fix(sandbox): resolve OpenClaw workspace templates from installed pac…#3449

Closed
IronLung7 wants to merge 12 commits into NVIDIA:main from IronLung7:fix-workspace-3240

@IronLung7 IronLung7 commented May 13, 2026

…kage

Summary

Fix empty default workspaces when OpenClaw bootstrap is skipped.

NemoClaw sets agents.defaults.skipBootstrap=true to avoid the interactive identity setup turn. OpenClaw normally seeds workspace template files during that bootstrap path, so NemoClaw added its own seeding step. However, the seeder only looked under $(npm root -g)/openclaw/....

In the sandbox, npm root -g can resolve to /tmp/npm-global/lib/node_modules, while the bundled OpenClaw package and templates are installed under /usr/local/lib/node_modules/openclaw. That made the seeder miss the real templates and leave /sandbox/.openclaw/workspace/ empty.

Related Issue

Fixes #3240

Changes

  • Resolve OpenClaw workspace templates from multiple package roots:
    • $(npm root -g)/openclaw
    • /usr/local/lib/node_modules/openclaw
    • the package root inferred from command -v openclaw
  • Support both source and dist template layouts:
    • docs/reference/templates
    • dist/docs/reference/templates
  • Keep the behavior conservative: no synthetic fallback templates are generated if OpenClaw templates are missing.
  • Use the shared sandbox step-down prefix for root-mode seeding.
  • Add regression coverage for default template discovery, binary-root discovery, missing-template behavior, skipBootstrap gating, no-clobber behavior, and symlink refusal.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Leo Zhu lingyuez@nvidia.com

Summary by CodeRabbit

  • Improvements

    • Improved workspace template discovery: searches multiple candidate locations and records attempted paths for better resolution and diagnostics
    • Template seeding now runs via the standard privilege-drop wrapper for safer permission handling
    • Seeding won’t overwrite existing files, refuses symlinked workspaces, and respects explicit bootstrap skip
  • Tests

    • Added comprehensive tests covering template seeding, layout resolution, skip/bootstrap behavior, and safety checks
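
The discovery and seeding rules listed in the description above (several candidate package roots, two template layouts, no synthetic fallback, no clobbering, symlinked workspace refused, BOOTSTRAP.md skipped), as an added example. It is not the code from scripts/nemoclaw-start.sh; the function names, arguments and return codes are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added illustration. Function names and arguments are hypothetical,
# not taken from scripts/nemoclaw-start.sh.

# Print the first templates directory found under the candidate package
# roots given as arguments. On a miss, report every path tried and fail.
find_templates_dir() {
  local root sub tried=""
  for root in "$@"; do
    if [ -z "$root" ]; then continue; fi
    for sub in docs/reference/templates dist/docs/reference/templates; do
      if [ -d "$root/$sub" ]; then
        printf '%s\n' "$root/$sub"
        return 0
      fi
      tried="$tried $root/$sub"
    done
  done
  printf 'no workspace templates found; tried:%s\n' "$tried" >&2
  return 1
}

# seed_workspace WORKSPACE ROOT...
# Returns 0 on success, 1 when no templates exist (nothing is created),
# 2 when the workspace is a symlink, 3 on a filesystem error.
seed_workspace() {
  local workspace="${1%/}" templates_dir f name
  shift
  if [ -L "$workspace" ]; then
    printf 'refusing symlinked workspace: %s\n' "$workspace" >&2
    return 2
  fi
  templates_dir="$(find_templates_dir "$@")" || return 1
  mkdir -p "$workspace" || return 3
  for f in "$templates_dir"/*; do
    # Regular files only; a symlinked template is not followed.
    if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
    name="$(basename "$f")"
    if [ "$name" = "BOOTSTRAP.md" ]; then continue; fi
    # No-clobber: anything already at the target path is left alone.
    if [ -e "$workspace/$name" ] || [ -L "$workspace/$name" ]; then continue; fi
    cp -- "$f" "$workspace/$name" || return 3
  done
  return 0
}
```

The roots are passed in by the caller, so the same function can be exercised against a constructed package tree in a temporary directory.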

copy-pr-bot Bot commented May 13, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai Bot commented May 13, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

seed_default_workspace_templates now probes multiple candidate OpenClaw package roots (global npm root, system path, binary package dir), searches multiple template subpaths, and logs tried locations. Root-mode invocation uses STEP_DOWN_PREFIX_SANDBOX. A Vitest suite validates discovery variants, seeding behavior, safety checks, and the startup invocation.

Changes

Template Seeding Discovery and Execution

| Layer | File(s) | Summary |
|---|---|---|
| Template discovery and seeding logic enhancement | scripts/nemoclaw-start.sh | seed_default_workspace_templates now collects candidate OpenClaw package roots from global npm root -g, packaged /usr/local/..., and resolved binary package dir; searches multiple docs/reference/templates and dist/... subpaths; sets templates_dir on first match and logs tried paths when none found. |
| Privilege step-down invocation update | scripts/nemoclaw-start.sh | Root startup switches from an inline gosu sandbox call to executing seed_default_workspace_templates under the shared STEP_DOWN_PREFIX_SANDBOX wrapper. |
| Test harness and fixtures | test/nemoclaw-start.test.ts | Adds runSeed helper to write isolated openclaw.json and execute the extracted shell function; adds writeTemplates fixture to generate deterministic template files (including BOOTSTRAP.md) for tests. |
| Template layout detection tests | test/nemoclaw-start.test.ts | Validates seeding documented templates (skipping BOOTSTRAP.md), supports both docs/reference/templates and dist/docs/reference/templates layouts via fake npm package trees, and verifies package-root resolution from the openclaw binary path. |
| Behavioral and safety test cases | test/nemoclaw-start.test.ts | Checks behavior when templates are missing (no files created, diagnostic emitted), enforces skipBootstrap flag, preserves existing workspace files (no clobber), refuses to seed symlinked workspace directories, and asserts STEP_DOWN_PREFIX_SANDBOX usage in startup invocation. |
| Telegram diagnostics test stub | test/nemoclaw-start.test.ts | Adds seed_default_workspace_templates_as_sandbox() stub delegating to seed_default_workspace_templates in the Telegram startup test scaffold. |

Sequence Diagram

sequenceDiagram
  participant Seeder as seed_default_workspace_templates
  participant NPM as "npm root (-g)"
  participant SYS as "/usr/local/lib/node_modules/openclaw"
  participant BIN as "openclaw binary package dir"
  Seeder->>NPM: query global npm root
  Seeder->>SYS: probe fixed system package path
  Seeder->>BIN: resolve package dir from openclaw binary
  Seeder->>Seeder: check docs/reference/templates and dist/docs/reference/templates subpaths
  Seeder->>Seeder: set templates_dir on first match or log tried: list

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through npm roots and the binary den,
I traced docs and dist to find templates again.
I left BOOTSTRAP untouched and kept user files whole,
Stepped down to sandbox with a careful soul.
Seeds planted, tests passing — nibble, thump, and stroll.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title mentions resolving OpenClaw workspace templates from installed packages, which aligns with the main change (updating template discovery logic), but is truncated and incomplete. |
| Linked Issues check | ✅ Passed | The PR addresses all coding requirements from issue #3240: resolves templates from multiple package roots, supports both source and dist layouts, implements conservative missing-template behavior, uses shared step-down mechanism, and adds comprehensive regression tests. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the linked issue: updates to sandbox template seeding logic and comprehensive test coverage; no unrelated modifications detected. |


Comment thread scripts/nemoclaw-start.sh
openclaw_pkg_roots+=("/usr/local/lib/node_modules/openclaw")
if openclaw_bin="$(command -v openclaw 2>/dev/null)"; then
openclaw_real="$(readlink -f "$openclaw_bin" 2>/dev/null || printf '%s\n' "$openclaw_bin")"
openclaw_pkg="$(cd "$(dirname "$openclaw_real")/.." 2>/dev/null && pwd -P || true)"
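Review bot: on the `openclaw_pkg=` line, `$(dirname "$openclaw_real")/..` is accepted as the package root without checking that it is one, so when `readlink -f` fails and the fallback leaves `$openclaw_bin` unresolved, or when the entry point is not exactly one directory below the package root, the candidate is an unrelated directory. Because `command -v openclaw` follows `PATH`, this root is also only as trustworthy as the `PATH` in effect when the seeder runs. Consider accepting the candidate only if it contains a `package.json` for openclaw, walking up from `$openclaw_real` if needed, and logging which root was finally chosen so a wrong match is visible in the startup output.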
@wscurran wscurran added integration: openclaw OpenClaw integration behavior fix labels May 13, 2026
@IronLung7 IronLung7 force-pushed the fix-workspace-3240 branch from d860a77 to 32d9125 Compare May 19, 2026 10:02
@IronLung7 IronLung7 force-pushed the fix-workspace-3240 branch from 32d9125 to e39cec4 Compare May 19, 2026 10:02
@jyaunches jyaunches self-requested a review May 20, 2026 12:42
@github-actions

Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 26179700021
Target ref: 90148e61a065c6f1c1ce81a815d51fd3a216b1a8
Workflow ref: main
Requested jobs: cloud-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job Result
cloud-e2e ✅ success

@jyaunches jyaunches added the v0.0.47 Release target label May 20, 2026

@jyaunches jyaunches left a comment

Contributor

Approved after manual E2E advisor review and dispatching required follow-up E2E coverage. Required runs are in progress.

@jyaunches jyaunches enabled auto-merge (squash) May 20, 2026 18:19
@jyaunches

Contributor

Thanks for the contribution. This PR is currently blocked by the repository rule requiring verified commit signatures. I’m going to carry this forward in a maintainer-squashed PR so the fix can land, but for future contributions please configure commit signing so GitHub shows your commits as Verified before opening the PR. See GitHub’s docs for signing commits with GPG, SSH, or S/MIME.

ericksoa pushed a commit that referenced this pull request May 20, 2026
## Summary
Carries forward PR #3449 as a maintainer-signed squash commit so the
sandbox workspace template fix can pass the repository
verified-signature merge rule. The change resolves OpenClaw workspace
templates from the installed package instead of relying on mutable
source checkout paths.

## Related Issue
Fixes #3240

## Changes
- Update `scripts/nemoclaw-start.sh` to resolve workspace templates from
the installed package location.
- Add regression coverage in `test/nemoclaw-start.test.ts` for sandbox
template seeding and step-down wrapper behavior.
- Preserve original author attribution via `Co-authored-by` on the
signed squash commit.

## Type of Change
- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Verification
- [ ] `npx prek run --all-files` passes
- [ ] `npm test` passes
- [x] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [x] Docs updated for user-facing behavior changes
- [ ] `make docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


## Summary by CodeRabbit

* **Improvements**
* More reliable default workspace template discovery and seeding across
installation layouts, including sandboxed start flows; emits clearer
diagnostics when no templates are found.

* **Tests**
* Added comprehensive tests covering template seeding behavior, edge
cases (skip bootstrap, existing content, symlinked workspaces), multiple
template layouts, and sandboxed invocation.

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
cv commented May 21, 2026

Collaborator

Done in #3917

@cv cv closed this May 21, 2026
auto-merge was automatically disabled May 21, 2026 01:12

Pull request was closed

@IronLung7

Author

Thank you @jyaunches

@wscurran wscurran added area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery bug-fix PR fixes a bug or regression and removed fix labels Jun 3, 2026

Development

Successfully merging this pull request may close these issues.

/sandbox/.openclaw/workspace/ is empty
