npm - @agent-vm/agent-vm - Versions diffs - 0.0.69 → 0.0.70 - Mend

@agent-vm/agent-vm 0.0.69 → 0.0.70

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

package/dist/integration-tests/smoke-harness.js CHANGED Viewed

@@ -1,16 +1,28 @@
-import { execFileSync } from 'node:child_process';
+import { execFile, execFileSync } from 'node:child_process';
 import fs from 'node:fs/promises';
 import net from 'node:net';
 import os from 'node:os';
 import path from 'node:path';
-import { resolveGondolinMinimumZigVersion, } from '@agent-vm/gondolin-adapter';
+import { promisify } from 'node:util';
+import { resolveGondolinMinimumZigVersion } from '@agent-vm/gondolin-adapter';
 import { computeFingerprintFromConfigPath } from '../build/gondolin-image-builder.js';
 import { resolveManagedImageRelease } from '../build/managed-image-dockerfile.js';
 import { isZigVersionAtLeast, resolveHostZigVersion } from '../build/zig-compatibility.js';
 import { scaffoldAgentVmProject } from '../cli/init-command.js';
+import { loadJsonConfigFile } from '../config/json-config-file.js';
 import { loadSystemConfig } from '../config/system-config.js';
 import { startControllerRuntime } from '../controller/controller-runtime.js';
 import { startGatewayZone } from '../gateway/gateway-zone-orchestrator.js';
+const defaultOpenClawMcpPortalExtensionsPath = '/home/openclaw/.openclaw/extensions/mcp-portal';
+const execFileAsync = promisify(execFile);
+const openClawMcpPortalPluginName = 'mcp-portal';
+const smokeTempRootPrefixes = [
+    'agent-vm-gateway-smoke-project-',
+    'agent-vm-smoke-harness-',
+    'openclaw-mcp-portal-smoke-',
+    'openclaw-zone-git-smoke-',
+    'worker-loop-smoke-',
+];
 export function hasCommand(command) {
     try {
         execFileSync('sh', ['-lc', `command -v ${command} >/dev/null`], { stdio: 'ignore' });
@@ -26,6 +38,22 @@ export function currentSmokeArchitecture() {
 export function qemuCommandForArchitecture(architecture) {
     return architecture === 'aarch64' ? 'qemu-system-aarch64' : 'qemu-system-x86_64';
 }
+function isOwnedSmokeTempRoot(tempRoot) {
+    const resolvedTempRoot = path.resolve(tempRoot);
+    const resolvedSystemTempRoot = path.resolve(os.tmpdir());
+    if (resolvedTempRoot === resolvedSystemTempRoot ||
+        !resolvedTempRoot.startsWith(`${resolvedSystemTempRoot}${path.sep}`)) {
+        return false;
+    }
+    const basename = path.basename(resolvedTempRoot);
+    return smokeTempRootPrefixes.some((prefix) => basename.startsWith(prefix));
+}
+export async function removeSmokeTempRoot(tempRoot) {
+    if (!isOwnedSmokeTempRoot(tempRoot)) {
+        return;
+    }
+    await fs.rm(tempRoot, { force: true, recursive: true });
+}
 export async function canRunGondolinSmoke(options) {
     const commandExists = options.commandExists ?? hasCommand;
     if (!commandExists(qemuCommandForArchitecture(options.architecture)) ||
@@ -92,11 +120,15 @@ export async function waitForControllerReady(controllerPort) {
     throw new Error('Controller did not become ready in time.');
 }
 export async function findReusableGatewayImageDirectory(currentProjectRoot, gatewayBuildConfigPath) {
+    const explicitSmokeCacheRoot = process.env.AGENT_VM_SMOKE_CACHE_DIR;
+    if (!explicitSmokeCacheRoot) {
+        return null;
+    }
     const requiredFingerprint = await computeFingerprintFromConfigPath(gatewayBuildConfigPath);
-    const tempRootEntries = await fs.readdir(os.tmpdir(), { withFileTypes: true });
+    const tempRootEntries = await fs.readdir(explicitSmokeCacheRoot, { withFileTypes: true });
     const smokeRunDirectories = tempRootEntries
         .filter((entry) => entry.isDirectory() && entry.name.includes('-smoke-'))
-        .map((entry) => path.join(os.tmpdir(), entry.name));
+        .map((entry) => path.join(explicitSmokeCacheRoot, entry.name));
     for (const smokeRunDirectory of smokeRunDirectories) {
         if (smokeRunDirectory === currentProjectRoot) {
             continue;
@@ -185,60 +217,211 @@ function getWorkerSmokeZone(systemConfig) {
     }
     return { ...zone, gateway: zone.gateway };
 }
-async function archivePackageDist(props) {
-    await fs.access(path.join(props.distDirectory, 'index.js'));
-    execFileSync('tar', ['--no-xattrs', '-czf', props.archivePath, '-C', props.distDirectory, '.'], {
-        env: { ...process.env, COPYFILE_DISABLE: '1' },
-        stdio: 'inherit',
-    });
-}
 async function packLocalPackageTarball(props) {
     const packageJsonPath = path.join(props.packageDirectory, 'package.json');
     await fs.access(packageJsonPath);
     const packDirectory = await fs.mkdtemp(path.join(os.tmpdir(), `${props.packageName}-pack-`));
-    execFileSync('pnpm', ['pack', '--pack-destination', packDirectory], {
-        cwd: props.packageDirectory,
-        stdio: 'pipe',
-    });
-    const packedTarballs = (await fs.readdir(packDirectory)).filter((fileName) => fileName.endsWith('.tgz'));
-    const [packedTarballName] = packedTarballs;
-    if (packedTarballName === undefined) {
-        throw new Error(`Failed to pack local ${props.packageName} tarball for smoke image.`);
+    try {
+        execFileSync('pnpm', ['pack', '--pack-destination', packDirectory], {
+            cwd: props.packageDirectory,
+            stdio: 'pipe',
+        });
+        const packedTarballs = (await fs.readdir(packDirectory)).filter((fileName) => fileName.endsWith('.tgz'));
+        const [packedTarballName] = packedTarballs;
+        if (packedTarballName === undefined) {
+            throw new Error(`Failed to pack local ${props.packageName} tarball for smoke image.`);
+        }
+        if (packedTarballs.length > 1) {
+            throw new Error(`Expected pnpm pack for ${props.packageName} to produce exactly one tarball.`);
+        }
+        return path.join(packDirectory, packedTarballName);
     }
-    if (packedTarballs.length > 1) {
-        throw new Error(`Expected pnpm pack for ${props.packageName} to produce exactly one tarball.`);
+    catch (error) {
+        await fs.rm(packDirectory, { force: true, recursive: true });
+        throw error;
     }
-    return path.join(packDirectory, packedTarballName);
 }
-async function useLocalToolVmMcpPortalPackage(options) {
+async function removeLocalPackageTarballDirectories(tarballPaths) {
+    await Promise.all(Array.from(new Set(tarballPaths
+        .filter((tarballPath) => tarballPath !== undefined)
+        .map((tarballPath) => path.dirname(tarballPath)))).map(async (packDirectory) => {
+        await fs.rm(packDirectory, { force: true, recursive: true });
+    }));
+}
+async function copyLocalPackageTarballsToDockerContext(options) {
+    await Promise.all(options.tarballs.map(async (tarball) => {
+        await fs.copyFile(tarball.sourcePath, path.join(options.dockerContextDirectory, tarball.archiveName));
+    }));
+}
+async function useLocalToolVmMcpPortalPackageTarballs(options) {
     const managedImageRelease = await resolveManagedImageRelease();
     const baseImage = managedImageRelease.baseImages['tool-vm'];
     const toolVmProfiles = Object.entries(options.systemConfig.imageProfiles.toolVms);
-    for (const [profileName, toolVmProfile] of toolVmProfiles) {
+    await Promise.all(toolVmProfiles.map(async ([profileName, toolVmProfile]) => {
         const dockerContextDirectory = path.join(options.projectRoot, 'vm-images', 'tool-vms', `${profileName}-local-mcp-portal`);
         const dockerfilePath = path.join(dockerContextDirectory, 'Dockerfile');
         const localConfigContractsTarballName = 'config-contracts-local.tgz';
+        const localSecretsTarballName = 'secrets-local.tgz';
         const localTarballName = 'mcp-portal-local.tgz';
         await fs.rm(dockerContextDirectory, { force: true, recursive: true });
         await fs.mkdir(dockerContextDirectory, { recursive: true });
-        await fs.copyFile(options.localConfigContractsTarballPath, path.join(dockerContextDirectory, localConfigContractsTarballName));
-        await fs.copyFile(options.localMcpPortalTarballPath, path.join(dockerContextDirectory, localTarballName));
+        await copyLocalPackageTarballsToDockerContext({
+            dockerContextDirectory,
+            tarballs: [
+                {
+                    archiveName: localConfigContractsTarballName,
+                    sourcePath: options.localConfigContractsTarballPath,
+                },
+                {
+                    archiveName: localSecretsTarballName,
+                    sourcePath: options.localSecretsTarballPath,
+                },
+                { archiveName: localTarballName, sourcePath: options.localMcpPortalTarballPath },
+            ],
+        });
         await fs.writeFile(dockerfilePath, [
             `FROM ${baseImage.repository}:${baseImage.tag}`,
             '',
             '# Generated by the OpenClaw smoke harness from the local MCP Portal package.',
             'COPY config-contracts-local.tgz /tmp/config-contracts-local.tgz',
+            'COPY secrets-local.tgz /tmp/secrets-local.tgz',
             'COPY mcp-portal-local.tgz /tmp/mcp-portal-local.tgz',
-            `ENV PNPM_HOME=/pnpm`,
-            'ENV PATH=${PNPM_HOME}:${PATH}',
-            'RUN pnpm config set global-dir /pnpm/global && pnpm config set global-bin-dir /pnpm',
-            'RUN pnpm add -g /tmp/config-contracts-local.tgz /tmp/mcp-portal-local.tgz && rm -f /tmp/config-contracts-local.tgz /tmp/mcp-portal-local.tgz',
+            'RUN mkdir -p /opt/agent-vm/local-packages && \\',
+            '    npm install --omit=dev --no-audit --no-fund --prefix /opt/agent-vm/local-packages /tmp/config-contracts-local.tgz /tmp/secrets-local.tgz /tmp/mcp-portal-local.tgz && \\',
+            '    rm -f /tmp/config-contracts-local.tgz /tmp/secrets-local.tgz /tmp/mcp-portal-local.tgz',
             '',
         ].join('\n'), 'utf8');
         toolVmProfile.dockerfile = dockerfilePath;
         delete toolVmProfile.source;
+    }));
+}
+export async function useLocalToolVmMcpPortalPackage(options) {
+    const localConfigContractsTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'config-contracts'),
+        packageName: 'config-contracts',
+    });
+    const localSecretsTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'secrets'),
+        packageName: 'secrets',
+    });
+    const localMcpPortalTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'mcp-portal'),
+        packageName: 'mcp-portal',
+    });
+    try {
+        await useLocalToolVmMcpPortalPackageTarballs({
+            localConfigContractsTarballPath,
+            localMcpPortalTarballPath,
+            localSecretsTarballPath,
+            projectRoot: options.projectRoot,
+            systemConfig: options.systemConfig,
+        });
+    }
+    finally {
+        await removeLocalPackageTarballDirectories([
+            localConfigContractsTarballPath,
+            localSecretsTarballPath,
+            localMcpPortalTarballPath,
+        ]);
     }
 }
+function localPackageTarballArchiveName(packageName) {
+    return `${packageName}-local.tgz`;
+}
+function isJsonRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function mutableJsonRecord(value) {
+    if (!isJsonRecord(value)) {
+        return undefined;
+    }
+    return value;
+}
+async function runDockerCommand(args) {
+    await execFileAsync('docker', [...args]);
+}
+async function readSmokeDockerImageTag(buildConfigPath) {
+    let buildConfig;
+    try {
+        buildConfig = mutableJsonRecord(await loadJsonConfigFile(buildConfigPath));
+    }
+    catch (error) {
+        if (isJsonRecord(error) && error.code === 'ENOENT') {
+            return null;
+        }
+        throw error;
+    }
+    const ociConfig = mutableJsonRecord(buildConfig?.oci);
+    const imageTag = ociConfig?.image;
+    return typeof imageTag === 'string' && imageTag.length > 0 ? imageTag : null;
+}
+export async function collectSmokeDockerImageTags(systemConfig) {
+    const imageProfiles = [
+        ...Object.values(systemConfig.imageProfiles.gateways),
+        ...Object.values(systemConfig.imageProfiles.toolVms),
+    ];
+    const imageTags = [];
+    for (const imageProfile of imageProfiles) {
+        // oxlint-disable-next-line eslint/no-await-in-loop -- config files are intentionally read deterministically
+        const imageTag = await readSmokeDockerImageTag(imageProfile.buildConfig);
+        if (imageTag !== null) {
+            imageTags.push(imageTag);
+        }
+    }
+    return Array.from(new Set(imageTags));
+}
+export async function removeSmokeDockerImages(imageTags, options = {}) {
+    const dockerCommand = options.runDockerCommand ?? runDockerCommand;
+    for (const imageTag of Array.from(new Set(imageTags))) {
+        try {
+            // oxlint-disable-next-line eslint/no-await-in-loop -- one tag at a time keeps cleanup errors attributable
+            await dockerCommand(['image', 'inspect', imageTag]);
+        }
+        catch {
+            continue;
+        }
+        // oxlint-disable-next-line eslint/no-await-in-loop -- one tag at a time keeps cleanup errors attributable
+        await dockerCommand(['image', 'rm', '--force', imageTag]);
+    }
+}
+export async function removeSmokeDockerImagesForSystemConfig(systemConfig, options = {}) {
+    await removeSmokeDockerImages(await collectSmokeDockerImageTags(systemConfig), options);
+}
+function throwIfSmokeHarnessCleanupFailed(errors) {
+    if (errors.length === 0) {
+        return;
+    }
+    const [firstError] = errors;
+    if (errors.length === 1 && firstError !== undefined) {
+        throw firstError;
+    }
+    throw new AggregateError(errors, 'Smoke harness cleanup failed.');
+}
+function withoutStringValue(value, removedValue) {
+    if (!Array.isArray(value)) {
+        return value;
+    }
+    return value.filter((entry) => entry !== removedValue);
+}
+export async function disableOpenClawMcpPortalPlugin(configPath) {
+    const config = mutableJsonRecord(await loadJsonConfigFile(configPath));
+    if (!config) {
+        throw new Error(`OpenClaw config at ${configPath} must be an object.`);
+    }
+    const plugins = mutableJsonRecord(config.plugins);
+    const pluginLoad = mutableJsonRecord(plugins?.load);
+    if (pluginLoad) {
+        pluginLoad.paths = withoutStringValue(pluginLoad.paths, defaultOpenClawMcpPortalExtensionsPath);
+    }
+    if (plugins) {
+        plugins.allow = withoutStringValue(plugins.allow, openClawMcpPortalPluginName);
+    }
+    const pluginEntries = mutableJsonRecord(plugins?.entries);
+    if (pluginEntries) {
+        delete pluginEntries[openClawMcpPortalPluginName];
+    }
+    await fs.writeFile(configPath, `${JSON.stringify(config, null, '\t')}\n`, 'utf8');
+}
 export async function useLocalOpenClawGatewayImagePackages(options) {
     const gatewayProfile = options.systemConfig.imageProfiles.gateways[options.profileName];
     if (!gatewayProfile) {
@@ -248,61 +431,169 @@ export async function useLocalOpenClawGatewayImagePackages(options) {
     const baseImage = managedImageRelease.baseImages['openclaw-gateway'];
     const dockerContextDirectory = path.join(options.projectRoot, 'vm-images', 'gateways', `${options.profileName}-local-packages`);
     const dockerfilePath = path.join(dockerContextDirectory, 'Dockerfile');
-    const packages = [
-        {
-            archiveName: 'gondolin-dist.tgz',
-            extensionPath: '/home/openclaw/.openclaw/extensions/gondolin',
-            packageDirectory: path.join(options.repoRoot, 'packages', 'openclaw-agent-vm-plugin'),
-        },
-        {
-            archiveName: 'mcp-portal-plugin-dist.tgz',
-            extensionPath: '/home/openclaw/.openclaw/extensions/mcp-portal',
-            packageDirectory: path.join(options.repoRoot, 'packages', 'openclaw-mcp-portal-plugin'),
-        },
-    ];
-    await fs.rm(dockerContextDirectory, { force: true, recursive: true });
-    await fs.mkdir(dockerContextDirectory, { recursive: true });
-    await Promise.all(packages.map((packageConfig) => archivePackageDist({
-        archivePath: path.join(dockerContextDirectory, packageConfig.archiveName),
-        distDirectory: path.join(packageConfig.packageDirectory, 'dist'),
-    })));
-    const portalServerPath = path.join(options.repoRoot, 'packages', 'mcp-portal', 'dist', 'bin', 'portal-server.js');
-    await fs.access(portalServerPath);
+    const localConfigContractsTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'config-contracts'),
+        packageName: 'config-contracts',
+    });
+    const localSecretsTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'secrets'),
