fix(cli): replace config-set allow-list with mode-based new-path gate

[laitingsheng]

Summary

The #1973 fix added a path validator that walked the currently-loaded config; #2400 reported that this rejected schema-valid first-time writes (the documented provider.compatible-endpoint.timeoutSeconds Ollama workaround) with the same error as a typo. An earlier attempt at a top-level allow-list improved discoverability but still couldn't catch deep typos, and would have had to be hand-maintained against OpenClaw's evolving schema.

This switches config set to a mode-based gate. Modifying an existing key still goes straight through. First-time writes prompt the user when stdin is a TTY, refuse with a discoverable opt-in when not, and accept an explicit override flag/env for scripts — so silent stub-writes stay impossible without coupling to a schema we don't own.

Related Issue

Fixes #2400

Changes

• Drop isRecognizedConfigPath entirely. Replace with a small validateConfigDotpath helper that only enforces dotpath syntax (no empty segments) and the existing prototype-pollution segment block (proto, constructor, prototype, toString, hasOwnProperty).
• In configSet, after the existing URL/SSRF and gateway.* guards, gate first-time writes: interactive (process.stdin.isTTY and !NEMOCLAW_NON_INTERACTIVE) prompts y/N; non-interactive refuses with a message naming the override; --config-accept-new-path or NEMOCLAW_CONFIG_ACCEPT_NEW_PATH=1 skips the gate.
• Make configSet async to support the readline prompt; thread await through the CLI dispatcher and update its usage line.
• Add a troubleshooting entry under docs/reference/troubleshooting.md and regenerate the autogenerated agent-skill mirror so users can discover the override flag and the rationale.
• Tests: drop the allow-list cases, replace with focused validateConfigDotpath coverage (syntax + prototype-pollution segments anywhere in the path).

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

AI Disclosure

• AI-assisted — tool: Claude Code

---

Signed-off-by: Tinson Lai tinsonl@nvidia.com

Summary by CodeRabbit

• New Features
  • Syntactic validation for config paths and an opt‑in gate for creating new config keys (interactive prompt, --config-accept-new-path flag, or env var).
• Bug Fixes
  • Rejects unsafe/malformed dotpaths (empty/prototype‑like/numeric segments) and blocks accidental creation of missing keys unless accepted.
• Documentation
  • Added troubleshooting guidance describing prompt behavior and non‑interactive opt‑in.
• Tests
  • Expanded tests for path validation, clobbering detection, error reasons, and new-key acceptance logic.

[coderabbitai]

📝 Walkthrough

Walkthrough

configSet was made async and now validates dotpath syntax and safety (prototype-pollution, empty segments, numeric segments), prevents clobbering existing non-object ancestors, and gates creation of previously-unset keys via an opt-in flag/env or interactive confirmation; exports updated to surface the new validators and gate helpers, and CLI/tests/docs adjusted.

Changes

Cohort / File(s)	Summary
Sandbox config logic src/lib/sandbox-config.ts	Made configSet async; removed isRecognizedConfigPath; added and exported validateConfigDotpath, findClobberingAncestor, and classifyNewKeyGate; introduced confirmYesNo prompt helper; dotpath validation now rejects empty/leading/trailing segments, prototype-like segments, numeric segments, and prevents clobbering non-object ancestors; gating for first-time key creation implemented.
CLI wiring src/nemoclaw.ts	Added --config-accept-new-path flag populating acceptNewPath; call to sandboxConfig.configSet(...) updated to await; help/usage text updated to document new flag.
Tests test/config-set.test.ts	Replaced isRecognizedConfigPath assertions with validateConfigDotpath checks; added unit tests for findClobberingAncestor and classifyNewKeyGate across accept/prompt/refuse scenarios, numeric-segment blocking, and clobbering-ancestor detection.
Documentation .agents/skills/nemoclaw-user-reference/references/troubleshooting.md, docs/reference/troubleshooting.md	Documented behavior when setting non-existent or numeric dotpaths, interactive prompt behavior, and non-interactive opt-in via --config-accept-new-path / NEMOCLAW_CONFIG_ACCEPT_NEW_PATH=1.

Sequence Diagram(s)

sequenceDiagram
  participant CLI as Nemoclaw CLI
  participant Module as sandbox-config
  participant Config as Config file
  participant Env as Env/CI
  participant User as TTY/User

  CLI->>Module: configSet(sandbox, { dotpath, value, acceptNewPath })
  Module->>Module: validateConfigDotpath(dotpath)
  alt invalid syntax / unsafe
    Module-->>CLI: error(reason)
  else valid syntax
    Module->>Config: read existing value at dotpath
    alt value exists
      Module-->>Config: write new value
      Module-->>CLI: success
    else value missing
      Module->>Env: check NEMOCLAW_CONFIG_ACCEPT_NEW_PATH or opts.acceptNewPath
      alt accepted via flag/env
        Module-->>Config: write new value
        Module-->>CLI: success
      else interactive
        Module->>User: prompt confirmYesNo("create new path?")
        User-->>Module: yes/no
        alt yes
          Module-->>Config: write new value
          Module-->>CLI: success
        else no
          Module-->>CLI: abort with error
        end
      end
    end
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibble dotpaths, check each hop and claw,

I block the proto-bleed and gaps with one small paw.
Flag me, env me, or say yes in the night—
then I'll hop in, plant the key, and set it right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing the allow-list approach (isRecognizedConfigPath) with a mode-based gate for new config paths.
Linked Issues check	✅ Passed	All requirements from #2400 are addressed: schema-valid unset keys are no longer rejected, interactive/non-interactive modes are implemented, opt-in flag and env var are added, numeric segments are blocked, and troubleshooting docs are provided.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to #2400: core validation/gating logic, CLI flag integration, tests, and documentation. No unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/2400-config-set-unset-keys

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/config-set.test.ts (1)

119-124: Add an explicit test for the prototype denylist segment.

UNSAFE_KEY_SEGMENTS includes prototype, but this specific case is not asserted here.

Add the missing regression assertion

     it("rejects prototype-pollution segments anywhere in the path", () => {
       expect(isRecognizedConfigPath("toString")).toBe(false);
       expect(isRecognizedConfigPath("agents.constructor")).toBe(false);
+      expect(isRecognizedConfigPath("agents.prototype.config")).toBe(false);
       expect(isRecognizedConfigPath("provider.__proto__.polluted")).toBe(false);
       expect(isRecognizedConfigPath("tools.hasOwnProperty")).toBe(false);
     });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/config-set.test.ts` around lines 119 - 124, Add a regression assertion
to the test "rejects prototype-pollution segments anywhere in the path" that
explicitly checks for the denylisted segment "prototype": update the test in
test/config-set.test.ts by adding an expect call using isRecognizedConfigPath
with a path that includes "prototype" (for example "provider.prototype.polluted"
or just "prototype") and assert it returns false; this ensures
UNSAFE_KEY_SEGMENTS' "prototype" entry is covered alongside the existing checks
for "toString", "constructor", "__proto__", and "hasOwnProperty".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lib/sandbox-config.ts`:
- Around line 174-179: isRecognizedConfigPath currently treats any dotted path
that starts with a recognized top-level key as valid, allowing typos in nested
keys; update isRecognizedConfigPath to reject unknown deep paths by (1) keeping
the existing guard for falsy/unsafe segments (UNSAFE_KEY_SEGMENTS) and top-level
membership (RECOGNIZED_TOP_LEVEL_KEYS), and then (2) when keys.length > 1
validate the remainder of the path against an explicit whitelist/schema instead
of accepting any child — e.g. check the full dotpath against a
RECOGNIZED_CONFIG_PATHS set or walk a RECOGNIZED_SUBKEYS map keyed by parent
names to confirm each subsequent segment is an allowed child; ensure you
reference and preserve UNSAFE_KEY_SEGMENTS and RECOGNIZED_TOP_LEVEL_KEYS and
only return true when the full path is recognized by the chosen deep-path
whitelist/schema.

---

Nitpick comments:
In `@test/config-set.test.ts`:
- Around line 119-124: Add a regression assertion to the test "rejects
prototype-pollution segments anywhere in the path" that explicitly checks for
the denylisted segment "prototype": update the test in test/config-set.test.ts
by adding an expect call using isRecognizedConfigPath with a path that includes
"prototype" (for example "provider.prototype.polluted" or just "prototype") and
assert it returns false; this ensures UNSAFE_KEY_SEGMENTS' "prototype" entry is
covered alongside the existing checks for "toString", "constructor",
"__proto__", and "hasOwnProperty".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9e8479f1-d88d-4bf7-aef2-7a81b02cb835

📥 Commits

Reviewing files that changed from the base of the PR and between 99b72c4 and 3de44d9.

📒 Files selected for processing (2)

• src/lib/sandbox-config.ts
• test/config-set.test.ts

[coderabbitai]

♻️ Duplicate comments (1)

src/lib/sandbox-config.ts (1)

175-180: ⚠️ Potential issue | 🟠 Major

Root-only fallback still accepts unknown deep keys (typo protection remains weakened).

At Line 180, any nested path under an allow-listed root is accepted when it does not already exist. Example: provider.compatible-endpoint.timeuotSeconds (typo) passes validation and gets written, which undermines typo detection for first-time writes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/lib/sandbox-config.ts` around lines 175 - 180, isRecognizedConfigPath
currently permits any nested path under an allowed top-level key, which lets
typos like provider.compatible-endpoint.timeuotSeconds pass; modify the fallback
so that the top-level allowance only applies to single-segment dotpaths: keep
the existing validations and extractDotpath check, but change the final return
to require keys.length === 1 in addition to
RECOGNIZED_TOP_LEVEL_KEYS.has(keys[0]) so only root-level names (no dots) are
accepted by the fallback.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@src/lib/sandbox-config.ts`:
- Around line 175-180: isRecognizedConfigPath currently permits any nested path
under an allowed top-level key, which lets typos like
provider.compatible-endpoint.timeuotSeconds pass; modify the fallback so that
the top-level allowance only applies to single-segment dotpaths: keep the
existing validations and extractDotpath check, but change the final return to
require keys.length === 1 in addition to RECOGNIZED_TOP_LEVEL_KEYS.has(keys[0])
so only root-level names (no dots) are accepted by the fallback.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 02dea3be-3812-4f54-aded-768a75730c3a

📥 Commits

Reviewing files that changed from the base of the PR and between 3de44d9 and 2189633.

📒 Files selected for processing (2)

• src/lib/sandbox-config.ts
• test/config-set.test.ts

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lib/sandbox-config.ts`:
- Around line 162-173: validateConfigDotpath currently allows numeric segments
which extractDotpath interprets as array indices while setDotpath always
constructs plain objects; to avoid corrupting arrays, update
validateConfigDotpath to reject any dotpath that contains a purely numeric
segment (e.g., /^\d+$/) in addition to the existing checks. Keep references to
validateConfigDotpath, extractDotpath, setDotpath, and UNSAFE_KEY_SEGMENTS in
the message so the change is targeted: return { ok: false, reason: "numeric
segment not allowed" } for numeric segments until setDotpath is updated to
preserve/handle arrays.
- Around line 385-395: The interactive detection in sandbox-config.ts treats any
non-empty NEMOCLAW_NON_INTERACTIVE as true (interactive = !!process.stdin.isTTY
&& !process.env.NEMOCLAW_NON_INTERACTIVE), which deviates from the CLI
convention of only disabling prompts when NEMOCLAW_NON_INTERACTIVE === "1";
update the interactive check to mirror other commands by testing
process.env.NEMOCLAW_NON_INTERACTIVE === "1" (or its negation) so that only the
exact value "1" disables prompts, and keep the surrounding logic that uses
opts.acceptNewPath and prints the console errors for non-interactive flows
unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 14f65eab-39ad-45c7-8076-9531df1283ee

📥 Commits

Reviewing files that changed from the base of the PR and between 2189633 and d378d06.

📒 Files selected for processing (5)

• .agents/skills/nemoclaw-user-reference/references/troubleshooting.md
• docs/reference/troubleshooting.md
• src/lib/sandbox-config.ts
• src/nemoclaw.ts
• test/config-set.test.ts

✅ Files skipped from review due to trivial changes (2)

• docs/reference/troubleshooting.md
• .agents/skills/nemoclaw-user-reference/references/troubleshooting.md

[coderabbitai]

🧹 Nitpick comments (1)

src/lib/sandbox-config.ts (1)

391-417: Consider adding branch tests for the new-path gate.

This block introduces important behavior modes (--config-accept-new-path, NEMOCLAW_CONFIG_ACCEPT_NEW_PATH=1, interactive confirm, and non-interactive refusal). I’d add explicit tests for each mode to prevent regressions in CLI UX and script flows.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/lib/sandbox-config.ts` around lines 391 - 417, Add automated branch tests
covering the new-path gate around the oldValue === undefined block: assert
behavior when opts.acceptNewPath === true (write allowed), when
NEMOCLAW_CONFIG_ACCEPT_NEW_PATH="1" (write allowed), when interactive TTY with
confirmYesNo returning true (write allowed) and false (process exits with
"Aborted."), and when non-interactive TTY (process exits and prints the
non-interactive refusal message). In tests mock/stub process.stdin.isTTY,
set/unset process.env.NEMOCLAW_CONFIG_ACCEPT_NEW_PATH, stub confirmYesNo, and
spy on process.exit and console.error to verify the correct branches in the code
paths referencing opts.key, opts.acceptNewPath, confirmYesNo, and the
process.env flag.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/lib/sandbox-config.ts`:
- Around line 391-417: Add automated branch tests covering the new-path gate
around the oldValue === undefined block: assert behavior when opts.acceptNewPath
=== true (write allowed), when NEMOCLAW_CONFIG_ACCEPT_NEW_PATH="1" (write
allowed), when interactive TTY with confirmYesNo returning true (write allowed)
and false (process exits with "Aborted."), and when non-interactive TTY (process
exits and prints the non-interactive refusal message). In tests mock/stub
process.stdin.isTTY, set/unset process.env.NEMOCLAW_CONFIG_ACCEPT_NEW_PATH, stub
confirmYesNo, and spy on process.exit and console.error to verify the correct
branches in the code paths referencing opts.key, opts.acceptNewPath,
confirmYesNo, and the process.env flag.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2b924b37-8fb0-4c4c-8700-5a1fbfd083b1

📥 Commits

Reviewing files that changed from the base of the PR and between d378d06 and 6128583.

📒 Files selected for processing (4)

• .agents/skills/nemoclaw-user-reference/references/troubleshooting.md
• docs/reference/troubleshooting.md
• src/lib/sandbox-config.ts
• test/config-set.test.ts

✅ Files skipped from review due to trivial changes (2)

• docs/reference/troubleshooting.md
• .agents/skills/nemoclaw-user-reference/references/troubleshooting.md

[ericksoa]

Review

Good design choice decoupling from OpenClaw's schema — the old isRecognizedConfigPath was genuinely broken for documented workflows like provider.compatible-endpoint.timeoutSeconds, and maintaining a parallel allow-list would have been a drag. The mode-based gate is the right call.

CI is green (wsl-e2e pending). A few things I'd want addressed before merge:

Missing test coverage for the new-key gate

The tests cover validateConfigDotpath well, but the actual behavioral change — the oldValue === undefined branch in configSet — has no test coverage. These are the most important paths in the PR:

• Non-interactive mode refusing a new key without --config-accept-new-path
• Non-interactive mode accepting with --config-accept-new-path
• The NEMOCLAW_CONFIG_ACCEPT_NEW_PATH=1 env var path

I'd ask for at least the non-interactive rejection and flag override cases before merging.

Mixed import style in sandbox-config.ts

import * as readline from "readline";  // ES import (new, line 15)

const fs = require("fs");              // CJS require (existing, line 16)

The entire rest of the file uses require(). The mixed style works because TypeScript rewrites it, but it's inconsistent. Either const readline = require("readline") to match the file, or a comment noting it's intentional for the TS migration path.

Dead code in confirmYesNo

if (!process.stdin.isTTY) {
  if (typeof process.stdin.pause === "function") process.stdin.pause();
  if (typeof process.stdin.unref === "function") process.stdin.unref();
}

The caller already gates on !!process.stdin.isTTY, so this branch never executes. Remove it or add a comment explaining the defensive intent.

