Skip to content

fix(onboard): preserve structured Docker tmpfs mounts#7137

Merged
apurvvkumaria merged 17 commits into
mainfrom
codex/fix-dcode-inspect-mounts
Jul 18, 2026
Merged

fix(onboard): preserve structured Docker tmpfs mounts#7137
apurvvkumaria merged 17 commits into
mainfrom
codex/fix-dcode-inspect-mounts

Conversation

@jyaunches

@jyaunches jyaunches commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Summary

Deep Agents Code recreation converted OpenShell's structured tmpfs mount into Docker's legacy --tmpfs representation, so the recreated container no longer exposed the mount through .HostConfig.Mounts. Keep supported tmpfs mounts structured across recreation, fail closed on unsupported options, and ensure every sandbox base image contains the nft runtime OpenShell uses to enforce direct-bypass rejection.

Changes

  • Translate inspected tmpfs mounts to Docker --mount type=tmpfs arguments while preserving target, size, mode, and the supported noexec, nosuid, and nodev options.
  • Reject unsupported tmpfs options before mutating the container.
  • Pin nftables=1.1.3-1 in the OpenClaw, Hermes, and Deep Agents base images so OpenShell can install its bypass-enforcement rules in each agent topology.
  • Extend the exact-main live proof to validate structured mount persistence before and after gateway restart and rebuild, direct TCP/UDP bypass rejection, effective nft rules, and live /proc/<pid>/exe identity across on-disk replacement.
  • Harden the E2E fixture for live OpenShell output and topology: u64 revisions, empty /proc fields, stale namespaces, sidecar namespaces, nft JSON family variants, immediate denial errno values, exact component paths during rebuild, and bounded transient proxy reconnects.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: Three repository-required documentation reviews confirmed this repairs the internal recreation and live-proof contracts without changing commands, configuration, defaults, schemas, or documented policy behavior.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: The implementation fails before mutation on unsupported tmpfs options, retains read-only supervisor/auth/TLS mounts, adds the missing enforcement binary to all base images, and preserves the credential-redaction boundary. CodeQL, CodeRabbit, both PR Review Advisor checks, and the full credentialed MCP bridge live target are green.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes a Signed-off-by: line and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — 30/30 mount clone/validation/recreation tests; 61/61 sandbox provisioning tests; 37/37 focused MCP/exact-main E2E-support tests; npm run typecheck:cli; bash scripts/check-production-build-args.sh
  • Applicable broad gate passed — GitHub PR CI passed all 38 applicable checks, including aggregate checks, eight CLI shards, plugin tests, installer integration, static checks, CodeQL, DCO, and commit lint
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Live E2E evidence: MCP bridge run 29630429324 passed for Deep Agents, Hermes, and OpenClaw.


Signed-off-by: Julie Yaunches jyaunches@nvidia.com

Summary by CodeRabbit

  • New Features

    • Added pinned nftables tooling to supported sandbox base images.
    • Improved tmpfs recreation to use Docker structured --mount syntax.
    • Centralized “exact-main” MCP bridge environment overlay construction.
  • Bug Fixes

    • Reject structured tmpfs recreation when non-default tmpfs options are present.
    • Strengthened live runtime policy and nftables inspection, including CONNECT retry behavior and bypass denial handling.
  • Tests

    • Expanded e2e coverage for mount verification, env-overlay correctness, and more defensive embedded process-status parsing.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@copy-pr-bot

copy-pr-bot Bot commented Jul 18, 2026

Copy link
Copy Markdown

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@jyaunches jyaunches added the v0.0.87 Release target label Jul 18, 2026
@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 09308d31-9a80-4357-be7a-8d6aef49be48

📥 Commits

Reviewing files that changed from the base of the PR and between 3d6f5d2 and 77219a8.

📒 Files selected for processing (1)
  • test/sandbox-provisioning.test.ts

📝 Walkthrough

Walkthrough

The changes switch Docker tmpfs recreation to structured mounts, tighten tmpfs option validation, centralize exact-main MCP environment overlays, strengthen runtime probes, add namespace-aware nft inspection, and install pinned nftables packages across agent base images.

Changes

Sandbox runtime and exact-main validation

Layer / File(s) Summary
Structured tmpfs recreation
src/lib/onboard/docker-gpu-patch-clone.ts, src/lib/onboard/docker-gpu-patch-clone.test.ts, src/lib/onboard/docker-gpu-patch-validation.test.ts, test/e2e/live/openshell-exact-main-driver-config.ts
Docker recreation now uses structured --mount tmpfs arguments, preserves approved options, rejects unsupported options, and validates structured mount inspection.
Exact-main runtime contracts
test/e2e/live/openshell-exact-main-*, test/e2e/support/openshell-exact-main-*
Runtime probes, policy parsing, nft rule matching, namespace-aware nft inspection, CONNECT retries, and direct bypass denial checks are updated and covered by generated-script tests.
MCP bridge environment flow
test/e2e/live/mcp-bridge-onboard-env.ts, test/e2e/live/mcp-bridge.test.ts, test/e2e/support/mcp-bridge-onboard-env.test.ts
Exact-main overlay construction and validation are centralized and reused by the deepagents rebuild path.
Base-image nftables provisioning
Dockerfile.base, agents/hermes/Dockerfile.base, agents/langchain-deepagents-code/Dockerfile.base, test/sandbox-provisioning.test.ts
The three agent base images install pinned nftables=1.1.3-1, with parameterized coverage confirming each Dockerfile declaration.

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#7119: Covers related structured Docker tmpfs remount expectations in exact-main driver configuration tests.
  • NVIDIA/NemoClaw#7135: Modifies the same GPU sandbox recreation codepaths and structured mount validation.

Suggested labels: bug-fix, area: security

Suggested reviewers: ericksoa, cv, chengjiew

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Accurately summarizes the main change: preserving structured Docker tmpfs mounts during onboard sandbox recreation.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-dcode-inspect-mounts

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.


Updated July 18, 2026 05:00 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Advisor assessment: Informational / high confidence
Next action: No advisor follow-up needed.
Findings: 0 blockers · 0 warnings · 0 suggestions
Status: No actionable findings remain in the canonical review ledger.

Model lanes

  • GPT-5.6 Terra (primary): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Nemotron 3 Ultra (second opinion): Failed after a partial review · low confidence · 0 blockers · 3 warnings · 0 suggestions

Nemotron output stays in workflow artifacts and does not change the assessment above.

E2E guidance

Advisory only. E2E / PR Gate selects and runs jobs independently.

Recommended E2E: cloud-onboard, credential-sanitization, full-e2e, hermes-e2e, security-posture, mcp-bridge, mcp-bridge-dev, onboard-repair, onboard-resume

Workflow run details

This automated review informs maintainers. Warnings and suggestions do not require a response. A maintainer decides whether to merge.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29626746071
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 8m 41s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29627004991
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 7m 21s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29627277222
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 6m 34s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29627515601
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 7m 15s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm when ready

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29627940692
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 4m 52s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29628183802
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 5m 3s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29628405201
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 4m 59s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29628609846
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 4m 47s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@apurvvkumaria apurvvkumaria self-assigned this Jul 18, 2026
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29628853604
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 5m 8s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29629079209
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 4m 50s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29629276579
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 9m 40s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29629789840
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 6m 11s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29630211337
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ❌ failure 5m 1s

Failed tests: mcp-bridge. Check the workflow run for all logs and artifacts.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested tests passed

Run: 29630429324
Workflow ref: codex/fix-dcode-inspect-mounts
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result Total wall clock time
mcp-bridge ✅ success 20m 23s

@jyaunches jyaunches changed the title fix(onboard): preserve raw Docker inspect mounts fix(onboard): preserve structured Docker tmpfs mounts Jul 18, 2026
@jyaunches
jyaunches marked this pull request as ready for review July 18, 2026 04:43

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
test/e2e/support/openshell-exact-main-child-contracts.test.ts (1)

67-67: 📐 Maintainability & Code Quality | 🔵 Trivial | 🏗️ Heavy lift

Test generated probes by executing their behavior.

These assertions lock tests to source fragments and can pass while the generated probe’s relevant branch is broken.

  • test/e2e/support/openshell-exact-main-child-contracts.test.ts#L67-L67: replace the substring assertion with fixture-driven execution for the applicable generated probes.
  • test/e2e/support/openshell-exact-main-runtime-contracts.test.ts#L138-L158: execute the nft script against controlled command fixtures and assert namespace selection and emitted nft invocation.
  • test/e2e/support/openshell-exact-main-runtime-contracts.test.ts#L177-L182: exercise the generated CONNECT script against controlled status responses and assert retry/status outcomes.

As per path instructions, tests should prefer observable public-boundary outcomes and flag source-text assertions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/support/openshell-exact-main-child-contracts.test.ts` at line 67,
Replace the source-text assertion at
test/e2e/support/openshell-exact-main-child-contracts.test.ts:67-67 with
fixture-driven execution of the applicable generated probe and assert its
observable behavior. In
test/e2e/support/openshell-exact-main-runtime-contracts.test.ts:138-158, execute
the generated nft script with controlled command fixtures and verify namespace
selection plus the emitted nft invocation; at :177-182, execute the generated
CONNECT script with controlled status responses and verify retry and status
outcomes. Prefer public-boundary behavior assertions at all three sites.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/live/openshell-exact-main-driver-config.ts`:
- Around line 348-359: Update the exact-main-driver-config test around the
inspectJson calls to retain and assert both HostConfig results instead of
discarding them. Verify HostConfig.Mounts contains the expected tmpfs target
with its required size and mode, and verify HostConfig.Tmpfs does not contain
that target, proving the legacy --tmpfs path is not used.

In `@test/e2e/live/openshell-exact-main-runtime-contracts.ts`:
- Around line 76-79: Preserve config_revision losslessly in the runtime contract
validation and status-report flow, using its exact decimal-string representation
rather than a JavaScript number; update
test/e2e/live/openshell-exact-main-runtime-contracts.ts at lines 76-79 to
validate and retain that representation, and update
test/e2e/support/openshell-exact-main-runtime-contracts.test.ts at lines 119-126
to assert exact round-trip equality with the emitted revision instead of only
integer validity.

In `@test/sandbox-provisioning.test.ts`:
- Around line 1035-1044: Update the parameterized test around the “installs
pinned nftables” case to extract the active apt-get install block from each
Dockerfile and assert that the nftables pin appears within that block. Avoid
asserting against the entire Dockerfile so comments or unrelated text cannot
satisfy the test.

---

Nitpick comments:
In `@test/e2e/support/openshell-exact-main-child-contracts.test.ts`:
- Line 67: Replace the source-text assertion at
test/e2e/support/openshell-exact-main-child-contracts.test.ts:67-67 with
fixture-driven execution of the applicable generated probe and assert its
observable behavior. In
test/e2e/support/openshell-exact-main-runtime-contracts.test.ts:138-158, execute
the generated nft script with controlled command fixtures and verify namespace
selection plus the emitted nft invocation; at :177-182, execute the generated
CONNECT script with controlled status responses and verify retry and status
outcomes. Prefer public-boundary behavior assertions at all three sites.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3998a0e5-9146-4bb5-8f33-f05aa7ea83f7

📥 Commits

Reviewing files that changed from the base of the PR and between 55fb266 and 326f7cf.

📒 Files selected for processing (15)
  • Dockerfile.base
  • agents/hermes/Dockerfile.base
  • agents/langchain-deepagents-code/Dockerfile.base
  • src/lib/onboard/docker-gpu-patch-clone.test.ts
  • src/lib/onboard/docker-gpu-patch-clone.ts
  • src/lib/onboard/docker-gpu-patch-validation.test.ts
  • test/e2e/live/mcp-bridge-onboard-env.ts
  • test/e2e/live/mcp-bridge.test.ts
  • test/e2e/live/openshell-exact-main-driver-config.ts
  • test/e2e/live/openshell-exact-main-exec.ts
  • test/e2e/live/openshell-exact-main-runtime-contracts.ts
  • test/e2e/support/mcp-bridge-onboard-env.test.ts
  • test/e2e/support/openshell-exact-main-child-contracts.test.ts
  • test/e2e/support/openshell-exact-main-runtime-contracts.test.ts
  • test/sandbox-provisioning.test.ts

Comment thread test/e2e/live/openshell-exact-main-driver-config.ts Outdated
Comment thread test/e2e/live/openshell-exact-main-runtime-contracts.ts Outdated
Comment thread test/sandbox-provisioning.test.ts
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/e2e/support/openshell-exact-main-runtime-contracts.test.ts (1)

137-157: 🎯 Functional Correctness | 🔵 Trivial | 🏗️ Heavy lift

Exercise generated probes at their behavioral boundary.

These assertions only check source substrings and shell syntax, so dead or incorrectly wired branches can still pass. Add focused fixture-based execution for the nft inspection, bypass probe, and CONNECT transition scripts, asserting their observable outputs/statuses rather than exact implementation text.

Also applies to: 176-181

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/support/openshell-exact-main-runtime-contracts.test.ts` around lines
137 - 157, Replace the source-substring checks in the tests for
buildExactMainNftInspectionScript, DIRECT_BYPASS_PROBE_CODE, and the CONNECT
transition script with focused fixture-based executions. Assert each generated
probe’s observable output and exit status across the supported nft topologies,
bypass outcomes, and CONNECT transition cases, while retaining only syntax
validation where appropriate.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/sandbox-provisioning.test.ts`:
- Around line 63-77: Update dockerRunCommandStartingWith to search Dockerfile
lines individually and select only a trimmed line that begins with startMarker,
rather than using indexOf on the full text. Start collecting the matched
instruction and its continuation lines from that line, preserving the existing
validation and error behavior.

---

Nitpick comments:
In `@test/e2e/support/openshell-exact-main-runtime-contracts.test.ts`:
- Around line 137-157: Replace the source-substring checks in the tests for
buildExactMainNftInspectionScript, DIRECT_BYPASS_PROBE_CODE, and the CONNECT
transition script with focused fixture-based executions. Assert each generated
probe’s observable output and exit status across the supported nft topologies,
bypass outcomes, and CONNECT transition cases, while retaining only syntax
validation where appropriate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: aee22754-4668-4daa-a86c-c4a3ef5f4ce3

📥 Commits

Reviewing files that changed from the base of the PR and between 326f7cf and 3d6f5d2.

📒 Files selected for processing (4)
  • test/e2e/live/openshell-exact-main-driver-config.ts
  • test/e2e/live/openshell-exact-main-runtime-contracts.ts
  • test/e2e/support/openshell-exact-main-runtime-contracts.test.ts
  • test/sandbox-provisioning.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/e2e/live/openshell-exact-main-driver-config.ts

Comment thread test/sandbox-provisioning.test.ts Outdated
@apurvvkumaria
apurvvkumaria merged commit 4fe17e1 into main Jul 18, 2026
146 of 149 checks passed
@apurvvkumaria
apurvvkumaria deleted the codex/fix-dcode-inspect-mounts branch July 18, 2026 05:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.87 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants