[Nemoclaw][All Platforms][Sandbox] rcf_patch.py missing in NemoClaw blueprint (cannot exercise replaceConfigFile EACCES fail-close test) #3944

@PrachiShevate-nv

Description

The NemoClaw blueprint under ~/.nemoclaw/source/nemoclaw-blueprint has no scripts/rcf_patch.py, so the documented Patch-4 "replaceConfigFile EACCES fail-close" test (corrupt rcf_patch.py and expect ERROR: Patch 4 (replaceConfigFile EACCES) not applied) cannot be executed.

Component area: Sandbox / Policy&Network / Install (sandbox build pipeline & blueprint patches).

Environment

Platform:        DGX Spark / bare-metal host
OS:              Ubuntu 22.04 / 24.04
nemoclaw:        v0.0.46
openshell:       0.0.39
Node.js:         v22.22.3
npm:             10.9.8
Docker:          (not captured)
Install method:  curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
Blueprint path:  ~/.nemoclaw/source/nemoclaw-blueprint

Steps to Reproduce

Preconditions:

  • Fresh NemoClaw install via the official installer:
    curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
  • Onboarding completed at least once so the sandbox base + blueprint are pulled.
  • Blueprint exists at ~/.nemoclaw/source/nemoclaw-blueprint (contains blueprint.yaml, scripts/, policies/, openclaw-plugins/, etc.).

Repro:

  1. Change into the blueprint directory:
    cd ~/.nemoclaw/source/nemoclaw-blueprint
  2. Attempt to back up the Patch-4 script as described in the QA test:
    cp scripts/rcf_patch.py scripts/rcf_patch.py.bak
  3. Inspect the contents of scripts/:
    ls scripts/

Expected Result

The blueprint should include a Python script scripts/rcf_patch.py that implements the replaceConfigFile EACCES patch ("Patch 4"), and the sandbox build pipeline should support a fail-closed test flow:

  1. Back up the patch file:
    cp scripts/rcf_patch.py scripts/rcf_patch.py.bak
  2. Corrupt its verification logic (e.g., change the regex around OPENSHELL_SANDBOX.*EACCES to something that will never match).
  3. Run:
    nemoclaw onboard --recreate-sandbox
  4. Expect the sandbox build to fail non-zero with a clear error like:
    ERROR: Patch 4 (replaceConfigFile EACCES) not applied
    
  5. Restore the original rcf_patch.py and re-run onboarding to confirm the patch and verification pass.

This is intended to validate that the EACCES patch is present and fails closed (never silently turns into a no-op).

Actual Result

scripts/rcf_patch.py is missing. The blueprint's scripts/ directory contains only JS guards:

  • ciao-network-guard.js
  • sandbox-safety-net.js
  • seccomp-guard.js
  • nemotron-inference-fix.js
  • http-proxy-fix.js
  • telegram-diagnostics.js
  • slack-channel-guard.js
  • wechat-diagnostics.js

There is no scripts/rcf_patch.py or any obvious Python equivalent for the replaceConfigFile EACCES fix.

Consequently:

  • Step (b) of the test plan ("corrupt scripts/rcf_patch.py and see ERROR: Patch 4 (replaceConfigFile EACCES) not applied") cannot be performed.
  • QA cannot confirm whether Patch-4 exists at all, has been moved/renamed, or has been fully upstreamed into OpenClaw/OpenShell.

Either the patch script needs to be restored, or the docs/tests must be updated to the new patching mechanism.

Logs

nvidia@spark-dadc:~$ cd ~/.nemoclaw/source/nemoclaw-blueprint
nvidia@spark-dadc:~/.nemoclaw/source/nemoclaw-blueprint$ cp scripts/rcf_patch.py scripts/rcf_patch.py.bak
cp: cannot stat 'scripts/rcf_patch.py': No such file or directory
nvidia@spark-dadc:~/.nemoclaw/source/nemoclaw-blueprint$ ls
blueprint.yaml  model-specific-setup  openclaw-plugins  policies  private-networks.yaml  router  scripts  tsconfig.json
nvidia@spark-dadc:~/.nemoclaw/source/nemoclaw-blueprint$ ls scripts/
ciao-network-guard.js     nemotron-inference-fix.js  seccomp-guard.js          telegram-diagnostics.js
http-proxy-fix.js         sandbox-safety-net.js      slack-channel-guard.js    wechat-diagnostics.js

NVB#6196680
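
The fail-closed flow from the Expected Result section, as an added example: this is not NemoClaw's rcf_patch.py (which the issue reports as missing) and not code from the project. The target snippet, anchor, replacement and function names are constructed assumptions; only the verification regex shape and the error string come from the issue text.

```python
import re
import sys

# Constructed stand-in for the file being patched; the real target is not shown in the issue.
SAMPLE_TARGET = """\
async function replaceConfigFile(path, data) {
  await fs.rename(tmp, path);
}
"""

# Hypothetical anchor and replacement (assumptions, not the project's patch).
ANCHOR = re.compile(r"^([ \t]*)await fs\.rename\(tmp, path\);$", re.M)
REPLACEMENT = (
    r"\1try { await fs.rename(tmp, path); } catch (e) {\n"
    r"\1  if (!(process.env.OPENSHELL_SANDBOX && e.code === 'EACCES')) throw e;\n"
    r"\1}"
)
# Verification regex of the shape quoted in the issue.
VERIFY = r"OPENSHELL_SANDBOX.*EACCES"
ERROR = "ERROR: Patch 4 (replaceConfigFile EACCES) not applied"


class PatchNotApplied(Exception):
    pass


def apply_patch(source, verify=VERIFY):
    """Return the patched text, or raise if the patch did not demonstrably land."""
    patched, hits = ANCHOR.subn(REPLACEMENT, source)
    # Zero hits means upstream drift turned the patch into a no-op; more than
    # one means the anchor is ambiguous. Both are refused, as is a result
    # that does not contain the marker the verifier looks for.
    if hits != 1 or re.search(verify, patched) is None:
        raise PatchNotApplied(ERROR)
    return patched


def main(source=SAMPLE_TARGET, verify=VERIFY):
    """Exit status for a build step: 0 only when patch and verification pass."""
    try:
        apply_patch(source, verify)
    except PatchNotApplied as exc:
        print(exc, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Passing a `verify` pattern that can never match reproduces step 2 of the test plan: the substitution still lands, but the build step returns non-zero.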

Labels: NV QA (Bugs found by the NVIDIA QA Team); area: sandbox (OpenShell sandbox lifecycle, runtime, config, or recovery)