Minor: step number renumbering

The diff renumbers inline comments from 6–12 to 7–13 because the new gate was inserted. This is pure noise in the diff and makes git blame less useful. Consider dropping the sequence numbers or using labels.

What looks good

• validateConfigDotpath is clean — prototype-pollution, empty segments, and numeric index guards all make sense
• The troubleshooting doc entry follows one-sentence-per-line and covers all three modes (interactive, non-interactive, env var)
• The --config-accept-new-path flag name is discoverable and the error message tells you exactly what to do

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lib/sandbox-config.ts`:
- Around line 421-451: The current "new key" gate treats oldValue === undefined
as a safe new path but misses the case where traversal failed because an
existing ancestor is a non-object scalar; setDotpath then clobbers that scalar.
Change the check around classifyNewKeyGate/oldValue to verify that every
existing ancestor along opts.key in config is an object (e.g., walk the dotpath
parents and ensure any present segment is typeof "object" and not null); only
treat it as a new path when oldValue === undefined AND all existing ancestors
are objects. If any existing ancestor is a non-object, refuse the write (use the
same error/exit flow instead of prompting) and include target.agentName and
opts.key in the message so the caller knows it would clobber a scalar; leave the
final setDotpath(config, opts.key, parsedValue) unchanged once the safety check
passes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1ea52e0a-3891-4228-9f10-b17c7892dd53

📥 Commits

Reviewing files that changed from the base of the PR and between 6128583 and ca9aae7.

📒 Files selected for processing (4)

• .agents/skills/nemoclaw-user-reference/references/troubleshooting.md
• docs/reference/troubleshooting.md
• src/lib/sandbox-config.ts
• test/config-set.test.ts

✅ Files skipped from review due to trivial changes (2)

• .agents/skills/nemoclaw-user-reference/references/troubleshooting.md
• docs/reference/troubleshooting.md

[coderabbitai]

🧹 Nitpick comments (1)

src/lib/sandbox-config.ts (1)

750-762: Consider handling readline close event for robustness.

The current implementation doesn't resolve the promise if the user presses Ctrl+C or stdin closes unexpectedly (the close event fires without the question callback). In practice, Ctrl+C triggers SIGINT which terminates the process, so this is rarely a problem for CLI usage.

For robustness, you could handle the close event:

♻️ Optional: Handle readline close event

 function confirmYesNo(prompt: string): Promise<boolean> {
-  return new Promise((resolve) => {
+  return new Promise((resolve, _reject) => {
     const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+    let answered = false;
+    rl.on("close", () => {
+      if (!answered) resolve(false);
+    });
     rl.question(prompt, (answer: string) => {
+      answered = true;
       rl.close();
       resolve(/^y(es)?$/i.test(answer.trim()));
     });
   });
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/lib/sandbox-config.ts` around lines 750 - 762, The confirmYesNo function
can hang if stdin closes or the user triggers a readline 'close' without the
'question' callback firing; update confirmYesNo to attach an rl.on('close', ...)
handler that resolves the promise (e.g., resolve(false)) and ensure you guard
against double-resolution (use a local settled flag or remove listeners) and
still close/cleanup the readline; reference the existing confirmYesNo function
and the readline interface creation when adding this handler.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/lib/sandbox-config.ts`:
- Around line 750-762: The confirmYesNo function can hang if stdin closes or the
user triggers a readline 'close' without the 'question' callback firing; update
confirmYesNo to attach an rl.on('close', ...) handler that resolves the promise
(e.g., resolve(false)) and ensure you guard against double-resolution (use a
local settled flag or remove listeners) and still close/cleanup the readline;
reference the existing confirmYesNo function and the readline interface creation
when adding this handler.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2869a0f2-7c56-4584-b601-ce0231d4bfac

📥 Commits

Reviewing files that changed from the base of the PR and between ca9aae7 and bc0f6ec.

📒 Files selected for processing (2)

• src/lib/sandbox-config.ts
• test/config-set.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• test/config-set.test.ts

[ericksoa]

LGTM. Clean separation of pure helpers, strong test coverage, and security-critical guards (prototype-pollution, SSRF, gateway.*) preserved ahead of the new gate. Override path is discoverable for non-interactive use.