Skip to content

fix(runtime): keep proxy env POSIX-compatible#6560

Merged
jyaunches merged 8 commits into
mainfrom
codex/fix-posix-proxy-env
Jul 9, 2026
Merged

fix(runtime): keep proxy env POSIX-compatible#6560
jyaunches merged 8 commits into
mainfrom
codex/fix-posix-proxy-env

Conversation

@cv

@cv cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes a regression from #6496 where the generated /tmp/nemoclaw-proxy-env.sh used Bash-only builtin commands, causing POSIX login shells to reject the gateway trust anchor and fail lifecycle operations. The generated file now preserves fail-closed trust behavior in Bash and POSIX sh, including when ordinary Bash functions are imported from the caller environment.

Changes

  • Invoke the readonly and unset shell builtins through portable command dispatch in the generated runtime environment.
  • Validate source-time anchor values with unshadowable shell case syntax and structurally withhold token re-export unless the exact baked anchor is readonly.
  • Bake the trusted gateway URL directly into the root-owned WhatsApp helper, independently of caller-preseedable variables.
  • Route WhatsApp login and trust decisions with shell syntax that imported functions cannot intercept.
  • Launch caller-selected gateway logins through /usr/bin/env -u OPENCLAW_GATEWAY_TOKEN, so readonly parent variables and imported command, unset, or exit functions cannot preserve the token in the child.
  • Cover repeated Bash/POSIX-sh sourcing, conflicting and mutable anchors, readonly tokens, and before/after-source function-shadowing regressions.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: this restores the documented shell-hook behavior without changing commands, configuration, security boundaries, or operator workflows.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: independent audit exercised source-time and invocation-time function-shadowing, readonly-token, poisoned-anchor, mutable-anchor, and caller-selected gateway paths; the final audit found no remaining bypass in the imported ordinary-function boundary.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: npx vitest run --project integration test/nemoclaw-start-gateway-ws-host.test.ts test/whatsapp-qr-compact.test.ts test/repro-6413-whatsapp-postpair-start.test.ts (56/56 passed)
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result:
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

  • Bug Fixes
    • Improved trusted-gateway and read-only enforcement in POSIX shells, adding confirmation checks and fail-closed behavior when enforcement can’t be verified.
    • Strengthened WhatsApp gateway login flow to ensure the gateway token is stripped in non-trusted paths, with clearer detection of token-clearing failures.
  • Tests
    • Expanded WhatsApp pairing/login and gateway websocket-host probes to run under both bash and POSIX sh, with per-shell assertions.
    • Updated guard and token-stripping tests to inject per-scenario trusted gateway URLs and validate outcomes via the openclaw call log.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv added area: security Security controls, permissions, secrets, or hardening v0.0.79 Release target labels Jul 9, 2026
@cv cv self-assigned this Jul 9, 2026
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The runtime env and WhatsApp login flow now enforce trusted-gateway token handling with POSIX shell primitives. Tests were updated to run the env and login probes under both bash and sh, and guard-extraction helpers now inject the trusted gateway URL into generated guard snippets.

Changes

POSIX Shell Gateway Handling

Layer / File(s) Summary
Trusted gateway and login dispatch
scripts/nemoclaw-start.sh
Generated runtime env output now verifies readonly enforcement with command-based primitives, conditionally re-exports the gateway token only when the trusted anchor matches, and the WhatsApp login dispatch uses guarded case-based routing, token stripping, and early return handling.
Runtime and login probes under both shells
test/nemoclaw-start-gateway-ws-host.test.ts
Gateway host sourcing and WhatsApp login probes now loop over bash and sh, use POSIX shell-compatible stubs and helper checks, and assert token stripping, failure exits, and empty or expected call logs.
Guard extraction parameterization
test/repro-6413-whatsapp-postpair-start.test.ts, test/repro-4538-raw-doctor-perms.test.ts, test/whatsapp-qr-compact.test.ts
Guard-extraction helpers now accept a trusted gateway URL, splice that URL into the extracted guard source, and run the regenerated guard against each test case’s private gateway URL.

Estimated code review effort: 4 (Complex) | ~45 minutes

Suggested labels: bug-fix, area: sandbox

Suggested reviewers: jyaunches

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: making the generated runtime proxy environment POSIX-compatible.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-posix-proxy-env

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 76%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 5476b9d bcc249d +/-
src/lib/runner.ts 80% 72% -8%
src/lib/messagi...ate-resolver.ts 100% 96% -4%
src/lib/messagi...els/metadata.ts 100% 99% -1%
src/lib/security/redact.ts 96% 97% +1%

Updated July 09, 2026 13:14 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Informational

Merge posture: Informational / low confidence
Primary next action: Resolve or justify PRA-1: PR review advisor unavailable.
Open items: 0 required · 1 warning · 0 suggestions · 1 test follow-up
Top item: PR review advisor unavailable

Action checklist

  • PRA-1 Resolve or justify: PR review advisor unavailable
  • PRA-T1 Add or justify test follow-up: Runtime validation

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify correctness Re-run the PR Review Advisor or perform a manual review.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — PR review advisor unavailable

  • Location: not file-specific
  • Category: correctness
  • Problem: The automated advisor could not complete: PR review advisor SDK execution failed: session: scope-risk-map must call pr_review_update_ledger exactly once (observed 7 starts); scope-risk-map must finish pr_review_update_ledger successfully exactly once (observed 1 successful of 7 total completions); scope-risk-map called pr_review_update_ledger before analysis; turn: scope-risk-map: scope-risk-map must call pr_review_update_ledger exactly once (observed 7 starts); scope-risk-map must finish pr_review_update_ledger successfully exactly once (observed 1 successful of 7 total completions); scope-risk-map called pr_review_update_ledger before analysis
  • Impact: Automated review evidence is incomplete, so human review must cover the changed code manually.
  • Recommended action: Re-run the PR Review Advisor or perform a manual review.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the workflow logs and raw advisor artifact for the execution failure.
  • Missing regression test: No regression test recommendation is available because the advisor did not complete.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the workflow logs and raw advisor artifact for the execution failure.
  • Evidence: PR review advisor SDK execution failed: session: scope-risk-map must call pr_review_update_ledger exactly once (observed 7 starts); scope-risk-map must finish pr_review_update_ledger successfully exactly once (observed 1 successful of 7 total completions); scope-risk-map called pr_review_update_ledger before analysis; turn: scope-risk-map: scope-risk-map must call pr_review_update_ledger exactly once (observed 7 starts); scope-risk-map must finish pr_review_update_ledger successfully exactly once (observed 1 successful of 7 total completions); scope-risk-map called pr_review_update_ledger before analysis

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Add or identify targeted runtime/integration validation for the changed behavior; do not report external E2E job pass/fail here.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: scripts/nemoclaw-start.sh.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 0 suggestions · 2 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 0 new items found

Action checklist

  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Add or identify targeted runtime/integration validation for the changed behavior; do not report external E2E job pass/fail here.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: scripts/nemoclaw-start.sh. The changed production file is sandbox bootstrap/runtime shell, so a real sandbox smoke would add confidence. However, the PR adds focused integration-style Vitest coverage that spawns Bash/POSIX shells and fake `openclaw` binaries to exercise the main trust-boundary state transitions.
  • PRA-T2 Runtime validation — Optional higher-confidence runtime smoke: in a real sandbox connect/login shell using the target image `/bin/sh`, source `/tmp/nemoclaw-proxy-env.sh`, verify the trusted gateway URL is readonly, then run `openclaw channels login --channel whatsapp` with a caller-selected `OPENCLAW_GATEWAY_URL` and confirm the child environment lacks `OPENCLAW_GATEWAY_TOKEN`.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: scripts/nemoclaw-start.sh. The changed production file is sandbox bootstrap/runtime shell, so a real sandbox smoke would add confidence. However, the PR adds focused integration-style Vitest coverage that spawns Bash/POSIX shells and fake `openclaw` binaries to exercise the main trust-boundary state transitions.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: gateway-guard-recovery, issue-4462-scope-upgrade-approval, messaging-providers
Optional E2E: whatsapp-qr-compact-e2e, openshell-gateway-auth-contract

Dispatch hint: gateway-guard-recovery,issue-4462-scope-upgrade-approval,messaging-providers

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • gateway-guard-recovery (medium): Required because the PR modifies the sandbox runtime env/guard chain emitted by nemoclaw-start.sh. This live job validates that a real sandbox restores and uses the guard chain after runtime disruption, catching entrypoint/runtime-env breakage that unit shell extraction cannot prove.
  • issue-4462-scope-upgrade-approval (high): Required because the PR changes in-sandbox gateway token exposure and OpenClaw command-guard auth boundaries. This live security job exercises the gateway token/device-auth boundary in a real sandbox and is the closest existing E2E coverage for preventing ambient gateway credentials from crossing into untrusted OpenClaw flows.
  • messaging-providers (high): Required because the changed runtime guard affects WhatsApp/messaging channel setup inside rebuilt sandboxes. This live job validates messaging provider/channel state, WhatsApp channel registration, policy, rebuild, and sandbox-visible OpenClaw runtime behavior.

Optional E2E

  • whatsapp-qr-compact-e2e (low): Optional adjacent confidence for the WhatsApp pairing surface. The PR touches the login guard that wires compact QR preloads, while this regression job verifies the bundled OpenClaw/@openclaw/whatsapp renderer still produces compact terminal QR output.
  • openshell-gateway-auth-contract (medium): Optional adjacent confidence for gateway authentication source behavior. The PR changes gateway URL/token trust handling in sourced runtime env, so this can help confirm the broader OpenShell gateway auth contract remains intact.

New E2E recommendations

  • WhatsApp gateway-token trust boundary (high): Existing live E2E covers WhatsApp channel registration/rebuild and QR rendering, but not the exact in-sandbox openclaw channels login --channel whatsapp branch changed here: caller-selected gateway URL token stripping, trusted literal URL handling, and post-pair channels.start reconciliation with gateway-token auth.
    • Suggested test: Add a live sandbox E2E that runs the generated connect-shell runtime env with a stubbed/fake OpenClaw WhatsApp login and gateway call inside the sandbox, then asserts that caller-selected OPENCLAW_GATEWAY_URL never receives OPENCLAW_GATEWAY_TOKEN while the baked trusted URL can perform the bounded post-pair channels.start reconcile.
  • connect-shell source-time trust-anchor hardening (medium): The unit tests model bash/sh function-shadowing cases, but there is no live sandbox E2E proving the root-owned /tmp/nemoclaw-proxy-env.sh fails closed when sourced from a real connect shell under hostile imported shell functions or readonly preseeded variables.
    • Suggested test: Add a focused live E2E that opens a sandbox connect shell with poisoned Bash environment functions/readonly trust-anchor variables and verifies token-bearing helpers are disabled or tokens are stripped before any OpenClaw invocation.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: gateway-guard-recovery,issue-4462-scope-upgrade-approval,messaging-providers

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-openclaw, shields-config, issue-4462-scope-upgrade-approval, messaging-providers
Optional E2E targets: channels-stop-start

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-openclaw
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=shields-config
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=issue-4462-scope-upgrade-approval
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=messaging-providers

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • ubuntu-repo-cloud-openclaw: The PR changes scripts/nemoclaw-start.sh, which is the OpenClaw sandbox startup/runtime-env path used by live typed targets. The baseline Ubuntu OpenClaw target is the smallest live-supported registry target that boots the modified startup script and validates the gateway/sandbox steady state.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-openclaw
  • shields-config: The diff changes the emitted /tmp runtime shell guard around raw in-sandbox openclaw invocations and the [All Platforms][Sandbox] NemoClaw mutable sandbox breaks group-writable openclaw.json contract after openclaw doctor --fix (gateway cannot persist config) #4538 doctor-permission restore path. The wired shields-config live job directly exercises real sandbox config/shield behavior including raw openclaw doctor --fix.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=shields-config
  • issue-4462-scope-upgrade-approval: The startup-script change is security-sensitive around OPENCLAW_GATEWAY_TOKEN, the trusted private gateway URL, and in-sandbox OpenClaw gateway calls. The wired issue-4462 scope-upgrade live job is the closest live gateway-auth/device-approval boundary check.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=issue-4462-scope-upgrade-approval
  • messaging-providers: The PR changes WhatsApp-specific in-sandbox login/token handling and post-pair channel start behavior in nemoclaw-start.sh. The wired messaging-providers live job is the available E2E workflow path that exercises WhatsApp channel configuration and rebuild/runtime parity.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=messaging-providers

Optional E2E targets

  • channels-stop-start: Optional adjacent coverage for channel start/stop RPC behavior, useful because the PR changes a WhatsApp post-pair channels.start helper, but it is broader than the primary changed OpenClaw startup/token surface.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=channels-stop-start

Relevant changed files

  • scripts/nemoclaw-start.sh

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29008085596
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: onboard-resume,snapshot-commands
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume ✅ success
snapshot-commands ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29008260147
Workflow ref: codex/fix-posix-proxy-env
Requested targets: ubuntu-repo-cloud-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29008260120
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
issue-4462-scope-upgrade-approval ✅ success

cv added 3 commits July 9, 2026 02:39
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29009134059
Workflow ref: codex/fix-posix-proxy-env
Requested targets: ubuntu-repo-cloud-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29009134045
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: onboard-resume,snapshot-commands
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume ✅ success
snapshot-commands ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29009134091
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
issue-4462-scope-upgrade-approval ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29009460466
Workflow ref: codex/fix-posix-proxy-env
Requested targets: ubuntu-repo-cloud-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29009460549
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: onboard-resume,snapshot-commands
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume ✅ success
snapshot-commands ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29009460556
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval,messaging-providers
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
issue-4462-scope-upgrade-approval ✅ success
messaging-providers ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29010342567
Workflow ref: codex/fix-posix-proxy-env
Requested targets: ubuntu-repo-cloud-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

Signed-off-by: Carlos Villela <cvillela@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
test/repro-6413-whatsapp-postpair-start.test.ts (2)

39-59: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Extract the duplicated extractGuardFunction into a shared test helper.

This helper is copy-pasted in test/whatsapp-qr-compact.test.ts (lines 277-293) and the two copies have already diverged (assert(...) here vs throw new Error(...) there). Consolidating into one shared module keeps the marker/injection contract in a single place so both suites stay in sync as the guard structure evolves.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/repro-6413-whatsapp-postpair-start.test.ts` around lines 39 - 59, The
extractGuardFunction logic is duplicated across multiple test suites and has
already diverged in error handling, so centralize it into a shared test helper
and have both suites import the same implementation. Move the marker parsing and
injection replacement logic from extractGuardFunction into a common module, then
update the callers in the WhatsApp-related tests to use that helper so the
trusted-gateway marker contract stays in sync.

48-59: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Reconstruction may drift from the actually generated guard.

The marker-based surgery re-derives the guard by hand instead of running the real writer, so it re-implements the script's literal-injection. Note the escaping is not identical: the script emits printf "..._nemoclaw_whatsapp_trusted_url='%s'" (sed single-quote escaping), whereas this reconstruction uses JSON.stringify (double-quote/JS escaping). For plain URLs they coincide, but a URL containing a quote would be assembled differently, so the test would validate a body the script never emits. Consider deriving the guard from real write_runtime_shell_env output (as test/nemoclaw-start-gateway-ws-host.test.ts does) for higher fidelity.

As per path instructions: "Prefer observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions" and "Flag copied production algorithms."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/repro-6413-whatsapp-postpair-start.test.ts` around lines 48 - 59, The
reconstruction in this test is re-implementing the trusted-gateway guard logic
instead of using the real generator, so it can diverge from the actual emitted
shell body. Update the test to derive the guard from the real
write_runtime_shell_env output, following the approach used in
test/nemoclaw-start-gateway-ws-host.test.ts, rather than slicing and rebuilding
the marker block by hand. Make sure the assertion still targets the same
observable trusted-gateway injection behavior, but avoid using
JSON.stringify-based reconstruction that can differ from the script’s sed/printf
escaping in the actual writer.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/repro-6413-whatsapp-postpair-start.test.ts`:
- Around line 39-59: The extractGuardFunction logic is duplicated across
multiple test suites and has already diverged in error handling, so centralize
it into a shared test helper and have both suites import the same
implementation. Move the marker parsing and injection replacement logic from
extractGuardFunction into a common module, then update the callers in the
WhatsApp-related tests to use that helper so the trusted-gateway marker contract
stays in sync.
- Around line 48-59: The reconstruction in this test is re-implementing the
trusted-gateway guard logic instead of using the real generator, so it can
diverge from the actual emitted shell body. Update the test to derive the guard
from the real write_runtime_shell_env output, following the approach used in
test/nemoclaw-start-gateway-ws-host.test.ts, rather than slicing and rebuilding
the marker block by hand. Make sure the assertion still targets the same
observable trusted-gateway injection behavior, but avoid using
JSON.stringify-based reconstruction that can differ from the script’s sed/printf
escaping in the actual writer.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c0f18006-2169-4f6e-a650-586e381557ee

📥 Commits

Reviewing files that changed from the base of the PR and between f11a6cc and 8220828.

📒 Files selected for processing (4)
  • scripts/nemoclaw-start.sh
  • test/nemoclaw-start-gateway-ws-host.test.ts
  • test/repro-6413-whatsapp-postpair-start.test.ts
  • test/whatsapp-qr-compact.test.ts

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Some jobs cancelled — partial pass

Run: 29010340847
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: messaging-providers,gateway-guard-recovery,openshell-gateway-auth-contract
Summary: 2 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
gateway-guard-recovery ✅ success
messaging-providers ⚠️ cancelled
openshell-gateway-auth-contract ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29010902764
Workflow ref: codex/fix-posix-proxy-env
Requested targets: ubuntu-repo-cloud-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Some jobs cancelled — partial pass

Run: 29010901183
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: messaging-providers,gateway-guard-recovery,openshell-gateway-auth-contract
Summary: 2 passed, 0 failed, 1 cancelled, 0 skipped

Job Result
gateway-guard-recovery ✅ success
messaging-providers ⚠️ cancelled
openshell-gateway-auth-contract ✅ success

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
test/whatsapp-qr-compact.test.ts (2)

278-296: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Marker-based source-text splicing is brittle and tightly coupled to scripts/nemoclaw-start.sh layout.

extractGuardFunction now depends on exact substrings (GUARDENVEOF\n # nemoclaw-trusted-gateway-literal-injection begin, etc.) from the generated shell script. Any whitespace/indentation change in the production script (even a harmless one) silently breaks this test via the assert failure rather than exercising real behavioral drift. As per path instructions, tests should prefer observable outcomes through the public boundary over source-text/private-shape assertions; this pattern is inherently source-text coupled. If there's no alternative to extracting the raw guard body, consider deriving markers from named anchors that are less likely to shift with formatting-only edits.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/whatsapp-qr-compact.test.ts` around lines 278 - 296, The
`extractGuardFunction` helper is too tightly coupled to the exact text layout of
`scripts/nemoclaw-start.sh`, making the test brittle on formatting-only changes.
Refactor the test to avoid splicing with hardcoded substrings like the trusted
gateway injection markers, and instead assert behavior through a more stable
boundary or use named anchors that are less sensitive to whitespace/indentation
shifts. Keep the change localized to `extractGuardFunction` in
`test/whatsapp-qr-compact.test.ts`.

Source: Path instructions


291-295: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

JSON.stringify isn't shell-safe quoting for the injected URL.

JSON.stringify(trustedGatewayUrl) escapes " and \ but not $ or backticks, which remain special inside double-quoted shell strings (variable expansion / command substitution). If any test's gateway URL fixture ever contains $ or a backtick, the generated guard script would be corrupted or trigger unintended substitution when sourced.

🔧 Safer approach
-  return `${guardSource.slice(0, injectionStart)}            _nemoclaw_whatsapp_trusted_url=${JSON.stringify(trustedGatewayUrl)}\n${guardSource.slice(injectionEnd + injectionEndMarker.length)}`;
+  const shellSingleQuoted = `'${trustedGatewayUrl.replace(/'/g, "'\\''")}'`;
+  return `${guardSource.slice(0, injectionStart)}            _nemoclaw_whatsapp_trusted_url=${shellSingleQuoted}\n${guardSource.slice(injectionEnd + injectionEndMarker.length)}`;

Since test URLs are currently simple/controlled, real-world impact is limited today, but this is fragile if fixtures ever change.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/whatsapp-qr-compact.test.ts` around lines 291 - 295, The trusted gateway
URL injection in the whatsapp QR compact test uses JSON.stringify, which is not
safe for shell assignment content in the generated guard script. Update the
injection logic around the marker replacement in the test to use shell-safe
quoting/escaping for the `_nemoclaw_whatsapp_trusted_url` value so `$` and
backticks cannot be expanded when sourced, and keep the change localized to the
trusted gateway literal generation in this test helper.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/repro-4538-raw-doctor-perms.test.ts`:
- Line 75: The injected URL in the guard script is being serialized with
JSON.stringify, which can alter shell semantics for special characters; update
the URL injection in the helper around the return template to use POSIX shell
single-quote escaping instead. Keep the shell literal form consistent with the
guard source so the emitted script remains safe for URLs containing $,
backticks, quotes, or backslashes.

---

Nitpick comments:
In `@test/whatsapp-qr-compact.test.ts`:
- Around line 278-296: The `extractGuardFunction` helper is too tightly coupled
to the exact text layout of `scripts/nemoclaw-start.sh`, making the test brittle
on formatting-only changes. Refactor the test to avoid splicing with hardcoded
substrings like the trusted gateway injection markers, and instead assert
behavior through a more stable boundary or use named anchors that are less
sensitive to whitespace/indentation shifts. Keep the change localized to
`extractGuardFunction` in `test/whatsapp-qr-compact.test.ts`.
- Around line 291-295: The trusted gateway URL injection in the whatsapp QR
compact test uses JSON.stringify, which is not safe for shell assignment content
in the generated guard script. Update the injection logic around the marker
replacement in the test to use shell-safe quoting/escaping for the
`_nemoclaw_whatsapp_trusted_url` value so `$` and backticks cannot be expanded
when sourced, and keep the change localized to the trusted gateway literal
generation in this test helper.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 16691850-9340-418e-9453-28c6c4911966

📥 Commits

Reviewing files that changed from the base of the PR and between 8220828 and 00a882b.

📒 Files selected for processing (2)
  • test/repro-4538-raw-doctor-perms.test.ts
  • test/whatsapp-qr-compact.test.ts

Comment thread test/repro-4538-raw-doctor-perms.test.ts
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29011947901
Workflow ref: codex/fix-posix-proxy-env
Requested targets: ubuntu-repo-cloud-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
live ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29011618741
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: openshell-gateway-auth-contract,messaging-providers,gateway-guard-recovery
Summary: 3 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
gateway-guard-recovery ✅ success
messaging-providers ✅ success
openshell-gateway-auth-contract ✅ success

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29011948002
Workflow ref: codex/fix-posix-proxy-env
Requested targets: (default — all supported)
Requested jobs: full-e2e,channels-stop-start
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
channels-stop-start ✅ success
full-e2e ✅ success

@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator Author

Exact-head gate complete at 00a882bf599c7076dd61beff3902bd911b3535bc:

  • The POSIX profile-hook regression is fixed while the gateway-token trust boundary remains fail-closed against conflicting/preseeded anchors and imported shell-function shadowing.
  • Focused runtime/security coverage passes 61/61 with one environment-gated skip; the exact formerly failing doctor-guard suite passes 5/5 with one gated skip. Normal hooks, shell syntax, Biome, and TypeScript checks pass.
  • Ordinary CI is green. Its only initial red was the unchanged mcp-bridge-status-resolution.test.ts hitting the shared 5-second timeout simultaneously on fix(advisor): make ledger commits atomic #6566; the one-time retry passed, followed by green cli-tests and aggregate checks.
  • Exact required live evidence is green: gateway auth, gateway recovery, and messaging providers; full E2E plus Hermes/OpenClaw channel stop-start; and the Ubuntu OpenClaw target.
  • CodeRabbit and both CodeQL lanes are green. Trusted GPT-5.5 is merge_as_is with 0 required findings, 0 warnings, and 0 suggestions.
  • The final CodeRabbit minor about hypothetical special characters in a controlled test-only URL renderer is explicitly dispositioned: production already performs POSIX escaping, current fixtures accept only simple maintainer-controlled ws:// literals, and all three sibling test renderers should be hardened together if arbitrary URLs enter that fixture contract.
  • Independent docs review confirms no docs update is needed; the final delta only corrects test materialization of already-existing runtime behavior.

The PR is content-mergeable with no pending or failed current checks. The remaining gate is independent review; I am not self-approving or merging a cv-authored PR. Landing this unblocks the required current-main refresh and exact runtime reruns for #6444, #6296, and #6567.

@cv cv mentioned this pull request Jul 9, 2026
21 tasks
@jyaunches jyaunches merged commit 0d2aca4 into main Jul 9, 2026
55 of 58 checks passed
@jyaunches jyaunches deleted the codex/fix-posix-proxy-env branch July 9, 2026 13:18
@jyaunches jyaunches mentioned this pull request Jul 9, 2026
21 tasks
cv pushed a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- #6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- #6271 and #6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- #6465, #6539, #6570, and #6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- #6523, #6551, #6484, #6488, #6324, and #6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- #6559, #6538, #6560, #6568, #6552, #6567, and #6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- #6541, #5415, #6246, #6496, and #6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- #6253, #6572, #6444, #6536, and #5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- #6508, #6527, #5506, #6588, #6446, #6447, #6582, #6296, #6367, #6397,
and #6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
cv added a commit that referenced this pull request Jul 11, 2026
…plugin provenance (#6645)

<!-- markdownlint-disable MD041 -->
## Summary
Fixes two stacked failures that made WhatsApp unusable on a stock
install — pairing succeeded but the channel never ran:

- **Login (#6413):** stop re-injecting the stashed private veth IP URL
into `openclaw channels login`. A private-IP origin makes the gateway's
locality check strip operator scopes (token or not), so the post-pair
`channels.start` was denied with `missing scope: operator.admin`. With
no URL in the env, OpenClaw resolves the loopback gateway from its own
config — same pattern as the `devices approve` wrapper (#4462) — and the
restart succeeds natively. Replaces the #6496 reconcile, which no-ops on
exactly this token-authed connect-shell path (`0:1:1` dispatch arm);
fresh-install validation with #6496 merged still reproduced the error.
- **Plugin trust:** install channel plugins through the `npm-pack:` spec
so OpenClaw records npm provenance for the integrity-verified tarball.
Archive-path installs record archive provenance, which fails the
trusted-official-install check gating `openKeyedStore` on OpenClaw >=
2026.6.10 — the channel crash-looped right after pairing
(`openKeyedStore is only available for trusted plugins in this
release`).
- **Removed with #6496's reconcile:** its config token reader,
`--account` forwarding, and the readonly gateway trust anchor (source of
the DGX Spark/Station regression, #6560). No gateway token moves
anywhere under this design.

**Blast radius:** the npm-pack change flows through the shared
installer, so all externally-installed channels (whatsapp, discord,
slack, msteams, weixin) plus diagnostics-otel/brave gain npm provenance;
telegram is bundled and unaffected. Audited: trust flip is benefit-only
(unblocks keyed stores that today crash or silently degrade), and the
new install layout breaks no path assumption (details below).

**Validated:** WhatsApp end-to-end live on a fresh install — QR pair, no
missing-scope, trusted record, channel running, real message round-trip.
Control run on unfixed main on the same host still fails.

<details>
<summary>Blast-radius audit: why the npm-pack change is safe for the
other channels</summary>

**What actually changes for a channel plugin?** Only two things: (1) the
install ledger now says the plugin came from npm (name, exact version,
integrity) instead of from an anonymous archive file, and (2) the
plugin's files land under
`.openclaw/npm/projects/<hash>/node_modules/<pkg>` instead of
`extensions/<id>`. The tarball itself, and the integrity verification
before installing it, are byte-for-byte the same as before.

**Could the new ledger entry break anything?** No — it only unlocks. The
trusted-official-install check is the single consumer of this
provenance, and today it fails for all five external channels. That is
why WhatsApp crash-loops at startup (it opens `openKeyedStore`
immediately), why Slack silently loses its duplicate-message protection
across restarts, and why Discord's interactive buttons/modals lose their
persistent state. With npm provenance the check passes and those
features work as designed. Nothing consumes "archive" provenance as a
positive signal, so nothing regresses.

**Could the new file location break anything?** We audited every place
that could care about the old path:
- *Runtime patches/preloads:* none match on `extensions/<id>`. The
WhatsApp compact-QR preload recognizes the qrcode module by its shape,
not its path.
- *Sandbox rebuild (backup/restore):* the backup never includes `npm/`,
so after a rebuild the plugin files and ledger always come from the
freshly built image. The old extensions-restore logic simply sees "no
extensions dir to preserve" and moves on — a state it already handles.
- *WeChat seed files:* they are written to the state dir
(`~/.openclaw/openclaw-weixin/`), not into the plugin's install dir, so
the move doesn't touch them. WeChat's hand-written `plugins.installs`
config entry keeps the old path, but the trust check never reads config
— only the ledger — so the stale entry is inert.

**Who is not affected at all?** Telegram — it ships bundled inside the
openclaw package, never goes through this installer, and was already
trusted.

**What was tested?** WhatsApp end-to-end on a fresh install (the only
channel that hard-fails today). The `openclaw-lifecycle-policy` contract
test verifies every reviewed package spec installs through the new
`npm-pack:` form.

</details>

## Related Issue
Fixes #6413

## Changes
<!-- Bullet list of key changes. -->

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — targeted replacement of the #6496 login machinery: removes
gateway-token movement entirely (the reconcile helper and its config
token reader are deleted), removes the readonly trust anchor that
regressed DGX Spark/Station, and restores the pre-#6496 runtime-env
emission; the ws:// scheme check on an explicitly exported
`OPENCLAW_GATEWAY_URL` is retained.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [ ] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [ ] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification:
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [ ] Quality Gates section completed with required justifications or
waivers
- [ ] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Hung Le <hple@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **Improvements**
- Updated OpenClaw plugin installation to use `npm-pack:` based
installs, aligning provenance/version traces (replacing direct archive
installs and `--pin`).
- Adjusted Docker-based plugin installation to use the verified tarball
install path that preserves npm provenance.
- Refreshed WhatsApp pairing/login: defaults to in-sandbox loopback,
accepts gateway URL overrides only for loopback `ws://`/`wss://`, and
exports gateway tokens whenever available.
- **Documentation**
- Shortened WhatsApp sandbox guidance and added troubleshooting for
gateway close code **1008**.
- **Tests**
- Updated messaging/OpenClaw trace expectations for `npm-pack:` formats
and revised WhatsApp guard coverage/fixtures to match the new
pairing/token/exit-code behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Hung Le <hple@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Fixes a regression from NVIDIA#6496 where the generated
`/tmp/nemoclaw-proxy-env.sh` used Bash-only `builtin` commands, causing
POSIX login shells to reject the gateway trust anchor and fail lifecycle
operations. The generated file now preserves fail-closed trust behavior
in Bash and POSIX `sh`, including when ordinary Bash functions are
imported from the caller environment.

## Changes

- Invoke the `readonly` and `unset` shell builtins through portable
`command` dispatch in the generated runtime environment.
- Validate source-time anchor values with unshadowable shell `case`
syntax and structurally withhold token re-export unless the exact baked
anchor is readonly.
- Bake the trusted gateway URL directly into the root-owned WhatsApp
helper, independently of caller-preseedable variables.
- Route WhatsApp login and trust decisions with shell syntax that
imported functions cannot intercept.
- Launch caller-selected gateway logins through `/usr/bin/env -u
OPENCLAW_GATEWAY_TOKEN`, so readonly parent variables and imported
`command`, `unset`, or `exit` functions cannot preserve the token in the
child.
- Cover repeated Bash/POSIX-sh sourcing, conflicting and mutable
anchors, readonly tokens, and before/after-source function-shadowing
regressions.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: this restores the documented
shell-hook behavior without changing commands, configuration, security
boundaries, or operator workflows.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: independent audit
exercised source-time and invocation-time function-shadowing,
readonly-token, poisoned-anchor, mutable-anchor, and caller-selected
gateway paths; the final audit found no remaining bypass in the imported
ordinary-function boundary.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: `npx
vitest run --project integration
test/nemoclaw-start-gateway-ws-host.test.ts
test/whatsapp-qr-compact.test.ts
test/repro-6413-whatsapp-postpair-start.test.ts` (56/56 passed)
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved trusted-gateway and read-only enforcement in POSIX shells,
adding confirmation checks and fail-closed behavior when enforcement
can’t be verified.
* Strengthened WhatsApp gateway login flow to ensure the gateway token
is stripped in non-trusted paths, with clearer detection of
token-clearing failures.
* **Tests**
* Expanded WhatsApp pairing/login and gateway websocket-host probes to
run under both `bash` and POSIX `sh`, with per-shell assertions.
* Updated guard and token-stripping tests to inject per-scenario trusted
gateway URLs and validate outcomes via the `openclaw` call log.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: J. Yaunches <jyaunches@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- NVIDIA#6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- NVIDIA#6271 and NVIDIA#6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- NVIDIA#6465, NVIDIA#6539, NVIDIA#6570, and NVIDIA#6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- NVIDIA#6523, NVIDIA#6551, NVIDIA#6484, NVIDIA#6488, NVIDIA#6324, and NVIDIA#6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- NVIDIA#6559, NVIDIA#6538, NVIDIA#6560, NVIDIA#6568, NVIDIA#6552, NVIDIA#6567, and NVIDIA#6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- NVIDIA#6541, NVIDIA#5415, NVIDIA#6246, NVIDIA#6496, and NVIDIA#6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- NVIDIA#6253, NVIDIA#6572, NVIDIA#6444, NVIDIA#6536, and NVIDIA#5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- NVIDIA#6508, NVIDIA#6527, NVIDIA#5506, NVIDIA#6588, NVIDIA#6446, NVIDIA#6447, NVIDIA#6582, NVIDIA#6296, NVIDIA#6367, NVIDIA#6397,
and NVIDIA#6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…plugin provenance (NVIDIA#6645)

<!-- markdownlint-disable MD041 -->
## Summary
Fixes two stacked failures that made WhatsApp unusable on a stock
install — pairing succeeded but the channel never ran:

- **Login (NVIDIA#6413):** stop re-injecting the stashed private veth IP URL
into `openclaw channels login`. A private-IP origin makes the gateway's
locality check strip operator scopes (token or not), so the post-pair
`channels.start` was denied with `missing scope: operator.admin`. With
no URL in the env, OpenClaw resolves the loopback gateway from its own
config — same pattern as the `devices approve` wrapper (NVIDIA#4462) — and the
restart succeeds natively. Replaces the NVIDIA#6496 reconcile, which no-ops on
exactly this token-authed connect-shell path (`0:1:1` dispatch arm);
fresh-install validation with NVIDIA#6496 merged still reproduced the error.
- **Plugin trust:** install channel plugins through the `npm-pack:` spec
so OpenClaw records npm provenance for the integrity-verified tarball.
Archive-path installs record archive provenance, which fails the
trusted-official-install check gating `openKeyedStore` on OpenClaw >=
2026.6.10 — the channel crash-looped right after pairing
(`openKeyedStore is only available for trusted plugins in this
release`).
- **Removed with NVIDIA#6496's reconcile:** its config token reader,
`--account` forwarding, and the readonly gateway trust anchor (source of
the DGX Spark/Station regression, NVIDIA#6560). No gateway token moves
anywhere under this design.

**Blast radius:** the npm-pack change flows through the shared
installer, so all externally-installed channels (whatsapp, discord,
slack, msteams, weixin) plus diagnostics-otel/brave gain npm provenance;
telegram is bundled and unaffected. Audited: trust flip is benefit-only
(unblocks keyed stores that today crash or silently degrade), and the
new install layout breaks no path assumption (details below).

**Validated:** WhatsApp end-to-end live on a fresh install — QR pair, no
missing-scope, trusted record, channel running, real message round-trip.
Control run on unfixed main on the same host still fails.

<details>
<summary>Blast-radius audit: why the npm-pack change is safe for the
other channels</summary>

**What actually changes for a channel plugin?** Only two things: (1) the
install ledger now says the plugin came from npm (name, exact version,
integrity) instead of from an anonymous archive file, and (2) the
plugin's files land under
`.openclaw/npm/projects/<hash>/node_modules/<pkg>` instead of
`extensions/<id>`. The tarball itself, and the integrity verification
before installing it, are byte-for-byte the same as before.

**Could the new ledger entry break anything?** No — it only unlocks. The
trusted-official-install check is the single consumer of this
provenance, and today it fails for all five external channels. That is
why WhatsApp crash-loops at startup (it opens `openKeyedStore`
immediately), why Slack silently loses its duplicate-message protection
across restarts, and why Discord's interactive buttons/modals lose their
persistent state. With npm provenance the check passes and those
features work as designed. Nothing consumes "archive" provenance as a
positive signal, so nothing regresses.

**Could the new file location break anything?** We audited every place
that could care about the old path:
- *Runtime patches/preloads:* none match on `extensions/<id>`. The
WhatsApp compact-QR preload recognizes the qrcode module by its shape,
not its path.
- *Sandbox rebuild (backup/restore):* the backup never includes `npm/`,
so after a rebuild the plugin files and ledger always come from the
freshly built image. The old extensions-restore logic simply sees "no
extensions dir to preserve" and moves on — a state it already handles.
- *WeChat seed files:* they are written to the state dir
(`~/.openclaw/openclaw-weixin/`), not into the plugin's install dir, so
the move doesn't touch them. WeChat's hand-written `plugins.installs`
config entry keeps the old path, but the trust check never reads config
— only the ledger — so the stale entry is inert.

**Who is not affected at all?** Telegram — it ships bundled inside the
openclaw package, never goes through this installer, and was already
trusted.

**What was tested?** WhatsApp end-to-end on a fresh install (the only
channel that hard-fails today). The `openclaw-lifecycle-policy` contract
test verifies every reviewed package spec installs through the new
`npm-pack:` form.

</details>

## Related Issue
Fixes NVIDIA#6413

## Changes
<!-- Bullet list of key changes. -->

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — targeted replacement of the NVIDIA#6496 login machinery: removes
gateway-token movement entirely (the reconcile helper and its config
token reader are deleted), removes the readonly trust anchor that
regressed DGX Spark/Station, and restores the pre-NVIDIA#6496 runtime-env
emission; the ws:// scheme check on an explicitly exported
`OPENCLAW_GATEWAY_URL` is retained.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [ ] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [ ] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification:
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [ ] Quality Gates section completed with required justifications or
waivers
- [ ] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Hung Le <hple@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **Improvements**
- Updated OpenClaw plugin installation to use `npm-pack:` based
installs, aligning provenance/version traces (replacing direct archive
installs and `--pin`).
- Adjusted Docker-based plugin installation to use the verified tarball
install path that preserves npm provenance.
- Refreshed WhatsApp pairing/login: defaults to in-sandbox loopback,
accepts gateway URL overrides only for loopback `ws://`/`wss://`, and
exports gateway tokens whenever available.
- **Documentation**
- Shortened WhatsApp sandbox guidance and added troubleshooting for
gateway close code **1008**.
- **Tests**
- Updated messaging/OpenClaw trace expectations for `npm-pack:` formats
and revised WhatsApp guard coverage/fixtures to match the new
pairing/token/exit-code behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Hung Le <hple@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: security Security controls, permissions, secrets, or hardening v0.0.79 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants