chore: bump OpenShell pin to 0.0.44

[ericksoa]

Summary

• Pin NemoClaw stable OpenShell install/support window to v0.0.44.
• Update version-pin installer/E2E expectations and parity metadata for the new max version.
• Keep this PR scoped to OpenShell only; no OpenClaw or other dependency bumps.

Validation

• npm ci --ignore-scripts
• npm run build:cli
• npm run validate:configs
• bash -n scripts/install-openshell.sh scripts/brev-launchable-ci-cpu.sh test/e2e/test-openshell-version-pin.sh test/e2e/test-openshell-gateway-upgrade.sh
• npx tsx scripts/e2e/check-parity-map.ts --strict
• npx vitest run test/install-openshell-version-check.test.ts test/onboard-openshell-version.test.ts test/onboard-gateway-runtime.test.ts src/lib/onboard/docker-driver-gateway-runtime-marker.test.ts --testTimeout 60000
• bash test/e2e/test-openshell-version-pin.sh
• npx vitest run test/install-preflight.test.ts test/install-onboard-yes.test.ts test/onboard.test.ts --testTimeout 60000
• git diff --check

Summary by CodeRabbit

Release Notes

• Chores
  • Updated OpenShell version pinning from 0.0.39 to 0.0.44 across the platform, including minimum and maximum version constraints.
  • Refreshed CI/CD regression tests to validate version pinning behavior against the updated baseline.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7449c553-89cc-40bc-add2-ec865af30611

📥 Commits

Reviewing files that changed from the base of the PR and between 32fac96 and ee95de0.

📒 Files selected for processing (14)

• .github/workflows/regression-e2e.yaml
• nemoclaw-blueprint/blueprint.yaml
• scripts/brev-launchable-ci-cpu.sh
• scripts/install-openshell.sh
• src/lib/onboard.ts
• src/lib/onboard/docker-driver-gateway-runtime-marker.test.ts
• src/lib/onboard/openshell-install.ts
• test/e2e/docs/parity-inventory.generated.json
• test/e2e/docs/parity-map.yaml
• test/e2e/test-openshell-gateway-upgrade.sh
• test/e2e/test-openshell-version-pin.sh
• test/install-openshell-version-check.test.ts
• test/onboard-gateway-runtime.test.ts
• test/onboard-openshell-version.test.ts

---

📝 Walkthrough

Walkthrough

This PR pins the OpenShell version across the codebase from 0.0.39 to 0.0.44, with the test sticky version updated from 0.0.40 to 0.0.45. Changes span blueprint configuration, installer scripts, TypeScript onboarding logic, and all related E2E and unit test scenarios.

Changes

OpenShell Version Pinning Update to 0.0.44

Layer / File(s)	Summary
Configuration constants and environment defaults nemoclaw-blueprint/blueprint.yaml, scripts/install-openshell.sh, scripts/brev-launchable-ci-cpu.sh	Blueprint min_openshell_version and max_openshell_version fields updated to 0.0.44. Installer script constants MIN_VERSION, MAX_VERSION, and DEV_MIN_VERSION bumped to 0.0.44. CI environment override OPENSHELL_VERSION default and derived SUPERVISOR_TAG reflect new pinned version.
Onboarding and runtime logic src/lib/onboard.ts, src/lib/onboard/openshell-install.ts	Docker supervisor fallback version in getOpenShellDockerSupervisorImage() updated to 0.0.44. Error message instructing missing binary install changed to v0.0.44. Fallback minimum in ensureOpenshellForOnboard bumped to 0.0.44 for upgrade-decision logic.
E2E version pinning guard test scenario test/e2e/test-openshell-version-pin.sh, .github/workflows/regression-e2e.yaml	Primary regression test updated to exercise sticky OpenShell 0.0.45 against maximum 0.0.44. Fake openshell --version outputs changed from 0.0.40/0.0.39 to 0.0.45/0.0.44. Assertions verify "above maximum" warning for 0.0.45, require download of v0.0.44, forbid v0.0.45, and confirm binary replacement. Workflow comment reflects new version pair.
E2E test assertion documentation and parity mapping test/e2e/docs/parity-inventory.generated.json, test/e2e/docs/parity-map.yaml	Generated E2E parity assertions and mapping documentation updated to reflect new version scenarios (sticky 0.0.45 → pinned 0.0.44) with corresponding assertion IDs and expected download/replacement behavior.
Installer version check unit tests test/install-openshell-version-check.test.ts	Test cases across already-installed success path, missing binaries reinstall, macOS gateway/codesign, PATH shadowing, and version-policy scenarios updated to expect 0.0.44 as the pinned version and installation target.
Onboarding and gateway unit tests src/lib/onboard/docker-driver-gateway-runtime-marker.test.ts, test/e2e/test-openshell-gateway-upgrade.sh, test/onboard-gateway-runtime.test.ts, test/onboard-openshell-version.test.ts	Docker gateway runtime marker fixture, gateway upgrade regression mocks, and onboarding version envelope tests updated to use 0.0.44 pinned version and 0.0.45 development/test versions in assertions and mock outputs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3383: Both PRs touch the OpenShell onboarding/install logic—this PR bumps pinned version values while the retrieved PR refactors ensureOpenshellForOnboard() and driver-binary checks, so changes are related at the function-logic level.
• NVIDIA/NemoClaw#3478: This PR updates the existing OpenShell version pinning E2E guard test (test-openshell-version-pin.sh and regression coverage) to new pinned/sticky versions (0.0.39→0.0.44 and 0.0.40→0.0.45), directly connected to the retrieved PR's addition of the same guard.
• NVIDIA/NemoClaw#3446: Both PRs touch the OpenShell pinning installer path—scripts/install-openshell.sh and onboarding modules—so this PR's version bump to 0.0.44 lands on the same MIN/MAX/PIN resolution behavior introduced in the retrieved PR.

Suggested labels

OpenShell, v0.0.44, E2E

Suggested reviewers

• jyaunches
• cv
• cjagwani

Poem

🐰 A pinned version bumps from thirty-nine to forty-four,
Sticky baseline hops from forty to forty-five galore,
E2E guards test the dance, too-new falls back in place,
Installation paths aligned, supervisor tags keep pace! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the primary change: bumping the OpenShell pin version from 0.0.39 to 0.0.44, which is reflected consistently across all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch upgrade/openshell-0.0.44

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: openshell-version-pin-e2e, openshell-gateway-upgrade-e2e, cloud-onboard-e2e, gateway-drift-preflight-e2e, gateway-health-honest-e2e
Optional E2E: onboard-inference-smoke-e2e, cloud-inference-e2e, sandbox-survival-e2e

Auto-dispatched E2E: openshell-gateway-upgrade-e2e, cloud-onboard-e2e via nightly-e2e.yaml at ee95de07d1f1bb48ad1d61739342b5309dd0ab14 — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• openshell-version-pin-e2e (low): Direct coverage for the changed OpenShell min/max/pin behavior: verifies a sticky too-new OpenShell 0.0.45 is replaced with pinned 0.0.44 instead of hard-failing.
• openshell-gateway-upgrade-e2e (high): Required because the PR changes the current OpenShell version used by the gateway upgrade scenario. It validates old-install upgrade, gateway replacement, restored durable state, registry continuity, and OpenClaw agent survival.
• cloud-onboard-e2e (high): Required real install/onboard validation for the new blueprint OpenShell bounds and installer env propagation. This catches asset availability, fresh install, sandbox creation, and inference.local/onboard readiness regressions that unit tests and stubbed E2Es cannot.
• gateway-drift-preflight-e2e (medium): Required because the PR changes the Docker supervisor tag fallback and runtime version identity used by Docker-driver gateway drift detection. This verifies stale/incompatible gateway state is still detected and fails closed.
• gateway-health-honest-e2e (medium): Required gateway lifecycle guard because onboard gateway startup code and OpenShell binary version guidance changed. It verifies a failing gateway binary is not incorrectly reported healthy.

Optional E2E

• onboard-inference-smoke-e2e (medium): Useful adjacent confidence for the onboard success contract after the OpenShell pin bump: onboard should not report success until the configured inference route has served a real completion.
• cloud-inference-e2e (high): Optional live assistant confidence that the new OpenShell 0.0.44 install/onboard stack still supports inference.local and real chat completion after sandbox creation.
• sandbox-survival-e2e (high): Optional broader sandbox lifecycle coverage for gateway restart/survival behavior under the new OpenShell/supervisor version. Not merge-blocking if the targeted gateway upgrade and drift tests pass.

New E2E recommendations

• ci-launchable-runtime-image (medium): No targeted existing E2E appears to assert that scripts/brev-launchable-ci-cpu.sh installs the same OpenShell version as blueprint.yaml and pre-pulls the matching openshell/supervisor tag. Launchable regressions can break PR E2E readiness before product tests start.
  • Suggested test: Add a launchable-openshell-pin E2E that boots the CPU launchable setup path and asserts openshell --version, supervisor image tag, and blueprint min/max/pin coherence.
• openshell-release-asset-coherence (medium): The stubbed version-pin E2E validates installer decision logic, while cloud onboard validates the happy path. A lightweight release-asset coherence guard would catch missing OpenShell 0.0.44 helper assets or checksum naming drift before full onboarding.
  • Suggested test: Add an OpenShell asset availability E2E/check that verifies the pinned release has CLI, gateway, sandbox, and checksum assets for supported Linux/macOS architectures.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26126929207
Target ref: ee95de07d1f1bb48ad1d61739342b5309dd0ab14
Workflow ref: main
Requested jobs: openshell-gateway-upgrade-e2e,cloud-onboard-e2e
Summary: 1 passed, 1 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success
openshell-gateway-upgrade-e2e	❌ failure

Failed jobs: openshell-gateway-upgrade-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26126835952
Target ref: upgrade/openshell-0.0.44
Workflow ref: upgrade/openshell-0.0.44
Requested jobs: all (no filter)
Summary: 43 passed, 0 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	✅ success
brave-search-e2e	✅ success
channels-stop-start-e2e	✅ success
cloud-e2e	✅ success
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
device-auth-health-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
double-onboard-e2e	✅ success
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-slack-e2e	✅ success
inference-routing-e2e	✅ success
issue-2478-crash-loop-recovery-e2e	✅ success
kimi-inference-compat-e2e	✅ success
launchable-smoke-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success
messaging-providers-e2e	✅ success
network-policy-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
openclaw-slack-pairing-e2e	✅ success
openshell-gateway-upgrade-e2e	✅ success
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success
rebuild-openclaw-e2e	✅ success
runtime-overrides-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
skill-agent-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
telegram-injection-e2e	✅ success
token-rotation-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success