fix(install): prevent nvm/login shell from resetting PATH in subshells

[cv]

Summary

• bash -lc → bash -c in install_nemoclaw() subshells. The login shell flag sourced /etc/profile which runs path_helper on macOS, resetting PATH to system defaults and hiding the caller's binaries.
• Skip nvm.sh sourcing when node is already on PATH. ensure_nvm_loaded() unconditionally sourced nvm.sh, which also resets PATH — breaking test stubs and unnecessarily mutating the environment.
• Export info/warn helpers via declare -f so pre_extract_openclaw can use them in the subshell.
• Fix SC2206 shellcheck warning in version_gte() — use read -ra instead of unquoted word splitting.
• Add .shellcheckrc to suppress SC2059 (printf format string with color vars) and SC1091 (dynamically sourced files).
• Pin apt and pip package versions in Dockerfile — resolves hadolint DL3008/DL3013/DL3042/DL3059 without suppressing warnings.
• Document -h short alias in the installer usage output to match the option parser.

Why these tests failed locally but passed in CI

CI runs on ubuntu-latest with a minimal shell profile — no nvm, no path_helper. On macOS with nvm installed, both bash -l (via /etc/profile) and ensure_nvm_loaded (via nvm.sh) reset PATH, causing the fake node/npm/git stubs in install-preflight.test.js to be overridden by real system binaries.

Test plan

• npx vitest run — all tests pass
• npx shellcheck install.sh scripts/install.sh — clean
• CI green: lint, hadolint, test-unit, test-e2e-sandbox, commit-lint

🤖 Generated with Claude Code

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Added ShellCheck configuration file to suppress linting rules, refactored shell script helpers with formatting adjustments and minor logic changes (early returns, function expansion), updated subprocess invocation flags, reorganized option parsing, and pinned dependency versions in Docker configuration.

Changes

Cohort / File(s)	Summary
ShellCheck Configuration .shellcheckrc	Disables ShellCheck rules SC2059 and SC1091 to accommodate intentional ANSI escape sequences in printf format strings and dynamically resolved sourced scripts.
Installation Script Refactoring install.sh, scripts/install.sh	Refined shell helper formatting (color constants, printf statements), expanded error() and refined spin() implementations, restructured semver parsing in version_gte(), added early return when node is available on PATH in ensure_nvm_loaded() to prevent nvm sourcing, changed subprocess invocations from bash -lc to bash -c with expanded function declarations, and reorganized option parsing patterns in main().
Docker Dependency Pinning Dockerfile	Updated runtime package installations to use explicit pinned versions for Python 3.11, curl, git, ca-certificates, and iproute2; upgraded PyYAML from 6.0.2 to 6.0.3.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 We've hopped through config lines with care,
Pinned versions floating in the Docker air,
Shell helpers polished, scripts refined—
Each bash refactor, perfectly designed!
ShellCheck now rests, no warnings to bear,
A cleaner path for all to share! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(install): prevent nvm/login shell from resetting PATH in subshells' directly addresses the primary change—preventing PATH resets in subshells by replacing bash -lc with bash -c and refining NVM loading. This is the main focus of the PR as evidenced by the objectives.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.shellcheckrc (1)

9-9: Scope ShellCheck suppressions more narrowly.

Line 9 disables SC2059 and SC1091 repo-wide, which can mask future issues outside installer helpers. Prefer keeping global config minimal and using local # shellcheck disable=... at intentional callsites.

Example tightening

-disable=SC2059,SC1091
+disable=SC1091

# In files with intentional colorized printf format strings:
# shellcheck disable=SC2059
info() { printf "${C_CYAN}[INFO]${C_RESET}  %s\n" "$*"; }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.shellcheckrc at line 9, Remove the repo‑wide suppression of SC2059 and
SC1091 from .shellcheckrc and instead scope those disables to specific call
sites that intentionally require them (for example the colorized printf helper
like info() and any installer helper that sources generated files), by adding
local comments such as "# shellcheck disable=SC2059" or "# shellcheck
disable=SC1091" directly above the offending function or source statement; keep
the global .shellcheckrc minimal so other files still get checked.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.shellcheckrc:
- Line 9: Remove the repo‑wide suppression of SC2059 and SC1091 from
.shellcheckrc and instead scope those disables to specific call sites that
intentionally require them (for example the colorized printf helper like info()
and any installer helper that sources generated files), by adding local comments
such as "# shellcheck disable=SC2059" or "# shellcheck disable=SC1091" directly
above the offending function or source statement; keep the global .shellcheckrc
minimal so other files still get checked.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dee031f5-e9f3-4ee0-b586-67c22701b172

📥 Commits

Reviewing files that changed from the base of the PR and between 2ce2905 and 8c79539.

📒 Files selected for processing (3)

• .shellcheckrc
• install.sh
• scripts/install.sh

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@install.sh`:
- Around line 572-579: Update the script's usage output (the usage function) to
document the new -h short alias alongside --help and --version/-v; specifically,
modify the displayed options so the help text lists both `-h, --help` (and where
applicable `-v, --version`) to match the case in the option parsing block that
now accepts `-h` in addition to `--help`.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9587cdde-3ef8-4e1b-89f2-dd36b75ac933

📥 Commits

Reviewing files that changed from the base of the PR and between 8c79539 and 350cba0.

📒 Files selected for processing (5)

• .pre-commit-config.yaml
• install.sh
• nemoclaw-blueprint/pyproject.toml
• scripts/backup-workspace.sh
• scripts/install-openshell.sh

✅ Files skipped from review due to trivial changes (2)

• nemoclaw-blueprint/pyproject.toml
• scripts/backup-workspace.sh

[coderabbitai]

🧹 Nitpick comments (1)

Dockerfile (1)

16-22: Pinned APT versions may cause build failures when packages are superseded and removed from mirrors.

Pinning to exact Debian package versions (e.g., curl=7.88.1-10+deb12u14) ensures reproducible builds, but Debian does not retain old package versions in stable mirrors once a newer version is published. When a superseding version is released, the older one can be removed (e.g., when deb12u15 is published, deb12u14 may no longer be available), causing apt-get install to fail.

Consider one of these alternatives:

1. Pin only major/minor versions (e.g., curl=7.88.1*) to accept security patches automatically.
2. Keep exact pins but document a process/schedule for updating them when CI breaks.
3. Use snapshot.debian.org if strict reproducibility is required; older package versions remain available there even after being removed from the main mirrors.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 16 - 22, The Dockerfile currently pins exact Debian
package versions (e.g., python3, python3-pip, curl, git, ca-certificates,
iproute2) which will cause apt installs to fail when upstream mirrors remove
superseded versions; change those exact pins to looser pins (for example use
major/minor wildcards like curl=7.88.1* or remove the "=version" suffix
entirely) so security updates don’t break builds, or alternatively document a
process for updating these exact pins or switch to snapshot.debian.org for
strict reproducibility—apply the chosen approach to the listed package entries
in the Dockerfile.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Dockerfile`:
- Around line 16-22: The Dockerfile currently pins exact Debian package versions
(e.g., python3, python3-pip, curl, git, ca-certificates, iproute2) which will
cause apt installs to fail when upstream mirrors remove superseded versions;
change those exact pins to looser pins (for example use major/minor wildcards
like curl=7.88.1* or remove the "=version" suffix entirely) so security updates
don’t break builds, or alternatively document a process for updating these exact
pins or switch to snapshot.debian.org for strict reproducibility—apply the
chosen approach to the listed package entries in the Dockerfile.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ee2cb981-62d4-438f-9a32-5fcd11169685

📥 Commits

Reviewing files that changed from the base of the PR and between e2b955b and f02d161.

📒 Files selected for processing (2)

• Dockerfile
• scripts/brev-setup.sh

✅ Files skipped from review due to trivial changes (1)

• scripts/brev-setup.sh

[wscurran]

Thanks for submitting this fix to prevent the login shell from resetting the PATH in subshells, which could help resolve installation issues on macOS and make it easier for users to get started with NemoClaw.

[ericksoa]

Shell script fixes look good — the bash -lc → bash -c change and nvm skip are solid.

One thing: the Dockerfile apt version pins conflict with #721 (gateway process isolation) which adds gosu and a gateway user in the same area. Can you rebase onto #721 once it merges and reconcile the Dockerfile? The apt pins may also need loosening (e.g. python3=3.11* instead of exact point release) since they'll break when the base image rolls to a newer Debian build.