chore(openshell): trust v0.0.82 release manifests#6778
Conversation
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe installer hash-check script adds three trusted SHA-256 digests for the OpenShell v0.0.82 release manifests. ChangesOpenShell manifest verification
Estimated code review effort: 1 (Trivial) | ~2 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 79%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
E2E Advisor RecommendationRequired E2E: None Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
|
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings This is an automated review. Required findings need action before merge. Warnings and optional suggestions do not require a response or follow-up. A human maintainer makes the final merge decision. |
## Summary Extend the base-trusted installer parser so a separately reviewed dependency pin PR can add standalone sandbox binary identities as release data without authorizing operational installer changes. This is the remaining base-branch prerequisite for #6726 after #6778 landed. ## Changes - Parse `pinned_sandbox_build_version` as a strict literal digest-to-version case map before normalizing it as release data. - Require a unique SHA-256 per entry, literal `X.Y.Z` versions, a fail-closed default branch, and at least one identity for the selected release. - Bind `DEV_MIN_VERSION` to the same selected release as the installer tables and other stable selectors. - Add positive coverage for a v0.0.82 sandbox identity addition and negative coverage for control-flow, unknown-command, duplicate-digest, and malformed-version edits. The complete v0.0.82 upgrade tree passes this base-trusted checker against all three release manifests and all ten consumed archives. ## Type of Change - [x] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [ ] Docs updated for user-facing behavior changes - [x] Docs not applicable — justification: this changes only the base-owned dependency verification boundary; active selectors remain on v0.0.72. - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: author review confirmed only the fully parsed release-data function and literal selectors are normalized; all other installer text remains locked by the trusted template hash. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — `npx vitest run test/installer-hash-check.test.ts` (67/67), `npm run build:cli`, `npm run typecheck`, and the base-trusted checker against #6726 - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: not applicable to this focused verifier grammar extension; normal hooks, typecheck, and focused integration coverage passed. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Aaron Erickson <aerickson@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Security & Reliability** - Strengthened installer verification by adding trusted “sandbox build version” pin checks alongside existing checksum and command pin validation. - Installers now fail closed if sandbox build pins or development minimum version selectors are missing, malformed, inconsistent, or altered. - Updated trusted installer template expectations to improve detection of unauthorized changes and version drift. - **Testing** - Expanded installer-hash tests with new sandbox build mutation scenarios, including both allowed pin changes and multiple rejected tampering cases, plus development-version drift coverage. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Summary
Trust the three immutable OpenShell v0.0.82 release checksum manifests in the base-owned installer verifier. This is the base-branch prerequisite for #6726; it does not change NemoClaw's active OpenShell selector or consumed asset hashes.
Changes
74ba77d368744f412b2dd246099b63b38937962807333ded2b6284580a2d014e.c0a369ba2c66bcde3c18ce2753b04ff942d1fe1b5f3e4656de520f6d4b175477.3300b9856cdbe8e3f9b0f8068bbad93673739c4cfd3212c80dc0675168ee2b8d.The manifests were produced by the successful NVIDIA/OpenShell
Release Tagworkflow run 29260186856 at verified tag commit94cdd697c55aedb571f177ec13cfa54a8e213919. This must land separately because the installer-hash workflow evaluates proposed selectors with verifier code from the PR base; an upgrade PR cannot authorize its own new manifest.Type of Change
Quality Gates
test/installer-hash-check.test.tscovers the manifest allowlist, exact digest matching, and base-trusted verification boundary; 61/61 focused tests pass.Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpx vitest run test/installer-hash-check.test.ts --project integration(61/61) andbash scripts/check-installer-hash.shnpm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — command/result:npm run docsbuilds without warnings (doc changes only)Signed-off-by: Aaron Erickson aerickson@nvidia.com
Summary by CodeRabbit