refactor(cli): port debug.sh to TypeScript

[prekshivyas]

Summary

Closes #1296. Part of #924 shell consolidation.

• Port scripts/debug.sh (355 lines) to src/lib/debug.ts using execa for subprocess execution
• Add redact() function with 4 regex patterns for secret filtering (API keys, nvapi tokens, GitHub PATs, Bearer tokens)
• Platform-aware diagnostics: System, Processes, GPU, Docker, OpenShell, Sandbox Internals (SSH), Network, Kernel/IO, Kernel Messages
• Replace bin/nemoclaw.js spawnSync("bash", ["scripts/debug.sh", ...]) with direct runDebug() call
• Parse --quick, --output, --sandbox, --help flags in CLI with unknown-flag rejection
• Add bin/lib/debug.js thin CJS re-export shim following established migration pattern
• Add src/lib/debug.test.ts with 7 tests covering all redaction patterns
• Preserve scripts/debug.sh for standalone curl-pipe usage

Test plan

• npx vitest run --project plugin — all 200 tests pass (9 files)
• npx tsc --noEmit — no type errors
• npx eslint src/lib/debug.ts src/lib/debug.test.ts — clean
• Pre-commit hooks pass (gitleaks, prettier, eslint, vitest, commitlint)
• Manual: nemoclaw debug --quick collects minimal diagnostics
• Manual: nemoclaw debug --output /tmp/diag.tar.gz creates tarball
• Manual: nemoclaw debug --help shows usage text

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features

  • Enhanced the debug command with CLI options: --help, --quick, --output, and --sandbox for customized diagnostic collection.
  • Debug command now automatically redacts sensitive information (API keys, tokens, passwords) from diagnostic output.
  • Added support for exporting collected diagnostics as a gzipped archive.

• Tests

  • Added comprehensive test coverage for secret redaction functionality.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 02626eef-51cb-4c63-9cc0-28b55dd48024

📥 Commits

Reviewing files that changed from the base of the PR and between 4ffb5a5 and a99273c.

📒 Files selected for processing (1)

• bin/nemoclaw.js

---

📝 Walkthrough

Walkthrough

Ports the diagnostic collection functionality from scripts/debug.sh to src/lib/debug.ts, introducing a new TypeScript module with CLI option parsing in bin/nemoclaw.js. Adds a CommonJS shim at bin/lib/debug.js and test coverage for the secret redaction logic.

Changes

Cohort / File(s)	Summary
CommonJS Shim bin/lib/debug.js	New entry point that re-exports compiled TypeScript module from dist/lib/debug.
CLI Option Parsing bin/nemoclaw.js	Replaced spawnSync invocation of scripts/debug.sh with direct call to runDebug(). Added in-function CLI option parsing for --help/-h, --quick/-q, --output/-o <path>, and --sandbox <name>. Updated default sandbox selection to use registry.listSandboxes().defaultSandbox.
Debug Implementation src/lib/debug.ts	New module implementing diagnostic data collection with runDebug(opts) and redact(text) functions. Gathers OS, process, GPU, Docker, OpenShell, sandbox internals, and kernel data via subprocess execution with 30s timeout, secret redaction, and optional gzipped tarball output.
Test Coverage src/lib/debug.test.ts	New test suite verifying redact() function removes API keys, tokens, passwords, and Bearer tokens from diagnostic output across multiple pattern types.

Sequence Diagram

sequenceDiagram
    participant User as User / CLI
    participant Nemoclaw as bin/nemoclaw.js
    participant Debug as src/lib/debug.ts
    participant SubProc as Subprocess Execution
    participant FS as Filesystem

    User->>Nemoclaw: nemoclaw debug [options]
    Nemoclaw->>Nemoclaw: Parse CLI options (--sandbox, --output, --quick)
    Nemoclaw->>Debug: runDebug(opts)
    Debug->>Debug: Resolve target sandbox name
    Debug->>FS: Create temp collection directory
    Debug->>SubProc: Execute multiple diagnostic commands<br/>(OS info, Docker, GPU, OpenShell, etc.)
    SubProc-->>Debug: Capture stdout/stderr (30s timeout)
    Debug->>Debug: Apply secret redaction patterns
    Debug->>FS: Write labeled .txt files to temp dir
    Debug->>User: Print colorized output to console
    alt opts.output provided
        Debug->>FS: Create gzipped tarball
        Debug->>User: Print archive path & usage instructions
    end
    Debug->>FS: Clean up temp directory & files

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Poem

🐰 Hop, hop, the debug script hops from bash to TS,
With secrets safely redacted, diagnostic tales expressed,
Subprocess whispers gathered in a tidy archive,
The CLI's bright new paths help problems come alive! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 24.44% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title "refactor(cli): port debug.sh to TypeScript" accurately summarizes the main change: converting a bash diagnostic script to TypeScript in the CLI.
Linked Issues check	✅ Passed	The PR successfully implements all requirements from #1296: ports debug.sh to TypeScript, preserves secret redaction, replaces shell-out with direct invocation, adds tests, and follows the established migration pattern.
Out of Scope Changes check	✅ Passed	All changes are directly related to the stated objectives: new debug.ts implementation, corresponding tests, CLI integration in nemoclaw.js, and the required CJS shim in bin/lib/. No unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/port-debug-to-ts-1296

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

nemoclaw/src/lib/debug.test.ts (1)

5-5: Import the co-located source module here.

Pointing this test at ../../dist/lib/debug.js makes the suite depend on a built artifact and can hide a source/dist mismatch. If this is meant to be a unit test for the new TypeScript implementation, import the local source module instead; if it is meant to smoke-test the packaged output, it should live with the integration/build checks instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@nemoclaw/src/lib/debug.test.ts` at line 5, The test currently imports the
built artifact (dist) which creates a dependency on a packaged output; update
the import in the test so it imports the co-located source TypeScript module
that exports redact (the repo's debug module) instead of ../../dist/lib/debug.js
so the unit test exercises the source implementation rather than the built
artifact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bin/nemoclaw.js`:
- Around line 241-247: The CLI argument parsing block that sets opts.output and
opts.sandboxName accepts any next token (args[++i]) including flag-shaped values
like "--quick"; update the parsing for the branches handling "--output"/"-o" and
"--sandbox" to validate the next argument is not another flag (e.g., starts with
'-') and exists, and if it is missing or flag-shaped emit the same error path
(console.error + process.exit(1)) instead of assigning it to opts.output or
opts.sandboxName; locate the code that checks args[i] and assigns to opts.output
and opts.sandboxName and add a guard rejecting values that begin with '-' so
typos don’t become valid names.

In `@nemoclaw/src/lib/debug.ts`:
- Around line 250-254: The execa(...) calls used for probing Docker/OpenShell
can hang and bypass collect()'s timeout; update the ad-hoc probes (the execa
invocation shown and the similar call at the 313-317 block) to include a timeout
option (e.g., timeout: <milliseconds>) and propagate the same timeout value used
by collect() (or introduce a shared timeoutMs constant) so the probe is killed
after the collection timeout; ensure the option is passed alongside
reject/stdout/stderr and handle the timeout result consistently (reject: false)
to avoid throwing on timeout.
- Around line 324-333: The code currently builds sshHost and sshBase (variables
sshHost and sshBase) and then rebuilds them into a shell string (via
collectShell/round-tripping), which allows a crafted sandboxName to break
quoting; instead keep sshBase as an argv array and stop converting it to a
single shell string: pass the sshBase array (with sshHost) directly to the child
process/spawn API or any function that accepts argv, and update the places that
previously used collectShell()/stringified argv (also the similar block around
lines 338-342) to accept an array instead of concatenating into a shell command
so sandboxName is never interpolated into sh -c.
- Around line 50-52: Update the GitHub PAT redact regex in
nemoclaw/src/lib/debug.ts to also match fine-grained tokens prefixed with
"github_pat_" (in addition to "ghp_") by extending the existing
[/ghp_[A-Za-z0-9]{30,}/g, "<REDACTED>"] entry (or replacing it with a single
regex that matches both prefixes), and add a unit test that verifies tokens
starting with "github_pat_" are redacted the same way as "ghp_" tokens.

---

Nitpick comments:
In `@nemoclaw/src/lib/debug.test.ts`:
- Line 5: The test currently imports the built artifact (dist) which creates a
dependency on a packaged output; update the import in the test so it imports the
co-located source TypeScript module that exports redact (the repo's debug
module) instead of ../../dist/lib/debug.js so the unit test exercises the source
implementation rather than the built artifact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 685019af-01b4-4196-8d9e-827712605a49

📥 Commits

Reviewing files that changed from the base of the PR and between cb668d7 and ebf2b5d.

📒 Files selected for processing (4)

• bin/lib/debug.js
• bin/nemoclaw.js
• nemoclaw/src/lib/debug.test.ts
• nemoclaw/src/lib/debug.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Redact fine-grained GitHub PATs too.

ghp_ only covers classic personal access tokens. GitHub also issues fine-grained PATs with the github_pat_ prefix, so those can still be written to disk and echoed back unredacted by this collector. Please extend the pattern and add a matching test case. (docs.github.com)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@nemoclaw/src/lib/debug.ts` around lines 50 - 52, Update the GitHub PAT redact
regex in nemoclaw/src/lib/debug.ts to also match fine-grained tokens prefixed
with "github_pat_" (in addition to "ghp_") by extending the existing
[/ghp_[A-Za-z0-9]{30,}/g, "<REDACTED>"] entry (or replacing it with a single
regex that matches both prefixes), and add a unit test that verifies tokens
starting with "github_pat_" are redacted the same way as "ghp_" tokens.

[cv]

Nice work porting the debug collector. A few issues to fix, one of which is a security concern:

1. Wrong directory — same as #1306 and #1307. nemoclaw/src/lib/debug.ts should be src/lib/debug.ts.

2. Shell injection via sandbox name (critical) — sandboxName is interpolated into a sh -c command string for the SSH diagnostic collection. A sandbox name containing shell metacharacters (quotes, semicolons, backticks) can execute arbitrary commands locally. Use execa array args instead of string interpolation:

// Instead of:
await execa("sh", ["-c", `ssh ${sshBase} "command"`])
// Use:
await execa("ssh", [...sshArgs, "command"])

3. Missing redaction for fine-grained GitHub PATs — the ghp_ pattern only catches classic tokens. GitHub also issues github_pat_ prefixed tokens. Add that pattern.

4. No timeouts on ad-hoc execa probes — the Docker and OpenShell health checks outside of collect() have no timeout. If Docker is wedged, nemoclaw debug hangs forever. Add { timeout: 10_000 } or similar.

5. Flag-shaped values accepted for --output and --sandbox — nemoclaw debug --output --quick writes to a file literally named --quick. Reject values starting with - for these flags, or use a flag parsing library that handles this.

6. Needs rebase — merge conflicts with main.

The overall structure (platform-aware collectors, secret redaction, tarball output) is solid.

[coderabbitai]

🧹 Nitpick comments (1)

src/lib/debug.ts (1)

70-77: Consider using execFileSync for command existence check.

command -v ${cmd} interpolates into a shell string. While all current callers pass hardcoded command names, using execFileSync with which (or spawning a shell with array args) would be safer for defense in depth.

♻️ Optional: Safer implementation

 function commandExists(cmd: string): boolean {
   try {
-    execSync(`command -v ${cmd}`, { stdio: ["ignore", "ignore", "ignore"] });
+    spawnSync("sh", ["-c", `command -v "$1"`, "_", cmd], {
+      stdio: "ignore",
+    }).status === 0;
     return true;
   } catch {
     return false;
   }
 }

Or simply document that this function expects only trusted/hardcoded command names.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/lib/debug.ts` around lines 70 - 77, The commandExists function currently
calls execSync with an interpolated shell string; replace it to avoid shell
interpolation by using execFileSync (or spawnSync) to run the platform command
directly (e.g., call execFileSync or spawnSync with the executable name "which"
and an args array containing cmd) and check exit status/throwing behavior to
return true/false; update the function named commandExists accordingly and
ensure stdio/options mirror previous behavior for silent execution.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/lib/debug.ts`:
- Around line 70-77: The commandExists function currently calls execSync with an
interpolated shell string; replace it to avoid shell interpolation by using
execFileSync (or spawnSync) to run the platform command directly (e.g., call
execFileSync or spawnSync with the executable name "which" and an args array
containing cmd) and check exit status/throwing behavior to return true/false;
update the function named commandExists accordingly and ensure stdio/options
mirror previous behavior for silent execution.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 18349c7e-7076-49c4-9d74-1af7fa1a41b8

📥 Commits

Reviewing files that changed from the base of the PR and between ebf2b5d and 0726521.

📒 Files selected for processing (6)

• bin/lib/debug.js
• bin/nemoclaw.js
• install.sh
• src/lib/debug.test.ts
• src/lib/debug.ts
• test/install-preflight.test.js

✅ Files skipped from review due to trivial changes (1)

• bin/lib/debug.js

🚧 Files skipped from review as they are similar to previous changes (1)

• bin/nemoclaw.js

[coderabbitai]

🧹 Nitpick comments (2)

src/lib/debug.ts (2)

105-107: Consider distinguishing timeouts from other failures.

When spawnSync times out, result.signal will be 'SIGTERM' but the current message says "non-zero status". For better diagnostics, consider checking result.signal to display a more informative message like "(command timed out after 30s)".

💡 Optional enhancement

   if (result.status !== 0) {
-    console.log("  (command exited with non-zero status)");
+    if (result.signal === "SIGTERM") {
+      console.log(`  (command timed out after ${TIMEOUT_MS / 1000}s)`);
+    } else {
+      console.log(`  (command exited with status ${result.status ?? "unknown"})`);
+    }
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/lib/debug.ts` around lines 105 - 107, The current console message for
non-zero exits uses result.status only; update the check around the spawnSync
result (variable name result) to detect timeouts by inspecting result.signal
(e.g., === 'SIGTERM') and print a timeout-specific message like "(command timed
out after 30s)" instead of the generic "(command exited with non-zero status)";
keep the original non-zero/exit case for other failures and include the status
or signal in the log for clearer diagnostics.

---

306-306: Minor: Consider using mkdtempSync for the SSH config.

The timestamp-based filename is predictable, which creates a small TOCTOU window. For hardened environments, consider creating a temp directory with mkdtempSync and placing the config inside, or using crypto.randomUUID() for the filename suffix.

💡 Optional hardening

-  const sshConfigPath = join(tmpdir(), `nemoclaw-ssh-${String(Date.now())}`);
+  const sshConfigPath = join(tmpdir(), `nemoclaw-ssh-${crypto.randomUUID()}`);

Add to imports:

import { randomUUID } from "node:crypto";

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/lib/debug.ts` at line 306, The sshConfigPath currently uses a predictable
timestamp-based name; update the code that defines sshConfigPath (the variable
assigned with join(tmpdir(), `nemoclaw-ssh-${String(Date.now())}`)) to create a
secure temp location instead—either create a unique temp directory with
fs.mkdtempSync and place the SSH config file inside it, or append a
cryptographically strong suffix such as crypto.randomUUID() to the filename (add
the import for randomUUID from node:crypto if chosen); ensure any downstream
uses of sshConfigPath still point to the new file path.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/lib/debug.ts`:
- Around line 105-107: The current console message for non-zero exits uses
result.status only; update the check around the spawnSync result (variable name
result) to detect timeouts by inspecting result.signal (e.g., === 'SIGTERM') and
print a timeout-specific message like "(command timed out after 30s)" instead of
the generic "(command exited with non-zero status)"; keep the original
non-zero/exit case for other failures and include the status or signal in the
log for clearer diagnostics.
- Line 306: The sshConfigPath currently uses a predictable timestamp-based name;
update the code that defines sshConfigPath (the variable assigned with
join(tmpdir(), `nemoclaw-ssh-${String(Date.now())}`)) to create a secure temp
location instead—either create a unique temp directory with fs.mkdtempSync and
place the SSH config file inside it, or append a cryptographically strong suffix
such as crypto.randomUUID() to the filename (add the import for randomUUID from
node:crypto if chosen); ensure any downstream uses of sshConfigPath still point
to the new file path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f233e8ab-307c-4a07-936c-5b469d12a5ff

📥 Commits

Reviewing files that changed from the base of the PR and between 0726521 and 4ffb5a5.

📒 Files selected for processing (1)

• src/lib/debug.ts

[cv]

Shell injection fixed (execa array args), github_pat_ redaction added, timeouts added, directory structure corrected. Remaining CodeRabbit comments are nitpicks. Good work.