fix(sandbox): guard openclaw configure and export gateway token (#1114)

[Dongni-Yang]

Summary

Fixes the four issues reported in #1114 — EACCES permission errors and
missing gateway token when running inside the NemoClaw sandbox.

Issue mapping

#	Reported error	Fix
1	EACCES: open '/sandbox/.openclaw/openclaw.json.*.tmp'	install_configure_guard — intercepts openclaw configure with a clear error and directs users to nemoclaw onboard --resume on the host
2	Same as #1 (different PID)	Same fix
3	EACCES: mkdir '/sandbox/.openclaw/credentials'	Already resolved on main via #1519 (credentials symlink to .openclaw-data/)
4	No WhatsApp QR code	Consequence of #3, also resolved by #1519

Root cause (issues 1 & 2)

OpenClaw's configure command performs atomic writes — it creates a temp
file (openclaw.json.PID.UUID.tmp) in the same directory as the config.
Since /sandbox/.openclaw/ is Landlock read-only at the kernel level,
file creation is rejected with EACCES. This is by design: the sandbox
config is intentionally immutable at runtime.

Rather than weakening Landlock (security regression), we intercept the
command in the sandbox shell and guide users to the correct host-side
workflow.

Changes

1. install_configure_guard() — Writes a shell function wrapper to
.bashrc/.profile that intercepts openclaw configure and prints:

Error: 'openclaw configure' cannot modify config inside the sandbox.
The sandbox config is read-only (Landlock enforced) for security.

To change your configuration, exit the sandbox and run:
  nemoclaw onboard --resume

This rebuilds the sandbox with your updated settings.

All other openclaw subcommands pass through to the real binary.

2. export_gateway_token() — Reads gateway.auth.token from
openclaw.json and exports it as OPENCLAW_GATEWAY_TOKEN, so
interactive sessions (openshell sandbox connect) can authenticate
with the gateway. Persists to .bashrc/.profile using idempotent
marker blocks and cleans stale tokens on revocation.

3. _read_gateway_token() helper — Shared Python snippet used by
both export_gateway_token and print_dashboard_urls (deduplication,
uses with open() context manager).

All three are called in both root and non-root startup paths.

Security properties preserved

• /sandbox/.openclaw remains root-owned, Landlock read-only
• openclaw.json remains chmod 444 (immutable)
• No new attack surface — token is read-only from existing config
• command openclaw bypass preserves all non-configure functionality

Fixes #1114

Signed-off-by: Dongni Yang dongniy@nvidia.com
Co-authored-by: Claude Sonnet 4.6 noreply@anthropic.com
Co-authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds _read_gateway_token(), export_gateway_token(), and install_configure_guard() to scripts/nemoclaw-start.sh; startup flow now calls export_gateway_token() and install_configure_guard() (both root and non-root). print_dashboard_urls() now uses _read_gateway_token() to obtain gateway.auth.token from /sandbox/.openclaw/openclaw.json.

Changes

Cohort / File(s)

Summary

Startup script — token & guard scripts/nemoclaw-start.sh

Added _read_gateway_token() to centralize reading gateway.auth.token via python3; added export_gateway_token() to export OPENCLAW_GATEWAY_TOKEN at runtime and add/remove # nemoclaw-gateway-token marker blocks in ${_SANDBOX_HOME}/.bashrc and ${_SANDBOX_HOME}/.profile; added install_configure_guard() to inject a guard that intercepts openclaw configure and exits with an error. Integrated these calls into both root and non-root startup paths and updated print_dashboard_urls() to use the new reader.

Sequence Diagram(s)

sequenceDiagram
    participant Startup as Startup Script
    participant Reader as Python Token Reader
    participant Env as Runtime Env
    participant Profiles as User Profile Files

    Startup->>Reader: call _read_gateway_token() (reads /sandbox/.openclaw/openclaw.json)
    Reader-->>Startup: return token (string or empty)
    alt token non-empty
        Startup->>Env: export OPENCLAW_GATEWAY_TOKEN
        Startup->>Profiles: insert/replace marker block with export line in .bashrc/.profile
    else token empty
        Startup->>Profiles: remove marker block from .bashrc/.profile
    end
    Startup->>Profiles: insert configure guard function into .bashrc/.profile (via markers)
    Startup->>Startup: continue to configure_messaging_channels()

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I dug through JSON, found a tiny key,

I tuck it in shells so the sessions run free,
If nothing's there, I sweep the markers away,
If present, I place it where it will stay,
A hop, a guard, your startup's snug with me. 🥕

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR partially addresses #1114 by preventing configure errors via a guard function, but does not implement core fixes for EACCES errors, credentials directory creation, or model/config read-write operations.	Verify that the configure guard adequately mitigates the reported EACCES failures and that other requirements (credentials directory permissions, model config persistence) are addressed in separate PRs (#1126 or others).
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Out of Scope Changes check	✅ Passed	All changes (token export, configure guard installation) are directly related to the stated objectives; no unrelated modifications to other functional areas detected.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: guarding openclaw configure and exporting gateway token, which are the primary objectives reflected in the PR summary and commit messages.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 130-132: The script currently returns early when the token is
empty, leaving previously inserted marker blocks in users' shell rc files and
causing stale credentials to persist; update the logic around the token check
(the block that currently does "if [ -z \"$token\" ]; then return; fi") to first
remove any existing marker blocks from the shell rc files (e.g., .bashrc,
.profile) before returning — implement a small cleanup routine that detects the
unique start/end markers used by the script and deletes the enclosed lines (use
the same marker names the script inserts), then return; apply the same change to
the other token-handling section referenced (the block around lines 144-156) so
both places remove markers when token is missing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 39659444-ffd6-4178-803e-b9e04d2789df

📥 Commits

Reviewing files that changed from the base of the PR and between 8f631ae and 09168e3.

📒 Files selected for processing (2)

• Dockerfile.base
• scripts/nemoclaw-start.sh

[wscurran]

✨ Thanks for submitting this pull request, which proposes a way to fix EACCES errors in sandboxes by adding the credentials directory to the writable state layout.

[coderabbitai]

🧹 Nitpick comments (1)

scripts/nemoclaw-start.sh (1)

118-170: Well-structured idempotent token management with proper stale credential cleanup.

The function correctly:

1. Extracts the gateway token from the verified config file using a safe Python heredoc
2. Removes stale marker blocks when the token is empty (lines 133-147), preventing revoked tokens from persisting in interactive sessions
3. Persists non-empty tokens idempotently using the same marker pattern as proxy config

The block-removal awk logic appears in both the empty-token path (lines 140-141) and the update path (lines 161-162). Consider extracting this into a small helper function to reduce duplication, similar to _write_proxy_snippet.
,

♻️ Optional: Extract block-removal helper

+_remove_marker_block() {
+  local file="$1" begin="$2" end="$3"
+  if [ -f "$file" ] && grep -qF "$begin" "$file" 2>/dev/null; then
+    local tmp
+    tmp="$(mktemp)"
+    awk -v b="$begin" -v e="$end" \
+      '$0==b{s=1;next} $0==e{s=0;next} !s' "$file" >"$tmp"
+    cat "$tmp" >"$file"
+    rm -f "$tmp"
+    return 0
+  fi
+  return 1
+}
+
 export_gateway_token() {
   # ... token extraction ...
   local marker_begin="# nemoclaw-gateway-token begin"
   local marker_end="# nemoclaw-gateway-token end"

   if [ -z "$token" ]; then
     for rc_file in "${_SANDBOX_HOME}/.bashrc" "${_SANDBOX_HOME}/.profile"; do
-      if [ -f "$rc_file" ] && grep -qF "$marker_begin" "$rc_file" 2>/dev/null; then
-        local tmp
-        tmp="$(mktemp)"
-        awk -v b="$marker_begin" -v e="$marker_end" \
-          '$0==b{s=1;next} $0==e{s=0;next} !s' "$rc_file" >"$tmp"
-        cat "$tmp" >"$rc_file"
-        rm -f "$tmp"
-      fi
+      _remove_marker_block "$rc_file" "$marker_begin" "$marker_end" || true
     done
     return
   fi
   # ... rest of function uses _remove_marker_block similarly ...
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/nemoclaw-start.sh` around lines 118 - 170, The duplicate awk-based
block-removal logic in export_gateway_token (used in the empty-token branch and
the update branch) should be extracted into a small helper (e.g.,
_remove_marker_block or similar) that accepts an rc file path and the
marker_begin/marker_end values; replace both inline copies with calls to that
helper and reuse the same pattern used by _write_proxy_snippet to keep behavior
identical (create tmp via mktemp, write filtered content, overwrite rc file, and
cleanup).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 118-170: The duplicate awk-based block-removal logic in
export_gateway_token (used in the empty-token branch and the update branch)
should be extracted into a small helper (e.g., _remove_marker_block or similar)
that accepts an rc file path and the marker_begin/marker_end values; replace
both inline copies with calls to that helper and reuse the same pattern used by
_write_proxy_snippet to keep behavior identical (create tmp via mktemp, write
filtered content, overwrite rc file, and cleanup).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5f2f1ef9-d247-44c1-804a-08d1944a33c1

📥 Commits

Reviewing files that changed from the base of the PR and between 09168e3 and 69db8ed.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

[Dongni-Yang]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (2)

scripts/nemoclaw-start.sh (2)

121-129: Consider using context manager for file handling.

The inline Python uses open() without explicit close. While Python's GC will handle it, using with open() is the idiomatic pattern and avoids resource warnings in stricter environments.

♻️ Suggested improvement

   token="$(
     python3 - <<'PYTOKEN'
 import json
 try:
-    cfg = json.load(open('/sandbox/.openclaw/openclaw.json'))
+    with open('/sandbox/.openclaw/openclaw.json') as f:
+        cfg = json.load(f)
     print(cfg.get('gateway', {}).get('auth', {}).get('token', ''))
 except Exception:
     print('')
 PYTOKEN
   )"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/nemoclaw-start.sh` around lines 121 - 129, The inline Python heredoc
that calls json.load(open('/sandbox/.openclaw/openclaw.json')) should use a
context manager to ensure the file is closed: replace the direct open(...) usage
in the try block inside the python3 - <<'PYTOKEN' heredoc with a with
open('/sandbox/.openclaw/openclaw.json') as f: and then call json.load(f)
(keeping the existing try/except and print logic intact) so the file is
explicitly closed even on errors.

---

118-129: Token extraction duplicated with print_dashboard_urls.

The Python snippet for reading gateway.auth.token is nearly identical to lines 262-274. If this pattern is used again, consider extracting a shell helper function that returns the token, but this is low priority given only two usage sites.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/nemoclaw-start.sh` around lines 118 - 129, Duplicate Python
token-extraction logic appears in export_gateway_token and print_dashboard_urls;
create a single helper (e.g., get_gateway_token) that runs the Python snippet
once and returns the token, then call that helper from export_gateway_token and
print_dashboard_urls to remove the duplicated snippet and centralize
token-reading logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 121-129: The inline Python heredoc that calls
json.load(open('/sandbox/.openclaw/openclaw.json')) should use a context manager
to ensure the file is closed: replace the direct open(...) usage in the try
block inside the python3 - <<'PYTOKEN' heredoc with a with
open('/sandbox/.openclaw/openclaw.json') as f: and then call json.load(f)
(keeping the existing try/except and print logic intact) so the file is
explicitly closed even on errors.
- Around line 118-129: Duplicate Python token-extraction logic appears in
export_gateway_token and print_dashboard_urls; create a single helper (e.g.,
get_gateway_token) that runs the Python snippet once and returns the token, then
call that helper from export_gateway_token and print_dashboard_urls to remove
the duplicated snippet and centralize token-reading logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dfd9554f-2c5a-44f9-a1c1-78e23c876be0

📥 Commits

Reviewing files that changed from the base of the PR and between 69db8ed and cd4b846.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

scripts/nemoclaw-start.sh (1)

130-173: Please add a regression test for the rc-file marker updates.

These new paths rewrite ~/.bashrc and ~/.profile, but the provided test/nemoclaw-start.test.js coverage still only asserts startup flow and diagnostics. A temp-home test for insert/replace/remove behavior would keep the stale-token cleanup and configure guard from drifting again.

Also applies to: 175-216

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/nemoclaw-start.sh` around lines 130 - 173, Add a regression test for
export_gateway_token that verifies insert/replace/remove behavior on rc files:
create a temp home and set _SANDBOX_HOME to it, create .bashrc and .profile with
and without existing marker blocks and varying write permissions, then invoke
the export_gateway_token function (or source the script and call
export_gateway_token) with _read_gateway_token stubbed to return a token and
then to return empty; assert that when a token is returned the marker block is
inserted or replaced with the new OPENCLAW_GATEWAY_TOKEN snippet, and when empty
any existing marker blocks are removed. Add assertions in
test/nemoclaw-start.test.js to cover both branches that use the tmp-file+awk
replacement (existing marker present) and the append branch (no marker but
writable), ensuring the marker text and token value are exactly as expected and
removed on token absence.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 155-158: The snippet currently injects the raw token into a
sourced shell fragment (variables snippet, token, marker_begin, marker_end),
which can break or allow code execution if token contains quotes, dollars,
backticks or newlines; fix by shell-escaping the token before embedding it—e.g.,
produce an escaped_token from token using a safe shell-escaping method (printf
'%q' or base64-encode the value and decode at runtime) and then use that
escaped_token when building snippet between marker_begin and marker_end so the
resulting export OPENCLAW_GATEWAY_TOKEN assignment is always syntactically safe.
- Around line 136-149: The cleanup branch that strips marker blocks (the for
loop using _SANDBOX_HOME and marker_begin/marker_end) fails to remove the token
from the current environment, so children like NEMOCLAW_CMD can still inherit a
stale OPENCLAW_GATEWAY_TOKEN; fix by unsetting OPENCLAW_GATEWAY_TOKEN in that
branch (e.g., call unset OPENCLAW_GATEWAY_TOKEN before the return) so the
variable is removed from the current process environment before spawning any
children.

---

Nitpick comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 130-173: Add a regression test for export_gateway_token that
verifies insert/replace/remove behavior on rc files: create a temp home and set
_SANDBOX_HOME to it, create .bashrc and .profile with and without existing
marker blocks and varying write permissions, then invoke the
export_gateway_token function (or source the script and call
export_gateway_token) with _read_gateway_token stubbed to return a token and
then to return empty; assert that when a token is returned the marker block is
inserted or replaced with the new OPENCLAW_GATEWAY_TOKEN snippet, and when empty
any existing marker blocks are removed. Add assertions in
test/nemoclaw-start.test.js to cover both branches that use the tmp-file+awk
replacement (existing marker present) and the append branch (no marker but
writable), ensuring the marker text and token value are exactly as expected and
removed on token absence.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d76bcc9c-8987-4fdd-af3e-55cd1d9c6a56

📥 Commits

Reviewing files that changed from the base of the PR and between 2cc5d78 and 902eaab.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

[ericksoa]

Reviewed: clean fix for #1114. Security properties preserved (no Landlock weakening), token properly shell-escaped, idempotent marker blocks, stale token cleanup, both root/non-root paths covered. Tests are solid. LGTM.