refactor: inline single-use aliases

[cv]

Summary

This PR makes a focused first cleanup pass for the single-use alias audit by inlining adjacent, side-effect-free aliases in CLI and plugin production code. The selection intentionally skips named constants, test readability helpers, exhaustiveness guards, mutation snapshots, and longer expressions where the local variable still improves readability.

Related Issue

Fixes #4876

Changes

• Inline reviewed single-use aliases in sandbox, inference, messaging, shields, and state helpers under src/lib.
• Inline two plugin aliases in blueprint validation and migration state traversal under nemoclaw/src.
• Keep the scan helper out of the repo; candidates were generated locally and manually filtered for low-risk adjacent uses.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

[coderabbitai]

Warning

Review limit reached

@cv, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 11 minutes and 25 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d6d54a24-7f19-4979-93d4-3a3808f63d9b

📥 Commits

Reviewing files that changed from the base of the PR and between 0151ff3 and cf839b4.

📒 Files selected for processing (10)

• nemoclaw/src/blueprint/runner.ts
• nemoclaw/src/commands/migration-state.ts
• src/lib/actions/sandbox/destroy.ts
• src/lib/actions/sandbox/snapshot.ts
• src/lib/inference/local.ts
• src/lib/inference/onboard-probes.ts
• src/lib/messaging/compiler/manifest-compiler.ts
• src/lib/shields/timer-control.ts
• src/lib/state/sandbox-session.ts
• src/lib/state/tar-listing.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/inline-single-use-aliases

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Top item: No actionable findings

Consider writing more tests for

• **Runtime validation** — Validate `setConfigValue` still creates missing array/object path segments and still rejects `__proto__`, `constructor`, and `prototype` segments.. The refactor appears behavior-preserving and unit-level changes are not required for the mechanical inlining itself, but several touched files are runtime/sandbox/inference paths where targeted validation improves confidence.
• **Runtime validation** — Validate snapshot restore image resolution still returns the registered image for gateway-metadata drivers and the kubectl-discovered image for kubernetes fallback.. The refactor appears behavior-preserving and unit-level changes are not required for the mechanical inlining itself, but several touched files are runtime/sandbox/inference paths where targeted validation improves confidence.
• **Runtime validation** — Validate messaging manifest compilation still trims config env values and reports secret input availability without exposing secret values.. The refactor appears behavior-preserving and unit-level changes are not required for the mechanical inlining itself, but several touched files are runtime/sandbox/inference paths where targeted validation improves confidence.
• **Runtime validation** — Validate tar listing still rejects listings over `TAR_LISTING_MAX_OUTPUT_BYTES` and removes the temporary listing directory after success and failure.. The refactor appears behavior-preserving and unit-level changes are not required for the mechanical inlining itself, but several touched files are runtime/sandbox/inference paths where targeted validation improves confidence.
• **Runtime validation** — Validate sandbox session parsing still matches only exact `openshell-<sandbox>` SSH host names and not prefix matches.. The refactor appears behavior-preserving and unit-level changes are not required for the mechanical inlining itself, but several touched files are runtime/sandbox/inference paths where targeted validation improves confidence.
• **Acceptance clause:** Tests and type-checks relevant to touched files pass. — add test evidence or identify existing coverage. The PR body reports `npx prek run --all-files` and `npm test` passing, but this review did not execute tests or evaluate external CI status.
• **Acceptance clause:** Add a TypeScript-aware filter, or equivalent review script, that only reports variables with exactly one local reference. — add test evidence or identify existing coverage. The PR body claims candidates were generated locally and manually filtered, but no helper script is committed and the exact filter cannot be independently verified from repository contents.
• **Acceptance clause:** Manually review candidates before editing. — add test evidence or identify existing coverage. The PR body states candidates were manually filtered, but manual review process evidence is outside the repository diff.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: snapshot-commands-e2e, inference-routing-e2e, messaging-providers-e2e, sandbox-operations-e2e, shields-config-e2e, network-policy-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No merge-blocking E2E is recommended: every shown change is a behavior-preserving local-variable inline/removal in sensitive runtime files, with no logic, control-flow, IO, validation, command, policy, or configuration semantics changed. Optional jobs are listed only for extra confidence in adjacent high-risk domains.

Optional E2E

• snapshot-commands-e2e (medium): Optional regression confidence for snapshot create/list/restore and credential absence because snapshot, migration-state, and tar-listing files were touched, even though the diff is behavior-preserving.
• inference-routing-e2e (medium): Optional confidence for inference route error classification and credential isolation after no-op refactors in local inference diagnostics and onboard probe helpers.
• messaging-providers-e2e (high): Optional coverage for messaging provider credential placeholder/L7-proxy flows because manifest input/env normalization code was touched.
• sandbox-operations-e2e (medium): Optional lifecycle confidence for sandbox operations and destroy cleanup paths after a no-op refactor in sandbox destroy/session-related code.
• shields-config-e2e (medium): Optional check for shields state/timer lifecycle because shields timer and destroy-artifact cleanup code was touched.
• network-policy-e2e (medium): Optional confidence for policy parsing/enforcement because blueprint policy validation code was touched, despite the shown change being an equivalent refactor.

New E2E recommendations

• None.

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw-custom-policies, ubuntu-rebuild-openclaw, ubuntu-repo-cloud-openclaw-telegram
Optional scenario E2E: gpu-repo-local-ollama-openclaw, ubuntu-repo-openai-compatible-openclaw

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-custom-policies
• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-rebuild-openclaw
• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-telegram

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: medium

Required scenario E2E

• ubuntu-repo-cloud-openclaw-custom-policies: Best single Ubuntu scenario for the changed OpenClaw source paths that affect onboarding, custom policy/blueprint handling, inference routing, sandbox snapshot create/list/restore, state/tar listing, and normal sandbox teardown behavior.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-custom-policies
• ubuntu-rebuild-openclaw: Exercises the migration-state snapshot bundle and rebuild lifecycle path touched by nemoclaw/src/commands/migration-state.ts, plus post-rebuild inference and policy preservation checks.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-rebuild-openclaw
• ubuntu-repo-cloud-openclaw-telegram: Minimal routed messaging scenario to cover the manifest compiler input/env normalization path changed in src/lib/messaging/compiler/manifest-compiler.ts, including common messaging provider attachment and no-secret-leak checks.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw-telegram

Optional scenario E2E

• gpu-repo-local-ollama-openclaw: Optional special-runner coverage for the local Ollama provider path in src/lib/inference/local.ts; this is the scenario suite's dedicated local-Ollama/GPU path.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=gpu-repo-local-ollama-openclaw
• ubuntu-repo-openai-compatible-openclaw: Optional adjacent provider-onboarding coverage for src/lib/inference/onboard-probes.ts changes affecting OpenAI-compatible endpoint probe parsing beyond the primary NVIDIA cloud onboarding path.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-openai-compatible-openclaw

Relevant changed files

• nemoclaw/src/blueprint/runner.ts
• nemoclaw/src/commands/migration-state.ts
• src/lib/actions/sandbox/destroy.ts
• src/lib/actions/sandbox/snapshot.ts
• src/lib/inference/local.ts
• src/lib/inference/onboard-probes.ts
• src/lib/messaging/compiler/manifest-compiler.ts
• src/lib/shields/timer-control.ts
• src/lib/state/sandbox-session.ts
• src/lib/state/tar-listing.ts