Skip to content

ci(deps): audit reviewed npm archive graph#6741

Merged
cv merged 4 commits into
NVIDIA:mainfrom
HOYALIM:codex/issue-5896-npm-archive-audit
Jul 13, 2026
Merged

ci(deps): audit reviewed npm archive graph#6741
cv merged 4 commits into
NVIDIA:mainfrom
HOYALIM:codex/issue-5896-npm-archive-audit

Conversation

@HOYALIM

@HOYALIM HOYALIM commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • consolidate reviewed npm metadata, tarball, packed-SRI, filename-containment, and cleanup checks into one shared implementation
  • migrate OpenClaw core, Codex ACP, optional plugins, messaging plugins, and the mcporter metadata boundary to thin callers
  • materialize and audit the production-compatible reviewed archive graph plus the committed mcporter lock on PR and main CI
  • upload raw audit JSON unconditionally and fail at the configured high-severity threshold

Validation

  • live Node 22.22.2 production-graph audit: reviewed archives 9 moderate / 0 high / 0 critical; mcporter lock 0 findings
  • shared archive tests (9 passed)
  • messaging integrity tests (5 passed)
  • OpenClaw integrity suites (39 passed)
  • dependency review and mcporter supply-chain tests (14 passed)
  • sandbox provisioning tests (58 passed)
  • optional Brave build boundary (1 passed)
  • CLI/plugin builds and TypeScript checks
  • npm run check:diff

Refs #5896

Signed-off-by: Ho Lim subhoya@gmail.com

Summary by CodeRabbit

  • New Features
    • Added an automated “reviewed npm” production dependency audit gate for pull requests and main builds, including JSON audit report artifacts.
    • Introduced shared reviewed archive verification so installs use integrity-validated, safe local archives.
    • Updated CI workflows to enforce the new audit gate and required check outcomes.
  • Documentation
    • Refreshed dependency/security review guidance to reflect automated audit gating and shared verified-archive behavior.
  • Tests
    • Expanded tests for archive safety/integrity verification and the reviewed-audit threshold parsing and CI gating behavior.

Copilot AI review requested due to automatic review settings July 13, 2026 03:00
@copy-pr-bot

copy-pr-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The change centralizes reviewed npm archive verification, integrates it into container and plugin builds, adds production dependency graph auditing with CI enforcement and artifact uploads, and updates provenance, documentation, regression tests, and sandbox staging.

Changes

Reviewed npm supply chain

Layer / File(s) Summary
Shared reviewed archive helper
scripts/lib/reviewed-npm-archive.mts, test/helpers/*, test/reviewed-npm-archive.test.ts
Adds metadata verification, pinned tarball packing, integrity checks, safe-path validation, CLI handling, cleanup, fixtures, and focused tests.
Build and plugin integration
Dockerfile*, src/lib/messaging/..., src/lib/sandbox/build-context.ts, agents/hermes/Dockerfile, test/*
Routes pinned packages and plugins through the shared helper, adds tarball provenance, stages the helper, and updates build fixtures and integration traces.
Production graph audit pipeline
ci/reviewed-npm-audit.json, scripts/audit-reviewed-npm-graph.mts, .github/actions/..., .github/workflows/*, test/reviewed-npm-audit.test.ts, test/pr-workflow-contract.test.ts
Defines reviewed and locked audit graphs, materializes and audits them under Node 22.22.2, writes reports, enforces the high threshold, uploads artifacts, and gates main and code-changing PR checks.
Dependency review and regression contracts
docs/security/..., test/openclaw-dependency-review.test.ts, test/mcporter-supply-chain.test.ts, test/fetch-guard-patch-regression.test.ts, test/sandbox-*.test.ts, src/lib/onboard/...
Updates security contracts, Dockerfile and mcporter assertions, fetch-guard and sandbox coverage, and the canonical Dockerfile digest.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant CI
  participant AuditAction
  participant AuditScript
  participant ReviewedArchive
  participant Npm
  CI->>AuditAction: start reviewed npm audit
  AuditAction->>AuditScript: run configured graph audit
  AuditScript->>ReviewedArchive: materialize reviewed package archives
  ReviewedArchive->>Npm: verify metadata and pack pinned tarballs
  AuditScript->>Npm: install graphs and run npm audit
  AuditScript-->>AuditAction: write reports and threshold result
  AuditAction-->>CI: upload reports and set job status
Loading

