fix(e2e): unset OPENCLAW_GATEWAY_PORT and TOKEN in devices approve guard

[hunglp6d]

Summary

The issue-4462-scope-upgrade-approval-e2e / run job in nightly run #26698759656 failed because the openclaw devices approve guard function in the sandbox proxy env only unset OPENCLAW_GATEWAY_URL, leaving OPENCLAW_GATEWAY_PORT and OPENCLAW_GATEWAY_TOKEN in the environment. The OpenClaw CLI falls back to the port-based gateway URL, causing the approval to route through the gateway and fail with GatewayClientRequestError: scope upgrade pending approval.

Changes

• scripts/nemoclaw-start.sh: Unset all three gateway env vars (OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_PORT, OPENCLAW_GATEWAY_TOKEN) in the devices approve guard subshell.
• test/nemoclaw-start.test.ts: Update the fake openclaw stub to log PORT and TOKEN alongside URL; add OPENCLAW_GATEWAY_PORT and OPENCLAW_GATEWAY_TOKEN to the test env; update assertions to verify all three are unset for devices approve while remaining set for other commands.

Root Cause

The #4462 guard (line 1872 of nemoclaw-start.sh) runs openclaw devices approve in a subshell that unsets only OPENCLAW_GATEWAY_URL. The sandbox proxy env also exports OPENCLAW_GATEWAY_PORT (line 264) and OPENCLAW_GATEWAY_TOKEN (line 1351). When the OpenClaw CLI resolves the gateway URL, it can fall back to OPENCLAW_GATEWAY_PORT, reconnecting to the gateway and hitting the scope-upgrade Catch-22: the approve command itself requires the upgraded scope.

Validation

The GITHUB_TOKEN used by this CI run does not include the workflow scope, so the -custom-e2e validation branch could not be pushed. To validate manually:

gh workflow run nightly-e2e.yaml --repo NVIDIA/NemoClaw \
  --ref fix/nightly-e2e-gateway-env-approve-guard-a25b393 \
  -f jobs=issue-4462-scope-upgrade-approval-e2e

• Original failing run: #26698759656 on a25b3931

Signed-off-by: Hung Le hple@nvidia.com

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d768979b-db94-415f-a57c-ddef5eeddd66

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/nightly-e2e-gateway-env-approve-guard-a25b393

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 1 nice ideas
Top item: Identify runtime validation for devices approve env fallback

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Runtime validation is still needed for the actual OpenClaw approval path (scripts/nemoclaw-start.sh:1872): The unit test proves that the generated shell wrapper unsets OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_PORT, and OPENCLAW_GATEWAY_TOKEN for `openclaw devices approve`, but it does not exercise a real sandbox/OpenClaw CLI resolving its gateway target and completing scope-upgrade approval. Because this is onboarding/host glue in a sourced sandbox shell env, the changed behavior depends on runtime OpenClaw URL-resolution semantics.
  • Recommendation: Add or identify targeted runtime/integration validation for the OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462 repro path that sources `/tmp/nemoclaw-proxy-env.sh`, runs `openclaw devices approve <requestId> --json`, and verifies approval succeeds without leaking the gateway-env mutation into later gateway-pinned commands. Do not rely only on the mocked env-contract unit test for this runtime path.
  • Evidence: Changed code at `scripts/nemoclaw-start.sh` runs `( unset OPENCLAW_GATEWAY_URL OPENCLAW_GATEWAY_PORT OPENCLAW_GATEWAY_TOKEN; command openclaw "$@" )`; the updated test fake binary logs env values and confirms they are unset for `devices approve`, but does not invoke real OpenClaw gateway/device approval behavior.

🌱 Nice ideas

• Update the OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462 guard comment to mention all stripped gateway env vars (scripts/nemoclaw-start.sh:1867): The shell guard comment still describes the workaround in terms of removing OPENCLAW_GATEWAY_URL, while the behavior now also strips OPENCLAW_GATEWAY_PORT and OPENCLAW_GATEWAY_TOKEN. This is minor, but the comment is part of the source-of-truth for a localized workaround in a security-sensitive startup script.
  • Recommendation: Adjust the comment to say that `devices approve` temporarily removes the gateway URL, port, and token environment so future maintainers do not reintroduce the port/token fallback.
  • Evidence: The generated guard comment says: `Other commands keep OPENCLAW_GATEWAY_URL.` The changed command now unsets `OPENCLAW_GATEWAY_URL OPENCLAW_GATEWAY_PORT OPENCLAW_GATEWAY_TOKEN`.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

E2E Advisor Recommendation

Required E2E: issue-4462-scope-upgrade-approval-e2e
Optional E2E: issue-4462-gateway-pinned-approval-characterization-e2e, rebuild-openclaw-e2e

Dispatch hint: issue-4462-scope-upgrade-approval-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• issue-4462-scope-upgrade-approval-e2e (high (~60 min, live sandbox, NVIDIA API)): Directly validates the real sandbox openclaw devices approve scope-upgrade flow affected by this guard change, and confirms subsequent openclaw agent usage remains on the gateway path.

Optional E2E

• issue-4462-gateway-pinned-approval-characterization-e2e (high (~60 min, live sandbox, NVIDIA API)): Useful diagnostic coverage for the legacy gateway-pinned approval path and recovery through the fixed proxy-env guard; adjacent to the changed env-unset behavior but not the primary merge-blocking proof.
• rebuild-openclaw-e2e (high (~60 min, live sandbox, NVIDIA API)): Adjacent confidence check for runtime proxy-env regeneration and gateway token export after rebuilds, since the changed block writes the same proxy-env file and handles OPENCLAW_GATEWAY_TOKEN.

New E2E recommendations

• gateway-credentials-security-boundary (high): Existing OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462 E2E coverage appears to assert OPENCLAW_GATEWAY_URL before/after approval, but not that OPENCLAW_GATEWAY_PORT and OPENCLAW_GATEWAY_TOKEN are absent from the devices approve subprocess while remaining available to the caller shell afterward.
  • Suggested test: Extend test/e2e/test-issue-4462-scope-upgrade-approval.sh in the issue-4462-scope-upgrade-approval-e2e job to probe OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_PORT, and OPENCLAW_GATEWAY_TOKEN around openclaw devices approve.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: issue-4462-scope-upgrade-approval-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw
Optional scenario E2E: wsl-repo-cloud-openclaw

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: medium

Required scenario E2E

• ubuntu-repo-cloud-openclaw: scripts/nemoclaw-start.sh emits the in-sandbox runtime shell environment and OpenClaw command guard. The standard Ubuntu repo/current OpenClaw scenario is the smallest primary scenario that rebuilds from this PR, starts a sandbox, validates gateway health, sandbox shell access, and baseline onboarding surfaces affected by the start script.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional scenario E2E

• wsl-repo-cloud-openclaw: Optional adjacent platform coverage for the same repo/current cloud OpenClaw startup and sandbox shell environment under WSL. This is a special-runner scenario, so it is optional unless WSL-specific risk is suspected.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=wsl-repo-cloud-openclaw

Relevant changed files

• scripts/nemoclaw-start.sh