Skip to content

fix(status): probe inference.local route for cloud providers in status/doctor#6203

Closed
harjothkhara wants to merge 128 commits into
NVIDIA:mainfrom
harjothkhara:fix/6192-status-doctor-probe-inference-local
Closed

fix(status): probe inference.local route for cloud providers in status/doctor#6203
harjothkhara wants to merge 128 commits into
NVIDIA:mainfrom
harjothkhara:fix/6192-status-doctor-probe-inference-local

Conversation

@harjothkhara

@harjothkhara harjothkhara commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

nemoclaw <sbx> status and doctor reported inference healthy for cloud/managed providers by probing only the upstream provider endpoint, never the inference.local route the agent actually uses. When inference.local was broken inside the sandbox they still reported "healthy" (exit 0), contradicting nemoclaw <sbx> connect (which probes the real route). This widens the existing inference.local gateway-chain probe — added for local providers in #3265 — to run for all providers.

Related Issue

Refs #6192

Changes

  • doctor.ts: drop the local-only gate in collectInferenceSubprobes (and the now-unused file-local isLocalInferenceProvider helper / provider param) so the inference.local gateway chain is probed for every provider. A broken route surfaces as [fail] Provider health (gateway) and flips doctor to fail (exit 1).
  • status-snapshot.ts: drop the ollama-local/vllm-local clause on the snapshot gateway probe so status surfaces the same broken route.
  • doctor-flow.test.ts: parameterized the harness (provider, gatewayChainOk; defaults preserve existing tests); added cloud-provider red→green regression coverage.

Type of Change

  • Code change (feature, bug fix, or refactor)

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Git hooks passed during commit and push
  • Targeted tests pass (doctor, status-flow, status, process-recovery, connect-flow — 162 tests)
  • Tests added for changed behavior (2 new #6192 cases; verified they fail on main)
  • npm run typecheck:cli and biome pass
  • No secrets, API keys, or credentials committed

Real behavior proof

  • Behavior addressed: status/doctor reported inference "healthy" for cloud providers off the upstream probe while the real inference.local route was broken (false all-clear, exit 0).
  • Real environment tested: the actual runSandboxDoctor production path; only the two external boundaries stubbed — upstream probeProviderHealth (reachable) and the in-sandbox inference.local curl probeSandboxInferenceGatewayHealth (broken). No live GPU sandbox required.
  • Exact steps or command run after this patch: drive runSandboxDoctor("alpha", …) for provider=nvidia-prod, upstream healthy, inference.local returning HTTP 000.
  • Evidence after fix:
    [ok]   Provider health: https://integrate.api.nvidia.com/v1/models reachable   <- upstream (negative control)
    [fail] Provider health (gateway): Inference gateway unreachable on https://inference.local/v1/models from inside the sandbox.
    Summary: attention needed (1 failed, 0 warning(s))
    exit 1
    
    Same scenario on main: no gateway line emitted, Summary: healthy, exit 0.
  • Observed result after fix: status/doctor now agree with connect — a broken in-sandbox route reports broken. Regression is locked by two doctor-flow tests that fail on main and pass with the fix.
  • What was not tested: the human render was captured for doctor; status shares the identical collectSandboxStatusSnapshot seam and the same subprobe path, covered by existing status-flow tests. The status --json exit code keys off failureLayer (not inferenceHealth.ok) — left unchanged and noted as a follow-up. No live cloud sandbox / real openshell sandbox exec roundtrip.

Signed-off-by: harjoth harjoth.khara@gmail.com

🤖 Generated with Claude Code

@copy-pr-bot

copy-pr-bot Bot commented Jul 2, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Too many files!

This PR contains 1383 files, which is 1083 over the limit of 300.

To get a review, narrow the scope:
• coderabbit review --type committed # exclude uncommitted changes
• coderabbit review --dir # limit to a subdirectory
• coderabbit review --base # compare against a closer base

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0b940840-7401-4805-be73-d6b10c1eadae

📥 Commits

Reviewing files that changed from the base of the PR and between 6a45c01 and 30bd2c8.

