[All Platforms][Policy&Network] Slack resume policy test fails: fake SLACK_* env vars now cause invalid_auth and Slack policy preset is not applied

[PrachiShevate-nv]

Component

• Product: NemoClaw
• Area: Onboard Slack integration + network policy presets (policy-list)

Environment

• Device: Ubuntu 24.04 server
• OS: Ubuntu 24.04, x86_64
• node --version: v22.22.3
• npm --version: 10.9.8
• docker --version: Docker version 29.2.1, build a5c7197
• openshell --version: openshell 0.0.44
• openclaw --version: OpenClaw 2026.5.22 (a374c3a)
• NemoClaw: v0.0.60

Environment vars set before onboarding:

export NVIDIA_API_KEY=...  # valid NVIDIA key
export SLACK_BOT_TOKEN=xoxb-fake-resume-policy-test
export SLACK_APP_TOKEN=xapp-fake-resume-policy-test
export NEMOCLAW_NON_INTERACTIVE=1

No existing sandbox named slack-resume-policy-test (nemoclaw list confirms).

Summary

The test case "slack resume policy test" assumes that fake Slack env vars are sufficient to auto-enable the Slack channel during nemoclaw onboard and that the slack network policy preset will appear as applied (●) in nemoclaw <sandbox> policy-list. In the current NemoClaw build, onboarding calls the Slack API, receives invalid_auth for the fake tokens, prints "Skipped slack (invalid Slack credentials)", and the slack preset does not appear as applied in policy-list. This is a divergence between the spec and the implementation.

Steps to Reproduce

1. Ensure no sandbox named slack-resume-policy-test exists:

nemoclaw list

2. Export the required environment variables with fake Slack tokens:

export NVIDIA_API_KEY=...  # valid
export SLACK_BOT_TOKEN=xoxb-fake-resume-policy-test
export SLACK_APP_TOKEN=xapp-fake-resume-policy-test
export NEMOCLAW_NON_INTERACTIVE=1

3. Run NemoClaw onboard non-interactively:

NEMOCLAW_SANDBOX_NAME=slack-resume-policy-test \
  nemoclaw onboard --non-interactive --yes-i-accept-third-party-software 2>&1 | tee /tmp/slack-onboard.log

4. Observe the "Messaging channels" section in /tmp/slack-onboard.log. Actual output:

[5/8] Messaging channels
...
[non-interactive] Messaging channel inputs detected: slack
✓ slack — already configured
✓ slack app token — already configured
✗ Slack bot token was rejected by Slack API: invalid_auth. Skipped slack (invalid Slack credentials)

5. After onboarding completes, list sandbox policies:

nemoclaw slack-resume-policy-test policy-list

Observe that the slack preset is absent or not marked as applied (●).

Expected Behavior

Per the "Slack resume policy test" specification:

• nemoclaw onboard with the fake Slack env tokens should treat Slack as "auto-enabled via env tokens" without requiring live Slack API validation.
• The slack network policy preset should be applied to the sandbox.
• nemoclaw slack-resume-policy-test policy-list should show a slack preset entry marked as applied (●).

The test spec explicitly expects this to work with fake tokens — no live Slack validation should be needed.

Actual Behavior

Onboarding with the fake tokens produces:

[5/8] Messaging channels
[non-interactive] Messaging channel inputs detected: slack
✓ slack — already configured
✓ slack app token — already configured
✗ Slack bot token was rejected by Slack API: invalid_auth. Skipped slack (invalid Slack credentials)

NemoClaw calls the Slack API and honors the invalid_auth response even for fake test tokens. As a result:

• nemoclaw slack-resume-policy-test policy-list does not show slack as an applied preset.
• Slack is skipped entirely, consistent with invalid credentials — not with the test's expectations.

Impact

• The "Slack resume policy" test as written can no longer pass on current NemoClaw releases, because the product now strictly validates Slack tokens against the Slack API during onboarding.
• Any automated QA or documentation claiming "fake SLACK_* env vars are sufficient to auto-enable Slack and apply the Slack policy" is now misleading.

Possible Resolutions

One of the following needs to change:

Option A — Update the test and docs:

• Clarify that NemoClaw now validates Slack tokens against the Slack API on onboard.
• State that valid Slack tokens are required for Slack to be enabled and for the slack policy preset to be applied.
• Drop or rewrite tests that assume fake tokens are sufficient.

Option B — Introduce a test mode for known fake tokens:

• If SLACK_BOT_TOKEN / SLACK_APP_TOKEN match documented fake test values (e.g., xoxb-fake-resume-policy-test), skip live Slack validation and treat Slack as "present for policy purposes" — enabling policy-list testing in non-networked CI environments.

At minimum, the mismatch between current behavior and the "fake Slack envs" test should be documented, and the test should be either gated behind a real Slack workspace or clearly marked as requiring real tokens.

[abhi-0906]

Looked into this. The current behavior is intentional: NemoClaw validates Slack tokens against the live Slack API during onboard, so placeholder/fake tokens return invalid_auth and the Slack channel is skipped. Because the slack network policy preset is only applied for channels that are actually enabled, a skipped channel also means the slack preset isn't applied — which is why it doesn't show as applied (●) in policy-list.

The "fake-token test mode" the test plan wants already exists: NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION=1 skips the live credential probes (format checks still apply), which lets you exercise Slack setup and the slack policy preset with placeholder tokens in restricted-network or hermetic CI environments.

So this is a documentation gap rather than a code defect. #4986 documents the validation behavior, the consequence for the slack preset, and the skip flag in the Slack onboarding section. The QA repro should either use real tokens or set NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION=1 to test the policy path.