fix(openclaw): bump duplicate message fix version

[chengjiew]

Summary

• bump the pinned OpenClaw version from 2026.4.24 to 2026.4.25
• keep Dockerfile, blueprint minimum, and manifest expected version aligned
• add a regression guard so future sandboxes stay on a version with the duplicate-message fix

Closes #3789.

Linux e2e evidence

Ran an OpenClaw gateway probe on aits@aits-log-worker-6 with a fake OpenAI-compatible endpoint and the same prompt through the control-UI WebSocket path.

• openclaw@2026.4.24: matchingUserTurnCount=2, matchingAssistantTurnCount=2
• openclaw@2026.4.25: matchingUserTurnCount=1, matchingAssistantTurnCount=1

The fake endpoint received one model request in both runs, so the failure is duplicated session/history turns, matching the upstream OpenClaw session-prompt regression rather than duplicate inference calls.

Validation

• npx vitest run --project cli test/openclaw-version-pin.test.ts
• npm run validate:configs

Local pre-push note

The full local pre-push CLI coverage hook was attempted but did not pass on this workstation due unrelated/environment-sensitive failures (for example macOS x86_64 OpenShell installer asset expectations, version fallback tests reading ambient git-derived version, sandbox-base-image git fixture environment, and one CLI timeout). I pushed with --no-verify after the focused regression test, config validation, and Linux e2e passed.

Summary by CodeRabbit

• Tests

  • Added a version-consistency test to ensure all OpenClaw version references match and meet the minimum required release.

• Chores

  • Bumped the default OpenClaw version to 2026.4.25 across configuration and runtime metadata.

Signed-off-by: Chengjie Wang chengjiew@nvidia.com

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Walkthrough

Bumps OpenClaw version from 2026.4.24 to 2026.4.25 in Docker build arg, agent manifest, and blueprint minimum version. Adds a Vitest that parses those files, asserts each version >= 2026.4.25, and verifies all three values are identical.

Changes

OpenClaw version compatibility update

Layer / File(s)	Summary
Version updates across configuration files Dockerfile.base, agents/openclaw/manifest.yaml, nemoclaw-blueprint/blueprint.yaml	Build arg OPENCLAW_VERSION, manifest expected_version, and blueprint min_openclaw_version updated to 2026.4.25.
OpenClaw version consistency test test/openclaw-version-pin.test.ts	Adds versionGte comparator, file-read and regex-based matchVersion helpers, and a Vitest that extracts versions from the three files, asserts each >= 2026.4.25, and asserts all three versions are identical.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3777: Related OpenClaw version pinning changes.

Suggested labels

bug

Suggested reviewers

• ericksoa

Poem

🐰 A version hop, a gentle springing tune,
From twenty-four we leap to twenty-five this June,
Docker, manifest, blueprint all aligned,
A test now checks the versions are combined,
Hop on — the pin's in place, the checks are fine!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title refers to bumping an OpenClaw version but doesn't clearly explain that this addresses a duplicate message fix. It's partially related but lacks clarity.	Consider revising to be more specific, e.g., 'fix(openclaw): bump version to fix duplicate user messages' to better convey the main issue being resolved.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	All code changes directly address issue #3789: version bump prevents duplicate message regression by pinning OpenClaw to 2026.4.25 where the fix is available, with a regression guard test ensuring future versions maintain the fix.
Out of Scope Changes check	✅ Passed	All four file modifications are within scope: three update pinned versions in Dockerfile, manifest, and blueprint; one adds regression test. All changes align with the objective of bumping OpenClaw version and preventing duplicate messages.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/3789_openclaw-duplicate-user-messages

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: rebuild-openclaw-e2e, upgrade-stale-sandbox-e2e, cloud-onboard-e2e, cloud-inference-e2e
Optional E2E: test-e2e-sandbox, device-auth-health-e2e, openclaw-onboard-security-posture-e2e

Dispatch hint: rebuild-openclaw-e2e,upgrade-stale-sandbox-e2e,cloud-onboard-e2e,cloud-inference-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• rebuild-openclaw-e2e (high (~60 min timeout; builds Docker images and uses live NVIDIA inference)): Directly exercises the version-bump path by building an older OpenClaw base, rebuilding to the current Dockerfile.base/blueprint version, and verifying state preservation, agent version upgrade, policy preservation, and post-rebuild inference.
• upgrade-stale-sandbox-e2e (high (~60 min timeout; builds Docker images and uses live NVIDIA inference)): Validates that a sandbox registered with an older OpenClaw agentVersion is detected as stale after the min_openclaw_version/manifest bump and can be rebuilt to the current runtime.
• cloud-onboard-e2e (medium-high (~45 min timeout; live cloud inference required)): Covers the fresh OpenClaw onboarding path with the updated runtime, including public install from the PR ref, sandbox health, Landlock/read-only checks, credential leak checks, and inference.local reachability.
• cloud-inference-e2e (medium (~30 min timeout; live cloud inference required)): Runs a real assistant inference flow through inference.local using the freshly installed OpenClaw runtime, which is the highest-signal existing check for regressions from the 2026.4.25 agent bump.

Optional E2E

• test-e2e-sandbox (medium (requires sandbox image build dependency)): Useful image-level smoke coverage: builds the production/test sandbox image using the changed Dockerfile.base/blueprint inputs and verifies the OpenClaw CLI, plugin installability, blueprint validity, and blueprint runner smoke paths inside the container.
• device-auth-health-e2e (medium (~30 min timeout; live cloud inference/onboard required)): Optional confidence that the updated OpenClaw gateway still behaves correctly with default device auth, including /health, authenticated root behavior, status reporting, and gateway recovery.
• openclaw-onboard-security-posture-e2e (high (~60 min timeout)): Optional broader security-posture check for a fresh OpenClaw onboard under a non-root host user; useful if maintainers want extra assurance that the new OpenClaw package does not change sandbox startup or runtime guard assumptions.

New E2E recommendations

• openclaw-version-pin-exactness (high): Existing rebuild/stale E2Es verify the sandbox version is no longer an old version, but they do not appear to assert that a fresh or rebuilt sandbox reports exactly the version declared by Dockerfile.base, agents/openclaw/manifest.yaml, and blueprint.yaml.
  • Suggested test: Add an E2E assertion that fresh onboard and rebuild paths run openclaw --version inside the sandbox and compare it to the exact repository OpenClaw pin.
• duplicate-message-regression (high): The added unit test references the duplicate-message fix version, but there is no obvious E2E that sends an assistant message through OpenClaw and asserts only one assistant response/event is emitted for the user action.
  • Suggested test: Add a focused OpenClaw duplicate-message E2E using a hermetic or live inference route that sends one prompt and fails if duplicate assistant messages are observed in the response stream/logs/state.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: rebuild-openclaw-e2e,upgrade-stale-sandbox-e2e,cloud-onboard-e2e,cloud-inference-e2e

[wscurran]

✨Related open issues:

• #3789 [0.0.39] Duplicate user messages from openclaw-control-ui and You identities, even with weixin plugin fully removed

[github-actions]

PR Review Advisor

Recommendation: blocked
Confidence: high
Analyzed HEAD: 5b2d522fd15abf8837ed465a84a6ee143702d13d
Findings: 2 blocker(s), 3 warning(s), 0 suggestion(s)

This is an automated advisory review. A human maintainer must make the final merge decision.

Limitations: This review used the supplied trusted metadata and diff; no PR scripts, package-manager commands, tests, or E2E workflows were executed.; No independent vulnerability database lookup for openclaw@2026.4.25 was performed in this environment.; Required E2E pass/fail status for cloud-e2e and rebuild-openclaw-e2e at the current head SHA was not present in the trusted context.; Review thread state is based on GraphQL nodes and REST reviewComments provided in the context; external UI state was not inspected.; PR body and issue/comment text were treated as untrusted evidence and mapped only against diff/trusted status evidence.

Workflow run

Full advisor summary

PR Review Advisor

Base: origin/main
Head: HEAD
Analyzed SHA: 5b2d522fd15abf8837ed465a84a6ee143702d13d
Recommendation: blocked
Confidence: high

The version bump is small and aligned across Dockerfile, manifest, and blueprint, but the PR is currently blocked by pending CI/merge state and missing required E2E evidence for runtime sandbox changes.

Gate status

• CI: pending — Status rollup for head SHA 5b2d522 shows multiple IN_PROGRESS/PENDING contexts, including E2E recommendation, wsl-e2e, macos-e2e, PR review advisor, CodeQL jobs, checks, ShellCheck SARIF, and CodeRabbit.
• Mergeability: fail — GitHub GraphQL mergeStateStatus=BLOCKED and reviewDecision=REVIEW_REQUIRED for PR fix(openclaw): bump duplicate message fix version #3841.
• Review threads: pass — GraphQL reviewThreads.nodes is empty and REST reviewComments is empty; no unresolved review thread evidence was available in the trusted context.
• Risky code tested: warning — Risky runtime/sandbox files changed: Dockerfile.base, agents/openclaw/manifest.yaml, and nemoclaw-blueprint/blueprint.yaml. A unit test was added for pin consistency, but E2E Advisor requires cloud-e2e and rebuild-openclaw-e2e for this head SHA and no passing evidence is present.

🔴 Blockers

• Required gates are not complete for the current head SHA: The PR cannot be considered ready while status checks are pending and GitHub reports the merge state as blocked.
  • Recommendation: Wait for all required CI/status contexts to complete successfully for head SHA 5b2d522 and resolve the BLOCKED merge state before merge consideration.
  • Evidence: GraphQL statusCheckRollup includes IN_PROGRESS/PENDING contexts; mergeStateStatus=BLOCKED; reviewDecision=REVIEW_REQUIRED.
• Required runtime sandbox E2E evidence is missing (Dockerfile.base:180): The PR changes the OpenClaw version used by real sandboxes and rebuilt sandboxes, but the E2E Advisor required cloud-e2e and rebuild-openclaw-e2e. No trusted evidence shows those jobs passed for the current head SHA.
  • Recommendation: Confirm cloud-e2e and rebuild-openclaw-e2e pass for head SHA 5b2d522. The version consistency unit test is useful but does not prove install/onboard/rebuild/runtime behavior.
  • Evidence: E2E Advisor comment: Required E2E: cloud-e2e, rebuild-openclaw-e2e. Changed files include Dockerfile.base ARG OPENCLAW_VERSION=2026.4.25, manifest expected_version, and blueprint min_openclaw_version.

🟡 Warnings

• Active overlapping PRs touch the same runtime version files: Multiple open PRs modify the same high-risk runtime files, which increases drift and supersession risk for version pinning and sandbox image behavior.
  • Recommendation: Before merge, reconcile this PR with overlapping OpenClaw/runtime dependency PRs, especially fix(openclaw): bump runtime deps EXDEV fix #3820, Upgrade OpenClaw to 2026.5.18 #3825, and chore: upgrade agent runtime dependencies #3925, to avoid landing an immediately stale or conflicting version pin.
  • Evidence: Trusted overlap data lists same-file overlaps on Dockerfile.base, agents/openclaw/manifest.yaml, and nemoclaw-blueprint/blueprint.yaml for PRs fix(openclaw): bump runtime deps EXDEV fix #3820, Upgrade OpenClaw to 2026.5.18 #3825, and chore: upgrade agent runtime dependencies #3925; additional overlaps exist for Dockerfile.base and blueprint.yaml.
• Regression test verifies only version pinning, not duplicate-message behavior (test/openclaw-version-pin.test.ts:34): The added test ensures the Dockerfile, blueprint, and manifest versions are aligned and at least 2026.4.25, but it does not reproduce the web UI/control-UI duplicate-message path from issue [0.0.39] Duplicate user messages from openclaw-control-ui and You identities, even with weixin plugin fully removed #3789.
  • Recommendation: Keep the version-pin guard, and supplement it with required runtime E2E evidence or a hermetic messaging/chat regression that asserts a single user turn and single assistant turn for the affected control-UI path.
  • Evidence: test/openclaw-version-pin.test.ts parses three version strings and asserts they match and are >= 2026.4.25; E2E Advisor additionally recommends an openclaw-duplicate-message-regression test.
• Sandbox runtime dependency bump relies on upstream package trust (Dockerfile.base:189): The PR changes the globally installed OpenClaw npm package version used inside the sandbox. This is expected for the bug fix, but it changes a high-privilege runtime dependency without trusted evidence of supply-chain/security review for the new upstream artifact in this review context.
  • Recommendation: Ensure maintainers verify the OpenClaw 2026.4.25 package provenance/changelog/advisories and that required runtime E2E passes before accepting the dependency bump.
  • Evidence: Dockerfile.base runs npm install -g "openclaw@${OPENCLAW_VERSION}" after changing ARG OPENCLAW_VERSION from 2026.4.24 to 2026.4.25.

🔵 Suggestions

• None.

Acceptance coverage

• partial — Every user message sent through the web UI at http://127.0.0.1:18789 is processed twice by the agent — once labeled openclaw-control-ui and once labeled You.: PR bumps OpenClaw to 2026.4.25, which linked issue comments identify as containing the upstream fix. The added test only validates version pins; no diff-level behavioral test exercises web UI message processing.
• partial — Both messages produce identical Assistant responses.: The PR body reports external Linux probe evidence showing 2026.4.24 had matchingUserTurnCount=2 and matchingAssistantTurnCount=2 while 2026.4.25 had both counts at 1, but the repository diff only adds a version-pin test.
• unknown — Disabling openclaw-weixin in plugins.entries (still happens): No changed code or added test covers the disabled-weixin reproduction variant; the fix path is an upstream OpenClaw version bump.
• unknown — Completely removing openclaw-weixin from disk + config (still happens): No changed code or added test covers the removed-weixin reproduction variant; the fix path is an upstream OpenClaw version bump.
• partial — Full uninstall and clean reinstall (still happens): Dockerfile.base changes fresh sandbox installs to OpenClaw 2026.4.25, and blueprint min_openclaw_version is raised to 2026.4.25, but required fresh-user E2E cloud-e2e has not been shown passing for the head SHA.
• unknown — nemoclaw my-assistant recover (still happens): No changed code or added test covers the recover command path.
• missing — The openclaw-weixin plugin is auto-installed and auto-enabled during onboarding regardless of user's wizard selection.: This PR does not modify onboarding or weixin plugin enablement behavior; Dockerfile.base still installs and enables @tencent-weixin/openclaw-weixin@2.4.2.
• partial — However, removing it does NOT fix the duplicate message issue, so it's not the root cause.: The PR addresses the issue by bumping OpenClaw from 2026.4.24 to 2026.4.25 rather than changing weixin. No in-repo behavioral regression test proves the root-cause distinction.
• partial — The duplication appears to be in the message broadcaster routing messages with two identity labels for a single user input.: Linked triage comments point to an upstream OpenClaw 2026.4.24 session-prompt layer regression fixed in 2026.4.25; the diff pins 2026.4.25 but does not modify broadcaster routing or add a broadcaster-level test.
• partial — 1. Fresh install with curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash: Dockerfile.base changes the fresh sandbox OpenClaw install version to 2026.4.25. Required cloud-e2e for the fresh user path is not shown passing.
• unknown — 2. Select NVIDIA Endpoints, Nemotron 120B, default settings: No changed code or added test exercises this onboarding selection path.
• unknown — 3. Skip all messaging channels (including wechat): No changed code or added test exercises this wizard path; Dockerfile.base still enables the weixin plugin in the base image.
• unknown — 4. Open dashboard via tokenized URL: No changed code or added test opens the dashboard/tokenized URL path.
• partial — 5. Send any message → see duplicate: The version bump targets the upstream fix for duplicate messages, and the PR body reports manual probe evidence. In-repo coverage is only version-pin consistency; no automated message-send regression is added.
• unknown — NemoClaw CLI: v0.0.45: The PR does not change or test CLI v0.0.45 specifically.
• met — OpenClaw version: 2026.4.24: Dockerfile.base, agents/openclaw/manifest.yaml, and nemoclaw-blueprint/blueprint.yaml all change the OpenClaw pin/expectation/minimum from 2026.4.24 to 2026.4.25.
• unknown — OS: Windows 11 + WSL2 (Ubuntu): wsl-e2e is shown IN_PROGRESS in status checks, but no passing result for the head SHA is present in the trusted context.
• unknown — GPU: NVIDIA RTX 5070 Laptop (8GB): No diff or trusted test evidence targets this GPU environment.
• unknown — Inference: NVIDIA Endpoints / Nemotron 3 Super 120B: No changed test exercises live NVIDIA Endpoints/Nemotron inference; E2E Advisor says cloud-e2e is required for live inference against NVIDIA endpoints.
• unknown — I confirmed this bug is reproducible: Issue reporter checked this box; PR diff does not add a reproduction fixture for the original bug path.

