fix(onboard): guard config-sync chmod with ownership check

[hunglp6d]

Summary

Guard chmod 700 ~/.nemoclaw and chmod 600 ~/.nemoclaw/config.json in the sandbox config-sync script with an ownership check so the commands only run when the current user owns the target. This prevents EPERM crashes inside OpenClaw sandbox containers where /sandbox/.nemoclaw is root-owned (Dockerfile L733: root:root 1755), fixing all 39 failed OpenClaw E2E jobs in the May 26 nightly run.

Related Issue

Fixes #4207

Changes

• Wrap chmod 700 ~/.nemoclaw with if [ "$(stat -c '%u' ~/.nemoclaw)" = "$(id -u)" ] so it only runs when the sandbox user owns the directory (host installs). Inside root-owned containers, prepare_filesystem already handles permissions.
• Wrap chmod 600 ~/.nemoclaw/config.json with the same ownership guard.
• Existing tests in config-sync.test.ts continue to pass (3/3) since the chmod 700 and chmod 600 strings are still present inside the if-blocks.

Root Cause

PR #4054 (commit f1044ad) added unconditional chmod 700 ~/.nemoclaw and chmod 600 ~/.nemoclaw/config.json to buildSandboxConfigSyncScript() in src/lib/onboard/config-sync.ts. The script runs as the sandbox user inside OpenClaw containers where /sandbox/.nemoclaw is root:root 1755 (Dockerfile L733). Under set -euo pipefail, the EPERM from the failed chmod becomes exit 1, piped through openshell sandbox connect, crashing every OpenClaw E2E job at onboard step 7/8.

Hermes containers are unaffected because Dockerfile.base L74-75 chowns /sandbox to sandbox:sandbox.

Validation

A focused custom-e2e.yaml workflow was run on a sibling branch to confirm this fix repairs the regression. The workflow re-runs only the jobs from the original nightly that this PR targets, on ubuntu-latest, off the same fix commit as this PR.

• Validation branch: ci/nightly-e2e-self-hosted on hunglp6d/NemoClaw
• Validation run: #26426343022 — success ✅
• Targeted jobs: cloud-e2e (covers the OpenClaw onboard path that crashes)
• Original failing run: 26425202514 on 4f9b749

The validation branch is intentionally not the head of this PR — it carries an extra .github/workflows/custom-e2e.yaml commit that is scaffolding, not part of the fix. Re-run the validation by pushing any commit to the validation branch.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

AI Disclosure

• AI-assisted — tool: Claude Code (nemoclaw-diagnosis skill)

---

Signed-off-by: Hung Le hple@nvidia.com

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f9d091d8-c7bb-4a2d-9155-df92fe7a809e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[hunglp6d]

Closed due to a fix #4199 was merged