⛔ Files ignored due to path filters (4)
  • agents/langchain-deepagents-code/requirements.lock is excluded by !**/*.lock
  • agents/openclaw/mcporter-runtime/package-lock.json is excluded by !**/package-lock.json
  • nemoclaw/package-lock.json is excluded by !**/package-lock.json
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1383)
  • .agents/skills/nemoclaw-contributor-create-pr/SKILL.md
  • .agents/skills/nemoclaw-contributor-onboard-messaging-channel/SKILL.md
  • .agents/skills/nemoclaw-contributor-onboard/SKILL.md
  • .agents/skills/nemoclaw-contributor-onboard/agents/openai.yaml
  • .agents/skills/nemoclaw-contributor-update-docs/SKILL.md
  • .agents/skills/nemoclaw-maintainer-cut-release-tag/SKILL.md
  • .agents/skills/nemoclaw-maintainer-day/MERGE-GATE.md
  • .agents/skills/nemoclaw-maintainer-day/PR-REVIEW-PRIORITIES.md
  • .agents/skills/nemoclaw-maintainer-day/SALVAGE-PR.md
  • .agents/skills/nemoclaw-maintainer-day/SKILL.md
  • .agents/skills/nemoclaw-maintainer-day/TEST-GAPS.md
  • .agents/skills/nemoclaw-maintainer-day/scripts/check-gates.ts
  • .agents/skills/nemoclaw-maintainer-evening/SKILL.md
  • .agents/skills/nemoclaw-maintainer-policies/references/daily-flow.md
  • .agents/skills/nemoclaw-maintainer-policies/references/label-taxonomy.json
  • .agents/skills/nemoclaw-maintainer-policies/references/label-taxonomy.md
  • .agents/skills/nemoclaw-maintainer-policies/references/project-workflow.md
  • .agents/skills/nemoclaw-maintainer-policies/references/release-train.md
  • .agents/skills/nemoclaw-skills-guide/SKILL.md
  • .editorconfig
  • .github/PULL_REQUEST_TEMPLATE.md
  • .github/actions/ci-installer-hash-check/action.yaml
  • .github/actions/ci-plugin-coverage/action.yaml
  • .github/actions/ci-static-checks/action.yaml
  • .github/actions/resolve-hermes-base-image/action.yaml
  • .github/workflows/base-image.yaml
  • .github/workflows/brev-nightly-e2e.yaml
  • .github/workflows/cloudflared-update-check.yaml
  • .github/workflows/e2e-branch-validation.yaml
  • .github/workflows/e2e.yaml
  • .github/workflows/installer-hash-check.yaml
  • .github/workflows/label-merged-pr-release-target.yaml
  • .github/workflows/macos-e2e.yaml
  • .github/workflows/main.yaml
  • .github/workflows/pr-self-hosted.yaml
  • .github/workflows/regression-e2e.yaml
  • .github/workflows/sandbox-images-and-e2e.yaml
  • .pre-commit-config.yaml
  • AGENTS.md
  • CONTRIBUTING.md
  • Dockerfile
  • Dockerfile.base
  • Makefile
  • README.md
  • SECURITY.md
  • agents/hermes/Dockerfile
  • agents/hermes/Dockerfile.base
  • agents/hermes/build-mcp-digest.py
  • agents/hermes/config/build-env.ts
  • agents/hermes/config/generate.ts
  • agents/hermes/config/hermes-config.ts
  • agents/hermes/config/hermes-env.ts
  • agents/hermes/config/managed-tool-gateway.ts
  • agents/hermes/generate-config.ts
  • agents/hermes/hermes-wrapper.py
  • agents/hermes/manifest.yaml
  • agents/hermes/mcp-config-transaction.py
  • agents/hermes/patch-session-list-preview.py
  • agents/hermes/policy-additions.yaml
  • agents/hermes/policy-permissive.yaml
  • agents/hermes/runtime-config-guard.py
  • agents/hermes/seed-dashboard-config.py
  • agents/hermes/start.sh
  • agents/langchain-deepagents-code/Dockerfile
  • agents/langchain-deepagents-code/dcode-launcher.sh
  • agents/langchain-deepagents-code/dcode-wrapper.sh
  • agents/langchain-deepagents-code/dependency-review.md
  • agents/langchain-deepagents-code/generate-config.ts
  • agents/langchain-deepagents-code/managed-dcode-runtime.py
  • agents/langchain-deepagents-code/manifest.yaml
  • agents/langchain-deepagents-code/patch-managed-deepagents-code.py
  • agents/langchain-deepagents-code/progressive_tool_disclosure.py
  • agents/langchain-deepagents-code/requirements.in
  • agents/langchain-deepagents-code/start.sh
  • agents/langchain-deepagents-code/validate-progressive-tool-disclosure.py
  • agents/openclaw/dependency-review.md
  • agents/openclaw/manifest.yaml
  • agents/openclaw/mcporter-runtime/package.json
  • agents/openclaw/policy-permissive.yaml
  • ci/coverage-threshold-cli.json
  • ci/env-var-doc-allowlist.json
  • ci/onboard-performance-budget.json
  • ci/platform-matrix.json
  • ci/reviewed-npm-lifecycle-allowlist.json
  • ci/test-file-size-budget.json
  • docs/AGENTS.md
  • docs/CONTRIBUTING.md
  • docs/_components/StarterPrompt.tsx
  • docs/_components/StarterPromptButton.tsx
  • docs/about/release-notes.mdx
  • docs/deployment/deploy-to-remote-gpu.mdx
  • docs/deployment/install-openclaw-plugins.mdx
  • docs/deployment/set-up-mcp-bridge.mdx
  • docs/get-started/prerequisites.mdx
  • docs/get-started/quickstart-hermes.mdx
  • docs/get-started/quickstart-langchain-deepagents-code.mdx
  • docs/get-started/quickstart.mdx
  • docs/get-started/windows-preparation.mdx
  • docs/index.mdx
  • docs/index.yml
  • docs/inference/inference-options.mdx
  • docs/inference/model-capability-audit.mdx
  • docs/inference/switch-inference-providers.mdx
  • docs/inference/tool-calling-reliability.mdx
  • docs/inference/use-local-inference.mdx
  • docs/manage-sandboxes/install-plugins-hermes.mdx
  • docs/manage-sandboxes/lifecycle.mdx
  • docs/manage-sandboxes/messaging-channels.mdx
  • docs/manage-sandboxes/runtime-controls.mdx
  • docs/monitoring/monitor-sandbox-activity.mdx
  • docs/network-policy/customize-network-policy.mdx
  • docs/network-policy/integration-policy-examples.mdx
  • docs/reference/cli-selection-guide.mdx
  • docs/reference/commands-nemohermes.mdx
  • docs/reference/commands.mdx
  • docs/reference/host-files-and-state.mdx
  • docs/reference/network-policies.mdx
  • docs/reference/platform-support.mdx
  • docs/reference/troubleshooting.mdx
  • docs/resources/agent-skills.mdx
  • docs/security/best-practices.mdx
  • docs/security/credential-storage.mdx
  • docs/security/openclaw-2026.6.10-dependency-review.md
  • docs/security/openshell-0.0.71-gateway-auth-review.mdx
  • docs/security/openshell-0.0.72-compatibility-review.mdx
  • fern/AGENTS.md
  • install.sh
  • nemoclaw-blueprint/blueprint.yaml
  • nemoclaw-blueprint/model-specific-setup/openclaw/nemotron-3-super-120b-managed-inference.json
  • nemoclaw-blueprint/model-specific-setup/openclaw/nemotron-3-ultra-managed-inference.json
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/presets/tavily.yaml
  • nemoclaw-blueprint/policies/presets/weather.yaml
  • nemoclaw-blueprint/provider-profiles/tavily-hermes-v1.yaml
  • nemoclaw-blueprint/provider-profiles/tavily.yaml
  • nemoclaw/package.json
  • nemoclaw/src/blueprint/runner-openshell-072-policy.test.ts
  • nemoclaw/src/blueprint/runner.test.ts
  • nemoclaw/src/blueprint/runner.ts
  • nemoclaw/src/lib/subprocess-env.ts
  • nemoclaw/src/package-metadata.test.ts
  • nemoclaw/src/shared/openshell-policy-boundary.cts
  • nemoclaw/src/shared/openshell-policy-boundary.test.ts
  • nemoclaw/tsconfig.shared.json
  • nemoclaw/vitest.config.ts
  • package.json
  • schemas/onboard-config.schema.json
  • schemas/policy-preset.schema.json
  • schemas/sandbox-policy.schema.json
  • scripts/bench/README.md
  • scripts/bench/lib.ts
  • scripts/bench/run.ts
  • scripts/bench/trace-ingest.ts
  • scripts/brev-launchable-ci-cpu.sh
  • scripts/check-docs-published-routes.ts
  • scripts/check-installer-hash.sh
  • scripts/check-production-build-args.sh
  • scripts/checks/check-cloudflared-update.sh
  • scripts/checks/extract-installer-pins.mts
  • scripts/checks/layer-import-boundaries.ts
  • scripts/checks/no-coverage-ignore.ts
  • scripts/checks/no-unit-blocks-in-live-e2e.ts
  • scripts/checks/openshell-policy-mutation-read.ts
  • scripts/checks/run.ts
  • scripts/checks/test-create-require-budget.ts
  • scripts/checks/verify-openshell-policy-boundary-dependencies.mts
  • scripts/dev-setup.sh
  • scripts/e2e/sanitize-trace-timing.py
  • scripts/fern-preview-config.ts
  • scripts/find-source-shape-tests.ts
  • scripts/gateway-control.sh
  • scripts/generate-openclaw-config.mts
  • scripts/install-openshell.sh
  • scripts/install.sh
  • scripts/lib/gateway-supervisor.sh
  • scripts/lib/openclaw_device_approval_policy.py
  • scripts/nemoclaw-start.sh
  • scripts/patch-openclaw-chat-send.js
  • scripts/patch-openclaw-device-self-approval.ts
  • scripts/patch-openclaw-issue-4434-diagnostics.ts
  • scripts/scorecard/analyze-trace-timing.ts
  • scripts/state-dir-guard.py
  • scripts/update-hermes-agent.sh
  • scripts/validate-configs.ts
  • scripts/validate-openclaw-tool-search.mts
  • scripts/watch-fern-preview.ts
  • src/commands/credentials/reset.ts
  • src/commands/inference/set.ts
  • src/commands/sandbox/exec.test.ts
  • src/commands/sandbox/exec.ts
  • src/commands/sandbox/inference/get.ts
  • src/commands/sandbox/inference/oclif-command-adapters.test.ts
  • src/commands/sandbox/inference/set.ts
  • src/commands/sandbox/mcp.ts
  • src/commands/sandbox/oclif-command-adapters.test.ts
  • src/commands/sandbox/rebuild.ts
  • src/commands/sandbox/sessions.ts
  • src/commands/sandbox/sessions/list.ts
  • src/commands/sandbox/shields/down.ts
  • src/commands/sandbox/shields/status.ts
  • src/commands/sandbox/shields/up.ts
  • src/commands/sandbox/status.ts
  • src/commands/simple-global-oclif-adapters.test.ts
  • src/commands/stop.ts
  • src/commands/update.ts
  • src/lib/actions/credentials-add.ts
  • src/lib/actions/gateway-drift-preflight.test.ts
  • src/lib/actions/global.test.ts
  • src/lib/actions/global.ts
  • src/lib/actions/inference-route-api.test.ts
  • src/lib/actions/inference-route-api.ts
  • src/lib/actions/inference-set-compatible-provider.test.ts
  • src/lib/actions/inference-set-degraded-state.test.ts
  • src/lib/actions/inference-set-gateway-restart.ts
  • src/lib/actions/inference-set-hermes-run.test.ts
  • src/lib/actions/inference-set-openclaw-gateway-restart.test.ts
  • src/lib/actions/inference-set-openclaw-run.test.ts
  • src/lib/actions/inference-set-patch-openclaw.test.ts
  • src/lib/actions/inference-set-reply-budget.ts
  • src/lib/actions/inference-set.test-support.ts
  • src/lib/actions/inference-set.ts
  • src/lib/actions/maintenance.test.ts
  • src/lib/actions/maintenance.ts
  • src/lib/actions/onboard.ts
  • src/lib/actions/sandbox/agent/passthrough-json.test.ts
  • src/lib/actions/sandbox/agent/passthrough-json.ts
  • src/lib/actions/sandbox/auto-pair-approval.test.ts
  • src/lib/actions/sandbox/auto-pair-approval.ts
  • src/lib/actions/sandbox/channel-status-config-core.test.ts
  • src/lib/actions/sandbox/channel-status-config.ts
  • src/lib/actions/sandbox/channel-status-telegram-policy.test.ts
  • src/lib/actions/sandbox/connect-autopair-budget.ts
  • src/lib/actions/sandbox/connect-boundary-refusal.ts
  • src/lib/actions/sandbox/connect-flow-hermes-boundary.test.ts
  • src/lib/actions/sandbox/connect-flow.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.test.ts
  • src/lib/actions/sandbox/connect-inference-route-probe.ts
  • src/lib/actions/sandbox/connect-route-lifecycle.test.ts
  • src/lib/actions/sandbox/connect-route-repair.test.ts
  • src/lib/actions/sandbox/connect.ts
  • src/lib/actions/sandbox/destroy-confirmation.ts
  • src/lib/actions/sandbox/destroy-execution.ts
  • src/lib/actions/sandbox/destroy-flow.test.ts
  • src/lib/actions/sandbox/destroy-preflight.ts
  • src/lib/actions/sandbox/destroy-presence.ts
  • src/lib/actions/sandbox/destroy.ts
  • src/lib/actions/sandbox/doctor-flow.test.ts
  • src/lib/actions/sandbox/doctor.ts
  • src/lib/actions/sandbox/exec-openclaw-permission-cleanup.test.ts
  • src/lib/actions/sandbox/exec-policy-hint-detection.test.ts
  • src/lib/actions/sandbox/exec-policy-hint-detection.ts
  • src/lib/actions/sandbox/exec-policy-hint-emission.ts
  • src/lib/actions/sandbox/exec-policy-hint-integration.ts
  • src/lib/actions/sandbox/exec-policy-hint-probe-decision.test.ts
  • src/lib/actions/sandbox/exec-policy-hint-rendering.test.ts
  • src/lib/actions/sandbox/exec-policy-hint-rendering.ts
  • src/lib/actions/sandbox/exec-policy-hint-runtime.test.ts
  • src/lib/actions/sandbox/exec-policy-hint.test.ts
  • src/lib/actions/sandbox/exec-policy-hint.ts
  • src/lib/actions/sandbox/exec-stdio.test.ts
  • src/lib/actions/sandbox/exec-stdio.ts
  • src/lib/actions/sandbox/exec.multiline-guard.test.ts
  • src/lib/actions/sandbox/exec.test.ts
  • src/lib/actions/sandbox/exec.ts
  • src/lib/actions/sandbox/forward-recovery.ts
  • src/lib/actions/sandbox/gateway-restart-hermes-drift.test.ts
  • src/lib/actions/sandbox/gateway-restart-mcp.test.ts
  • src/lib/actions/sandbox/gateway-restart.test.ts
  • src/lib/actions/sandbox/gateway-restart.ts
  • src/lib/actions/sandbox/gateway-state-drift.test.ts
  • src/lib/actions/sandbox/gateway-state-hints.test.ts
  • src/lib/actions/sandbox/gateway-state.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-capability.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-command.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-inspection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy-teardown.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-legacy.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-projection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-registration.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-registration.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-rollback.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-runtime-guards.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-teardown.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents-v2-removal.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-deepagents.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-hermes.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-hermes.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-inspection.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-inspection.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-openclaw.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-openclaw.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-registration.test.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-status.ts
  • src/lib/actions/sandbox/mcp-bridge-adapter-teardown.ts
  • src/lib/actions/sandbox/mcp-bridge-adapters.ts
  • src/lib/actions/sandbox/mcp-bridge-add-restart.ts
  • src/lib/actions/sandbox/mcp-bridge-contracts.ts
  • src/lib/actions/sandbox/mcp-bridge-destroy-preflight.ts
  • src/lib/actions/sandbox/mcp-bridge-destroy.ts
  • src/lib/actions/sandbox/mcp-bridge-hermes-reconciliation.test.ts
  • src/lib/actions/sandbox/mcp-bridge-hermes-reconciliation.ts
  • src/lib/actions/sandbox/mcp-bridge-input-runtime.test.ts
  • src/lib/actions/sandbox/mcp-bridge-input-targets.test.ts
  • src/lib/actions/sandbox/mcp-bridge-input-validation.test.ts
  • src/lib/actions/sandbox/mcp-bridge-output.test.ts
  • src/lib/actions/sandbox/mcp-bridge-output.ts
  • src/lib/actions/sandbox/mcp-bridge-policy-render.ts
  • src/lib/actions/sandbox/mcp-bridge-policy.test.ts
  • src/lib/actions/sandbox/mcp-bridge-policy.ts
  • src/lib/actions/sandbox/mcp-bridge-provider-attachments.ts
  • src/lib/actions/sandbox/mcp-bridge-provider-inspection.ts
  • src/lib/actions/sandbox/mcp-bridge-provider-mutation.ts
  • src/lib/actions/sandbox/mcp-bridge-provider-readiness.ts
  • src/lib/actions/sandbox/mcp-bridge-provider.test.ts
  • src/lib/actions/sandbox/mcp-bridge-provider.ts
  • src/lib/actions/sandbox/mcp-bridge-rebuild.ts
  • src/lib/actions/sandbox/mcp-bridge-recovery.test.ts
  • src/lib/actions/sandbox/mcp-bridge-recovery.ts
  • src/lib/actions/sandbox/mcp-bridge-remove.ts
  • src/lib/actions/sandbox/mcp-bridge-render.ts
  • src/lib/actions/sandbox/mcp-bridge-restart.ts
  • src/lib/actions/sandbox/mcp-bridge-runtime-capabilities.ts
  • src/lib/actions/sandbox/mcp-bridge-state.ts
  • src/lib/actions/sandbox/mcp-bridge-status-boundaries.test.ts
  • src/lib/actions/sandbox/mcp-bridge-status-removal.test.ts
  • src/lib/actions/sandbox/mcp-bridge-status-state.test.ts
  • src/lib/actions/sandbox/mcp-bridge-status.ts
  • src/lib/actions/sandbox/mcp-bridge-url-validation.ts
  • src/lib/actions/sandbox/mcp-bridge-validation.ts
  • src/lib/actions/sandbox/mcp-bridge.ts
  • src/lib/actions/sandbox/openshell-child-visible-credentials.v0.0.72.json
  • src/lib/actions/sandbox/policy-add-agent-gate.test.ts
  • src/lib/actions/sandbox/policy-channel-agent-gate.test.ts
  • src/lib/actions/sandbox/policy-channel-cleanup.test.ts
  • src/lib/actions/sandbox/policy-channel-conflict.test.ts
  • src/lib/actions/sandbox/policy-channel-dependencies.ts
  • src/lib/actions/sandbox/policy-channel-list.test.ts
  • src/lib/actions/sandbox/policy-channel-lock.test.ts
  • src/lib/actions/sandbox/policy-channel-policy.test.ts
  • src/lib/actions/sandbox/policy-channel-refresh.test.ts
  • src/lib/actions/sandbox/policy-channel-remove-flow.test.ts
  • src/lib/actions/sandbox/policy-channel.ts
  • src/lib/actions/sandbox/policy-list-render.test.ts
  • src/lib/actions/sandbox/process-recovery.test.ts
  • src/lib/actions/sandbox/process-recovery.ts
  • src/lib/actions/sandbox/rebuild-agent-base-image-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-backup-phase.test.ts
  • src/lib/actions/sandbox/rebuild-backup-phase.ts
  • src/lib/actions/sandbox/rebuild-base-image-resolution-flow.test.ts
  • src/lib/actions/sandbox/rebuild-config-hash-command.ts
  • src/lib/actions/sandbox/rebuild-config-hash.test.ts
  • src/lib/actions/sandbox/rebuild-config-hash.ts
  • src/lib/actions/sandbox/rebuild-credential-preflight.ts
  • src/lib/actions/sandbox/rebuild-custom-image-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-custom-image-preflight.ts
  • src/lib/actions/sandbox/rebuild-dcode-artifact-drift.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-mutation-edge.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-orchestrator.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-orchestrator.ts
  • src/lib/actions/sandbox/rebuild-dcode-pre-delete-drift.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-preflight.ts
  • src/lib/actions/sandbox/rebuild-dcode-recovered-provider.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-recovery.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-target.test.ts
  • src/lib/actions/sandbox/rebuild-dcode-target.ts
  • src/lib/actions/sandbox/rebuild-destroy-phase.test.ts
  • src/lib/actions/sandbox/rebuild-destroy-phase.ts
  • src/lib/actions/sandbox/rebuild-durable-config.test.ts
  • src/lib/actions/sandbox/rebuild-durable-config.ts
  • src/lib/actions/sandbox/rebuild-env-isolation.test.ts
  • src/lib/actions/sandbox/rebuild-env-isolation.ts
  • src/lib/actions/sandbox/rebuild-finalization.test.ts
  • src/lib/actions/sandbox/rebuild-finalization.ts
  • src/lib/actions/sandbox/rebuild-flow-helpers.test.ts
  • src/lib/actions/sandbox/rebuild-flow-helpers.ts
  • src/lib/actions/sandbox/rebuild-flow-test-fixtures.ts
  • src/lib/actions/sandbox/rebuild-flow.test.ts
  • src/lib/actions/sandbox/rebuild-gateway-drift.test.ts
  • src/lib/actions/sandbox/rebuild-gpu-opt-out.test.ts
  • src/lib/actions/sandbox/rebuild-gpu-opt-out.ts
  • src/lib/actions/sandbox/rebuild-inference-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-inference-preflight.ts
  • src/lib/actions/sandbox/rebuild-local-provider-recreate.test.ts
  • src/lib/actions/sandbox/rebuild-managed-image-configuration.test.ts
  • src/lib/actions/sandbox/rebuild-managed-image-preflight.ts
  • src/lib/actions/sandbox/rebuild-managed-image-preparation.test.ts
  • src/lib/actions/sandbox/rebuild-managed-image-verification.test.ts
  • src/lib/actions/sandbox/rebuild-mcp-order.test.ts
  • src/lib/actions/sandbox/rebuild-mcp-order.ts
  • src/lib/actions/sandbox/rebuild-mcp-phase.ts
  • src/lib/actions/sandbox/rebuild-messaging-conflict-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-messaging-conflict-preflight.ts
  • src/lib/actions/sandbox/rebuild-messaging-phase.ts
  • src/lib/actions/sandbox/rebuild-messaging-stage.test.ts
  • src/lib/actions/sandbox/rebuild-messaging-stage.ts
  • src/lib/actions/sandbox/rebuild-onboard-dependencies.ts
  • src/lib/actions/sandbox/rebuild-pipeline.ts
  • src/lib/actions/sandbox/rebuild-post-restore-phase.ts
  • src/lib/actions/sandbox/rebuild-preflight-confirmation.test.ts
  • src/lib/actions/sandbox/rebuild-preflight-confirmation.ts
  • src/lib/actions/sandbox/rebuild-preflight-error.ts
  • src/lib/actions/sandbox/rebuild-preflight-guards.ts
  • src/lib/actions/sandbox/rebuild-preflight-phase.ts
  • src/lib/actions/sandbox/rebuild-preflight-target-phase.ts
  • src/lib/actions/sandbox/rebuild-prepared-image-context.ts
  • src/lib/actions/sandbox/rebuild-prepared-recovery.test.ts
  • src/lib/actions/sandbox/rebuild-prepared-recovery.ts
  • src/lib/actions/sandbox/rebuild-provider-preflight.test.ts
  • src/lib/actions/sandbox/rebuild-provider-preflight.ts
  • src/lib/actions/sandbox/rebuild-recreate-phase.ts
  • src/lib/actions/sandbox/rebuild-registry-rollback.test.ts
  • src/lib/actions/sandbox/rebuild-registry-rollback.ts
  • src/lib/actions/sandbox/rebuild-restore-phase.test.ts
  • src/lib/actions/sandbox/rebuild-restore-phase.ts
  • src/lib/actions/sandbox/rebuild-resume-config.test.ts
  • src/lib/actions/sandbox/rebuild-resume-config.ts
  • src/lib/actions/sandbox/rebuild-resume-preflight.ts
  • src/lib/actions/sandbox/rebuild-resume-reasoning.test.ts
  • src/lib/actions/sandbox/rebuild-resume-session.test.ts
  • src/lib/actions/sandbox/rebuild-resume-session.ts
  • src/lib/actions/sandbox/rebuild-resume-snapshot.test.ts
  • src/lib/actions/sandbox/rebuild-shields-finally.test.ts
  • src/lib/actions/sandbox/rebuild-shields-phase.ts
  • src/lib/actions/sandbox/rebuild-target-config.ts
  • src/lib/actions/sandbox/rebuild-target-preflight.ts
  • src/lib/actions/sandbox/rebuild-target-runtime.ts
  • src/lib/actions/sandbox/rebuild-target-staging.test.ts
  • src/lib/actions/sandbox/rebuild-target-staging.ts
  • src/lib/actions/sandbox/rebuild-usage-notice.test.ts
  • src/lib/actions/sandbox/rebuild-usage-notice.ts
  • src/lib/actions/sandbox/rebuild.ts
  • src/lib/actions/sandbox/runtime-env.test.ts
  • src/lib/actions/sandbox/runtime-env.ts
  • src/lib/actions/sandbox/sandbox-exec-output.test.ts
  • src/lib/actions/sandbox/sandbox-exec-output.ts
  • src/lib/actions/sandbox/sessions/passthrough.test.ts
  • src/lib/actions/sandbox/sessions/passthrough.ts
  • src/lib/actions/sandbox/skill-install.test.ts
  • src/lib/actions/sandbox/snapshot.test.ts
  • src/lib/actions/sandbox/snapshot.ts
  • src/lib/actions/sandbox/status-flow.test.ts
  • src/lib/actions/sandbox/status-snapshot.ts
  • src/lib/actions/sandbox/status-text.ts
  • src/lib/actions/sandbox/status.test.ts
  • src/lib/actions/sandbox/terminal-connect-probe.test.ts
  • src/lib/actions/sandbox/terminal-connect-probe.ts
  • src/lib/actions/sandbox/wipe-state.ts
  • src/lib/actions/uninstall/plan.ts
  • src/lib/actions/uninstall/run-plan.test.ts
  • src/lib/actions/uninstall/run-plan.ts
  • src/lib/actions/update.test.ts
  • src/lib/actions/update.ts
  • src/lib/actions/upgrade-sandboxes-preflight.test.ts
  • src/lib/actions/upgrade-sandboxes-recovery.test.ts
  • src/lib/actions/upgrade-sandboxes.ts
  • src/lib/adapters/dns/resolve.test.ts
  • src/lib/adapters/dns/resolve.ts
  • src/lib/adapters/fs/build-context-fingerprint.test.ts
  • src/lib/adapters/fs/build-context-fingerprint.ts
  • src/lib/adapters/http/curl-args.ts
  • src/lib/adapters/http/probe.test.ts
  • src/lib/adapters/http/probe.ts
  • src/lib/adapters/openshell/client.test.ts
  • src/lib/adapters/openshell/client.ts
  • src/lib/adapters/openshell/resolve.ts
  • src/lib/adapters/openshell/runtime-capabilities.ts
  • src/lib/adapters/openshell/runtime.ts
  • src/lib/agent/base-image-hermes-resolution.test.ts
  • src/lib/agent/base-image-hermes.test.ts
  • src/lib/agent/base-image.test.ts
  • src/lib/agent/base-image.ts
  • src/lib/agent/definition-types.ts
  • src/lib/agent/defs.test.ts
  • src/lib/agent/defs.ts
  • src/lib/agent/hermes-recovery-boundary-fixtures.ts
  • src/lib/agent/manifest-readers.ts
  • src/lib/agent/onboard-terminal-fixtures.test.ts
  • src/lib/agent/onboard-terminal-fixtures.ts
  • src/lib/agent/onboard-terminal.test.ts
  • src/lib/agent/onboard.test.ts
  • src/lib/agent/onboard.ts
  • src/lib/agent/runtime.test.ts
  • src/lib/agent/terminal-version-drift.test.ts
  • src/lib/agent/terminal-version-drift.ts
  • src/lib/agent/terminal-version-enforcement.ts
  • src/lib/build-context.test.ts
  • src/lib/build-context.ts
  • src/lib/cli/argv-normalizer.test.ts
  • src/lib/cli/command-display.ts
  • src/lib/cli/command-registry.ts
  • src/lib/cli/flag-helpers.ts
  • src/lib/cli/oclif-runner.test.ts
  • src/lib/cli/oclif-runner.ts
  • src/lib/cli/public-dispatch.ts
  • src/lib/cli/public-display-defaults.ts
  • src/lib/cli/public-display-mcp.test.ts
  • src/lib/cli/public-display-mcp.ts
  • src/lib/cli/public-display-sessions.ts
  • src/lib/cli/terminal-style.test.ts
  • src/lib/cli/terminal-style.ts
  • src/lib/core/json-types.test.ts
  • src/lib/core/url-utils.test.ts
  • src/lib/core/url-utils.ts
  • src/lib/dashboard/contract.test.ts
  • src/lib/dashboard/contract.ts
  • src/lib/domain/lifecycle/options.test.ts
  • src/lib/domain/lifecycle/options.ts
  • src/lib/domain/maintenance/images.test.ts
  • src/lib/domain/sandbox/destroy.test.ts
  • src/lib/domain/sandbox/destroy.ts
  • src/lib/domain/sandbox/image-tag.ts
  • src/lib/domain/uninstall/paths.ts
  • src/lib/domain/uninstall/shims.test.ts
  • src/lib/domain/uninstall/shims.ts
  • src/lib/gateway-runtime-action.test.ts
  • src/lib/gateway-runtime-action.ts
  • src/lib/hermes-provider-auth.test.ts
  • src/lib/hermes-provider-auth.ts
  • src/lib/inference/config.test.ts
  • src/lib/inference/config.ts
  • src/lib/inference/local.test.ts
  • src/lib/inference/local.ts
  • src/lib/inference/nim-igpu-compute-constrained.test.ts
  • src/lib/inference/nim.ts
  • src/lib/inference/ollama-runtime-context.ts
  • src/lib/inference/ollama-version.ts
  • src/lib/inference/onboard-probes-curl-harness.ts
  • src/lib/inference/onboard-probes-responses-fallback.test.ts
  • src/lib/inference/probe-anthropic.test.ts
  • src/lib/inference/probe-anthropic.ts
  • src/lib/inference/selection.test.ts
  • src/lib/inference/selection.ts
  • src/lib/inference/vllm-models.test.ts
  • src/lib/inference/vllm-models.ts
  • src/lib/inference/vllm.test.ts
  • src/lib/inference/web-search.test.ts
  • src/lib/inference/web-search.ts
  • src/lib/messaging/AGENTS.md
  • src/lib/messaging/README.md
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • src/lib/messaging/channels/discord/manifest.ts
  • src/lib/messaging/channels/discord/policy/hermes.yaml
  • src/lib/messaging/channels/discord/policy/openclaw.yaml
  • src/lib/messaging/channels/index.ts
  • src/lib/messaging/channels/manifests.test.ts
  • src/lib/messaging/channels/metadata.test.ts
  • src/lib/messaging/channels/metadata.ts
  • src/lib/messaging/channels/policy.test.ts
  • src/lib/messaging/channels/policy.ts
  • src/lib/messaging/channels/slack/manifest.ts
  • src/lib/messaging/channels/slack/policy/hermes.yaml
  • src/lib/messaging/channels/slack/policy/openclaw.yaml
  • src/lib/messaging/channels/teams/manifest.ts
  • src/lib/messaging/channels/teams/policy/hermes.yaml
  • src/lib/messaging/channels/teams/policy/openclaw.yaml
  • src/lib/messaging/channels/telegram/policy/hermes.yaml
  • src/lib/messaging/channels/telegram/policy/openclaw.yaml
  • src/lib/messaging/channels/telegram/rendered-config-parser.test.ts
  • src/lib/messaging/channels/telegram/rendered-config-parser.ts
  • src/lib/messaging/channels/wechat/manifest.ts
  • src/lib/messaging/channels/wechat/policy/hermes.yaml
  • src/lib/messaging/channels/wechat/policy/openclaw.yaml
  • src/lib/messaging/channels/whatsapp/manifest.ts
  • src/lib/messaging/channels/whatsapp/policy/hermes.yaml
  • src/lib/messaging/channels/whatsapp/policy/openclaw.yaml
  • src/lib/messaging/channels/whatsapp/runtime/whatsapp-qr-compact-test-helpers.ts
  • src/lib/messaging/channels/whatsapp/runtime/whatsapp-qr-compact.test.ts
  • src/lib/messaging/channels/whatsapp/runtime/whatsapp-qr-compact.ts
  • src/lib/messaging/manifest/types.ts
  • src/lib/messaging/utils.ts
  • src/lib/onboard.ts
  • src/lib/onboard/authoritative-rebuild-target.test.ts
  • src/lib/onboard/authoritative-rebuild-target.ts
  • src/lib/onboard/base-image-resolution-flow.test.ts
  • src/lib/onboard/base-image-resolution-flow.ts
  • src/lib/onboard/base-image-resolution-metadata.test.ts
  • src/lib/onboard/base-image.ts
  • src/lib/onboard/bedrock-runtime.test.ts
  • src/lib/onboard/bedrock-runtime.ts
  • src/lib/onboard/brave-provider-profile.test.ts
  • src/lib/onboard/brave-provider-profile.ts
  • src/lib/onboard/bridge-dns-preflight.test.ts
  • src/lib/onboard/bridge-dns-preflight.ts
  • src/lib/onboard/build-context-stage.test.ts
  • src/lib/onboard/build-context-stage.ts
  • src/lib/onboard/command-support.ts
  • src/lib/onboard/command.test.ts
  • src/lib/onboard/command.ts
  • src/lib/onboard/created-sandbox-finalization.test.ts
  • src/lib/onboard/created-sandbox-finalization.ts
  • src/lib/onboard/dashboard-access.test.ts
  • src/lib/onboard/dashboard-access.ts
  • src/lib/onboard/dashboard.ts
  • src/lib/onboard/dcode-selection-drift.test.ts
  • src/lib/onboard/dcode-selection-drift.ts
  • src/lib/onboard/docker-driver-gateway-compat-container.test.ts
  • src/lib/onboard/docker-driver-gateway-compat.ts
  • src/lib/onboard/docker-driver-gateway-config-auth-contract.test.ts
  • src/lib/onboard/docker-driver-gateway-config-toml.test.ts
  • src/lib/onboard/docker-driver-gateway-config.ts
  • src/lib/onboard/docker-driver-gateway-cutover.ts
  • src/lib/onboard/docker-driver-gateway-env-deb-override.test.ts
  • src/lib/onboard/docker-driver-gateway-env.test.ts
  • src/lib/onboard/docker-driver-gateway-env.ts
  • src/lib/onboard/docker-driver-gateway-launch.test.ts
  • src/lib/onboard/docker-driver-gateway-launch.ts
  • src/lib/onboard/docker-driver-gateway-local-tls.ts
  • src/lib/onboard/docker-driver-gateway-port-listener.test.ts
  • src/lib/onboard/docker-driver-gateway-port-listener.ts
  • src/lib/onboard/docker-driver-gateway-prelaunch.test.ts
  • src/lib/onboard/docker-driver-gateway-prelaunch.ts
  • src/lib/onboard/docker-driver-gateway-runtime.test.ts
  • src/lib/onboard/docker-driver-gateway-runtime.ts
  • src/lib/onboard/docker-gpu-local-inference.ts
  • src/lib/onboard/docker-gpu-patch.test.ts
  • src/lib/onboard/docker-gpu-supervisor-reconnect.ts
  • src/lib/onboard/dockerfile-patch-security.test.ts
  • src/lib/onboard/dockerfile-patch.test.ts
  • src/lib/onboard/dockerfile-patch.ts
  • src/lib/onboard/dockerfile-tool-disclosure-contract.test.ts
  • src/lib/onboard/dockerfile-tool-disclosure-contract.ts
  • src/lib/onboard/entry-options.test.ts
  • src/lib/onboard/entry-options.ts
  • src/lib/onboard/exit-step-failure.test.ts
  • src/lib/onboard/exit-step-failure.ts
  • src/lib/onboard/extra-placeholder-keys.test.ts
  • src/lib/onboard/extra-placeholder-keys.ts
  • src/lib/onboard/fatal-runtime-preflight.ts
  • src/lib/onboard/gateway-binding.test.ts
  • src/lib/onboard/gateway-binding.ts
  • src/lib/onboard/gateway-provider-metadata.test.ts
  • src/lib/onboard/gateway-provider-metadata.ts
  • src/lib/onboard/gateway-reuse.ts
  • src/lib/onboard/gateway-sandbox-reachability-severity.test.ts
  • src/lib/onboard/gateway-sandbox-reachability.test.ts
  • src/lib/onboard/gateway-sandbox-reachability.ts
  • src/lib/onboard/gateway-start-failure.test.ts
  • src/lib/onboard/gateway-start-failure.ts
  • src/lib/onboard/hermes-auth.test.ts
  • src/lib/onboard/hermes-auth.ts
  • src/lib/onboard/host-gateway-process.test.ts
  • src/lib/onboard/host-gateway-process.ts
  • src/lib/onboard/http-proxy-preflight.test.ts
  • src/lib/onboard/http-proxy-preflight.ts
  • src/lib/onboard/inference-providers/hermes.test.ts
  • src/lib/onboard/inference-providers/hermes.ts
  • src/lib/onboard/inference-providers/ollama-local.ts
  • src/lib/onboard/inference-providers/remote-openai-surface.test.ts
  • src/lib/onboard/inference-providers/remote.ts
  • src/lib/onboard/inference-providers/routed.ts
  • src/lib/onboard/inference-providers/types.ts
  • src/lib/onboard/inference-providers/vllm-local.ts
  • src/lib/onboard/inference-route.test.ts
  • src/lib/onboard/inference-route.ts
  • src/lib/onboard/inference-selection-validation.test.ts
  • src/lib/onboard/inference-selection-validation.ts
  • src/lib/onboard/initial-policy-real-policy.test.ts
  • src/lib/onboard/initial-policy.test.ts
  • src/lib/onboard/initial-policy.ts
  • src/lib/onboard/local-inference-route.test.ts
  • src/lib/onboard/local-inference-route.ts
  • src/lib/onboard/machine/core-flow-phases.test.ts
  • src/lib/onboard/machine/core-flow-phases.ts
  • src/lib/onboard/machine/final-flow-phases.ts
  • src/lib/onboard/machine/flow-context.test.ts