Possibly related PRs

Suggested labels: dependencies, area: security, refactor

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and matches the main CI change: auditing the reviewed npm archive graph.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: cloud-onboard, channels-add-remove, channels-stop-start, onboard-repair, onboard-resume
Optional E2E: test-e2e-sandbox, test-e2e-gateway-isolation, test-e2e-port-overrides

Dispatch hint: cloud-onboard,channels-add-remove,channels-stop-start,onboard-repair,onboard-resume

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: target/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-onboard: Required validation floor: clean hosted onboarding must build and start the changed pinned runtime and installer image path.
  • channels-add-remove: Required validation floor: verified messaging plugin installation must still apply and remove a channel's runtime, policy, session, and persisted state.
  • channels-stop-start: Required validation floor: the changed messaging build/install path must restore configured channels after restart or rebuild.
  • onboard-repair: Required validation floor: the managed Dockerfile/dashboard-bind contract must converge safely through onboarding repair.
  • onboard-resume: Required validation floor: the managed Dockerfile/dashboard-bind contract must remain valid when onboarding resumes from persisted state.

Optional E2E

  • test-e2e-sandbox: Useful image-level regression check for the refactored archive-install and build-context paths after the production image is built.
  • test-e2e-gateway-isolation: Useful adjacent security-boundary check because the Dockerfile changes alter trusted build-time package acquisition and installed OpenClaw runtime contents.
  • test-e2e-port-overrides: Useful adjacent check for the changed Dockerfile configuration-generation ordering that is constrained by the remote dashboard bind contract.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: cloud-onboard,channels-add-remove,channels-stop-start,onboard-repair,onboard-resume

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (3)
Dockerfile (1)

988-1010: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Misleading function name: verify_openclaw_plugin_integrity also packs and returns an archive path.

Despite the name, this helper doesn't just verify — it invokes reviewed-npm-archive.mts without --verify-only, so it downloads/packs the tarball and its stdout (the archive path) is consumed by the caller. A future edit assuming this is side-effect-free verification (e.g., trying to call it in a loop, or swapping in --verify-only) would silently break plugin installation.

✏️ Suggested rename for clarity
-    verify_openclaw_plugin_integrity() { \
+    pack_reviewed_openclaw_plugin() { \
         plugin_spec="$1"; \
         ...
     }; \
     install_reviewed_openclaw_plugin() { \
         plugin_spec="${1}@${OPENCLAW_VERSION}"; \
-        plugin_archive="$(verify_openclaw_plugin_integrity "$plugin_spec")"; \
+        plugin_archive="$(pack_reviewed_openclaw_plugin "$plugin_spec")"; \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 988 - 1010, Rename verify_openclaw_plugin_integrity
to reflect that it validates and creates/returns the reviewed archive path, then
update its invocation in install_reviewed_openclaw_plugin and any other
references consistently. Preserve the existing archive-producing behavior and
arguments to reviewed-npm-archive.mts.
test/openclaw-optional-plugin-build.test.ts (1)

19-30: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Fragile Dockerfile block extraction by comment text.

If the anchor comment ("# Install non-messaging OpenClaw plugins") is edited or removed, start becomes -1, and dockerfile.indexOf("RUN ", start) treats the negative index as 0, silently scanning from the top of the file for the first RUN instead of failing clearly. Consider asserting start !== -1 (and end !== -1) before slicing, or using a dedicated marker comment reserved for this extraction, so a future Dockerfile edit fails the test with an obvious message rather than potentially extracting the wrong block.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/openclaw-optional-plugin-build.test.ts` around lines 19 - 30, Make the
Dockerfile extraction in the optional-plugin build test validate that both
anchor lookups succeed before calling slice or deriving the command. Add clear
assertions for start and end (or use a dedicated stable marker) so edits to the
non-messaging plugin block fail explicitly instead of allowing indexOf with -1
to scan from the beginning.
test/openclaw-integrity-pin-suite.ts (1)

184-222: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicate reviewed-npm-fixture generator logic across two functions.

runInstallBlock (lines 184-222) and runOptionalOpenClawPluginBlock (lines 373-403) each hand-roll a near-identical bash fixture that intercepts npm view/npm pack, differing mainly in which package specs/pack-dispatch cases they support. Extracting a shared fixture-builder (taking a map of package-spec → {integrity, tarball} and an optional pack-dispatch table) would reduce duplication and keep future pin additions (e.g. the new mcporter-tarball) from needing to be wired into two separate string-template builders.

Also applies to: 373-403

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/openclaw-integrity-pin-suite.ts` around lines 184 - 222, Extract the
duplicated reviewed-npm-fixture generation from runInstallBlock and
runOptionalOpenClawPluginBlock into a shared fixture-builder. Have it accept the
package-spec-to-integrity/tarball mappings and optional pack-dispatch entries
needed by each caller, while preserving the existing npm view, npm pack,
logging, and pack-filename behavior; update both functions to use the shared
builder.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.base`:
- Around line 267-271: Add an explicit validation immediately after assigning
OPENCLAW_PACK_PATH and before the OPENCLAW_PACK_DIR dirname call, exiting with
failure when the archive path is empty or invalid. Keep the existing npm install
flow unchanged for valid paths so a failed reviewed-npm-archive.mts substitution
cannot continue.

In `@test/openclaw-dependency-review.test.ts`:
- Around line 330-334: Strengthen the contract checks in
test/openclaw-dependency-review.test.ts for the codex-acp, and corresponding
blocks at the other reviewed ranges, by asserting the superseded inline npm
view/npm pack and unsafe-filename-guard patterns are absent. Keep the existing
positive assertions for reviewed-npm-archive.mts and add negative checks against
each block so the migration proves the old path was removed.

In `@test/reviewed-npm-archive.test.ts`:
- Around line 38-91: Replace the inline if-based command dispatch in the
reviewed archive tests with a lookup table or dedicated helper dispatcher.
Preserve the existing responses for dist.integrity, dist.tarball, pack
destination file creation, and drift scenarios while removing test-body
conditional branches that trigger the guardrail.

---

Nitpick comments:
In `@Dockerfile`:
- Around line 988-1010: Rename verify_openclaw_plugin_integrity to reflect that
it validates and creates/returns the reviewed archive path, then update its
invocation in install_reviewed_openclaw_plugin and any other references
consistently. Preserve the existing archive-producing behavior and arguments to
reviewed-npm-archive.mts.

In `@test/openclaw-integrity-pin-suite.ts`:
- Around line 184-222: Extract the duplicated reviewed-npm-fixture generation
from runInstallBlock and runOptionalOpenClawPluginBlock into a shared
fixture-builder. Have it accept the package-spec-to-integrity/tarball mappings
and optional pack-dispatch entries needed by each caller, while preserving the
existing npm view, npm pack, logging, and pack-filename behavior; update both
functions to use the shared builder.

In `@test/openclaw-optional-plugin-build.test.ts`:
- Around line 19-30: Make the Dockerfile extraction in the optional-plugin build
test validate that both anchor lookups succeed before calling slice or deriving
the command. Add clear assertions for start and end (or use a dedicated stable
marker) so edits to the non-messaging plugin block fail explicitly instead of
allowing indexOf with -1 to scan from the beginning.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 61638e7b-bc84-4823-b3c2-b22f252cdcb6

📥 Commits

Reviewing files that changed from the base of the PR and between deed1aa and 6b3fd34.

📒 Files selected for processing (19)
  • .github/actions/ci-reviewed-npm-audit/action.yaml
  • .github/workflows/main.yaml
  • .github/workflows/pr.yaml
  • Dockerfile
  • Dockerfile.base
  • ci/reviewed-npm-audit.json
  • docs/security/openclaw-2026.6.10-dependency-review.md
  • scripts/audit-reviewed-npm-graph.mts
  • scripts/lib/reviewed-npm-archive.mts
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • test/helpers/reviewed-npm-fixture.ts
  • test/mcporter-supply-chain.test.ts
  • test/messaging-build-applier-integrity.test.ts
  • test/openclaw-dependency-review.test.ts
  • test/openclaw-integrity-pin-suite.ts
  • test/openclaw-optional-plugin-build.test.ts
  • test/reviewed-npm-archive.test.ts
  • test/reviewed-npm-audit.test.ts
  • test/sandbox-provisioning.test.ts
💤 Files with no reviewable changes (1)
  • test/sandbox-provisioning.test.ts

Comment thread Dockerfile.base
Comment thread test/openclaw-dependency-review.test.ts
Comment thread test/reviewed-npm-archive.test.ts
@cv cv added the v0.0.82 Release target label Jul 13, 2026
@HOYALIM HOYALIM force-pushed the codex/issue-5896-npm-archive-audit branch from 6b3fd34 to 900443f Compare July 13, 2026 06:01

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/fetch-guard-patch-regression.test.ts`:
- Around line 189-192: The reviewed-helper stub must enforce its expected argv
contract instead of accepting arbitrary calls. Update the shell logic in the
fetch-guard test double to validate the required OpenClaw/mcporter integrity and
tarball arguments for both the normal archive-return invocation and the
--verify-only invocation, and log the tarball value supplied in argv rather than
OPENCLAW_2026_6_10_TARBALL. Reject missing or mismatched arguments before
returning.

In `@test/mcporter-supply-chain.test.ts`:
- Around line 22-30: Update extractIntegrityGate to include the complete
reviewed-npm-archive helper invocation, including --verify-only, in the
extracted gate. Modify the fake node used by runIntegrityGate to reject
incorrect package, integrity, or tarball arguments, so the test executes and
validates the reviewed helper command through observable behavior rather than
relying on source-text assertions.

In `@test/openclaw-integrity-pin-suite.ts`:
- Line 109: Update the fallback matrix in the integrity-pin test to mutate
`mcporter-tarball` using `PINNED_MCPORTER_TARBALL`, ensuring the test detects
implementations that ignore this provenance field while preserving the existing
tampering coverage.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5b563fc3-fb64-4492-a417-10b12a029d83

📥 Commits

Reviewing files that changed from the base of the PR and between 6b3fd34 and 900443f.

📒 Files selected for processing (26)
  • .github/actions/ci-reviewed-npm-audit/action.yaml
  • .github/workflows/main.yaml
  • .github/workflows/pr.yaml
  • Dockerfile
  • Dockerfile.base
  • ci/reviewed-npm-audit.json
  • docs/security/openclaw-2026.6.10-dependency-review.md
  • scripts/audit-reviewed-npm-graph.mts
  • scripts/lib/reviewed-npm-archive.mts
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • src/lib/onboard/dockerfile-remote-dashboard-bind-contract.ts
  • src/lib/sandbox/build-context.ts
  • test/fetch-guard-patch-regression.test.ts
  • test/helpers/fetch-guard-patch-harness.ts
  • test/helpers/reviewed-npm-fixture.ts
  • test/mcporter-supply-chain.test.ts
  • test/messaging-build-applier-integrity.test.ts
  • test/messaging-build-applier.test.ts
  • test/openclaw-dependency-review.test.ts
  • test/openclaw-integrity-pin-suite.ts
  • test/openclaw-optional-plugin-build.test.ts
  • test/pr-workflow-contract.test.ts
  • test/reviewed-npm-archive.test.ts
  • test/reviewed-npm-audit.test.ts
  • test/sandbox-build-context.test.ts
  • test/sandbox-provisioning.test.ts
💤 Files with no reviewable changes (1)
  • test/sandbox-provisioning.test.ts
🚧 Files skipped from review as they are similar to previous changes (10)
  • ci/reviewed-npm-audit.json
  • scripts/audit-reviewed-npm-graph.mts
  • scripts/lib/reviewed-npm-archive.mts
  • .github/workflows/main.yaml
  • .github/actions/ci-reviewed-npm-audit/action.yaml
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • .github/workflows/pr.yaml
  • Dockerfile
  • docs/security/openclaw-2026.6.10-dependency-review.md
  • test/openclaw-dependency-review.test.ts

Comment thread test/fetch-guard-patch-regression.test.ts
Comment thread test/mcporter-supply-chain.test.ts Outdated
Comment thread test/openclaw-integrity-pin-suite.ts
@HOYALIM HOYALIM force-pushed the codex/issue-5896-npm-archive-audit branch from 900443f to 6cf08ff Compare July 13, 2026 06:35

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (3)
test/fetch-guard-patch-regression.test.ts (1)

144-203: 📐 Maintainability & Code Quality | 🔵 Trivial

runOpenClawUpgradeBlock keeps growing into a large embedded-bash generator.

This PR adds ~45 more lines of inline bash (reviewed-archive fixture + full argv-contract validation) to an already large function. test/helpers/reviewed-npm-fixture.ts shows this repo already has a pattern for extracting this kind of fake-CLI script generation into a standalone, reusable, unit-testable helper. Consider factoring the node()/argv-validation block (and similarly the npm() stub) out of this test file into a shared helper, the same way the npm fixture was extracted.

