chore(infra): unstick prod pipeline — .family cross-stack, revert prod.tag, drop nonce

[prez2307]

Summary

PR #324's nonce theory was wrong — today's deploy failed again with the same Cannot update export ... as it is in use error. CFN checks the consumer's live template, not pending changes queued in the same run, so giving service-stack a nonce diff doesn't help.

This is the PR-A half of a two-PR plan to roll the extended image out to everyone:

1. Revert openclaw-version.json prod.tag → "bootstrap". Container-stack will have no task-def diff this deploy, so it can't hit the lock. Prod stays on alpine/openclaw:2026.4.5 (upstream) — where every running task-def revision is now. Zero runtime regression.
2. Swap service-stack.ts:588 from .taskDefinitionArn → .family. That's an inlined static string ("isol8-prod-openclaw"), not a cross-stack Fn::ImportValue. The coupling is gone: after deploy, isol8-prod-container:ExportsOutputRefOpenClawTaskDef... has no consumers.
3. Drop DEPLOY_NONCE (PR chore(infra): unblock prod task-def export bump via DEPLOY_NONCE #324 leftover).

Trade-off

.family reintroduces the "latest-in-family" lookup PR #299 moved away from. Currently safe:

• CLAWHUB_WORKDIR is on every clone now (added in PR fix(skills): redirect clawhub installs + always enable ECS Exec #277, inherited by every subsequent per-user clone).
• Access point is always overridden in _build_register_kwargs_from_base, so no cross-user leakage even if the backend clones from a per-user revision.

Durable fix (put the revision ARN behind an SSM parameter so it's not a CFN-import) is worth doing later — filed as follow-up.

Follow-up PR

PR-B: re-bump prod.tag → "2026.4.5-bf9f699". With no consumer importing the export, container-stack updates the task-def freely. New provisions land on the extended image (clawhub baked in). Then POST /container/updates with owner_id:"all" rolls banners to every existing owner.

Test plan

• isol8-prod-container deploys (no-op on task-def, expected).
• isol8-prod-service deploys (template diff for ECS_TASK_DEFINITION env, and DEPLOY_NONCE removal).
• After deploy, aws cloudformation list-imports --export-name isol8-prod-container:ExportsOutputRefOpenClawTaskDefDC1884BEC2B7400A returns empty.
• Backend reads ECS_TASK_DEFINITION=isol8-prod-openclaw (family), describe_task_definition still works on the family name.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b5a26fa7d1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep ECS task definition env pinned to revision ARN

Switching ECS_TASK_DEFINITION to openclawTaskDef.family makes the backend resolve describe_task_definition against family-latest instead of the CDK base revision, so any per-user revision that was most recently created (including ones from resize_user_container with custom new_cpu/new_memory/new_image) becomes the template for subsequently provisioned users. In apps/backend/core/containers/ecs_manager.py, _build_register_kwargs_from_base clones self._task_def and preserves base CPU/memory/image when overrides are absent, which means this change can silently propagate one tenant’s sizing/image choices to other tenants and reintroduce non-deterministic drift.

Useful? React with 👍 / 👎.