Skip to content

chore(openshell): upgrade supported version to 0.0.82#6726

Draft
ericksoa wants to merge 57 commits into
mainfrom
dep/openshell-v0.0.82-6379
Draft

chore(openshell): upgrade supported version to 0.0.82#6726
ericksoa wants to merge 57 commits into
mainfrom
dep/openshell-v0.0.82-6379

Conversation

@ericksoa

@ericksoa ericksoa commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

This draft upgrades every stable NemoClaw OpenShell selector and consumed artifact from 0.0.72 to stable 0.0.82, including the #6379 credential-rewrite fix and OpenShell's multiline exec contract. Stable v0.0.82 is verified at 94cdd697c55aedb571f177ec13cfa54a8e213919, and the base-owned manifest and sandbox-build trust prerequisites landed in #6778 and #6779.

The branch remains draft while exact-head CI/advisor review and the platform-specific runtime proofs below are incomplete.

Related Issue

Fixes #6379.

Changes

  • Audit all ten adjacent OpenShell ranges from v0.0.72 through v0.0.82: 47 commits and 175 distinct changed paths. The final v0.0.81..v0.0.82 range contains 12 commits, 76 paths, and +7851/-983; release notes were treated as leads rather than proof.
  • Verify stable tag v0.0.82 at 94cdd697, its audited parent bb72d012, and successful producer run 29260186856. The final tag delta is limited to the release-action bump.
  • Advance the blueprint floor/ceiling, installer floor/ceiling/dev floor, Brev defaults, stable E2E gateway-auth pin, supervisor index, sandbox-build fallback, credential manifest, current docs, and user-visible messages to 0.0.82.
  • Pin all eight CLI/gateway/sandbox release archives, three component manifests, both extracted sandbox binaries, and the multi-arch supervisor image to immutable release identities. Historical 0.0.72 references remain only where cleanup, fallback, or compatibility evidence requires them.
  • Add a concern ledger covering consumed contracts, evidence-backed exclusions, mitigations, and blocking runtime/release gates in docs/security/openshell-0.0.82-migration-review.md.
  • Reject OpenShell's revisioned credential-name namespace before provider mutation while preserving cleanup of persisted legacy entries across host and Hermes adapters.
  • Report OpenShell's fail-closed CONNECT 503 as unavailable TLS credential rewriting instead of a generic curl transport error.
  • Preserve LF, CR, CRLF, quotes, and heredocs byte-exactly across multiline exec while retaining NUL, multiline-workdir, and request-environment boundaries.
  • Reject supervisor-only OPENSHELL_TLS_CA, OPENSHELL_TLS_CERT, and OPENSHELL_TLS_KEY if an entrypoint, exec, or connect child receives them.
  • Validate that each selected OpenShell archive contains exactly one expected regular binary before extraction; reject absolute paths, traversal, duplicates, extras, links, and devices.
  • Prove the exact head on the supported Linux x86, macOS Docker Desktop/Colima, WSL, Colossus, and DGX Spark paths selected by CI/advisor.
  • On a physical Docker 27 DGX Spark arm64 host, prove honest mcp status, real credential substitution, an authenticated MCP tool call, rotation/rebuild/removal behavior, and absence of literal openshell:resolve:env: leakage.
  • Record the platform decision for Docker 27 versus upstream OpenShell's Docker 28 requirement.

Release provenance

  • Stable release archives have valid SLSA attestations, and the gateway x86 binary remains compatible through GLIBC 2.28.
  • GitHub currently exposes no OCI referrer/attestation/SBOM for the stable supervisor image, and its configs contain no source/revision/version labels. The review records that upstream provenance limitation rather than inferring missing evidence.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification:
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: pending exact-head maintainer review
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: bash scripts/check-installer-hash.sh passed all three manifests and all ten consumed release archives against trusted main; npx tsx scripts/checks/dependency-pins.ts, npm run build:cli, and npm run typecheck passed; the installer/trust suite passed 69/69 after its positive future-release fixture was refreshed.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result: the macOS broad run executed 950 tests across 50 files (870 passed, 72 skipped, 8 failed). One stale installer fixture was fixed and its suite passed 69/69. Four failures require Linux fcntl.F_SEAL_*; two timeout-sensitive files (auto-pair, sandbox exec) passed focused reruns; the older-branch OTLP test still exceeds the local 15-second budget. Authoritative exact-head Linux/platform CI is pending.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only) — result: build completed with zero errors; existing unauthenticated-redirect and light-contrast warnings remain. Route/variant checks and targeted docs tests passed, and an independent docs-writer review required no further edits.
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only) — the security review has the required SPDX header and is not a Fern page.

