fix(sandbox): restore mutable OpenClaw config perms after raw in-sandbox doctor --fix (#4538)

[yimoj]

Summary

A raw connect-shell openclaw doctor --fix (run directly inside a mutable sandbox, outside any NemoClaw wrapper) enforces OpenClaw's single-user 700/600 layout, tightening /sandbox/.openclaw and openclaw.json back from the NemoClaw mutable contract (2770 setgid + group-writable dir, 660 config). That blocks the gateway UID — a member of the sandbox group — from persisting config. This fixes the missed path at the always-on in-sandbox openclaw() guard so the contract is restored after the raw command, even when doctor exits nonzero.

Related Issue

Fixes #4538

Changes

• Always-on in-sandbox restore. The emitted openclaw() guard function (written into /tmp/nemoclaw-proxy-env.sh, sourced by every interactive/login sandbox shell) now calls a new _nemoclaw_restore_mutable_config_perms helper after every routed openclaw command, re-asserting 2770 dir / 660 config (+ .config-hash). PR fix(sandbox): preserve mutable OpenClaw config perms after doctor --fix (#4538) #4610 only repaired this via host-side wrapper commands (nemoclaw doctor --fix, rebuild, startup), none of which run after the raw in-sandbox path the reporter used.
• Safe by construction. The helper skips when shields are up (config dir root-owned, so the lock is never weakened), is a no-op fast path when the contract already holds, and strips group-write from the read-only recovery baseline that the recursive chmod could otherwise loosen in rootless mode.
• Survives nonzero exit. Errexit is dropped around the guarded call (mirroring the existing devices approve branch) so a nonzero doctor --fix exit — the exact reported failure (EACCES on a root-locked shell init file) — cannot abort the guard before the restore runs.
• Tests. Regression tests for the helper (restore, shields-up no-op, errexit survival, baseline protection) and a real-image reporter-workflow E2E (test/repro-4538-raw-doctor-perms.test.ts) that sources the actual emitted guard, runs raw openclaw doctor --fix in a NemoClaw sandbox image, and asserts the contract is restored. The E2E is gated behind NEMOCLAW_RUN_DOCTOR_PERMS_DOCKER_E2E=1 so it runs where docker + the image are available.

Type of Change

• Code change (feature, bug fix, or refactor)

Verification

• npm test passes locally (the only failures were 14 pre-existing, load-induced 5s-timeout flakes in unrelated CLI --help oclif-dispatch tests, e.g. test/cli/snapshot-shields.test.ts; they do not touch this change). All CI checks are green: ShellCheck, static-checks, 5 cli-test-shards, plugin-tests, build-typecheck, CodeQL, macos/wsl-e2e, dco-check, codebase-growth-guardrails.
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed

Reporter-workflow E2E evidence

The exact reported workflow — connect to a mutable sandbox, source the always-on guard (as /etc/bash.bashrc does on connect), run the raw in-sandbox openclaw doctor --fix — was reproduced end-to-end against a real NemoClaw sandbox image (nemoclaw-production:latest), as the sandbox user.

• Test: test/repro-4538-raw-doctor-perms.test.ts
• Env / command: NEMOCLAW_RUN_DOCTOR_PERMS_DOCKER_E2E=1 npx vitest run test/repro-4538-raw-doctor-perms.test.ts

=== BEFORE (baseline mutable contract) ===
/sandbox/.openclaw           2770 sandbox:sandbox
/sandbox/.openclaw/openclaw.json  660 sandbox:sandbox
=== reporter cmd: raw `openclaw doctor --fix` ===
(without the fix this leaves: dir 700 sandbox:sandbox, openclaw.json 600 sandbox:sandbox)
=== AFTER (with the always-on openclaw() guard) ===
/sandbox/.openclaw           2770 sandbox:sandbox
/sandbox/.openclaw/openclaw.json  660 sandbox:sandbox
RESULT dir=2770 file=660
PASS: mutable contract (2770/660) restored after raw openclaw doctor --fix

The before-fix regression (dir→700, file→600) was also reproduced directly in the same image without the guard sourced, confirming the gap. Additional non-docker regression tests in the same file cover the restore helper, shields-up no-op, errexit survival on a nonzero doctor --fix, and recovery-baseline protection.

---

Signed-off-by: Yimo Jiang yimoj@nvidia.com

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds _nemoclaw_restore_mutable_config_perms to the runtime guard and updates the guard's openclaw() wrapper to invoke the restore helper after every in-sandbox openclaw run, preserving exit codes and prior errexit state; includes unit tests and a gated Docker E2E validating permission restoration and baseline invariants.

Changes

Mutable config permission restoration after openclaw doctor --fix

Layer / File(s)	Summary
Permission restoration helper and guard wrapper scripts/nemoclaw-start.sh	Adds _nemoclaw_restore_mutable_config_perms (skips when config dir is root-owned; otherwise normalizes directory setgid/group rwx and file modes and strips group-write from openclaw.json.nemoclaw-baseline) and updates openclaw() to capture exit status, call the helper unconditionally, restore prior errexit state, and return the original exit code.
Unit helpers and tests test/repro-4538-raw-doctor-perms.test.ts	Adds utilities to extract the guard block and compute POSIX modes, creates a simulated tightened 700/600 tree, and unit-tests: restoring permissions after tightening, noop when shields up (root-owned), preserving nonzero openclaw exit codes while restoring permissions, preventing an errexit gap, and ensuring the baseline remains non-group-writable.
Gated Docker-based E2E validation test/repro-4538-raw-doctor-perms.test.ts	Optional Docker E2E (enabled via NEMOCLAW_RUN_DOCTOR_PERMS_DOCKER_E2E=1) that injects the guard into a sandbox image, runs openclaw doctor --fix, and asserts /sandbox/.openclaw and /sandbox/.openclaw/openclaw.json end at 2770 and 660.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4715: Related changes to scripts/nemoclaw-start.sh handling of .config-hash and mutable config startup behavior.

Suggested labels

fix, area: sandbox, integration: openclaw, bug-fix

Suggested reviewers

• cv
• cjagwani

🐰 A tiny rabbit hopped into the shell,
found doctor fixes that tightened the well.
It planted a guard and adjusted the perms,
so sandbox and gateway can both take turns.
Now configs are safe — hop, patch, and quell.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly summarizes the main change: fixing mutable OpenClaw config permission restoration after raw in-sandbox doctor --fix, directly addressing issue #4538.
Linked Issues check	✅ Passed	The PR fully addresses the core coding requirements from issue #4538: it implements permission restoration after openclaw doctor --fix, preserves group-writable contract in mutable mode, and includes comprehensive unit/E2E tests.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the stated objective: shell script modifications for permission restoration and corresponding test coverage; no unrelated alterations present.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}