Skip to content

test(openclaw): cover TUI idle timeout regression#6296

Merged
cv merged 47 commits into
mainfrom
fix/6194_openclaw_tui_idle_v2
Jul 9, 2026
Merged

test(openclaw): cover TUI idle timeout regression#6296
cv merged 47 commits into
mainfrom
fix/6194_openclaw_tui_idle_v2

Conversation

@chengjiew

@chengjiew chengjiew commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds explicit #6194 regression coverage for the OpenClaw terminal TUI timeout-after-connected-idle failure mode. The existing live correlation target drives the real OpenClaw TUI after connected idle, verifies chat and /nemoclaw status, and confirms a bounded clean exit. It then separately drives the supported host-side OpenShell terminal UI and a direct sandbox curl to prove deterministic network-rule approval without using assistant prose as an oracle. After the UI acknowledges the approval, the target retries the exact documented Atlassian probe and requires its unauthenticated HTTP 401 response to prove that the running policy was actually updated.

The historical report used NemoClaw v0.0.72. This target guards the current branch against the same post-idle regression instead of reinstalling that known-bad release, and reuses the existing #2603/#3145 provisioned sandbox to avoid a second long cloud setup.

Related Issue

Refs #6194 — current-branch regression guard for the supported OpenClaw TUI and OpenShell approval surfaces.

Changes

  • Add a dedicated Expect flow for chat, status, and a bounded two-step Ctrl+C exit after connected idle.
  • Pin the host-side OpenShell Expect PTY to xterm-256color at 40x120, bind every multi-pattern wait to its intended spawn, and keep failure cleanup nonblocking.
  • Add a separate OpenShell terminal approval phase with an argv-bounded direct curl, empty-pending-queue preflight, exact sandbox/host/binary checks, and supported approval action.
  • Match stable sandbox-detail labels and strip OpenShell SGR styling before parsing CLI rule evidence.
  • Use the fixed Atlassian URL as the deny-by-default pending-rule trigger, then retry that exact full URL after approval and require the documented unauthenticated HTTP 401 success signal.
  • Parse the policy revision from the approval acknowledgement and bounded-poll its read-only status until that exact revision is loaded and active before retrying the request.
  • Publish a separate post-approval capture plus structured endpoint, expected-status, observed-status, and running-policy marker fields before assertions.
  • Declare all three combined live boundaries explicitly: OpenClaw websocket correlation, OpenClaw post-idle terminal input, and OpenShell network-rule terminal approval.
  • Extend openclaw-tui-chat-correlation so the new flow reuses its provisioned cloud sandbox.
  • Add fast e2e-support contracts for marker ordering, complete boundary metadata, secret redaction, trusted host-command use, spawn binding, ANSI normalization, the two-step exit, fail-closed capture diagnostics, and post-approval policy proof ordering.
  • Precreate terminal captures, publish structured missing/empty/marker diagnostics before assertions, and redact raw captures before writing artifacts.
  • Install the single allowlisted expect host dependency in the selected live job, with a pinned workflow-boundary regression contract.
  • Remove unrelated config-dispatch and auto-pair test changes during maintainer salvage.

Original Author Credit

@chengjiew authored the #6194 reproduction design and implementation. The maintainer synchronization and scope-cleanup commits preserve that work; the scope-cleanup commit also records Chengjie Wang as co-author.

Maintainer Gate Disposition

  • The combined target is deliberate. The existing correlation target already provisions the real cloud sandbox, gateway, hosted inference route, and OpenClaw runtime needed by all three boundaries. Running the [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 phases sequentially against that one sandbox avoids a second expensive onboard and avoids cross-run state variance. Diagnostics remain isolated by boundary: the OpenClaw TUI and OpenShell approval phases have separate Expect scripts, spawn IDs, exit-code ranges, structured result JSON, raw/plain captures, and shell result artifacts. A failure identifies its owning phase and marker instead of collapsing into one transcript.
  • The fast contract tests inspect the generated Tcl because several safety invariants are source boundaries that one successful PTY run cannot prove: every multi-pattern wait must bind to the intended spawn, host commands must retain exact argv boundaries, markers and timeouts must remain ordered, cleanup must stay nonblocking, pending-rule evidence must match the exact sandbox/endpoint/binary, assistant prose must not become an approval oracle, the exact post-approval retry must follow the UI acknowledgement, and redaction/diagnostic artifacts must precede assertions. These are focused mutation guards for concrete failures encountered while stabilizing the live path. The exact live job supplies the complementary behavior proof.
  • Exact-head run 29034353469 proved the new fail-closed check by rejecting an immediate HTTP 000 retry after approval. Follow-up run 29035248442 proved the read-only synchronization path and no-curl-before-loaded invariant: cloud-onboard passed, while all captured policy samples still showed acknowledged revision 4 pending with active revision 3, so the final curl did not run. Behavior-tested head d1ea65a uses OpenShell's supported 60-second policy-load deadline. Run 29035848193 passed both required jobs on that head. Its audited OpenClaw artifact reports acknowledged revision 4 loaded and active on polling attempt 10, then exactly one retry of the documented Atlassian endpoint returning HTTP 401, with policyUpdated: true and successful cleanup. The independently audited cloud-onboard artifact installs that exact SHA on a clean hosted runner, exits 0 after deployment verification reports a healthy gateway and dashboard, and verifies cleanup. Artifact digests: sha256:c7138daffb9c38133c824e3061efd4d6e9dc5021320d7479ab8c2451826dd9fd (OpenClaw) and sha256:4226b386b9150dd50486eaab7025030c61d17d9d316448a069fe3b6e217e27d7 (cloud-onboard). Current head aff5821 is a GitHub-Verified merge-only commit of d1ea65a and current main e2777f8 (fix(dcode): enforce sandbox process and file descriptor limits #6559): all six PR files retain identical Git blobs, and the only added main changes are the already-merged DCode resource-limit work. The merge audit records why the prior cloud/TUI evidence remains behaviorally applicable while fresh ordinary CI and advisors run on aff5821.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: test-only regression coverage; no user-facing behavior changed.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — test/workflow-only change; maintainer review verified the host-side OpenShell approval boundary, transcript isolation, and fail-closed artifact contracts.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • Required live E2E behavior evidence with merge-only reuse audit — run 29035848193 passed cloud-onboard and openclaw-tui-chat-correlation on d1ea65a; audited artifacts prove clean-host install/deployment, revision 4 loaded and active before the exact Atlassian retry returned HTTP 401, and successful cleanup. Current head aff5821 changes none of those PR files and only merges current main's already-landed fix(dcode): enforce sandbox process and file descriptor limits #6559 DCode work; see the linked merge audit above.
  • Current-head phase attribution and post-approval contracts — focused 11/11 and full e2e-support 869/869 passed.
  • PR description includes DCO declarations and every commit is GitHub Verified
  • Normal pre-commit, commit-msg, and pre-push hooks passed on the salvaged head
  • Focused final TUI PTY, metadata, capture-diagnostic, and post-approval contract — 11/11 passed
  • Full e2e-support suite — 869/869 passed on the current head
  • npm run build:cli — passed
  • cd nemoclaw && npm run build — passed
  • Quality Gates section completed with required justifications
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Chengjie Wang chengjiew@nvidia.com
Signed-off-by: Apurv Kumaria akumaria@nvidia.com

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
@chengjiew chengjiew self-assigned this Jul 6, 2026
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR adds issue #6194 coverage for TUI behavior after connected idle, expands a CLI dispatch contract test around oclif routing, switches a rebuild-flow test to shared environment hooks, and rewrites two inline timeline comments in nemoclaw-start.

Changes

TUI post-idle regression coverage (#6194)

Layer / File(s) Summary
Timeout config and capture helpers
test/e2e/live/issue-6194-tui-expect.ts, test/e2e/live/openclaw-tui-chat-correlation.test.ts, test/e2e/fixtures/clients/host.ts
Adds the issue timeout, optional capture reader, output normalization helpers, updated imports and metadata, and a trust-boundary comment for host command execution.
Expect script generator for TUI interaction flow
test/e2e/live/issue-6194-tui-expect.ts
Generates the scripted TUI flow that checks connected-idle, chat, status, network approval, and clean-exit transitions with explicit timeout and EOF handling.
Test target metadata and runtime assertion phase
test/e2e/live/openclaw-tui-chat-correlation.test.ts
Expands the issue/boundary metadata, runs the generated expect script, redacts and normalizes capture output, writes artifacts, and verifies ordered markers plus exit code.
Contract test for TUI source markers
test/e2e/support/issue-6194-tui-post-idle-contract.test.ts
Validates the generated expect script’s timeout, required markers, disallowed strings, and marker ordering.

CLI dispatch oclif routing test updates

Layer / File(s) Summary
Oclif runner mocking and dispatch assertions
test/package-contract/cli/config-set-cli-dispatch.test.ts
Adds require-cache restoration, oclif runner mocks, stricter configSet dispatch assertions, and cleanup for cached modules.

Rebuild flow test environment hooks

Layer / File(s) Summary
Rebuild flow environment hooks
src/lib/actions/sandbox/rebuild-prepared-recovery.test.ts
Replaces snapshot-based env handling and vi.restoreAllMocks() with shared reset and restore helpers in the Vitest hooks.

Timeline comment clarifications

Layer / File(s) Summary
Slow-mode keepalive comment wording
test/nemoclaw-start.test.ts
Rewords two inline comments describing late CLI scope upgrade timing and the concurrent late wave.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Suggested labels: bug-fix

Suggested reviewers: jyaunches, ericksoa, brandonpelfrey

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning Several touched tests are unrelated to #6194, including config-set dispatch, rebuild-prepared-recovery, host client comments, and nemoclaw-start comment tweaks. Split the unrelated test/refactor/comment updates into separate PRs or add evidence they are required for the #6194 fix.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The new live TUI and contract tests cover chat, slash command, approval, and clean-exit flows after connected idle, matching #6194.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding regression coverage for the OpenClaw TUI post-idle timeout issue.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/6194_openclaw_tui_idle_v2

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 77%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 4df9fc2 3b0c037 +/-
src/lib/inferen.../vllm-models.ts 81% 66% -15%
src/lib/inference/config.ts 98% 93% -5%
src/lib/agent/onboard.ts 71% 70% -1%
src/lib/actions...dbox/destroy.ts 71% 72% +1%
src/lib/agent/base-image.ts 82% 84% +2%
src/lib/agent/t...ersion-drift.ts 88% 96% +8%
src/lib/agent/b...availability.ts 63% 74% +11%
src/lib/onboard/config-sync.ts 31% 46% +15%
src/lib/agent/t...-enforcement.ts 75% 100% +25%
src/lib/sandbox...rsion-scheme.ts 73% 100% +27%

Updated July 09, 2026 17:51 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: cloud-onboard, openclaw-tui-chat-correlation
Optional E2E: network-policy

Dispatch hint: cloud-onboard,openclaw-tui-chat-correlation

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-onboard (high): Required by the deterministic risk plan for the .github/workflows/e2e.yaml platform-install change; it validates clean-host onboarding with the pinned runtime dependencies.
  • openclaw-tui-chat-correlation (high): This PR directly changes the openclaw-tui-chat-correlation live job/test and expands it to cover [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 OpenClaw TUI post-idle input plus OpenShell network-rule approval, so the modified real assistant flow should be run before merge.

Optional E2E

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: cloud-onboard,openclaw-tui-chat-correlation

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: cloud-onboard, openclaw-tui-chat-correlation
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=cloud-onboard
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • cloud-onboard: Installer and platform changes must work on a clean supported host with the pinned runtime dependencies.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=cloud-onboard
  • openclaw-tui-chat-correlation: Focused free-standing E2E job wired for changed live test test/e2e/live/openclaw-tui-chat-correlation.test.ts.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation

Optional E2E targets

  • None.

Relevant changed files

  • .github/workflows/e2e.yaml
  • test/e2e/live/issue-6194-tui-expect.ts
  • test/e2e/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts
  • test/e2e/support/issue-6194-tui-post-idle-contract.test.ts
  • tools/e2e/workflow-boundary.mts

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Fix PRA-1: Incomplete workflow-boundary validator for openclaw-tui-chat-correlation job; then add or justify PRA-T1.
Open items: 1 required · 5 warnings · 1 suggestion · 8 test follow-ups
Since last review: 1 prior item resolved · 5 still apply · 3 new items found

Action checklist

  • PRA-1 Fix: Incomplete workflow-boundary validator for openclaw-tui-chat-correlation job in tools/e2e/workflow-boundary.mts:808
  • PRA-2 Resolve or justify: Missing workflow-boundary test cases for openclaw-tui-chat-correlation security validations in test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts:100
  • PRA-3 Resolve or justify: Host dependency workaround lacks regression test for documented invalidState and removalCondition in .github/workflows/e2e.yaml:4000
  • PRA-4 Resolve or justify: Open PR overlap on workflow boundary validators and job definitions with PR ci(e2e): guard queued Jetson dispatches #6582 in .github/workflows/e2e.yaml:1
  • PRA-5 Resolve or justify: Risk plan platform-install invariants require cloud-onboard E2E validation in .github/workflows/e2e.yaml:1
  • PRA-7 Resolve or justify: Expect script timeout/eof error paths lack test coverage in test/e2e/live/issue-6194-tui-expect.ts:64
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Runtime validation
  • PRA-T6 Add or justify test follow-up: Missing workflow-boundary test cases for openclaw-tui-chat-correlation security validations
  • PRA-T7 Add or justify test follow-up: Risk plan platform-install invariants require cloud-onboard E2E validation
  • PRA-T8 Add or justify test follow-up: Expect script timeout/eof error paths lack test coverage
  • PRA-6 In-scope improvement: Monolith growth: duplicated security validation logic across job validators in tools/e2e/workflow-boundary.mts:808

Findings index

ID Severity Category Location Required action
PRA-1 Required security tools/e2e/workflow-boundary.mts:808 Expand validateOpenclawTuiChatCorrelationHostDependencies to match the validation scope of validateNetworkPolicyJob: add checkout step validation (persist-credentials=false), dockerhub-auth step presence, per-step secret non-exposure checks, artifact upload action and path validation, and cleanup step (if: always, docker-auth-cleanup.sh) validation.
PRA-2 Resolve/justify tests test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts:100 Add test cases to e2e-host-dependency-workflow-boundary.test.ts that mutate the openclaw-tui-chat-correlation job: remove cleanup step, remove checkout step, set persist-credentials=true, expose secret in non-test step, mutate artifact upload path, remove dockerhub-auth step — each should produce a validation error from validateOpenclawTuiChatCorrelationHostDependencies after it is expanded per the security finding.
PRA-3 Resolve/justify architecture .github/workflows/e2e.yaml:4000 Add regression test coverage for: (1) apt-get update retry behavior (mock or document that the 3-attempt loop is exercised), (2) a test that validates the removalCondition by checking if the step can be conditionally omitted when Expect is pre-installed, (3) ensure the package allowlist test already covers the exact command (it does). Consider whether the retry logic belongs in a shared action rather than inline shell.
PRA-4 Resolve/justify workflow .github/workflows/e2e.yaml:1 Coordinate with PR #6582 author. Ensure both PRs' changes to workflow-boundary.mts are compatible: validator registration in validateE2eWorkflowBoundary, job selector predicates, and any shared helpers. Rebase this PR on top of PR #6582 or vice versa before merge.
PRA-5 Resolve/justify tests .github/workflows/e2e.yaml:1 Ensure cloud-onboard E2E job passes on the PR head before merge. This is a required validation floor per the risk plan, not an optional check. Coordinate with CI to run cloud-onboard against the exact head SHA (3b0c037).
PRA-6 Improvement architecture tools/e2e/workflow-boundary.mts:808 Extract a shared helper function validateFreeStandingJobSecurityBaseline(errors, jobName, steps, options) that enforces: checkout with persist-credentials=false, dockerhub-auth step presence, per-step secret non-exposure (configurable allowlist for test runner step), artifact upload action/path validation, cleanup step with if: always and docker-auth-cleanup.sh. Refactor validateNetworkPolicyJob, validateOpenclawTuiChatCorrelationHostDependencies, and other free-standing job validators to call the shared helper with job-specific overrides.
PRA-7 Resolve/justify tests test/e2e/live/issue-6194-tui-expect.ts:64 Add focused contract tests that exercise at least one timeout path and one eof path per Expect script. For example: mock a delayed openshell term to trigger dashboard timeout (exit 64/65), or a sandbox network partition to trigger curl timeout (exit 74/88). Verify the expected exit code, diagnostic capture, and non-blocking cleanup are executed.

🚨 Required before merge

Address these before merging unless a maintainer explicitly overrides the advisor with rationale.

PRA-1 Required — Incomplete workflow-boundary validator for openclaw-tui-chat-correlation job

  • Location: tools/e2e/workflow-boundary.mts:808
  • Category: security
  • Problem: The validator validateOpenclawTuiChatCorrelationHostDependencies (lines 808-185) only validates host-dependency package allowlist and install-before-prep order. It does not enforce checkout step with persist-credentials=false, dockerhub-auth step presence, secret non-exposure in non-test steps, artifact upload action/path validation, or cleanup step presence. validateNetworkPolicyJob (lines 700-830) enforces all of these security validations.
  • Impact: Future drift in security-critical workflow configuration (missing cleanup, secret exposure in non-test steps, missing checkout hardening, artifact upload tampering) would not be caught by the workflow-boundary test suite, allowing regressions to reach CI. Credential leakage risk persists if cleanup step is later removed.
  • Required action: Expand validateOpenclawTuiChatCorrelationHostDependencies to match the validation scope of validateNetworkPolicyJob: add checkout step validation (persist-credentials=false), dockerhub-auth step presence, per-step secret non-exposure checks, artifact upload action and path validation, and cleanup step (if: always, docker-auth-cleanup.sh) validation.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Compare tools/e2e/workflow-boundary.mts validateOpenclawTuiChatCorrelationHostDependencies (lines 808-185) vs validateNetworkPolicyJob (lines 700-830). Check .github/workflows/e2e.yaml openclaw-tui-chat-correlation job steps for presence of checkout (persist-credentials=false), dockerhub-auth, cleanup step.
  • Missing regression test: Add workflow-boundary test cases in test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts that mutate the openclaw-tui-chat-correlation job to: (1) remove cleanup step, (2) remove checkout step, (3) set persist-credentials=true, (4) expose NVIDIA_INFERENCE_API_KEY in non-runner step, (5) mutate artifact upload path, (6) remove dockerhub-auth step — each expecting validation error from expanded validator.
  • Done when: The required change is committed and verification passes: Compare tools/e2e/workflow-boundary.mts validateOpenclawTuiChatCorrelationHostDependencies (lines 808-185) vs validateNetworkPolicyJob (lines 700-830). Check .github/workflows/e2e.yaml openclaw-tui-chat-correlation job steps for presence of checkout (persist-credentials=false), dockerhub-auth, cleanup step.
  • Evidence: tools/e2e/workflow-boundary.mts:808-185 (current validator) tools/e2e/workflow-boundary.mts:700-830 (validateNetworkPolicyJob reference) .github/workflows/e2e.yaml:3963-4150 (openclaw-tui-chat-correlation job steps) .github/workflows/e2e.yaml:3943-3990 (openclaw-plugin-runtime-exdev job with full validations)
Review findings by urgency: 1 required fix, 5 items to resolve/justify, 1 in-scope improvement

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-2 Resolve/justify — Missing workflow-boundary test cases for openclaw-tui-chat-correlation security validations

  • Location: test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts:100
  • Category: tests
  • Problem: The test file validates package allowlist (expect only) and install-before-prep ordering for the new openclaw-tui-chat-correlation job, but does not test the security validations that other job validators enforce: checkout step persist-credentials=false, dockerhub-auth step presence, secret non-exposure in non-runner steps, artifact upload action/path, and cleanup step.
  • Impact: Future drift in workflow security configuration (missing cleanup, secret exposure, missing checkout hardening, artifact upload tampering) would not be caught by the workflow-boundary test suite, allowing regressions to reach CI.
  • Recommended action: Add test cases to e2e-host-dependency-workflow-boundary.test.ts that mutate the openclaw-tui-chat-correlation job: remove cleanup step, remove checkout step, set persist-credentials=true, expose secret in non-test step, mutate artifact upload path, remove dockerhub-auth step — each should produce a validation error from validateOpenclawTuiChatCorrelationHostDependencies after it is expanded per the security finding.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts lines 100-125 for current test cases (package allowlist + order only). Compare with tools/e2e/workflow-boundary.mts validateNetworkPolicyJob (lines 700-830) for the full set of validations that should be tested.
  • Missing regression test: Add 6 test cases in e2e-host-dependency-workflow-boundary.test.ts: (1) missing cleanup step, (2) missing checkout step, (3) persist-credentials=true, (4) secret exposed in non-runner step, (5) artifact upload path mutated, (6) dockerhub-auth step removed — all expecting validation errors from the expanded validator.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts lines 100-125 for current test cases (package allowlist + order only). Compare with tools/e2e/workflow-boundary.mts validateNetworkPolicyJob (lines 700-830) for the full set of validations that should be tested.
  • Evidence: test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts:100-125 (current test cases) tools/e2e/workflow-boundary.mts:808-185 (validateOpenclawTuiChatCorrelationHostDependencies - incomplete) tools/e2e/workflow-boundary.mts:700-830 (validateNetworkPolicyJob - complete reference)

PRA-3 Resolve/justify — Host dependency workaround lacks regression test for documented invalidState and removalCondition

  • Location: .github/workflows/e2e.yaml:4000
  • Category: architecture
  • Problem: The apt-get install expect step is documented as a workaround for GitHub-hosted runner images lacking Expect. The comment block specifies invalidState (transient mirror failures), sourceBoundary (trusted workflow chooses package), whyNotSourceFix (runner image and repo move together), regressionTest (workflow-boundary test rejects drift), and removalCondition (when runner image includes Expect). Current workflow-boundary test only validates package allowlist and install-before-prep order — no test exercises the 3-attempt retry loop or validates removalCondition.
  • Impact: The retry logic and removal condition are documented but untested. If the retry behavior regresses (e.g., loop removed, backoff changed) or the step is not removed when Expect becomes pre-installed, the workflow-boundary test will not catch it. The workaround could become permanent technical debt without a guard.
  • Recommended action: Add regression test coverage for: (1) apt-get update retry behavior (mock or document that the 3-attempt loop is exercised), (2) a test that validates the removalCondition by checking if the step can be conditionally omitted when Expect is pre-installed, (3) ensure the package allowlist test already covers the exact command (it does). Consider whether the retry logic belongs in a shared action rather than inline shell.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check .github/workflows/e2e.yaml lines 3995-4015 for the documented workaround comment block and retry loop. Check test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts for any test exercising retry behavior or removalCondition.
  • Missing regression test: Add test case in e2e-host-dependency-workflow-boundary.test.ts that: (1) mocks apt-get update to fail twice then succeed, verifying the 3-attempt retry is executed, (2) validates the step can be removed when a simulated runner image provides Expect (removalCondition).
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check .github/workflows/e2e.yaml lines 3995-4015 for the documented workaround comment block and retry loop. Check test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts for any test exercising retry behavior or removalCondition.
  • Evidence: .github/workflows/e2e.yaml:3995-4015 (workaround comment block and retry loop) test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts:100-125 (current tests only cover allowlist + order)

PRA-4 Resolve/justify — Open PR overlap on workflow boundary validators and job definitions with PR #6582

  • Location: .github/workflows/e2e.yaml:1
  • Category: workflow
  • Problem: PR ci(e2e): guard queued Jetson dispatches #6582 modifies the same files (.github/workflows/e2e.yaml and tools/e2e/workflow-boundary.mts) and likely registers validators, job selector predicates, and shared helpers (validateFreeStandingJobSelector, validateInlineHostDependencyInstall). Concurrent changes risk validator registration conflicts, job selector predicate collisions, and helper function drift.
  • Impact: If both PRs merge without coordination, validator registration order, job selector matching, or shared helper signatures could conflict, causing workflow-boundary validation to miss jobs or produce false positives/negatives.
  • Recommended action: Coordinate with PR ci(e2e): guard queued Jetson dispatches #6582 author. Ensure both PRs' changes to workflow-boundary.mts are compatible: validator registration in validateE2eWorkflowBoundary, job selector predicates, and any shared helpers. Rebase this PR on top of PR ci(e2e): guard queued Jetson dispatches #6582 or vice versa before merge.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check PR ci(e2e): guard queued Jetson dispatches #6582 diff for changes to tools/e2e/workflow-boundary.mts (validator registration, job selectors, shared helpers) and .github/workflows/e2e.yaml (job definitions). Compare with this PR's changes to the same areas.
  • Missing regression test: After coordination/rebase, run validateE2eWorkflowBoundary against the merged workflow to ensure all job validators (including both PRs' new jobs) execute without conflict.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check PR ci(e2e): guard queued Jetson dispatches #6582 diff for changes to tools/e2e/workflow-boundary.mts (validator registration, job selectors, shared helpers) and .github/workflows/e2e.yaml (job definitions). Compare with this PR's changes to the same areas.
  • Evidence: PR ci(e2e): guard queued Jetson dispatches #6582 title: 'feat(gpu): prefer native OpenShell with compatibility fallback' PR ci(e2e): guard queued Jetson dispatches #6582 sameFiles: ['.github/workflows/e2e.yaml'] This PR modifies: .github/workflows/e2e.yaml, tools/e2e/workflow-boundary.mts Commit history shows multiple merges from origin/main but no merge of PR ci(e2e): guard queued Jetson dispatches #6582

PRA-5 Resolve/justify — Risk plan platform-install invariants require cloud-onboard E2E validation

  • Location: .github/workflows/e2e.yaml:1
  • Category: tests
  • Problem: The deterministic risk plan (version 1, headSha 3b0c037) identifies platform-install family (tier 3) matched by .github/workflows/e2e.yaml changes. Required job cloud-onboard is flagged as automatic. The plan states: 'Installer and platform changes must work on a clean supported host with the pinned runtime dependencies.' No evidence that cloud-onboard E2E executed against this exact head SHA.
  • Impact: Platform-install changes (new host dependency step with apt-get retry loop) are not validated on a clean supported host. The risk plan treats cloud-onboard as a required validation floor; skipping it defeats the tier-3 risk gate.
  • Recommended action: Ensure cloud-onboard E2E job passes on the PR head before merge. This is a required validation floor per the risk plan, not an optional check. Coordinate with CI to run cloud-onboard against the exact head SHA (3b0c037).
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check GitHub Actions workflow runs for cloud-onboard job against commit 3b0c037. Verify it completed successfully.
  • Missing regression test: Not a test gap — CI execution gap. The cloud-onboard job itself is the validation; it must run and pass on the PR head.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check GitHub Actions workflow runs for cloud-onboard job against commit 3b0c037. Verify it completed successfully.
  • Evidence: Risk plan: requiredJobs includes cloud-onboard for platform-install family Risk plan: automaticJobs includes cloud-onboard No CI run evidence for cloud-onboard at headSha 3b0c037 in PR context

PRA-7 Resolve/justify — Expect script timeout/eof error paths lack test coverage

  • Location: test/e2e/live/issue-6194-tui-expect.ts:64
  • Category: tests
  • Problem: The Expect scripts define explicit timeout and eof handling with distinct exit codes for each major wait (dashboard, network rule detail, policy polling, post-approval curl, cleanup). However, no test mutates the environment to trigger these error paths (e.g., delaying openshell term startup to hit dashboard timeout, sandbox network partition to hit curl timeout, policy revision never loading). Only the happy path (all markers hit, exitCode 0) is exercised.
  • Impact: If timeout/eof handling regresses (e.g., exit code changed, cleanup not executed, diagnostic not captured), the test suite will not detect it. Error-path behavior is part of the regression guard's fail-closed contract.
  • Recommended action: Add focused contract tests that exercise at least one timeout path and one eof path per Expect script. For example: mock a delayed openshell term to trigger dashboard timeout (exit 64/65), or a sandbox network partition to trigger curl timeout (exit 74/88). Verify the expected exit code, diagnostic capture, and non-blocking cleanup are executed.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check test/e2e/support/issue-6194-tui-post-idle-contract.test.ts for any test that triggers Expect script timeout or eof branches. Search for 'timeout' or 'eof' in test assertions against the Expect scripts.
  • Missing regression test: Add contract test cases that: (1) force openshell_dashboard timeout by mocking delayed openshell term startup, assert exit 64/65 and diagnostic capture, (2) force curl timeout by network partition, assert exit 74/88 and cleanup, (3) force policy revision never loading, assert exit 90 and policyStatusOutput capture.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check test/e2e/support/issue-6194-tui-post-idle-contract.test.ts for any test that triggers Expect script timeout or eof branches. Search for 'timeout' or 'eof' in test assertions against the Expect scripts.
  • Evidence: test/e2e/live/issue-6194-tui-expect.ts:64-71 (dashboard timeout exits 64/65) test/e2e/live/issue-6194-tui-expect.ts:78-87 (network_rule_detail timeout exits 78/79, 80/81, 84/85) test/e2e/live/issue-6194-tui-expect.ts:270-290 (policy polling timeout exit 90) test/e2e/live/issue-6194-tui-expect.ts:315-325 (post-approval curl timeout exit 88/91) test/e2e/support/issue-6194-tui-post-idle-contract.test.ts (no timeout/eof mutation tests)

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-6 Improvement — Monolith growth: duplicated security validation logic across job validators

  • Location: tools/e2e/workflow-boundary.mts:808
  • Category: architecture
  • Problem: validateOpenclawTuiChatCorrelationHostDependencies reimplements (incompletely) the security validations that validateNetworkPolicyJob already enforces: checkout persist-credentials=false, dockerhub-auth step presence, per-step secret non-exposure, artifact upload action/path validation, cleanup step (if: always, docker-auth-cleanup.sh). This pattern repeats across multiple job validators, growing the file to 4000+ lines with duplicated logic.
  • Impact: Inconsistent validation coverage (as seen in PRA-1), higher maintenance burden, increased risk of drift when security requirements change. Fixing a validation gap requires updating multiple validators.
  • Suggested action: Extract a shared helper function validateFreeStandingJobSecurityBaseline(errors, jobName, steps, options) that enforces: checkout with persist-credentials=false, dockerhub-auth step presence, per-step secret non-exposure (configurable allowlist for test runner step), artifact upload action/path validation, cleanup step with if: always and docker-auth-cleanup.sh. Refactor validateNetworkPolicyJob, validateOpenclawTuiChatCorrelationHostDependencies, and other free-standing job validators to call the shared helper with job-specific overrides.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search tools/e2e/workflow-boundary.mts for repeated patterns: 'persist-credentials=false', 'dockerhub-auth', 'requireEnvDoesNotExposeSecret', 'upload-e2e-artifacts', 'docker-auth-cleanup.sh'. Count occurrences across validators.
  • Missing regression test: After refactoring, ensure existing workflow-boundary tests still pass and validateOpenclawTuiChatCorrelationHostDependencies mutation tests (from PRA-2) catch security regressions via the shared helper.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: tools/e2e/workflow-boundary.mts:700-830 (validateNetworkPolicyJob full validations) tools/e2e/workflow-boundary.mts:808-185 (validateOpenclawTuiChatCorrelationHostDependencies minimal validations) tools/e2e/workflow-boundary.mts:3879+ (validateE2eWorkflowBoundary calls multiple validators with duplicated patterns)
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `cloud-onboard` E2E job for Installer and platform changes must work on a clean supported host with the pinned runtime dependencies. Matched files: `.github/workflows/e2e.yaml`.. Deterministic regression risks require live validation: platform-install. Deterministic risk plan platform-install family (tier 3) matched by .github/workflows/e2e.yaml changes (new apt-get install expect with 3-attempt retry). Invariant 'a clean host installs the intended pinned dependencies and reaches a usable agent' requires cloud-onboard E2E as validation floor.
  • PRA-T2 Runtime validation — Run the cloud-onboard E2E job against head SHA 3b0c037 to validate platform-install invariant on a clean supported host. Deterministic regression risks require live validation: platform-install. Deterministic risk plan platform-install family (tier 3) matched by .github/workflows/e2e.yaml changes (new apt-get install expect with 3-attempt retry). Invariant 'a clean host installs the intended pinned dependencies and reaches a usable agent' requires cloud-onboard E2E as validation floor.
  • PRA-T3 Runtime validation — Add contract tests exercising Expect script timeout/eof error paths (dashboard timeout exit 64/65, curl timeout exit 74/88, policy polling timeout exit 90). Deterministic regression risks require live validation: platform-install. Deterministic risk plan platform-install family (tier 3) matched by .github/workflows/e2e.yaml changes (new apt-get install expect with 3-attempt retry). Invariant 'a clean host installs the intended pinned dependencies and reaches a usable agent' requires cloud-onboard E2E as validation floor.
  • PRA-T4 Runtime validation — Add workflow-boundary mutation tests for openclaw-tui-chat-correlation security validations (checkout persist-credentials, dockerhub-auth, secret non-exposure, artifact upload, cleanup). Deterministic regression risks require live validation: platform-install. Deterministic risk plan platform-install family (tier 3) matched by .github/workflows/e2e.yaml changes (new apt-get install expect with 3-attempt retry). Invariant 'a clean host installs the intended pinned dependencies and reaches a usable agent' requires cloud-onboard E2E as validation floor.
  • PRA-T5 Runtime validation — Add test exercising apt-get update 3-attempt retry loop and validating removalCondition when Expect pre-installed. Deterministic regression risks require live validation: platform-install. Deterministic risk plan platform-install family (tier 3) matched by .github/workflows/e2e.yaml changes (new apt-get install expect with 3-attempt retry). Invariant 'a clean host installs the intended pinned dependencies and reaches a usable agent' requires cloud-onboard E2E as validation floor.
  • PRA-T6 Missing workflow-boundary test cases for openclaw-tui-chat-correlation security validations — Add test cases to e2e-host-dependency-workflow-boundary.test.ts that mutate the openclaw-tui-chat-correlation job: remove cleanup step, remove checkout step, set persist-credentials=true, expose secret in non-test step, mutate artifact upload path, remove dockerhub-auth step — each should produce a validation error from validateOpenclawTuiChatCorrelationHostDependencies after it is expanded per the security finding.
  • PRA-T7 Risk plan platform-install invariants require cloud-onboard E2E validation — Ensure cloud-onboard E2E job passes on the PR head before merge. This is a required validation floor per the risk plan, not an optional check. Coordinate with CI to run cloud-onboard against the exact head SHA (3b0c037).
  • PRA-T8 Expect script timeout/eof error paths lack test coverage — Add focused contract tests that exercise at least one timeout path and one eof path per Expect script. For example: mock a delayed openshell term to trigger dashboard timeout (exit 64/65), or a sandbox network partition to trigger curl timeout (exit 74/88). Verify the expected exit code, diagnostic capture, and non-blocking cleanup are executed.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Required — Incomplete workflow-boundary validator for openclaw-tui-chat-correlation job

  • Location: tools/e2e/workflow-boundary.mts:808
  • Category: security
  • Problem: The validator validateOpenclawTuiChatCorrelationHostDependencies (lines 808-185) only validates host-dependency package allowlist and install-before-prep order. It does not enforce checkout step with persist-credentials=false, dockerhub-auth step presence, secret non-exposure in non-test steps, artifact upload action/path validation, or cleanup step presence. validateNetworkPolicyJob (lines 700-830) enforces all of these security validations.
  • Impact: Future drift in security-critical workflow configuration (missing cleanup, secret exposure in non-test steps, missing checkout hardening, artifact upload tampering) would not be caught by the workflow-boundary test suite, allowing regressions to reach CI. Credential leakage risk persists if cleanup step is later removed.
  • Required action: Expand validateOpenclawTuiChatCorrelationHostDependencies to match the validation scope of validateNetworkPolicyJob: add checkout step validation (persist-credentials=false), dockerhub-auth step presence, per-step secret non-exposure checks, artifact upload action and path validation, and cleanup step (if: always, docker-auth-cleanup.sh) validation.
  • Expected follow-up: Fix before merge or get explicit maintainer override.
  • Verification: Compare tools/e2e/workflow-boundary.mts validateOpenclawTuiChatCorrelationHostDependencies (lines 808-185) vs validateNetworkPolicyJob (lines 700-830). Check .github/workflows/e2e.yaml openclaw-tui-chat-correlation job steps for presence of checkout (persist-credentials=false), dockerhub-auth, cleanup step.
  • Missing regression test: Add workflow-boundary test cases in test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts that mutate the openclaw-tui-chat-correlation job to: (1) remove cleanup step, (2) remove checkout step, (3) set persist-credentials=true, (4) expose NVIDIA_INFERENCE_API_KEY in non-runner step, (5) mutate artifact upload path, (6) remove dockerhub-auth step — each expecting validation error from expanded validator.
  • Done when: The required change is committed and verification passes: Compare tools/e2e/workflow-boundary.mts validateOpenclawTuiChatCorrelationHostDependencies (lines 808-185) vs validateNetworkPolicyJob (lines 700-830). Check .github/workflows/e2e.yaml openclaw-tui-chat-correlation job steps for presence of checkout (persist-credentials=false), dockerhub-auth, cleanup step.
  • Evidence: tools/e2e/workflow-boundary.mts:808-185 (current validator) tools/e2e/workflow-boundary.mts:700-830 (validateNetworkPolicyJob reference) .github/workflows/e2e.yaml:3963-4150 (openclaw-tui-chat-correlation job steps) .github/workflows/e2e.yaml:3943-3990 (openclaw-plugin-runtime-exdev job with full validations)

PRA-2 Resolve/justify — Missing workflow-boundary test cases for openclaw-tui-chat-correlation security validations

  • Location: test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts:100
  • Category: tests
  • Problem: The test file validates package allowlist (expect only) and install-before-prep ordering for the new openclaw-tui-chat-correlation job, but does not test the security validations that other job validators enforce: checkout step persist-credentials=false, dockerhub-auth step presence, secret non-exposure in non-runner steps, artifact upload action/path, and cleanup step.
  • Impact: Future drift in workflow security configuration (missing cleanup, secret exposure, missing checkout hardening, artifact upload tampering) would not be caught by the workflow-boundary test suite, allowing regressions to reach CI.
  • Recommended action: Add test cases to e2e-host-dependency-workflow-boundary.test.ts that mutate the openclaw-tui-chat-correlation job: remove cleanup step, remove checkout step, set persist-credentials=true, expose secret in non-test step, mutate artifact upload path, remove dockerhub-auth step — each should produce a validation error from validateOpenclawTuiChatCorrelationHostDependencies after it is expanded per the security finding.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts lines 100-125 for current test cases (package allowlist + order only). Compare with tools/e2e/workflow-boundary.mts validateNetworkPolicyJob (lines 700-830) for the full set of validations that should be tested.
  • Missing regression test: Add 6 test cases in e2e-host-dependency-workflow-boundary.test.ts: (1) missing cleanup step, (2) missing checkout step, (3) persist-credentials=true, (4) secret exposed in non-runner step, (5) artifact upload path mutated, (6) dockerhub-auth step removed — all expecting validation errors from the expanded validator.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts lines 100-125 for current test cases (package allowlist + order only). Compare with tools/e2e/workflow-boundary.mts validateNetworkPolicyJob (lines 700-830) for the full set of validations that should be tested.
  • Evidence: test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts:100-125 (current test cases) tools/e2e/workflow-boundary.mts:808-185 (validateOpenclawTuiChatCorrelationHostDependencies - incomplete) tools/e2e/workflow-boundary.mts:700-830 (validateNetworkPolicyJob - complete reference)

PRA-3 Resolve/justify — Host dependency workaround lacks regression test for documented invalidState and removalCondition

  • Location: .github/workflows/e2e.yaml:4000
  • Category: architecture
  • Problem: The apt-get install expect step is documented as a workaround for GitHub-hosted runner images lacking Expect. The comment block specifies invalidState (transient mirror failures), sourceBoundary (trusted workflow chooses package), whyNotSourceFix (runner image and repo move together), regressionTest (workflow-boundary test rejects drift), and removalCondition (when runner image includes Expect). Current workflow-boundary test only validates package allowlist and install-before-prep order — no test exercises the 3-attempt retry loop or validates removalCondition.
  • Impact: The retry logic and removal condition are documented but untested. If the retry behavior regresses (e.g., loop removed, backoff changed) or the step is not removed when Expect becomes pre-installed, the workflow-boundary test will not catch it. The workaround could become permanent technical debt without a guard.
  • Recommended action: Add regression test coverage for: (1) apt-get update retry behavior (mock or document that the 3-attempt loop is exercised), (2) a test that validates the removalCondition by checking if the step can be conditionally omitted when Expect is pre-installed, (3) ensure the package allowlist test already covers the exact command (it does). Consider whether the retry logic belongs in a shared action rather than inline shell.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check .github/workflows/e2e.yaml lines 3995-4015 for the documented workaround comment block and retry loop. Check test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts for any test exercising retry behavior or removalCondition.
  • Missing regression test: Add test case in e2e-host-dependency-workflow-boundary.test.ts that: (1) mocks apt-get update to fail twice then succeed, verifying the 3-attempt retry is executed, (2) validates the step can be removed when a simulated runner image provides Expect (removalCondition).
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check .github/workflows/e2e.yaml lines 3995-4015 for the documented workaround comment block and retry loop. Check test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts for any test exercising retry behavior or removalCondition.
  • Evidence: .github/workflows/e2e.yaml:3995-4015 (workaround comment block and retry loop) test/e2e/support/e2e-host-dependency-workflow-boundary.test.ts:100-125 (current tests only cover allowlist + order)

PRA-4 Resolve/justify — Open PR overlap on workflow boundary validators and job definitions with PR #6582

  • Location: .github/workflows/e2e.yaml:1
  • Category: workflow
  • Problem: PR ci(e2e): guard queued Jetson dispatches #6582 modifies the same files (.github/workflows/e2e.yaml and tools/e2e/workflow-boundary.mts) and likely registers validators, job selector predicates, and shared helpers (validateFreeStandingJobSelector, validateInlineHostDependencyInstall). Concurrent changes risk validator registration conflicts, job selector predicate collisions, and helper function drift.
  • Impact: If both PRs merge without coordination, validator registration order, job selector matching, or shared helper signatures could conflict, causing workflow-boundary validation to miss jobs or produce false positives/negatives.
  • Recommended action: Coordinate with PR ci(e2e): guard queued Jetson dispatches #6582 author. Ensure both PRs' changes to workflow-boundary.mts are compatible: validator registration in validateE2eWorkflowBoundary, job selector predicates, and any shared helpers. Rebase this PR on top of PR ci(e2e): guard queued Jetson dispatches #6582 or vice versa before merge.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check PR ci(e2e): guard queued Jetson dispatches #6582 diff for changes to tools/e2e/workflow-boundary.mts (validator registration, job selectors, shared helpers) and .github/workflows/e2e.yaml (job definitions). Compare with this PR's changes to the same areas.
  • Missing regression test: After coordination/rebase, run validateE2eWorkflowBoundary against the merged workflow to ensure all job validators (including both PRs' new jobs) execute without conflict.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check PR ci(e2e): guard queued Jetson dispatches #6582 diff for changes to tools/e2e/workflow-boundary.mts (validator registration, job selectors, shared helpers) and .github/workflows/e2e.yaml (job definitions). Compare with this PR's changes to the same areas.
  • Evidence: PR ci(e2e): guard queued Jetson dispatches #6582 title: 'feat(gpu): prefer native OpenShell with compatibility fallback' PR ci(e2e): guard queued Jetson dispatches #6582 sameFiles: ['.github/workflows/e2e.yaml'] This PR modifies: .github/workflows/e2e.yaml, tools/e2e/workflow-boundary.mts Commit history shows multiple merges from origin/main but no merge of PR ci(e2e): guard queued Jetson dispatches #6582

PRA-5 Resolve/justify — Risk plan platform-install invariants require cloud-onboard E2E validation

  • Location: .github/workflows/e2e.yaml:1
  • Category: tests
  • Problem: The deterministic risk plan (version 1, headSha 3b0c037) identifies platform-install family (tier 3) matched by .github/workflows/e2e.yaml changes. Required job cloud-onboard is flagged as automatic. The plan states: 'Installer and platform changes must work on a clean supported host with the pinned runtime dependencies.' No evidence that cloud-onboard E2E executed against this exact head SHA.
  • Impact: Platform-install changes (new host dependency step with apt-get retry loop) are not validated on a clean supported host. The risk plan treats cloud-onboard as a required validation floor; skipping it defeats the tier-3 risk gate.
  • Recommended action: Ensure cloud-onboard E2E job passes on the PR head before merge. This is a required validation floor per the risk plan, not an optional check. Coordinate with CI to run cloud-onboard against the exact head SHA (3b0c037).
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check GitHub Actions workflow runs for cloud-onboard job against commit 3b0c037. Verify it completed successfully.
  • Missing regression test: Not a test gap — CI execution gap. The cloud-onboard job itself is the validation; it must run and pass on the PR head.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check GitHub Actions workflow runs for cloud-onboard job against commit 3b0c037. Verify it completed successfully.
  • Evidence: Risk plan: requiredJobs includes cloud-onboard for platform-install family Risk plan: automaticJobs includes cloud-onboard No CI run evidence for cloud-onboard at headSha 3b0c037 in PR context

PRA-6 Improvement — Monolith growth: duplicated security validation logic across job validators

  • Location: tools/e2e/workflow-boundary.mts:808
  • Category: architecture
  • Problem: validateOpenclawTuiChatCorrelationHostDependencies reimplements (incompletely) the security validations that validateNetworkPolicyJob already enforces: checkout persist-credentials=false, dockerhub-auth step presence, per-step secret non-exposure, artifact upload action/path validation, cleanup step (if: always, docker-auth-cleanup.sh). This pattern repeats across multiple job validators, growing the file to 4000+ lines with duplicated logic.
  • Impact: Inconsistent validation coverage (as seen in PRA-1), higher maintenance burden, increased risk of drift when security requirements change. Fixing a validation gap requires updating multiple validators.
  • Suggested action: Extract a shared helper function validateFreeStandingJobSecurityBaseline(errors, jobName, steps, options) that enforces: checkout with persist-credentials=false, dockerhub-auth step presence, per-step secret non-exposure (configurable allowlist for test runner step), artifact upload action/path validation, cleanup step with if: always and docker-auth-cleanup.sh. Refactor validateNetworkPolicyJob, validateOpenclawTuiChatCorrelationHostDependencies, and other free-standing job validators to call the shared helper with job-specific overrides.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search tools/e2e/workflow-boundary.mts for repeated patterns: 'persist-credentials=false', 'dockerhub-auth', 'requireEnvDoesNotExposeSecret', 'upload-e2e-artifacts', 'docker-auth-cleanup.sh'. Count occurrences across validators.
  • Missing regression test: After refactoring, ensure existing workflow-boundary tests still pass and validateOpenclawTuiChatCorrelationHostDependencies mutation tests (from PRA-2) catch security regressions via the shared helper.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: tools/e2e/workflow-boundary.mts:700-830 (validateNetworkPolicyJob full validations) tools/e2e/workflow-boundary.mts:808-185 (validateOpenclawTuiChatCorrelationHostDependencies minimal validations) tools/e2e/workflow-boundary.mts:3879+ (validateE2eWorkflowBoundary calls multiple validators with duplicated patterns)

PRA-7 Resolve/justify — Expect script timeout/eof error paths lack test coverage

  • Location: test/e2e/live/issue-6194-tui-expect.ts:64
  • Category: tests
  • Problem: The Expect scripts define explicit timeout and eof handling with distinct exit codes for each major wait (dashboard, network rule detail, policy polling, post-approval curl, cleanup). However, no test mutates the environment to trigger these error paths (e.g., delaying openshell term startup to hit dashboard timeout, sandbox network partition to hit curl timeout, policy revision never loading). Only the happy path (all markers hit, exitCode 0) is exercised.
  • Impact: If timeout/eof handling regresses (e.g., exit code changed, cleanup not executed, diagnostic not captured), the test suite will not detect it. Error-path behavior is part of the regression guard's fail-closed contract.
  • Recommended action: Add focused contract tests that exercise at least one timeout path and one eof path per Expect script. For example: mock a delayed openshell term to trigger dashboard timeout (exit 64/65), or a sandbox network partition to trigger curl timeout (exit 74/88). Verify the expected exit code, diagnostic capture, and non-blocking cleanup are executed.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check test/e2e/support/issue-6194-tui-post-idle-contract.test.ts for any test that triggers Expect script timeout or eof branches. Search for 'timeout' or 'eof' in test assertions against the Expect scripts.
  • Missing regression test: Add contract test cases that: (1) force openshell_dashboard timeout by mocking delayed openshell term startup, assert exit 64/65 and diagnostic capture, (2) force curl timeout by network partition, assert exit 74/88 and cleanup, (3) force policy revision never loading, assert exit 90 and policyStatusOutput capture.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check test/e2e/support/issue-6194-tui-post-idle-contract.test.ts for any test that triggers Expect script timeout or eof branches. Search for 'timeout' or 'eof' in test assertions against the Expect scripts.
  • Evidence: test/e2e/live/issue-6194-tui-expect.ts:64-71 (dashboard timeout exits 64/65) test/e2e/live/issue-6194-tui-expect.ts:78-87 (network_rule_detail timeout exits 78/79, 80/81, 84/85) test/e2e/live/issue-6194-tui-expect.ts:270-290 (policy polling timeout exit 90) test/e2e/live/issue-6194-tui-expect.ts:315-325 (post-approval curl timeout exit 88/91) test/e2e/support/issue-6194-tui-post-idle-contract.test.ts (no timeout/eof mutation tests)

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Provide clean-host runtime validation for the workflow host-dependency change.
Open items: 0 required · 1 warning · 0 suggestions · 3 test follow-ups
Since last review: 0 prior items resolved · 1 still applies · 0 new items found

Action checklist

  • PRA-1 Resolve or justify: Provide clean-host runtime validation for the workflow host-dependency change in .github/workflows/e2e.yaml:4032
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Provide clean-host runtime validation for the workflow host-dependency change

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify tests .github/workflows/e2e.yaml:4032 Provide exact-head `cloud-onboard` runtime evidence for this PR head, or add an equivalent clean-host E2E validation that exercises the workflow install path and successful agent readiness after installing `expect`.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Provide clean-host runtime validation for the workflow host-dependency change

  • Location: .github/workflows/e2e.yaml:4032
  • Category: tests
  • Problem: The PR changes the trusted E2E workflow host setup by adding a privileged apt install of `expect` for `openclaw-tui-chat-correlation`. Static workflow-boundary and contract tests cover package allowlist/order and [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 behavior, but they do not prove the deterministic `platform-install` invariant that a clean supported host installs the intended dependencies and reaches a usable agent at the current head.
  • Impact: A workflow host-dependency change could pass static tests while failing on a fresh hosted runner due to apt repository, image, or setup differences, leaving the new TUI regression target unusable in the environment it is meant to validate.
  • Recommended action: Provide exact-head `cloud-onboard` runtime evidence for this PR head, or add an equivalent clean-host E2E validation that exercises the workflow install path and successful agent readiness after installing `expect`.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read the riskPlan for head `3b0c03720c3d5154a08f627cce6139ebfe20a41f` and confirm trusted exact-head `cloud-onboard` evidence exists; do not substitute static workflow-boundary/support-test output for the clean-host runtime proof.
  • Missing regression test: Run or provide trusted exact-head evidence for the `cloud-onboard` E2E job validating that a clean supported host installs the workflow dependencies and reaches a usable agent after the host-dependency change.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read the riskPlan for head `3b0c03720c3d5154a08f627cce6139ebfe20a41f` and confirm trusted exact-head `cloud-onboard` evidence exists; do not substitute static workflow-boundary/support-test output for the clean-host runtime proof.
  • Evidence: Risk plan family `platform-install` matches `.github/workflows/e2e.yaml` and lists invariant: `a clean host installs the intended pinned dependencies and reaches a usable agent`. Risk plan required validation floor is `cloud-onboard` for head `3b0c03720c3d5154a08f627cce6139ebfe20a41f`. Static test inventory includes workflow-boundary tests for package allowlist/order and [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 support contracts, but the tests/regression context did not provide trusted exact-head clean-host runtime evidence.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `cloud-onboard` E2E job for Installer and platform changes must work on a clean supported host with the pinned runtime dependencies. Matched files: `.github/workflows/e2e.yaml`.. Deterministic regression risks require live validation: platform-install. Static and live-test source coverage is strong for [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 behavior, workflow package allowlist/order, spawn binding, redaction, policy polling, and failure diagnostics. However, the deterministic `platform-install` risk plan for `.github/workflows/e2e.yaml` requires clean-host runtime validation as a floor, and the review context did not provide trusted exact-head evidence that `cloud-onboard` ran for head `3b0c03720c3d5154a08f627cce6139ebfe20a41f`.
  • PRA-T2 Runtime validation — Run or provide trusted exact-head evidence for the `cloud-onboard` E2E job validating that a clean supported host installs the workflow dependencies and reaches a usable agent after the `expect` host-dependency change.. Deterministic regression risks require live validation: platform-install. Static and live-test source coverage is strong for [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 behavior, workflow package allowlist/order, spawn binding, redaction, policy polling, and failure diagnostics. However, the deterministic `platform-install` risk plan for `.github/workflows/e2e.yaml` requires clean-host runtime validation as a floor, and the review context did not provide trusted exact-head evidence that `cloud-onboard` ran for head `3b0c03720c3d5154a08f627cce6139ebfe20a41f`.
  • PRA-T3 Provide clean-host runtime validation for the workflow host-dependency change — Provide exact-head `cloud-onboard` runtime evidence for this PR head, or add an equivalent clean-host E2E validation that exercises the workflow install path and successful agent readiness after installing `expect`.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Provide clean-host runtime validation for the workflow host-dependency change

  • Location: .github/workflows/e2e.yaml:4032
  • Category: tests
  • Problem: The PR changes the trusted E2E workflow host setup by adding a privileged apt install of `expect` for `openclaw-tui-chat-correlation`. Static workflow-boundary and contract tests cover package allowlist/order and [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 behavior, but they do not prove the deterministic `platform-install` invariant that a clean supported host installs the intended dependencies and reaches a usable agent at the current head.
  • Impact: A workflow host-dependency change could pass static tests while failing on a fresh hosted runner due to apt repository, image, or setup differences, leaving the new TUI regression target unusable in the environment it is meant to validate.
  • Recommended action: Provide exact-head `cloud-onboard` runtime evidence for this PR head, or add an equivalent clean-host E2E validation that exercises the workflow install path and successful agent readiness after installing `expect`.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read the riskPlan for head `3b0c03720c3d5154a08f627cce6139ebfe20a41f` and confirm trusted exact-head `cloud-onboard` evidence exists; do not substitute static workflow-boundary/support-test output for the clean-host runtime proof.
  • Missing regression test: Run or provide trusted exact-head evidence for the `cloud-onboard` E2E job validating that a clean supported host installs the workflow dependencies and reaches a usable agent after the host-dependency change.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read the riskPlan for head `3b0c03720c3d5154a08f627cce6139ebfe20a41f` and confirm trusted exact-head `cloud-onboard` evidence exists; do not substitute static workflow-boundary/support-test output for the clean-host runtime proof.
  • Evidence: Risk plan family `platform-install` matches `.github/workflows/e2e.yaml` and lists invariant: `a clean host installs the intended pinned dependencies and reaches a usable agent`. Risk plan required validation floor is `cloud-onboard` for head `3b0c03720c3d5154a08f627cce6139ebfe20a41f`. Static test inventory includes workflow-boundary tests for package allowlist/order and [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 support contracts, but the tests/regression context did not provide trusted exact-head clean-host runtime evidence.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

chengjiew added 3 commits July 7, 2026 00:57
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/package-contract/cli/config-set-cli-dispatch.test.ts (1)

81-89: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Inconsistent mock shape vs. other stubbed modules.

Other mocked require.cache entries in this file use a Proxy that falls back to vi.fn() for unknown properties (Lines 73-76), but the oclifRunnerPath exports object here is a plain literal with only runOclifArgv/runOclifCommandById. If oclif-runner.js gains or exposes another export consumed along this dispatch path, this would throw TypeError: ... is not a function instead of failing gracefully like the other stubs. Based on the current public-dispatch.ts usage shown in context, only these two functions are consumed, so this is low risk today but worth aligning with the established pattern for resilience against future changes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/package-contract/cli/config-set-cli-dispatch.test.ts` around lines 81 -
89, The oclifRunnerPath mock uses a plain exports object, unlike the other
require.cache stubs that use a Proxy fallback. Update the mocked oclifRunnerPath
entry in config-set-cli-dispatch.test.ts to follow the same Proxy-based shape as
the other module stubs, while still exposing runOclifArgv and
runOclifCommandById, so any future unexpected export access degrades
consistently instead of throwing.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/live/openclaw-tui-chat-correlation.test.ts`:
- Around line 236-297: The Expect script in buildIssue6194TuiExpectScript is
self-matching echoed input instead of verifying real TUI output. Update the two
expect checks after send -- "Reply exactly NEMOCLAW6194_CHAT_OK..." and send --
"/nemoclaw status\\r" so they anchor on output that cannot appear in the
user-entered command text, or explicitly consume the echoed line before
matching. Keep the existing ISSUE6194_MARK markers but make the regexes in
buildIssue6194TuiExpectScript validate only the TUI response, not the sent
command.

---

Nitpick comments:
In `@test/package-contract/cli/config-set-cli-dispatch.test.ts`:
- Around line 81-89: The oclifRunnerPath mock uses a plain exports object,
unlike the other require.cache stubs that use a Proxy fallback. Update the
mocked oclifRunnerPath entry in config-set-cli-dispatch.test.ts to follow the
same Proxy-based shape as the other module stubs, while still exposing
runOclifArgv and runOclifCommandById, so any future unexpected export access
degrades consistently instead of throwing.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: acacff39-7317-410f-ad5e-6e1242b7fbef

📥 Commits

Reviewing files that changed from the base of the PR and between a8b23d6 and 9aec0ea.

📒 Files selected for processing (4)
  • test/e2e/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e/support/issue-6194-tui-post-idle-contract.test.ts
  • test/nemoclaw-start.test.ts
  • test/package-contract/cli/config-set-cli-dispatch.test.ts
✅ Files skipped from review due to trivial changes (1)
  • test/e2e/support/issue-6194-tui-post-idle-contract.test.ts

Comment thread test/e2e/live/openclaw-tui-chat-correlation.test.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/e2e/live/issue-6194-tui-expect.ts (1)

6-99: 📐 Maintainability & Code Quality | 🔵 Trivial

Repeated expect { ... timeout {...} eof {...} } boilerplate across 7 blocks.

The connected[^\r\n]*idle pattern and the timeout/eof-with-Ctrl-C-and-exit-code boilerplate is duplicated across all seven expect blocks. A small Tcl proc (or a JS-side template helper that emits this block given a pattern, mark name, and exit-code pair) would shrink the generated script and make future mark/exit-code changes less error-prone. Given this is templated string generation rather than executed Tcl logic per se, this is optional and can be deferred.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/live/issue-6194-tui-expect.ts` around lines 6 - 99, The generated
Tcl script repeats the same connected-idle expectation and timeout/eof Ctrl-C
handling across multiple expect blocks, so factor that boilerplate out in
buildIssue6194TuiExpectScript. Add a small JS-side helper or Tcl proc that takes
the regex, mark name, and exit codes, then reuse it for the repeated expect
sequences so the template stays shorter and easier to update.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e/live/issue-6194-tui-expect.ts`:
- Around line 6-99: The generated Tcl script repeats the same connected-idle
expectation and timeout/eof Ctrl-C handling across multiple expect blocks, so
factor that boilerplate out in buildIssue6194TuiExpectScript. Add a small
JS-side helper or Tcl proc that takes the regex, mark name, and exit codes, then
reuse it for the repeated expect sequences so the template stays shorter and
easier to update.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 04e04616-2459-4ff2-a1f9-15cf65ff9710

📥 Commits

Reviewing files that changed from the base of the PR and between dac74e5 and 646f1d0.

📒 Files selected for processing (6)
  • src/lib/actions/sandbox/rebuild-prepared-recovery.test.ts
  • test/e2e/fixtures/clients/host.ts
  • test/e2e/live/issue-6194-tui-expect.ts
  • test/e2e/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e/support/issue-6194-tui-post-idle-contract.test.ts
  • test/package-contract/cli/config-set-cli-dispatch.test.ts
✅ Files skipped from review due to trivial changes (1)
  • test/e2e/fixtures/clients/host.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • test/e2e/support/issue-6194-tui-post-idle-contract.test.ts
  • test/package-contract/cli/config-set-cli-dispatch.test.ts
  • test/e2e/live/openclaw-tui-chat-correlation.test.ts

Comment thread test/e2e/live/openclaw-tui-chat-correlation.test.ts Fixed
Comment thread test/e2e/live/openclaw-tui-chat-correlation.test.ts Fixed
chengjiew added 2 commits July 7, 2026 04:00
…_idle_v2

# Conflicts:
#	src/lib/actions/sandbox/rebuild-prepared-recovery.test.ts
@jyaunches

Copy link
Copy Markdown
Contributor

Exact-head refresh after the prior sequencing blockers landed:

  • #6560 and #6566 are merged.
  • Branch is current with main at 6073b643993abe5e5c4095372f20a54142fdd446.
  • Ordinary CI is green: no failed or pending required checks.
  • Required E2E passed at this exact head: run 29031040550 (cloud-onboard, openclaw-tui-chat-correlation).
  • PR Review Advisor is now informational only: 0 required, 0 warnings, 0 suggestions; runtime follow-ups are covered by the exact-head E2E run above.
  • No unresolved review threads remain.
  • @jyaunches approved from review side.

Requesting re-review/clearance of the stale CHANGES_REQUESTED review so this can proceed to merge once the review gate updates.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29032540924
Workflow ref: fix/6194_openclaw_tui_idle_v2
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,openclaw-tui-chat-correlation
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
openclaw-tui-chat-correlation ✅ success

@apurvvkumaria

Copy link
Copy Markdown
Collaborator

Maintainer resolution for exact head 6073b643993abe5e5c4095372f20a54142fdd446 and Advisor PRA-1:

The combined live target is intentional. The terminal-idle, approval, and WebSocket phases reuse one provisioned sandbox, which avoids repeating slow external cloud setup. They still have explicit diagnostic boundaries: openclaw-tui-terminal-after-connected-idle, openshell-network-rule-terminal-approval, and openclaw-gateway-websocket, plus distinct ISSUE6194_MARK values and phase-specific exit codes. This preserves failure attribution while keeping the live test economical.

Exact-head validation passed in run 29032540924: both cloud-onboard and openclaw-tui-chat-correlation succeeded. Splitting the target would repeat provisioning without improving diagnostic isolation.

cv added 2 commits July 9, 2026 09:27
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 29034353469
Workflow ref: fix/6194_openclaw_tui_idle_v2
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,openclaw-tui-chat-correlation
Summary: 1 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
openclaw-tui-chat-correlation ❌ failure

Failed jobs: openclaw-tui-chat-correlation. Check run artifacts for logs.

cv and others added 2 commits July 9, 2026 09:55
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 29035248442
Workflow ref: fix/6194_openclaw_tui_idle_v2
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,openclaw-tui-chat-correlation
Summary: 1 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
openclaw-tui-chat-correlation ❌ failure

Failed jobs: openclaw-tui-chat-correlation. Check run artifacts for logs.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29035848193
Workflow ref: fix/6194_openclaw_tui_idle_v2
Requested targets: (default — all supported)
Requested jobs: cloud-onboard,openclaw-tui-chat-correlation
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-onboard ✅ success
openclaw-tui-chat-correlation ✅ success

@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Exact-head evidence for d1ea65a544426ed48b4824fb0bfdfd14b921934f:

  • Required E2E run 29035848193 passed both advisor-required jobs: cloud-onboard and openclaw-tui-chat-correlation.
  • The audited cloud-onboard artifact installs the exact head from the public installer on a clean hosted runner, exits 0 after deployment verification reports a healthy gateway and dashboard, and verifies cleanup. Artifact digest: sha256:4226b386b9150dd50486eaab7025030c61d17d9d316448a069fe3b6e217e27d7.
  • The audited OpenClaw artifact records approval revision 4, nine pending samples with active revision 3, then revision 4 loaded and active on attempt 10. Only after that convergence it performs exactly one retry of https://api.atlassian.com/oauth/token/accessible-resources, receives the required unauthenticated HTTP 401, reports policyUpdated: true, and verifies cleanup. Artifact digest: sha256:c7138daffb9c38133c824e3061efd4d6e9dc5021320d7479ab8c2451826dd9fd.
  • E2E advisor run 29035840300 independently requires exactly those two jobs; both are covered above. Its optional network-policy recommendation is adjacency-only because no production network-policy implementation changed.

This resolves the primary GPT advisor's sole PRA-1 warning and runtime follow-ups from attempt 1; advisor run 29035840279 has been rerun after publishing this evidence. No merge action taken.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 29036102053
Workflow ref: fix/6194_openclaw_tui_idle_v2
Requested targets: (default — all supported)
Requested jobs: openclaw-tui-chat-correlation
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
openclaw-tui-chat-correlation ✅ success

@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Maintainer disposition for the nonbinding Nemotron findings on exact head d1ea65a544426ed48b4824fb0bfdfd14b921934f:

The remaining architecture suggestions are nonblocking: Expect is used for real multi-PTY fidelity, the two phases have separate spawn IDs/captures/result artifacts, and focused contracts enforce explicit approval input and prevent assistant prose from serving as an approval oracle. No merge action taken.

@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Disposition for Nemotron attempt-2 PRA-1/PRA-2 on d1ea65a544426ed48b4824fb0bfdfd14b921934f: false premise and redundant requested coverage; no code change needed.

  • The openclaw-tui-chat-correlation job already ends with the canonical Clean up Docker auth step (if: always(), shell: bash, bash .github/scripts/docker-auth-cleanup.sh) at .github/workflows/e2e.yaml:4077-4080. Exact-head run 29035848193 executed that step successfully. The advisor inspected only through line 4070 and missed the existing final step.
  • validateDockerHubAuthBoundary is intentionally repo-wide rather than duplicated in every job-specific validator. Because this job has E2E_JOB: "1" and is not a no-image exemption, tools/e2e/workflow-boundary.mts:2025-2110 enforces exactly one canonical Docker auth alias and exactly one canonical cleanup, auth immediately after checkout, cleanup after test work and as the final step, no Docker credentials at job scope, and no Docker credential/config exposure from any non-auth step.
  • validateFreeStandingInventoryBoundary independently enforces the common job-level secret boundary, full-SHA actions, and no direct secret interpolation in run scripts for this job. The workflow itself has persist-credentials: false, localizes NVIDIA_INFERENCE_API_KEY to the live-test step, and uses the pinned shared artifact action.
  • test/e2e/support/dockerhub-auth-workflow-boundary.test.ts dynamically enumerates every image-consuming E2E job (more than 50, including this one), asserts canonical auth/cleanup and ordering for each, and mutation-tests missing auth and cleanup across the entire set. That suite passed within the current-head full e2e-support result (869/869). The new job-specific host-dependency tests correctly cover only the delta they own: one-package allowlisting and install-before-workspace ordering.

The requested duplicate per-job mutations would not close an uncovered credential boundary. Primary GPT attempt 2 independently recommends merge_as_is; Nemotron remains nonbinding. No merge action taken.

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved at exact head d1ea65a544426ed48b4824fb0bfdfd14b921934f.

  • deterministic maintainer gate: all pass (50 checks green, clean merge state, no unresolved major/critical CodeRabbit findings, risky workflow path covered, DCO present, all 45 commits GitHub Verified);
  • primary PR Review Advisor attempt 2: merge_as_is;
  • required exact-head E2E: run 29035848193 passed cloud-onboard and openclaw-tui-chat-correlation, with audited artifacts proving clean-host deployment and the loaded/active revision-4 policy before the exact Atlassian retry returned HTTP 401;
  • latest Nemotron cleanup finding is a false positive: the canonical final cleanup exists and passed, while the repo-wide Docker-auth validator and mutation suite already cover this job. Maintainer disposition: #6296 (comment).

Approval only; no merge action taken.

@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Exact-head merge audit for aff5821a7ec99b8be45a30208696b4a6affbd8b6:

  • This is a GitHub-Verified merge-only commit with parents d1ea65a544426ed48b4824fb0bfdfd14b921934f and current main e2777f8652b4d1633f1c446b517bef98bc9ae916 (fix(dcode): enforce sandbox process and file descriptor limits #6559).
  • Relative to current main, the PR still changes exactly the same six test(openclaw): cover TUI idle timeout regression #6296 files. Every one of those files has the identical Git blob at d1ea65a and aff5821a (workflow, both live-test files, both support-test files, and workflow-boundary.mts). The merge introduced no conflict-resolution edit to the PR behavior or its test harness.
  • Relative to d1ea65a, the only additions are the already-merged fix(dcode): enforce sandbox process and file descriptor limits #6559 DCode resource-limit files from main. The changed cloud check exits before its new DCode assertions when the sandbox is not DCode; the audited cloud-onboard artifact for this PR provisions OpenClaw and recorded that check as skipped. The only shared OpenClaw-consumed change, scripts/lib/sandbox-rlimits.sh, adds an opt-in exact verifier for DCode while preserving the existing maximum-cap verifier and its OpenClaw/Hermes call contract.
  • Therefore prior run 29035848193 remains behaviorally applicable to the unchanged test(openclaw): cover TUI idle timeout regression #6296 cloud/TUI surfaces: both required jobs passed, and the OpenClaw artifact proved policy revision 4 loaded/active before the one-shot Atlassian HTTP 401 retry. Fresh ordinary CI and advisors are still required on aff5821a; a new live dispatch will be added only if the refreshed deterministic risk/advisor gate identifies an exact-tree runtime delta not covered by the merge audit above.

No merge action taken.

@cv
cv enabled auto-merge (squash) July 9, 2026 17:30
@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Maintainer disposition for Nemotron attempt 1 on exact head aff5821a7ec99b8be45a30208696b4a6affbd8b6:

  • PRA-1 / PRA-2: the requested per-job Docker-auth validator is redundant with the repo-wide boundary and its dynamic mutation suite. validateDockerHubAuthBoundary classifies this E2E_JOB: "1" target as image-consuming and enforces exactly one canonical auth and cleanup step, ordering, final cleanup, and Docker credential/config non-exposure. validateFreeStandingInventoryBoundary adds common secret, full-SHA action, and direct-interpolation checks. dockerhub-auth-workflow-boundary.test.ts enumerates every image job and mutation-tests missing auth/cleanup across that set. The exact evidence and line-level disposition remain recorded in comment 4927788976; all relevant blobs are unchanged on this merge-only head.
  • PRA-3: the retry claim is factually incorrect. validateInlineHostDependencyInstall requires for attempt in 1 2 3, sudo apt-get update, the terminal-attempt branch, the three-attempt failure marker, and sleep $((attempt * 5)); it also requires exactly one sudo apt-get install -y --no-install-recommends expect line. The support suite mutation-tests package drift. removalCondition is the documented condition for deleting the workaround when the hosted image supplies Expect, not a runtime branch that should silently skip the trusted setup today.
  • PRA-4: merge sequencing is already explicit: land test(openclaw): cover TUI idle timeout regression #6296 first, then update ci(e2e): guard queued Jetson dispatches #6582 from main and rerun its Jetson-focused contracts. ci(e2e): guard queued Jetson dispatches #6582 is still open on an older base and touches different functional regions of the shared files. See comment 4927747955.
  • PRA-5: the acceptance mapping is already documented on the issue itself at NVIDIA/NemoClaw#6194 comment 4927112403, and it links the canonical approval and CLI-selection docs. The advisor's own evidence points to that issue comment, so the claimed discoverability gap does not exist.
  • PRA-6 and runtime follow-ups: exact-head union run 29037281297 has been dispatched for both deterministic required targets, cloud-onboard and openclaw-tui-chat-correlation. This remains a hard gate until it passes and its artifacts are audited.

No merge action taken.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 29037281297
Workflow ref: fix/6194_openclaw_tui_idle_v2
Requested targets: (default — all supported)
Requested jobs: (selector rejected by workflow validation)
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
generate-matrix ❌ failure

Failed jobs: generate-matrix. Check run artifacts for logs.

@cv
cv merged commit 521bb13 into main Jul 9, 2026
42 checks passed
@cv
cv deleted the fix/6194_openclaw_tui_idle_v2 branch July 9, 2026 17:51
@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Post-merge gate audit for final PR head 3b0c03720c3d5154a08f627cce6139ebfe20a41f and merge commit 521bb1318d7bb8a9748ff005f1e79ea711a5682c:

  • The trusted post-merge risk plan selected cloud-onboard; run 29038667617 passed it on the exact merge commit.
  • The TUI implementation and its [All Platforms][Agent&Skills] openclaw tui interactions timeout after connected idle on v0.0.72 #6194 live/contract test blobs did not change after the passing d1ea65a union run; run 29035848193 passed both openclaw-tui-chat-correlation and cloud-onboard with audited artifacts.
  • The later merge-only head composed already-reviewed main changes. Its ordinary CI completed green.
  • The final Nemotron auth/cleanup premise is not applicable to the current tree: the repo-wide validateDockerHubAuthBoundary enforces one canonical auth step, one final always-run cleanup, and Docker Hub secret non-exposure for every image-consuming E2E job; the upload-action boundary independently validates artifact uploads. The job itself keeps persist-credentials: false.

For clarity, run 29039604494 is not a product-test failure. My attempted post-merge manual dispatch omitted the required risk-shadow provenance inputs, so generate-matrix rejected it before either requested test ran; reporting also correctly refused to comment on a closed PR.

This closes the final-head runtime-evidence warning post-merge. A job-specific checkout mutation assertion would be additional hardening, not evidence of an unsafe current workflow.

@jyaunches jyaunches mentioned this pull request Jul 9, 2026
21 tasks
cv pushed a commit that referenced this pull request Jul 9, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- #6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- #6271 and #6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- #6465, #6539, #6570, and #6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- #6523, #6551, #6484, #6488, #6324, and #6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- #6559, #6538, #6560, #6568, #6552, #6567, and #6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- #6541, #5415, #6246, #6496, and #6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- #6253, #6572, #6444, #6536, and #5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- #6508, #6527, #5506, #6588, #6446, #6447, #6582, #6296, #6367, #6397,
and #6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Adds explicit NVIDIA#6194 regression coverage for the OpenClaw terminal TUI
timeout-after-connected-idle failure mode. The existing live correlation
target drives the real OpenClaw TUI after connected idle, verifies chat
and /nemoclaw status, and confirms a bounded clean exit. It then
separately drives the supported host-side OpenShell terminal UI and a
direct sandbox curl to prove deterministic network-rule approval without
using assistant prose as an oracle. After the UI acknowledges the
approval, the target retries the exact documented Atlassian probe and
requires its unauthenticated HTTP 401 response to prove that the running
policy was actually updated.

The historical report used NemoClaw v0.0.72. This target guards the
current branch against the same post-idle regression instead of
reinstalling that known-bad release, and reuses the existing NVIDIA#2603/NVIDIA#3145
provisioned sandbox to avoid a second long cloud setup.

## Related Issue

Refs NVIDIA#6194 — current-branch regression guard for the supported OpenClaw
TUI and OpenShell approval surfaces.

## Changes

- Add a dedicated Expect flow for chat, status, and a bounded two-step
Ctrl+C exit after connected idle.
- Pin the host-side OpenShell Expect PTY to xterm-256color at 40x120,
bind every multi-pattern wait to its intended spawn, and keep failure
cleanup nonblocking.
- Add a separate OpenShell terminal approval phase with an argv-bounded
direct curl, empty-pending-queue preflight, exact sandbox/host/binary
checks, and supported approval action.
- Match stable sandbox-detail labels and strip OpenShell SGR styling
before parsing CLI rule evidence.
- Use the fixed Atlassian URL as the deny-by-default pending-rule
trigger, then retry that exact full URL after approval and require the
documented unauthenticated HTTP 401 success signal.
- Parse the policy revision from the approval acknowledgement and
bounded-poll its read-only status until that exact revision is loaded
and active before retrying the request.
- Publish a separate post-approval capture plus structured endpoint,
expected-status, observed-status, and running-policy marker fields
before assertions.
- Declare all three combined live boundaries explicitly: OpenClaw
websocket correlation, OpenClaw post-idle terminal input, and OpenShell
network-rule terminal approval.
- Extend openclaw-tui-chat-correlation so the new flow reuses its
provisioned cloud sandbox.
- Add fast e2e-support contracts for marker ordering, complete boundary
metadata, secret redaction, trusted host-command use, spawn binding,
ANSI normalization, the two-step exit, fail-closed capture diagnostics,
and post-approval policy proof ordering.
- Precreate terminal captures, publish structured missing/empty/marker
diagnostics before assertions, and redact raw captures before writing
artifacts.
- Install the single allowlisted expect host dependency in the selected
live job, with a pinned workflow-boundary regression contract.
- Remove unrelated config-dispatch and auto-pair test changes during
maintainer salvage.

## Original Author Credit

@chengjiew authored the NVIDIA#6194 reproduction design and implementation.
The maintainer synchronization and scope-cleanup commits preserve that
work; the scope-cleanup commit also records Chengjie Wang as co-author.

## Maintainer Gate Disposition

- The combined target is deliberate. The existing correlation target
already provisions the real cloud sandbox, gateway, hosted inference
route, and OpenClaw runtime needed by all three boundaries. Running the
NVIDIA#6194 phases sequentially against that one sandbox avoids a second
expensive onboard and avoids cross-run state variance. Diagnostics
remain isolated by boundary: the OpenClaw TUI and OpenShell approval
phases have separate Expect scripts, spawn IDs, exit-code ranges,
structured result JSON, raw/plain captures, and shell result artifacts.
A failure identifies its owning phase and marker instead of collapsing
into one transcript.
- The fast contract tests inspect the generated Tcl because several
safety invariants are source boundaries that one successful PTY run
cannot prove: every multi-pattern wait must bind to the intended spawn,
host commands must retain exact argv boundaries, markers and timeouts
must remain ordered, cleanup must stay nonblocking, pending-rule
evidence must match the exact sandbox/endpoint/binary, assistant prose
must not become an approval oracle, the exact post-approval retry must
follow the UI acknowledgement, and redaction/diagnostic artifacts must
precede assertions. These are focused mutation guards for concrete
failures encountered while stabilizing the live path. The exact live job
supplies the complementary behavior proof.
- Exact-head run
[29034353469](https://github.com/NVIDIA/NemoClaw/actions/runs/29034353469)
proved the new fail-closed check by rejecting an immediate HTTP 000
retry after approval. Follow-up run
[29035248442](https://github.com/NVIDIA/NemoClaw/actions/runs/29035248442)
proved the read-only synchronization path and no-curl-before-loaded
invariant: cloud-onboard passed, while all captured policy samples still
showed acknowledged revision 4 pending with active revision 3, so the
final curl did not run. Behavior-tested head
d1ea65a uses OpenShell's supported
60-second policy-load deadline. Run
[29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193)
passed both required jobs on that head. Its audited OpenClaw artifact
reports acknowledged revision 4 loaded and active on polling attempt 10,
then exactly one retry of the documented Atlassian endpoint returning
HTTP 401, with `policyUpdated: true` and successful cleanup. The
independently audited cloud-onboard artifact installs that exact SHA on
a clean hosted runner, exits 0 after deployment verification reports a
healthy gateway and dashboard, and verifies cleanup. Artifact digests:
`sha256:c7138daffb9c38133c824e3061efd4d6e9dc5021320d7479ab8c2451826dd9fd`
(OpenClaw) and
`sha256:4226b386b9150dd50486eaab7025030c61d17d9d316448a069fe3b6e217e27d7`
(cloud-onboard). Current head aff5821
is a GitHub-Verified merge-only commit of d1ea65a and current main
e2777f8 (NVIDIA#6559): all six PR files retain identical Git blobs, and the
only added main changes are the already-merged DCode resource-limit
work. The [merge
audit](NVIDIA#6296 (comment))
records why the prior cloud/TUI evidence remains behaviorally applicable
while fresh ordinary CI and advisors run on aff5821.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: test-only regression
coverage; no user-facing behavior changed.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — test/workflow-only change; maintainer review verified the
host-side OpenShell approval boundary, transcript isolation, and
fail-closed artifact contracts.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] Required live E2E behavior evidence with merge-only reuse audit —
[run
29035848193](https://github.com/NVIDIA/NemoClaw/actions/runs/29035848193)
passed cloud-onboard and openclaw-tui-chat-correlation on
d1ea65a; audited artifacts prove
clean-host install/deployment, revision 4 loaded and active before the
exact Atlassian retry returned HTTP 401, and successful cleanup. Current
head aff5821 changes none of those PR
files and only merges current main's already-landed NVIDIA#6559 DCode work;
see the linked merge audit above.
- [x] Current-head phase attribution and post-approval contracts —
focused 11/11 and full e2e-support 869/869 passed.
- [x] PR description includes DCO declarations and every commit is
GitHub Verified
- [x] Normal pre-commit, commit-msg, and pre-push hooks passed on the
salvaged head
- [x] Focused final TUI PTY, metadata, capture-diagnostic, and
post-approval contract — 11/11 passed
- [x] Full e2e-support suite — 869/869 passed on the current head
- [x] npm run build:cli — passed
- [x] cd nemoclaw && npm run build — passed
- [x] Quality Gates section completed with required justifications
- [x] No secrets, API keys, or credentials committed
- [ ] npm run docs builds without warnings (doc changes only)
- [ ] Doc pages follow the style guide (doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>

---------

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Apurv Kumaria <akumaria@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Julie Yaunches <jyaunches@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Adds the pre-tag v0.0.79 release notes entry to
`docs/about/release-notes.mdx` so the release plan can be generated
after docs merge.
The entry summarizes the merged v0.0.79 release train across inference,
diagnostics, runtime hardening, policies, onboarding recovery, and
release validation.

## Changes
- Added the v0.0.79 release notes section with linked follow-up
documentation for OpenRouter onboarding, managed vLLM changes,
completion and logging, Deep Agents runtime limits, policy updates,
onboarding recovery, and release validation.
- Source summary:
- NVIDIA#6461 -> `docs/about/release-notes.mdx`: Documents OpenRouter
onboarding support and links to inference/provider references.
- NVIDIA#6271 and NVIDIA#6272 -> `docs/about/release-notes.mdx`: Documents shell
completion and structured logging highlights.
- NVIDIA#6465, NVIDIA#6539, NVIDIA#6570, and NVIDIA#6528 -> `docs/about/release-notes.mdx`:
Documents status route-drift, orphaned sandbox, gateway cleanup, and DGX
Spark express-install diagnostics.
- NVIDIA#6523, NVIDIA#6551, NVIDIA#6484, NVIDIA#6488, NVIDIA#6324, and NVIDIA#6542 ->
`docs/about/release-notes.mdx`: Documents managed vLLM, Qwen3.6 tool
parser, compaction, and timeout/readiness improvements.
- NVIDIA#6559, NVIDIA#6538, NVIDIA#6560, NVIDIA#6568, NVIDIA#6552, NVIDIA#6567, and NVIDIA#6587 ->
`docs/about/release-notes.mdx`: Documents runtime, credential, proxy,
PID namespace, TOML, and provider-state hardening.
- NVIDIA#6541, NVIDIA#5415, NVIDIA#6246, NVIDIA#6496, and NVIDIA#6573 ->
`docs/about/release-notes.mdx`: Documents GitHub policy, Gmail policy,
MCP allowlist, WhatsApp, and messaging-variant updates.
- NVIDIA#6253, NVIDIA#6572, NVIDIA#6444, NVIDIA#6536, and NVIDIA#5860 ->
`docs/about/release-notes.mdx`: Documents onboarding resume and
create-step recovery improvements.
- NVIDIA#6508, NVIDIA#6527, NVIDIA#5506, NVIDIA#6588, NVIDIA#6446, NVIDIA#6447, NVIDIA#6582, NVIDIA#6296, NVIDIA#6367, NVIDIA#6397,
and NVIDIA#6505 -> `docs/about/release-notes.mdx`: Documents docs,
release-risk, and E2E validation updates.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: Release-note prose only.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: Tests
not applicable, release-note prose only.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Docs validation note: `npm run docs:check-agent-variants && npm run
docs:check-routes && git diff --check` passed. Full `npm run docs` is
currently blocked before Fern validation because the pinned
`fern-api@5.65.2` package is unavailable from npm (`ETARGET No matching
version found`).

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Julie Yaunches <jyaunches@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added release notes for v0.0.79 with a new summary of recent
improvements, including onboarding and inference options, operator/CLI
diagnostics, sandbox recovery hardening, runtime limits, network policy
behavior, and release validation updates.
  * Added updated references and links for the latest release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: e2e End-to-end tests, nightly failures, or validation infrastructure area: ui Web UI, terminal display, visual layout, or UX behavior chore Build, CI, dependency, or tooling maintenance integration: openclaw OpenClaw integration behavior v0.0.79 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

8 participants