fix(plugin): register nemoclaw command

[zyang-dev]

Summary

Fixes NemoClaw’s OpenClaw plugin registration so /nemoclaw is reliably available in the TUI. The plugin install now fails loudly during image build, uses OpenClaw 2026.4.24-compatible metadata, and removes scanner-flagged subprocess usage from the gateway-loaded plugin path.

Related Issue

Fixes #2021

Changes

• Install, enable, and inspect the bundled NemoClaw OpenClaw plugin during image build.
• Remove the silent best-effort plugin install path.
• Replace subprocess-based inference probing with a read of the sandbox OpenClaw config.
• Remove subprocess use from runtime context injection.
• Preserve the fallback model catalog when no active model is configured.
• Add/update regression coverage for plugin install failure, metadata compatibility, model resolution, and runtime context behavior.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: zyang-dev 267119621+zyang-dev@users.noreply.github.com

Summary by CodeRabbit

• Bug Fixes

  • Plugin installation now fails the build on install/enable/inspection errors and explicitly verifies plugin enablement.

• Refactor

  • Pinned compatibility to 2026.4.24.
  • Model selection now reads the active model from the gateway config for consistent selection.
  • Runtime context simplified to a synchronous static summary injected before prompts (no dynamic inspection/deltas).

• Tests

  • Added regression test for installation failure and updated tests for model-selection and runtime changes.

[coderabbitai]

📝 Walkthrough

Walkthrough

Reads active model from /sandbox/.openclaw/openclaw.json, uses that model for provider registration, simplifies runtime-context to synchronous static injection, aligns OpenClaw compatibility to 2026.4.24, sets bearer auth id, makes Docker plugin install fail-fast, and updates tests.

Changes

NemoClaw inference model resolution and runtime context refactoring

Layer / File(s)	Summary
Target version alignment nemoclaw/package.json, nemoclaw/src/package-metadata.test.ts	Package configuration and metadata test assertions updated to target OpenClaw API version 2026.4.24.
Config-based inference model resolution nemoclaw/src/index.ts	Replaces live gateway probing with sandbox config reads (/sandbox/.openclaw/openclaw.json); adds readOpenClawPrimaryModel() and refactors activeModelEntries and registeredProviderForConfig to accept an activeModel string; register() uses the sandbox-derived activeModel.
Provider auth and tool-call parsing enhancements nemoclaw/src/index.ts	ProviderAuthMethod gains optional id?: string (registered bearer auth sets id: "bearer"); refactors before-tool-call parsing helpers/type guards to operate on unknown for extraction of toolName and params.
Runtime context static injection and sync API nemoclaw/src/runtime-context.ts	Removes async OpenShell inspection, caching, and deltas; introduces static deny-by-default network/filesystem summary lines and a synchronous getRuntimeSummary() used to prepend a full <nemoclaw-runtime> block in a synchronous before_prompt_build hook.
Runtime context test harness and coverage redesign nemoclaw/src/runtime-context.test.ts	Simplifies mocks to a MockOpenClawPluginApi, narrows tests to static runtime summary, persisted sandbox-name preference, and hook registration assertions.
Register test infrastructure and model-selection coverage nemoclaw/src/register.test.ts	Mocks node:fs.readFileSync reads, adds mockMissingOpenClawConfig(), strengthens provider-registration assertions to verify bearer auth id, and adds tests for sandbox openclaw.json primary model preference with fallbacks.
Container build fail-fast plugin validation Dockerfile, test/fetch-guard-patch-regression.test.ts	Dockerfile now enables and inspects the nemoclaw plugin after install so builds fail on install/registration errors; regression test asserts the install step failure causes the script to exit with the plugin's exit code.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

Integration: OpenClaw, Docker, NemoClaw CLI

Suggested reviewers

• ericksoa
• jyaunches

Poem

🐰 From sandbox files the models leap,
No probes to wake from runtime's sleep,
Bearer id now standing proud,
Builds that fail won't wear a shroud,
Tests hop after — tidy and neat.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.86% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(plugin): register nemoclaw command' directly addresses the main objective of fixing NemoClaw plugin registration and command availability, matching the core purpose of the changeset.
Linked Issues check	✅ Passed	All coding requirements from issue #2021 are addressed: plugin installation/enabling/inspection fail-fast in Dockerfile, metadata updated to OpenClaw 2026.4.24, inference model reading replaces subprocess probing, and tests verify behavior.
Out of Scope Changes check	✅ Passed	All changes directly support fixing the /nemoclaw command registration: Dockerfile enforces plugin setup, version alignment ensures compatibility, model resolution simplifies the codebase, and tests validate the fixes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/openclaw-slash-command-registration

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: cloud-e2e, openclaw-inference-switch-e2e, openclaw-plugin-runtime-exdev-e2e
Optional E2E: cloud-inference-e2e, model-router-provider-routed-inference-e2e, network-policy-e2e

Dispatch hint: cloud-e2e,openclaw-inference-switch-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cloud-e2e (high): Runs the complete install/onboard/sandbox/live OpenClaw user journey, including the production Dockerfile-built sandbox and an OpenClaw-mediated agent turn through inference.local. This is required because the PR changes sandbox image plugin installation and plugin registration behavior.
• openclaw-inference-switch-e2e (high): Validates a running OpenClaw sandbox after nemoclaw inference set: route state, openclaw.json primary model, config hash, gateway continuity, sandbox inference.local, and an OpenClaw agent turn. This directly covers the changed logic that reads the active primary model from openclaw.json instead of probing OpenShell.
• openclaw-plugin-runtime-exdev-e2e (medium): Exercises fresh OpenClaw sandbox onboarding and plugin runtime dependency behavior around the same Dockerfile plugin install/runtime-deps area changed by this PR. It is the closest existing regression guard for plugin install/runtime-deps failures in a real sandbox.

Optional E2E

• cloud-inference-e2e (medium): Useful narrower confidence check for install plus live sandbox inference.local routing. It overlaps with cloud-e2e but is a focused signal for inference-path regressions.
• model-router-provider-routed-inference-e2e (medium): Adjacent coverage for provider-routed inference through inference.local. Useful because the plugin provider registration shape and auth metadata changed, but not as directly targeted as openclaw-inference-switch-e2e.
• network-policy-e2e (high): Optional confidence that real network policy enforcement remains intact after the runtime context was simplified to static deny-by-default messaging. The changed code affects prompt context, not policy enforcement itself.

New E2E recommendations

• OpenClaw plugin installation and command registration (high): Existing E2E coverage appears to exercise sandbox boot and OpenClaw turns, but there is no dedicated real-sandbox assertion that openclaw plugins install, openclaw plugins enable nemoclaw, openclaw plugins inspect nemoclaw --json, and the /nemoclaw runtime command are all available in the active Gateway after boot.
  • Suggested test: Add an OpenClaw plugin install/enable smoke E2E that onboards a sandbox from the production Dockerfile and asserts plugin inspect output plus /nemoclaw status in the live OpenClaw command path.
• runtime context injection (medium): runtime-context.ts was substantially rewritten, but current E2E tests found do not appear to assert that a real OpenClaw agent turn receives the NemoClaw runtime context block with sandbox name and deny-by-default network/filesystem guidance.
  • Suggested test: Add a runtime-context-injection E2E using a deterministic/mock model or trace hook to prove the live before_prompt_build hook injects <nemoclaw-runtime> content in a real sandbox.
• plugin provider catalog active-model sync (medium): The plugin now reads the active primary model from openclaw.json rather than probing openshell inference get; existing inference switch E2E verifies config and live requests but may not verify the plugin-registered model catalog/banner reflects the switched model.
  • Suggested test: Extend an OpenClaw inference switch or diagnostics E2E to inspect the registered plugin/provider model catalog or banner/status after a model switch and assert it reflects the openclaw.json primary model.

Dispatch hint

• Workflow: .github/workflows/nightly-e2e.yaml
• jobs input: cloud-e2e,openclaw-inference-switch-e2e

[coderabbitai]

🧹 Nitpick comments (2)

Dockerfile (1)

412-414: Run the Dockerfile E2E matrix before merge.

Given this is an image-build/runtime contract change, please run the recommended jobs to validate behavior in real container execution paths:

gh workflow run nightly-e2e.yaml --ref <branch> -f jobs=cloud-e2e,sandbox-survival-e2e,hermes-e2e,rebuild-openclaw-e2e

As per coding guidelines, “Layer ordering, permissions, and baked config changes are only testable with a real container build.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 412 - 414, Run the Dockerfile E2E matrix before
merging: trigger the nightly-e2e workflow for this branch with the jobs
cloud-e2e, sandbox-survival-e2e, hermes-e2e, and rebuild-openclaw-e2e and verify
in actual container runs that the Dockerfile steps invoking "openclaw plugins
install /opt/nemoclaw", "openclaw plugins enable nemoclaw", and "openclaw
plugins inspect nemoclaw --json" complete successfully (no errors, correct exit
codes, and expected inspection output), and fix any failures (permissions,
missing files, or runtime differences) found during those real container
builds/executions.

nemoclaw/src/register.test.ts (1)

34-39: ⚡ Quick win

Make the missing-config mock path-scoped and ENOENT-shaped.

mockMissingOpenClawConfig() currently throws a generic error for every readFileSync call. That can mask unrelated file reads and doesn’t emulate a real “missing file” condition for openclaw.json.

Proposed patch

 const mockedReadFileSync = vi.mocked(readFileSync);
+const defaultReadFileSyncImpl = mockedReadFileSync.getMockImplementation();
 const mockedLoadOnboardConfig = vi.mocked(loadOnboardConfig);

 function mockMissingOpenClawConfig(): void {
   mockedReadFileSync.mockReset();
-  mockedReadFileSync.mockImplementation(() => {
-    throw new Error("openclaw config unavailable");
+  mockedReadFileSync.mockImplementation((path, options) => {
+    if (String(path).endsWith("openclaw.json")) {
+      const err = new Error("openclaw config unavailable") as NodeJS.ErrnoException;
+      err.code = "ENOENT";
+      throw err;
+    }
+    return defaultReadFileSyncImpl
+      ? defaultReadFileSyncImpl(path as never, options as never)
+      : ("" as ReturnType<typeof readFileSync>);
   });
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw/src/register.test.ts` around lines 34 - 39, Change
mockMissingOpenClawConfig to only throw a file-not-found (ENOENT) error for the
openclaw.json path instead of throwing for every read; capture the real
readFileSync (e.g. originalReadFileSync) and use
mockedReadFileSync.mockImplementation((path, ...args) => { if
(String(path).includes('openclaw.json')) throw Object.assign(new Error("openclaw
config unavailable"), { code: 'ENOENT' }); return originalReadFileSync(path,
...args); }); so unrelated reads still work and code that checks error.code ===
'ENOENT' will behave correctly; keep the function name mockMissingOpenClawConfig
and mockedReadFileSync in place.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@Dockerfile`:
- Around line 412-414: Run the Dockerfile E2E matrix before merging: trigger the
nightly-e2e workflow for this branch with the jobs cloud-e2e,
sandbox-survival-e2e, hermes-e2e, and rebuild-openclaw-e2e and verify in actual
container runs that the Dockerfile steps invoking "openclaw plugins install
/opt/nemoclaw", "openclaw plugins enable nemoclaw", and "openclaw plugins
inspect nemoclaw --json" complete successfully (no errors, correct exit codes,
and expected inspection output), and fix any failures (permissions, missing
files, or runtime differences) found during those real container
builds/executions.

In `@nemoclaw/src/register.test.ts`:
- Around line 34-39: Change mockMissingOpenClawConfig to only throw a
file-not-found (ENOENT) error for the openclaw.json path instead of throwing for
every read; capture the real readFileSync (e.g. originalReadFileSync) and use
mockedReadFileSync.mockImplementation((path, ...args) => { if
(String(path).includes('openclaw.json')) throw Object.assign(new Error("openclaw
config unavailable"), { code: 'ENOENT' }); return originalReadFileSync(path,
...args); }); so unrelated reads still work and code that checks error.code ===
'ENOENT' will behave correctly; keep the function name mockMissingOpenClawConfig
and mockedReadFileSync in place.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8158d254-1444-4679-916c-5a072c67c040

📥 Commits

Reviewing files that changed from the base of the PR and between 5a03166 and ce1c354.

📒 Files selected for processing (8)

• Dockerfile
• nemoclaw/package.json
• nemoclaw/src/index.ts
• nemoclaw/src/package-metadata.test.ts
• nemoclaw/src/register.test.ts
• nemoclaw/src/runtime-context.test.ts
• nemoclaw/src/runtime-context.ts
• test/fetch-guard-patch-regression.test.ts

[cjagwani]

Approving — clean fix that targets the root cause from cr7258's analysis (OpenClaw scanner rejecting child_process in gateway-loaded plugin code).

Notes for the record:

• Pin alignment looks correct: 2026.4.24 matches nemoclaw-blueprint/blueprint.yaml:7 and agents/openclaw/manifest.yaml:22; the prior 2026.5.10-beta.1 in nemoclaw/package.json was inconsistent.
• Fail-fast RUN at Dockerfile:405-419 + the regression test at test/fetch-guard-patch-regression.test.ts:62-86 lock in the loud-failure behavior so #2021 can't silently regress again.
• Config-read fallback chain in nemoclaw/src/index.ts:200-238 (live openclaw.json → onboard config → hardcoded default) is the right shape; debug-logged read failures will surface in support bundles.

CodeRabbit nitpick (register.test.ts:34-39 path-scoped ENOENT mock) is already addressed in commit 2ed9809a — no further action needed there.

Optional pre-merge: trigger nightly-e2e for extra Dockerfile-matrix coverage, but per-platform e2e + sandbox image builds are already green.

One acceptance gap worth flagging in the v0.0.46 QA pass: no direct test asserts /nemoclaw appears in TUI autocomplete (issue #2021's literal expected result). Build-time install/enable/inspect succeeding is a strong proxy, but manual TUI verification is still warranted at release time.

[coderabbitai]

🧹 Nitpick comments (1)

Dockerfile (1)

402-404: Verify the fix with recommended E2E tests.

The fail-fast plugin installation correctly ensures /nemoclaw command registration happens at build time. To confirm this resolves the TUI slash-command issue (#2021) and doesn't regress existing flows, run the E2E test suites recommended for Dockerfile changes.

As per coding guidelines, run the following E2E tests on this branch:

gh workflow run nightly-e2e.yaml --ref fix/openclaw-slash-command-registration -f jobs=cloud-e2e,sandbox-survival-e2e,hermes-e2e,rebuild-openclaw-e2e

Expected results:

• cloud-e2e: Onboard + cloud inference completes without plugin registration errors
• sandbox-survival-e2e: Gateway restart does not lose the /nemoclaw command
• hermes-e2e: Hermes agent onboard + inference works with the plugin enabled
• rebuild-openclaw-e2e: Workspace state survives rebuild and /nemoclaw remains registered

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 402 - 404, The Dockerfile change ensures the
nemoclaw plugin is installed/enabled at build time using the openclaw CLI
(openclaw plugins install /opt/nemoclaw, openclaw plugins enable nemoclaw,
openclaw plugins inspect nemoclaw), so validate this by running the recommended
E2E workflows: execute the GitHub Actions command to run nightly-e2e.yaml for
jobs cloud-e2e, sandbox-survival-e2e, hermes-e2e, rebuild-openclaw-e2e (as
provided) and confirm cloud-e2e completes without plugin registration errors,
sandbox-survival-e2e preserves the /nemoclaw command across gateway restarts,
hermes-e2e allows Hermes agent onboard+inference with the plugin, and
rebuild-openclaw-e2e preserves workspace state and the /nemoclaw registration.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@Dockerfile`:
- Around line 402-404: The Dockerfile change ensures the nemoclaw plugin is
installed/enabled at build time using the openclaw CLI (openclaw plugins install
/opt/nemoclaw, openclaw plugins enable nemoclaw, openclaw plugins inspect
nemoclaw), so validate this by running the recommended E2E workflows: execute
the GitHub Actions command to run nightly-e2e.yaml for jobs cloud-e2e,
sandbox-survival-e2e, hermes-e2e, rebuild-openclaw-e2e (as provided) and confirm
cloud-e2e completes without plugin registration errors, sandbox-survival-e2e
preserves the /nemoclaw command across gateway restarts, hermes-e2e allows
Hermes agent onboard+inference with the plugin, and rebuild-openclaw-e2e
preserves workspace state and the /nemoclaw registration.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0492602d-a062-46ed-95a9-934df40111b5

📥 Commits

Reviewing files that changed from the base of the PR and between 2ed9809 and 8bb4ad4.

📒 Files selected for processing (1)

• Dockerfile