fix(sandbox): stage patch-openclaw-slack-deny-feedback.mts in build context

[jyaunches]

Summary

Nightly E2E run 27154074940 lost 48 of 67 jobs to a single root cause: every E2E job that exercises onboard/install died at the same Dockerfile step with

COPY failed: file not found in build context: stat
scripts/patch-openclaw-slack-deny-feedback.mts: file does not exist

PR #4933 added scripts/patch-openclaw-slack-deny-feedback.mts and the matching COPY line in Dockerfile, but did not register the new file in stageOptimizedSandboxBuildContext (src/lib/sandbox/build-context.ts). The optimized staging path hand-copies a curated set of files into a temp build context — its two existing siblings (patch-openclaw-tool-catalog.js, patch-openclaw-chat-send.js) are listed there explicitly. The new .mts patch was missed, so docker build couldn't see it.

PR #4933 itself was green because PR-time builds were satisfied by other paths or cached layers; the gap only showed up when nightly built from main against the staged context.

Change

• src/lib/sandbox/build-context.ts: stage patch-openclaw-slack-deny-feedback.mts next to its siblings.
• test/sandbox-build-context.test.ts: extend the fixture + assertion so any future drop of this file is caught locally before it can take down nightly.
• test/sandbox-build-context.test.ts: parse staged Dockerfile COPY scripts/... lines and verify every referenced script exists in the optimized staged context, folding in the broader guard from fix(sandbox): stage Slack deny-feedback patch script #4971.

Validation

• npx vitest run test/sandbox-build-context.test.ts → 7/7 passing locally.
• GitHub PR checks on updated head 7fca86f78 are green, including build-sandbox-images, build-sandbox-images-arm64, unit-vitest-linux, cli-tests, and downstream self-hosted smoke jobs.
• After merge, rerun nightly-e2e.yaml (or gh run rerun 27154074940 --failed). A single onboard-stage job clearing Dockerfile step 23 confirms all 48 failures are resolved.

Follow-up (suggested, not in this PR)

The two-place duplication (Dockerfile COPY + hand-listed staging) is the structural cause of this incident. This PR now adds a contract test for that duplication; a future cleanup could still drive the staged list from a glob (scripts/patch-openclaw-*.{js,mts}) or shared manifest.

cc @yimoj (PR #4933 author).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c650b6e5-353d-4a92-801b-eade8c9395ce

📥 Commits

Reviewing files that changed from the base of the PR and between 9a738e0 and 08f9926.

📒 Files selected for processing (2)

• src/lib/sandbox/build-context.ts
• test/sandbox-build-context.test.ts

---

📝 Walkthrough

Walkthrough

The PR ensures that patch-openclaw-slack-deny-feedback.mts is included in the optimized sandbox build context by adding a file-copy operation during staging, updating the test fixture to create the source file, and extending the staging test to assert file presence.

Changes

Script staging in build context

Layer / File(s)	Summary
Script file copying and test validation src/lib/sandbox/build-context.ts, test/sandbox-build-context.test.ts	The optimized sandbox staging logic now copies patch-openclaw-slack-deny-feedback.mts from source scripts/ into the staged directory. The test fixture generates the source file, and a new assertion verifies the staged file exists.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4933: Introduces the patch-openclaw-slack-deny-feedback.mts compatibility patch that is now included in the sandbox build context staging via this PR.

Suggested labels

integration: slack, area: sandbox, bug-fix, v0.0.61

Suggested reviewers

• prekshivyas

Poem

🐰 A script hops into the sandbox with care,
Patch and copy, tested everywhere!
From source to stage, no file left behind,
Build context clean—precision refined! 🎯

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change: staging a specific file in the build context to resolve a Docker build failure.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/slack-deny-build-context

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: cloud-e2e
Optional E2E: messaging-providers-e2e, test-e2e-sandbox

Dispatch hint: cloud-e2e

Auto-dispatched E2E: cloud-e2e via nightly-e2e.yaml at 7fca86f78bc42304bceccb561174ab05f57b5b37 — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cloud-e2e (medium-high; real Docker sandbox build plus NVIDIA endpoint inference): Validates the full install → onboard → sandbox create → inference user journey from source. This is the most direct existing E2E coverage for optimized sandbox build-context staging because onboard invokes stageOptimizedSandboxBuildContext before building the sandbox image.

Optional E2E

• messaging-providers-e2e (medium; creates messaging sandbox with fake provider tokens): Useful adjacent confidence because the newly staged file is the OpenClaw Slack denied-feedback patch, and this suite includes fake-token Slack provider coverage plus denied explicit @mention feedback assertions. Not merge-blocking because the PR only stages the script, and cloud-e2e should catch the Docker COPY/build failure mode.
• test-e2e-sandbox (medium; requires self-hosted Docker image build artifact): Adjacent sandbox image/runtime smoke for the production image and sandbox test image. It does not specifically exercise the optimized staged build context, but it can catch Dockerfile/script-copy and sandbox runtime regressions around the same image assets.

New E2E recommendations

• sandbox-build-context (medium): There is no focused low-cost E2E/integration job that stages the optimized sandbox build context and runs a Docker build directly. The full cloud E2E catches this but is expensive and includes unrelated inference/onboarding work.
  • Suggested test: Add a focused optimized sandbox build-context Docker build smoke that calls stageOptimizedSandboxBuildContext on the repo, builds using the staged Dockerfile/context, and verifies all Dockerfile COPY script targets are present.

Dispatch hint

• Workflow: .github/workflows/nightly-e2e.yaml
• jobs input: cloud-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw-slack
Optional scenario E2E: None

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-slack

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• ubuntu-repo-cloud-openclaw-slack: The optimized sandbox build context now stages scripts/patch-openclaw-slack-deny-feedback.mts, an OpenClaw Slack-related script copied by the Dockerfile. The Ubuntu repo OpenClaw Slack scenario exercises repo-current Docker sandbox build/start plus the messaging-slack validation surface affected by this staged script.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-slack

Optional scenario E2E

• None.

Relevant changed files

• src/lib/sandbox/build-context.ts

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 0 still apply, 0 new items found

Consider writing more tests for

• **Runtime validation** — Validate that an optimized build context produced from the real repository can progress through all Dockerfile `COPY scripts/...` steps without missing-source errors, without reporting external E2E job pass/fail here.. The added unit/invariant coverage is well targeted for the missing-file regression. Because this code prepares sandbox/Docker build contexts, runtime validation would further increase confidence that optimized staging satisfies Docker build COPY behavior in an actual build path.
• **Runtime validation** — If Dockerfile `COPY` syntax later changes, add coverage that recognizes flagged or JSON-array `COPY` forms so the staging invariant does not silently miss required script sources.. The added unit/invariant coverage is well targeted for the missing-file regression. Because this code prepares sandbox/Docker build contexts, runtime validation would further increase confidence that optimized staging satisfies Docker build COPY behavior in an actual build path.
• **Acceptance clause:** `npx vitest run test/sandbox-build-context.test.ts` → 7/7 passing locally. — add test evidence or identify existing coverage. This read-only review did not execute tests. Code inspection shows the added assertions directly target the changed behavior.
• **Acceptance clause:** After merge, rerun `nightly-e2e.yaml` (or `gh run rerun 27154074940 --failed`). A single onboard-stage job clearing Dockerfile step 23 confirms all 48 failures are resolved. — add test evidence or identify existing coverage. External workflow reruns and E2E status are outside this advisor review surface. Code evidence shows the optimized context now includes the file required by the existing Dockerfile `COPY` instruction.
• **Acceptance clause:** The two-place duplication (`Dockerfile` `COPY` + hand-listed staging) is the structural cause of this incident. Worth considering driving the staged list from a glob (`scripts/patch-openclaw-*.{js,mts}`) or shared manifest, plus a check that every `COPY scripts/patch-openclaw-*` token in `Dockerfile` is satisfied by `prepareBuildContext()` output. Happy to file as a separate issue. — add test evidence or identify existing coverage. The PR does not replace the hand-listed staging list with a glob or shared manifest, but it does add a broader invariant that parses the staged Dockerfile's current simple-form `COPY scripts/...` lines and checks each source exists in the optimized build context. The PR text frames the glob/shared-manifest work as suggested follow-up, not in-scope acceptance for this narrow fix.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27155279333
Target ref: 08f992699022581bf63cc31045a679ff4678231d
Workflow ref: main
Requested jobs: cloud-onboard-e2e
Summary: 0 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	⚠️ cancelled

[cv]

Folded in the stronger regression guard from #4971 in commit 7fca86f: the build-context test now parses staged Dockerfile COPY scripts/... entries and verifies every referenced script exists in the optimized staged context. That keeps this PR's incident writeup/first-fix branch and #4971's broader drift protection in one place.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27155288425
Target ref: 08f992699022581bf63cc31045a679ff4678231d
Workflow ref: main
Requested jobs: cloud-e2e,onboard-repair-e2e,openclaw-skill-cli-e2e,messaging-providers-e2e
Summary: 4 passed, 0 failed, 0 skipped

Job	Result
cloud-e2e	✅ success
messaging-providers-e2e	✅ success
onboard-repair-e2e	✅ success
openclaw-skill-cli-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27156172292
Target ref: 7fca86f78bc42304bceccb561174ab05f57b5b37
Workflow ref: main
Requested jobs: cloud-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
cloud-e2e	✅ success