refactor(installer): add internal plan commands

[cv]

Summary

Adds hidden oclif-native installer internal commands that expose the typed installer domain helpers through deterministic planning and normalization entrypoints. This prepares follow-up installer shell migrations without changing the public installer bootstrap behavior.

Changes

• Add nemoclaw internal installer plan --json for deterministic installer planning from env/probe inputs.
• Add nemoclaw internal installer resolve-release-tag and normalize-env helper commands.
• Add src/lib/actions/installer-plan.ts and tests for provider/ref/runtime/npm planning.
• Extend internal CLI tests to cover the new installer namespace.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• New Features

  • Added internal CLI commands for installer environment normalization, plan generation, and release tag resolution.
  • Introduced installer plan construction logic that builds comprehensive installation configurations with provider and npm settings.

• Tests

  • Added test coverage for internal installer CLI routing and installer plan functionality.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR introduces a new NemoClaw installer plan system comprising core logic, three internal CLI commands, and tests. The system reads installer configuration from environment variables and flags, computes installation metadata (reference, provider, npm settings), and outputs results as JSON or text.

Changes

Installer Plan System

Layer / File(s)	Summary
Data Shapes & Types src/lib/actions/installer-plan.ts (lines 24–93)	Defines interfaces for environment (InstallerPlanEnv), options (BuildInstallerPlanOptions), and output structures (InstallerProviderPlan, InstallerNpmPlan, InstallerPlan).
Core Plan Computation src/lib/actions/installer-plan.ts (lines 97–187)	Implements buildInstallerPlan to resolve install references, version info, npm configuration (when prefix provided), and provider metadata; normalizeInstallerEnv extracts a minimal reference and provider view.
CLI Command Layer src/commands/internal/installer/normalize-env.ts, src/commands/internal/installer/plan.ts, src/commands/internal/installer/resolve-release-tag.ts	Three hidden internal oclif commands expose the plan system: normalize-env reads flags/env and outputs normalized installRef and provider; plan builds a full installer plan with version and npm details; resolve-release-tag resolves the release reference. All support --json output.
Tests & Validation src/lib/actions/installer-plan.test.ts, test/internal-cli.test.ts	Unit tests verify plan construction from env/versions with npm prefix handling and unsupported provider resilience; integration tests validate oclif command routing, help text, and JSON output from all three commands.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A plan is born from flags and air,
Where installers dance with graceful care,
Three commands whisper soft and clear,
npm paths and refs appear,
The rabbit cheers—a ship so fair!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'refactor(installer): add internal plan commands' clearly and concisely summarizes the main change: adding new internal CLI commands for installer planning. It is specific, related to the primary objective, and follows conventional commit format.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/internal-installer-plan

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cv]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cv]

Automated PR review summary

Reviewed PR #3108: refactor(installer): add internal plan commands

Recommendation

• Recommendation: PASS
• Highest observed severity: low
• Block merge: no
• Why: If merged as-is, the main risk would have been hidden installer helpers producing unstable or incorrect planning data for follow-up shell migrations. In the installed environment, the new commands were reachable and behaved deterministically under adversarial conflicting and malformed inputs.
• Reviewer summary: Reviewed the installed CLI adversarially against the PR’s new internal installer entrypoints. The highest-value probes on command routing, deterministic plan output, ref/tag precedence, provider normalization, and malformed-provider handling all passed.

Installation and setup findings

• Install from the local checkout succeeded through CLI install and onboarding-created sandbox setup. The top-level installer command timed out during the last policy preset phase, but the created sandbox 'my-assistant' was present and Ready. Verification succeeded: nemoclaw list showed the sandbox, SSH via openshell sandbox ssh-config my-assistant executed printf "2+2=4\n" inside it, and an in-sandbox openclaw agent --agent main -m 'Reply with only: 4' returned 4. I also confirmed that --local is intentionally blocked inside NemoClaw sandboxes.

What was validated

• The PR revision was checked out in an isolated review environment.
• The local checkout was installed using the repository installer flow as closely as the environment allowed.
• Adversarial, PR-specific probes were then run against the installed environment and relevant repository context.
• Diff summary:

 .../skills/nemoclaw-contributor-create-pr/SKILL.md |   20 +-
 .../nemoclaw-maintainer-pr-comparator/SKILL.md     |  121 --
 .../checks/tier-0-gates.md                         |   61 -
 .../checks/tier-1-correctness.md                   |   86 --
 .../checks/tier-2-quality.md                       |   64 -
 .../repo-policy.md                                 |   86 --
 .../scripts/check-coderabbit-threads.sh            |  105 --
 .../scripts/collect-gates.sh                       |   84 --
 .../scripts/find-candidates.sh                     |   86 --
 .../scripts/parse-supersession.sh                  |   68 -
 .../scripts/render-verdict.py                      |  232 ----
 .../templates/verdict.md                           |   88 --
 .../tiebreakers.md                                 |   61 -
 .../validation/backtest.md                         |   69 -
 .agents/skills/nemoclaw-skills-guide/SKILL.md      |    2 +-
 .../references/agent-skills.md                     |    4 +-
 .../nemoclaw-user-configure-inference/SKILL.md     |  329 ++---
 .../references/inference-options.md                |    4 +-
 .../references/set-up-sub-agent.md                 |  120 --
 .../references/switch
...[truncated]

Failing tests and unresolved impact

• No failing adversarial tests were captured.

Passing tests and why they mattered

Passing test 1: Installed CLI routes hidden internal installer commands

• What was tested: The installed nemoclaw binary exposes the new hidden internal installer namespace and help text in a real runtime, not only in unit tests.
• Why it mattered: If routing is broken, follow-up shell migrations cannot rely on these internal entrypoints.
• Observed result: internal installer plan --help succeeded in the installed CLI and showed the new command and flags.
• Command: bash /tmp/pr3108_probe.sh
• Recommended follow-up coverage: Keep the existing CLI routing integration test; no extra unit test is needed beyond installed-package smoke coverage.

Passing test 2: Installer plan honors explicit ref precedence and emits deterministic normalized JSON

• What was tested: internal installer plan --json uses explicit --install-ref over --install-tag, normalizes provider aliases, and returns runtime/npm data from explicit probe inputs.
• Why it mattered: If false, shell migrations built on this planner could install the wrong ref or derive incorrect runtime/npm actions.
• Observed result: JSON showed installRef=feature/refactor, installerVersion=feature/refactor, provider normalized cloud->build, runtime ok:true, and npm fields derived from /tmp/npm-prefix.
• Command: bash /tmp/pr3108_probe.sh
• Recommended follow-up coverage: Add or keep an integration regression test for conflicting ref/tag inputs through the installed CLI, since precedence bugs are easy to reintroduce.

Passing test 3: Resolve-release-tag and normalize-env preserve deterministic fallback behavior

• What was tested: resolve-release-tag returns ref-over-tag precedence in JSON and tag fallback in text mode, while normalize-env trims refs and maps provider aliases predictably.
• Why it mattered: If false, downstream installer shell code may parse unstable outputs or normalize env differently than the helper commands claim.
• Observed result: resolve-release-tag --json preferred feature/refactor over v9.9.9; text mode with only tag returned v2.0.0; normalize-env trimmed branch/test and mapped nim->nim-local and cloud->build.
• Command: bash /tmp/pr3108_probe.sh && bash /tmp/pr3108_probe2.sh
• Recommended follow-up coverage: Add a regression test for text-mode output stability if shell scripts will parse these commands directly.

Passing test 4: Invalid provider is surfaced as invalid instead of causing planner failure

• What was tested: Unsupported provider values are reported as invalid planning metadata rather than crashing the new internal installer commands.
• Why it mattered: If false, malformed installer env could cause hard failures instead of inspectable planning output during shell migration work.
• Observed result: normalize-env --json --provider bad-provider returned normalized:null and valid:false; non-JSON plan --provider bad-provider still returned a concise summary instead of erroring.
• Command: bash /tmp/pr3108_probe.sh && bash /tmp/pr3108_probe2.sh
• Recommended follow-up coverage: Keep this as an integration/regression test because malformed env handling is a likely shell-migration edge case.

Bottom line

• Based on the install evidence and adversarial probes, this PR looks reasonable to approve.

[cjagwani]

verified locally — no env leak from the ...process.env spread (AWS_SECRET_ACCESS_KEY etc. don't appear in the JSON output, since buildInstallerPlan only reads 4 typed keys).

one footgun worth noting before downstream consumers wire up: installRef is stored verbatim with no validation. running NEMOCLAW_INSTALL_REF='\$(rm -rf /)' nemoclaw internal installer plan --json produces "installRef": "\$(rm -rf /)". internal-only command and no consumer in scripts/install.sh yet, so it's theoretical — but if/when a shell consumer does TAG=\$(... resolve-release-tag) && curl .../installer-\$TAG.sh, the verbatim ref becomes RCE.

cheap fixes: reject anything that's not ^[A-Za-z0-9._/-]+\$ in resolveInstallRef, or whitelist env keys instead of spreading process.env into the input.

[prekshivyas]

Pure additive — wires the #3107 typed installer helpers into three hidden oclif internal commands plus a composing action layer. Same pattern as #3083 → #3080.

Three new static hidden = true commands under src/commands/internal/installer/:

• internal installer plan — calls buildInstallerPlan(...), accepts CLI flags for env overrides (--install-ref, --install-tag, --provider) and probe inputs (--node-version, --npm-version, --npm-prefix, plus three hidden: true version-source fallback flags).
• internal installer resolve-release-tag — thin wrapper around resolveInstallRef.
• internal installer normalize-env — projects to {installRef, provider} only.

The action layer at src/lib/actions/installer-plan.ts:48 composes all four #3107 domain helpers into a single InstallerPlan shape with {installRef, installerVersion, npm | null, provider, runtime | null}. Both npm and runtime are nullable so callers can build partial plans when probes aren't available — the test "missing optional probes without failing plan construction" pins this contract.

Test coverage targets the right invariants:

• installer-plan.test.ts (3 cases) proves all 4 domain helpers compose correctly, the valid: false flag plumbs through for bad providers, and the env→ref+provider projection works.
• internal-cli.test.ts (+2 cases, +58 lines) exercises real oclif dispatch via process.execPath + JSON parse, proving routing + flag parsing + JSON emission for all three commands.

Observations (non-blocking):

1. provider.valid is true when either raw === null (no provider given) OR normalized !== null. Slightly counterintuitive — the next PR's wrapper will need to distinguish "no provider" from "valid provider X" when emitting user-facing errors.
2. defaultVersion defaults to \"0.1.0\" from #3107; in production the wrapper will pass --package-json-version or --stamped-version, so the literal only surfaces in tests with no version sources.

install.sh is untouched, per PR description.

CI: pr.yaml lightweight checks pass (commit-lint, dco, layer-boundary, check-hash). Self-hosted queued, other rollup checks pending. CodeRabbit in progress at approval time.