
fix: use npm ci with package-lock.json in Dockerfile #640

Open
webdevpraveen wants to merge 1 commit into NVIDIA:main from
webdevpraveen:fix/dockerfile-use-npm-ci-with-lockfile

Conversation


@webdevpraveen webdevpraveen commented Mar 22, 2026

Problem

The runtime stage in Dockerfile copies nemoclaw/package.json into
the image but omits nemoclaw/package-lock.json, then runs
npm install --omit=dev.

Without the lockfile, npm install resolves dependencies from the
registry at build time. Two docker build runs from the same Git
commit can produce images with different transitive dependency versions
if any upstream package is updated between runs — non-reproducible
builds.

Fix

-COPY nemoclaw/package.json /opt/nemoclaw/
+COPY nemoclaw/package.json nemoclaw/package-lock.json /opt/nemoclaw/

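Review bot: the new COPY makes nemoclaw/package-lock.json a required build input, so if a .dockerignore rule excludes it the build now fails at this step; confirm the file is neither git-ignored nor docker-ignored before merging. Copying both manifests in the same layer is the right choice: a change to either one invalidates the cache for the RUN that follows, so a stale lockfile cannot be reused against an updated package.json.
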
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
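Review bot: `npm ci --omit=dev` turns lockfile drift into a hard build failure, so the checked-in nemoclaw/package-lock.json must already agree with nemoclaw/package.json or the runtime stage stops building; run `npm ci` once locally against the current tree before merge. Two scope caveats worth stating in the description: npm ci verifies the integrity hashes recorded in the lockfile when it fetches tarballs, so the gain is verification as well as pinning; and the unchanged `RUN npm install -g openclaw@2026.3.11` line pins only that package's own version, its transitive dependencies are still resolved from the registry at build time, so the image is reproducible for the nemoclaw tree only.
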
  1. Copy nemoclaw/package-lock.json into the image — it exists in
    the repo but was never passed to Docker.
  2. Replace npm install with npm ci — reads the lockfile
    exclusively, installs exactly pinned versions, and exits non-zero if
    package.json and package-lock.json drift out of sync.

The RUN npm install -g openclaw@2026.3.11 global install line is
intentionally unchanged — it installs a pinned external package and
does not use a local lockfile.

References

Summary by CodeRabbit

  • Chores
    • Improved build process reliability through deterministic dependency installation using dependency lockfiles.

The runtime stage copies nemoclaw/package.json into /opt/nemoclaw/
but omits nemoclaw/package-lock.json, then runs 'npm install --omit=dev'.

Without the lockfile npm resolves dependencies from the registry at
build time. Two docker builds from the same Git commit can install
different transitive dependency versions if any package is updated
between runs — producing non-reproducible images.

Fix: copy nemoclaw/package-lock.json alongside package.json and
replace 'npm install' with 'npm ci'. npm ci reads the lockfile,
installs exactly the pinned versions, and fails fast if package.json
and package-lock.json drift out of sync.

Signed-off-by: Praveen Singh <pr4veensingh@proton.me>
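An added illustration, not code from the NVIDIA repository or this PR: the script below models, in plain Node.js, the two things the description relies on `npm ci` for. It compares the dependency ranges declared in package.json with the root entry of a lockfileVersion 2 or 3 package-lock.json (the layout with a `packages` map) and reports drift, the condition on which npm ci exits non-zero; it lists the exact version each production dependency is pinned to, which is what `--omit=dev` would install; and it flags lock entries with no `integrity` hash, which npm cannot verify against the downloaded tarball. The manifests, package names, versions and hashes are constructed, and `checkLockfile`, `declaredSpecs` and `DRIFTED_PACKAGE_JSON` are this example's own names, not npm APIs. It is a model of npm ci's validation rather than the real implementation, which also walks transitive entries, workspaces and optional and peer dependencies.

```javascript
// Added example (not NVIDIA/nemoclaw code): model of the lockfile checks
// that `npm ci` performs before installing. All inputs are constructed.

// Constructed package.json.
const PACKAGE_JSON = {
  name: "example-app",
  version: "1.0.0",
  dependencies: { "left-pad": "^1.3.0", ms: "^2.1.0" },
  devDependencies: { jest: "^29.0.0" },
};

// Constructed package-lock.json in the lockfileVersion 3 layout:
// packages[""] is the root manifest snapshot, packages["node_modules/<name>"]
// are the exact versions npm ci would install.
const PACKAGE_LOCK = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      version: "1.0.0",
      dependencies: { "left-pad": "^1.3.0", ms: "^2.1.0" },
      devDependencies: { jest: "^29.0.0" },
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED+left-pad",
    },
    "node_modules/ms": {
      version: "2.1.3",
      resolved: "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
      // "integrity" deliberately absent: constructed unverifiable entry.
    },
    "node_modules/jest": {
      version: "29.7.0",
      dev: true,
      resolved: "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz",
      integrity: "sha512-CONSTRUCTED+jest",
    },
  },
};

// Declared ranges (name -> range) from a manifest object. Dev dependencies
// are dropped when omitDev is true, mirroring `--omit=dev`.
function declaredSpecs(manifest, omitDev) {
  const specs = { ...(manifest.dependencies || {}) };
  if (!omitDev) Object.assign(specs, manifest.devDependencies || {});
  return specs;
}

// Returns { ok, drift, missing, noIntegrity, pinned }.
function checkLockfile(pkg, lock, { omitDev = false } = {}) {
  const report = { ok: false, drift: [], missing: [], noIntegrity: [], pinned: {} };
  if (!lock.packages || !(lock.lockfileVersion >= 2)) {
    report.drift.push("lockfileVersion < 2: no packages map to verify");
    return report;
  }
  // 1. Drift: package.json and the lock's root entry must declare the same
  //    ranges (dev deps included). This is the case where npm ci exits non-zero.
  const want = declaredSpecs(pkg, false);
  const locked = declaredSpecs(lock.packages[""] || {}, false);
  for (const name of new Set([...Object.keys(want), ...Object.keys(locked)])) {
    if (want[name] !== locked[name]) {
      report.drift.push(`${name}: package.json=${want[name] ?? "absent"} lock=${locked[name] ?? "absent"}`);
    }
  }
  // 2. Every dependency that will be installed needs an exact pinned entry;
  //    an entry without an integrity hash cannot be verified by npm.
  for (const name of Object.keys(declaredSpecs(pkg, omitDev))) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry || !entry.version) { report.missing.push(name); continue; }
    report.pinned[name] = entry.version;
    if (!entry.integrity) report.noIntegrity.push(name);
  }
  report.ok = report.drift.length === 0 && report.missing.length === 0;
  return report;
}

// Constructed drift case: ms was bumped in package.json, lock not regenerated.
const DRIFTED_PACKAGE_JSON = {
  ...PACKAGE_JSON,
  dependencies: { "left-pad": "^1.3.0", ms: "^3.0.0" },
};

console.log(JSON.stringify(checkLockfile(PACKAGE_JSON, PACKAGE_LOCK, { omitDev: true }), null, 2));
console.log(JSON.stringify(checkLockfile(DRIFTED_PACKAGE_JSON, PACKAGE_LOCK, { omitDev: true }), null, 2));
```

Run with `node`: the first report passes and pins left-pad and ms only (jest is omitted as a dev dependency), while warning that the ms entry carries no integrity hash; the second report fails on `ms`, the situation a developer creates by editing package.json without regenerating the lock, which the PR's switch to `npm ci` now surfaces at build time instead of silently installing whatever the registry resolves.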

coderabbitai bot commented Mar 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 04012f7 and 8a63674.

📒 Files selected for processing (1)
  • Dockerfile

📝 Walkthrough

The Dockerfile is updated to copy both package.json and package-lock.json into the container and switches from npm install --omit=dev to npm ci --omit=dev, enabling deterministic dependency installation using the lockfile.

Changes

Cohort / File(s): Docker Configuration (Dockerfile)
Summary: Adds package-lock.json to the COPY step and replaces npm install with npm ci for deterministic dependency resolution.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 A lock file joins the journey,
npm ci takes the lead,
Deterministic paths and certainty,
Our container's guaranteed indeed!
No surprises in the build today,
Just pure reproducibility on display. 📦

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the main change: replacing npm install with npm ci and including package-lock.json in the Dockerfile for reproducible builds.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@webdevpraveen (Author) commented

Flagging for maintainer review - happy to address any feedback.