Signed-off-by: Aaron Erickson aerickson@nvidia.com

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@ericksoa ericksoa self-assigned this Jul 12, 2026
@copy-pr-bot

copy-pr-bot Bot commented Jul 12, 2026

Copy link
Copy Markdown

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5e8bc16a-bb72-4434-8732-59a3ba0ec6c7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dep/openshell-v0.0.82-6379

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Advisor assessment: Informational / high confidence
Primary next action: No advisor follow-up required beyond maintainer review.
Findings: 0 blockers · 0 warnings · 0 optional suggestions
Status: No actionable findings remain in the canonical review ledger.

Model lanes

  • GPT-5.6 Terra (primary): Completed · high confidence · 0 blockers · 0 warnings · 0 suggestions
  • Nemotron 3 Ultra (non-blocking second opinion): Completed · high confidence · 0 blockers · 3 warnings · 1 suggestion
  • Model comparison: normalized findings differ; normalized E2E selections differ; Nemotron reported the same number of blockers, 3 more warnings, 1 more suggestion.

Nemotron is a non-blocking second opinion. Its prose, findings, and E2E guidance do not change the primary assessment above and remain in workflow artifacts only.

E2E guidance

Advisory only: coverage and selector recommendations are non-authoritative. E2E / PR Gate independently computes and dispatches trusted jobs without consuming this output.

Recommended coverage: cloud-onboard, credential-sanitization, full-e2e, hermes-e2e, security-posture, bedrock-runtime-compatible-anthropic, cron-preflight-inference-local, gateway-guard-recovery, hermes-discord, inference-routing, mcp-bridge, mcp-bridge-dev, messaging-compatible-endpoint, network-policy, onboard-repair, onboard-resume, openclaw-inference-switch, openclaw-plugin-runtime-exdev, openclaw-skill-cli, openshell-gateway-auth-contract
Recommended selectors: cloud-onboard, credential-sanitization, full-e2e, hermes-e2e, security-posture, bedrock-runtime-compatible-anthropic, cron-preflight-inference-local, gateway-guard-recovery, hermes-discord, inference-routing, mcp-bridge, mcp-bridge-dev, messaging-compatible-endpoint, network-policy, onboard-repair, onboard-resume, openclaw-inference-switch, openclaw-plugin-runtime-exdev, openclaw-skill-cli, openshell-gateway-auth-contract

  • cloud-onboard — Selected from the trusted checked-in E2E coverage inventory.

  • credential-sanitization — Selected from the trusted checked-in E2E coverage inventory.

  • full-e2e — Selected from the trusted checked-in E2E coverage inventory.

  • hermes-e2e — Selected from the trusted checked-in E2E coverage inventory.

  • security-posture — Selected from the trusted checked-in E2E coverage inventory.

  • bedrock-runtime-compatible-anthropic — Selected from the trusted checked-in E2E coverage inventory.

  • cron-preflight-inference-local — Selected from the trusted checked-in E2E coverage inventory.

  • gateway-guard-recovery — Selected from the trusted checked-in E2E coverage inventory.

  • hermes-discord — Selected from the trusted checked-in E2E coverage inventory.

  • inference-routing — Selected from the trusted checked-in E2E coverage inventory.

  • mcp-bridge — Selected from the trusted checked-in E2E coverage inventory.

  • mcp-bridge-dev — Selected from the trusted checked-in E2E coverage inventory.

  • messaging-compatible-endpoint — Selected from the trusted checked-in E2E coverage inventory.

  • network-policy — Selected from the trusted checked-in E2E coverage inventory.

  • onboard-repair — Selected from the trusted checked-in E2E coverage inventory.

  • onboard-resume — Selected from the trusted checked-in E2E coverage inventory.

  • openclaw-inference-switch — Selected from the trusted checked-in E2E coverage inventory.

  • openclaw-plugin-runtime-exdev — Selected from the trusted checked-in E2E coverage inventory.

  • openclaw-skill-cli — Selected from the trusted checked-in E2E coverage inventory.

  • openshell-gateway-auth-contract — Selected from the trusted checked-in E2E coverage inventory.

  • cloud-onboard — Selected as a trusted checked-in E2E job.

  • credential-sanitization — Selected as a trusted checked-in E2E job.

  • full-e2e — Selected as a trusted checked-in E2E job.

  • hermes-e2e — Selected as a trusted checked-in E2E job.

  • security-posture — Selected as a trusted checked-in E2E job.

  • bedrock-runtime-compatible-anthropic — Selected as a trusted checked-in E2E job.

  • cron-preflight-inference-local — Selected as a trusted checked-in E2E job.

  • gateway-guard-recovery — Selected as a trusted checked-in E2E job.

  • hermes-discord — Selected as a trusted checked-in E2E job.

  • inference-routing — Selected as a trusted checked-in E2E job.

  • mcp-bridge — Selected as a trusted checked-in E2E job.

  • mcp-bridge-dev — Selected as a trusted checked-in E2E job.

