Description
[Agent-generated issue]
Problem Statement
The issue-4462-scope-upgrade-approval-e2e / run nightly job failed in run #26698759656 at Phase 4 ("Trigger and approve CLI scope upgrade"). The openclaw devices approve command failed with GatewayClientRequestError: scope upgrade pending approval because the sandbox's openclaw wrapper guard only unset OPENCLAW_GATEWAY_URL, leaving OPENCLAW_GATEWAY_PORT and OPENCLAW_GATEWAY_TOKEN in the environment. The OpenClaw CLI falls back to the port-based gateway URL, causing the approval to route through the gateway — which rejects it because the approve command itself requires the scope being upgraded.
Proposed Design
Update the devices approve guard in scripts/nemoclaw-start.sh (line 1872) to unset all three gateway environment variables (OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_PORT, OPENCLAW_GATEWAY_TOKEN) in the subshell, preventing the CLI from reconnecting to the gateway via any fallback path. Update the corresponding unit test in test/nemoclaw-start.test.ts to verify PORT and TOKEN are also cleared.
See fix PR: #4573
Alternatives Considered
- Passing a
--no-gateway flag to openclaw devices approve — the flag does not exist in the current CLI.
- Overriding
OPENCLAW_CONFIG_PATH to point at a config without gateway settings — more invasive and fragile than unsetting the env vars.
Category
test_failure
Reproduction Steps
- Re-run
issue-4462-scope-upgrade-approval-e2e on commit a25b393 via gh workflow run nightly-e2e.yaml --repo NVIDIA/NemoClaw --ref main -f jobs=issue-4462-scope-upgrade-approval-e2e.
- Observe that Phase 4 fails when
openclaw devices approve connects to the gateway despite the guard.
Environment
- OS: Ubuntu 24.04 (GitHub-hosted runner)
- Node.js: 22
- Docker: GitHub Actions runner default
- NemoClaw: commit
a25b3931e1baec20d82eba205f67ccc705e31eb5
- Other: Nightly run ID
26698759656
Debug Output
FAIL: CLI scope upgrade: openclaw devices approve failed for 64c9d4d4-dc21-4790-999a-fa2d2dbabf31:
__URL_BEFORE__=ws://127.0.0.1:18789
__APPROVE_RC__=1
__APPROVE_OUTPUT_BEGIN__
(node:880) [UNDICI-EHPA] Warning: EnvHttpProxyAgent is experimental, expect them to change at any time.
(node:888) [UNDICI-EHPA] Warning: EnvHttpProxyAgent is experimental, expect them to change at any time.
gateway connect failed: GatewayClientRequestError: scope upgrade pending approval
Logs
N/A
Checklist
Suggested Labels (apply manually after triage)
nightly-e2e, auto-diagnosed, ci-failure, VRDC
Description
[Agent-generated issue]
Problem Statement
The
issue-4462-scope-upgrade-approval-e2e / runnightly job failed in run #26698759656 at Phase 4 ("Trigger and approve CLI scope upgrade"). Theopenclaw devices approvecommand failed withGatewayClientRequestError: scope upgrade pending approvalbecause the sandbox'sopenclawwrapper guard only unsetOPENCLAW_GATEWAY_URL, leavingOPENCLAW_GATEWAY_PORTandOPENCLAW_GATEWAY_TOKENin the environment. The OpenClaw CLI falls back to the port-based gateway URL, causing the approval to route through the gateway — which rejects it because the approve command itself requires the scope being upgraded.Proposed Design
Update the
devices approveguard inscripts/nemoclaw-start.sh(line 1872) to unset all three gateway environment variables (OPENCLAW_GATEWAY_URL,OPENCLAW_GATEWAY_PORT,OPENCLAW_GATEWAY_TOKEN) in the subshell, preventing the CLI from reconnecting to the gateway via any fallback path. Update the corresponding unit test intest/nemoclaw-start.test.tsto verify PORT and TOKEN are also cleared.See fix PR: #4573
Alternatives Considered
--no-gatewayflag toopenclaw devices approve— the flag does not exist in the current CLI.OPENCLAW_CONFIG_PATHto point at a config without gateway settings — more invasive and fragile than unsetting the env vars.Category
test_failureReproduction Steps
issue-4462-scope-upgrade-approval-e2eon commita25b393viagh workflow run nightly-e2e.yaml --repo NVIDIA/NemoClaw --ref main -f jobs=issue-4462-scope-upgrade-approval-e2e.openclaw devices approveconnects to the gateway despite the guard.Environment
a25b3931e1baec20d82eba205f67ccc705e31eb526698759656Debug Output
FAIL: CLI scope upgrade: openclaw devices approve failed for 64c9d4d4-dc21-4790-999a-fa2d2dbabf31: __URL_BEFORE__=ws://127.0.0.1:18789 __APPROVE_RC__=1 __APPROVE_OUTPUT_BEGIN__ (node:880) [UNDICI-EHPA] Warning: EnvHttpProxyAgent is experimental, expect them to change at any time. (node:888) [UNDICI-EHPA] Warning: EnvHttpProxyAgent is experimental, expect them to change at any time. gateway connect failed: GatewayClientRequestError: scope upgrade pending approvalLogs
N/A
Checklist
Suggested Labels (apply manually after triage)
nightly-e2e,auto-diagnosed,ci-failure,VRDC