Skip to content

fix(onboard): surface network-policy hint when OpenClaw plugin install fails during sandbox build#5835

Merged
cv merged 10 commits into
mainfrom
fix/4127-plugin-install-network-policy-hint
Jun 30, 2026
Merged

fix(onboard): surface network-policy hint when OpenClaw plugin install fails during sandbox build#5835
cv merged 10 commits into
mainfrom
fix/4127-plugin-install-network-policy-hint

Conversation

@Dongni-Yang

@Dongni-Yang Dongni-Yang commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

When openshell sandbox create fails at openclaw plugins install because npm or ClawHub is unreachable, NemoClaw currently emits only generic resume guidance. This change classifies that narrow failure and prints an actionable network-policy hint while preserving nemoclaw onboard --resume as the recovery path.

Fixes #4127

Changes

  • Add plugin_install_network_denied to the sandbox-create failure classification.
  • Require the failed Docker command summary to contain openclaw plugins install.
  • Require npm-prefixed network evidence to name the same scoped plugin package as the failed command.
  • Keep non-network failures, later-step failures, different-package errors, package-agnostic errors, and non-plugin npm commands on the generic recovery path.
  • Add targeted recovery guidance for npm/ClawHub reachability and feature opt-out.
  • Isolate the nine classifier regressions in src/lib/validation-plugin-install.test.ts.

Source Boundary and Removal Condition

  • Invalid state: a plugin-install egress failure is surfaced as an undifferentiated sandbox-build failure.
  • Source boundary: the current OpenShell create interface exposes combined Docker text, including subprocess stderr followed by the failed-command summary, rather than a structured failed-subcommand type.
  • Source-fix constraint: NemoClaw cannot recover package identity from a structured OpenShell event until that interface exists, and this PR does not patch upstream runtime behavior.
  • Regression boundary: the classifier requires the exact installer command, same-package npm evidence, and a known network failure; focused positive and false-positive fixtures lock the ordering and quoting assumptions.
  • Removal condition: replace and remove this text classifier when OpenShell exposes a structured plugin-install failure carrying package identity.

Type of Change

  • Code change (bug fix)
  • Code change with doc updates
  • Doc only

Quality Gates

  • Focused tests cover the changed behavior and false-positive boundaries.
  • No user documentation change is needed; the emitted recovery hint is self-contained.
  • The code is diagnostic only and does not widen policy or change sandbox state.
  • Live runtime validation is not required for this parser-only correction: deterministically forcing external registry denial would change the environment, while the pure classifier and printer are covered with Docker/OpenShell-shaped fixtures.

Verification

  • PR body includes the DCO declaration and every commit appears Verified in GitHub.
  • Commit and push hooks passed.
  • npx vitest run --project cli src/lib/validation.test.ts src/lib/validation-plugin-install.test.ts src/lib/build-context.test.ts passed: 87 tests.
  • npm run typecheck:cli passed.
  • npm run test:imports:check passed.
  • Full root CLI/integration hook suite passed.
  • No secrets, API keys, or credentials committed.

Signed-off-by: Dongni Yang dongniy@nvidia.com

…the openclaw plugins install step

When `openshell sandbox create` fails because the Dockerfile's
`openclaw plugins install` RUN step exits non-zero, the build output
contains the distinctive strings "openclaw plugins install" or
"npm:@openclaw/", but `classifySandboxCreateFailure` had no branch for
this pattern and fell through to `kind="unknown"`. The resulting hint
was the generic "nemoclaw onboard --resume" line with no indication of
the likely cause.

Add a `"plugin_install_network_denied"` kind to `SandboxCreateFailure`
and a classifier that matches those strings in the openshell create
output. `printSandboxCreateRecoveryHints` now emits a targeted message
noting that network policy may be blocking outbound access to ClawHub
or the npm registry, and suggests disabling the feature (e.g.
`NEMOCLAW_WEB_SEARCH_ENABLED=0`) as an alternative if a preset isn't
available.

Fixes #4127

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
The previous regex matched `openclaw plugins install|npm:@openclaw/`
anywhere in the captured output, which would mis-classify a build where
that step succeeded and a later step failed — the Docker step header
(`Step N: RUN openclaw plugins install ...`) would match even though the
failure came from an unrelated subsequent RUN step.

Tighten to the Docker error block format:
  The command '...<plugin text>...' returned a non-zero code

`[^']*` is used (not `[^\n]*`) because the embedded shell command often
spans multiple lines (chained commands joined with semicolons), and JS
character classes match newlines. Add a regression test that verifies
the step-header false-positive is rejected.

Refs #4127

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
…n-install failure as network-denied

The previous classifier fired on any failed `openclaw plugins install`
Docker command, including package-not-found (HTTP 404 from the registry),
version conflicts, and auth errors — all of which would receive a
misleading "network policy blocking egress" hint.

Narrow the match to require both:
1. The Docker error block anchored to the failed plugin-install step
2. A network/egress reachability error (ENOTFOUND, EAI_AGAIN,
   ECONNREFUSED, ETIMEDOUT, fetch failed, etc.) in the captured output

This ensures the hint "your sandbox network policy may be blocking
outbound plugin-install access" is only shown when the underlying
failure is actually a network reachability problem.

Test changes:
- Updated positive tests to include ENOTFOUND / ECONNREFUSED output
  matching real npm network error messages (registry.npmjs.org and
  ClawHub paths respectively)
- Added negative test: same Docker failed-command block but E404
  package-not-found → classifies as "unknown"
- Added direct build-context.test.ts coverage for the new hint branch,
  asserting the key user-visible strings (plugin-install step, ClawHub,
  npm registry, network policy, NEMOCLAW_WEB_SEARCH_ENABLED=0,
  onboard --resume)

Refs #4127

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a new sandbox-create failure kind for plugin-install network denial, classifies matching OpenClaw install errors, and prints recovery hints that mention the plugin-install step, network policy, and onboard --resume.

Changes

OpenClaw plugin install network denial

Layer / File(s) Summary
Failure kind and classifier
src/lib/validation.ts, src/lib/validation.test.ts
Adds plugin_install_network_denied to sandbox-create failures and classifies plugin-install failures when network/DNS-style error text is present; tests cover matching and non-matching cases.
Recovery hints and resume path
src/lib/build-context.ts, src/lib/build-context.test.ts
Prints targeted recovery guidance for the new failure kind, including the plugin-install step context and onboard --resume, with a test for the emitted text.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

Suggested labels

integration: openclaw, area: onboarding, area: sandbox, bug-fix

Suggested reviewers

  • cv
  • ericksoa

Poem

A rabbit hopped through logs so bright,
and found a network-denied night.
“ClawHub’s far,” said I with flair,
“but onboard --resume gets us there!”
🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: a network-policy hint for OpenClaw plugin-install sandbox build failures.
Linked Issues check ✅ Passed The PR adds targeted diagnostics for plugin-install egress denials and covers both npm registry and ClawHub network failures as requested.
Out of Scope Changes check ✅ Passed No unrelated functionality is introduced beyond the plugin-install failure diagnostics, classifier, and tests.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/4127-plugin-install-network-policy-hint

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 8d4ee7e +/-
nemoclaw/src/se...cret-scanner.ts 100%
nemoclaw/src/commands/slash.ts 100%
nemoclaw/src/li...bprocess-env.ts 100%
nemoclaw/src/bl...eprint/state.ts 98%
nemoclaw/src/onboard/config.ts 98%
nemoclaw/src/bl...int/snapshot.ts 97%
nemoclaw/src/bl...print/runner.ts 95%
nemoclaw/src/co...ration-state.ts 94%
nemoclaw/src/bl...ate-networks.ts 94%
nemoclaw/src/index.ts 94%

TypeScript / code-coverage/cli

The overall coverage in the branch is 67%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 8d4ee7e +/-
src/lib/actions...all/run-plan.ts 80%
src/lib/state/o...oard-session.ts 79%
src/lib/actions...dbox/rebuild.ts 74%
src/lib/state/sandbox.ts 72%
src/lib/onboard/preflight.ts 69%
src/lib/actions...licy-channel.ts 60%
src/lib/onboard...er-gpu-patch.ts 59%
src/lib/policy/index.ts 52%
src/lib/shields/index.ts 51%
src/lib/onboard.ts 20%

Updated June 30, 2026 05:17 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: No advisor follow-up required beyond maintainer review.
Open items: 0 required · 0 warnings · 0 suggestions · 0 test follow-ups
Top item: No actionable code findings

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: onboard-negative-paths, brave-search
Optional E2E: network-policy

Dispatch hint: onboard-negative-paths,brave-search

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • onboard-negative-paths (low): Closest existing negative-path E2E for onboarding CLI failure/output behavior; this PR changes failure classification and recovery text users see from onboarding failures.
  • brave-search (medium): Exercises the real OpenClaw plugin-install path used by the web-search plugin flow, which is the concrete plugin-install scenario referenced by the new classifier and recovery hint.

Optional E2E

  • network-policy (high): Useful adjacent confidence because the new hint points users at sandbox network-policy egress for npm/ClawHub, though this PR does not modify policy assets or enforcement.

New E2E recommendations

  • plugin-install sandbox-create failure recovery (high): Existing E2E jobs do not appear to deterministically inject an npm/ClawHub network failure at the openclaw plugins install Docker build step and assert the new plugin_install_network_denied recovery guidance.
    • Suggested test: Add a focused live or regression E2E that forces the sandbox Docker build plugin-install step to fail with npm ENOTFOUND/ECONNREFUSED for the selected @openclaw package, then asserts the CLI output mentions OpenClaw plugin-install, ClawHub/npm registry, network policy, NEMOCLAW_WEB_SEARCH_ENABLED=0, and onboard --resume.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: onboard-negative-paths,brave-search

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: None
Optional Vitest E2E scenarios: None

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • None. Changes are limited to sandbox-create failure classification and user-facing recovery hints for a plugin-install network-denial error, with accompanying unit tests. The live Vitest scenario workflow does not have a deterministic typed scenario that forces the OpenClaw plugin-install network-policy failure path, so a scenario dispatch would not prove this changed surface.

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • src/lib/build-context.ts
  • src/lib/validation.ts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/validation.ts`:
- Around line 144-149: The classifier in validation.ts is too broad because it
matches any Docker RUN block containing openclaw plugins install, even when a
later command in the same block fails. Tighten the logic in the network-failure
branch so it only classifies plugin_install_network_denied when the failing
subcommand itself shows plugin-fetch/install evidence, using the existing
validation.ts matching and the relevant openclaw plugins install / npm:`@openclaw`
patterns as anchors. Update validation.test.ts with a regression case where
plugin install succeeds but a later command in the same shell block fails, and
verify it no longer returns the plugin install recovery hint.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b142153c-913c-41f6-bb87-87ba3729f360

📥 Commits

Reviewing files that changed from the base of the PR and between 8e047a6 and 563708c.

📒 Files selected for processing (4)
  • src/lib/build-context.test.ts
  • src/lib/build-context.ts
  • src/lib/validation.test.ts
  • src/lib/validation.ts

Comment thread src/lib/validation.ts Outdated
…false positives from later RUN block commands

The previous network-error predicate matched any ENOTFOUND/ECONNREFUSED/etc.
in the captured output, which could fire the plugin-install hint when the
plugin install itself succeeded but a later command in the same RUN block
(e.g. `openclaw doctor --fix`) failed with a network error. npm's error
output consistently prefixes every line with "npm error", whereas commands
run after a successful install produce different error formats. Requiring
"npm error" + network pattern anchors the evidence to the npm installer
specifically, ruling out later-command false positives.

Add a regression test: the same RUN block runs plugin install (succeeds)
then openclaw doctor (fails with ENOTFOUND but no "npm error" prefix) →
correctly returns "unknown".

Refs #4127

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
…get divergence

Refs #4127

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
Bound the network-evidence regex to the text up to and including the
failed-plugin-install Docker error block rather than scanning the entire
output. This prevents an npm script that runs after a successful plugin
install in the same RUN block from producing a false
plugin_install_network_denied classification when that later script emits
an npm-prefixed network error.

Adds a regression test for this case (npm script post-install in the
same RUN block emits npm error ENOTFOUND after the Docker boundary).

Refs #4127

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
@Dongni-Yang

Copy link
Copy Markdown
Contributor Author

Addressing PRA-2 / CodeRabbit (windowed npm-error search):

Both PRA-2 and the CodeRabbit comment correctly identified that scanning the entire output for npm error network evidence could misfire if an unrelated npm script in the same RUN block emits a network error after the plugin-install step has already succeeded.

