NemoClaw/SECURITY.md
Aaron Erickson 🦞 8b307c07d5
fix(dcode): stop persisting LangSmith variables (#6219)
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->

Stops Deep Agents Code startup from copying inherited LangSmith tracing
and project values into the sandbox-readable runtime shell environment.
This closes the final review gap from #6206 while preserving the managed
proxy and trust-store contract.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->

Follow-up to #6206 and #6191.

## Changes
<!-- Bullet list of key changes. -->

- Exclude LangSmith tracing and both project variables from
`/tmp/nemoclaw-proxy-env.sh`.
- Extend the real `start.sh` fixture with valid-shape `lsv2_pt_...` and
`lsv2_sk_...` tracing and project values and prove none reaches the
emitted file.
- Align the documented `0444` risk acceptance and Deep Agents Code
quickstart with the narrowed persisted environment.
- Require existing Deep Agents Code sandboxes to rebuild after upgrading
because `start.sh` is baked into the image.
- Local verification: 54 focused tests, CLI build/typecheck, Bash
syntax, ShellCheck, shfmt, Biome, test-title/source-shape/test-size
guards, conditional scan, secret scan, and docs validation passed. The
broad macOS `test-cli` hook remains non-green on unrelated Linux-only
PTY tests because BSD `script` rejects `-qec`; exact-head Linux CI is
authoritative.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved shared runtime environment generation to exclude LangSmith
“project” settings and avoid persisting any token-shaped/secret-shaped
values.
* Updated proxy environment handling to use normalized proxy
configuration while inheriting safe trust-store paths only.

* **Documentation**
* Refreshed security and quickstart guidance to clarify what
tracing-related values are intentionally not saved.
* Added upgrade note: rebuild existing sandboxes from older releases to
pick up the fix.

* **Tests**
* Strengthened CI to fail if any secret-shaped values appear in emitted
environment output, and to verify the forbidden LangSmith project
variables are not present.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
2026-07-02 20:29:32 -07:00

Security

NVIDIA is dedicated to the security and trust of its software products and services, including all source code repositories managed through our organization.

If you need to report a security issue, use the appropriate contact points outlined below. DO NOT report security vulnerabilities through public GitHub issues or pull requests. If a potential security issue is inadvertently reported through a public channel, NVIDIA maintainers may limit public discussion and redirect the reporter to the appropriate private disclosure channels.

How to Report a Vulnerability

Report a potential security vulnerability in NemoClaw or any NVIDIA product through one of the following channels.

NVIDIA Vulnerability Disclosure Program

Submit a report through the NVIDIA Vulnerability Disclosure Program. This is the preferred method for reporting security concerns across all NVIDIA products.

Email

Send an encrypted email to psirt@nvidia.com. Use the NVIDIA public PGP key to encrypt the message.

GitHub Private Vulnerability Reporting

You can use GitHub's private vulnerability reporting to submit a report directly on this repository. Navigate to the Security tab and select Report a vulnerability.

What to Include

Provide as much of the following information as possible:

  • Product name and version or branch that contains the vulnerability.
  • Type of vulnerability (code execution, denial of service, buffer overflow, privilege escalation, etc.).
  • Step-by-step instructions to reproduce the vulnerability.
  • Proof-of-concept or exploit code.
  • Potential impact, including how an attacker could exploit the vulnerability.

Detailed reports help NVIDIA evaluate and address issues faster.

What to Expect

NVIDIA's Product Security Incident Response Team (PSIRT) triages all incoming reports. After submission:

  1. NVIDIA acknowledges receipt and begins analysis.
  2. NVIDIA validates the report and determines severity.
  3. NVIDIA develops and tests corrective actions.
  4. NVIDIA publishes a security bulletin and releases a fix.

Visit the PSIRT Policies page for details on timelines and acknowledgement practices.

While NVIDIA does not currently have a public bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy.

NVIDIA Product Security

For security bulletins, PSIRT policies, and all security-related concerns, visit the NVIDIA Product Security portal. Subscribe to notifications on that page to receive alerts when new bulletins are published.

Documented Risk Acceptances

The following security-relevant defaults are intentional. Each item names the code path that carries the constraint and the compensating controls that make the trade-off acceptable.

Deep Agents Code proxy env file is world-readable (mode 0444)

  • Location: agents/langchain-deepagents-code/start.sh (prepare_runtime_env)
  • Constraint: /tmp/nemoclaw-proxy-env.sh is sandbox-user-owned convenience state, not an integrity boundary. It is created with mode 0444 so independent login and exec shells can source the same credential-free settings. The Deep Agents Code runtime deliberately runs as the non-root sandbox user, unlike the root-supervised OpenClaw and Hermes startup paths.
  • Compensating controls:
    1. The file is credential-free by construction. prepare_runtime_env writes normalized proxy config and inherited trust-store paths. It does not persist LangSmith tracing, project, or API key variables.
    2. A regression test in test/langchain-deepagents-code-image.test.ts injects token-shaped values through LangSmith tracing and both project variables, scans the emitted env file against canonical token shapes, and fails CI if any secret-shaped value is present.
    3. The root-owned, image-baked proxy host/port files and direct dcode-launcher.sh boundary remain the routing source of truth. Focused and live login-shell checks compare the sourced convenience values with that root-owned source; file metadata checks detect accidental drift but do not claim sandbox-owner tamper resistance.
  • When to revisit: If a future change adds credential-shaped values to the env-file writer, or if the Deep Agents Code runtime moves back to the root-supervised startup model, revisit the mode and the compensating controls together.
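The writer and scanner that the compensating controls above describe, as an added example that is not NemoClaw's start.sh or its regression test: an allowlist-only writer for a sourceable proxy env file, a scan of the emitted file for forbidden variable names and the canonical lsv2_pt_/lsv2_sk_ token shapes, and a drift check for the documented 0444 mode. The specific variable names (LANGSMITH_TRACING, LANGCHAIN_TRACING_V2, LANGSMITH_PROJECT, LANGCHAIN_PROJECT, LANGSMITH_API_KEY, SSL_CERT_FILE and the other trust-store paths), the sample values, and the eight-or-more character token tail are assumptions for illustration; the page names only the prefixes and the categories of variables.

```sh
#!/bin/sh
# Added example, not NemoClaw's start.sh or its test file: an allowlist writer
# for a sourceable proxy env file plus the shape scan a regression test runs
# over what was actually emitted. Variable names (LANGSMITH_*, LANGCHAIN_*,
# SSL_CERT_*, ...) and the 8+ character token tail are assumptions; the page
# only names the lsv2_pt_/lsv2_sk_ prefixes and the variable categories.

# Everything not on these two allowlists stays out of the file by construction.
PROXY_VARS='http_proxy https_proxy no_proxy'
TRUST_VARS='SSL_CERT_FILE SSL_CERT_DIR REQUESTS_CA_BUNDLE NODE_EXTRA_CA_CERTS'
# Variables the scanner must never find exported in the emitted file (assumed names).
FORBIDDEN_VARS='LANGSMITH_TRACING LANGCHAIN_TRACING_V2 LANGSMITH_PROJECT LANGCHAIN_PROJECT LANGSMITH_API_KEY'
# Canonical LangSmith token shapes built from the page's prefixes (extended regex).
TOKEN_SHAPE='lsv2_(pt|sk)_[A-Za-z0-9]{8,}'

# sq VALUE: single-quote VALUE so the file sources safely even if the value
# contains quotes or spaces.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# proxy_value NAME: normalize the two spellings of a proxy variable, preferring
# the lower-case form, and print the chosen value (empty if neither is set).
proxy_value() {
  lower=$1
  upper=$(printf '%s' "$lower" | tr '[:lower:]' '[:upper:]')
  eval "v=\${$lower:-}"
  [ -n "$v" ] || eval "v=\${$upper:-}"
  printf '%s' "$v"
}

# write_proxy_env OUTFILE: emit only normalized proxy settings and inherited
# trust-store paths, then freeze the file at 0444. The content being
# credential-free is the control; the world-readable mode is the accepted risk.
write_proxy_env() {
  out=$1
  umask 022
  rm -f "$out"
  : > "$out"
  for name in $PROXY_VARS; do
    v=$(proxy_value "$name")
    if [ -n "$v" ]; then printf 'export %s=%s\n' "$name" "$(sq "$v")" >> "$out"; fi
  done
  for name in $TRUST_VARS; do
    eval "v=\${$name:-}"
    if [ -n "$v" ]; then printf 'export %s=%s\n' "$name" "$(sq "$v")" >> "$out"; fi
  done
  chmod 0444 "$out"
}

# scan_env_file FILE: succeed only if no forbidden variable is exported and no
# value anywhere in the file matches a canonical token shape (the CI guard).
scan_env_file() {
  f=$1
  rc=0
  for name in $FORBIDDEN_VARS; do
    if grep -q "^export $name=" "$f"; then
      echo "forbidden variable persisted: $name" >&2
      rc=1
    fi
  done
  if grep -Eq "$TOKEN_SHAPE" "$f"; then
    echo "secret-shaped value persisted" >&2
    rc=1
  fi
  return $rc
}

# check_env_mode FILE: drift check for the documented 0444. It detects an
# accidental mode change; it is not a tamper-resistance claim against the owner.
check_env_mode() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-r--r--r--" ]
}

# demo [OUTFILE]: constructed inherited environment (sample values, not real
# keys) carrying a proxy, a trust store and token-shaped LangSmith values.
# Returns 0 only if the writer kept the secrets out and the scan agrees.
demo() {
  out=${1:-/tmp/nemoclaw-proxy-env.example.sh}
  export HTTPS_PROXY='http://proxy.corp.example:3128'
  export no_proxy='localhost,127.0.0.1,.internal'
  export SSL_CERT_FILE='/etc/ssl/certs/ca-certificates.crt'
  export LANGSMITH_TRACING='true'
  export LANGSMITH_PROJECT='lsv2_pt_0123456789abcdef0123'
  export LANGCHAIN_PROJECT='lsv2_sk_0123456789abcdef0123'
  export LANGSMITH_API_KEY='lsv2_sk_fedcba9876543210fedc'
  write_proxy_env "$out"
  scan_env_file "$out" && check_env_mode "$out"
}
```

The scan deliberately runs over the emitted file rather than over the writer's allowlist, so a future change that adds a credential-shaped value to the writer fails the check even if the variable is not on the forbidden list; that, not the file mode, is what carries the "credential-free by construction" claim.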