
#18003: feat(infra): Adaptive SSH Environment Wrapper (ARE)

by stakeswky open 2026-02-16 11:20
stale size: XS
## Summary

Add an adaptive environment-probing wrapper for SSH-based remote command execution. This solves the common `command not found` (Exit 127) issues caused by incomplete non-interactive login shells.

## The Problem

When OpenClaw connects to remote nodes (e.g. macOS via Homebrew, custom Linux distros) via SSH, the non-interactive session often lacks a full `PATH`. Tools like `node`, `openclaw`, or `pnpm` are frequently missing from the environment, leading to failed task executions.

## Solution

Inject a lightweight shell preamble into SSH commands:

1. Safely loads `/etc/profile` and `~/.profile` (avoids zsh-specific configs that break under `sh`)
2. Probes common binary locations (`/opt/homebrew`, `Library/pnpm`, `~/.local/bin`, etc.)
3. Handles macOS-specific paths (Playwright cache, Homebrew)
4. Deduplicates PATH entries
5. Exports `wrapAdaptiveCommand()` API for wrapping any shell command

## Testing

Tested on:

- **macOS (Darwin)**: Successfully discovered `node` at `/opt/homebrew/bin/node` and `openclaw` at `/usr/local/bin/openclaw`
- **Linux (arm64)**: Verified profile loading and PATH construction

## Files Changed

- `src/infra/adaptive-ssh.ts` (new file)

<h3>Greptile Summary</h3>

This PR introduces a lightweight shell preamble wrapper for SSH remote commands to solve `command not found` errors in non-interactive SSH sessions. The implementation loads standard profile files and probes common binary locations (Homebrew, pnpm, Playwright cache) to construct a complete PATH, then deduplicates entries using shell commands.

**Changes made:**

- New `src/infra/adaptive-ssh.ts` file with `ARE_PREAMBLE` constant and `wrapAdaptiveCommand()` export
- Addresses previous review feedback by switching from template literal to array-based string construction to clarify escaping behavior
- Added comprehensive security documentation in JSDoc warning about shell injection risks

**Key implementation details:**

- Uses array `.join("\n")` approach instead of template literals for clearer escape sequence handling
- PATH deduplication using `tr`, `awk`, and `sed` pipeline
- macOS-specific Playwright binary discovery with `ls -d` and fallback handling
- Safe profile loading that avoids zsh-specific configs under `sh`

The code is not yet integrated anywhere in the codebase - this appears to be preparatory infrastructure for future SSH remote execution features.

<h3>Confidence Score: 4/5</h3>

- This PR is safe to merge with minimal risk - it introduces new infrastructure code that is not yet integrated
- The code properly addresses previous review feedback regarding escaping and security documentation. The shell pipeline logic is sound, and the security risks are well-documented. Score is 4 rather than 5 because: (1) the code has no tests or integration points to validate behavior, (2) it's unclear how callers will ensure command sanitization despite the JSDoc warning, and (3) there's no validation that the generated shell script actually works across target environments
- No files require special attention - this is a small, isolated infrastructure addition

<sub>Last reviewed commit: 5482c85</sub>
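
The review summary above notes that it is unclear how callers will sanitize commands handed to `wrapAdaptiveCommand()`. One way a caller could do that, shown as an added example that is not code from this PR: quote every argument for a POSIX shell before appending it to a preamble. `shQuote`, `buildRemoteCommand`, `SAMPLE_PREAMBLE` and `SAMPLE_ARGV` are hypothetical names, the preamble is a constructed stand-in (the real `ARE_PREAMBLE` is not shown on the page), and the remote login shell is assumed to be POSIX-compatible.

```typescript
// Added example: argument quoting for a command string sent over SSH.
// Not the project's code; every identifier here is hypothetical.

// Inside single quotes a POSIX shell treats every byte literally, so the only
// character that needs handling is the single quote itself, written as '\''.
function shQuote(arg: string): string {
  if (arg.includes("\0")) {
    // A NUL byte cannot be carried in a shell word; reject instead of truncating.
    throw new Error("NUL byte is not allowed in a shell argument");
  }
  if (arg === "") return "''";
  // Leave plainly inert tokens unquoted so logs stay readable. '=' and '~' are
  // excluded on purpose: unquoted they can become an assignment or a tilde expansion.
  if (/^[A-Za-z0-9_\/.:@%+,-]+$/.test(arg)) return arg;
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Constructed stand-in for the profile-loading preamble the PR describes.
const SAMPLE_PREAMBLE: string = [
  "[ -r /etc/profile ] && . /etc/profile",
  '[ -r "$HOME/.profile" ] && . "$HOME/.profile"',
].join("\n");

// Takes an argv array, never a pre-joined string, so the caller has no
// opportunity to concatenate untrusted text into shell syntax.
function buildRemoteCommand(argv: string[]): string {
  if (argv.length === 0) throw new Error("empty command");
  return SAMPLE_PREAMBLE + "\n" + argv.map(shQuote).join(" ");
}

// Constructed input: a file name containing a quote, a space and a command
// substitution. After quoting, the remote shell sees it as one literal word.
const SAMPLE_ARGV: string[] = ["cat", "it's $(hostname).log"];
const SAMPLE_COMMAND: string = buildRemoteCommand(SAMPLE_ARGV);
```

Quoting stops shell metacharacters from being interpreted; it does not stop an argument that begins with `-` from being read as an option by the target program, which the caller still has to handle (for example with `--`).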
