refactor(cli): align public dispatch with oclif conventions

[cv]

Summary

This PR keeps the public nemoclaw <sandbox-name> <action> grammar while moving command discovery, dispatch, parsing, help, JSON output, and error reporting closer to oclif conventions. It reduces custom router behavior, colocates command display metadata with command classes, and converts several lower-level process.exit paths into oclif-owned command failures.

Changes

• Extract public grammar routing into src/lib/cli/public-dispatch.ts and keep src/nemoclaw.ts as a thin entrypoint shim.
• Derive global and sandbox parent usage from registered command metadata, and render parent usage through the public oclif help adapter.
• Colocate global and sandbox display metadata on command classes, simplifying src/commands/** wrappers.
• Rewrite public sandbox help examples away from oclif-native nemoclaw sandbox ... grammar.
• Move more validation into oclif parsing for config, credentials, and inference commands.
• Use oclif JSON handling for inference get --json and doctor --json.
• Convert config, share, host-alias, gateway-token, snapshot, and policy/channel action failures to typed errors handled by oclif command adapters.
• Add shared common flag builders and tests for public-help drift plus native oclif taxonomy behavior.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• New Features

  • Unified public CLI dispatch and many commands now provide direct, consistent CLI entrypoints; shared flags standardized (--yes/--force/--dry-run/--json/--quiet).

• Bug Fixes

  • Improved help and unknown-subcommand behavior with clearer multi-line messages and correct exit codes.
  • Command failures now surface structured, user-facing error lines and exit codes instead of abrupt process exits; JSON/quiet modes respected.

• Documentation

  • Updated command help, examples, and README guidance to reflect public-friendly usage and discovery.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a public CLI dispatcher, tokenized route matching, generated oclif metadata and public-help rewriting; introduces shared flag factories, centralizes thrown CLI error types, converts many command entrypoints to in-file NemoClawCommand classes, and updates tests to the new contracts.

Changes

CLI Infrastructure and Flags Migration

Layer / File(s)	Summary
Public dispatch & routing src/lib/cli/public-dispatch.ts, src/lib/cli/oclif-dispatch.ts, src/nemoclaw.ts	New public dispatch entrypoint normalizes argv, derives token routes from command usage, resolves oclif targets by token prefix, and returns metadata-derived parent help for unknown/missing subcommands.
Public help generation & example rewriting src/lib/cli/public-oclif-help.ts, src/lib/cli/public-oclif-help.test.ts	Adds PublicUsage union, tokenizers, and example rewrites so sandbox examples show public CLI grammar; test suite updated for public-form examples and parent-usage rendering.
Generated oclif metadata manifest & loader src/lib/cli/generate-oclif-metadata-manifest.ts, src/lib/cli/oclif-metadata.ts, package.json	New generator emits command metadata JSON; metadata loader uses generated manifest and extends oclif metadata types with publicDisplay/deprecationOptions.
Shared common flags & bulk migrations src/lib/cli/common-flags.ts, many src/lib/commands/* and src/commands/*	Introduces yesFlag, forceFlag, dryRunFlag, jsonFlag, quietFlag and migrates many commands to use them, removing inline Flags.boolean duplication.
Centralized CLI error types src/lib/sandbox/config.ts, src/lib/share-command.ts, src/lib/gateway-token-command.ts, src/lib/actions/sandbox/snapshot.ts, src/lib/actions/sandbox/host-aliases.ts	Adds structured error classes (e.g., SandboxConfigError, ShareCommandError, GatewayTokenCommandError, SnapshotCommandError, HostAliasesCommandError) and replaces print+exit flows with throw/catch helpers used by command run() wrappers.
Command entrypoints & runtime bridges src/commands/*, src/lib/commands/*	Many top-level src/commands/* files now implement concrete NemoClawCommand classes with embedded static publicDisplay/display metadata and explicit run() wiring; runtime-bridge test hooks added where needed.
Doctor / Inference JSON behavior src/lib/actions/sandbox/doctor.ts, src/lib/commands/inference/get.ts	Doctor output lifted to a DoctorReport type and runSandboxDoctor may return a report; inference:get uses enableJsonFlag and quiet return paths for non-rendering results.
Tests & mocks updated test/*, src/lib/*/*.test.ts	Unit and integration tests updated to reflect thrown-error contracts, help output, command import locations, and JSON/quiet behaviors.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3537: Overlaps doctor changes and messaging in sandbox doctor logic.
• NVIDIA/NemoClaw#3611: Related broad migration of oclif commands to NemoClawCommand and entrypoint conversions.
• NVIDIA/NemoClaw#3615: Related centralized CLI exit/failure helpers and failWithLines usage.

Suggested labels

refactor, NemoClaw CLI

Suggested reviewers

• jyaunches

"I hopped through tokens and polished each flag,
Shared carrots of code make the help less vague.
Examples now speak the public CLI song,
Errors that once crashed now return where they belong.
A rabbit cheers softly — the CLI hops along."

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/oclif-router-cleanup

[github-actions]

E2E Advisor Recommendation

Required E2E: cloud-onboard-e2e, cloud-inference-e2e, sandbox-operations-e2e, sandbox-survival-e2e, docs-validation-e2e, diagnostics-e2e, openclaw-inference-switch-e2e, inference-routing-e2e, network-policy-e2e, channels-stop-start-e2e, shields-config-e2e, snapshot-commands-e2e, tunnel-lifecycle-e2e
Optional E2E: credential-migration-e2e, state-backup-restore-e2e, rebuild-openclaw-e2e, messaging-providers-e2e, skill-agent-e2e, hermes-inference-switch-e2e, upgrade-stale-sandbox-e2e

Dispatch hint: cloud-onboard-e2e,cloud-inference-e2e,sandbox-operations-e2e,sandbox-survival-e2e,docs-validation-e2e,diagnostics-e2e,openclaw-inference-switch-e2e,inference-routing-e2e,network-policy-e2e,channels-stop-start-e2e,shields-config-e2e,snapshot-commands-e2e,tunnel-lifecycle-e2e

Auto-dispatched E2E: cloud-onboard-e2e, cloud-inference-e2e, sandbox-operations-e2e, sandbox-survival-e2e, docs-validation-e2e, diagnostics-e2e, openclaw-inference-switch-e2e, inference-routing-e2e, network-policy-e2e, channels-stop-start-e2e, shields-config-e2e, snapshot-commands-e2e, tunnel-lifecycle-e2e via nightly-e2e.yaml at 9a0ac2384172adf970eaccb643c0273fc01821e9 — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cloud-onboard-e2e (high, about 45 minutes; requires NVIDIA_API_KEY): Validates the public installer, generated packaged CLI, non-interactive onboard command path, sandbox health, Landlock/read-only enforcement, API key leak checks, and inference.local HTTPS after the command-surface and installer changes.
• cloud-inference-e2e (medium-high, about 30 minutes; requires NVIDIA_API_KEY): Covers a real assistant user flow after install/onboard by exercising live chat through inference.local and skill filesystem validation. This is required because CLI dispatch/onboard and inference command surfaces changed broadly.
• sandbox-operations-e2e (very high, about 60 minutes; requires NVIDIA_API_KEY): Exercises core lifecycle commands affected by the refactor: onboard, list, status, logs, destroy, multi-sandbox metadata, sandbox isolation, and gateway/process recovery behavior.
• sandbox-survival-e2e (high, about 45 minutes; requires NVIDIA_API_KEY): src/nemoclaw.ts and lifecycle routing changed; this job specifically validates sandbox survival across gateway restarts and confirms workspace and inference still work after recovery.
• docs-validation-e2e (low, about 15 minutes; installs NemoClaw but no sandbox required): The PR changes command metadata generation, help/display code, and direct oclif command definitions. This job validates installed CLI help parity against docs and catches user-visible command surface drift.
• diagnostics-e2e (high, about 45 minutes; requires NVIDIA_API_KEY): Required for changed debug, version, status/config, credentials list/reset, and diagnostic sanitization command paths. It verifies credentials are not exposed and diagnostic archives remain useful.
• openclaw-inference-switch-e2e (high, about 45 minutes; requires NVIDIA_API_KEY): Directly validates the changed nemoclaw inference set path against a running OpenClaw sandbox, including OpenShell route state, openclaw.json patching, config hashes, and live requests after the switch.
• inference-routing-e2e (medium, about 30 minutes; some provider cases skip without extra secrets): Covers inference routing error classification and credential isolation through the gateway proxy. This is required because inference command wrappers and JSON/error behavior changed.
• network-policy-e2e (high, about 45 minutes; requires NVIDIA_API_KEY): Sandbox policy add/list/remove command surfaces and policy support code changed. This validates deny-by-default, whitelist, live policy add, dry-run, hot-reload, inference exemption, permissive mode, and SSRF validation.
• channels-stop-start-e2e (very high, up to 120 minutes; uses fake messaging tokens plus NVIDIA_API_KEY): Channels add/list/remove/start/stop command wrappers and support code changed. This validates messaging channel credential bridge lifecycle across stop/start/remove and rebuild with cached credentials.
• shields-config-e2e (medium, about 30 minutes; requires NVIDIA_API_KEY): Config get/set/rotate-token and shields down/status/up command surfaces changed. This job validates config mutability boundaries, credential rotation, audit trail, permissions, and auto-restore behavior.
• snapshot-commands-e2e (medium, about 30 minutes; requires NVIDIA_API_KEY): Snapshot create/list/restore command wrappers and snapshot action files changed. This validates state persistence and restore behavior through the installed CLI.
• tunnel-lifecycle-e2e (high, about 60 minutes; requires NVIDIA_API_KEY): Tunnel start/stop and deployment-related command paths changed. This validates cloudflared tunnel start, probe, and stop lifecycle through the public CLI.

Optional E2E

• credential-migration-e2e (medium, about 30 minutes; requires NVIDIA_API_KEY): Additional confidence for credential storage hardening after credentials command/support refactors. Diagnostics covers list/reset, while this covers legacy migration, zero-fill unlink, allowlist filtering, and symlink safety.
• state-backup-restore-e2e (high, about 60 minutes; requires NVIDIA_API_KEY): Useful adjacent coverage for backup/restore persistence because backup-all, maintenance, snapshot, and lifecycle command surfaces changed, but snapshot-commands-e2e is the more direct merge-blocking state test.
• rebuild-openclaw-e2e (high, about 60 minutes; requires NVIDIA_API_KEY): Useful confidence for rebuild command rewiring and workspace state preservation after changing sandbox rebuild and CLI dispatch paths.
• messaging-providers-e2e (high, uses fake messaging tokens plus NVIDIA_API_KEY): Adjacent coverage for messaging provider placeholders and channel credential flows. Run if reviewers are concerned about the channels command refactor beyond stop/start lifecycle coverage.
• skill-agent-e2e (medium, about 30 minutes; requires NVIDIA_API_KEY): Optional confidence for changed sandbox skill command surfaces and installed skill filesystem behavior with a real agent turn.
• hermes-inference-switch-e2e (high, about 45 minutes; requires NVIDIA_API_KEY): Optional if the same oclif dispatch changes are expected to affect nemohermes inference set; the required OpenClaw inference switch covers the NemoClaw command path directly.
• upgrade-stale-sandbox-e2e (high; requires NVIDIA_API_KEY): Optional upgrade-path coverage for changed update/upgrade-sandboxes command wrappers and stale sandbox rebuild detection.

New E2E recommendations

• CLI command surface and backward-compatible routing (high): This PR rewrites most command entrypoints and public argv translation, but existing E2E coverage is spread across scenario-specific jobs. Add a fast installed-CLI smoke that enumerates all public commands, legacy aliases such as nemoclaw <name> status, sandbox-prefixed forms, --json variants, help/version, and oclif manifest discovery without creating a full sandbox for every command.
  • Suggested test: cli-command-surface-e2e
• Sandbox share lifecycle (medium): Share, share mount/status/unmount, and share command support files changed, but no existing E2E script appears to exercise nemoclaw <name> share ... or SSHFS mount lifecycle.
  • Suggested test: share-filesystem-e2e
• Host aliases and sandbox exec command (medium): The PR changes hosts add/list/remove and sandbox exec command surfaces. Existing jobs use OpenShell or raw SSH heavily, but there is no focused NemoClaw E2E that validates nemoclaw <name> exec and nemoclaw <name> hosts ... behavior through the installed CLI.
  • Suggested test: sandbox-exec-hosts-e2e
• Maintenance command wrappers (low): backup-all, gc, update, upgrade-sandboxes, and uninstall command wrappers changed. Existing E2E coverage only partially exercises related state/upgrade behavior and does not directly validate these installed maintenance commands in a safe dry-run/non-destructive mode.
  • Suggested test: maintenance-commands-e2e

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: cloud-onboard-e2e,cloud-inference-e2e,sandbox-operations-e2e,sandbox-survival-e2e,docs-validation-e2e,diagnostics-e2e,openclaw-inference-switch-e2e,inference-routing-e2e,network-policy-e2e,channels-stop-start-e2e,shields-config-e2e,snapshot-commands-e2e,tunnel-lifecycle-e2e

[coderabbitai]

🧹 Nitpick comments (1)

src/nemoclaw.ts (1)

52-55: 💤 Low value

Consider removing empty section markers.

These section comments no longer contain any code. If the removed functionality won't return, consider deleting these placeholder headers.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/nemoclaw.ts` around lines 52 - 55, Remove the two empty placeholder
comment headers left in src/nemoclaw.ts (the "// ── Pre-upgrade backup
───────────────────────────────────────────" and "// ── Snapshot
─────────────────────────────────────────────────────" section markers) since
they contain no code; if the functionality is permanently removed, delete these
lines to avoid clutter, otherwise replace them with a brief TODO comment linking
to the intended implementation in the future.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/nemoclaw.ts`:
- Around line 52-55: Remove the two empty placeholder comment headers left in
src/nemoclaw.ts (the "// ── Pre-upgrade backup
───────────────────────────────────────────" and "// ── Snapshot
─────────────────────────────────────────────────────" section markers) since
they contain no code; if the functionality is permanently removed, delete these
lines to avoid clutter, otherwise replace them with a brief TODO comment linking
to the intended implementation in the future.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d96b6bc8-b3dc-4e9d-9015-19afac331392

📥 Commits

Reviewing files that changed from the base of the PR and between fdae301 and 5ac7144.

📒 Files selected for processing (6)

• src/commands/sandbox/config/set.ts
• src/lib/cli/oclif-dispatch.ts
• src/lib/cli/public-oclif-help.test.ts
• src/lib/cli/public-oclif-help.ts
• src/lib/commands/sandbox/config/set.ts
• src/nemoclaw.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25946151043
Target ref: 5ac7144c8d111fe96830e119f63a72f0f03604bc
Workflow ref: main
Requested jobs: cloud-e2e,sandbox-operations-e2e,shields-config-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job	Result
cloud-e2e	✅ success
sandbox-operations-e2e	✅ success
shields-config-e2e	✅ success

[coderabbitai]

🧹 Nitpick comments (1)

src/lib/cli/public-dispatch.ts (1)

161-164: 💤 Low value

Minor: args shadows normalized actionArgs in scope.

args = argv.slice(1) is used only for connect-order detection (lines 199, 214), while normalized.actionArgs is used for actual dispatch. This dual representation is correct but the variable name args is generic and could be clearer.

Consider renaming to rawArgsAfterCmd or similar for clarity, though this is optional.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/cli/public-dispatch.ts` around lines 161 - 164, The local variable
name args (assigned from argv.slice(1)) is shadowing/competing with
normalized.actionArgs and causes confusion; rename args to a clearer name like
rawArgsAfterCmd (or rawArgvAfterCmd) where it’s declared and used in
connect-order detection logic so callers still use normalized.actionArgs for
dispatch (update occurrences that check connect-order to reference the new name
and leave normalized.actionArgs unchanged).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/cli/public-dispatch.ts`:
- Around line 161-164: The local variable name args (assigned from
argv.slice(1)) is shadowing/competing with normalized.actionArgs and causes
confusion; rename args to a clearer name like rawArgsAfterCmd (or
rawArgvAfterCmd) where it’s declared and used in connect-order detection logic
so callers still use normalized.actionArgs for dispatch (update occurrences that
check connect-order to reference the new name and leave normalized.actionArgs
unchanged).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ee13fcad-d034-42ff-8a28-8084c03ab896

📥 Commits

Reviewing files that changed from the base of the PR and between 5ac7144 and a0a7081.

📒 Files selected for processing (15)

• src/commands/sandbox/shields/down.ts
• src/lib/cli/common-flags.ts
• src/lib/cli/oclif-dispatch.test.ts
• src/lib/cli/oclif-dispatch.ts
• src/lib/cli/public-dispatch.ts
• src/lib/commands/credentials/reset.ts
• src/lib/commands/maintenance/gc.ts
• src/lib/commands/maintenance/update.ts
• src/lib/commands/maintenance/upgrade-sandboxes.ts
• src/lib/commands/sandbox/channels/common.ts
• src/lib/commands/sandbox/destroy.ts
• src/lib/commands/sandbox/hosts/common.ts
• src/lib/commands/sandbox/policy/common.ts
• src/lib/commands/sandbox/rebuild.ts
• src/nemoclaw.ts

✅ Files skipped from review due to trivial changes (3)

• src/commands/sandbox/shields/down.ts
• src/lib/commands/sandbox/rebuild.ts
• src/lib/commands/maintenance/upgrade-sandboxes.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25947131613
Target ref: a0a7081673e5906e591293890fb84a5430f7fb80
Workflow ref: main
Requested jobs: sandbox-operations-e2e,shields-config-e2e,network-policy-e2e,upgrade-stale-sandbox-e2e,channels-stop-start-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
channels-stop-start-e2e	⚠️ cancelled
network-policy-e2e	⚠️ cancelled
sandbox-operations-e2e	⚠️ cancelled
shields-config-e2e	✅ success
upgrade-stale-sandbox-e2e	⚠️ cancelled

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/lib/cli/public-oclif-help.ts (1)

41-49: ⚡ Quick win

Keep help tokenization aligned with dispatch tokenization.

publicRouteTokens() already drifted from literalTokensFromUsage() in src/lib/cli/oclif-dispatch.ts: this helper does not stop on (. A usage like <name> foo (bar|baz) would be rewritten as if (bar|baz) were a literal route token even though dispatch treats it as a boundary. Reusing the same tokenizer, or at least matching the same stop rules here, will keep routing and help output in sync.

Minimal fix

-    if (token.startsWith("[") || token.startsWith("<") || token.startsWith("-")) break;
+    if (
+      token.startsWith("[") ||
+      token.startsWith("<") ||
+      token.startsWith("(") ||
+      token.startsWith("-")
+    ) break;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/cli/public-oclif-help.ts` around lines 41 - 49, publicRouteTokens
currently treats tokens starting with "(" as literals, causing divergence from
literalTokensFromUsage; update publicRouteTokens to use the same stop rules as
literalTokensFromUsage (or directly call literalTokensFromUsage) so it breaks on
"(" as well as "[" "<" and "-" — locate the publicRouteTokens function and
either reuse literalTokensFromUsage for tokenization or add a check to break
when token.startsWith("(") to keep dispatch and help output aligned.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/cli/oclif-dispatch.ts`:
- Around line 211-212: The current branch unconditionally returns
parentHelp(action) for any action string "config" or "shields", which hides
invalid-subcommand errors; update the logic in oclif-dispatch.ts so that you
only show parentHelp for the legitimate parent invocation (exact/expected
token), and for any unmatched/typo input for these groups preserve a non-zero
failure path similar to how the "channels" branch does — e.g., validate the
subcommand name/args and for invalid values call the same error/exit routine
used by channels (or invoke parentHelp with a non-zero exit indicator) instead
of returning plain help; refer to the action variable and parentHelp function to
implement this change.

---

Nitpick comments:
In `@src/lib/cli/public-oclif-help.ts`:
- Around line 41-49: publicRouteTokens currently treats tokens starting with "("
as literals, causing divergence from literalTokensFromUsage; update
publicRouteTokens to use the same stop rules as literalTokensFromUsage (or
directly call literalTokensFromUsage) so it breaks on "(" as well as "[" "<" and
"-" — locate the publicRouteTokens function and either reuse
literalTokensFromUsage for tokenization or add a check to break when
token.startsWith("(") to keep dispatch and help output aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b7d42fc5-293a-446f-a3f8-ec39718d2011

📥 Commits

Reviewing files that changed from the base of the PR and between a0a7081 and 20972c8.

📒 Files selected for processing (5)

• src/lib/cli/oclif-dispatch.test.ts
• src/lib/cli/oclif-dispatch.ts
• src/lib/cli/public-dispatch.ts
• src/lib/cli/public-oclif-help.test.ts
• src/lib/cli/public-oclif-help.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• src/lib/cli/public-oclif-help.test.ts
• src/lib/cli/oclif-dispatch.test.ts
• src/lib/cli/public-dispatch.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25947423915
Target ref: 20972c8ab43a02420c2df1fc1a61cf588780044b
Workflow ref: main
Requested jobs: sandbox-operations-e2e,shields-config-e2e,network-policy-e2e,upgrade-stale-sandbox-e2e,diagnostics-e2e,channels-stop-start-e2e
Summary: 6 passed, 0 failed, 0 skipped

Job	Result
channels-stop-start-e2e	✅ success
diagnostics-e2e	✅ success
network-policy-e2e	✅ success
sandbox-operations-e2e	✅ success
shields-config-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/sandbox/config.ts`:
- Around line 819-822: The hint text uses the old internal command form; update
the recovery guidance in the configFail call so it references the sandbox-scoped
public command grammar by replacing "Use `nemoclaw config rotate-token` for
credential changes." with "Use `nemoclaw sandbox rotate-token` for credential
changes." (edit the second string in the array passed to configFail).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 95308dc4-f704-4e87-8603-0e3978b930c6

📥 Commits

Reviewing files that changed from the base of the PR and between 20972c8 and d87bee5.

📒 Files selected for processing (10)

• src/lib/cli/oclif-runner.test.ts
• src/lib/cli/oclif-runner.ts
• src/lib/cli/public-oclif-help.test.ts
• src/lib/commands/credentials/reset.ts
• src/lib/commands/sandbox/config/get.ts
• src/lib/commands/sandbox/config/set.ts
• src/lib/commands/sandbox/oclif-command-adapters.test.ts
• src/lib/sandbox/config.ts
• test/cli.test.ts
• test/config-set-nested-ssrf.test.ts

✅ Files skipped from review due to trivial changes (1)

• src/lib/cli/oclif-runner.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/commands/credentials/reset.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25948148546
Target ref: d87bee5f2cb941ad001f184c5f8036985787d943
Workflow ref: main
Requested jobs: shields-config-e2e,sandbox-operations-e2e,diagnostics-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job	Result
diagnostics-e2e	✅ success
sandbox-operations-e2e	✅ success
shields-config-e2e	✅ success

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

src/lib/cli/oclif-dispatch.ts (1)

211-213: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Invalid config/shields subcommands return success-style help instead of error.

This is the issue flagged in a previous review. The current code unconditionally returns parentHelp(action) without an error message or exit code for any unmatched input (e.g., config bogus, shields typo). This causes these invalid subcommand cases to exit like successful help requests, unlike the channels case at line 207 which properly returns an error message.

This regresses the invalid-subcommand diagnostic for these groups and makes scripting against failures harder.

Proposed fix

   if (action === "config" || action === "shields") {
+    if (hasHelpFlag(actionArgs)) return parentHelp(action);
+    const subcommand = actionArgs[0];
+    return parentHelp(
+      action,
+      subcommand ? `Unknown ${action} subcommand: ${subcommand}` : undefined,
+    );
-    return parentHelp(action);
   }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/cli/oclif-dispatch.ts` around lines 211 - 213, The current branch for
action === "config" || action === "shields" returns parentHelp(action) which
produces a success-style help exit; change it to follow the same error path used
for "channels" so invalid subcommands produce an error message and non-zero
exit. Concretely, replace the unconditional return parentHelp(action) call with
the same error-handling call used for channels (e.g., call the helper that
prints parent help as an error or invoke parentHelp with an error flag / throw a
CLI error) so that "config bogus" and "shields typo" emit an explicit
invalid-subcommand error and a non-zero exit code; keep the reference to
parentHelp and action so reviewers can find the change.

🧹 Nitpick comments (1)

src/lib/cli/public-dispatch.ts (1)

218-225: 💤 Low value

Unreachable code path or redundant check.

Lines 218-225 check !registry.getSandbox(cmd) after the earlier block (lines 187-216) already handles the case where the sandbox doesn't exist and exits. If control reaches line 218, either:

1. The sandbox wasn't a valid action (line 187's condition failed), or
2. Recovery succeeded and registry.getSandbox(cmd) now returns truthy

In case (1), sandboxActions.includes(requestedSandboxAction) was false, so the user provided a non-sandbox-action. The code at line 227 then checks registry.getSandbox(cmd) again. This path seems intended for when cmd isn't a known sandbox AND the action isn't a sandbox action — but the suggestion logic here doesn't account for that distinction.

Consider whether this block is reachable or if the logic should be consolidated.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/cli/public-dispatch.ts` around lines 218 - 225, The duplicate check
of registry.getSandbox(cmd) is redundant and creates an unreachable or confusing
path; update the logic in public-dispatch.ts around the sandbox resolution (the
block that uses sandboxActions, requestedSandboxAction, and registry.getSandbox)
to consolidate suggestion handling into a single place: after determining that
the command is not a known sandbox and requestedSandboxAction is not a sandbox
action, call suggestGlobalCommand(cmd) once and log the "Unknown command / Did
you mean" message and exit; remove the second registry.getSandbox(cmd)
conditional (the later block at lines ~218-225) or merge its suggestion logic
into the earlier failure branch so suggestion only runs for truly unknown
commands. Ensure you reference and update the code that computes
requestedSandboxAction, sandboxActions, and calls registry.getSandbox(cmd).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/cli/oclif-dispatch.test.ts`:
- Around line 197-216: The test currently checks
resolveLegacySandboxDispatch("alpha", "config", ["bogus"]) and ("shields",
["bogus"]) only for kind, commandId and publicUsage; update these expectations
to also assert that invalid subcommands produce a non-zero exit code and an
error message like the `channels` test does — i.e. include exitCode: 1 and a
message string indicating the invalid subcommand (e.g. "Unknown subcommand
'bogus' for config" or similar) so the tests mirror the behavior asserted in the
`channels` case and preserve diagnostic parity; modify the expectations for the
`config` and `shields` assertions in oclif-dispatch.test.ts to include exitCode
and message fields referencing resolveLegacySandboxDispatch results.

In `@src/lib/cli/public-dispatch.ts`:
- Around line 111-117: The "usageError" switch case can fall through into
"unknownAction" because TypeScript doesn't know printDispatchUsageError will
exit; update the switch handling in public-dispatch by making the "usageError"
branch explicitly not continue execution — e.g., add a return immediately after
calling printDispatchUsageError(result, opts.sandboxName) (or otherwise
restructure so the function never reaches the "unknownAction" branch) to prevent
unintended fall-through to the unknownAction case that logs and exits.

---

Duplicate comments:
In `@src/lib/cli/oclif-dispatch.ts`:
- Around line 211-213: The current branch for action === "config" || action ===
"shields" returns parentHelp(action) which produces a success-style help exit;
change it to follow the same error path used for "channels" so invalid
subcommands produce an error message and non-zero exit. Concretely, replace the
unconditional return parentHelp(action) call with the same error-handling call
used for channels (e.g., call the helper that prints parent help as an error or
invoke parentHelp with an error flag / throw a CLI error) so that "config bogus"
and "shields typo" emit an explicit invalid-subcommand error and a non-zero exit
code; keep the reference to parentHelp and action so reviewers can find the
change.

---

Nitpick comments:
In `@src/lib/cli/public-dispatch.ts`:
- Around line 218-225: The duplicate check of registry.getSandbox(cmd) is
redundant and creates an unreachable or confusing path; update the logic in
public-dispatch.ts around the sandbox resolution (the block that uses
sandboxActions, requestedSandboxAction, and registry.getSandbox) to consolidate
suggestion handling into a single place: after determining that the command is
not a known sandbox and requestedSandboxAction is not a sandbox action, call
suggestGlobalCommand(cmd) once and log the "Unknown command / Did you mean"
message and exit; remove the second registry.getSandbox(cmd) conditional (the
later block at lines ~218-225) or merge its suggestion logic into the earlier
failure branch so suggestion only runs for truly unknown commands. Ensure you
reference and update the code that computes requestedSandboxAction,
sandboxActions, and calls registry.getSandbox(cmd).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c7189628-dc9e-4c1a-9376-0c42f14b5548

📥 Commits

Reviewing files that changed from the base of the PR and between d87bee5 and 4dcc675.

📒 Files selected for processing (5)

• src/commands/credentials/reset.ts
• src/lib/cli/oclif-dispatch.test.ts
• src/lib/cli/oclif-dispatch.ts
• src/lib/cli/public-dispatch.ts
• test/cli.test.ts

✅ Files skipped from review due to trivial changes (1)

• src/commands/credentials/reset.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• test/cli.test.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25949522967
Target ref: 4dcc67576de01e60f117aaad4b01bc4239b5a4b3
Workflow ref: main
Requested jobs: shields-config-e2e,sandbox-operations-e2e,diagnostics-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
diagnostics-e2e	✅ success
sandbox-operations-e2e	⚠️ cancelled
shields-config-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25949902841
Target ref: f2142f050bb9b82586d999d0a3cf9bba8b14956a
Workflow ref: main
Requested jobs: cloud-e2e,shields-config-e2e,diagnostics-e2e,sandbox-operations-e2e,rebuild-openclaw-e2e
Summary: 5 passed, 0 failed, 0 skipped

Job	Result
cloud-e2e	✅ success
diagnostics-e2e	✅ success
rebuild-openclaw-e2e	✅ success
sandbox-operations-e2e	✅ success
shields-config-e2e	✅ success

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26110131067
Target ref: 70a90f4bcd512b44ac2f2b2acff394dfb5da264c
Workflow ref: main
Requested jobs: cloud-onboard-e2e,cloud-inference-e2e,sandbox-operations-e2e,sandbox-survival-e2e,openclaw-inference-switch-e2e,hermes-inference-switch-e2e,inference-routing-e2e,channels-stop-start-e2e,network-policy-e2e,shields-config-e2e,snapshot-commands-e2e,state-backup-restore-e2e,tunnel-lifecycle-e2e,diagnostics-e2e,rebuild-openclaw-e2e,onboard-resume-e2e,credential-sanitization-e2e
Summary: 16 passed, 1 failed, 0 skipped

Job	Result
channels-stop-start-e2e	❌ failure
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-sanitization-e2e	✅ success
diagnostics-e2e	✅ success
hermes-inference-switch-e2e	✅ success
inference-routing-e2e	✅ success
network-policy-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
rebuild-openclaw-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
tunnel-lifecycle-e2e	✅ success

Failed jobs: channels-stop-start-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26112718750
Target ref: 1c3022281abdbba9826efb73184573cd63525e0e
Workflow ref: main
Requested jobs: cloud-onboard-e2e,sandbox-operations-e2e,diagnostics-e2e,docs-validation-e2e,openclaw-inference-switch-e2e,hermes-inference-switch-e2e,inference-routing-e2e,channels-stop-start-e2e,network-policy-e2e,shields-config-e2e,snapshot-commands-e2e,state-backup-restore-e2e,tunnel-lifecycle-e2e
Summary: 0 passed, 0 failed, 0 skipped

Job	Result
channels-stop-start-e2e	⚠️ cancelled
cloud-onboard-e2e	⚠️ cancelled
diagnostics-e2e	⚠️ cancelled
docs-validation-e2e	⚠️ cancelled
hermes-inference-switch-e2e	⚠️ cancelled
inference-routing-e2e	⚠️ cancelled
network-policy-e2e	⚠️ cancelled
openclaw-inference-switch-e2e	⚠️ cancelled
sandbox-operations-e2e	⚠️ cancelled
shields-config-e2e	⚠️ cancelled
snapshot-commands-e2e	⚠️ cancelled
state-backup-restore-e2e	⚠️ cancelled
tunnel-lifecycle-e2e	⚠️ cancelled

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26112986647
Target ref: 14697b7ad75516797189a92e37089d750020eac1
Workflow ref: main
Requested jobs: cloud-onboard-e2e,cloud-inference-e2e,sandbox-survival-e2e,sandbox-operations-e2e,diagnostics-e2e,openclaw-inference-switch-e2e,channels-stop-start-e2e,network-policy-e2e,shields-config-e2e,snapshot-commands-e2e,state-backup-restore-e2e,tunnel-lifecycle-e2e,upgrade-stale-sandbox-e2e,onboard-resume-e2e,docs-validation-e2e
Summary: 14 passed, 1 failed, 0 skipped

Job	Result
channels-stop-start-e2e	❌ failure
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
network-policy-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success

Failed jobs: channels-stop-start-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26116643258
Target ref: 40dd2158629fd98d3762b58af1b3468226685692
Workflow ref: main
Requested jobs: cloud-onboard-e2e,cloud-inference-e2e,sandbox-operations-e2e,sandbox-survival-e2e,openclaw-inference-switch-e2e,hermes-inference-switch-e2e,inference-routing-e2e,channels-stop-start-e2e,messaging-providers-e2e,token-rotation-e2e,credential-migration-e2e,credential-sanitization-e2e,network-policy-e2e,shields-config-e2e,snapshot-commands-e2e,state-backup-restore-e2e,tunnel-lifecycle-e2e,diagnostics-e2e,rebuild-openclaw-e2e,upgrade-stale-sandbox-e2e,onboard-resume-e2e,onboard-repair-e2e,docs-validation-e2e
Summary: 20 passed, 0 failed, 0 skipped

Job	Result
channels-stop-start-e2e	⚠️ cancelled
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
hermes-inference-switch-e2e	✅ success
inference-routing-e2e	✅ success
messaging-providers-e2e	✅ success
network-policy-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
rebuild-openclaw-e2e	⚠️ cancelled
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
token-rotation-e2e	⚠️ cancelled
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success

[jyaunches]

🔴 E2E blocker: the advisor-dispatched required E2E run is still failing.

Run: https://github.com/NVIDIA/NemoClaw/actions/runs/26112986647
Failed job: channels-stop-start-e2e

Failure details:

• openclaw/wechat: expected channel present in agent config at baseline, got no
• openclaw/wechat: expected channel present in agent config after start+rebuild, got no
• The diagnostic dump shows the registry/provider/policy state includes WeChat, but openclaw.json does not:
  • registry.messagingChannels: ["discord","slack","telegram","wechat","whatsapp"]
  • openclaw.json channels: ['defaults', 'discord', 'slack', 'telegram', 'whatsapp'] (missing wechat)

Please address or rerun with evidence if this is an unrelated flaky/environmental failure. Since this PR rewires broad CLI dispatch/command adapters and the E2E advisor marked channels-stop-start-e2e required, I would not merge until this job passes against the PR HEAD.

[ericksoa]

Approved with one accepted follow-up risk from local review.

Focused validation passed locally: npm run build:cli, npm run typecheck:cli, focused CLI routing/metadata tests (10 files, 85 tests), and git diff --check origin/main...HEAD. Visible GitHub checks are green.

Comment for follow-up: the built CLI currently routes parent help for nested sandbox groups that do not have parent command files to non-existent oclif command IDs, e.g. nemoclaw alpha channels --help -> command sandbox:channels not found, similarly config --help and shields --help. share, snapshot, and skill work because those parent commands exist. This is a user-facing help regression worth fixing in a follow-up, but per maintainer direction I am not blocking merge on it.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26117524739
Target ref: 8682bd7a446443bd271507c013abf2b2b48a1965
Workflow ref: main
Requested jobs: docs-validation-e2e,cloud-onboard-e2e,onboard-resume-e2e,sandbox-operations-e2e,sandbox-survival-e2e,openclaw-inference-switch-e2e,hermes-inference-switch-e2e,inference-routing-e2e,diagnostics-e2e,channels-stop-start-e2e,network-policy-e2e,shields-config-e2e,snapshot-commands-e2e,state-backup-restore-e2e,tunnel-lifecycle-e2e,rebuild-openclaw-e2e
Summary: 15 passed, 0 failed, 0 skipped

Job	Result
channels-stop-start-e2e	⚠️ cancelled
cloud-onboard-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
hermes-inference-switch-e2e	✅ success
inference-routing-e2e	✅ success
network-policy-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
rebuild-openclaw-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
tunnel-lifecycle-e2e	✅ success

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26119271812
Target ref: 9a0ac2384172adf970eaccb643c0273fc01821e9
Workflow ref: main
Requested jobs: cloud-onboard-e2e,cloud-inference-e2e,sandbox-operations-e2e,sandbox-survival-e2e,docs-validation-e2e,diagnostics-e2e,openclaw-inference-switch-e2e,inference-routing-e2e,network-policy-e2e,channels-stop-start-e2e,shields-config-e2e,snapshot-commands-e2e,tunnel-lifecycle-e2e
Summary: 12 passed, 1 failed, 0 skipped

Job	Result
channels-stop-start-e2e	❌ failure
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
inference-routing-e2e	✅ success
network-policy-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
snapshot-commands-e2e	✅ success
tunnel-lifecycle-e2e	✅ success

Failed jobs: channels-stop-start-e2e. Check run artifacts for logs.