merge: resolve conflicts with latest main

Merge origin/main into feat/jetson-orin-nano-support to resolve
conflicts from recent changes (NVIDIA#1208, NVIDIA#1200, NVIDIA#836, NVIDIA#1221, NVIDIA#1223).

Jetson detection now leverages main's UNIFIED_MEMORY_GPU_TAGS
with added jetson flag and /proc/device-tree fallback.

All 116 tests pass.

Author: realkim93

.agents/skills/nemoclaw-reference/references/troubleshooting.md

@@ -69,7 +69,7 @@ If another process is already bound to this port, onboarding fails.
 Identify the conflicting process, verify it is safe to stop, and terminate it:
 
 ```console
-$ lsof -i :18789
+$ sudo lsof -i :18789
 $ kill <PID>
 ```
 

.dockerignore

@@ -4,3 +4,9 @@ node_modules
 *.pyc
 __pycache__
 .pytest_cache
+.venv
+.ruff_cache
+.mypy_cache
+.env
+*.egg-info
+.DS_Store

.github/PULL_REQUEST_TEMPLATE.md

@@ -40,3 +40,7 @@
 - [ ] Follows the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md). Try running the `update-docs` agent skill to draft changes while complying with the style guide. For example, prompt your agent with "`/update-docs` catch up the docs for the new changes I made in this PR."
 - [ ] New pages include SPDX license header and frontmatter, if creating a new page.
 - [ ] Cross-references and links verified.
+
+---
+<!-- DCO sign-off (required by CI). Replace with your real name and email. -->
+Signed-off-by: Your Name <your-email@example.com>

.github/actions/basic-checks/action.yaml

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: basic-checks
+description: Run the shared Node.js, hadolint, build, and prek-based checks used by CI.
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v6
+      with:
+        node-version: "22"
+        cache: npm
+
+    - name: Install hadolint
+      shell: bash
+      run: |
+        HADOLINT_VERSION="v2.14.0"
+        HADOLINT_URL="https://github.com/hadolint/hadolint/releases/download/${HADOLINT_VERSION}/hadolint-Linux-x86_64"
+        curl -fsSL -o /usr/local/bin/hadolint "$HADOLINT_URL"
+        EXPECTED=$(curl -fsSL "${HADOLINT_URL}.sha256" | awk '{print $1}')
+        ACTUAL=$(sha256sum /usr/local/bin/hadolint | awk '{print $1}')
+        [ "$EXPECTED" = "$ACTUAL" ] || { echo "::error::hadolint checksum mismatch"; exit 1; }
+        chmod +x /usr/local/bin/hadolint
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        npm install --ignore-scripts
+        cd nemoclaw && npm install
+
+    - name: Build TypeScript plugin
+      shell: bash
+      run: cd nemoclaw && npm run build
+
+    - name: Run checks
+      shell: bash
+      run: npx prek run --all-files --stage pre-push

.github/actions/resolve-sandbox-base-image/action.yaml

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: resolve-sandbox-base-image
+description: Resolve the sandbox base image from GHCR, falling back to a local Dockerfile.base build.
+
+runs:
+  using: composite
+  steps:
+    - name: Resolve sandbox base image
+      shell: bash
+      run: |
+        if docker pull ghcr.io/nvidia/nemoclaw/sandbox-base:latest 2>/dev/null; then
+          echo "BASE_IMAGE=ghcr.io/nvidia/nemoclaw/sandbox-base:latest" >> "$GITHUB_ENV"
+        else
+          echo "::warning::GHCR base image not available, building locally"
+          docker build -f Dockerfile.base -t nemoclaw-sandbox-base-local .
+          echo "BASE_IMAGE=nemoclaw-sandbox-base-local" >> "$GITHUB_ENV"
+        fi

.github/dco-bypass.txt

@@ -0,0 +1,28 @@
+adityanjothi
+brandonpelfrey
+cjagwani
+cr7258
+cv
+dnandakumar-nv
+ericksoa
+gagandaroach
+hulynn
+jacobtomlinson
+jayavenkatesh19
+jbfbell
+jieunl24
+jneeee
+jyaunches
+kjw3
+krmurph
+mercl-lau
+miyoungc
+nv-ddave
+nv-kasikritc
+paritoshd-nv
+prekshivyas
+rwipfelnv
+sayalinvidia
+senthilr-nv
+theFong
+wscurran

.github/workflows/base-image.yaml

@@ -45,7 +45,7 @@ jobs:
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log in to GHCR
         uses: docker/login-action@v3

.github/workflows/dco-check.yaml

@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: dco-check
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  dco-check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Check DCO bypass list
+        id: dco-bypass
+        env:
+          USERNAME: ${{ github.event.pull_request.user.login }}
+        run: |
+          if grep -Fxq "$USERNAME" .github/dco-bypass.txt; then
+            echo "bypass=true" >> "$GITHUB_OUTPUT"
+            echo "Author is in dco-bypass.txt; skipping DCO sign-off requirement."
+          else
+            echo "bypass=false" >> "$GITHUB_OUTPUT"
+            echo "Author is not in dco-bypass.txt; DCO sign-off is required."
+          fi
+
+      - name: Check PR body for Signed-off-by
+        if: ${{ steps.dco-bypass.outputs.bypass != 'true' }}
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          normalized_body="$(printf '%s\n' "$PR_BODY" | tr -d '\r')"
+
+          if ! printf '%s\n' "$normalized_body" | grep -qP '^Signed-off-by:\s+.+\s+<[^<>]+>$'; then
+            echo "::error::PR description must contain a DCO sign-off line."
+            echo "::error::Expected format: Signed-off-by: Your Name <your-email@example.com>"
+            exit 1
+          fi
+
+          echo "PR description contains a DCO sign-off."

.github/workflows/docs-preview-deploy.yaml

@@ -78,7 +78,7 @@ jobs:
 
       - name: Post preview comment
         if: steps.meta.outputs.action != 'closed' && steps.meta.outputs.same-repo == 'true'
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405  # v2
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987  # v3.0.2
         with:
           header: pr-preview
           number: ${{ steps.meta.outputs.pr-number }}
@@ -99,7 +99,7 @@ jobs:
 
       - name: Remove preview comment
         if: steps.meta.outputs.action == 'closed'
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405  # v2
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987  # v3.0.2
         with:
           header: pr-preview
           number: ${{ steps.meta.outputs.pr-number }}

.github/workflows/e2e-brev.yaml

@@ -3,6 +3,28 @@
 
 name: e2e-brev
 
+# Ephemeral Brev E2E: provisions a cloud instance, bootstraps NemoClaw,
+# runs test suites remotely, then tears down. Use workflow_dispatch to
+# trigger manually from the Actions tab, or workflow_call from other workflows.
+#
+# Test suites:
+#   full                     — Install → onboard → sandbox verify → live inference
+#                              against NVIDIA Endpoints → CLI operations. Tests the
+#                              complete user journey. (~10 min, destroys sandbox)
+#   credential-sanitization  — 24 tests validating PR #743: credential stripping from
+#                              migration snapshots, auth-profiles.json deletion, blueprint
+#                              digest verification, symlink traversal protection, and
+#                              runtime sandbox credential checks. Requires running sandbox.
+#   telegram-injection       — 18 tests validating PR #584: command injection prevention
+#                              through $(cmd), backticks, quote breakout, ${VAR} expansion,
+#                              process table leak checks, and SANDBOX_NAME validation.
+#                              Requires running sandbox.
+#   all                      — Runs credential-sanitization + telegram-injection (NOT full,
+#                              which destroys the sandbox the security tests need).
+#
+# Required secrets: BREV_API_TOKEN, NVIDIA_API_KEY
+# Instance cost: Brev CPU credits (~$0.10/run for 4x16 instance)
+
 on:
   workflow_dispatch:
     inputs:
@@ -15,19 +37,24 @@ on:
         required: false
         default: ""
       test_suite:
-        description: "Test suite to run"
+        description: "Test suite to run (see workflow header for descriptions)"
         required: true
         default: "full"
         type: choice
         options:
           - full
           - credential-sanitization
+          - telegram-injection
           - all
       keep_alive:
         description: "Keep Brev instance alive after tests (for SSH debugging)"
         required: false
         type: boolean
         default: true
+      brev_token:
+        description: "Brev refresh token (overrides BREV_API_TOKEN secret if provided)"
+        required: false
+        default: ""
   workflow_call:
     inputs:
       branch:
@@ -64,7 +91,7 @@ jobs:
   e2e-brev:
     if: github.repository == 'NVIDIA/NemoClaw'
     runs-on: ubuntu-latest
-    timeout-minutes: 45
+    timeout-minutes: 90
     steps:
       - name: Checkout target branch
         uses: actions/checkout@v6
@@ -95,8 +122,8 @@ jobs:
 
       - name: Install Brev CLI
         run: |
-          # Pin to v0.6.310 — v0.6.322 removed --cpu flag and defaults to GPU instances
-          curl -fsSL -o /tmp/brev.tar.gz "https://github.com/brevdev/brev-cli/releases/download/v0.6.310/brev-cli_0.6.310_linux_amd64.tar.gz"
+          # Use latest Brev CLI (v0.6.322+) — CPU instances require `brev search cpu | brev create`
+          curl -fsSL -o /tmp/brev.tar.gz "https://github.com/brevdev/brev-cli/releases/download/v0.6.322/brev-cli_0.6.322_linux_amd64.tar.gz"
           tar -xzf /tmp/brev.tar.gz -C /usr/local/bin brev
           chmod +x /usr/local/bin/brev
 
@@ -105,7 +132,7 @@ jobs:
 
       - name: Run ephemeral Brev E2E
         env:
-          BREV_API_TOKEN: ${{ secrets.BREV_API_TOKEN }}
+          BREV_API_TOKEN: ${{ inputs.brev_token || secrets.BREV_API_TOKEN }}
           NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }}
           GITHUB_TOKEN: ${{ github.token }}
           INSTANCE_NAME: e2e-pr-${{ inputs.pr_number || github.run_id }}