  • src/lib/onboard/machine/flow-context.ts
  • src/lib/onboard/machine/handlers/policies.ts
  • src/lib/onboard/machine/handlers/provider-inference.test.ts
  • src/lib/onboard/machine/handlers/provider-inference.ts
  • src/lib/onboard/machine/handlers/sandbox-dcode-resume.ts
  • src/lib/onboard/machine/handlers/sandbox-dcode-selection.test.ts
  • src/lib/onboard/machine/handlers/sandbox-resume.test.ts
  • src/lib/onboard/machine/handlers/sandbox-resume.ts
  • src/lib/onboard/machine/handlers/sandbox-test-fixtures.ts
  • src/lib/onboard/machine/handlers/sandbox-tool-disclosure.test.ts
  • src/lib/onboard/machine/handlers/sandbox.test.ts
  • src/lib/onboard/machine/handlers/sandbox.ts
  • src/lib/onboard/machine/live-flow-slice.test.ts
  • src/lib/onboard/machine/live-flow-slice.ts
  • src/lib/onboard/machine/phase-progress.test.ts
  • src/lib/onboard/machine/phase-progress.ts
  • src/lib/onboard/machine/sequence-runner.test.ts
  • src/lib/onboard/machine/sequence-runner.ts
  • src/lib/onboard/messaging-channel-setup.test.ts
  • src/lib/onboard/messaging-channel-setup.ts
  • src/lib/onboard/messaging-policy-presets.test.ts
  • src/lib/onboard/messaging-policy-presets.ts
  • src/lib/onboard/messaging-prep.test.ts
  • src/lib/onboard/messaging-prep.ts
  • src/lib/onboard/nim-image-compat-warning.test.ts
  • src/lib/onboard/nim-image-compat-warning.ts
  • src/lib/onboard/not-ready-recreate.test.ts
  • src/lib/onboard/not-ready-recreate.ts
  • src/lib/onboard/openclaw-otel-policy-presets.test.ts
  • src/lib/onboard/openshell-feature-gate.test.ts
  • src/lib/onboard/openshell-feature-gate.ts
  • src/lib/onboard/openshell-install.test.ts
  • src/lib/onboard/openshell-install.ts
  • src/lib/onboard/openshell-pin.ts
  • src/lib/onboard/openshell-version.ts
  • src/lib/onboard/overlayfs-auto-fix.test.ts
  • src/lib/onboard/overlayfs-auto-fix.ts
  • src/lib/onboard/policy-preset-persistence.test.ts
  • src/lib/onboard/policy-presets.ts
  • src/lib/onboard/policy-resume-selection.test.ts
  • src/lib/onboard/policy-resume-selection.ts
  • src/lib/onboard/policy-selection.ts
  • src/lib/onboard/preflight-cdi.test.ts
  • src/lib/onboard/preflight-gateway-cleanup-decision.test.ts
  • src/lib/onboard/preflight-gateway-cleanup-decision.ts
  • src/lib/onboard/preflight-messages.test.ts
  • src/lib/onboard/preflight-messages.ts
  • src/lib/onboard/preflight-runtime-resources.test.ts
  • src/lib/onboard/preflight.ts
  • src/lib/onboard/prepared-dcode-rebuild.test.ts
  • src/lib/onboard/prepared-dcode-rebuild.ts
  • src/lib/onboard/probe-diagnostics.test.ts
  • src/lib/onboard/probe-diagnostics.ts
  • src/lib/onboard/provider-host-state.ts
  • src/lib/onboard/provider-recovery.test.ts
  • src/lib/onboard/provider-recovery.ts
  • src/lib/onboard/providers.test.ts
  • src/lib/onboard/providers.ts
  • src/lib/onboard/rebuild-route-handoff.test.ts
  • src/lib/onboard/rebuild-route-handoff.ts
  • src/lib/onboard/recovered-provider-reuse.test.ts
  • src/lib/onboard/recovered-provider-reuse.ts
  • src/lib/onboard/resume-config.test.ts
  • src/lib/onboard/resume-config.ts
  • src/lib/onboard/resume-hint.test.ts
  • src/lib/onboard/resume-hint.ts
  • src/lib/onboard/resume-provider-shim.ts
  • src/lib/onboard/sandbox-backup-on-recreate.test.ts
  • src/lib/onboard/sandbox-backup-on-recreate.ts
  • src/lib/onboard/sandbox-create-failure.ts
  • src/lib/onboard/sandbox-create-intent-types.ts
  • src/lib/onboard/sandbox-create-launch.test.ts
  • src/lib/onboard/sandbox-create-launch.ts
  • src/lib/onboard/sandbox-create-plan.test.ts
  • src/lib/onboard/sandbox-create-plan.ts
  • src/lib/onboard/sandbox-dockerfile-patch-fail-closed.test.ts
  • src/lib/onboard/sandbox-dockerfile-patch-flow.test.ts
  • src/lib/onboard/sandbox-dockerfile-patch-flow.ts
  • src/lib/onboard/sandbox-gpu-preflight.ts
  • src/lib/onboard/sandbox-lifecycle.test.ts
  • src/lib/onboard/sandbox-lifecycle.ts
  • src/lib/onboard/sandbox-messaging-preflight.test.ts
  • src/lib/onboard/sandbox-messaging-preflight.ts
  • src/lib/onboard/sandbox-prebuild.test.ts
  • src/lib/onboard/sandbox-prebuild.ts
  • src/lib/onboard/sandbox-provider-cleanup.ts
  • src/lib/onboard/sandbox-readiness-tracing.test.ts
  • src/lib/onboard/sandbox-readiness-tracing.ts
  • src/lib/onboard/sandbox-registration.test.ts
  • src/lib/onboard/sandbox-registration.ts
  • src/lib/onboard/session-bootstrap.test.ts
  • src/lib/onboard/session-bootstrap.ts
  • src/lib/onboard/session-updates.ts
  • src/lib/onboard/setup-inference.ts
  • src/lib/onboard/setup-nim-flow.test.ts
  • src/lib/onboard/setup-nim-flow.ts
  • src/lib/onboard/setup-nim-selection.test.ts
  • src/lib/onboard/setup-nim-selection.ts
  • src/lib/onboard/skipped-step-message.ts
  • src/lib/onboard/summary.test.ts
  • src/lib/onboard/summary.ts
  • src/lib/onboard/tool-disclosure-flow.test.ts
  • src/lib/onboard/tool-disclosure-flow.ts
  • src/lib/onboard/tracing.ts
  • src/lib/onboard/types.ts
  • src/lib/onboard/web-search-flow.test.ts
  • src/lib/onboard/web-search-flow.ts
  • src/lib/onboard/web-search-support.test.ts
  • src/lib/onboard/web-search-support.ts
  • src/lib/onboard/web-search-verify.test.ts
  • src/lib/onboard/web-search-verify.ts
  • src/lib/onboard/windows-host-ollama.test.ts
  • src/lib/onboard/windows-host-ollama.ts
  • src/lib/openshell-sandbox-list.test.ts
  • src/lib/openshell-sandbox-list.ts
  • src/lib/policy/commands.ts
  • src/lib/policy/context.test.ts
  • src/lib/policy/context.ts
  • src/lib/policy/failure-classifier.test.ts
  • src/lib/policy/gateway-state.ts
  • src/lib/policy/index.ts
  • src/lib/policy/merge.test.ts
  • src/lib/policy/merge.ts
  • src/lib/policy/preset-ownership.ts
  • src/lib/policy/preset-parsing.ts
  • src/lib/policy/remove-preset-fail-closed.test.ts
  • src/lib/registry-recovery-action.test.ts
  • src/lib/registry-recovery-seeded-paths.test.ts
  • src/lib/runner-argv.test.ts
  • src/lib/runner.ts
  • src/lib/sandbox-base-image-platform-digest.test.ts
  • src/lib/sandbox-base-image-resolution.test.ts
  • src/lib/sandbox-base-image.test.ts
  • src/lib/sandbox-base-image.ts
  • src/lib/sandbox-base-image/image-compatibility.test.ts
  • src/lib/sandbox-base-image/image-compatibility.ts
  • src/lib/sandbox-base-image/label-codec.test.ts
  • src/lib/sandbox-base-image/label-codec.ts
  • src/lib/sandbox-base-image/resolution-key.test.ts
  • src/lib/sandbox-base-image/resolution-key.ts
  • src/lib/sandbox-base-image/resolution-metadata.test.ts
  • src/lib/sandbox-base-image/resolution-metadata.ts
  • src/lib/sandbox-base-image/resolution-validation.test.ts
  • src/lib/sandbox-base-image/source-identity.test.ts
  • src/lib/sandbox-base-image/source-identity.ts
  • src/lib/sandbox-base-image/types.ts
  • src/lib/sandbox/build-context.ts
  • src/lib/sandbox/config-get.test.ts
  • src/lib/sandbox/config.ts
  • src/lib/sandbox/privileged-exec.test.ts
  • src/lib/sandbox/privileged-exec.ts
  • src/lib/sandbox/version.ts
  • src/lib/security/credential-env.test.ts
  • src/lib/security/credential-env.ts
  • src/lib/security/mcp-url-target.ts
  • src/lib/security/redact.test.ts
  • src/lib/security/redact.ts
  • src/lib/security/secret-patterns.ts
  • src/lib/shields/audit-format.test.ts
  • src/lib/shields/flow.test.ts
  • src/lib/shields/index.test.ts
  • src/lib/shields/index.ts
  • src/lib/shields/mutable-config-perms.ts
  • src/lib/shields/openclaw-transition.test.ts
  • src/lib/shields/policy-transition.test.ts
  • src/lib/shields/timer.test.ts
  • src/lib/shields/timer.ts
  • src/lib/state/dcode-config-restore-input.test.ts
  • src/lib/state/dcode-config-restore-input.ts
  • src/lib/state/mcp-lifecycle-lock-acquisition.ts
  • src/lib/state/mcp-lifecycle-lock-identity.test.ts
  • src/lib/state/mcp-lifecycle-lock-identity.ts
  • src/lib/state/mcp-lifecycle-lock-storage.ts
  • src/lib/state/mcp-lifecycle-lock.ts
  • src/lib/state/onboard-session-cross-process-lock.test.ts
  • src/lib/state/onboard-session-tool-disclosure.test.ts
  • src/lib/state/onboard-session-tool-disclosure.ts
  • src/lib/state/onboard-session.test.ts
  • src/lib/state/onboard-session.ts
  • src/lib/state/openclaw-config-merge-tool-search.test.ts
  • src/lib/state/openclaw-config-merge.test.ts
  • src/lib/state/openclaw-config-merge.ts
  • src/lib/state/openclaw-managed-extensions.test.ts
  • src/lib/state/openclaw-managed-extensions.ts
  • src/lib/state/registry-mcp.ts
  • src/lib/state/registry-reversible-removal.test.ts
  • src/lib/state/registry-reversible-removal.ts
  • src/lib/state/registry.ts
  • src/lib/state/sandbox.ts
  • src/lib/state/ssh-transport.test.ts
  • src/lib/state/ssh-transport.ts
  • src/lib/state/state-file-restore-policy.ts
  • src/lib/status-command-deps.test.ts
  • src/lib/subprocess-env.ts
  • src/lib/tool-disclosure.test.ts
  • src/lib/tool-disclosure.ts
  • src/lib/tunnel/allowed-origins.test.ts
  • src/lib/tunnel/allowed-origins.ts
  • src/lib/tunnel/gateway-port-confirmation.test.ts
  • src/lib/tunnel/gateway-port-confirmation.ts
  • src/lib/tunnel/gateway-port-listeners.test.ts
  • src/lib/tunnel/gateway-port-listeners.ts
  • src/lib/tunnel/gateway-port-release-fail-closed.test.ts
  • src/lib/tunnel/gateway-port-release-lifecycle.test.ts
  • src/lib/tunnel/gateway-port-release-test-helpers.ts
  • src/lib/tunnel/gateway-port-release.test.ts
  • src/lib/tunnel/gateway-port-release.ts
  • src/lib/tunnel/gateway-port-resolution.ts
  • src/lib/tunnel/gateway-stop.ts
  • src/lib/tunnel/service-command.test.ts
  • src/lib/tunnel/service-command.ts
  • src/lib/tunnel/services-gateway-ownership.test.ts
  • src/lib/tunnel/services.test.ts
  • src/lib/tunnel/services.ts
  • src/lib/use-command-deps.test.ts
  • src/lib/use-command-deps.ts
  • test/bench/bench-cli.test.ts
  • test/bench/bench.test.ts
  • test/brev-launchable-ci-cpu-checksum.test.ts
  • test/brev-nightly-workflow.test.ts
  • test/brev-remote-vitest.test.ts
  • test/channels-add-deepagents-rejection.test.ts
  • test/channels-add-preset.test.ts
  • test/cli-oclif-compatibility.test.ts
  • test/cli/connect-recovery-settle.test.ts
  • test/cli/connect-recovery.test.ts
  • test/cli/connect-terminal-agent.test.ts
  • test/cli/credentials-command.test.ts
  • test/cli/destroy-detach-order.test.ts
  • test/cli/destroy-gateway-unreachable.test.ts
  • test/cli/dispatch-basics.test.ts
  • test/cli/helpers.test.ts
  • test/cli/helpers.ts
  • test/cli/list-share-live-inference.test.ts
  • test/cli/onboard-compatibility.test.ts
  • test/cli/sandbox-status-json.test.ts
  • test/cli/sandbox-status-text.test.ts
  • test/cli/status-gateway-lifecycle.test.ts
  • test/cli/status-routing.test.ts
  • test/cli/tunnel-command.test.ts
  • test/cli/unknown-sandbox-action.test.ts
  • test/cloudflared-update-check-workflow.test.ts
  • test/config-set.test.ts
  • test/credential-rotation.test.ts
  • test/credentials-reset-outcome.test.ts
  • test/dcode-sandbox-identity-integration.test.ts
  • test/dcode-start-keepalive.test.ts
  • test/dcode-wrapper-empty-prompt.test.ts
  • test/dcode-wrapper-identity.test.ts
  • test/deepagents-code-tui-startup-check.test.ts
  • test/deepagents-mcp-legacy-lifecycle.test.ts
  • test/deepagents-mcp-runtime-capability.test.ts
  • test/destroy-cleanup-sandbox-services.test.ts
  • test/destroy-wipe-sandbox-state.test.ts
  • test/dev-setup-doctor.test.ts
  • test/e2e-advisor-targets.test.ts
  • test/e2e-advisor.test.ts
  • test/e2e-release-gate-workflow.test.ts
  • test/e2e-test.sh
  • test/e2e/README.md
  • test/e2e/brev-e2e.test.ts
  • test/e2e/docs/MIGRATION.md
  • test/e2e/docs/README.md
  • test/e2e/docs/RETIREMENT.md
  • test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh
  • test/e2e/e2e-cloud-experimental/checks/07-deepagents-code-headless-inference.sh
  • test/e2e/e2e-cloud-experimental/checks/09-deepagents-code-tavily-opt-in.sh
  • test/e2e/e2e-cloud-experimental/checks/10-deepagents-code-tui-startup.sh
  • test/e2e/fixtures/artifacts.ts
  • test/e2e/fixtures/clients/command.ts
  • test/e2e/fixtures/clients/index.ts
  • test/e2e/fixtures/clients/sandbox.ts
  • test/e2e/fixtures/docker-probe.ts
  • test/e2e/fixtures/e2e-test.ts
  • test/e2e/fixtures/environment-profiles.ts
  • test/e2e/fixtures/file-state.ts
  • test/e2e/fixtures/hermes-session.ts
  • test/e2e/fixtures/http-protocol.ts
  • test/e2e/fixtures/inference-switch-retry.ts
  • test/e2e/fixtures/issue-4462-pairing-seed.ts
  • test/e2e/fixtures/mcp-bridge-credentials.ts
  • test/e2e/fixtures/onboard-performance.ts
  • test/e2e/fixtures/paths.ts
  • test/e2e/fixtures/phases/index.ts
  • test/e2e/fixtures/phases/lifecycle-dcode-invalid-credential.ts
  • test/e2e/fixtures/phases/lifecycle.ts
  • test/e2e/fixtures/phases/onboarding.ts
  • test/e2e/fixtures/redaction.ts
  • test/e2e/fixtures/shell-probe.ts
  • test/e2e/lib/discord-rest-policy-proof.sh
  • test/e2e/lib/fake-telegram-api.cjs
  • test/e2e/lib/issue-4462-fresh-agent-gateway-snapshot.py
  • test/e2e/lib/slack-api-proof.sh
  • test/e2e/lib/telegram-api-proof.sh
  • test/e2e/live/agent-turn-latency-helpers.ts
  • test/e2e/live/agent-turn-latency.test.ts
  • test/e2e/live/bedrock-runtime-compatible-anthropic.test.ts
  • test/e2e/live/brave-search-helpers.ts
  • test/e2e/live/brave-search.test.ts
  • test/e2e/live/channels-add-remove.test.ts
  • test/e2e/live/channels-stop-start-helpers.ts
  • test/e2e/live/channels-stop-start.test.ts
  • test/e2e/live/cloud-experimental-check-list.ts
  • test/e2e/live/cloud-experimental-checks.ts
  • test/e2e/live/cloud-inference-provider-skip.ts
  • test/e2e/live/cloud-inference.test.ts
  • test/e2e/live/cloud-onboard.test.ts
  • test/e2e/live/common-egress-agent-helpers.ts
  • test/e2e/live/common-egress-agent.test.ts
  • test/e2e/live/concurrent-gateway-ports.test.ts
  • test/e2e/live/credential-migration.test.ts
  • test/e2e/live/credential-sanitization.test.ts
  • test/e2e/live/cron-preflight-inference-local.test.ts
  • test/e2e/live/dashboard-remote-bind.test.ts
  • test/e2e/live/device-auth-health-helpers.ts
  • test/e2e/live/device-auth-health.test.ts
  • test/e2e/live/diagnostics.test.ts
  • test/e2e/live/dns-rebinding-hosts-fixture.ts
  • test/e2e/live/docs-validation.test.ts
  • test/e2e/live/double-onboard.test.ts
  • test/e2e/live/full-e2e.test.ts
  • test/e2e/live/gateway-guard-recovery.test.ts
  • test/e2e/live/gateway-health-honest.test.ts
  • test/e2e/live/gpu-double-onboard.test.ts
  • test/e2e/live/gpu-e2e-helpers.ts
  • test/e2e/live/gpu-e2e.test.ts
  • test/e2e/live/hermes-discord.test.ts
  • test/e2e/live/hermes-e2e.test.ts
  • test/e2e/live/hermes-gpu-startup.test.ts
  • test/e2e/live/hermes-inference-switch-helpers.ts
  • test/e2e/live/hermes-inference-switch.test.ts
  • test/e2e/live/hermes-root-entrypoint-smoke.test.ts
  • test/e2e/live/hermes-sandbox-secret-boundary.test.ts
  • test/e2e/live/hermes-shields-config.test.ts
  • test/e2e/live/hermes-slack-e2e-helpers.ts
  • test/e2e/live/hermes-slack-e2e.test.ts
  • test/e2e/live/inference-routing.test.ts
  • test/e2e/live/issue-2478-crash-loop-recovery.test.ts
  • test/e2e/live/issue-4434-tui-unreachable-inference.test.ts
  • test/e2e/live/issue-4462-admin-approval-helper.ts
  • test/e2e/live/issue-4462-scope-upgrade-approval.test.ts
  • test/e2e/live/jetson-nvmap-gpu.test.ts
  • test/e2e/live/kimi-inference-compat-helpers.ts
  • test/e2e/live/kimi-inference-compat.test.ts
  • test/e2e/live/launchable-smoke.test.ts
  • test/e2e/live/mcp-bridge-hermes-lifecycle.ts
  • test/e2e/live/mcp-bridge-sandbox.ts
  • test/e2e/live/mcp-bridge-servers.ts
  • test/e2e/live/mcp-bridge.test.ts
  • test/e2e/live/messaging-compatible-endpoint-helpers.ts
  • test/e2e/live/messaging-compatible-endpoint.test.ts
  • test/e2e/live/messaging-providers-helpers.ts
  • test/e2e/live/messaging-providers-slack-runtime-proof.ts
  • test/e2e/live/messaging-providers-telegram-runtime-proof.ts
  • test/e2e/live/messaging-providers.test.ts
  • test/e2e/live/model-router-provider-routed-inference.test.ts
  • test/e2e/live/network-policy-inference.ts
  • test/e2e/live/network-policy-transient-provider.ts
  • test/e2e/live/network-policy.test.ts
  • test/e2e/live/ollama-auth-proxy.test.ts
  • test/e2e/live/onboard-negative-paths.test.ts
  • test/e2e/live/onboard-repair.test.ts
  • test/e2e/live/onboard-resume.test.ts
  • test/e2e/live/openclaw-discord-pairing.test.ts
  • test/e2e/live/openclaw-inference-switch-helpers.ts
  • test/e2e/live/openclaw-inference-switch.test.ts
  • test/e2e/live/openclaw-plugin-runtime-exdev.test.ts
  • test/e2e/live/openclaw-skill-cli.test.ts
  • test/e2e/live/openclaw-slack-pairing.test.ts
  • test/e2e/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e/live/openshell-allowed-ips-rebinding.ts
  • test/e2e/live/openshell-gateway-auth-source-contract-helpers.ts
  • test/e2e/live/openshell-gateway-auth-source-contract.test.ts
  • test/e2e/live/openshell-gateway-upgrade-helpers.ts
  • test/e2e/live/openshell-gateway-upgrade.test.ts
  • test/e2e/live/openshell-version-pin.test.ts
  • test/e2e/live/overlayfs-autofix.test.ts
  • test/e2e/live/phase6-messaging-helpers.ts
  • test/e2e/live/policy-list-state.ts
  • test/e2e/live/public-nvidia-switch-provider.ts
  • test/e2e/live/rebuild-hermes-env.ts
  • test/e2e/live/rebuild-hermes.test.ts
  • test/e2e/live/rebuild-openclaw-old-base-context.ts
  • test/e2e/live/rebuild-openclaw.test.ts
  • test/e2e/live/registry-targets.test.ts
  • test/e2e/live/runtime-overrides.test.ts
  • test/e2e/live/sandbox-operations.test.ts
  • test/e2e/live/sandbox-rebuild.test.ts
  • test/e2e/live/sandbox-rlimits-connect.test.ts
  • test/e2e/live/sandbox-survival.test.ts
  • test/e2e/live/sessions-agents-cli.test.ts
  • test/e2e/live/shields-config.test.ts
  • test/e2e/live/skill-agent.test.ts
  • test/e2e/live/snapshot-commands.test.ts
  • test/e2e/live/snapshot-credential-scanner.ts
  • test/e2e/live/spark-install.test.ts
  • test/e2e/live/state-backup-restore.test.ts
  • test/e2e/live/telegram-injection.test.ts
  • test/e2e/live/token-rotation.test.ts
  • test/e2e/live/tunnel-lifecycle-helpers.ts
  • test/e2e/live/tunnel-lifecycle.test.ts
  • test/e2e/live/ubuntu-repo-cli-smoke.test.ts
  • test/e2e/live/upgrade-stale-sandbox-helpers.ts
  • test/e2e/live/upgrade-stale-sandbox.test.ts
  • test/e2e/live/whatsapp-qr-compact.test.ts
  • test/e2e/registry/definitions/baseline.ts
  • test/e2e/registry/runtime-support.ts
  • test/e2e/setup-mcp-test-tls.sh
  • test/e2e/support/channels-add-remove-workflow-boundary.test.ts
  • test/e2e/support/common-egress-agent-helpers.test.ts
  • test/e2e/support/device-auth-health-helpers.test.ts
  • test/e2e/support/dockerhub-auth-workflow-boundary.test.ts
  • test/e2e/support/e2e-clients.test.ts
  • test/e2e/support/e2e-command-helper-adoption.test.ts
  • test/e2e/support/e2e-docker-prerequisite.test.ts
  • test/e2e/support/e2e-environment-profiles.test.ts
  • test/e2e/support/e2e-file-state.test.ts
  • test/e2e/support/e2e-fixture-context.test.ts
  • test/e2e/support/e2e-http-protocol.test.ts
  • test/e2e/support/e2e-live-project-config.test.ts
  • test/e2e/support/e2e-live-registry-discovery.test.ts
  • test/e2e/support/e2e-live-target-gating.test.ts
  • test/e2e/support/e2e-operations-workflow-boundary.test.ts
  • test/e2e/support/e2e-paths.test.ts
  • test/e2e/support/e2e-phase-lifecycle.test.ts
  • test/e2e/support/e2e-redaction-entry.test.ts
  • test/e2e/support/e2e-scorecard.test.ts
  • test/e2e/support/e2e-target-evidence.test.ts
  • test/e2e/support/e2e-workflow-trace.test.ts
  • test/e2e/support/e2e-workflow.test.ts
  • test/e2e/support/hermes-inference-switch-command-shape.test.ts
  • test/e2e/support/hermes-secret-boundary-workflow.test.ts
  • test/e2e/support/hosted-inference.test.ts
  • test/e2e/support/inference-switch-retry.test.ts
  • test/e2e/support/inference-switch-workflow-boundary.test.ts
  • test/e2e/support/issue-4434-tui-capture.ts
  • test/e2e/support/issue-4462-fixture-boundary.test.ts
  • test/e2e/support/jetson-workflow-boundary.test.ts
  • test/e2e/support/mcp-bridge-sandbox.test.ts
  • test/e2e/support/mcp-workflow-boundary.test.ts
  • test/e2e/support/messaging-endpoint-classifiers.test.ts
  • test/e2e/support/messaging-endpoint-classifiers.ts
  • test/e2e/support/messaging-providers-runtime-proofs.test.ts
  • test/e2e/support/network-policy-inference.test.ts
  • test/e2e/support/onboard-performance.test.ts
  • test/e2e/support/openclaw-inference-switch-helpers.test.ts
  • test/e2e/support/openshell-gateway-auth-contract-workflow-boundary.test.ts
  • test/e2e/support/openshell-gateway-upgrade-workflow-boundary.test.ts
  • test/e2e/support/platform-parity-cloud-experimental.test.ts
  • test/e2e/support/policy-list-state.test.ts
  • test/e2e/support/public-nvidia-switch-provider.test.ts
  • test/e2e/support/sandbox-images-workflow-boundary.test.ts
  • test/e2e/support/sanitize-trace-timing.test.ts
  • test/e2e/support/skill-agent-classifiers.test.ts
  • test/e2e/support/skill-agent-classifiers.ts
  • test/e2e/support/snapshot-credential-scanner.test.ts
  • test/e2e/support/tunnel-lifecycle-helpers.test.ts
  • test/e2e/support/upload-e2e-artifacts-workflow-boundary.test.ts
  • test/exit-code-user-error-surfaces.test.ts
  • test/fern-preview-config.test.ts
  • test/fetch-guard-patch-regression.test.ts
  • test/fixtures/deepagents-progressive-disclosure-harness.py
  • test/fixtures/langchain-deepagents-code/app.py
  • test/fixtures/langchain-deepagents-code/mcp_tools.py
  • test/fixtures/langchain-deepagents-code/server.py
  • test/fixtures/openshell-v0.0.72
  • test/fixtures/strict-tool-call-probe-driver.ts
  • test/gateway-drift-preflight.test.ts
  • test/gateway-state-reconcile-2276.test.ts
  • test/gateway-supervisor-mcp-failure-contract.test.ts
  • test/generate-hermes-config.test.ts
  • test/generate-openclaw-config-plugin-entries.test.ts
  • test/generate-openclaw-config-web-search.test.ts
  • test/generate-openclaw-config.test.ts
  • test/generate-openclaw-tool-disclosure-config.test.ts
  • test/helpers/base-image-test-harness.ts
  • test/helpers/destroy-flow-test-assertions.ts
  • test/helpers/destroy-flow-test-harness.ts
  • test/helpers/e2e-retries.ts
  • test/helpers/e2e-workflow-contract.ts
  • test/helpers/fetch-guard-patch-harness.ts
  • test/helpers/langchain-deepagents-code-headless.ts
  • test/helpers/langchain-deepagents-code-secret-patterns.ts
  • test/helpers/mcp-bridge-adapter-deepagents-fixture.ts
  • test/helpers/mcp-lifecycle-lock-properties.ts
  • test/helpers/onboard-final-flow-phases.ts
  • test/helpers/onboard-script-mocks.cjs
  • test/helpers/openclaw-device-self-approval-patch-harness.ts
  • test/helpers/openclaw-real-device-self-approval-proof.ts
  • test/helpers/rebuild-dcode-flow-helpers.ts
  • test/helpers/rebuild-dcode-flow-support.ts
  • test/helpers/rebuild-flow-credential-preflight-cases.ts
  • test/helpers/rebuild-flow-harness.ts
  • test/helpers/rebuild-flow-lifecycle-cases.ts
  • test/helpers/rebuild-flow-recovery-cases.ts
  • test/helpers/rebuild-flow-target-credentials-cases.ts
  • test/helpers/rebuild-flow-target-image-cases.ts
  • test/helpers/rebuild-flow-target-session-cases.ts
  • test/helpers/rebuild-flow-test-harness.ts
  • test/helpers/rebuild-flow-test-support.ts
  • test/helpers/rebuild-managed-image-preflight-harness.ts
  • test/helpers/source-loader-options.ts
  • test/hermes-doctor-config-hash.test.ts
  • test/hermes-env-secret-boundary-hardening.test.ts
  • test/hermes-gateway-auxiliary-retry.test.ts
  • test/hermes-gateway-pid-cleanup-helpers.ts
  • test/hermes-gateway-pid-cleanup.test.ts
  • test/hermes-gateway-supervisor-recovery.test.ts
  • test/hermes-gateway-wrapper.test.ts
  • test/hermes-mcp-config-transaction.test.ts
  • test/hermes-mcp-credential-boundary-manifest.test.ts
  • test/hermes-mcp-force-cleanup.test.ts
  • test/hermes-mcp-integrity-state.test.ts
  • test/hermes-mcp-reload-convergence.test.ts
  • test/hermes-mcp-rollback-pending.test.ts
  • test/hermes-mcp-runtime-capability.test.ts
  • test/hermes-mcp-shields-order.test.ts
  • test/hermes-mcp-startup-probe.test.ts
  • test/hermes-nonroot-strict-hash-reconciliation.test.ts
  • test/hermes-restart-config-seal.test.ts
  • test/hermes-runtime-api-key.test.ts
  • test/hermes-runtime-config-guard.test.ts
  • test/hermes-sandbox-workflow.test.ts
  • test/hermes-share-mount-deps.test.ts
  • test/hermes-start-config-integrity.test.ts
  • test/hermes-start.test.ts
  • test/hermes-tool-gateway-broker.test.ts
  • test/image-cleanup.test.ts
  • test/install-build-dependency-preflight.test.ts
  • test/install-npm-resolution.test.ts
  • test/install-openshell-upgrade-prompt.test.ts
  • test/install-openshell-version-check.test.ts
  • test/install-preexisting-sandbox-recovery.test.ts
  • test/install-preflight.test.ts
  • test/installer-hash-check.test.ts
  • test/issue-4434-error-fields.test.ts
  • test/issue-4434-tui-unreachable-inference.test.ts
  • test/issue-4462-admin-approval-helper.test.ts
  • test/issue-5667-hosted-inference-model-namespace.test.ts
  • test/label-merged-pr-release-target-workflow.test.ts
  • test/langchain-deepagents-code-config.test.ts
  • test/langchain-deepagents-code-direct-module-patch.test.ts
  • test/langchain-deepagents-code-headless-runtime.test.ts
  • test/langchain-deepagents-code-image.test.ts
  • test/langchain-deepagents-code-managed-entrypoints.test.ts
  • test/langchain-deepagents-code-managed-mcp-hardening.test.ts
  • test/langchain-deepagents-code-progressive-tool-disclosure.test.ts
  • test/langchain-deepagents-code-proxy-launcher.test.ts
  • test/langchain-deepagents-code-proxy-runtime-contract.test.ts
  • test/langchain-deepagents-code-secret-pattern-parity.test.ts
  • test/layer-import-boundaries.test.ts
  • test/maintainer-skills-policy.test.ts
  • test/mcp-add-crash-consistency.test.ts
  • test/mcp-artifact-secret-scan.test.ts
  • test/mcp-bridge-servers.test.ts
  • test/mcp-destroy-lifecycle.test.ts
  • test/mcp-lifecycle-lock.test.ts
  • test/mcp-openshell-workflow.test.ts
  • test/mcp-policy-key-ownership.test.ts
  • test/mcp-policy-transition.test.ts
  • test/mcp-provider-ownership.test.ts
  • test/mcp-restart-policy-order.test.ts
  • test/mcp-url-target.test.ts
  • test/mcporter-supply-chain.test.ts
  • test/messaging-build-applier-inactive-channel.test.ts
  • test/messaging-build-applier-integrity.test.ts
  • test/messaging-build-applier-render-safety.test.ts
  • test/messaging-build-applier.test.ts
  • test/messaging-plan-test-helper.ts
  • test/messaging-teams-compiler.test.ts
  • test/nemoclaw-start-extra-placeholder-breadcrumb-helpers.ts
  • test/nemoclaw-start-extra-placeholder-breadcrumb.test.ts
  • test/nemoclaw-start-gateway-ws-host.test.ts
  • test/nemoclaw-start-guard-recovery.test.ts
  • test/nemoclaw-start-perms.test.ts
  • test/nemoclaw-start-reconcile.test.ts
  • test/nemoclaw-start-scope-replacement.test.ts
  • test/nemoclaw-start.test.ts
  • test/no-unit-blocks-in-live-e2e.test.ts
  • test/ollama-auth-proxy-handler-helpers.ts
  • test/ollama-auth-proxy-handler.test.ts
  • test/ollama-proxy-recovery.test.ts
  • test/onboard-anthropic-compatible-openai-agent.test.ts
  • test/onboard-brave-validation.test.ts
  • test/onboard-build-recreate-credential-reuse.test.ts
  • test/onboard-custom-dockerfile.test.ts
  • test/onboard-dashboard.test.ts
  • test/onboard-gateway-prelaunch-cutover.test.ts
  • test/onboard-inference-failure-paths.test.ts
  • test/onboard-installer-restore-intent.test.ts
  • test/onboard-messaging.test.ts
  • test/onboard-model-router.test.ts
  • test/onboard-nim-image-compat-warning.test.ts
  • test/onboard-openshell-install-stream.test.ts
  • test/onboard-openshell-version.test.ts
  • test/onboard-policy-suggestions.test.ts
  • test/onboard-prepared-build-context.test.ts
  • test/onboard-prepared-gateway-handoff.test.ts
  • test/onboard-preset-diff.test.ts
  • test/onboard-prompt-default-case.test.ts
  • test/onboard-remote-recreate-credential-reuse.test.ts
  • test/onboard-resume-provider-recovery.test.ts
  • test/onboard-sandbox-create-failure.test.ts
  • test/onboard-sandbox-name.test.ts
  • test/onboard-selection-anthropic-retry.test.ts
  • test/onboard-selection.test.ts
  • test/onboard-terminal-dashboard.test.ts
  • test/onboard.test.ts
  • test/openclaw-chat-send-patch.test.ts
  • test/openclaw-dependency-review.test.ts
  • test/openclaw-device-approval-policy.test.ts
  • test/openclaw-device-self-approval-patch.test.ts
  • test/openclaw-device-stored-auth-patch.test.ts
  • test/openclaw-integrity-pin.test.ts
  • test/openclaw-issue-4434-diagnostics-patch.test.ts
  • test/openclaw-lifecycle-policy.test.ts
  • test/openclaw-plugin-proof-paths.test.ts
  • test/openclaw-real-patched-dist-harness.test.ts
  • test/openclaw-tool-search-runtime-validator.test.ts
  • test/openshell-channel-workflow.test.ts
  • test/package-contract/cli/command-registry.test.ts
  • test/package-contract/cli/config-set-cli-dispatch.test.ts
  • test/package-contract/cli/credentials-cli-command.test.ts
  • test/package-contract/cli/policy-dispatch.test.ts
  • test/package-contract/cli/public-argv-translation.test.ts
  • test/package-contract/msteams-message-hints-preload.test.ts
  • test/package-contract/openshell-policy-boundary.test.ts
  • test/package-contract/rebuild-loader-boundary.test.ts
  • test/policies.test.ts
  • test/policy-add-deepagents-rejection.test.ts
  • test/policy-add-remove-session-sync.test.ts
  • test/policy-channel-agent-resolution.test.ts
  • test/policy-channel-yaml-contract.test.ts
  • test/policy-diagnostic-read.test.ts
  • test/policy-mutation-read-discovery.test.ts
  • test/policy-mutation-read-failure.test.ts
  • test/policy-openshell-072-roundtrip.test.ts
  • test/policy-preset-sync.test.ts
  • test/policy-roundtrip-docs.test.ts
  • test/policy-tiers-onboard.test.ts
  • test/pr-review-advisor.test.ts
  • test/pr-workflow-contract.test.ts
  • test/presets-checkbox.test.ts
  • test/process-recovery-forward-failure.test.ts
  • test/process-recovery-managed-controller.test.ts
  • test/process-recovery-primitives.test.ts
  • test/process-recovery.test.ts
  • test/rebuild-credential-preflight.test.ts
  • test/rebuild-messaging-conflict-preflight.test.ts
  • test/rebuild-shields-auto-unlock.test.ts
  • test/rebuild-stale-recovery.test.ts
  • test/recover-port-forward.test.ts
  • test/registry-default-selection-revision.test.ts
  • test/registry.test.ts
  • test/repro-2201.test.ts
  • test/repro-5324-operator-admin-approval-docs.test.ts
  • test/repro-5445-docs-published-route.test.ts
  • test/runner.test.ts
  • test/runtime-shell.test.ts
  • test/sandbox-build-context.test.ts
  • test/sandbox-connect-inference/auto-pair-approval.test.ts
  • test/sandbox-connect-inference/helpers.ts
  • test/sandbox-connect-inference/route-swap-repair.test.ts
  • test/sandbox-provider-cleanup.test.ts
  • test/sandbox-provisioning-helper-permissions.test.ts
  • test/sandbox-provisioning-tavily.test.ts
  • test/sandbox-provisioning.test.ts
  • test/sandbox-rlimit-hooks.test.ts
  • test/scorecard-trace-timing.test.ts
  • test/secret-redaction.test.ts
  • test/security-sandbox-tar-traversal.test.ts
  • test/seed-hermes-dashboard-config.test.ts
  • test/service-env.test.ts
  • test/skills-frontmatter.test.ts
  • test/skills/check-gates-compliance.test.ts
  • test/snapshot-recovery-validation.test.ts
  • test/snapshot.test.ts
  • test/starter-prompt-docs.test.ts
  • test/state-dir-guard.test.ts
  • test/strict-tool-call-probe.test.ts
  • test/support/connect-flow-test-harness.ts
  • test/support/dcode-start-script-fixture.ts
  • test/support/hermes-shell-harness.ts
  • test/support/onboard-selection-test-helpers.ts
  • test/support/openshell-gateway-config-helpers.ts
  • test/support/setup-inference-test-harness.ts
  • test/support/status-flow-test-harness.ts
  • test/sync-agent-variant-docs.test.ts
  • test/tavily-preset.test.ts
  • test/telegram-diagnostics.test.ts
  • test/test-create-require-budget.test.ts
  • test/tunnel-gateway-port-release-runtime.test.ts
  • test/update-hermes-agent-script.test.ts
  • test/update.test.ts
  • test/validate-blueprint.test.ts
  • test/validate-config-schemas.test.ts
  • test/vm-driver-privileged-exec-routing.test.ts
  • test/weather-policy.test.ts
  • test/wechat-diagnostics.test.ts
  • test/whatsapp-qr-compact.test.ts
  • tools/e2e-advisor/README.md
  • tools/e2e-advisor/analyze.mts
  • tools/e2e-advisor/targets.mts
  • tools/e2e/assert-mcp-artifact-secrets-absent.mts
  • tools/e2e/brev-remote-vitest.mts
  • tools/e2e/inference-switch-workflow-boundary.mts
  • tools/e2e/mcp-workflow-boundary.mts
  • tools/e2e/operations-workflow-boundary.mts
  • tools/e2e/prepare-e2e-workflow-boundary.mts
  • tools/e2e/sandbox-images-workflow-boundary.mts
  • tools/e2e/upload-e2e-artifacts-workflow-boundary.mts
  • tools/e2e/workflow-boundary.mts
  • tools/pr-review-advisor/analyze.mts
  • tsconfig.cli.json
  • tsconfig.runtime-preloads.json
  • vitest.config.ts

