, and devices.
- [ ] Prove the exact head on the supported Linux x86, macOS Docker
Desktop/Colima, WSL, Colossus, and DGX Spark paths selected by
CI/advisor.
- [ ] On a physical Docker 27 DGX Spark arm64 host, prove honest `mcp
status`, real credential substitution, an authenticated MCP tool call,
rotation/rebuild/removal behavior, and absence of literal
`openshell:resolve:env:` leakage.
- [ ] Record the platform decision for Docker 27 versus upstream
OpenShell's Docker 28 requirement.

## Release provenance

- All eight consumed release archives have valid GitHub SLSA
attestations bound to source commit `3dee5570`; the three published
checksum manifests and all ten installer/Brev references were
independently reverified after the update.
- The selected supervisor image is the immutable multi-arch index
`sha256:f4226253a3525c3832adac5b38b419a0f27d1e915effe565b5885e20f93cd5e9`.
- GitHub currently exposes no OCI referrer/attestation/SBOM for that
supervisor image, and its configs contain no source/revision/version
labels. The review records that upstream provenance limitation rather
than inferring missing evidence.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: pending exact-head
maintainer review
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes DCO sign-off declarations and all 78
commits currently appear as `Verified` in GitHub
- [x] Normal commit/push hooks and `npm run check:diff` passed; the
generated-platform citation repair is signed, and current exact head
`610f7cd9ff9cc8d3fdc47f40271d0b56b452a0cc` is GitHub-verified
- [x] The checker is byte-identical to current `main`; the base-owned
`scripts/check-installer-hash.sh` passed all three manifests and all ten
consumed release references against published `v0.0.85` assets
- [x] Focused current-head repairs passed: feature gate 15/15, installer
integration 47 passed with 1 intentional skip, installer-hash and
migration ledger 78/78, gateway workflow boundary 4/4, PR E2E controller
27/27, and generated platform docs 19/19
- [x] Broader compatibility, MCP boundary, Hermes, and E2E-support tests
passed earlier in the migration; the opt-in version-pin live suite
passed all three `gh` and curl paths
- [x] The #7046 conflict refresh preserves all four gateway-upgrade
shards and the typed DCode target; combined integration passed 172/172,
serial E2E-support passed 1,156 with 2 intentional skips, and
file-size/project-membership checks passed
- [x] `npm run docs` completed successfully, including generated
variants, route validation, and Fern checks (0 errors; 2 existing
warnings)
- [ ] Exact-head GitHub CI, automated review, and protected E2E passed —
ordinary CI, both advisor lanes, and protected E2E are running or
pending at head `610f7cd9ff9cc8d3fdc47f40271d0b56b452a0cc`
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)
— the security review has the required SPDX header and is not a Fern
page.

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: security Security controls, permissions, secrets, or hardening chore Build, CI, dependency, or tooling maintenance v0.0.85 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants