
refactor(openclaw): share device approval policy #4788

Merged: cv merged 7 commits into main from codex/approval-policy-helper on Jun 5, 2026

cv (Collaborator) commented Jun 4, 2026

Summary

Share the OpenClaw device approval allowlist/scope policy between the startup auto-pair watcher and the connect-time approval pass. This keeps the #4786 compatibility shim fail-closed in one place while still injecting the helper into existing sandboxes during connect.

Related Issue

Refs #4462, #4263. Stacked on #4786.

Changes

  • Add scripts/lib/openclaw_device_approval_policy.py as the shared policy helper for allowed clients, modes, scopes, malformed scope rejection, and gateway-env stripping.
  • Load the helper from nemoclaw-start.sh and inject the same helper into /tmp for the connect-time approval pass.
  • Copy the helper into sandbox images and optimized build contexts.
  • Update startup/connect/build-context tests around the shared policy source.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Additional focused checks run:

  • npm run build:cli
  • npm run typecheck:cli
  • npm test -- --run test/nemoclaw-start.test.ts test/sandbox-connect-inference.test.ts test/sandbox-build-context.test.ts
  • python3 -m py_compile scripts/lib/openclaw_device_approval_policy.py
  • bash -n scripts/nemoclaw-start.sh

Skipped/blocked:

  • npx prek run --files ... and node_modules/.bin/prek --version both failed before hooks ran with Error fetching release: self-signed certificate in certificate chain.
  • shellcheck scripts/nemoclaw-start.sh was not available in this environment (shellcheck: command not found).

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

  • New Features

    • Externalized device approval policy for OpenClaw pairing, driving approval decisions from a pluggable policy module instead of embedded allowlists.
  • Chores

    • Included the approval policy module in builds and runtime images, with tightened file permissions and staging so it’s available where the watcher runs.
  • Tests

    • Updated and expanded auto-pair and sandbox tests to exercise the new policy-driven approval flow and related hardening.

@cv cv self-assigned this Jun 4, 2026

copy-pr-bot Bot commented Jun 4, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai Bot (Contributor) commented Jun 4, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bae4fdde-c2b8-45b6-af17-9b4ec25774ea

📥 Commits

Reviewing files that changed from the base of the PR and between 4a06da5 and f571499.

📒 Files selected for processing (3)
  • scripts/nemoclaw-start.sh
  • test/nemoclaw-start.test.ts
  • test/sandbox-provisioning.test.ts
📝 Walkthrough

This PR extracts device approval logic into a shared Python policy module and wires it into the embedded shell watcher and the sandbox in-sandbox approval pass, stages and packages the module for runtime, and extends tests to validate decision behavior and tamper-resistance.

Changes

Device Approval Policy Externalization

| Layer / File(s) | Summary |
| --- | --- |
| Policy module definition: scripts/lib/openclaw_device_approval_policy.py | New Python module defining ALLOWED_CLIENTS, ALLOWED_MODES, ALLOWED_SCOPES, GATEWAY_APPROVAL_ENV_KEYS, plus requested_scopes(), approval_request_decision(), and gateway_approval_env() to produce structured decisions and a cleaned approve-time environment. |
| Shell script watcher integration: scripts/nemoclaw-start.sh | Embedded auto-pair watcher loads the external policy module and delegates approval decisions and approve-env construction to approval_request_decision() and gateway_approval_env() instead of in-script allowlists and manual env popping. |
| TypeScript sandbox approval pass: src/lib/actions/sandbox/connect.ts | Reads the on-disk policy module (if present), base64-embeds it into the generated in-sandbox Python script using shellQuote, and the sandbox script execs the policy to call approval_request_decision() / gateway_approval_env() when approving pending devices. |
| Build context and Docker deployment: Dockerfile, src/lib/sandbox/build-context.ts | Copy policy module into staged sandbox build context and into the Docker image at /usr/local/lib/nemoclaw/ with 644 permissions so the shell watcher can load it at runtime. |
| Test coverage and tamper-resistance: test/nemoclaw-start.test.ts, test/sandbox-build-context.test.ts, test/sandbox-connect-inference.test.ts | Test helpers inject local policy paths, disable test-time sleeping, validate base64 embedding + in-memory exec of the policy, exercise malformed/disallowed-scope handling, and assert PYTHONPATH tamper-resistance via malicious-policy fixtures. Also assert the policy is staged in build contexts. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested labels

Integration: OpenClaw, enhancement: policy, area: sandbox, area: integrations

Suggested reviewers

  • prekshivyas
  • cjagwani

Poem

🐰 A tiny rabbit hops with care,
A policy tucked into its lair.
Shell and sandbox share the tune,
Base64 moonlight hums in tune.
Hop—approve—security aware.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'refactor(openclaw): share device approval policy' accurately describes the main change—extracting and centralizing device approval policy logic into a shared helper module used across multiple parts of the codebase. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


github-actions Bot (Contributor) commented Jun 4, 2026

PR Review Advisor

Findings: 0 needs attention, 4 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 3 still apply, 0 new items found

Review findings

🛠️ Needs attention

  • None.

🔎 Worth checking

  • Source-of-truth review needed: src/lib/actions/sandbox/connect.ts connect-time approval helper read fallback: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: readConnectAutoPairPolicyModule() catches all exceptions and returns null; runConnectAutoPairApprovalPass() returns immediately when approvalPolicyModule is falsy.
  • Silent helper-read fallback can disable connect-time approval recovery (src/lib/actions/sandbox/connect.ts:693): The connect-time approval pass still catches every failure while reading scripts/lib/openclaw_device_approval_policy.py and returns without diagnostics when the helper source is unavailable. The PR adds Docker build-context coverage and package files already include scripts/, but there is still no direct packaged/tarball install-layout regression test proving the installed CLI can read this helper and emit the sandbox exec. If a publish/layout regression omits or hides the helper, late OpenClaw CLI/webchat scope-upgrade approvals during connect are silently skipped.
    • Recommendation: Add a packaged/install-layout test that runs the installed CLI or equivalent tarball layout and proves `nemoclaw <sandbox> connect` can read `scripts/lib/openclaw_device_approval_policy.py` and emits the approval-pass sandbox exec; alternatively emit a quiet/debug-safe diagnostic when the helper is absent. Also document whether this best-effort skip is permanent and when it can be removed.
    • Evidence: readConnectAutoPairPolicyModule() catches all exceptions and returns null; runConnectAutoPairApprovalPass() returns immediately when approvalPolicyModule is falsy. Existing tests cover generated shell/Python behavior and optimized Docker staging, not a published/install layout.
  • Source-of-truth review is still incomplete for the connect-time helper fallback (src/lib/actions/sandbox/connect.ts:696): The helper-read fallback is localized tolerant behavior: it accepts a missing/unreadable helper and skips the approval pass. The code identifies the invalid state as a packaging/layout regression, but it does not fully answer why the source cannot be fixed or proven in this PR, what install-layout regression test prevents recurrence, or when the silent skip can be removed.
    • Recommendation: Either make the helper presence impossible to regress at the packaging source with install-layout coverage, or explicitly document the source boundary, source-fix constraint, regression test, and removal condition for the silent best-effort skip.
    • Evidence: src/lib/actions/sandbox/connect.ts: readConnectAutoPairPolicyModule() has `} catch {` followed by comments that a packaging/layout regression must not block connect and then `return null;`.
  • PR description still says the connect helper is injected into /tmp: The implementation intentionally avoids importing authorization code from /tmp by embedding the trusted helper source in NEMOCLAW_APPROVAL_POLICY_B64 and executing it in memory. Tests assert that /tmp/openclaw_device_approval_policy.py and sys.path insertion are absent. The PR body still says the helper is injected into /tmp, which contradicts the changed trusted-code boundary.
    • Recommendation: Update the PR description to say the connect-time approval pass embeds the trusted helper source via base64/in-memory execution instead of injecting or importing it from /tmp.
    • Evidence: PR body clause: “Load the helper from `nemoclaw-start.sh` and inject the same helper into `/tmp` for the connect-time approval pass.” Diff evidence: connect.ts sets NEMOCLAW_APPROVAL_POLICY_B64 and exec(compile(policy_source,...)); test/sandbox-connect-inference.test.ts asserts the script does not contain /tmp/openclaw_device_approval_policy.py or sys.path.insert(0, '/tmp').

🌱 Nice ideas

  • None.
Consider writing more tests for
  • **Runtime validation** — Packaged CLI/tarball layout contains scripts/lib/openclaw_device_approval_policy.py and `nemoclaw <sandbox> connect` emits the approval-pass sandbox exec instead of silently skipping. Unit and harness tests exercise the generated shell/Python logic well, but the changed behavior spans Docker image contents, actual OpenShell sandbox exec, in-sandbox Python/OpenClaw resolution, runtime filesystem permissions, env stripping, and packaged CLI file layout.
  • **Runtime validation** — Built sandbox image startup loads /usr/local/lib/nemoclaw/openclaw_device_approval_policy.py and rejects a pending operator.admin scope request. Unit and harness tests exercise the generated shell/Python logic well, but the changed behavior spans Docker image contents, actual OpenShell sandbox exec, in-sandbox Python/OpenClaw resolution, runtime filesystem permissions, env stripping, and packaged CLI file layout.
  • **Runtime validation** — Real OpenShell sandbox exec connect-time approval pass rejects malformed requestedScopes and ignores malicious /tmp or PYTHONPATH policy files. Unit and harness tests exercise the generated shell/Python logic well, but the changed behavior spans Docker image contents, actual OpenShell sandbox exec, in-sandbox Python/OpenClaw resolution, runtime filesystem permissions, env stripping, and packaged CLI file layout.
  • **Runtime validation** — Runtime approval calls strip OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_PORT, and OPENCLAW_GATEWAY_TOKEN inside an actual sandbox. Unit and harness tests exercise the generated shell/Python logic well, but the changed behavior spans Docker image contents, actual OpenShell sandbox exec, in-sandbox Python/OpenClaw resolution, runtime filesystem permissions, env stripping, and packaged CLI file layout.
  • **Runtime validation** — macOS/VM or equivalent ownership-projection runtime loads /usr/local/lib/nemoclaw/openclaw_device_approval_policy.py successfully, or deliberately documents and handles the fail-closed behavior if the helper appears current-user-owned with mode 0644. Unit and harness tests exercise the generated shell/Python logic well, but the changed behavior spans Docker image contents, actual OpenShell sandbox exec, in-sandbox Python/OpenClaw resolution, runtime filesystem permissions, env stripping, and packaged CLI file layout.
  • **Silent helper-read fallback can disable connect-time approval recovery** — Add a packaged/install-layout test that runs the installed CLI or equivalent tarball layout and proves `nemoclaw <sandbox> connect` can read `scripts/lib/openclaw_device_approval_policy.py` and emits the approval-pass sandbox exec; alternatively emit a quiet/debug-safe diagnostic when the helper is absent. Also document whether this best-effort skip is permanent and when it can be removed.
  • **Acceptance clause:** This keeps the #4786 (fix(openclaw): handle 2026.5.27 approval compatibility) compatibility shim fail-closed in one place while still injecting the helper into existing sandboxes during `connect`. — add test evidence or identify existing coverage. Fail-closed scope policy is centralized and tests cover malformed/admin-scope rejection. The connect pass embeds the helper source via NEMOCLAW_APPROVAL_POLICY_B64 rather than injecting it into /tmp, which is safer but contradicts the literal wording.
  • **Acceptance clause:** Load the helper from `nemoclaw-start.sh` and inject the same helper into `/tmp` for the connect-time approval pass. — add test evidence or identify existing coverage. nemoclaw-start.sh loads /usr/local/lib/nemoclaw/openclaw_device_approval_policy.py. The connect-time pass does not inject into /tmp; it embeds base64 policy source and executes it in memory, with tests asserting no /tmp import path.

This is an automated advisory review. A human maintainer must make the final merge decision.
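
The trusted-code boundary from the last finding above, as an added Python sketch that is not code from this PR: it resolves the same policy once by module name through the import path and once from base64 source executed in memory. The two policy bodies, the allowlist values, the decision dict shape and the function signatures are assumptions; only the identifier names, the env var and the three gateway variables come from the page.

```python
import base64
import importlib
import os
import sys
import tempfile

MODULE_NAME = "openclaw_device_approval_policy"  # helper file name from the PR
ENV_KEY = "NEMOCLAW_APPROVAL_POLICY_B64"         # env var named in the review

# Constructed stand-in for the trusted helper. Function names follow the PR
# walkthrough; bodies, signatures and allowlist values are assumptions.
TRUSTED_POLICY_SOURCE = '''
ALLOWED_SCOPES = frozenset({"scope.alpha", "scope.beta"})  # placeholder values
GATEWAY_APPROVAL_ENV_KEYS = (
    "OPENCLAW_GATEWAY_URL", "OPENCLAW_GATEWAY_PORT", "OPENCLAW_GATEWAY_TOKEN",
)

def requested_scopes(request):
    """Return the requested scope list, or None when the field is malformed."""
    if not isinstance(request, dict):
        return None
    scopes = request.get("requestedScopes")
    if not isinstance(scopes, list) or not scopes:
        return None
    if not all(isinstance(s, str) and s for s in scopes):
        return None
    return scopes

def approval_request_decision(request):
    """Fail closed: approve only when every requested scope is allowlisted."""
    scopes = requested_scopes(request)
    if scopes is None:
        return {"approve": False, "reason": "malformed-scopes"}
    extra = sorted(set(scopes) - ALLOWED_SCOPES)
    if extra:
        return {"approve": False, "reason": "disallowed-scopes", "scopes": extra}
    return {"approve": True, "reason": "allowed"}

def gateway_approval_env(environ):
    """Copy of environ without the gateway override variables."""
    return {k: v for k, v in environ.items() if k not in GATEWAY_APPROVAL_ENV_KEYS}
'''

# Constructed tampered module, as a test fixture would place it on the import path.
PLANTED_POLICY_SOURCE = '''
def approval_request_decision(request):
    return {"approve": True, "reason": "planted"}
'''


def load_embedded_policy(environ):
    """Decode the policy source from the environment and run it in a fresh namespace."""
    encoded = environ.get(ENV_KEY)
    if not encoded:
        raise RuntimeError("approval policy source missing; nothing is approved")
    source = base64.b64decode(encoded, validate=True).decode("utf-8")
    namespace = {"__name__": MODULE_NAME}
    # No file lookup happens here, so sys.path and PYTHONPATH cannot redirect it.
    exec(compile(source, "<embedded-approval-policy>", "exec"), namespace)
    return namespace


def decide_via_import(request, search_dir):
    """Resolve the policy by module name with search_dir first on sys.path."""
    sys.path.insert(0, search_dir)
    importlib.invalidate_caches()
    try:
        module = importlib.import_module(MODULE_NAME)
        return module.approval_request_decision(request)
    finally:
        sys.path.remove(search_dir)
        sys.modules.pop(MODULE_NAME, None)


def compare_load_paths(request):
    """Return (decision via import path, decision via embedded source)."""
    with tempfile.TemporaryDirectory() as planted_dir:
        with open(os.path.join(planted_dir, MODULE_NAME + ".py"), "w") as fh:
            fh.write(PLANTED_POLICY_SOURCE)
        by_import = decide_via_import(request, planted_dir)
    env = {ENV_KEY: base64.b64encode(TRUSTED_POLICY_SOURCE.encode()).decode()}
    by_embed = load_embedded_policy(env)["approval_request_decision"](request)
    return by_import, by_embed


if __name__ == "__main__":
    print(compare_load_paths({"requestedScopes": ["operator.admin"]}))
```
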

Base automatically changed from fix/openclaw-2026-5-27-compat to main June 4, 2026 23:10
github-actions Bot (Contributor) commented Jun 4, 2026

E2E Advisor Recommendation

Required E2E: issue-4462-scope-upgrade-approval-e2e, openclaw-onboard-security-posture-e2e
Optional E2E: device-auth-health-e2e, sandbox-operations-e2e, test-e2e-gateway-isolation, test-non-root-sandbox-smoke

Dispatch hint: issue-4462-scope-upgrade-approval-e2e,openclaw-onboard-security-posture-e2e

Auto-dispatched E2E: issue-4462-scope-upgrade-approval-e2e, openclaw-onboard-security-posture-e2e via nightly-e2e.yaml at f571499b1ca89f1ed817d0442510cf90b4cd81c8 (nightly run)

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • issue-4462-scope-upgrade-approval-e2e (high): Directly validates the real OpenClaw CLI scope-upgrade approval flow in a live sandbox, including the auto-pair watcher path this PR refactors into a shared approval policy.
  • openclaw-onboard-security-posture-e2e (high): Runs full OpenClaw onboard and live inference with additional security-posture assertions, providing merge-blocking confidence that the new helper is packaged with safe ownership/permissions and that entrypoint startup still works in the real image.

Optional E2E

  • device-auth-health-e2e (medium): Adjacent confidence for default device-auth behavior and gateway health when auth is enabled; useful because this PR changes device approval plumbing but not strictly required if the scope-upgrade E2E passes.
  • sandbox-operations-e2e (high): Exercises sandbox lifecycle and a real OpenClaw agent turn through a running sandbox, covering broader lifecycle/connect-adjacent regressions from Dockerfile and startup-script changes.
  • test-e2e-gateway-isolation (medium): Image-level security isolation smoke for the production Dockerfile; useful because the PR changes files copied into /usr/local/lib/nemoclaw and startup security boundaries.
  • test-non-root-sandbox-smoke (low): Quick image entrypoint smoke under no-new-privileges; useful to catch packaging/permission regressions around the new helper without running a full sandbox lifecycle.

New E2E recommendations

  • connect-time OpenClaw approval pass (high): Existing E2E coverage validates startup/manual scope-upgrade approval, but there is no dedicated live E2E that creates a pending allowlisted CLI/webchat approval, runs nemoclaw <sandbox> connect, and asserts the connect-time approval pass itself clears the request using the embedded trusted policy while rejecting disallowed scopes.
    • Suggested test: Add a live E2E for nemoclaw connect auto-pair approval pass with pending allowlisted and disallowed scope requests.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: issue-4462-scope-upgrade-approval-e2e,openclaw-onboard-security-posture-e2e

github-actions Bot (Contributor) commented Jun 4, 2026

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw
Optional scenario E2E: wsl-repo-cloud-openclaw, gpu-repo-local-ollama-openclaw

Dispatch required scenario E2E:

  • gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • ubuntu-repo-cloud-openclaw: Primary repo-current OpenClaw scenario exercises the changed Dockerfile/build-context packaging and in-sandbox startup path, including scripts/nemoclaw-start.sh and the newly copied OpenClaw device approval policy helper, on the standard Ubuntu Docker onboarding path.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional scenario E2E

  • wsl-repo-cloud-openclaw: Optional adjacent platform coverage for the same repo-current OpenClaw onboarding/startup surface on WSL; useful because connect.ts and sandbox behavior include platform-sensitive paths, but it uses a special Windows/WSL runner.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=wsl-repo-cloud-openclaw
  • gpu-repo-local-ollama-openclaw: Optional adjacent OpenClaw scenario covering the same Docker image/startup packaging on the local Ollama onboarding path; it requires the special GPU runner, so it is not the primary required target.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=gpu-repo-local-ollama-openclaw

Relevant changed files

  • Dockerfile
  • scripts/lib/openclaw_device_approval_policy.py
  • scripts/nemoclaw-start.sh
  • src/lib/actions/sandbox/connect.ts
  • src/lib/sandbox/build-context.ts

@cv cv requested review from cjagwani and prekshivyas June 4, 2026 23:10
@cv cv added the v0.0.60 Release target label Jun 4, 2026
cjagwani (Contributor) left a comment

Lgtm

…-helper-ff

# Conflicts:
#	scripts/nemoclaw-start.sh
#	src/lib/actions/sandbox/connect.ts
#	test/sandbox-connect-inference.test.ts
Comment thread test/sandbox-connect-inference.test.ts Fixed
coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
Dockerfile (1)

403-421: Please run the boot-path E2Es for this image change.

This bakes a new runtime asset that the sandbox entrypoint now executes during device approval, so unit coverage alone will miss image/boot regressions. I’d run the targeted sandbox-survival-e2e, sandbox-operations-e2e, cloud-e2e, openclaw-slack-pairing-e2e, hermes-e2e, rebuild-openclaw-e2e, and openclaw-tui-chat-correlation-e2e jobs before merge. As per coding guidelines, Dockerfile changes are only testable with a real container build, and scripts/nemoclaw-start.sh changes affect every sandbox boot and are invisible to unit tests.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 403 - 421, This change adds runtime files (notably
the new /usr/local/bin/nemoclaw-start entrypoint and files under
/usr/local/lib/nemoclaw/) that affect sandbox boot-time behavior, so before
merging build the updated Docker image and run the boot-path E2E suites:
sandbox-survival-e2e, sandbox-operations-e2e, cloud-e2e,
openclaw-slack-pairing-e2e, hermes-e2e, rebuild-openclaw-e2e, and
openclaw-tui-chat-correlation-e2e against the built image (verify sandbox boots,
device approval flow using scripts/nemoclaw-start.sh and
openclaw_device_approval_policy.py, and that preloads under
/usr/local/lib/nemoclaw/preloads load correctly); fix any failures, then re-run
the same E2Es until green before merging.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 1737-1749: The loader currently only rejects group/other writable
helpers but must also reject files that are owner-writable by the current
sandbox user; inside load_approval_policy, after obtaining st = os.stat(path)
use st.st_uid and compare to os.geteuid(), and if st.st_uid == os.geteuid() and
st.st_mode & stat.S_IWUSR raise a RuntimeError (similar to the existing
group/other check) so any helper writable by the effective sandbox UID is
rejected; keep the existing stat.S_IWGRP|stat.S_IWOTH check and then proceed to
import as before (refer to load_approval_policy, APPROVAL_POLICY_FILE,
approval_request_decision, gateway_approval_env).


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3c759f01-3daf-4710-8dcd-fdd6cfb2bbc5

📥 Commits

Reviewing files that changed from the base of the PR and between 2246a4b and 2f094d3.

📒 Files selected for processing (8)
  • Dockerfile
  • scripts/lib/openclaw_device_approval_policy.py
  • scripts/nemoclaw-start.sh
  • src/lib/actions/sandbox/connect.ts
  • src/lib/sandbox/build-context.ts
  • test/nemoclaw-start.test.ts
  • test/sandbox-build-context.test.ts
  • test/sandbox-connect-inference.test.ts
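
The ownership and mode rule from the inline comment on scripts/nemoclaw-start.sh above, as an added Python sketch that is not the project's loader: the function names, the error text and the temp-file demo are assumptions. It also checks `fstat` on the opened descriptor rather than `stat` on the path, which goes beyond what the comment asks for, so the bytes that are read are the bytes that were checked.

```python
import os
import stat
import tempfile


def policy_file_rejection(st, euid):
    """Return why a policy file with stat result `st` is untrusted, or None."""
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    # Existing rule in the review: nobody outside the owner may write the helper.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    # Rule requested in the review: the effective sandbox user must not be an
    # owner with write permission, or it could rewrite its own approval policy.
    if st.st_uid == euid and st.st_mode & stat.S_IWUSR:
        return "writable by the effective sandbox user"
    return None


def read_trusted_policy(path, euid=None):
    """Open the helper, vet the opened descriptor, and return its source text."""
    euid = os.geteuid() if euid is None else euid
    fd = os.open(path, os.O_RDONLY)
    try:
        reason = policy_file_rejection(os.fstat(fd), euid)
        if reason:
            raise RuntimeError(f"refusing approval policy {path}: {reason}")
        with os.fdopen(fd, "r", encoding="utf-8", closefd=False) as fh:
            return fh.read()
    finally:
        os.close(fd)


def evaluate_modes(modes=(0o644, 0o664, 0o444)):
    """Constructed demo: map each mode to (verdict as owner, verdict as another uid)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "openclaw_device_approval_policy.py")
        with open(path, "w") as fh:
            fh.write("ALLOWED_SCOPES = frozenset()\n")  # constructed content
        owner = os.stat(path).st_uid
        for mode in modes:
            os.chmod(path, mode)
            st = os.stat(path)
            results[oct(mode)] = (
                policy_file_rejection(st, owner),      # loader runs as the file owner
                policy_file_rejection(st, owner + 1),  # loader runs as a different uid
            )
    return results


if __name__ == "__main__":
    for mode, verdicts in evaluate_modes().items():
        print(mode, verdicts)
```

Mode 0644 passes only when the loader's uid differs from the file owner, which is the fail-closed case the PR Review Advisor lists for runtimes where the helper appears current-user-owned. An owner can chmod its own file back to writable, so a stricter variant would reject any helper owned by the effective uid regardless of mode.
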

github-actions Bot (Contributor) commented Jun 4, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26985744598
Target ref: 2f094d35f182c46e19eb699849e29eb3e73f72d1
Workflow ref: main
Requested jobs: issue-4462-scope-upgrade-approval-e2e,cloud-onboard-e2e,device-auth-health-e2e
Summary: 3 passed, 0 failed, 0 skipped

| Job | Result |
| --- | --- |
| cloud-onboard-e2e | ✅ success |
| device-auth-health-e2e | ✅ success |
| issue-4462-scope-upgrade-approval-e2e | ✅ success |

github-actions Bot (Contributor) commented Jun 4, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26986068886
Target ref: 4a06da58eb3041b025732b9b00fedd6943012c99
Workflow ref: main
Requested jobs: issue-4462-scope-upgrade-approval-e2e,cloud-onboard-e2e,device-auth-health-e2e
Summary: 3 passed, 0 failed, 0 skipped

| Job | Result |
| --- | --- |
| cloud-onboard-e2e | ✅ success |
| device-auth-health-e2e | ✅ success |
| issue-4462-scope-upgrade-approval-e2e | ✅ success |

github-actions Bot (Contributor) commented Jun 4, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26986310753
Target ref: 856661e69d977943500586de490ffd71814235f2
Workflow ref: main
Requested jobs: issue-4462-scope-upgrade-approval-e2e,device-auth-health-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
| --- | --- |
| device-auth-health-e2e | ✅ success |
| issue-4462-scope-upgrade-approval-e2e | ✅ success |

github-actions Bot (Contributor) commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26986708337
Target ref: f571499b1ca89f1ed817d0442510cf90b4cd81c8
Workflow ref: main
Requested jobs: issue-4462-scope-upgrade-approval-e2e,openclaw-onboard-security-posture-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
| --- | --- |
| issue-4462-scope-upgrade-approval-e2e | ✅ success |
| openclaw-onboard-security-posture-e2e | ✅ success |

@cv cv merged commit 961cfe2 into main Jun 5, 2026
19 checks passed
@cv cv deleted the codex/approval-policy-helper branch June 5, 2026 00:27