fix(sandbox): make workspace template seeding shell-serializable

[gauravprasadgp]

Summary

Fixes seed_default_workspace_templates startup failures caused by a heredoc inside an if block failing to survive the declare -f / bash -c round-trip. The skip-bootstrap check now uses node -e, keeping the serialized shell function flat and parseable.

Related Issue

Fixes #NNN

Changes

• Replaced the heredoc-based Node config check in seed_default_workspace_templates with a node -e snippet.
• Preserved existing behavior: seeding only runs when agents.defaults.skipBootstrap is true.
• Added a regression test that runs the function through declare -f and bash -c, then verifies template seeding still works.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Focused verification run:

• bash -n scripts/nemoclaw-start.sh
• npm test -- test/nemoclaw-start.test.ts -t "round-trips seed_default_workspace_templates"
• git diff --check -- scripts/nemoclaw-start.sh test/nemoclaw-start.test.ts

---

Signed-off-by: gauravprasad prasadgaurav559@gmail.com

Summary by CodeRabbit

• Refactor

  • Optimized the workspace template seeding validation process.

• Tests

  • Added comprehensive testing for workspace template seeding functionality.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 81d031ec-9c74-4718-a787-89ddcc79186b

📥 Commits

Reviewing files that changed from the base of the PR and between cbf7545 and 46028ae.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/nemoclaw-start.sh

---

📝 Walkthrough

Walkthrough

The PR refactors the skip-bootstrap validation in seed_default_workspace_templates from a heredoc-based Node check to a JavaScript one-liner stored in a shell variable. A new Vitest test file validates the refactored function executes correctly without heredoc syntax, seeding templates only when agents.defaults.skipBootstrap is true.

Changes

Skip bootstrap check refactoring and testing

Layer / File(s)	Summary
Skip bootstrap check refactoring scripts/nemoclaw-start.sh	The skip-bootstrap validator replaces a heredoc with a skip_bootstrap_check variable containing a Node.js one-liner; the variable is executed via node -e to gate template seeding based on agents.defaults.skipBootstrap.
Test infrastructure and validation test/nemoclaw-start-workspace-template-seeding.test.ts	New Vitest test extracts the seed_default_workspace_templates function from the shell script, asserts no heredoc is present, runs the function via bash -c with temporary directories and config, verifies seeding outputs and template file presence, and cleans up afterward. Includes shellQuote helper for safe subprocess argument passing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A bootstrap check, once wrapped in heredoc's maze,
Now shines as a one-liner, clear as morning blaze.
With tests to ensure it seeded just right,
The refactor brings both clarity and light! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: converting heredoc-based shell code to a shell-serializable format using a node -e one-liner to fix startup failures.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cv]

@gauravprasadgp mind addressing the failing checks, please?

[gauravprasadgp]

@gauravprasadgp mind addressing the failing checks, please?

Done @cv please proceed.

[coderabbitai]

🧹 Nitpick comments (1)

test/nemoclaw-start-workspace-template-seeding.test.ts (1)

13-19: 💤 Low value

Static analysis flagged potential ReDoS risk from regex variable interpolation.

The regex construction on line 14 uses the name parameter directly, which static analysis flagged as a potential Regular Expression Denial of Service (ReDoS) vector. In this test file, name is always the hardcoded string "seed_default_workspace_templates" (line 29), making this a false positive in practice.

However, as a defensive measure, consider escaping special regex characters in the name parameter:

🛡️ Optional defensive fix

 function extractShellFunctionFromSource(src: string, name: string): string {
-  const match = src.match(new RegExp(`${name}\\(\\) \\{([\\s\\S]*?)^\\}`, "m"));
+  const escapedName = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const match = src.match(new RegExp(`${escapedName}\\(\\) \\{([\\s\\S]*?)^\\}`, "m"));
   if (!match) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/nemoclaw-start-workspace-template-seeding.test.ts` around lines 13 - 19,
The test's extractShellFunctionFromSource function interpolates the name
parameter directly into a RegExp causing a potential ReDoS; fix it by escaping
regex-special characters in name before building the RegExp (e.g., transform
name with a safe escape like replace(/[.*+?^${}()|[\]\\]/g, '\\$&') so the
generated pattern treats the function name literally) and then use the
escapedName in new RegExp; refer to function extractShellFunctionFromSource and
the name variable when making this change.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/nemoclaw-start-workspace-template-seeding.test.ts`:
- Around line 13-19: The test's extractShellFunctionFromSource function
interpolates the name parameter directly into a RegExp causing a potential
ReDoS; fix it by escaping regex-special characters in name before building the
RegExp (e.g., transform name with a safe escape like
replace(/[.*+?^${}()|[\]\\]/g, '\\$&') so the generated pattern treats the
function name literally) and then use the escapedName in new RegExp; refer to
function extractShellFunctionFromSource and the name variable when making this
change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d39592dc-234a-4276-a9ba-7521a60ebf1c

📥 Commits

Reviewing files that changed from the base of the PR and between ce6b568 and cbf7545.

📒 Files selected for processing (1)

• test/nemoclaw-start-workspace-template-seeding.test.ts

[github-code-quality]

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the main branch is 96%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	main 1f75d03	+/-
nemoclaw/src/se...cret-scanner.ts	—	100%	—
nemoclaw/src/commands/slash.ts	—	100%	—
nemoclaw/src/li...bprocess-env.ts	—	100%	—
nemoclaw/src/bl...eprint/state.ts	—	98%	—
nemoclaw/src/onboard/config.ts	—	98%	—
nemoclaw/src/bl...int/snapshot.ts	—	97%	—
nemoclaw/src/bl...print/runner.ts	—	95%	—
nemoclaw/src/co...ration-state.ts	—	94%	—
nemoclaw/src/bl...ate-networks.ts	—	94%	—
nemoclaw/src/index.ts	—	94%	—

TypeScript / code-coverage/cli

The overall coverage in the main branch is 44%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	main 1f75d03	+/-
src/lib/state/o...oard-session.ts	—	90%	—
src/lib/inference/local.ts	—	77%	—
src/lib/sandbox/config.ts	—	72%	—
src/lib/inference/nim.ts	—	72%	—
src/lib/onboard/preflight.ts	—	64%	—
src/lib/state/sandbox.ts	—	55%	—
src/lib/onboard...er-gpu-patch.ts	—	50%	—
src/lib/actions...licy-channel.ts	—	49%	—
src/lib/policy/index.ts	—	48%	—
src/lib/onboard.ts	—	17%	—

---

_{Updated June 14, 2026 03:39 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}