Skip to content

refactor(onboard): extract sandbox create-failure reporting and create step into modules#6444

Merged
jyaunches merged 43 commits into
mainfrom
fix/6258-extract-onboard-create-orchestration
Jul 9, 2026
Merged

refactor(onboard): extract sandbox create-failure reporting and create step into modules#6444
jyaunches merged 43 commits into
mainfrom
fix/6258-extract-onboard-create-orchestration

Conversation

@Dongni-Yang

@Dongni-Yang Dongni-Yang commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Extracts cohesive units of the sandbox create/register orchestration out of the ~4,900-line src/lib/onboard.ts entrypoint into focused modules under src/lib/onboard/, following the injected-deps boundary style established by created-sandbox-finalization.ts (#6332). The primary goal is maintainability and independent unit-test coverage for the create path, with intentional safety/behavior refinements discovered during review: redacted create-output failure echoing, preservation of non-zero create-stream status when readiness fails, direct argv spawning for trusted create paths, fail-closed Docker-GPU create-poll side-effect handling, and redacted trace reporting for poll/readiness errors.

Note on the issue's premise: #6258 cites a +27 net lines growth-guard violation from #6166. That premise is stale — the merged #6166 left onboard.ts net-smaller, and #6276/#6332 shrank it further, so the guard (.github/workflows/codebase-growth-guardrails.yaml, a per-PR net-neutral diff gate) is not currently red. This PR is therefore incremental maintainability work; it keeps onboard.ts net-neutral-or-smaller so the gate stays green.

Related Issue

Refs #6258

Changes

  • Add src/lib/onboard/created-sandbox-failure.ts: reportSandboxCreateFailure (warns-and-continues on an incomplete create; otherwise prints diagnostics + recovery hints and exits) and reportSandboxReadinessFailure (prints the readiness failure, defers cleanup to the Docker-GPU patch or deletes the failed sandbox, then exits). onboard.ts replaces the two inline blocks with module calls — net −2 lines.
  • Add src/lib/onboard/sandbox-create-step.ts: runSandboxCreateStep encapsulates the BuildKit prebuild handoff → Docker-GPU create-patch provisioning → create-stream behind a context + injected-deps boundary. This move is line-neutral on onboard.ts; its value is a named, unit-testable boundary (the prepare → patch → stream sequence is now testable without standing up the entrypoint), not a size reduction. Build-context and exit-listener cleanup stay with the caller that armed them.
  • Add focused unit tests across created-sandbox-failure.test.ts, sandbox-create-step.test.ts, sandbox-create-launch.test.ts, create-stream.test.ts, create-stream-argv.test.ts, and create-stream-ready-gate.test.ts covering failure branches, redaction, exit-code preservation, GPU vs non-GPU readiness cleanup, prebuild/patch/stream wiring, direct argv spawn boundaries, terminal-agent/default-driver ready-check gating, fail-closed onPoll error handling, and redacted poll/readiness trace behavior.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: no CLI flags, commands, configuration, or documented user workflow changed. The user-visible differences are limited to safer failure-path diagnostics (credential redaction), more accurate readiness-failure exit status, and fail-closed create-poll error handling.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: onboarding/sandbox path. Extraction boundaries were verified against the pre-extraction source; intentional safety refinements are explicitly covered by tests: create output is redacted before failure logging, readiness failure preserves a non-zero create-stream status instead of flattening to 1, Docker-GPU during-create polling is isolated from readiness detection via onPoll, escaping poll errors abort create with classified/generic failure text plus redacted trace emission, and ready-check exceptions emit redacted trace evidence without falsely forcing Ready. Requesting maintainer sensitive-path review.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result: npx vitest run --project cli src/lib/actions/sandbox/snapshot.test.ts src/lib/onboard/created-sandbox-failure.test.ts src/lib/onboard/sandbox-create-launch.test.ts src/lib/onboard/sandbox-create-step.test.ts src/lib/sandbox/create-stream.test.ts src/lib/sandbox/create-stream-ready-gate.test.ts src/lib/sandbox/create-stream-argv.test.ts → 107 passed; npx tsc --noEmit --pretty false --project tsconfig.cli.json → clean; npm run test-size:check → passed; npx prek run --all-files --stage pre-commit --skip source-shape-test-budget --skip test-skills-yaml → passed; npm run test-conditionals:scan -- --top 25 → no new changed-file conditional failures; git diff --check → clean.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result: Required live E2E run 29021019725 passed on exact head 82518f7e6f69c39d9bc04f63a365753aac7b1b6d: cloud-onboard, onboard-repair, onboard-resume, state-backup-restore, upgrade-stale-sandbox, and snapshot-commands all succeeded. PR CI checks also passed on the same head after rerunning flaky policy-channel-list.test.ts shard timeout (cli-test-shards (3)).
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Dongni Yang dongniy@nvidia.com