  • messaging-compatible-endpoint — Selected as a trusted checked-in E2E job.

  • network-policy — Selected as a trusted checked-in E2E job.

  • onboard-repair — Selected as a trusted checked-in E2E job.

  • onboard-resume — Selected as a trusted checked-in E2E job.

  • openclaw-inference-switch — Selected as a trusted checked-in E2E job.

  • openclaw-plugin-runtime-exdev — Selected as a trusted checked-in E2E job.

  • openclaw-skill-cli — Selected as a trusted checked-in E2E job.

  • openshell-gateway-auth-contract — Selected as a trusted checked-in E2E job.

Workflow run details

This is an automated, non-authoritative review. Findings are inputs to maintainer adjudication. Warnings and optional suggestions do not require a response or follow-up. A human maintainer makes the final merge decision.

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@github-code-quality

github-code-quality Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 79%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 462b789 81895e0 +/-
src/lib/agent/dashboard-ui.ts 89% 83% -6%
src/lib/state/config-io.ts 94% 91% -3%
src/lib/securit...ntial-filter.ts 99% 96% -3%
src/lib/runner.ts 75% 72% -3%
src/lib/messagi.../persistence.ts 86% 89% +3%
src/lib/adapter...shell/client.ts 83% 88% +5%
src/lib/onboard...shboard-port.ts 83% 89% +6%
src/lib/state/m...-acquisition.ts 80% 89% +9%
src/lib/onboard...reachability.ts 63% 72% +9%
src/lib/actions...ge-preflight.ts 74% 89% +15%

Updated July 14, 2026 00:24 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some tests failed

Run: 29207131689
Workflow ref: dep/openshell-v0.0.82-6379
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result
mcp-bridge ❌ failure

Failed tests: mcp-bridge. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested tests passed

Run: 29207131689
Workflow ref: dep/openshell-v0.0.82-6379
Requested targets: (default — all supported)
Requested test IDs: mcp-bridge
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped, 0 unknown

Test Result
mcp-bridge ✅ success

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@cv cv added the v0.0.82 Release target label Jul 12, 2026
@wscurran wscurran added area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery chore Build, CI, dependency, or tooling maintenance platform: dgx-spark Affects DGX Spark hardware or workflows security labels Jul 12, 2026
ericksoa added 12 commits July 12, 2026 20:16
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
cv pushed a commit that referenced this pull request Jul 13, 2026
## Summary

Extend the base-trusted installer parser so a separately reviewed
dependency pin PR can add standalone sandbox binary identities as
release data without authorizing operational installer changes. This is
the remaining base-branch prerequisite for #6726 after #6778 landed.

## Changes

- Parse `pinned_sandbox_build_version` as a strict literal
digest-to-version case map before normalizing it as release data.
- Require a unique SHA-256 per entry, literal `X.Y.Z` versions, a
fail-closed default branch, and at least one identity for the selected
release.
- Bind `DEV_MIN_VERSION` to the same selected release as the installer
tables and other stable selectors.
- Add positive coverage for a v0.0.82 sandbox identity addition and
negative coverage for control-flow, unknown-command, duplicate-digest,
and malformed-version edits.

The complete v0.0.82 upgrade tree passes this base-trusted checker
against all three release manifests and all ten consumed archives.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this changes only the
base-owned dependency verification boundary; active selectors remain on
v0.0.72.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: author review confirmed
only the fully parsed release-data function and literal selectors are
normalized; all other installer text remains locked by the trusted
template hash.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — `npx vitest run
test/installer-hash-check.test.ts` (67/67), `npm run build:cli`, `npm
run typecheck`, and the base-trusted checker against #6726
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not applicable to this
focused verifier grammar extension; normal hooks, typecheck, and focused
integration coverage passed.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **Security & Reliability**
- Strengthened installer verification by adding trusted “sandbox build
version” pin checks alongside existing checksum and command pin
validation.
- Installers now fail closed if sandbox build pins or development
minimum version selectors are missing, malformed, inconsistent, or
altered.
- Updated trusted installer template expectations to improve detection
of unauthorized changes and version drift.
- **Testing**
- Expanded installer-hash tests with new sandbox build mutation
scenarios, including both allowed pin changes and multiple rejected
tampering cases, plus development-version drift coverage.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@cjagwani cjagwani added v0.0.83 Release target and removed v0.0.82 Release target labels Jul 13, 2026
@cv cv added v0.0.84 Release target and removed v0.0.83 Release target labels Jul 14, 2026
@cv cv assigned prekshivyas and unassigned ericksoa Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery area: security Security controls, permissions, secrets, or hardening chore Build, CI, dependency, or tooling maintenance platform: dgx-spark Affects DGX Spark hardware or workflows v0.0.84 Release target

Projects

None yet

6 participants