Skip to content

fix(policy): restore Tavily egress for managed Python#6134

Merged
apurvvkumaria merged 3 commits into
mainfrom
fix/restore-tavily-python-egress
Jul 1, 2026
Merged

fix(policy): restore Tavily egress for managed Python#6134
apurvvkumaria merged 3 commits into
mainfrom
fix/restore-tavily-python-egress

Conversation

@apurvvkumaria

@apurvvkumaria apurvvkumaria commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Summary

Restore the managed Deep Agents Code Python interpreter to the Tavily policy and provider-profile allowlists. PR #5969 removed Python while tightening the Tavily boundary, which left policy-add tavily successful but Python-originated Tavily requests blocked by OpenShell with HTTP 403.

Changes

  • Add /opt/venv/bin/python3* to nemoclaw-blueprint/policies/presets/tavily.yaml.
  • Add the same managed interpreter path to nemoclaw-blueprint/provider-profiles/tavily.yaml so both enforcement layers agree.
  • Document that the wildcard relies on Deep Agents Code's strict Landlock policy mounting /opt/venv read-only.
  • Keep system Python and writable project-venv paths excluded.
  • Add exact allowlist, profile/preset alignment, and managed-venv trust-boundary contracts.
  • Extend the live Tavily opt-in check: managed Python must reach Tavily, while /usr/bin/python3 and /sandbox/.../bin/python3 must remain blocked.

Source-boundary rationale

  • Invalid state: the documented policy-add tavily flow succeeds, but OpenShell attributes Deep Agents Code requests to /opt/venv/bin/python3*, so Tavily remains blocked unless that managed interpreter is present in both enforcement layers.
  • Source boundary: the existing user-facing source of truth is the shared Tavily preset plus its provider profile; both must remain aligned while policy-add tavily is the supported opt-in command.
  • Constraint: moving Tavily into an agent-default policy would change opt-in semantics during a release-blocking regression fix. This PR therefore restores the narrow read-only managed path without adding system or writable project Python.
  • Regression coverage: exact allowlists, profile/preset equality, the Deep Agents read-only /opt/venv contract, and live positive/negative process-attribution probes.
  • Removal condition: remove the shared managed path only when policy-add tavily is redesigned or deprecated in favor of an agent-scoped opt-in mechanism with equivalent runtime coverage.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: existing Deep Agents documentation already states that OpenShell attributes Tavily calls to the managed Python interpreter; this restores the documented behavior.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending maintainer review; the change restores only /opt/venv/bin/python3*, not system or writable project Python paths.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Git hooks passed during commit and push, or npx prek run --from-ref main --to-ref HEAD passes — the diff-scoped fallback passed formatting, schema, repository, and secret-scan hooks; its broad integration lane requires Linux utilities/semantics unavailable on this macOS host, so CI remains authoritative.
  • Targeted tests pass for changed behavior
  • Full npm test passes (broad runtime changes only)
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Apurv Kumaria 36614+apurvvkumaria@users.noreply.github.com

Signed-off-by: Apurv Kumaria <36614+apurvvkumaria@users.noreply.github.com>
@apurvvkumaria apurvvkumaria self-assigned this Jul 1, 2026
@copy-pr-bot

copy-pr-bot Bot commented Jul 1, 2026

Copy link
Copy Markdown

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds /opt/venv/bin/python3* to the Tavily preset policy and provider profile binary allowlists. It updates validation tests and e2e checks to reflect the new managed Python path and to keep system Python blocked under the Tavily policy.

Changes

Tavily Python binary allowlist update

Layer / File(s) Summary
Allowlist config updates
nemoclaw-blueprint/policies/presets/tavily.yaml, nemoclaw-blueprint/provider-profiles/tavily.yaml
Adds /opt/venv/bin/python3* with explanatory comments to both Tavily binary allowlists.
Test assertion updates
test/tavily-preset.test.ts, test/validate-blueprint.test.ts
Updates Tavily policy/profile expectations to include the new Python glob and asserts the provider profile matches the policy preset binaries.
E2E Tavily probe checks
test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh, test/langchain-deepagents-code-image.test.ts
Parameterizes the probe Python executable, adds a system-Python block check after policy-add, and updates the image test expectations for the new probe output.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Suggested labels: bug-fix, area: policy

Suggested reviewers: ericksoa, cv

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: restoring Tavily access for the managed Python interpreter in policy allowlists.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/restore-tavily-python-egress

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File f2a161c +/-
nemoclaw/src/se...cret-scanner.ts 100%
nemoclaw/src/commands/slash.ts 100%
nemoclaw/src/li...bprocess-env.ts 100%
nemoclaw/src/bl...eprint/state.ts 98%
nemoclaw/src/onboard/config.ts 98%
nemoclaw/src/bl...int/snapshot.ts 97%
nemoclaw/src/bl...print/runner.ts 95%
nemoclaw/src/co...ration-state.ts 94%
nemoclaw/src/bl...ate-networks.ts 94%
nemoclaw/src/index.ts 94%

TypeScript / code-coverage/cli

The overall coverage in the branch is 68%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File f2a161c +/-
src/lib/shields...nsition-lock.ts 86%
src/lib/actions...dbox/rebuild.ts 80%
src/lib/actions...all/run-plan.ts 80%
src/lib/state/o...oard-session.ts 80%
src/lib/state/sandbox.ts 72%
src/lib/onboard/preflight.ts 69%
src/lib/shields/index.ts 67%
src/lib/onboard...er-gpu-patch.ts 59%
src/lib/actions...licy-channel.ts 58%
src/lib/onboard.ts 20%

Updated July 01, 2026 18:42 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: ubuntu-repo-cloud-langchain-deepagents-code, network-policy
Optional E2E: None

Dispatch hint: network-policy

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • ubuntu-repo-cloud-langchain-deepagents-code (high): Runs the live LangChain Deep Agents Code target, including the changed 09-deepagents-code-tavily-opt-in.sh check that applies the Tavily policy and verifies managed /opt/venv Python can reach Tavily while system/project Python remain blocked.
  • network-policy (high): The PR changes a network-policy preset allowlist. The focused network-policy job validates live policy-add/dry-run behavior, deny-by-default posture, per-binary enforcement, and hot reload on a real sandbox.

Optional E2E

  • None.

New E2E recommendations

  • tavily-provider-profile-live-credential-flow (medium): Existing live coverage exercises the Tavily policy preset through policy-add, but does not appear to create/use a Tavily provider profile with TAVILY_API_KEY and prove credential rewrite plus endpoint access in a real sandbox.
    • Suggested test: Add a live E2E that provisions a Tavily provider from nemoclaw-blueprint/provider-profiles/tavily.yaml, injects a test Tavily credential via the supported credential path, and verifies only the intended runtime binary reaches api.tavily.com with credentials applied.

Dispatch hint

  • Workflow: e2e.yaml
  • jobs input: network-policy

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-langchain-deepagents-code
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • ubuntu-repo-cloud-langchain-deepagents-code: The PR changes the Tavily policy/provider allowlist and the Deep Agents Code Tavily opt-in E2E check. The live-supported ubuntu-repo-cloud-langchain-deepagents-code target is the smallest typed target that onboards Deep Agents Code and runs the deepagents-code-policy suite containing this Tavily opt-in check.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-langchain-deepagents-code

Optional E2E targets

  • None.

Relevant changed files

  • nemoclaw-blueprint/policies/presets/tavily.yaml
  • nemoclaw-blueprint/provider-profiles/tavily.yaml
  • test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: No advisor follow-up required beyond maintainer review.
Open items: 0 required · 0 warnings · 0 suggestions · 0 test follow-ups
Since last review: 2 prior items resolved · 0 still apply · 0 new items found

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Fix PRA-3: Wildcard /opt/venv/bin/python3* in shared Tavily preset creates sandbox escape vector; then add or justify PRA-T1.
Open items: 2 required · 5 warnings · 4 suggestions · 8 test follow-ups
Since last review: 1 prior item resolved · 3 still apply · 4 new items found

Action checklist

  • PRA-3 Fix: Wildcard /opt/venv/bin/python3* in shared Tavily preset creates sandbox escape vector in nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • PRA-4 Fix: Source-of-truth review: Tavily policy in shared preset vs agent-specific policy in nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • PRA-1 Resolve or justify: Source-of-truth review needed: nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • PRA-2 Resolve or justify: Source-of-truth review needed: nemoclaw-blueprint/provider-profiles/tavily.yaml:25
  • PRA-5 Resolve or justify: Provider profile mirrors preset wildcard in shared context in nemoclaw-blueprint/provider-profiles/tavily.yaml:25
  • PRA-6 Resolve or justify: Missing cross-sandbox negative test for policy bypass in test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh:126
  • PRA-7 Resolve or justify: PR feat(mcp): add OpenShell-managed MCP servers #5876 overlap on same tavily.yaml files in nemoclaw-blueprint/policies/presets/tavily.yaml:1
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Missing cross-sandbox negative test for policy bypass
  • PRA-T6 Add or justify test follow-up: Sync test lacks documentation of Landlock dependency
  • PRA-T7 Add or justify test follow-up: Tavily preset test lacks security rationale documentation
  • PRA-T8 Add or justify test follow-up: Acceptance clause
  • PRA-8 In-scope improvement: Sync test lacks documentation of Landlock dependency in test/validate-blueprint.test.ts:514
  • PRA-9 In-scope improvement: Tavily preset test lacks security rationale documentation in test/tavily-preset.test.ts:17
  • PRA-10 In-scope improvement: Comment documents intent but doesn't enforce scope in nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • PRA-11 In-scope improvement: SandboxPolicy type incomplete for new test assertions in test/validate-blueprint.test.ts:1

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-2 Resolve/justify architecture Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-3 Required security nemoclaw-blueprint/policies/presets/tavily.yaml:22 Option A (preferred): Move Tavily network policy block into agents/langchain-deepagents-code/policy-additions.yaml (where github/pypi/managed_inference blocks already live with same wildcard) and deprecate the shared preset. Option B: Pin to exact version /opt/venv/bin/python3.13 (matches Dockerfile.base python3=3.13.5-1) and add runtime validation that preset is only applied to Deep Agents Code sandboxes. Option C: Add guard in applyPreset/loadPresetForSandbox that rejects tavily preset on non-Deep-Agents sandboxes.
PRA-4 Required architecture nemoclaw-blueprint/policies/presets/tavily.yaml:22 File a follow-up issue to migrate Tavily policy to Deep Agents Code policy-additions.yaml and deprecate the shared preset. Add a test that Deep Agents Code sandbox gets Tavily egress via agent policy without needing shared preset. Add negative test: base sandbox applying tavily preset should not grant /opt/venv/bin/python3* egress.
PRA-5 Resolve/justify security nemoclaw-blueprint/provider-profiles/tavily.yaml:25 Keep the sync test. Consider generating one from the other at build time to eliminate drift risk entirely. Add documentation comment in provider profile noting Deep Agents Code scope.
PRA-6 Resolve/justify tests test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh:126 Keep existing test. Add new E2E test (or unit test) that attempts to apply tavily preset to a base sandbox and verifies the wildcard does not grant unintended egress (either because /opt/venv doesn't exist, or because Landlock would block writes to it if it did).
PRA-7 Resolve/justify architecture nemoclaw-blueprint/policies/presets/tavily.yaml:1 Coordinate with PR #5876 author. Ensure both PRs' changes to tavily.yaml are compatible. Consider rebasing one onto the other.
PRA-8 Improvement tests test/validate-blueprint.test.ts:514 Add a test comment or assertion documenting that the wildcard mirrors agents/langchain-deepagents-code/policy-additions.yaml managed_inference/github/pypi blocks and relies on Landlock read-only /opt/venv with strict compatibility. Add a cross-reference test that tavily preset binaries ⊆ Deep Agents Code managed_inference binaries.
PRA-9 Improvement tests test/tavily-preset.test.ts:17 Add a comment in the test explaining the wildcard is specific to Deep Agents Code managed venv and protected by Landlock read-only /opt/venv with strict compatibility.
PRA-10 Improvement correctness nemoclaw-blueprint/policies/presets/tavily.yaml:22 Either move policy to agent-specific location (Option A) or add runtime enforcement (Option B/C). If keeping shared preset temporarily, strengthen comment to warn: 'WARNING: This wildcard is only safe under Deep Agents Code strict Landlock /opt/venv read-only. Do not apply to other sandbox types.'
PRA-11 Improvement correctness test/validate-blueprint.test.ts:1 Ensure SandboxPolicy type includes all accessed fields (filesystem_policy.read_only, landlock.compatibility).

🚨 Required before merge

Address these before merging unless a maintainer explicitly overrides the advisor with rationale.

PRA-3 Required — Wildcard /opt/venv/bin/python3* in shared Tavily preset creates sandbox escape vector

  • Location: nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • Category: security
  • Problem: The Tavily shared opt-in preset adds `/opt/venv/bin/python3*` wildcard. This path only exists and is protected (Landlock read-only + strict mode) in Deep Agents Code sandboxes. Base sandbox has Landlock compatibility: best_effort and no /opt/venv read-only rule. Hermes has /opt/hermes read-only but not /opt/venv. Any sandbox can `policy-add tavily`; if a non-Deep-Agents sandbox creates /opt/venv/bin at runtime, an attacker could place a malicious python3* binary there to gain Tavily egress.
  • Impact: Policy bypass / sandbox escape: non-Deep-Agents sandbox applying tavily preset with writable /opt/venv/bin gets unintended Tavily egress for arbitrary python binaries
  • Required action: Option A (preferred): Move Tavily network policy block into agents/langchain-deepagents-code/policy-additions.yaml (where github/pypi/managed_inference blocks already live with same wildcard) and deprecate the shared preset. Option B: Pin to exact version /opt/venv/bin/python3.13 (matches Dockerfile.base python3=3.13.5-1) and add runtime validation that preset is only applied to Deep Agents Code sandboxes. Option C: Add guard in applyPreset/loadPresetForSandbox that rejects tavily preset on non-Deep-Agents sandboxes.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Compare agents/langchain-deepagents-code/policy-additions.yaml:16 (read_only: /opt/venv) and :24 (landlock.compatibility: strict) vs nemoclaw-blueprint/policies/openclaw-sandbox.yaml:48 (best_effort, no /opt/venv read-only). Verify no other sandbox creates /opt/venv at build.
  • Missing regression test: Add negative test: base sandbox + tavily preset + create /opt/venv/bin/python3.11 at runtime -> should be blocked by policy (no match) or Landlock (if read-only added). Or add unit test asserting tavily preset binaries are subset of Deep Agents Code managed_inference binaries.
  • Done when: The required change is committed and verification passes: Compare agents/langchain-deepagents-code/policy-additions.yaml:16 (read_only: /opt/venv) and :24 (landlock.compatibility: strict) vs nemoclaw-blueprint/policies/openclaw-sandbox.yaml:48 (best_effort, no /opt/venv read-only). Verify no other sandbox creates /opt/venv at build.
  • Evidence: tavily.yaml:22 adds wildcard; policy-additions.yaml:16 has read_only /opt/venv; policy-additions.yaml:24 has strict mode; openclaw-sandbox.yaml:48 has best_effort; Dockerfile.base creates venv at /opt/venv

PRA-4 Required — Source-of-truth review: Tavily policy in shared preset vs agent-specific policy