Summary by CodeRabbit

  • New Features
    • Improved sandbox onboarding using a dedicated creation step that centralizes prebuild handoff, streaming create execution, GPU patch wiring, and readiness capture.
  • Bug Fixes
    • More consistent, centralized handling for both create failures and readiness failures, including redacted output, clearer diagnostics, and reliable retry guidance.
    • Safer cleanup on readiness failures to avoid same-name collisions, with correct behavior for GPU-enabled flows.
  • Tests
    • Added coverage for create/readiness failure reporting, exit-code fallback, cleanup/command messaging, and early-detach behavior in create-stream.

…dule

The sandbox create/readiness failure handling was inlined in the ~4,900-line
src/lib/onboard.ts entrypoint. Move both terminal handlers behind a focused
boundary in src/lib/onboard/created-sandbox-failure.ts, mirroring the injected-
deps shape of created-sandbox-finalization.ts (#6332): reportSandboxCreateFailure
warns-and-continues on an incomplete create but prints diagnostics + recovery
hints and exits otherwise; reportSandboxReadinessFailure prints the readiness
failure, defers cleanup to the Docker-GPU patch or deletes the failed sandbox,
then exits. Behavior is unchanged (verified byte-for-byte); onboard.ts ends
net-smaller, satisfying the codebase-growth guard without a waiver.

First cohesive increment toward the create-orchestration extraction; the
remaining prebuild/create/finalize wiring stays for follow-ups.

Refs #6258

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
Move the BuildKit prebuild handoff, Docker-GPU create-patch provisioning, and
create-stream out of the src/lib/onboard.ts entrypoint into
src/lib/onboard/sandbox-create-step.ts (runSandboxCreateStep), behind a
context + injected-deps boundary. Behavior is unchanged (pure move, verified
byte-for-byte). The move is line-neutral on onboard.ts, but it gives the
create step a name and makes the prepare->patch->stream orchestration
unit-testable without standing up the 4,900-line entrypoint. Build-context and
exit-listener cleanup stay with the caller that armed them.

Second cohesive increment for #6258.

Refs #6258

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
@Dongni-Yang Dongni-Yang self-assigned this Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

onboard.ts now delegates sandbox creation to runSandboxCreateStep and sandbox create/readiness failure handling to created-sandbox-failure.ts. New tests cover the extracted orchestration and reporting paths.

Changes

Onboard sandbox create/failure extraction

Layer / File(s) Summary
Sandbox create step module and wiring
src/lib/onboard/sandbox-create-step.ts, src/lib/onboard/sandbox-create-step.test.ts, src/lib/onboard.ts, src/lib/sandbox/create-stream.test.ts
runSandboxCreateStep resolves launch inputs, creates the Docker-GPU patch, streams creation with readiness hooks, and returns the create result plus patch handles; onboard.ts now calls it, and tests cover launch forwarding, readiness patching, terminal-agent output gating, and VM detachment when output patterns are empty.
Failure reporting module and wiring
src/lib/onboard/created-sandbox-failure.ts, src/lib/onboard/created-sandbox-failure.test.ts, src/lib/onboard.ts
reportSandboxCreateFailure and reportSandboxReadinessFailure centralize create/readiness diagnostics, recovery hints, sandbox deletion, Docker-GPU-specific cleanup, and exit behavior; onboard.ts now delegates both failure paths, and tests cover incomplete vs hard create failures plus readiness cleanup branches.

