Upgrade OpenClaw to 2026.5.18

[ericksoa]

Summary

• Bump the NemoClaw OpenClaw pin and compatibility metadata to stable 2026.5.18.
• Keep the upgrade OpenClaw-only: base image ARG, blueprint minimum, agent manifest expected version, plugin metadata/tests, and docs example.
• Update the Dockerfile OpenClaw dist patch guard for the 2026.5.x handshake-timeout constant shape and add a regression test.

Local validation

• npm ci --ignore-scripts passed.
• npm run build:cli passed.
• npm run validate:configs passed: 22 config files valid.
• npx vitest run --project plugin nemoclaw/src/package-metadata.test.ts passed: 1 test.
• npx vitest run --project cli src/lib/sandbox/version.test.ts src/lib/sandbox-base-image.test.ts test/fetch-guard-patch-regression.test.ts test/validate-blueprint.test.ts passed: 83 tests.
• npm run source-shape:check passed: no source-shape tests detected.
• npm run checks passed.
• git diff --check passed.

Notes

• npm view openclaw@2026.5.18 version returned 2026.5.18.
• I inspected the 2026.5.18 package dist and confirmed the guarded fetch symbols still exist; the handshake default constant moved to 15e3, which required the Dockerfile regex update.
• Full E2E / Nightly workflow dispatch will follow this PR creation.

Summary by CodeRabbit

• Chores

  • Updated OpenClaw version from 2026.4.24 to 2026.5.18 across build configuration, manifests, and dependencies.
  • Improved WebSocket pre-auth handshake timeout patch to handle multiple upstream timeout defaults.

• Documentation

  • Updated documentation to reflect OpenClaw v2026.5.18.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates OpenClaw from 2026.4.24 to 2026.5.18 across Dockerfile, manifest, blueprint, and package.json. It also enhances the Dockerfile Patch 5 logic to handle two possible upstream constants (1e4 or 15e3) for WebSocket pre-auth handshake timeout, and adds a new regression test to validate the patch behavior.

Changes

OpenClaw Version Update and Patch Enhancement

Layer / File(s)	Summary
Dockerfile Patch 5 handshake timeout robustness Dockerfile	Patch 5 now searches for DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS when set to either 1e4 or 15e3 and rewrites either value to 6e4 (60 seconds), with post-patch verification to ensure old constants are absent.
OpenClaw version pin across build and runtime configuration Dockerfile.base, agents/openclaw/manifest.yaml, nemoclaw-blueprint/blueprint.yaml, nemoclaw/package.json	OpenClaw version bumped from 2026.4.24 to 2026.5.18 in build arg default, agent manifest expected_version, blueprint min_openclaw_version, and package.json compatibility/build fields.
Documentation example outputs for version display docs/reference/commands.md, docs/reference/commands.mdx	Status command output examples updated to show OpenClaw v2026.5.18 instead of v2026.4.24.
Test fixture updates for version expectations nemoclaw/src/package-metadata.test.ts, src/lib/sandbox/version.test.ts	All test mocks, fixtures, and assertions updated to expect version 2026.5.18: package metadata compatibility fields, mocked agent version, registry cache values, SSH probe output mocks, and warning format strings.
Regression test for Patch 5 handshake timeout rewrite test/fetch-guard-patch-regression.test.ts	New dockerShellSegmentBetween helper extracts filtered shell snippets from Dockerfile markers; new test validates Patch 5 correctly rewrites timeout constant from 15e3 to 6e4 and removes old value.

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

Integration: OpenClaw, Docker, CI/CD, v0.0.46

Suggested reviewers

• cv
• jyaunches

🐰 A version dance, both far and near,
From twenty-twenty-four, a new frontier!
Patches now more robust, with constants in sight,
OpenClaw hops forward with all of its might! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: upgrading OpenClaw to a new version.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch upgrade/openclaw-2026.5.18

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-3825.docs.buildwithfern.com/nemoclaw

[coderabbitai]

🧹 Nitpick comments (3)

Dockerfile.base (1)

180-180: Run the Dockerfile.base E2E suite for container-layer validation.

Since this line changes the sandbox base image OpenClaw pin, run the targeted nightly E2E jobs before merge to validate runtime behavior (cloud-e2e, sandbox-survival-e2e, hermes-e2e, rebuild-openclaw-e2e).

As per coding guidelines: "Dockerfile.base: This file affects the sandbox container image... E2E test recommendation: cloud-e2e, sandbox-survival-e2e, hermes-e2e, rebuild-openclaw-e2e."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.base` at line 180, This diff updates the OpenClaw base image pin
via the ARG OPENCLAW_VERSION declaration; before merging, run the targeted
container-layer E2E validation suite to ensure runtime compatibility: execute
cloud-e2e, sandbox-survival-e2e, hermes-e2e, and rebuild-openclaw-e2e against
the updated ARG OPENCLAW_VERSION to validate the sandbox image and surface any
regressions.

test/fetch-guard-patch-regression.test.ts (1)

162-221: ⚡ Quick win

Cover both supported timeout literals in this regression test.

Line 162 currently verifies only the 15e3 shape, while the Dockerfile patch explicitly supports both 15e3 and 1e4. Parameterizing this test would lock in the full compatibility contract.

♻️ Suggested test hardening

-it("patches the OpenClaw 2026.5.x handshake timeout constant shape", () => {
+it.each(["15e3", "1e4"] as const)(
+  "patches the OpenClaw handshake timeout constant shape: %s",
+  (originalLiteral) => {
     const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-handshake-timeout-"));
     const dist = path.join(tmp, "dist");
     fs.mkdirSync(dist, { recursive: true });
     const modulePath = path.join(dist, "handshake-timeouts-test.js");
     fs.writeFileSync(
       modulePath,
       [
-        "const DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = 15e3;",
+        `const DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = ${originalLiteral};`,
         "const MAX_CONNECT_CHALLENGE_TIMEOUT_MS = DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS;",
         "export { DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS };",
         "",
       ].join("\n"),
     );
@@
       expect(patch.status, `${patch.stdout}${patch.stderr}`).toBe(0);
       const patched = fs.readFileSync(modulePath, "utf-8");
       expect(patched).toContain("DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = 6e4");
-      expect(patched).not.toContain("DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = 15e3");
+      expect(patched).not.toContain(
+        `DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = ${originalLiteral}`,
+      );
     } finally {
       fs.rmSync(tmp, { recursive: true, force: true });
     }
-  });
+  },
+);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/fetch-guard-patch-regression.test.ts` around lines 162 - 221, The test
"patches the OpenClaw 2026.5.x handshake timeout constant shape" only asserts
replacement of the 15e3 literal; update it to cover both supported source
literals (15e3 and 1e4) by parameterizing the expectation: run the same patch
invocation and assert that DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS is changed to
6e4 for inputs originally containing either
"DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = 15e3" or
"DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = 1e4" (e.g., loop over an array of
sourceLiteral strings before writing modulePath and making the same assertions
against the patched file). Ensure the test still verifies the old literal is
removed and the new "6e4" value is present for each case.

Dockerfile (1)

205-223: Run the Dockerfile E2E matrix before merge.

This layer mutates runtime OpenClaw dist behavior in-image, so please validate with the recommended end-to-end jobs.

As per coding guidelines: "Dockerfile: This file affects the sandbox container image... E2E test recommendation: cloud-e2e, sandbox-survival-e2e, hermes-e2e, rebuild-openclaw-e2e."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 205 - 223, This Dockerfile change mutates runtime
OpenClaw distribution (the patch that replaces
DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS values in the Dockerfile patch block), so
before merging run the recommended E2E matrix: execute cloud-e2e,
sandbox-survival-e2e, hermes-e2e and rebuild-openclaw-e2e against the built
image and verify the OpenClaw behavior (including the patched
DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS change) is correct and no regressions
occur; only merge once all these end-to-end jobs pass.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@Dockerfile`:
- Around line 205-223: This Dockerfile change mutates runtime OpenClaw
distribution (the patch that replaces DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS
values in the Dockerfile patch block), so before merging run the recommended E2E
matrix: execute cloud-e2e, sandbox-survival-e2e, hermes-e2e and
rebuild-openclaw-e2e against the built image and verify the OpenClaw behavior
(including the patched DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS change) is correct
and no regressions occur; only merge once all these end-to-end jobs pass.

In `@Dockerfile.base`:
- Line 180: This diff updates the OpenClaw base image pin via the ARG
OPENCLAW_VERSION declaration; before merging, run the targeted container-layer
E2E validation suite to ensure runtime compatibility: execute cloud-e2e,
sandbox-survival-e2e, hermes-e2e, and rebuild-openclaw-e2e against the updated
ARG OPENCLAW_VERSION to validate the sandbox image and surface any regressions.

In `@test/fetch-guard-patch-regression.test.ts`:
- Around line 162-221: The test "patches the OpenClaw 2026.5.x handshake timeout
constant shape" only asserts replacement of the 15e3 literal; update it to cover
both supported source literals (15e3 and 1e4) by parameterizing the expectation:
run the same patch invocation and assert that
DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS is changed to 6e4 for inputs originally
containing either "DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = 15e3" or
"DEFAULT_PREAUTH_HANDSHAKE_TIMEOUT_MS = 1e4" (e.g., loop over an array of
sourceLiteral strings before writing modulePath and making the same assertions
against the patched file). Ensure the test still verifies the old literal is
removed and the new "6e4" value is present for each case.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 356604a2-7d9b-4a10-adc7-35d38f95bd5f

📥 Commits

Reviewing files that changed from the base of the PR and between abae70f and 538b9cb.

📒 Files selected for processing (10)

• Dockerfile
• Dockerfile.base
• agents/openclaw/manifest.yaml
• docs/reference/commands.md
• docs/reference/commands.mdx
• nemoclaw-blueprint/blueprint.yaml
• nemoclaw/package.json
• nemoclaw/src/package-metadata.test.ts
• src/lib/sandbox/version.test.ts
• test/fetch-guard-patch-regression.test.ts

[github-actions]

E2E Advisor Recommendation

Required E2E: test-e2e-sandbox, cloud-e2e, sandbox-operations-e2e, network-policy-e2e, upgrade-stale-sandbox-e2e, openclaw-plugin-runtime-exdev-e2e
Optional E2E: rebuild-openclaw-e2e, openclaw-inference-switch-e2e, messaging-compatible-endpoint-e2e, cloud-onboard-e2e

Dispatch hint: cloud-e2e,sandbox-operations-e2e,network-policy-e2e,upgrade-stale-sandbox-e2e

Auto-dispatched E2E: cloud-e2e, sandbox-operations-e2e, network-policy-e2e, upgrade-stale-sandbox-e2e via nightly-e2e.yaml at 538b9cbd31fe0e29ea9d64e2ff8f0f607d31746a — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• test-e2e-sandbox (medium): Builds the production and sandbox test images and runs the in-container NemoClaw/OpenClaw/blueprint smoke suite. This is the fastest required backstop for Dockerfile.base, Dockerfile, blueprint min_openclaw_version, and plugin packaging changes.
• cloud-e2e (high): Exercises the full install/onboard path plus an OpenClaw-mediated openclaw agent --json turn through inference.local. This is required because the PR bumps OpenClaw and changes runtime patches that can affect the real assistant user flow.
• sandbox-operations-e2e (high): Covers sandbox lifecycle, connect/status/logs/recovery, and TC-SBX-02 openclaw agent --json. The Dockerfile handshake timeout patch explicitly targets failures in this path under CI load.
• network-policy-e2e (high): Required for the fetch-guard/proxy-validation patch because it validates deny-by-default, policy hot reload, inference exemption, and SSRF-related network policy behavior.
• upgrade-stale-sandbox-e2e (high): The pinned OpenClaw expected/minimum version changed, so stale sandbox detection and rebuild-after-upgrade must be validated against a real older sandbox.
• openclaw-plugin-runtime-exdev-e2e (high): The OpenClaw version and plugin compatibility metadata changed. This regression job validates that OpenClaw plugin runtime dependency bootstrap still works in real sandbox layouts.

Optional E2E

• rebuild-openclaw-e2e (high): Useful additional confidence that rebuilding an existing OpenClaw sandbox across the version bump preserves workspace state and picks up the new image.
• openclaw-inference-switch-e2e (high): Adjacent coverage for OpenClaw openclaw.json mutation and live inference after provider switching with the new OpenClaw runtime.
• messaging-compatible-endpoint-e2e (high): Useful adjacent check for Telegram plus OpenAI-compatible routing through inference.local after the OpenClaw/fetch-guard bump, though it does not specifically prove Telegram media fetch proxy validation.
• cloud-onboard-e2e (high): Additional onboarding/security confidence for public install, Landlock read-only behavior, credential leak checks, and inference.local HTTPS probing after Dockerfile and blueprint changes.

