[codex] disable unsupported OpenClaw self-update hints in sandbox

[13ernkastel]

Summary

This PR stops NemoClaw sandbox images from advertising openclaw update as the supported upgrade path.

Root cause

NemoClaw installs openclaw into the sandbox image at build time and pins that version in Dockerfile.base, but the generated sandbox config still allows OpenClaw's startup update hint. Inside the sandbox that hint tells users to run openclaw update, which leads them into an in-container self-update flow that is not how NemoClaw images are upgraded.

What changed

• disable startup update hints in the generated sandbox openclaw.json
• document the supported upgrade path in troubleshooting docs
• add an image-level regression assertion that the sandbox config sets update.checkOnStart to false

User impact

Users inside a NemoClaw sandbox will stop seeing a misleading recommendation to run openclaw update. The supported path remains shipping a newer pinned OpenClaw version in the image and recreating the sandbox from that image.

Addresses #1029.

Validation

• bash -n test/e2e-gateway-isolation.sh
• git diff --check
• not run: ./test/e2e-gateway-isolation.sh (docker is not installed in the publishing environment)

Summary by CodeRabbit

• Documentation

  • Added troubleshooting guidance for update operations that hang or time out when run inside sandboxes, and recommended resolution steps.

• Configuration

  • Startup update checks are disabled by default in the generated runtime configuration.

• Tests

  • End-to-end gateway isolation tests updated to verify the startup update hint is disabled and test sequence renumbered accordingly.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ff2e564a-d6df-4672-b272-a18b019e900d

📥 Commits

Reviewing files that changed from the base of the PR and between e1b790a and cc4177c.

📒 Files selected for processing (1)

• Dockerfile

✅ Files skipped from review due to trivial changes (1)

• Dockerfile

---

📝 Walkthrough

Walkthrough

Build-time config now sets update.checkOnStart: False in the generated openclaw.json; documentation was added explaining why openclaw update must not be run inside sandboxes; e2e tests were updated to assert the new config value and renumbered accordingly.

Changes

Cohort / File(s)	Summary
Configuration Generation Dockerfile	Added update.checkOnStart: False to the build-time generated openclaw.json to disable startup update checks in sandbox images.
Documentation docs/reference/troubleshooting.md	Added a troubleshooting subsection describing that openclaw update may hang inside sandboxes (expected when openclaw is pinned) and instructions to upgrade NemoClaw or rebuild the sandbox base image.
End-to-End Tests test/e2e-gateway-isolation.sh	Inserted a new test asserting /sandbox/.openclaw/openclaw.json contains update.checkOnStart: False; previous test about config hash writability was renumbered and subsequent tests updated accordingly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I toggled a flag in the build-time dew,
No startup checks hopping into view,
Docs whisper why updates stall,
Tests peek in the sandbox hall,
Rebuild the image, and all will be new. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: disabling OpenClaw self-update hints in the sandbox environment, which aligns with the core objective of preventing unsupported update suggestions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wscurran]

✨ Thanks for submitting this pull request, which proposes a way to disable unsupported OpenClaw self-update hints in sandbox.

---

Possibly related open issues:

• #1117 sandbox@my-assistant:~$ openclaw update ## npm install -g openclaw@latest
• #1179 [NemoClaw][Brev Launchable] Openclaw UI only shows the most recently onboarded sandbox configuration when two sandboxes exist
• #1244 [NemoClaw][All Platform] [v0.0.2] in sandbox with nemotron-3-super-120b-a12b,  openclaw agent --agent main --local -m "hello" replies with xml tool_call

[13ernkastel]

Temporarily closing this bundled security PR to free one contributor PR slot for the grouped cleanup PR. I’ll link the replacement PR here as soon as it is open.

[13ernkastel]

Follow-up: the grouped cleanup PR is now open at #1500. I’m grouping the remaining Telegram/self-update security cleanup there while keeping #1416 and #1499 separate on purpose.

[13ernkastel]

Consolidated into the open security PR #1416: #1416