First time launch user help to fix "device identity required"

[blacksaturn1]

Summary

This pull request enhances the installation script by improving how the dashboard URL is displayed to the user. After installation, the script now attempts to retrieve an authentication token from the sandbox's openclaw.json file and, if successful, appends it to the dashboard URL for easier access.

Dashboard authentication improvements:

• The print_done() function in install.sh now tries to read the gateway auth token from the sandbox's openclaw.json using openshell and Python, and includes the token in the dashboard URL if available.
• The dashboard URL shown to the user after installation now reflects the presence of an authentication token, making it more convenient to access the dashboard directly.

Related Issue

Changes

Type of Change

• Code change for a new feature, bug fix, or refactor.
• Code change with doc updates.
• Doc only. Prose changes without code sample modifications.
• Doc only. Includes code sample changes.

Testing

• npx prek run --all-files passes (or equivalently make check).
• npm test passes.
• make docs builds without warnings. (for doc-only changes)

Checklist

General

• I have read and followed the contributing guide.
• I have read and followed the style guide. (for doc-only changes)

Code Changes

• Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
• Tests added or updated for new or changed behavior.
• No secrets, API keys, or credentials committed.
• Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

• Follows the style guide. Try running the update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/update-docs catch up the docs for the new changes I made in this PR."
• New pages include SPDX license header and frontmatter, if creating a new page.
• Cross-references and links verified.

Summary by CodeRabbit

• New Features
  • Dashboard URLs now display with pre-populated authentication tokens when available, eliminating manual token entry and improving access across onboarding, status checks, and installation completion.

[coderabbitai]

📝 Walkthrough

Walkthrough

Multiple scripts now support computed dashboard URLs with optional authentication tokens. A new getDashboardUrl helper in runner.js retrieves sandbox tokens and constructs authenticated dashboard URLs. This function is imported and integrated into onboard.js, nemoclaw.js, and install.sh to display dashboards during initialization and status operations.

Changes

Cohort / File(s)	Summary
Core Dashboard URL Helper bin/lib/runner.js	Added readSandboxToken(sandboxName) to download and parse sandbox tokens from openclaw.json, validating 64-character hex format. Added getDashboardUrl(sandboxName, port=18789) to construct dashboard URLs with embedded tokens or fallback to unauthenticated URLs.
Dashboard Output Integration bin/lib/onboard.js, bin/nemoclaw.js	Imported getDashboardUrl helper and integrated into dashboard output. onboard.js replaces hardcoded localhost URL with computed URL. nemoclaw.js extends sandboxStatus() to compute and log dashboard URL.
Shell Installation Script install.sh	Updated print_done() to independently derive dashboard URL by downloading openclaw.json via openshell, extracting and validating token, then printing authenticated or default dashboard URL.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hop along, dear coders, the dashboard now gleams,
With tokens tucked neatly in authentication schemes!
From scripts we've hopped through, a URL now appears,
Gateway authentication, no more dashboard fears! 🎪

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title mentions 'First time launch user help' and fixing 'device identity required', which aligns with the PR's objective of helping first-time users avoid the device identity barrier by including authentication tokens in dashboard URLs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

install.sh (1)

112-119: Minor: Python path injection edge case with special characters in temp directory.

The $_token_dir variable is interpolated directly into the Python string literal. While mktemp typically returns safe paths, if the path contained a single quote, it would break Python syntax.

Consider using stdin to pass the path:

♻️ Safer alternative using stdin

-      token="$(python3 -c "
-import json, sys
-try:
-    cfg = json.load(open('${_token_dir}/openclaw.json'))
-    print(cfg.get('gateway',{}).get('auth',{}).get('token',''))
-except Exception:
-    pass
-" 2>/dev/null | grep -xE '[0-9a-f]{64}' | head -1)" || token=""
+      token="$(python3 -c "
+import json, sys
+try:
+    cfg = json.load(open(sys.argv[1]))
+    print(cfg.get('gateway',{}).get('auth',{}).get('token',''))
+except Exception:
+    pass
+" "${_token_dir}/openclaw.json" 2>/dev/null | grep -xE '[0-9a-f]{64}' | head -1)" || token=""

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@install.sh` around lines 112 - 119, The current token extraction embeds
${_token_dir} directly into the python3 -c string (the command that sets the
token variable), which can break if the temp path contains single quotes; change
the invocation so the path is passed via stdin or environment instead of
interpolating into the Python literal: keep the token assignment and the python3
-c usage but read the directory path from sys.stdin or os.environ (or accept it
as an argument) and open the file '<provided_path>/openclaw.json' inside the
Python code, then print the token as before and pipe the script output through
the same grep/head checks; update references to the python invocation that
currently mentions ${_token_dir} and ensure the fallback || token="" remains.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@install.sh`:
- Around line 112-119: The current token extraction embeds ${_token_dir}
directly into the python3 -c string (the command that sets the token variable),
which can break if the temp path contains single quotes; change the invocation
so the path is passed via stdin or environment instead of interpolating into the
Python literal: keep the token assignment and the python3 -c usage but read the
directory path from sys.stdin or os.environ (or accept it as an argument) and
open the file '<provided_path>/openclaw.json' inside the Python code, then print
the token as before and pipe the script output through the same grep/head
checks; update references to the python invocation that currently mentions
${_token_dir} and ensure the fallback || token="" remains.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 30134e02-79f4-4918-a7eb-01168cc1f562

📥 Commits

Reviewing files that changed from the base of the PR and between a1e7485 and 0dc1180.

📒 Files selected for processing (4)

• bin/lib/onboard.js
• bin/lib/runner.js
• bin/nemoclaw.js
• install.sh

[wscurran]

Thanks for submitting this PR, it enhances the installation script to make it easier for users to access the dashboard and fixes the 'device identity required' issue, which improves the overall user experience during the setup process.