sync: rebase on upstream (2026-03-26)

.github/workflows/ci.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build-and-push:
+    runs-on: [self-hosted, Linux, X64]
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: ${{ github.ref == 'refs/heads/main' }}
+          tags: |
+            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ github.repository }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/upstream-sync.yml

@@ -0,0 +1,101 @@
+name: Upstream Sync
+
+on:
+  schedule:
+    # Daily at 06:30 UTC (offset from paperclip's 06:00)
+    - cron: "30 6 * * *"
+  workflow_dispatch:
+    inputs:
+      mode:
+        description: "Sync mode"
+        required: true
+        default: "pr"
+        type: choice
+        options:
+          - pr
+          - push
+          - dry-run
+
+jobs:
+  sync:
+    runs-on: self-hosted
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout (full history for rebase)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          # Nuke stale credential helpers on self-hosted runner
+          git config --local --unset-all credential.helper 2>/dev/null || true
+          git config --global --unset-all credential.helper 2>/dev/null || true
+
+      - name: Clean working tree (self-hosted runner may have leftovers)
+        run: |
+          git checkout main 2>/dev/null || true
+          git rebase --abort 2>/dev/null || true
+          git reset --hard HEAD
+          git clean -fd
+
+      - name: Add upstream remote
+        run: |
+          git remote get-url upstream 2>/dev/null || \
+            git remote add upstream https://github.com/NVIDIA/NemoClaw.git
+          git fetch upstream
+
+      - name: Install Agent SDK
+        run: |
+          rm -rf "$(npm root -g)/@anthropic-ai/.claude-code-"* "$(npm root -g)/@anthropic-ai/.claude-agent-sdk-"* 2>/dev/null || true
+          npm install -g @anthropic-ai/claude-code || npm install -g @anthropic-ai/claude-code
+          npm install -g @anthropic-ai/claude-agent-sdk || npm install -g @anthropic-ai/claude-agent-sdk
+          node -e "require('@anthropic-ai/claude-agent-sdk')" 2>/dev/null || echo "SDK import check: will resolve at runtime via global root"
+
+      - name: Write Claude credentials
+        run: |
+          mkdir -p ~/.claude
+          echo '${{ secrets.CLAUDE_CREDENTIALS_JSON }}' > ~/.claude/.credentials.json
+
+      - name: Check for upstream changes
+        id: check
+        run: |
+          BEHIND=$(git rev-list HEAD..upstream/main --count)
+          echo "behind=$BEHIND" >> "$GITHUB_OUTPUT"
+          if [ "$BEHIND" -eq 0 ]; then
+            echo "Up to date with upstream. Skipping sync."
+          else
+            echo "Behind upstream by $BEHIND commits."
+          fi
+
+      - name: Run upstream sync
+        if: steps.check.outputs.behind != '0'
+        env:
+          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
+        run: |
+          MODE="${{ github.event.inputs.mode || 'pr' }}"
+          case "$MODE" in
+            push)    FLAG="--push" ;;
+            pr)      FLAG="--pr" ;;
+            dry-run) FLAG="--dry-run" ;;
+          esac
+          node scripts/upstream-sync.mjs $FLAG
+
+      - name: Upload agent event log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: agent-events-log
+          path: agent-events.log
+          if-no-files-found: ignore
+          retention-days: 14

Dockerfile

@@ -69,9 +69,18 @@ ENV NEMOCLAW_MODEL=${NEMOCLAW_MODEL} \
     NEMOCLAW_INFERENCE_API=${NEMOCLAW_INFERENCE_API} \
     NEMOCLAW_INFERENCE_COMPAT_B64=${NEMOCLAW_INFERENCE_COMPAT_B64}
 
+# WOPR sidecar — provision + health endpoints for nemoclaw-platform
+COPY wopr/ /opt/wopr/
+
 WORKDIR /sandbox
 USER sandbox
 
+# Pre-create OpenClaw directories and write default config.
+# These are saved to /opt/nemoclaw-defaults/ (read-only at runtime).
+# The startup script copies them to $HOME/.openclaw/ (writable volume).
+RUN mkdir -p /sandbox/.openclaw/agents/main/agent \
+    && chmod 700 /sandbox/.openclaw
+
 # Write the COMPLETE openclaw.json including gateway config and auth token.
 # This file is immutable at runtime (Landlock read-only on /sandbox/.openclaw).
 # No runtime writes to openclaw.json are needed or possible.
@@ -118,7 +127,6 @@ path = os.path.expanduser('~/.openclaw/openclaw.json'); \
 json.dump(config, open(path, 'w'), indent=2); \
 os.chmod(path, 0o600)"
 
-# Install NemoClaw plugin into OpenClaw
 RUN openclaw doctor --fix > /dev/null 2>&1 || true \
     && openclaw plugins install /opt/nemoclaw > /dev/null 2>&1 || true
 
@@ -146,6 +154,18 @@ RUN sha256sum /sandbox/.openclaw/openclaw.json > /sandbox/.openclaw/.config-hash
     && chmod 444 /sandbox/.openclaw/.config-hash \
     && chown root:root /sandbox/.openclaw/.config-hash
 
+# Save build-time config as defaults — startup script copies to writable HOME
+RUN cp -a /sandbox/.openclaw /opt/nemoclaw-defaults \
+    && cp -a /sandbox/.nemoclaw /opt/nemoclaw-defaults/.nemoclaw
+USER sandbox
+
+# At runtime, HOME=/data (writable volume mount from FleetManager).
+# ReadonlyRootfs makes /sandbox read-only, so all writes go to /data.
+ENV HOME=/data
+
+# Expose WOPR sidecar port
+EXPOSE 3100
+
 # Entrypoint runs as root to start the gateway as the gateway user,
 # then drops to sandbox for agent commands. See nemoclaw-start.sh.
 ENTRYPOINT ["/usr/local/bin/nemoclaw-start"]

scripts/nemoclaw-start.sh

@@ -207,6 +207,20 @@ PYAUTOPAIR
 
 # ── Main ─────────────────────────────────────────────────────────
 
+# Copy default config to writable HOME if not already present.
+# FleetManager mounts a volume at /data and sets HOME=/data.
+# The rootfs is read-only, so all writes must go to /data.
+if [ -d /opt/nemoclaw-defaults ] && [ ! -f "${HOME}/.openclaw/openclaw.json" ]; then
+  echo "[init] Copying default config to ${HOME}/.openclaw/"
+  mkdir -p "${HOME}/.openclaw" "${HOME}/.nemoclaw"
+  cp -a /opt/nemoclaw-defaults/. "${HOME}/.openclaw/"
+  [ -d /opt/nemoclaw-defaults/.nemoclaw ] && cp -a /opt/nemoclaw-defaults/.nemoclaw/. "${HOME}/.nemoclaw/"
+fi
+
+# Ensure writable dirs exist
+mkdir -p "${HOME}/.openclaw/agents/main/agent" 2>/dev/null || true
+touch /tmp/gateway.log 2>/dev/null || true
+
 echo 'Setting up NemoClaw...'
 [ -f .env ] && chmod 600 .env
 
@@ -293,6 +307,13 @@ echo "[gateway] openclaw gateway launched as 'gateway' user (pid $GATEWAY_PID)"
 start_auto_pair
 print_dashboard_urls
 
+# Start WOPR sidecar in foreground — keeps the container alive.
+# Serves /internal/health + /internal/provision for nemoclaw-platform.
+if [ -f /opt/wopr/sidecar.js ]; then
+  echo "[wopr-sidecar] starting in foreground (port ${PORT:-3100})"
+  exec node /opt/wopr/sidecar.js
+fi
+
 # Keep container running by waiting on the gateway process.
 # This script is PID 1 (ENTRYPOINT); if it exits, Docker kills all children.
 wait "$GATEWAY_PID"