  • Location: nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • Category: architecture
  • Problem: Tavily network policy lives in a shared preset but contains Deep Agents Code-specific implementation detail (/opt/venv/bin/python3*). The PR acknowledges this is a workaround: 'Moving Tavily to agent-specific policy is a larger refactor; this PR restores the documented behavior minimally.' The invalid state is: shared preset leaks agent-specific trust assumption. github/pypi presets are NOT shared — they live only in agent-specific policy.
  • Impact: Technical debt: any sandbox can opt into tavily preset and get wildcard, but only Deep Agents Code has filesystem protection. github/pypi presets are NOT in shared presets — they are agent-specific.
  • Required action: File a follow-up issue to migrate Tavily policy to Deep Agents Code policy-additions.yaml and deprecate the shared preset. Add a test that Deep Agents Code sandbox gets Tavily egress via agent policy without needing shared preset. Add negative test: base sandbox applying tavily preset should not grant /opt/venv/bin/python3* egress.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Compare agents/langchain-deepagents-code/policy-additions.yaml (has github, pypi, managed_inference with /opt/venv/bin/python3*) vs shared tavily preset. Note github/pypi are NOT in shared presets — they are agent-specific.
  • Missing regression test: When migration occurs, test that Deep Agents Code sandbox gets Tavily egress via agent policy without needing shared preset. Add negative test: base sandbox applying tavily preset should not grant /opt/venv/bin/python3* egress.
  • Done when: The required change is committed and verification passes: Compare agents/langchain-deepagents-code/policy-additions.yaml (has github, pypi, managed_inference with /opt/venv/bin/python3*) vs shared tavily preset. Note github/pypi are NOT in shared presets — they are agent-specific.
  • Evidence: PR body: 'Moving Tavily to agent-specific policy is a larger refactor; this PR restores the documented behavior minimally.' policy-additions.yaml has github/pypi/managed_inference with same wildcard pattern
Review findings by urgency: 2 required fixes, 5 items to resolve/justify, 4 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: nemoclaw-blueprint/policies/presets/tavily.yaml:22

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: NONE — no test prevents this architectural issue from persisting
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: tavily.yaml:22 wildcard; policy-additions.yaml:16,24 strict Landlock; openclaw-sandbox.yaml:48 best_effort

PRA-2 Resolve/justify — Source-of-truth review needed: nemoclaw-blueprint/provider-profiles/tavily.yaml:25

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Sync test at validate-blueprint.test.ts:518-523 ensures equality but doesn't prevent shared-context issue
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: provider-profiles/tavily.yaml:25 wildcard; validate-blueprint.test.ts sync test

PRA-5 Resolve/justify — Provider profile mirrors preset wildcard in shared context

  • Location: nemoclaw-blueprint/provider-profiles/tavily.yaml:25
  • Category: security
  • Problem: Provider profile binaries list mirrors the preset wildcard. The new sync test (validate-blueprint.test.ts:518-523) ensures they stay equal, but both carry the same agent-specific path in a shared context. If provider profile is imported on a non-Deep-Agents sandbox, credential routing would allow /opt/venv/bin/python3* to use Tavily credentials while network policy might not match (or vice versa if they drift).
  • Impact: Credential leakage or policy bypass if provider profile and network policy drift or are applied to different sandbox types
  • Recommended action: Keep the sync test. Consider generating one from the other at build time to eliminate drift risk entirely. Add documentation comment in provider profile noting Deep Agents Code scope.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check validate-blueprint.test.ts sync test and provider profile binaries list.
  • Missing regression test: Cross-sandbox test: apply tavily provider profile to base sandbox, verify credential routing does not grant unintended access when /opt/venv doesn't exist or isn't read-only.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check validate-blueprint.test.ts sync test and provider profile binaries list.
  • Evidence: provider-profiles/tavily.yaml:25 adds /opt/venv/bin/python3*; validate-blueprint.test.ts:518-523 sync test

PRA-6 Resolve/justify — Missing cross-sandbox negative test for policy bypass

  • Location: test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh:126
  • Category: tests
  • Problem: E2E test verifies system Python (/usr/bin/python3) and project venv (/sandbox/.nemoclaw-e2e-project-venv) are blocked from Tavily AFTER policy-add on a Deep Agents Code sandbox. This is a positive validation of current behavior, not a cross-sandbox negative test. It does not test what happens when a base sandbox applies the tavily preset.
  • Impact: No automated coverage proving that base sandbox + tavily preset + runtime /opt/venv/bin creation is denied
  • Recommended action: Keep existing test. Add new E2E test (or unit test) that attempts to apply tavily preset to a base sandbox and verifies the wildcard does not grant unintended egress (either because /opt/venv doesn't exist, or because Landlock would block writes to it if it did).
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Run the E2E test on a base sandbox (not Deep Agents Code) with tavily preset applied, attempt to create /opt/venv/bin/python3.11 and reach Tavily.
  • Missing regression test: Cross-sandbox negative test: base sandbox + tavily preset + runtime /opt/venv/bin creation -> verify Tavily egress denied.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Run the E2E test on a base sandbox (not Deep Agents Code) with tavily preset applied, attempt to create /opt/venv/bin/python3.11 and reach Tavily.
  • Evidence: E2E test at lines 144-168 only validates Deep Agents Code sandbox behavior

PRA-7 Resolve/justify — PR #5876 overlap on same tavily.yaml files

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-8 Improvement — Sync test lacks documentation of Landlock dependency

  • Location: test/validate-blueprint.test.ts:514
  • Category: tests
  • Problem: New 'anchors managed Python access to Deep Agents Code's read-only venv' test documents the relationship but doesn't explicitly note the Landlock strict-mode dependency that makes this safe. The test asserts deepAgentsPolicy.filesystem_policy.read_only contains /opt/venv and landlock.compatibility: strict, but the comment could be more explicit about the security boundary.
  • Impact: Future maintainers may not understand why the wildcard is safe only in this context
  • Suggested action: Add a test comment or assertion documenting that the wildcard mirrors agents/langchain-deepagents-code/policy-additions.yaml managed_inference/github/pypi blocks and relies on Landlock read-only /opt/venv with strict compatibility. Add a cross-reference test that tavily preset binaries ⊆ Deep Agents Code managed_inference binaries.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read the test at validate-blueprint.test.ts lines 525-535.
  • Missing regression test: Cross-reference test: tavily preset binaries ⊆ Deep Agents Code managed_inference binaries.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: validate-blueprint.test.ts:525-535 asserts read_only and strict but comment doesn't explain security boundary

PRA-9 Improvement — Tavily preset test lacks security rationale documentation

  • Location: test/tavily-preset.test.ts:17
  • Category: tests
  • Problem: Tavily preset test asserts the binary allowlist but doesn't explain why /opt/venv/bin/python3* is acceptable only in Deep Agents Code context.
  • Impact: Future maintainers may not understand the security rationale for the wildcard
  • Suggested action: Add a comment in the test explaining the wildcard is specific to Deep Agents Code managed venv and protected by Landlock read-only /opt/venv with strict compatibility.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read test/tavily-preset.test.ts around line 17.
  • Missing regression test: Test comment documenting security rationale.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: test/tavily-preset.test.ts:17 asserts wildcard without explanatory comment

PRA-10 Improvement — Comment documents intent but doesn't enforce scope

  • Location: nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • Category: correctness
  • Problem: Comment in preset says 'OpenShell attributes Deep Agents Code Tavily requests to this managed Python venv' but the preset is shared and has no enforcement of this scope. The comment documents intent but doesn't enforce it.
  • Impact: Developers may apply preset to wrong sandbox type assuming it's safe
  • Suggested action: Either move policy to agent-specific location (Option A) or add runtime enforcement (Option B/C). If keeping shared preset temporarily, strengthen comment to warn: 'WARNING: This wildcard is only safe under Deep Agents Code strict Landlock /opt/venv read-only. Do not apply to other sandbox types.'
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read the comment at tavily.yaml:19-21.
  • Missing regression test: None — this is a documentation/guard improvement.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: tavily.yaml:19-21 comment documents intent without enforcement

PRA-11 Improvement — SandboxPolicy type incomplete for new test assertions

  • Location: test/validate-blueprint.test.ts:1
  • Category: correctness
  • Problem: New test imports DEEPAGENTS_POLICY_PATH and TAVILY_POLICY_PRESET_PATH but the test file's SandboxPolicy type doesn't include filesystem_policy or landlock fields until line 525 where they're accessed. Type definition updated but could be more complete.
  • Impact: TypeScript may not catch missing fields if policy structure changes
  • Suggested action: Ensure SandboxPolicy type includes all accessed fields (filesystem_policy.read_only, landlock.compatibility).
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check SandboxPolicy type definition at validate-blueprint.test.ts:50-55 vs usage at 528-530.
  • Missing regression test: TypeScript compilation check.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Type at line 50-55 vs usage at 528-530
Simplification opportunities: 1 possible cut

