fix(onboard): update gateway rootfs guard#5269

Merged: cv merged 1 commit into main from fix/gateway-upgrade-rootfs-guard on Jun 12, 2026

@sandl99 sandl99 commented Jun 12, 2026

Summary

Update the OpenShell gateway upgrade E2E regression guard after the Dockerfile patch flow moved out of src/lib/onboard.ts. The guard now checks the helper that actually passes the macOS VM-rootfs compatibility flag.

Changes

  • Make the disabled darwinVmCompat value explicit in src/lib/onboard/sandbox-dockerfile-patch-flow.ts.
  • Update test/e2e/test-openshell-gateway-upgrade.sh to assert the new helper location instead of the old onboard.ts comment.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

Targeted checks run locally before push:

  • npx vitest run src/lib/onboard/sandbox-dockerfile-patch-flow.test.ts
  • bash -n test/e2e/test-openshell-gateway-upgrade.sh
  • npx @biomejs/biome lint src/lib/onboard/sandbox-dockerfile-patch-flow.ts src/lib/onboard/sandbox-dockerfile-patch-flow.test.ts
  • git diff --check

Full npx prek run --all-files and npm test were deferred; branch was pushed with --no-verify.

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: San Dang sdang@nvidia.com

Summary by CodeRabbit

Release Notes

  • Refactor

    • Improved internal code organization for sandbox compatibility handling.
  • Tests

    • Enhanced end-to-end testing verification for macOS VM compatibility checks.

Signed-off-by: San Dang <sdang@nvidia.com>
@sandl99 sandl99 self-assigned this Jun 12, 2026
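
An added example, not taken from this PR or the NemoClaw repository: a source-level regression guard in the spirit of the one the description refers to, written to assert on code rather than comments so that a stale or commented-out line cannot satisfy it. Only `darwinVmCompat` and `patchStagedDockerfile` come from the page; the function names and the sample helper contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not project code). Sample sources below are constructed.

# Drop // line comments and blank lines so the guard inspects code only.
# (Simplification: a '//' inside a string literal is also cut.)
strip_comments() {
  sed -e 's://.*$::' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 only if the helper declares darwinVmCompat as false, never sets it
# to true, and passes the identifier to patchStagedDockerfile. 2 = file missing.
check_rootfs_guard() {
  local file="$1" code
  [ -f "$file" ] || { echo "guard: missing $file" >&2; return 2; }
  code="$(strip_comments "$file")"
  if printf '%s\n' "$code" | grep -Eq 'darwinVmCompat[[:space:]]*[:=][[:space:]]*true'; then
    echo "guard: darwinVmCompat is enabled in $file" >&2; return 1
  fi
  printf '%s\n' "$code" |
    grep -Eq 'const[[:space:]]+darwinVmCompat[[:space:]]*=[[:space:]]*false' || {
      echo "guard: explicit 'darwinVmCompat = false' not found" >&2; return 1; }
  # Join lines so a multi-line call still matches; stop at the statement end.
  printf '%s\n' "$code" | tr '\n' ' ' |
    grep -Eq 'patchStagedDockerfile\([^;]*darwinVmCompat' || {
      echo "guard: patchStagedDockerfile is not given darwinVmCompat" >&2; return 1; }
}

# Constructed sample sources (hypothetical shape of the helper file).
make_sample() {  # $1 = good | stale | enabled
  local f; f="$(mktemp)"
  case "$1" in
    good)    printf '%s\n' 'const darwinVmCompat = false;' \
               'patchStagedDockerfile(dockerfile, {' '  darwinVmCompat,' '});' ;;
    stale)   printf '%s\n' '// const darwinVmCompat = false;' \
               'patchStagedDockerfile(dockerfile, { other: 1 });' ;;
    enabled) printf '%s\n' 'const darwinVmCompat = true;' \
               'patchStagedDockerfile(dockerfile, { darwinVmCompat });' ;;
  esac > "$f"
  echo "$f"
}

sample="$(make_sample good)"
check_rootfs_guard "$sample" && echo "guard passed for constructed sample"
rm -f "$sample"
```

The `stale` sample is the case a comment-matching grep would accept and this guard rejects.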
@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Walkthrough

The PR extracts a local darwinVmCompat constant (set to false) in the prepareSandboxDockerfilePatch function and passes it to the patchStagedDockerfile call instead of a hardcoded false literal. The corresponding e2e regression test is updated to verify the constant is explicitly set at the new location.

Changes

Darwin VM compatibility constant refactor

| Layer / File(s) | Summary |
|---|---|
| Extract darwinVmCompat constant and update test assertion: src/lib/onboard/sandbox-dockerfile-patch-flow.ts, test/e2e/test-openshell-gateway-upgrade.sh | The darwinVmCompat constant is introduced and set to false in the patch flow, passed to patchStagedDockerfile, and the e2e test assertion is updated to check the constant definition in sandbox-dockerfile-patch-flow.ts instead of the prior assertion location. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • NVIDIA/NemoClaw#5261: Addresses the same Darwin VM compatibility constant check by moving the assertion target to src/lib/onboard/sandbox-dockerfile-patch-flow.ts and fixing the stale test path.

Possibly related PRs

  • NVIDIA/NemoClaw#5154: Prior refactor that extracted and centralized the Dockerfile patch flow with the patchStagedDockerfile invocation; this PR extends that work by isolating the darwinVmCompat constant definition for improved test coverage.

Suggested labels

area: sandbox, bug-fix, v0.0.63

Suggested reviewers

  • jyaunches
  • cv

Poem

🐰 A constant hops into light,
From magic numbers, now explicit and bright,
The tests see the truth at last,
Darwin's compat, no longer masked!
One small refactor makes clarity right. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The PR title 'fix(onboard): update gateway rootfs guard' directly describes the main change: updating the gateway rootfs guard after the Dockerfile patch flow refactoring. |

@sandl99 sandl99 changed the title fix(e2e): update gateway rootfs guard fix(onboard): update gateway rootfs guard Jun 12, 2026
@github-actions

E2E Advisor Recommendation

Required E2E: openshell-gateway-upgrade-e2e, macos-e2e
Optional E2E: double-onboard-vitest, runtime-overrides-vitest

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • openshell-gateway-upgrade-e2e (high): Directly covers the modified E2E script and includes the macOS Docker rootfs compatibility assertion that was updated, plus the installer/OpenShell gateway upgrade and survivor sandbox restoration flow.
  • macos-e2e (high): The source change is specifically about keeping macOS Docker sandbox builds out of the Darwin VM compatibility path during onboarding; the macOS workflow is the closest platform-level E2E validation for real macOS onboarding/build behavior when Docker is available.

Optional E2E

  • double-onboard-vitest (high): Useful adjacent confidence for the onboarding/sandbox lifecycle path that calls the Dockerfile patch flow, verifying repeated onboarding, gateway reuse, sibling sandbox preservation, and stale registry recovery.
  • runtime-overrides-vitest (medium): Builds the real sandbox image and exercises the Docker image/ENTRYPOINT boundary, providing additional confidence that Dockerfile patching still produces a runnable sandbox image.

New E2E recommendations

  • macos-dockerfile-patch-flow (medium): Current coverage for darwinVmCompat=false is a grep inside a broad gateway-upgrade shell test. A focused PR-safe scenario would reduce brittleness and directly validate the prepareSandboxDockerfilePatch contract.
    • Suggested test: Add a focused E2E/Vitest scenario that runs prepareSandboxDockerfilePatch with mocked dependencies and asserts patchStagedDockerfile receives darwinVmCompat=false for macOS Docker sandbox onboarding paths.

@github-actions

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: ubuntu-repo-cloud-openclaw
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • ubuntu-repo-cloud-openclaw: The PR changes the sandbox Dockerfile patch flow used during Docker-based OpenClaw onboarding. The smallest live-supported typed Vitest scenario that exercises this path is the Ubuntu repo Docker cloud OpenClaw scenario.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • src/lib/onboard/sandbox-dockerfile-patch-flow.ts

@github-actions

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Top item: No blocking code-review findings

Consider writing more tests for
  • **Runtime validation** — Validate that the onboard sandbox Dockerfile patch flow keeps `NEMOCLAW_DARWIN_VM_COMPAT=0` for regular macOS Docker sandbox builds after the helper extraction. The changed production file sits on the sandbox Dockerfile build path, so runtime or integration validation is useful even though the behavior-preserving code delta is already covered by a direct Vitest caller/callee assertion.
  • **Runtime validation** — Keep or identify an integration guard that fails if `prepareSandboxDockerfilePatch()` ever passes `true` for `darwinVmCompat` on the regular onboard sandbox path. The changed production file sits on the sandbox Dockerfile build path, so runtime or integration validation is useful even though the behavior-preserving code delta is already covered by a direct Vitest caller/callee assertion.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

@sandl99 sandl99 added area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow nightly-e2e Nightly E2E test failures VRDC Issues and PRs submitted by NVIDIA VRDC test team. labels Jun 12, 2026
@sandl99 sandl99 requested a review from cv June 12, 2026 03:55
@github-actions

Selective E2E Results — ✅ All requested jobs passed

Run: 27393351141
Target ref: fix/gateway-upgrade-rootfs-guard
Requested jobs: openshell-gateway-upgrade-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

| Job | Result |
|---|---|
| openshell-gateway-upgrade-e2e | ✅ success |

@cv cv merged commit b3500bf into main Jun 12, 2026
120 checks passed
@cv cv deleted the fix/gateway-upgrade-rootfs-guard branch June 12, 2026 04:41
@cv cv added the v0.0.64 Release target label Jun 12, 2026
cv pushed a commit that referenced this pull request Jun 12, 2026
## Summary
- Add v0.0.64 release notes from the release announcement and link them
to the relevant deeper docs.
- Document that custom policy presets recorded through `policy-add
--from-file` and `--from-dir` survive snapshot restore and sandbox
recreation.
- Refresh generated NemoClaw user skills from the current source docs.

## Source summary
- #5104 -> `docs/manage-sandboxes/backup-restore.mdx`,
`docs/network-policy/customize-network-policy.mdx`: Documents custom
policy presets preserved through snapshot restore.
- #4955 -> `docs/about/release-notes.mdx`: Adds release-note coverage
for Brave web-search pinning and `BRAVE_API_KEY` placeholder
preservation.
- #5116, #5269 -> `docs/about/release-notes.mdx`: Adds release-note
coverage for Docker-driver gateway health and rootfs guard stability.
- #5241, #5085 -> `docs/about/release-notes.mdx`: Adds release-note
coverage for chat-completions provider selection and Nemotron Ultra 550B
tool-less request compatibility.
- #5268, #5210, #5257 -> `docs/about/release-notes.mdx`: Adds
release-note coverage for messaging render plan refresh, OpenClaw
scope-upgrade approval recovery, and Hermes WhatsApp bridge dependency
setup.
- Current source docs -> `.agents/skills/`: Regenerates user-skill
references so agent-facing guidance matches the source documentation.

## Verification
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix
nemoclaw-user --doc-platform fern-mdx`
- `npm run docs`
- `npm run build:cli`
- `npm run typecheck:cli`
- Commit/pre-push hooks: markdownlint, gitleaks, docs-to-skills
verification, TypeScript CLI, and skills YAML checks passed.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Clarified sandbox snapshot restore preserves custom policy presets and
restores them without original files.
* Switched sandbox setup and remote deployment guidance to Docker-based
workflows and emphasized remote onboarding flow.
* Expanded troubleshooting for gateway recovery, Docker GPU/WSL issues,
and onboarding resume.
* Added/updated CLI docs: advanced maintenance, session export,
upload/download wrappers, and status recovery guidance.
* Added v0.0.64 release notes and links to NemoClaw Community; fixed
command reference formatting.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->