+        packageName: 'secrets',
+    });
+    const localGondolinAdapterTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'gondolin-adapter'),
+        packageName: 'gondolin-adapter',
+    });
     const localMcpPortalTarballPath = await packLocalPackageTarball({
         packageDirectory: path.join(options.repoRoot, 'packages', 'mcp-portal'),
         packageName: 'mcp-portal',
     });
-    const localConfigContractsTarballPath = await packLocalPackageTarball({
-        packageDirectory: path.join(options.repoRoot, 'packages', 'config-contracts'),
-        packageName: 'config-contracts',
+    const localOpenClawAgentVmPluginTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'openclaw-agent-vm-plugin'),
+        packageName: 'openclaw-agent-vm-plugin',
     });
-    await useLocalToolVmMcpPortalPackage({
-        localConfigContractsTarballPath,
-        localMcpPortalTarballPath,
-        projectRoot: options.projectRoot,
-        systemConfig: options.systemConfig,
+    const localOpenClawMcpPortalPluginTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'openclaw-mcp-portal-plugin'),
+        packageName: 'openclaw-mcp-portal-plugin',
     });
-    await fs.writeFile(dockerfilePath, [
-        `FROM ${baseImage.repository}:${baseImage.tag}`,
-        '',
-        '# Generated by the OpenClaw smoke harness from local package dist outputs.',
-        'COPY gondolin-dist.tgz /tmp/gondolin-dist.tgz',
-        'COPY mcp-portal-plugin-dist.tgz /tmp/mcp-portal-plugin-dist.tgz',
-        'RUN rm -rf /home/openclaw/.openclaw/extensions/gondolin /home/openclaw/.openclaw/extensions/mcp-portal && \\',
-        '    mkdir -p /home/openclaw/.openclaw/extensions/gondolin /home/openclaw/.openclaw/extensions/mcp-portal /opt/agent-vm/portal/bin && \\',
-        '    tar -xzf /tmp/gondolin-dist.tgz -C /home/openclaw/.openclaw/extensions/gondolin && \\',
-        '    tar -xzf /tmp/mcp-portal-plugin-dist.tgz -C /home/openclaw/.openclaw/extensions/mcp-portal && \\',
-        '    chown -R root:root /home/openclaw/.openclaw/extensions/gondolin /home/openclaw/.openclaw/extensions/mcp-portal && \\',
-        '    rm -f /tmp/gondolin-dist.tgz /tmp/mcp-portal-plugin-dist.tgz',
-        'RUN printf \'#!/bin/sh\\nexec node /work/repo/packages/mcp-portal/dist/bin/portal-server.js "$@"\\n\' > /opt/agent-vm/portal/bin/agent-vm-mcp-portal-server && \\',
-        '    chmod 755 /opt/agent-vm/portal/bin/agent-vm-mcp-portal-server',
-        '',
-    ].join('\n'), 'utf8');
-    gatewayProfile.dockerfile = dockerfilePath;
-    delete gatewayProfile.source;
+    try {
+        const localPackageTarballs = [
+            {
+                archiveName: localPackageTarballArchiveName('config-contracts'),
+                sourcePath: localConfigContractsTarballPath,
+            },
+            {
+                archiveName: localPackageTarballArchiveName('secrets'),
+                sourcePath: localSecretsTarballPath,
+            },
+            {
+                archiveName: localPackageTarballArchiveName('gondolin-adapter'),
+                sourcePath: localGondolinAdapterTarballPath,
+            },
+            {
+                archiveName: localPackageTarballArchiveName('mcp-portal'),
+                sourcePath: localMcpPortalTarballPath,
+            },
+            {
+                archiveName: localPackageTarballArchiveName('openclaw-agent-vm-plugin'),
+                sourcePath: localOpenClawAgentVmPluginTarballPath,
+            },
+            {
+                archiveName: localPackageTarballArchiveName('openclaw-mcp-portal-plugin'),
+                sourcePath: localOpenClawMcpPortalPluginTarballPath,
+            },
+        ];
+        await fs.rm(dockerContextDirectory, { force: true, recursive: true });
+        await fs.mkdir(dockerContextDirectory, { recursive: true });
+        await copyLocalPackageTarballsToDockerContext({
+            dockerContextDirectory,
+            tarballs: localPackageTarballs,
+        });
+        await useLocalToolVmMcpPortalPackageTarballs({
+            localConfigContractsTarballPath,
+            localMcpPortalTarballPath,
+            localSecretsTarballPath,
+            projectRoot: options.projectRoot,
+            systemConfig: options.systemConfig,
+        });
+        await fs.writeFile(dockerfilePath, [
+            `FROM ${baseImage.repository}:${baseImage.tag}`,
+            '',
+            '# Generated by the OpenClaw smoke harness from local package tarballs.',
+            ...localPackageTarballs.map((tarball) => `COPY ${tarball.archiveName} /tmp/${tarball.archiveName}`),
+            'RUN mkdir -p /opt/agent-vm/local-packages && \\',
+            '    npm install --omit=dev --no-audit --no-fund --prefix /opt/agent-vm/local-packages ' +
+                localPackageTarballs.map((tarball) => `/tmp/${tarball.archiveName}`).join(' ') +
+                ' && \\',
+            '    rm -f ' +
+                localPackageTarballs.map((tarball) => `/tmp/${tarball.archiveName}`).join(' '),
+            'RUN package_root="/opt/agent-vm/local-packages/node_modules" && \\',
+            '    mkdir -p /home/openclaw/.openclaw/extensions && \\',
+            '    ln -sfn "$package_root/@agent-vm/openclaw-agent-vm-plugin/dist" /home/openclaw/.openclaw/extensions/gondolin && \\',
+            '    ln -sfn "$package_root/@agent-vm/openclaw-mcp-portal-plugin/dist" /home/openclaw/.openclaw/extensions/mcp-portal',
+            '',
+        ].join('\n'), 'utf8');
+        gatewayProfile.dockerfile = dockerfilePath;
+        delete gatewayProfile.source;
+    }
+    finally {
+        await removeLocalPackageTarballDirectories([
+            localConfigContractsTarballPath,
+            localSecretsTarballPath,
+            localGondolinAdapterTarballPath,
+            localMcpPortalTarballPath,
+            localOpenClawAgentVmPluginTarballPath,
+            localOpenClawMcpPortalPluginTarballPath,
+        ]);
+    }
 }
 export async function useLocalOpenClawPluginGatewayImage(options) {
-    await useLocalOpenClawGatewayImagePackages(options);
+    const gatewayProfile = options.systemConfig.imageProfiles.gateways[options.profileName];
+    if (!gatewayProfile) {
+        throw new Error(`Gateway image profile '${options.profileName}' is not configured.`);
+    }
+    const managedImageRelease = await resolveManagedImageRelease();
+    const baseImage = managedImageRelease.baseImages['openclaw-gateway'];
+    const dockerContextDirectory = path.join(options.projectRoot, 'vm-images', 'gateways', `${options.profileName}-local-plugin`);
+    const dockerfilePath = path.join(dockerContextDirectory, 'Dockerfile');
+    const localSecretsTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'secrets'),
+        packageName: 'secrets',
+    });
+    const localGondolinAdapterTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'gondolin-adapter'),
+        packageName: 'gondolin-adapter',
+    });
+    const localOpenClawAgentVmPluginTarballPath = await packLocalPackageTarball({
+        packageDirectory: path.join(options.repoRoot, 'packages', 'openclaw-agent-vm-plugin'),
+        packageName: 'openclaw-agent-vm-plugin',
+    });
+    try {
+        const localPackageTarballs = [
+            {
+                archiveName: localPackageTarballArchiveName('secrets'),
+                sourcePath: localSecretsTarballPath,
+            },
+            {
+                archiveName: localPackageTarballArchiveName('gondolin-adapter'),
+                sourcePath: localGondolinAdapterTarballPath,
+            },
+            {
+                archiveName: localPackageTarballArchiveName('openclaw-agent-vm-plugin'),
+                sourcePath: localOpenClawAgentVmPluginTarballPath,
+            },
+        ];
+        await fs.rm(dockerContextDirectory, { force: true, recursive: true });
+        await fs.mkdir(dockerContextDirectory, { recursive: true });
+        await copyLocalPackageTarballsToDockerContext({
+            dockerContextDirectory,
+            tarballs: localPackageTarballs,
+        });
+        await fs.writeFile(dockerfilePath, [
+            `FROM ${baseImage.repository}:${baseImage.tag}`,
+            '',
+            '# Generated by the OpenClaw smoke harness from local plugin package tarballs.',
