## Summary

Stops Deep Agents Code startup from copying inherited LangSmith tracing and project values into the sandbox-readable runtime shell environment. This closes the final review gap from #6206 while preserving the managed proxy and trust-store contract.

## Related Issue

Follow-up to #6206 and #6191.

## Changes

- Exclude LangSmith tracing and both project variables from `/tmp/nemoclaw-proxy-env.sh`.
- Extend the real `start.sh` fixture with valid-shape `lsv2_pt_...` and `lsv2_sk_...` tracing and project values and prove none reaches the emitted file.
- Align the documented `0444` risk acceptance and Deep Agents Code quickstart with the narrowed persisted environment.
- Require existing Deep Agents Code sandboxes to rebuild after upgrading because `start.sh` is baked into the image.
- Local verification: 54 focused tests, CLI build/typecheck, Bash syntax, ShellCheck, shfmt, Biome, test-title/source-shape/test-size guards, conditional scan, secret scan, and docs validation passed. The broad macOS `test-cli` hook remains non-green on unrelated Linux-only PTY tests because BSD `script` rejects `-qec`; exact-head Linux CI is authoritative.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

## Summary by CodeRabbit

* **Bug Fixes**
  * Improved shared runtime environment generation to exclude LangSmith "project" settings and avoid persisting any token-shaped/secret-shaped values.
  * Updated proxy environment handling to use normalized proxy configuration while inheriting safe trust-store paths only.
* **Documentation**
  * Refreshed security and quickstart guidance to clarify what tracing-related values are intentionally not saved.
  * Added upgrade note: rebuild existing sandboxes from older releases to pick up the fix.
* **Tests**
  * Strengthened CI to fail if any secret-shaped values appear in emitted environment output, and to verify the forbidden LangSmith project variables are not present.

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Security
NVIDIA is dedicated to the security and trust of its software products and services, including all source code repositories managed through our organization.
If you need to report a security issue, use the appropriate contact points outlined below. DO NOT report security vulnerabilities through public GitHub issues or pull requests. If a potential security issue is inadvertently reported through a public channel, NVIDIA maintainers may limit public discussion and redirect the reporter to the appropriate private disclosure channels.
How to Report a Vulnerability
Report a potential security vulnerability in NemoClaw or any NVIDIA product through one of the following channels.
NVIDIA Vulnerability Disclosure Program
Submit a report through the NVIDIA Vulnerability Disclosure Program. This is the preferred method for reporting security concerns across all NVIDIA products.
Send an encrypted email to psirt@nvidia.com. Use the NVIDIA public PGP key to encrypt the message.
GitHub Private Vulnerability Reporting
You can use GitHub's private vulnerability reporting to submit a report directly on this repository. Navigate to the Security tab and select Report a vulnerability.
What to Include
Provide as much of the following information as possible:
- Product name and version or branch that contains the vulnerability.
- Type of vulnerability (code execution, denial of service, buffer overflow, privilege escalation, etc.).
- Step-by-step instructions to reproduce the vulnerability.
- Proof-of-concept or exploit code.
- Potential impact, including how an attacker could exploit the vulnerability.
Detailed reports help NVIDIA evaluate and address issues faster.
What to Expect
NVIDIA's Product Security Incident Response Team (PSIRT) triages all incoming reports. After submission:
- NVIDIA acknowledges receipt and begins analysis.
- NVIDIA validates the report and determines severity.
- NVIDIA develops and tests corrective actions.
- NVIDIA publishes a security bulletin and releases a fix.
Visit the PSIRT Policies page for details on timelines and acknowledgement practices.
While NVIDIA does not currently have a public bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy.
NVIDIA Product Security
For security bulletins, PSIRT policies, and all security-related concerns, visit the NVIDIA Product Security portal. Subscribe to notifications on that page to receive alerts when new bulletins are published.
Documented Risk Acceptances
The following security-relevant defaults are intentional. Each item names the code path that carries the constraint and the compensating controls that make the trade-off acceptable.
Deep Agents Code proxy env file is world-readable (mode 0444)
- Location: `agents/langchain-deepagents-code/start.sh` (`prepare_runtime_env`)
- Constraint: `/tmp/nemoclaw-proxy-env.sh` is sandbox-user-owned convenience state, not an integrity boundary. It is created with mode `0444` so independent login and exec shells can source the same credential-free settings. The Deep Agents Code runtime deliberately runs as the non-root sandbox user, unlike the root-supervised OpenClaw and Hermes startup paths.
- Compensating controls:
  - The file is credential-free by construction. `prepare_runtime_env` writes normalized proxy config and inherited trust-store paths. It does not persist LangSmith tracing, project, or API key variables.
  - A regression test in `test/langchain-deepagents-code-image.test.ts` injects token-shaped values through LangSmith tracing and both project variables, scans the emitted env file against canonical token shapes, and fails CI if any secret-shaped value is present.
  - The root-owned, image-baked proxy host/port files and the direct `dcode-launcher.sh` boundary remain the routing source of truth. Focused and live login-shell checks compare the sourced convenience values with that root-owned source; file metadata checks detect accidental drift but do not claim sandbox-owner tamper resistance.
- When to revisit: If a future change adds credential-shaped values to the env-file writer, or if the Deep Agents Code runtime moves back to the root-supervised startup model, revisit the mode and the compensating controls together.
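The contract above rests on three checks: the writer only ever reads an allowlist of proxy and trust-store variables, the emitted file is scanned for canonical token shapes, and the values a fresh shell sources back match what was written. The script below is an added example written for this page, not NemoClaw's `start.sh` or its regression test. The allowlisted variable names, the `lsv2_pt_`/`lsv2_sk_` and `sk-` token regexes, the output path and the constructed caller environment are all assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example (not NemoClaw code): persist only allowlisted proxy and
# trust-store settings into a world-readable env file, then prove nothing
# credential-shaped reached it. Names, regexes and paths are assumptions.
set -eu

# Allowlist of variables that may be persisted. Anything else in the caller's
# environment (LANGSMITH_API_KEY, LANGSMITH_PROJECT, ...) is never read.
PERSISTED_VARS='HTTP_PROXY HTTPS_PROXY NO_PROXY SSL_CERT_FILE SSL_CERT_DIR'

# Assumed canonical secret shapes: LangSmith lsv2_pt_/lsv2_sk_ keys and
# OpenAI-style sk- keys. Extend the alternation for other providers.
SECRET_SHAPES='lsv2_(pt|sk)_[A-Za-z0-9_]{16,}|sk-[A-Za-z0-9_-]{20,}'

# sq STRING: single-quote STRING so the emitted line sources back verbatim.
sq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_runtime_env OUT: emit `export NAME='value'` for each set allowlisted
# variable, replace OUT atomically, and leave it mode 0444.
write_runtime_env() {
  local out="$1" tmp name value
  tmp="$(mktemp "$out.XXXXXX")"
  {
    echo '# generated: proxy and trust-store settings only, never credentials'
    for name in $PERSISTED_VARS; do
      eval "value=\${$name:-}"
      [ -n "$value" ] || continue
      printf 'export %s=%s\n' "$name" "$(sq "$value")"
    done
  } >"$tmp"
  chmod 0444 "$tmp"
  mv -f "$tmp" "$out"
}

# scan_for_secrets FILE: status 1 (offending lines on stderr) if any value in
# FILE matches a known token shape, status 0 otherwise.
scan_for_secrets() {
  if grep -Eq "$SECRET_SHAPES" "$1"; then
    grep -En "$SECRET_SHAPES" "$1" >&2
    return 1
  fi
}

# assert_not_persisted FILE NAME...: status 1 if FILE exports any forbidden NAME.
assert_not_persisted() {
  local file="$1" name
  shift
  for name in "$@"; do
    if grep -Eq "^export $name=" "$file"; then
      echo "forbidden variable persisted: $name" >&2
      return 1
    fi
  done
}

# sourced_value FILE NAME: source FILE in a clean shell and print NAME's value,
# the way an independent login or exec shell would see it.
sourced_value() {
  env -i sh -c ". \"\$1\" && printf '%s' \"\${$2:-}\"" sh "$1"
}

# file_mode FILE: octal mode via GNU stat, falling back to BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

demo() {
  local dir out
  dir="$(mktemp -d)"
  out="$dir/nemoclaw-proxy-env.sh"
  # Constructed caller environment: proxy settings plus token-shaped tracing
  # and project values of the kind a regression test would inject.
  HTTPS_PROXY='http://127.0.0.1:3128' NO_PROXY='localhost,127.0.0.1' \
  SSL_CERT_FILE='/etc/ssl/certs/ca-certificates.crt' \
  LANGSMITH_TRACING='true' \
  LANGSMITH_API_KEY='lsv2_sk_0123456789abcdef0123456789abcdef_0123456789' \
  LANGSMITH_PROJECT='lsv2_pt_0123456789abcdef0123456789abcdef_0123456789' \
    write_runtime_env "$out"
  cat "$out"
  echo "mode: $(file_mode "$out")"
  scan_for_secrets "$out"
  assert_not_persisted "$out" LANGSMITH_TRACING LANGSMITH_API_KEY \
    LANGSMITH_PROJECT LANGCHAIN_PROJECT
  [ "$(sourced_value "$out" HTTPS_PROXY)" = 'http://127.0.0.1:3128' ]
  echo 'runtime env is credential-free and sources back correctly'
  rm -rf "$dir"
}

demo
```

The allowlist is what makes the file credential-free by construction: the writer never enumerates the caller's environment, so a new secret-bearing variable cannot leak without someone adding it to `PERSISTED_VARS`. The shape scan and the forbidden-name check are independent of that list and catch the case where an allowlisted variable is later given a secret-shaped value; `sourced_value` is the login-shell comparison, reading the file back the way a fresh shell would rather than trusting the writer's own view of it.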