Skip to content

fix(cli): explain restricted dmesg in debug output#3854

Merged
jyaunches merged 1 commit into
NVIDIA:mainfrom
yimoj:fix/3700-debug-dmesg-permission
May 21, 2026
Merged

fix(cli): explain restricted dmesg in debug output#3854
jyaunches merged 1 commit into
NVIDIA:mainfrom
yimoj:fix/3700-debug-dmesg-permission

Conversation

@yimoj

@yimoj yimoj commented May 20, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Contributor

Summary

nemoclaw debug --quick now reports restricted kernel log access as a contextual skipped kernel-message section instead of surfacing raw dmesg permission stderr.

Related Issue

Fixes #3700

Changes

  • Adds dmesg-specific diagnostics handling for restricted kernel-log access and missing dmesg binaries.
  • Detects common dmesg permission-denied output and /proc/sys/kernel/dmesg_restrict=1 for non-root users.
  • Adds focused diagnostics and CLI regression coverage for restricted dmesg output.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

Focused verification run locally with Node v22.16.0:

  • npm run build:cli
  • npx vitest run --project cli src/lib/diagnostics/debug.test.ts test/cli.test.ts -t "isDmesgPermissionDeniedOutput|debug --quick"
  • npx vitest run --project cli src/lib/diagnostics/debug.test.ts
  • isolated node bin/nemoclaw.js debug --quick with fake dmesg under /tmp/nemoclaw-fix-3700-home
  • npm run typecheck:cli
  • npm run checks
  • npx biome lint --write --no-errors-on-unmatched src/lib/diagnostics/debug.ts src/lib/diagnostics/debug.test.ts test/cli.test.ts
  • git diff --check
  • codex review -c sandbox_mode="danger-full-access" --uncommitted

Broader npx vitest run --project cli src/lib/diagnostics/debug.test.ts test/cli.test.ts was stopped after the diagnostics file passed and test/cli.test.ts made no progress for more than three minutes in unrelated later CLI dispatch tests.

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Yimo Jiang yimoj@nvidia.com

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Improved handling of restricted kernel message access on Linux. The debug command now displays a clear message explaining permission restrictions instead of showing raw error output.

Review Change Stack

@yimoj
fix(cli): explain restricted dmesg in debug output
1330076 
Signed-off-by: Yimo Jiang <yimoj@nvidia.com>
@yimoj yimoj self-assigned this May 20, 2026
@coderabbitai

coderabbitai Bot commented May 20, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7bfb9772-7eb6-4fd3-8f0a-065eaac3fe51

📥 Commits

Reviewing files that changed from the base of the PR and between 11b1937 and 1330076.

📒 Files selected for processing (3)
  • src/lib/diagnostics/debug.test.ts
  • src/lib/diagnostics/debug.ts
  • test/cli.test.ts
📝 Walkthrough

Walkthrough

The PR adds Linux dmesg access restriction detection to the debug diagnostic tool. When kernel dmesg is unreadable due to permission restrictions, the report now displays a contextual skip message instead of raw "Operation not permitted" errors.

Changes

dmesg Restriction Detection and Reporting

Layer / File(s) Summary
dmesg restriction detection and guarded collection
src/lib/diagnostics/debug.ts		 Imports readFileSync, defines DMESG_RESTRICT_PATH constant, and adds diagnostic helpers to detect kernel restrictions via /proc/sys/kernel/dmesg_restrict. Exports isDmesgPermissionDeniedOutput predicate to classify permission-denied patterns. collectDmesg conditionally writes restriction/permission messages or captures redacted dmesg | tail -100. Integrates into non-macOS kernel message collection.
Permission-denied output detection tests
src/lib/diagnostics/debug.test.ts		 Updates imports and adds test suite for isDmesgPermissionDeniedOutput verifying true for restricted dmesg errors and false for unrelated permission messages.
Test environment setup and integration test
test/cli.test.ts		 Extends createDebugCommandTestEnv to generate unique sandbox names and inject NEMOCLAW_HOME/NEMOCLAW_SANDBOX variables. Creates stub dmesg binary emitting permission errors. Adds debug --quick integration test asserting kernel message output summarizes restriction and omits raw stderr.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

  • #3700: [All Platforms][CLI] nemoclaw debug --quick reports raw dmesg: ... not permitted without context — This PR directly implements the proposed fix: detection of kernel.dmesg_restrict, guarded dmesg collection, and contextual messaging to replace raw "Operation not permitted" errors.

Poem

🐰 A kernel so strict guards its logs with care,
But now our debug sees the restriction there!
No raw errors confuse the weary traveler's sight—
Just "dmesg needs sudo" in welcome text so bright. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 10.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title accurately and concisely describes the main change: fixing the debug command to explain restricted dmesg access instead of showing raw errors.
Linked Issues check ✅ Passed The PR successfully addresses all coding requirements from issue #3700: detects dmesg permission restrictions via /proc/sys/kernel/dmesg_restrict and error pattern matching, exports isDmesgPermissionDeniedOutput, handles restricted access in collectDmesg, and adds comprehensive test coverage.
Out of Scope Changes check ✅ Passed All changes are directly scoped to issue #3700: dmesg permission handling in diagnostics collection, test helpers for fake dmesg binaries, and regression tests for the new behavior. No unrelated modifications detected.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

Comment @coderabbitai help to get the list of available commands and usage tips.