Estimated code review effort: 4 (Complex) | ~45 minutes

Suggested labels: refactor, area: onboarding, area: sandbox, area: architecture

Suggested reviewers: jyaunches, brandonpelfrey

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main refactor: extracting sandbox create-failure reporting and the create step into modules.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/6258-extract-onboard-create-orchestration

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 77%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 0d2aca4 82518f7 +/-
src/lib/actions...ge-preflight.ts 89% 74% -15%
src/lib/inference/config.ts 98% 93% -5%
src/lib/sandbox...reate-stream.ts 99% 99% 0%
src/lib/onboard.ts 28% 29% +1%
src/lib/actions...box/snapshot.ts 79% 80% +1%
src/lib/onboard...dbox-failure.ts 0% 100% +100%
src/lib/sandbox...est-fixtures.ts 0% 100% +100%
src/lib/onboard...-create-step.ts 0% 100% +100%
src/lib/sandbox...m-ready-gate.ts 0% 100% +100%
src/lib/sandbox...eam-progress.ts 0% 100% +100%

Updated July 09, 2026 14:18 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Merge posture: Informational / low confidence
Primary next action: Resolve or justify PRA-1: PR review advisor unavailable.
Open items: 0 required · 1 warning · 0 suggestions · 4 test follow-ups
Top item: PR review advisor unavailable

Action checklist

  • PRA-1 Resolve or justify: PR review advisor unavailable
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify correctness Re-run the PR Review Advisor or perform a manual review.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — PR review advisor unavailable

  • Location: not file-specific
  • Category: correctness
  • Problem: The automated advisor could not complete: PR review advisor SDK execution failed: session: security-trust must call pr_review_update_ledger exactly once (observed 2 starts); security-trust must finish pr_review_update_ledger successfully exactly once (observed 1 successful of 2 total completions); turn: security-trust: security-trust must call pr_review_update_ledger exactly once (observed 2 starts); security-trust must finish pr_review_update_ledger successfully exactly once (observed 1 successful of 2 total completions)
  • Impact: Automated review evidence is incomplete, so human review must cover the changed code manually.
  • Recommended action: Re-run the PR Review Advisor or perform a manual review.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the workflow logs and raw advisor artifact for the execution failure.
  • Missing regression test: No regression test recommendation is available because the advisor did not complete.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the workflow logs and raw advisor artifact for the execution failure.
  • Evidence: PR review advisor SDK execution failed: session: security-trust must call pr_review_update_ledger exactly once (observed 2 starts); security-trust must finish pr_review_update_ledger successfully exactly once (observed 1 successful of 2 total completions); turn: security-trust: security-trust must call pr_review_update_ledger exactly once (observed 2 starts); security-trust must finish pr_review_update_ledger successfully exactly once (observed 1 successful of 2 total completions)

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `onboard-repair` E2E job for Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime. Matched files: `src/lib/actions/sandbox/snapshot-create-stream-test-types.ts`, `src/lib/actions/sandbox/snapshot.ts`, `src/lib/onboard.ts`, `src/lib/onboard/created-sandbox-failure.ts`, `src/lib/onboard/sandbox-create-launch.ts`.. Deterministic regression risks require live validation: lifecycle-state, upgrade-rebuild.
  • PRA-T2 Runtime validation — Run the `onboard-resume` E2E job for Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime. Matched files: `src/lib/actions/sandbox/snapshot-create-stream-test-types.ts`, `src/lib/actions/sandbox/snapshot.ts`, `src/lib/onboard.ts`, `src/lib/onboard/created-sandbox-failure.ts`, `src/lib/onboard/sandbox-create-launch.ts`.. Deterministic regression risks require live validation: lifecycle-state, upgrade-rebuild.
  • PRA-T3 Runtime validation — Run the `state-backup-restore` E2E job for Upgrade, rebuild, snapshot, and restore operations must preserve user state while replacing stale runtime state. Matched files: `src/lib/actions/sandbox/snapshot-create-stream-test-types.ts`, `src/lib/actions/sandbox/snapshot.ts`.. Deterministic regression risks require live validation: lifecycle-state, upgrade-rebuild.
  • PRA-T4 Runtime validation — Run the `upgrade-stale-sandbox` E2E job for Upgrade, rebuild, snapshot, and restore operations must preserve user state while replacing stale runtime state. Matched files: `src/lib/actions/sandbox/snapshot-create-stream-test-types.ts`, `src/lib/actions/sandbox/snapshot.ts`.. Deterministic regression risks require live validation: lifecycle-state, upgrade-rebuild.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Informational