+            ...localPackageTarballs.map((tarball) => `COPY ${tarball.archiveName} /tmp/${tarball.archiveName}`),
+            'RUN mkdir -p /opt/agent-vm/local-packages && \\',
+            '    npm install --omit=dev --no-audit --no-fund --prefix /opt/agent-vm/local-packages ' +
+                localPackageTarballs.map((tarball) => `/tmp/${tarball.archiveName}`).join(' ') +
+                ' && \\',
+            '    rm -f ' +
+                localPackageTarballs.map((tarball) => `/tmp/${tarball.archiveName}`).join(' '),
+            'RUN package_root="/opt/agent-vm/local-packages/node_modules" && \\',
+            '    mkdir -p /home/openclaw/.openclaw/extensions && \\',
+            '    ln -sfn "$package_root/@agent-vm/openclaw-agent-vm-plugin/dist" /home/openclaw/.openclaw/extensions/gondolin',
+            '',
+        ].join('\n'), 'utf8');
+        gatewayProfile.dockerfile = dockerfilePath;
+        delete gatewayProfile.source;
+    }
+    finally {
+        await removeLocalPackageTarballDirectories([
+            localSecretsTarballPath,
+            localGondolinAdapterTarballPath,
+            localOpenClawAgentVmPluginTarballPath,
+        ]);
+    }
 }
 export async function scaffoldOpenClawSmokeProject(options) {
     const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), options.prefix));
@@ -430,19 +721,12 @@ export async function writeOpenClawMcpPortalSmokeConfigs(options) {
             },
         },
         schemaVersion: 1,
-        server: {
-            accessHeader: {
-                name: options.portalAccessHeaderName,
-                secret: { name: 'MCP_PORTAL_SERVER_SECRET', source: 'environment' },
-            },
-            host: '127.0.0.1',
-            port: 18790,
-        },
     }, null, '\t')}\n`, 'utf8');
 }
 export async function startSmokeControllerRuntime(options) {
     const restoreEnvironment = applySmokeEnvironment(options.secrets);
     const secretResolver = createSmokeSecretResolver(options.secrets);
+    const tempRoot = path.dirname(path.dirname(options.startOptions.systemConfig.systemConfigPath));
     try {
         const runtime = await startControllerRuntime(options.startOptions, {
             createSecretResolver: async () => secretResolver,
@@ -474,19 +758,52 @@ export async function startSmokeControllerRuntime(options) {
             controllerUrl: `http://127.0.0.1:${options.startOptions.systemConfig.host.controllerPort}`,
             runtime,
             systemConfig: options.startOptions.systemConfig,
-            tempRoot: path.dirname(path.dirname(options.startOptions.systemConfig.systemConfigPath)),
+            tempRoot,
             close: async () => {
+                const cleanupErrors = [];
                 try {
                     await runtime.close();
                 }
+                catch (error) {
+                    cleanupErrors.push(error);
+                }
+                try {
+                    await removeSmokeDockerImagesForSystemConfig(options.startOptions.systemConfig);
+                }
+                catch (error) {
+                    cleanupErrors.push(error);
+                }
+                try {
+                    await removeSmokeTempRoot(tempRoot);
+                }
+                catch (error) {
+                    cleanupErrors.push(error);
+                }
                 finally {
                     restoreEnvironment();
                 }
+                throwIfSmokeHarnessCleanupFailed(cleanupErrors);
             },
         };
     }
     catch (error) {
-        restoreEnvironment();
+        const cleanupErrors = [error];
+        try {
+            await removeSmokeDockerImagesForSystemConfig(options.startOptions.systemConfig);
+        }
+        catch (cleanupError) {
+            cleanupErrors.push(cleanupError);
+        }
+        try {
+            await removeSmokeTempRoot(tempRoot);
+        }
+        catch (cleanupError) {
+            cleanupErrors.push(cleanupError);
+        }
+        finally {
+            restoreEnvironment();
+        }
+        throwIfSmokeHarnessCleanupFailed(cleanupErrors);
         throw error;
     }
 }