fix(onboard): scope live inference recovery to sandbox#6634
Conversation
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 77%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughRecorded provider recovery now uses registry sandbox authority and caller session identity. Unauthorized recorded state and pending routes are rejected, while authorized sessions can recover persisted provider data. Onboarding propagates this context through provider inference, setupNim, and route setup. ChangesProvider recovery
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Onboard
participant ProviderInference
participant ProviderRecovery
participant SetupNim
participant SetupInference
Onboard->>ProviderInference: Pass recovery session identity
ProviderInference->>ProviderRecovery: Get sandbox recovery authority
ProviderRecovery-->>ProviderInference: Return recovery authority
ProviderInference->>SetupNim: Pass recovery decision and session identity
SetupNim->>SetupInference: Pass ownership recheck callback
SetupInference->>SetupInference: Abort when reservation ownership is lost
Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
🚨 Required before mergeAddress these before merging unless a maintainer explicitly overrides the advisor with rationale.
|
PR Review Advisor — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
Review findings by urgency: 0 required fixes, 2 items to resolve/justify, 0 in-scope improvements
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/lib/onboard/provider-recovery.ts (1)
134-167: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winExtract shared identity-gating logic to eliminate duplication.
readRecordedProviderandreadRecordedModelare now near-identical apart from the field name (providervsmodel), including the newhasRecordedSandboxIdentitytracking, the try/catch structure, and the live-gateway fallback gate. This doubles the maintenance surface for a very security-sensitive check (the exact logic this PR is fixing) — any future edit risks fixing one copy and missing the other.As per coding guidelines,
**/*.{js,ts}should "Keep function complexity low in JavaScript and TypeScript code," and this duplication is a good candidate to consolidate into a single generic helper.♻️ Proposed refactor: shared field-reader helper
+ function readRecordedField( + sandboxName: string, + field: "provider" | "model", + ): string | null { + let hasRecordedSandboxIdentity = false; + try { + const entry = registry.getSandbox(sandboxName); + hasRecordedSandboxIdentity = Boolean(entry); + const value = entry?.[field]; + if (typeof value === "string" && value) return value; + } catch { + // fall through to session + } + try { + const session = onboardSession.loadSession(); + if (session && session.sandboxName === sandboxName) { + hasRecordedSandboxIdentity = true; + const value = session[field]; + if (typeof value === "string" && value) return value; + } + } catch { + // fall through + } + // An empty registry does not prove that the gateway's residual route + // belongs to this requested sandbox name. Require a matching registry or + // session identity before using that route as rebuild recovery state; + // otherwise a brand-new sandbox inherits the previous sandbox's model. + if (!hasRecordedSandboxIdentity) return null; + const live = readLiveInference(sandboxName); + const liveValue = live?.[field]; + return typeof liveValue === "string" && liveValue ? liveValue : null; + } + function readRecordedProvider(sandboxName: string | null | undefined): string | null { if (!sandboxName) return null; - let hasRecordedSandboxIdentity = false; - try { - const entry = registry.getSandbox(sandboxName); - hasRecordedSandboxIdentity = Boolean(entry); - if (entry && typeof entry.provider === "string" && entry.provider) { - return entry.provider; - } - } catch { - // fall through to session - } - try { - const session = onboardSession.loadSession(); - if (session && session.sandboxName === sandboxName) { - hasRecordedSandboxIdentity = true; - if (typeof session.provider === "string" && session.provider) { - return session.provider; - } - } - } catch { - // fall through to live gateway - } - if (!hasRecordedSandboxIdentity) return null; - const live = readLiveInference(sandboxName); - if (live && typeof live.provider === "string" && live.provider) { - return live.provider; - } - return null; + return readRecordedField(sandboxName, "provider"); }Apply the analogous simplification to
readRecordedModel. Note the diff is illustrative — verify theInferenceSelection/session types allow index access onfieldwithout excessive type assertions.Also applies to: 195-224
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/onboard/provider-recovery.ts` around lines 134 - 167, Extract the duplicated identity-gating and fallback flow from readRecordedProvider and readRecordedModel into one generic helper that accepts the requested sandbox name and field key (provider or model), safely reads registry/session values, requires a recorded identity before consulting readLiveInference, and returns the selected string or null. Refactor both functions to delegate to this helper, preserving their existing behavior and using minimal type assertions compatible with the InferenceSelection and session types.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/lib/onboard/provider-recovery.ts`:
- Around line 134-167: Extract the duplicated identity-gating and fallback flow
from readRecordedProvider and readRecordedModel into one generic helper that
accepts the requested sandbox name and field key (provider or model), safely
reads registry/session values, requires a recorded identity before consulting
readLiveInference, and returns the selected string or null. Refactor both
functions to delegate to this helper, preserving their existing behavior and
using minimal type assertions compatible with the InferenceSelection and session
types.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: f6c515dc-f709-4313-8814-04151b9cc21e
📒 Files selected for processing (2)
src/lib/onboard/provider-recovery.test.tssrc/lib/onboard/provider-recovery.ts
E2E Target Results — ✅ All requested jobs passedRun: 29083126817
|
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29083689065
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/onboard.ts`:
- Around line 4420-4423: Move the recorded-provider recovery eligibility
decision out of the onboard entrypoint and into handleProviderInferenceState.
Pass the raw inputs (fresh, resume, sandboxName, session, and the registry
lookup capability) through coreFlowContext/deps, then call
providerRecovery.shouldRecoverRecordedProvider within the handler and use its
result there. Remove allowRecordedProviderRecovery from the entrypoint and
intermediate wiring.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 932ed885-ac6c-4e1a-aa51-a5f041bff8f9
📒 Files selected for processing (6)
src/lib/onboard.tssrc/lib/onboard/machine/core-flow-phases.tssrc/lib/onboard/machine/handlers/provider-inference.test.tssrc/lib/onboard/machine/handlers/provider-inference.tssrc/lib/onboard/provider-recovery.test.tssrc/lib/onboard/provider-recovery.ts
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29084488770
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/onboard/machine/handlers/provider-inference.ts`:
- Around line 324-330: Move the recoverRecordedProvider computation out of the
pre-loop initialization and recompute it immediately before each
deps.setupNim(...) call, using the current sandboxName, fresh, resume,
session?.sandboxName, and registered-sandbox status. Update all setupNim retry
paths, including selection retries, so the recovery decision reflects sandbox
names resolved during loop iterations.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 881b0550-770e-488a-af45-615819c87b18
📒 Files selected for processing (8)
src/lib/onboard.tssrc/lib/onboard/machine/core-flow-phases.test.tssrc/lib/onboard/machine/handlers/provider-inference-route-containment.test.tssrc/lib/onboard/machine/handlers/provider-inference.test-support.tssrc/lib/onboard/machine/handlers/provider-inference.test.tssrc/lib/onboard/machine/handlers/provider-inference.tssrc/lib/onboard/provider-recovery.test.tssrc/lib/onboard/provider-recovery.ts
💤 Files with no reviewable changes (1)
- src/lib/onboard/machine/handlers/provider-inference.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- src/lib/onboard/provider-recovery.test.ts
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29085347620
|
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/onboard/machine/handlers/provider-inference-recovery-gating.test.ts`:
- Around line 55-56: Update the “allows recovery for a registered sandbox” test
to make hasRegisteredSandbox in createDeps identity-sensitive: return true only
when called with "dc-after", record the invocation, and assert it was called
with exactly "dc-after" so incorrect or null sandbox lookups cannot pass.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 03a8f399-faf6-4b22-9e22-149e49d66de6
📒 Files selected for processing (3)
src/lib/onboard.tssrc/lib/onboard/machine/handlers/provider-inference-recovery-gating.test.tssrc/lib/onboard/provider-recovery.test.ts
🚧 Files skipped from review as they are similar to previous changes (2)
- src/lib/onboard/provider-recovery.test.ts
- src/lib/onboard.ts
E2E Target Results — ✅ All requested jobs passedRun: 29085927211
|
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29086523887
|
cv
left a comment
There was a problem hiding this comment.
Reviewed exact head ce957f129. The stale CodeRabbit architecture finding is fixed: the recovery decision now lives in handleProviderInferenceState, and I resolved that outdated thread.
One correctness blocker remains. onboard.ts currently supplies:
hasRegisteredSandbox: (name) => Boolean(registry.getSandbox(name))That treats a pendingRouteReservation placeholder as established sandbox identity. An abandoned reservation from an earlier onboarding session can therefore make shouldRecoverRecordedProvider() accept the old registry/live provider and model for a new attempt—the stale-identity case this PR is meant to prevent.
Please sequence this with #6626, which adds reservationSessionId / isPendingReservationForSession, then make recovery eligible only for either:
- a fully registered sandbox row (
pendingRouteReservation !== true), or - a pending reservation owned by the current onboard
session.sessionId.
