test(e2e): migrate diagnostics, state, and runtime service coverage

[jyaunches]

Parent epic: #3588

Goal

Migrate the runtime-services E2E coverage area into the layered scenario framework without porting legacy scripts line-for-line. Add the missing primitive layer first, then move assertions into scenario plans/suites with stable IDs.

Legacy / current coverage to absorb

• test-diagnostics.sh
• test-docs-validation.sh
• test-state-backup-restore.sh
• test-tunnel-lifecycle.sh
• test-runtime-overrides.sh
• test-overlayfs-autofix.sh
• test-device-auth-health.sh
• test-skill-agent-e2e.sh

Architecture contract

• Add or extend the domain primitive library: test/e2e/validation_suites/lib/runtime_services.sh.
• Helpers must consume $E2E_CONTEXT_DIR/context.env; suites must not reinstall, onboard, or rediscover setup state.
• Add/extend suite family entries in test/e2e/validation_suites/suites.yaml.
• Add onboarding profiles/test plans/onboarding assertions only when the behavior belongs before expected-state validation.
• Emit stable assertion IDs using <layer>.<domain>.<behavior>.
• Update test/e2e/docs/parity-map.yaml metadata with layer, gap_domain, owner, and runner/secret requirements where applicable.
• Preserve compatibility with existing run-scenario.sh <id> --plan-only behavior.

Acceptance criteria

• Domain primitive helpers exist and are used by migrated suite steps.
• At least the highest-value assertions from the listed legacy coverage are mapped to stable scenario assertion IDs.
• Remaining legacy assertions are explicitly classified as deferred or retired with layer/domain metadata.
• Scenario framework tests pass for resolver/schema/suite/parity-map validation.
• The coverage report makes this domain visible as covered, deferred, or retired.

---

2026-05-26 scope refresh: current assertion audit and validation expectations

The legacy runtime-services scripts have continued to change since this issue was opened. Before implementing this migration, treat the current origin/main scripts as the source of truth and migrate/classify every current assertion.

Current source scripts in scope

Keep the original #3817 scope, using the current versions of:

• test/e2e/test-diagnostics.sh
• test/e2e/test-docs-validation.sh
• test/e2e/test-state-backup-restore.sh
• test/e2e/test-tunnel-lifecycle.sh
• test/e2e/test-runtime-overrides.sh
• test/e2e/test-overlayfs-autofix.sh
• test/e2e/test-device-auth-health.sh
• test/e2e/test-skill-agent-e2e.sh

Current coverage audit summary

The current scenario framework does not yet provide migration coverage for every assertion in these scripts. Existing coverage is mostly baseline smoke plus partial generic checks; domain assertions must either be migrated, explicitly deferred, or retired with rationale.

Legacy script	Current assertion state	Migration expectation
test-diagnostics.sh	Debug archive, extraction, credential-leak scan, config readability, status/model fields, and credential reset behavior are mostly deferred or only partially mapped.	Add diagnostics suite steps for nemoclaw --version format, debug --quick, full debug archive creation/extraction, debug tarball secret scan, agent config readability, and status/model assertions. Decide whether destructive credentials reset belongs here or is retired/deferred.
test-docs-validation.sh	nemoclaw on PATH is mapped by smoke; CLI/docs parity and link validation remain deferred.	Add docs-validation suite steps invoking the current docs parity/link validation path, updated for MDX/Fern docs. Preserve clear pass/fail propagation.
test-state-backup-restore.sh	Workspace marker setup, backup, destroy, re-onboard, restore, and file/content verification are all deferred.	Add a state backup/restore suite that writes marker files/directories, runs backup, destroys/re-onboards, restores, and verifies all marker files and memory directory contents.
test-tunnel-lifecycle.sh	nemoclaw tunnel start/status/stop, tunnel URL extraction, local dashboard readiness, remote dashboard probe, stale URL cleanup, and Cloudflare external-flake classification are deferred or missed.	Add a tunnel lifecycle suite with local dashboard precheck, start/status URL assertion, remote URL/dashboard marker probe, stop/status cleanup, and explicit Cloudflare transient skip/expected-external classification.
test-runtime-overrides.sh	All runtime override assertions are deferred: model, context window, max tokens, reasoning, CORS, invalid values, and rollback/no-partial-write.	Add runtime override suite steps that verify valid overrides patch config and hash correctly, invalid overrides are rejected, and rejected overrides leave config unchanged.
test-overlayfs-autofix.sh	Only Docker-running is mapped. Most overlayfs/containerd-snapshotter behavior is deferred; several applicability SKIP branches are missed; two brittle negatives are already retired.	Decide in the spec whether overlayfs autofix remains #3817 scope. If retained, model Docker storage-driver/containerd-snapshotter applicability and migrate detection, patched-image, gateway-image, log-cleanliness, idempotency, and disabled-autofix negative assertions. If not retained, explicitly defer/retire with rationale.
test-device-auth-health.sh	Basic install/CLI/sandbox readiness maps to smoke, but device-auth-specific /health == 200, / == 401, status not Offline, and gateway recovery/status behavior are missed.	Add device-auth health suite steps for sandbox-exec /health, root auth response, nemoclaw status not reporting Offline, host forward health, and any retained recovery behavior. Retire brittle install-log text checks unless required.
test-skill-agent-e2e.sh	CLI install checks map to baseline; injected skill fixture and agent verification are missed. Recent model/tool-call flake classification is not in scenarios.	Add skill-agent suite steps for fixture injection/queryability and live agent verification. If live model/tool-call behavior remains nondeterministic, encode explicit external/inconclusive classification or split deterministic fixture checks from optional live-agent proof.

Adjacent current E2E changes to account for

These files were not all new since this issue opened, but current versions include relevant behavior that must be preserved or classified:

• test-tunnel-lifecycle.sh: test(e2e): classify quick tunnel flakes as external #4154 Cloudflare quick-tunnel external classification; test(e2e): update cloudflared tunnel pin #4196 cloudflared pin update.
• test-skill-agent-e2e.sh: test(e2e): classify skill agent model flakes #4157 model/tool-call flake classification plus fixture-presence recheck.
• test-docs-validation.sh: docs: remove legacy markdown docs and refresh MDX checks #3837 MDX/Fern docs validation expectation refresh.
• Shared helper test/e2e/lib/openclaw-json.sh: test: tolerate OpenClaw JSON envelope changes #4038 added OpenClaw JSON envelope parsing. This helper is new since issue creation and should be reused where runtime-service assertions need OpenClaw agent JSON parsing.

Required implementation shape

• Add or extend test/e2e/validation_suites/lib/runtime_services.sh for shared runtime-service helpers.
• Add focused suite directories/steps rather than aliasing runtime-service suites to generic smoke steps.
• Update test/e2e/validation_suites/suites.yaml with explicit suites for diagnostics, docs validation, state backup/restore, tunnel lifecycle, runtime overrides, device-auth health, skill-agent behavior, and optionally overlayfs autofix.
• Update scenario metadata and coverage report inputs so every current assertion from the scripts above is visible as one of:
  • mapped to a stable scenario assertion ID,
  • deferred with reason and owner,
  • retired with reason,
  • or expected_failure where the scenario intentionally validates a negative/failure outcome.
• Stable assertion IDs should follow <layer>.<domain>.<behavior> and be specific enough to distinguish pass/fail/expected-failure behavior.

Validation spec requirements for /vd_spec

The spec for this issue must include a validation section that makes expected pass/fail behavior explicit:

1. Produce an assertion matrix for every current assertion in the scoped scripts, including expected result (pass, fail, skip/external, expected_failure, deferred, or retired) and the scenario assertion ID that owns it.
2. Define which scenario IDs/suites are expected to pass on a healthy PR branch.
3. Define which negative scenarios are expected to fail during setup/execution but be reported as expected failures by the scenario framework.
4. Define which assertions are intentionally not executable in PR CI and why, including owner and follow-up path.
5. Require the implementation PR to run the E2E scenario workflow on the PR head and include evidence that:
   • the runtime-services scenario suites pass where expected,
   • expected-failure scenarios are reported as expected failures, not unclassified failures,
   • no current assertion from the scoped legacy scripts is missing from the coverage report,
   • any deferred/retired assertion is visible in the report with rationale.

Acceptance criteria additions

• run-scenario.sh <id> --plan-only works for each new/updated runtime-services scenario.
• Scenario framework tests pass for resolver/schema/suite/coverage-report validation.
• The PR shows an e2e-scenarios workflow run against the PR branch with runtime-services suites selected or included.
• The PR description links the workflow run and includes the assertion matrix / coverage report excerpt showing pass, expected-failure, deferred, and retired classifications.

[jyaunches]

Fresh #3817 assertion coverage audit — current legacy E2E scripts

Verdict: No, current #3817 scenario coverage is not 100% yet. The issue now does require every current assertion in the eight scoped runtime-services scripts to be mapped, deferred, retired, or expected-failure, but current origin/main scenario coverage is mostly generic smoke/inference/credentials. Most domain assertions are still deferred or missed.

Current canonical scenario currently referenced by parity metadata:

• ubuntu-repo-cloud-openclaw → suites: smoke, inference, credentials
• Current diagnostics / docs-validation / rebuild aliases in suites.yaml still point at generic smoke steps, not domain-specific runtime-services checks.

Legend:

• Covered by = existing current scenario/suite/step that materially covers the assertion.
• None = no current scenario assertion covers it.
• Partial = generic setup/smoke covers a prerequisite, not the specific legacy behavior.
• Required by test(e2e): migrate diagnostics, state, and runtime service coverage #3817? = whether the updated issue scope definitely requires executable coverage vs classification/retire/defer decision.

test/e2e/test-diagnostics.sh

Assertion	Current parity	Covered by current scenario	Required by #3817?
TC-DIAG-04: Exit code	deferred	None	Yes
TC-DIAG-04: Version output matches semver	deferred	Partial: ubuntu-repo-cloud-openclaw / smoke / cli-available runs nemoclaw --version, no semver assertion	Yes
TC-DIAG-04: Format	deferred	None	Yes
TC-DIAG-02: Exit code	deferred	None	Yes
TC-DIAG-02: debug --quick produced non-empty archive	deferred	None	Yes
TC-DIAG-02: Output	deferred	None	Yes
TC-DIAG-02: Completed within time limit	deferred	None	Yes
TC-DIAG-02: Timing	deferred	None	Yes
TC-DIAG-01: Setup	deferred	None	Yes
TC-DIAG-01: Debug tarball created	deferred	None	Yes
TC-DIAG-01: Extract	deferred	None	Yes
TC-DIAG-01: Credential check	missed	None	Yes as classification at least
TC-DIAG-01: No API key found in debug tarball	deferred	None	Yes
TC-DIAG-01: Credential leak	deferred	None	Yes
TC-DIAG-01: No nvapi- pattern credentials in tarball	mapped metadata	No executable step; assert/no-credentials-leaked.sh exists but is not wired to a diagnostics tarball suite	Yes
TC-DIAG-01: Pattern leak	deferred	None	Yes
TC-DIAG-05: Config	deferred	None	Yes
TC-DIAG-05: openclaw.json readable inside sandbox	deferred	None	Yes
TC-DIAG-05: nemoclaw status shows model info	deferred	None	Yes
TC-DIAG-05: nemoclaw status shows Model field	deferred	None	Yes
TC-DIAG-05: Status	deferred	None	Yes
TC-DIAG-03: List	deferred	Partial: credentials / credentials-present runs nemoclaw credentials list >/dev/null, no diagnostics semantics	Decision needed
TC-DIAG-03: credentials list works (store empty...)	mapped metadata	Partial: ubuntu-repo-cloud-openclaw / credentials / credentials-present; does not check empty-store text	Decision needed
TC-DIAG-03: Value leak	deferred	None	Decision needed
TC-DIAG-03: credentials list does not expose env key values	mapped metadata	No exact output redaction step	Decision needed; high value if credentials list retained
TC-DIAG-03: credentials list shows key name	mapped metadata	None exact	Decision needed
TC-DIAG-03: Key name	missed	None	Classify
TC-DIAG-03: Value leak duplicate	deferred	None	Decision needed
TC-DIAG-03: credentials list does not expose key values	mapped metadata	No exact output redaction step	Decision needed
TC-DIAG-03: credentials reset completed	mapped metadata	None; no scenario runs credentials reset	No, unless we keep destructive reset in scope
TC-DIAG-03: Reset	deferred	None	No, unless reset retained
TC-DIAG-03: Post-reset	deferred	None	No, unless reset retained
TC-DIAG-03: NVIDIA_API_KEY removed after reset	retired	None	No

Extractor noise in current inventory: summary counter rows $PASS${NC} / $FAIL${NC} should be retired/excluded, not migrated.

test/e2e/test-docs-validation.sh

Assertion	Current parity	Covered by current scenario	Required by #3817?
nemoclaw on PATH	mapped	ubuntu-repo-cloud-openclaw / smoke / cli-available	Yes as prerequisite
nemoclaw on PATH (after sourcing nvm)	mapped metadata	Partial: same smoke step; no explicit nvm fallback	Classify or cover explicitly
nemoclaw not on PATH — install NemoClaw first	deferred	Partial failure path of smoke, different message	Yes/classify
CLI / docs parity check passed	deferred	None	Yes
CLI / docs parity check failed	deferred	None	Yes
Markdown link validation passed	deferred	None	Yes
Markdown link validation failed	deferred	None	Yes

test/e2e/test-state-backup-restore.sh

All real assertions are currently deferred with no scenario/suite coverage. Required by #3817: Yes for all real behavior rows.

Assertion	Covered by current scenario
TC-STATE-01: Setup	None
TC-STATE-01: Backup completed successfully	None
TC-STATE-01: Backup	None
TC-STATE-01: Backup dir	None
TC-STATE-01: BackupCaptureFiles	None
TC-STATE-01: BackupCaptureFiles — 5/5 .md files captured in host backup	None
TC-STATE-01: BackupCaptureDir missing file	None
TC-STATE-01: BackupCaptureDir wrong content	None
TC-STATE-01: BackupCaptureDir — memory directory captured in host backup	None
TC-STATE-01: Destroy	None
TC-STATE-01: Sandbox destroyed	None
TC-STATE-01: Re-onboard	None
TC-STATE-01: Sandbox re-onboarded	None
TC-STATE-01: Restore completed successfully	None
TC-STATE-01: Restore	None
TC-STATE-01: FilesRestore — ${files_restored}/5 workspace files restored correctly	None
TC-STATE-01: FilesRestore	None
TC-STATE-01: MemoryDirRestore — memory directory contents restored correctly	None
TC-STATE-01: MemoryDirRestore missing	None
TC-STATE-01: MemoryDirRestore content/SSH error	None

Extractor noise: summary counter rows $PASS${NC} / $FAIL${NC} should be retired/excluded.

test/e2e/test-tunnel-lifecycle.sh

No current scenario exercises nemoclaw tunnel start/status/stop, cloudflared, trycloudflare URL extraction, remote dashboard probing, or Cloudflare external classification. Required by #3817: Yes, with Cloudflare errors modeled as skip/external/expected classification where appropriate.

Assertion	Current parity	Covered by current scenario
TC-DEPLOY-01a / TC-DEPLOY-01b / TC-DEPLOY-01c cloudflared missing	deferred	None
sandbox absent cascade guard	missed	None
TC-DEPLOY-01a: LocalReadiness	deferred	None
TC-DEPLOY-01a: Local dashboard reachable (pre-check passed)	deferred	None
TC-DEPLOY-01a: Start command failed	deferred	None
TC-DEPLOY-01a: Tunnel URL found in status ($tunnel_url)	deferred	None
TC-DEPLOY-01a: NoSpawn	deferred	None
TC-DEPLOY-01a: CaptureBug	deferred	None
TC-DEPLOY-01a: LocalOrigin	deferred	None
TC-DEPLOY-01a: CloudflareRegister	deferred	None
TC-DEPLOY-01a: Start unclassified no URL	deferred	None
TC-DEPLOY-01b: LocalRegression	deferred	None
TC-DEPLOY-01b: Tunnel serves OpenClaw dashboard (HTTP 200, marker matched)	deferred	None
TC-DEPLOY-01b body lacks OpenClaw markers	deferred	None
TC-DEPLOY-01b: CloudflareEdge	deferred	None
TC-DEPLOY-01b tunnel URL unavailable	missed	None
TC-DEPLOY-01c: Stop command	deferred	None
TC-DEPLOY-01c URL never confirmed	missed	None
TC-DEPLOY-01c: Stop status unreadable after stop	deferred	None
TC-DEPLOY-01c: Tunnel URL absent after stop	deferred	None
TC-DEPLOY-01c: Stop stale URL present	deferred	None

Extractor noise: summary counter rows $PASS${NC} / $FAIL${NC} should be retired/excluded.

test/e2e/test-runtime-overrides.sh

All assertions are currently deferred with no scenario/suite coverage. Required by #3817: Yes for runtime override behavior and negative validation/rollback behavior. Setup failure row can be classified rather than directly migrated.

Assertion	Covered by current scenario	Required by #3817?
baseline container failed before config capture	None	Classify
baseline config hash valid	None	Yes
baseline config hash invalid	None	Yes
model overridden to $OVERRIDE_MODEL	None	Yes
expected model=$OVERRIDE_MODEL, got $ACTUAL	None	Yes
config hash valid after model override	None	Yes
config hash invalid after model override	None	Yes
contextWindow overridden to 32768	None	Yes
expected contextWindow=32768, got $ACTUAL	None	Yes
maxTokens overridden to 16384	None	Yes
expected maxTokens=16384, got $ACTUAL	None	Yes
reasoning overridden to true	None	Yes
expected reasoning=true, got $ACTUAL	None	Yes
CORS origin added: $CORS	None	Yes
CORS origin not found in allowedOrigins	None	Yes
all 5 overrides applied correctly	None	Yes
combined override mismatch	None	Yes
model override with control chars rejected	None	Yes
model override with control chars was not rejected	None	Yes
non-integer context window rejected	None	Yes
non-integer context window was not rejected	None	Yes
non-integer max tokens rejected	None	Yes
non-integer max tokens was not rejected	None	Yes
invalid reasoning value rejected	None	Yes
invalid reasoning value was not rejected	None	Yes
non-http CORS origin rejected	None	Yes
non-http CORS origin was not rejected	None	Yes
invalid inference API type rejected	None	Yes
invalid inference API type was not rejected	None	Yes
config unchanged after rejected override	None	Yes
config was modified despite rejected override	None	Yes

test/e2e/test-overlayfs-autofix.sh

Current #3817 says overlayfs is a scope decision: retain and migrate, or explicitly defer/retire. Only Docker-running is mapped generically today; no overlayfs-specific scenario exists.

Assertion	Current parity	Covered by current scenario	Required by #3817?
OpenShell Docker-driver runtime path skip	missed	None	Scope decision/classify
Docker is running	mapped	Generic runtime: docker-running dimension	No new domain coverage
Docker is not running — cannot continue	deferred	None	Scope decision
NVIDIA_API_KEY is set	deferred	None	Scope decision
NVIDIA_API_KEY not set or invalid	deferred	None	Scope decision
NEMOCLAW_NON_INTERACTIVE=1 is required	deferred	None	Scope decision
NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 is required	deferred	None	Scope decision
Passwordless sudo available	deferred	None	Scope decision
Passwordless sudo required to edit $DAEMON_JSON	deferred	None	Scope decision
Cannot find install.sh at $REPO_ROOT/install.sh	deferred	None	Scope decision
Repo root found: $REPO_ROOT	deferred	None	Scope decision
Docker version predates snapshotter skip	missed	None	Scope decision/classify
Failed to restart Docker after daemon.json change	deferred	None	Scope decision
Docker did not come back up after restart	deferred	None	Scope decision
Docker storage Driver is now overlayfs	deferred	None	Scope decision
Docker driver not overlayfs skip	missed	None	Scope decision/classify
DriverStatus reports io.containerd.snapshotter.v1	deferred	None	Scope decision
DriverStatus missing v1 snapshotter skip	missed	None	Scope decision/classify
Pre-cleanup complete	deferred	None	Scope decision
Could not cd to repo root	deferred	None	Scope decision
install.sh + onboard completed	deferred	None	Scope decision
install.sh + onboard failed	deferred	None	Scope decision
Onboard log contains the auto-fix detection message	deferred	None	Scope decision
Onboard log missing detection message	deferred	None	Scope decision
Patched cluster image present	deferred	None	Scope decision
No patched cluster image found	deferred	None	Scope decision
Gateway container is running the patched image	deferred	None	Scope decision
Gateway image mismatch	deferred	None	Scope decision
Cluster log still contains nested-overlay error	deferred	None	Scope decision
Cluster log clean of nested-overlay error	deferred	None	Scope decision
Idempotency check skipped	missed	None	Scope decision/classify
ensurePatchedClusterImage returned same tag	deferred	None	Scope decision
ensurePatchedClusterImage tag mismatch	deferred	None	Scope decision
Patched image reused, timestamp unchanged	deferred	None	Scope decision
Patched image rebuilt unexpectedly	retired	None	No
auto-fix disabled exited non-zero	deferred	None	Scope decision
auto-fix disabled unexpectedly succeeded	retired	None	No
nested-overlay failure signature surfaced	deferred	None	Scope decision
runner did not reproduce nested-overlay bug skip	missed	None	Scope decision/classify
negative phase unrelated flake	deferred	None	Scope decision

test/e2e/test-device-auth-health.sh

Most domain assertions are deferred/missed. Current smoke covers generic host /health only, not the device-auth-specific contract.

Assertion	Current parity	Covered by current scenario	Required by #3817?
Preflight checks passed	deferred	Partial: onboarding preflight assertion	Classify
Install failed with exit code	deferred	None	Classify
nemoclaw not found on PATH after install	deferred	Partial: base-installed / smoke/cli-available failure path	Classify
Onboard succeeded — sandbox registered	deferred	Partial: smoke/sandbox-listed	Classify
Sandbox not found in nemoclaw list after onboard	deferred	Partial failure path of smoke/sandbox-listed	Classify
/health returns 200 via sandbox exec	deferred	None	Yes
/health via sandbox exec returned empty	missed	None	Classify external/inconclusive
/health returned ... expected 200	deferred	None	Yes
/ returns 401 device auth active	deferred	None	Yes
/ returns 200 device auth not active	missed	None	Classify/retire depending default
/ via sandbox exec returned empty	missed	None	Classify external/inconclusive
/ returned ... expected 401 or 200	deferred	None	Yes
Status reports 'Offline' — #2342 regression	deferred	None	Yes
Status does NOT report 'Offline'	deferred	None	Yes
Status shows positive health indicator	deferred	None exact	Yes if retained
Could not confirm positive health indicator	missed	None	Classify/retire
Host port forward to dashboard is live	deferred	Partial: smoke/gateway-health checks host /health == 200, not full auth semantics	Yes
Port forward not reachable from host	missed	None	Classify external/inconclusive
Host health probe returned ... expected 200 or 401	deferred	Partial failure path of smoke/gateway-health	Yes
Status reports Offline during recovery	deferred	None	Yes if recovery retained
Status does not report Offline during recovery	deferred	None	Yes if recovery retained
Gateway recovered after restart	deferred	None	Conditional if recovery retained
Gateway did not recover within 150s	missed	None	Classify external/inconclusive
Onboard log contains deployment verification output	deferred	None	No, likely retire brittle log text
Onboard log confirms dashboard readiness check passed	deferred	None	No, likely retire brittle log text
Could not confirm verification output in onboard log	missed	None	No, likely retire

test/e2e/test-skill-agent-e2e.sh

Only two baseline assertions are mapped; skill-specific behavior has no current scenario coverage.

Assertion	Current parity	Covered by current scenario	Required by #3817?
Docker is not running	deferred	Partial: no-docker negative scenario exists, not mapped here	Classify
Docker is running	mapped	Generic runtime: docker-running	No new domain coverage
NVIDIA_API_KEY not set or invalid	deferred	None	Classify
NVIDIA_API_KEY is set	deferred	None	Classify
Could not cd to repo root	deferred	None	Classify/retire
install.sh failed	deferred	None	Classify
NemoClaw installed	mapped	base-installed / smoke/cli-available	No new domain coverage
nemoclaw not on PATH	deferred	Partial failure path of CLI smoke	Classify
openshell not on PATH	deferred	None exact	Classify
CLIs on PATH	deferred	Partial: nemoclaw only, not openshell	Classify
Failed to inject ${SKILL_ID}	deferred	None	Yes
${SKILL_ID} injected and queryable	deferred	None	Yes
Agent returned ${VERIFY_PHRASE}	deferred	None	Yes or explicit external/inconclusive classification
Agent returned ${VERIFY_PHRASE} via fuzzy match	deferred	None	Underlying proof yes; fuzzy detail can be retired
$last_fail	deferred	None	Yes as failure side or external classification

Adjacent related files, not required by #3817 unless scope expands

test/e2e/test-openshell-gateway-upgrade.sh

• Current test(e2e): migrate diagnostics, state, and runtime service coverage #3817 treats this as adjacent, not required.
• Current parity: 51 assertions = 40 deferred, 11 retired, 0 mapped.
• Current scenario coverage: none exact.
• Recommendation: do not require 3817 to cover this unless we explicitly expand scope beyond the eight runtime-services scripts.

test/e2e/test-issue-2478-crash-loop-recovery.sh

• Current test(e2e): migrate diagnostics, state, and runtime service coverage #3817 treats this as adjacent, not required.
• Current parity: 39 assertions = 36 deferred, 3 mapped.
• Mapped assertions are partial/generic:
  • nemoclaw on PATH → base-installed / smoke/cli-available
  • initial inference API responds → inference/models-health
  • gateway healthy/inference serving → split between smoke/gateway-health and inference/models-health
• No current scenario covers guard-chain/preload recovery or crash-loop soak behavior.

test/e2e/lib/openclaw-json.sh

• Helper only; no PASS/FAIL/SKIP assertions.
• test(e2e): migrate diagnostics, state, and runtime service coverage #3817 mentions it as adjacent helper to reuse if runtime-services assertions need OpenClaw agent JSON parsing.

Final coverage answer

No: #3817 does not currently have definite 100% assertion coverage across the relevant current E2E tests. It now has a clear requirement to get there, but implementation still needs to add focused suites and update parity metadata.

Highest required coverage gaps:

1. Diagnostics: debug --quick, full debug tarball, extract, secret scan, config readability, status/model checks.
2. Docs validation: CLI/docs parity and markdown/MDX link validation.
3. State backup/restore: marker write, backup, destroy, re-onboard, restore, file/content verification.
4. Tunnel lifecycle: local dashboard, tunnel start/status URL, remote probe, Cloudflare external classification, stop cleanup.
5. Runtime overrides: valid override config/hash, invalid override rejection, unchanged config after rejection.
6. Device auth health: sandbox /health, root auth code, status not Offline, host forward semantics, optional recovery classification.
7. Skill agent: fixture injection/queryability and agent verification with external/inconclusive classification.
8. Overlayfs autofix: explicit scope decision required; currently only Docker-running is mapped.

[jyaunches]

Closing — superseded by epic #3588's new audit-coverage spec (specs/2026-05-26_scenario-e2e-audit-coverage-implementation).

Scope is now redistributed across phase-aligned issues:

• test-docs-validation.sh → AQ-006 in Phase 1: Environment, Manifest, Fixture, and Runtime Action Primitives (E2E audit-coverage) #4347 (Phase 1)
• test-state-backup-restore.sh → AQ-047 in Phase 8: Sandbox Lifecycle, State, Backup, Snapshot, Skill, and Diagnostics Audit Coverage (E2E audit-coverage) #4354 (Phase 8)
• test-diagnostics.sh → AQ-048 in Phase 8: Sandbox Lifecycle, State, Backup, Snapshot, Skill, and Diagnostics Audit Coverage (E2E audit-coverage) #4354 (Phase 8)
• test-skill-agent-e2e.sh → AQ-049 in Phase 8: Sandbox Lifecycle, State, Backup, Snapshot, Skill, and Diagnostics Audit Coverage (E2E audit-coverage) #4354 (Phase 8)
• test-runtime-overrides.sh → AQ-053 in Phase 9: Rebuild, Upgrade, Installer Version, and Runtime Edge Audit Coverage (E2E audit-coverage) #4355 (Phase 9)
• test-overlayfs-autofix.sh → AQ-054 in Phase 9: Rebuild, Upgrade, Installer Version, and Runtime Edge Audit Coverage (E2E audit-coverage) #4355 (Phase 9)
• test-device-auth-health.sh → AQ-058 in Phase 10: Gateway, Dashboard, Device Auth, Crash Loop, Tunnel, and Remote Service Audit Coverage (E2E audit-coverage) #4356 (Phase 10)
• test-tunnel-lifecycle.sh → AQ-060 in Phase 10: Gateway, Dashboard, Device Auth, Crash Loop, Tunnel, and Remote Service Audit Coverage (E2E audit-coverage) #4356 (Phase 10)

The new spec also retires the deferred/retired parity classification and the per-domain validation_suites/lib/<domain>.sh primitive layer that this issue references. Implementation work should target test/e2e-scenario/ under the 5-part scenario contract model and the audit work queue (docs/e2e-audit-work-queue.md).