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The inference gateway-chain health probe, previously restricted to ollama-local/vllm-local providers, is now executed for any provider in both the doctor flow and status snapshot collection. Test harness and regression tests were updated to cover cloud-provider scenarios.

Changes

Gateway Chain Probing Expansion

Layer / File(s) Summary
Doctor gateway-chain sub-check
src/lib/actions/sandbox/doctor.ts
Appends an "Inference gateway chain" subprobe for any provider health probe, using probeSandboxInferenceGatewayHealth results with "unreachable" failure label when not ok.
Status snapshot gating change
src/lib/actions/sandbox/status-snapshot.ts
Gates gateway-chain probing on inferenceHealth presence and "present" gateway state instead of specific provider names.
Test harness and regression coverage
src/lib/actions/sandbox/doctor-flow.test.ts
Parameterizes createDoctorHarness with provider/gatewayChainOk overrides and adds tests validating fail/ok status for cloud providers based on gateway reachability.

Estimated code review effort: 2 (Simple) | ~15 minutes

Possibly related issues

Poem

A rabbit hops through gateway lore,
No longer just for "local" chores,
Cloud or vLLM, all get a peek,
If the chain is broken, doctor will speak! 🐰🔌
Green checks glow when all is well,
Fail turns red — the tests will tell.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/lib/actions/sandbox/doctor.ts (1)

743-763: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low value

Gateway-chain probe now runs regardless of sandbox reachability.

Unlike status-snapshot.ts, which gates the equivalent probe on lookup.state === "present", this call to probeSandboxInferenceGatewayHealth(sandboxName) runs whenever currentProvider is known, even if the sandbox itself was never confirmed reachable (sandboxReachable is false, e.g. dead/absent sandbox). The probe's contract returns null on exec failure so this won't crash, but it does add an unnecessary exec+network round trip (curl with 5s timeout) on every doctor run against a dead sandbox, and is inconsistent with the sibling implementation in the same cohort.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/actions/sandbox/doctor.ts` around lines 743 - 763, Gate the
`probeSandboxInferenceGatewayHealth` call in `doctor.ts` the same way the
sibling `status-snapshot.ts` logic does, so it only runs when the sandbox is
actually reachable/present. Use the existing `sandboxReachable`/lookup-state
check around the `gatewayChain` probe before appending to
`inferenceHealth.subprobes`, and keep the current
`probeSandboxInferenceGatewayHealth` handling unchanged otherwise.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/actions/sandbox/doctor.ts`:
- Around line 743-763: Gate the `probeSandboxInferenceGatewayHealth` call in
`doctor.ts` the same way the sibling `status-snapshot.ts` logic does, so it only
runs when the sandbox is actually reachable/present. Use the existing
`sandboxReachable`/lookup-state check around the `gatewayChain` probe before
appending to `inferenceHealth.subprobes`, and keep the current
`probeSandboxInferenceGatewayHealth` handling unchanged otherwise.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: efa50985-5236-47fc-b18b-b1203746d225

📥 Commits

Reviewing files that changed from the base of the PR and between 3a767fb and 6a45c01.

📒 Files selected for processing (3)
  • src/lib/actions/sandbox/doctor-flow.test.ts
  • src/lib/actions/sandbox/doctor.ts
  • src/lib/actions/sandbox/status-snapshot.ts

…s/doctor

`status` and `doctor` reported inference healthy for cloud/managed providers
by probing only the upstream provider endpoint, never the `inference.local`
route the agent actually uses. When `inference.local` was broken inside the
sandbox they still reported healthy (exit 0), contradicting `connect`.

Widen the inference.local gateway-chain probe (added for local providers in
NVIDIA#3265) to run for every provider. In doctor this removes the local-only gate
in collectInferenceSubprobes; in status it drops the provider clause on the
snapshot probe. A broken route now surfaces as `[fail] Provider health
(gateway)` and flips doctor to fail (exit 1).

Refs NVIDIA#6192

Signed-off-by: harjoth <harjoth.khara@gmail.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@harjothkhara harjothkhara force-pushed the fix/6192-status-doctor-probe-inference-local branch from 6a45c01 to ec8bd67 Compare July 2, 2026 17:01
@harjothkhara

Copy link
Copy Markdown
Contributor Author

Thanks for the review! On the gateway-chain reachability nitpick — the probe is already gated on reachability in collectInferenceSubprobes:

if (!sandboxReachable) return [...existing, skippedInferenceGatewayProbe()];
const gateway = await probeSandboxInferenceGatewayHealth(sandboxName);

So an unreachable/dead sandbox short-circuits to the "skipped" subprobe with no openshell exec / curl round trip — the concern about an extra network call per doctor run doesn't apply. (The referenced 743-763 range looks mismapped; the probe is at ~340–366.)

The one real difference from the status-snapshot.ts sibling is that doctor emits an explicit skippedInferenceGatewayProbe() line when unreachable while status appends nothing — but that predates this PR (it came in with the #5910 doctor refactor) and is out of scope here. This PR only removes the ollama-local/vllm-local gate so cloud providers get the same inference.local check. Happy to align the two in a follow-up if maintainers prefer.

@harjothkhara

Copy link
Copy Markdown
Contributor Author

Hi @wscurran — thanks for the reviews on my earlier PRs. This one (#6203, fixes #6192) is blocked on the copy-pr-bot vetting gate before CI can run on NVIDIA's runners. When you have a moment, could you vet it or point me to the right person?

It's a small, tested runtime fix: status/doctor were reporting inference "healthy" for cloud providers by probing only the upstream endpoint, never the inference.local route the agent actually uses (so a broken in-sandbox route gave a false all-clear, contradicting connect). Red→green regression tests included. Happy to address anything that comes up.

@apurvvkumaria

Copy link
Copy Markdown
Collaborator

Thanks—removing the local-provider gate is the right direction. Before merge, could we make the in-sandbox inference.local probe authoritative rather than appending it beneath the upstream result?

Currently, upstream healthy + inference.local 000 still leaves the status report's root health green, prints Inference: healthy, and exits 0. The route probe is also skipped for providers without a registered direct health probe, such as nvidia-router and hermes-provider.

Please:

  • Probe inference.local independently of direct provider health.
  • Use it as the primary status/doctor result; keep upstream checks as labeled diagnostics.
  • Treat HTTP 1xx–4xx as reachable, 5xx as unhealthy, and 000 or an unavailable probe as broken.
  • Exit nonzero when the authoritative route fails or cannot be probed.
  • Add status text/JSON regression coverage, plus cases for a provider without a direct probe, HTTP 503, and an unavailable probe.

@apurvvkumaria apurvvkumaria self-assigned this Jul 2, 2026
ericksoa and others added 2 commits July 2, 2026 12:43
<!-- markdownlint-disable MD041 -->
## Summary
This PR restores LangChain Deep Agents Code inference by replacing the
sandbox-create host proxy seed with OpenShell's managed runtime proxy
before dcode runs. It keeps `inference.local` on the proxy path instead
of allowing direct DNS resolution, without changing OpenShell route
provisioning or other agent runtimes.

## Related Issue
Fixes NVIDIA#6191.

## Changes
- Pin the validated `NEMOCLAW_PROXY_HOST` / `NEMOCLAW_PROXY_PORT` build
values in root-owned, read-only image files. The dcode startup and
direct-exec launcher reject missing, linked, writable, or non-root-owned
files and ignore process-level proxy-host overrides.
- Normalize uppercase and lowercase HTTP proxy variables for every dcode
entry path, set runtime bypasses to loopback plus the managed proxy host
only, and persist the same normalized values for interactive and login
shells. Inherited corporate proxy URLs, credentials, and
`inference.local` bypass entries are not retained.
- Make the dcode-only `connect --probe-only` route check use the
login-shell proxy contract and fail if route repair still reports
`inference.local` unhealthy. OpenClaw, Hermes, and unknown-agent probe
behavior is unchanged.
- Add focused coverage for inherited credential-bearing proxies, exact
`NO_PROXY` values, trusted host/port overrides, hostile runtime
overrides, file ownership/mode, validator parity, login-shell
persistence, direct dcode execution, and broken-route connect behavior.
- Require the live Deep Agents check to observe direct DNS state, verify
the trusted proxy files, force the managed proxy for
`https://inference.local/v1/models`, and return `PONG` with dcode exit 0
through both login-shell and direct-exec paths. Connection, DNS,
timeout, provider, and ambiguous failures fail the check.
- An empty `getent hosts inference.local` is intentionally valid for
dcode. Direct DNS or `/etc/hosts` provisioning is outside this fix
because OpenShell's managed L7 proxy owns the route; the sandbox-create
host proxy seed remains unchanged for host-side chaining.
- Existing Deep Agents Code sandboxes must be rebuilt after upgrading
because the corrected startup and launcher scripts are baked into the
image.
- Exact-head [`ubuntu-repo-cloud-langchain-deepagents-code`
E2E](https://github.com/NVIDIA/NemoClaw/actions/runs/28616070748) passed
at `22d42e2fa26d17bb8f64d45eb9ba853c8feb9e51`: onboarding and Ready
state, absent direct DNS, managed `/v1/models` HTTP 200, login/direct
`PONG`, `connect --probe-only`, and clean teardown all passed.
- Reporter-class macOS/Colima and DGX Spark confirmation remains
pending. A local macOS/Colima attempt stopped before sandbox creation on
provider HTTP 401 and cleaned up its isolated gateway state; any DGX
Provisioning/GPU lifecycle failure remains a separate blocker.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification: New
regression coverage was required and added.
- [ ] Tests not applicable — justification: Tests apply and were added.
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: This restores the managed
`inference.local` contract and rebuild workflow already documented in
the Deep Agents quickstart, inference options, troubleshooting, and
sandbox lifecycle pages.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: Pending maintainer
sensitive-path review; no waiver claimed.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue: No acceptance claimed.
The local repo-wide `test-cli` coverage hook hit unrelated baseline
subprocess-loader and timeout failures; targeted suites, scoped hooks,
and exact-head GitHub CI/E2E are authoritative for this change.

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a Deep Agents Code launcher that normalizes managed proxy
settings (host/port, `HTTP_PROXY`/`HTTPS_PROXY`, and `NO_PROXY`) before
running entry points.
* Introduced agent-aware inference route probing during sandbox connect.

* **Bug Fixes**
* Hardened proxy environment contract with stricter host/port validation
and consistent `NO_PROXY` behavior across uppercase/lowercase.
* Reduced risk of proxy credential leakage in outputs and generated
artifacts.

* **Tests**
* Expanded end-to-end and unit coverage to enforce the login-shell proxy
contract, probe wiring, and improved inference connection/error
classification.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
…kup (NVIDIA#6199)

<!-- markdownlint-disable MD041 -->
## Summary
Pre-upgrade `backup-all` aborted the `curl | bash` installer whenever a
running sandbox's in-sandbox SSH endpoint did not answer, with no
override, looping the upgrade forever. This classifies such a sandbox as
unreachable and adds `NEMOCLAW_SKIP_UNREACHABLE_SANDBOX_BACKUP=1` to
skip it so the upgrade proceeds and onboarding recovers it from its
latest validated backup.

## Related Issue
Fixes NVIDIA#6188

## Changes
- `src/lib/state/sandbox.ts`: add `unreachable` to `BackupResult` and
set it on an SSH transport-level dir-check failure (exit 255, timeout,
spawn error) via a new `isSshTransportFailure` predicate.
- `src/lib/actions/maintenance.ts`: an unreachable running sandbox is
skipped when `NEMOCLAW_SKIP_UNREACHABLE_SANDBOX_BACKUP=1`, otherwise it
still fails but prints actionable guidance before exit.
- `scripts/install.sh`: reword the pre-upgrade backup abort to name the
override and the recovery path.
- `docs/reference/commands.mdx`: document the flag in the `backup-all`
section.
- Tests: `maintenance.test.ts` gains skip-with-flag, fail-with-guidance,
and flag truth-table cases; new `sandbox.test.ts` covers
`isSshTransportFailure`.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* `backup-all` now detects running sandboxes with an unreachable
in-sandbox SSH endpoint and can skip them when
`NEMOCLAW_SKIP_UNREACHABLE_SANDBOX_BACKUP=1`.
* Skipped sandboxes are recovered during onboarding from the latest
validated backup; any uncommitted state since then is not preserved.
* **Bug Fixes**
* Improved failure handling and remediation when SSH
transport/unreachability occurs, including clearer guidance and
installer/upgrade retry behavior.
* **Documentation**
* Updated `nemoclaw` and `nemohermes` `backup-all` docs to state the
default abort behavior and the skip flag’s exact `=1` requirement.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
@wscurran wscurran added area: cli Command line interface, flags, terminal UX, or output area: inference Inference routing, serving, model selection, or outputs area: routing Request routing, policy routing, model selection, or fallback logic bug-fix PR fixes a bug or regression labels Jul 2, 2026
@wscurran wscurran requested review from cjagwani and cv and removed request for cjagwani July 2, 2026 22:04
miyoungc and others added 2 commits July 2, 2026 15:07
<!-- markdownlint-disable MD041 -->
## Summary
This PR makes release-prep docs a small explicit prerequisite before
cutting a NemoClaw tag.
Maintainers should run `/nemoclaw-contributor-update-docs for vX.Y.Z`
before `release:plan`, and regenerate the plan if `origin/main` changes
afterward.

## Related Issue
None.

## Changes
- Add the explicit `/nemoclaw-contributor-update-docs for vX.Y.Z`
pre-tag invocation to the docs-update skill.
- Add a short pre-tag docs note to `nemoclaw-maintainer-evening` before
it loads `cut-release-tag`.
- Add the same docs-before-plan precondition to
`nemoclaw-maintainer-cut-release-tag` and the release-train policy
reference.
- Add a narrow maintainer-skill policy regression test for the
docs-before-plan ordering.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this updates contributor and
maintainer workflow guidance, not user-facing product documentation.
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes — latest cleanup commits were
pushed with `--no-verify` per maintainer request; relying on remote CI.
- [x] Targeted tests pass for changed behavior — `npm test --
test/maintainer-skills-policy.test.ts`
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — ran
`npm run docs`; it completed successfully, but Fern reported 1 hidden
warning, so this is left unchecked.
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added a required pre-tag documentation step before generating final
release plans.
* Clarified when release-prep documentation should be run for a
versioned release.

* **Bug Fixes**
  * Prevented release plans from being created too early.
* Ensured release plans are regenerated if release-related changes land
afterward.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- markdownlint-disable MD041 -->
## Summary

This PR carries the final proxy-review follow-ups that reached the
source branch seconds after NVIDIA#6204 was squash-merged. It tightens the
Deep Agents Code managed-proxy contract without changing its routing
behavior.

Existing Deep Agents Code sandboxes must still be rebuilt after
upgrading because the corrected startup and launcher scripts are baked
into the image.

## Related Issue

Follow-up to NVIDIA#6204; relates to NVIDIA#6191.

## Changes

- Make the credential-free runtime proxy environment read-only (`0444`)
and verify its ownership and mode in focused and live checks.
- Clear inherited `ALL_PROXY`/`all_proxy` state at every dcode runtime
boundary, including persisted login-shell state, while preserving the
sandbox-create host proxy seed used by OpenShell.
- Extract the connect inference-route probe into a focused module and
test, keeping existing non-dcode behavior unchanged.
- Require strict exit-zero standalone `PONG`, preserve the dcode
`routeHealthy: null` smoke path, and validate the real
login/direct/connect paths.
- Extend canonical secret detection for complete multi-segment LangSmith
v2 keys and keep the shell/runtime mirrors under parity tests.
- Record the agent-local `0444` runtime-file risk acceptance and its
compensating controls in `SECURITY.md`.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: [Charan Jagwani
approval](NVIDIA#6206 (review)).
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes — exact affected hooks, CLI
build/typecheck, focused tests, pre-push checks, and all exact-head
GitHub CI passed; the broad local macOS hook exposed pre-existing Node
22.16 child-process and BSD `script` incompatibilities outside this
diff.
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

### Runtime evidence

- NVIDIA#6204 exact-head E2E:
[ubuntu-repo-cloud-langchain-deepagents-code](https://github.com/NVIDIA/NemoClaw/actions/runs/28616070748)
passed on `22d42e2f`, including onboarding/Ready, managed `/v1/models`
HTTP 200, login-shell and direct-exec `PONG`, connect probe, and clean
teardown.
- NVIDIA#6206 final exact-head E2E:
[ubuntu-repo-cloud-langchain-deepagents-code](https://github.com/NVIDIA/NemoClaw/actions/runs/28623778067)
passed on `de004fd6`, including onboarding/Ready, cleared
`ALL_PROXY`/`all_proxy`, trusted root-owned proxy source comparison,
absent direct DNS, managed `/v1/models` HTTP 200, exit-zero
standalone-line login/direct `PONG`, connect acceptance, clean
credential scan, and clean teardown.

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Apurv Kumaria <akumaria@nvidia.com>

@apurvvkumaria apurvvkumaria left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes at head ec8bd679. Removing the local-provider gate is the right direction, but the published patch still does not make the route the agent actually uses authoritative:

  1. status-snapshot.ts retains the upstream provider result as root inferenceHealth and appends inference.local only as a subprobe. status can therefore print Inference: healthy, emit root JSON ok: true, and exit 0 while the gateway subprobe is broken.
  2. Both doctor and status skip the route entirely when no direct provider-health probe is registered. Supported providers such as nvidia-router and hermes-provider therefore remain untested.
  3. probeSandboxInferenceGatewayHealth treats every positive HTTP code as healthy, including 503. The intended contract is 1xx-4xx reachable, 5xx unhealthy, and 000 broken.
  4. A null/unavailable in-sandbox probe is silently omitted, allowing an upstream result to produce a false green instead of failing closed.

Please probe inference.local independently, use it as the primary status/doctor result, retain upstream checks as labeled diagnostics, and make failed or unavailable authoritative probes produce nonzero status. Add regression coverage for status text and JSON, exit codes, providers without direct probes, HTTP 503, and an unavailable probe.

This formalizes the earlier maintainer comment; the current PR head has not yet incorporated that follow-up.

miyoungc and others added 8 commits July 2, 2026 16:24
## Summary
This PR resolves the maintainer-owned docs gaps behind the noisy
contributor PR set without reusing that branch history. It adds missing
recovery guidance and a host-side state reference while keeping
OpenClaw-only gateway guidance out of the Hermes variant.

## Related Issue
Closes NVIDIA#5326 — `docs/get-started/windows-preparation.mdx`: adds Cursor
Run Mode / Legacy Terminal Tool troubleshooting for Windows
starter-prompt installs, including fallback-file and Docker Desktop
readiness guidance.
Closes NVIDIA#6027 — `docs/reference/troubleshooting.mdx`: adds `Kubernetes
namespace not ready` recovery steps that clean failed setup state before
retrying install, with preserved-user-data notes.
Closes NVIDIA#6028 — `docs/get-started/prerequisites.mdx`,
`docs/reference/troubleshooting.mdx`, `ci/platform-matrix.json`,
`docs/reference/platform-support.mdx`: documents that Homebrew Colima
users must install both Colima and the Docker CLI and verify `docker
info`.
Closes NVIDIA#6030 — `AGENTS.md`: clarifies that `nemoclaw/` registers
`/nemoclaw` OpenClaw TUI slash commands and that the `openclaw nemoclaw
<cmd>` shell subcommand path is descoped.
Closes NVIDIA#6031 — `docs/reference/troubleshooting.mdx`: adds
OpenShell/OpenClaw gateway startup-order guidance for the OpenClaw
variant and replaces stopped-sandbox guidance with a lighter recovery
ladder before rebuild.
Closes NVIDIA#6088 — `docs/reference/host-files-and-state.mdx`,
`docs/manage-sandboxes/lifecycle.mdx`, `docs/index.yml`: adds a unified
`~/.nemoclaw/` host files and state reference, including current
`sandboxes.json` registry wording and uninstall preservation behavior.

## Changes
- Add Windows Cursor recovery guidance to the Windows preparation page
instead of expanding the starter prompt.
- Document Homebrew Colima needing the Docker CLI, Kubernetes namespace
cleanup, OpenShell/OpenClaw gateway order, and
`sandbox_container_stopped` recovery.
- Add a `Host Files and State` reference page, wire it into both
OpenClaw and Hermes navigation, and link related docs.
- Clarify the descoped `openclaw nemoclaw <cmd>` path in the agent
architecture table.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: docs-only change; validated
with docs generators, link checks, and Fern docs build.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [x] New doc pages include SPDX header and frontmatter (new pages only)

Commands run:
- `python3 scripts/generate-platform-docs.py --check`
- `npm run docs:check-agent-variants`
- `bash test/e2e/e2e-cloud-experimental/check-docs.sh --only-links
--local-only docs/get-started/windows-preparation.mdx
docs/resources/agent-skills.mdx docs/reference/troubleshooting.mdx
docs/reference/host-files-and-state.mdx`
- `git diff --check`
- `npm run docs` — passed with 0 errors; Fern reported 1 warning.
- `npm run build:cli` — run so the pre-push TypeScript hook could
resolve `dist/` imports.

---
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a new reference page explaining NemoClaw host-side storage,
safe-to-delete items, and how uninstall preserves or destroys data.
* Added the new “Host Files and State” page to the user-guide navigation
for both agent variants.

* **Documentation**
* Improved macOS Apple Silicon + Homebrew Colima setup by explicitly
requiring the Docker CLI and verifying with `docker info`.
* Expanded Windows troubleshooting guidance and added clearer recovery
steps for onboarding and stopped sandboxes, including the correct
startup order for gateways.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->

Define exact-SHA E2E evidence as an explicit precondition of the release
process. The candidate commit's `.github/workflows/e2e.yaml` remains the
sole source of truth: every declared E2E test needs at least one green
execution or an itemized maintainer exception before the exact tag
confirmation is requested.

## Changes
<!-- Bullet list of key changes. -->

- Freeze the candidate SHA with the release plan, then build an evidence
ledger across workflow runs, reruns, and attempts.
- Require green evidence for every E2E test declared by that SHA's
workflow, including explicit-only and expanded matrix executions,
without maintaining a second test inventory.
- Preserve maintainer discretion through itemized exceptions and
invalidate both evidence and exceptions whenever the candidate SHA
changes.
- Carry the gate through the cut-tag, evening, daily-flow, and
maintainer-cadence guidance while keeping overnight QA as additional
post-tag validation.
- Add a maintainer-policy contract test for the exact-SHA, flaky-run,
exception, and confirmation-order invariants.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this changes internal
maintainer policy and skills only; documentation review found no
user-facing CLI, configuration, API, or runtime change.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: maintainer-directed
release-policy design received an independent diff review; both
hardening findings were addressed before commit.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Strengthened release workflow guidance to require pre-tag, exact
commit-based E2E evidence before confirming a tag.
* Added an evidence-ledger approach using the E2E workflow as the single
source of truth, including detailed green evidence (counts plus run/job
links and attempt numbers), explicit itemized exceptions for non-green
tests, and rules to regenerate evidence if the candidate SHA changes.

* **Tests**
* Added automated coverage to ensure the updated evidence and
confirmation gating rules are enforced across the maintainer release
workflows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 -->
## Summary
This PR prepares the user-facing documentation for v0.0.73 before the
release plan is frozen.
It adds release notes for the merged runtime changes and closes
documentation gaps around DNS-backed HTTPS endpoint validation and
LangChain Deep Agents Code proxy recovery.

## Changes
- Add the `v0.0.73` release-note section with links to the detailed
command, inference, recovery, lifecycle, platform, and setup
documentation.
- Correct the custom endpoint guidance so DNS-backed HTTPS rejection and
the supported alternatives match the fail-closed runtime behavior.
- Document the managed `inference.local` proxy boundary and rebuild
requirement for existing LangChain Deep Agents Code sandboxes.
- Add troubleshooting guidance for the DNS-backed HTTPS validation
error.
- Validate with `npm run docs:sync-agent-variants` and `npm run docs`;
Fern completed with 0 errors and 2 existing warnings.
- Source summary:
- [NVIDIA#6139](NVIDIA#6139) ->
`docs/about/release-notes.mdx`, `docs/inference/inference-options.mdx`,
`docs/reference/commands.mdx`, `docs/reference/commands-nemohermes.mdx`,
and `docs/reference/troubleshooting.mdx`: Document fail-closed
DNS-backed HTTPS endpoint handling and recovery options.
- [NVIDIA#6142](NVIDIA#6142) ->
`docs/about/release-notes.mdx`: Summarize native OpenShell GPU injection
and compatibility-path diagnostics.
- [NVIDIA#6197](NVIDIA#6197) ->
`docs/about/release-notes.mdx`: Summarize agent-aware messaging preset
rejection.
- [NVIDIA#6199](NVIDIA#6199) ->
`docs/about/release-notes.mdx`: Summarize the unreachable-sandbox backup
opt-in, restore behavior, and data-loss boundary.
- [NVIDIA#6204](NVIDIA#6204) and
[NVIDIA#6206](NVIDIA#6206) ->
`docs/about/release-notes.mdx` and
`docs/get-started/quickstart-langchain-deepagents-code.mdx`: Document
the corrected managed proxy contract and required sandbox rebuild.
- [NVIDIA#6213](NVIDIA#6213) ->
`docs/about/release-notes.mdx`: Summarize the merged setup, recovery,
and host-state documentation.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: documentation-only release
preparation; the Fern docs build validates the changed pages and routes.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Added a new **v0.0.73** release notes section with six highlights at
the top of the changelog.
* Expanded **Custom Endpoint URL Validation** guidance in inference
option docs, including explicit acceptance/rejection rules for HTTP vs
DNS-backed HTTPS and how validated IPs are stored.
* Updated command references (`nemohermes inference set`, `$$nemoclaw
inference set`) to match the new validation behavior.
* Added troubleshooting documentation for unsupported **DNS-backed HTTPS
endpoints**, plus clarified Deep Agents Code routing and post-upgrade
sandbox rebuild guidance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 -->
## Summary
Adds an agent-first install path to the NemoClaw docs front door and
quickstarts so users can copy a prompt into Cursor, Claude Code, Codex,
Copilot, or another local coding agent.
The prompt now lives in one shared docs source, powers the copy button,
and renders as a manual fallback for users whose browser or agent UI
cannot use clipboard copy.

## Related Issue
Fixes NVIDIA#5048

## Changes
- Added `docs/_components/StarterPrompt.tsx` as the shared source for
the starter prompt plus a manual-copy fallback.
- Updated `docs/_components/StarterPromptButton.tsx` to copy the shared
prompt instead of embedding a duplicate prompt string.
- Added the agent-supported install path near the top of the home page,
OpenClaw quickstart, Hermes quickstart, and AI Agent Docs page.
- Updated the prompt to tell agents to use NemoClaw skills when
available and bootstrap `nemoclaw-user-guide` when missing.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: docs-only CTA, prompt
source, and docs-site component changes; no CLI/runtime behavior
changed.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

`npm run docs` passed with 0 errors; Fern reported the pre-existing
light-mode accent color contrast warning.
`fern check --warnings` confirmed the warning is unrelated to these docs
content changes.

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a “Start from Your Coding Agent” flow across the getting-started
docs and homepage onboarding.
* Provided a copyable starter prompt experience with an in-UI manual
copy fallback for clipboard-restricted environments.
* **Documentation**
* Updated quickstart and related guide pages with expanded,
agent-friendly prompt instructions and behavior constraints (one
question at a time, command approval, no secrets).
* **Tests**
* Added coverage to confirm prompt contents and validate the copy/manual
fallback rendering across docs pages.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
…n secret guard (NVIDIA#6202)

## Summary

Adds a `dcode status` identity command to the managed LangChain Deep
Agents Code wrapper so a user connected into a sandbox can tell which
sandbox the session is in, and fixes the wrapper secret guard falsely
refusing to start when OpenShell injects its canonical TLS client-key
path after a credential provider is attached.

## Related Issue

Fixes NVIDIA#6189
Resolves NVIDIA#6186

## Changes

- `agents/langchain-deepagents-code/dcode-wrapper.sh`: add a `status` /
`whoami` / `identity` subcommand that distinguishes the sandbox,
NemoClaw harness, active dcode agent, inference route, upstream
provider, model, endpoint, and runtime, then exits without launching
Deep Agents Code; advertise the managed aliases in `dcode --help`.
- `agents/langchain-deepagents-code/dcode-wrapper.sh`: allow only the
exact runtime pair
`OPENSHELL_TLS_KEY=/etc/openshell/tls/client/tls.key`; alternate paths,
opaque values, PEM material, and provider tokens remain rejected.
- Keep `.deepagents/.env` fail-closed: the OpenShell runtime exception
does not apply to the user-mutable env file.
- Add `tvly-` Tavily tokens to the secret-shape detection patterns.
- `src/lib/onboard/sandbox-create-launch.ts`, `src/lib/onboard.ts`:
forward `NEMOCLAW_SANDBOX_NAME` into the Deep Agents Code sandbox create
env (gated to the `langchain-deepagents-code` agent).
- `agents/langchain-deepagents-code/start.sh`: persist
`NEMOCLAW_SANDBOX_NAME` into the shared runtime env file that connect
shells and the wrapper source, so `dcode status` resolves the name.
- `docs/get-started/quickstart-langchain-deepagents-code.mdx`: document
`dcode status`.
- Tests: wrapper identity and agent-preference resolution, managed help,
exact runtime-pair acceptance, negative secret/path cases, mutable-env
rejection, sandbox-create env injection, and start.sh serialization.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: reviewed against the
repository security checklist; the exception is limited to one exact
runtime name/value pair, values are never logged, mutable env files
remain fail-closed, and Linux tests cover alternate paths, PEM material,
opaque values, and provider tokens.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes — pre-push hooks and scoped checks
pass; the broad pre-commit test hook encounters unrelated
environment-sensitive baseline failures.
- [x] Targeted tests pass for changed behavior
- [x] Required live Deep Agents Code E2E passes on the PR branch
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — build
passes with two pre-existing warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added `dcode status`, `dcode whoami`, and `dcode identity` to show the
active sandbox/session identity and exit without launching the
interactive UI.
* Sandboxes for supported Deep Agents Code runs can now propagate a
sandbox name into the runtime environment.
* **Bug Fixes**
* Strengthened runtime secret/credential checks by allowing only
OpenShell’s exact mounted TLS-key keypair, and correctly rejecting
additional secret-shaped Tavily token formats.
* **Documentation**
* Updated the Quickstart “Use the Harness” guide with the new
identity/status workflow and command aliases.
* **Tests**
* Added and expanded coverage for identity/status output, secret gating,
TLS-key allowlisting behavior, and sandbox name propagation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->


Co-authored-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com>

---------

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Apurv Kumaria <akumaria@nvidia.com>
## Summary

Reverts NVIDIA#6202 from `main` so v0.0.73 retains the release boundary that
was already documented and exercised by the release E2E run. PR NVIDIA#6202
remains targeted for v0.0.74.

The resulting tree is byte-for-byte identical to commit
`2276b2e1373548f9afa95b3a4f4bcd8db244874c`
(`967ad0207b591bfc7f3398f37c230f199bb932ed`).

## Related Issue

Release-boundary housekeeping for v0.0.73. Reverts NVIDIA#6202 without closing
its related issues.

## Changes

- Revert the Deep Agents Code `status`/identity wrapper commands
introduced by NVIDIA#6202.
- Revert the OpenShell TLS-key secret-guard exception introduced by
NVIDIA#6202.
- Revert the Deep Agents Code sandbox-name propagation and accompanying
tests.
- Remove the deferred user-facing `dcode status` documentation from the
v0.0.73 tree.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior — exact revert
restores the previously tested tree.
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes — NVIDIA#6202
documentation is reverted with the code.
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — the index tree exactly matches the pre-NVIDIA#6202 release tree,
and no manual edits were made to the revert.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
no CI waiver requested; the local broad `test-cli` pre-commit hook was
skipped after seven unrelated environment-sensitive baseline failures in
Hermes file modes, managed-gateway trust state, and state-dir permission
modes. Changed-area tests pass and PR CI remains required.

