feat(onboard): bake secondary agents via NEMOCLAW_EXTRA_AGENTS_JSON #4653

Merged: cv merged 6 commits into main from feat-extra-agents-bake on Jun 2, 2026

@laitingsheng laitingsheng commented Jun 2, 2026

Summary

Adds NEMOCLAW_EXTRA_AGENTS_JSON so operators can bake one or more OpenClaw secondary agents into the sandbox openclaw.json at onboard time, alongside the canonical primary main agent. The bake always emits agents.list with { id: "main", default: true } first and operator-supplied entries appended after it, so secondary agents cannot displace the primary agent as the default.

Related Issue

Closes #4560.
Closes #4562 — complementary to #4560.

Changes

  • scripts/generate-openclaw-config.mts: validate NEMOCLAW_EXTRA_AGENTS_JSON_B64 — id regex, reserved-id main rejection, duplicate-id rejection, resolve()-based containment under /sandbox/.openclaw/ (rejects .. traversal), required per-agent tools allow/deny policy, required subagents.maxSpawnDepth, no default: true overrides. Always emit agents.list with the canonical main entry first.
  • src/lib/onboard/dockerfile-patch.ts: read process.env.NEMOCLAW_EXTRA_AGENTS_JSON and base64-encode the raw payload into ARG NEMOCLAW_EXTRA_AGENTS_JSON_B64. The host-side stage does not parse or shape-check the JSON, so the build-time validator in scripts/generate-openclaw-config.mts remains the single source of truth for structured validation errors.
  • Dockerfile: declare ARG NEMOCLAW_EXTRA_AGENTS_JSON_B64=W10= and promote it to ENV, matching the NEMOCLAW_*_B64 convention.
  • test/generate-openclaw-config.test.ts: cases for default-only emission, append-after-main, main reservation, default: true rejection, duplicate-id rejection, id-regex enforcement, absolute-path and dot-segment traversal rejection, required-tools enforcement, required-subagents enforcement, and primary-agent-default regression with extras present.
  • src/lib/onboard/dockerfile-patch-extra-agents.test.ts: focused test file covering valid-payload encoding, empty-default preservation, and raw-payload passthrough so malformed input reaches the build-time validator instead of being silently dropped on the host.
  • docs/reference/commands.mdx: row pointer plus a new "Extra OpenClaw agents" subsection documenting the field schema, path constraints, validation rules, and an example payload.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Tinson Lai tinsonl@nvidia.com

Summary by CodeRabbit

  • New Features

    • Support injecting additional secondary OpenClaw agents into the built agent list via a new build-time / runtime variable; primary "main" agent remains first/default.
  • Documentation

    • Added a detailed schema and validation rules for extra agent entries (required fields, exact sandbox path constraints, tools/subagents rules, prohibited keys, and build-failure behavior), plus examples.
  • Tests

    • Added extensive tests covering config baking, validation, Dockerfile handling, and regressions.
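
The validation rules listed in the PR description, and the dot-segment bypass of a `startsWith` containment check raised later in this thread, as an added example that is not the project's code. The function names, error strings, the assumed `tools` shape (at least one of `allow`/`deny`, each a string array), the non-negative-integer reading of `maxSpawnDepth` and the sample payload are assumptions made here.

```typescript
// Added example: hypothetical names, not the project's validator.
const AGENT_DATA_ROOT = "/sandbox/.openclaw/";
const ID_RE = /^[a-z][a-z0-9_-]*$/;

type ToolsPolicy = { allow?: string[]; deny?: string[] };
type BakedAgent = {
  id: string; default?: boolean; workspace?: string; agentDir?: string;
  tools?: ToolsPolicy; subagents?: { maxSpawnDepth: number };
};

// Collapse "." and ".." segments of an absolute POSIX path (import-free
// stand-in for path.posix.resolve).
function normalizeAbsolute(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Prefix test on the raw string: accepts dot-segment escapes.
const naiveContained = (p: string): boolean => p.startsWith(AGENT_DATA_ROOT);
// Normalize first, then test the normalized path for containment.
const contained = (p: string): boolean =>
  p.startsWith("/") && normalizeAbsolute(p).startsWith(AGENT_DATA_ROOT);

const isRecord = (v: unknown): v is Record<string, unknown> =>
  typeof v === "object" && v !== null && !Array.isArray(v);
const isStringArray = (v: unknown): v is string[] =>
  Array.isArray(v) && v.every((x) => typeof x === "string");

// Validate the operator payload; return agents.list with main pinned first.
function bakeAgentsList(rawJson: string): BakedAgent[] {
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawJson);
  } catch (err) {
    throw new Error("extra agents: payload is not valid JSON");
  }
  if (!Array.isArray(parsed)) throw new Error("extra agents: payload must be a JSON array");
  const seen = new Set<string>();
  const list: BakedAgent[] = [{ id: "main", default: true }];
  for (let i = 0; i < parsed.length; i++) {
    const entry: unknown = parsed[i];
    const at = `extra agents[${i}]`;
    if (!isRecord(entry)) throw new Error(`${at}: entry must be an object`);
    const { id, workspace, agentDir, tools, subagents } = entry;
    if (typeof id !== "string" || id.length > 32 || !ID_RE.test(id))
      throw new Error(`${at}: invalid id`);
    if (id === "main") throw new Error(`${at}: id "main" is reserved`);
    if (seen.has(id)) throw new Error(`${at}: duplicate id "${id}"`);
    seen.add(id);
    if (entry.default === true) throw new Error(`${at}: default: true is not allowed`);
    if (typeof workspace !== "string" || !contained(workspace))
      throw new Error(`${at}: workspace must be under ${AGENT_DATA_ROOT}`);
    if (typeof agentDir !== "string" || !contained(agentDir))
      throw new Error(`${at}: agentDir must be under ${AGENT_DATA_ROOT}`);
    // Assumed shape: at least one of allow/deny, each an array of strings.
    const allow = isRecord(tools) ? tools.allow : undefined;
    const deny = isRecord(tools) ? tools.deny : undefined;
    if (allow === undefined && deny === undefined)
      throw new Error(`${at}: tools allow/deny policy is required`);
    if ((allow !== undefined && !isStringArray(allow)) || (deny !== undefined && !isStringArray(deny)))
      throw new Error(`${at}: tools.allow and tools.deny must be string arrays`);
    const depth = isRecord(subagents) ? subagents.maxSpawnDepth : undefined;
    if (typeof depth !== "number" || !Number.isInteger(depth) || depth < 0)
      throw new Error(`${at}: subagents.maxSpawnDepth is required`);
    // Rebuild from allowlisted fields only; unknown keys never reach the output.
    const policy: ToolsPolicy = {};
    if (isStringArray(allow)) policy.allow = allow;
    if (isStringArray(deny)) policy.deny = deny;
    list.push({ id, workspace: normalizeAbsolute(workspace), agentDir: normalizeAbsolute(agentDir),
      tools: policy, subagents: { maxSpawnDepth: depth } });
  }
  return list;
}

// Returns the validator's error message, or null when the payload is accepted.
function rejectionReason(rawJson: string): string | null {
  try {
    bakeAgentsList(rawJson);
    return null;
  } catch (err) {
    return err instanceof Error ? err.message : String(err);
  }
}

// Constructed sample payload; tool names and the apiKey field are placeholders.
const SAMPLE_PAYLOAD = JSON.stringify([{
  id: "research",
  workspace: "/sandbox/.openclaw/workspace-research",
  agentDir: "/sandbox/.openclaw/agents/research",
  tools: { allow: ["read"], deny: ["exec"] },
  subagents: { maxSpawnDepth: 0 },
  apiKey: "constructed-not-a-real-secret",
}]);
console.log(JSON.stringify(bakeAgentsList(SAMPLE_PAYLOAD), null, 2));
```

The containment check here is prefix-based after normalization; the approving review further down describes a stricter match against exact per-agent slots.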

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

coderabbitai Bot commented Jun 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5481f23a-38eb-4a27-b660-d7fd1bab2b4b

📥 Commits

Reviewing files that changed from the base of the PR and between 981c56e and 3ee9b5d.

📒 Files selected for processing (3)
  • docs/reference/commands.mdx
  • scripts/generate-openclaw-config.mts
  • test/generate-openclaw-config.test.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • scripts/generate-openclaw-config.mts
  • docs/reference/commands.mdx
  • test/generate-openclaw-config.test.ts

📝 Walkthrough

Walkthrough

Adds support for baking secondary OpenClaw agents via NEMOCLAW_EXTRA_AGENTS_JSON: Docker ARG/ENV, onboard Dockerfile patching, config generation/validation that prepends canonical main agent, tests, and documentation.

Changes

Secondary Agents Feature

| Layer / File(s) | Summary |
|---|---|
| Docker build argument infrastructure: Dockerfile | Define NEMOCLAW_EXTRA_AGENTS_JSON_B64 build ARG (base64-encoded empty array default) and promote it to image ENV for script access. |
| Onboard-time Dockerfile patching: src/lib/onboard/dockerfile-patch.ts, src/lib/onboard/dockerfile-patch-extra-agents.test.ts | Read NEMOCLAW_EXTRA_AGENTS_JSON from process.env, base64-encode non-empty payloads, and rewrite staged Dockerfile ARG NEMOCLAW_EXTRA_AGENTS_JSON_B64 line; preserve default when unset/empty; passthrough malformed inputs for build-time validation. |
| Config generation and validation: scripts/generate-openclaw-config.mts, test/generate-openclaw-config.test.ts | Decode and validate extras: reserve main, enforce ID uniqueness/regex, require absolute /sandbox/.openclaw/-scoped workspace/agentDir, forbid default: true on extras, require tools policy and subagents.maxSpawnDepth, filter to allowlisted fields, and prepend canonical primary agent to agents.list. Tests cover ordering, validation, path constraints, tools/subagents rules, canonicalization, and field stripping. |
| Documentation: docs/reference/commands.mdx | Document NEMOCLAW_EXTRA_AGENTS_JSON, per-entry JSON schema, validation rules, rejection behavior, and example payload. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

Docker, Sandbox

Suggested reviewers

  • cv

Poem

🐰 I nibble code by soft moonlight,
I bake agents in base64 bright,
I validate each id and path,
I prepend main to do the math,
Now agents hop in sandboxed delight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 6.25% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding support for baking secondary agents via NEMOCLAW_EXTRA_AGENTS_JSON environment variable into the onboard process. |
| Linked Issues check | ✅ Passed | All code changes directly address the requirements from #4560 (secondary agents support) and #4562 (canonical main agent preservation). Validation, encoding, and baking mechanisms are fully implemented across all modified files. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to implementing the NEMOCLAW_EXTRA_AGENTS_JSON feature. The Dockerfile, encoding logic, validation rules, tests, and documentation are all within the defined objectives. |

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

# Conflicts:
#	docs/reference/commands.mdx

github-actions Bot commented Jun 2, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
docs/reference/commands.mdx (1)

1391-1391: ⚡ Quick win

Split this table description into one sentence per source line.

This row currently packs multiple sentences into one source line, which hurts reviewability and violates docs formatting rules.

As per coding guidelines, "One sentence per line in source (makes diffs readable). Flag paragraphs where multiple sentences appear on the same line."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/commands.mdx` at line 1391, The table cell for
NEMOCLAW_EXTRA_AGENTS_JSON is currently one long source line—split it so each
sentence is its own source line (one-sentence-per-line rule). Break the content
into separate sentences such as: 1) "NEMOCLAW_EXTRA_AGENTS_JSON is a JSON array
of OpenClaw secondary-agent entries." 2) "It adds secondary agents to
agents.list in the built OpenClaw config." 3) "Each entry requires id (1-32
chars, matching ^[a-z][a-z0-9_-]*$, not main), workspace, and agentDir." 4)
"Both workspace and agentDir must be absolute paths under /sandbox/.openclaw/."
5) "Operators must supply per-agent tools policies and subagents.maxSpawnDepth;
nothing is implicitly granted." 6) "The canonical main entry is always written
first with default: true so secondary agents cannot displace it." 7) "Malformed
JSON or invalid entries fail the image build with a structured error." Ensure
each of the above sentences occupies its own source line in the docs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/generate-openclaw-config.mts`:
- Around line 521-529: The current containment check uses
pathValue.startsWith(AGENT_DATA_ROOT) which can be bypassed with dot segments;
first normalize the incoming path before any containment checks (e.g., use
path.posix.normalize or path.resolve to collapse "."/".." segments), then
validate the normalizedPath is absolute and verify it is under AGENT_DATA_ROOT
(ensure consistent trailing slash handling) before throwing the existing error;
update the checks around pathValue, AGENT_DATA_ROOT, and the error throws (refer
to variables pathValue, normalizedPath, AGENT_DATA_ROOT and the surrounding
validation logic in scripts/generate-openclaw-config.mts) so the normalized path
is what's tested for containment.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6a9589c5-f0e0-41c4-89b1-244cc0051025

📥 Commits

Reviewing files that changed from the base of the PR and between c8df6ae and 7a12d9c.

📒 Files selected for processing (6)
  • Dockerfile
  • docs/reference/commands.mdx
  • scripts/generate-openclaw-config.mts
  • src/lib/onboard/dockerfile-patch.test.ts
  • src/lib/onboard/dockerfile-patch.ts
  • test/generate-openclaw-config.test.ts

Comment thread scripts/generate-openclaw-config.mts

github-actions Bot commented Jun 2, 2026

PR Review Advisor

Findings: 0 needs attention, 3 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 2 still apply, 0 new items found

Review findings

🛠️ Needs attention

  • None.

🔎 Worth checking

  • Source-of-truth review needed: test/generate-openclaw-config.test.ts local simulation of OpenClaw `resolveDefaultAgentId`: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: The test comment says `The authoritative resolver still lives in the openclaw npm package`; previous advisor review flagged the same source-of-truth risk and it still applies.
  • Validate baked secondary-agent semantics through OpenClaw's actual loader/resolver (test/generate-openclaw-config.test.ts:1229): The PR now strongly validates and emits the intended JSON shape, but it still does not exercise the pinned OpenClaw runtime boundary that interprets that shape. This leaves the linked issue clause that `tools.allow`/`deny` and `subagents.maxSpawnDepth` are honored by OpenClaw only partially proven, and keeps a security-relevant policy boundary as a local schema assumption.
    • Recommendation: Add or reference a targeted runtime/integration validation that loads the generated `openclaw.json` through the pinned OpenClaw package or CLI and verifies the secondary agent is recognized, `main` remains the default via OpenClaw's resolver, and the tool policy plus spawn-depth policy are enforced.
    • Evidence: Issue feat: support secondary agents via NEMOCLAW_EXTRA_AGENTS_JSON #4560 says `Per-agent maxSpawnDepth: 0 and explicit deny lists should be expressible in the JSON and honored by OpenClaw's agent loader.` The tests assert generated JSON shape and locally compute default selection, but no changed test loads the config through OpenClaw itself.
  • Source-of-truth review needed for local `resolveDefaultAgentId` simulation (test/generate-openclaw-config.test.ts:1229): The regression test models OpenClaw's default-agent resolver in NemoClaw test code even though the test comments state that the authoritative resolver lives in the OpenClaw npm package. If OpenClaw changes resolver semantics, this test can continue passing while NemoClaw bakes a config that behaves differently at runtime.
    • Recommendation: Either exercise the real resolver from the pinned OpenClaw runtime or document the invalid state, source boundary, source-fix constraint, regression test, and removal condition for keeping this local simulation.
    • Evidence: The test named `matches OpenClaw's resolveDefaultAgentId fallback shape for the baked list` computes `list.find((entry) => entry.default === true)?.id ?? list[0]?.id` locally and comments that the authoritative resolver still lives in the OpenClaw npm package.

🌱 Nice ideas

  • None.

This is an automated advisory review. A human maintainer must make the final merge decision.

github-actions Bot commented Jun 2, 2026

E2E Advisor Recommendation

Required E2E: runtime-overrides-e2e, openclaw-onboard-security-posture-e2e
Optional E2E: cloud-onboard-e2e, rebuild-openclaw-e2e, network-policy-e2e

Dispatch hint: runtime-overrides-e2e,openclaw-onboard-security-posture-e2e

Auto-dispatched E2E: runtime-overrides-e2e, openclaw-onboard-security-posture-e2e via nightly-e2e.yaml at 85522529700921fb35d8a57802bb399d8d476a12 (nightly run)

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • runtime-overrides-e2e (medium): Builds the real OpenClaw Docker image from this Dockerfile and reads the generated /sandbox/.openclaw/openclaw.json through the runtime entrypoint path, giving fast E2E coverage that the new ARG/ENV wiring and default agents.list shape do not break image build or config hash behavior.
  • openclaw-onboard-security-posture-e2e (high): Runs a full OpenClaw install/onboard/live-agent flow with non-root/security-posture assertions. This is merge-blocking because the PR changes OpenClaw agent config generation and security-sensitive agent path/tool validation.

Optional E2E

  • cloud-onboard-e2e (high): Useful adjacent confidence for the public installer/onboard path and sandbox health/security checks after changing staged Dockerfile patching, but the required security-posture full flow already covers the core OpenClaw onboard path.
  • rebuild-openclaw-e2e (high): Optional regression coverage for rebuild preserving OpenClaw state/config after changes to generated openclaw.json shape. Valuable if maintainers are concerned about agents.list interacting with rebuild/config-hash migration.
  • network-policy-e2e (high): Optional because the new secondary-agent schema includes per-agent tool allow/deny policy, but existing network-policy E2E does not explicitly configure extra agents.

New E2E recommendations

  • extra OpenClaw agents onboard path (high): No existing E2E appears to set NEMOCLAW_EXTRA_AGENTS_JSON during nemoclaw onboard, then verify the baked sandbox openclaw.json contains main first plus a valid secondary agent and that the secondary workspace/agentDir are provisioned correctly.
    • Suggested test: Add an OpenClaw extra-agents E2E that exports a valid NEMOCLAW_EXTRA_AGENTS_JSON payload, runs non-interactive onboard, asserts agents.list ordering/default semantics, canonical paths, config hash, and a main-agent live turn still succeeds.
  • extra OpenClaw agents negative build validation (medium): Unit tests cover malformed payloads, but there is no live image-build E2E proving an invalid NEMOCLAW_EXTRA_AGENTS_JSON fails onboard/build with actionable diagnostics rather than silently producing a sandbox.
    • Suggested test: Add a negative E2E or regression E2E case that sets an invalid secondary-agent payload and asserts nemoclaw onboard fails during image build with the structured validator error.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: runtime-overrides-e2e,openclaw-onboard-security-posture-e2e

github-actions Bot commented Jun 2, 2026

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw
Optional scenario E2E: ubuntu-repo-openai-compatible-openclaw, wsl-repo-cloud-openclaw

Dispatch required scenario E2E:

  • gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • ubuntu-repo-cloud-openclaw: OpenClaw Docker image build/config generation and onboarding Dockerfile patching changed. The Ubuntu repo cloud OpenClaw scenario is the primary non-special-runner path that builds from the current branch, runs OpenClaw onboarding, and validates the resulting sandbox/config through smoke, inference, credentials, and baseline onboarding suites.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional scenario E2E

  • ubuntu-repo-openai-compatible-openclaw: Optional adjacent OpenClaw onboarding path using the OpenAI-compatible provider. It can provide extra coverage that the new agents.list/default-agent config shape does not regress non-NVIDIA-compatible provider onboarding, but the primary changed surface is already exercised by the required cloud OpenClaw scenario.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-openai-compatible-openclaw
  • wsl-repo-cloud-openclaw: Optional special-runner coverage for the same OpenClaw cloud onboarding/build surface under WSL. Useful if maintainers want platform confidence, but not required because the change is not WSL-specific.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=wsl-repo-cloud-openclaw

Relevant changed files

  • Dockerfile
  • scripts/generate-openclaw-config.mts
  • src/lib/onboard/dockerfile-patch.ts

github-actions Bot commented Jun 2, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26804857751
Target ref: 7d51961c747a2cc02d1018b6f24f9eb2608cd0ef
Workflow ref: main
Requested jobs: cloud-e2e,runtime-overrides-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| cloud-e2e | ✅ success |
| runtime-overrides-e2e | ✅ success |

…uild

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
src/lib/onboard/dockerfile-patch.ts (1)

263-266: ⚡ Quick win

Consider wrapping the base64-encoded value with sanitizeDockerArg for consistency and defense-in-depth.

All other base64-encoded JSON args in this file use encodeSanitizedDockerJsonArg or at least sanitizeDockerArg to strip \r\n characters before Docker ARG interpolation (lines 115, 210, 216, 222, 228, 234, 240, 250). While base64 output is inherently safe (alphanumeric + / + = only), applying sanitizeDockerArg maintains the established pattern and provides defense-in-depth.

🔄 Suggested consistency fix
-    const encoded = Buffer.from(extraAgentsRaw, "utf8").toString("base64");
+    const encoded = sanitizeDockerArg(
+      Buffer.from(extraAgentsRaw, "utf8").toString("base64")
+    );
     dockerfile = dockerfile.replace(
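Review bot: Keep `sanitizeDockerArg` on the encoded value, as the `+` lines do, and never move it onto `extraAgentsRaw`, because the PR description relies on the host-side stage passing the raw payload through untouched so that malformed input reaches the build-time validator. Since this comment itself notes that base64 output carries no CR/LF, the wrapper cannot change the value today, so the change is worth pairing with an assertion in src/lib/onboard/dockerfile-patch-extra-agents.test.ts that the rewritten `ARG NEMOCLAW_EXTRA_AGENTS_JSON_B64=` line stays a single line and decodes back to the exact input. If `encodeSanitizedDockerJsonArg` is used for parity instead, first confirm it accepts a raw string without parsing or re-serializing it, otherwise the passthrough behaviour is lost.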
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/dockerfile-patch.ts` around lines 263 - 266, Wrap the base64
value assigned to ARG NEMOCLAW_EXTRA_AGENTS_JSON_B64 with the existing
sanitization helper instead of inserting `encoded` raw; locate the `encoded`
variable and the `dockerfile.replace` call that sets `ARG
NEMOCLAW_EXTRA_AGENTS_JSON_B64=...` and pass the value through
`sanitizeDockerArg` (or use `encodeSanitizedDockerJsonArg` for parity with other
JSON args) before interpolation so it follows the same defense-in-depth pattern
as the other ARG insertions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: edbf2cfd-f377-481b-9653-7baad3b1812d

📥 Commits

Reviewing files that changed from the base of the PR and between 7d51961 and 4f405b9.

📒 Files selected for processing (6)
  • Dockerfile
  • docs/reference/commands.mdx
  • scripts/generate-openclaw-config.mts
  • src/lib/onboard/dockerfile-patch-extra-agents.test.ts
  • src/lib/onboard/dockerfile-patch.ts
  • test/generate-openclaw-config.test.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • docs/reference/commands.mdx
  • scripts/generate-openclaw-config.mts
  • Dockerfile

github-actions Bot commented Jun 2, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26806681061
Target ref: 4f405b9905ed8ea1a3078ba578a12c351ef26d98
Workflow ref: main
Requested jobs: cloud-e2e,runtime-overrides-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| cloud-e2e | ✅ success |
| runtime-overrides-e2e | ✅ success |

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Comment thread scripts/generate-openclaw-config.mts Fixed
… agents

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

github-actions Bot commented Jun 2, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26809278439
Target ref: 3ee9b5d7ffce81191be4ef48bd2108d2a07216ac
Workflow ref: main
Requested jobs: runtime-overrides-e2e,openclaw-onboard-security-posture-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| openclaw-onboard-security-posture-e2e | ✅ success |
| runtime-overrides-e2e | ✅ success |

@prekshivyas prekshivyas left a comment

APPROVE. Reviewed the env-driven agent bake end-to-end.

Validation is solid (generate-openclaw-config.mts:224-299): id allowlisted by regex, main reserved and always pinned first with default:true (fixes #4562), paths are resolve()-normalized and matched against the exact canonical /sandbox/.openclaw/workspace-<id> and agents/<id> slots (dot-segment traversal rejected), and a strict per-level key allowlist drops any credential-like field — the baked entry is rebuilt from scratch, never copied from raw input. Confirmed the canonical paths match what provision_agent_workspaces in nemoclaw-start.sh actually parses, and the bare main entry is handled by the if (workspace)/if (agentDir) guards in migration-state.ts (no phantom host root). Using /sandbox/.openclaw/ over the issue's proposed .openclaw-data/ is the correct deviation.

Tests cover the negative space well (malformed, traversal, dup, reserved id, smuggled secrets, default-displacement regression); docs in commands.mdx cover schema, path constraints, and prohibited keys. CI green on 3ee9b5d; both CodeRabbit/CodeQL threads resolved. Resolves #4560, #4562.

Non-blocking nit: a whitespace-only NEMOCLAW_EXTRA_AGENTS_JSON is dropped host-side and never reaches the validator (dockerfile-patch.ts:501) — defensible as "empty == no extras," worth a one-line note if intentional.

Signed-off-by: Prekshi Vyas prekshiv@nvidia.com

@prekshivyas prekshivyas self-assigned this Jun 2, 2026

github-actions Bot commented Jun 2, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26833892971
Target ref: 85522529700921fb35d8a57802bb399d8d476a12
Workflow ref: main
Requested jobs: runtime-overrides-e2e,openclaw-onboard-security-posture-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| openclaw-onboard-security-posture-e2e | ✅ success |
| runtime-overrides-e2e | ✅ success |

@cv cv merged commit 9007184 into main Jun 2, 2026
29 checks passed
@cv cv deleted the feat-extra-agents-bake branch June 2, 2026 18:26
@wscurran wscurran added feature PR adds or expands user-visible functionality and removed enhancement: feature labels Jun 3, 2026
cv pushed a commit that referenced this pull request Jun 3, 2026
## Summary
- Add the missing `v0.0.57` release-notes section with links to the
detailed docs pages for command, inference, onboarding, messaging,
status, installer, and policy changes.
- Remove public references to docs-skip terms from source docs and
regenerate the NemoClaw user skills from the current Fern MDX docs.
- Carry forward generated references for the per-agent documentation
split, including Hermes-specific reference files.

## Source summary
- #4615 and #4653 -> `docs/about/release-notes.mdx`,
`docs/reference/commands.mdx`: Release notes now cover host-side
`sessions` and `agents` commands plus `NEMOCLAW_EXTRA_AGENTS_JSON`
secondary-agent baking.
- #4163, #4204, #4611, #4619, and #4676 ->
`docs/about/release-notes.mdx`,
`docs/inference/use-local-inference.mdx`: Release notes now cover
managed vLLM progress/readiness, DGX Spark model default changes, local
Ollama streaming usage, and inference route divergence warnings.
- #4267, #4601, #4609, #4642, #4645, and #4661 ->
`docs/about/release-notes.mdx`, `docs/reference/commands.mdx`: Release
notes now cover UFW auto-remediation, local-inference reachability
gates, gateway reuse/binding, cancel rollback, and policy selection
persistence.
- #4577, #4582, #4607, and #4660 -> `docs/about/release-notes.mdx`,
`docs/manage-sandboxes/messaging-channels.mdx`: Release notes now cover
Slack validation, atomic `channels add`, WhatsApp QR diagnostics, and
Slack placeholder normalization.
- #4388, #4600, #4646, and #4647 -> `docs/about/release-notes.mdx`,
`docs/reference/commands.mdx`: Release notes now cover status failure
layers, paused-container hints, Docker-driver doctor behavior, and
non-destructive stale-registry recovery.
- #4569, #4579, and #4678 -> `docs/about/release-notes.mdx`,
`docs/manage-sandboxes/lifecycle.mdx`,
`docs/network-policy/integration-policy-examples.mdx`: Release notes now
cover installer tag pinning, PyPI `uv` policy access, and observable
Jira validation.
- #4632 -> `.agents/skills/`: Regenerated user skills from the current
per-agent docs source, including newly generated Hermes reference files.

## Verification
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix
nemoclaw-user --doc-platform fern-mdx`
- `rg "permissive mode|shields down|shields up|shields status|config
rotate-token|rotate-token" docs --glob "*.mdx"`
- `rg "permissive mode|shields down|shields up|shields status|config
rotate-token|rotate-token" .agents/skills --glob "*.md"`
- `npm run docs`
- `npm run build:cli`
- Commit hooks: markdownlint, docs-to-skills verification, gitleaks,
skills YAML, commitlint

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Restructured documentation to clearly distinguish OpenClaw and Hermes
agent variants throughout user guides.
* Enhanced security, credential storage, and deployment guidance with
clearer setup flows.
  * Added Hermes plugin installation and ecosystem documentation.
* Improved workspace, messaging, and policy management references with
variant-specific command examples.
  * Refined troubleshooting and CLI reference sections for clarity.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Labels

  • feature (PR adds or expands user-visible functionality)
  • integration: openclaw (OpenClaw integration behavior)
  • v0.0.57 (Release target)