Merge posture: Informational / low confidence
Primary next action: Resolve or justify PRA-1: PR review advisor unavailable.
Open items: 0 required · 1 warning · 0 suggestions · 4 test follow-ups
Top item: PR review advisor unavailable

Action checklist

  • PRA-1 Resolve or justify: PR review advisor unavailable
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify correctness Re-run the PR Review Advisor or perform a manual review.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — PR review advisor unavailable

  • Location: not file-specific
  • Category: correctness
  • Problem: The automated advisor could not complete: PR review advisor SDK execution failed: session: scope-risk-map called pr_review_update_ledger before analysis; turn: scope-risk-map: scope-risk-map called pr_review_update_ledger before analysis
  • Impact: Automated review evidence is incomplete, so human review must cover the changed code manually.
  • Recommended action: Re-run the PR Review Advisor or perform a manual review.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the workflow logs and raw advisor artifact for the execution failure.
  • Missing regression test: No regression test recommendation is available because the advisor did not complete.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the workflow logs and raw advisor artifact for the execution failure.
  • Evidence: PR review advisor SDK execution failed: session: scope-risk-map called pr_review_update_ledger before analysis; turn: scope-risk-map: scope-risk-map called pr_review_update_ledger before analysis

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `onboard-repair` E2E job for Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime. Matched files: `src/lib/actions/sandbox/snapshot-create-stream-test-types.ts`, `src/lib/actions/sandbox/snapshot.ts`, `src/lib/onboard.ts`, `src/lib/onboard/created-sandbox-failure.ts`, `src/lib/onboard/sandbox-create-launch.ts`.. Deterministic regression risks require live validation: lifecycle-state, upgrade-rebuild.
  • PRA-T2 Runtime validation — Run the `onboard-resume` E2E job for Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime. Matched files: `src/lib/actions/sandbox/snapshot-create-stream-test-types.ts`, `src/lib/actions/sandbox/snapshot.ts`, `src/lib/onboard.ts`, `src/lib/onboard/created-sandbox-failure.ts`, `src/lib/onboard/sandbox-create-launch.ts`.. Deterministic regression risks require live validation: lifecycle-state, upgrade-rebuild.
  • PRA-T3 Runtime validation — Run the `state-backup-restore` E2E job for Upgrade, rebuild, snapshot, and restore operations must preserve user state while replacing stale runtime state. Matched files: `src/lib/actions/sandbox/snapshot-create-stream-test-types.ts`, `src/lib/actions/sandbox/snapshot.ts`.. Deterministic regression risks require live validation: lifecycle-state, upgrade-rebuild.
  • PRA-T4 Runtime validation — Run the `upgrade-stale-sandbox` E2E job for Upgrade, rebuild, snapshot, and restore operations must preserve user state while replacing stale runtime state. Matched files: `src/lib/actions/sandbox/snapshot-create-stream-test-types.ts`, `src/lib/actions/sandbox/snapshot.ts`.. Deterministic regression risks require live validation: lifecycle-state, upgrade-rebuild.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: onboard-repair, onboard-resume, state-backup-restore, upgrade-stale-sandbox, cloud-onboard
Optional E2E: sandbox-operations

Dispatch hint: onboard-repair,onboard-resume,state-backup-restore,upgrade-stale-sandbox,cloud-onboard

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • onboard-repair: Required by the deterministic lifecycle-state risk plan. The onboarding create/readiness/failure changes must be validated against repair flows where persisted metadata, gateway state, and live sandbox state must converge after partial failures.
  • onboard-resume: Required by the deterministic lifecycle-state risk plan. The sandbox create orchestration and failure reporting changes can affect resume after interrupted or incomplete onboarding, so live resume coverage is required rather than relying only on unit tests.
  • state-backup-restore: Required by the deterministic upgrade-rebuild risk plan. Snapshot restore auto-create and create-stream changes can affect backup restore correctness, retryability, and avoiding ghost destination sandboxes.
  • upgrade-stale-sandbox: Required by the deterministic upgrade-rebuild risk plan. Restore/rebuild flows must preserve user state while replacing stale runtime state, and this PR changes snapshot restore create execution and failure behavior.
  • cloud-onboard: The PR changes the full hosted onboarding sandbox creation path, including command argv construction, readiness gating, create failure handling, and cleanup after readiness failure. A full hosted onboarding run is required to validate the real user flow end to end.

Optional E2E

  • sandbox-operations: Useful adjacent coverage for general sandbox lifecycle operations because create-stream argv/readiness behavior and snapshot restore auto-create touch sandbox lifecycle mechanics.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: onboard-repair,onboard-resume,state-backup-restore,upgrade-stale-sandbox,cloud-onboard

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: onboard-repair, onboard-resume, state-backup-restore, upgrade-stale-sandbox
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-repair
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-resume
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=state-backup-restore
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=upgrade-stale-sandbox

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • onboard-repair: Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-repair
  • onboard-resume: Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-resume
  • state-backup-restore: Upgrade, rebuild, snapshot, and restore operations must preserve user state while replacing stale runtime state.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=state-backup-restore
  • upgrade-stale-sandbox: Upgrade, rebuild, snapshot, and restore operations must preserve user state while replacing stale runtime state.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=upgrade-stale-sandbox

Optional E2E targets

  • None.

Relevant changed files

  • src/lib/actions/sandbox/snapshot-create-stream-test-types.ts
  • src/lib/actions/sandbox/snapshot.ts
  • src/lib/onboard.ts
  • src/lib/onboard/created-sandbox-failure.ts
  • src/lib/onboard/sandbox-create-launch.ts
  • src/lib/onboard/sandbox-create-step.ts
  • src/lib/sandbox/create-stream-progress.ts
  • src/lib/sandbox/create-stream-ready-gate.ts
  • src/lib/sandbox/create-stream-test-fixtures.ts
  • src/lib/sandbox/create-stream.ts

@Dongni-Yang Dongni-Yang added the v0.0.72 Release target label Jul 8, 2026
@jyaunches jyaunches added v0.0.79 Release target and removed v0.0.72 Release target labels Jul 9, 2026
jyaunches added 18 commits July 8, 2026 20:18
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exact-head follow-up at 08a1308dcf: three requested items are now addressed. The new restore auto-create failure regression proves a status-7 create neither registers nor restores a sandbox; the snapshot mock has the typed argv shape and complete result; and the legacy shell overload now has the #6258 removal condition. The focused exact-head suite passes 108/108.

Two merge blockers remain:

  1. The argv overload still declares env?, while the implementation defaults envOrOptions to {} and passes that empty environment to spawn when callers omit it (create-stream.ts:84-100). This silently drops PATH, HOME, and inherited configuration. Please either require env in the argv contract or default the argv branch to process.env, with a focused regression. The refreshed GPT advisor independently reports this as PRA-2.
  2. There is still no exact-head lifecycle/restore E2E at 08a1308dcf; the newest successful run is 28998347989 at 7a3f18f. After the source fix, update the PR evidence and run the requested exact-head cloud-onboard, onboard-repair, onboard-resume, state-backup-restore, upgrade-stale-sandbox, and snapshot-commands set.