As per coding guidelines, **/*.{ts,tsx} should "Keep TypeScript function complexity low."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/fetch-guard-patch-regression.test.ts` around lines 144 - 203, Reduce the
complexity of runOpenClawUpgradeBlock by extracting its embedded node() and
npm() fake-CLI/argv-validation script generation into a reusable helper,
following the pattern established by test/helpers/reviewed-npm-fixture.ts. Keep
the reviewed archive setup and argument-contract behavior unchanged, and have
the test compose the helper output instead of maintaining the inline bash block.

Source: Coding guidelines

test/openclaw-optional-plugin-build.test.ts (1)

18-30: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Reuse the shared Dockerfile RUN-block helper here.

test/helpers/fetch-guard-patch-harness.ts already exports dockerRunCommandBetween(...), which handles the marker lookup and fails clearly when the block is missing. Inlining the same extraction logic here adds drift risk and leaves the indexOf(...) lookups unguarded.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/openclaw-optional-plugin-build.test.ts` around lines 18 - 30, Replace
the inline Dockerfile RUN-block extraction in the optional plugin build test
with the shared dockerRunCommandBetween(...) helper from
test/helpers/fetch-guard-patch-harness.ts, passing the existing start and end
markers. Remove the local indexOf, slicing, comment filtering, and
line-continuation normalization logic while preserving the resulting command
behavior.
test/reviewed-npm-audit.test.ts (1)

20-29: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Rename exceedsAuditThreshold to match its numeric return value

This function returns the count of vulnerabilities at or above the threshold, so the current name reads like a boolean predicate. Consider a name like countAtOrAboveThreshold for clarity.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/reviewed-npm-audit.test.ts` around lines 20 - 29, Rename
exceedsAuditThreshold to a count-oriented name such as countAtOrAboveThreshold
throughout the implementation and all call sites, including this test, while
preserving its numeric return behavior and threshold semantics.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/helpers/fetch-guard-patch-harness.ts`:
- Around line 12-64: The static fixture in
loadReviewedOpenClaw20260610SsrfPolicyShape is tested without verifying it
matches the real OpenClaw implementation. Add a source-text or hash comparison
between REVIEWED_OPENCLAW_2026_6_10_SSRF_POLICY_SHAPE and the extracted
dependency source before exercising the fixture, or replace the string-evaluated
copied algorithm with regular TypeScript helpers if source-shape validation is
not required.

---

Nitpick comments:
In `@test/fetch-guard-patch-regression.test.ts`:
- Around line 144-203: Reduce the complexity of runOpenClawUpgradeBlock by
extracting its embedded node() and npm() fake-CLI/argv-validation script
generation into a reusable helper, following the pattern established by
test/helpers/reviewed-npm-fixture.ts. Keep the reviewed archive setup and
argument-contract behavior unchanged, and have the test compose the helper
output instead of maintaining the inline bash block.

In `@test/openclaw-optional-plugin-build.test.ts`:
- Around line 18-30: Replace the inline Dockerfile RUN-block extraction in the
optional plugin build test with the shared dockerRunCommandBetween(...) helper
from test/helpers/fetch-guard-patch-harness.ts, passing the existing start and
end markers. Remove the local indexOf, slicing, comment filtering, and
line-continuation normalization logic while preserving the resulting command
behavior.

In `@test/reviewed-npm-audit.test.ts`:
- Around line 20-29: Rename exceedsAuditThreshold to a count-oriented name such
as countAtOrAboveThreshold throughout the implementation and all call sites,
including this test, while preserving its numeric return behavior and threshold
semantics.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9d91ae6c-b37a-43f8-96dd-64faf95fe9e1

📥 Commits

Reviewing files that changed from the base of the PR and between 900443f and 6cf08ff.

📒 Files selected for processing (26)
  • .github/actions/ci-reviewed-npm-audit/action.yaml
  • .github/workflows/main.yaml
  • .github/workflows/pr.yaml
  • Dockerfile
  • Dockerfile.base
  • ci/reviewed-npm-audit.json
  • docs/security/openclaw-2026.6.10-dependency-review.md
  • scripts/audit-reviewed-npm-graph.mts
  • scripts/lib/reviewed-npm-archive.mts
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • src/lib/onboard/dockerfile-remote-dashboard-bind-contract.ts
  • src/lib/sandbox/build-context.ts
  • test/fetch-guard-patch-regression.test.ts
  • test/helpers/fetch-guard-patch-harness.ts
  • test/helpers/reviewed-npm-fixture.ts
  • test/mcporter-supply-chain.test.ts
  • test/messaging-build-applier-integrity.test.ts
  • test/messaging-build-applier.test.ts
  • test/openclaw-dependency-review.test.ts
  • test/openclaw-integrity-pin-suite.ts
  • test/openclaw-optional-plugin-build.test.ts
  • test/pr-workflow-contract.test.ts
  • test/reviewed-npm-archive.test.ts
  • test/reviewed-npm-audit.test.ts
  • test/sandbox-build-context.test.ts
  • test/sandbox-provisioning.test.ts
💤 Files with no reviewable changes (1)
  • test/sandbox-provisioning.test.ts
🚧 Files skipped from review as they are similar to previous changes (14)
  • src/lib/onboard/dockerfile-remote-dashboard-bind-contract.ts
  • ci/reviewed-npm-audit.json
  • .github/actions/ci-reviewed-npm-audit/action.yaml
  • .github/workflows/main.yaml
  • test/pr-workflow-contract.test.ts
  • src/lib/sandbox/build-context.ts
  • Dockerfile.base
  • test/mcporter-supply-chain.test.ts
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • scripts/audit-reviewed-npm-graph.mts
  • scripts/lib/reviewed-npm-archive.mts
  • test/openclaw-dependency-review.test.ts
  • Dockerfile
  • docs/security/openclaw-2026.6.10-dependency-review.md

Comment thread test/helpers/fetch-guard-patch-harness.ts Outdated
@HOYALIM HOYALIM force-pushed the codex/issue-5896-npm-archive-audit branch from 6cf08ff to 747baeb Compare July 13, 2026 06:57
Comment thread test/messaging-build-applier.test.ts Fixed
Comment thread test/messaging-build-applier.test.ts Fixed
Comment thread test/messaging-build-applier.test.ts Fixed
Comment thread test/messaging-build-applier.test.ts Fixed
Comment thread test/messaging-build-applier.test.ts Fixed
Signed-off-by: Ho Lim <subhoya@gmail.com>
@HOYALIM HOYALIM force-pushed the codex/issue-5896-npm-archive-audit branch from 747baeb to bec46e5 Compare July 13, 2026 08:48
@wscurran wscurran added area: ci CI workflows, checks, release automation, or GitHub Actions area: packaging Packages, images, registries, installers, or distribution chore Build, CI, dependency, or tooling maintenance labels Jul 13, 2026
@wscurran

Copy link
Copy Markdown
Contributor

✨ Thanks for the CI and supply-chain work, @HOYALIM. Consolidating the reviewed npm archive audit into a shared implementation and failing at the high-severity threshold strengthens our dependency posture. Ready for maintainer review.


Related open issues:


Related open issues:

@cjagwani cjagwani left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed exact head 555fdf0. Current CI is green, but two fail-closed supply-chain blockers remain:

  1. The Hermes image cannot execute the reviewed-archive helper. src/lib/messaging/applier/build/messaging-build-applier.mts:10 statically imports ../../../../../scripts/lib/reviewed-npm-archive.mts, while agents/hermes/Dockerfile invokes the applier around lines 313/322 after copying /src/lib/messaging but never copies /scripts/lib/reviewed-npm-archive.mts. The build reaches ERR_MODULE_NOT_FOUND. Copy the reviewed helper/transitive runtime into the trusted build context (or package the applier so that dependency is present), and add a real Hermes build-boundary regression that runs this path.

  2. scripts/audit-reviewed-npm-graph.mts:64-82 treats any nonzero npm audit exit as usable whenever stdout parses as JSON, then missing metadata defaults every severity to zero. An unreachable audit endpoint reproduces as npm's ECONNREFUSED JSON, counts={all:0}, blocked=0 — a fail-open clean result. Distinguish a valid vulnerability report from operational/auth/network/schema failures, reject missing/invalid metadata, and add a regression proving npm audit transport failure exits nonzero and cannot report zero vulnerabilities.

These are correctness and security gate failures, not advisory hardening items; please fix both and rerun the exact-head image/build and audit paths.

@cjagwani cjagwani self-assigned this Jul 13, 2026
Signed-off-by: Ho Lim <subhoya@gmail.com>
@HOYALIM

HOYALIM commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Addressed both exact-head blockers in ca8bf5351.

  • The Hermes image now stages /scripts/lib/reviewed-npm-archive.mts before any messaging build-applier phase and makes it root-owned/read-only alongside the staged messaging sources.
  • Added a behavior-level Hermes staging regression that replays the relevant Dockerfile COPY boundary and imports the real staged applier; a missing transitive helper now fails the test with the same module-resolution error as the image build.
  • The npm audit gate now requires a complete, non-negative integer severity report and accepts nonzero status only when actual vulnerability findings explain it.
  • Parseable transport/auth/schema errors, including an ECONNREFUSED response, now fail closed instead of defaulting missing counts to zero.

Validation:

  • focused reviewed-audit and messaging-integrity suites - 11/11 passed
  • npm run typecheck:cli - passed
  • npm run source-shape:check - 0 source-shape cases
  • npm run check:diff - all applicable gates passed

A wider local Hermes runtime suite had one unrelated macOS Bash 3.2 fixture failure (BASHPID is unavailable); the changed focused suites and repository gates pass, and exact-head Linux CI will cover that platform-specific lane.

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@HOYALIM Thanks for the detailed writeup on the fixes in ca8bf5351. I'll kick off a fresh review of the updated changes now, including the Hermes staging boundary, the new staging regression test, and the hardened audit-gate fail-closed behavior.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/reviewed-npm-audit.test.ts (1)

55-65: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Cover all invalid severity-count shapes explicitly.

The PR contract requires complete, non-negative integer counts, but these cases only cover missing metadata and a string value. Add negative, fractional, and missing-severity-key cases so regressions in those validations cannot pass unnoticed. The PR objective explicitly requires complete non-negative integer severity counts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/reviewed-npm-audit.test.ts` around lines 55 - 65, Expand the
invalid-input cases in the parseAuditReport test’s it.each block to explicitly
cover negative counts, fractional counts, and missing severity keys, while
retaining the existing missing-metadata and string-count cases. Ensure each case
uses otherwise structured vulnerability metadata and continues asserting that
parseAuditReport rejects it.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/reviewed-npm-audit.test.ts`:
- Around line 55-65: Expand the invalid-input cases in the parseAuditReport
test’s it.each block to explicitly cover negative counts, fractional counts, and
missing severity keys, while retaining the existing missing-metadata and
string-count cases. Ensure each case uses otherwise structured vulnerability
metadata and continues asserting that parseAuditReport rejects it.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b3b59a73-2390-4a4e-8f7e-6bbcfcc1114c

📥 Commits

Reviewing files that changed from the base of the PR and between bec46e5 and ca8bf53.

📒 Files selected for processing (4)
  • agents/hermes/Dockerfile
  • scripts/audit-reviewed-npm-graph.mts
  • test/messaging-build-applier-integrity.test.ts
  • test/reviewed-npm-audit.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • scripts/audit-reviewed-npm-graph.mts

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
@cv cv dismissed cjagwani’s stale review July 13, 2026 20:47

Addressed

@cv cv merged commit e9c0ff8 into NVIDIA:main Jul 13, 2026
41 checks passed
cv pushed a commit that referenced this pull request Jul 14, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Release-prep documentation for v0.0.82 now summarizes user-facing
changes merged since v0.0.81.
It also closes stale wording in the stopped-sandbox backup,
snapshot-clone, Ollama selection, and custom-policy authoring guidance.

## Changes

- Add the `v0.0.82` section to `docs/about/release-notes.mdx` with links
to the focused user guides.
- Document that snapshot clones receive a destination-owned dashboard
port before destructive replacement begins.
- Align `backup-all` guidance with eligible stopped Docker-driver
sandboxes that NemoClaw starts temporarily.
- Describe the running and stopped Ollama menu states without claiming
one fixed label.
- Document runtime rejection of catch-all hosts in custom policy files.

### Source summary

- [#6748](#6748) ->
`docs/about/release-notes.mdx`, `docs/manage-sandboxes/lifecycle.mdx`,
and `docs/reference/commands.mdx`: Summarize non-destructive sandbox
`stop` and `start` commands.
- [#6723](#6723) ->
`docs/about/release-notes.mdx`,
`docs/manage-sandboxes/backup-restore.mdx`, and
`docs/reference/commands.mdx`: Record temporary startup and cleanup for
eligible stopped-sandbox backups.
- [#6749](#6749) ->
`docs/about/release-notes.mdx` and
`docs/manage-sandboxes/backup-restore.mdx`: Document destination-owned
dashboard ports for snapshot clones.
- [#6764](#6764) ->
`docs/about/release-notes.mdx`: Summarize installer handling of
route-only onboarding placeholders.
- [#6771](#6771) ->
`docs/about/release-notes.mdx`, `docs/inference/set-up-vllm.mdx`,
`docs/inference/choose-inference-provider.mdx`,
`docs/reference/commands.mdx`, and
`docs/reference/platform-support.mdx`: Summarize managed-vLLM storage
gates, immutable image digests, and the explicit override boundary.
- [#6759](#6759) ->
`docs/about/release-notes.mdx`: Record early, actionable OpenShell
gateway-port conflict diagnostics.
- [#6753](#6753) ->
`docs/about/release-notes.mdx` and `docs/inference/set-up-ollama.mdx`:
Document truthful running and stopped Ollama menu states.
- [#6776](#6776) ->
`docs/about/release-notes.mdx`: Summarize proxy-independent loopback
readiness checks.
- [#6769](#6769) ->
`docs/about/release-notes.mdx`: Record compatible endpoint and agent
guidance when Chat Completions is unavailable.
- [#6730](#6730) ->
`docs/about/release-notes.mdx`: Summarize bounded reuse of an eligible
successful Chat Completions check.
- [#6768](#6768) ->
`docs/about/release-notes.mdx`: Record route-reservation repair during
resumed onboarding.
- [#6742](#6742) ->
`docs/about/release-notes.mdx`: Summarize pre-mutation resolution of
secret-free sandbox create intent.
- [#6721](#6721) ->
`docs/about/release-notes.mdx` and
`docs/get-started/quickstart-langchain-deepagents-code.mdx`: Record
bounded cleanup of completed managed Deep Agents headless sessions.
- [#6731](#6731) ->
`docs/about/release-notes.mdx` and
`docs/network-policy/customize-network-policy.mdx`: Document runtime
rejection of catch-all custom-policy destinations.
- [#6729](#6729) ->
`docs/about/release-notes.mdx` and `docs/get-started/prerequisites.mdx`:
Record the Node.js 22.19 minimum.
- [#6735](#6735) ->
`docs/about/release-notes.mdx` and
`docs/reference/platform-support.mdx`: Summarize the Ubuntu 26.04
userspace contract without claiming pending host or live validation.
- [#6775](#6775) ->
`docs/about/release-notes.mdx` and
`docs/resources/community-contributions.mdx`: Route independent
solutions outside canonical supported-product documentation.
- [#6740](#6740) ->
`docs/about/release-notes.mdx`: Summarize the semantic
dependency-upgrade contributor workflow.
- [#6777](#6777) ->
`docs/about/release-notes.mdx` and `docs/CONTRIBUTING.md`: Summarize the
route-safe documentation-refactor workflow.
- [#6741](#6741) ->
`docs/about/release-notes.mdx` and
`docs/security/openclaw-2026.6.10-dependency-review.md`: Summarize
reviewed npm archive verification and audit enforcement.
- [#6739](#6739) ->
`docs/about/release-notes.mdx` and
`docs/security/openclaw-2026.6.10-dependency-review.md`: Record the
locked offline dependency graph for the managed OpenClaw WeChat runtime.
- [#6737](#6737) ->
`docs/about/release-notes.mdx`: Record removal of the messaging build
plan from final OpenClaw and Hermes image environments.
- [#6733](#6733) ->
`docs/about/release-notes.mdx`: Summarize cached plugin dependency
layers for source and blueprint rebuilds.

### Skipped from docs-skip

- None. No commit or changed path in `v0.0.81..origin/main` matched
`openclaw-sandbox-permissive.yaml` or `config-show`, and the drafted
content contains none of the configured skip terms.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: This is a documentation-only
release-prep update; behavior is protected by the merged source PRs, and
the documentation build validates the changed routes and agent variants.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — tests are not applicable for this
documentation-only change.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not run for this
documentation-only change.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — 0
errors; two pre-existing Fern warnings remain.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)
— no new pages.

---
Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Updated release notes with improvements to sandbox recovery,
onboarding, session management, policy validation, storage checks, and
system requirements.
  * Clarified Ollama setup instructions and status labels.
* Documented safer snapshot restoration, including dedicated ports and
protection against destructive failures.
* Expanded `backup-all` coverage to include eligible stopped sandboxes.
* Added guidance rejecting broad or catch-all network destinations in
custom policies.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Charan Jagwani <cjagwani@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: ci CI workflows, checks, release automation, or GitHub Actions area: packaging Packages, images, registries, installers, or distribution chore Build, CI, dependency, or tooling maintenance v0.0.82 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants