Skip to content

fix(installer): preserve sandbox payload lockfile#6628

Open
chengjiew wants to merge 3 commits into
mainfrom
fix/3798_preserve-sandbox-lockfile
Open

fix(installer): preserve sandbox payload lockfile#6628
chengjiew wants to merge 3 commits into
mainfrom
fix/3798_preserve-sandbox-lockfile

Conversation

@chengjiew

@chengjiew chengjiew commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Prevent macOS npm releases from rewriting the nested sandbox payload lockfile before Docker builds it on Linux. The installer now uses the committed lockfile for the payload, and CI rejects future nested lockfile drift.

Related Issue

Fixes #3798

Changes

  • Run npm ci --ignore-scripts for the nested nemoclaw/ payload in both source-checkout and GitHub-clone installer paths.
  • Validate nemoclaw/package-lock.json with a Linux CI dry run before dependency installation can mask drift.
  • Update installer fixtures and CI workflow contracts to cover the lockfile-preserving behavior.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: This changes the installer's internal dependency transaction and CI integrity check without changing commands, flags, prerequisites, configuration, output, or recovery steps.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Local nine-category review found no findings. Commands use fixed repository paths, disable lifecycle scripts, add no dependencies or privileges, and reduce dependency-resolution drift.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — LC_ALL=C LANG=C npx vitest run test/install-preflight.test.ts --testTimeout 60000 (95 passed); focused test/pr-workflow-contract.test.ts lockfile-guard contract (passed); npm 11.6.2 lockfile hash preservation and Linux node:22-trixie-slim npm ci --dry-run (passed); required cloud-onboard E2E run 29077214367 (passed)
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result:
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Chengjie Wang chengjiew@nvidia.com

Summary by CodeRabbit

  • Bug Fixes
    • Improved installation reliability by switching plugin build setup to use locked dependencies (npm ci --ignore-scripts) before building.
    • Added a CI validation step to detect sandbox payload lockfile issues prior to dependency installation.
  • Tests
    • Updated installer preflight and runtime tests to align with npm ci-based flows and ensure the sandbox payload lockfile is preserved with npm ci --ignore-scripts.
    • Extended workflow contract tests to verify the new lockfile validation command and its ordering before dependency installation.

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
@chengjiew chengjiew self-assigned this Jul 10, 2026
@copy-pr-bot

copy-pr-bot Bot commented Jul 10, 2026

Copy link
Copy Markdown

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a10f8cad-ab1c-46e9-bbc0-e5cd46fe45a7

📥 Commits

Reviewing files that changed from the base of the PR and between 2762413 and a8bb355.

📒 Files selected for processing (1)
  • scripts/install.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • scripts/install.sh

📝 Walkthrough

Walkthrough

The installer now uses npm ci for plugin dependencies, CI validates the sandbox payload lockfile with a dry run, and installer tests support and assert the updated npm commands.

Changes

npm ci lockfile handling

Layer / File(s) Summary
Plugin dependency installation
scripts/install.sh
Both source-checkout and GitHub-clone installation paths use npm ci --ignore-scripts before building the plugin.
Sandbox lockfile CI check
.github/actions/ci-static-checks/action.yaml, test/pr-workflow-contract.test.ts
Static checks validate the sandbox payload lockfile with npm ci --ignore-scripts --dry-run before dependency installation, and tests verify the command and ordering.
Installer npm ci test coverage
test/install-preflight.test.ts
Shared and local npm stubs accept ci invocations, while runtime tests verify lockfile preservation and expected install and ci command counts across installer scenarios.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The PR adds the CI guard and stops npm install from rewriting the payload, but it does not show the required Linux re-sync of nemoclaw/package-lock.json. Regenerate nemoclaw/package-lock.json inside the same Linux image used by the sandbox build, commit the updated lockfile, and keep the new ci/dry-run safeguards.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately summarizes the installer change to preserve the sandbox payload lockfile.
Out of Scope Changes check ✅ Passed All changes target the installer and CI validation for the nested payload lockfile; no unrelated code paths were introduced.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/3798_preserve-sandbox-lockfile

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 78%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File e4d2e91 a8bb355 +/-
src/lib/messagi...ate-resolver.ts 94% 88% -6%
src/lib/messagi...ate-resolver.ts 100% 96% -4%
src/lib/state/config-io.ts 96% 93% -3%
src/lib/credentials/store.ts 63% 62% -1%
src/lib/agent/defs.ts 85% 84% -1%
src/lib/adapters/http/probe.ts 89% 91% +2%
src/lib/inference/config.ts 96% 98% +2%
src/lib/messagi...ate-resolver.ts 96% 100% +4%
src/lib/messagi...ate-resolver.ts 95% 100% +5%
src/lib/shields/seal.ts 88% 100% +12%

Updated July 11, 2026 04:43 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: cloud-onboard
Optional E2E: full-e2e

Dispatch hint: cloud-onboard

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-onboard (high): Deterministic risk plan requires cloud-onboard for scripts/install.sh changes. The installer path must be validated on a clean supported host through hosted onboarding to ensure pinned dependencies install correctly and the assistant reaches a usable state.

Optional E2E

  • full-e2e (high): Optional adjacent confidence for the complete install/onboard/sandbox/inference user journey after changing dependency installation semantics, though cloud-onboard is the required validation floor.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: E2E
  • jobs input: cloud-onboard

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: cloud-onboard
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=cloud-onboard

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • cloud-onboard: Installer and platform changes must work on a clean supported host with the pinned runtime dependencies.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=cloud-onboard

Optional E2E targets

  • None.

Relevant changed files

  • scripts/install.sh

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Fix PRA-1: Unmet acceptance clause: lockfile re-sync on Linux not visible in PR; then add or justify PRA-T1.
Open items: 1 required · 4 warnings · 0 suggestions · 8 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 5 new items found

Action checklist

  • PRA-1 Fix: Unmet acceptance clause: lockfile re-sync on Linux not visible in PR in scripts/install.sh:1497
  • PRA-2 Resolve or justify: CI guard runner not guaranteed to be Linux in .github/actions/ci-static-checks/action.yaml:24
  • PRA-3 Resolve or justify: Missing negative tests for npm ci failure modes (lockfile corruption, version mismatch, missing lockfile) in test/install-preflight.test.ts:692
  • PRA-4 Resolve or justify: Missing test for platform-install invariant feature: custom settings for using build endpoints #2: platform detection does not silently downgrade runtime validation in test/install-preflight.test.ts:692
  • PRA-5 Resolve or justify: GitHub-clone installer path untested for npm ci lockfile preservation in scripts/install.sh:1557
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Missing negative tests for npm ci failure modes (lockfile corruption, version mismatch, missing lockfile)
  • PRA-T6 Add or justify test follow-up: Missing test for platform-install invariant feature: custom settings for using build endpoints #2: platform detection does not silently downgrade runtime validation
  • PRA-T7 Add or justify test follow-up: GitHub-clone installer path untested for npm ci lockfile preservation
  • PRA-T8 Add or justify test follow-up: Acceptance clause

Findings index

ID Severity Category Location Required action
PRA-1 Required acceptance scripts/install.sh:1497 Either include the regenerated nemoclaw/package-lock.json in this PR, or demonstrate that a prior commit on this branch already fixed it. Verify by running 'npm ci --ignore-scripts --dry-run' inside node:22-trixie-slim against the current nemoclaw/package-lock.json.
PRA-2 Resolve/justify correctness .github/actions/ci-static-checks/action.yaml:24 Either (a) ensure this composite action is only invoked from workflows/jobs that run on Linux (e.g., cloud-onboard), or (b) make the step explicitly run in a Linux container (docker://node:22-trixie-slim) regardless of host runner. Verify the calling workflow context.
PRA-3 Resolve/justify tests test/install-preflight.test.ts:692 Add Vitest test cases: (1) corrupted package-lock.json triggers npm ci failure and installer exits with actionable error, (2) package.json version bump without lockfile update fails npm ci, (3) missing package-lock.json fails npm ci, (4) npm ci network error surfaces clearly. Verify no silent fallback to npm install.
PRA-4 Resolve/justify tests test/install-preflight.test.ts:692 Add a test that simulates the macOS↔Linux optional dep divergence: run npm ci --dry-run against the committed nemoclaw/package-lock.json in a Linux container (node:22-trixie-slim) and assert it passes, while documenting that the same lockfile would fail on macOS. Or add a unit test mocking the platform detection path.
PRA-5 Resolve/justify tests scripts/install.sh:1557 Add a test case in install-preflight.test.ts for the GitHub-clone path that: mocks git clone, verifies npm ci --ignore-scripts runs in the cloned nemoclaw/ dir, and asserts lockfile preservation. Can reuse existing curl-pipe test fixtures.

🚨 Required before merge

Address these before merging unless a maintainer explicitly overrides the advisor with rationale.

PRA-1 Required — Unmet acceptance clause: lockfile re-sync on Linux not visible in PR

  • Location: scripts/install.sh:1497
  • Category: acceptance
  • Problem: Linked issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798 requires two fixes: (1) re-sync nemoclaw/package-lock.json by regenerating inside node:22-trixie-slim, and (2) add CI guard on Linux. This PR's diff (4 files) shows only the CI guard and npm ci switch — no change to nemoclaw/package-lock.json. Issue comment from 2026-07-07 confirms v0.0.73 (main) still exhibits the drift. Without the lockfile re-sync, the CI guard will fail on the drifted lockfile, blocking CI rather than fixing the root cause.
  • Impact: If the committed nemoclaw/package-lock.json is still out of sync (as reported on main as of July 7), the new CI validation step will fail on every run, and the installer's npm ci will fail on every source-checkout install. The root cause (platform-conditional optional deps missing from lockfile) remains unaddressed.
  • Required action: Either include the regenerated nemoclaw/package-lock.json in this PR, or demonstrate that a prior commit on this branch already fixed it. Verify by running 'npm ci --ignore-scripts --dry-run' inside node:22-trixie-slim against the current nemoclaw/package-lock.json.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Check git log for commits touching nemoclaw/package-lock.json on this branch. Run: docker run --rm -v $(pwd)/nemoclaw:/work -w /work node:22-trixie-slim sh -c 'npm ci --ignore-scripts --dry-run'
  • Missing regression test: CI validation that nemoclaw/package-lock.json passes npm ci --dry-run on Linux (node:22-trixie-slim) — already added as the new CI step, but the lockfile must be correct for it to pass.
  • Done when: The required change is committed and verification passes: Check git log for commits touching nemoclaw/package-lock.json on this branch. Run: docker run --rm -v $(pwd)/nemoclaw:/work -w /work node:22-trixie-slim sh -c 'npm ci --ignore-scripts --dry-run'.
  • Evidence: Linked issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798 body: 'Two parts, both needed: 1. Re-sync nemoclaw/package-lock.json... 2. Add a CI guard' Issue comment 4904225955 (2026-07-07): 'Still reproducing on v0.0.73' PR diff shows 4 changed files, none is nemoclaw/package-lock.json PR description: 'installer now uses the committed lockfile' — implies lockfile is already correct
Review findings by urgency: 1 required fix, 4 items to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-2 Resolve/justify — CI guard runner not guaranteed to be Linux

  • Location: .github/actions/ci-static-checks/action.yaml:24
  • Category: correctness
  • Problem: The new 'Validate sandbox payload lockfile' step runs in a composite action (.github/actions/ci-static-checks/action.yaml). Composite actions inherit the runner from the calling workflow. The riskPlan requires cloud-onboard (Linux host) for platform-install tier-3 validation. If this action is also used in workflows running on macOS/Windows runners, the npm ci --dry-run will validate against the wrong platform's optional dependency resolution, missing the exact drift pattern described in [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798.
  • Impact: The CI guard may pass on macOS runners (where @emnapi/core/runtime are pruned) but fail on Linux build containers, or vice versa. The validation must run on the same Linux image (node:22-trixie-slim) used by the sandbox Dockerfile to catch the platform-conditional dep drift.
  • Recommended action: Either (a) ensure this composite action is only invoked from workflows/jobs that run on Linux (e.g., cloud-onboard), or (b) make the step explicitly run in a Linux container (docker://node:22-trixie-slim) regardless of host runner. Verify the calling workflow context.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check .github/workflows/ for jobs using ci-static-checks action and their runs-on. Confirm cloud-onboard job uses it and runs on Linux.
  • Missing regression test: Workflow contract test asserting the static-checks action runs on Linux runner or in Linux container for the platform-install validation path.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check .github/workflows/ for jobs using ci-static-checks action and their runs-on. Confirm cloud-onboard job uses it and runs on Linux.
  • Evidence: .github/actions/ci-static-checks/action.yaml uses 'runs: using: composite' — no runs-on specified riskPlan.requiredJobs[0].id == 'cloud-onboard' with tier 3 Issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798: 'guard that only runs on the maintainer's local platform won't catch this — the problem is precisely the macOS↔Linux divergence' PR claim: 'required cloud-onboard E2E run 29077214367 (passed)' — suggests it ran on Linux but not verified in this context

PRA-3 Resolve/justify — Missing negative tests for npm ci failure modes (lockfile corruption, version mismatch, missing lockfile)

  • Location: test/install-preflight.test.ts:692
  • Category: tests
  • Problem: The new test 'preserves the sandbox payload lockfile with npm ci' only validates the happy path. No tests cover: corrupted package-lock.json, missing package-lock.json, package.json version bump without lockfile update, npm ci network failure, or installer error handling when npm ci fails. The supply-chain hardening (npm ci enforcement) is only verified on success.
  • Impact: Lockfile drift, corruption, or version conflicts could cause silent fallback to npm install (defeating the hardening) or confusing failures without regression coverage. Installer has no explicit error handling for npm ci failure; relies on set -e / spin() wrapper.
  • Recommended action: Add Vitest test cases: (1) corrupted package-lock.json triggers npm ci failure and installer exits with actionable error, (2) package.json version bump without lockfile update fails npm ci, (3) missing package-lock.json fails npm ci, (4) npm ci network error surfaces clearly. Verify no silent fallback to npm install.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read test/install-preflight.test.ts around line 692 — only one test case for npm ci path; search for 'ci' in test names and negative assertions. Check scripts/install.sh lines 1497 and 1557 for error handling around npm ci.
  • Missing regression test: Vitest test cases asserting npm ci fails on lockfile corruption/version mismatch/missing lockfile and installer exits with clear error message (no silent fallback to npm install).
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read test/install-preflight.test.ts around line 692 — only one test case for npm ci path; search for 'ci' in test names and negative assertions. Check scripts/install.sh lines 1497 and 1557 for error handling around npm ci.
  • Evidence: test/install-preflight.test.ts:692-760 only happy-path assertions: npm ci called once, lockfile content preserved scripts/install.sh:1497 and 1557 use 'npm ci --ignore-scripts' without explicit error handling for lockfile failures npm ci man page: exits non-zero if package-lock.json missing or out of sync Test npm stub in same file only handles ci on happy path (exits 0)

PRA-4 Resolve/justify — Missing test for platform-install invariant #2: platform detection does not silently downgrade runtime validation

  • Location: test/install-preflight.test.ts:692
  • Category: tests
  • Problem: RiskPlan defines two invariants for platform-install tier-3 family: (1) clean host installs pinned deps, (2) platform detection does not silently downgrade required runtime validation. The new test covers invariant ci: auto-update release notes on push to main #1 happy path. Invariant feature: custom settings for using build endpoints #2 has no test coverage — no test exercises macOS vs Linux optional dependency resolution difference that caused the original [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798 drift.
  • Impact: The exact drift pattern (macOS prunes @emnapi/core/runtime optional deps, Linux requires them) is undetected by tests. A future change to platform detection or lockfile generation could reintroduce the drift without test failure.
  • Recommended action: Add a test that simulates the macOS↔Linux optional dep divergence: run npm ci --dry-run against the committed nemoclaw/package-lock.json in a Linux container (node:22-trixie-slim) and assert it passes, while documenting that the same lockfile would fail on macOS. Or add a unit test mocking the platform detection path.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search test/install-preflight.test.ts for platform detection, optional deps, @emnapi, or cross-platform test patterns. Check if any test runs npm ci in a container or simulates different platforms.
  • Missing regression test: Test asserting that the committed nemoclaw/package-lock.json passes npm ci --dry-run on Linux (node:22-trixie-slim) and that platform detection logic (if any) does not strip optional deps required on Linux.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search test/install-preflight.test.ts for platform detection, optional deps, @emnapi, or cross-platform test patterns. Check if any test runs npm ci in a container or simulates different platforms.
  • Evidence: riskPlan.families[0].invariants[1] == 'platform detection does not silently downgrade required runtime validation' Issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798: '@emnapi/core and @emnapi/runtime as optional, platform-conditional transitive deps — they are a WASI fallback that npm's resolver only includes on Linux' test/install-preflight.test.ts has no test exercising cross-platform optional dep resolution

PRA-5 Resolve/justify — GitHub-clone installer path untested for npm ci lockfile preservation

  • Location: scripts/install.sh:1557
  • Category: tests
  • Problem: install.sh has two call sites for npm ci: source-checkout path (line ~1497) and GitHub-clone path (line ~1557). The new test 'preserves the sandbox payload lockfile with npm ci' only exercises the source-checkout path (sets NEMOCLAW_REPO_ROOT). The GitHub-clone path (curl|bash install) clones to ~/.nemoclaw/source and runs npm ci there — same lockfile preservation expectation but different code path, untested.
  • Impact: The GitHub-clone install path (used by most users via curl|bash) has no test coverage for the npm ci behavior. If the clone path has a bug (e.g., wrong working directory, missing lockfile copy), users would hit failures not caught by tests.
  • Recommended action: Add a test case in install-preflight.test.ts for the GitHub-clone path that: mocks git clone, verifies npm ci --ignore-scripts runs in the cloned nemoclaw/ dir, and asserts lockfile preservation. Can reuse existing curl-pipe test fixtures.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Compare the two test scenarios in install-preflight.test.ts: 'preserves the sandbox payload lockfile with npm ci' (source-checkout) vs 'repo-checkout install ignores release-tag cloning when invoked by path' (curl-pipe). The latter doesn't assert npm ci for the plugin.
  • Missing regression test: Vitest test for curl-pipe / GitHub-clone install path asserting npm ci --ignore-scripts is invoked for nemoclaw plugin build and lockfile is preserved.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Compare the two test scenarios in install-preflight.test.ts: 'preserves the sandbox payload lockfile with npm ci' (source-checkout) vs 'repo-checkout install ignores release-tag cloning when invoked by path' (curl-pipe). The latter doesn't assert npm ci for the plugin.
  • Evidence: scripts/install.sh:1497 (source-checkout) and :1557 (GitHub-clone) both use 'npm ci --ignore-scripts && npm run build' test/install-preflight.test.ts:692 test sets NEMOCLAW_REPO_ROOT and tests source-checkout path only Existing curl-pipe tests (lines ~2000+) verify clone behavior but not npm ci for plugin build

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `cloud-onboard` E2E job for Installer and platform changes must work on a clean supported host with the pinned runtime dependencies. Matched files: `scripts/install.sh`.. Deterministic regression risks require live validation: platform-install. Deterministic regression risks require live validation: platform-install tier-3 family has two invariants. Invariant ci: auto-update release notes on push to main #1 (pinned deps) has happy-path unit test only. Invariant feature: custom settings for using build endpoints #2 (platform detection) has zero coverage. Required job cloud-onboard (Linux E2E) is validation floor but not a checked-in test. Negative failure modes for npm ci untested. Second installer code path (GitHub-clone) untested.
  • PRA-T2 Runtime validation — Vitest test cases asserting npm ci fails on lockfile corruption/version mismatch/missing lockfile and installer exits with clear error message (no silent fallback to npm install).. Deterministic regression risks require live validation: platform-install. Deterministic regression risks require live validation: platform-install tier-3 family has two invariants. Invariant ci: auto-update release notes on push to main #1 (pinned deps) has happy-path unit test only. Invariant feature: custom settings for using build endpoints #2 (platform detection) has zero coverage. Required job cloud-onboard (Linux E2E) is validation floor but not a checked-in test. Negative failure modes for npm ci untested. Second installer code path (GitHub-clone) untested.
  • PRA-T3 Runtime validation — Test asserting that the committed nemoclaw/package-lock.json passes npm ci --dry-run on Linux (node:22-trixie-slim) and that platform detection logic (if any) does not strip optional deps required on Linux.. Deterministic regression risks require live validation: platform-install. Deterministic regression risks require live validation: platform-install tier-3 family has two invariants. Invariant ci: auto-update release notes on push to main #1 (pinned deps) has happy-path unit test only. Invariant feature: custom settings for using build endpoints #2 (platform detection) has zero coverage. Required job cloud-onboard (Linux E2E) is validation floor but not a checked-in test. Negative failure modes for npm ci untested. Second installer code path (GitHub-clone) untested.
  • PRA-T4 Runtime validation — Vitest test for curl-pipe / GitHub-clone install path asserting npm ci --ignore-scripts is invoked for nemoclaw plugin build and lockfile is preserved.. Deterministic regression risks require live validation: platform-install. Deterministic regression risks require live validation: platform-install tier-3 family has two invariants. Invariant ci: auto-update release notes on push to main #1 (pinned deps) has happy-path unit test only. Invariant feature: custom settings for using build endpoints #2 (platform detection) has zero coverage. Required job cloud-onboard (Linux E2E) is validation floor but not a checked-in test. Negative failure modes for npm ci untested. Second installer code path (GitHub-clone) untested.
  • PRA-T5 Missing negative tests for npm ci failure modes (lockfile corruption, version mismatch, missing lockfile) — Add Vitest test cases: (1) corrupted package-lock.json triggers npm ci failure and installer exits with actionable error, (2) package.json version bump without lockfile update fails npm ci, (3) missing package-lock.json fails npm ci, (4) npm ci network error surfaces clearly. Verify no silent fallback to npm install.
  • PRA-T6 Missing test for platform-install invariant feature: custom settings for using build endpoints #2: platform detection does not silently downgrade runtime validation — Add a test that simulates the macOS↔Linux optional dep divergence: run npm ci --dry-run against the committed nemoclaw/package-lock.json in a Linux container (node:22-trixie-slim) and assert it passes, while documenting that the same lockfile would fail on macOS. Or add a unit test mocking the platform detection path.
  • PRA-T7 GitHub-clone installer path untested for npm ci lockfile preservation — Add a test case in install-preflight.test.ts for the GitHub-clone path that: mocks git clone, verifies npm ci --ignore-scripts runs in the cloned nemoclaw/ dir, and asserts lockfile preservation. Can reuse existing curl-pipe test fixtures.
  • PRA-T8 Acceptance clause — Re-sync nemoclaw/package-lock.json by regenerating inside node:22-trixie-slim (from issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798) — add test evidence or identify existing coverage. PR diff shows 4 changed files, none is nemoclaw/package-lock.json. Issue comment 4904225955 (2026-07-07) confirms drift persists on main v0.0.73. PR description claims 'installer now uses the committed lockfile' but lockfile change not in this PR.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Required — Unmet acceptance clause: lockfile re-sync on Linux not visible in PR

  • Location: scripts/install.sh:1497
  • Category: acceptance
  • Problem: Linked issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798 requires two fixes: (1) re-sync nemoclaw/package-lock.json by regenerating inside node:22-trixie-slim, and (2) add CI guard on Linux. This PR's diff (4 files) shows only the CI guard and npm ci switch — no change to nemoclaw/package-lock.json. Issue comment from 2026-07-07 confirms v0.0.73 (main) still exhibits the drift. Without the lockfile re-sync, the CI guard will fail on the drifted lockfile, blocking CI rather than fixing the root cause.
  • Impact: If the committed nemoclaw/package-lock.json is still out of sync (as reported on main as of July 7), the new CI validation step will fail on every run, and the installer's npm ci will fail on every source-checkout install. The root cause (platform-conditional optional deps missing from lockfile) remains unaddressed.
  • Required action: Either include the regenerated nemoclaw/package-lock.json in this PR, or demonstrate that a prior commit on this branch already fixed it. Verify by running 'npm ci --ignore-scripts --dry-run' inside node:22-trixie-slim against the current nemoclaw/package-lock.json.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Check git log for commits touching nemoclaw/package-lock.json on this branch. Run: docker run --rm -v $(pwd)/nemoclaw:/work -w /work node:22-trixie-slim sh -c 'npm ci --ignore-scripts --dry-run'
  • Missing regression test: CI validation that nemoclaw/package-lock.json passes npm ci --dry-run on Linux (node:22-trixie-slim) — already added as the new CI step, but the lockfile must be correct for it to pass.
  • Done when: The required change is committed and verification passes: Check git log for commits touching nemoclaw/package-lock.json on this branch. Run: docker run --rm -v $(pwd)/nemoclaw:/work -w /work node:22-trixie-slim sh -c 'npm ci --ignore-scripts --dry-run'.
  • Evidence: Linked issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798 body: 'Two parts, both needed: 1. Re-sync nemoclaw/package-lock.json... 2. Add a CI guard' Issue comment 4904225955 (2026-07-07): 'Still reproducing on v0.0.73' PR diff shows 4 changed files, none is nemoclaw/package-lock.json PR description: 'installer now uses the committed lockfile' — implies lockfile is already correct

PRA-2 Resolve/justify — CI guard runner not guaranteed to be Linux

  • Location: .github/actions/ci-static-checks/action.yaml:24
  • Category: correctness
  • Problem: The new 'Validate sandbox payload lockfile' step runs in a composite action (.github/actions/ci-static-checks/action.yaml). Composite actions inherit the runner from the calling workflow. The riskPlan requires cloud-onboard (Linux host) for platform-install tier-3 validation. If this action is also used in workflows running on macOS/Windows runners, the npm ci --dry-run will validate against the wrong platform's optional dependency resolution, missing the exact drift pattern described in [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798.
  • Impact: The CI guard may pass on macOS runners (where @emnapi/core/runtime are pruned) but fail on Linux build containers, or vice versa. The validation must run on the same Linux image (node:22-trixie-slim) used by the sandbox Dockerfile to catch the platform-conditional dep drift.
  • Recommended action: Either (a) ensure this composite action is only invoked from workflows/jobs that run on Linux (e.g., cloud-onboard), or (b) make the step explicitly run in a Linux container (docker://node:22-trixie-slim) regardless of host runner. Verify the calling workflow context.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check .github/workflows/ for jobs using ci-static-checks action and their runs-on. Confirm cloud-onboard job uses it and runs on Linux.
  • Missing regression test: Workflow contract test asserting the static-checks action runs on Linux runner or in Linux container for the platform-install validation path.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check .github/workflows/ for jobs using ci-static-checks action and their runs-on. Confirm cloud-onboard job uses it and runs on Linux.
  • Evidence: .github/actions/ci-static-checks/action.yaml uses 'runs: using: composite' — no runs-on specified riskPlan.requiredJobs[0].id == 'cloud-onboard' with tier 3 Issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798: 'guard that only runs on the maintainer's local platform won't catch this — the problem is precisely the macOS↔Linux divergence' PR claim: 'required cloud-onboard E2E run 29077214367 (passed)' — suggests it ran on Linux but not verified in this context

PRA-3 Resolve/justify — Missing negative tests for npm ci failure modes (lockfile corruption, version mismatch, missing lockfile)

  • Location: test/install-preflight.test.ts:692
  • Category: tests
  • Problem: The new test 'preserves the sandbox payload lockfile with npm ci' only validates the happy path. No tests cover: corrupted package-lock.json, missing package-lock.json, package.json version bump without lockfile update, npm ci network failure, or installer error handling when npm ci fails. The supply-chain hardening (npm ci enforcement) is only verified on success.
  • Impact: Lockfile drift, corruption, or version conflicts could cause silent fallback to npm install (defeating the hardening) or confusing failures without regression coverage. Installer has no explicit error handling for npm ci failure; relies on set -e / spin() wrapper.
  • Recommended action: Add Vitest test cases: (1) corrupted package-lock.json triggers npm ci failure and installer exits with actionable error, (2) package.json version bump without lockfile update fails npm ci, (3) missing package-lock.json fails npm ci, (4) npm ci network error surfaces clearly. Verify no silent fallback to npm install.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read test/install-preflight.test.ts around line 692 — only one test case for npm ci path; search for 'ci' in test names and negative assertions. Check scripts/install.sh lines 1497 and 1557 for error handling around npm ci.
  • Missing regression test: Vitest test cases asserting npm ci fails on lockfile corruption/version mismatch/missing lockfile and installer exits with clear error message (no silent fallback to npm install).
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read test/install-preflight.test.ts around line 692 — only one test case for npm ci path; search for 'ci' in test names and negative assertions. Check scripts/install.sh lines 1497 and 1557 for error handling around npm ci.
  • Evidence: test/install-preflight.test.ts:692-760 only happy-path assertions: npm ci called once, lockfile content preserved scripts/install.sh:1497 and 1557 use 'npm ci --ignore-scripts' without explicit error handling for lockfile failures npm ci man page: exits non-zero if package-lock.json missing or out of sync Test npm stub in same file only handles ci on happy path (exits 0)

PRA-4 Resolve/justify — Missing test for platform-install invariant #2: platform detection does not silently downgrade runtime validation

  • Location: test/install-preflight.test.ts:692
  • Category: tests
  • Problem: RiskPlan defines two invariants for platform-install tier-3 family: (1) clean host installs pinned deps, (2) platform detection does not silently downgrade required runtime validation. The new test covers invariant ci: auto-update release notes on push to main #1 happy path. Invariant feature: custom settings for using build endpoints #2 has no test coverage — no test exercises macOS vs Linux optional dependency resolution difference that caused the original [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798 drift.
  • Impact: The exact drift pattern (macOS prunes @emnapi/core/runtime optional deps, Linux requires them) is undetected by tests. A future change to platform detection or lockfile generation could reintroduce the drift without test failure.
  • Recommended action: Add a test that simulates the macOS↔Linux optional dep divergence: run npm ci --dry-run against the committed nemoclaw/package-lock.json in a Linux container (node:22-trixie-slim) and assert it passes, while documenting that the same lockfile would fail on macOS. Or add a unit test mocking the platform detection path.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search test/install-preflight.test.ts for platform detection, optional deps, @emnapi, or cross-platform test patterns. Check if any test runs npm ci in a container or simulates different platforms.
  • Missing regression test: Test asserting that the committed nemoclaw/package-lock.json passes npm ci --dry-run on Linux (node:22-trixie-slim) and that platform detection logic (if any) does not strip optional deps required on Linux.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search test/install-preflight.test.ts for platform detection, optional deps, @emnapi, or cross-platform test patterns. Check if any test runs npm ci in a container or simulates different platforms.
  • Evidence: riskPlan.families[0].invariants[1] == 'platform detection does not silently downgrade required runtime validation' Issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798: '@emnapi/core and @emnapi/runtime as optional, platform-conditional transitive deps — they are a WASI fallback that npm's resolver only includes on Linux' test/install-preflight.test.ts has no test exercising cross-platform optional dep resolution

PRA-5 Resolve/justify — GitHub-clone installer path untested for npm ci lockfile preservation

  • Location: scripts/install.sh:1557
  • Category: tests
  • Problem: install.sh has two call sites for npm ci: source-checkout path (line ~1497) and GitHub-clone path (line ~1557). The new test 'preserves the sandbox payload lockfile with npm ci' only exercises the source-checkout path (sets NEMOCLAW_REPO_ROOT). The GitHub-clone path (curl|bash install) clones to ~/.nemoclaw/source and runs npm ci there — same lockfile preservation expectation but different code path, untested.
  • Impact: The GitHub-clone install path (used by most users via curl|bash) has no test coverage for the npm ci behavior. If the clone path has a bug (e.g., wrong working directory, missing lockfile copy), users would hit failures not caught by tests.
  • Recommended action: Add a test case in install-preflight.test.ts for the GitHub-clone path that: mocks git clone, verifies npm ci --ignore-scripts runs in the cloned nemoclaw/ dir, and asserts lockfile preservation. Can reuse existing curl-pipe test fixtures.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Compare the two test scenarios in install-preflight.test.ts: 'preserves the sandbox payload lockfile with npm ci' (source-checkout) vs 'repo-checkout install ignores release-tag cloning when invoked by path' (curl-pipe). The latter doesn't assert npm ci for the plugin.
  • Missing regression test: Vitest test for curl-pipe / GitHub-clone install path asserting npm ci --ignore-scripts is invoked for nemoclaw plugin build and lockfile is preserved.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Compare the two test scenarios in install-preflight.test.ts: 'preserves the sandbox payload lockfile with npm ci' (source-checkout) vs 'repo-checkout install ignores release-tag cloning when invoked by path' (curl-pipe). The latter doesn't assert npm ci for the plugin.
  • Evidence: scripts/install.sh:1497 (source-checkout) and :1557 (GitHub-clone) both use 'npm ci --ignore-scripts && npm run build' test/install-preflight.test.ts:692 test sets NEMOCLAW_REPO_ROOT and tests source-checkout path only Existing curl-pipe tests (lines ~2000+) verify clone behavior but not npm ci for plugin build

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 0 suggestions · 2 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 0 new items found

Action checklist

  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `cloud-onboard` E2E job for Installer and platform changes must work on a clean supported host with the pinned runtime dependencies. Matched files: `scripts/install.sh`.. Deterministic regression risks require live validation: platform-install. Checked-in tests cover the changed installer behavior, CI guard contract, and error propagation, but the deterministic risk plan flags `platform-install`, so live clean-host validation remains the floor for proving a usable agent after installer dependency resolution.
  • PRA-T2 Runtime validation — Run the `cloud-onboard` E2E job for the platform-install invariant that a clean supported host installs the intended pinned dependencies and reaches a usable agent after the `scripts/install.sh` payload `npm ci` change.. Deterministic regression risks require live validation: platform-install. Checked-in tests cover the changed installer behavior, CI guard contract, and error propagation, but the deterministic risk plan flags `platform-install`, so live clean-host validation remains the floor for proving a usable agent after installer dependency resolution.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29077214367
Workflow ref: fix/3798_preserve-sandbox-lockfile
Requested targets: (default — all supported)
Requested jobs: cloud-onboard
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success

@chengjiew chengjiew marked this pull request as ready for review July 10, 2026 07:56

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/install-preflight.test.ts`:
- Around line 605-606: The assertions in the relevant install preflight test
only verify npm command invocations, not lockfile preservation. Extend the test
around the existing log assertions to read and hash nemoclaw/package-lock.json
before and after the operation, then assert the hashes match, using the test’s
existing filesystem and hashing utilities where available.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6a74ef1f-1498-4afc-8609-58940c7620bb

📥 Commits

Reviewing files that changed from the base of the PR and between 9dec1fb and 6059b6a.

📒 Files selected for processing (4)
  • .github/actions/ci-static-checks/action.yaml
  • scripts/install.sh
  • test/install-preflight.test.ts
  • test/pr-workflow-contract.test.ts

Comment thread test/install-preflight.test.ts
@cv cv added the v0.0.81 Release target label Jul 11, 2026
Signed-off-by: Carlos Villela <cvillela@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/install-preflight.test.ts (1)

576-608: 🎯 Functional Correctness | 🔵 Trivial | 🏗️ Heavy lift

Add equivalent lockfile coverage for the GitHub-clone path.

This test forces the source-checkout path and explicitly verifies that the GitHub install URL is absent. The PR objective requires preserving the nested lockfile for both source-checkout and GitHub-clone installations; add the same sentinel-preservation assertion to a clone-mode case, or confirm that an existing test already covers it.

As per path instructions, keep this regression test focused on observable behavior at the public installer boundary.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/install-preflight.test.ts` around lines 576 - 608, Add equivalent nested
package-lock.json sentinel-preservation coverage for the GitHub-clone
installation path. Locate the existing clone-mode installer test, add a sentinel
under the cloned payload’s nemoclaw directory before invoking the installer,
then assert the file remains unchanged afterward alongside the existing
observable installer assertions; avoid testing internal implementation details.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/install-preflight.test.ts`:
- Around line 576-608: Add equivalent nested package-lock.json
sentinel-preservation coverage for the GitHub-clone installation path. Locate
the existing clone-mode installer test, add a sentinel under the cloned
payload’s nemoclaw directory before invoking the installer, then assert the file
remains unchanged afterward alongside the existing observable installer
assertions; avoid testing internal implementation details.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f69bd5a4-b428-4d38-a388-36dfcced187c

📥 Commits

Reviewing files that changed from the base of the PR and between 6059b6a and 2762413.

📒 Files selected for processing (1)
  • test/install-preflight.test.ts

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29139480097
Workflow ref: fix/3798_preserve-sandbox-lockfile
Requested targets: cloud-onboard
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29140037914
Workflow ref: fix/3798_preserve-sandbox-lockfile
Requested targets: cloud-onboard
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success

@cv

cv commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Exact-head maintainer adjudication for the Nemotron findings on a8bb355:

  • PRA-1 is already satisfied on this head. nemoclaw/package-lock.json is byte-identical to origin/main and contains @emnapi/core, @emnapi/runtime, and @emnapi/wasi-threads. The exact-head Linux static check also passed npm --prefix nemoclaw ci --ignore-scripts --dry-run. No lockfile re-sync change is needed.
  • PRA-2 does not apply: the static composite action is only called by PR/main CI jobs whose runners are ubuntu-latest.
  • PRA-3 is fail-closed and covered: npm ci is executed through spin with no fallback, and the existing installer failure test sends ci/install/run/link down the simulated ENOTFOUND path and asserts non-zero surfaced failure.
  • PRA-4 now has exact-head live evidence: cloud-onboard passed in https://github.com/NVIDIA/NemoClaw/actions/runs/29140037914.
  • PRA-5 is accepted as non-blocking. The changed source-checkout test exercises the local checkout branch directly, including the destructive fake npm install and byte-for-byte payload-lock sentinel assertion. Adding a second network clone fixture would duplicate the same post-clone installer boundary without exercising different lockfile behavior.

The outstanding CodeRabbit content-preservation thread was replied to and resolved because line 608 now directly byte-compares the nested payload lockfile after the installer run.

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved on exact head a8bb355. All required checks pass, CodeRabbit has no unresolved threads, and exact cloud E2E run 29140037914 passed. The remaining red cancel-superseded context is a controller page-limit infrastructure failure: no product/E2E test ran there, and the exact-head replacement E2E is green. Advisor concerns were adjudicated against the identical validated lockfile blob and runtime evidence.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.81 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760)

2 participants