fix(install): use GitHub repo for curl one-liner (Fixes #54)

[deepujain]

Summary

Fixes #54 (and helps #32). After running the one-line install (curl ... | bash), the script ran npm install -g nemoclaw, which installs the stub package from the npm registry. The stub has no proper bin, so nemoclaw onboard failed with "could not determine executable to run". This change makes the curl-pipe installer install from the GitHub repo so the real CLI is used.

Changes

• scripts/install.sh: Replace npm install -g nemoclaw with npm install -g "git+https://github.com/NVIDIA/NemoClaw.git". Add a short comment that the npm package is a stub until Set up Continuous Releases #71 (publishing) is done and that this fixes GTC Keynote url didn't work #54.
• README.md: Add Option B (one-line install) using the raw GitHub script URL and nemoclaw onboard. Add a note that if https://nvidia.com/nemoclaw.sh returns 404, use the one-line command until that endpoint is live (see Endpoint for install https://nvidia.com/nemoclaw.sh returns 404 error #32).

Testing

• npm test passes (39 tests).
• No new unit tests: change is limited to the installer script and README. Manual verification: run curl -fsSL https://raw.githubusercontent.com/NVIDIA/NemoClaw/main/scripts/install.sh | bash (with sudo for OpenShell step), then nemoclaw onboard should work.

Fixes #54

Summary by CodeRabbit

• Documentation

  • Split onboarding into two explicit install flows; added a new one-line installer that sets up Node.js 22 and runs the onboarding command to create a sandbox, configure inference, and apply security policies; clarified PATH troubleshooting and a 404 fallback.

• Bug Fixes

  • Simplified installer package installation flow and adjusted privilege handling for more reliable installs across environments.

• Tests

  • Added a test stub to simulate global install behavior and verify the CLI shim.

[deepujain]

Rebased onto latest main to resolve conflicts in README.md and scripts/install.sh. Upstream added the nvm/fnm PATH note (kept alongside Option B) and sudo for nodesource installs (applied to the git URL). npm test passes.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

README adds two explicit onboarding options (Option A: https://www.nvidia.com/nemoclaw.sh | bash; Option B: https://raw.githubusercontent.com/.../install.sh | bash then nemoclaw onboard). scripts/install.sh removes the pre-extract clone flow and installs the CLI via npm install -g "git+https://github.com/NVIDIA/NemoClaw.git" (sudo only in nodesource branch). Test adds npm -g stub behavior.

Changes

Cohort / File(s)	Summary
Documentation README.md	Replaced single installer instruction with two onboarding workflows (Option A: nvidia.com/nemoclaw.sh; Option B: raw GitHub install.sh then nemoclaw onboard); documents installed components (Node.js 22, Docker/Colima, OpenShell, NemoClaw) and adds a 404 fallback note referencing #32.
Installer script scripts/install.sh	Removed pre_extract_openclaw() and the repo clone/build pre-extract flow; switched to direct global install from GitHub: npm install -g "git+https://github.com/NVIDIA/NemoClaw.git" with sudo only in the nodesource branch; left reshimming, PATH refresh, verification, and completion messaging intact.
Tests test/install-preflight.test.js	Added npm stub branch handling for npm install -g: writes a nemoclaw shim in $NPM_PREFIX/bin that returns v0.1.0-test for --version, enabling tests to simulate global install behavior.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User as User (shell)
  participant Installer as install.sh
  participant GitHub as GitHub repo
  participant npm as npm (local)
  participant System as System PATH / $NPM_PREFIX

  User->>Installer: curl .../install.sh | bash
  Installer->>GitHub: fetch git+https://github.com/NVIDIA/NemoClaw.git (tarball)
  Installer->>npm: run npm install -g <tarball> (prefix with sudo if nodesource)
  npm->>System: write executables to $NPM_PREFIX/bin (e.g., `nemoclaw`)
  Installer->>System: reshims / refresh PATH
  Installer->>User: verify `nemoclaw --version` and completion message

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through scripts and README light,
Two trails to install by day or night.
A clone unmade, a direct npm cheer,
My whiskers twitch — the CLI is near! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Linked Issues check	❓ Inconclusive	Issue #54 lacks clear coding requirements or acceptance criteria—only a screenshot showing a URL issue. The PR addresses an installation problem, but the link between the vague issue and the implementation cannot be clearly validated.	Verify that the installation fix resolves the actual issue reported in #54, or clarify the connection between the GTC Keynote URL problem and the installer changes.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(install): use GitHub repo for curl one-liner (Fixes #54)' accurately reflects the main change in the PR, which modifies the installer to use the GitHub repository instead of npm registry.
Out of Scope Changes check	✅ Passed	All changes directly support the core objective: fixing the one-liner installer by using the GitHub repository. README updates document the fix, install.sh implements it, and test updates cover the new npm -g path.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

scripts/install.sh (1)

369-371: Pin the Git install target to an immutable ref to avoid installer drift.

Using an unpinned git+https URL means npm will always pull the latest default branch, making global installs non-reproducible and vulnerable to unexpected upstream changes. Pin to a specific tag or commit SHA.

Suggested change

-  sudo npm install -g "git+https://github.com/NVIDIA/NemoClaw.git"
+  sudo npm install -g "git+https://github.com/NVIDIA/NemoClaw.git#<tag-or-commit>"
...
-  npm install -g "git+https://github.com/NVIDIA/NemoClaw.git"
+  npm install -g "git+https://github.com/NVIDIA/NemoClaw.git#<tag-or-commit>"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/install.sh` around lines 369 - 371, Replace the unpinned git install
URL used in both the sudo and non-sudo npm install commands (the lines invoking
npm install -g "git+https://github.com/NVIDIA/NemoClaw.git") with a pinned
reference to a specific immutable ref (either a release tag or a commit SHA),
e.g. change "git+https://github.com/NVIDIA/NemoClaw.git" to
"git+https://github.com/NVIDIA/NemoClaw.git#vX.Y.Z" or
"git+https://github.com/NVIDIA/NemoClaw.git#<commit-sha>" so the global
installer is reproducible and won't drift.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Line 87: The README sentence claiming the installer "then runs the guided
onboard wizard" is incorrect; update that line to state the installer only
installs Node.js if missing and that the guided onboarding must be run
separately via the `nemoclaw onboard` command (or similar phrasing) so users
know to run `nemoclaw onboard` to create a sandbox, configure inference, and
apply security policies rather than expecting the installer to perform those
steps automatically.
- Line 69: The heading text "Option A — Clone and run (recommended):" in
README.md is misleading given the shown command uses a curl pipe-to-bash
installer; update that label (the literal string "Option A — Clone and run
(recommended):") to a more accurate phrase such as "Installer URL" or "Run
installer script" and ensure any adjacent descriptive text reflects that the
instructions use a remote installer (curl ... | bash) rather than a git clone
workflow.
- Around line 81-82: Remove the leading "$" shell prompt markers in the README
code block or change the fence to a bash-style fenced block so lint MD014 is
satisfied; specifically update the snippet containing the curl command and the
"nemoclaw onboard" command (the lines with "curl -fsSL
https://raw.githubusercontent.com/NVIDIA/NemoClaw/main/scripts/install.sh |
bash" and "nemoclaw onboard") by either stripping the "$ " prefixes or by
wrapping them in a fenced block like ```bash to indicate shell commands without
prompt markers.

---

Nitpick comments:
In `@scripts/install.sh`:
- Around line 369-371: Replace the unpinned git install URL used in both the
sudo and non-sudo npm install commands (the lines invoking npm install -g
"git+https://github.com/NVIDIA/NemoClaw.git") with a pinned reference to a
specific immutable ref (either a release tag or a commit SHA), e.g. change
"git+https://github.com/NVIDIA/NemoClaw.git" to
"git+https://github.com/NVIDIA/NemoClaw.git#vX.Y.Z" or
"git+https://github.com/NVIDIA/NemoClaw.git#<commit-sha>" so the global
installer is reproducible and won't drift.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5b1e199d-8516-41c8-b40f-52c1dd28f514

📥 Commits

Reviewing files that changed from the base of the PR and between dbfd78c and 5162a53.

📒 Files selected for processing (2)

• README.md
• scripts/install.sh

[deepujain]

CodeRabbit review comment resolved

[deepujain]

Rebased on latest main. Tests pass. Ready for review!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/install-preflight.test.js`:
- Around line 417-429: The stub that simulates a global npm install (the if
block checking [ "$1" = "install" ] && [[ "$*" == *"-g"* ]]) currently accepts
any npm -g invocation; update the stub that writes "$NPM_PREFIX/bin/nemoclaw" so
it verifies the install argv contains the expected GitHub package target (e.g.
check "$*" or "$@" for the GitHub URL pattern like "github.com/OWNER/REPO" or
the exact URL used in the test) and if the URL is missing print an error and
exit with non-zero status; keep the existing --version handling but return
success only when the argv includes the GitHub URL, otherwise fail the install
stub (exit 1).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2be93ffa-2d59-45f4-987e-90d19b67792b

📥 Commits

Reviewing files that changed from the base of the PR and between b082927 and 58d1003.

📒 Files selected for processing (3)

• README.md
• scripts/install.sh
• test/install-preflight.test.js

🚧 Files skipped from review as they are similar to previous changes (1)

• README.md

[deepujain]

Rebased on latest main (clean, no conflicts). Addressed the CodeRabbit nitpick

[deepujain]

Rebased onto the latest main and resolved the installer drift against the newer legacy-wrapper layout. The one-line README example now points at the repository-root install.sh, the wrapper stays executable, and the focused installer preflight suite passes locally (npm test -- test/install-preflight.test.js, 41 passing).

[cv]

@deepujain is this still a valid PR to try to merge?

[deepujain]

Rebased this onto the latest main. This still looks valid to me, but the scope is basically docs-only now because main already picked up most of the installer-side behavior. If that narrower README cleanup is still useful, this branch should be ready for another look.

[deepujain]

Rebased this onto the latest main again. The diff is still the narrow README and installer-wrapper cleanup, and the branch now contains current main.

[wscurran]

Thanks for catching this early, @deepujain — the npm stub problem was real. Installing from GitHub directly landed in the same week the repo went public (ec0b2425), and scripts/install.sh now clones and builds from source rather than pulling from the registry. A follow-up (#1606) also added detection and removal of any pre-existing broken placeholder packages. Closing as superseded.