perf(onboard): honor .dockerignore for custom --from build contexts

[amata-human]

Summary

Honors .dockerignore when staging custom onboard --from <Dockerfile> build contexts. This reduces unnecessary context copying while preserving NemoClaw’s built-in secret/path exclusions.

Related Issue

Fixes #4679

Changes

• Added a .dockerignore-aware custom build-context filter for custom Dockerfile onboarding.
• Reused the same effective filter for context size calculation and fs.cpSync staging.
• Kept NemoClaw’s secret denylist stronger than .dockerignore negation rules.
• Added focused tests for missing .dockerignore, excludes, negation, rooted patterns, and custom Dockerfile staging behavior.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Angel Mata amata@nvidia.com

Summary by CodeRabbit

• New Features

  • Added support for .dockerignore files when using custom Dockerfiles during onboarding, enabling users to exclude build artifacts from Docker context staging.

• Documentation

  • Updated installation and onboarding guides to explain .dockerignore handling and clarify that security exclusions for credential-like paths are enforced regardless of .dockerignore rules.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

Worried about impact? Review this PR in Change Stack to explore blast radius before you approve or request changes.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d6d4ef70-6a7b-4ca2-8bf4-c6a6267d04de

📥 Commits

Reviewing files that changed from the base of the PR and between 5d842e6 and 8de2d68.

📒 Files selected for processing (3)

• docs/reference/commands-nemohermes.mdx
• docs/reference/commands.mdx
• src/lib/onboard.ts

✅ Files skipped from review due to trivial changes (2)

• docs/reference/commands-nemohermes.mdx
• docs/reference/commands.mdx

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/onboard.ts

---

📝 Walkthrough

Walkthrough

This PR adds .dockerignore support to custom Dockerfile build contexts in the onboarding flow. A new filter reads and parses .dockerignore rules from the Dockerfile parent directory, applies them alongside NemoClaw's existing secret denylist (which takes precedence), and integrates the same predicate into both context size calculation and file staging. Tests validate filter behavior and integration, and documentation clarifies the security model to users.

Changes

Honor .dockerignore rules in custom build contexts

Layer / File(s)	Summary
Core .dockerignore filter logic src/lib/onboard/custom-build-context.ts	New createCustomBuildContextFilter(buildContextDir) function that reads .dockerignore, parses glob patterns (supporting negation, directory-only, comments), normalizes paths to Dockerignore semantics, and combines .dockerignore matching with NemoClaw's secret denylist to produce include/exclude decisions.
Onboard context staging with filter src/lib/onboard.ts	Creates a reusable shouldIncludeCustomContextPath predicate via createCustomBuildContextFilter and passes it to both collectBuildContextStats() for sizing and fs.cpSync(..., { filter }) for file transfer during --from custom Dockerfile onboarding.
Filter logic and integration tests test/onboard-custom-dockerfile.test.ts	Unit tests for createCustomBuildContextFilter covering missing .dockerignore, pattern exclusion, negation ordering, rooted vs nested paths, and denylist precedence. Extended --from integration test adds .dockerignore-controlled files and asserts staged-context inclusion/exclusion per rules.
Documentation: .dockerignore behavior and secret safety docs/deployment/install-openclaw-plugins.mdx, docs/manage-sandboxes/install-plugins-hermes.mdx, docs/reference/commands-nemohermes.mdx, docs/reference/commands.mdx	Updated onboarding and plugin installation docs to explain .dockerignore is now honored, clarify NemoClaw's secret denylist override for credential paths even if .dockerignore would include them, provide guidance to place .dockerignore alongside custom Dockerfiles, and warn against relying on .dockerignore for credential inclusion.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

Docker, fix

Suggested reviewers

• cv
• prekshivyas

🐰 Hop, skip, and Docker-ignore—your build context flies light!
Secret denylists stand firm, no negation tricks will fight,
NemoClaw keeps your credentials tight,
While respecting your patterns just right! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 8.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: honoring .dockerignore semantics in custom build context staging for the onboard --from command.
Linked Issues check	✅ Passed	The PR successfully implements all key objectives from issue #4679: parses and honors .dockerignore rules, preserves NemoClaw's secret denylist as higher priority, uses the same filter for size calculation and copying, and includes comprehensive documentation updates and tests.
Out of Scope Changes check	✅ Passed	All changes directly address issue #4679 requirements: new .dockerignore filtering logic, reuse in onboard.ts, documentation updates covering the behavior, and tests validating .dockerignore parsing, negation, and precedence rules.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 4679-perfonboard-honor-dockerignore-for-custom---from-build-contexts

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-4868.docs.buildwithfern.com/nemoclaw

[github-actions]

E2E Advisor Recommendation

Required E2E: openclaw-plugin-runtime-exdev-e2e
Optional E2E: cloud-onboard-e2e, hermes-secret-boundary-e2e

Dispatch hint: openclaw-plugin-runtime-exdev-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• openclaw-plugin-runtime-exdev-e2e (high; live Docker sandbox onboarding with NVIDIA API key): This is the closest existing live E2E for the changed path: it runs nemoclaw onboard --agent openclaw --from "$REPO/Dockerfile", forcing custom Dockerfile build-context staging under Docker and then validating the resulting sandbox/plugin runtime. It should catch regressions where the new .dockerignore filtering breaks real --from onboarding.

Optional E2E

• cloud-onboard-e2e (high; live install/onboard with Docker and NVIDIA API key): Useful broad confidence that normal install and cloud onboarding still works after touching shared onboard.ts, although it does not specifically exercise --from build-context staging.
• hermes-secret-boundary-e2e (high; builds/inspects Hermes sandbox images): Adjacent confidence for Hermes sandbox secret-boundary behavior because the PR documents Hermes plugin custom build contexts and changes secret-exclusion semantics. This does not directly validate nemohermes --from staging.

New E2E recommendations

• custom-dockerfile-dockerignore-staging (high): Existing unit coverage mocks/stages the filter, and openclaw-plugin-runtime-exdev exercises --from with the repository Dockerfile, but there is no focused live E2E that creates a dedicated custom build directory with a .dockerignore, negated non-secret files, and negated credential-like files, then verifies the built sandbox image contains only the expected staged files.
  • Suggested test: Add a focused E2E script for nemoclaw onboard --from <temp-build-dir>/Dockerfile that uses a fixture .dockerignore to exclude directories/globs, re-include a safe file, attempt to re-include secrets, and verify from inside the sandbox that safe included files exist while ignored and credential-like files do not.
• nemohermes-custom-dockerfile-build-context (medium): The changed code is shared by NemoHermes onboarding and the PR updates Hermes plugin docs, but no existing E2E appears to exercise nemohermes onboard --from with .dockerignore handling.
  • Suggested test: Add a NemoHermes custom Dockerfile onboarding E2E that bakes a trivial Hermes plugin/marker file using a dedicated build context and validates .dockerignore plus credential-safety behavior.

Dispatch hint

• Workflow: .github/workflows/regression-e2e.yaml
• jobs input: openclaw-plugin-runtime-exdev-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw, ubuntu-repo-cloud-hermes
Optional scenario E2E: wsl-repo-cloud-openclaw, macos-repo-cloud-openclaw

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw
• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: medium

Required scenario E2E

• ubuntu-repo-cloud-openclaw: Onboarding implementation changed in src/lib/onboard.ts and src/lib/onboard/custom-build-context.ts. This is the primary Ubuntu repo-current OpenClaw scenario that exercises the standard onboarding path and verifies the CLI/sandbox smoke and baseline onboarding contract.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw
• ubuntu-repo-cloud-hermes: The changed onboarding code is shared by NemoClaw/Hermes onboarding, and the PR updates Hermes --from documentation. This scenario is the primary Ubuntu repo-current Hermes onboarding coverage.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes

Optional scenario E2E

• wsl-repo-cloud-openclaw: Optional adjacent platform coverage for the shared onboarding flow on WSL. Useful because the custom build-context code mentions unreadable files visible in WSL, but no scenario route directly exercises custom --from Dockerfile staging.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=wsl-repo-cloud-openclaw
• macos-repo-cloud-openclaw: Optional adjacent platform coverage for CLI/onboarding readiness on macOS. It is not a primary target because hosted macOS skips Docker-dependent sandbox onboarding suites.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=macos-repo-cloud-openclaw

Relevant changed files

• src/lib/onboard.ts
• src/lib/onboard/custom-build-context.ts

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Top item: PR review advisor unavailable

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• PR review advisor unavailable: The automated advisor could not complete: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor/pr-review-advisor-raw-output.txt
  • Recommendation: Re-run the PR Review Advisor or perform a manual review.
  • Evidence: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor/pr-review-advisor-raw-output.txt

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — Add or identify targeted runtime/integration validation for the changed behavior; do not report external E2E job pass/fail here.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: docs/deployment/install-openclaw-plugins.mdx, docs/manage-sandboxes/install-plugins-hermes.mdx, docs/reference/commands-nemohermes.mdx, docs/reference/commands.mdx, src/lib/onboard.ts, src/lib/onboard/custom-build-context.ts.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard.ts`:
- Around line 3277-3280: Collapse the multi-line call to
collectBuildContextStats into a single-line statement to remove one net line:
replace the current const buildContextStats = collectBuildContextStats(
buildContextDir, shouldIncludeCustomContextPath, ); with a single-line call like
const buildContextStats = collectBuildContextStats(buildContextDir,
shouldIncludeCustomContextPath); so it still uses the same symbols
(collectBuildContextStats, buildContextDir, shouldIncludeCustomContextPath,
buildContextStats) but reduces file length by one line.

In `@src/lib/onboard/custom-build-context.ts`:
- Around line 116-127: The code incorrectly treats leading slashes as an
"anchored" flag; Docker semantics strip leading slashes so `/foo` and `foo` are
equivalent. In parseDockerignoreRule() stop setting anchored =
pattern.startsWith("/") (always clear the leading slashes and set anchored =
false) or remove/ignore the anchored flag entirely, and update
matchesDockerignoreRule() to not use the anchored flag when deciding matches
(use the normalized pattern and dockerignoreGlobToRegex result instead) so
patterns match nested paths the same way Docker does.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1fc97b17-318b-48a8-b720-058c982a85c5

📥 Commits

Reviewing files that changed from the base of the PR and between 3090c4d and e88eb6e.

📒 Files selected for processing (7)

• docs/deployment/install-openclaw-plugins.mdx
• docs/manage-sandboxes/install-plugins-hermes.mdx
• docs/reference/commands-nemohermes.mdx
• docs/reference/commands.mdx
• src/lib/onboard.ts
• src/lib/onboard/custom-build-context.ts
• test/onboard-custom-dockerfile.test.ts

[wscurran]

✨ Thanks for submitting this proposed fix to honor .dockerignore for custom --from build contexts, which reduces unnecessary context copying while preserving NemoClaw’s built-in secret/path exclusions. This proposes a bug fix in the onboarding and performance areas that affects the packaging of custom Dockerfile build contexts.

---

Related open issues:

• #4679 perf(onboard): honor .dockerignore for custom --from build contexts