## Verification

- [x] PR description includes the DCO sign-off declaration and the
commit appears as `Verified` in GitHub.
- [x] Normal pre-push hooks passed; all pre-commit hooks except the
disclosed broad `test-cli` baseline lane passed.
- [x] `npx vitest run --project cli
src/lib/onboard/sandbox-create-launch.test.ts --silent=false
--reporter=default` — 6/6 passed.
- [x] `npx vitest run --project integration
test/langchain-deepagents-code-image.test.ts --silent=false
--reporter=default` — 53/53 passed.
- [ ] Full `npm test` passes (broad runtime changes only) — not rerun;
the broad hook's unrelated baseline failures are disclosed above.
- [x] Quality Gates section completed with required justifications or
waivers.
- [x] No secrets, API keys, or credentials committed.
- [x] `npm run docs` passes with 0 errors and two pre-existing Fern
warnings.
- [x] Doc pages follow the style guide.
- [ ] New doc pages include SPDX header and frontmatter — no new doc
pages.

---
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Additional environment details are now carried into runtime setup for
better tracing and project context.
* **Bug Fixes**
* Tightened secret-detection and runtime-value checks to reduce the
chance of sensitive values being accepted.
* Improved sandbox launch behavior by simplifying how launch settings
are prepared.
* **Documentation**
* Removed outdated guidance about checking the current sandbox from the
quickstart.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->

Restores NVIDIA#6202 now that v0.0.73 has been tagged. This reintroduces
`dcode status` identity reporting, managed help, the exact OpenShell
TLS-key runtime allowance, sandbox-name propagation, and their docs and
tests for v0.0.74, with focused follow-ups that suppress
private-key-shaped or encoded-credential metadata and fail closed on
malformed or unsupported identity config scalars.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->

Restores NVIDIA#6202 after the release-boundary revert in NVIDIA#6223. Related to
NVIDIA#6189, NVIDIA#6186, and the complementary runtime hardening in NVIDIA#6082.

## Changes
<!-- Bullet list of key changes. -->

- Restore `dcode status`, `dcode whoami`, and `dcode identity` without
launching the interactive UI.
- Restore the exact runtime-only
`OPENSHELL_TLS_KEY=/etc/openshell/tls/client/tls.key` allowance while
keeping arbitrary paths, values, PEM material, and persisted `.env`
entries fail-closed.
- Restore Tavily and context-shaped secret detection in the managed Deep
Agents Code wrapper.
- Mirror canonical private-key block detection before mutable config or
runtime metadata can reach `dcode status`, including the managed Slack
early-allowlist path, and scan the complete mutable `.deepagents/.env`
so raw multiline blocks cannot evade per-line classification.
- Reject literal, escaped, percent-encoded, and double-encoded query,
fragment, and userinfo delimiters before endpoint metadata can reach
`dcode status`.
- Restrict the informational TOML reader to known generated sections and
complete quoted scalars so malformed, commented, array, and unsupported
nested values fall back safely instead of being displayed.
- Restore Deep Agents Code sandbox-name propagation through onboarding
and startup state.
- Restore the original NVIDIA#6202 quickstart documentation, identity tests,
secret-boundary tests, and shared fixture, then add a composed
onboarding → `start.sh` → `dcode status` handoff test.
- Record the NVIDIA#6082 rebase contract: NVIDIA#6232's managed-proxy and
secret-filtering paths remain authoritative while NVIDIA#6082's runtime
upgrade, auth-store, and mutation-command work layers on afterward.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [x] Tests added or updated for changed behavior — restores the
original NVIDIA#6202 identity, secret-boundary, image-contract, and onboarding
coverage; adds canonical private-key parity, malformed/unsupported
config, encoded endpoint, and composed sandbox-name handoff cases.
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes — restores the
original `dcode status` quickstart section.
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — the restoration commit exactly matches the previously
reviewed NVIDIA#6202 tree; independent reproduction confirmed the
advisor-reported private-key status leak, and focused follow-ups mirror
the canonical block pattern, reject raw multiline `.env` key blocks and
encoded endpoint delimiters, and fail closed on malformed generated
scalars with status, parity, managed-Slack, composed-handoff, no-launch,
redaction, and secret-scanner coverage.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
no CI waiver requested; required remote checks remain mandatory.

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub.
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes — all commit hooks except the
disclosed local `test-cli` environment-sensitive baseline lane passed;
normal pre-push CLI typecheck and tag-version synchronization passed.
- [x] Targeted tests pass for changed behavior — onboarding 8/8 and Deep
Agents Code wrapper/image/composed-handoff tests 77/77 after review
follow-ups; CLI typecheck, ShellCheck, Biome, test-size/project-overlap
gates, detect-private-key, and gitleaks also pass.
- [x] Required exact-head live E2Es pass on attempt 1 —
`ubuntu-repo-cloud-langchain-deepagents-code` and `cloud-onboard` at
`a503d95a81094cd3415ce933b64a0213a4d3aa2d`.
- [ ] Full `npm test` passes (broad runtime changes only) — not rerun;
remote CI remains required.
- [x] Quality Gates section completed with required justifications or
waivers.
- [x] No secrets, API keys, or credentials committed.
- [ ] `npm run docs` builds without warnings (doc changes only) — build
passed with 0 errors and two pre-existing Fern warnings.
- [x] Doc pages follow the style guide; independent docs review found no
additional changes needed.
- [ ] New doc pages include SPDX header and frontmatter — no new doc
pages.

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Carlos Villela <cvillela@nvidia.com>

---------

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
NVIDIA#6176)

## Summary

The unknown-action error for sandbox commands listed the valid actions
but no concrete example. This appends an example command that uses the
sandbox name the user typed, e.g. `nemoclaw <name> connect`, satisfying
the last unmet acceptance criterion in NVIDIA#755 (unknown sandbox actions
should list valid actions *and* a concrete example).

## Related Issue

Refs NVIDIA#755

## Changes

- `src/lib/cli/public-dispatch.ts`: the `unknownPublicAction` branch now
prints ` Example: <cli> <name> connect` after the valid-actions list,
matching the existing `Did you mean:` / command-order hint patterns
already in that file.
- `test/cli/unknown-sandbox-action.test.ts`: new test asserting an
unknown sandbox action reports the valid actions and the concrete
example.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [x] Docs not applicable — justification: CLI error-output only; no
user-facing docs affected.

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push
- [x] Targeted tests pass for changed behavior
- [x] No secrets, API keys, or credentials committed

Ran: `npx @biomejs/biome check` (pass), `npm run typecheck` (pass), `npm
run build:cli`, and `vitest run test/cli/unknown-sandbox-action.test.ts`
(pass).

---
Signed-off-by: latenighthackathon
<latenighthackathon@users.noreply.github.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
  * Improved CLI guidance when an unknown sandbox action is entered.
* The error message now includes a clearer example command, using the
sandbox name when available.
* Added test coverage to confirm the CLI shows the expected error, valid
actions, and example usage.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
Co-authored-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
cv and others added 21 commits July 6, 2026 23:47
<!-- markdownlint-disable MD041 -->
## Summary

Run four MCP lifecycle and runtime-capability suites directly in Vitest
instead of cold-starting a Node process for every scenario. The focused
local run falls from 14.25 seconds to 2.97 seconds wall-clock while
preserving all 52 behaviors, real registry filesystem state, and the two
real OpenShell fixture version probes.

## Related Issue

Contributes to NVIDIA#6245.

## Changes

- Replace 55 outer Node isolation children across the destroy, Hermes
startup, and Deep Agents lifecycle/capability suites with direct source
calls and hoisted Vitest mocks.
- Preserve per-scenario provider, attachment, adapter, policy, recovery,
and environment isolation.
- Keep real temporary registry and lifecycle-lock filesystem behavior
plus the two nested OpenShell fixture version checks.
- Leave production modules and genuine crash/process-contract tests
unchanged.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: This only changes internal
test isolation mechanics; MCP commands, configuration, registry
semantics, and runtime behavior are unchanged.
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: `npx
vitest run --project integration test/mcp-destroy-lifecycle.test.ts
test/hermes-mcp-startup-probe.test.ts
test/deepagents-mcp-legacy-lifecycle.test.ts
test/deepagents-mcp-runtime-capability.test.ts` (4 files, 52/52 tests
passed; 2.65s Vitest / 2.97s wall-clock); `npm run
test-conditionals:scan -- --top 25` (completed; changed files contain
zero `if` statements).
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Improved coverage for lifecycle, startup, and runtime capability-probe
flows.
* Reworked multiple suites to run in-process with mocked dependencies
for faster, more reliable execution.
* Expanded assertions around destroy/rebuild/restore behaviors,
including rollback/reattach paths and durable-marker handling.
* Strengthened validation of cleanup and state transitions, and improved
error-message checking to better prevent regressions.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- markdownlint-disable MD041 -->
## Summary

Fix legacy upgrades so pre-fingerprint managed sandboxes can be rebuilt
only after a complete backup and explicit, exact-name operator
confirmation. The prepared recovery path can restore the replacement
gateway's exact provider and inference route without weakening ordinary
rebuild checks or custom-image protections.

## Related Issue

Fixes NVIDIA#6114

## Changes

- Prepare the current NemoClaw CLI before sandbox recovery and require
every managed sandbox to be backed up successfully before continuing.
- Scope legacy recovery to the exact confirmed OpenClaw and Hermes
sandbox-name set, reject custom-image and unsupported-agent cases, and
revalidate immediately before deletion.
- Let only a validated prepared backup defer the fresh-gateway route
check and reconstruct a missing canonical provider when its exact
recorded credential binding has a host key.
- Carry that authority through an immutable
provider/model/credential/endpoint handoff, recheck provider absence and
credential availability at the delete edge, then force and verify the
exact provider and route during authoritative onboarding.
- Keep ordinary rebuilds fail-closed for missing, mismatched, or
indeterminate gateway state; skip redundant generic onboarding after
successful recovery.
- Add focused CLI, installer integration, live E2E contract,
security-race, and documentation coverage.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: Final independent
security review passed with no P0–P2 findings. It covered exact-name
authorization, custom-image vetoes, strict backup handling, bounded and
exact provider-absence parsing, canonical credential binding, immutable
recovery authority, delete-edge revalidation, and exact post-setup route
verification.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification:
Broader focused suites passed with 160 CLI tests and 85
installer/onboarding integration tests; extraction reruns passed 134
focused CLI and 68 onboarding integration tests. Final provider-recovery
follow-up verification passed 92 focused tests and `npm run
typecheck:cli`.
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: Final-head GitHub CI
passed with 40 successful checks and 2 expected skips. An earlier local
broad run completed with 13,441 passed and 8 environment-sensitive
failures; affected focused reruns pass.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) —
command/result: passed with 0 errors and 2 existing Fern warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

### Live E2E

- [x] Final-head `openshell-gateway-upgrade` passed in [run
28837548991](https://github.com/NVIDIA/NemoClaw/actions/runs/28837548991).
Attempt 1 exhausted runner Docker storage before current code ran;
attempt 2 completed the legacy install, gateway replacement,
provider/route recovery, state restore, and survivor assertions.
- [x] Remaining advisor-required targets `cloud-onboard`,
`onboard-repair`, `onboard-resume`, and `upgrade-stale-sandbox` passed
in [run
28835500944](https://github.com/NVIDIA/NemoClaw/actions/runs/28835500944).
- [x] Additional `rebuild-hermes`, `rebuild-openclaw`,
`sandbox-rebuild`, and `state-backup-restore` jobs passed in that run.
The Hermes cross-product matrix gap is [explicitly
justified](NVIDIA#6362 (comment)).

---
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added scripted support for confirming legacy managed sandboxes during
OpenShell upgrade and recovery, including exact JSON-array confirmation
of eligible sandbox names.
* Recovery now reports when existing sandboxes are recovered and skips
generic onboarding after successful recovery.

* **Bug Fixes**
* Strengthened pre-upgrade backup strictness: upgrades now stop with a
nonzero exit if any registered sandbox is skipped or fails; strict
handling can’t be bypassed by unreachable-backup overrides.
* Tightened validation around inference/provider recovery to prevent
unintended automatic rebuilds.

* **Documentation**
* Updated quickstart, command reference, lifecycle, and
credential-storage docs to reflect the new upgrade/recovery flow,
failure behavior, and lifecycle environment variables.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Prekshi Vyas <34834085+prekshivyas@users.noreply.github.com>
)

## Summary

Extract the repeated synchronous file snapshot/restore and JSON state
helpers used by the stateful rebuild E2E scenarios. The shared utility
preserves the existing absent-file, empty-file, malformed-JSON,
parent-directory, and formatted-newline behavior.

## Related Issue

Closes NVIDIA#6348
Parent epic: NVIDIA#6346

## Changes

- Add a discriminated `FileSnapshot` type that cannot confuse an absent
file with an empty one.
- Add shared snapshot, restore, strict JSON read, missing-file fallback,
parse-error fallback, and formatted JSON write helpers.
- Keep malformed JSON behavior explicit through separate
`readJsonFileOr` and `readJsonFileOrFallback` APIs.
- Migrate rebuild-openclaw, rebuild-hermes, and stale-sandbox upgrade
state handling.
- Add focused support tests for absent, empty, populated, malformed, and
nested-path cases.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [x] Docs not applicable — justification: test-state utility only
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed
- [x] Targeted behavior tests pass — `e2e-file-state.test.ts` (3 passed)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed

Additional local verification:

- `npm run build:cli`
- `npm run typecheck:cli`
- `npm run lint`


## Advisor / Merge Coordination Notes

- **Overlapping E2E refactor PRs:** PR NVIDIA#6358 and PR NVIDIA#6357 touch the same
rebuild/stale-sandbox live test files. This PR should land first because
it only extracts shared file-state helpers; the overlapping PRs can then
rebase and keep using `test/e2e/fixtures/file-state.ts`. Any conflicts
are expected to be mechanical import/helper-call conflicts, not runtime
behavior conflicts.
- **`readJsonFileOrFallback` semantics:** The malformed-JSON fallback is
intentional only for stale-sandbox E2E setup state where prior test runs
may leave incomplete registry/session JSON. The helper catches only
`SyntaxError`; non-parse I/O/read failures still propagate, and
`test/e2e/support/e2e-file-state.test.ts` covers that negative case.
- **Sensitive-path waiver:** Changes are test-only under `test/e2e/**`;
no production credential, policy, onboarding, inference, runner, sandbox
runtime, or messaging code is modified. Maintainer approval by `cv` is
recorded on this PR.

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added shared E2E file-state utilities for snapshot/restore and JSON
read/write, with consistent pretty-printed JSON output and a trailing
newline.
* Introduced two JSON fallback behaviors: fallback only when a file is
missing, or fallback when the file is missing and/or contains malformed
JSON.
* **Tests**
* Added E2E coverage for restore behavior (absent vs. empty), nested
directory handling for writes, and the JSON fallback/throw rules.
* **Chores**
* Updated multiple live E2E tests to reuse the shared file-state
utilities instead of local helpers.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
…VIDIA#6306)

<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->
`nemoclaw gc` never removed orphaned locally-prebuilt sandbox images
because it scanned only the gateway-built image repository
(`openshell/sandbox-from`). This makes gc enumerate every sandbox image
repo, so orphans under `nemoclaw-sandbox-local` (the
docker-driver-gateway prebuild path — Linux or macOS/Apple Silicon) are
detected, and the "run 'nemoclaw gc' to clean up" remediation that
`destroy --force` prints actually works.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->
Fixes  NVIDIA#6301

## Changes
<!-- Bullet list of key changes. -->
- `src/lib/domain/sandbox/image-tag.ts`: add `SANDBOX_FROM_IMAGE_REPO`,
`LOCAL_SANDBOX_IMAGE_REPO`, and `SANDBOX_IMAGE_REPOS` as the single
source of truth for sandbox image repositories.
- `src/lib/actions/maintenance.ts`: `garbageCollectImages()` now queries
every repo in `SANDBOX_IMAGE_REPOS` and unions the results before orphan
detection (was hardcoded to `openshell/sandbox-from` only).
- `src/lib/onboard/sandbox-prebuild.ts`: reuse the shared
`LOCAL_SANDBOX_IMAGE_REPO` constant instead of a private literal.
- Tests: `images.test.ts` gains a mixed-repo case (local orphan
detected, registered local image preserved); `maintenance.test.ts`
asserts gc scans both repos.

## Type of Change

- [√] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [√] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [√] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [√] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [√] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification:
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [√] Quality Gates section completed with required justifications or
waivers
- [√] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Rui Luo <ruluo@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved sandbox image cleanup to scan all sandbox image repositories,
rather than a single hard-coded source, to remove unused images more
reliably.
* Fixed local sandbox image reference handling so repository names and
tags are generated consistently across the app.
* Enhanced orphan image detection to correctly flag unregistered local
images even when repository context differs.
* **Tests**
* Added coverage for orphan-detection and garbage-collection behavior
across both sandbox image repositories.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Rui Luo <ruluo@nvidia.com>
…nboarding (NVIDIA#6289) (NVIDIA#6297)

## Summary

Custom Anthropic-compatible endpoints were validated with a
non-streaming `/v1/messages` probe only, so endpoints whose SSE
streaming layer is malformed (e.g. duplicate `message_start` events with
the same message id, observed on the Inference Hub route) passed
onboarding and then failed at runtime inside the sandbox with Hermes'
cryptic `no final response was produced` (exit 1). This PR adds
streaming-event validation to the custom Anthropic onboarding path —
mirroring the existing `/v1/responses` streaming validation from NVIDIA#1833 —
so the defect is diagnosed at onboarding time with an actionable
message.

## Related Issue

Refs NVIDIA#6289

This PR is the onboarding guardrail for the malformed Anthropic SSE
signature. It intentionally rejects a broken compatible endpoint before
sandbox creation; the functional runtime routing fix remains in NVIDIA#6295.

## Changes

- Add `runAnthropicStreamingEventProbe`
(`src/lib/adapters/http/probe.ts`): sends a `stream: true` request to
`/v1/messages` and validates the SSE event sequence — exactly one
`message_start`, at least one `content_block_delta`, one `message_stop`.
Refactors the shared curl/SSE capture into `captureSseEventCounts`,
reused by the existing `/v1/responses` streaming probe with identical
behavior (trace events, temp cleanup, curl exit-28 tolerance).
- Wire the streaming probe into `probeAnthropicEndpoint` behind a new `{
probeStreaming }` option (`src/lib/inference/probe-anthropic.ts`);
tighter `--max-time 15` timing so validation cannot hang the wizard.
- Enable it in `validateCustomAnthropicSelection`
(`src/lib/onboard/inference-selection-validation.ts`). Skipped when
`NEMOCLAW_REASONING=true`, matching the custom OpenAI-compatible path.
The official Anthropic provider path is unchanged; Bedrock-classified
endpoints are unaffected (streaming probe only runs after the
non-streaming `/v1/messages` probe succeeds).
- Move the two Anthropic credential-retry integration tests into a
focused `test/onboard-selection-anthropic-retry.test.ts` (fake curl now
serves a well-formed SSE stream for `"stream":true` probe bodies),
shrinking `test/onboard-selection.test.ts` below its legacy size budget;
budget ratcheted down 6146 → 5935.
- Docs: validation-table row and Anthropic-compatible server section in
`docs/inference/inference-options.mdx`; new troubleshooting entry for
the onboarding-time duplicate `message_start` failure in
`docs/reference/troubleshooting.mdx`.

## Type of Change

- [x] Code change with doc updates

## Quality Gates

- [x] Tests added or updated for changed behavior
- [x] Docs updated for user-facing behavior changes
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: requesting maintainer
review; probes reuse the existing trusted `--config` credential routing
(no credential appears in argv), and the new probe adds no new
credential surface.

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result: `npx vitest run
src/lib/adapters/http/probe.test.ts
src/lib/inference/probe-anthropic.test.ts
src/lib/onboard/inference-selection-validation.test.ts --project cli`
(68 passed); `npx vitest run test/onboard-selection.test.ts --project
integration` (67 passed); `npx vitest run
test/onboard-selection-anthropic-retry.test.ts --project integration` (2
passed); `npx vitest run src/lib/inference/onboard-probes.test.ts
src/lib/inference/onboard-probes-responses-fallback.test.ts --project
cli` (25 passed, 1 skipped); `npm run test:projects:check` (disjoint);
`npm run typecheck:cli` (clean)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [x] `npm run docs` builds without warnings (doc changes only) — 0
errors; 2 pre-existing warnings on main (login-gated redirects check,
theme contrast), unrelated to this change

## DCO

Signed-off-by: Tony Luo <xialuo@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added Anthropic-compatible streaming SSE validation during onboarding
to catch malformed `/v1/messages` event sequences.
* Streaming validation can be skipped for reasoning-only models via
`NEMOCLAW_REASONING`.
* **Bug Fixes**
* Improved reporting and recovery behavior for missing, duplicate, and
out-of-order streaming events, including clearer diagnostic messaging.
* **Documentation**
* Updated inference validation docs and added troubleshooting guidance
for onboarding failures caused by malformed SSE events.
* **Tests**
* Expanded streaming probe and onboarding validation tests; added
Anthropic onboarding retry UX coverage; removed obsolete Anthropic retry
tests.
* **Chores**
  * Adjusted CI test file size budget.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Tony Luo <xialuo@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
NVIDIA#6000) (NVIDIA#6007)

## Summary

Fresh sandboxes print a spurious plugin warning on the first `openclaw
tui` launch:

```
plugins.entries.qqbot: plugin not installed: qqbot
```

The generated default `openclaw.json` listed a `qqbot` plugin entry, but
`qqbot` is not bundled in the NemoClaw OpenClaw image. OpenClaw's plugin
loader warns `plugin not installed` for any referenced plugin that is
absent on disk, regardless of `enabled: false`, so every user who never
configured a messaging channel sees a warning that implies a broken
install.

`acpx` and `bonjour` are kept: they are bundled plugins, so listing them
with `enabled: false` correctly disables a present plugin without a
warning. Only the absent `qqbot` entry is removed.

## Changes

- `scripts/generate-openclaw-config.mts`: remove the dangling `qqbot`
default plugin entry.
- `test/generate-openclaw-config-plugin-entries.test.ts`: new focused
test asserting the default entries keep `acpx`/`bonjour` but no longer
reference `qqbot` (split into its own file to respect the test-file size
budget).

## Test

- `npx vitest run test/generate-openclaw-config-plugin-entries.test.ts`
— 2 passing.
- `source-shape:check` and `check-test-file-size-budget.ts` pass.

Closes NVIDIA#6000

Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Updated generated plugin configuration so the default plugin list no
longer includes an unused entry.
* Ensured bundled plugins continue to be generated with disabled
defaults where expected.

* **Tests**
  * Added coverage for default plugin entry generation.
* Verified the configuration does not include the removed plugin entry.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>
Co-authored-by: San Dang <sdang@nvidia.com>
… (NVIDIA#6008)

## Summary

When `nemoclaw onboard` fails or is interrupted partway through, most of
its many `process.exit(1)` paths print no recovery guidance. Users
assume a transient failure (network timeout during an image pull, a bad
key, a Docker hiccup) requires a full reinstall, when the run is
actually resumable with `nemoclaw onboard --resume` (NVIDIA#6003).

## Approach

Rather than touch every scattered exit site, add a single catch-all in
the centralized incomplete-onboard exit handler
(`exit-step-failure.ts`). It fires on any non-zero exit while onboarding
is incomplete and, **when a step was in progress** (a resumable point
recorded in the session), prints:

```
  Onboarding did not finish. Resume from the step that failed with:
    nemoclaw onboard --resume
  Completed steps are skipped; pass --fresh instead to start over.
```

This automatically covers the non-interactive abort paths and any
uncaught failure.

The hint is suppressed where it would be wrong or redundant:

- **Already-handled paths:** the sandbox build-context explainer prints
tailored `--resume` guidance and calls `noteOnboardResumeHintShown()`,
so the backstop never duplicates it.
- **Ctrl-C cancel:** the cancel-rollback clears the onboard session
before this handler runs, so no resumable step remains and the hint
stays silent (resuming a discarded session would be misleading).
- **Early exits** before any step started leave `lastStepStarted` unset,
so the handler stays silent.

## Changes

- `src/lib/onboard/resume-hint.ts` (new): once-per-process
`printOnboardResumeHint()` + `noteOnboardResumeHintShown()` dedup latch.
- `src/lib/onboard/exit-step-failure.ts`: print the hint from the
incomplete-exit handler when a step was in progress.
- `src/lib/build-context.ts`: mark the hint shown on the sandbox-create
path that already prints tailored `--resume` guidance.
- Tests: `resume-hint.test.ts` (new) and added cases in
`exit-step-failure.test.ts`.

## Test

- `npx vitest run src/lib/onboard/resume-hint.test.ts
src/lib/onboard/exit-step-failure.test.ts test/build-context.test.ts` —
all passing.
- `tsc -p jsconfig.json`, `source-shape:check`,
`check-test-file-size-budget.ts` pass.

Closes NVIDIA#6003

Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added a new onboarding recovery hint that points users to resume
interrupted setup with a resume command.
  * The hint is shown only once, reducing repeated messages.

* **Bug Fixes**
* Improved exit-time messaging so the resume hint appears only when
onboarding was actually in progress.
* Prevented duplicate recovery hints from being shown in overlapping
recovery paths.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
…ult (NVIDIA#6326)

<!-- markdownlint-disable MD041 -->
## Summary

The generic-Linux managed-vLLM default,
`nvidia/NVIDIA-Nemotron-3-Nano-4B-FP8`, was launched without
`--enable-auto-tool-choice` or a tool-call parser. Plain completions
succeeded, but agent requests using `tool_choice: "auto"` failed HTTP
400. This PR pins `--tool-call-parser qwen3_coder`, matching NVIDIA's
model-card launch recipe, and adds regression coverage at both the
model-registry and generic-Linux profile layers.

## Related Issue

Closes NVIDIA#6314.

## Reproduction and Analysis

The reporter reproduced the failure on Ubuntu 24.04 x86_64 with an RTX
5070 (12 GB) using NemoClaw v0.0.74:

```bash
NEMOCLAW_EXPERIMENTAL=1 NEMOCLAW_PROVIDER=install-vllm \
  nemoclaw onboard --agent <agent> --name <name> --non-interactive --fresh --yes
```

Before this fix, `buildVllmServeCommand` produced a command ending with:

```text
... --gpu-memory-utilization 0.7 --load-format fastsafetensors
```

The reporter observed:

```text
PLAIN:    HTTP_CODE=200
TOOLCALL: HTTP_CODE=400
"auto" tool choice requires --enable-auto-tool-choice and --tool-call-parser to be set
```

`GENERIC_LINUX_PROFILE.defaultModel` resolves to the
`nemotron-3-nano-4b` registry entry. That entry was the outlier: the DGX
Spark (`qwen3.6-35b-a3b-nvfp4` / `qwen3_xml`) and DGX Station
(`deepseek-v4-flash` / `deepseek_v4`) defaults already pinned their own
tool-call parsers.

After this fix, the command ends with:

```text
... --gpu-memory-utilization 0.7 --load-format fastsafetensors \
  --enable-auto-tool-choice --tool-call-parser qwen3_coder
```

The parser choice comes from the NVIDIA Nemotron-3-Nano-4B-FP8
model-card vLLM example and uses a parser already present in this
registry.

## Changes

- Add `--enable-auto-tool-choice --tool-call-parser qwen3_coder` to the
Nemotron-3-Nano-4B FP8 registry entry.
- Cover the generated serve command and the generic-Linux profile
default with regression tests.
- Require each tool-call switch to occur exactly once in the generated
command.
- Merge current `main` into the contributor branch without rewriting
contributor history.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this corrects the baked serve
arguments for an existing managed-vLLM model and requires no new user
action; current docs already describe the generic-Linux default,
managed-vLLM limitations, and the need for model-appropriate tool-call
flags.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: maintainer review by
@ericksoa on the final diff (2026-07-06) covered all nine
security-review categories. The change adds fixed model-specific argv
tokens, does not introduce user-controlled interpolation or alter
credential/auth/policy boundaries, retains negative-path parser
coverage, and passed gitleaks; no security findings.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable —
`npm run check:diff` passed at
`4f847e8f76373ab3d62386ea4902a0263a70f353`.
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — `npx vitest run
src/lib/inference/vllm-models.test.ts src/lib/inference/vllm.test.ts`
(47/47 passed).
- [x] Applicable broad gate passed — `npx vitest run src/lib/inference/`
(502 passed, 1 pre-existing skip), `npm run typecheck:cli`, and `npm run
build:cli` passed.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

## Remaining Runtime Evidence

Live end-to-end proof on an x86_64 generic-Linux NVIDIA GPU host is not
included. The available fleet does not have that architecture/GPU
combination; the DGX Spark host exercises a different profile that was
already unaffected. The unit tests prove the exact command/profile
composition, and the required `inference-routing` E2E is being run at
the final head, but that E2E does not launch managed vLLM or validate
this parser against the model. Before merge, a maintainer must either
explicitly accept this hardware-evidence limitation or obtain a
generic-Linux GPU run showing the fixed command and a successful
`tool_choice: "auto"` request.

## AI Disclosure

- [x] AI-assisted — contributor tool: Claude Code; maintainer salvage
tool: Codex

---
Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Updated vLLM settings for the Nemotron-3-Nano-4B FP8 model to enable
automatic tool choice with the correct tool-call parser configuration.
* Fixed Linux/NVIDIA vLLM profile detection to include the expected
tool-call parser settings.
* **Tests**
* Added regression coverage to ensure the tool-call related flags are
included correctly going forward.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Yanyun Liao <yanyunl@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Co-authored-by: Aaron Erickson <aerickson@nvidia.com>
## Summary

Add immutable E2E command-environment profiles on top of the existing
filtered availability boundary, and migrate the repeated test-HOME
builders used by six live scenarios.

## Related Issue

Closes NVIDIA#6356
Parent epic: NVIDIA#6346

## Changes

- Add filtered command, installed-CLI, test-HOME, and sandbox
environment profiles.
- Centralize noninteractive acceptance flags, default OpenShell gateway
selection, and deduplicated `.local/bin` / `.npm-global/bin` PATH
entries.
- Preserve caller-override precedence and avoid `process.env` mutation.
- Keep secret-bearing inference overlays as explicit caller data rather
than embedding inference-mode semantics.
- Migrate six exact/near-exact test-HOME environment builders.
- Add support tests for filtering, precedence, sandbox identity, PATH
composition, immutability, and secret overlays.

## Verification

- [x] Signed/Verified commit; pre-commit, commit-msg, and pre-push hooks
passed
- [x] `npm run build:cli`
- [x] `npm run typecheck:cli`
- [x] `npm run lint`
- [x] `e2e-environment-profiles.test.ts` (3 passed)
- [x] No user-facing docs required
- [x] No secrets or credentials committed

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added shared environment presets for CLI, home-directory, and
sandboxed command runs.
* Standardized test command environments so local CLI paths and required
settings are applied consistently.

* **Bug Fixes**
* Improved end-to-end test reliability by removing duplicated
environment setup across multiple scenarios.

* **Tests**
* Added coverage for environment profile behavior, including command
setup, home-path handling, and sandbox-specific variables.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Carlos Villela <cvillela@nvidia.com>
…VIDIA#6365)

## Summary

Expose the existing redacting Docker probe through the live Vitest
fixture with explicit required, optional, and intentionally-missing
policies.

Closes NVIDIA#6354
Parent epic: NVIDIA#6346

## Changes

- Add `DockerPrerequisite` with `probeDocker`, `requireDocker`, and
`expectMissingDocker`.
- Centralize local-skip versus CI-failure behavior for required Docker.
- Expose the prerequisite as the `docker` E2E fixture.
- Migrate the sandbox-operations prerequisite block.
- Preserve isolated Docker config, redacted output, and artifacts
through `DockerProbe`.
- Add 9 focused prerequisite/probe tests.

## Verification

- [x] Signed/Verified commit and all hooks passed
- [x] `npm run build:cli`
- [x] `npm run typecheck:cli`
- [x] Docker support tests: 9 passed
- [x] No product behavior, docs, or secrets changed

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved Docker availability checks for live test runs, with clearer
handling when Docker is missing.
* Tests now skip more gracefully on local machines and fail more
explicitly in CI when Docker is unavailable.
* Added coverage for Docker-present, Docker-missing, and
expected-missing scenarios to make test behavior more reliable.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Carlos Villela <cvillela@nvidia.com>
)

## Summary

Consolidate shared fake-provider HTTP mechanics—request bodies, JSON/SSE
responses, and deterministic server listen/close—without changing
mock-versus-hosted inference selection (NVIDIA#5745).

Closes NVIDIA#6349
Parent epic: NVIDIA#6346
Related: NVIDIA#5745

## Changes

- Add reusable request-body, JSON response, raw/named SSE, listen, and
close primitives.
- Migrate messaging-compatible, MCP bridge, and Hermes inference-switch
mock servers.
- Preserve scenario-specific request logs, streaming shapes, auth
checks, and cleanup.
- Document the protocol-only boundary with NVIDIA#5745.
- Add focused real-server protocol tests.

## Verification

- [x] Signed/Verified commit and all hooks passed
- [x] `npm run build:cli`
- [x] `npm run typecheck:cli`
- [x] `npm run lint`
- [x] Protocol and migrated-helper support tests: 23 passed
- [x] No production provider behavior or inference-mode policy changed

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Added shared HTTP test helpers for reading request bodies, writing
JSON responses, and sending SSE streams.
* Updated end-to-end tests to use the shared helpers for server setup,
response handling, and cleanup.
* Added coverage for HTTP request/response behavior, including JSON and
streaming event responses.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Carlos Villela <cvillela@nvidia.com>
## Summary

Add a typed target-evidence facade to the existing artifact sink and
migrate live Vitest targets to it. Target metadata/results now retain
the same artifact filenames and redaction boundary while receiving a
consistent runner, result status, and contract field shape.

## Related Issue

Closes NVIDIA#6353
Parent epic: NVIDIA#6346

## Changes

- Add `artifacts.target.declare(...)` and
`artifacts.target.complete(...)` with typed extensible metadata/result
inputs.
- Emit `target.json` and `target-result.json` through the existing
redacting `ArtifactSink`.
- Supply `runner: "vitest"` centrally and default completed results
without an explicit status to `status: "passed"`.
- Normalize legacy singular `contract` values to the canonical
`contracts` array and reject conflicting or malformed contract fields.
- Validate non-empty target IDs and explicit result statuses.
- Migrate all 117 live target evidence writes and remove repeated runner
fields.
- Add focused support tests for emitted files, normalization,
validation, redaction, and adoption.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: test-evidence refactor with
no user-facing behavior
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — 28 focused artifact, fixture, and
redaction assertions passed
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Additional local verification:

- `npm run build:cli`
- `npm run typecheck`
- `npm run typecheck:cli`
- `npm run lint`
- `npx vitest run --project e2e-support
test/e2e/support/e2e-target-evidence.test.ts
test/e2e/support/e2e-fixture-context.test.ts
test/e2e/support/e2e-redaction-entry.test.ts`

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a typed E2E “target evidence” lifecycle with explicit
**declare**/**complete** steps, producing consistent, normalized
evidence outputs.
* **Bug Fixes**
* Improved validation and normalization (non-empty identifiers,
non-empty status when provided, enforce single `contract` vs
`contracts`, consistent contract array formatting, and automatic result
defaults).
  * Added secret redaction in persisted evidence details.
* **Tests**
  * Migrated many live E2E scenarios to use the typed evidence API.
* Added test coverage for evidence normalization/redaction and a
safeguard scan to prevent direct JSON target writes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
## Summary
Translate Hermes top-level resumed one-shot invocations through the
native non-interactive chat resume path so the new turn appends to the
selected session instead of fragmenting into a fresh session.

## Related Issue
Fixes NVIDIA#5254

## Changes
- Detect top-level `--resume`/`--continue` combined with
`-z`/`--oneshot` in the installed Hermes wrapper.
- Rewrite only that composed form to `hermes chat --query ... --quiet
--resume/--continue ...`, preserving model/tool/config flags and leaving
plain one-shot invocations untouched.
- Add wrapper regression coverage for resumed one-shot, continued
one-shot, and unchanged plain one-shot behavior.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: fixes existing documented
flag composition without changing user-facing syntax.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: scoped wrapper argument
rewrite only; existing `gateway` guard and `config show` masker branches
remain first and unchanged, and the new path delegates to Hermes' native
`chat --query --quiet --resume/--continue` implementation instead of
directly editing session storage.
- [x] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue: local `npx vitest run
test/hermes-gateway-wrapper.test.ts` is skipped by the existing
Linux+python3 `canRun` gate on macOS; CI Linux should execute it.

## Verification
- [ ] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification:
`python3 -m py_compile agents/hermes/hermes-wrapper.py` passed; direct
Python assertions for `_translate_resumed_oneshot` passed;
`NPM_CONFIG_CACHE=/tmp/nemoclaw-5254-npm-cache npx biome check
test/hermes-gateway-wrapper.test.ts` passed;
`NPM_CONFIG_CACHE=/tmp/nemoclaw-5254-npm-cache npx vitest run
test/hermes-gateway-wrapper.test.ts` loaded but skipped all 45 tests due
the existing macOS gate.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added automatic routing that rewrites resumed/continued one-shot agent
invocations into Hermes’ non-interactive `chat --query` resume flow.

* **Bug Fixes**
* Fail-closed argv translation: only rewrites when inputs match
supported resume/continue patterns; otherwise runs the original command
unchanged.
* Preserves supported arguments while safely handling
unsupported/ambiguous forms (including `--` termination and conflicting
usage).

* **Tests**
* Expanded Hermes one-shot/resume/continue routing assertions, including
updated argv recording (`realArgv`).
* Added Hermes e2e regression to verify resume/continue don’t create
extra sessions and export content matches the seeded marker.
* Updated sandbox rebuild recovery test harness to use shared
environment helpers.

* **Chores**
* Updated Hermes wrapper integrity pin and added build-time verification
to detect flag allowlist drift.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
… (NVIDIA#5868)

## Summary

Adds the missing arm64 Local NVIDIA NIM image-compatibility warning
during onboarding.

GB10 detection and the NIM-local provider menu are already working on
current `main`, so this PR leaves that behavior alone. The new warning
is advisory only: it tells Linux arm64 DGX Spark/Station users that some
NIM images may not publish `linux/arm64` manifests, while still allowing
the existing NIM pull/start path to try the selected image.

Fixes NVIDIA#5772

## Changes

- `src/lib/onboard/nim-image-compat-warning.ts`: adds a small helper for
the Linux arm64 DGX Spark/Station warning.
- `src/lib/onboard/provider-host-state.ts`: prints the warning once when
`nim-local` is available in the provider options.
- `src/lib/onboard/nim-image-compat-warning.test.ts`: covers the warning
eligibility and wording.
- `test/onboard-nim-image-compat-warning.test.ts`: exercises the
compiled onboarding flow with a fake Linux arm64 DGX Spark GPU and
confirms the warning appears when Local NIM is offered.

## Testing

- `npm install --ignore-scripts` - completed.
- `npm run build:cli` - passed.
- `npx vitest run src/lib/onboard/nim-image-compat-warning.test.ts
test/onboard-nim-image-compat-warning.test.ts` - passed.
- `npm run typecheck:cli` - passed.
- `npm run source-shape:check` - passed outside the sandbox after the
sandboxed `tsx` IPC pipe failed with `EPERM`.
- `npm run test-size:check` - passed outside the sandbox after the
sandboxed `tsx` IPC pipe failed with `EPERM`.
- `git diff --check` - passed.
- `npx @biomejs/biome format src/lib/onboard/nim-image-compat-warning.ts
src/lib/onboard/nim-image-compat-warning.test.ts src/lib/onboard.ts
test/onboard-nim-image-compat-warning.test.ts` - passed.
- `npx @biomejs/biome lint src/lib/onboard/nim-image-compat-warning.ts
src/lib/onboard/nim-image-compat-warning.test.ts src/lib/onboard.ts
test/onboard-nim-image-compat-warning.test.ts` - passed.

## Evidence it works

The focused onboarding regression overrides `process.arch` and
`process.platform` to simulate a Linux arm64 DGX Spark host, passes a
GB10-style GPU object with `nimCapable: true`, enables
`NEMOCLAW_EXPERIMENTAL=1`, and selects the default cloud provider so no
real NIM image is pulled. The test confirms onboarding still completes
with `nvidia-prod` while the output contains both the Local NIM arm64
warning and the `linux/arm64` manifest note.

Signed-off-by: Deepak Jain <deepujain@gmail.com>

---------

Signed-off-by: Deepak Jain <deepujain@gmail.com>
## Summary
Adds a focused unit-test suite for the `isRecord` type guard in
`src/lib/core/json-types.ts`, which previously had no co-located test.
This raises coverage on a shared utility used across CLI data boundaries
(onboard, policies, agent-onboard) with no production code changes.

## Changes
- Add `src/lib/core/json-types.test.ts` with Vitest cases for
`isRecord`:
  - returns `true` for plain, empty, and nested objects
- returns `false` for `null`, `undefined`, arrays, strings, numbers, and
booleans

## Type of Change
- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [ ] Docs updated for user-facing behavior changes
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the style guide (doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Atulya Singh <atulyarajsingh@gmail.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Added comprehensive test coverage for record validation logic,
verifying correct behavior with various input types including objects,
null, undefined, arrays, and primitive values.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary

Centralize the live Vitest E2E command-result formatter and zero-exit
assertion on the existing fixture client helpers. This removes the
equivalent local helper copies exposed by the post-migration audit and
adds a ratchet against reintroducing them.

## Related Issue

Closes NVIDIA#6355
Parent epic: NVIDIA#6346

## Changes

- Generalize the shared command-result types so lightweight subprocess
results can use `resultText` and `assertExitZero` without casts.
- Replace equivalent local helpers across live targets and the
onboarding phase with shared imports.
- Preserve the existing Phase 6 helper APIs through re-exports while
moving their implementation to the fixture client.
- Rename the richer runtime-overrides spawn formatter instead of
changing its intentionally different diagnostics.
- Add an E2E support guard that rejects new local `resultText` or
`expectExitZero` definitions in live targets.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: test-harness-only refactor
with no user-facing behavior
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — `npx vitest run --project e2e-support
test/e2e/support/e2e-command-helper-adoption.test.ts
test/e2e/support/e2e-clients.test.ts
test/e2e/support/messaging-providers-runtime-proofs.test.ts
test/e2e/support/openclaw-discord-pairing-helpers.test.ts` (79 passed)
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Additional local verification:

- `npm run build:cli`
- `npm run typecheck`
- `npm run lint`
- Full `e2e-support` run reached 87 passing files; the unchanged
main-branch shell-quote source-of-truth check currently reports
`openshell-gateway-upgrade-helpers.ts`, and that test plus source file
are unchanged by this PR.

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Standardized end-to-end command output formatting across flows for
more consistent, readable failure messages.
* Improved exit-status failure details by deriving them from unified
command output and aligning accepted result shapes.

* **Tests**
* Updated many end-to-end tests to use shared command-result and
exit-check helpers instead of local duplicates.
* Added coverage for exit-check behavior with lightweight command
results.
* Added a guard test to prevent future live tests from reintroducing
local helper implementations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
…VIDIA#6383)

<!-- markdownlint-disable MD041 -->
## Summary
Reduce process isolation in two high-cost integration targets without
changing production behavior. Against the final `main` base, stale
rebuild recovery drops from 14.94–15.01 seconds to approximately 3.50
seconds (76.6% faster), while provider selection drops from 17.60–18.07
seconds to 9.95–10.23 seconds (43.4% faster).

## Related Issue
Part of NVIDIA#6245.

## Changes
- replace five redundant full-CLI stale-rebuild launches with the
existing direct flow harness while retaining one real CLI/HOME rollback
contract
- retain a focused 65ms harness case for successful stale recovery,
including backup skip, recreate handoff, and finalization assertions
- exercise unit-shaped onboarding cases through typed source seams while
preserving real-process coverage for module-wiring, environment parsing,
and subprocess boundaries
- batch nine provider credential back/exit scenarios through their real
`setupNim` call sites in one isolated child; full Node boots fall from
50 to 26 with all 66 provider-selection behaviors retained
- add a real-classifier rebuild contract for both recorded/active
gateway mismatch directions instead of injecting the terminal
`wrong_gateway_active` state
- ratchet the legacy `onboard-selection.test.ts` size budget from 5,624
to 4,834 lines
- sync the latest `main` and correct its stale plugin-entry assertion so
the test preserves the intentional omission of `acpx`

## Wrong-Gateway Source-of-Truth Review
- **Invalid state:** an empty active-gateway sandbox list is ambiguous
when the registry's recorded gateway differs from the currently selected
gateway; it must not authorize stale destruction
- **Source boundary:**
`gateway-state.ts#getReconciledSandboxGatewayState` and its
named-gateway reconciliation path own the classification
- **Source constraint:** gateway selection is mutable, so a `NotFound`
response by itself cannot prove the recorded sandbox is stale on its own
gateway
- **Regression coverage:** `rebuild-gateway-drift.test.ts` now drives
the real classifier for `nemoclaw`/`other-gw` and
`nemoclaw-9000`/`nemoclaw`, then verifies no backup, delete, registry
removal, or onboard occurs
- **Removal condition:** retain this contract until gateway
reconciliation and the rebuild mutation decision become one typed,
atomic boundary

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: test-isolation and
regression-coverage changes only; production behavior, CLI output,
configuration, defaults, and public APIs are unchanged
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: independent reviews
verified the real wrong-gateway reconciliation path,
destructive-boundary assertions, provider call-site wiring, environment
cleanup, and retained process boundaries; no actionable findings remain
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect that behavior. Do
not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — `test/onboard-selection.test.ts`
passed 66/66 at final head; `test/rebuild-stale-recovery.test.ts` passed
5/5 in 3.49 seconds wall; `rebuild-flow.test.ts` plus
`rebuild-gateway-drift.test.ts` passed 85/85; the final `main` sync's
OpenClaw config test plus the unrelated Hermes stress file passed 33/33
with 2 environment skips
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: [final-head
CI](https://github.com/NVIDIA/NemoClaw/actions/runs/28853151732) passed
all five CLI coverage shards, the merged coverage gate, static/type
checks, package lanes, and sandbox smoke tests
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
…ion (NVIDIA#5445) (NVIDIA#6385)

## Summary

The OpenClaw commands reference page linked to the Install OpenClaw
Plugins page using its **source directory**
(`../deployment/install-openclaw-plugins`), but Fern publishes that page
under the **`manage-sandboxes`** nav section. The link therefore 404s on
the live site even though the source file exists on disk. This restores
the published-route link and adds a route-level regression guard so the
drift cannot recur.

## Related Issue

Fixes NVIDIA#5445

## Changes

- `docs/reference/commands.mdx`: link `Install OpenClaw Plugins` via its
published nav section (`../manage-sandboxes/install-openclaw-plugins`)
instead of its source directory
(`../deployment/install-openclaw-plugins`).
- `scripts/check-docs-published-routes.ts`: new checker that derives the
published route map from `docs/index.yml` (variant + section slugs) and
resolves the commands page's relative links **route-relative, the way
Fern serves them**, failing if any resolves to a route that is not
published. Scoped to the commands reference page, which has regressed
repeatedly (NVIDIA#5445, NVIDIA#6290, NVIDIA#5465, NVIDIA#5460).
- `package.json`: add `docs:check-routes` and wire it into `npm run
docs:strict`, so a source-path-valid but published-route-broken link
fails docs validation.
- `test/repro-5445-docs-published-route.test.ts`: Vitest regression that
derives the route from `docs/index.yml`, asserts the commands link
resolves to
`/user-guide/openclaw/manage-sandboxes/install-openclaw-plugins` and
**not** `/user-guide/openclaw/deployment/install-openclaw-plugins`, plus
resolver/extractor robustness cases.

## Root cause

PR NVIDIA#6290, tasked with fixing this link, reasoned from the source file
path (`docs/deployment/install-openclaw-plugins.mdx`) and "corrected" a
previously-working `manage-sandboxes` link back to `deployment`. `fern
check` and source-path checks both pass on the broken form because the
source file exists — the missing validation was published-route
resolution.

## Type of Change

- [x] Code change with doc updates

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: the changed page is the doc;
the link target and its content are unchanged, only the route it points
to is corrected.

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set —
command/result: `npx vitest run
test/repro-5445-docs-published-route.test.ts` (8 passed; fails on
upstream/main pre-fix, passes post-fix); `npm run docs:strict` (0
errors).
- [x] No secrets, API keys, or credentials committed
- [x] `npm run docs` builds without warnings (doc changes only)

### Route-level reporter-workflow evidence

Ground truth from Fern's own link resolver (`fern docs broken-links`),
the same resolution the reader navigates:

- **Before (upstream/main):** 26 broken links, including the commands
page → `/user-guide/openclaw/deployment/install-openclaw-plugins` (404).
- **After (this branch):** 24 broken links — the commands-page
install-plugins error is gone, and **none added**. The remaining 24 are
pre-existing, unrelated broken links (nested-page relative links,
hermes-variant structural gaps) outside this issue's scope.

`fern check` alone does not catch this (it passed in NVIDIA#6290); the new
`docs:check-routes` gate does.

---
Signed-off-by: Yimo Jiang <yimoj@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Corrected a documentation link to point to the published “Install
OpenClaw Plugins” page under the correct route.
* Improved doc link validation to ensure links resolve to published
routes (including correct route selection).

* **Tests**
* Added/expanded regression coverage for the plugin installation link,
published-route mapping, and robust markdown link resolution.

* **Chores**
* Enhanced the strict documentation checks to also verify
published-route correctness and route mappings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Yimo Jiang <yimoj@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
…IA#6358)

## Summary

Make the `e2e-live` Vitest project collection gate the single default
opt-in boundary and expose canonical repository/CLI paths from the E2E
fixture layer. Target-specific Linux, hardware, and
destructive/high-cost opt-ins remain intact.

## Related Issue

Closes NVIDIA#6350
Parent epic: NVIDIA#6346

## Changes

- Add canonical `REPO_ROOT`, E2E roots, source CLI, and built CLI paths
in `test/e2e/fixtures/paths.ts`.
- Replace repeated live-test path derivations with those shared exports.
- Remove redundant per-file `shouldRunLiveE2E()` checks now enforced by
the `e2e-live` project include gate.
- Preserve platform and explicit target-specific switches such as
Linux-only execution, MCP agent matrices, connect-rlimit coverage, and
the issue-4434 live repro.
- Add support-test ratchets preventing new local path declarations or
duplicate global live gates.
- Update the live unit-block scanner examples to demonstrate
target-specific rather than global gating.

This touches legacy live specs that were not formatted under the current
Biome version. The repository's required pre-commit formatter normalized
each changed file, so the PR contains mechanical formatting alongside
the focused import/gate changes.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: test-harness-only refactor
with no user-facing behavior
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — 9 E2E support assertions and 7
integration scanner assertions passed
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Additional local verification:

- `npm run build:cli`
- `npm run typecheck`
- `npm run lint`
- `npx vitest run --project e2e-support
test/e2e/support/e2e-paths.test.ts
test/e2e/support/e2e-live-target-gating.test.ts
test/e2e/support/e2e-live-project-config.test.ts`
- `npx vitest run --project integration
test/no-unit-blocks-in-live-e2e.test.ts`

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Tests**
* Centralized shared end-to-end repository and CLI entrypoint path
constants for live scenarios, and updated affected E2E helpers/tests to
use them consistently.
* Removed live-project conditional skip wrappers across many scenarios
so tests are now registered directly (preserving existing timeouts and
core flow).
* Updated execution behavior to depend on runtime availability checks
(environment/CI/platform/hardware) to determine whether a test proceeds
or skips.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 -->
## Summary

Fixes sandbox exec hangs caused by forwarding a live non-terminal stdin
that never reaches EOF. NemoClaw now inherits stdin by default only for
terminals, closes non-terminal or unavailable stdin, and keeps
intentional pipes available through `--stdin`.

## Related Issue

Fixes NVIDIA#6319

## Changes

- Merge current `main` without rewriting the contributor's commits or
credit.
- Add public `--stdin` / `--no-stdin` controls, with explicit flags
taking precedence over TTY detection.
- Thread `stdin?: boolean` through sandbox exec and select inherited
versus ignored stdin in the async production spawner.
- Keep the stdio policy and its focused tests in companion modules so
the existing exec action/test files stay within growth limits.
- Preserve signal forwarding, remote exit codes, cleanup, workdir and
multiline guards, and denial-adjacent policy hints.
- Update NemoClaw and NemoHermes command references so piped scripts opt
in with `--stdin`.
- Add parser, default-selection, production-stdio, multiline-guidance,
signal, cleanup, exit-code, and policy-hint coverage.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: fresh maintainer review
requested on the new semantics; the prior approval predates this head
and does not satisfy this gate.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub — GitHub reports all 10 PR
commits verified at `d73686641e828025789dedf581099b9f23e4b988`.
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable —
`npm run check:diff` passed at
`d73686641e828025789dedf581099b9f23e4b988`.
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — the sandbox-exec
command/action/policy/cleanup/stdio plus runtime-environment matrix
passed 11 files / 160 tests; `npm run build:cli`, CLI typecheck, and
`npm run docs:strict` also passed.
- [x] Applicable broad gate passed — exact-head required CI run
`28829324545` passed (including the successful same-head retry of one
unrelated timing flake), and advisor-selected E2E run `28829674160`
passed 3/3 jobs.
- [ ] Quality Gates section completed with required justifications or
waivers — fresh sensitive-path review is pending.
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — `npm
run docs:strict` found 0 errors and two pre-existing hidden Fern
warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

The exact-head isolated OpenShell 0.0.72 proof
`2026-07-06T23-01-11-471Z-pid-7719` passed: a held-open non-TTY FIFO
returned promptly by default, `/dev/null` reached EOF, `--stdin`
forwarded a finite two-line script, remote exit status `37` propagated,
and a parent-only SIGTERM produced NemoClaw exit `143`. OpenShell 0.0.72
has no remote exec cancellation operation, so the harness recorded its
pre-existing detached-command behavior separately and removed the
uniquely tagged process after identity verification.

Both exact-head PR advisors (`28829423941`) returned `merge_as_is` with
no blocker or warning. The E2E advisor (`28829422926`) selected
`sessions-agents-cli`, `sandbox-operations`, and `shields-config`; all
three passed. Fresh human approval remains required because the existing
approval predates this head and its stdin semantics.

---
Signed-off-by: HwangJohn <angelic805@gmail.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

---------

Signed-off-by: HwangJohn <angelic805@gmail.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Aaron Erickson <aerickson@nvidia.com>
<!-- markdownlint-disable MD041 -->
## Summary

Reduce cold collection overhead in four rebuild-focused CLI test files
by replacing CommonJS source-loader/cache-invalidation seams with native
source imports and dependency-light production boundaries. This
preserves the existing behavioral coverage while removing incidental
loading of the full rebuild graph.

## Related Issue

Refs NVIDIA#6245
Refs NVIDIA#6237

## Changes

- Extract messaging-plan staging and config-hash command construction
into dependency-light leaf modules while preserving the public rebuild
facade exports.
- Defer loading `sandbox/rebuild` from `upgrade-sandboxes` until a
sandbox actually needs rebuilding, with an explicit dependency seam for
focused tests.
- Convert four CLI suites from `createRequire`, cache deletion, and
loader warmups to native imports and typed spies.
- Tighten the exact-path `createRequire` ratchet from 32 to 28 CLI test
files.
- Preserve all 43 existing assertions in the optimized suites and the
real Bash/filesystem, manifest planner, recovery, and
gateway-classification contracts.
- Add a compiled package-contract test for lazy rebuild loading and
facade exports, and make config-hash refresh propagate `sha256sum`
failures instead of masking them behind best-effort permission repair.

Matched CI evidence: the previous merged head reported 28.806s of
aggregate collection time for these four files. Final-head NVIDIA#6388 CI
reports 3.041s, a reduction of 25.765s (89.44%; 9.47× faster), while
preserving the original assertions and adding the hash-failure
regression. Aggregate collection work overlaps across Vitest shards, so
this is not a claim of equivalent one-for-one shard-wall savings.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: internal module-boundary and
test-loader refactor only; commands, flags, defaults, configuration,
protocols, and user-visible behavior are unchanged.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: two independent source
reviews found no blocking findings; focused rebuild, recovery,
preflight, messaging, config-hash, and compiled package-contract
coverage passed.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — 126/126 focused CLI tests passed
across the optimized suites, upgrade preflight, and the broader rebuild
flow; 2/2 compiled package-contract tests and the ratchet's 8/8
integration tests also passed.
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — five-shard final-head `CI / Pull Request`
and coverage merge passed; all 40 PR checks are green.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Additional local verification:

- `npm run typecheck:cli`
- `npm run build:cli`
- compiled package-contract coverage proves importing
`dist/lib/actions/upgrade-sandboxes.js` does not eagerly load the
rebuild module, forwards the lazy call exactly, and preserves both
extracted rebuild facade exports
- `npx tsx scripts/checks/test-create-require-budget.ts` (28 CLI files,
8 support files)
- `npm run test:projects:check`
- required live E2E passed: `rebuild-openclaw`, `rebuild-hermes`,
`sandbox-rebuild`, `upgrade-stale-sandbox`, and `channels-add-remove`,
and `messaging-providers` (OpenClaw passed on retry after an initial npm
`ECONNRESET` during fixture setup)
- `git diff --check`

---
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added rebuild messaging “recreate contract” planning based on built-in
channel manifests.
* Introduced a safer sandbox config-hash refresh command with stricter
pre-checks before updating the mutable OpenClaw config hash.

* **Bug Fixes**
* Improved restore/recovery and rebuild messaging preparation, including
safer skip conditions when messaging support is unavailable.
* Ensured config-hash refresh failures surface correctly, with stronger
protections against symlinked/mismatched config inputs.

* **Tests**
* Updated and expanded package-contract and rebuild flow tests to
validate loader laziness and expected rebuild entrypoints.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@wscurran wscurran added the v0.0.76 Release target label Jul 7, 2026
jyaunches and others added 3 commits July 7, 2026 12:51
<!-- markdownlint-disable MD041 -->
## Summary
Adds a CPU-only live E2E that reproduces the fresh Hermes shields
lifecycle regression from NVIDIA#6381. The test onboards a new non-root Hermes
sandbox, runs shields down/up twice, and preserves the failure as a
dedicated E2E lane until NVIDIA#6384 lands.

## Related Issue
Relates to NVIDIA#6381.

Depends on NVIDIA#6384.

## Changes
- Add a fresh Hermes onboard and two-cycle shields down/up live
regression test.
- Assert the mutable and locked ownership/mode contracts after each
transition.
- Add a dedicated `hermes-shields-config` workflow job that requires no
GPU or hosted inference secret.
- Extend the E2E artifact workflow boundary for the new job.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: test and CI coverage only; no
user-facing behavior changes
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [ ] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: E2E
workflow support tests passed (24/24), and the live target collects
successfully; the live run is intentionally expected to reproduce NVIDIA#6381
on current `main`
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a new Hermes live end-to-end check that runs repeated shields
cycles in a fresh non-root sandbox.
* Updated PR reporting so the new live job is included in the results
summary.
* **Bug Fixes**
* Updated E2E artifact upload workflow boundary validations to match the
current number of expected E2E execution jobs and default callers.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Probe inference.local from the sandbox for status and doctor.
Classify HTTP transport boundaries consistently with connect.
Keep provider checks as non-authoritative upstream diagnostics.

Co-authored-by: harjoth <harjoth.khara@gmail.com>
Co-authored-by: Souvik Ghosh <138186578+souvikDevloper@users.noreply.github.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@apurvvkumaria

apurvvkumaria commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Superseded by #6412 because bringing this stale-base branch onto current main made GitHub expand the PR to an unreviewable historical diff. The original implementation by @harjothkhara is explicitly retained and credited in #6412 through the signed commit Co-authored-by trailer, the PR description, and the contributor-credit comment. Thank you, Harjoth, for the original fix.

apurvvkumaria added a commit that referenced this pull request Jul 8, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Make the in-sandbox `https://inference.local/v1/models` route
authoritative for inference health in `nemoclaw status`, `nemoclaw
doctor`, and `nemoclaw connect`. This supersedes #6203 and #6264 while
retaining credit for Harjoth's original implementation and Souvik's
typed test-seam contribution.

## Related Issue

Fixes #6192

## Changes

- Share one agent-aware `inference.local` probe and fail-closed parser
across connect, status, and doctor.
- Treat final HTTP 200-499 responses as route-reachable; treat interim
100-199 responses, HTTP 500-599, `000`, malformed output, timeout, and
unavailable probes as failing.
- Centralize route-failure labels and status exit decisions so text,
JSON, status, doctor, and connect cannot drift.
- Discard route-probe response bodies through `/dev/null` instead of a
persistent sandbox temp file.
- Verify route TLS with OpenShell's managed CA bundle; certificate
failures are authoritative unreachable results.
- Keep direct provider checks as explicitly labeled, non-authoritative
upstream diagnostics.
- Return nonzero status for unhealthy or unavailable inference routes in
text and JSON output.
- Add regression coverage for HTTP boundaries, unavailable probes,
framed OpenShell output, no-direct-probe providers, DCode, and CLI exit
behavior.
- Update command, monitoring, local-inference, and troubleshooting
documentation for the authoritative route semantics.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: [nine-category review
passed after the only hardening finding was
fixed](#6412 (comment)).
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — `npx vitest run --project cli` over
the nine route/connect/status/doctor/recovery/adapter files: 163 passed;
`npx vitest run --project integration` over the eight changed
CLI/recovery files: 43 passed.
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: `npm run checks` passed;
the exact-head PR CI suite completed without failures; [typed OpenClaw
and DCode live
targets](https://github.com/NVIDIA/NemoClaw/actions/runs/28970519701)
passed; [inference-routing, diagnostics, and sandbox-operations live
jobs](https://github.com/NVIDIA/NemoClaw/actions/runs/28970503175)
passed.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — build
passed with 0 errors and two existing Fern warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)


## Architecture and Runtime-Boundary Review

- **Invalid state:** Host/provider checks can succeed while the
agent-visible `https://inference.local/v1/models` route is unusable.
This PR exposes that disagreement; it does not preserve or mask it.
- **Source boundary:** OpenShell owns sandbox exec, DNS, TLS CA
injection, and proxy provisioning. NemoClaw owns interpretation and
orchestration in `status`, `doctor`, and `connect`, so it probes the
exact in-sandbox route and fails closed when OpenShell cannot return
trusted `OK` or `BROKEN` evidence.
- **Source-fix constraint:** Read-only diagnostics cannot repair
OpenShell infrastructure, and an inconclusive result is inherently
lossy. `connect` must not open SSH or mutate route state on inconclusive
evidence. This fail-closed behavior is a permanent security boundary,
not a temporary workaround.
- **Regression and removal contract:** Checked-in parser, flow, CLI,
missing-CA, 401/403, DCode argv/proxy, and redaction tests cover
deterministic fault injection. The DCode wrapper may be removed only if
OpenShell provides an agent-independent structured route-health API that
preserves its CA and login-shell contract; fail-closed handling remains.
- **Runtime justification:** A separate standalone live artifact would
duplicate the repository's existing typed E2E lanes. Exact head
`130e74f3c520aa82db86fd80e830eff362390b08` passed the [required live
jobs](https://github.com/NVIDIA/NemoClaw/actions/runs/28970503175) and
[OpenClaw and DCode live
targets](https://github.com/NVIDIA/NemoClaw/actions/runs/28970519701);
exact-head macOS E2E and arm64 image/build checks also passed. Induced
broken-route, auth, and CA faults remain deterministic checked-in tests
to avoid destructive shared-state mutation.
- **PR sequencing:** #6412 is foundational. Merge it first, then rebase
#6465 and integrate its additive route-drift warning into the final
status-snapshot shape.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added clearer, authoritative inference health checks and diagnostics
for sandbox status and doctor commands.
* `connect` now fails closed when the in-sandbox inference route cannot
be trusted, with safer redacted error details.

* **Bug Fixes**
* Improved handling of reachable, unhealthy, unreachable, and not-probed
inference states.
* Fixed status exit behavior so inference-route failures correctly
return a non-zero result.

* **Documentation**
* Updated troubleshooting and command docs to explain the new inference
health and proxy diagnostic output.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: harjoth <harjoth.khara@gmail.com>
Co-authored-by: Souvik Ghosh
<138186578+souvikDevloper@users.noreply.github.com>

---------

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: harjoth <harjoth.khara@gmail.com>
Co-authored-by: Souvik Ghosh <138186578+souvikDevloper@users.noreply.github.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Make the in-sandbox `https://inference.local/v1/models` route
authoritative for inference health in `nemoclaw status`, `nemoclaw
doctor`, and `nemoclaw connect`. This supersedes NVIDIA#6203 and NVIDIA#6264 while
retaining credit for Harjoth's original implementation and Souvik's
typed test-seam contribution.

## Related Issue

Fixes NVIDIA#6192

## Changes

- Share one agent-aware `inference.local` probe and fail-closed parser
across connect, status, and doctor.
- Treat final HTTP 200-499 responses as route-reachable; treat interim
100-199 responses, HTTP 500-599, `000`, malformed output, timeout, and
unavailable probes as failing.
- Centralize route-failure labels and status exit decisions so text,
JSON, status, doctor, and connect cannot drift.
- Discard route-probe response bodies through `/dev/null` instead of a
persistent sandbox temp file.
- Verify route TLS with OpenShell's managed CA bundle; certificate
failures are authoritative unreachable results.
- Keep direct provider checks as explicitly labeled, non-authoritative
upstream diagnostics.
- Return nonzero status for unhealthy or unavailable inference routes in
text and JSON output.
- Add regression coverage for HTTP boundaries, unavailable probes,
framed OpenShell output, no-direct-probe providers, DCode, and CLI exit
behavior.
- Update command, monitoring, local-inference, and troubleshooting
documentation for the authoritative route semantics.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: [nine-category review
passed after the only hardening finding was
fixed](NVIDIA#6412 (comment)).
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — `npx vitest run --project cli` over
the nine route/connect/status/doctor/recovery/adapter files: 163 passed;
`npx vitest run --project integration` over the eight changed
CLI/recovery files: 43 passed.
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: `npm run checks` passed;
the exact-head PR CI suite completed without failures; [typed OpenClaw
and DCode live
targets](https://github.com/NVIDIA/NemoClaw/actions/runs/28970519701)
passed; [inference-routing, diagnostics, and sandbox-operations live
jobs](https://github.com/NVIDIA/NemoClaw/actions/runs/28970503175)
passed.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — build
passed with 0 errors and two existing Fern warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)


## Architecture and Runtime-Boundary Review

- **Invalid state:** Host/provider checks can succeed while the
agent-visible `https://inference.local/v1/models` route is unusable.
This PR exposes that disagreement; it does not preserve or mask it.
- **Source boundary:** OpenShell owns sandbox exec, DNS, TLS CA
injection, and proxy provisioning. NemoClaw owns interpretation and
orchestration in `status`, `doctor`, and `connect`, so it probes the
exact in-sandbox route and fails closed when OpenShell cannot return
trusted `OK` or `BROKEN` evidence.
- **Source-fix constraint:** Read-only diagnostics cannot repair
OpenShell infrastructure, and an inconclusive result is inherently
lossy. `connect` must not open SSH or mutate route state on inconclusive
evidence. This fail-closed behavior is a permanent security boundary,
not a temporary workaround.
- **Regression and removal contract:** Checked-in parser, flow, CLI,
missing-CA, 401/403, DCode argv/proxy, and redaction tests cover
deterministic fault injection. The DCode wrapper may be removed only if
OpenShell provides an agent-independent structured route-health API that
preserves its CA and login-shell contract; fail-closed handling remains.
- **Runtime justification:** A separate standalone live artifact would
duplicate the repository's existing typed E2E lanes. Exact head
`130e74f3c520aa82db86fd80e830eff362390b08` passed the [required live
jobs](https://github.com/NVIDIA/NemoClaw/actions/runs/28970503175) and
[OpenClaw and DCode live
targets](https://github.com/NVIDIA/NemoClaw/actions/runs/28970519701);
exact-head macOS E2E and arm64 image/build checks also passed. Induced
broken-route, auth, and CA faults remain deterministic checked-in tests
to avoid destructive shared-state mutation.
- **PR sequencing:** NVIDIA#6412 is foundational. Merge it first, then rebase
NVIDIA#6465 and integrate its additive route-drift warning into the final
status-snapshot shape.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added clearer, authoritative inference health checks and diagnostics
for sandbox status and doctor commands.
* `connect` now fails closed when the in-sandbox inference route cannot
be trusted, with safer redacted error details.

* **Bug Fixes**
* Improved handling of reachable, unhealthy, unreachable, and not-probed
inference states.
* Fixed status exit behavior so inference-route failures correctly
return a non-zero result.

* **Documentation**
* Updated troubleshooting and command docs to explain the new inference
health and proxy diagnostic output.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: harjoth <harjoth.khara@gmail.com>
Co-authored-by: Souvik Ghosh
<138186578+souvikDevloper@users.noreply.github.com>

---------

Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: cjagwani <cjagwani@nvidia.com>
Co-authored-by: harjoth <harjoth.khara@gmail.com>
Co-authored-by: Souvik Ghosh <138186578+souvikDevloper@users.noreply.github.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: cli Command line interface, flags, terminal UX, or output area: inference Inference routing, serving, model selection, or outputs area: routing Request routing, policy routing, model selection, or fallback logic bug-fix PR fixes a bug or regression v0.0.76 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.