fix(openclaw): unblock scope-upgrade approvals#4468
Merged
Conversation
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Contributor
📝 WalkthroughWalkthroughStrip OPENCLAW_GATEWAY_URL for in-sandbox approve subprocesses, separate attempted vs successful approval counting, update guard/watcher wiring and tests, add a comprehensive ChangesIssue
Issue
Sequence DiagramsequenceDiagram
participant Test
participant Sandbox
participant Guard as proxy-env guard
participant OpenClaw
Test->>Sandbox: provision sandbox & create CLI device
Test->>Sandbox: trigger agent to request scope-upgrade
Test->>Sandbox: poll for pending scope-upgrade request
Test->>Guard: run approval via proxy-env guard
Guard->>OpenClaw: openclaw devices approve (OPENCLAW_GATEWAY_URL stripped)
OpenClaw-->>Guard: approval rc / JSON
Guard-->>Test: success/failure
Test->>Sandbox: verify request cleared & device scopes updated
Test->>Sandbox: run approved agent turn & verify gateway-mode output
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Contributor
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
Contributor
E2E Scenario Advisor RecommendationRequired scenario E2E: None Full scenario advisor summaryE2E Scenario AdvisorBase: Required scenario E2E
Optional scenario E2E
Relevant changed files
|
Contributor
PR Review AdvisorFindings: 1 needs attention, 8 worth checking, 0 nice ideas Review findings🛠️ Needs attention
🔎 Worth checking
🌱 Nice ideas
Since last review detailsCurrent findings:
This is an automated advisory review. A human maintainer must make the final merge decision. |
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26604218244
|
Contributor
|
Actionable comments posted: 0 |
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Contributor
|
Actionable comments posted: 0 |
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26604659560
|
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26604744502
|
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Contributor
|
Actionable comments posted: 0 |
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26605221785
|
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Contributor
|
Actionable comments posted: 0 |
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26605540893
|
Collaborator
|
Follow-up pushed at
Local validation:
Dispatched fresh selective E2E for both #4462 lanes against |
Contributor
|
Actionable comments posted: 0 |
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Contributor
Selective E2E Results — ❌ Some jobs failedRun: 26605795773
|
Collaborator
|
Pushed Local validation repeated:
Fresh selective E2E for both #4462 lanes against |
Contributor
Selective E2E Results — ❌ Some jobs failedRun: 26606354890
|
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26606399473
|
ericksoa
added
v0.0.54
Contributor
Selective E2E Results — ❌ Some jobs failedRun: 26609778207
|
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26609807234
|
Collaborator
|
Proposed way to resolve the remaining #4462 repro ambiguity before we make more changes: The positive lane is now the stable fix signal: it builds the real sandbox, gets from low-scope CLI pairing through scope-upgrade approval, and verifies the next The legacy
Because issue #4462 originally described a same-request deadlock, requiring the legacy lane to pass as an exact repro is making the PR brittle and is what the advisor is flagging. I suggest we re-scope that lane as a characterization/diagnostic lane rather than a required merge gate, and stop claiming it proves the same-request deadlock unless the logs actually show that subcase. Concrete planned changes, pending agreement:
I want to clear this with @ericksoa before editing the workflow/test naming further. |
Collaborator
|
Implemented the agreed re-scope in
Also fixed the CodeRabbit nit by removing the unused Validation run locally:
Fresh selective E2E against |
Contributor
Selective E2E Results — ❌ Some jobs failedRun: 26610174331
|
Contributor
Selective E2E Results — ❌ Some jobs failedRun: 26611223063
|
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26610174331
|
Contributor
Selective E2E Results — ❌ Some jobs failedRun: 26611223063
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/nightly-e2e.yaml (1)
433-458:⚠️ Potential issue | 🟠 MajorAdd missing
.coderabbit.yamlpath_instructionsmapping for the new issue-4462 nightly E2E job
.github/workflows/nightly-e2e.yamljobissue-4462-gateway-pinned-approval-characterization-e2erunstest/e2e/test-issue-4462-scope-upgrade-approval.sh, but.coderabbit.yamlonly maps the issue-specifictest/e2e/test-issue-2478-crash-loop-recovery.shundertest/e2e/test-issue*and has no corresponding entry (or covering wildcard) for the issue-4462 script.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/nightly-e2e.yaml around lines 433 - 458, Add a mapping in .coderabbit.yaml's path_instructions so the new nightly job's script is recognized: the job issue-4462-gateway-pinned-approval-characterization-e2e in .github/workflows/nightly-e2e.yaml executes test/e2e/test-issue-4462-scope-upgrade-approval.sh, but .coderabbit.yaml currently only maps test/e2e/test-issue-2478-crash-loop-recovery.sh under test/e2e/test-issue*; update path_instructions to include either an explicit entry for test/e2e/test-issue-4462-scope-upgrade-approval.sh or broaden the existing wildcard to cover test/e2e/test-issue-*.sh so the new script is picked up by code rabbit.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/nightly-e2e.yaml:
- Around line 433-458: Add a mapping in .coderabbit.yaml's path_instructions so
the new nightly job's script is recognized: the job
issue-4462-gateway-pinned-approval-characterization-e2e in
.github/workflows/nightly-e2e.yaml executes
test/e2e/test-issue-4462-scope-upgrade-approval.sh, but .coderabbit.yaml
currently only maps test/e2e/test-issue-2478-crash-loop-recovery.sh under
test/e2e/test-issue*; update path_instructions to include either an explicit
entry for test/e2e/test-issue-4462-scope-upgrade-approval.sh or broaden the
existing wildcard to cover test/e2e/test-issue-*.sh so the new script is picked
up by code rabbit.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: d3f216ae-871c-4d65-808a-1daaed471590
📒 Files selected for processing (2)
.github/workflows/nightly-e2e.yamltest/e2e/test-issue-4462-scope-upgrade-approval.sh
Collaborator
|
Re-dispatched the #4462 selective E2E with the full target SHA (the previous manual run used a short SHA and failed at checkout before executing tests). Run: https://github.com/NVIDIA/NemoClaw/actions/runs/26611504524 |
Contributor
Selective E2E Results — ✅ All requested jobs passedRun: 26611504524
|
cv
approved these changes
May 29, 2026
12 tasks
miyoungc
added a commit
that referenced
this pull request
May 29, 2026
## Summary Refreshes the NemoClaw documentation for the v0.0.54 release and regenerates user skills from the Fern MDX source. Also keeps the Fern CLI pin current so local docs checks use the upgraded Fern version. ## Related Issue <!-- No single related issue. This is release-prep documentation catch-up. --> ## Changes - #4403 -> `docs/manage-sandboxes/messaging-channels.mdx`, `docs/reference/commands.mdx`, `docs/about/release-notes.mdx`: Document Telegram, Discord, and Slack post-rebuild bridge verification and summarize channel activation fixes. - #4222 -> `docs/about/release-notes.mdx`: Include Slack generated channel enablement in the v0.0.54 messaging summary. - #4346 -> `docs/get-started/windows-preparation.mdx`, `docs/about/release-notes.mdx`: Document safer Windows bootstrap behavior for Ubuntu first-run and Docker Desktop WSL integration. - #4416 -> `docs/inference/use-local-inference.mdx`, `docs/about/release-notes.mdx`: Document the Docker Desktop WSL requirement for Windows-host Ollama. - #4442 -> `docs/about/release-notes.mdx`: Summarize the optional NemoHermes native web dashboard and related environment variables. - #4426 -> `docs/about/release-notes.mdx`: Summarize copy-paste recovery hints for invalid sandbox names and missing NVIDIA API keys. - #4459 -> `docs/about/release-notes.mdx`: Summarize the Linuxbrew prefix fix for sandbox Homebrew usage. - #4450 -> `docs/about/release-notes.mdx`: Summarize `/nemoclaw` slash command startup activation. - #4468 -> `docs/about/release-notes.mdx`: Summarize scope-upgrade approval recovery. - #4325 -> `docs/about/release-notes.mdx`: Summarize the narrowed `web_fetch` host-gateway allowance. - #4474 -> `docs/about/release-notes.mdx`: Summarize Hermes Provider smoke-check behavior for OAuth versus Nous API key setup. - Refresh generated `.agents/skills/nemoclaw-user-*` references from `docs/` and update `fern/fern.config.json` to Fern `5.41.2`. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [x] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Verification <!-- Check each item you ran and confirmed. Leave unchecked items you skipped. Doc-only changes do not require npm test unless you ran it. --> - [ ] `npx prek run --all-files` passes - [ ] `npm test` passes - [ ] Tests added or updated for new or changed behavior - [x] No secrets, API keys, or credentials committed - [x] Docs updated for user-facing behavior changes - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off required by CI. Run: git config user.name && git config user.email --> Signed-off-by: Miyoung Choi <miyoungc@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Optional NemoHermes native web dashboard (configurable port and TUI) * GPU memory cleanup now unloads Ollama models when switching providers or stopping services * **Bug Fixes** * Improved sandbox name validation with suggested slug recovery * Windows-host Ollama now requires Docker Desktop WSL integration and exits with remediation guidance when unsupported * **Documentation** * Clarified quickstart/onboard flow, installer TTY/non‑TTY guidance, Hermes Docker prerequisites, sandbox hardening, and channels add rebuild checks <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/4539?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai -->
](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/4539?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack){kind=link}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
OPENCLAW_GATEWAY_URLonly foropenclaw devices approve, so late CLI scope-upgrade approvals use OpenClaw's local pairing fallback instead of asking the gateway connection for the upgraded scopes it is trying to approveValidation
npm run build:clinpx vitest run test/nemoclaw-start.test.ts test/sandbox-connect-inference.test.tsnpx vitest run test/validate-e2e-coverage.test.ts test/e2e-script-workflow.test.ts test/e2e-advisor-dispatch.test.ts --testTimeout 60000bash -n test/e2e/test-issue-4462-scope-upgrade-approval.shshellcheck test/e2e/test-issue-4462-scope-upgrade-approval.shnpx tsx scripts/e2e/lint-conventions.tsgit diff --checkNightly Proofs
Notes
The product fix is in
scripts/nemoclaw-start.shandsrc/lib/actions/sandbox/connect.ts. The E2E/workflow changes are coverage and proof for the runtime approval behavior.Summary by CodeRabbit
New Features
Bug Fixes
Tests