OpenShell 0.0.72 Compatibility Review
This review covers NemoClaw’s stable OpenShell 0.0.72 pin, Docker-driver gateway authentication, policy mutation, and MCP and JSON-RPC policy compatibility.
The dependency compatibility review was completed on June 29, 2026; the MCP integration and DNS source/runtime supplement were reviewed on June 30, 2026.
Release Identity
- The stable tag is
NVIDIA/OpenShell@v0.0.72at commit8cb16de9eae4c44d7d31e1493747d8c10abb5963. - The upstream v0.0.72 release workflow completed all 54 jobs at that commit, including the MCP conformance lane, package smoke tests, release publication, and GHCR tags.
- NemoClaw pins the eight consumed CLI, gateway, and sandbox assets to the digests published by the GitHub release API.
- The stable Docker-driver default pins the multi-architecture supervisor manifest as
ghcr.io/nvidia/openshell/supervisor@sha256:80ed9cda5bf672fefdb9dcd4604b40a8b09c0891b6eb9d03e10227c7e3dfb49d. Explicit operator overrides and the opt-in development channel remain separate trust decisions.
Source-of-Truth Boundaries
The generated gateway authentication contract remains unchanged from the OpenShell 0.0.71 gateway authentication review.
The v0.0.71...v0.0.72 source comparison does not change the gateway config loader, local TLS tables, mTLS user authentication, gateway JWT issuer, or SandboxJwtAuthenticator contract used by NemoClaw.
The live openshell-gateway-auth-source-contract.test.ts scenario revalidates that NemoClaw keeps the main OpenShell listener on 127.0.0.1, rejects unauthenticated Docker-origin calls, accepts a correctly scoped sandbox JWT over guest mTLS, rejects cross-sandbox tokens, and scrubs OPENSHELL_DISABLE_GATEWAY_AUTH=true.
The inherited contract also continues to reject NEMOCLAW_GATEWAY_BIND_ADDRESS=0.0.0.0.
User principals remain blocked from sandbox-only methods.
The compatibility container remains an explicit trusted-host fallback behind NEMOCLAW_OPENSHELL_GATEWAY_CONTAINER_PATCH=1.
It uses host networking and read-only Docker socket access, so directly supported glibc 2.28 or newer hosts remain preferred.
Wildcard gateway binds remain rejected while gateway JWT authentication is active.
Review this fallback at every stable OpenShell bump and remove it in the same NemoClaw release that raises every supported Linux host to OpenShell’s native glibc floor and passes the exact-head gateway-authentication and gateway-upgrade matrix without the flag.
Compatibility Container Opt-In
invalidState: A host below OpenShell’s native glibc floor silently receives a privileged compatibility path, or the path is treated as equivalent to native execution even though read-only Docker socket access still exposes privileged Docker APIs.sourceBoundary: OpenShell owns its native glibc floor; NemoClaw owns the explicitNEMOCLAW_OPENSHELL_GATEWAY_CONTAINER_PATCH=1opt-in, host-networking configuration, read-only socket mount, and gateway authentication controls.whyNotSourceFix: NemoClaw cannot make an upstream binary support an older host libc, so supported legacy hosts require an explicit, audited container boundary until the host floor is raised.regressionTest:test/install-openshell-version-check.test.tsproves the flag gates the fallback, whilesrc/lib/onboard/docker-driver-gateway-compat-container.test.tscovers container launch, the trust boundary, and the glibc decision.removalCondition: Remove the fallback when every supported Linux host meets OpenShell’s native glibc 2.28-or-newer floor and the exact-head gateway-authentication and gateway-upgrade matrix passes without the flag.
The release source boundary is the immutable upstream tag, its GitHub release asset digests, and the GHCR manifest digest produced by the linked release workflow.
A mutable tag, a digest copied from another release, or a checksum file that disagrees with NemoClaw’s table is an invalid state.
NemoClaw cannot make an upstream release mutable source trustworthy after publication, so the installer independently pins every consumed archive and the stable runtime uses the immutable supervisor manifest.
install-openshell-version-check.test.ts compares all eight archive mappings with the checked-in installer table, and docker-driver-gateway-runtime.test.ts locks the stable supervisor default while preserving an explicit operator override.
These version-specific pins are removed only when NemoClaw drops 0.0.72 support or replaces them with independently verified artifacts for a newly supported release.
Dev Channel Opt-In
invalidState: A mutable development artifact is installed without SHA-256 verification or an explicit operator risk acknowledgment.sourceBoundary: NVIDIA/OpenShell owns the mutabledevtag; NemoClaw owns the opt-in that permits consuming it for pre-release compatibility tests.whyNotSourceFix: NemoClaw cannot make an upstream development tag immutable, so it must fail closed unless the operator explicitly accepts that unverified install.regressionTest:test/install-openshell-version-check.test.tsproves the development channel fails withoutNEMOCLAW_ACCEPT_DEV_UNVERIFIED_INSTALL=1and succeeds with it.removalCondition: Remove the opt-in when NemoClaw no longer tests unreleased OpenShell builds or the development channel publishes artifacts through an independently verified immutable pipeline.
The development channel is compatibility evidence only. Use it in trusted test environments, never as the stable shipping configuration.
Round-Trippable Policy Boundary
OpenShell 0.0.72 reserves the _provider_* network-policy namespace for provider composition.
openshell policy get <sandbox> --full returns the effective policy including those derived entries, while policy set rejects user-authored reserved keys.
The invalid state occurs when a NemoClaw read-modify-write path feeds provider-composed _provider_* entries back into openshell policy set.
Every NemoClaw policy read-modify-write path, including preset merges and blueprint additions, and every Shields snapshot-for-restore path therefore starts from:
Read-only status and diagnostic views continue to use --full.
Regression coverage verifies that mutation commands select --base, provider-composed entries never reach policy set, and existing MCP policy fields survive a preset or blueprint merge.
MCP and JSON-RPC Policy Support
OpenShell 0.0.72 adds protocol: mcp for MCP Streamable HTTP and protocol: json-rpc for generic JSON-RPC-over-HTTP enforcement.
MCP rules can match methods and tools/call tool names, support allow and deny rules, and fail closed for malformed or ambiguous request frames.
The upstream MCP conformance lane passed initialize, tools_call, and elicitation-sep1034-client-defaults with no expected failures.
NemoClaw preserves the new MCP and JSON-RPC YAML fields when it merges existing policies.
The strict blueprint-addition schema does not author MCP endpoints; nemoclaw <sandbox> mcp add is the supported managed product path described in Set Up MCP Servers and the accepted architecture decision.
OpenShell enforcement covers sandbox-to-server Streamable HTTP requests, not stdio MCP or generic inbound traffic.
DNS Pinning Source and Runtime Contract
The MCP integration pins the OpenShell DNS enforcement contract to NVIDIA/OpenShell@8cb16de9eae4c44d7d31e1493747d8c10abb5963.
In that implementation, crates/openshell-supervisor-network/src/proxy.rs:2476-2502 produces one socket-address list, crates/openshell-supervisor-network/src/proxy.rs:2527-2567 validates every address in that list, and crates/openshell-supervisor-network/src/proxy.rs:2622-2630 returns the validated list unchanged.
The CONNECT path passes that returned list directly to TcpStream::connect at crates/openshell-supervisor-network/src/proxy.rs:822-832.
The explicit HTTP-forward path carries the same returned list from crates/openshell-supervisor-network/src/proxy.rs:3885-3893 to crates/openshell-supervisor-network/src/proxy.rs:4123-4125.
There is no second hostname resolution between validation and connection in either path.
The stable and development mcp-bridge live lanes isolate that upstream contract from NemoClaw’s MCP implementation before the OpenClaw scenario performs any managed MCP mutation.
They apply a raw OpenShell protocol: mcp policy with allowed_ips: [1.1.1.1], remap the hostname to a reachable private runner address, send a raw MCP tools/list request, require an exact HTTP 403, verify zero upstream requests without calling nemoclaw mcp or any agent adapter, and restore the exact base policy in finally.
The live MCP scenario registers a hostname while it resolves to a pinned public address, remaps it to a reachable unpinned runner address, and sends an MCP tools/list request beneath each adapter runtime identity.
OpenClaw uses the managed Node identity, Hermes uses its managed Python identity, and LangChain Deep Agents Code uses its managed virtual-environment Python identity.
The scenario requires an OpenShell HTTP 403 or CONNECT 403 for every adapter and verifies that the upstream MCP server recorded zero requests.
Local Contract Coverage
- Installer and runner tests pin all eight published release digests.
- The sticky-version guard replaces a too-new
0.0.73install with0.0.72. - Policy tests cover
--basecommand construction and MCP and JSON-RPC field preservation. - Blueprint tests prove the merged policy excludes reserved provider entries.
- The live gateway authentication and gateway-upgrade scenarios run against
0.0.72. - The stable and development MCP live lanes independently prove raw OpenShell
allowed_ipsrebinding denial with an exact HTTP 403 and zero upstream requests, then restore the base policy. - The live MCP matrix proves DNS rebinding denial with zero upstream requests for OpenClaw, Hermes, and LangChain Deep Agents Code.