Add a negative regression for an orphaned/other-session pending reservation with a stale route (the new DCode attempt must retain its agent default), plus the positive same-session resume case. Rebase on current main and refresh the exact-head gates/live evidence after the overlap is resolved.
|
Status update — branch tip #6626 is merged, and this branch was synced with What is fixed:
Verification:
Advisor disposition:
Human review state:
Platform note: the protected branch ref and commit API both show verified tip |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
✅ Action performedReview finished.
|
E2E Target Results — ✅ All requested jobs passedRun: 29123478046
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/lib/onboard/provider-recovery.test.ts (1)
118-158: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winAdd coverage for an orphaned reservation with no active session identity.
The
classifySandboxRecoveryAuthoritymatrix covers orphaned vs. foreign vs. owned pending reservations, all against a concretesessionId: "session-current". It never exercises the combination of an orphaned reservation (entry.reservationSessionIdunset) withsessionId: null/undefined— the scenario where no active onboard session exists at all. Given this function is the core authorization gate this PR introduces to fix#6630, adding this case would close a residual coverage gap on a security-relevant path.🧪 Suggested additional case
{ label: "another session's pending reservation", entry: pending("session-other"), sessionId: "session-current", expected: "unauthorized", }, + { + label: "orphaned reservation with no active session", + entry: pending(), + sessionId: null, + expected: "unauthorized", + },🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/onboard/provider-recovery.test.ts` around lines 118 - 158, Add a parameterized test case to the “sandbox recovery authority” matrix for a pending reservation without reservationSessionId and with no active session identity (sessionId null or undefined), asserting classifySandboxRecoveryAuthority returns “unauthorized”.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/lib/onboard/provider-recovery.test.ts`:
- Around line 118-158: Add a parameterized test case to the “sandbox recovery
authority” matrix for a pending reservation without reservationSessionId and
with no active session identity (sessionId null or undefined), asserting
classifySandboxRecoveryAuthority returns “unauthorized”.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: cefabc99-474c-4c04-b783-d4015a563a26
📒 Files selected for processing (9)
src/lib/onboard.tssrc/lib/onboard/machine/core-flow-phases.test.tssrc/lib/onboard/machine/handlers/provider-inference-recovery-gating.test.tssrc/lib/onboard/machine/handlers/provider-inference-route-containment.test.tssrc/lib/onboard/machine/handlers/provider-inference.test-support.tssrc/lib/onboard/machine/handlers/provider-inference.test.tssrc/lib/onboard/machine/handlers/provider-inference.tssrc/lib/onboard/provider-recovery.test.tssrc/lib/onboard/provider-recovery.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- src/lib/onboard/machine/handlers/provider-inference.test.ts
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
@coderabbitai review |
✅ Action performedReview finished.
|
E2E Target Results — ✅ All requested jobs passedRun: 29125206127
|
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Exact-head security follow-up for
This head is not approval-ready yet because required CI is red:
The five required live jobs passed on |
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29127739163
|
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
E2E Target Results — ✅ All requested jobs passedRun: 29129518218
|
<!-- markdownlint-disable MD041 --> ## Summary Preserve the preflighted compatible-endpoint recovery authority while an authoritative rebuild revalidates messaging inference after deleting the old sandbox. This prevents the recreate flow from falling back to NVIDIA Endpoints and demanding an unrelated host key. ## Related Issue Regression follow-up to #6634. ## Changes - Thread authoritative rebuild context into recorded-provider recovery. - Keep ordinary incomplete sessions, fresh sandboxes, mismatched identities, and foreign reservations fail-closed. - Cover both the recovery gate and the two-pass messaging revalidation flow. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: internal rebuild recovery correction; commands and documented behavior are unchanged - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending maintainer review; the change retains #6634's fresh, mismatched, and unauthorized recovery denials - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run --project cli src/lib/onboard/machine/handlers/provider-inference-recovery-gating.test.ts src/lib/onboard/machine/handlers/provider-inference.test.ts` (44 passed); adjacent recovery/rebuild selection (126 passed) - [ ] Applicable broad gate passed — full CLI project: 8,101 passed; six unrelated local prerequisite/time-budget failures, with timeout cases passing under a realistic budget; CI remains authoritative - [ ] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved provider inference recovery for authoritative resume flows, including incomplete onboarding sessions. * Recovery behavior now correctly accounts for sandbox/session context and foreign reservation flags. * Added stronger validation for preflighted locked rebuild resumes, with clearer blocking when required authoritative conditions are missing. * **Tests** * Added new test coverage for authoritative incomplete-session recovery across matching/mismatched sandboxes and reservation scenarios. * Expanded assertions to verify inference setup inputs and recovery gating behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
