
fix(installer): preserve npm lockfiles during install #4029

Closed
jyaunches wants to merge 3 commits into main from fix-3798-sandbox-lockfile-sync-rescue

Conversation

@jyaunches
Contributor

@jyaunches jyaunches commented May 22, 2026

Summary

  • Change installer dependency setup from npm install to npm ci for both the root package and nested nemoclaw/ sandbox payload.
  • Add a basic-checks guard that dry-runs npm ci for both lockfiles before the install step.
  • Update installer behavior coverage so source checkouts are verified to use npm ci --ignore-scripts without global GitHub installs.

Supersedes #3840.
Fixes #3798.

Repro

Issue #3798 reproduces when a host-side install mutates the nested sandbox lockfile before the Linux Docker build. On macOS with npm 11.6.2, cd nemoclaw && npm install --ignore-scripts prunes Linux-only optional @emnapi/* entries from nemoclaw/package-lock.json; the subsequent Linux node:22-trixie-slim npm ci then fails with the missing @emnapi/core / @emnapi/runtime errors described in the issue.

Test Plan

  • bash -n scripts/install.sh
  • git diff --check
  • npm test -- test/install-preflight.test.ts test/lockfile-ci-guard.test.ts -t "uses npm ci|lockfile CI guards" (blocked locally: vitest: command not found; this worktree has no node_modules)

Summary by CodeRabbit

  • Chores

    • Added npm lockfile validation step to CI to run a dry-run check on lockfile installs.
    • Switched CI and installer dependency installs to lockfile-aligned, script-disabled npm ci for improved reproducibility.
    • Installer now restores pre-extracted package contents after ci to preserve required build artifacts.
  • Tests

    • Added and updated tests to assert lockfile-validation ordering and the new npm ci install behavior.

Review Change Stack

Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
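As an added example (not code from this PR or the NemoClaw project), a pre-build check for the drift the Repro section describes: it compares the committed nested lockfile with the copy left behind after a host-side install and reports pruned optional entries, so the mismatch surfaces before the Linux `npm ci` runs. This complements the PR's own `npm ci --dry-run` guard rather than replacing it. The lockfile objects and version numbers are constructed; only the @emnapi package names come from the issue.

```javascript
// Added example, not part of the PR: detect a nested package-lock.json that a host-side
// `npm install` has pruned of optional, platform-specific entries. The sample lockfiles
// below are constructed; only the @emnapi package names mirror issue #3798.

// Compare the "packages" maps of two lockfile v2/v3 objects (committed vs. after host install).
function diffLockfilePackages(committed, mutated) {
  const before = committed.packages || {};
  const after = mutated.packages || {};
  const removed = Object.keys(before).filter((p) => !(p in after));
  const added = Object.keys(after).filter((p) => !(p in before));
  const changed = Object.keys(before).filter(
    (p) => p in after && before[p].version !== after[p].version
  );
  // Optional entries that vanished are the signature of the prune described in the repro:
  // the lockfile no longer describes what the Linux image build needs.
  const prunedOptional = removed.filter((p) => before[p].optional === true);
  return { removed, added, changed, prunedOptional };
}

// True only when the mutated lockfile still matches the committed one entry for entry.
function lockfileStillInSync(committed, mutated) {
  const d = diffLockfilePackages(committed, mutated);
  return d.removed.length === 0 && d.added.length === 0 && d.changed.length === 0;
}

// Constructed sample: committed nested lockfile with the Linux-only optional @emnapi entries...
const committedLock = {
  name: 'nemoclaw', lockfileVersion: 3,
  packages: {
    '': { name: 'nemoclaw', version: '0.0.45' },
    'node_modules/@emnapi/core': { version: '1.0.0', optional: true },
    'node_modules/@emnapi/runtime': { version: '1.0.0', optional: true },
    'node_modules/example-dep': { version: '1.3.0' },
  },
};
// ...and the same lockfile after a macOS `npm install --ignore-scripts` pruned them.
const mutatedLock = {
  name: 'nemoclaw', lockfileVersion: 3,
  packages: {
    '': { name: 'nemoclaw', version: '0.0.45' },
    'node_modules/example-dep': { version: '1.3.0' },
  },
};

if (!lockfileStillInSync(committedLock, mutatedLock)) {
  const drift = diffLockfilePackages(committedLock, mutatedLock);
  console.error('lockfile drift detected; pruned optional entries:', drift.prunedOptional);
}
```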
@coderabbitai
Contributor

coderabbitai Bot commented May 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3345a576-e9ce-4cab-8af8-36ba0c90149f

📥 Commits

Reviewing files that changed from the base of the PR and between 5b42d8a and 3774510.

📒 Files selected for processing (1)
  • scripts/install.sh

📝 Walkthrough

This PR validates both root and nemoclaw lockfiles in CI, switches installs to npm ci --ignore-scripts, and refactors the installer to restore OpenClaw contents after npm ci; tests were added/updated to assert the CI step order and installer behavior.

Changes

npm ci & lockfile validation

  • GitHub Action lockfile validation (.github/actions/basic-checks/action.yaml): Adds a "Validate npm lockfiles" step that runs npm ci --ignore-scripts --dry-run for both root and nemoclaw before install, and changes the install step to use npm ci --ignore-scripts rather than npm install.
  • Install script npm ci & OpenClaw restore flow (scripts/install.sh): Adds restore_pre_extracted_openclaw() and updates install_nemoclaw (both source-checkout and GitHub-clone paths) to run npm ci --ignore-scripts then restore OpenClaw before each build step.
  • Preflight installer test updates (test/install-preflight.test.ts): Updates npm stub to recognize npm ci; tightens source-checkout test to require OpenClaw directories, adds fixtures, and asserts exact npm ci --ignore-scripts call counts and ordering relative to npm pack and builds.
  • CI guard tests for lockfile validation (test/lockfile-ci-guard.test.ts): New tests that parse .github/actions/basic-checks/action.yaml and assert the "Validate npm lockfiles" step runs before "Install dependencies", checks the exact npm ci --dry-run commands for root and nemoclaw, and verifies install uses npm ci --ignore-scripts without npm install.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#4060: Modifies scripts/install.sh install flow and is code-level related to installer changes.

Suggested labels

Getting Started

Poem

🐰 In burrows deep the lockfiles slept, out of line,
CI now checks root and plugin, both align,
npm ci runs, then OpenClaw's bits restore,
Tests hop in to prove the steps before,
A tiny rabbit cheers—builds run fine!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title accurately summarizes the main change: replacing npm install with npm ci to preserve lockfiles during installation.
  • Linked Issues check (✅ Passed): All code objectives from issue #3798 are addressed: npm ci replaces npm install, dry-run lockfile validation is added via basic-checks, and installer behavior reflects the sync requirement.
  • Out of Scope Changes check (✅ Passed): All changes are scoped to the linked issue #3798: GitHub Actions workflow updates, installer refactoring, and corresponding test additions for lockfile preservation.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


@github-actions
Contributor

github-actions Bot commented May 22, 2026

E2E Advisor Recommendation

Required E2E: cloud-e2e, cloud-onboard-e2e
Optional E2E: launchable-smoke-e2e, rebuild-openclaw-e2e

Dispatch hint: cloud-e2e,cloud-onboard-e2e

Auto-dispatched E2E: cloud-e2e, cloud-onboard-e2e via nightly-e2e.yaml at 956aefb25c3cb4f22d90d1c8d4c48aa6e5db0d7c (nightly run)

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-e2e (high): Runs the checked-out repo install.sh path, which exercises the source-checkout branch changed by this PR: npm ci, restore_pre_extracted_openclaw, CLI/plugin build, npm link, OpenShell install/onboard, sandbox health, and live inference.
  • cloud-onboard-e2e (high): Exercises the public installer/GitHub-clone install path changed by this PR via curl/raw installer and NEMOCLAW_PUBLIC_INSTALL_REF, then validates onboard-created sandbox health, security checks, and inference.local. This covers the non-source install branch where npm ci and OpenClaw restore ordering also changed.

Optional E2E

  • launchable-smoke-e2e (high): Useful adjacent confidence for the community/Brev-style bootstrap path, but not merge-blocking for this PR because the direct changes are in install.sh and CI dependency installation rather than the launchable script itself.
  • rebuild-openclaw-e2e (high): Optional because it starts with install.sh and later validates OpenClaw rebuild behavior. It may catch install/build regressions involving OpenClaw package availability, but the required install-path E2Es provide more direct coverage for this diff.

New E2E recommendations

  • installer dependency installation (medium): Existing E2Es cover full install flows, but there is no small E2E dedicated to asserting npm ci lockfile-preserving behavior and OpenClaw post-ci restoration without requiring live NVIDIA inference.
    • Suggested test: Add a hermetic installer E2E that runs install.sh against a temporary source checkout with stubbed npm/openclaw packaging and verifies npm ci ordering, OpenClaw restore after node_modules deletion, CLI/plugin build, and npm link before onboard is skipped or mocked.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: cloud-e2e,cloud-onboard-e2e


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/install-preflight.test.ts`:
- Around line 98-100: The test harness function writeNpmStub and the
installSnippet handlers are not accounting for npm "ci" invocations, causing
many tests to hit the "unexpected npm invocation: ci --ignore-scripts" path;
update writeNpmStub (and any installSnippet blocks used in
test/install-preflight.test.ts) to accept and handle the "ci" command the same
way as "install" (e.g., add "$1" = "ci" branches or normalize "$1" to "install"
inside the stub) so existing test-specific handlers match the new installer
behavior and no longer reject npm ci.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 175adef9-a9c5-45a2-b6ec-9bed3c4f2f55

📥 Commits

Reviewing files that changed from the base of the PR and between 1bdb519 and 5b42d8a.

📒 Files selected for processing (4)
  • .github/actions/basic-checks/action.yaml
  • scripts/install.sh
  • test/install-preflight.test.ts
  • test/lockfile-ci-guard.test.ts

Comment on lines +98 to 100
if [ "$1" = "ci" ] || [ "$1" = "install" ] || [ "$1" = "link" ] || [ "$1" = "uninstall" ] || [ "$1" = "pack" ] || [ "$1" = "run" ]; then
${installSnippet}
fi

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

writeNpmStub() still leaves many test-specific handlers rejecting npm ci.

Line 98 now dispatches ci, but a lot of callers in this file still only branch on "$1" = "install" inside installSnippet. Those tests will now fall through to unexpected npm invocation: ci --ignore-scripts, so the suite is still out of sync with the installer change.


@github-actions
Contributor

github-actions Bot commented May 22, 2026

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Top item: PR review advisor unavailable

Review findings

🛠️ Needs attention

  • None.

🔎 Worth checking

  • PR review advisor unavailable: The automated advisor could not complete: timed out after 900000 ms
    • Recommendation: Re-run the PR Review Advisor or perform a manual review.
    • Evidence: timed out after 900000 ms

🌱 Nice ideas

  • None.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

@github-actions
Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 26262466547
Target ref: 5b42d8a0485ceba17d7d84504496207fc7e38dbc
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job results:
  • cloud-e2e: ✅ success
  • cloud-onboard-e2e: ✅ success

@wscurran wscurran added the fix NemoClaw CLI (Use this label to identify issues with the NemoClaw command-line interface (CLI)) and platform: macos (Affects macOS, including Apple Silicon) labels on May 22, 2026

@chengjiew
Contributor

I checked the failing CI / Self-Hosted PR / unit-vitest-linux job. The failures all cascade from test/install-preflight.test.ts fake npm fixtures not accepting the new installer npm ci --ignore-scripts calls:

unexpected npm invocation: ci --ignore-scripts

I did not force-push this PR branch. I pushed a helper branch and opened a helper PR against this branch:

Focused local verification from /Users/wangchengjie/Project/NemoClaw-pr-4029:

npm_config_cache=/tmp/codex-npm-cache-pr4029 npx vitest run test/install-preflight.test.ts test/lockfile-ci-guard.test.ts --testTimeout 60000
npm run source-shape:check
bash -n scripts/install.sh && git diff --check

@chengjiew
Contributor

Update: helper PR #4203 was auto-closed by the repository's open-PR limit automation, but the helper branch remains pushed:

The branch contains only the test/install-preflight.test.ts fix for the unit-vitest-linux failure.

@github-actions
Contributor

github-actions Bot commented May 26, 2026

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

  • None.

Relevant changed files

  • None.

@github-actions
Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 26453121265
Target ref: 377451006be8b49aafe6f04ce1ae122b466ca080
Workflow ref: main
Requested jobs: cloud-onboard-e2e,openclaw-onboard-security-posture-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job results:
  • cloud-onboard-e2e: ✅ success
  • openclaw-onboard-security-posture-e2e: ✅ success

@github-actions
Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 26496036613
Target ref: 956aefb25c3cb4f22d90d1c8d4c48aa6e5db0d7c
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job results:
  • cloud-e2e: ✅ success
  • cloud-onboard-e2e: ✅ success

@cv cv added the v0.0.55 label May 27, 2026
@jyaunches jyaunches closed this May 28, 2026
@wscurran wscurran added the area: cli (Command line interface, flags, terminal UX, or output) and bug-fix (PR fixes a bug or regression) labels on Jun 3, 2026
Development

Successfully merging this pull request may close these issues.

[macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760)