New E2E recommendations

• fetch-guard-explicit-proxy-media-path (high): Existing tests include a unit/regression guard for the Dockerfile sed patch and broad network-policy coverage, but there is no E2E that drives an OpenClaw media-fetch path, such as Telegram media download, with hostnameAllowlist plus explicit proxy inside an OpenShell sandbox to prove assertExplicitProxyAllowed is bypassed only in the intended environment.
  • Suggested test: Add an E2E that onboards OpenClaw with a hermetic fake Telegram/media endpoint and asserts media fetch succeeds through the L7 proxy while direct disallowed egress remains blocked.
• openclaw-handshake-timeout-under-load (medium): The Dockerfile patch updates the OpenClaw preauth handshake timeout constant for the 2026.5.x bundle shape, but existing E2E only observes normal agent/connect flows. It does not intentionally create concurrent slow handshakes to prove the 60s default prevents gateway timeout regressions.
  • Suggested test: Add a stress E2E that opens several concurrent openclaw agent --json or connect sessions on a sandbox and asserts no preauth handshake gateway timeout occurs under CI load.
• version-pin-consistency (medium): The OpenClaw pin is duplicated across Dockerfile.base, agent manifest, blueprint, package metadata, docs, and tests. Unit tests cover some fields, but no E2E/release guard verifies that a built sandbox's openclaw --version, manifest expected_version, and blueprint min_openclaw_version all match the release pin.
  • Suggested test: Add a build-time or lightweight E2E consistency check that extracts the OpenClaw version from a built sandbox image and compares it with manifest, blueprint, and plugin metadata.

Dispatch hint

• Workflow: .github/workflows/nightly-e2e.yaml
• jobs input: cloud-e2e,sandbox-operations-e2e,network-policy-e2e,upgrade-stale-sandbox-e2e

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26126693020
Target ref: 538b9cbd31fe0e29ea9d64e2ff8f0f607d31746a
Workflow ref: main
Requested jobs: cloud-e2e,sandbox-operations-e2e,network-policy-e2e,upgrade-stale-sandbox-e2e
Summary: 2 passed, 2 failed, 0 skipped

Job	Result
cloud-e2e	❌ failure
network-policy-e2e	✅ success
sandbox-operations-e2e	❌ failure
upgrade-stale-sandbox-e2e	✅ success

Failed jobs: cloud-e2e, sandbox-operations-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26126544011
Target ref: upgrade/openclaw-2026.5.18
Workflow ref: upgrade/openclaw-2026.5.18
Requested jobs: all (no filter)
Summary: 33 passed, 10 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	❌ failure
brave-search-e2e	✅ success
channels-stop-start-e2e	❌ failure
cloud-e2e	❌ failure
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
device-auth-health-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
double-onboard-e2e	✅ success
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-slack-e2e	✅ success
inference-routing-e2e	✅ success
issue-2478-crash-loop-recovery-e2e	❌ failure
kimi-inference-compat-e2e	❌ failure
launchable-smoke-e2e	❌ failure
messaging-compatible-endpoint-e2e	❌ failure
messaging-providers-e2e	❌ failure
network-policy-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-inference-switch-e2e	❌ failure
openclaw-slack-pairing-e2e	✅ success
openshell-gateway-upgrade-e2e	✅ success
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success
rebuild-openclaw-e2e	✅ success
runtime-overrides-e2e	✅ success
sandbox-operations-e2e	❌ failure
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
skill-agent-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
telegram-injection-e2e	✅ success
token-rotation-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success

Failed jobs: bedrock-runtime-compatible-anthropic-e2e, channels-stop-start-e2e, cloud-e2e, issue-2478-crash-loop-recovery-e2e, kimi-inference-compat-e2e, launchable-smoke-e2e, messaging-compatible-endpoint-e2e, messaging-providers-e2e, openclaw-inference-switch-e2e, sandbox-operations-e2e. Check run artifacts for logs.