mirror of
https://github.com/NVIDIA/NemoClaw.git
synced 2026-07-03 03:37:16 +00:00
<!-- markdownlint-disable MD041 --> ## Summary <!-- 1-3 sentences: what this PR does and why. --> Stops Deep Agents Code startup from copying inherited LangSmith tracing and project values into the sandbox-readable runtime shell environment. This closes the final review gap from #6206 while preserving the managed proxy and trust-store contract. ## Related Issue <!-- Fixes #NNN or Closes #NNN. Remove this section if none. --> Follow-up to #6206 and #6191. ## Changes <!-- Bullet list of key changes. --> - Exclude LangSmith tracing and both project variables from `/tmp/nemoclaw-proxy-env.sh`. - Extend the real `start.sh` fixture with valid-shape `lsv2_pt_...` and `lsv2_sk_...` tracing and project values and prove none reaches the emitted file. - Align the documented `0444` risk acceptance and Deep Agents Code quickstart with the narrowed persisted environment. - Require existing Deep Agents Code sandboxes to rebuild after upgrading because `start.sh` is baked into the image. - Local verification: 54 focused tests, CLI build/typecheck, Bash syntax, ShellCheck, shfmt, Biome, test-title/source-shape/test-size guards, conditional scan, secret scan, and docs validation passed. The broad macOS `test-cli` hook remains non-green on unrelated Linux-only PTY tests because BSD `script` rejects `-qec`; exact-head Linux CI is authoritative. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check all that apply. For any "covered by existing tests", "not applicable", or waiver entry, add a brief justification on the same line or in the Changes section. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each item you ran and confirmed. Leave unchecked items you skipped. Doc-only changes do not require npm test unless you ran it. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved shared runtime environment generation to exclude LangSmith “project” settings and avoid persisting any token-shaped/secret-shaped values. * Updated proxy environment handling to use normalized proxy configuration while inheriting safe trust-store paths only. * **Documentation** * Refreshed security and quickstart guidance to clarify what tracing-related values are intentionally not saved. * Added upgrade note: rebuild existing sandboxes from older releases to pick up the fix. * **Tests** * Strengthened CI to fail if any secret-shaped values appear in emitted environment output, and to verify the forbidden LangSmith project variables are not present. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> |
||
|---|---|---|
| .. | ||
| hermes | ||
| langchain-deepagents-code | ||
| openclaw | ||