[macOS][CLI&UX] shields status reports "UP (lockdown active)" on fresh onboard but config is mutable 660 sandbox:sandbox #3114

@zNeill

Description

After a fresh onboard on v0.0.35, `nemoclaw shields status` reports
"Shields: UP (lockdown active)" but the actual config file permissions
are 660 sandbox:sandbox (mutable default). The config is writable by
the sandbox user despite shields claiming lockdown is active.

Only after explicitly running `nemoclaw shields up` does the config
actually change to 444 root:root (true lockdown). This means the
status display is wrong on fresh onboard — it should report "DOWN"
or "mutable default" since PR #2227 made mutable the default.

Environment

```
Device:        MacBook Pro (Apple M4 Pro, 48 GB)
OS:            macOS 26.0.1 (Darwin 25.0.0, arm64)
Node.js:       v22.22.1
npm:           10.9.4
Docker:        Docker Desktop 29.2.1
OpenShell CLI: openshell 0.0.36
NemoClaw:      v0.0.35
OpenClaw:      2026.4.24
```

Steps to Reproduce

1. Fresh install v0.0.35 + onboard a sandbox
2. Run: nemoclaw my-assistant shields status
   → Shows "Shields: UP (lockdown active)"
3. Run: openshell sandbox exec -n my-assistant -- stat -c '%U:%G %a' /sandbox/.openclaw/openclaw.json
   → Shows "sandbox:sandbox 660" (mutable, NOT locked)
4. Run: openshell sandbox exec -n my-assistant -- sh -c 'echo test >> /sandbox/.openclaw/openclaw.json && echo CAN_WRITE'
   → Shows "CAN_WRITE" (config is writable despite shields UP)
5. Run: nemoclaw my-assistant shields up
   → Config changes to "root:root 444" (actually locked now)

Expected Result

After fresh onboard with mutable default (PR #2227):
- shields status should show "DOWN (mutable default)" or similar
- Config should be 660 sandbox:sandbox (which it is)
- shields up should then lock to 444 root:root (which it does)

Actual Result

- shields status falsely shows "UP (lockdown active)"
- Config is actually 660 sandbox:sandbox (mutable)
- Misleading status — users think lockdown is active when it is not

Bug Details

| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NemoClaw_CLI&UX, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Security |

[NVB#6148101]
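
The mismatch reported above can be caught by comparing the status line against the file's real owner and mode instead of trusting the status text. The following is an added example, not part of the issue or of the NemoClaw project; the function names are hypothetical, and it assumes the two input strings are the output of the `shields status` and `stat -c '%U:%G %a'` commands from steps 2 and 3, and that any status line without "Shields: UP" means not locked.

```shell
#!/bin/sh
# Added example: inputs are the strings printed by the issue's own commands.

# config_is_locked "OWNER:GROUP MODE"
# 0 = root:root with no write bits, 1 = mutable, 2 = unparseable input.
config_is_locked() {
    owner_group=${1%% *}
    mode=${1##* }
    case $mode in
        ''|*[!0-7]*) return 2 ;;      # not an octal mode: refuse to guess
    esac
    [ "$owner_group" = "root:root" ] || return 1
    # 0222 is the write bit for user, group and other.
    [ $(( 0$mode & 0222 )) -eq 0 ]
}

# status_claims_up "STATUS LINE": 0 if the CLI reports shields as UP.
status_claims_up() {
    case $1 in
        *"Shields: UP"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_shields "STATUS LINE" "OWNER:GROUP MODE"
# Prints a verdict; returns 0 if consistent, 1 on mismatch, 2 on bad input.
check_shields() {
    locked=0
    config_is_locked "$2" || locked=$?
    if [ "$locked" -gt 1 ]; then
        echo "ERROR: unparseable stat output: $2"; return 2
    fi
    claimed=0
    status_claims_up "$1" || claimed=1
    if [ "$claimed" -eq "$locked" ]; then
        echo "OK: status agrees with file metadata ($2)"
    elif [ "$claimed" -eq 0 ]; then
        echo "MISMATCH: status says UP but config is mutable ($2)"; return 1
    else
        echo "MISMATCH: status is not UP but config is locked ($2)"; return 1
    fi
}

# Constructed sample input, copied from the values quoted in the report.
check_shields "Shields: UP (lockdown active)" "sandbox:sandbox 660" || true
check_shields "Shields: UP (lockdown active)" "root:root 444" || true
```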

Labels

- NV QA (Bugs found by the NVIDIA QA Team)
- area: cli (Command line interface, flags, terminal UX, or output)
- platform: macos (Affects macOS, including Apple Silicon)
