refactor(onboard): plumb step mutation options through runtime

[cv]

Summary

Thread step mutation options through OnboardRuntime and the runtime boundary. This prepares runtime-driven onboarding paths to record step status without letting legacy step helpers advance the machine snapshot.

Changes

• Extend OnboardRuntimeDeps and runtime step methods to accept StepMutationOptions.
• Let OnboardRuntimeBoundary carry optional stepMutationOptions into start, complete, and failed step recording.
• Add runtime coverage for forwarding record-only step mutation options.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

Warning

Review limit reached

@cv, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 21 minutes and 20 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ab05c26b-a067-488e-b738-bc10343d7767

📥 Commits

Reviewing files that changed from the base of the PR and between 54fa1ca and 3aaf898.

📒 Files selected for processing (6)

• src/lib/onboard/machine/runtime.test.ts
• src/lib/onboard/machine/runtime.ts
• src/lib/onboard/runtime-boundary.test.ts
• src/lib/onboard/runtime-boundary.ts
• src/lib/state/onboard-session.test.ts
• src/lib/state/onboard-session.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch stack/onboard-fsm-runtime-step-options

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: onboard-resume-e2e, cloud-onboard-e2e
Optional E2E: onboard-negative-paths-e2e, double-onboard-e2e

Dispatch hint: onboard-resume-e2e,cloud-onboard-e2e

Auto-dispatched E2E: onboard-resume-e2e, cloud-onboard-e2e via nightly-e2e.yaml at 3aaf898cd6f68ffd633c0987b7bb3fc221982115 — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• onboard-resume-e2e (high; real Docker/OpenShell sandbox and NVIDIA_API_KEY required): Most directly covers the changed session and machine snapshot behavior: it forces an interrupted onboard run, verifies persisted failure/step state, then resumes and validates completion.
• cloud-onboard-e2e (high; public install path, real Docker/OpenShell sandbox, NVIDIA_API_KEY, and cloud inference required): Validates the primary real user install/onboard happy path after changes to onboard runtime/session step recording and machine state persistence.

Optional E2E

• onboard-negative-paths-e2e (high; real Docker/OpenShell sandbox and NVIDIA_API_KEY required): Useful adjacent coverage for failure and edge-case onboarding behavior, including friendly validation failures and gateway-port conflict handling, but the PR already has direct unit coverage for record-only failure mutation.
• double-onboard-e2e (very high; multiple sequential sandbox creations): Optional confidence that repeated onboarding and sandbox lifecycle recovery still work with the changed session step/machine transition plumbing.

New E2E recommendations

• onboarding-runtime-state-machine (medium): Existing E2E coverage validates default legacy step mutation and resume behavior, but does not directly assert a live record-only step path where step status is recorded while the FSM result is the only machine snapshot writer.
  • Suggested test: Add an onboarding state-machine E2E that runs a controlled onboard flow with record-only step mutation enabled and asserts machine revision/state advance only from FSM transition results while step statuses and context updates persist.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: onboard-resume-e2e,cloud-onboard-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw
Optional scenario E2E: ubuntu-repo-cloud-openclaw-resume, ubuntu-repo-cloud-hermes

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• ubuntu-repo-cloud-openclaw: Core onboarding runtime/session mutation code changed. The baseline Ubuntu repo OpenClaw scenario exercises the live non-interactive onboarding path, step start/complete/failure defaults, session persistence, expected onboarding state, and post-onboarding smoke/credential checks on the standard runner.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional scenario E2E

• ubuntu-repo-cloud-openclaw-resume: Optional adjacent lifecycle coverage for session/machine snapshot persistence across interrupted/resumed onboarding, which is related to the changed onboard session and runtime-boundary code but not the primary default onboarding path.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-resume
• ubuntu-repo-cloud-hermes: Optional alternate-agent coverage to confirm the same onboarding runtime/session changes do not regress the Hermes path.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes

Relevant changed files

• src/lib/onboard/machine/runtime.ts
• src/lib/onboard/runtime-boundary.ts
• src/lib/state/onboard-session.ts

[github-actions]

PR Review Advisor

Findings: 1 needs attention, 2 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 0 still apply, 2 new items found

Review findings

🛠️ Needs attention

• Offset large test-file growth: This PR adds another 20+ lines to two existing large test files. The changed tests are useful, but the repository drift signal marks these as current large-file hotspots where new coverage should be extracted or offset rather than growing the monolith further.
  • Recommendation: Move the new cases into focused test modules or extract shared harness helpers so `src/lib/onboard/runtime-boundary.test.ts` and `src/lib/state/onboard-session.test.ts` do not continue to grow as hotspots.
  • Evidence: Deterministic monolith deltas: `src/lib/onboard/runtime-boundary.test.ts` grew from 404 to 434 lines (+30); `src/lib/state/onboard-session.test.ts` grew from 1171 to 1197 lines (+26).

🔎 Worth checking

• Source-of-truth review needed: Step mutation options exposed through `OnboardRuntimeBoundaryOptions.stepMutationOptions`: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `src/lib/state/onboard-step-mutation.ts` labels `updateMachine` as a transitional escape hatch; this PR adds `stepMutationOptions?: StepMutationOptions` to `OnboardRuntimeBoundaryOptions` and forwards it to generic step recorders.
• Record-only boundary option needs explicit source-of-truth guardrails (src/lib/onboard/runtime-boundary.ts:26): `OnboardRuntimeBoundaryOptions.stepMutationOptions` exposes the transitional `{ updateMachine:false }` escape hatch through the generic boundary recorders. If a future caller configures this option and then uses `startRecordedStep`, `recordStepComplete`, or `recordStepFailed` without an explicit FSM result, the step status can diverge from the durable machine/status/failure source of truth. Current production construction does not pass the option, so this is a guardrail/future-footgun concern rather than an active production bypass.
  • Recommendation: Document this option directly on `OnboardRuntimeBoundaryOptions` and/or constrain its use to paired state-result adapters so record-only writes are always followed by an explicit `OnboardStateResult`. Add a boundary contract test that demonstrates the required pairing.
  • Evidence: `runtime-boundary.ts` adds `stepMutationOptions?: StepMutationOptions` and forwards it to `runtime.markStepStarted`, `runtime.markStepComplete`, and `runtime.markStepFailed`; `onboard-session.ts` suppresses machine/status/failure mutation when `shouldUpdateMachine(options)` is false.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Mocked behavioral coverage** — Boundary configured with `{ updateMachine:false }` leaves `session.machine` unchanged after `recordStepComplete` until `recordStateResult` applies the explicit transition.. The changed surfaces mutate persisted onboarding session state and runtime FSM behavior. Existing mocked runtime/boundary harnesses and temp-session tests cover the main forwarding/default behavior, but the newly exposed boundary-level escape hatch would benefit from explicit contract tests around source-of-truth pairing.
• **Mocked behavioral coverage** — Boundary configured with `{ updateMachine:false }` does not mark the session failed after `recordStepFailed` until `recordStepFailedWithStateResult` or an explicit failure result applies.. The changed surfaces mutate persisted onboarding session state and runtime FSM behavior. Existing mocked runtime/boundary harnesses and temp-session tests cover the main forwarding/default behavior, but the newly exposed boundary-level escape hatch would benefit from explicit contract tests around source-of-truth pairing.
• **Mocked behavioral coverage** — Production/default `OnboardRuntimeBoundary` behavior preserves legacy machine advancement when no `stepMutationOptions` are provided.. The changed surfaces mutate persisted onboarding session state and runtime FSM behavior. Existing mocked runtime/boundary harnesses and temp-session tests cover the main forwarding/default behavior, but the newly exposed boundary-level escape hatch would benefit from explicit contract tests around source-of-truth pairing.
• **Offset large test-file growth** — Move the new cases into focused test modules or extract shared harness helpers so `src/lib/onboard/runtime-boundary.test.ts` and `src/lib/state/onboard-session.test.ts` do not continue to grow as hotspots.
• **Step mutation options exposed through `OnboardRuntimeBoundaryOptions.stepMutationOptions`** — Existing tests cover option forwarding, session-level no-machine-mutation behavior, and paired record-only step/result adapters. Missing follow-up: a boundary contract test that a configured record-only generic recorder must be paired with an explicit state result before the machine source of truth advances.. `src/lib/state/onboard-step-mutation.ts` labels `updateMachine` as a transitional escape hatch; this PR adds `stepMutationOptions?: StepMutationOptions` to `OnboardRuntimeBoundaryOptions` and forwards it to generic step recorders.

Since last review details

Current findings:

• Source-of-truth review needed: Step mutation options exposed through `OnboardRuntimeBoundaryOptions.stepMutationOptions`: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `src/lib/state/onboard-step-mutation.ts` labels `updateMachine` as a transitional escape hatch; this PR adds `stepMutationOptions?: StepMutationOptions` to `OnboardRuntimeBoundaryOptions` and forwards it to generic step recorders.
• Offset large test-file growth: This PR adds another 20+ lines to two existing large test files. The changed tests are useful, but the repository drift signal marks these as current large-file hotspots where new coverage should be extracted or offset rather than growing the monolith further.
  • Recommendation: Move the new cases into focused test modules or extract shared harness helpers so `src/lib/onboard/runtime-boundary.test.ts` and `src/lib/state/onboard-session.test.ts` do not continue to grow as hotspots.
  • Evidence: Deterministic monolith deltas: `src/lib/onboard/runtime-boundary.test.ts` grew from 404 to 434 lines (+30); `src/lib/state/onboard-session.test.ts` grew from 1171 to 1197 lines (+26).
• Record-only boundary option needs explicit source-of-truth guardrails (src/lib/onboard/runtime-boundary.ts:26): `OnboardRuntimeBoundaryOptions.stepMutationOptions` exposes the transitional `{ updateMachine:false }` escape hatch through the generic boundary recorders. If a future caller configures this option and then uses `startRecordedStep`, `recordStepComplete`, or `recordStepFailed` without an explicit FSM result, the step status can diverge from the durable machine/status/failure source of truth. Current production construction does not pass the option, so this is a guardrail/future-footgun concern rather than an active production bypass.
  • Recommendation: Document this option directly on `OnboardRuntimeBoundaryOptions` and/or constrain its use to paired state-result adapters so record-only writes are always followed by an explicit `OnboardStateResult`. Add a boundary contract test that demonstrates the required pairing.
  • Evidence: `runtime-boundary.ts` adds `stepMutationOptions?: StepMutationOptions` and forwards it to `runtime.markStepStarted`, `runtime.markStepComplete`, and `runtime.markStepFailed`; `onboard-session.ts` suppresses machine/status/failure mutation when `shouldUpdateMachine(options)` is false.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26979953134
Target ref: a283bb4c93ece137dd7888b23acf5faead8f8404
Workflow ref: stack/onboard-fsm-step-record-only
Requested jobs: cloud-onboard-e2e,onboard-resume-e2e
Summary: 0 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	⚠️ cancelled
onboard-resume-e2e	⚠️ cancelled

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26980148131
Target ref: 357d936c2b541133eca3de5684fbcb195f4c7fc1
Workflow ref: stack/onboard-fsm-step-record-only
Requested jobs: cloud-onboard-e2e,onboard-resume-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success
onboard-resume-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27000005131
Target ref: 3aaf898cd6f68ffd633c0987b7bb3fc221982115
Workflow ref: main
Requested jobs: onboard-resume-e2e,cloud-onboard-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success
onboard-resume-e2e	✅ success