fix: add OpenClaw dogfood gateway build

What:\n- expose temporary dogfood package outputs pinned to an upstream OpenClaw commit with the Nix-mode fixes merged\n- let source pins disable downstream patches that are already upstream\n- build current upstream plugin assets through upstream asset hooks, while keeping the 2026.5.7 path working\n- supply the fs-safe Git dependency as an immutable Nix source for the dogfood build\n\nWhy:\n- private deployments need to dogfood upstream fixes before the next OpenClaw release without making the published stable package depend on runtime npm work\n\nTests:\n- remote Mac mini: nix build --accept-flake-config .#openclaw-gateway-dogfood --no-link\n- remote Mac mini: nix build --accept-flake-config .#openclaw-dogfood --no-link\n- remote Mac mini: nix build --accept-flake-config .#checks.aarch64-darwin.default-instance --no-link\n- remote Mac mini: nix build --accept-flake-config .#checks.aarch64-darwin.package-contents --no-link\n\nCo-authored-by: Codex <noreply@openai.com>

flake.nix

@@ -45,6 +45,7 @@
           qmdPkgs = qmdPkgsFor prev.stdenv.hostPlatform.system;
         } final prev;
       sourceInfoStable = import ./nix/sources/openclaw-source.nix;
+      sourceInfoDogfood = import ./nix/sources/openclaw-dogfood-source.nix;
       systems = [
         "x86_64-linux"
         "aarch64-darwin"
@@ -70,6 +71,12 @@
           openclawToolPkgs = openclawToolPkgs;
           inherit qmdPackage;
         };
+        packageSetDogfood = import ./nix/packages {
+          pkgs = pkgs;
+          sourceInfo = sourceInfoDogfood;
+          openclawToolPkgs = openclawToolPkgs;
+          inherit qmdPackage;
+        };
       in
       {
         formatter = pkgs.nixfmt-tree.override {
@@ -80,6 +87,8 @@
 
         packages = packageSetStable // {
           default = packageSetStable.openclaw;
+          openclaw-dogfood = packageSetDogfood.openclaw;
+          openclaw-gateway-dogfood = packageSetDogfood.openclaw-gateway;
         };
 
         apps = {

garnix.yaml

@@ -6,6 +6,10 @@ builds:
     # User-facing/component packages must also be top-level Garnix artifacts,
     # otherwise downstream machines can see green CI but miss the binary cache.
     - "packages.aarch64-darwin.openclaw"
+    - "packages.aarch64-darwin.openclaw-dogfood"
     - "packages.aarch64-darwin.openclaw-gateway"
+    - "packages.aarch64-darwin.openclaw-gateway-dogfood"
     - "packages.x86_64-linux.openclaw"
+    - "packages.x86_64-linux.openclaw-dogfood"
     - "packages.x86_64-linux.openclaw-gateway"
+    - "packages.x86_64-linux.openclaw-gateway-dogfood"

maintainers/packaging.md

@@ -8,6 +8,9 @@ This repo ships a working Nix package for OpenClaw users, not just a pin mirror.
 - `openclaw-gateway` is the source-built runnable gateway for Linux and macOS.
 - `openclaw-app` is the Darwin-only desktop app from upstream's public app artifact.
 - Component outputs exist for modules, checks, and debugging. They are not separate product tracks.
+- `openclaw-dogfood` and `openclaw-gateway-dogfood` are temporary maintainer
+  artifacts for testing a specific upstream commit before the next stable
+  release. They must not become the documented consumer default.
 - Do not split the repo into separate desktop and server tracks.
 
 ## Nix Ownership

nix/lib/openclaw-gateway-common.nix

@@ -38,6 +38,9 @@ let
     "pnpmDepsHash"
     "releaseTag"
     "releaseVersion"
+    "applyPublicSurfaceHardlinksPatch"
+    "applySkipPluginAutoEnableNixModePatch"
+    "fsSafeSource"
   ];
 
   # Prefer nixpkgs' platform mapping instead of hand-rolled arch/platform.
@@ -55,6 +58,8 @@ let
     else
       fetchFromGitHub sourceFetch;
 
+  fsSafeSource = if sourceInfo ? fsSafeSource then fetchFromGitHub sourceInfo.fsSafeSource else null;
+
   nodeAddonApi = import ../packages/node-addon-api.nix { inherit stdenv fetchurl; };
 
   pnpmDeps = fetchPnpmDeps {
@@ -81,11 +86,22 @@ let
     NODE_GYP_WRAPPER_SH = "${../scripts/node-gyp-wrapper.sh}";
     GATEWAY_PREBUILD_SH = "${../scripts/gateway-prebuild.sh}";
     PATCH_BUNDLED_RUNTIME_DEPS_SCRIPT = "${../patches/stage-bundled-plugin-runtime-deps.mjs}";
-    PATCH_PUBLIC_SURFACE_HARDLINKS = "${../patches/allow-package-public-surface-hardlinks.patch}";
-    PATCH_SKIP_PLUGIN_AUTO_ENABLE_NIX_MODE = "${../patches/skip-plugin-auto-enable-persist-in-nix-mode.patch}";
+    PATCH_PUBLIC_SURFACE_HARDLINKS =
+      if sourceInfo.applyPublicSurfaceHardlinksPatch or true then
+        "${../patches/allow-package-public-surface-hardlinks.patch}"
+      else
+        "";
+    PATCH_SKIP_PLUGIN_AUTO_ENABLE_NIX_MODE =
+      if sourceInfo.applySkipPluginAutoEnableNixModePatch or true then
+        "${../patches/skip-plugin-auto-enable-persist-in-nix-mode.patch}"
+      else
+        "";
     PROMOTE_PNPM_INTEGRITY_SH = "${../scripts/promote-pnpm-integrity.sh}";
     REMOVE_PACKAGE_MANAGER_FIELD_SH = "${../scripts/remove-package-manager-field.sh}";
     STDENV_SETUP = "${stdenv}/setup";
+  }
+  // lib.optionalAttrs (fsSafeSource != null) {
+    OPENCLAW_FS_SAFE_SOURCE = fsSafeSource;
   };
 
 in

nix/scripts/gateway-build.sh

@@ -72,16 +72,29 @@ fi
 
 log_step "patchShebangs node_modules/.bin" bash -e -c ". \"$STDENV_SETUP\"; patchShebangs node_modules/.bin"
 
+# Git tarball dependencies do not get their npm prepack output in offline Nix
+# builds. OpenClaw currently depends on @openclaw/fs-safe this way.
+if [ -n "${OPENCLAW_FS_SAFE_SOURCE:-}" ] && [ ! -d "node_modules/@openclaw/fs-safe/dist" ]; then
+  rm -rf node_modules/@openclaw/fs-safe
+  mkdir -p node_modules/@openclaw
+  cp -R "$OPENCLAW_FS_SAFE_SOURCE" node_modules/@openclaw/fs-safe
+  chmod -R u+w node_modules/@openclaw/fs-safe
+  log_step "build dependency: @openclaw/fs-safe" pnpm exec tsc -p node_modules/@openclaw/fs-safe/tsconfig.json
+fi
+
 # Ensure rolldown is found from workspace bins in offline/sandbox builds.
 if [ -d "node_modules/.pnpm/node_modules/.bin" ]; then
   export PATH="$PWD/node_modules/.pnpm/node_modules/.bin:$PATH"
 fi
 
-# Break down `pnpm build` (upstream package.json) so we can profile it.
-# Upstream's bundle-a2ui script shells back out through pnpm-runner.
-# In Nix builds that nested spawn can fail silently, so run the same steps directly.
-log_step "build: canvas:a2ui:tsc" pnpm exec tsc -p vendor/a2ui/renderers/lit/tsconfig.json
-log_step "build: canvas:a2ui:rolldown" node node_modules/rolldown/bin/cli.mjs -c apps/shared/OpenClawKit/Tools/CanvasA2UI/rolldown.config.mjs
+# Break down `pnpm build` (upstream package.json) so we can profile it while
+# still using upstream's asset hooks. v2026.5.7 has the older canvas-only helper;
+# newer OpenClaw has the generic bundled-plugin asset runner.
+if [ -f "scripts/bundled-plugin-assets.mjs" ]; then
+  log_step "build: plugins:assets:build" node scripts/bundled-plugin-assets.mjs --phase build
+else
+  log_step "build: canvas:a2ui:bundle" node scripts/bundle-a2ui.mjs
+fi
 log_step "build: tsdown" pnpm exec tsdown
 log_step "build: runtime-postbuild" node scripts/runtime-postbuild.mjs
 if [ -f "scripts/stage-bundled-plugin-runtime.mjs" ]; then
@@ -95,7 +108,11 @@ fi
 if [ -f "scripts/copy-bundled-plugin-metadata.mjs" ]; then
   log_step "build: copy-bundled-plugin-metadata" node scripts/copy-bundled-plugin-metadata.mjs
 fi
-log_step "build: canvas-a2ui-copy" node --import tsx scripts/canvas-a2ui-copy.ts
+if [ -f "scripts/bundled-plugin-assets.mjs" ]; then
+  log_step "build: plugins:assets:copy" node scripts/bundled-plugin-assets.mjs --phase copy
+else
+  log_step "build: canvas-a2ui-copy" node --import tsx scripts/canvas-a2ui-copy.ts
+fi
 log_step "build: copy-hook-metadata" node --import tsx scripts/copy-hook-metadata.ts
 log_step "build: write-build-info" node --import tsx scripts/write-build-info.ts
 log_step "build: write-cli-compat" node --import tsx scripts/write-cli-compat.ts

nix/sources/openclaw-dogfood-source.nix

@@ -0,0 +1,17 @@
+{
+  owner = "openclaw";
+  repo = "openclaw";
+  releaseVersion = "2026.5.7-dogfood.20260508";
+  rev = "954d20ece2de0fba3688f7800613183fbeb9685c";
+  hash = "sha256-6CZWsH8dV6XZ4JeG5ItKLqGAOFqbzWosyCmMXVc+c/g=";
+  pnpmDepsHash = "sha256-hNZA1OEuJgtoLz2hWLPk8Hm+7heLvhiZpDdBBQ1UXpc=";
+  fsSafeSource = {
+    owner = "openclaw";
+    repo = "fs-safe";
+    rev = "c7ccb99d3058f2acf2ad2758ad2470c7e113a53c";
+    hash = "sha256-jndOOSSFROyrK4RiwAsJfUuCJTj7qbmmm4Qz8BqtJ/c=";
+  };
+
+  applyPublicSurfaceHardlinksPatch = false;
+  applySkipPluginAutoEnableNixModePatch = false;
+}