fix(e2e): pin old gateway base for resolved digests

[ericksoa]

Summary

• make the old gateway-upgrade Docker wrapper rewrite any BASE_IMAGE=* build arg, including resolved sandbox-base digests
• keep the v0.0.36 fixture on the historical sandbox base instead of inheriting current OpenClaw from main
• add a guard that fails clearly if the old fixture consumes a newer OpenClaw than the pinned 2026.4.24

Why

The full nightly showed openshell-gateway-upgrade-e2e failing before upgrade validation: the old v0.0.36 install received a resolved current sandbox-base digest containing OpenClaw 2026.5.18. Because the old Dockerfile treats 2026.4.24 as a minimum, it skipped installing the intended OpenClaw and then the old source-shape patch failed.

Test plan

• bash -n test/e2e/test-openshell-gateway-upgrade.sh
• git diff --check
• dispatch E2E / Nightly with jobs=openshell-gateway-upgrade-e2e against this PR head

Summary by CodeRabbit

• Tests
  • Strengthened regression tests: improved handling of base-image pulls and build arguments, injection of historical runtime-version handling during builds, and pre/post-install checks to ensure the expected runtime is selected. Installer failures now include captured wrapper activity logs for easier diagnosis.

Note: This release contains no user-visible changes.

[coderabbitai]

📝 Walkthrough

Walkthrough

Generalizes the old docker wrapper's base/pull and BASE_IMAGE build-arg rewrites, injects a pinned OpenClaw install when Dockerfiles contain a min_openclaw_version gate, and improves installer failure diagnostics and post-install log verification for the old NemoClaw installer.

Changes

Gateway Upgrade Test Hardening

Layer / File(s)	Summary
sandbox-base tag and pull rewrite test/e2e/test-openshell-gateway-upgrade.sh	Defines base_tag for sandbox-base:latest and rewrites pulls of that tag to the pinned base_ref in pull mode, retagging after pull.
BASE_IMAGE build-arg rewriting generalization test/e2e/test-openshell-gateway-upgrade.sh	Matches and rewrites both --build-arg BASE_IMAGE=... and --build-arg=BASE_IMAGE=... forms to BASE_IMAGE=${base_ref}.
Inject pinned OpenClaw install before Dockerfile gate test/e2e/test-openshell-gateway-upgrade.sh	Adds patch_old_installer_fixture to detect min_openclaw_version markers and inject steps to uninstall and force-install the pinned historical OpenClaw before the gate.
Installer failure logging test/e2e/test-openshell-gateway-upgrade.sh	On installer payload failure, prints the saved old docker-wrapper activity log when available.
Old NemoClaw installer log verification test/e2e/test-openshell-gateway-upgrade.sh	Patches the old installer fixture before running and parses OLD_INSTALL_LOG to fail on mismatched/current OpenClaw selection or missing evidence of the pinned OLD_OPENCLAW_VERSION.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4047: Both PRs modify test/e2e/test-openshell-gateway-upgrade.sh’s old docker-wrapper logic to ensure BASE_IMAGE is pinned/re-written to the historical sandbox-base reference when BASE_IMAGE isn’t provided (with the main PR extending that behavior further for sandbox-base:latest pull/retag and broader build-arg rewrite).
• NVIDIA/NemoClaw#4041: Both PRs modify test/e2e/test-openshell-gateway-upgrade.sh’s “old docker wrapper” flow—pinning the old sandbox base/OpenClaw inputs and using the wrapper during the old installer path—so the main PR’s extended wrapper and related installer/log-verification changes build directly on the same mechanism.
• NVIDIA/NemoClaw#3820: Related changes touching OpenClaw version gating and expectations used by the injected install and Dockerfile gates.

Suggested labels

OpenShell

Suggested reviewers

• jyaunches
• cv

Poem

🐰 I hop through Dockerfiles and logs so deep,
I pin the claw from history while the build guards sleep.
I rewrite pulls, retag digests tight,
Then read the installer notes by lantern-light.
A carrot, a patch, and tests now sleep—ok, I’ll keep.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: pinning the old gateway base for resolved digests, which is the core fix to prevent the old fixture from receiving an unintended newer OpenClaw version.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/e2e-old-gateway-base-arg

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: openshell-gateway-upgrade-e2e

Dispatch hint: openshell-gateway-upgrade-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No required E2E because this PR changes only an existing E2E test script and cannot affect NemoClaw runtime/user flows unless that job is selected to validate the test harness itself.

Optional E2E

• openshell-gateway-upgrade-e2e (high): Optional validation of the modified E2E script itself. This is not merge-blocking under the tests-only policy, but it is the directly affected job and would catch breakage in the old-install upgrade fixture and survivor sandbox checks.

New E2E recommendations

• None.

Dispatch hint

• Workflow: E2E / Nightly
• jobs input: openshell-gateway-upgrade-e2e

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26301123575
Target ref: 3736d02d4d49fa00ecd7a18967db88c382b731e8
Workflow ref: main
Requested jobs: openshell-gateway-upgrade-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
openshell-gateway-upgrade-e2e	❌ failure

Failed jobs: openshell-gateway-upgrade-e2e. Check run artifacts for logs.

[github-actions]

PR Review Advisor

Recommendation: blocked
Confidence: high
Analyzed HEAD: 0685f16c31d1eba5b9894a2d03043550a4f8fa0b
Findings: 2 blocker(s), 2 warning(s), 0 suggestion(s)

This is an automated advisory review. A human maintainer must make the final merge decision.

Limitations: I did not execute scripts, tests, Docker builds, package-manager commands, or fetch external artifacts; review is based on trusted metadata, the provided diff, and read-only file inspection.; No linked issues were present, so acceptance mapping is based on PR body clauses and PR comments rather than linked issue clauses.; The exact root causes of prior selective E2E failures require run artifacts/logs that were not included in the provided context.; No selective openshell-gateway-upgrade-e2e result for current head 0685f16 was provided.; Although the review thread is marked resolved, current diff/file inspection still shows the marker string that the thread identified as problematic.

Workflow run

Full advisor summary

PR Review Advisor

Base: origin/main
Head: HEAD
Analyzed SHA: 0685f16c31d1eba5b9894a2d03043550a4f8fa0b
Recommendation: blocked
Confidence: high

Test-only gateway-upgrade harness change is narrow, but mergeability is blocked and the current diff still appears to contain the v0.0.36 Dockerfile marker mismatch that can fail the old-install fixture.

Gate status

• CI: pass — 5 required status context(s) completed with no failures. Non-required contexts still pending: 2; failed: 0.
• Mergeability: fail — mergeStateStatus=BLOCKED
• Review threads: pass — 1 review thread(s), all resolved.
• Risky code tested: pass — No risky code areas detected by path heuristics.

🔴 Blockers

• PR mergeability is blocked: GitHub reports mergeStateStatus=BLOCKED for head 0685f16. Required CI contexts passed, but branch protection/review state still prevents merge.
  • Recommendation: Resolve the branch-protection or review-required condition and confirm mergeStateStatus is no longer BLOCKED before merging.
  • Evidence: Trusted gate summary: mergeability status fail, evidence mergeStateStatus=BLOCKED. GraphQL: reviewDecision=REVIEW_REQUIRED, mergeStateStatus=BLOCKED, headRefOid=0685f16c31d1eba5b9894a2d03043550a4f8fa0b.
• Old Dockerfile injection marker still appears mismatched (test/e2e/test-openshell-gateway-upgrade.sh:221): The patch injects the pinned OpenClaw install block only if the downloaded old Dockerfile contains the exact marker MIN_VER=$(grep -m 1 'min_openclaw_version'. The resolved review thread says the v0.0.36 Dockerfile uses OPENCLAW_MIN_VERSION=$(grep -m 1 'min_openclaw_version', so the current marker can still raise old OpenClaw version gate not found and fail the gateway-upgrade fixture before validating the intended pinned-base behavior.
  • Recommendation: Update the marker to match the historical v0.0.36 Dockerfile or make insertion robust around the min_openclaw_version occurrence, then validate the directly affected gateway-upgrade E2E job for the current head.
  • Evidence: Read-only inspection of test/e2e/test-openshell-gateway-upgrade.sh at the current checkout shows marker = "RUN set -eu; \\\n MIN_VER=$(grep -m 1 'min_openclaw_version'". The CodeRabbit thread on the same hunk states the actual v0.0.36 Dockerfile contains OPENCLAW_MIN_VERSION=$(grep -m 1 'min_openclaw_version'; although the thread is resolved and says addressed in commit 0685f16, the provided diff and current file content still show MIN_VER.

🟡 Warnings

• No passing targeted gateway-upgrade E2E result for current head (test/e2e/test-openshell-gateway-upgrade.sh:88): The E2E Advisor marked openshell-gateway-upgrade-e2e optional because the PR changes only an existing E2E script, but this PR modifies the exact Docker wrapper, installer patching, and version-selection checks for that job. Earlier selective runs failed for prior heads, and no passing selective result for head 0685f16 was provided.
  • Recommendation: After fixing the marker mismatch, run openshell-gateway-upgrade-e2e against head 0685f16 and review artifacts if it fails. Since the advisor says no required E2E, treat this as confidence evidence for the changed harness rather than a required product-runtime gate.
  • Evidence: E2E Advisor comment: Required E2E: None; Optional E2E: openshell-gateway-upgrade-e2e. Selective E2E comments show failures for target refs 3736d02, c25e979, and 3f46d2b. No selective result for current head 0685f16 is present in the trusted context.
• Active overlapping PRs touch the same gateway-upgrade script (test/e2e/test-openshell-gateway-upgrade.sh:88): The changed file exists and the patch applies to active code, but there is active overlapping work on the same E2E script. In particular, another PR appears semantically related to explicit old base-arg handling, which could conflict with this PR's rewrite-any-BASE_IMAGE behavior.
  • Recommendation: Coordinate with overlapping PRs and rebase/retest after whichever lands first to avoid silently undoing or contradicting old base-image pinning behavior.
  • Evidence: Trusted overlap scan found open PR chore: bump OpenShell pin to 0.0.44 #3830 chore: bump OpenShell pin to 0.0.44 and PR fix(e2e): preserve explicit old base arg #4048 fix(e2e): preserve explicit old base arg, both touching test/e2e/test-openshell-gateway-upgrade.sh. Recent history also shows multiple related fixes to this file, including fix(e2e): pin old gateway upgrade install #4041 and fix(e2e): pin old gateway base fallback #4047.

🔵 Suggestions

• None.

Acceptance coverage

• met — make the old gateway-upgrade Docker wrapper rewrite any BASE_IMAGE=* build arg, including resolved sandbox-base digests: The wrapper now rewrites split --build-arg BASE_IMAGE=... values and equals-form --build-arg=BASE_IMAGE=* values to BASE_IMAGE=${base_ref} rather than only matching ghcr.io/nvidia/nemoclaw/sandbox-base:latest.
• partial — keep the v0.0.36 fixture on the historical sandbox base instead of inheriting current OpenClaw from main: The wrapper rewrites old installer BASE_IMAGE build args to OLD_SANDBOX_BASE_IMAGE_REF and intercepts docker pull ghcr.io/nvidia/nemoclaw/sandbox-base:latest to pull/tag the pinned base ref. However, the Dockerfile injection marker still appears to use MIN_VER rather than the historical OPENCLAW_MIN_VERSION, so the old fixture may fail before proving the historical OpenClaw selection.
• partial — add a guard that fails clearly if the old fixture consumes a newer OpenClaw than the pinned 2026.4.24: install_old_nemoclaw_and_claw now parses installer logs for OpenClaw ... is current (>= ${OLD_OPENCLAW_VERSION}), fails if a mismatched version is observed, and fails if evidence of the pinned version is missing. Runtime evidence for current head 0685f16 is not provided, and the marker mismatch may fail earlier.
• unknown — bash -n test/e2e/test-openshell-gateway-upgrade.sh: The PR body lists this test-plan item, but the trusted context does not include explicit output for this exact command.
• unknown — git diff --check: The PR body lists this test-plan item, but the trusted context does not include explicit output for this exact command.
• missing — dispatch E2E / Nightly with jobs=openshell-gateway-upgrade-e2e against this PR head: Selective E2E results are present for earlier target refs and failed, but no passing or failing selective openshell-gateway-upgrade-e2e result for current head 0685f16 is present in the trusted context.
• missing — Fix v0.0.36 Dockerfile injection marker mismatch in test/e2e/test-openshell-gateway-upgrade.sh (lines 239-249): The review thread is resolved and says addressed in commit 0685f16, but read-only inspection and the provided diff still show the marker string as MIN_VER=$(grep -m 1 'min_openclaw_version', not OPENCLAW_MIN_VERSION or a more robust marker.
• met — Required E2E: None: The E2E Advisor comment states no required E2E because this PR changes only an existing E2E test script and cannot affect NemoClaw runtime/user flows unless that job is selected to validate the test harness itself.
• unknown — Optional E2E: openshell-gateway-upgrade-e2e: The optional E2E recommendation was identified, but no selective result for the current head SHA was provided.

Security review

• pass — 1. Secrets and Credentials: No hardcoded real secrets, API keys, passwords, tokens, PEM files, or credential JSON are introduced. The existing COMPATIBLE_API_KEY=dummy remains a test fixture value.
• pass — 2. Input Validation and Data Sanitization: The Docker wrapper processes command arguments with Bash arrays and prefix checks rather than eval or shell-string reconstruction. The values it injects are controlled pinned variables for the old sandbox base and OpenClaw version. The main concern found is correctness of the Dockerfile marker, not an injection path.
• pass — 3. Authentication and Authorization: Not applicable — the change modifies an E2E shell script and does not add or change endpoints, authentication flows, authorization checks, token validation, scopes, or permissions.
• pass — 4. Dependencies and Third-Party Libraries: No production dependencies are added. The test harness pins a historical OpenClaw npm package version and a pinned sandbox-base digest for deterministic old-upgrade setup rather than adding a floating production dependency.
• pass — 5. Error Handling and Logging: The added diagnostics improve failure clarity by printing old Docker wrapper activity on installer failure and by failing when the old fixture selected a non-pinned OpenClaw version or lacks pinned-version evidence. No newly logged secrets were identified.
• pass — 6. Cryptography and Data Protection: Not applicable — no cryptographic operations, algorithms, keys, encryption, signing, or data-protection logic are modified.
• pass — 7. Configuration and Security Headers: No HTTP security headers, CORS configuration, service ports, production container configuration, or workflow permissions are modified. The test harness uses pinned old image/version inputs for deterministic E2E setup.
• warning — 8. Security Testing: The patch is itself in an E2E test and adds a negative guard for wrong OpenClaw selection, which is positive. However, this script validates a security-sensitive OpenShell gateway/sandbox upgrade path, the current diff still appears to contain the marker mismatch, and no passing targeted openshell-gateway-upgrade-e2e result for the current head was provided.
• warning — 9. Holistic Security Posture: No direct runtime security regression is visible because only a test script changes. Still, the file validates NemoClaw-sensitive gateway and sandbox upgrade behavior, and the unresolved-in-code marker mismatch may make the regression harness fail before proving pinned-base behavior.

Test / E2E status

• Test depth: e2e_required — Product runtime code is not changed, but the modified file is the E2E harness for an installer/OpenShell gateway upgrade path and changes Docker pull/build-arg rewriting plus downloaded installer payload patching. Static review found a likely marker mismatch; unit checks cannot prove this harness works with the historical v0.0.36 installer and Dockerfile.
• E2E Advisor: ok

✅ What looks good

• The patch is narrowly scoped to one existing E2E script and does not modify production runtime code.
• Required status contexts completed successfully for the specified head SHA, according to trusted gate metadata.
• The Docker wrapper now handles both split and equals forms of BASE_IMAGE build args and rewrites arbitrary BASE_IMAGE values, addressing resolved digest cases.
• The new docker pull interception covers an old installer path that pulls sandbox-base:latest directly, then tags the pinned base as latest for compatibility.
• The added log guard is intended to fail earlier and more clearly if the old fixture accidentally consumes a newer OpenClaw version.

Review completeness

• I did not execute scripts, tests, Docker builds, package-manager commands, or fetch external artifacts; review is based on trusted metadata, the provided diff, and read-only file inspection.
• No linked issues were present, so acceptance mapping is based on PR body clauses and PR comments rather than linked issue clauses.
• The exact root causes of prior selective E2E failures require run artifacts/logs that were not included in the provided context.
• No selective openshell-gateway-upgrade-e2e result for current head 0685f16 was provided.
• Although the review thread is marked resolved, current diff/file inspection still shows the marker string that the thread identified as problematic.
• Human maintainer review required: yes

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e/test-openshell-gateway-upgrade.sh (1)

563-575: ⚡ Quick win

Use fixed-string equality for pinned-version checks.

The pin guard is good, but regex-based equality can still match unexpectedly for version strings. Prefer fixed-string comparisons for deterministic pass/fail behavior.

Proposed adjustment

   wrong_old_openclaw="$(
-    grep -Eo "OpenClaw [0-9]{4}\\.[0-9]+\\.[0-9]+ is current \\(>= ${OLD_OPENCLAW_VERSION}\\)" "$OLD_INSTALL_LOG" 2>/dev/null \
+    grep -Eo "OpenClaw [0-9]{4}\\.[0-9]+\\.[0-9]+ is current \\(>= [0-9]{4}\\.[0-9]+\\.[0-9]+\\)" "$OLD_INSTALL_LOG" 2>/dev/null \
       | awk '{print $2}' \
-      | grep -v "^${OLD_OPENCLAW_VERSION}$" \
+      | grep -Fxv "$OLD_OPENCLAW_VERSION" \
       | head -n 1 || true
   )"
@@
-  if ! grep -q "OpenClaw ${OLD_OPENCLAW_VERSION}\\|openclaw@${OLD_OPENCLAW_VERSION}" "$OLD_INSTALL_LOG" 2>/dev/null; then
+  if ! grep -Fq "OpenClaw ${OLD_OPENCLAW_VERSION}" "$OLD_INSTALL_LOG" 2>/dev/null \
+    && ! grep -Fq "openclaw@${OLD_OPENCLAW_VERSION}" "$OLD_INSTALL_LOG" 2>/dev/null; then
     fail "old ${OLD_NEMOCLAW_REF} fixture did not show pinned OpenClaw ${OLD_OPENCLAW_VERSION}"
   fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/test-openshell-gateway-upgrade.sh` around lines 563 - 575, The
pinned-version checks should use fixed-string exact matches instead of regex: in
the wrong_old_openclaw pipeline (variable wrong_old_openclaw using
OLD_INSTALL_LOG and OLD_OPENCLAW_VERSION) replace the regex-based exclusion grep
-v "^${OLD_OPENCLAW_VERSION}$" with a fixed-string exact exclude (e.g., grep -F
-x -v) so the version comparison is literal, and change the final presence check
that currently uses grep -q "OpenClaw
${OLD_OPENCLAW_VERSION}\|openclaw@${OLD_OPENCLAW_VERSION}" to a fixed-strings
check (e.g., grep -F -q -e "OpenClaw ${OLD_OPENCLAW_VERSION}" -e
"openclaw@${OLD_OPENCLAW_VERSION}") to ensure deterministic equality matching.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e/test-openshell-gateway-upgrade.sh`:
- Around line 563-575: The pinned-version checks should use fixed-string exact
matches instead of regex: in the wrong_old_openclaw pipeline (variable
wrong_old_openclaw using OLD_INSTALL_LOG and OLD_OPENCLAW_VERSION) replace the
regex-based exclusion grep -v "^${OLD_OPENCLAW_VERSION}$" with a fixed-string
exact exclude (e.g., grep -F -x -v) so the version comparison is literal, and
change the final presence check that currently uses grep -q "OpenClaw
${OLD_OPENCLAW_VERSION}\|openclaw@${OLD_OPENCLAW_VERSION}" to a fixed-strings
check (e.g., grep -F -q -e "OpenClaw ${OLD_OPENCLAW_VERSION}" -e
"openclaw@${OLD_OPENCLAW_VERSION}") to ensure deterministic equality matching.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 518b73b2-556a-45de-93a7-ce4976e9ae02

📥 Commits

Reviewing files that changed from the base of the PR and between 3736d02 and c25e979.

📒 Files selected for processing (1)

• test/e2e/test-openshell-gateway-upgrade.sh

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26301551200
Target ref: c25e979e463d9d850494ddce198cec9357e0d8d0
Workflow ref: main
Requested jobs: openshell-gateway-upgrade-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
openshell-gateway-upgrade-e2e	❌ failure

Failed jobs: openshell-gateway-upgrade-e2e. Check run artifacts for logs.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/test-openshell-gateway-upgrade.sh`:
- Around line 239-249: The injection fails because the marker string assigned to
marker ("MIN_VER=$(grep -m 1 'min_openclaw_version'") doesn't match the actual
Dockerfile line which uses OPENCLAW_MIN_VERSION; update the marker value in
test/e2e/test-openshell-gateway-upgrade.sh to match the real substring (e.g.
"OPENCLAW_MIN_VERSION=$(grep -m 1 'min_openclaw_version'") or make the check
more robust by searching for "min_openclaw_version" only, then keep the existing
injection/insertion logic (variables marker, injection, text.replace) so the old
OpenClaw install block is correctly inserted instead of raising the SystemExit.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 38e91855-fc6a-4c2e-bd1e-35547e5077d1

📥 Commits

Reviewing files that changed from the base of the PR and between c25e979 and 3f46d2b.

📒 Files selected for processing (1)

• test/e2e/test-openshell-gateway-upgrade.sh

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26301970629
Target ref: 3f46d2babd3a3b0cf3ee2b441841d12f879ee012
Workflow ref: main
Requested jobs: openshell-gateway-upgrade-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
openshell-gateway-upgrade-e2e	❌ failure

Failed jobs: openshell-gateway-upgrade-e2e. Check run artifacts for logs.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/e2e/test-openshell-gateway-upgrade.sh (1)

615-633: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Cover the Dockerfile's upgrading to ... branch in the guard.

This check only fails on the OpenClaw X is current log path. If the old fixture logs Base image has OpenClaw X, upgrading to Y (minimum required), the injected openclaw@${OLD_OPENCLAW_VERSION} lines still satisfy the later presence check, so the test can pass after consuming a newer OpenClaw than the pin.

🛠️ Suggested fix

-  local wrong_old_openclaw
-  wrong_old_openclaw="$(
-    grep -Eo "OpenClaw [0-9]{4}\\.[0-9]+\\.[0-9]+ is current \\(>= ${OLD_OPENCLAW_VERSION}\\)" "$OLD_INSTALL_LOG" 2>/dev/null \
-      | awk '{print $2}' \
-      | grep -v "^${OLD_OPENCLAW_VERSION}$" \
-      | head -n 1 || true
-  )"
-  if [ -n "$wrong_old_openclaw" ]; then
-    fail "old ${OLD_NEMOCLAW_REF} fixture used OpenClaw ${wrong_old_openclaw} instead of pinned ${OLD_OPENCLAW_VERSION}"
+  local selected_old_openclaw
+  selected_old_openclaw="$(
+    {
+      grep -Eo "OpenClaw [0-9]{4}\\.[0-9]+\\.[0-9]+ is current \\(>= [0-9]{4}\\.[0-9]+\\.[0-9]+\\)" "$OLD_INSTALL_LOG" 2>/dev/null \
+        | awk '{print $2}' || true
+      grep -Eo "upgrading to [0-9]{4}\\.[0-9]+\\.[0-9]+ \\(minimum required\\)" "$OLD_INSTALL_LOG" 2>/dev/null \
+        | awk '{print $3}' || true
+    } | tail -n 1
+  )"
+  if [ -n "$selected_old_openclaw" ] && [ "$selected_old_openclaw" != "$OLD_OPENCLAW_VERSION" ]; then
+    fail "old ${OLD_NEMOCLAW_REF} fixture used OpenClaw ${selected_old_openclaw} instead of pinned ${OLD_OPENCLAW_VERSION}"
   fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/test-openshell-gateway-upgrade.sh` around lines 615 - 633, The
current wrong_old_openclaw detection only considers the "OpenClaw X is current"
log line and misses the "Base image has OpenClaw X, upgrading to Y (minimum
required)" branch; update the command that sets wrong_old_openclaw (which reads
from OLD_INSTALL_LOG) to also grep and extract the base-image version from the
"Base image has OpenClaw ... , upgrading to ..." message (in addition to the
existing "OpenClaw X is current" pattern), then continue to filter out the
pinned OLD_OPENCLAW_VERSION and fail if a different older base image version is
found; keep references to wrong_old_openclaw, OLD_INSTALL_LOG and
OLD_OPENCLAW_VERSION so the change is localized.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@test/e2e/test-openshell-gateway-upgrade.sh`:
- Around line 615-633: The current wrong_old_openclaw detection only considers
the "OpenClaw X is current" log line and misses the "Base image has OpenClaw X,
upgrading to Y (minimum required)" branch; update the command that sets
wrong_old_openclaw (which reads from OLD_INSTALL_LOG) to also grep and extract
the base-image version from the "Base image has OpenClaw ... , upgrading to ..."
message (in addition to the existing "OpenClaw X is current" pattern), then
continue to filter out the pinned OLD_OPENCLAW_VERSION and fail if a different
older base image version is found; keep references to wrong_old_openclaw,
OLD_INSTALL_LOG and OLD_OPENCLAW_VERSION so the change is localized.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 04586233-67c3-46ca-8720-2cad2267b2c7

📥 Commits

Reviewing files that changed from the base of the PR and between 3f46d2b and 0685f16.

📒 Files selected for processing (1)

• test/e2e/test-openshell-gateway-upgrade.sh

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26302400688
Target ref: 0685f16c31d1eba5b9894a2d03043550a4f8fa0b
Workflow ref: main
Requested jobs: openshell-gateway-upgrade-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
openshell-gateway-upgrade-e2e	✅ success