refactor(cli): wrap debug script with TypeScript command

[cv]

Summary

Turns scripts/debug.sh into a thin compatibility wrapper around the TypeScript nemoclaw debug command. This removes duplicated shell diagnostic/redaction logic while preserving the script entrypoint for local checkouts.

Changes

• Replace the large shell diagnostic implementation in scripts/debug.sh with a wrapper that invokes dist/nemoclaw.js debug when available, then falls back to nemoclaw debug.
• Resolve Node through NEMOCLAW_NODE, NODE, or PATH for constrained test environments.
• Update secret redaction tests to verify the wrapper uses the compiled TypeScript redactor even when node is absent from PATH.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

Release Notes

• Bug Fixes & Improvements

  • Enhanced secret redaction to protect additional token types, including API keys, GitHub credentials, and messaging service tokens.
  • Improved diagnostic collection with better Node.js environment handling.

• Tests

  • Added comprehensive token redaction tests covering multiple secret patterns.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1944fe74-3fa2-4faa-aba4-884726cb7050

📥 Commits

Reviewing files that changed from the base of the PR and between 359fefd and f729544.

📒 Files selected for processing (2)

• scripts/debug.sh
• test/secret-redaction.test.ts

---

📝 Walkthrough

Walkthrough

The PR updates debug.sh to delegate diagnostic collection to a compiled TypeScript CLI (dist/nemoclaw.js) when available, with fallback to the existing CLI wrapper. Environment variable NEMOCLAW_NODE is used to locate Node. Test coverage adds token redaction patterns for API keys and messaging services, with a new test verifying the wrapper correctly locates Node.

Changes

Debug Wrapper & Token Redaction

Layer / File(s)	Summary
Wrapper Implementation scripts/debug.sh	Compatibility wrapper checks for compiled CLI; if present, locates Node (via NEMOCLAW_NODE or system), executes the JS CLI in debug mode, or errors if Node unavailable. Falls back to nemoclaw debug if compiled CLI absent.
Token Coverage test/secret-redaction.test.ts (lines 19–40)	Introduced LITERAL_PREFIX_TOKENS (NVIDIA and GitHub PAT variants) and MESSAGING_TOKENS (Slack, Telegram, Discord), aggregated into TEST_TOKENS for redaction validation.
Wrapper Tests & Environment test/secret-redaction.test.ts (lines 83–139)	Updated test environment to multi-line format with NEMOCLAW_NODE set to process.execPath. Added new test verifying NEMOCLAW_NODE is used when node is absent from PATH. Adjusted existing sed fallback test env accordingly.

Sequence Diagram

sequenceDiagram
    participant User as User/Script
    participant Wrapper as debug.sh Wrapper
    participant FS as Filesystem
    participant NodeRuntime as Node Runtime
    participant CLI as CLI Executable

    User->>Wrapper: Invoke debug.sh with args
    Wrapper->>FS: Check for dist/nemoclaw.js
    alt Compiled CLI exists
        Wrapper->>Wrapper: Resolve Node via NEMOCLAW_NODE<br/>or system node
        alt Node found
            Wrapper->>NodeRuntime: Execute Node binary
            NodeRuntime->>CLI: Run dist/nemoclaw.js debug
            CLI->>CLI: Collect diagnostics
            CLI-->>User: Return output
        else Node not found
            Wrapper-->>User: Error: Node unavailable
        end
    else Compiled CLI absent
        Wrapper->>CLI: Fallback: invoke nemoclaw debug
        CLI->>CLI: Collect diagnostics
        CLI-->>User: Return output
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A wrapper sleek trimmed three-hundred lines to twenty,
Delegating with grace when the compiled CLI's plenty,
Node-finding magic via env vars so neat,
Fallback paths whisper when bytes are elite,
Simpler scripts make this rabbit's day complete! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'refactor(cli): wrap debug script with TypeScript command' accurately reflects the main change: replacing the shell diagnostic implementation in scripts/debug.sh with a TypeScript wrapper.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/debug-shell-wrapper