@yimoj yimoj added the v0.0.48 Release target label May 20, 2026
@wscurran

wscurran commented May 20, 2026

Copy link
Copy Markdown
Contributor

Related open issues:

@github-actions github-actions Bot mentioned this pull request May 21, 2026
Closed
6 tasks
@cv cv added v0.0.49 Release target and removed v0.0.48 Release target labels May 21, 2026
@jyaunches jyaunches merged commit 5bf1be0 into NVIDIA:main May 21, 2026
30 checks passed
@miyoungc miyoungc mentioned this pull request May 22, 2026
Merged
12 tasks
miyoungc added a commit that referenced this pull request May 22, 2026
@miyoungc @claude
docs: correct v0.0.49 release notes against source
398406b 
Audit found the v0.0.49 release notes promised behaviors that did not ship
or were never implemented. Realign to the actual code on main.

- Drop the EXDEV runtime-deps claim: #3820 was reverted by #4051 in this
  release window, so the behavior is not present.
- Drop the "skip broad permission repair" claim: no corresponding commit
  in v0.0.48..v0.0.49.
- Rewrite the gateway probe classifier list in release-notes.mdx and
  commands.mdx to match the real states emitted by
  src/lib/status-command-deps.ts (named gateway unreachable / present
  but not Connected / pointing at a different name / not configured).
  The previous "non-JSON health response" example did not exist in code.
- Expand the channel-removal bullet to describe #4001's user-visible
  teardown (durable QR-paired state wipe, abort-on-failure, config.json
  re-sync) in addition to the existing #4013 sync.
- Add bullets for user-visible PRs that were merged in the release
  window but missing from the notes: #3854 (restricted dmesg in debug
  output), #3866 (shields status and logs --tail UX), #3984 (Hermes
  messaging policy scoping), and #4011 (Docker group security note).

Regenerated nemoclaw-user-overview and nemoclaw-user-reference skills
from the updated docs via scripts/docs-to-skills.py.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cv pushed a commit that referenced this pull request May 22, 2026
@miyoungc @claude
docs: refresh release notes for v0.0.49 (#4078)
756fbca 
## Summary
Refreshes the NemoClaw docs for the v0.0.49 hardening release, including
release notes, command reference updates, troubleshooting guidance,
version metadata, and regenerated user skills.

## Changes
- #3796, #3854, #3863, #3866, #3984, #4001, #4011, #4013, #4020, #4022,
#4023, #4060, #4062 -> `docs/about/release-notes.mdx`: Adds the v0.0.49
hardening release summary covering gateway reliability,
status/doctor/shields and debug UX, OpenClaw compatibility, messaging
channel teardown, Hermes policy scoping, snapshots, source installs and
Docker group security note, GPU preflight, CLI usage, E2E, and CI
improvements.
- #3796 -> `docs/manage-sandboxes/backup-restore.mdx` and
`docs/reference/commands.mdx`: Documents `snapshot restore --to`
overwrite protection and the `--force` opt-in.
- #3863, #4013, #4020, #4023 -> `docs/reference/commands.mdx`: Documents
missing channel argument usage, sandbox-scoped custom preset matching,
session policy preset sync, and gateway failure classification (uses the
real probe states from `src/lib/status-command-deps.ts`).
- #4022, #4060, #4062 -> `docs/reference/troubleshooting.mdx`: Adds
guidance for gateway-down `connect`, source checkout OpenShell
bootstrapping, WDDM placeholder GPU names, and Jetson sandbox GPU
passthrough.
- Release prep -> `docs/project.json`, `docs/versions1.json`,
`.agents/skills/nemoclaw-user-*`: Bumps docs metadata to 0.0.49 and
refreshes generated user skills from the Fern docs.

## Type of Change
- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Verification
- [x] `npx prek run --all-files` passes
- [ ] `npm test` passes
- [ ] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [x] Docs updated for user-facing behavior changes
- [ ] `make docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

\`make docs\` was attempted locally but did not complete because \`npm\`
returned \`403 Forbidden\` while fetching \`fern-api\` from
\`registry.npmjs.org\` in the sandboxed environment.

---
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Released v0.0.49 with reliability and compatibility improvements
including faster gateway failure diagnostics and safer snapshot restore
behavior
* Enhanced snapshot restore documentation with `--to` cloning and
`--force` overwrite requirements
* Expanded troubleshooting guides for source installs, GPU setup, and
gateway recovery
* Clarified Docker group access requirements and improved CLI command
reference

* **Chores**
  * Version bumped to 0.0.49

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/4078?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 25, 2026
Merged
Merged
@wscurran wscurran added area: cli Command line interface, flags, terminal UX, or output bug-fix PR fixes a bug or regression and removed NemoClaw CLI labels Jun 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jyaunches jyaunches jyaunches approved these changes

Assignees

@yimoj yimoj

Labels

area: cli Command line interface, flags, terminal UX, or output bug-fix PR fixes a bug or regression v0.0.49 Release target

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[All Platforms][CLI] nemoclaw debug --quick reports raw dmesg: ... not permitted without context

4 participants

@yimoj @wscurran @jyaunches @cv