ci: safely split slow CLI coverage suites

[cv]

Problem Statement

The cli-tests job in CI / Pull Request currently takes close to six minutes, with nearly all of that time spent in the Run CLI coverage step rather than checkout, dependency install, or build setup.

From PR #4887's passing run (CI / Pull Request, run 27055172682, job 79858083592):

• Install dependencies: about 11 seconds
• Build TypeScript plugin: effectively negligible
• Run CLI coverage: about 5 minutes 36 seconds
• Inside that shell step, clean + npm run build:cli + sourcemap validation took about 10 seconds, leaving roughly 5 minutes 25 seconds for npx vitest run --project cli --coverage ...

The cli Vitest project is broad: it currently covers about 505 test files and about 6,500 test cases. Local timing without coverage, even on a run that hit local environment-sensitive failures, still took about 4 minutes 28 seconds. The cost appears to be the existing subprocess-heavy and timeout/retry-heavy CLI test surface, plus V8 coverage overhead.

The biggest local timing hotspots were:

• test/cli.test.ts
• test/sandbox-connect-inference.test.ts
• test/nemoclaw-start.test.ts
• test/policies.test.ts
• test/onboard-selection.test.ts
• test/onboard.test.ts

This is not a correctness regression from PR #4887, but the workflow split made the long-running CLI coverage job more visible.

Proposed Design

Split or shard the slow CLI coverage work only after preserving the current behavior contract. The goal should be lower wall-clock time without changing which checks run, which tests are selected, or how coverage ratchets are enforced.

Suggested safe rollout:

1. Add measurement before changing behavior.

   • Split the current Run CLI coverage shell block into separately timed CI steps, or emit explicit timing markers for build, sourcemap validation, Vitest, and coverage ratchet.
   • Optionally upload Vitest JSON timing output as an artifact for the cli project.
   • Keep this as a no-behavior-change PR so baseline timing is visible on GitHub Actions.

2. Classify the expensive CLI test surface by ownership and failure mode.

   • Identify subprocess-heavy CLI command tests, retry/timeout simulation tests, and lower-level unit-style CLI tests.
   • Candidate heavy suites based on current timing: test/cli.test.ts, test/sandbox-connect-inference.test.ts, and test/nemoclaw-start.test.ts.
   • Avoid moving tests based only on filename convenience; preserve the current semantic coverage of CLI command behavior, sandbox lifecycle handling, inference preflights, and retry/timeouts.

3. Introduce explicit Vitest projects or CI shards.

   • Example shape: keep fast root/unit-style CLI tests in one project/job and move subprocess/timeout-heavy integration-style CLI tests into another project/job.
   • Alternatively use Vitest sharding if test selection remains deterministic and easy to audit.
   • Ensure every test currently selected by --project cli is selected exactly once unless a duplicate is intentionally removed.

4. Preserve aggregate coverage semantics.

   • Do not enforce separate per-shard coverage ratchets that could hide aggregate regressions.
   • Produce coverage reports from each shard and merge them before running the existing scripts/check-coverage-ratchet.ts checks, or otherwise prove the ratchet sees the same aggregate coverage data it sees today.
   • Keep both CLI coverage threshold files in force: ci/coverage-threshold-cli-summary.json and ci/coverage-threshold-cli-files.json.

5. Prove equivalence before deleting the old path.

   • On the migration PR, run the old monolithic npx vitest run --project cli --coverage ... path and the proposed split path at least once, then compare:
     • test file selection
     • total test count
     • failed/skipped test behavior
     • coverage summary
     • coverage ratchet result
   • After equivalence is demonstrated, remove the duplicate monolithic run so CI does not stay permanently more expensive.

6. Keep required-check behavior explicit.

   • Update the final PR aggregate checks job so all split CLI jobs are required when code changes are present.
   • Confirm docs-only PR routing is unchanged and does not start the CLI jobs.
   • Add or update workflow contract tests so the final aggregate cannot pass if one CLI shard is skipped, renamed, or omitted unexpectedly.

Alternatives Considered

• Only optimize individual slow tests. This may still be worthwhile, especially for timeout/retry simulations, but it will take longer to pay down and does not reduce wall-clock time as reliably as parallelizing independent work.
• Shard by test count alone. This is simpler, but can make ownership and coverage debugging harder if related CLI command tests move between shards unpredictably.
• Split coverage thresholds per shard. This is risky because a shard-local threshold can pass while aggregate CLI coverage behavior changes.
• Exclude slow suites from PR CI. This should not be done; the current behavior checks are valuable and should remain part of the code-change gate.

Acceptance Criteria

• The split keeps all checks and tests that the current cli-tests job performs for code PRs.
• Each existing cli project test is either selected exactly once or explicitly documented as a deliberate duplicate removal.
• Aggregate CLI coverage ratchets still run against equivalent merged coverage data.
• The final PR aggregate checks job requires every new CLI shard/job for code changes.
• Docs-only PR behavior remains unchanged.
• A migration PR includes before/after timing for the same commit or equivalent commit pair.
• Wall-clock time for the CLI coverage portion is reduced without weakening the gate.

Category

Testing

Checklist

• I searched existing issues and this is not a duplicate
• This is a design proposal, not a "please build this" request

[cv]

Follow-up from the cli-vitest-results artifact added in #4893. I parsed the JSON timing report from PR #4893's passing CI / Pull Request run (27055650751, cli-tests job 79859430861). This gives us a clearer split plan than the raw CI log did.

Artifact / suite summary

• Artifact file: coverage/cli/vitest-results.json
• Uncompressed JSON size: about 10.8 MB
• Uploaded artifact size after GitHub compression: about 1.7 MB
• Upload step cost: about 1.4s, so the artifact is cheap enough to keep
• The JSON includes both test results and coverageMap; the timing/test-result payload is only about 2.2 MB, while coverageMap is about 8.6 MB
• Suite shape: 506 files, 6531 assertions, 6523 passed, 8 skipped
• Test execution span in JSON: about 4m06s; full cli-tests job: 4m44s

Main finding

The suite is highly skewed toward a small number of large serialized files. The top three files account for about half of all assertion duration:

Rank	File	Assertion duration	Share
1	test/cli.test.ts	195s	31.1%
2	test/sandbox-connect-inference.test.ts	76s	12.1%
3	test/nemoclaw-start.test.ts	41s	6.6%
Top 3		313s	49.8%
Top 10		417s	66.3%

That means a CI-only shard split has a hard ceiling: test/cli.test.ts alone currently takes about 195s. To get meaningful wall-clock reduction, we should split oversized test files first, especially test/cli.test.ts, then shard jobs after the file-level work is no longer dominated by one file.

Slowest individual assertions

File	Test	Duration
test/sandbox-connect-inference.test.ts	route reset still broken after reset	10.7s
test/cli.test.ts	sandbox inspection help uses native oclif usage	9.7s
test/nemoclaw-start.test.ts	transient approve timeout retry	8.1s
test/sandbox-connect-inference.test.ts	WSL ollama-local repair	7.2s
test/sandbox-connect-inference.test.ts	DNS repair leaves inference.local broken	7.1s

Recommended test/cli.test.ts functional split

These buckets are derived from the current test names and physical line neighborhoods in test/cli.test.ts. The duration values are from the #4893 artifact, so they are approximate but directionally useful.

Candidate file / area	Current neighborhood	Tests	Duration	Notes
cli-sandbox-mutations.test.ts	lines 2991-3778	25	46.5s	Biggest bucket. Includes sandbox inspection help, policy/channel dry-run dispatch, host aliases, parser-owned mutation validation, shields/snapshot help. This may deserve a second split into policy/channels, host aliases, and snapshot/shields if still too lopsided.
cli-onboard-debug.test.ts	lines 2274-2687	28	23.4s	Onboard/setup/setup-spark/deploy/debug parser and stale-default behavior. Good standalone ownership area.
cli-logs.test.ts	lines 3787-4167, plus 4775, 6276	20	21.8s	Logs, audit enabling, follow-mode children, bridge-status helper, SIGINT semantics.
cli-status-health.test.ts	lines 927-2025	22	16.5s	status and sandbox status --json health/failure-layer behavior.
cli-tunnel-credentials-maintenance-skills.test.ts	lines 2031-2260	19	15.8s	Tunnel, credentials, maintenance command migration, skill install/plugin-marker parsing.
cli-connect-recovery.test.ts	lines 4821-6183	19	15.5s	Connect, readiness polling, probe-only recovery, SSH fallback, registry/list recovery.
cli-status-gateway-lifecycle.test.ts	lines 6326-7238	12	11.7s	Gateway transport/auth/lifecycle hints, live agent version, inference warning/status reconciliation.
cli-list-inference.test.ts	lines 737-920, plus current line 545	10	10.3s	List, inference get/set, alias branding, JSON list output. Move the inference set redirect test with this even though it currently sits earlier.
cli-list-share-live-inference.test.ts	existing describe, lines 7510-7914	10	9.5s	Already a clean top-level describe; easy first extraction.
cli-dispatch-basics.test.ts	lines 411-715	13	7.7s	Root help/version/unknown command/basic routing.
cli-destroy-gateway-cleanup.test.ts	lines 4238-4713	8	5.8s	Destroy behavior and gateway cleanup policy.
cli-docker-outage.test.ts	existing describe, lines 7304-7492	8	5.6s	Already a clean top-level describe; easy first extraction.
cli-doctor-gateway-token.test.ts	lines 2734-2945	8	5.3s	Doctor plus gateway-token help.

Suggested first PRs:

1. Extract shared test/cli.test.ts harness/helpers into a helper module without changing assertions.
2. Move the two already-isolated top-level describes first: Docker outage and list/share live inference. Low risk, validates the helper extraction pattern.
3. Move the largest mid-file bucket next: sandbox mutations/policy/channels/host aliases/snapshot. This is the highest-impact area, but probably worth splitting into 2-3 files if the first extraction still leaves one large file.
4. Move logs and onboard/debug after that. Those are the next largest clean functional areas.

Safety checks for the split work

For each split PR, I would want:

• npx vitest run --project cli --list before/after, with the same test count and expected file movement.
• npx vitest run --project cli --reporter=json --outputFile.json=... before/after for test/cli.test.ts moved subsets, checking no assertions disappear.
• Existing coverage ratchets unchanged and still run on aggregate CLI coverage.
• No CI job sharding until after the file split work, because the current 195s single-file ceiling would limit sharding gains.

Secondary observation

The timing artifact includes coverageMap, which is why the JSON is about 11 MB. That is not urgent because upload compression makes the artifact only about 1.7 MB, but if storage/noise ever matters we can post-process a timing-only copy that drops coverageMap before upload.

[cv]

Milestone update from PR #4898:

• Extracted the sandbox mutation bucket into focused test/cli/ files (sandbox-mutations, sandbox-host-aliases, snapshot-shields).
• Added a follow-up commit extracting the onboard/setup/setup-spark/deploy/debug neighborhood into test/cli/onboard-debug.test.ts.
• test/cli.test.ts is down to about 5.6k lines after this step.
• Focused verification for the latest split passed: npx vitest run --project cli test/cli.test.ts test/cli/onboard-debug.test.ts, plus npm run typecheck:cli; pre-commit and pre-push hooks also passed.

Next planned bucket: logs/follow-mode tests, including the later plain-log and SIGINT stragglers called out in the timing analysis.

[cv]

Milestone update from PR #4898:

• Added a logs extraction commit: test/cli/logs.test.ts now owns the logs/audit/follow-mode tests, bridge-status helper coverage, plain-log passthrough, and SIGINT exit semantics.
• test/cli.test.ts is down to about 5.1k lines after the logs split.
• Focused verification for this split passed: npx vitest run --project cli test/cli.test.ts test/cli/logs.test.ts, plus npm run typecheck:cli; pre-commit and pre-push hooks also passed.

Next planned bucket from the timing table: status/health or tunnel/credentials/maintenance/skills, depending on which current boundaries are cleanest after the prior extractions.

[cv]

Milestone update from PR #4898:

• Added a tunnel/credentials/maintenance/skills extraction commit: test/cli/tunnel-credentials-maintenance-skills.test.ts now owns the tunnel help/status coverage, credential command validation, maintenance command migration checks, and skill install/plugin-marker parsing tests.
• test/cli.test.ts is down to 4,879 lines after this split.
• Focused verification for this split passed: npx vitest run --project cli test/cli.test.ts test/cli/tunnel-credentials-maintenance-skills.test.ts, plus npm run typecheck:cli; commit and push hooks also passed.

Next planned bucket from the timing table: status-health, which is the largest remaining neighborhood still in test/cli.test.ts.