fix(installer): clarify install tag pinning

[cv]

Summary

Clarifies how to pin NEMOCLAW_INSTALL_TAG in curl-piped installs and makes missing installer refs fail with an explicit error. This prevents users from thinking the installer accepted a tag while silently following lkg when the shell assignment was applied only to curl.

Related Issue

Fixes #4675

Changes

• Adds explicit unavailable-ref handling in both install.sh bootstrap and scripts/install.sh payload clone paths.
• Updates installer help text to show the correct curl ... | NEMOCLAW_INSTALL_TAG=v0.0.56 bash placement.
• Documents tag pinning in docs/manage-sandboxes/lifecycle.mdx, including the common shell-assignment pitfall.
• Adds installer regression coverage for help text and missing piped-install refs.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• Documentation

  • Added guidance on pinning specific NemoClaw releases during installation, including curl|bash usage examples and a warning about where to set the variable.

• Bug Fixes

  • Installer now fails early with a clear message if the requested install ref can't be fetched (no silent fallback).
  • Help output clarified with explicit instructions for setting the install tag.

• Tests

  • Expanded tests for installer help text and failure behavior when a requested release is unavailable.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2b9ad4ba-fa6f-4554-a4af-84ed0d2d5f53

📥 Commits

Reviewing files that changed from the base of the PR and between f80ffc5 and 53964a8.

📒 Files selected for processing (1)

• docs/manage-sandboxes/lifecycle.mdx

✅ Files skipped from review due to trivial changes (1)

• docs/manage-sandboxes/lifecycle.mdx

---

📝 Walkthrough

Walkthrough

Adds explicit failure handling when a requested git ref (set via NEMOCLAW_INSTALL_TAG) cannot be fetched, expands installer help text with curl|bash guidance and examples, updates user docs to document pinning behavior, and strengthens tests to validate help text and failure behavior.

Changes

Installer Tag Resolution and Error Handling

Layer / File(s)	Summary
Explicit error on unavailable git ref install.sh, scripts/install.sh	clone_nemoclaw_ref wraps shallow git fetch in a conditional and exits with a clear error message when the requested ref cannot be fetched.
Help/usage text updates for NEMOCLAW_INSTALL_TAG install.sh, scripts/install.sh	Installer usage/--help output adds guidance for setting NEMOCLAW_INSTALL_TAG in `curl
User documentation for tag pinning docs/manage-sandboxes/lifecycle.mdx	New subsection documents pinning a specific NemoClaw release via NEMOCLAW_INSTALL_TAG, notes that the var must be set on the bash side of a pipe, and clarifies that failed ref fetches cause the installer to exit with error rather than fallback.
Test validation of ref error and help text test/install-preflight.test.ts	Help text assertions extended for NEMOCLAW_INSTALL_TAG defaults and curl-pipe guidance; adds an E2E piped-installer test that stubs a failing git fetch and asserts clear error messaging and non-zero exit.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4613: Both PRs modify installer help/usage behavior and tests around NEMOCLAW_INSTALL_TAG.

Suggested reviewers

• ericksoa

Poem

🐰 I nibbled at a tag today,
Pinned a release the proper way.
With curl and bash the ref is clear—
If fetch will fail, the error's near.
Hop, install, and worry less today!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: clarifying how to pin NEMOCLAW_INSTALL_TAG in curl-piped installs and making missing installer refs fail explicitly.
Linked Issues check	✅ Passed	All coding requirements from issue #4675 are met: explicit failure on unavailable refs [install.sh, scripts/install.sh], clear error messages, corrected usage documentation in help text and docs, and test coverage for missing refs.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to addressing issue #4675: error handling for unavailable install refs, updated help text guidance, documentation updates, and test coverage for the new behavior.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/4675-install-tag

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

test/install-preflight.test.ts (1)

2888-2892: ⚡ Quick win

Add payload-entrypoint regression coverage.

These assertions only pin the bootstrap install.sh behavior. scripts/install.sh changed the same NEMOCLAW_INSTALL_TAG help text and unavailable-ref messaging, so the two installer entrypoints can drift without a failing test. Please add a companion payload case for --help and for an unavailable clone_nemoclaw_ref.

Also applies to: 3704-3748

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/install-preflight.test.ts` around lines 2888 - 2892, The current test
only asserts help text for the bootstrap install entrypoint; add companion tests
that invoke the payload entrypoint (scripts/install.sh) to cover its --help
output and the unavailable clone_nemoclaw_ref path so both installers stay in
sync. Specifically, add two assertions similar to the existing ones that run
scripts/install.sh --help and run it with an unavailable clone_nemoclaw_ref
value, then assert output contains NEMOCLAW_INSTALL_TAG, the "default: lkg"
text, the "set this on bash or export it first" message, and the curl example
(curl .* | NEMOCLAW_INSTALL_TAG=v0\.0\.56 bash); mirror this change for the
other test block referenced (lines around 3704-3748) so both entrypoints have
matching coverage.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/install-preflight.test.ts`:
- Around line 2888-2892: The current test only asserts help text for the
bootstrap install entrypoint; add companion tests that invoke the payload
entrypoint (scripts/install.sh) to cover its --help output and the unavailable
clone_nemoclaw_ref path so both installers stay in sync. Specifically, add two
assertions similar to the existing ones that run scripts/install.sh --help and
run it with an unavailable clone_nemoclaw_ref value, then assert output contains
NEMOCLAW_INSTALL_TAG, the "default: lkg" text, the "set this on bash or export
it first" message, and the curl example (curl .* |
NEMOCLAW_INSTALL_TAG=v0\.0\.56 bash); mirror this change for the other test
block referenced (lines around 3704-3748) so both entrypoints have matching
coverage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 146208c6-ef94-4333-9f21-c34a89ef0e36

📥 Commits

Reviewing files that changed from the base of the PR and between 0c958cf and f80ffc5.

📒 Files selected for processing (4)

• docs/manage-sandboxes/lifecycle.mdx
• install.sh
• scripts/install.sh
• test/install-preflight.test.ts

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-4678.docs.buildwithfern.com/nemoclaw

[github-actions]

E2E Advisor Recommendation

Required E2E: cloud-onboard-e2e
Optional E2E: openshell-gateway-upgrade-e2e, docs-validation-e2e

Dispatch hint: cloud-onboard-e2e

Auto-dispatched E2E: cloud-onboard-e2e via nightly-e2e.yaml at 53964a8df744df3ba8dde43224b1ea1017e9ac75 — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cloud-onboard-e2e (medium; live Linux install/onboard with NVIDIA_API_KEY and sandbox creation): Exercises the public installer curl|bash path, exports the checked-out PR SHA as NEMOCLAW_PUBLIC_INSTALL_REF/NEMOCLAW_INSTALL_REF, verifies the GitHub clone path and requested ref are used, then onboards a live sandbox. This is the highest-signal existing E2E for installer ref/bootstrap changes.

Optional E2E

• openshell-gateway-upgrade-e2e (high; real old-to-new gateway upgrade and sandbox preservation path): Useful adjacent coverage because upgrade flows run the installer with NEMOCLAW_INSTALL_REF/NEMOCLAW_INSTALL_TAG while moving an old OpenShell gateway to the current stack, but the PR does not directly alter gateway upgrade logic.
• docs-validation-e2e (low; install plus docs validation): Optional confidence for the documentation/help surface touched by the PR; not merge-blocking for runtime installer behavior because unit tests already cover the new help text.

New E2E recommendations

• installer/bootstrap missing-ref behavior (medium): Existing E2E covers successful public install with a requested ref, while the new fail-closed behavior for an unavailable ref is only covered by unit/preflight tests. A small hermetic script E2E could run the public/root installer with a definitely missing NEMOCLAW_INSTALL_TAG and assert the clear error without provisioning a sandbox.
  • Suggested test: Add a lightweight installer-negative E2E script for curl|bash with unavailable NEMOCLAW_INSTALL_TAG/NEMOCLAW_INSTALL_REF that verifies nonzero exit and no fallback to lkg.

Dispatch hint

• Workflow: E2E / Nightly
• jobs input: cloud-onboard-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw
Optional scenario E2E: wsl-repo-cloud-openclaw, macos-repo-cloud-openclaw

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: medium

Required scenario E2E

• ubuntu-repo-cloud-openclaw: Installer/setup script changes can affect the standard Ubuntu OpenClaw onboarding path; this is the smallest dispatchable scenario that validates the primary repo-current install plus baseline onboarding flow on the default runner.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional scenario E2E

• wsl-repo-cloud-openclaw: Optional adjacent platform coverage for shell installer/setup behavior under WSL; special-runner scenario, so not required for this installer change.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=wsl-repo-cloud-openclaw
• macos-repo-cloud-openclaw: Optional adjacent platform coverage for bash installer/setup behavior on macOS; special-runner scenario, so not required for this Ubuntu-focused installer change.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=macos-repo-cloud-openclaw

Relevant changed files

• install.sh
• scripts/install.sh

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 1 nice ideas
Top item: Payload missing-ref path lacks behavioral coverage

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• None.

🌱 Nice ideas

• Add a behavioral regression test for the payload clone failure path (scripts/install.sh:136): The new unavailable-ref handling was added in both the root bootstrap and the versioned payload. The new negative test exercises the piped root installer path, while the payload copy is only covered indirectly by a static source-shape assertion. A small targeted test would make future drift between the two clone_nemoclaw_ref implementations easier to catch.
  • Recommendation: Add or extend a test that sources/runs scripts/install.sh with a failing fake git fetch and asserts the non-zero exit plus the new “Requested install ref … is not available” message.
  • Evidence: install.sh and scripts/install.sh both wrap `git fetch --quiet --depth 1 origin "$ref"` with explicit errors, but the added negative test named “piped root installer fails clearly when the selected ref is unavailable” feeds the root installer; existing tests only statically inspect both function bodies for fetch/checkout shape.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26847586656
Target ref: 53964a8df744df3ba8dde43224b1ea1017e9ac75
Workflow ref: main
Requested jobs: cloud-onboard-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success