The remaining dashboard/stdio/initial-phase/snapshot-success automated items stay non-blocking for the reasons already recorded. Current standard CI is still finishing with no failures so far.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 29003632720
Workflow ref: fix/6258-extract-onboard-create-orchestration
Requested targets: (default — all supported)
Requested jobs: onboard-repair,onboard-resume,state-backup-restore,upgrade-stale-sandbox,cloud-onboard,snapshot-commands
Summary: 4 passed, 2 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
onboard-repair ✅ success
onboard-resume ❌ failure
snapshot-commands ❌ failure
state-backup-restore ✅ success
upgrade-stale-sandbox ✅ success

Failed jobs: onboard-resume, snapshot-commands. Check run artifacts for logs.

@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

The selective lifecycle failure is now diagnosed and is not caused by this PR's create-stream diff.

Run 29003632720 at c7a9b417af passed cloud-onboard, onboard-repair, state-backup-restore, and upgrade-stale-sandbox; onboard-resume and snapshot-commands both failed when an authenticated openshell sandbox exec ... -- sh -lc ... sourced /tmp/nemoclaw-proxy-env.sh.

Main commit 1ff885596 introduced builtin readonly / builtin unset into that generated file. /bin/sh does not provide the Bash builtin command (builtin: not found, exit 127), so the fail-closed branch emits NemoClaw rejected a conflicting gateway trust anchor, and the ambient gateway token could not be cleared. scripts/nemoclaw-start.sh is not part of #6444's PR diff.

The current 7f80f0aa3 head only merges newer main and still contains this mainline regression. I am not dispatching another live run until that shell-compatibility issue is corrected. #6444 should remain unapproved until a fresh exact-head lifecycle run can pass after the main fix.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Exact-head follow-up at 04581fcfe: the refreshed GPT finding about cross-stream partial lines was valid and is fixed. streamSandboxCreate now buffers stdout and stderr independently; the interleaving regression failed before the fix and the focused suite now passes 19/19. The commit is GitHub-verified, CLI build/typecheck pass, and normal commit/push hooks pass. No user-facing docs change is needed.

The remaining advisor cleanup warning does not require another source change: the non-GPU failed-sandbox deletion was mechanically extracted from behavior already on main since 3205c12c1/#3434. It cleans up the exact owned sandbox NemoClaw created, has exact-name/manual-fallback/GPU-path unit coverage, and is not a temporary workaround needing a removal condition.

This head still cannot be approved:

  • Ordinary CI has one unrelated root failure: policy-channel-list.test.ts:260 hit the shared 5-second timeout in cli-test-shards (3); cli-tests and checks are derivative. The same unchanged test repeated on docs(security): add credential rotation guide #6266, so I am not adding timeout churn to this PR.
  • Current-head lifecycle evidence remains unavailable because the mainline /bin/sh trust-anchor regression documented above is still present. I also recorded that regression on #6496.

No further #6444 source request is being made at this point; the blockers are required CI and fresh runtime evidence after the main fix.

@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

The confirmed mainline shell-portability blocker now has a narrow follow-up in #6560. It replaces the Bash-only generated builtin readonly/builtin unset calls with command readonly/command unset and adds POSIX sh coverage for successful repeated sourcing, a conflicting readonly anchor, and untrusted WhatsApp gateway token stripping. Once #6560 lands, merge updated main here and rerun the requested exact lifecycle/restore E2E set; no additional #6444 production change is needed for this blocker.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29021019725
Workflow ref: fix/6258-extract-onboard-create-orchestration
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,onboard-repair,onboard-resume,state-backup-restore,upgrade-stale-sandbox,snapshot-commands
Summary: 6 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
onboard-repair ✅ success
onboard-resume ✅ success
snapshot-commands ✅ success
state-backup-restore ✅ success
upgrade-stale-sandbox ✅ success

@jyaunches

Copy link
Copy Markdown
Contributor

Current-head closeout after #6560 landed:

  • Branch is current with main at 82518f7e6f69c39d9bc04f63a365753aac7b1b6d.
  • Required PR CI is green; the only earlier red was cli-test-shards (3) timing out in unchanged policy-channel-list.test.ts, and the failed jobs reran green in run 29020966802.
  • Required exact-head E2E passed in run 29021019725: cloud-onboard, onboard-repair, onboard-resume, state-backup-restore, upgrade-stale-sandbox, and snapshot-commands.
  • PR body verification evidence is updated to the current head/run.

No additional #6444 source changes appear needed; ready for approval once the stale CHANGES_REQUESTED review is cleared.

@jyaunches jyaunches requested a review from cv July 9, 2026 14:25
@jyaunches jyaunches merged commit 1f05438 into main Jul 9, 2026
136 of 139 checks passed
@jyaunches jyaunches deleted the fix/6258-extract-onboard-create-orchestration branch July 9, 2026 15:26
@jyaunches jyaunches mentioned this pull request Jul 9, 2026
21 tasks
cv pushed a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- #6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- #6271 and #6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- #6465, #6539, #6570, and #6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- #6523, #6551, #6484, #6488, #6324, and #6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- #6559, #6538, #6560, #6568, #6552, #6567, and #6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- #6541, #5415, #6246, #6496, and #6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- #6253, #6572, #6444, #6536, and #5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- #6508, #6527, #5506, #6588, #6446, #6447, #6582, #6296, #6367, #6397,
and #6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…e step into modules (NVIDIA#6444)

<!-- markdownlint-disable MD041 -->
## Summary

Extracts cohesive units of the sandbox create/register orchestration out
of the ~4,900-line `src/lib/onboard.ts` entrypoint into focused modules
under `src/lib/onboard/`, following the injected-deps boundary style
established by `created-sandbox-finalization.ts` (NVIDIA#6332). The primary
goal is maintainability and independent unit-test coverage for the
create path, with intentional safety/behavior refinements discovered
during review: redacted create-output failure echoing, preservation of
non-zero create-stream status when readiness fails, direct argv spawning
for trusted create paths, fail-closed Docker-GPU create-poll side-effect
handling, and redacted trace reporting for poll/readiness errors.

Note on the issue's premise: NVIDIA#6258 cites a `+27 net lines` growth-guard
violation from NVIDIA#6166. That premise is stale — the merged NVIDIA#6166 left
`onboard.ts` net-smaller, and NVIDIA#6276/NVIDIA#6332 shrank it further, so the
guard (`.github/workflows/codebase-growth-guardrails.yaml`, a per-PR
net-neutral diff gate) is not currently red. This PR is therefore
incremental maintainability work; it keeps `onboard.ts`
net-neutral-or-smaller so the gate stays green.

## Related Issue

Refs NVIDIA#6258

<!-- Refs (not Fixes): this PR lands two increments of a larger
extraction; the remaining create/finalize wiring is left for follow-ups,
so the issue should stay open. -->

## Changes

- Add `src/lib/onboard/created-sandbox-failure.ts`:
`reportSandboxCreateFailure` (warns-and-continues on an incomplete
create; otherwise prints diagnostics + recovery hints and exits) and
`reportSandboxReadinessFailure` (prints the readiness failure, defers
cleanup to the Docker-GPU patch or deletes the failed sandbox, then
exits). `onboard.ts` replaces the two inline blocks with module calls —
net −2 lines.
- Add `src/lib/onboard/sandbox-create-step.ts`: `runSandboxCreateStep`
encapsulates the BuildKit prebuild handoff → Docker-GPU create-patch
provisioning → create-stream behind a context + injected-deps boundary.
This move is **line-neutral** on `onboard.ts`; its value is a named,
unit-testable boundary (the `prepare → patch → stream` sequence is now
testable without standing up the entrypoint), not a size reduction.
Build-context and exit-listener cleanup stay with the caller that armed
them.
- Add focused unit tests across `created-sandbox-failure.test.ts`,
`sandbox-create-step.test.ts`, `sandbox-create-launch.test.ts`,
`create-stream.test.ts`, `create-stream-argv.test.ts`, and
`create-stream-ready-gate.test.ts` covering failure branches, redaction,
exit-code preservation, GPU vs non-GPU readiness cleanup,
prebuild/patch/stream wiring, direct argv spawn boundaries,
terminal-agent/default-driver ready-check gating, fail-closed `onPoll`
error handling, and redacted poll/readiness trace behavior.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: no CLI flags, commands,
configuration, or documented user workflow changed. The user-visible
differences are limited to safer failure-path diagnostics (credential
redaction), more accurate readiness-failure exit status, and fail-closed
create-poll error handling.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: onboarding/sandbox
path. Extraction boundaries were verified against the pre-extraction
source; intentional safety refinements are explicitly covered by tests:
create output is redacted before failure logging, readiness failure
preserves a non-zero create-stream status instead of flattening to `1`,
Docker-GPU during-create polling is isolated from readiness detection
via `onPoll`, escaping poll errors abort create with classified/generic
failure text plus redacted trace emission, and ready-check exceptions
emit redacted trace evidence without falsely forcing Ready. Requesting
maintainer sensitive-path review.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result: `npx vitest run
--project cli src/lib/actions/sandbox/snapshot.test.ts
src/lib/onboard/created-sandbox-failure.test.ts
src/lib/onboard/sandbox-create-launch.test.ts
src/lib/onboard/sandbox-create-step.test.ts
src/lib/sandbox/create-stream.test.ts
src/lib/sandbox/create-stream-ready-gate.test.ts
src/lib/sandbox/create-stream-argv.test.ts` → 107 passed; `npx tsc
--noEmit --pretty false --project tsconfig.cli.json` → clean; `npm run
test-size:check` → passed; `npx prek run --all-files --stage pre-commit
--skip source-shape-test-budget --skip test-skills-yaml` → passed; `npm
run test-conditionals:scan -- --top 25` → no new changed-file
conditional failures; `git diff --check` → clean.
- [x] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: Required live E2E run
[29021019725](https://github.com/NVIDIA/NemoClaw/actions/runs/29021019725)
passed on exact head `82518f7e6f69c39d9bc04f63a365753aac7b1b6d`:
`cloud-onboard`, `onboard-repair`, `onboard-resume`,
`state-backup-restore`, `upgrade-stale-sandbox`, and `snapshot-commands`
all succeeded. PR CI checks also passed on the same head after rerunning
flaky `policy-channel-list.test.ts` shard timeout (`cli-test-shards
(3)`).
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Dongni Yang <dongniy@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Improved sandbox onboarding using a dedicated creation step that
centralizes prebuild handoff, streaming create execution, GPU patch
wiring, and readiness capture.
* **Bug Fixes**
* More consistent, centralized handling for both create failures and
readiness failures, including redacted output, clearer diagnostics, and
reliable retry guidance.
* Safer cleanup on readiness failures to avoid same-name collisions,
with correct behavior for GPU-enabled flows.
* **Tests**
* Added coverage for create/readiness failure reporting, exit-code
fallback, cleanup/command messaging, and early-detach behavior in
create-stream.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- NVIDIA#6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- NVIDIA#6271 and NVIDIA#6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- NVIDIA#6465, NVIDIA#6539, NVIDIA#6570, and NVIDIA#6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- NVIDIA#6523, NVIDIA#6551, NVIDIA#6484, NVIDIA#6488, NVIDIA#6324, and NVIDIA#6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- NVIDIA#6559, NVIDIA#6538, NVIDIA#6560, NVIDIA#6568, NVIDIA#6552, NVIDIA#6567, and NVIDIA#6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- NVIDIA#6541, NVIDIA#5415, NVIDIA#6246, NVIDIA#6496, and NVIDIA#6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- NVIDIA#6253, NVIDIA#6572, NVIDIA#6444, NVIDIA#6536, and NVIDIA#5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- NVIDIA#6508, NVIDIA#6527, NVIDIA#5506, NVIDIA#6588, NVIDIA#6446, NVIDIA#6447, NVIDIA#6582, NVIDIA#6296, NVIDIA#6367, NVIDIA#6397,
and NVIDIA#6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.79 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants