fix(uninstall): stop confirm prompt auto-abort on TTY

[hunglp6d]

Summary

Interactive nemoclaw uninstall printed Proceed? [y/N] and then immediately Aborted. before the user could type — on every Linux TTY. Regression from #5020, which replaced the child-shell stdin read with an in-process fs.readSync(0) loop: buildRuntime touches process.stdin to detect a TTY, which flips fd 0 to non-blocking (libuv side effect), so the empty read throws EAGAIN and the catch treated it as EOF. This PR detects the TTY without side effects, retries transient read errors, and clarifies the abort message.

Related Issue

Fixes #5188

Changes

• Detect TTY via tty.isatty(0) in buildRuntime instead of process.stdin.isTTY, which instantiates the stdin stream and switches fd 0 to non-blocking mode for the rest of the process.
• Retry EAGAIN/EWOULDBLOCK (25 ms sleep) and EINTR in defaultReadLine instead of conflating them with EOF; hard errors and real EOF keep prior behavior (return buffered bytes or null).
• Print a re-run with --yes hint when stdin yields no input at the confirm prompt instead of a bare Aborted..
• Export defaultReadLine with injectable readSync/sleep deps; add 7 unit tests (EAGAIN retry, EINTR, EOF, CRLF, partial-line, hard errors) and 1 integration test for the no-input message.

Manually verified under a pty against the compiled CLI: with fd 0 poisoned non-blocking, the prompt now waits for input (read "y" after ~1 s) instead of aborting in ~1 ms; full internal uninstall run-plan waits and aborts only after an actual n.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Hung Le hple@nvidia.com

Summary by CodeRabbit

• Bug Fixes

  • Improved uninstall confirmation behavior when stdin is closed/non-interactive; now logs a clear message and guides rerunning with --yes.
  • Better terminal detection to avoid unwanted side effects and ensure interactive prompts behave correctly.

• Tests

  • Added robust tests covering no-stdin, TTY vs non-TTY, retry/error cases, and PTY-driven prompt interactions to prevent regressions.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c3a2bfd2-85cf-4861-9734-59eab37275aa

📥 Commits

Reviewing files that changed from the base of the PR and between 24e1a5b and 6d9b49a.

📒 Files selected for processing (6)

• src/lib/actions/uninstall/run-plan.test.ts
• src/lib/actions/uninstall/run-plan.ts
• src/lib/core/stdin.test.ts
• src/lib/core/stdin.ts
• test/fixtures/uninstall-prompt-pty-driver.ts
• test/uninstall-prompt-pty.test.ts

💤 Files with no reviewable changes (2)

• test/fixtures/uninstall-prompt-pty-driver.ts
• test/uninstall-prompt-pty.test.ts

---

📝 Walkthrough

Walkthrough

Adds a reusable fd(0) stdin reader and isatty check, wires them into the uninstall runtime (replacing the local reader), logs a clear message when stdin is unavailable, and adds unit and PTY tests plus a PTY fixture to validate interactive prompt behavior.

Changes

Uninstall interactive reader refactoring

Layer / File(s)	Summary
Core stdin reader and tests src/lib/core/stdin.ts, src/lib/core/stdin.test.ts	Adds isStdinTty() and readLineFromStdin(deps?) (byte-wise fd 0 reads, EAGAIN/EWOULDBLOCK retry, EINTR handling, non-TTY deadline) and unit tests covering errno behavior, CRLF/EOF, partial-buffer semantics, and TTY detection.
run-plan integration and unit tests src/lib/actions/uninstall/run-plan.ts, src/lib/actions/uninstall/run-plan.test.ts	Replaces local default reader with imports from core/stdin, updates buildRuntime to use isStdinTty() and readLineFromStdin(), adds messaging when readLine() returns null, and hardens multiple uninstall tests by explicitly controlling NEMOCLAW_* env vars and adding tests for null-read and default-runtime stdin safety.
PTY fixture and integration tests test/fixtures/uninstall-prompt-pty-driver.ts, test/uninstall-prompt-pty.test.ts	Adds a PTY driver and Linux-only Vitest suite that runs uninstall under script -qec with hermetic env/stubs to assert the prompt blocks for input, accepts typed y/n sequences, and exercises the preservation second prompt.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

v0.0.64

• cv
• prekshivyas

"I nibble bytes from fd zero in the night,
EAGAIN makes me wait, EINTR bounces light,
TTY asks the kernel, not a stream to pry,
If stdin is gone I say 're-run with --yes' — bye! 🐇"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(uninstall): stop confirm prompt auto-abort on TTY' accurately describes the primary bug fix: preventing the confirm prompt from immediately aborting on TTYs due to stdin being set to non-blocking mode.
Linked Issues check	✅ Passed	The PR comprehensively addresses all coding requirements from issue #5188: uses tty.isatty(0) instead of process.stdin.isTTY, implements EAGAIN/EWOULDBLOCK/EINTR retry logic in readLineFromStdin, exports injectable stdin helpers, provides improved user messaging, and adds comprehensive unit and integration tests.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the confirm-prompt auto-abort bug: stdin TTY detection refactoring, read-retry logic, test coverage for stdin error handling, integration tests for prompt behavior under real PTYs, and the uninstall prompt test hardening to prevent interactive/non-interactive branching regressions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/uninstall-prompt-eagain-abort

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: gpu-e2e
Optional E2E: sandbox-operations-e2e, cloud-e2e

Dispatch hint: gpu-e2e

Auto-dispatched E2E: gpu-e2e via nightly-e2e.yaml at f5bcec61aca3964825856a0a296dce0481e9c13f — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• gpu-e2e (high): Best existing E2E coverage for the changed uninstall plan: test/e2e/test-gpu-e2e.sh runs a real install/onboard/local Ollama flow, then exercises bash uninstall.sh --yes --delete-models and verifies cleanup of ~/.nemoclaw after destroying resources. Although it does not cover the interactive prompt, it is the only existing E2E job found that executes the real uninstall path after a live sandbox/inference flow.

Optional E2E

• sandbox-operations-e2e (high): Adjacent confidence for sandbox lifecycle state and OpenShell gateway behavior. It does not directly exercise uninstall prompts, but the changed run plan removes OpenShell helper resources and sandbox state, so this is useful if maintainers want broader lifecycle validation without relying only on the GPU uninstall path.
• cloud-e2e (medium): Broad install → onboard → live inference smoke for the primary OpenClaw user journey. It does not directly test uninstall, but it can catch build/runtime regressions from the new shared stdin helper import and CLI changes before users reach uninstall.

New E2E recommendations

• interactive uninstall prompt under a real pseudo-TTY (high): The PR adds strong process-level Vitest coverage for [All Platforms][Uninstall] Confirm prompt self-aborts before user can type #5188, but no existing dispatchable E2E job appears to target interactive uninstall prompts specifically. Existing uninstall E2E coverage uses --yes and therefore does not exercise readLineFromStdin, EAGAIN/EWOULDBLOCK retry behavior, second user-data prompt handling, or the bash uninstall.sh wrapper waiting for typed input on a poisoned fd 0.
  • Suggested test: Add a lightweight Linux E2E/script-runner job that runs test/uninstall-prompt-pty.test.ts or an equivalent bash-driven pseudo-TTY uninstall prompt scenario under util-linux script -qec, with destructive uninstall dependencies stubbed as in test/fixtures/uninstall-prompt-pty-driver.ts.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: gpu-e2e

[github-actions]

PR Review Advisor

Findings: 1 needs attention, 1 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 2 still apply, 0 new items found

Review findings

🛠️ Needs attention

• Avoid growing the uninstall run-plan test monolith (src/lib/actions/uninstall/run-plan.test.ts:1): This PR adds more coverage to an already-large uninstall test file. The deterministic size check reports `run-plan.test.ts` grew from 989 to 1059 lines, a +70 line increase in a current large-file hotspot.
  • Recommendation: Move the newly added prompt/default-runtime cases into a focused test file, such as a prompt-specific uninstall run-plan test, or offset the growth by extracting existing related cases so this hotspot does not keep expanding.
  • Evidence: Monolith delta context: `src/lib/actions/uninstall/run-plan.test.ts`, baseLines 989, headLines 1059, delta 70, rationale: current monolith grew by 20 or more lines.

🔎 Worth checking

• Quote or avoid shell strings in the PTY test helper (test/uninstall-prompt-pty.test.ts:39): The new PTY helper passes a composed command string to `script -qec`, and callers interpolate repository paths into that string. These paths are trusted in CI, so this is test-only risk, but local checkouts with spaces or shell metacharacters can make the test parse unintended tokens or fail for reasons unrelated to the behavior under test.
  • Recommendation: Quote each path component before building the `script -qec` command, or use a tiny argv-safe wrapper script/driver so `tsx`, the driver path, `bash`, and `uninstall.sh` are not parsed from an unquoted shell string.
  • Evidence: `spawnUnderPty(command)` calls `spawn("script", ["-qec", command, "/dev/null"], ...)`, and tests pass strings such as `${TSX} ${DRIVER}` and `bash ${UNINSTALL_SH}`.

🌱 Nice ideas

• None.

Since last review details

Current findings:

• Avoid growing the uninstall run-plan test monolith (src/lib/actions/uninstall/run-plan.test.ts:1): This PR adds more coverage to an already-large uninstall test file. The deterministic size check reports `run-plan.test.ts` grew from 989 to 1059 lines, a +70 line increase in a current large-file hotspot.
  • Recommendation: Move the newly added prompt/default-runtime cases into a focused test file, such as a prompt-specific uninstall run-plan test, or offset the growth by extracting existing related cases so this hotspot does not keep expanding.
  • Evidence: Monolith delta context: `src/lib/actions/uninstall/run-plan.test.ts`, baseLines 989, headLines 1059, delta 70, rationale: current monolith grew by 20 or more lines.
• Quote or avoid shell strings in the PTY test helper (test/uninstall-prompt-pty.test.ts:39): The new PTY helper passes a composed command string to `script -qec`, and callers interpolate repository paths into that string. These paths are trusted in CI, so this is test-only risk, but local checkouts with spaces or shell metacharacters can make the test parse unintended tokens or fail for reasons unrelated to the behavior under test.
  • Recommendation: Quote each path component before building the `script -qec` command, or use a tiny argv-safe wrapper script/driver so `tsx`, the driver path, `bash`, and `uninstall.sh` are not parsed from an unquoted shell string.
  • Evidence: `spawnUnderPty(command)` calls `spawn("script", ["-qec", command, "/dev/null"], ...)`, and tests pass strings such as `${TSX} ${DRIVER}` and `bash ${UNINSTALL_SH}`.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: None
Optional Vitest E2E scenarios: None

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• None. No Vitest E2E scenario dispatch is recommended: the changes are in uninstall/stdin implementation plus non-scenario tests under test/, and the current e2e-vitest-scenarios.yaml registry/free-standing live jobs do not include an uninstall prompt scenario that would exercise this surface.

Optional Vitest E2E scenarios

• None.

Relevant changed files

• None.

[github-actions]

Selective E2E Results — ⚠️ No requested jobs ran

Run: 27296917240
Target ref: 24e1a5b7d4f984438081fb9c3a853337a1f63474
Workflow ref: main
Requested jobs: gpu-e2e
Summary: 0 passed, 0 failed, 1 skipped

Job	Result
gpu-e2e	⏭️ skipped

[github-actions]

Selective E2E Results — ⚠️ No requested jobs ran

Run: 27314451505
Target ref: 11ebf7135e1a27cf175850728671564d02a8f22c
Workflow ref: main
Requested jobs: gpu-e2e
Summary: 0 passed, 0 failed, 1 skipped

Job	Result
gpu-e2e	⏭️ skipped

[github-actions]

Selective E2E Results — ⚠️ No requested jobs ran

Run: 27319439075
Target ref: fa21ef4fd3264b7e7f20a31fdf1125ae9c6480f8
Workflow ref: main
Requested jobs: gpu-e2e
Summary: 0 passed, 0 failed, 1 skipped

Job	Result
gpu-e2e	⏭️ skipped

[github-actions]

Selective E2E Results — ⚠️ No requested jobs ran

Run: 27330203502
Target ref: 4ac0d6cd78d0ec7938ac96cdf06eca4dc86f2fd1
Workflow ref: main
Requested jobs: gpu-e2e
Summary: 0 passed, 0 failed, 1 skipped

Job	Result
gpu-e2e	⏭️ skipped

[github-actions]

Selective E2E Results — ⚠️ No requested jobs ran

Run: 27350562866
Target ref: e6814c223ff05ece47dda746373291a80fdf4cc6
Workflow ref: main
Requested jobs: gpu-e2e
Summary: 0 passed, 0 failed, 1 skipped

Job	Result
gpu-e2e	⏭️ skipped

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27356452526
Target ref: 2cac99aefcafe8bc6354550a324aa9eda0989606
Workflow ref: main
Requested jobs: sandbox-operations-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
sandbox-operations-e2e	❌ failure

Failed jobs: sandbox-operations-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ⚠️ No requested jobs ran

Run: 27365367058
Target ref: 7466e990e39dfe3e706c9f91a8d89c16c26741c5
Workflow ref: main
Requested jobs: gpu-e2e
Summary: 0 passed, 0 failed, 1 skipped

Job	Result
gpu-e2e	⏭️ skipped

[hunglp6d]

Advisor findings — all 5 resolved

1. Monolith growth — reader extracted to src/lib/core/stdin.ts + stdin.test.ts; run-plan.ts now 859 lines, below its 868 pre-PR baseline.
2. Runtime validation — new test/uninstall-prompt-pty.test.ts + test/fixtures/uninstall-prompt-pty-driver.ts: real default readLine/isTty under a pseudo-TTY with fd 0 pre-flipped non-blocking; covers typed y, typed n, the second user-data prompt, and the bash uninstall.sh wrapper path.
3. Source-of-truth review — covered by 4 + 5 below.
4. Persistent EAGAIN hang — non-TTY reads now give up after a 10 s deadline → existing --yes hint; TTY waits stay unbounded by design. Negative tests for persistent EAGAIN/EWOULDBLOCK added.
5. Boundary completion — core/stdin.ts module comment now names the remaining process.stdin offenders, why the retry stays, and the removal condition; spy-getter test asserts the default runtime never touches process.stdin.

Also pinned NEMOCLAW_NON_INTERACTIVE / NEMOCLAW_AGENT / NEMOCLAW_UNINSTALL_DESTROY_USER_DATA in env-sensitive tests — pre-existing process.env leak flipped scenarios on developer shells.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27381049105
Target ref: 65da466fa20f29b7f89e24b72775f94444a7666b
Workflow ref: main
Requested jobs: sandbox-operations-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job	Result
sandbox-operations-e2e	✅ success

[github-actions]

Selective E2E Results — ⚠️ No requested jobs ran

Run: 27392243725
Target ref: 1ea839263e84dc81d6ccad2d306b2540e6904744
Workflow ref: main
Requested jobs: gpu-e2e
Summary: 0 passed, 0 failed, 0 cancelled, 1 skipped

Job	Result
gpu-e2e	⏭️ skipped

[github-actions]

Selective E2E Results — ⚠️ No requested jobs ran

Run: 27398361229
Target ref: f5bcec61aca3964825856a0a296dce0481e9c13f
Workflow ref: main
Requested jobs: gpu-e2e
Summary: 0 passed, 0 failed, 0 cancelled, 1 skipped

Job	Result
gpu-e2e	⏭️ skipped