Fixed in the latest commit (9d8df9496): the network-evidence regex now searches only the text up to and including the Docker The command '...' returned a non-zero code boundary, not the full output. This means npm errors that appear after the Docker error line (i.e. from a later command whose errors are streamed after Docker reports the block failure) are excluded from the classification window.

A regression test was added for this case:

"The command '...openclaw plugins install...' returned a non-zero code: 1"
"npm error code ENOTFOUND"       ← appears after the Docker boundary → excluded
"npm error network request ..."  ← same
→ kind: "unknown"  ✓

Addressing PRA-1 (source-of-truth review):

The classification is intentionally localized to NemoClaw's classifier layer. The source-of-truth facts:

  • Invalid state: Docker build fails at the plugin-install RUN block with both (a) a The command '...' returned a non-zero code boundary containing openclaw plugins install or npm:@openclaw/, and (b) an npm error network error in the prefix up to that boundary.
  • Source boundary: classifySandboxCreateFailure() in src/lib/validation.ts — a pure function with no I/O, so the behavior is fully unit-testable without Docker.
  • Source-fix constraint: The upstream fix would be OpenShell exposing the failing RUN-block step name in structured error output so the classifier doesn't need regex parsing. Until that lands, the localized pattern match is the best available signal.
  • Regression tests: 7 tests total covering the positive path (ENOTFOUND, ECONNREFUSED against npm/ClawHub registries), 5 negative paths (unrelated failures, non-network E404, step-header false positive, doctor-fix format, post-boundary npm error).
  • Removal condition: when OpenShell exposes a structured failedStep field in sandbox create failure output, this classifier branch can be replaced with a direct field check.

@Dongni-Yang Dongni-Yang added the v0.0.69 Release target label Jun 26, 2026
@wscurran wscurran added area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression integration: openclaw OpenClaw integration behavior labels Jun 26, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 28261980087
Target ref: fix/4127-plugin-install-network-policy-hint
Requested jobs: onboard-negative-paths-e2e,cloud-onboard-e2e
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard-e2e ✅ success
onboard-negative-paths-e2e ✅ success

@cv cv added v0.0.71 Release target and removed v0.0.69 Release target labels Jun 28, 2026

@prekshivyas prekshivyas left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeRabbit's concern about same-RUN-block false positives is pre-addressed: the window slice text.slice(0, match.index + match[0].length) excludes post-boundary npm output, and the npm error.* prefix anchor drops non-npm error formats. Tests at lines 344 and 359 of validation.test.ts cover both sub-cases (non-npm network error and npm network error from a later command in the same block). Implementation is correct as-is.

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-openclaw
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-openclaw

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: medium

Required E2E targets

  • ubuntu-repo-cloud-openclaw: The PR changes sandbox-create failure classification and recovery hints used by OpenClaw onboarding. The smallest live-supported typed target that exercises the OpenClaw Docker onboarding and sandbox creation surface is ubuntu-repo-cloud-openclaw.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-openclaw

Optional E2E targets

  • None.

Relevant changed files

  • src/lib/build-context.ts
  • src/lib/validation.ts

Comment thread src/lib/validation.ts Fixed
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 2 suggestions · 1 test follow-up
Since last review: 0 prior items resolved · 0 still apply · 0 new items found

Action checklist

  • PRA-T1 Add or justify test follow-up: Test uses hardcoded plugin version that will age
  • PRA-1 In-scope improvement: Test uses hardcoded plugin version that will age in src/lib/validation-plugin-install.test.ts:15
  • PRA-2 In-scope improvement: Hint references single feature flag as example; consider generalizing if more plugin-dependent features exist in src/lib/build-context.ts:231

Findings index

ID Severity Category Location Required action
PRA-1 Improvement tests src/lib/validation-plugin-install.test.ts:15 Replace with a generic version like `@latest` or `@1.0.0` to signal version is irrelevant, or add a comment that version is ignored.
PRA-2 Improvement scope src/lib/build-context.ts:231 Add a TODO comment noting that if more plugin-dependent features are added, the hint should generalize (e.g., 'disable the feature requiring this plugin').
Review findings by urgency: 0 required fixes, 0 items to resolve/justify, 2 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

  • None.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-1 Improvement — Test uses hardcoded plugin version that will age

  • Location: src/lib/validation-plugin-install.test.ts:15
  • Category: tests
  • Problem: The positive test case embeds a specific version `@2026.5.27` in the Docker command text. While the classifier only matches the package name (not version), using a fixed date-like version could confuse future readers into thinking the version matters.
  • Impact: Low — cosmetic; no functional risk since classifier extracts package name via regex ignoring version.
  • Suggested action: Replace with a generic version like `@latest` or `@1.0.0` to signal version is irrelevant, or add a comment that version is ignored.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read test line 15; confirm classifier regex at validation.ts:147 only captures @openclaw/... package name.
  • Missing regression test: No new test needed — existing test already proves version independence via package-name extraction logic.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: validation-plugin-install.test.ts:15 contains 'npm:@openclaw/brave-plugin@2026.5.27'; validation.ts:147 regex /(?:npm:)?(@openclaw\/[a-z0-9._-]+)/gi captures only package name.

PRA-2 Improvement — Hint references single feature flag as example; consider generalizing if more plugin-dependent features exist

  • Location: src/lib/build-context.ts:231
  • Category: scope
  • Problem: Recovery hint mentions `NEMOCLAW_WEB_SEARCH_ENABLED=0` as the example feature to disable. If additional features trigger plugin installs, the hint may need updating.
  • Impact: Low — hint is guidance only; users can still inspect policy. No functional regression if example becomes stale.
  • Suggested action: Add a TODO comment noting that if more plugin-dependent features are added, the hint should generalize (e.g., 'disable the feature requiring this plugin').
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read build-context.ts:221-233; check if other env flags gate plugin installs in codebase.
  • Missing regression test: Not testable — depends on future feature additions.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: build-context.ts:231 mentions NEMOCLAW_WEB_SEARCH_ENABLED=0; grep for other NEMOCLAW_*_ENABLED flags that might gate plugins.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Test uses hardcoded plugin version that will age — Replace with a generic version like `@latest` or `@1.0.0` to signal version is irrelevant, or add a comment that version is ignored.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Improvement — Test uses hardcoded plugin version that will age

  • Location: src/lib/validation-plugin-install.test.ts:15
  • Category: tests
  • Problem: The positive test case embeds a specific version `@2026.5.27` in the Docker command text. While the classifier only matches the package name (not version), using a fixed date-like version could confuse future readers into thinking the version matters.
  • Impact: Low — cosmetic; no functional risk since classifier extracts package name via regex ignoring version.
  • Suggested action: Replace with a generic version like `@latest` or `@1.0.0` to signal version is irrelevant, or add a comment that version is ignored.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read test line 15; confirm classifier regex at validation.ts:147 only captures @openclaw/... package name.
  • Missing regression test: No new test needed — existing test already proves version independence via package-name extraction logic.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: validation-plugin-install.test.ts:15 contains 'npm:@openclaw/brave-plugin@2026.5.27'; validation.ts:147 regex /(?:npm:)?(@openclaw\/[a-z0-9._-]+)/gi captures only package name.

PRA-2 Improvement — Hint references single feature flag as example; consider generalizing if more plugin-dependent features exist

  • Location: src/lib/build-context.ts:231
  • Category: scope
  • Problem: Recovery hint mentions `NEMOCLAW_WEB_SEARCH_ENABLED=0` as the example feature to disable. If additional features trigger plugin installs, the hint may need updating.
  • Impact: Low — hint is guidance only; users can still inspect policy. No functional regression if example becomes stale.
  • Suggested action: Add a TODO comment noting that if more plugin-dependent features are added, the hint should generalize (e.g., 'disable the feature requiring this plugin').
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Read build-context.ts:221-233; check if other env flags gate plugin installs in codebase.
  • Missing regression test: Not testable — depends on future feature additions.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: build-context.ts:231 mentions NEMOCLAW_WEB_SEARCH_ENABLED=0; grep for other NEMOCLAW_*_ENABLED flags that might gate plugins.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
cv added 2 commits June 29, 2026 21:51
@cv

cv commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Maintainer disposition for exact head 8d4ee7e3715fdd7851aedc80dd2551fbb1c049e7:

  • Both PR Review Advisor jobs/checks are green, and the workflow is explicitly advisory. Nemotron PRA-1 is internally contradictory: its own required action says “No action needed” and cites the committed source-boundary/removal-condition comment plus nine focused fixtures. Treat PRA-1 as resolved.
  • Accept the bounded text-parser risk in PRA-2 and PRA-T1PRA-T3: package correlation, Docker-boundary slicing, network-code matching, and negative fixtures cover the changed behavior. A live success-path onboard target cannot exercise this failure classifier.
  • PRA-3 and PRA-4 concern unchanged code and are out of scope.
  • PRA-5/PRA-T4 does not match the production installer shape, which invokes openclaw plugins install once per package.
  • PRA-6 is mitigated by same-package correlation and the package-agnostic negative test. PRA-7 proposes a broad recovery-plan refactor; this PR directly tests the existing hint-rendering pattern.

No code change or additional E2E is required for these advisor items. Rerunning the PR Review Advisor once on this exact SHA to refresh its sticky outputs.

@cv

cv commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Refreshed Nemotron suggestions disposition: keep @2026.5.27 in the fixture because it intentionally mirrors the pinned OpenClaw runtime output; the classifier ignores the version. No TODO is needed for the feature flag because the emitted hint is already generic (“the feature that requires this plugin”) and labels NEMOCLAW_WEB_SEARCH_ENABLED=0 only as an example. These are non-blocking and require no code change.

@cv cv merged commit 0690f16 into main Jun 30, 2026
47 checks passed
@cv cv deleted the fix/4127-plugin-install-network-policy-hint branch June 30, 2026 06:19
@jyaunches jyaunches mentioned this pull request Jun 30, 2026
21 tasks
jyaunches added a commit that referenced this pull request Jun 30, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Refreshes the public documentation for NemoClaw v0.0.71 after scanning
commits since v0.0.70. Adds release notes and fills the remaining doc
gaps for Windows bootstrap diagnostics, OpenClaw agent auto-relock
warnings, auto-pair cadence tuning, and plugin-install recovery hints.

## Changes
- `docs/about/release-notes.mdx`: adds the v0.0.71 release-note section,
grouped by gateway recovery, OpenShell auth, policy provenance, day-two
maintenance, messaging/inference, and Windows setup.
- `docs/get-started/windows-preparation.mdx`: documents sanitized WSL
install output and reboot gating in the Windows bootstrap.
- `docs/reference/commands.mdx`: documents the host `agent` wrapper's
shields auto-relock warning and OpenClaw auto-pair watcher tuning
variables.
- `docs/reference/troubleshooting.mdx`: adds plugin-install network
failure recovery guidance and updates Windows WSL troubleshooting for
sanitized install logs and reboot-required handling.

Source summary:
- #6065 -> `docs/about/release-notes.mdx`: Notes explicit model override
preservation and gateway-log guard-chain recovery diagnostics.
- #5874 -> `docs/about/release-notes.mdx`: Summarizes host-mediated
`recover` and `gateway restart`, linking to lifecycle, command,
troubleshooting, and trusted-boundary docs already added by the source
PR.
- #5596 -> `docs/about/release-notes.mdx`: Summarizes OpenShell 0.0.71
gateway auth, loopback binding, and compatibility-container docs already
added by the source PR.
- #5797 and #5798 -> `docs/about/release-notes.mdx`: Summarizes
`policy-list` provenance, Restricted tier suppression, and Balanced tier
weather behavior already reflected in policy docs.
- #5784 -> `docs/about/release-notes.mdx`: Summarizes
`--destroy-user-data` and the safe `--yes` uninstall behavior already
documented in lifecycle and command docs.
- #6034 -> `docs/about/release-notes.mdx`: Summarizes custom Dockerfile
warm-build cache behavior already documented in the command reference.
- #5951 -> `docs/reference/commands.mdx`: Documents the stderr-only host
`agent` wrapper warning after recent shields auto-relock.
- #5387 -> `docs/reference/commands.mdx`: Documents OpenClaw auto-pair
watcher cadence and fast-reentry tuning variables.
- #5835 -> `docs/reference/troubleshooting.mdx`: Adds recovery guidance
for OpenClaw plugin-install network failures.
- #5995 and #5956 -> `docs/about/release-notes.mdx`: Summarizes
Microsoft Teams final-message delivery and runtime mention hints already
covered by messaging docs.
- #5716 -> `docs/about/release-notes.mdx`: Summarizes non-interactive
Ollama loopback safety already covered by local inference docs.
- #5505, #5527, and #5528 -> `docs/about/release-notes.mdx`: Summarizes
compatible local endpoint, model task-fit, and model capability audit
docs.
- #6009 -> `docs/get-started/windows-preparation.mdx`,
`docs/reference/troubleshooting.mdx`: Documents sanitized Windows
bootstrap WSL output and reboot-required gating.
- #6055 -> no additional source doc page change needed beyond the
already-merged quickstart update; release notes did not duplicate
routine quickstart cleanup.

No matching v0.0.71 GitHub announcement discussion was found in the
latest 20 discussions, so this refresh is based on the commit scan and
existing source PR docs.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: docs-only refresh with no
runtime behavior changes.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — ran
`npm run docs`; Fern reported 0 errors and 2 existing warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added a new release-notes entry covering gateway recovery,
authentication, network policy/provenance output, uninstall safety,
Windows bootstrap diagnostics, messaging defaults, and inference setup
guidance.
* Clarified Windows preparation steps around reboot behavior and
redacting troubleshooting transcripts.
* Expanded command reference details for OpenClaw wrapper behavior and
new auto-pair tuning options.
* Improved troubleshooting guidance for plugin installation issues, WSL
repair/reboot cases, and install timing problems.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Co-authored-by: Prekshi Vyas <34834085+prekshivyas@users.noreply.github.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…l fails during sandbox build (NVIDIA#5835)

<!-- markdownlint-disable MD041 -->
## Summary

When `openshell sandbox create` fails at `openclaw plugins install`
because npm or ClawHub is unreachable, NemoClaw currently emits only
generic resume guidance. This change classifies that narrow failure and
prints an actionable network-policy hint while preserving `nemoclaw
onboard --resume` as the recovery path.

Fixes NVIDIA#4127

## Changes

- Add `plugin_install_network_denied` to the sandbox-create failure
classification.
- Require the failed Docker command summary to contain `openclaw plugins
install`.
- Require npm-prefixed network evidence to name the same scoped plugin
package as the failed command.
- Keep non-network failures, later-step failures, different-package
errors, package-agnostic errors, and non-plugin npm commands on the
generic recovery path.
- Add targeted recovery guidance for npm/ClawHub reachability and
feature opt-out.
- Isolate the nine classifier regressions in
`src/lib/validation-plugin-install.test.ts`.

## Source Boundary and Removal Condition

- Invalid state: a plugin-install egress failure is surfaced as an
undifferentiated sandbox-build failure.
- Source boundary: the current OpenShell create interface exposes
combined Docker text, including subprocess stderr followed by the
failed-command summary, rather than a structured failed-subcommand type.
- Source-fix constraint: NemoClaw cannot recover package identity from a
structured OpenShell event until that interface exists, and this PR does
not patch upstream runtime behavior.
- Regression boundary: the classifier requires the exact installer
command, same-package npm evidence, and a known network failure; focused
positive and false-positive fixtures lock the ordering and quoting
assumptions.
- Removal condition: replace and remove this text classifier when
OpenShell exposes a structured plugin-install failure carrying package
identity.

## Type of Change

- [x] Code change (bug fix)
- [ ] Code change with doc updates
- [ ] Doc only

## Quality Gates

- [x] Focused tests cover the changed behavior and false-positive
boundaries.
- [x] No user documentation change is needed; the emitted recovery hint
is self-contained.
- [x] The code is diagnostic only and does not widen policy or change
sandbox state.
- [x] Live runtime validation is not required for this parser-only
correction: deterministically forcing external registry denial would
change the environment, while the pure classifier and printer are
covered with Docker/OpenShell-shaped fixtures.

## Verification

- [x] PR body includes the DCO declaration and every commit appears
Verified in GitHub.
- [x] Commit and push hooks passed.
- [x] `npx vitest run --project cli src/lib/validation.test.ts
src/lib/validation-plugin-install.test.ts src/lib/build-context.test.ts`
passed: 87 tests.
- [x] `npm run typecheck:cli` passed.
- [x] `npm run test:imports:check` passed.
- [x] Full root CLI/integration hook suite passed.
- [x] No secrets, API keys, or credentials committed.

---
Signed-off-by: Dongni Yang <dongniy@nvidia.com>

---------

Signed-off-by: Dongni Yang <dongniy@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Refreshes the public documentation for NemoClaw v0.0.71 after scanning
commits since v0.0.70. Adds release notes and fills the remaining doc
gaps for Windows bootstrap diagnostics, OpenClaw agent auto-relock
warnings, auto-pair cadence tuning, and plugin-install recovery hints.