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-10 shrink (nemoclaw-blueprint/policies/presets/tavily.yaml:22): /opt/venv/bin/python3* wildcard in shared preset
    • Replacement: Pin to /opt/venv/bin/python3.13 (matches Dockerfile.base python3=3.13.5-1) and add runtime guard in applyPreset/loadPresetForSandbox
    • Net: 2 lines
    • Safety boundary: Preserve managed_inference/github/pypi wildcard pattern in agent-specific policy-additions.yaml where Landlock strict mode protects it
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Cross-sandbox negative test: create base sandbox, apply tavily preset, attempt to create /opt/venv/bin/python3.11 at runtime and reach api.tavily.com — should be denied. Runtime/sandbox/infrastructure paths need behavioral runtime validation: nemoclaw-blueprint/policies/presets/tavily.yaml, nemoclaw-blueprint/provider-profiles/tavily.yaml. Positive validation exists for Deep Agents Code sandbox; cross-sandbox negative validation missing.
  • PRA-T2 Runtime validation — Unit test: loadPresetForSandbox('base-sandbox', 'tavily') should return null or preset with pinned python3.13 only when sandbox is not Deep Agents Code. Runtime/sandbox/infrastructure paths need behavioral runtime validation: nemoclaw-blueprint/policies/presets/tavily.yaml, nemoclaw-blueprint/provider-profiles/tavily.yaml. Positive validation exists for Deep Agents Code sandbox; cross-sandbox negative validation missing.
  • PRA-T3 Runtime validation — Test that tavily preset binaries are subset of Deep Agents Code managed_inference binaries. Runtime/sandbox/infrastructure paths need behavioral runtime validation: nemoclaw-blueprint/policies/presets/tavily.yaml, nemoclaw-blueprint/provider-profiles/tavily.yaml. Positive validation exists for Deep Agents Code sandbox; cross-sandbox negative validation missing.
  • PRA-T4 Runtime validation — Test that applying tavily provider profile to base sandbox does not grant credential routing for /opt/venv/bin/python3* when path doesn't exist. Runtime/sandbox/infrastructure paths need behavioral runtime validation: nemoclaw-blueprint/policies/presets/tavily.yaml, nemoclaw-blueprint/provider-profiles/tavily.yaml. Positive validation exists for Deep Agents Code sandbox; cross-sandbox negative validation missing.
  • PRA-T5 Missing cross-sandbox negative test for policy bypass — Keep existing test. Add new E2E test (or unit test) that attempts to apply tavily preset to a base sandbox and verifies the wildcard does not grant unintended egress (either because /opt/venv doesn't exist, or because Landlock would block writes to it if it did).
  • PRA-T6 Sync test lacks documentation of Landlock dependency — Add a test comment or assertion documenting that the wildcard mirrors agents/langchain-deepagents-code/policy-additions.yaml managed_inference/github/pypi blocks and relies on Landlock read-only /opt/venv with strict compatibility. Add a cross-reference test that tavily preset binaries ⊆ Deep Agents Code managed_inference binaries.
  • PRA-T7 Tavily preset test lacks security rationale documentation — Add a comment in the test explaining the wildcard is specific to Deep Agents Code managed venv and protected by Landlock read-only /opt/venv with strict compatibility.
  • PRA-T8 Acceptance clause — Document Deep Agents Code read-only venv dependency — add test evidence or identify existing coverage. New test at validate-blueprint.test.ts:525-535 anchors to Deep Agents policy but comment could be more explicit about Landlock strict mode
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Source-of-truth review needed: nemoclaw-blueprint/policies/presets/tavily.yaml:22

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: NONE — no test prevents this architectural issue from persisting
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: tavily.yaml:22 wildcard; policy-additions.yaml:16,24 strict Landlock; openclaw-sandbox.yaml:48 best_effort

PRA-2 Resolve/justify — Source-of-truth review needed: nemoclaw-blueprint/provider-profiles/tavily.yaml:25

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Sync test at validate-blueprint.test.ts:518-523 ensures equality but doesn't prevent shared-context issue
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: provider-profiles/tavily.yaml:25 wildcard; validate-blueprint.test.ts sync test

PRA-3 Required — Wildcard /opt/venv/bin/python3* in shared Tavily preset creates sandbox escape vector

  • Location: nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • Category: security
  • Problem: The Tavily shared opt-in preset adds `/opt/venv/bin/python3*` wildcard. This path only exists and is protected (Landlock read-only + strict mode) in Deep Agents Code sandboxes. Base sandbox has Landlock compatibility: best_effort and no /opt/venv read-only rule. Hermes has /opt/hermes read-only but not /opt/venv. Any sandbox can `policy-add tavily`; if a non-Deep-Agents sandbox creates /opt/venv/bin at runtime, an attacker could place a malicious python3* binary there to gain Tavily egress.
  • Impact: Policy bypass / sandbox escape: non-Deep-Agents sandbox applying tavily preset with writable /opt/venv/bin gets unintended Tavily egress for arbitrary python binaries
  • Required action: Option A (preferred): Move Tavily network policy block into agents/langchain-deepagents-code/policy-additions.yaml (where github/pypi/managed_inference blocks already live with same wildcard) and deprecate the shared preset. Option B: Pin to exact version /opt/venv/bin/python3.13 (matches Dockerfile.base python3=3.13.5-1) and add runtime validation that preset is only applied to Deep Agents Code sandboxes. Option C: Add guard in applyPreset/loadPresetForSandbox that rejects tavily preset on non-Deep-Agents sandboxes.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Compare agents/langchain-deepagents-code/policy-additions.yaml:16 (read_only: /opt/venv) and :24 (landlock.compatibility: strict) vs nemoclaw-blueprint/policies/openclaw-sandbox.yaml:48 (best_effort, no /opt/venv read-only). Verify no other sandbox creates /opt/venv at build.
  • Missing regression test: Add negative test: base sandbox + tavily preset + create /opt/venv/bin/python3.11 at runtime -> should be blocked by policy (no match) or Landlock (if read-only added). Or add unit test asserting tavily preset binaries are subset of Deep Agents Code managed_inference binaries.
  • Done when: The required change is committed and verification passes: Compare agents/langchain-deepagents-code/policy-additions.yaml:16 (read_only: /opt/venv) and :24 (landlock.compatibility: strict) vs nemoclaw-blueprint/policies/openclaw-sandbox.yaml:48 (best_effort, no /opt/venv read-only). Verify no other sandbox creates /opt/venv at build.
  • Evidence: tavily.yaml:22 adds wildcard; policy-additions.yaml:16 has read_only /opt/venv; policy-additions.yaml:24 has strict mode; openclaw-sandbox.yaml:48 has best_effort; Dockerfile.base creates venv at /opt/venv

PRA-4 Required — Source-of-truth review: Tavily policy in shared preset vs agent-specific policy

  • Location: nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • Category: architecture
  • Problem: Tavily network policy lives in a shared preset but contains Deep Agents Code-specific implementation detail (/opt/venv/bin/python3*). The PR acknowledges this is a workaround: 'Moving Tavily to agent-specific policy is a larger refactor; this PR restores the documented behavior minimally.' The invalid state is: shared preset leaks agent-specific trust assumption. github/pypi presets are NOT shared — they live only in agent-specific policy.
  • Impact: Technical debt: any sandbox can opt into tavily preset and get wildcard, but only Deep Agents Code has filesystem protection. github/pypi presets are NOT in shared presets — they are agent-specific.
  • Required action: File a follow-up issue to migrate Tavily policy to Deep Agents Code policy-additions.yaml and deprecate the shared preset. Add a test that Deep Agents Code sandbox gets Tavily egress via agent policy without needing shared preset. Add negative test: base sandbox applying tavily preset should not grant /opt/venv/bin/python3* egress.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Compare agents/langchain-deepagents-code/policy-additions.yaml (has github, pypi, managed_inference with /opt/venv/bin/python3*) vs shared tavily preset. Note github/pypi are NOT in shared presets — they are agent-specific.
  • Missing regression test: When migration occurs, test that Deep Agents Code sandbox gets Tavily egress via agent policy without needing shared preset. Add negative test: base sandbox applying tavily preset should not grant /opt/venv/bin/python3* egress.
  • Done when: The required change is committed and verification passes: Compare agents/langchain-deepagents-code/policy-additions.yaml (has github, pypi, managed_inference with /opt/venv/bin/python3*) vs shared tavily preset. Note github/pypi are NOT in shared presets — they are agent-specific.
  • Evidence: PR body: 'Moving Tavily to agent-specific policy is a larger refactor; this PR restores the documented behavior minimally.' policy-additions.yaml has github/pypi/managed_inference with same wildcard pattern

PRA-5 Resolve/justify — Provider profile mirrors preset wildcard in shared context

  • Location: nemoclaw-blueprint/provider-profiles/tavily.yaml:25
  • Category: security
  • Problem: Provider profile binaries list mirrors the preset wildcard. The new sync test (validate-blueprint.test.ts:518-523) ensures they stay equal, but both carry the same agent-specific path in a shared context. If provider profile is imported on a non-Deep-Agents sandbox, credential routing would allow /opt/venv/bin/python3* to use Tavily credentials while network policy might not match (or vice versa if they drift).
  • Impact: Credential leakage or policy bypass if provider profile and network policy drift or are applied to different sandbox types
  • Recommended action: Keep the sync test. Consider generating one from the other at build time to eliminate drift risk entirely. Add documentation comment in provider profile noting Deep Agents Code scope.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check validate-blueprint.test.ts sync test and provider profile binaries list.
  • Missing regression test: Cross-sandbox test: apply tavily provider profile to base sandbox, verify credential routing does not grant unintended access when /opt/venv doesn't exist or isn't read-only.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check validate-blueprint.test.ts sync test and provider profile binaries list.
  • Evidence: provider-profiles/tavily.yaml:25 adds /opt/venv/bin/python3*; validate-blueprint.test.ts:518-523 sync test

PRA-6 Resolve/justify — Missing cross-sandbox negative test for policy bypass

  • Location: test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh:126
  • Category: tests
  • Problem: E2E test verifies system Python (/usr/bin/python3) and project venv (/sandbox/.nemoclaw-e2e-project-venv) are blocked from Tavily AFTER policy-add on a Deep Agents Code sandbox. This is a positive validation of current behavior, not a cross-sandbox negative test. It does not test what happens when a base sandbox applies the tavily preset.
  • Impact: No automated coverage proving that base sandbox + tavily preset + runtime /opt/venv/bin creation is denied
  • Recommended action: Keep existing test. Add new E2E test (or unit test) that attempts to apply tavily preset to a base sandbox and verifies the wildcard does not grant unintended egress (either because /opt/venv doesn't exist, or because Landlock would block writes to it if it did).
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Run the E2E test on a base sandbox (not Deep Agents Code) with tavily preset applied, attempt to create /opt/venv/bin/python3.11 and reach Tavily.
  • Missing regression test: Cross-sandbox negative test: base sandbox + tavily preset + runtime /opt/venv/bin creation -> verify Tavily egress denied.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Run the E2E test on a base sandbox (not Deep Agents Code) with tavily preset applied, attempt to create /opt/venv/bin/python3.11 and reach Tavily.
  • Evidence: E2E test at lines 144-168 only validates Deep Agents Code sandbox behavior

PRA-7 Resolve/justify — PR #5876 overlap on same tavily.yaml files

PRA-8 Improvement — Sync test lacks documentation of Landlock dependency

  • Location: test/validate-blueprint.test.ts:514
  • Category: tests
  • Problem: New 'anchors managed Python access to Deep Agents Code's read-only venv' test documents the relationship but doesn't explicitly note the Landlock strict-mode dependency that makes this safe. The test asserts deepAgentsPolicy.filesystem_policy.read_only contains /opt/venv and landlock.compatibility: strict, but the comment could be more explicit about the security boundary.
  • Impact: Future maintainers may not understand why the wildcard is safe only in this context
  • Suggested action: Add a test comment or assertion documenting that the wildcard mirrors agents/langchain-deepagents-code/policy-additions.yaml managed_inference/github/pypi blocks and relies on Landlock read-only /opt/venv with strict compatibility. Add a cross-reference test that tavily preset binaries ⊆ Deep Agents Code managed_inference binaries.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read the test at validate-blueprint.test.ts lines 525-535.
  • Missing regression test: Cross-reference test: tavily preset binaries ⊆ Deep Agents Code managed_inference binaries.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: validate-blueprint.test.ts:525-535 asserts read_only and strict but comment doesn't explain security boundary

PRA-9 Improvement — Tavily preset test lacks security rationale documentation

  • Location: test/tavily-preset.test.ts:17
  • Category: tests
  • Problem: Tavily preset test asserts the binary allowlist but doesn't explain why /opt/venv/bin/python3* is acceptable only in Deep Agents Code context.
  • Impact: Future maintainers may not understand the security rationale for the wildcard
  • Suggested action: Add a comment in the test explaining the wildcard is specific to Deep Agents Code managed venv and protected by Landlock read-only /opt/venv with strict compatibility.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read test/tavily-preset.test.ts around line 17.
  • Missing regression test: Test comment documenting security rationale.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: test/tavily-preset.test.ts:17 asserts wildcard without explanatory comment

PRA-10 Improvement — Comment documents intent but doesn't enforce scope

  • Location: nemoclaw-blueprint/policies/presets/tavily.yaml:22
  • Category: correctness
  • Problem: Comment in preset says 'OpenShell attributes Deep Agents Code Tavily requests to this managed Python venv' but the preset is shared and has no enforcement of this scope. The comment documents intent but doesn't enforce it.
  • Impact: Developers may apply preset to wrong sandbox type assuming it's safe
  • Suggested action: Either move policy to agent-specific location (Option A) or add runtime enforcement (Option B/C). If keeping shared preset temporarily, strengthen comment to warn: 'WARNING: This wildcard is only safe under Deep Agents Code strict Landlock /opt/venv read-only. Do not apply to other sandbox types.'
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read the comment at tavily.yaml:19-21.
  • Missing regression test: None — this is a documentation/guard improvement.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: tavily.yaml:19-21 comment documents intent without enforcement

PRA-11 Improvement — SandboxPolicy type incomplete for new test assertions

  • Location: test/validate-blueprint.test.ts:1
  • Category: correctness
  • Problem: New test imports DEEPAGENTS_POLICY_PATH and TAVILY_POLICY_PRESET_PATH but the test file's SandboxPolicy type doesn't include filesystem_policy or landlock fields until line 525 where they're accessed. Type definition updated but could be more complete.
  • Impact: TypeScript may not catch missing fields if policy structure changes
  • Suggested action: Ensure SandboxPolicy type includes all accessed fields (filesystem_policy.read_only, landlock.compatibility).
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check SandboxPolicy type definition at validate-blueprint.test.ts:50-55 vs usage at 528-530.
  • Missing regression test: TypeScript compilation check.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: Type at line 50-55 vs usage at 528-530

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@cv cv marked this pull request as ready for review July 1, 2026 18:20
Signed-off-by: Apurv Kumaria <36614+apurvvkumaria@users.noreply.github.com>
@apurvvkumaria apurvvkumaria enabled auto-merge (squash) July 1, 2026 18:26

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/langchain-deepagents-code-image.test.ts (1)

523-530: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Assertions are literal source-text matches, not behavioral checks.

Line 527's toContain('python_probe "https://api.tavily.com/" "/usr/bin/python3"') and the other new toContain checks lock the test to the exact literal text of the generated shell script. A harmless refactor of quoting/spacing/variable extraction in 09-deepagents-code-tavily-opt-in.sh (with no behavior change) would break this test without any regression occurring.

This mirrors the file's existing convention for validating generated e2e check scripts, so it's likely an accepted trade-off given real e2e execution requires cloud infra — flagging for awareness rather than as a blocker. As per path instructions, tests should "Prefer observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/langchain-deepagents-code-image.test.ts` around lines 523 - 530, The new
assertions in the Tavily opt-in test are matching literal shell-script text
instead of observable behavior, making the test brittle. Update the checks in
the `tavilyOptInCheck` section of `test/langchain-deepagents-code-image.test.ts`
to validate the generated script’s outcome or a stable public boundary rather
than exact quoting/spacing. Keep the same intent around `python_probe` and the
managed/system Python behavior, but assert through behavior-driven evidence
instead of source-text substrings.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/langchain-deepagents-code-image.test.ts`:
- Around line 523-530: The new assertions in the Tavily opt-in test are matching
literal shell-script text instead of observable behavior, making the test
brittle. Update the checks in the `tavilyOptInCheck` section of
`test/langchain-deepagents-code-image.test.ts` to validate the generated
script’s outcome or a stable public boundary rather than exact quoting/spacing.
Keep the same intent around `python_probe` and the managed/system Python
behavior, but assert through behavior-driven evidence instead of source-text
substrings.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d1d27173-0d48-4408-903e-33c1b8ea7338

📥 Commits

Reviewing files that changed from the base of the PR and between d325e2c and 9bb5072.

📒 Files selected for processing (5)
  • nemoclaw-blueprint/policies/presets/tavily.yaml
  • nemoclaw-blueprint/provider-profiles/tavily.yaml
  • test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh
  • test/langchain-deepagents-code-image.test.ts
  • test/validate-blueprint.test.ts
✅ Files skipped from review due to trivial changes (1)
  • nemoclaw-blueprint/provider-profiles/tavily.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • nemoclaw-blueprint/policies/presets/tavily.yaml
  • test/validate-blueprint.test.ts

Signed-off-by: Apurv Kumaria <36614+apurvvkumaria@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh`:
- Around line 182-194: The `PROJECT_OUT` / `PROJECT_PYTHON` usability check is
brittle because `readlink -f` can return a canonicalized symlink target that
won’t string-match the original path, causing false failures in the
`sandbox_exec` probe. Update the logic around `PROJECT_OUT` in the deepagents
Tavily opt-in check to rely on `test -x`/shell exit status for the venv Python
executable instead of `grep -Fxq` path equality, and keep the existing
`python_probe` and `fail_test`/`pass` branches keyed off that executable check.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 254522f1-0736-4597-8566-0be3cd85ed6c

📥 Commits

Reviewing files that changed from the base of the PR and between 9bb5072 and f2a161c.

📒 Files selected for processing (3)
  • test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh
  • test/langchain-deepagents-code-image.test.ts
  • test/validate-blueprint.test.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/langchain-deepagents-code-image.test.ts
  • test/validate-blueprint.test.ts

Comment on lines +182 to +194
PROJECT_OUT="$(sandbox_exec "if ! test -x ${PROJECT_PYTHON@Q}; then python3 -m venv --copies ${PROJECT_VENV@Q}; fi; test -x ${PROJECT_PYTHON@Q} && readlink -f ${PROJECT_PYTHON@Q}" || true)"
if echo "$PROJECT_OUT" | grep -Fxq "$PROJECT_PYTHON"; then
PROJECT_PROBE_OUTPUT="$(python_probe "https://api.tavily.com/" "$PROJECT_PYTHON" || true)"
if echo "$PROJECT_PROBE_OUTPUT" | grep -q "BLOCKED:" && ! echo "$PROJECT_PROBE_OUTPUT" | grep -q "REACHED:"; then
pass "project venv Python under /sandbox remains blocked from Tavily after policy-add"
elif echo "$PROJECT_PROBE_OUTPUT" | grep -q "REACHED:"; then
fail_test "project venv Python reached Tavily unexpectedly after policy-add: $PROJECT_PROBE_OUTPUT"
else
fail_test "project venv Python Tavily probe lacked denial evidence after policy-add: $PROJECT_PROBE_OUTPUT"
fi
else
fail_test "project venv under /sandbox did not expose a usable python3 executable: $PROJECT_OUT"
fi

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fragile path-equality check via readlink -f.

readlink -f canonicalizes the full path, resolving any symlinks in the chain (e.g. venv python3 binaries are often themselves symlinks, or --copies may fall back to a symlink on some platforms/venv implementations). Comparing that canonical output against the literal, non-canonicalized $PROJECT_PYTHON string with grep -Fxq can spuriously fail even when the venv executable is perfectly usable, producing a flaky fail_test "project venv under /sandbox did not expose a usable python3 executable".

Prefer checking the exit status of test -x directly instead of string-comparing resolved paths.

🔧 Proposed fix
-PROJECT_OUT="$(sandbox_exec "if ! test -x ${PROJECT_PYTHON@Q}; then python3 -m venv --copies ${PROJECT_VENV@Q}; fi; test -x ${PROJECT_PYTHON@Q} && readlink -f ${PROJECT_PYTHON@Q}" || true)"
-if echo "$PROJECT_OUT" | grep -Fxq "$PROJECT_PYTHON"; then
+PROJECT_OUT="$(sandbox_exec "if ! test -x ${PROJECT_PYTHON@Q}; then python3 -m venv --copies ${PROJECT_VENV@Q}; fi; test -x ${PROJECT_PYTHON@Q} && echo OK" || true)"
+if echo "$PROJECT_OUT" | grep -Fxq "OK"; then
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
PROJECT_OUT="$(sandbox_exec "if ! test -x ${PROJECT_PYTHON@Q}; then python3 -m venv --copies ${PROJECT_VENV@Q}; fi; test -x ${PROJECT_PYTHON@Q} && readlink -f ${PROJECT_PYTHON@Q}" || true)"
if echo "$PROJECT_OUT" | grep -Fxq "$PROJECT_PYTHON"; then
PROJECT_PROBE_OUTPUT="$(python_probe "https://api.tavily.com/" "$PROJECT_PYTHON" || true)"
if echo "$PROJECT_PROBE_OUTPUT" | grep -q "BLOCKED:" && ! echo "$PROJECT_PROBE_OUTPUT" | grep -q "REACHED:"; then
pass "project venv Python under /sandbox remains blocked from Tavily after policy-add"
elif echo "$PROJECT_PROBE_OUTPUT" | grep -q "REACHED:"; then
fail_test "project venv Python reached Tavily unexpectedly after policy-add: $PROJECT_PROBE_OUTPUT"
else
fail_test "project venv Python Tavily probe lacked denial evidence after policy-add: $PROJECT_PROBE_OUTPUT"
fi
else
fail_test "project venv under /sandbox did not expose a usable python3 executable: $PROJECT_OUT"
fi
PROJECT_OUT="$(sandbox_exec "if ! test -x ${PROJECT_PYTHON@Q}; then python3 -m venv --copies ${PROJECT_VENV@Q}; fi; test -x ${PROJECT_PYTHON@Q} && echo OK" || true)"
if echo "$PROJECT_OUT" | grep -Fxq "OK"; then
PROJECT_PROBE_OUTPUT="$(python_probe "https://api.tavily.com/" "$PROJECT_PYTHON" || true)"
if echo "$PROJECT_PROBE_OUTPUT" | grep -q "BLOCKED:" && ! echo "$PROJECT_PROBE_OUTPUT" | grep -q "REACHED:"; then
pass "project venv Python under /sandbox remains blocked from Tavily after policy-add"
elif echo "$PROJECT_PROBE_OUTPUT" | grep -q "REACHED:"; then
fail_test "project venv Python reached Tavily unexpectedly after policy-add: $PROJECT_PROBE_OUTPUT"
else
fail_test "project venv Python Tavily probe lacked denial evidence after policy-add: $PROJECT_PROBE_OUTPUT"
fi
else
fail_test "project venv under /sandbox did not expose a usable python3 executable: $PROJECT_OUT"
fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh`
around lines 182 - 194, The `PROJECT_OUT` / `PROJECT_PYTHON` usability check is
brittle because `readlink -f` can return a canonicalized symlink target that
won’t string-match the original path, causing false failures in the
`sandbox_exec` probe. Update the logic around `PROJECT_OUT` in the deepagents
Tavily opt-in check to rely on `test -x`/shell exit status for the venv Python
executable instead of `grep -Fxq` path equality, and keep the existing
`python_probe` and `fail_test`/`pass` branches keyed off that executable check.

@apurvvkumaria apurvvkumaria merged commit adfcc90 into main Jul 1, 2026
60 of 63 checks passed
@apurvvkumaria apurvvkumaria deleted the fix/restore-tavily-python-egress branch July 1, 2026 18:42
apurvvkumaria pushed a commit that referenced this pull request Jul 1, 2026
## Summary

Five pre-existing test failures on the `macos-vitest` CI workflow
(confirmed present before #6060) traced to bash 3.x incompatibilities, a
macOS UTF-8 locale issue, and a missing fixture sync. This PR fixes all
five root causes.

