chore: harden install scripts and add smoke ci

Author: steipete

.github/workflows/install-smoke.yml

@@ -0,0 +1,38 @@
+name: Install Smoke
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  install-smoke:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout installer
+        uses: actions/checkout@v4
+
+      - name: Build smoke image (root)
+        run: docker build -t clawdbot-install-smoke:ci -f scripts/docker/install-sh-smoke/Dockerfile scripts/docker/install-sh-smoke
+
+      - name: Run install smoke (root)
+        env:
+          CLAWDBOT_INSTALL_URL: file://$GITHUB_WORKSPACE/public/install.sh
+          CLAWDBOT_NO_ONBOARD: "1"
+        run: docker run --rm -t -e CLAWDBOT_INSTALL_URL -e CLAWDBOT_NO_ONBOARD clawdbot-install-smoke:ci
+
+      - name: Build non-root image
+        run: docker build -t clawdbot-install-nonroot:ci -f scripts/docker/install-sh-nonroot/Dockerfile scripts/docker/install-sh-nonroot
+
+      - name: Run install smoke (non-root + CLI)
+        env:
+          CLAWDBOT_INSTALL_URL: file://$GITHUB_WORKSPACE/public/install.sh
+          CLAWDBOT_INSTALL_CLI_URL: file://$GITHUB_WORKSPACE/public/install-cli.sh
+          CLAWDBOT_NO_ONBOARD: "1"
+        run: |
+          docker run --rm -t \
+            -e CLAWDBOT_INSTALL_URL \
+            -e CLAWDBOT_INSTALL_CLI_URL \
+            -e CLAWDBOT_NO_ONBOARD \
+            clawdbot-install-nonroot:ci

public/install-cli.sh

@@ -9,6 +9,7 @@ CLAWDBOT_VERSION="${CLAWDBOT_VERSION:-latest}"
 NODE_VERSION="${CLAWDBOT_NODE_VERSION:-22.12.0}"
 JSON=0
 RUN_ONBOARD=0
+SET_NPM_PREFIX=0
 
 print_usage() {
   cat <<EOF
@@ -19,6 +20,7 @@ Usage: install-cli.sh [options]
   --node-version <ver>   Node version (default: 22.12.0)
   --onboard              Run "clawdbot onboard" after install
   --no-onboard           Skip onboarding (default)
+  --set-npm-prefix       Force npm prefix to ~/.npm-global if current prefix is not writable (Linux)
 EOF
 }
 
@@ -79,6 +81,10 @@ parse_args() {
         print_usage
         exit 0
         ;;
+      --set-npm-prefix)
+        SET_NPM_PREFIX=1
+        shift
+        ;;
       *)
         fail "Unknown option: $1"
         ;;
@@ -158,10 +164,45 @@ install_node() {
   emit_json "{\"event\":\"step\",\"name\":\"node\",\"status\":\"ok\",\"version\":\"${NODE_VERSION}\"}"
 }
 
+fix_npm_prefix_if_needed() {
+  # only meaningful on Linux, non-root installs
+  if [[ "$(os_detect)" != "linux" ]]; then
+    return
+  fi
+
+  local prefix
+  prefix="$("$(npm_bin)" config get prefix 2>/dev/null || true)"
+  if [[ -z "$prefix" ]]; then
+    return
+  fi
+
+  if [[ -w "$prefix" || -w "${prefix}/lib" ]]; then
+    return
+  fi
+
+  local target="${HOME}/.npm-global"
+  mkdir -p "$target"
+  "$(npm_bin)" config set prefix "$target"
+
+  local path_line="export PATH=\\\"${target}/bin:\\$PATH\\\""
+  for rc in "${HOME}/.bashrc" "${HOME}/.zshrc"; do
+    if [[ -f "$rc" ]] && ! grep -q ".npm-global" "$rc"; then
+      echo "$path_line" >> "$rc"
+    fi
+  done
+
+  export PATH="${target}/bin:${PATH}"
+  emit_json "{\"event\":\"step\",\"name\":\"npm-prefix\",\"status\":\"ok\",\"prefix\":\"${target//\"/\\\"}\"}"
+  log "Configured npm prefix to ${target}"
+}
+
 install_clawdbot() {
   emit_json "{\"event\":\"step\",\"name\":\"clawdbot\",\"status\":\"start\",\"version\":\"${CLAWDBOT_VERSION}\"}"
   log "Installing Clawdbot (${CLAWDBOT_VERSION})..."
   require_bin git
+  if [[ "$SET_NPM_PREFIX" -eq 1 ]]; then
+    fix_npm_prefix_if_needed
+  fi
   "$(npm_bin)" install -g --prefix "$PREFIX" "clawdbot@${CLAWDBOT_VERSION}"
   rm -f "${PREFIX}/bin/clawdbot"
   cat > "${PREFIX}/bin/clawdbot" <<EOF
@@ -184,9 +225,16 @@ resolve_clawdbot_version() {
 main() {
   parse_args "$@"
 
+  if [[ "${CLAWDBOT_NO_ONBOARD:-0}" == "1" ]]; then
+    RUN_ONBOARD=0
+  fi
+
   export PATH="$(node_dir)/bin:${PREFIX}/bin:${PATH}"
 
   install_node
+  if [[ "$SET_NPM_PREFIX" -eq 1 ]]; then
+    fix_npm_prefix_if_needed
+  fi
   install_clawdbot
 
   local installed_version

public/install.sh

@@ -138,6 +138,26 @@ pick_tagline() {
 
 TAGLINE=$(pick_tagline)
 
+NO_ONBOARD=${CLAWDBOT_NO_ONBOARD:-0}
+
+parse_args() {
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --no-onboard)
+                NO_ONBOARD=1
+                shift
+                ;;
+            --onboard)
+                NO_ONBOARD=0
+                shift
+                ;;
+            *)
+                shift
+                ;;
+        esac
+    done
+}
+
 echo -e "${ACCENT}${BOLD}"
 echo "  🦞 Clawdbot Installer"
 echo -e "${NC}${ACCENT_DIM}  ${TAGLINE}${NC}"
@@ -225,6 +245,67 @@ install_node() {
     fi
 }
 
+# Check Git
+check_git() {
+    if command -v git &> /dev/null; then
+        echo -e "${SUCCESS}✓${NC} Git already installed"
+        return 0
+    fi
+    echo -e "${WARN}→${NC} Git not found"
+    return 1
+}
+
+install_git() {
+    echo -e "${WARN}→${NC} Installing Git..."
+    if [[ "$OS" == "macos" ]]; then
+        brew install git
+    elif [[ "$OS" == "linux" ]]; then
+        if command -v apt-get &> /dev/null; then
+            sudo apt-get update -y
+            sudo apt-get install -y git
+        elif command -v dnf &> /dev/null; then
+            sudo dnf install -y git
+        elif command -v yum &> /dev/null; then
+            sudo yum install -y git
+        else
+            echo -e "${ERROR}Error: Could not detect package manager for Git${NC}"
+            exit 1
+        fi
+    fi
+    echo -e "${SUCCESS}✓${NC} Git installed"
+}
+
+# Fix npm permissions for global installs (Linux)
+fix_npm_permissions() {
+    if [[ "$OS" != "linux" ]]; then
+        return 0
+    fi
+
+    local npm_prefix
+    npm_prefix="$(npm config get prefix 2>/dev/null || true)"
+    if [[ -z "$npm_prefix" ]]; then
+        return 0
+    fi
+
+    if [[ -w "$npm_prefix" || -w "$npm_prefix/lib" ]]; then
+        return 0
+    fi
+
+    echo -e "${WARN}→${NC} Configuring npm for user-local installs..."
+    mkdir -p "$HOME/.npm-global"
+    npm config set prefix "$HOME/.npm-global"
+
+    local path_line='export PATH="$HOME/.npm-global/bin:$PATH"'
+    for rc in "$HOME/.bashrc" "$HOME/.zshrc"; do
+        if [[ -f "$rc" ]] && ! grep -q ".npm-global" "$rc"; then
+            echo "$path_line" >> "$rc"
+        fi
+    done
+
+    export PATH="$HOME/.npm-global/bin:$PATH"
+    echo -e "${SUCCESS}✓${NC} npm configured for user installs"
+}
+
 # Check for existing Clawdbot installation
 check_existing_clawdbot() {
     if command -v clawdbot &> /dev/null; then
@@ -279,10 +360,18 @@ main() {
         install_node
     fi
 
-    # Step 3: Clawdbot
+    # Step 3: Git (required for npm installs that may fetch from git or apply patches)
+    if ! check_git; then
+        install_git
+    fi
+
+    # Step 4: npm permissions (Linux)
+    fix_npm_permissions
+
+    # Step 5: Clawdbot
     install_clawdbot
 
-    # Step 4: Run doctor for migrations if upgrading
+    # Step 6: Run doctor for migrations if upgrading
     if [[ "$is_upgrade" == "true" ]]; then
         run_doctor
     fi
@@ -301,13 +390,18 @@ main() {
     if [[ "$is_upgrade" == "true" ]]; then
         echo -e "Upgrade complete. Run ${INFO}clawdbot doctor${NC} to check for additional migrations."
     else
-        echo -e "Starting setup..."
-        echo ""
-        exec clawdbot onboard
+        if [[ "$NO_ONBOARD" == "1" ]]; then
+            echo -e "Skipping onboard (requested). Run ${INFO}clawdbot onboard${NC} later."
+        else
+            echo -e "Starting setup..."
+            echo ""
+            exec clawdbot onboard
+        fi
     fi
 
     echo ""
     echo -e "FAQ: ${INFO}https://docs.clawd.bot/start/faq${NC}"
 }
 
+parse_args "$@"
 main

scripts/docker/install-sh-nonroot/Dockerfile

@@ -0,0 +1,23 @@
+FROM ubuntu:24.04
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+    bash \
+    ca-certificates \
+    curl \
+    sudo \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m -s /bin/bash app \
+  && echo "app ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/app
+
+USER app
+WORKDIR /home/app
+
+ENV NPM_CONFIG_FUND=false
+ENV NPM_CONFIG_AUDIT=false
+
+COPY run.sh /usr/local/bin/clawdbot-install-nonroot
+RUN sudo chmod +x /usr/local/bin/clawdbot-install-nonroot
+
+ENTRYPOINT ["/usr/local/bin/clawdbot-install-nonroot"]

scripts/docker/install-sh-nonroot/run.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+INSTALL_URL="${CLAWDBOT_INSTALL_URL:-https://clawd.bot/install.sh}"
+CLI_INSTALL_URL="${CLAWDBOT_INSTALL_CLI_URL:-https://clawd.bot/install-cli.sh}"
+
+echo "==> Pre-flight: ensure git absent"
+if command -v git >/dev/null; then
+  echo "git is present unexpectedly" >&2
+  exit 1
+fi
+
+echo "==> Run installer (non-root user)"
+curl -fsSL "$INSTALL_URL" | bash --no-onboard
+
+# Ensure PATH picks up user npm prefix
+export PATH="$HOME/.npm-global/bin:$PATH"
+
+echo "==> Verify git installed"
+command -v git >/dev/null
+
+echo "==> Verify clawdbot installed"
+LATEST_VERSION="$(npm view clawdbot version)"
+CMD_PATH="$(command -v clawdbot || true)"
+if [[ -z "$CMD_PATH" && -x "$HOME/.npm-global/bin/clawdbot" ]]; then
+  CMD_PATH="$HOME/.npm-global/bin/clawdbot"
+fi
+if [[ -z "$CMD_PATH" ]]; then
+  echo "clawdbot not on PATH" >&2
+  exit 1
+fi
+INSTALLED_VERSION="$("$CMD_PATH" --version 2>/dev/null | head -n 1 | tr -d '\r')"
+
+echo "installed=$INSTALLED_VERSION expected=$LATEST_VERSION"
+if [[ "$INSTALLED_VERSION" != "$LATEST_VERSION" ]]; then
+  echo "ERROR: expected clawdbot@$LATEST_VERSION, got @$INSTALLED_VERSION" >&2
+  exit 1
+fi
+
+echo "==> Sanity: CLI runs"
+"$CMD_PATH" --help >/dev/null
+
+echo "==> Run CLI installer (should also succeed non-root)"
+curl -fsSL "$CLI_INSTALL_URL" | bash -s -- --set-npm-prefix --no-onboard
+
+echo "OK"

scripts/docker/install-sh-smoke/Dockerfile

@@ -0,0 +1,14 @@
+FROM node:22-bookworm-slim
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+    bash \
+    ca-certificates \
+    curl \
+    sudo \
+  && rm -rf /var/lib/apt/lists/*
+
+COPY run.sh /usr/local/bin/clawdbot-install-smoke
+RUN chmod +x /usr/local/bin/clawdbot-install-smoke
+
+ENTRYPOINT ["/usr/local/bin/clawdbot-install-smoke"]

scripts/docker/install-sh-smoke/run.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+INSTALL_URL="${CLAWDBOT_INSTALL_URL:-https://clawd.bot/install.sh}"
+
+echo "==> Resolve npm versions"
+LATEST_VERSION="$(npm view clawdbot version)"
+PREVIOUS_VERSION="$(node - <<'NODE'
+const { execSync } = require("node:child_process");
+
+const versions = JSON.parse(execSync("npm view clawdbot versions --json", { encoding: "utf8" }));
+if (!Array.isArray(versions) || versions.length === 0) {
+  process.exit(1);
+}
+const previous = versions.length >= 2 ? versions[versions.length - 2] : versions[0];
+process.stdout.write(previous);
+NODE
+)"
+
+echo "latest=$LATEST_VERSION previous=$PREVIOUS_VERSION"
+
+echo "==> Preinstall previous (forces installer upgrade path)"
+npm install -g "clawdbot@${PREVIOUS_VERSION}"
+
+echo "==> Run official installer one-liner"
+curl -fsSL "$INSTALL_URL" | bash --no-onboard
+
+echo "==> Verify installed version"
+INSTALLED_VERSION="$(clawdbot --version 2>/dev/null | head -n 1 | tr -d '\r')"
+echo "installed=$INSTALLED_VERSION expected=$LATEST_VERSION"
+
+if [[ "$INSTALLED_VERSION" != "$LATEST_VERSION" ]]; then
+  echo "ERROR: expected clawdbot@$LATEST_VERSION, got clawdbot@$INSTALLED_VERSION" >&2
+  exit 1
+fi
+
+echo "==> Sanity: CLI runs"
+clawdbot --help >/dev/null
+
+echo "OK"