## Changes
- `docs/about/release-notes.mdx`: adds the v0.0.71 release-note section,
grouped by gateway recovery, OpenShell auth, policy provenance, day-two
maintenance, messaging/inference, and Windows setup.
- `docs/get-started/windows-preparation.mdx`: documents sanitized WSL
install output and reboot gating in the Windows bootstrap.
- `docs/reference/commands.mdx`: documents the host `agent` wrapper's
shields auto-relock warning and OpenClaw auto-pair watcher tuning
variables.
- `docs/reference/troubleshooting.mdx`: adds plugin-install network
failure recovery guidance and updates Windows WSL troubleshooting for
sanitized install logs and reboot-required handling.

Source summary:
- NVIDIA#6065 -> `docs/about/release-notes.mdx`: Notes explicit model override
preservation and gateway-log guard-chain recovery diagnostics.
- NVIDIA#5874 -> `docs/about/release-notes.mdx`: Summarizes host-mediated
`recover` and `gateway restart`, linking to lifecycle, command,
troubleshooting, and trusted-boundary docs already added by the source
PR.
- NVIDIA#5596 -> `docs/about/release-notes.mdx`: Summarizes OpenShell 0.0.71
gateway auth, loopback binding, and compatibility-container docs already
added by the source PR.
- NVIDIA#5797 and NVIDIA#5798 -> `docs/about/release-notes.mdx`: Summarizes
`policy-list` provenance, Restricted tier suppression, and Balanced tier
weather behavior already reflected in policy docs.
- NVIDIA#5784 -> `docs/about/release-notes.mdx`: Summarizes
`--destroy-user-data` and the safe `--yes` uninstall behavior already
documented in lifecycle and command docs.
- NVIDIA#6034 -> `docs/about/release-notes.mdx`: Summarizes custom Dockerfile
warm-build cache behavior already documented in the command reference.
- NVIDIA#5951 -> `docs/reference/commands.mdx`: Documents the stderr-only host
`agent` wrapper warning after recent shields auto-relock.
- NVIDIA#5387 -> `docs/reference/commands.mdx`: Documents OpenClaw auto-pair
watcher cadence and fast-reentry tuning variables.
- NVIDIA#5835 -> `docs/reference/troubleshooting.mdx`: Adds recovery guidance
for OpenClaw plugin-install network failures.
- NVIDIA#5995 and NVIDIA#5956 -> `docs/about/release-notes.mdx`: Summarizes
Microsoft Teams final-message delivery and runtime mention hints already
covered by messaging docs.
- NVIDIA#5716 -> `docs/about/release-notes.mdx`: Summarizes non-interactive
Ollama loopback safety already covered by local inference docs.
- NVIDIA#5505, NVIDIA#5527, and NVIDIA#5528 -> `docs/about/release-notes.mdx`: Summarizes
compatible local endpoint, model task-fit, and model capability audit
docs.
- NVIDIA#6009 -> `docs/get-started/windows-preparation.mdx`,
`docs/reference/troubleshooting.mdx`: Documents sanitized Windows
bootstrap WSL output and reboot-required gating.
- NVIDIA#6055 -> no additional source doc page change needed beyond the
already-merged quickstart update; release notes did not duplicate
routine quickstart cleanup.

No matching v0.0.71 GitHub announcement discussion was found in the
latest 20 discussions, so this refresh is based on the commit scan and
existing source PR docs.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: docs-only refresh with no
runtime behavior changes.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — ran
`npm run docs`; Fern reported 0 errors and 2 existing warnings.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added a new release-notes entry covering gateway recovery,
authentication, network policy/provenance output, uninstall safety,
Windows bootstrap diagnostics, messaging defaults, and inference setup
guidance.
* Clarified Windows preparation steps around reboot behavior and
redacting troubleshooting transcripts.
* Expanded command reference details for OpenClaw wrapper behavior and
new auto-pair tuning options.
* Improved troubleshooting guidance for plugin installation issues, WSL
repair/reboot cases, and install timing problems.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
Co-authored-by: Prekshi Vyas <34834085+prekshivyas@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression integration: openclaw OpenClaw integration behavior v0.0.71 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Improve OpenClaw plugin install network-policy denial diagnostics

5 participants