## Summary Release-prep documentation for **v0.0.80**. Adds the `## v0.0.80` section to `docs/about/release-notes.mdx` summarizing user-facing changes since v0.0.79, each bullet linking to the relevant deeper page. Produced via `nemoclaw-contributor-update-docs` (pre-tag path): scanned `v0.0.79..HEAD`, applied the docs skip list (no violations), and confirmed the 8 commits that already shipped in-PR docs are complete. No new pages needed. ## Source summary - #6507 -> `docs/about/release-notes.mdx`: Hermes v0.18 + Slack Block Kit (rich rendering, digest-pinned base image). - #6584 / #6616 -> `docs/about/release-notes.mdx`: host-local OpenRouter runtime attribution adapter (port `11437`, `NEMOCLAW_OPENROUTER_RUNTIME_ADAPTER_PORT`) and native Deep Agents `openrouter` provider. - #6210 / #6292 -> `docs/about/release-notes.mdx`: host corporate proxy CA import into sandbox trust (`NEMOCLAW_CORPORATE_CA_BUNDLE`, `NEMOCLAW_CORPORATE_CA_IMPORT`). - #6624 / #6623 / #6656 -> `docs/about/release-notes.mdx`: release-matched base-image selection, surfaced cluster-image build diagnostics, preserved Nemotron profile registration. - #6629 / #6637 -> `docs/about/release-notes.mdx`: bare `connect` default-sandbox behavior and route-probe hardening. - #6634 / #6626 / #6596 / #5569 / #6610 / #6655 -> `docs/about/release-notes.mdx`: onboarding/recovery preservation, stale-gateway-PID fix, installer backup message, vLLM label on managed platforms. - #6578 / #5670 -> `docs/about/release-notes.mdx`: automatic Hermes light terminal skin and non-interactive `npx` MCP server startup. ## Verification `npm run docs`: 0 errors, all internal links resolve (2 pre-existing hidden-page warnings). `_build/` variants for OpenClaw, Hermes, and Deep Agents all regenerate with the v0.0.80 section. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added release notes for v0.0.80. * Documented Hermes upgrades, including Slack Block Kit rendering. * Added details on OpenRouter traffic routing and attribution headers. * Documented improved proxy certificate handling and sandbox reliability. * Highlighted enhanced connection defaults, route-probing safeguards, onboarding recovery, and terminal/MCP startup behavior. * Added references to relevant user-guide documentation. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
<!-- markdownlint-disable MD041 --> ## Summary Prevent a newly named sandbox from inheriting a stale inference provider and model left on an otherwise unowned OpenShell gateway. Live gateway recovery now requires matching registry or onboard-session identity, so Deep Agents Code can apply its Ultra agent default. ## Related Issue Fixes NVIDIA#6630 ## Changes - Gate live gateway provider/model recovery on a matching sandbox registry row or onboard session. - Add a regression test for an empty registry with a stale Super route and a brand-new dcode sandbox name. - Preserve and test live-route recovery for a real rebuild with a matching session identity. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: This restores the documented dcode agent default without changing commands, flags, or user-facing configuration. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Focused recovery-boundary review confirms live state is accepted only after durable sandbox identity is established; positive rebuild coverage protects the intended recovery path. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: `npx vitest run src/lib/onboard/provider-recovery.test.ts src/lib/onboard/setup-nim-flow.test.ts src/lib/onboard/machine/handlers/provider-inference.test.ts --project cli` — 61 passed. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Chengjie Wang <chengjiew@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Tightened onboarding recorded-provider recovery with sandbox recovery authority checks, preventing recovery when authorization is missing/unauthorized or when session identity is incomplete or mismatched. * Refined pending route handling during recovery so pending-route readers only succeed for the owning current session; otherwise they return no result. * Fail-closed behavior: when recovery authority can’t be confirmed or ownership is lost during setup, the flow stops and emits a warning/error. * **Tests** * Added/expanded automated coverage for recovery gating, pending-route ownership, and retry/setup parameter correctness. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Chengjie Wang <chengjiew@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Charan Jagwani <cjagwani@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Preserve the preflighted compatible-endpoint recovery authority while an authoritative rebuild revalidates messaging inference after deleting the old sandbox. This prevents the recreate flow from falling back to NVIDIA Endpoints and demanding an unrelated host key. ## Related Issue Regression follow-up to NVIDIA#6634. ## Changes - Thread authoritative rebuild context into recorded-provider recovery. - Keep ordinary incomplete sessions, fresh sandboxes, mismatched identities, and foreign reservations fail-closed. - Cover both the recovery gate and the two-pass messaging revalidation flow. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: internal rebuild recovery correction; commands and documented behavior are unchanged - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending maintainer review; the change retains NVIDIA#6634's fresh, mismatched, and unauthorized recovery denials - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run --project cli src/lib/onboard/machine/handlers/provider-inference-recovery-gating.test.ts src/lib/onboard/machine/handlers/provider-inference.test.ts` (44 passed); adjacent recovery/rebuild selection (126 passed) - [ ] Applicable broad gate passed — full CLI project: 8,101 passed; six unrelated local prerequisite/time-budget failures, with timeout cases passing under a realistic budget; CI remains authoritative - [ ] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved provider inference recovery for authoritative resume flows, including incomplete onboarding sessions. * Recovery behavior now correctly accounts for sandbox/session context and foreign reservation flags. * Added stronger validation for preflighted locked rebuild resumes, with clearer blocking when required authoritative conditions are missing. * **Tests** * Added new test coverage for authoritative incomplete-session recovery across matching/mismatched sandboxes and reservation scenarios. * Expanded assertions to verify inference setup inputs and recovery gating behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
## Summary Release-prep documentation for **v0.0.80**. Adds the `## v0.0.80` section to `docs/about/release-notes.mdx` summarizing user-facing changes since v0.0.79, each bullet linking to the relevant deeper page. Produced via `nemoclaw-contributor-update-docs` (pre-tag path): scanned `v0.0.79..HEAD`, applied the docs skip list (no violations), and confirmed the 8 commits that already shipped in-PR docs are complete. No new pages needed. ## Source summary - NVIDIA#6507 -> `docs/about/release-notes.mdx`: Hermes v0.18 + Slack Block Kit (rich rendering, digest-pinned base image). - NVIDIA#6584 / NVIDIA#6616 -> `docs/about/release-notes.mdx`: host-local OpenRouter runtime attribution adapter (port `11437`, `NEMOCLAW_OPENROUTER_RUNTIME_ADAPTER_PORT`) and native Deep Agents `openrouter` provider. - NVIDIA#6210 / NVIDIA#6292 -> `docs/about/release-notes.mdx`: host corporate proxy CA import into sandbox trust (`NEMOCLAW_CORPORATE_CA_BUNDLE`, `NEMOCLAW_CORPORATE_CA_IMPORT`). - NVIDIA#6624 / NVIDIA#6623 / NVIDIA#6656 -> `docs/about/release-notes.mdx`: release-matched base-image selection, surfaced cluster-image build diagnostics, preserved Nemotron profile registration. - NVIDIA#6629 / NVIDIA#6637 -> `docs/about/release-notes.mdx`: bare `connect` default-sandbox behavior and route-probe hardening. - NVIDIA#6634 / NVIDIA#6626 / NVIDIA#6596 / NVIDIA#5569 / NVIDIA#6610 / NVIDIA#6655 -> `docs/about/release-notes.mdx`: onboarding/recovery preservation, stale-gateway-PID fix, installer backup message, vLLM label on managed platforms. - NVIDIA#6578 / NVIDIA#5670 -> `docs/about/release-notes.mdx`: automatic Hermes light terminal skin and non-interactive `npx` MCP server startup. ## Verification `npm run docs`: 0 errors, all internal links resolve (2 pre-existing hidden-page warnings). `_build/` variants for OpenClaw, Hermes, and Deep Agents all regenerate with the v0.0.80 section. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added release notes for v0.0.80. * Documented Hermes upgrades, including Slack Block Kit rendering. * Added details on OpenRouter traffic routing and attribution headers. * Documented improved proxy certificate handling and sandbox reliability. * Highlighted enhanced connection defaults, route-probing safeguards, onboarding recovery, and terminal/MCP startup behavior. * Added references to relevant user-guide documentation. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Prevent a newly named sandbox from inheriting a stale inference provider and model left on an otherwise unowned OpenShell gateway. Live gateway recovery now requires matching registry or onboard-session identity, so Deep Agents Code can apply its Ultra agent default.
Related Issue
Fixes #6630
Changes
Type of Change
Quality Gates
Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpx vitest run src/lib/onboard/provider-recovery.test.ts src/lib/onboard/setup-nim-flow.test.ts src/lib/onboard/machine/handlers/provider-inference.test.ts --project cli— 61 passed.npm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — command/result:npm run docsbuilds without warnings (doc changes only)Signed-off-by: Chengjie Wang chengjiew@nvidia.com
Summary by CodeRabbit