fix(whatsapp): pair login over the loopback gateway and preserve npm plugin provenance#6645
Conversation
Signed-off-by: Hung Le <hple@nvidia.com>
…air reconcile Signed-off-by: Hung Le <hple@nvidia.com>
…e npm provenance Signed-off-by: Hung Le <hple@nvidia.com>
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThe change switches OpenClaw plugin installs to ChangesOpenClaw plugin installation
WhatsApp pairing flow
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant Operator
participant NemoClawWrapper
participant OpenClaw
Operator->>NemoClawWrapper: channels login --channel whatsapp
NemoClawWrapper->>NemoClawWrapper: validate loopback gateway override
NemoClawWrapper->>OpenClaw: run WhatsApp login with conditional gateway environment
OpenClaw-->>Operator: render pairing result
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage remains at 96%, unchanged from the branch. TypeScript / code-coverage/cliThe overall coverage in the branch remains at 78%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
|
🌿 Preview your docs: https://nvidia-preview-pr-6645.docs.buildwithfern.com/nemoclaw |
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
PR Review Advisor (Nemotron Ultra) — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
🚨 Required before mergeAddress these before merging unless a maintainer explicitly overrides the advisor with rationale.
|
PR Review Advisor — No blocking findingsMerge posture: No blocking advisor findings Action checklist
Test follow-ups to resolve or justifyIf these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.
This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision. |
…ed guard Signed-off-by: Hung Le <hple@nvidia.com>
…osts Signed-off-by: Hung Le <hple@nvidia.com>
…he loopback workaround Signed-off-by: Hung Le <hple@nvidia.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 3601-3625: The WhatsApp gateway URL allowlist in the case block
accepts userinfo-based URLs such as ws://127.0.0.1:1@evil.example, exposing the
gateway token to a non-loopback host. Reject any override containing “@” before
the existing loopback pattern matching (or validate the parsed hostname
directly), and add a negative test confirming this URL is rejected.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: b2122a2f-ceea-4a4b-94d8-7455a34740e5
📒 Files selected for processing (14)
Dockerfiledocs/manage-sandboxes/messaging-channels.mdxscripts/nemoclaw-start.shsrc/lib/messaging/applier/build/messaging-build-applier.mtstest/messaging-build-applier-integrity.test.tstest/messaging-build-applier.test.tstest/nemoclaw-start-gateway-ws-host.test.tstest/openclaw-dependency-review.test.tstest/openclaw-integrity-pin.test.tstest/openclaw-lifecycle-policy.test.tstest/repro-4538-raw-doctor-perms.test.tstest/repro-6413-whatsapp-postpair-start.test.tstest/sandbox-provisioning.test.tstest/whatsapp-qr-compact.test.ts
💤 Files with no reviewable changes (1)
- test/repro-6413-whatsapp-postpair-start.test.ts
…list Signed-off-by: Hung Le <hple@nvidia.com>
…law into fix/whatsapp-login-loopback
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
CI follow-up at
The commit is signed, signed off, and GitHub Verified. |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Security remediation for GPT Advisor PRA-2 at
Verification: 36/36 focused WhatsApp guard tests and 182/182 surrounding start/gateway/provisioning tests passed; ShellCheck, shfmt, Biome, the conditional scanner, normal pre-commit hooks, CLI pre-push typecheck, and package/tag sync passed. The commit is signed, signed off, and GitHub Verified. This resolves PRA-2. PRA-1, the distinct post-pair restart-state acceptance test, remains separate and is not claimed by this change. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/whatsapp-qr-compact.test.ts`:
- Around line 462-487: Update both rejection tests in the “fails closed…” and
“cannot continue…” cases to assert that the sentinel value “guard-secret-token”
is absent from stderr as well as stdout, covering direct token leaks through
either output stream while retaining the existing public-boundary assertions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 8a904508-ef4e-4b3d-a12a-feeef235487d
📒 Files selected for processing (2)
scripts/nemoclaw-start.shtest/whatsapp-qr-compact.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- scripts/nemoclaw-start.sh
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
Maintainer remediation pushed at exact head This addresses the current GPT Advisor findings and the follow-up security review:
Verification on this head:
No documentation change is needed because the public pairing workflow is unchanged. Exact-head CI, automated review, and native-runtime E2E evidence are now running. |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
|
CI follow-up pushed at exact head The two failures on
Verification: 44 tests passed with the existing opt-in Docker test skipped; Biome, CLI typecheck, project overlap, source-shape/size budgets, secret scan, and normal pre-commit/pre-push hooks passed. The new commit is GitHub Verified and DCO passes. |
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
E2E Target Results — ❌ Some jobs failedRun: 29144927205
|
|
Maintainer follow-up pushed at exact head
The stale-head manual run was canceled. Fresh exact-head live evidence is running for |
E2E Target Results — ✅ All selected jobs passedRun: 29145241512
|
cv
left a comment
There was a problem hiding this comment.
Approved at exact head 1b22b22.
Required CI, DCO, commit verification, and CodeRabbit are clean. Exact-head E2E run 29145241512 passed cloud-onboard, channels-add-remove, and channels-stop-start for both OpenClaw and Hermes. The completed GPT-5.5 advisor returned merge_as_is with no findings.
I adjudicated the partial low-confidence Nemotron ledger against the implementation and regression tests: native post-pair reload is restored through the loopback route, the original argument vector (including --account) is forwarded unchanged, replacement security/preload coverage is present, and the claimed missing live targets all passed. The failed partial advisor job and older cancel-superseded status do not identify a valid implementation defect.
<!-- markdownlint-disable MD041 --> ## Summary Release-prep documentation for v0.0.81 now summarizes user-facing changes merged since v0.0.80. It also closes the Hermes dashboard-profile backup gap and distinguishes direct blueprint-runner actions from public host CLI commands. ## Changes - Add the `v0.0.81` section to `docs/about/release-notes.mdx` with links to the detailed user guides. - Document that Hermes rebuilds preserve `.hermes/dashboard-home/`, including Dashboard `MEMORY.md` and `USER.md`. - Update Hermes manual backup and restore examples to transfer those two profile files without copying generated configuration or the secret-bearing dashboard `.env`. - Explain the new per-item backup failure causes. - Clarify that migration snapshot retention fragments are direct-runner arguments and are not exposed by the host `nemoclaw` CLI. ### Source summary - #6445 -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/backup-restore.mdx`, and `docs/manage-sandboxes/workspace-files.mdx`: Summarize manifest-owned key-level restore and current-config authority. - #6617 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Record the fail-closed `/proc` fallback used to verify an idle Deep Agents runtime before snapshot creation. - #6685 -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/backup-restore.mdx`, and `docs/manage-sandboxes/workspace-files.mdx`: Document Hermes Web Dashboard profile persistence and safe manual transfer. - #6649 -> `docs/about/release-notes.mdx`: Summarize host-validated loopback compatible-endpoint routing through the sandbox gateway. - #6643 -> `docs/about/release-notes.mdx`: Summarize automatic `max_completion_tokens` handling for GPT-5 and o-series models. - #6661 -> `docs/about/release-notes.mdx`: Summarize bounded connection reuse for eligible provider-validation probes. - #6704 -> `docs/about/release-notes.mdx`: Record that direct blueprint apply stops instead of persisting incomplete state after provider or inference setup fails. - #6677 -> `docs/about/release-notes.mdx`: Summarize transactional recovery for legacy Docker containers whose managed supervisor disappeared after restart. - #6625 -> `docs/about/release-notes.mdx`: Record Hermes managed-startup persistence across direct Docker restarts. - #6597 -> `docs/about/release-notes.mdx`: Record final-sandbox gateway cleanup on macOS. - #6680 -> `docs/about/release-notes.mdx`: Summarize managed Deep Agents first-run and process-tree cleanup improvements. - #6647 -> `docs/about/release-notes.mdx`: Record fail-closed validation for the managed Deep Agents fetch CA bundle. - #6645 -> `docs/about/release-notes.mdx`: Summarize WhatsApp loopback pairing and trusted npm plugin provenance. - #6673 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Document stopped-sandbox backup remediation. - #6631 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Document per-item backup failure causes. - #6620 -> `docs/about/release-notes.mdx`: Record the created-but-not-ready sandbox lifecycle receipt. - #6664 -> `docs/about/release-notes.mdx`: Record prompt-aware onboarding progress output. - #6598 -> `docs/about/release-notes.mdx`: Summarize stale replay-result invalidation during resumed onboarding. - #6593 -> `docs/about/release-notes.mdx`: Summarize contextual OpenClaw audit findings for managed dashboard compatibility settings. - #6650 -> `docs/about/release-notes.mdx`: Record redaction of token-shaped URL query values. - #6638 -> `docs/about/release-notes.mdx`: Record the exact-path MCP `DELETE` policy recipe for session termination. - #5453 -> `docs/reference/host-files-and-state.mdx`: Clarify that snapshot retention actions belong to direct runner integrations and are not standalone host CLI commands. ### Skipped from docs-skip - #6633 matched the `openclaw-sandbox-permissive.yaml` path in `docs/.docs-skip` and produced no documentation in this update. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: This is a documentation-only release-prep update; behavior is protected by the merged source PRs, and the documentation build validates the changed examples and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — tests are not applicable for this documentation-only change; `npm run docs` completed successfully. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: not run for this documentation-only change. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — 0 errors; two existing Fern warnings remain. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) — no new pages. --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Documentation** - Added release notes for v0.0.81 covering state preservation, inference setup, sandbox recovery, session setup, pairing, diagnostics, and security policy updates. - Expanded backup and restore guidance to include dashboard profile files and clarify files that must not be copied. - Added dashboard profile persistence details to workspace and rebuild documentation. - Clarified snapshot retention guidance and the distinction between host CLI capabilities and direct runner actions. - Added more detailed backup failure reporting information. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Carlos Villela <cvillela@nvidia.com>
…plugin provenance (NVIDIA#6645) <!-- markdownlint-disable MD041 --> ## Summary Fixes two stacked failures that made WhatsApp unusable on a stock install — pairing succeeded but the channel never ran: - **Login (NVIDIA#6413):** stop re-injecting the stashed private veth IP URL into `openclaw channels login`. A private-IP origin makes the gateway's locality check strip operator scopes (token or not), so the post-pair `channels.start` was denied with `missing scope: operator.admin`. With no URL in the env, OpenClaw resolves the loopback gateway from its own config — same pattern as the `devices approve` wrapper (NVIDIA#4462) — and the restart succeeds natively. Replaces the NVIDIA#6496 reconcile, which no-ops on exactly this token-authed connect-shell path (`0:1:1` dispatch arm); fresh-install validation with NVIDIA#6496 merged still reproduced the error. - **Plugin trust:** install channel plugins through the `npm-pack:` spec so OpenClaw records npm provenance for the integrity-verified tarball. Archive-path installs record archive provenance, which fails the trusted-official-install check gating `openKeyedStore` on OpenClaw >= 2026.6.10 — the channel crash-looped right after pairing (`openKeyedStore is only available for trusted plugins in this release`). - **Removed with NVIDIA#6496's reconcile:** its config token reader, `--account` forwarding, and the readonly gateway trust anchor (source of the DGX Spark/Station regression, NVIDIA#6560). No gateway token moves anywhere under this design. **Blast radius:** the npm-pack change flows through the shared installer, so all externally-installed channels (whatsapp, discord, slack, msteams, weixin) plus diagnostics-otel/brave gain npm provenance; telegram is bundled and unaffected. Audited: trust flip is benefit-only (unblocks keyed stores that today crash or silently degrade), and the new install layout breaks no path assumption (details below). **Validated:** WhatsApp end-to-end live on a fresh install — QR pair, no missing-scope, trusted record, channel running, real message round-trip. Control run on unfixed main on the same host still fails. <details> <summary>Blast-radius audit: why the npm-pack change is safe for the other channels</summary> **What actually changes for a channel plugin?** Only two things: (1) the install ledger now says the plugin came from npm (name, exact version, integrity) instead of from an anonymous archive file, and (2) the plugin's files land under `.openclaw/npm/projects/<hash>/node_modules/<pkg>` instead of `extensions/<id>`. The tarball itself, and the integrity verification before installing it, are byte-for-byte the same as before. **Could the new ledger entry break anything?** No — it only unlocks. The trusted-official-install check is the single consumer of this provenance, and today it fails for all five external channels. That is why WhatsApp crash-loops at startup (it opens `openKeyedStore` immediately), why Slack silently loses its duplicate-message protection across restarts, and why Discord's interactive buttons/modals lose their persistent state. With npm provenance the check passes and those features work as designed. Nothing consumes "archive" provenance as a positive signal, so nothing regresses. **Could the new file location break anything?** We audited every place that could care about the old path: - *Runtime patches/preloads:* none match on `extensions/<id>`. The WhatsApp compact-QR preload recognizes the qrcode module by its shape, not its path. - *Sandbox rebuild (backup/restore):* the backup never includes `npm/`, so after a rebuild the plugin files and ledger always come from the freshly built image. The old extensions-restore logic simply sees "no extensions dir to preserve" and moves on — a state it already handles. - *WeChat seed files:* they are written to the state dir (`~/.openclaw/openclaw-weixin/`), not into the plugin's install dir, so the move doesn't touch them. WeChat's hand-written `plugins.installs` config entry keeps the old path, but the trust check never reads config — only the ledger — so the stale entry is inert. **Who is not affected at all?** Telegram — it ships bundled inside the openclaw package, never goes through this installer, and was already trusted. **What was tested?** WhatsApp end-to-end on a fresh install (the only channel that hard-fails today). The `openclaw-lifecycle-policy` contract test verifies every reviewed package spec installs through the new `npm-pack:` form. </details> ## Related Issue Fixes NVIDIA#6413 ## Changes <!-- Bullet list of key changes. --> ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Quality Gates <!-- Check exactly one tests line and one docs line. Check other lines when applicable. Add every requested justification or approval reference. --> - [x] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [ ] Tests not applicable — justification: - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [x] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [x] Sensitive-path review completed or maintainer-approved waiver recorded — targeted replacement of the NVIDIA#6496 login machinery: removes gateway-token movement entirely (the reconcile helper and its config token reader are deleted), removes the readonly trust anchor that regressed DGX Spark/Station, and restores the pre-NVIDIA#6496 runtime-env emission; the ws:// scheme check on an explicitly exported `OPENCLAW_GATEWAY_URL` is retained. - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each applicable item only when supported by the requested evidence. Run targeted tests once per relevant change set and rerun after later edits or hook autofixes that can affect the tested behavior. Do not rerun hook-covered checks. --> - [ ] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [ ] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [ ] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — command/result or justification: - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: - [ ] Quality Gates section completed with required justifications or waivers - [ ] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Hung Le <hple@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Improvements** - Updated OpenClaw plugin installation to use `npm-pack:` based installs, aligning provenance/version traces (replacing direct archive installs and `--pin`). - Adjusted Docker-based plugin installation to use the verified tarball install path that preserves npm provenance. - Refreshed WhatsApp pairing/login: defaults to in-sandbox loopback, accepts gateway URL overrides only for loopback `ws://`/`wss://`, and exports gateway tokens whenever available. - **Documentation** - Shortened WhatsApp sandbox guidance and added troubleshooting for gateway close code **1008**. - **Tests** - Updated messaging/OpenClaw trace expectations for `npm-pack:` formats and revised WhatsApp guard coverage/fixtures to match the new pairing/token/exit-code behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Hung Le <hple@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Release-prep documentation for v0.0.81 now summarizes user-facing changes merged since v0.0.80. It also closes the Hermes dashboard-profile backup gap and distinguishes direct blueprint-runner actions from public host CLI commands. ## Changes - Add the `v0.0.81` section to `docs/about/release-notes.mdx` with links to the detailed user guides. - Document that Hermes rebuilds preserve `.hermes/dashboard-home/`, including Dashboard `MEMORY.md` and `USER.md`. - Update Hermes manual backup and restore examples to transfer those two profile files without copying generated configuration or the secret-bearing dashboard `.env`. - Explain the new per-item backup failure causes. - Clarify that migration snapshot retention fragments are direct-runner arguments and are not exposed by the host `nemoclaw` CLI. ### Source summary - NVIDIA#6445 -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/backup-restore.mdx`, and `docs/manage-sandboxes/workspace-files.mdx`: Summarize manifest-owned key-level restore and current-config authority. - NVIDIA#6617 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Record the fail-closed `/proc` fallback used to verify an idle Deep Agents runtime before snapshot creation. - NVIDIA#6685 -> `docs/about/release-notes.mdx`, `docs/manage-sandboxes/backup-restore.mdx`, and `docs/manage-sandboxes/workspace-files.mdx`: Document Hermes Web Dashboard profile persistence and safe manual transfer. - NVIDIA#6649 -> `docs/about/release-notes.mdx`: Summarize host-validated loopback compatible-endpoint routing through the sandbox gateway. - NVIDIA#6643 -> `docs/about/release-notes.mdx`: Summarize automatic `max_completion_tokens` handling for GPT-5 and o-series models. - NVIDIA#6661 -> `docs/about/release-notes.mdx`: Summarize bounded connection reuse for eligible provider-validation probes. - NVIDIA#6704 -> `docs/about/release-notes.mdx`: Record that direct blueprint apply stops instead of persisting incomplete state after provider or inference setup fails. - NVIDIA#6677 -> `docs/about/release-notes.mdx`: Summarize transactional recovery for legacy Docker containers whose managed supervisor disappeared after restart. - NVIDIA#6625 -> `docs/about/release-notes.mdx`: Record Hermes managed-startup persistence across direct Docker restarts. - NVIDIA#6597 -> `docs/about/release-notes.mdx`: Record final-sandbox gateway cleanup on macOS. - NVIDIA#6680 -> `docs/about/release-notes.mdx`: Summarize managed Deep Agents first-run and process-tree cleanup improvements. - NVIDIA#6647 -> `docs/about/release-notes.mdx`: Record fail-closed validation for the managed Deep Agents fetch CA bundle. - NVIDIA#6645 -> `docs/about/release-notes.mdx`: Summarize WhatsApp loopback pairing and trusted npm plugin provenance. - NVIDIA#6673 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Document stopped-sandbox backup remediation. - NVIDIA#6631 -> `docs/about/release-notes.mdx` and `docs/manage-sandboxes/backup-restore.mdx`: Document per-item backup failure causes. - NVIDIA#6620 -> `docs/about/release-notes.mdx`: Record the created-but-not-ready sandbox lifecycle receipt. - NVIDIA#6664 -> `docs/about/release-notes.mdx`: Record prompt-aware onboarding progress output. - NVIDIA#6598 -> `docs/about/release-notes.mdx`: Summarize stale replay-result invalidation during resumed onboarding. - NVIDIA#6593 -> `docs/about/release-notes.mdx`: Summarize contextual OpenClaw audit findings for managed dashboard compatibility settings. - NVIDIA#6650 -> `docs/about/release-notes.mdx`: Record redaction of token-shaped URL query values. - NVIDIA#6638 -> `docs/about/release-notes.mdx`: Record the exact-path MCP `DELETE` policy recipe for session termination. - NVIDIA#5453 -> `docs/reference/host-files-and-state.mdx`: Clarify that snapshot retention actions belong to direct runner integrations and are not standalone host CLI commands. ### Skipped from docs-skip - NVIDIA#6633 matched the `openclaw-sandbox-permissive.yaml` path in `docs/.docs-skip` and produced no documentation in this update. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: This is a documentation-only release-prep update; behavior is protected by the merged source PRs, and the documentation build validates the changed examples and routes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or `npm run check:diff` passed when hooks were skipped or unavailable - [x] Targeted behavior tests pass for the current change set, or tests are marked not applicable above — tests are not applicable for this documentation-only change; `npm run docs` completed successfully. - [ ] Applicable broad gate passed — `npm test` for broad runtime/test-harness changes; `npm run check` for repo-wide validation/coverage changes — command/result: not run for this documentation-only change. - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — 0 errors; two existing Fern warnings remain. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) — no new pages. --- Signed-off-by: Carlos Villela <cvillela@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Documentation** - Added release notes for v0.0.81 covering state preservation, inference setup, sandbox recovery, session setup, pairing, diagnostics, and security policy updates. - Expanded backup and restore guidance to include dashboard profile files and clarify files that must not be copied. - Added dashboard profile persistence details to workspace and rebuild documentation. - Clarified snapshot retention guidance and the distinction between host CLI capabilities and direct runner actions. - Added more detailed backup failure reporting information. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Summary
Fixes two stacked failures that made WhatsApp unusable on a stock install — pairing succeeded but the channel never ran:
openclaw channels login. A private-IP origin makes the gateway's locality check strip operator scopes (token or not), so the post-pairchannels.startwas denied withmissing scope: operator.admin. With no URL in the env, OpenClaw resolves the loopback gateway from its own config — same pattern as thedevices approvewrapper (OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462) — and the restart succeeds natively. Replaces the fix(whatsapp): reconcile post-pair gateway restart without operator.admin #6496 reconcile, which no-ops on exactly this token-authed connect-shell path (0:1:1dispatch arm); fresh-install validation with fix(whatsapp): reconcile post-pair gateway restart without operator.admin #6496 merged still reproduced the error.npm-pack:spec so OpenClaw records npm provenance for the integrity-verified tarball. Archive-path installs record archive provenance, which fails the trusted-official-install check gatingopenKeyedStoreon OpenClaw >= 2026.6.10 — the channel crash-looped right after pairing (openKeyedStore is only available for trusted plugins in this release).--accountforwarding, and the readonly gateway trust anchor (source of the DGX Spark/Station regression, fix(runtime): keep proxy env POSIX-compatible #6560). No gateway token moves anywhere under this design.Blast radius: the npm-pack change flows through the shared installer, so all externally-installed channels (whatsapp, discord, slack, msteams, weixin) plus diagnostics-otel/brave gain npm provenance; telegram is bundled and unaffected. Audited: trust flip is benefit-only (unblocks keyed stores that today crash or silently degrade), and the new install layout breaks no path assumption (details below).
Validated: WhatsApp end-to-end live on a fresh install — QR pair, no missing-scope, trusted record, channel running, real message round-trip. Control run on unfixed main on the same host still fails.
Blast-radius audit: why the npm-pack change is safe for the other channels
What actually changes for a channel plugin? Only two things: (1) the install ledger now says the plugin came from npm (name, exact version, integrity) instead of from an anonymous archive file, and (2) the plugin's files land under
.openclaw/npm/projects/<hash>/node_modules/<pkg>instead ofextensions/<id>. The tarball itself, and the integrity verification before installing it, are byte-for-byte the same as before.Could the new ledger entry break anything? No — it only unlocks. The trusted-official-install check is the single consumer of this provenance, and today it fails for all five external channels. That is why WhatsApp crash-loops at startup (it opens
openKeyedStoreimmediately), why Slack silently loses its duplicate-message protection across restarts, and why Discord's interactive buttons/modals lose their persistent state. With npm provenance the check passes and those features work as designed. Nothing consumes "archive" provenance as a positive signal, so nothing regresses.Could the new file location break anything? We audited every place that could care about the old path:
extensions/<id>. The WhatsApp compact-QR preload recognizes the qrcode module by its shape, not its path.npm/, so after a rebuild the plugin files and ledger always come from the freshly built image. The old extensions-restore logic simply sees "no extensions dir to preserve" and moves on — a state it already handles.~/.openclaw/openclaw-weixin/), not into the plugin's install dir, so the move doesn't touch them. WeChat's hand-writtenplugins.installsconfig entry keeps the old path, but the trust check never reads config — only the ledger — so the stale entry is inert.Who is not affected at all? Telegram — it ships bundled inside the openclaw package, never goes through this installer, and was already trusted.
What was tested? WhatsApp end-to-end on a fresh install (the only channel that hard-fails today). The
openclaw-lifecycle-policycontract test verifies every reviewed package spec installs through the newnpm-pack:form.Related Issue
Fixes #6413
Changes
Type of Change
Quality Gates
OPENCLAW_GATEWAY_URLis retained.Verification
Verifiedin GitHubpre-commit,commit-msg, andpre-pushhooks passed, ornpm run check:diffpassed when hooks were skipped or unavailablenpm testfor broad runtime/test-harness changes;npm run checkfor repo-wide validation/coverage changes — command/result:npm run docsbuilds without warnings (doc changes only)Signed-off-by: Hung Le hple@nvidia.com
Summary by CodeRabbit
npm-pack:based installs, aligning provenance/version traces (replacing direct archive installs and--pin).ws:///wss://, and exports gateway tokens whenever available.npm-pack:formats and revised WhatsApp guard coverage/fixtures to match the new pairing/token/exit-code behavior.