From 7f55c0bd7b9544b2b3a3312362fbe1ddbec04f90 Mon Sep 17 00:00:00 2001
From: joshp123
Date: Wed, 6 May 2026 10:37:25 +0200
Subject: [PATCH] Pin safe-write Python in OpenClaw wrapper
Bundle a Nix Python path inside the OpenClaw batteries wrapper for the safe-write helper. This avoids macOS /usr/bin/python3 triggering the Xcode command-line-tools shim on headless hosts, without exposing Python on the user PATH.
Tests: nix build .#checks.aarch64-darwin.qmd-runtime --no-link; nix eval .#checks.x86_64-linux.qmd-runtime.name; scripts/check-flake-lock-owners.sh; git diff --check
---
 nix/packages/openclaw-batteries.nix | 2 ++
 nix/scripts/check-openclaw-qmd-runtime.sh | 4 ++++
 nix/scripts/openclaw-batteries-install.sh | 12 ++++++++++--
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/nix/packages/openclaw-batteries.nix b/nix/packages/openclaw-batteries.nix
index 3031e65..eb9ae99 100644
--- a/nix/packages/openclaw-batteries.nix
+++ b/nix/packages/openclaw-batteries.nix
@@ -2,6 +2,7 @@
 lib,
 stdenvNoCC,
 makeWrapper,
+ python3Minimal,
 openclaw-gateway,
 openclaw-app ? null,
 extendedTools ? [ ],
@@ -28,6 +29,7 @@ stdenvNoCC.mkDerivation {
 env = {
 OPENCLAW_APP_PACKAGE = lib.optionalString (openclaw-app != null) "${openclaw-app}";
 OPENCLAW_GATEWAY_BIN = "${openclaw-gateway}/bin/openclaw";
+ OPENCLAW_PINNED_WRITE_PYTHON = "${python3Minimal}/bin/python3";
 OPENCLAW_TOOLS_PATH = toolsPath;
 STDENV_SETUP = "${stdenvNoCC}/setup";
 };
diff --git a/nix/scripts/check-openclaw-qmd-runtime.sh b/nix/scripts/check-openclaw-qmd-runtime.sh
index fd98b04..c7883bf 100755
--- a/nix/scripts/check-openclaw-qmd-runtime.sh
+++ b/nix/scripts/check-openclaw-qmd-runtime.sh
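Review bot: Nothing next to the new `OPENCLAW_PINNED_WRITE_PYTHON` entry records that the interpreter is deliberately `python3Minimal`, which (if I remember the nixpkgs build flags correctly) omits several stdlib extension modules such as ssl, sqlite3 and readline, and the safe-write helper that consumes this path is not part of the diff, so the constraint that the helper stay within the core stdlib is invisible to the next maintainer. A one-line comment above the entry would prevent a later `import ssl` in the helper from failing only at runtime on the headless hosts the commit is targeting: `# python3Minimal on purpose: the safe-write helper must use only the core stdlib (no ssl/sqlite3); switch to python3 if that ever changes.` The `env` attribute set and the surrounding `mkDerivation` call continue outside the hunk, so I have not seen whether the helper's own path is pinned alongside it.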
@@ -31,6 +31,10 @@ if ! grep -q "${QMD_PACKAGE}/bin" "$openclaw_bin"; then
 echo "openclaw wrapper does not include qmd on the internal runtime PATH" >&2
 exit 1
 fi
+if ! grep -q "OPENCLAW_PINNED_WRITE_PYTHON" "$openclaw_bin"; then
+ echo "openclaw wrapper does not pin a Nix Python for safe writes" >&2
+ exit 1
+fi
 tmp_dir="$(mktemp -d)"
 trap 'rm -rf "$tmp_dir"' EXIT
diff --git a/nix/scripts/openclaw-batteries-install.sh b/nix/scripts/openclaw-batteries-install.sh
index e9c9ffe..96664f7 100755
--- a/nix/scripts/openclaw-batteries-install.sh
+++ b/nix/scripts/openclaw-batteries-install.sh
@@ -9,6 +9,14 @@ if [ ! -x "$OPENCLAW_GATEWAY_BIN" ]; then
 echo "OPENCLAW_GATEWAY_BIN is not executable: $OPENCLAW_GATEWAY_BIN" >&2
 exit 1
 fi
+if [ -z "${OPENCLAW_PINNED_WRITE_PYTHON:-}" ]; then
+ echo "OPENCLAW_PINNED_WRITE_PYTHON is not set" >&2
+ exit 1
+fi
+if [ ! -x "$OPENCLAW_PINNED_WRITE_PYTHON" ]; then
+ echo "OPENCLAW_PINNED_WRITE_PYTHON is not executable: $OPENCLAW_PINNED_WRITE_PYTHON" >&2
+ exit 1
+fi
 if [ -z "${STDENV_SETUP:-}" ]; then
 echo "STDENV_SETUP is not set" >&2
 exit 1
@@ -21,9 +29,9 @@ fi
 mkdir -p "$out/bin"
 if [ -n "${OPENCLAW_TOOLS_PATH:-}" ]; then
- bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --prefix PATH : "$OPENCLAW_TOOLS_PATH"'
+ bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --set OPENCLAW_PINNED_WRITE_PYTHON "$OPENCLAW_PINNED_WRITE_PYTHON" --prefix PATH : "$OPENCLAW_TOOLS_PATH"'
 else
- bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw"'
+ bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --set OPENCLAW_PINNED_WRITE_PYTHON "$OPENCLAW_PINNED_WRITE_PYTHON"'
 fi
 if [ -n "${OPENCLAW_APP_PACKAGE:-}" ]; then
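Review bot: The new check in check-openclaw-qmd-runtime.sh only asserts that the string `OPENCLAW_PINNED_WRITE_PYTHON` occurs somewhere in the wrapper, so a wrapper that exports it as `/usr/bin/python3` — the very case the commit exists to rule out — passes, and so does one whose pinned path is not executable or does not exist. The check just above it greps for the concrete store path `${QMD_PACKAGE}/bin`; this one should hold the same standard by extracting the exported value and verifying it is an executable under the Nix store. As far as I recall makeWrapper writes `--set` into the wrapper as an `export NAME='value'` line, so the value can be pulled out with sed; adjust the pattern if the wrapper quotes it differently.
```sh
pinned_python="$(sed -n "s/^export OPENCLAW_PINNED_WRITE_PYTHON='\(.*\)'\$/\1/p" "$openclaw_bin")"
case "$pinned_python" in
  /nix/store/*) ;;
  *)
    echo "openclaw wrapper does not pin a Nix store Python for safe writes: '${pinned_python:-unset}'" >&2
    exit 1
    ;;
esac
if [ ! -x "$pinned_python" ]; then
  echo "pinned safe-write Python is not executable: $pinned_python" >&2
  exit 1
fi
# … unchanged: tmp_dir / trap setup …
```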
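Review bot: Nothing in the install script records why the wrapper uses `--set` rather than `--set-default` for `OPENCLAW_PINNED_WRITE_PYTHON`, and that choice is the security-relevant part of the change: per makeWrapper's documented semantics `--set` overrides any value already present in the caller's environment, so whoever launches `openclaw` cannot redirect the safe-write helper to an interpreter of their choosing, whereas `--set-default` would let an ambient variable win. A later "cleanup" could relax it without noticing, so I would say it in writing above the `if`: `# --set (not --set-default) on purpose: the pinned interpreter must win over any OPENCLAW_PINNED_WRITE_PYTHON already in the caller's environment.` The same `--set` argument is now duplicated across both `bash -e -c` branches; if the script runs under bash it could be collected once and handed to the inner shell via `"$@"`, though that is purely a style remark. The `if [ -n "${OPENCLAW_APP_PACKAGE:-}" ]` block at the end of the hunk continues outside it.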