Merge branch 'main' into docs/architecture-docker-driver

Author: latenighthackathon

src/lib/state/sandbox.ts

@@ -9,7 +9,7 @@
 //
 // Credentials are stripped from backups using shared credential-filter.ts.
 
-import { spawnSync } from "child_process";
+import { createHash } from "node:crypto";
 import {
   chmodSync,
   existsSync,
@@ -21,17 +21,17 @@ import {
   rmSync,
   writeFileSync,
 } from "node:fs";
-import { createHash } from "node:crypto";
 import os from "node:os";
 import path from "node:path";
+import { spawnSync } from "child_process";
 
-import * as registry from "./registry.js";
-import { loadAgent } from "../agent/defs.js";
-import type { AgentStateFile } from "../agent/defs.js";
-import { resolveOpenshell } from "../adapters/openshell/resolve.js";
 import { captureOpenshellCommand } from "../adapters/openshell/client.js";
-import { sanitizeConfigFile, isSensitiveFile } from "../security/credential-filter.js";
+import { resolveOpenshell } from "../adapters/openshell/resolve.js";
+import type { AgentStateFile } from "../agent/defs.js";
+import { loadAgent } from "../agent/defs.js";
 import { shellQuote } from "../runner.js";
+import { isSensitiveFile, sanitizeConfigFile } from "../security/credential-filter.js";
+import * as registry from "./registry.js";
 
 const HOME_DIR = path.resolve(process.env.HOME || os.homedir());
 const REBUILD_BACKUPS_DIR = path.join(HOME_DIR, ".nemoclaw", "rebuild-backups");
@@ -318,8 +318,7 @@ function auditExtractedSymlinks(dirPath: string, allowedRoots: string[]): string
           // path with a tampered target falls through to the normal
           // containment check.
           const relFromDir = path.relative(dirPath, fullPath).split(path.sep).join("/");
-          const expectedTarget = AUDIT_SYMLINK_WHITELIST.get(relFromDir);
-          if (expectedTarget !== undefined && expectedTarget === linkTarget) {
+          if (isAllowedStateSymlink(relFromDir, linkTarget)) {
             continue;
           }
 
@@ -565,17 +564,12 @@ function sanitizeBackupDirectory(dirPath: string): void {
 
 const _verbose = () => process.env.NEMOCLAW_REBUILD_VERBOSE === "1";
 
-// Symlinks baked into the base image at build time (Dockerfile.base) by
-// `openclaw plugins install`. npm creates these as part of its standard
-// install layout — peer-dependency links and .bin shortcuts — and the
-// pre-backup audit would otherwise treat them as agent-planted exfil
-// attempts. Source paths are relative to the agent state-dir root (e.g.
-// for OpenClaw, /sandbox/.openclaw); targets are matched exactly against
-// the value of `readlink(source)`. Source-only matching is unsafe: a
-// compromised agent could repoint one of these to /etc/passwd and the
-// audit would still let it through. Keep in lockstep with
-// WECHAT_PLUGIN_VERSION in Dockerfile.base — bump together if the plugin
-// install layout changes.
+// Exact symlinks baked into the base image at build time (Dockerfile.base) by
+// `openclaw plugins install`. Source paths are relative to the agent state-dir
+// root (e.g. for OpenClaw, /sandbox/.openclaw); targets are matched exactly
+// against the value of `readlink(source)`. Source-only matching is unsafe: a
+// compromised agent could repoint one of these to /etc/passwd and the audit
+// would still let it through.
 const AUDIT_SYMLINK_WHITELIST: ReadonlyMap<string, string> = new Map([
   [
     "extensions/openclaw-weixin/node_modules/.bin/qrcode-terminal",
@@ -586,6 +580,33 @@ const AUDIT_SYMLINK_WHITELIST: ReadonlyMap<string, string> = new Map([
     "/usr/local/lib/node_modules/openclaw",
   ],
 ]);
+
+const EXTENSION_NPM_BIN_RE = /^extensions\/[^/]+\/node_modules\/\.bin\/[^/]+$/;
+
+function isAllowedExtensionNpmBinSymlink(relPath: string, linkTarget: string): boolean {
+  const normalizedRelPath = relPath.split(path.sep).join("/");
+  if (!EXTENSION_NPM_BIN_RE.test(normalizedRelPath)) return false;
+  if (linkTarget.length === 0 || path.posix.isAbsolute(linkTarget)) return false;
+
+  const binDir = path.posix.dirname(normalizedRelPath);
+  const nodeModulesDir = path.posix.dirname(binDir);
+  const resolvedTarget = path.posix.normalize(path.posix.join(binDir, linkTarget));
+  const targetWithinNodeModules = path.posix.relative(nodeModulesDir, resolvedTarget);
+
+  return (
+    targetWithinNodeModules.length > 0 &&
+    !targetWithinNodeModules.startsWith("../") &&
+    !path.posix.isAbsolute(targetWithinNodeModules) &&
+    !targetWithinNodeModules.startsWith(".bin/")
+  );
+}
+
+function isAllowedStateSymlink(relPath: string, linkTarget: string): boolean {
+  const exactTarget = AUDIT_SYMLINK_WHITELIST.get(relPath.split(path.sep).join("/"));
+  if (exactTarget !== undefined) return exactTarget === linkTarget;
+  return isAllowedExtensionNpmBinSymlink(relPath, linkTarget);
+}
+
 function _log(msg: string): void {
   if (_verbose()) console.error(`  [sandbox-state ${new Date().toISOString()}] ${msg}`);
 }
@@ -1059,9 +1080,7 @@ export function backupSandboxState(sandboxName: string, options: BackupOptions =
             const relPath = absPath.startsWith(dirPrefix)
               ? absPath.slice(dirPrefix.length)
               : absPath;
-            const expectedTarget =
-              type === "l" ? AUDIT_SYMLINK_WHITELIST.get(relPath) : undefined;
-            if (expectedTarget !== undefined && expectedTarget === linkTarget) {
+            if (type === "l" && isAllowedStateSymlink(relPath, linkTarget)) {
               whitelisted.push(entry);
             } else {
               violations.push(entry);

test/e2e/nemoclaw_scenarios/expected-states.yaml

@@ -130,10 +130,11 @@ expected_states:
       policy_engine: supported
       shields: supported
 
-  # Negative preflight state. Introduced alongside its first consumer,
-  # `ubuntu-no-docker-preflight-negative` (deferred from Phase 1).
-  # Setup is expected to fail, and the runner must confirm that no
-  # gateway or sandbox ghost state was left behind.
+  # Negative preflight state. Setup is expected to fail and the runner
+  # must confirm that no gateway or sandbox ghost state was left behind.
+  # The `expected_failure` block (added for #3608) is the structured
+  # contract the runner matches against; the legacy `failure` block is
+  # retained as a drift guard while scenarios migrate.
   preflight-failure-no-sandbox:
     cli:
       installed: true
@@ -144,6 +145,15 @@ expected_states:
     failure:
       expected: true
       stage: preflight
+    expected_failure:
+      phase: preflight
+      error_class: docker-missing
+      # Docker, container, daemon, socket, or preflight - case insensitive.
+      message_pattern: "(?i)docker|container|daemon|socket|preflight"
+      forbidden_side_effects:
+        - sandbox-created
+        - gateway-started
+        - credentials-written
 
   onboarding-failure-invalid-nvidia-key:
     cli:

test/e2e/runtime/resolver/expected-failure.ts

@@ -0,0 +1,167 @@
+// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * Expected-failure matcher.
+ *
+ * Negative scenarios declare an `expected_failure` contract on their
+ * expected state. The runner captures the failed setup's log plus a small
+ * side-effect inventory (sandbox-created, gateway-started, credentials-written)
+ * and asks this module whether the observation matches the contract.
+ *
+ * The contract has four parts:
+ *   - phase: which setup stage produced the failure (informational; the
+ *     runner is responsible for invoking the matcher only when that phase
+ *     actually ran).
+ *   - error_class: stable identifier for the failure mode.
+ *   - message_pattern: regex applied to the captured log when present.
+ *   - forbidden_side_effects: effects that MUST NOT be observed.
+ *
+ * Match result is structured (`ExpectedFailureReport`) so the runner can
+ * write `expected-vs-actual.json` and surface a useful diff in CI.
+ */
+
+import { compileMessagePattern } from "./load.ts";
+import type {
+  ExpectedFailure,
+  ExpectedFailurePhase,
+  ExpectedFailureErrorClass,
+  ExpectedFailureSideEffect,
+} from "./schema.ts";
+
+export interface ObservedFailure {
+  /** Phase the runner attempted; matched against `expected_failure.phase`. */
+  phase: ExpectedFailurePhase;
+  /**
+   * Structured reason if the runner could derive one (preferred). When
+   * absent, matching falls back to log-content heuristics in the runner.
+   */
+  error_class?: ExpectedFailureErrorClass;
+  /** Captured setup log; matched against `expected_failure.message_pattern`. */
+  log: string;
+  /**
+   * Side effects the runner positively observed after the failure. Each
+   * effect in `expected_failure.forbidden_side_effects` is checked against
+   * this set; presence is a failure.
+   */
+  observed_side_effects: ExpectedFailureSideEffect[];
+}
+
+export interface ExpectedFailureCheck {
+  name: "phase" | "error_class" | "message_pattern" | "forbidden_side_effects";
+  ok: boolean;
+  expected: string;
+  actual: string;
+  message?: string;
+}
+
+export interface ExpectedFailureReport {
+  ok: boolean;
+  expected: ExpectedFailure;
+  observed: ObservedFailure;
+  checks: ExpectedFailureCheck[];
+}
+
+export function matchExpectedFailure(
+  expected: ExpectedFailure,
+  observed: ObservedFailure,
+): ExpectedFailureReport {
+  const checks: ExpectedFailureCheck[] = [];
+
+  const phaseOk = expected.phase === observed.phase;
+  checks.push({
+    name: "phase",
+    ok: phaseOk,
+    expected: expected.phase,
+    actual: observed.phase,
+    message: phaseOk
+      ? undefined
+      : `phase mismatch: expected '${expected.phase}' but observed '${observed.phase}'`,
+  });
+
+  if (observed.error_class !== undefined) {
+    const classOk = expected.error_class === observed.error_class;
+    checks.push({
+      name: "error_class",
+      ok: classOk,
+      expected: expected.error_class,
+      actual: observed.error_class,
+      message: classOk
+        ? undefined
+        : `error_class mismatch: expected '${expected.error_class}' but observed '${observed.error_class}'`,
+    });
+  } else {
+    // No structured class from the runner; defer to message_pattern as
+    // the discriminator. Record a SKIPPED entry so the report makes it
+    // obvious that the class was not asserted structurally.
+    checks.push({
+      name: "error_class",
+      ok: true,
+      expected: expected.error_class,
+      actual: "<unobserved>",
+      message: "skipped: runner did not derive a structured error_class",
+    });
+  }
+
+  if (expected.message_pattern) {
+    let regex: RegExp;
+    try {
+      regex = compileMessagePattern(expected.message_pattern);
+    } catch (err) {
+      checks.push({
+        name: "message_pattern",
+        ok: false,
+        expected: expected.message_pattern,
+        actual: "<invalid regex>",
+        message: `message_pattern is not a valid regex: ${(err as Error).message}`,
+      });
+      return finalize(expected, observed, checks);
+    }
+    const ok = regex.test(observed.log);
+    checks.push({
+      name: "message_pattern",
+      ok,
+      expected: expected.message_pattern,
+      actual: ok ? "<match>" : "<no match>",
+      message: ok
+        ? undefined
+        : `message_pattern '${expected.message_pattern}' did not match captured log`,
+    });
+  }
+
+  if (expected.forbidden_side_effects?.length) {
+    const observedSet = new Set(observed.observed_side_effects);
+    const found = expected.forbidden_side_effects.filter((e) => observedSet.has(e));
+    const ok = found.length === 0;
+    checks.push({
+      name: "forbidden_side_effects",
+      ok,
+      expected: expected.forbidden_side_effects.join(","),
+      actual: observed.observed_side_effects.join(",") || "<none>",
+      message: ok
+        ? undefined
+        : `forbidden side effects observed after failure: ${found.join(", ")}`,
+    });
+  }
+
+  return finalize(expected, observed, checks);
+}
+
+function finalize(
+  expected: ExpectedFailure,
+  observed: ObservedFailure,
+  checks: ExpectedFailureCheck[],
+): ExpectedFailureReport {
+  return { ok: checks.every((c) => c.ok), expected, observed, checks };
+}
+
+export function formatExpectedFailureReport(report: ExpectedFailureReport): string {
+  const lines: string[] = [];
+  lines.push(`expected-failure: ${report.ok ? "OK" : "FAILED"}`);
+  for (const c of report.checks) {
+    const status = c.ok ? "PASS" : "FAIL";
+    lines.push(`  ${status} ${c.name} expected=${c.expected} actual=${c.actual}`);
+    if (c.message) lines.push(`       ${c.message}`);
+  }
+  return lines.join("\n");
+}