Skip to content

fix(e2e): repair release blocker regressions#7077

Merged
cv merged 3 commits into
mainfrom
codex/fix-hermes-validator-digest
Jul 17, 2026
Merged

fix(e2e): repair release blocker regressions#7077
cv merged 3 commits into
mainfrom
codex/fix-hermes-validator-digest

Conversation

@cjagwani

@cjagwani cjagwani commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes three persistent failures reproduced by the v0.0.85 release E2E sweep: the Hermes validator image digest was stale, the Deep Agents MCP exact-main onboarding dropped its candidate binary overrides, and the OpenShell TUI approval proof waited for a terminal label that is rendered as non-contiguous diffs.

Changes

  • Synchronize the Hermes validator SHA-256 with the copied source and enforce all three security-entrypoint digests in the image-layout test.
  • Preserve the exact-main OpenShell environment overlay through Deep Agents MCP onboarding so the stable installer cannot replace candidate components.
  • Wait for the stable Filesystem Access detail heading in the OpenShell TUI proof while retaining the exact sandbox-name assertion.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: all changes repair internal image-integrity and live-E2E proof boundaries; the required docs-writer review found no user-facing contract change.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: exact source digests are computed in the regression test, candidate binary overrides remain fixture-scoped, and the TUI proof retains exact sandbox identity.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes a Signed-off-by: line and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — npx vitest run --project integration test/hermes-final-image-layout.test.ts (7/7); npx vitest run --project e2e-support test/e2e/support/mcp-bridge-sandbox.test.ts (14/14); npx vitest run --project e2e-support test/e2e/support/issue-6194-tui-post-idle-contract.test.ts (11/11); npm run test:changed; npm run source-shape:check
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result:
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Release E2E reproduction evidence:


Signed-off-by: Charan Jagwani cjagwani@nvidia.com

Summary by CodeRabbit

  • Security

    • Strengthened Hermes image integrity verification by updating and validating SHA-256 digests for critical runtime files.
    • Improved MCP bridge onboarding to allow only approved environment overrides, preventing protected key collisions.
  • Reliability

    • Made sandbox approval UI assertions more stable by targeting the “Filesystem Access” detail panel.
    • Enhanced gateway upgrade testing logic to correctly account for legacy registry expectations across fixture versions.
  • Tests

    • Added/expanded e2e coverage for Hermes final-image layout integrity, MCP onboarding env-overlay behavior, and sandbox approval/gateway upgrade flows.

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@cjagwani cjagwani self-assigned this Jul 17, 2026
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c8cc46c4-cb8b-481d-872e-9674932de820

📥 Commits

Reviewing files that changed from the base of the PR and between 5f26fe0 and 18c5f58.

📒 Files selected for processing (3)
  • test/e2e/live/openshell-gateway-upgrade-helpers.ts
  • test/e2e/live/openshell-gateway-upgrade.test.ts
  • test/e2e/support/openshell-gateway-upgrade-workflow-boundary.test.ts

📝 Walkthrough

Walkthrough

Changes

Hermes and E2E contract updates

Layer / File(s) Summary
Hermes integrity verification
agents/hermes/Dockerfile, test/hermes-final-image-layout.test.ts, ci/source-shape-test-budget.json
The Hermes validator digest is updated, and tests verify source hashes and expected Dockerfile copy targets.
Environment overlay onboarding
test/e2e/live/mcp-bridge-onboard-env.ts, test/e2e/live/mcp-bridge.test.ts, test/e2e/live/openshell-exact-main-mcp-proof.ts, test/e2e/support/mcp-bridge-onboard-env.test.ts
Onboarding environments validate and merge allowed overlays, propagate the exact-main proof overlay, and test protected-key rejection.
Gateway upgrade fixture handling
test/e2e/live/openshell-gateway-upgrade-helpers.ts, test/e2e/live/openshell-gateway-upgrade.test.ts, test/e2e/support/openshell-gateway-upgrade-workflow-boundary.test.ts
Upgrade tests map legacy registry versions and stage user-local OpenShell binaries while excluding their directory from PATH.
Sandbox detail-panel synchronization
test/e2e/live/issue-6194-tui-expect.ts, test/e2e/support/issue-6194-tui-post-idle-contract.test.ts
OpenShell approval checks synchronize on the Filesystem Access detail-panel heading instead of the Name: label.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant prepareExactMainMcpProof
  participant onboardAgent
  participant buildMcpBridgeOnboardEnv
  participant hostNemoclaw
  prepareExactMainMcpProof->>onboardAgent: envOverlay
  onboardAgent->>buildMcpBridgeOnboardEnv: onboarding options and envOverlay
  buildMcpBridgeOnboardEnv->>onboardAgent: merged ProcessEnv
  onboardAgent->>hostNemoclaw: onboard with merged environment
Loading

Possibly related PRs

Suggested labels: area: e2e, bug-fix, integration: hermes

Suggested reviewers: ericksoa

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the PR’s main goal: fixing E2E regressions that blocked the release.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-hermes-validator-digest

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.


Updated July 17, 2026 05:58 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/e2e/support/mcp-bridge-sandbox.test.ts (1)

307-310: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Test the runtime contract instead of source text.

Reading files and asserting literal snippets does not prove that envOverlay reaches host.nemoclaw; it also creates failures from harmless formatting or refactoring. Exercise onboardAgent with a sentinel overlay and assert the observable environment passed to the host, keeping source-shape checks only in dedicated source-contract tests.

As per path instructions, tests should prioritize behavioral confidence over implementation lock-in.

Also applies to: 322-323

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/support/mcp-bridge-sandbox.test.ts` around lines 307 - 310, Replace
the source-text assertions around exactMainProofSource with a behavioral test of
onboardAgent: provide a sentinel envOverlay, run the onboarding flow, and
capture the environment passed to host.nemoclaw, then assert the sentinel
reaches it. Remove the corresponding literal source checks while preserving any
dedicated source-contract coverage.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/live/mcp-bridge.test.ts`:
- Line 141: The environment merge in the MCP bridge test must preserve approved
envOverlay overrides without allowing protected COMPATIBLE_* or NEMOCLAW_*
values to replace fixed defaults. Update the options.envOverlay handling to
filter or reject collisions with those protected keys, merge permitted overlay
values after the defaults, and add a regression test covering an exact-main
protected-key collision.

---

Nitpick comments:
In `@test/e2e/support/mcp-bridge-sandbox.test.ts`:
- Around line 307-310: Replace the source-text assertions around
exactMainProofSource with a behavioral test of onboardAgent: provide a sentinel
envOverlay, run the onboarding flow, and capture the environment passed to
host.nemoclaw, then assert the sentinel reaches it. Remove the corresponding
literal source checks while preserving any dedicated source-contract coverage.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 770e475f-cc4d-42d9-b8cb-c0ed54d23159

📥 Commits

Reviewing files that changed from the base of the PR and between b47c81e and e5df8f1.

📒 Files selected for processing (8)
  • agents/hermes/Dockerfile
  • ci/source-shape-test-budget.json
  • test/e2e/live/issue-6194-tui-expect.ts
  • test/e2e/live/mcp-bridge.test.ts
  • test/e2e/live/openshell-exact-main-mcp-proof.ts
  • test/e2e/support/issue-6194-tui-post-idle-contract.test.ts
  • test/e2e/support/mcp-bridge-sandbox.test.ts
  • test/hermes-final-image-layout.test.ts

Comment thread test/e2e/live/mcp-bridge.test.ts Outdated
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Advisor assessment: Informational / high confidence
Next action: No advisor follow-up needed.
Findings: 0 blockers · 0 warnings · 0 suggestions
Status: No actionable findings remain in the canonical review ledger.

Model lanes

  • GPT-5.6 Terra (primary): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Nemotron 3 Ultra (second opinion): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Model comparison: normalized findings match; normalized E2E selections differ; severity counts match.

Nemotron output stays in workflow artifacts and does not change the assessment above.

E2E guidance

Advisory only. E2E / PR Gate selects and runs jobs independently.

Recommended E2E: cloud-onboard, credential-sanitization, full-e2e, hermes-e2e, security-posture, mcp-bridge, mcp-bridge-dev, openshell-gateway-upgrade

Workflow run details

This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge.

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@cjagwani
cjagwani requested a review from cv July 17, 2026 05:50
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@cv
cv merged commit 0393691 into main Jul 17, 2026
136 of 145 checks passed
@cv
cv deleted the codex/fix-hermes-validator-digest branch July 17, 2026 05:59
@github-actions github-actions Bot added the v0.0.85 Release target label Jul 17, 2026
cv pushed a commit that referenced this pull request Jul 17, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Follow up #7077 and #7028 by completing direct historical gateway
upgrades. After a strict backup, the installer now retires a running
gateway whenever its installed OpenShell is outside the prepared current
release's supported range, preventing the new CLI from encountering the
old gateway schema during recovery.

## Changes

- Replace the setup-only conditional with an equivalent boolean
invariant assertion.
- Preserve the requirement that the `v0.0.55` fixture records the
original OpenShell directory before hiding it from `PATH`.
- Pin the `v0.0.74` registry contract to both `nemoclawVersion:
"0.0.74"` and `fromDockerfile: null`, as proven by selective live E2E
artifacts.
- Keep earlier historical fixtures pinned to absent registry metadata.
- Resolve the current OpenShell min/max range from the prepared current
source after backup.
- Retire the selected gateway only when the installed OpenShell falls
below or above that range; keep a supported gateway running.
- Fail closed after backup and before gateway retirement when the
supported range is missing, malformed, or inverted.
- Document the expanded gateway-retirement boundary in the quickstart,
command reference, and sandbox-update guide.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: #7028's maintainer
approval established the strict-backup and managed-image recovery
boundary for #6114. This follow-up retains those guards, scopes
retirement to the selected gateway only after backup, preserves
supported gateways, and fails closed on invalid range data.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes a `Signed-off-by:` line and every commit
appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — installer recovery integration tests
(38 passed), gateway support tests (5 passed), and final focused
installer test after hook formatting (26 passed)
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — passed
with 0 errors; Fern reported the existing unauthenticated-redirect and
accent-contrast warnings
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Tests**
* Improved end-to-end coverage for OpenShell gateway upgrades by
verifying structured legacy registry metadata (instead of only version
values).
* Expanded upgrade prompt/preinstall guard scenarios to confirm “keep vs
retire” based on the blueprint-supported OpenShell version window,
including invalid/unknown ranges and safer legacy gateway stop behavior.
* **Documentation**
* Updated the quickstart, sandbox update guide, and command reference to
reflect conditional gateway retirement/retention and fail-closed
behavior.
* **Chores**
* Refined the installer’s gateway retirement logic to rely on the
blueprint-defined compatibility range, with a Linux-only PID-validated
fallback to stop the legacy gateway process.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.85 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants