Skip to content

fix(messaging): lock WeChat runtime graph#6739

Merged
ericksoa merged 37 commits into
NVIDIA:mainfrom
HOYALIM:codex/issue-5896-wechat-lock
Jul 13, 2026
Merged

fix(messaging): lock WeChat runtime graph#6739
ericksoa merged 37 commits into
NVIDIA:mainfrom
HOYALIM:codex/issue-5896-wechat-lock

Conversation

@HOYALIM

@HOYALIM HOYALIM commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add a NemoClaw-owned production lock for @tencent-weixin/openclaw-weixin@2.4.3 and its transitive runtime dependencies
  • populate a dedicated image cache from the reviewed lock, then force the OpenClaw installer to consume it offline
  • verify the installed managed npm lock, integrity metadata, dependency set, and package versions against the reviewed graph
  • document the deliberate lock-refresh and peer-dependency boundary

Validation

  • npx vitest run test/verify-wechat-runtime-lock.test.ts test/wechat-locked-install.test.ts test/messaging-build-applier.test.ts (30 passed)
  • real OpenClaw 2026.6.10 npm-pack: install with NPM_CONFIG_OFFLINE=true (installed 3 locked packages and linked the existing OpenClaw peer)
  • npm audit --omit=dev --json --prefix agents/openclaw/wechat-runtime (0 vulnerabilities)
  • npm run build:cli
  • npm run typecheck:cli
  • npm run check:diff

Refs #5896

Signed-off-by: Ho Lim subhoya@gmail.com

Summary by CodeRabbit

  • New Features
    • Added locked, offline WeChat runtime graph staging and installation with OpenClaw peer compatibility verification.
    • Introduced per-plugin runtime lock configuration for WeChat runtime installs (script-ignoring, controlled cache/offline behavior).
    • Added a dedicated WeChat runtime CI audit gate with evidence upload.
  • Bug Fixes
    • Prevented dependency/lock drift and untrusted npm configuration from being used during WeChat runtime installation.
  • Tests
    • Added and expanded coverage for lock verification, cache isolation, locked install behavior, and CI enforcement.
  • Documentation
    • Published updated guidance for the reviewed WeChat dependency graph and audit process.

Copilot AI review requested due to automatic review settings July 13, 2026 02:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@copy-pr-bot

copy-pr-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This change adds a pinned WeChat runtime graph, lock verification, offline plugin installation, Docker and sandbox staging, and mandatory CI auditing with artifact evidence and workflow contract tests.

Changes

WeChat runtime lock

Layer / File(s) Summary
Runtime contract
agents/openclaw/wechat-runtime/package.json, src/lib/messaging/manifest/*, agents/openclaw/dependency-review.md
Defines the pinned WeChat package, runtime-lock manifest contract, and reviewed dependency graph.
Lock verification
scripts/verify-wechat-runtime-lock.mts, test/verify-wechat-runtime-lock.test.ts
Compares installed dependency locations and metadata with the reviewed lock and validates OpenClaw peer compatibility.
Offline installation and cache boundaries
src/lib/messaging/applier/build/*, src/lib/messaging/channels/wechat/manifest.ts, Dockerfile, test/wechat-locked-install.test.ts, test/messaging-build-applier.test.ts
Configures offline, script-disabled plugin installation through a disposable writable cache and runs post-install verification.
Container runtime staging
src/lib/sandbox/build-context.ts, Dockerfile, test/sandbox-build-context.test.ts, test/*provisioning*.test.ts
Stages both OpenClaw runtime graphs and the verifier while preserving Docker instruction contracts.
Runtime audit CI gates
.github/actions/ci-wechat-runtime-audit/*, .github/workflows/{pr,main}.yaml, test/wechat-runtime-audit-workflow.test.ts
Audits the locked graph, rejects unsafe configuration or origins, uploads evidence, and makes the audit a required workflow check.

Estimated code review effort: 4 (Complex) | ~60 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#4403: Both changes touch messaging plugin build and channel/plugin enabling logic.

Suggested labels: dependencies, platform: container, VDR

Suggested reviewers: ericksoa

Sequence Diagram(s)

sequenceDiagram
  participant DockerBuild
  participant MessagingBuildApplier
  participant Npm
  participant LockVerifier
  DockerBuild->>MessagingBuildApplier: provide staged runtime lock and trusted cache
  MessagingBuildApplier->>Npm: install plugin offline using disposable cache
  Npm-->>MessagingBuildApplier: create installed npm project
  MessagingBuildApplier->>LockVerifier: verify installed lock and OpenClaw peer range
  LockVerifier-->>MessagingBuildApplier: accept or reject installation
Loading
sequenceDiagram
  participant Workflow
  participant WechatRuntimeAudit
  participant Npm
  participant ArtifactStorage
  Workflow->>WechatRuntimeAudit: run trusted audit action
  WechatRuntimeAudit->>Npm: materialize and audit locked graph offline
  Npm-->>WechatRuntimeAudit: audit and signature results
  WechatRuntimeAudit->>ArtifactStorage: upload audit evidence
  Workflow-->>Workflow: require audit success
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: locking the WeChat runtime graph for messaging.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: cloud-onboard, channels-add-remove, channels-stop-start, onboard-repair, onboard-resume, messaging-providers
Optional E2E: None

Dispatch hint: cloud-onboard,channels-add-remove,channels-stop-start,onboard-repair,onboard-resume,messaging-providers

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: target/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-onboard (high): Required validation floor: Dockerfile platform-install changes must prove a clean hosted onboarding reaches a usable sandbox with the new runtime-image assembly.
  • channels-add-remove (high): Required validation floor: verify messaging channel installation, rebuild, credential/policy application, and teardown after the WeChat runtime-lock integration.
  • channels-stop-start (high): Required validation floor: verify WeChat and other channel configuration survives stop/start and rebuild lifecycle transitions for both supported agents.
  • onboard-repair (high): Required validation floor: the managed Dockerfile remote-dashboard bind contract can affect repaired onboarding state and sandbox convergence.
  • onboard-resume (medium): Required validation floor: the managed Dockerfile remote-dashboard bind contract can affect resumed onboarding and persisted lifecycle state.
  • messaging-providers (high): The final image now installs a new verified WeChat plugin graph; run the live provider test to validate its real OpenShell credential, placeholder, account-file, and installed OpenClaw channel behavior.

Optional E2E

  • None.

New E2E recommendations

  • security-boundary (high): Current live messaging coverage validates WeChat configuration and lifecycle, but does not explicitly prove in a final built sandbox that the plugin installer uses only the copied writable cache while the source cache remains immutable and no registry fallback occurs.
    • Suggested test: Add a live final-image WeChat runtime-lock boundary test that attempts installation with registry access unavailable, verifies successful locked plugin installation, and asserts the trusted cache remains root-owned and non-writable after the build.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: cloud-onboard,channels-add-remove,channels-stop-start,onboard-repair,onboard-resume,messaging-providers

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

159-169: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

verify-wechat-runtime-lock.mts is missing from the explicit chmod 755 list.

Every other script copied into /usr/local/lib/nemoclaw/ in this block gets an explicit chmod 755, even though (like this one) they're only ever invoked as node <script>. This new script is left at whatever mode COPY happens to preserve from the build context, breaking the file's own explicit least-privilege convention.

As per path instructions for Dockerfile*: "Preserve deny-by-default behavior, least privilege, redaction, and fail-closed handling."

🔒 Proposed fix
 RUN chmod 755 /usr/local/lib/nemoclaw/patch-openclaw-tool-catalog.js \
         /usr/local/lib/nemoclaw/patch-openclaw-chat-send.js \
         /usr/local/lib/nemoclaw/patch-openclaw-mcp-npx.mts \
         /usr/local/lib/nemoclaw/patch-openclaw-issue-4434-diagnostics.ts \
-        /usr/local/lib/nemoclaw/patch-openclaw-device-self-approval.ts
+        /usr/local/lib/nemoclaw/patch-openclaw-device-self-approval.ts \
+        /usr/local/lib/nemoclaw/verify-wechat-runtime-lock.mts
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 159 - 169, Update the Dockerfile chmod command to
include /usr/local/lib/nemoclaw/verify-wechat-runtime-lock.mts alongside the
other copied scripts, preserving the block’s explicit executable-permission
convention.

Source: Path instructions

🧹 Nitpick comments (1)
agents/openclaw/dependency-review.md (1)

23-31: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add an audit/advisory trail and regression-test reference, matching the mcporter section above.

The mcporter section records an explicit advisory command, review date, and result, plus a regressionTest field. The new WeChat section skips these, even though the PR objectives claim zero production audit vulnerabilities were verified — there's nothing here recording how/when that was checked, or which test keeps this pin, the Dockerfile npm-cache literals, and WECHAT_OPENCLAW_PLUGIN_SPEC in messaging-build-applier.mts synchronized.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/openclaw/dependency-review.md` around lines 23 - 31, Update the WeChat
plugin runtime graph section to include the same advisory command, review date,
and audit result fields used by the mcporter section, and add a regressionTest
field. Reference the test that verifies synchronization of the pinned package,
Dockerfile npm-cache literals, and WECHAT_OPENCLAW_PLUGIN_SPEC in
messaging-build-applier.mts.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/verify-wechat-runtime-lock.mts`:
- Around line 66-93: Update normalizedRecord so its dependencies object is
rebuilt with deterministically sorted keys before comparison, while preserving
each dependency value and the existing empty-object fallback. Keep
verifyWechatRuntimeLock’s metadata comparison and version checks unchanged.

In `@src/lib/messaging/applier/build/messaging-build-applier.mts`:
- Around line 129-133: Move WeChat-specific package-install metadata from
WECHAT_OPENCLAW_PLUGIN_SPEC, WECHAT_NPM_CACHE, WECHAT_RUNTIME_LOCK,
WECHAT_NPM_PROJECTS_ROOT, and the install.spec branch into the channel manifest
or hook-output schema keyed by channelId. Update the applier’s package-install
dispatch to consume that manifest metadata, including offline/cache,
legacy-peer-deps, lock-path, and verification behavior, without matching a
version-embedded plugin spec. Ensure manifest metadata remains synchronized with
the runtime package configuration and preserves WeChat lock verification.

---

Outside diff comments:
In `@Dockerfile`:
- Around line 159-169: Update the Dockerfile chmod command to include
/usr/local/lib/nemoclaw/verify-wechat-runtime-lock.mts alongside the other
copied scripts, preserving the block’s explicit executable-permission
convention.

---

Nitpick comments:
In `@agents/openclaw/dependency-review.md`:
- Around line 23-31: Update the WeChat plugin runtime graph section to include
the same advisory command, review date, and audit result fields used by the
mcporter section, and add a regressionTest field. Reference the test that
verifies synchronization of the pinned package, Dockerfile npm-cache literals,
and WECHAT_OPENCLAW_PLUGIN_SPEC in messaging-build-applier.mts.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ed6ad7e9-f4f4-4544-a44b-c009bb06f8ba

📥 Commits

Reviewing files that changed from the base of the PR and between deed1aa and 7f5f7b0.

⛔ Files ignored due to path filters (1)
  • agents/openclaw/wechat-runtime/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (8)
  • Dockerfile
  • agents/openclaw/dependency-review.md
  • agents/openclaw/wechat-runtime/package.json
  • scripts/verify-wechat-runtime-lock.mts
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • test/messaging-build-applier.test.ts
  • test/verify-wechat-runtime-lock.test.ts
  • test/wechat-locked-install.test.ts

Comment thread scripts/verify-wechat-runtime-lock.mts
Comment thread src/lib/messaging/applier/build/messaging-build-applier.mts Outdated
@cv cv added the v0.0.82 Release target label Jul 13, 2026
Comment thread scripts/verify-wechat-runtime-lock.mts Fixed
Signed-off-by: Ho Lim <subhoya@gmail.com>
@HOYALIM HOYALIM force-pushed the codex/issue-5896-wechat-lock branch from 7f5f7b0 to 033febe Compare July 13, 2026 05:45

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
src/lib/messaging/applier/build/messaging-build-applier.mts (1)

698-722: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider extracting helper functions to reduce complexity of installOpenClawMessagingPlugins.

This function now builds install env, runs the install, and conditionally runs verification — three distinct responsibilities in one loop body. Extracting buildInstallEnv(install, env) and the verifier-invocation block would keep each function focused and easier to unit-test in isolation.

♻️ Proposed extraction
+function buildInstallEnv(install: OpenClawPluginInstall, env: Env): Env {
+  return {
+    ...env,
+    NPM_CONFIG_IGNORE_SCRIPTS: "true",
+    npm_config_ignore_scripts: "true",
+    ...(install.runtimeLock
+      ? {
+          NPM_CONFIG_CACHE: install.runtimeLock.cachePath,
+          NPM_CONFIG_OFFLINE: String(install.runtimeLock.offline),
+          NPM_CONFIG_LEGACY_PEER_DEPS: String(install.runtimeLock.legacyPeerDeps),
+        }
+      : {}),
+  };
+}
+
+function verifyRuntimeLockIfPresent(install: OpenClawPluginInstall, installEnv: Env): void {
+  if (!install.runtimeLock) return;
+  runCommand(
+    [
+      "node",
+      "--experimental-strip-types",
+      install.runtimeLock.verifierPath,
+      install.runtimeLock.lockFile,
+      install.runtimeLock.projectsRoot,
+    ],
+    installEnv,
+  );
+}
+
 export function installOpenClawMessagingPlugins(plan: MessagingBuildPlan | null, env: Env): void {
   for (const install of collectOpenClawMessagingPluginInstalls(plan, env)) {
     const packed = packVerifiedOpenClawPluginArchive(install, env);
     try {
-      const installEnv = {
-        ...env,
-        NPM_CONFIG_IGNORE_SCRIPTS: "true",
-        npm_config_ignore_scripts: "true",
-        ...(install.runtimeLock
-          ? {
-              NPM_CONFIG_CACHE: install.runtimeLock.cachePath,
-              NPM_CONFIG_OFFLINE: String(install.runtimeLock.offline),
-              NPM_CONFIG_LEGACY_PEER_DEPS: String(install.runtimeLock.legacyPeerDeps),
-            }
-          : {}),
-      };
+      const installEnv = buildInstallEnv(install, env);
       runCommand(["openclaw", "plugins", "install", `npm-pack:${packed.archivePath}`], installEnv);
-      if (install.runtimeLock) {
-        runCommand(
-          [
-            "node",
-            "--experimental-strip-types",
-            install.runtimeLock.verifierPath,
-            install.runtimeLock.lockFile,
-            install.runtimeLock.projectsRoot,
-          ],
-          installEnv,
-        );
-      }
+      verifyRuntimeLockIfPresent(install, installEnv);
     } finally {
       rmSync(packed.rootDir, { recursive: true, force: true });
     }
   }
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/messaging/applier/build/messaging-build-applier.mts` around lines 698
- 722, Refactor installOpenClawMessagingPlugins by extracting the install
environment construction into buildInstallEnv(install, env) and the conditional
runtime-lock verification command into a separate helper. Keep the existing
environment values, install command, verifier arguments, and conditional
behavior unchanged, then invoke the helpers from the loop.
test/wechat-locked-install.test.ts (1)

27-27: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Select the package by agent id
Use find((pkg) => pkg.agent === "openclaw") here instead of [0] so the assertion stays stable if another agent package is added or the manifest order changes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/wechat-locked-install.test.ts` at line 27, Update the runtimeLock
selection in the test to find the package whose agent is "openclaw" using the
agent field, replacing the order-dependent wechatManifest.agentPackages[0]
access while preserving the existing assertion behavior.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/messaging/applier/build/messaging-build-applier.mts`:
- Around line 698-722: Refactor installOpenClawMessagingPlugins by extracting
the install environment construction into buildInstallEnv(install, env) and the
conditional runtime-lock verification command into a separate helper. Keep the
existing environment values, install command, verifier arguments, and
conditional behavior unchanged, then invoke the helpers from the loop.

In `@test/wechat-locked-install.test.ts`:
- Line 27: Update the runtimeLock selection in the test to find the package
whose agent is "openclaw" using the agent field, replacing the order-dependent
wechatManifest.agentPackages[0] access while preserving the existing assertion
behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 28524fd5-af5b-4cb6-8d04-9d43c9f71977

📥 Commits

Reviewing files that changed from the base of the PR and between 7f5f7b0 and 033febe.

⛔ Files ignored due to path filters (1)
  • agents/openclaw/wechat-runtime/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (12)
  • Dockerfile
  • agents/openclaw/dependency-review.md
  • agents/openclaw/wechat-runtime/package.json
  • scripts/verify-wechat-runtime-lock.mts
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • src/lib/messaging/channels/wechat/manifest.ts
  • src/lib/messaging/manifest/types.ts
  • src/lib/sandbox/build-context.ts
  • test/messaging-build-applier.test.ts
  • test/sandbox-build-context.test.ts
  • test/verify-wechat-runtime-lock.test.ts
  • test/wechat-locked-install.test.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • agents/openclaw/wechat-runtime/package.json
  • agents/openclaw/dependency-review.md
  • scripts/verify-wechat-runtime-lock.mts
  • Dockerfile

@wscurran wscurran added area: packaging Packages, images, registries, installers, or distribution area: security Security controls, permissions, secrets, or hardening chore Build, CI, dependency, or tooling maintenance integration: wechat WeChat integration behavior security labels Jul 13, 2026
@wscurran

Copy link
Copy Markdown
Contributor

✨ Thanks for the hardening work, @HOYALIM. Locking the WeChat runtime graph and verifying the offline install path closes a supply-chain gap. Ready for maintainer review.


Related open issues:


Related open issues:

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/sandbox-build-context.test.ts`:
- Around line 36-37: Update the staging test fixtures around writeFixture and
the assertions near the staged-file checks so each runtime manifest uses
distinct, runtime-specific JSON content. Assert the staged manifest file
contents against the corresponding expected source data, not just filenames or
modes, for both package.json and package-lock.json, preserving the observable
staging-boundary verification.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f9aa23b2-e010-4b19-b8ac-dafcb98e20c7

📥 Commits

Reviewing files that changed from the base of the PR and between 033febe and d19deb6.

📒 Files selected for processing (3)
  • Dockerfile
  • src/lib/sandbox/build-context.ts
  • test/sandbox-build-context.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfile

Comment thread test/sandbox-build-context.test.ts Outdated

@cjagwani cjagwani left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes on exact head 399a3143b4ab941edcf7b2a91ef02b1c6834bcf4.

  1. [P1] The WeChat-enabled image cannot complete the real sandbox-user install. Dockerfile builds /usr/local/share/nemoclaw/wechat-npm-cache as root and only grants a+rX, then switches to USER sandbox; the messaging applier forces that cache for openclaw plugins install. A production-shape reproduction with OpenClaw 2026.6.10, npm 10.9.4, and the exact reviewed 2.4.3 archive fails at npm pack with EACCES creating _cacache/tmp. The same archive installs and verifies when the cache is writable. Please use a sandbox-writable temporary install cache (then remove/reseal it, preserving the final trusted cache boundary) and add a real installer/image-user-boundary regression. The current locked-install test mocks npm/OpenClaw/Node, so it cannot catch this failure.

  2. [P2] The issue-required package-bump audit is not enforced. #5896 requires a CI audit on dependency refresh, but this head only documents a manual npm audit; no default workflow/test materializes the committed nested graph and audits it. Please add a production-compatible CI lane that performs the locked npm ci --ignore-scripts --omit=dev --legacy-peer-deps, runs npm audit --omit=dev --json with the agreed threshold/report artifact, and preferably verifies registry signatures.

The exact graph is currently clean (0 vulnerabilities; all three registry signatures verify), and the SRI/path/manifest logic otherwise passed review. The blockers are the production install boundary and the missing repeatable CI audit proof; green mocked tests or unrelated live targets do not cover them.

ericksoa added 2 commits July 13, 2026 11:22
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

@cjagwani cjagwani left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The prior EACCES and default-audit blockers are fixed on this head: the sandbox-owned cache copy works, the exact npm 10.9.4 audit/signature/pack exercise passes, and the new wechat-runtime-audit job is green. This head still cannot merge because the Dockerfile change breaks a production path and the required CLI suite.

  1. [P1] The stock Dockerfile is no longer accepted by the remote-dashboard bind contract. Dockerfile:1141-1156 replaces the allowlisted one-line agent-install instruction with a complex RUN set -eu block. dockerfile-remote-dashboard-bind-contract.ts:23-29,35-61 recognizes only the old instruction shape/canonical digests, so requesting NEMOCLAW_DASHBOARD_BIND=0.0.0.0 now makes the checked-in Dockerfile fail closed at line 167. This is reproduced by test/dashboard-remote-bind-lifecycle.test.ts:130-141. Add the new normalized instruction to the exact trusted contract (and its digest lifecycle proof) so the managed remote-dashboard path works without weakening custom-Dockerfile validation.

  2. Required CI also exposes stale contracts caused by this same shape change:

    • sandbox-provisioning-tavily.test.ts, sandbox-provisioning.test.ts, and openclaw-integrity-pin-suite.ts still delimit/execute the old one-line agent-install marker; update them to isolate the optional-plugin block and new WeChat cache block correctly.
    • openclaw-dependency-review.test.ts still expects the old manual-audit wording and counts three exact one-line applier RUN instructions.
    • pr-workflow-contract.test.ts does not provide WECHAT_RUNTIME_AUDIT_RESULT in its successful/code/docs-only/main fixtures, so the newly required gate fails even when modeled as healthy.

Exact-head run 29274554458 failed CLI shards 1, 2, 4, 5, and 8 plus aggregate checks; these are deterministic assertion failures, so rerunning the unchanged head will not help. Please update the production allowlist and the affected tests, then restart all gates on the new SHA.

Retain the reviewed WeChat runtime hardening while incorporating the consolidated advisor and dependency-audit workflows. Correct the advisor's Ubuntu fd-find binary verification so the trusted review jobs can execute.
Comment thread src/lib/messaging/applier/build/messaging-build-applier.mts Fixed
Comment thread src/lib/messaging/applier/build/messaging-build-applier.mts Fixed
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@cjagwani cjagwani added v0.0.83 Release target and removed v0.0.82 Release target labels Jul 13, 2026
ericksoa added 7 commits July 13, 2026 14:10
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

# Conflicts:
#	.github/workflows/pr-review-advisor.yaml
#	test/pr-review-advisor-workflow-boundary.test.ts
#	tools/pr-review-advisor/workflow-boundary.mts
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

# Conflicts:
#	.github/workflows/pr-review-advisor.yaml
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Advisor assessment: Informational / low confidence
Primary next action: No advisor follow-up required beyond maintainer review.
Findings: 0 blockers · 0 warnings · 0 optional suggestions
Status: No actionable findings remain in the canonical review ledger.
Since last review: 0 prior items resolved · 0 still apply · 0 new items found

E2E guidance

Advisory only: coverage and selector recommendations are non-authoritative. E2E / PR Gate independently computes and dispatches trusted jobs without consuming this output.

Recommended coverage: cloud-onboard, credential-sanitization, security-posture, channels-add-remove, channels-stop-start, onboard-repair, onboard-resume
Recommended selectors: cloud-onboard, credential-sanitization, security-posture, channels-add-remove, channels-stop-start, onboard-repair, onboard-resume

  • cloud-onboard — Selected from the trusted checked-in E2E coverage inventory.

  • credential-sanitization — Selected from the trusted checked-in E2E coverage inventory.

  • security-posture — Selected from the trusted checked-in E2E coverage inventory.

  • channels-add-remove — Selected from the trusted checked-in E2E coverage inventory.

  • channels-stop-start — Selected from the trusted checked-in E2E coverage inventory.

  • onboard-repair — Selected from the trusted checked-in E2E coverage inventory.

  • onboard-resume — Selected from the trusted checked-in E2E coverage inventory.

  • cloud-onboard — Selected as a trusted checked-in E2E job.

  • credential-sanitization — Selected as a trusted checked-in E2E job.

  • security-posture — Selected as a trusted checked-in E2E job.

  • channels-add-remove — Selected as a trusted checked-in E2E job.

  • channels-stop-start — Selected as a trusted checked-in E2E job.

  • onboard-repair — Selected as a trusted checked-in E2E job.

  • onboard-resume — Selected as a trusted checked-in E2E job.

1 optional coverage item · 1 optional selector · 0 new-test recommendations
  • Optional coverage network-policy — Selected from the trusted checked-in E2E coverage inventory.
  • Optional selector network-policy — Selected as a trusted checked-in E2E job.

Workflow run details

This is an automated, non-authoritative review. Findings are inputs to maintainer adjudication. Warnings and optional suggestions do not require a response or follow-up. A human maintainer makes the final merge decision.

Comment thread test/wechat-locked-install.test.ts Fixed

@ericksoa ericksoa left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving exact head 721a2a9 after the complete hosted matrix, CodeQL/ShellCheck, real offline WeChat cache proof, dual high-confidence advisor passes with zero findings, audited exact-head/base fork no-secret E2E exception, and zero unresolved review threads.

@ericksoa ericksoa merged commit f62c278 into NVIDIA:main Jul 13, 2026
46 checks passed
@github-actions github-actions Bot added the v0.0.82 Release target label Jul 13, 2026
@ericksoa ericksoa removed the v0.0.82 Release target label Jul 13, 2026
@github-actions github-actions Bot added the v0.0.82 Release target label Jul 14, 2026
cv pushed a commit that referenced this pull request Jul 14, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Release-prep documentation for v0.0.82 now summarizes user-facing
changes merged since v0.0.81.
It also closes stale wording in the stopped-sandbox backup,
snapshot-clone, Ollama selection, and custom-policy authoring guidance.

## Changes

- Add the `v0.0.82` section to `docs/about/release-notes.mdx` with links
to the focused user guides.
- Document that snapshot clones receive a destination-owned dashboard
port before destructive replacement begins.
- Align `backup-all` guidance with eligible stopped Docker-driver
sandboxes that NemoClaw starts temporarily.
- Describe the running and stopped Ollama menu states without claiming
one fixed label.
- Document runtime rejection of catch-all hosts in custom policy files.

### Source summary

- [#6748](#6748) ->
`docs/about/release-notes.mdx`, `docs/manage-sandboxes/lifecycle.mdx`,
and `docs/reference/commands.mdx`: Summarize non-destructive sandbox
`stop` and `start` commands.
- [#6723](#6723) ->
`docs/about/release-notes.mdx`,
`docs/manage-sandboxes/backup-restore.mdx`, and
`docs/reference/commands.mdx`: Record temporary startup and cleanup for
eligible stopped-sandbox backups.
- [#6749](#6749) ->
`docs/about/release-notes.mdx` and
`docs/manage-sandboxes/backup-restore.mdx`: Document destination-owned
dashboard ports for snapshot clones.
- [#6764](#6764) ->
`docs/about/release-notes.mdx`: Summarize installer handling of
route-only onboarding placeholders.
- [#6771](#6771) ->
`docs/about/release-notes.mdx`, `docs/inference/set-up-vllm.mdx`,
`docs/inference/choose-inference-provider.mdx`,
`docs/reference/commands.mdx`, and
`docs/reference/platform-support.mdx`: Summarize managed-vLLM storage
gates, immutable image digests, and the explicit override boundary.
- [#6759](#6759) ->
`docs/about/release-notes.mdx`: Record early, actionable OpenShell
gateway-port conflict diagnostics.
- [#6753](#6753) ->
`docs/about/release-notes.mdx` and `docs/inference/set-up-ollama.mdx`:
Document truthful running and stopped Ollama menu states.
- [#6776](#6776) ->
`docs/about/release-notes.mdx`: Summarize proxy-independent loopback
readiness checks.
- [#6769](#6769) ->
`docs/about/release-notes.mdx`: Record compatible endpoint and agent
guidance when Chat Completions is unavailable.
- [#6730](#6730) ->
`docs/about/release-notes.mdx`: Summarize bounded reuse of an eligible
successful Chat Completions check.
- [#6768](#6768) ->
`docs/about/release-notes.mdx`: Record route-reservation repair during
resumed onboarding.
- [#6742](#6742) ->
`docs/about/release-notes.mdx`: Summarize pre-mutation resolution of
secret-free sandbox create intent.
- [#6721](#6721) ->
`docs/about/release-notes.mdx` and
`docs/get-started/quickstart-langchain-deepagents-code.mdx`: Record
bounded cleanup of completed managed Deep Agents headless sessions.
- [#6731](#6731) ->
`docs/about/release-notes.mdx` and
`docs/network-policy/customize-network-policy.mdx`: Document runtime
rejection of catch-all custom-policy destinations.
- [#6729](#6729) ->
`docs/about/release-notes.mdx` and `docs/get-started/prerequisites.mdx`:
Record the Node.js 22.19 minimum.
- [#6735](#6735) ->
`docs/about/release-notes.mdx` and
`docs/reference/platform-support.mdx`: Summarize the Ubuntu 26.04
userspace contract without claiming pending host or live validation.
- [#6775](#6775) ->
`docs/about/release-notes.mdx` and
`docs/resources/community-contributions.mdx`: Route independent
solutions outside canonical supported-product documentation.
- [#6740](#6740) ->
`docs/about/release-notes.mdx`: Summarize the semantic
dependency-upgrade contributor workflow.
- [#6777](#6777) ->
`docs/about/release-notes.mdx` and `docs/CONTRIBUTING.md`: Summarize the
route-safe documentation-refactor workflow.
- [#6741](#6741) ->
`docs/about/release-notes.mdx` and
`docs/security/openclaw-2026.6.10-dependency-review.md`: Summarize
reviewed npm archive verification and audit enforcement.
- [#6739](#6739) ->
`docs/about/release-notes.mdx` and
`docs/security/openclaw-2026.6.10-dependency-review.md`: Record the
locked offline dependency graph for the managed OpenClaw WeChat runtime.
- [#6737](#6737) ->
`docs/about/release-notes.mdx`: Record removal of the messaging build
plan from final OpenClaw and Hermes image environments.
- [#6733](#6733) ->
`docs/about/release-notes.mdx`: Summarize cached plugin dependency
layers for source and blueprint rebuilds.

### Skipped from docs-skip

- None. No commit or changed path in `v0.0.81..origin/main` matched
`openclaw-sandbox-permissive.yaml` or `config-show`, and the drafted
content contains none of the configured skip terms.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: This is a documentation-only
release-prep update; behavior is protected by the merged source PRs, and
the documentation build validates the changed routes and agent variants.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — tests are not applicable for this
documentation-only change.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not run for this
documentation-only change.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — 0
errors; two pre-existing Fern warnings remain.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)
— no new pages.

---
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Updated release notes with improvements to sandbox recovery,
onboarding, session management, policy validation, storage checks, and
system requirements.
  * Clarified Ollama setup instructions and status labels.
* Documented safer snapshot restoration, including dedicated ports and
protection against destructive failures.
* Expanded `backup-all` coverage to include eligible stopped sandboxes.
* Added guidance rejecting broad or catch-all network destinations in
custom policies.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@cv cv removed the v0.0.83 Release target label Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: packaging Packages, images, registries, installers, or distribution area: security Security controls, permissions, secrets, or hardening chore Build, CI, dependency, or tooling maintenance integration: wechat WeChat integration behavior v0.0.82 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants