Skip to content

test(e2e): hermeticize DCode fresh re-onboard inference#6530

Closed
HOYALIM wants to merge 1 commit into
NVIDIA:mainfrom
HOYALIM:codex/issue-5747-hermetic-e2e-inference
Closed

test(e2e): hermeticize DCode fresh re-onboard inference#6530
HOYALIM wants to merge 1 commit into
NVIDIA:mainfrom
HOYALIM:codex/issue-5747-hermetic-e2e-inference

Conversation

@HOYALIM

@HOYALIM HOYALIM commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Convert the Deep Agents Code fresh re-onboard bash check to use the existing hermetic fake OpenAI-compatible endpoint for its onboarding prerequisite.
  • Stop passing the hosted NVIDIA inference key into that specific cloud-experimental check path.
  • Add platform parity coverage that the script runs without COMPATIBLE_API_KEY, rejects leaked hosted env, and records a fake inference POST.

Validation

  • bash -n test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh
  • bash -n test/e2e/lib/hermetic-compatible-inference.sh
  • npx vitest run --project e2e-support test/e2e/support/platform-parity-cloud-experimental.test.ts -t "fresh re-onboard|hosted inference key"
  • git diff --check
  • npx @biomejs/biome format test/e2e/live/cloud-experimental-checks.ts test/e2e/support/platform-parity-cloud-experimental.test.ts
  • npm run build:cli
  • npm run check:diff

DCO: Verified commit ce9ebcd contains Signed-off-by: Ho Lim subhoya@gmail.com.

Summary by CodeRabbit

  • Bug Fixes

    • Improved the fresh re-onboard flow to work with compatible local endpoints without requiring a hosted API key.
    • Added stronger verification that the expected compatible inference endpoint is used and that the flow completes successfully.
  • Tests

    • Expanded end-to-end coverage for the fresh re-onboard scenario using fake binaries.
    • Added validation to ensure API key redaction and safer command payload handling during checks.

Copilot AI review requested due to automatic review settings July 9, 2026 01:35
@copy-pr-bot

copy-pr-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 47ba07ae-f60b-491a-882c-441f3cba6bcb

📥 Commits

Reviewing files that changed from the base of the PR and between ce9ebcd and 4b41edc.

📒 Files selected for processing (3)
  • test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh
  • test/e2e/live/cloud-experimental-checks.ts
  • test/e2e/support/platform-parity-cloud-experimental.test.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/e2e/live/cloud-experimental-checks.ts
  • test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh

📝 Walkthrough

Walkthrough

The fresh re-onboard e2e check now starts hermetic compatible inference, uses safer payload quoting, and no longer requires a hosted-inference API key. The runner conditionally clears the API key for this check, and tests cover the new execution path and API key handling.

Changes

Hermetic fresh re-onboard flow

Layer / File(s) Summary
Shell quoting and hermetic inference lifecycle
test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh
Adds shell quoting for embedded payloads and sources hermetic-compatible-inference tooling with an EXIT trap to stop it.
Re-onboard flow rewired to hermetic inference
test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh
Removes the COMPATIBLE_API_KEY requirement, exports NEMOCLAW_E2E_COMPATIBLE_MODEL, starts hermetic inference, rewires the onboard environment to use NEMOCLAW_ENDPOINT_URL, asserts hermetic endpoint usage post-onboard, and uses shell quoting for verification payloads.
Check runner API key override
test/e2e/live/cloud-experimental-checks.ts
Adds cloudExperimentalApiKeyForCheck to blank the API key for the fresh re-onboard check, wires scriptApiKey into env construction, and conditions redaction on a non-empty key.
Tests for hermetic behavior and API key logic
test/e2e/support/platform-parity-cloud-experimental.test.ts
Adds new check constants, a writeExecutable fixture helper, updates the sandbox-skip path to use the fresh re-onboard constant, adds an end-to-end test with fake binaries verifying hermetic success, and adds a unit test for the API key override.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Script as 04-deepagents-code-fresh-reonboard.sh
  participant Hermetic as hermetic-compatible-inference.sh

  Script->>Hermetic: source helper
  Script->>Hermetic: start compatible inference
  Script->>Hermetic: stop compatible inference on EXIT
Loading

Suggested labels: bug-fix
Suggested reviewers: jyaunches

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: making the DCode fresh re-onboard inference path hermetic in e2e tests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/e2e/support/platform-parity-cloud-experimental.test.ts (1)

78-87: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Prefer the behavioral proof over source-text assertions.

This case asserts on script text (toContain/not.toContain), while the following test at Lines 89-211 already runs the script under a hostile hosted-inference env and proves the hosted path is unreachable. Consider relying on that observable contract and dropping/trimming these string guards, which are brittle to harmless refactors.

As per path instructions: "Prefer observable outcomes through the public boundary over source-text, private-shape, or mock-call assertions" and "Migration tests must prove the superseded path is unreachable or removed."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/support/platform-parity-cloud-experimental.test.ts` around lines 78
- 87, The test around the fresh re-onboard check is relying on brittle
source-text assertions instead of the stronger behavioral proof already covered
by the hostile hosted-inference execution path. Update the `keeps the
destructive fresh re-onboard check on hermetic compatible inference` test in
`platform-parity-cloud-experimental.test.ts` to prefer the observable contract
from the script execution case and remove or trim the
`toContain`/`not.toContain` guards on the script contents, keeping the focus on
proving the hosted inference path is unreachable.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/support/platform-parity-cloud-experimental.test.ts`:
- Around line 188-211: The test’s spawnSync child timeout is longer than the
enclosing Vitest timeout, so the worker can hang past the intended budget;
update the timeout settings in the platform-parity-cloud-experimental test so
the spawnSync limit and the test’s outer timeout use the same value. Keep the
change localized to the test case that launches the CLI via spawnSync and
preserves the existing assertions.

---

Nitpick comments:
In `@test/e2e/support/platform-parity-cloud-experimental.test.ts`:
- Around line 78-87: The test around the fresh re-onboard check is relying on
brittle source-text assertions instead of the stronger behavioral proof already
covered by the hostile hosted-inference execution path. Update the `keeps the
destructive fresh re-onboard check on hermetic compatible inference` test in
`platform-parity-cloud-experimental.test.ts` to prefer the observable contract
from the script execution case and remove or trim the
`toContain`/`not.toContain` guards on the script contents, keeping the focus on
proving the hosted inference path is unreachable.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: da9651d6-a69e-421f-8456-373d84b071ac

📥 Commits

Reviewing files that changed from the base of the PR and between 17bf9a6 and ce9ebcd.

📒 Files selected for processing (3)
  • test/e2e/e2e-cloud-experimental/checks/04-deepagents-code-fresh-reonboard.sh
  • test/e2e/live/cloud-experimental-checks.ts
  • test/e2e/support/platform-parity-cloud-experimental.test.ts

Comment thread test/e2e/support/platform-parity-cloud-experimental.test.ts Outdated
Signed-off-by: Ho Lim <subhoya@gmail.com>
@HOYALIM
HOYALIM force-pushed the codex/issue-5747-hermetic-e2e-inference branch from ce9ebcd to 4b41edc Compare July 9, 2026 01:46
@apurvvkumaria apurvvkumaria added the v0.0.79 Release target label Jul 9, 2026
@apurvvkumaria apurvvkumaria self-assigned this Jul 9, 2026
@cv

cv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Current main makes this conflict behavioral rather than mechanical: #6567 added live DCode TOML config get/key/YAML, rejected config set, and unchanged pre/post hash probes in the same fresh re-onboard script. Those probes must remain, while this PR’s hermetic endpoint lifecycle and hosted-secret exclusion must also remain.

The safe composition is to retain the credential canary and all #6567 config probes; retain the hermetic helper, cleanup, start, and usage assertion; shell-quote both the model and canary seed arguments; update the final count to 12 passes; and extend the fake CLI/OpenShell fixture to implement sanitized JSON/YAML/key reads, rejected mutation guidance/status, stable hashes, and the post-re-onboard model-B read. Without that fixture work, simply accepting both sides leaves the behavioral test failing.

Focused validation should include bash -n for the script, the platform-parity cloud-experimental test, full e2e-support, and npm run check:diff.

The PR description also needs this exact standalone DCO declaration (the current inline mention does not satisfy the body check):

Signed-off-by: Ho Lim <subhoya@gmail.com>

No history rewrite or force-push is needed.

@apurvvkumaria

Copy link
Copy Markdown
Collaborator

Superseded by #6581, which preserves this hermetic re-onboard change on a clean GitHub-verified, DCO-compliant commit and credits Ho Lim as co-author. The replacement is based on current main and retains the newer credential-canary, config-read, mutation-boundary, and safe shell-quoting coverage that conflicts with this branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.79 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants