chore: upgrade OpenClaw from 2026.4.9 to 2026.4.24

[ericksoa]

Summary

Upgrades OpenClaw from 2026.4.9 to 2026.4.24 (latest stable, CalVer).

Three real fixes landed for the upgrade. A fourth issue (TC-SBX-02 hang) is still being root-caused.

Fixes in this PR

1. Version bumps — Dockerfile.base, nemoclaw-blueprint/blueprint.yaml, agents/openclaw/manifest.yaml, src/lib/sandbox-version.test.ts
2. Patch 4 updated — OpenClaw 2026.4.24 restructured replaceConfigFile to first attempt tryWriteSingleTopLevelIncludeMutation (writes to a $include file like plugins.json5) before falling back to writeConfigFile. The old patch matched an exact tab-indented writeConfigFile(params.nextConfig, {...}) string that no longer exists. Updated to match the new if (!await tryWriteSingleTopLevelIncludeMutation(...)) await writeConfigFile(...) block and wrap the entire write path in the OPENSHELL_SANDBOX-gated EACCES try/catch.
3. plugin-runtime-deps symlink — OpenClaw 2026.4.24 introduced lazy plugin runtime dep installation (Jiti loader). The CLI writes to ~/.openclaw/plugin-runtime-deps/openclaw-<version>-<hash>/ on first invocation. NemoClaw locks /sandbox/.openclaw to 444 root:root, so every bundled provider failed to load with EACCES. Fix: created the dir in the writable .openclaw-data tree and symlinked it from the immutable config tree, mirroring the existing pattern used for logs, credentials, extensions, etc. Added in both Dockerfile.base (canonical) and Dockerfile (idempotent fixup for stale GHCR base).
4. Sandbox safety-net gated to gateway processes only — _SANDBOX_SAFETY_NET (a Node --require preload from nemoclaw-start.sh) installs an unconditional unhandledRejection/uncaughtException swallower. Its purpose is to keep the long-running gateway alive across non-fatal library bugs, but NODE_OPTIONS=--require propagates to every Node process in the sandbox — including short-lived CLI commands. Gated to process.argv[2] === "gateway" so CLI commands (agent, doctor, plugins, tui) get default Node behavior.

Status

Run with all four fixes:

• ✅ 14 of 15 nightly E2E jobs PASS: cloud, messaging-providers, inference-routing, network-policy, sandbox-survival, snapshot-commands, deployment-services, diagnostics, shields-config, skip-permissions, token-rotation, hermes, rebuild-hermes, rebuild-openclaw, upgrade-stale-sandbox.
• ❌ sandbox-operations-e2e fails — only TC-SBX-02 (Connect & Chat) within it. All other 14 cases in that file PASS (sandbox listing, status, log streaming, registry rebuild, process recovery, multi-sandbox isolation, network isolation, destroy cleanup, gateway auto-recovery).

TC-SBX-02 — what we know

sandbox_exec "openclaw agent --agent main -m 'Say exactly: HELLO_E2E' --session-id e2e-test"

Times out at 60s. The captured output is one EnvHttpProxyAgent is experimental Node warning then silence. On 2026.4.9 the same call completed in ~20s with a real LLM round trip.

What we ruled out via instrumentation and code reading:

• Plugin EACCES (fixed via Change small local model to qwen3.5:9b #3)
• Client-side rejection swallow (fixed via Validate sandbox sessionId to prevent command injection #4 — would now surface as a Node stack trace via the ciao guard's uncaughtException fallthrough; we don't see one, so no rejection is happening on the CLI side)
• Inference path / network policy (cloud-e2e curl-to-inference.local passes — proxy + DNS + L7 allowlist all work)
• SSH (TC-SBX-04, TC-SBX-08, TC-SBX-11 use sandbox_exec and pass — SSH is healthy)
• Auth / device pairing (no device token mismatch error visible)
• Connect handshake timeout (10s default — would surface as error if it tripped)

What's left: the gateway receives the agent RPC and doesn't respond within 60s. The gateway still runs the safety-net preload (intentional — it should stay alive across non-fatal errors). If the gateway-side agent method handler hits an unhandledRejection from the new 2026.4.24 plugin path (e.g., the gateway user lacks write access to the sandbox-owned plugin-runtime-deps cache for a runtime-side install attempt), that rejection gets eaten by the gateway's safety net and the client awaits a response that never comes. That fits every observed symptom: silent hang, no client-side error, gateway alive enough to serve nemoclaw logs and nemoclaw status but not the agent method.

To pin this down definitively requires reading /tmp/gateway.log content during the hang. The test framework doesn't capture that file, and I've held the line on not changing the test contract or test infra. I'm requesting guidance on whether it's acceptable to add a NemoClaw-side runtime diagnostic (e.g., have nemoclaw-start.sh background-tail /tmp/gateway.log to PID 1's stderr so the gateway log appears in docker logs / nemoclaw <sandbox> logs) — that's a NemoClaw change, not a test change, but it does add runtime noise.

Notable upstream changes (2026.4.9 → 2026.4.24)

• Google Meet bundled plugin, DeepSeek V4 Flash/Pro, realtime voice loops (Talk/Voice Call/Google Meet), Gemini Live, browser automation improvements
• Lighter startup: static model catalogs, manifest-backed model rows, lazy provider dependencies (the new plugin-runtime-deps mechanism — root cause of fix Change small local model to qwen3.5:9b #3)
• Breaking: Plugin SDK tool-result transforms migrated from registerEmbeddedExtensionFactory() to registerAgentToolResultMiddleware() — verified NemoClaw uses neither
• Breaking: Plugin registry migrated from plugins.installs config key to managed plugins/installs.json ledger — openclaw doctor --fix migrates automatically
• Config writes restructured to use single-file $include mutations before falling back to full config write (root cause of fix feature: custom settings for using build endpoints #2)
• CVE-2026-41349, CVE-2026-22181 fixes; exec-approvals chat enablement (2026.4.22); cron jobs-state.json separation (2026.4.20)

User sandbox state migration on rebuild

Existing user sandboxes upgrade via nemoclaw <name> rebuild. State (memory/, workspace/, agents/, extensions/, etc.) is backed up via tar, sandbox is destroyed and recreated with the new image, state is restored, openclaw doctor --fix runs post-restore.

Handled automatically: memory, cron job definitions, plugin auto-discovery, plugin registry migration. Existing reset behavior (not new): exec-approvals, credentials, device pairing. New minor behavior change: cron runtime state (jobs-state.json) absent in pre-2026.4.20 backups — job execution history resets, jobs may re-fire once after upgrade.

Test plan

• CI lint, typecheck, unit tests pass
• Docker base image and sandbox image build with all four dist patches applied
• 14/15 nightly E2E jobs pass cleanly
• TC-SBX-02 — pending root-cause confirmation (see Status above)
• Manual smoke test via nemoclaw <sandbox> connect interactive flow
• Rebuild test: existing 2026.4.9 sandbox → rebuild → verify state preserved (rebuild-openclaw-e2e covers this)

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updates OpenClaw from version 2026.4.9 to 2026.4.24 across build configuration, manifests, and tests. Introduces plugin runtime dependencies cache directory with proper permissions and group configuration. Implements new config writing API with sandbox error handling for read-only environments.

Changes

Cohort / File(s)	Summary
Version Upgrades Dockerfile.base, agents/openclaw/manifest.yaml, nemoclaw-blueprint/blueprint.yaml	Bump OpenClaw version from 2026.4.9 to 2026.4.24 across build configuration and manifest declarations.
Dockerfile Configuration Dockerfile	Implements new OpenClaw 2026.4.24+ config writing via tryWriteSingleTopLevelIncludeMutation with writeConfigFile fallback. Adds error handling for EACCES in sandboxes. Creates /sandbox/.openclaw-data/plugin-runtime-deps directory with group-write permissions (setgid/2775) to allow gateway user write access.
Test Updates src/lib/sandbox-version.test.ts	Update test fixtures and assertions to expect OpenClaw version 2026.4.24 across mocked agent definitions, version comparisons, and staleness warnings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hopping through configs, the version's bumped high,
From point-nine to point-twenty-four in the sky!
Plugin deps find a cache with a gateway's new right,
Sandboxes protected from permission-denied plight.
A safer, stronger OpenClaw, shiny and bright! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'chore: upgrade OpenClaw from 2026.4.9 to 2026.4.24' accurately reflects the primary change across the changeset—upgrading the OpenClaw version and updating all related version references.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch upgrade/openclaw-2026.4.24

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[olegshilov]

lgtm

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/test-sandbox-operations.sh`:
- Line 282: The diag_env diagnostic line leaks secrets by expanding the token
values; replace the unsafe expansions
`${OPENCLAW_GATEWAY_TOKEN:+set}${OPENCLAW_GATEWAY_TOKEN:-unset}` and the
analogous `NVIDIA_API_KEY` expansion in the sandbox_exec invocation so they
never emit the variable contents, and instead emit only the literal "set" or
"unset"; implement this by checking each variable's presence (e.g., an explicit
conditional or test for non-empty) and printing "set" when present or "unset"
when not, updating the diag_env/sandbox_exec call accordingly to reference
OPENCLAW_GATEWAY_TOKEN and NVIDIA_API_KEY securely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5161bcbc-13b7-4cd0-8a9d-5d0f0d383403

📥 Commits

Reviewing files that changed from the base of the PR and between 5dcb0a9 and 2aacc51.

📒 Files selected for processing (1)

• test/e2e/test-sandbox-operations.sh

[coderabbitai]

♻️ Duplicate comments (1)

test/e2e/test-sandbox-operations.sh (1)

286-286: ⚠️ Potential issue | 🔴 Critical

Sensitive values can still be exposed in diagnostics.

Line 286 uses ${OPENCLAW_GATEWAY_TOKEN:+set}${OPENCLAW_GATEWAY_TOKEN:-unset} (and the same for NVIDIA_API_KEY), which includes the secret value when set. This can leak credentials into CI logs.

🔧 Proposed fix

-  diag_env=$(sandbox_exec 'echo HTTP_PROXY=${HTTP_PROXY:-unset}; echo HTTPS_PROXY=${HTTPS_PROXY:-unset}; echo NO_PROXY=${NO_PROXY:-unset}; echo OPENCLAW_GATEWAY_URL=${OPENCLAW_GATEWAY_URL:-unset}; echo OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN:+set}${OPENCLAW_GATEWAY_TOKEN:-unset}; echo OPENSHELL_SANDBOX=${OPENSHELL_SANDBOX:-unset}; echo NVIDIA_API_KEY=${NVIDIA_API_KEY:+set}${NVIDIA_API_KEY:-unset}' 2>&1) || true
+  diag_env=$(sandbox_exec 'echo HTTP_PROXY=${HTTP_PROXY:-unset}; echo HTTPS_PROXY=${HTTPS_PROXY:-unset}; echo NO_PROXY=${NO_PROXY:-unset}; echo OPENCLAW_GATEWAY_URL=${OPENCLAW_GATEWAY_URL:-unset}; echo OPENCLAW_GATEWAY_TOKEN=$([ -n "${OPENCLAW_GATEWAY_TOKEN:-}" ] && echo set || echo unset); echo OPENSHELL_SANDBOX=${OPENSHELL_SANDBOX:-unset}; echo NVIDIA_API_KEY=$([ -n "${NVIDIA_API_KEY:-}" ] && echo set || echo unset)' 2>&1) || true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/test-sandbox-operations.sh` at line 286, The diagnostic command
leaks secret values because
`${OPENCLAW_GATEWAY_TOKEN:+set}${OPENCLAW_GATEWAY_TOKEN:-unset}` (and the
NVIDIA_API_KEY variant) concatenates "set" with the actual secret; change the
diagnostic to print only "set" or "unset" without expanding the value by
replacing those expansions with a conditional-only check (e.g., use a single
parameter expansion or an explicit test) inside the sandbox_exec invocation so
OPENCLAW_GATEWAY_TOKEN and NVIDIA_API_KEY are never interpolated into the logged
string.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@test/e2e/test-sandbox-operations.sh`:
- Line 286: The diagnostic command leaks secret values because
`${OPENCLAW_GATEWAY_TOKEN:+set}${OPENCLAW_GATEWAY_TOKEN:-unset}` (and the
NVIDIA_API_KEY variant) concatenates "set" with the actual secret; change the
diagnostic to print only "set" or "unset" without expanding the value by
replacing those expansions with a conditional-only check (e.g., use a single
parameter expansion or an explicit test) inside the sandbox_exec invocation so
OPENCLAW_GATEWAY_TOKEN and NVIDIA_API_KEY are never interpolated into the logged
string.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: acfac00c-0120-4ef6-ac19-94ac3a5d1d09

📥 Commits

Reviewing files that changed from the base of the PR and between e1f1be8 and 1e512b1.

📒 Files selected for processing (1)

• test/e2e/test-sandbox-operations.sh

[coderabbitai]

🧹 Nitpick comments (1)

Dockerfile (1)

186-187: Pattern matching in minified JS is fragile.

The Python patch uses exact string matching including literal tabs (\t) and newlines (\n). Minified JavaScript bundles often vary in whitespace formatting between versions or build environments. The assertion assert old in src will fail-close (which is good), but consider:

1. The pattern assumes specific formatting that may not survive re-minification
2. Upstream OpenClaw version bumps could silently change whitespace

The fail-close behavior is correct — the build aborts if the pattern isn't found. However, when this inevitably breaks on a future OpenClaw bump, debugging the exact whitespace mismatch will be tedious.

💡 Alternative: Consider regex-based patching for resilience

A more robust approach would use regex matching that's whitespace-tolerant:

import re
pattern = re.compile(
    r'if\s*\(\s*!\s*await\s+tryWriteSingleTopLevelIncludeMutation\s*\(\s*\{[^}]+\}\s*\)\s*\)\s*await\s+writeConfigFile\s*\([^;]+\);',
    re.DOTALL
)

This would survive minor formatting changes. However, the current exact-match approach is acceptable given the fail-close assertion — just be prepared for patch maintenance on version bumps.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 186 - 187, The current Python one-liner patches the
minified JS by exact string match of the
tryWriteSingleTopLevelIncludeMutation/writeConfigFile block (the variables
old/new and the assert old in src), which is fragile against
whitespace/minification changes; change the script to use a regex-based,
whitespace-tolerant search (e.g., compile a pattern that matches the if(!await
tryWriteSingleTopLevelIncludeMutation(...)) await writeConfigFile(...) block
with \s* and re.DOTALL) and perform a re.sub to inject the new try { ... }
catch(...) wrapper, then update the assertion to check the regex matched (or
that the file changed) instead of relying on the literal old string.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Dockerfile`:
- Around line 186-187: The current Python one-liner patches the minified JS by
exact string match of the tryWriteSingleTopLevelIncludeMutation/writeConfigFile
block (the variables old/new and the assert old in src), which is fragile
against whitespace/minification changes; change the script to use a regex-based,
whitespace-tolerant search (e.g., compile a pattern that matches the if(!await
tryWriteSingleTopLevelIncludeMutation(...)) await writeConfigFile(...) block
with \s* and re.DOTALL) and perform a re.sub to inject the new try { ... }
catch(...) wrapper, then update the assertion to check the regex matched (or
that the file changed) instead of relying on the literal old string.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 26c92d4a-9980-47a5-8dc7-a8dc2fab2065

📥 Commits

Reviewing files that changed from the base of the PR and between 1e512b1 and 521c599.

📒 Files selected for processing (2)

• Dockerfile
• Dockerfile.base

🚧 Files skipped from review as they are similar to previous changes (1)

• Dockerfile.base

[ericksoa]

Root cause: bonjour mDNS plugin destabilizes WS connections in sandbox netns

After significant diagnostic plumbing (the openclaw structured event log lives at /tmp/openclaw-<uid>/openclaw-<date>.log, not /tmp/gateway.log), the gateway-log streamer artifact (workflow sandbox-operations-docker-logs) finally captured the failure window for TC-SBX-02. Smoking-gun timeline from the gateway log:

03:17:39.354  [plugins] bonjour: restarting advertiser (service stuck in probing)
03:17:39.367  [openclaw] Unhandled promise rejection: CIAO PROBING CANCELLED
03:17:39.370  wrote stability bundle (rejection logged)
03:17:39.387  [gateway/ws] closed before connect conn=... code=1006 reason=n/a
              (handshake pending, durationMs=7)

19 ms between the unhandled rejection from the bonjour plugin and the abrupt WebSocket close.

Causal chain

1. The bonjour plugin (mDNS service advertiser) attempts to probe network interfaces every few seconds
2. The sandbox netns has no usable interfaces → os.networkInterfaces() throws
3. NemoClaw's ciao guard (in nemoclaw-start.sh) monkey-patches os.networkInterfaces to return empty on failure — BUT that doesn't stop ciao from cancelling its in-flight probe with "CIAO PROBING CANCELLED", which surfaces as an unhandled Promise rejection
4. The ciao guard only catches synchronous uncaughtException, not async unhandledRejection
5. The sandbox-safety-net catches the rejection (gateway-only after the earlier gate fix in this PR), but the swallow happens during the same event loop tick as in-flight WebSocket handshakes
6. Pending WS connections from the openclaw agent CLI get torn down with code 1006 (abnormal closure)
7. The agent CLI retries, hits the same race, eventually times out at the 10s connect-challenge timeout
8. The CLI's console.error failure message goes to the openclaw structured log, NOT stdout/stderr — that's why the test only ever saw the two UNDICI warnings followed by 60s of silence

Why this surfaces in 2026.4.24 but not 2026.4.9

Plugin load timing changed in the 2026.4.10–24 range (Jiti-based plugin loader, "lazy provider dependencies" in the release notes). The bonjour rejection window now overlaps WS handshakes more aggressively. On 2026.4.9 the timing was a lucky race; on 2026.4.24 it reliably hits.

Why disable bonjour is the right fix

mDNS service advertisement is structurally useless inside a NemoClaw sandbox:

• The sandbox netns is isolated — there are no peers on the network to advertise the gateway to
• The only way the gateway is reached from outside the sandbox is via the openshell SSH tunnel (nemoclaw <sandbox> connect), which doesn't use mDNS discovery
• Internal-to-sandbox callers (the agent CLI, the configure-guard) connect to 127.0.0.1:18789 directly via the openclaw config, not via mDNS lookup
• Continuing to load bonjour produces nothing useful and actively destabilizes the gateway every few seconds

This is the kind of plugin that exists for the user-laptop deployment story (where mDNS finds your assistant on a home network), not for the headless sandbox case NemoClaw runs.

Fix in this PR

plugins.entries.bonjour.enabled = false in the generated openclaw.json. Single line in the Dockerfile's Python config generator. Doesn't affect the user-laptop NemoClaw flow (different config path).

Validation re-run in progress: https://github.com/NVIDIA/NemoClaw/actions/runs/24975221024

Diagnostic infrastructure to remove on green

Once TC-SBX-02 passes, these diagnostic-only commits should be reverted:

• [gateway-log:] mirror in nemoclaw-start.sh (PID 1 stderr tail of /tmp/gateway.log)
• Start gateway log streamer (background) and related steps in .github/workflows/nightly-e2e.yaml

These were necessary to find the root cause but add ambient runtime/CI overhead. Cleanup commit will be marked with revert(diag): ….

[ericksoa]

Version bisect: bonjour plugin introduced in OpenClaw 2026.4.15

Bisected the dist tarballs from npm:

Version	bonjour plugin
2026.4.9	NOT PRESENT
2026.4.10	NOT PRESENT
2026.4.12	NOT PRESENT
2026.4.13	NOT PRESENT
2026.4.14	NOT PUBLISHED
2026.4.15	PRESENT (bonjour-discovery-*.js, extensions/bonjour/)
2026.4.20	PRESENT
2026.4.22	PRESENT
2026.4.24	PRESENT

This confirms the architectural cause and answers the user-facing question:

• The bonjour-disable fix is needed for any OpenClaw bump from < 2026.4.15 to >= 2026.4.15. It's not specific to 2026.4.24; pinning to 2026.4.13 or 2026.4.10 (still bumping past 2026.4.9) wouldn't trip it. The first version that ships bonjour is the one where TC-SBX-02 starts hanging on every run.
• The min_openclaw_version floor in nemoclaw-blueprint/blueprint.yaml should be at or above 2026.4.15 if we want this fix to be load-bearing for all builds. (We're already at 2026.4.24 — no change needed there. But if anyone tries to bump backwards, the fix becomes irrelevant; if anyone bumps forward, it remains applied as long as bonjour is still a bundled plugin in OpenClaw.)
• Removal criteria for the fix: drop the plugins.entries.bonjour.enabled = false line if upstream OpenClaw fixes the bonjour plugin to handle netns-restricted environments without throwing async unhandledRejections, OR if upstream removes bonjour from the bundled-plugin set entirely.

Reasoning recap

mDNS service advertisement in a NemoClaw sandbox is structurally useless: the netns is isolated, no peers exist on the L2 segment to receive the advertisement, no clients exist to discover the service. The gateway's only consumers are (a) the openclaw agent CLI inside the same sandbox connecting to 127.0.0.1:18789 directly, and (b) the openshell SSH tunnel that nemoclaw <sandbox> connect opens — neither uses mDNS. Continuing to load bonjour produces zero useful behavior and actively destabilizes other gateway connections by triggering CIAO PROBING CANCELLED rejections in the same event-loop tick as in-flight WS handshakes.

Validation in progress

Re-triggered nightly with the bonjour-disable fix landed: https://github.com/NVIDIA/NemoClaw/actions/runs/24975221024

If the hypothesis is right, sandbox-operations-e2e (TC-SBX-02 specifically) should now pass alongside the other 16 jobs. Will report back when the run completes (~30 min).

[ericksoa]

Validation result: bonjour disabled but TC-SBX-02 still hangs

Run 24976192166 confirmed the bonjour-disable fix is applied correctly:

Before: [gateway] ready (6 plugins: acpx, bonjour, browser, device-pair, phone-control, talk-voice)
After:  [gateway] ready (5 plugins: acpx,          browser, device-pair, phone-control, talk-voice)

The captured gateway log has no more CIAO PROBING CANCELLED rejections — that part of the chain is genuinely gone. But TC-SBX-02 still hangs with the same 60s SSH timeout. So bonjour was a contributing trigger, not the sole cause.

What the new log shows

Gateway timeline this run:

04:32:51.799  [gateway] ready (5 plugins, no bonjour)
04:32:51.810  [gateway] starting channels and sidecars...
04:33:03.810  [openclaw] Failed to start CLI: gateway timeout after 10000ms
04:33:05.807  [gateway/ws] closed before connect durationMs=3 code=1006
04:33:13.202  [plugins] embedded acpx runtime backend registered  (← 22s gap)

Two things here:

1. WebSocket still gets dropped (1006, 3ms after handshake start) during the "starting channels and sidecars" window even without bonjour. Some other plugin/sidecar in startup is also disrupting handshakes.
2. The streamer stopped capturing at 04:33:13. TC-SBX-02 ran at 04:34:55 — 1m42s later. We have no visibility into the actual TC-SBX-02 hang window because either (a) the gateway logs nothing during that window, or (b) the SSH-based streamer got disconnected before the test reached TC-SBX-02 and my polling logic did not re-establish.

The errors visible in the captured log (04:33:03, 04:33:05) are from the onboard probe, not TC-SBX-02 itself.

Next steps I see

a) Make the streamer self-heal (re-connect SSH if its follower dies, not just on new sandbox name). That gets us visibility into the actual TC-SBX-02 window.

b) Look at acpx more carefully — the 22-second gap between gateway "ready" and acpx "registered" is suspicious; acpx probably retries the npm install for @zed-industries/codex-acp (which the L7 proxy denies with 403) and that retry might be throwing async rejections similar to bonjour.

c) Investigate disabling MORE non-essential plugins (acpx specifically) and see if that finally unblocks TC-SBX-02.

I can pursue any/all. My honest take: the safety net's swallow-and-continue behavior on async rejections is the underlying systemic issue — any plugin that throws an unhandled rejection during sidecar startup will tear down in-flight handshakes the same way bonjour did. Disabling plugins one by one is whack-a-mole. The real fix is making the safety net not destabilize WS connections when it swallows, OR removing the safety net altogether and letting OpenClaw fail fast.

Awaiting direction.