Skip to content

fix(dcode): require Landlock enforcement#5812

Open
chengjiew wants to merge 34 commits into
mainfrom
fix/5795_landlock_min_kernel
Open

fix(dcode): require Landlock enforcement#5812
chengjiew wants to merge 34 commits into
mainfrom
fix/5795_landlock_min_kernel

Conversation

@chengjiew

@chengjiew chengjiew commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

Deep Agents Code now fails closed at OpenShell's authoritative sandbox-process Landlock boundary by using the exact hard_requirement compatibility mode.
OpenClaw and Hermes keep their intentional best_effort behavior, and NemoClaw no longer treats a host kernel-version heuristic as proof of sandbox enforcement.
This update preserves @chengjiew's original commit and credits Chengjie Wang as co-author of the corrective implementation.

Related Issue

Fixes #5795

Changes

  • Set the Deep Agents Code filesystem policy to compatibility: hard_requirement and constrain the policy schema to OpenShell's supported best_effort and hard_requirement values.
  • Preserve the hard requirement through real onboarding policy composition.
  • Treat successful Deep Agents Code sandbox startup as the authoritative Landlock probe while retaining the host warning for best-effort agents only.
  • Cover OpenShell rejection after sandbox creation, including nonzero exit, sandbox deletion, and no registry registration or update.
  • Add policy, schema, warning, and Deep Agents Code image regressions, including explicit rejection of the unsupported strict value.
  • Document Deep Agents Code fail-closed behavior separately from OpenClaw and Hermes best-effort behavior.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification:
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending maintainer re-review of the updated exact head.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: none requested.

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Git hooks passed during commit and push, or npx prek run --from-ref main --to-ref HEAD passes — all non-test-cli commit hooks and all pre-push hooks passed; the all-repository test-cli hook was attempted four times and blocked only on unrelated macOS/toolchain or timeout flakes, with each residual failing file passing on immediate isolated rerun. Exact-head Linux CI is pending.
  • Targeted tests pass for changed behavior
  • Full npm test passes (broad runtime changes only) — not run separately; focused CLI/integration coverage and exact-head CI/E2E are the relevant gates for this policy change.
  • Quality Gates section completed with required justifications or waivers — pending sensitive-path maintainer re-review.
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only) — build passes with zero errors and two unrelated pre-existing warnings.
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only) — no new pages.

Focused verification at exact head de42e632d:

  • npx vitest run src/lib/onboard/landlock-warning.test.ts src/lib/onboard/initial-policy-real-policy.test.ts test/langchain-deepagents-code-image.test.ts test/onboard-landlock-failure.test.ts test/validate-config-schemas.test.ts (161 tests)
  • npm run typecheck:cli
  • npm run validate:configs
  • npm run test:projects:check
  • npm run test:titles:check
  • npm run test-conditionals:scan -- --top 25
  • npm run test-size:check
  • npm run docs (zero errors; two unrelated pre-existing warnings)
  • git diff --check

GitHub verification:

  • 36ee0b89c, a7e031caf, 98f162ce4, d922d3a19, 6fc078c23, fca7dc27b, and de42e632d are all Verified with reason valid.

Signed-off-by: Chengjie Wang chengjiew@nvidia.com
Signed-off-by: Apurv Kumaria akumaria@nvidia.com

Summary by CodeRabbit

  • New Features
    • Agent-specific Landlock compatibility behavior is now reflected end-to-end: best-effort for OpenClaw/Hermes, fail-closed for Deep Agents Code.
  • Bug Fixes
    • Deep Agents Code now aborts sandbox startup and returns a nonzero onboarding exit code when Landlock cannot be enforced.
    • Failed sandboxes are cleaned up to allow safe retries.
  • Documentation
    • Updated deployment, enterprise readiness, security, and troubleshooting guidance with log-based Landlock verification and remediation steps.
  • Tests
    • Added coverage for hard-requirement onboarding failure behavior.

@github-code-quality

github-code-quality Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 79%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 0d384da e6fc1fe +/-
src/lib/cli/public-dispatch.ts 85% 69% -16%
src/lib/shields...imer-control.ts 78% 66% -12%
src/lib/status-command-deps.ts 57% 45% -12%
src/lib/actions...ess-recovery.ts 81% 74% -7%
src/lib/shields...nsition-lock.ts 85% 89% +4%
src/lib/messagi...agent-config.ts 71% 79% +8%
src/lib/actions...ridge-policy.ts 53% 64% +11%
src/lib/sandbox/config.ts 58% 74% +16%
src/lib/cli/com...and-registry.ts 69% 98% +29%
src/lib/onboard...lock-warning.ts 0% 88% +88%

Updated July 11, 2026 23:17 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Landlock onboarding now fails closed for Deep Agents Code on unsupported or unenforceable setups. Policy, schema, tests, and docs were updated to use hard_requirement for that mode while keeping best_effort behavior for other agents.

Changes

Landlock onboarding hardening

Layer / File(s) Summary
Kernel support check and tests
src/lib/onboard/landlock-warning.ts, src/lib/onboard/landlock-warning.test.ts
warnIfLandlockUnsupported now throws remediation text for unsupported kernels, and tests cover unsupported and supported Linux kernels.
Policy schema and agent defaults
agents/langchain-deepagents-code/policy-additions.yaml, schemas/sandbox-policy.schema.json, src/lib/onboard.ts
landlock.compatibility changes to hard_requirement, the schema enum accepts it, and onboarding passes the selected compatibility mode into the Landlock check.
Onboarding failure path test
test/onboard-landlock-failure.test.ts
A new test verifies hard_requirement failure exits nonzero, deletes the sandbox, and does not record readiness.
Documentation updates
docs/deployment/sandbox-hardening.mdx, docs/reference/enterprise-readiness.mdx, docs/reference/troubleshooting.mdx, docs/security/best-practices.mdx
Landlock docs now describe agent-specific best_effort versus hard_requirement behavior, startup failure cases, and runtime log-based verification.

Estimated code review effort: 4 (Complex) | ~45 minutes

Suggested labels: security, bug-fix

Suggested reviewers: ericksoa

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR satisfies #5795 by failing closed for Deep Agents Code when Landlock is unsupported and returning a nonzero exit instead of silently degrading.
Out of Scope Changes check ✅ Passed The changes are scoped to Landlock enforcement, related schema/policy updates, tests, and docs; no unrelated functionality appears added.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: Deep Agents Code now requires Landlock enforcement instead of falling back.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/5795_landlock_min_kernel

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: full-e2e, hermes-e2e, onboard-repair, onboard-resume, cloud-onboard
Optional E2E: security-posture, ubuntu-repo-cloud-langchain-deepagents-code

Dispatch hint: full-e2e,hermes-e2e,onboard-repair,onboard-resume,cloud-onboard

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • full-e2e (high): Required floor from the deterministic risk plan: shared agent abstractions must retain real OpenClaw lifecycle behavior and complete a live assistant turn after manifest/definition changes.
  • hermes-e2e (high): Required floor from the deterministic risk plan: shared agent abstractions must retain real Hermes lifecycle behavior and complete a live assistant turn after manifest/definition changes.
  • onboard-repair (high): Required floor from the deterministic risk plan: onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime after sandbox failure/repair path changes.
  • onboard-resume (medium): Required floor from the deterministic risk plan: onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime after sandbox failure/resume path changes.
  • cloud-onboard (high): Changes to src/lib/onboard.ts, sandbox create failure handling, Landlock policy, schema validation, and Deep Agents onboarding behavior can affect full hosted onboarding on a clean host; run the clean-host public installer/onboard flow and its security checks.

Optional E2E

  • security-posture (high): Adjacent confidence for filesystem/security-boundary changes: exercises live OpenClaw and Hermes security posture checks around sandbox hardening, although it does not cover Deep Agents Code hard-required Landlock.
  • ubuntu-repo-cloud-langchain-deepagents-code (high): Useful targeted confidence for the changed Deep Agents Code manifest and policy: the typed live target runs Deep Agents Code onboarding plus cloud-experimental checks including Landlock/read-only behavior, Python egress, headless inference, secret boundary, and TUI startup.

New E2E recommendations

  • deepagents-landlock-hard-requirement (high): The required PR-selectable job floor validates OpenClaw/Hermes and generic cloud onboarding, while the hard-required Deep Agents Code Landlock negative path is currently covered mainly by local tests. A live PR-selectable lane should prove that an unavailable Landlock runtime or missing hard-required policy path fails closed, cleans up the failed sandbox, and never writes Ready registry state.
    • Suggested test: Add a PR-selectable deepagents-landlock-hard-requirement E2E job, or make the existing ubuntu-repo-cloud-langchain-deepagents-code live target selectable through the PR jobs input, with assertions for hard_requirement startup failure, cleanup, and successful Ready registration on a compatible runtime.