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[cv]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cv]

Automated PR review summary

Reviewed PR #3088: refactor(cli): wrap debug script with TypeScript command

Recommendation

• Recommendation: PASS
• Highest observed severity: low
• Block merge: no
• Why: The highest-risk PR-specific behavior change is replacing a large standalone shell implementation with a thin wrapper. The adversarial probes targeted the new dispatch logic and environment-resolution claims directly. Those probes passed in the installed environment, including a bad-node-on-PATH scenario and a fallback-to-installed-CLI scenario, so the refactor appears behaviorally sound for its stated goals.
• Reviewer summary: I reviewed the debug.sh wrapper refactor with PR-specific adversarial probes against the installed product and the real OpenShell sandbox. The wrapper correctly delegates to the TypeScript debug command, honors NEMOCLAW_NODE even when a malicious/invalid node appears earlier on PATH, and still functions as a compatibility entrypoint via installed nemoclaw when dist/nemoclaw.js is unavailable. I did not find a regression or misleading claim specific to this PR.

Installation and setup findings

• Install succeeded from the local checkout, and verification proved the NemoClaw-created sandbox was usable. I mirrored the installer flow, passed the NVIDIA build key non-interactively for provider setup, observed onboarding continue past the host timeout, then confirmed sandbox my-assistant via NemoClaw CLI, executed 2+2=4 over SSH inside that sandbox, and received 4 from an in-sandbox OpenClaw query.

What was validated

• The PR revision was checked out in an isolated review environment.
• The local checkout was installed using the repository installer flow as closely as the environment allowed.
• Adversarial, PR-specific probes were then run against the installed environment and relevant repository context.
• Diff summary:

 .../skills/nemoclaw-contributor-create-pr/SKILL.md |   20 +-
 .../nemoclaw-maintainer-pr-comparator/SKILL.md     |  121 --
 .../checks/tier-0-gates.md                         |   61 -
 .../checks/tier-1-correctness.md                   |   86 --
 .../checks/tier-2-quality.md                       |   64 -
 .../repo-policy.md                                 |   86 --
 .../scripts/check-coderabbit-threads.sh            |  105 --
 .../scripts/collect-gates.sh                       |   84 --
 .../scripts/find-candidates.sh                     |   86 --
 .../scripts/parse-supersession.sh                  |   68 --
 .../scripts/render-verdict.py                      |  232 ----
 .../templates/verdict.md                           |   88 --
 .../tiebreakers.md                                 |   61 -
 .../validation/backtest.md                         |   69 --
 .agents/skills/nemoclaw-skills-guide/SKILL.md      |    2 +-
 .../references/agent-skills.md                     |    4 +-
 .../nemoclaw-user-configure-inference/SKILL.md     |  329 ++---
 .../references/inference-options.md                |    4 +-
 .../references/set-up-sub-agent.md                 |  120 --
 .../references/swit
...[truncated]

Failing tests and unresolved impact

• No failing adversarial tests were captured.

Passing tests and why they mattered

Passing test 1: debug.sh honors NEMOCLAW_NODE instead of a poisoned PATH node

• What was tested: The new wrapper resolves Node via NEMOCLAW_NODE before PATH, so a fake node earlier on PATH should not intercept execution.
• Why it mattered: If false, constrained or adversarial environments could break diagnostics or run an unintended interpreter despite the PR's claimed hardening.
• Observed result: PASS: wrapper exited rc=0, produced debug output for sandbox my-assistant, and stderr contained no FAKE_NODE_SHOULD_NOT_RUN marker from the poisoned PATH node.
• Command: bash /tmp/pr3088_probe2.sh
• Recommended follow-up coverage: Yes—keep/add an integration regression test around scripts/debug.sh that prepends a fake node to PATH and asserts NEMOCLAW_NODE is used preferentially.

Passing test 2: debug.sh still works as a compatibility entrypoint via installed nemoclaw fallback

• What was tested: When repo-local dist/nemoclaw.js is unavailable to the wrapper path, scripts/debug.sh falls back to nemoclaw debug and still runs successfully.
• Why it mattered: If false, local-checkout compatibility would be narrower than claimed and the wrapper could silently stop working outside a built repo tree.
• Observed result: PASS: with a minimal env and no explicit NEMOCLAW_NODE, scripts/debug.sh still succeeded (rc=0) and emitted the normal 'Collecting diagnostics for sandbox' line, indicating the installed CLI fallback path worked.
• Command: bash /tmp/pr3088_probe4.sh
• Recommended follow-up coverage: Yes—add an integration test that executes the script from a checkout state where dist/nemoclaw.js is absent and asserts fallback to the installed nemoclaw CLI.

Passing test 3: Wrapper executes the real TypeScript debug collector against the installed sandbox

• What was tested: The wrapper remains a functional entrypoint to the TypeScript debug implementation, preserving real diagnostic collection behavior against an actual OpenShell sandbox.
• Why it mattered: If false, the PR could preserve only superficial script invocation while breaking the real runtime collection path users rely on for support/debugging.
• Observed result: PASS on the core claim: stdout showed the TypeScript collector banner for sandbox my-assistant even with PATH stripped, proving the wrapper invoked the real debug command via explicit Node. The tarball substep failed because PATH=/nonexistent also hid external tar, which is an expected side effect of the adversarial environment rather than a wrapper regression.
• Command: env PATH=/nonexistent NEMOCLAW_NODE=$(command -v node) /usr/bin/bash scripts/debug.sh --quick --sandbox my-assistant --output /tmp/pr3088-probe1.tar.gz
• Recommended follow-up coverage: Yes—add an integration test that runs scripts/debug.sh with PATH stripped but NEMOCLAW_NODE set, and separately mock/verify tar absence handling so wrapper dispatch and archive creation are validated independently.

Bottom line

• Based on the install evidence and adversarial probes, this PR looks reasonable to approve.

[prekshivyas]

Clean shell→TS migration. scripts/debug.sh reduced from 363 lines to 33 — now a Node bootstrap wrapper that resolves NEMOCLAW_CLI_JS + NEMOCLAW_NODE and execs node dist/nemoclaw.js debug "$@", falling back to nemoclaw debug from PATH.

Verified feature parity: nemoclaw debug already lives at src/lib/debug-cli-command.ts with the section collectors (GPU/Docker/Sandbox Internals/Network/Kernel/Kernel Messages) implemented in src/lib/debug.ts. Public flags (--quick, --sandbox, --output) pass through verbatim. The full bash redact() / collect() machinery is gone — no dead code left behind.

Test changes are right-sized: the "sed fallback includes essential prefixes" test is replaced with "wrapper locates node from env", which still runs debug.sh --quick end-to-end with PATH constrained to fake binaries (now passing NEMOCLAW_NODE: process.execPath so the wrapper can find node), and continues to assert redaction of all literal-prefix tokens (nvapi-, nvcf-, ghp-, sk-) plus messaging tokens (xoxb-, xapp-, Discord bot tokens). Net redaction coverage unchanged.

Nit (non-blocking, intentional): The old debug.sh had a sed-based redaction fallback so the script could run on systems without node — supporting the curl -fsSL ... | bash -s -- --quick usage that was previously documented. The new wrapper exits 127 if node is unavailable, and the curl-pipe example has been removed from the help text. So that 'run from anywhere without node' workflow is intentionally retired. Matches the direction of the stack.

CI: pr.yaml rollup checks pass (commit-lint, dco, layer-boundary, check-hash, CodeRabbit). Self-hosted: 1 prior success on pull-request/3088. build-sandbox-images / macos-e2e / wsl-e2e / current self-hosted run still in progress at approval time.