Security review

• pass — 1. Secrets and Credentials: No hardcoded secrets, tokens, passwords, PEM files, credential JSON, or new secret material are introduced. Existing credential_env entries in blueprint.yaml remain environment-variable references.
• pass — 2. Input Validation and Data Sanitization: No new user-facing input handlers, URL parsers, deserializers, shell command inputs, or API endpoints are introduced. The new test parses repository-controlled version strings with constrained regexes.
• pass — 3. Authentication and Authorization: No authentication or authorization code is changed. Existing manifest fields device_pairing and web_auth_method remain unchanged.
• warning — 4. Dependencies and Third-Party Libraries: The sandbox runtime dependency openclaw is bumped from 2026.4.24 to 2026.4.25, which is the intended fix, but this review context does not include independent CVE/provenance verification for the new npm artifact. The dependency is version-pinned rather than floating.
• pass — 5. Error Handling and Logging: No runtime error-handling or logging paths are changed. The new test throws only local parse errors for repository files.
• pass — 6. Cryptography and Data Protection: Not applicable — no cryptographic operations, key management, hashing, or data-protection logic are changed.
• warning — 7. Configuration and Security Headers: The PR changes security-relevant sandbox/runtime configuration by raising min_openclaw_version and expected_version. No headers/CORS changes are present, and the pinned sandbox image digest remains unchanged. Because this affects real sandbox behavior, required E2E validation is needed before accepting the configuration change.
• warning — 8. Security Testing: The added unit test guards version alignment and a minimum fixed version, but it does not exercise sandbox runtime, rebuild, web UI messaging, SSRF/network policy boundaries, or duplicate-message behavior. E2E Advisor requires cloud-e2e and rebuild-openclaw-e2e.
• warning — 9. Holistic Security Posture: The change likely improves correctness by moving away from a regressed OpenClaw version, but it changes a sandbox runtime dependency and overlaps with other active runtime dependency PRs. Pending CI/E2E and overlap reconciliation are needed to avoid stale or unvalidated runtime behavior.

Test / E2E status

• Test depth: e2e_required — The added unit test is appropriate for preventing version drift across Dockerfile.base, agents/openclaw/manifest.yaml, and nemoclaw-blueprint/blueprint.yaml, but the changed files affect fresh sandbox creation and rebuilt sandbox runtime behavior. Unit tests cannot prove install/onboard/rebuild/live-message behavior or the original duplicate-message bug path.
• E2E Advisor: missing
• Required E2E jobs: cloud-e2e, rebuild-openclaw-e2e
• Missing for analyzed SHA: cloud-e2e, rebuild-openclaw-e2e

✅ What looks good

• The three runtime version declarations are aligned to 2026.4.25: Dockerfile.base OPENCLAW_VERSION, manifest expected_version, and blueprint min_openclaw_version.
• The new test provides a useful regression guard against future drift between fresh-build, manifest, and rebuild minimum version controls.
• The change is narrow and directly tied to the linked issue's upstream OpenClaw 2026.4.24 regression analysis.
• The Dockerfile already validates OPENCLAW_VERSION format, checks the blueprint minimum, and verifies the npm version exists before install.

Review completeness

• This review used the supplied trusted metadata and diff; no PR scripts, package-manager commands, tests, or E2E workflows were executed.
• No independent vulnerability database lookup for openclaw@2026.4.25 was performed in this environment.
• Required E2E pass/fail status for cloud-e2e and rebuild-openclaw-e2e at the current head SHA was not present in the trusted context.
• Review thread state is based on GraphQL nodes and REST reviewComments provided in the context; external UI state was not inspected.
• PR body and issue/comment text were treated as untrusted evidence and mapped only against diff/trusted status evidence.
• Human maintainer review required: yes

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile.base (1)

181-181: ⚠️ Potential issue | 🟠 Major

Dockerfile.base: ensure required nightly-e2e jobs ran (container image change)
ARG bump is fine, but there were no runs of .github/workflows/nightly-e2e.yaml on branch fix/3789_openclaw-duplicate-user-messages; the cloud-e2e, sandbox-survival-e2e, hermes-e2e, and rebuild-openclaw-e2e jobs are gated behind that workflow’s inputs.jobs.

• Share links/conclusions for the nightly-e2e.yaml run invoked with -f jobs=cloud-e2e,sandbox-survival-e2e,hermes-e2e,rebuild-openclaw-e2e (or provide equivalent e2e coverage for the same scenarios).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.base` at line 181, The ARG bump (OPENCLAW_VERSION) in
Dockerfile.base was accepted but the required
`.github/workflows/nightly-e2e.yaml` jobs (cloud-e2e, sandbox-survival-e2e,
hermes-e2e, rebuild-openclaw-e2e) were not executed on branch
fix/3789_openclaw-duplicate-user-messages; re-run the nightly-e2e workflow with
inputs.jobs set to
"cloud-e2e,sandbox-survival-e2e,hermes-e2e,rebuild-openclaw-e2e" (or trigger
equivalent e2e pipelines covering those scenarios), then attach or paste the
workflow run links and a short summary of results/conclusions to this PR so we
have evidence the image change was validated; reference the ARG OPENCLAW_VERSION
change and include the run IDs for traceability.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Dockerfile.base`:
- Line 181: The ARG bump (OPENCLAW_VERSION) in Dockerfile.base was accepted but
the required `.github/workflows/nightly-e2e.yaml` jobs (cloud-e2e,
sandbox-survival-e2e, hermes-e2e, rebuild-openclaw-e2e) were not executed on
branch fix/3789_openclaw-duplicate-user-messages; re-run the nightly-e2e
workflow with inputs.jobs set to
"cloud-e2e,sandbox-survival-e2e,hermes-e2e,rebuild-openclaw-e2e" (or trigger
equivalent e2e pipelines covering those scenarios), then attach or paste the
workflow run links and a short summary of results/conclusions to this PR so we
have evidence the image change was validated; reference the ARG OPENCLAW_VERSION
change and include the run IDs for traceability.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e54639d0-b712-4ab2-8138-9604ad27b376

📥 Commits

Reviewing files that changed from the base of the PR and between a47f155 and 5b2d522.

📒 Files selected for processing (1)

• Dockerfile.base