Dispatch hint

  • Workflow: e2e.yaml
  • jobs input: full-e2e,hermes-e2e,onboard-repair,onboard-resume,cloud-onboard

@github-actions

Copy link
Copy Markdown
Contributor

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: onboard-resume-vitest, onboard-repair-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • onboard-resume-vitest: The PR changes onboarding sandbox creation/reuse ordering and Landlock fail-closed behavior in src/lib/onboard.ts and src/lib/onboard/landlock-warning.ts. This can affect onboarding resume/session bootstrap paths, so the wired onboard-resume live Vitest job is required.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • onboard-repair-vitest: The same onboarding reuse gate can affect repair/backstop execution from persisted sandbox state, especially because the Landlock check now runs before live sandbox reuse handling. The onboarding resume compatibility rule makes repair required for this persisted-session path.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • src/lib/onboard.ts
  • src/lib/onboard/landlock-warning.ts
  • src/lib/onboard/landlock-warning.test.ts

@github-actions

github-actions Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Review the warnings below.
Findings: 0 required · 1 warning · 0 optional suggestions

1 warning · 0 optional suggestions

Warnings

These merit maintainer attention but do not block by themselves.

PRA-1 Warning — Redact saved and printed sandbox-create diagnostics

  • Location: src/lib/onboard/sandbox-create-failure.ts:235
  • Category: security
  • Problem: The new sandbox-create diagnostic path copies `rootfs-console.log` verbatim and later writes/prints selected OpenShell gateway log lines without passing them through the existing redaction helpers. If OpenShell or VM console diagnostics include env args, authorization headers, provider keys, or other token-shaped values during a failed create, NemoClaw can persist them under `~/.nemoclaw/onboard-failures` and echo them to stderr.
  • Impact: Local diagnostic files and terminal output may expose provider credentials or other secrets to users/processes that can read the operator account's logs, shell scrollback, copied bug reports, or collected support artifacts.
  • Recommendation: Apply existing redaction helpers (prefer full redaction for saved diagnostic artifacts and printed summaries) to copied console output, gateway relevant/tail lines, summary text, and stderr diagnostic lines before writing or printing them.
  • Verification: Read `src/lib/onboard/sandbox-create-failure.ts` and confirm every path that writes or prints gateway/console diagnostic text passes through `redactFull`/`redactSensitiveText` (or equivalent full redaction).
  • Test coverage: Add a unit test for `collectSandboxCreateFailureDiagnostics`/`printSandboxCreateFailureDiagnostics` with token-like values in the gateway log and rootfs console log, asserting saved files and printed stderr contain redacted placeholders and not the original secrets.
  • Evidence: src/lib/onboard/sandbox-create-failure.ts:235 copies the discovered console log with `fs.copyFileSync(src, dst)` without redaction. src/lib/onboard/sandbox-create-failure.ts:311-326 writes summary data and gateway-derived details to `summary.txt`; src/lib/onboard/sandbox-create-failure.ts:339 returns raw `relevantLines`/`gatewayTailLines` as `summaryLines`; src/lib/onboard/sandbox-create-failure.ts:351-354 prints those lines to stderr. src/lib/onboard/created-sandbox-failure.ts:39 shows create-stream output is redacted before classification/echoing, but the new gateway/console diagnostics path does not use the same redaction boundary.

Workflow run details

This is an automated review. Required findings need action before merge. Warnings and optional suggestions do not require a response or follow-up. A human maintainer makes the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (5)
docs/deployment/sandbox-hardening.mdx (2)

147-147: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use active voice here.

is required by onboarding reads passive. Say directly that onboarding requires kernel 5.13+ with Landlock enabled.

As per path instructions, "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/deployment/sandbox-hardening.mdx` at line 147, The sentence in the
sandbox-hardening documentation uses passive voice; rewrite it in active voice
so onboarding is the subject, e.g. have onboarding directly require kernel 5.13+
with Landlock enabled. Update the wording in the affected prose block to keep
the same meaning while removing the passive construction.

Source: Path instructions


138-138: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use the shared CLI placeholder here.

This reads like shared guidance, so a concrete nemoclaw example will render the wrong command name for other agent aliases.

Suggested fix
-On such kernels, `nemoclaw onboard` aborts before creating or reusing a sandbox.
+On such kernels, `$$nemoclaw onboard` aborts before creating or reusing a sandbox.

As per coding guidelines, "Use $$nemoclaw for host CLI command examples on shared OpenClaw and Hermes pages." As per path instructions, "When a docs PR adds a command-line example that works across all NemoClaw agent aliases, comment if it uses a concrete alias such as nemoclaw or nemohermes; ask the author to use $$nemoclaw instead."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/deployment/sandbox-hardening.mdx` at line 138, The CLI example in the
shared sandbox-hardening guidance uses a concrete agent alias and should be
generalized for all aliases. Update the command example in the relevant docs
section to use the shared placeholder symbol $$nemoclaw instead of a specific
command name like nemoclaw, so the rendered guidance is correct across OpenClaw
and Hermes variants. Locate the host CLI example in the sandbox-hardening
content and replace the alias-specific invocation with the shared placeholder
consistently.

Sources: Coding guidelines, Path instructions

docs/reference/troubleshooting.mdx (1)

1062-1062: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use active voice here.

prevents a new sandbox from being created is passive. Say directly that the check prevents NemoClaw from creating a sandbox with reduced filesystem isolation.

As per path instructions, "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/troubleshooting.mdx` at line 1062, The sentence uses passive
voice; rewrite it in active voice by naming the actor directly, using the
surrounding troubleshooting text to state that the check prevents NemoClaw from
creating a sandbox with reduced filesystem isolation. Keep the meaning the same,
but avoid constructions like “is created” or “being created” in this section.

Source: Path instructions

src/lib/onboard.ts (1)

2646-2646: 🩺 Stability & Availability | 🔵 Trivial

Please rerun the onboarding E2E slice for this gate move.

This now short-circuits the core onboard flow before reuse/delete/create paths, so cloud-e2e, sandbox-operations-e2e, rebuild-openclaw-e2e, and channels-stop-start-e2e are the highest-value checks before merge.

As per path instructions, "src/lib/onboard.ts: This file contains core onboarding logic. Changes here affect the full sandbox creation and configuration flow."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` at line 2646, The change in onboard flow around
warnIfLandlockUnsupported should be validated by rerunning the onboarding E2E
slice, since it now short-circuits before reuse/delete/create paths. Re-run the
highest-value checks for cloud-e2e, sandbox-operations-e2e,
rebuild-openclaw-e2e, and channels-stop-start-e2e, and confirm the core flow in
src/lib/onboard.ts still behaves correctly after the gate move.

Source: Path instructions

docs/security/best-practices.mdx (1)

276-276: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use active voice in this row.

managed sandboxes are not created is passive. Say that NemoClaw does not create managed sandboxes in reduced Landlock mode.

As per path instructions, "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security/best-practices.mdx` at line 276, The “Default” table row uses
passive voice in the NemoClaw onboarding description, so rewrite that sentence
in active voice. Update the row text to say that NemoClaw does not create
managed sandboxes in reduced Landlock mode when it detects a host or Docker VM
kernel older than 5.13, keeping the same meaning while removing “are not
created.”

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard/landlock-warning.ts`:
- Around line 12-15: The Landlock support check is currently failing open when
kernel parsing or probing cannot be verified, which allows onboarding to
continue and reuse/create sandbox state unsafely. Update
unsupportedLandlockMessage and the surrounding probe/validation flow so that
parse failures, catch paths, and any inability to confirm support are treated as
blocking conditions instead of returning null; keep the fail-closed behavior in
the Landlock warning path and ensure callers of unsupportedLandlockMessage,
parseKernelMajorMinor, and the probe logic do not proceed when verification is
inconclusive.
- Line 46: The retry hint in landlock-warning.ts hardcodes the command name
instead of using the active CLI alias. Update the message in the onboarding
warning flow to build the retry command from cliName() or cliDisplayName(),
matching the rest of the user-facing onboarding text, so alternate aliases show
the correct `onboard` command. Use the landlock-warning helper that assembles
the warning copy to locate and thread the dynamic CLI name through this string.

---

Nitpick comments:
In `@docs/deployment/sandbox-hardening.mdx`:
- Line 147: The sentence in the sandbox-hardening documentation uses passive
voice; rewrite it in active voice so onboarding is the subject, e.g. have
onboarding directly require kernel 5.13+ with Landlock enabled. Update the
wording in the affected prose block to keep the same meaning while removing the
passive construction.
- Line 138: The CLI example in the shared sandbox-hardening guidance uses a
concrete agent alias and should be generalized for all aliases. Update the
command example in the relevant docs section to use the shared placeholder
symbol $$nemoclaw instead of a specific command name like nemoclaw, so the
rendered guidance is correct across OpenClaw and Hermes variants. Locate the
host CLI example in the sandbox-hardening content and replace the alias-specific
invocation with the shared placeholder consistently.

In `@docs/reference/troubleshooting.mdx`:
- Line 1062: The sentence uses passive voice; rewrite it in active voice by
naming the actor directly, using the surrounding troubleshooting text to state
that the check prevents NemoClaw from creating a sandbox with reduced filesystem
isolation. Keep the meaning the same, but avoid constructions like “is created”
or “being created” in this section.

In `@docs/security/best-practices.mdx`:
- Line 276: The “Default” table row uses passive voice in the NemoClaw
onboarding description, so rewrite that sentence in active voice. Update the row
text to say that NemoClaw does not create managed sandboxes in reduced Landlock
mode when it detects a host or Docker VM kernel older than 5.13, keeping the
same meaning while removing “are not created.”

In `@src/lib/onboard.ts`:
- Line 2646: The change in onboard flow around warnIfLandlockUnsupported should
be validated by rerunning the onboarding E2E slice, since it now short-circuits
before reuse/delete/create paths. Re-run the highest-value checks for cloud-e2e,
sandbox-operations-e2e, rebuild-openclaw-e2e, and channels-stop-start-e2e, and
confirm the core flow in src/lib/onboard.ts still behaves correctly after the
gate move.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cf7d7a3e-9759-4dbd-b2c6-7da90bfbe2c6

📥 Commits

Reviewing files that changed from the base of the PR and between e521f6a and 36ee0b8.

📒 Files selected for processing (7)
  • docs/deployment/sandbox-hardening.mdx
  • docs/reference/enterprise-readiness.mdx
  • docs/reference/troubleshooting.mdx
  • docs/security/best-practices.mdx
  • src/lib/onboard.ts
  • src/lib/onboard/landlock-warning.test.ts
  • src/lib/onboard/landlock-warning.ts

Comment thread src/lib/onboard/landlock-warning.ts Outdated
Comment thread src/lib/onboard/landlock-warning.ts Outdated
@wscurran wscurran added area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression labels Jun 25, 2026
@wscurran

Copy link
Copy Markdown
Contributor

@wscurran wscurran added v0.0.69 Release target NV QA Bugs found by the NVIDIA QA Team labels Jun 25, 2026

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after addressing feedback comments

@wscurran wscurran added the integration: dcode LangChain Deep Code integration behavior label Jun 26, 2026
@cv cv added v0.0.71 Release target and removed v0.0.69 Release target labels Jun 28, 2026

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes requested — Landlock gate is not authoritative

Do not merge exact head 36ee0b89c3f269df446fcd21e106bc0b74d25b01.

  1. The source contract remains wrong. agents/langchain-deepagents-code/policy-additions.yaml uses compatibility: strict, and the NemoClaw schema permits that value. Pinned OpenShell v0.0.44 recognizes only exact hard_requirement; every other string maps to BestEffort (source). OpenShell v0.0.71 retains the same contract. Therefore #5596 is not a prerequisite for this fix and does not change the relevant policy/schema files.

  2. The new heuristic fails open and can inspect the wrong kernel. Empty or unparseable probe output and probe exceptions all continue onboarding. A version at or above 5.13 does not prove that Landlock is compiled in, active, syscall-accessible, successfully prepared, or enforced. On Linux, host uname -r is also not authoritative for a remote Docker daemon, OpenShell gateway, or Kubernetes node. The check applies globally even though other agent policies intentionally use best_effort.

  3. The security/lifecycle evidence is incomplete. The two unit tests cover only known 5.12 and 5.13 strings. There is no create/reuse/delete/registry boundary test. The PR Review Advisor remains Blocked, both CodeRabbit threads remain unresolved, and the required E2E advisor jobs were recommended but not run.

Minimal salvage:

  • Change the dcode policy from strict to upstream hard_requirement, and change the schema enum to best_effort | hard_requirement.
  • Add policy/schema regressions that reject strict, plus a focused onboarding failure test proving no Ready registry entry or stale sandbox when OpenShell rejects Landlock.
  • Remove the global host-kernel heuristic, or keep it only as scoped, non-authoritative dcode UX; treat OpenShell sandbox-process enforcement as the security boundary.
  • Rewrite the documentation as dcode-specific and resolve the two current documentation conflicts after the behavior is correct.
  • Run focused config/dcode/onboarding tests, then a supported-kernel dcode Landlock E2E and the advised negative-path E2E.

@jyaunches jyaunches added v0.0.72 Release target and removed v0.0.71 Release target labels Jun 30, 2026
@cv cv added v0.0.73 Release target and removed v0.0.72 Release target labels Jul 1, 2026
@wscurran wscurran added v0.0.74 Release target and removed v0.0.73 Release target labels Jul 2, 2026
@apurvvkumaria apurvvkumaria assigned apurvvkumaria and unassigned cv Jul 3, 2026
apurvvkumaria and others added 2 commits July 3, 2026 13:23
Co-authored-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@ericksoa ericksoa added the v0.0.78 Release target label Jul 8, 2026
@cjagwani

cjagwani commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Release disposition: deferring this PR from v0.0.78 to v0.0.79. The failure-classification and cleanup work is useful, but the exact-head security blocker cannot be repaired by resolving the current merge conflicts: NemoClaw still pins OpenShell 0.0.72, and the real Docker-driver reproduction shows hard_requirement plus the DCode policy's file paths aborting proxy-mode startup under the ABI-v2 rights behavior. The committed negative fixture uses an error shape that does not establish a successful enforced runtime.

Exit criteria for the next release target remain: (1) land and pin an upstream/runtime fix compatible with the DCode policy, (2) update this branch conflict-free onto current main, and (3) pass a real Docker-driver DCode E2E proving successful startup with hard_requirement actually enforced, followed by exact-head CI/advisor review. Leaving the PR open preserves the valid cleanup work and contributor history.

cv added 2 commits July 8, 2026 23:00
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@jyaunches jyaunches added v0.0.80 Release target and removed v0.0.79 Release target labels Jul 9, 2026
@cv

cv commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Current upstream recheck at exact head ec59f82203: the runtime blocker still exists, so no conflict-only salvage or E2E rerun is useful yet.

  • OpenShell v0.0.80 and current main retain the same Landlock builder as v0.0.72: ABI v2 with AccessFs::from_read(abi) for every read-only PathBeneath and AccessFs::from_all(abi) for every read-write path (source).
  • The proxy baseline still injects the file node /dev/urandom (source). Enrichment deduplicates exact strings only, so replacing the explicit device leaves with /dev does not prevent /dev/urandom from being re-added.
  • NemoClaw main still pins OpenShell 0.0.72, but pinning 0.0.80 alone would not help: the relevant Landlock file is byte-identical and the same directory-only ReadDir right is applied to file descriptors.

The required unblock remains an upstream file-type-aware Landlock rule fix, followed by a reviewed released pin. Only then should we port the Landlock-specific create-failure cleanup through current main and require a real successful DCode hard_requirement startup/inference E2E plus the controlled negative cleanup/no-Ready-registry proof.

@cv cv added v0.0.81 Release target and removed v0.0.80 Release target labels Jul 10, 2026
@cv

cv commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Release sweep: deferring this PR from v0.0.81.

This remains blocked on a released, file-type-aware OpenShell Landlock implementation rather than only on branch drift. The current hard requirement still names device files that the available policy builder cannot enforce successfully, and the committed fixture proves a synthetic failure path rather than successful DCode startup. The branch also conflicts with current main, and the requested live E2E evidence is not present.

Re-target after the runtime fix is released and pinned, then require positive DCode startup/inference proof plus negative cleanup and registry-state proof.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression integration: dcode LangChain Deep Code integration behavior needs: unblock Blocked item needs dependency or decision resolved NV QA Bugs found by the NVIDIA QA Team

Projects

None yet

9 participants