Supersedes #6137 (that PR's branch was accidentally cut from a security
feature branch, pulling in unrelated files into the diff; this is a
clean rebase onto main with the same two commits plus a CodeRabbit fix).

## Related Issue

Investigation of CI run
[28539883104](https://github.com/NVIDIA/NemoClaw/actions/runs/28539883104);
failures also present in run
[28534214317](https://github.com/NVIDIA/NemoClaw/actions/runs/28534214317)
(before #6060), confirming #6060 is not the cause.

## Changes

- **`agents/hermes/start.sh`** — three bash 3.2 compatibility fixes:
- Replace bash 4.1+ named-FD `exec {var}<file` with a `{ } < file`
grouped redirect; variables assigned inside `{}` remain in function
scope
- Replace `mapfile -d '' -t` (bash 4.x only) with `while IFS= read -r -d
"" elem; do arr+=("$elem"); done`
- Guard `${_HERMES_GUARD_TIMEOUT[@]}` with `${arr[@]+"${arr[@]}"}` so
`set -u` does not abort the script when the array is empty (bash 3.2
treats empty `[@]` as unbound)
- **`scripts/gateway-control.sh`** — add `export LC_ALL=C` so `[a-f]`
character-class ranges in `case` patterns are byte-exact; macOS
`en_US.UTF-8` makes `[a-f]` case-insensitive, allowing uppercase hex
nonces to pass the `*[!0-9a-f]*` check
- **`scripts/lib/gateway-supervisor.sh`** — same `LC_ALL=C` fix for the
sourced library's nonce validation path
- **`test/gateway-supervisor-control.test.ts`** — pin
`NEMOCLAW_TEST_GATEWAY_CONTROL_CALLER_UID=0` in the nonce-rejection test
so it does not depend on the CI runner's UID; tighten macOS bash 3.2
SIGTERM filter from broad word-match to exact `Terminated: <digits>` /
`Killed: <digits>` format so unrelated stderr still fails the assertion
- **`test/e2e/fixtures/redaction.ts`** — add `tvly-` Tavily token
pattern missing since #6134, fixing the `e2e-redaction-parity`
`Array(16)` vs `Array(17)` mismatch

## Type of Change

- [x] Code change (feature, bug fix, or refactor)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [x] Docs not applicable — justification: shell compatibility and test
fixes, no user-facing behavior change
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging) —
`gateway-control.sh` and `gateway-supervisor.sh` handle nonce validation
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — the `LC_ALL=C` fix tightens nonce validation (rejects
uppercase hex on macOS that was previously accepted);
`gateway_control_stop_tracked_pid` behavior is unchanged

## Verification

- [x] Git hooks passed during commit and push
- [x] Targeted tests pass for changed behavior
  - `test/gateway-supervisor-control.test.ts`: 22/22 ✓
- `test/hermes-managed-exit-authorization.test.ts`: all ✓ (was 8
failures before)
  - `test/e2e/support/e2e-redaction-parity.test.ts`: 3/3 ✓
- `test/hermes-gateway-supervisor-recovery.test.ts`: 41/42 (1 local
flake — PID 4242 alive on dev machine; unrelated to these changes,
passes on CI fresh runners)
- [x] No secrets, API keys, or credentials committed

**Remaining failures not addressed in this PR** (different root class,
need separate investigation):
- `install-preflight.test.ts` — environment-specific
- `deepagents-code-tui-startup-check.test.ts` — needs investigation
- `platform-parity-cloud-experimental.test.ts` — needs investigation
- WSL `runtime-recovery-preload.test.ts`, `rebuild-config-hash.test.ts`
— different class of failure

---
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved gateway nonce validation to reliably accept only lowercase
hex characters, independent of locale and macOS environments.
* Fixed managed gateway startup, recovery, and live-status monitoring to
be compatible with older Bash versions.
* Tightened controller/marker parsing to reduce incorrect authorization
or status detection.
* Expanded secret redaction to cover additional Tavily-shaped tokens,
improving protection in logs and text output.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
ericksoa pushed a commit that referenced this pull request Jul 2, 2026
## Summary
- Add the `v0.0.72` release-note section with links to the deeper docs
pages for installer recovery, command diagnostics, inference, policy,
and sandbox repair changes.
- Document the custom preset `allowed_ips` guard for user-authored
policy files.

## Related Issue
None.

## Source summary
- #6132 -> `docs/about/release-notes.mdx`: Summarizes installer and
upgrade recovery before generic onboarding, with links to quickstart and
lifecycle docs.
- #6087 -> `docs/network-policy/customize-network-policy.mdx`: Documents
that user-authored custom presets reject `allowed_ips` for ordinary
endpoints; also summarized in release notes.
- #5975 -> `docs/about/release-notes.mdx`: Summarizes safer curl-based
inference probes that keep API keys out of process arguments.
- #6044 -> `docs/about/release-notes.mdx`: Summarizes compact `channels
status` configuration reporting.
- #6096 -> `docs/about/release-notes.mdx`: Summarizes OpenClaw EC2
metadata discovery disablement and links to security guidance.
- #5980 and #5991 -> `docs/about/release-notes.mdx`: Summarizes `exec`
multiline argument rejection and recovery guidance.
- #6023 -> `docs/about/release-notes.mdx`: Summarizes
registered-provider diagnostics for `inference set` failures.
- #6074 -> `docs/about/release-notes.mdx`: Summarizes the refreshed
NVIDIA Endpoints featured-model selection behavior.
- #5969 -> `docs/about/release-notes.mdx`: Summarizes `credentials add`
provider credential registration.
- #6060 -> `docs/about/release-notes.mdx`: Summarizes mutable OpenClaw
config permission restoration after `exec`.
- #6134 -> `docs/about/release-notes.mdx`: Summarizes restored Tavily
access for managed Python workflows.
- #6089 -> `docs/about/release-notes.mdx`: Summarizes Hermes runtime
version-scheme comparison during upgrade checks.
- #6131 -> `docs/about/release-notes.mdx`: Summarizes OpenClaw gateway
watchdog recovery behavior.
- #5976 and #5990 -> `docs/about/release-notes.mdx`: Summarizes prompt
stdin EOF cancellation behavior during onboarding.
- #5540 -> `docs/about/release-notes.mdx`: Summarizes clarified
host-level and per-sandbox status command scope.
- #5978 and #6018 -> `docs/about/release-notes.mdx`: Summarizes
policy-denial log breadcrumbs in connect shells.

## Testing
- `npm run docs:sync-agent-variants`
- `npm run docs`
- Commit hooks passed during `git commit`, including commitlint and
gitleaks.
- Pre-push hook passed during `git push`, including TypeScript CLI and
package/tag version sync.

## Checklist
- [x] Documentation updated.
- [x] `npm run docs` completed with 0 errors and 1 existing Fern
warning.
- [x] No source code or generated build artifacts committed.

Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.72 covering improved installer recovery,
clearer CLI diagnostics, safer inference setup and provider switching,
better credential handling, stronger policy boundaries, and more robust
runtime repair behavior.
* Updated network policy guidance to clarify when `allowed_ips` can be
used, including a specific exception for the sandbox-to-host bridge
endpoint.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Restore the managed Deep Agents Code Python interpreter to the Tavily
policy and provider-profile allowlists. PR NVIDIA#5969 removed Python while
tightening the Tavily boundary, which left `policy-add tavily`
successful but Python-originated Tavily requests blocked by OpenShell
with HTTP 403.

## Changes

- Add `/opt/venv/bin/python3*` to
`nemoclaw-blueprint/policies/presets/tavily.yaml`.
- Add the same managed interpreter path to
`nemoclaw-blueprint/provider-profiles/tavily.yaml` so both enforcement
layers agree.
- Document why the interpreter is required for OpenShell process
attribution.
- Update the exact preset and provider-profile allowlist contracts.
- Keep system Python paths excluded so the restored access remains
limited to the managed Deep Agents environment.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: existing Deep Agents
documentation already states that OpenShell attributes Tavily calls to
the managed Python interpreter; this restores the documented behavior.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: pending maintainer
review; the change restores only `/opt/venv/bin/python3*`, not system
Python paths.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes — the diff-scoped fallback passed
formatting, schema, repository, and secret-scan hooks; its broad
integration lane requires Linux utilities/semantics unavailable on this
macOS host, so CI remains authoritative.
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Apurv Kumaria
<36614+apurvvkumaria@users.noreply.github.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Updated Tavily-related runtime permissions to allow the managed Python
interpreter, which should reduce permission-related failures when
running Python-based tasks.
* Kept existing allowed binaries unchanged while extending support for
the additional Python runtime path.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Apurv Kumaria <36614+apurvvkumaria@users.noreply.github.com>
Co-authored-by: Apurv Kumaria <36614+apurvvkumaria@users.noreply.github.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
## Summary

Five pre-existing test failures on the `macos-vitest` CI workflow
(confirmed present before NVIDIA#6060) traced to bash 3.x incompatibilities, a
macOS UTF-8 locale issue, and a missing fixture sync. This PR fixes all
five root causes.

Supersedes NVIDIA#6137 (that PR's branch was accidentally cut from a security
feature branch, pulling in unrelated files into the diff; this is a
clean rebase onto main with the same two commits plus a CodeRabbit fix).

## Related Issue

Investigation of CI run
[28539883104](https://github.com/NVIDIA/NemoClaw/actions/runs/28539883104);
failures also present in run
[28534214317](https://github.com/NVIDIA/NemoClaw/actions/runs/28534214317)
(before NVIDIA#6060), confirming NVIDIA#6060 is not the cause.

## Changes

- **`agents/hermes/start.sh`** — three bash 3.2 compatibility fixes:
- Replace bash 4.1+ named-FD `exec {var}<file` with a `{ } < file`
grouped redirect; variables assigned inside `{}` remain in function
scope
- Replace `mapfile -d '' -t` (bash 4.x only) with `while IFS= read -r -d
"" elem; do arr+=("$elem"); done`
- Guard `${_HERMES_GUARD_TIMEOUT[@]}` with `${arr[@]+"${arr[@]}"}` so
`set -u` does not abort the script when the array is empty (bash 3.2
treats empty `[@]` as unbound)
- **`scripts/gateway-control.sh`** — add `export LC_ALL=C` so `[a-f]`
character-class ranges in `case` patterns are byte-exact; macOS
`en_US.UTF-8` makes `[a-f]` case-insensitive, allowing uppercase hex
nonces to pass the `*[!0-9a-f]*` check
- **`scripts/lib/gateway-supervisor.sh`** — same `LC_ALL=C` fix for the
sourced library's nonce validation path
- **`test/gateway-supervisor-control.test.ts`** — pin
`NEMOCLAW_TEST_GATEWAY_CONTROL_CALLER_UID=0` in the nonce-rejection test
so it does not depend on the CI runner's UID; tighten macOS bash 3.2
SIGTERM filter from broad word-match to exact `Terminated: <digits>` /
`Killed: <digits>` format so unrelated stderr still fails the assertion
- **`test/e2e/fixtures/redaction.ts`** — add `tvly-` Tavily token
pattern missing since NVIDIA#6134, fixing the `e2e-redaction-parity`
`Array(16)` vs `Array(17)` mismatch

## Type of Change

- [x] Code change (feature, bug fix, or refactor)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [x] Docs not applicable — justification: shell compatibility and test
fixes, no user-facing behavior change
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging) —
`gateway-control.sh` and `gateway-supervisor.sh` handle nonce validation
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — the `LC_ALL=C` fix tightens nonce validation (rejects
uppercase hex on macOS that was previously accepted);
`gateway_control_stop_tracked_pid` behavior is unchanged

## Verification

- [x] Git hooks passed during commit and push
- [x] Targeted tests pass for changed behavior
  - `test/gateway-supervisor-control.test.ts`: 22/22 ✓
- `test/hermes-managed-exit-authorization.test.ts`: all ✓ (was 8
failures before)
  - `test/e2e/support/e2e-redaction-parity.test.ts`: 3/3 ✓
- `test/hermes-gateway-supervisor-recovery.test.ts`: 41/42 (1 local
flake — PID 4242 alive on dev machine; unrelated to these changes,
passes on CI fresh runners)
- [x] No secrets, API keys, or credentials committed

**Remaining failures not addressed in this PR** (different root class,
need separate investigation):
- `install-preflight.test.ts` — environment-specific
- `deepagents-code-tui-startup-check.test.ts` — needs investigation
- `platform-parity-cloud-experimental.test.ts` — needs investigation
- WSL `runtime-recovery-preload.test.ts`, `rebuild-config-hash.test.ts`
— different class of failure

---
Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved gateway nonce validation to reliably accept only lowercase
hex characters, independent of locale and macOS environments.
* Fixed managed gateway startup, recovery, and live-status monitoring to
be compatible with older Bash versions.
* Tightened controller/marker parsing to reduce incorrect authorization
or status detection.
* Expanded secret redaction to cover additional Tavily-shaped tokens,
improving protection in logs and text output.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
## Summary
- Add the `v0.0.72` release-note section with links to the deeper docs
pages for installer recovery, command diagnostics, inference, policy,
and sandbox repair changes.
- Document the custom preset `allowed_ips` guard for user-authored
policy files.

## Related Issue
None.

## Source summary
- NVIDIA#6132 -> `docs/about/release-notes.mdx`: Summarizes installer and
upgrade recovery before generic onboarding, with links to quickstart and
lifecycle docs.
- NVIDIA#6087 -> `docs/network-policy/customize-network-policy.mdx`: Documents
that user-authored custom presets reject `allowed_ips` for ordinary
endpoints; also summarized in release notes.
- NVIDIA#5975 -> `docs/about/release-notes.mdx`: Summarizes safer curl-based
inference probes that keep API keys out of process arguments.
- NVIDIA#6044 -> `docs/about/release-notes.mdx`: Summarizes compact `channels
status` configuration reporting.
- NVIDIA#6096 -> `docs/about/release-notes.mdx`: Summarizes OpenClaw EC2
metadata discovery disablement and links to security guidance.
- NVIDIA#5980 and NVIDIA#5991 -> `docs/about/release-notes.mdx`: Summarizes `exec`
multiline argument rejection and recovery guidance.
- NVIDIA#6023 -> `docs/about/release-notes.mdx`: Summarizes
registered-provider diagnostics for `inference set` failures.
- NVIDIA#6074 -> `docs/about/release-notes.mdx`: Summarizes the refreshed
NVIDIA Endpoints featured-model selection behavior.
- NVIDIA#5969 -> `docs/about/release-notes.mdx`: Summarizes `credentials add`
provider credential registration.
- NVIDIA#6060 -> `docs/about/release-notes.mdx`: Summarizes mutable OpenClaw
config permission restoration after `exec`.
- NVIDIA#6134 -> `docs/about/release-notes.mdx`: Summarizes restored Tavily
access for managed Python workflows.
- NVIDIA#6089 -> `docs/about/release-notes.mdx`: Summarizes Hermes runtime
version-scheme comparison during upgrade checks.
- NVIDIA#6131 -> `docs/about/release-notes.mdx`: Summarizes OpenClaw gateway
watchdog recovery behavior.
- NVIDIA#5976 and NVIDIA#5990 -> `docs/about/release-notes.mdx`: Summarizes prompt
stdin EOF cancellation behavior during onboarding.
- NVIDIA#5540 -> `docs/about/release-notes.mdx`: Summarizes clarified
host-level and per-sandbox status command scope.
- NVIDIA#5978 and NVIDIA#6018 -> `docs/about/release-notes.mdx`: Summarizes
policy-denial log breadcrumbs in connect shells.

## Testing
- `npm run docs:sync-agent-variants`
- `npm run docs`
- Commit hooks passed during `git commit`, including commitlint and
gitleaks.
- Pre-push hook passed during `git push`, including TypeScript CLI and
package/tag version sync.

## Checklist
- [x] Documentation updated.
- [x] `npm run docs` completed with 0 errors and 1 existing Fern
warning.
- [x] No source code or generated build artifacts committed.

Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.72 covering improved installer recovery,
clearer CLI diagnostics, safer inference setup and provider switching,
better credential handling, stronger policy boundaries, and more robust
runtime repair behavior.
* Updated network policy guidance to clarify when `allowed_ips` can be
used, including a specific exception for the sandbox-to-host bridge
endpoint.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants