From 26c58273e7d4d7c28b9bccfc43074a7811ae837f Mon Sep 17 00:00:00 2001
From: joshp123 <joshp123@users.noreply.github.com>
Date: Sat, 9 May 2026 00:37:43 +0800
Subject: [PATCH] fix: add OpenClaw dogfood gateway build

What:\n- expose temporary dogfood package outputs pinned to an upstream OpenClaw commit with the Nix-mode fixes merged\n- let source pins disable downstream patches that are already upstream\n- build current upstream plugin assets through upstream asset hooks, while keeping the 2026.5.7 path working\n- supply the fs-safe Git dependency as an immutable Nix source for the dogfood build\n\nWhy:\n- private deployments need to dogfood upstream fixes before the next OpenClaw release without making the published stable package depend on runtime npm work\n\nTests:\n- remote Mac mini: nix build --accept-flake-config .#openclaw-gateway-dogfood --no-link\n- remote Mac mini: nix build --accept-flake-config .#openclaw-dogfood --no-link\n- remote Mac mini: nix build --accept-flake-config .#checks.aarch64-darwin.default-instance --no-link\n- remote Mac mini: nix build --accept-flake-config .#checks.aarch64-darwin.package-contents --no-link\n\nCo-authored-by: Codex <noreply@openai.com>
---
 flake.nix                               |  9 ++++++++
 garnix.yaml                             |  4 ++++
 maintainers/packaging.md                |  3 +++
 nix/lib/openclaw-gateway-common.nix     | 20 +++++++++++++++--
 nix/scripts/gateway-build.sh            | 29 ++++++++++++++++++++-----
 nix/sources/openclaw-dogfood-source.nix | 17 +++++++++++++++
 6 files changed, 74 insertions(+), 8 deletions(-)
 create mode 100644 nix/sources/openclaw-dogfood-source.nix

diff --git a/flake.nix b/flake.nix
index 2796168..2a144ec 100644
--- a/flake.nix
+++ b/flake.nix
@@ -45,6 +45,7 @@
           qmdPkgs = qmdPkgsFor prev.stdenv.hostPlatform.system;
         } final prev;
       sourceInfoStable = import ./nix/sources/openclaw-source.nix;
+      sourceInfoDogfood = import ./nix/sources/openclaw-dogfood-source.nix;
       systems = [
         "x86_64-linux"
         "aarch64-darwin"
@@ -70,6 +71,12 @@
           openclawToolPkgs = openclawToolPkgs;
           inherit qmdPackage;
         };
+        packageSetDogfood = import ./nix/packages {
+          pkgs = pkgs;
+          sourceInfo = sourceInfoDogfood;
+          openclawToolPkgs = openclawToolPkgs;
+          inherit qmdPackage;
+        };
       in
       {
         formatter = pkgs.nixfmt-tree.override {
@@ -80,6 +87,8 @@
 
         packages = packageSetStable // {
           default = packageSetStable.openclaw;
+          openclaw-dogfood = packageSetDogfood.openclaw;
+          openclaw-gateway-dogfood = packageSetDogfood.openclaw-gateway;
         };
 
         apps = {
diff --git a/garnix.yaml b/garnix.yaml
index 266e1f3..0bde41c 100644
--- a/garnix.yaml
+++ b/garnix.yaml
@@ -6,6 +6,10 @@ builds:
     # User-facing/component packages must also be top-level Garnix artifacts,
     # otherwise downstream machines can see green CI but miss the binary cache.
     - "packages.aarch64-darwin.openclaw"
+    - "packages.aarch64-darwin.openclaw-dogfood"
     - "packages.aarch64-darwin.openclaw-gateway"
+    - "packages.aarch64-darwin.openclaw-gateway-dogfood"
     - "packages.x86_64-linux.openclaw"
+    - "packages.x86_64-linux.openclaw-dogfood"
     - "packages.x86_64-linux.openclaw-gateway"
+    - "packages.x86_64-linux.openclaw-gateway-dogfood"
diff --git a/maintainers/packaging.md b/maintainers/packaging.md
index 7ca0348..b25e8dc 100644
--- a/maintainers/packaging.md
+++ b/maintainers/packaging.md
@@ -8,6 +8,9 @@ This repo ships a working Nix package for OpenClaw users, not just a pin mirror.
 - `openclaw-gateway` is the source-built runnable gateway for Linux and macOS.
 - `openclaw-app` is the Darwin-only desktop app from upstream's public app artifact.
 - Component outputs exist for modules, checks, and debugging. They are not separate product tracks.
+- `openclaw-dogfood` and `openclaw-gateway-dogfood` are temporary maintainer
+  artifacts for testing a specific upstream commit before the next stable
+  release. They must not become the documented consumer default.
 - Do not split the repo into separate desktop and server tracks.
 
 ## Nix Ownership
diff --git a/nix/lib/openclaw-gateway-common.nix b/nix/lib/openclaw-gateway-common.nix
index 254666c..0a9fe46 100644
--- a/nix/lib/openclaw-gateway-common.nix
+++ b/nix/lib/openclaw-gateway-common.nix
@@ -38,6 +38,9 @@ let
     "pnpmDepsHash"
     "releaseTag"
     "releaseVersion"
+    "applyPublicSurfaceHardlinksPatch"
+    "applySkipPluginAutoEnableNixModePatch"
+    "fsSafeSource"
   ];
 
   # Prefer nixpkgs' platform mapping instead of hand-rolled arch/platform.
@@ -55,6 +58,8 @@ let
     else
       fetchFromGitHub sourceFetch;
 
+  fsSafeSource = if sourceInfo ? fsSafeSource then fetchFromGitHub sourceInfo.fsSafeSource else null;
+
   nodeAddonApi = import ../packages/node-addon-api.nix { inherit stdenv fetchurl; };
 
   pnpmDeps = fetchPnpmDeps {
@@ -81,11 +86,22 @@ let
     NODE_GYP_WRAPPER_SH = "${../scripts/node-gyp-wrapper.sh}";
     GATEWAY_PREBUILD_SH = "${../scripts/gateway-prebuild.sh}";
     PATCH_BUNDLED_RUNTIME_DEPS_SCRIPT = "${../patches/stage-bundled-plugin-runtime-deps.mjs}";
-    PATCH_PUBLIC_SURFACE_HARDLINKS = "${../patches/allow-package-public-surface-hardlinks.patch}";
-    PATCH_SKIP_PLUGIN_AUTO_ENABLE_NIX_MODE = "${../patches/skip-plugin-auto-enable-persist-in-nix-mode.patch}";
+    PATCH_PUBLIC_SURFACE_HARDLINKS =
+      if sourceInfo.applyPublicSurfaceHardlinksPatch or true then
+        "${../patches/allow-package-public-surface-hardlinks.patch}"
+      else
+        "";
+    PATCH_SKIP_PLUGIN_AUTO_ENABLE_NIX_MODE =
+      if sourceInfo.applySkipPluginAutoEnableNixModePatch or true then
+        "${../patches/skip-plugin-auto-enable-persist-in-nix-mode.patch}"
+      else
+        "";
     PROMOTE_PNPM_INTEGRITY_SH = "${../scripts/promote-pnpm-integrity.sh}";
     REMOVE_PACKAGE_MANAGER_FIELD_SH = "${../scripts/remove-package-manager-field.sh}";
     STDENV_SETUP = "${stdenv}/setup";
+  }
+  // lib.optionalAttrs (fsSafeSource != null) {
+    OPENCLAW_FS_SAFE_SOURCE = fsSafeSource;
   };
 
 in
diff --git a/nix/scripts/gateway-build.sh b/nix/scripts/gateway-build.sh
index c58f35c..423472b 100755
--- a/nix/scripts/gateway-build.sh
+++ b/nix/scripts/gateway-build.sh
@@ -72,16 +72,29 @@ fi
 
 log_step "patchShebangs node_modules/.bin" bash -e -c ". \"$STDENV_SETUP\"; patchShebangs node_modules/.bin"
 
+# Git tarball dependencies do not get their npm prepack output in offline Nix
+# builds. OpenClaw currently depends on @openclaw/fs-safe this way.
+if [ -n "${OPENCLAW_FS_SAFE_SOURCE:-}" ] && [ ! -d "node_modules/@openclaw/fs-safe/dist" ]; then
+  rm -rf node_modules/@openclaw/fs-safe
+  mkdir -p node_modules/@openclaw
+  cp -R "$OPENCLAW_FS_SAFE_SOURCE" node_modules/@openclaw/fs-safe
+  chmod -R u+w node_modules/@openclaw/fs-safe
+  log_step "build dependency: @openclaw/fs-safe" pnpm exec tsc -p node_modules/@openclaw/fs-safe/tsconfig.json
+fi
+
 # Ensure rolldown is found from workspace bins in offline/sandbox builds.
 if [ -d "node_modules/.pnpm/node_modules/.bin" ]; then
   export PATH="$PWD/node_modules/.pnpm/node_modules/.bin:$PATH"
 fi
 
-# Break down `pnpm build` (upstream package.json) so we can profile it.
-# Upstream's bundle-a2ui script shells back out through pnpm-runner.
-# In Nix builds that nested spawn can fail silently, so run the same steps directly.
-log_step "build: canvas:a2ui:tsc" pnpm exec tsc -p vendor/a2ui/renderers/lit/tsconfig.json
-log_step "build: canvas:a2ui:rolldown" node node_modules/rolldown/bin/cli.mjs -c apps/shared/OpenClawKit/Tools/CanvasA2UI/rolldown.config.mjs
+# Break down `pnpm build` (upstream package.json) so we can profile it while
+# still using upstream's asset hooks. v2026.5.7 has the older canvas-only helper;
+# newer OpenClaw has the generic bundled-plugin asset runner.
+if [ -f "scripts/bundled-plugin-assets.mjs" ]; then
+  log_step "build: plugins:assets:build" node scripts/bundled-plugin-assets.mjs --phase build
+else
+  log_step "build: canvas:a2ui:bundle" node scripts/bundle-a2ui.mjs
+fi
 log_step "build: tsdown" pnpm exec tsdown
 log_step "build: runtime-postbuild" node scripts/runtime-postbuild.mjs
 if [ -f "scripts/stage-bundled-plugin-runtime.mjs" ]; then
@@ -95,7 +108,11 @@ fi
 if [ -f "scripts/copy-bundled-plugin-metadata.mjs" ]; then
   log_step "build: copy-bundled-plugin-metadata" node scripts/copy-bundled-plugin-metadata.mjs
 fi
-log_step "build: canvas-a2ui-copy" node --import tsx scripts/canvas-a2ui-copy.ts
+if [ -f "scripts/bundled-plugin-assets.mjs" ]; then
+  log_step "build: plugins:assets:copy" node scripts/bundled-plugin-assets.mjs --phase copy
+else
+  log_step "build: canvas-a2ui-copy" node --import tsx scripts/canvas-a2ui-copy.ts
+fi
 log_step "build: copy-hook-metadata" node --import tsx scripts/copy-hook-metadata.ts
 log_step "build: write-build-info" node --import tsx scripts/write-build-info.ts
 log_step "build: write-cli-compat" node --import tsx scripts/write-cli-compat.ts
diff --git a/nix/sources/openclaw-dogfood-source.nix b/nix/sources/openclaw-dogfood-source.nix
new file mode 100644
index 0000000..16cce37
--- /dev/null
+++ b/nix/sources/openclaw-dogfood-source.nix
@@ -0,0 +1,17 @@
+{
+  owner = "openclaw";
+  repo = "openclaw";
+  releaseVersion = "2026.5.7-dogfood.20260508";
+  rev = "954d20ece2de0fba3688f7800613183fbeb9685c";
+  hash = "sha256-6CZWsH8dV6XZ4JeG5ItKLqGAOFqbzWosyCmMXVc+c/g=";
+  pnpmDepsHash = "sha256-hNZA1OEuJgtoLz2hWLPk8Hm+7heLvhiZpDdBBQ1UXpc=";
+  fsSafeSource = {
+    owner = "openclaw";
+    repo = "fs-safe";
+    rev = "c7ccb99d3058f2acf2ad2758ad2470c7e113a53c";
+    hash = "sha256-jndOOSSFROyrK4RiwAsJfUuCJTj7qbmmm4Qz8BqtJ/c=";
+  };
+
+  applyPublicSurfaceHardlinksPatch = false;
+  applySkipPluginAutoEnableNixModePatch = false;
+}