
fix(image): route exec approvals to .openclaw-data#1823

Open
skainguyen1412 wants to merge 6 commits into NVIDIA:main from skainguyen1412:fix/1785-exec-approvals-path

Conversation


@skainguyen1412 skainguyen1412 commented Apr 13, 2026

Summary

Fixes the exec approvals regression introduced by the .openclaw / .openclaw-data split. OpenClaw now refuses to write exec-approvals.json through a symlink, so this PR patches the installed OpenClaw dist bundles to write directly to ~/.openclaw-data/exec-approvals.json while keeping /sandbox/.openclaw immutable.

Related Issue

Fixes #1785

Changes

  • Patch OpenClaw exec approvals path in Dockerfile.base from ~/.openclaw/exec-approvals.json to ~/.openclaw-data/exec-approvals.json
  • Strengthen the post-install guard in Dockerfile.base to scan all OpenClaw dist *.js bundles and fail if the old path still exists or the path cannot be verified
  • Add the same compatibility patch in Dockerfile so production builds still work when they pull a stale published GHCR base image
  • Add regression coverage in test/exec-approvals-path-regression.test.ts for both the base-image patch and the runtime compatibility shim

Type of Change

  • Code change for a new feature, bug fix, or refactor.
  • Code change with doc updates.
  • Doc only. Prose changes without code sample modifications.
  • Doc only. Includes code sample changes.

Testing

  • npx prek run --all-files passes (or equivalently make check).
  • npm test passes.
  • make docs builds without warnings. (for doc-only changes)

Additional testing performed:

  • npm test -- test/exec-approvals-path-regression.test.ts

Checklist

General

Code Changes

  • Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
  • Tests added or updated for new or changed behavior.
  • No secrets, API keys, or credentials committed.
  • Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

  • Follows the style guide. Try running the nemoclaw-contributor-update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/nemoclaw-contributor-update-docs catch up the docs for the new changes I made in this PR."
  • New pages include SPDX license header and frontmatter, if creating a new page.
  • Cross-references and links verified.

Signed-off-by: Thien Nguyen [email protected]

Summary by CodeRabbit

  • Bug Fixes

    • Build now detects and replaces legacy OpenClaw approval-path references with the updated runtime data path and fails the build if verification or patching does not succeed, preventing images with unpatched defaults.
  • Tests

    • Added static regression tests that verify the build includes the approval-path patching and verification safeguards to prevent future regressions.

Patch OpenClaw dist defaults in Dockerfile.base so exec approvals write to ~/.openclaw-data/exec-approvals.json and add a regression guard test.

Refs: NVIDIA#1785
Add runtime compatibility patch in Dockerfile for stale GHCR base images and strengthen Dockerfile.base guard to scan all dist JS bundles with validation fallback. Update regression tests accordingly.
coderabbitai bot commented Apr 13, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: aeb1611a-4f6c-4adf-b683-9a3611e9ff8e

📥 Commits

Reviewing files that changed from the base of the PR and between 0ae01c7 and de6d4b2.

📒 Files selected for processing (2)
  • Dockerfile
  • test/exec-approvals-path-regression.test.ts
✅ Files skipped from review due to trivial changes (1)
  • test/exec-approvals-path-regression.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfile

📝 Walkthrough

Walkthrough

Adds Docker build steps that locate the global OpenClaw JS dist, search-and-replace legacy ~/.openclaw/exec-approvals.json to ~/.openclaw-data/exec-approvals.json in-place across *.js files with verification and failing conditions, plus a Vitest regression test that asserts the Dockerfile patching logic exists.

Changes

Cohort / File(s): Docker Build Patching (Dockerfile, Dockerfile.base)
Summary: Adds RUN steps that compute $(npm root -g)/openclaw/dist, fail if missing, search *.js for legacy ~/.openclaw/exec-approvals.json, replace matches with ~/.openclaw-data/exec-approvals.json (in-place), and perform post-patch verification that fails on remnants or verification failures.

Cohort / File(s): Regression Test (test/exec-approvals-path-regression.test.ts)
Summary: New Vitest file that statically reads Dockerfile and Dockerfile.base and asserts presence of the legacy/new path strings, temp-file marker, --include='*.js' usage, and introduced failure/diagnostic substrings to guard against regressions.

Sequence Diagram(s)

sequenceDiagram
    participant DockerBuild as Docker build
    participant Npm as npm (global)
    participant FS as Filesystem (openclaw/dist)
    participant Shell as Shell (grep/sed)
    DockerBuild->>Npm: resolve OPENCLAW_DIST_DIR ($(npm root -g)/openclaw/dist)
    Npm-->>DockerBuild: return OPENCLAW_DIST_DIR
    DockerBuild->>FS: check if dist directory exists
    alt dist missing
        FS-->>DockerBuild: not found
        DockerBuild->>DockerBuild: fail build ("OpenClaw dist directory not found")
    else dist present
        DockerBuild->>Shell: grep *.js for legacy path
        alt legacy occurrences found
            Shell->>Shell: record files (mktemp), sed -i replace legacy → data path
        else no legacy found
            Shell->>Shell: verify new data path exists in dist (fail if not)
        end
        Shell->>Shell: grep for remaining legacy matches (with line numbers)
        alt remaining found
            DockerBuild->>DockerBuild: fail build ("OpenClaw exec approvals path patch failed")
        else
            DockerBuild-->>DockerBuild: continue build
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nibble through Docker’s midnight seam,
Rewriting paths like a soft, bright dream.
From .openclaw to .openclaw-data I bound,
Patching bytes until no ghosts are found.
A tiny hop — approvals safe and sound.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly and concisely describes the main change: routing exec approvals configuration to a new writable data directory.
  • Linked Issues check: Passed. The PR implements all core requirements from issue #1785: patches exec-approvals path in Dockerfile.base, adds runtime compatibility in Dockerfile, includes dist validation, and provides regression test coverage.
  • Out of Scope Changes check: Passed. All changes are directly scoped to fixing the exec-approvals path regression: Dockerfile updates patch the path, regression test validates the fix, with no extraneous modifications.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


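The patch-and-verify step described in the PR's Changes list and in the walkthrough above, as an added example that is not NemoClaw's or OpenClaw's own Dockerfile code. It assumes the function names patch_exec_approvals_path and make_sample_dist, takes the dist directory as a parameter instead of resolving $(npm root -g)/openclaw/dist, and assumes GNU grep and sed (for --include and sed -i); the sample dist it creates is constructed, not a real OpenClaw bundle.

```shell
#!/bin/sh
# Added example (not NemoClaw's own Dockerfile code): the patch-and-verify
# step the PR describes, as one POSIX sh function. Assumed names:
# patch_exec_approvals_path, make_sample_dist; the dist dir is a parameter
# instead of $(npm root -g)/openclaw/dist. GNU grep/sed are assumed.
set -u

LEGACY_EXEC_APPROVALS_PATH='~/.openclaw/exec-approvals.json'
DATA_EXEC_APPROVALS_PATH='~/.openclaw-data/exec-approvals.json'

# Usage: patch_exec_approvals_path <dist-dir>
# Returns 0 when patched or already patched, 1 if the dist dir is missing,
# 2 if neither path marker exists (cannot verify), 3 if legacy remnants remain.
patch_exec_approvals_path() {
    dist_dir=$1
    if [ ! -d "$dist_dir" ]; then
        echo "OpenClaw dist directory not found: $dist_dir" >&2
        return 1
    fi
    # -F matches the literal string, so '.' is not a regex wildcard.
    files_with_old_path=$(grep -rlF --include='*.js' \
        "$LEGACY_EXEC_APPROVALS_PATH" "$dist_dir" || true)
    if [ -n "$files_with_old_path" ]; then
        # Rewrite only the bundles that still carry the legacy path.
        printf '%s\n' "$files_with_old_path" | while IFS= read -r f; do
            sed -i "s|$LEGACY_EXEC_APPROVALS_PATH|$DATA_EXEC_APPROVALS_PATH|g" "$f"
        done
    elif ! grep -rqF --include='*.js' "$DATA_EXEC_APPROVALS_PATH" "$dist_dir"; then
        # Neither marker present: the bundle layout changed, do not pass silently.
        echo "OpenClaw exec approvals path could not be verified in $dist_dir" >&2
        return 2
    fi
    # Post-patch guard: any surviving legacy reference fails the step.
    if grep -rnF --include='*.js' "$LEGACY_EXEC_APPROVALS_PATH" "$dist_dir"; then
        echo "OpenClaw exec approvals path patch failed" >&2
        return 3
    fi
    return 0
}

# Constructed sample dist (not a real OpenClaw bundle) for trying the function.
make_sample_dist() {
    d=$(mktemp -d)
    printf 'const p = "~/.openclaw/exec-approvals.json";\n' > "$d/cli.js"
    printf 'const q = "unrelated";\n' > "$d/other.js"
    echo "$d"
}

dist=$(make_sample_dist)
patch_exec_approvals_path "$dist" && grep -F 'openclaw-data' "$dist/cli.js"
```

Running the function a second time on an already-patched dist takes the verification branch and still returns 0, which is the idempotence a stale-base-image rebuild relies on.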

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/exec-approvals-path-regression.test.ts (1)

1-1: Avoid blanket @ts-nocheck in this test

This test is small and typed APIs are straightforward; removing global type suppression would preserve static checks with minimal cost.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/exec-approvals-path-regression.test.ts` at line 1, Remove the blanket
"// `@ts-nocheck`" at the top of test/exec-approvals-path-regression.test.ts; run
the type checker and fix the reported issues by adding explicit types to test
variables/fixtures and imports used in the describe/it blocks (e.g., types for
any helper like exec or approvalsPath), or where a true type mismatch cannot be
resolved, replace a global suppression with a single-line "// `@ts-expect-error`"
immediately adjacent to that specific statement so static checking remains
enabled for the rest of the file.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile`:
- Around line 220-230: The RUN step that sets OPENCLAW_DIST_DIR and searches for
the old path is too permissive: if the dist directory is missing or neither the
old nor new path strings are present the build can silently pass. Update the RUN
block that defines OPENCLAW_DIST_DIR and uses files_with_old_path/grep to
explicitly verify the target directory exists and then assert that at least one
of the expected strings is present (the old "~/.openclaw/exec-approvals.json" or
the new "~/.openclaw-data/exec-approvals.json"); if the directory is missing or
neither string is found, fail the build (exit 1) and emit a clear error. Use the
existing variable names (OPENCLAW_DIST_DIR, files_with_old_path) and the same
grep operations but add checks for -d "$OPENCLAW_DIST_DIR" and a grep -q for the
new path, and ensure the final verification step fails when neither path is
detected.

---

Nitpick comments:
In `@test/exec-approvals-path-regression.test.ts`:
- Line 1: Remove the blanket "// `@ts-nocheck`" at the top of
test/exec-approvals-path-regression.test.ts; run the type checker and fix the
reported issues by adding explicit types to test variables/fixtures and imports
used in the describe/it blocks (e.g., types for any helper like exec or
approvalsPath), or where a true type mismatch cannot be resolved, replace a
global suppression with a single-line "// `@ts-expect-error`" immediately adjacent
to that specific statement so static checking remains enabled for the rest of
the file.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 47ee7215-50b8-442e-bf6b-6859d7e11020

📥 Commits

Reviewing files that changed from the base of the PR and between d4aac4c and b605f63.

📒 Files selected for processing (3)
  • Dockerfile
  • Dockerfile.base
  • test/exec-approvals-path-regression.test.ts

Fail the runtime compatibility patch when the OpenClaw dist directory is missing or when neither old nor new exec approvals path markers can be found. Update regression assertions accordingly.
@wscurran wscurran added the bug Something isn't working label Apr 13, 2026
@wscurran
✨ Thanks for submitting this PR, which proposes a fix for a bug with the exec approvals regression.


Possibly related open issues:

@wscurran wscurran added the Integration: OpenClaw Support for OpenClaw label Apr 13, 2026
Avoid quoted tilde literals in exec approvals patch guards, remove the runtime-stage pipe that triggered hadolint, and tighten regression coverage for the new guard structure.

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile`:
- Around line 221-243: The stale-base fallback must ensure the redirected data
dir is writable by the sandbox user before patching paths: after determining
OPENCLAW_DIST_DIR and before using DATA_EXEC_APPROVALS_PATH, create the
~/.openclaw-data directory (e.g. /sandbox/.openclaw-data) if missing and set
ownership/permissions to the sandbox user (chown to sandbox:sandbox and/or chmod
to allow write) so OpenClaw can create exec-approvals.json; update the
Dockerfile sequence around the LEGACY_EXEC_APPROVALS_PATH /
DATA_EXEC_APPROVALS_PATH patch block to perform this chown/mkdir step alongside
the existing chown of logs/credentials/sandbox.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: fdd794d6-b609-430a-8383-58559cf36264

📥 Commits

Reviewing files that changed from the base of the PR and between 305b9ba and 0ae01c7.

📒 Files selected for processing (2)
  • Dockerfile
  • Dockerfile.base
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfile.base

@wscurran wscurran added the enhancement: integration PRs or issues proposing integration of a third-party product or service into NemoClaw. label Apr 14, 2026
Development

Successfully merging this pull request may close these issues.

.openclaw folder split broke exec-approvals.json