NemoClaw/agents
Aaron Erickson 🦞 8b307c07d5
fix(dcode): stop persisting LangSmith variables (#6219)
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->

Stops Deep Agents Code startup from copying inherited LangSmith tracing
and project values into the sandbox-readable runtime shell environment.
This closes the final review gap from #6206 while preserving the managed
proxy and trust-store contract.

## Related Issue
<!-- Fixes #NNN or Closes #NNN. Remove this section if none. -->

Follow-up to #6206 and #6191.

## Changes
<!-- Bullet list of key changes. -->

- Exclude LangSmith tracing and both project variables from
`/tmp/nemoclaw-proxy-env.sh`.
- Extend the real `start.sh` fixture with valid-shape `lsv2_pt_...` and
`lsv2_sk_...` tracing and project values and prove none reaches the
emitted file.
- Align the documented `0444` risk acceptance and Deep Agents Code
quickstart with the narrowed persisted environment.
- Require existing Deep Agents Code sandboxes to rebuild after upgrading
because `start.sh` is baked into the image.
- Local verification: 54 focused tests, CLI build/typecheck, Bash
syntax, ShellCheck, shfmt, Biome, test-title/source-shape/test-size
guards, conditional scan, secret scan, and docs validation passed. The
broad macOS `test-cli` hook remains non-green on unrelated Linux-only
PTY tests because BSD `script` rejects `-qec`; exact-head Linux CI is
authoritative.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved shared runtime environment generation to exclude LangSmith
“project” settings and avoid persisting any token-shaped/secret-shaped
values.
* Updated proxy environment handling to use normalized proxy
configuration while inheriting safe trust-store paths only.

* **Documentation**
* Refreshed security and quickstart guidance to clarify what
tracing-related values are intentionally not saved.
* Added upgrade note: rebuild existing sandboxes from older releases to
pick up the fix.

* **Tests**
* Strengthened CI to fail if any secret-shaped values appear in emitted
environment output, and to verify the forbidden LangSmith project
variables are not present.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
2026-07-02 20:29:32 -07:00
..
hermes fix(gpu): prefer native OpenShell injection (#6142) 2026-07-02 09:50:03 -07:00
langchain-deepagents-code fix(dcode): stop persisting LangSmith variables (#6219) 2026-07-02 20:29:32 -07:00
openclaw fix(sandbox): compare hermes agent version in its runtime scheme (#6089) 2026-07-01 15:35:46 -04:00