
fix(installer): preserve npm lockfiles during install #4029

Open

jyaunches wants to merge 1 commit into main from fix-3798-sandbox-lockfile-sync-rescue

Conversation

@jyaunches (Contributor) commented May 22, 2026

Summary

  • Change installer dependency setup from npm install to npm ci for both the root package and nested nemoclaw/ sandbox payload.
  • Add a basic-checks guard that dry-runs npm ci for both lockfiles before the install step.
  • Update installer behavior coverage so source checkouts are verified to use npm ci --ignore-scripts without global GitHub installs.

Supersedes #3840.
Fixes #3798.

Repro

Issue #3798 reproduces when a host-side install mutates the nested sandbox lockfile before the Linux Docker build. On macOS with npm 11.6.2, cd nemoclaw && npm install --ignore-scripts prunes Linux-only optional @emnapi/* entries from nemoclaw/package-lock.json; the subsequent Linux node:22-trixie-slim npm ci then fails with the missing @emnapi/core / @emnapi/runtime errors described in the issue.

Test Plan

  • bash -n scripts/install.sh
  • git diff --check
  • npm test -- test/install-preflight.test.ts test/lockfile-ci-guard.test.ts -t "uses npm ci|lockfile CI guards" (blocked locally: vitest: command not found; this worktree has no node_modules)

Summary by CodeRabbit

  • Chores
    • Added npm lockfile validation in CI pipeline to ensure consistency between lockfiles and installed dependencies before proceeding with installation
    • Updated dependency installation process to use stricter, lockfile-aligned methods for improved build reproducibility
    • Expanded test coverage for critical installer workflows and CI behavior validation


Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>
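The two guards the PR description combines (a `npm ci --dry-run` sync check for each lockfile before anything is installed, and an install that must not rewrite the lockfile) as a stand-alone POSIX shell script. This is an added example, not the project's scripts/install.sh or its basic-checks action; it assumes `npm` on PATH and either `sha256sum` (Linux CI) or `shasum` (macOS hosts), and the function names, messages and the root/nemoclaw directory layout in the usage line are illustrative.

```shell
#!/bin/sh
# Added example (not the project's install.sh or basic-checks action): a guard that
# (1) dry-runs `npm ci` in every package directory so lockfile drift fails the build
# before anything is installed, and (2) proves the real install left the lockfile
# byte-for-byte unchanged. `npm ci` refuses to run when package-lock.json and
# package.json disagree and never rewrites the lockfile; `npm install` does both.
set -eu

# Portable SHA-256 of a file: sha256sum on Linux CI, shasum on macOS hosts.
lockfile_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Dry-run `npm ci --ignore-scripts` in each directory given. Returns non-zero on the
# first directory whose lockfile is missing or out of sync with its package.json,
# without creating node_modules or touching package-lock.json. npm's own output is
# left visible so CI logs show which package is missing from the lockfile.
validate_lockfiles() {
  for dir in "$@"; do
    if [ ! -f "$dir/package-lock.json" ]; then
      echo "lockfile guard: $dir/package-lock.json is missing" >&2
      return 1
    fi
    if ! (cd "$dir" && npm ci --ignore-scripts --dry-run); then
      echo "lockfile guard: $dir/package-lock.json is out of sync with package.json" >&2
      return 1
    fi
  done
}

# Run the real install with lifecycle scripts disabled, then fail if the lockfile
# digest changed: a regression guard against anything reintroducing `npm install`
# (or a postinstall script) that mutates package-lock.json on the host.
install_preserving_lockfile() {
  dir=$1
  before=$(lockfile_digest "$dir/package-lock.json")
  if ! (cd "$dir" && npm ci --ignore-scripts); then
    echo "lockfile guard: npm ci failed in $dir" >&2
    return 1
  fi
  after=$(lockfile_digest "$dir/package-lock.json")
  if [ "$before" != "$after" ]; then
    echo "lockfile guard: $dir/package-lock.json was rewritten during install" >&2
    return 1
  fi
}

# Usage, mirroring the PR's two-lockfile layout (root plus nested nemoclaw/):
#   validate_lockfiles . nemoclaw \
#     && install_preserving_lockfile . \
#     && install_preserving_lockfile nemoclaw
```

Run the dry-run pass on the same Linux image that consumes the lockfile at build time; a dry-run on the macOS host passes against a lockfile from which the Linux-only optional packages have already been pruned, which is exactly the divergence the issue describes.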
coderabbitai Bot (Contributor) commented May 22, 2026

📝 Walkthrough

This PR resolves lockfile drift in the nemoclaw subdirectory by adding CI validation for both root and nemoclaw lockfiles, switching the install flow from npm install to npm ci --ignore-scripts, and refactoring the OpenClaw pre-extraction workaround to restore contents after npm ci removes node_modules.

Changes (npm ci & lockfile validation)

  • GitHub Action lockfile validation (.github/actions/basic-checks/action.yaml): Adds a "Validate npm lockfiles" step that runs npm ci --ignore-scripts --dry-run for both root and nemoclaw before the install step, catching lockfile drift early. Dependency installation switches from npm install to npm ci --ignore-scripts for both directories.
  • Install script npm ci & OpenClaw restore flow (scripts/install.sh): Introduces restore_pre_extracted_openclaw() helper and updates both source-checkout and GitHub-clone installation paths to run npm ci --ignore-scripts followed by OpenClaw contents restoration before each build stage, replacing the prior pre-extraction-then-install order.
  • Preflight installer test updates (test/install-preflight.test.ts): npm stub now recognizes npm ci; source-checkout test tightened to require openclaw directories to exist for build steps and validates the exact sequence of npm ci --ignore-scripts and npm pack calls relative to builds. Assertions verify npm ci is used and npm install (non-global) is not.
  • CI guard tests for lockfile validation (test/lockfile-ci-guard.test.ts): New test suite that parses .github/actions/basic-checks/action.yaml and asserts the lockfile validation step runs before install with the correct npm ci --dry-run commands, and verifies install dependencies use npm ci --ignore-scripts for both root and nemoclaw without npm install.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

fix

Suggested reviewers

  • cv

Poem

🐰 A drift in lockfiles brought the sandbox low,
npm ci and --dry-run now guard the flow,
OpenClaw restored after deps align,
Both root and nemoclaw sit in line,
Tests assure the guards do their part divine! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly summarizes the main change: replacing npm install with npm ci to preserve lockfiles during the installation process.
  • Linked Issues check: ✅ Passed. The PR successfully addresses all coding requirements from #3798: uses npm ci instead of install, adds CI guard validating lockfiles via npm ci --dry-run for both root and nemoclaw, and updates installer to use npm ci with proper OpenClaw workaround handling.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to fixing #3798 and #3840: GitHub Actions config, installer script, and corresponding tests for lockfile validation and npm ci migration. No unrelated modifications detected.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.



@github-actions (Contributor) commented
E2E Advisor Recommendation

Required E2E: cloud-e2e, cloud-onboard-e2e
Optional E2E: macos-e2e, wsl-e2e

Dispatch hint: cloud-e2e,cloud-onboard-e2e

Auto-dispatched E2E: cloud-e2e, cloud-onboard-e2e via nightly-e2e.yaml at 5b42d8a0485ceba17d7d84504496207fc7e38dbc (nightly run)

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-e2e (high): Required because it runs the complete repo-source user journey via bash install.sh --non-interactive, covering the changed source-checkout install path, npm ci dependency install, OpenClaw package restore before build, CLI link, onboard, sandbox creation, and live inference.
  • cloud-onboard-e2e (high): Required because it exercises the public installer/GitHub-clone path that was also changed from npm install to npm ci and now depends on restoring the OpenClaw package after ci before build/onboard. It validates the clone-path install, CLI availability, OpenShell availability, sandbox health, security checks, and inference.local.

Optional E2E

  • macos-e2e (medium): Optional cross-platform confidence for npm ci/build behavior and installer-adjacent changes on macOS. The changed installer path is mainly validated on Ubuntu by required jobs, but macOS can catch shell/path/npm differences.
  • wsl-e2e (high): Optional platform confidence for WSL/Linux shell behavior around dependency installation and build/link assumptions. Useful because install.sh is shell-heavy, but not merge-blocking if Ubuntu install E2E passes.

New E2E recommendations

  • installer dependency install ordering (medium): The existing unit tests mock the OpenClaw restore ordering, and cloud E2Es cover happy paths, but there is no focused E2E/regression job that hermetically proves npm ci deletes node_modules and OpenClaw is restored before both root build:cli and plugin build without requiring live onboarding.
    • Suggested test: Add a lightweight regression E2E that runs scripts/install.sh from a temporary source checkout with fake npm pack/ci/run/link stubs and asserts OpenClaw restoration occurs after each npm ci and before both build steps.

Dispatch hint

  • Workflow: nightly-e2e.yaml
  • jobs input: cloud-e2e,cloud-onboard-e2e

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/install-preflight.test.ts`:
- Around line 98-100: The test harness function writeNpmStub and the
installSnippet handlers are not accounting for npm "ci" invocations, causing
many tests to hit the "unexpected npm invocation: ci --ignore-scripts" path;
update writeNpmStub (and any installSnippet blocks used in
test/install-preflight.test.ts) to accept and handle the "ci" command the same
way as "install" (e.g., add "$1" = "ci" branches or normalize "$1" to "install"
inside the stub) so existing test-specific handlers match the new installer
behavior and no longer reject npm ci.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 175adef9-a9c5-45a2-b6ec-9bed3c4f2f55

📥 Commits

Reviewing files that changed from the base of the PR and between 1bdb519 and 5b42d8a.

📒 Files selected for processing (4)
  • .github/actions/basic-checks/action.yaml
  • scripts/install.sh
  • test/install-preflight.test.ts
  • test/lockfile-ci-guard.test.ts

Comment on lines +98 to 100
if [ "$1" = "ci" ] || [ "$1" = "install" ] || [ "$1" = "link" ] || [ "$1" = "uninstall" ] || [ "$1" = "pack" ] || [ "$1" = "run" ]; then
${installSnippet}
fi
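Review bot: the dispatch on `$1` now admits `ci`, but `${installSnippet}` is interpolated verbatim, so every per-test snippet that still branches on `"$1" = "install"` falls through to the unexpected-invocation path for `npm ci --ignore-scripts`. Rather than touching each snippet, normalize once before the interpolation, e.g. `if [ "$1" = "ci" ]; then shift; set -- install "$@"; fi`; but do that after whatever records the invocation, otherwise the new assertion that `npm ci` is used and non-global `npm install` is not can no longer tell the two apart.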

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

writeNpmStub() still leaves many test-specific handlers rejecting npm ci.

Line 98 now dispatches ci, but a lot of callers in this file still only branch on "$1" = "install" inside installSnippet. Those tests will now fall through to unexpected npm invocation: ci --ignore-scripts, so the suite is still out of sync with the installer change.


@github-actions (Contributor) commented
PR Review Advisor

Recommendation: blocked
Confidence: high
Analyzed HEAD: 5b42d8a0485ceba17d7d84504496207fc7e38dbc
Findings: 3 blocker(s), 2 warning(s), 0 suggestion(s)

This is an automated advisory review. A human maintainer must make the final merge decision.

Limitations:
  • This review used the supplied trusted metadata and read-only file inspection only; it did not execute tests, npm commands, installer scripts, or E2E workflows.
  • The linked issue #3798 acceptance includes lockfile regeneration provenance; the PR diff does not include nemoclaw/package-lock.json, so resync provenance could not be confirmed from changed files.
  • E2E Advisor reported required cloud jobs were auto-dispatched, but the supplied status rollup did not include their pass/fail conclusions.
  • The exact unit-vitest-linux failure log was not provided; the test-stub finding is based on diff, grep evidence, unresolved review thread, and failed context metadata.
  • Open PR overlaps were identified from trusted metadata, but their diffs were not reviewed here.

Workflow run

Full advisor summary

PR Review Advisor

Base: origin/main
Head: HEAD
Analyzed SHA: 5b42d8a0485ceba17d7d84504496207fc7e38dbc
Recommendation: blocked
Confidence: high

Installer and CI lockfile direction is appropriate, but merge is blocked by mergeStateStatus=BLOCKED, an unresolved review thread, a unit-vitest-linux failure tied to stale npm stubs, and missing pass evidence for required cloud E2Es at the head SHA.

Gate status

  • CI: pass — Required contexts checks, commit-lint, dco-check, check-hash, and changes completed successfully for 5b42d8a; however unit-vitest-linux is a non-required failed context and several non-required contexts are still pending.
  • Mergeability: fail — GitHub GraphQL reports mergeStateStatus=BLOCKED and reviewDecision=REVIEW_REQUIRED for PR fix(installer): preserve npm lockfiles during install #4029 at head 5b42d8a.
  • Review threads: fail — 1 unresolved review thread remains: CodeRabbit reports test/install-preflight.test.ts npm stub snippets still reject npm ci.
  • Risky code tested: fail — Risky installer/bootstrap shell and onboarding/host glue changed. Test files were added/updated, but unit-vitest-linux failed and required cloud-e2e/cloud-onboard-e2e pass evidence for this head SHA was not present.

🔴 Blockers

  • Several npm test stubs still only accept npm install, causing the migrated installer path to fail tests (test/install-preflight.test.ts:299): The shared stub dispatch now reaches installSnippet for npm ci, but many installSnippet bodies still only handle "$1" = "install". After scripts/install.sh changed source and clone paths to run npm ci --ignore-scripts, these tests can fall through to the generic unexpected npm invocation path. This aligns with the failed unit-vitest-linux check and the unresolved review thread.
    • Recommendation: Update every installer test npm snippet that models dependency installation to accept ci with the same semantics as install, or normalize ci/install in writeNpmStub before invoking snippets. Re-run the affected Vitest suite in CI and resolve the review thread after verification.
    • Evidence: grep found install-only branches at test/install-preflight.test.ts:299, 402, 725, 827, 934, 1039, 1278, 1365, 1436, 1593, 1725, 1828, 1969, 2075, and 3361. GraphQL rollup shows unit-vitest-linux conclusion=FAILURE, and the unresolved thread is on test/install-preflight.test.ts:100.
  • Required E2E jobs have no pass evidence for the current head SHA: The E2E Advisor requires cloud-e2e and cloud-onboard-e2e because this PR changes the installer source-checkout and GitHub-clone paths. The advisor comment says they were auto-dispatched for 5b42d8a, but the supplied status rollup does not show either required job passing for that SHA.
    • Recommendation: Wait for cloud-e2e and cloud-onboard-e2e to complete successfully for head SHA 5b42d8a before considering the installer-path change merge-ready.
    • Evidence: E2E Advisor comment: Required E2E: cloud-e2e, cloud-onboard-e2e. Status rollup includes successful macos-e2e and wsl-e2e, but no passed cloud-e2e or cloud-onboard-e2e entries.
  • PR is not currently mergeable despite required contexts passing: Required status contexts are green, but GitHub reports mergeStateStatus=BLOCKED and there is a failed non-required unit-vitest-linux context plus an unresolved review thread. This is a hard gate failure for a risky installer change.
    • Recommendation: Resolve the failed unit test context and unresolved review thread, then confirm mergeability is no longer blocked at the same head SHA.
    • Evidence: GraphQL: mergeStateStatus=BLOCKED, reviewDecision=REVIEW_REQUIRED; reviewThreads has one unresolved node; statusCheckRollup includes unit-vitest-linux conclusion=FAILURE.

🟡 Warnings

  • OpenClaw restore failure is downgraded to a warning on a required build prerequisite (scripts/install.sh:1303): The new restore_pre_extracted_openclaw helper logs a warning and continues if OpenClaw package restoration fails, even though later build steps may need the restored OpenClaw contents. This preserves previous warning behavior, but the changed ordering makes restore-after-ci more central to success because npm ci removes node_modules.
    • Recommendation: Consider failing fast when NEMOCLAW_AGENT is unset or openclaw and the restore fails before build steps that require OpenClaw, or add explicit tests proving all affected build paths fail clearly and recoverably.
    • Evidence: scripts/install.sh:1303-1304 runs spin "Restoring OpenClaw package" ... || warn "OpenClaw package restore failed - subsequent build steps may fail"; install_nemoclaw then proceeds to build CLI/plugin.
  • Open PR overlap touches the same installer and preflight files (scripts/install.sh:1398): There is active parallel work touching scripts/install.sh and test/install-preflight.test.ts, so this PR may need revalidation after rebasing or after overlapping changes land. Installer sequencing is particularly sensitive to small ordering changes around dependency install, build, link, onboarding, and OpenClaw restore.

🔵 Suggestions

  • None.

Acceptance coverage

  • partial — Fresh install of NemoClaw v0.0.45 fails during onboarding when the sandbox image builds. Step 7/70 of the Dockerfile (RUN npm ci && npm run build) crashes with:: PR changes install flow to preserve lockfiles before sandbox build, but this review did not receive passing cloud-onboard-e2e/cloud-e2e evidence for the current head SHA.
  • met — This is the same symptom as Version 0.0.31 Sandbox creation failed (exit 1). #2760 (closed as "fixed on main"), but the fix referenced in that issue's closing comment only addressed the root package-lock.json.: .github/actions/basic-checks/action.yaml now validates both root and nemoclaw lockfiles with npm ci --ignore-scripts --dry-run before install.
  • met — root package.json / package-lock.json — host CLI build (validated, in sync): Validate npm lockfiles step runs npm ci --ignore-scripts --dry-run at repository root before Install dependencies.
  • partial — nemoclaw/package.json / nemoclaw/package-lock.json — payload baked into the sandbox image at build time (not in sync): Validate npm lockfiles step cd's into nemoclaw and runs npm ci --ignore-scripts --dry-run, and current nemoclaw/package-lock.json contains node_modules/@emnapi/core and node_modules/@emnapi/runtime entries. The PR diff does not include a lockfile change, so the resync itself is not attributable to this patch.
  • met — It is tempting to tell users to just run cd ~/.nemoclaw/source/nemoclaw && npm install --package-lock-only and move on. This does not fix the build, and the failure mode is subtle:: scripts/install.sh replaces host-side npm install with npm ci --ignore-scripts, avoiding package-lock rewrites during install.
  • partial — Where you run npm install --package-lock-only | Resulting nemoclaw/package-lock.json | npm ci --dry-run on macOS | npm ci inside node:22-trixie-slim (the build container): CI guard validates with npm ci --dry-run on Linux, and macos-e2e passed, but required cloud E2Es have no pass evidence in the supplied rollup.
  • unknown — In a v0.0.45 source clone (~/.nemoclaw/source):: The PR targets current code, not the v0.0.45 release clone; no direct v0.0.45 validation evidence was provided.
  • met — Root | package-lock.json | ✅ in sync: Root dry-run validation is added in .github/actions/basic-checks/action.yaml and required checks passed.
  • partial — Subdir (as shipped) | nemoclaw/package-lock.json | ❌ Missing @emnapi/core@1.9.2, @emnapi/runtime@1.9.2 (macOS) / @1.10.0 (Linux): Current checkout has nemoclaw/package-lock.json entries for node_modules/@emnapi/core and node_modules/@emnapi/runtime, but the PR did not change the lockfile and required cloud E2E pass evidence is missing.
  • unknown — 1. curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 NEMOCLAW_INSTALL_TAG=v0.0.45 bash: No evidence was provided that the exact v0.0.45 curl|bash reproduction was rerun; the patch affects current install.sh behavior.
  • unknown — 2. The installer's auto-onboard at step [3/8] reaches the sandbox-build step and fails at Dockerfile Step 7/70 (RUN npm ci && npm run build).: The required cloud-onboard-e2e that would exercise public installer/onboard is required but not shown as passed for the head SHA.
  • met — Standalone reproduction without onboarding the agent:: The new Validate npm lockfiles step performs the standalone reproduction shape by running npm ci --ignore-scripts --dry-run in nemoclaw before dependency install.
  • unknown — Regenerate the lockfile inside the same Linux image used by the sandbox build, not on the host:: No lockfile regeneration command or package-lock diff is present in this PR. Current lockfile contains the expected @emnapi entries, but provenance is not shown by the changed files.
  • unknown — 1. Re-sync nemoclaw/package-lock.json against nemoclaw/package.json by regenerating it inside the same Linux image the sandbox Dockerfile uses (node:22-trixie-slim pinned by SHA in Dockerfile). Regenerating on a maintainer's macOS dev machine will reintroduce this same bug, just with platform-specific optional deps stripped from the lockfile rather than missing.: changedFiles excludes nemoclaw/package-lock.json. Current file includes @emnapi core/runtime entries, but this patch does not demonstrate the Linux-image regeneration step.
  • met — 2. Add a CI guard that runs npm ci --ignore-scripts --dry-run against nemoclaw/package-lock.json on Linux, in addition to the existing root-level check. A guard that only runs on the maintainer's local platform won't catch this — the problem is precisely the macOS↔Linux divergence in optional-dep resolution.: .github/actions/basic-checks/action.yaml adds Validate npm lockfiles before Install dependencies, running npm ci --ignore-scripts --dry-run at root and after cd nemoclaw. The required checks context passed for this Linux CI action.
  • unknown — - [x] I confirmed this bug is reproducible: Issue reporter checked this, but this PR review has no independent reproduction run evidence beyond CI signals.
  • unknown — - [x] I searched existing issues and this is not a duplicate: Issue metadata contains the checklist item and a related issue comment, but no diff evidence is applicable.
  • partial — ✨ Thanks for submitting this detailed issue about the sandbox build failure on macOS. This report identifies a problem with the onboarding process silently accepting an invalid package-lock.json file, which can lead to issues later in the setup process.: CI now fails earlier on invalid lockfiles, but required E2E pass evidence for the onboarding process is missing.
  • unknown — Related open issues:: The comment lists related issue Version 0.0.31 Sandbox creation failed (exit 1). #2760; no direct acceptance action is required by this PR.
  • unknown — - #2760 Version 0.0.31 Sandbox creation failed (exit 1).: The PR supersedes/fixes [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798; this review did not inspect Version 0.0.31 Sandbox creation failed (exit 1). #2760 beyond the linked comment.

Security review

  • pass — 1. Secrets and Credentials: No hardcoded secrets, tokens, PEM files, credential JSON, or new secret-bearing environment variables appear in the diff. The installer and CI commands do not log credentials beyond existing npm/GitHub operations.
  • warning — 2. Input Validation and Data Sanitization: The change does not add new external input parsing, but it modifies shell execution around installer paths and OpenClaw restoration. Existing shell commands interpolate resolved install directories into bash -c and node -e snippets; no new confirmed injection was introduced, but installer shell paths remain a sensitive area requiring E2E coverage.
  • pass — 3. Authentication and Authorization: No authentication, authorization, token validation, endpoint access control, or privilege escalation logic is added or modified.
  • warning — 4. Dependencies and Third-Party Libraries: The PR improves reproducibility by switching npm install to npm ci and adding dry-run lockfile checks. It still relies on existing npm registry downloads and npm pack openclaw during install; no new dependency is introduced, but required E2E pass evidence is missing for the changed install paths.
  • warning — 5. Error Handling and Logging: OpenClaw restore failure is logged as a warning and the installer continues, even though the changed npm ci ordering makes restoration after node_modules removal important for subsequent builds. This is not a secret leak, but it can defer failure and complicate diagnosis.
  • pass — 6. Cryptography and Data Protection: Not applicable — no cryptographic operations, encryption, hashing for security decisions, or data protection mechanisms are changed. Existing hadolint checksum verification remains unchanged.
  • warning — 7. Configuration and Security Headers: The composite action changes CI dependency installation behavior and adds lockfile validation. It does not change HTTP headers or container security posture. Existing actions/setup-node@v6 and curl-based hadolint retrieval are not newly introduced; installer/workflow changes are high-risk and need the required E2E gate to prove secure defaults are preserved.
  • warning — 8. Security Testing: Tests were added for lockfile CI guard ordering and installer npm ci behavior, but unit-vitest-linux failed and an unresolved thread indicates several npm stubs still reject npm ci. Required cloud E2Es for installer/onboard paths are missing in the supplied status evidence.
  • warning — 9. Holistic Security Posture: The intended posture improves supply-chain determinism by preventing host npm install from mutating lockfiles. However, risky installer/bootstrap and onboarding paths are not fully validated because mergeability is blocked, a unit test context failed, and required cloud E2Es are not shown passing for the head SHA.

Test / E2E status

  • Test depth: e2e_required — Runtime/sandbox/infrastructure paths changed in .github/actions/basic-checks/action.yaml and scripts/install.sh. Unit/static tests cover intended command ordering, but the installer has real npm, shell, OpenClaw restore, build, link, onboard, sandbox, and network interactions that mocks cannot fully prove. Current evidence includes a unit-vitest-linux failure and no passed cloud-e2e/cloud-onboard-e2e entries for the head SHA.
  • E2E Advisor: missing
  • Required E2E jobs: cloud-e2e, cloud-onboard-e2e
  • Missing for analyzed SHA: cloud-e2e, cloud-onboard-e2e

✅ What looks good

  • The PR patches active files that still exist and directly targets the reported installer/lockfile failure path.
  • Replacing npm install with npm ci --ignore-scripts is the correct direction for preventing host-side package-lock rewrites.
  • The basic-checks action now validates both root and nemoclaw lockfiles before installing dependencies, catching drift earlier.
  • The new lockfile-ci-guard test asserts guard ordering and prevents basic-checks from regressing back to npm install.
  • The updated source-checkout test attempts to verify OpenClaw restoration occurs after npm ci and before build steps, which is the right behavior to cover.

Review completeness

  • This review used the supplied trusted metadata and read-only file inspection only; it did not execute tests, npm commands, installer scripts, or E2E workflows.
  • The linked issue [macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760) #3798 acceptance includes lockfile regeneration provenance; the PR diff does not include nemoclaw/package-lock.json, so resync provenance could not be confirmed from changed files.
  • E2E Advisor reported required cloud jobs were auto-dispatched, but the supplied status rollup did not include their pass/fail conclusions.
  • The exact unit-vitest-linux failure log was not provided; the test-stub finding is based on diff, grep evidence, unresolved review thread, and failed context metadata.
  • Open PR overlaps were identified from trusted metadata, but their diffs were not reviewed here.
  • Human maintainer review required: yes

@github-actions (Contributor) commented
Selective E2E Results — ✅ All requested jobs passed

Run: 26262466547
Target ref: 5b42d8a0485ceba17d7d84504496207fc7e38dbc
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job Result
cloud-e2e ✅ success
cloud-onboard-e2e ✅ success

wscurran added the labels fix, NemoClaw CLI and Platform: macOS on May 22, 2026

Labels

  • fix
  • NemoClaw CLI: Use this label to identify issues with the NemoClaw command-line interface (CLI).
  • Platform: macOS: Support for macOS


Development

Successfully merging this pull request may close these issues.

[macOS][Onboard] v0.0.45 sandbox build fails on RUN npm ci: nemoclaw/package-lock.json out of sync (regression of #2760)

3 participants