test(e2e): migrate VM driver privexec coverage

[jyaunches]

Summary

Migrate the test/e2e/test-vm-driver-privileged-exec-routing.sh contract into focused Vitest coverage while keeping the legacy shell file present for now.

Seeded from Carlos's PR #5144, but rebuilt on current main with only the one-script migration changes and no #5126-era framework diff.

Related Issues

Refs #5098
Refs #4245

Contract mapping

• Legacy assertion: VM-driver privileged exec routes to the direct sandbox container, not openshell-gateway-nemoclaw.
  • Replacement: test/vm-driver-privileged-exec-routing.test.ts asserts alpha selects openshell-alpha-abc123 while ignoring openshell-alpha-child and gateway containers.
  • Boundary preserved: real built dist/lib/sandbox/privileged-exec.js helper plus fake registry and fake docker ps subprocess boundary.
• Legacy assertion: exact direct container wins when present.
  • Replacement: alpha-child selects openshell-alpha-child.
  • Boundary preserved: fake Docker output exercises the same direct-container selection path.
• Legacy assertion: Docker-driver and older registry entries without recorded driver still route to direct sandbox containers.
  • Replacement: dockerbox and unknown-driver cases assert direct container argv.
  • Boundary preserved: built helper reads a temp ~/.nemoclaw/sandboxes.json.
• Legacy assertion: missing direct VM container fails clearly instead of falling back to gateway routing.
  • Replacement: missing-container case asserts the No running direct OpenShell sandbox container...driver: vm error.
  • Boundary preserved: fake docker ps contains only gateway/unrelated containers.

Simplicity check

• Test shape: focused process/unit-shaped Vitest test in test/.
• New shared helpers: none; fake registry/Docker setup is local to the test.
• New framework/registry/ledger: none.
• Workflow changes: retired/unwired the nightly shell-script lane from selective dispatch and nightly shell-script wiring. The legacy shell file remains in test/e2e/ and in the top-level frozen shell allowlist; replacement coverage runs in normal CLI Vitest.

Verification

• npm run build:cli
• npx vitest run --project cli test/vm-driver-privileged-exec-routing.test.ts --silent=false --reporter=default
• npx vitest run --project cli test/e2e-script-workflow.test.ts --silent=false --reporter=default
  • includes a contract assertion that the unwired vm-driver-privileged-exec-routing-e2e lane is absent from nightly dispatch/wiring, the legacy shell file remains present, the replacement test is in the CLI Vitest include path, and the CLI coverage shard rebuilds dist before Vitest
• npm run test-size:check -- test/vm-driver-privileged-exec-routing.test.ts test/e2e-script-workflow.test.ts
• git diff --check

CI follow-up

The first selective E2E auto-dispatch still used the trusted main nightly workflow, which attempted to run the shell-script lane. This PR now removes vm-driver-privileged-exec-routing-e2e from the nightly dispatch input/list/job definitions so the unwired lane is not auto-dispatched. The legacy shell file has been restored per maintainer preference; this PR no longer deletes any file under test/e2e/.

Summary by CodeRabbit

• Tests

  • Added a regression test for privileged-exec routing to validate correct OpenShell sandbox selection across VM, Docker, and other drivers.
  • Added a contract test to ensure the retired nightly job is absent and that the CLI coverage shard runs the build step before executing CLI tests.

• Chores

  • Retired a nightly E2E job and updated CI guidance to reference the new CLI test shard and narrowed nightly run targets.
  • Test helper updated to include CLI coverage shard metadata.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR replaces a shell-script-based privileged-exec routing regression test with a Vitest test. It adds the new Vitest test file, removes the old shell script from test allowlists and CI workflow wiring, and asserts the retirement through updated contract tests.

Changes

Test migration and CI job removal

Layer / File(s)	Summary
New Vitest privileged-exec regression test test/vm-driver-privileged-exec-routing.test.ts	Adds a Vitest test that bootstraps a fake Docker environment and sandbox registry, then asserts privilegedSandboxExecArgv() correctly routes privileged-exec to direct OpenShell container names for VM/Docker/unknown drivers and throws on missing containers.
Test allowlist and workflow contract updates test/e2e-script-workflow.test.ts, test/helpers/e2e-workflow-contract.ts	Reorders node:fs imports, adds constants for the retired job, removes the shell script from frozen allowlists, adds a contract test asserting the nightly workflow no longer references the retired job and CLI Vitest coverage is correctly wired, and extends the E2E workflow contract loader to include the CLI coverage shard action.
Nightly E2E workflow job removal .github/workflows/nightly-e2e.yaml	Removes vm-driver-privileged-exec-routing-e2e from dispatch inputs, deletes the job definition, and drops it from notify-on-failure, report-to-pr, and scorecard job dependencies.
Coderabbit guidance updates .coderabbit.yaml	Replaces the E2E test recommendation reference to the new CLI Vitest regression test and narrows the selective jobs= list to shields-config-e2e.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/NemoClaw#5155: Performs a similar E2E retirement pattern by removing a legacy bash script job from the nightly workflow and adding corresponding Vitest coverage with updated test contracts.

Suggested labels

area: e2e, area: ci, area: sandbox, chore

Suggested reviewers

• cv
• prekshivyas

Poem

🐰 A shell script fades as Vitest takes the stage,
Direct containers route through a new test age,
CI jobs removed, contracts in their place,
Privileged-exec routing finds its testing space!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'test(e2e): migrate VM driver privexec coverage' accurately describes the main change: migrating VM driver privileged-exec-routing test coverage from a shell script (test-vm-driver-privileged-exec-routing.sh) to a Vitest test (test/vm-driver-privileged-exec-routing.test.ts).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch e2e-migrate/vm-driver-privexec-simple

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: shields-config-e2e

Dispatch hint: shields-config-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No required E2E is recommended because the PR changes CI workflow wiring, advisory metadata, and test coverage only. It does not modify installer/onboarding, sandbox lifecycle implementation, credentials, security boundary code, network policy, inference routing, deployment code, or real assistant user-flow runtime paths. The retired vm-driver privileged-exec lane is covered by newly added CLI Vitest regression and workflow contract tests rather than by a live E2E dispatch.

Optional E2E

• shields-config-e2e (medium): Optional confidence only: this is the remaining live E2E adjacent to privileged config/shields mutations after retiring the VM-driver routing E2E lane. No runtime source changed, so it should not be merge-blocking.

New E2E recommendations

• None.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: shields-config-e2e

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: None
Optional Vitest E2E scenarios: None

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• None. Changed files affect CodeRabbit guidance, the legacy nightly E2E workflow, and CLI/workflow contract Vitest tests outside test/e2e-scenario/. They do not change the Vitest scenario workflow, scenario registry, runtime support, live scenario entry point, or shared Vitest scenario fixtures.

Optional Vitest E2E scenarios

• None.

Relevant changed files

• None.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27315928722
Target ref: 3af822a6fb16e1f7081855269587d0c78cb14b17
Workflow ref: main
Requested jobs: vm-driver-privileged-exec-routing-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
vm-driver-privileged-exec-routing-e2e	❌ failure

Failed jobs: vm-driver-privileged-exec-routing-e2e. Check run artifacts for logs.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/vm-driver-privileged-exec-routing.test.ts`:
- Around line 88-101: In loadHelperWithFakeHome, replace use of path.delimiter
when building process.env.PATH with the POSIX separator ':' so tests use a
consistent POSIX PATH (i.e., change the PATH assignment that currently uses
path.delimiter to use ':' and keep the fallback to process.env.PATH or empty
string); update the assignment in the function loadHelperWithFakeHome to use
`${fakeBin}:${process.env.PATH ?? ""}` to ensure CI Linux runners get the
expected PATH format.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e22b0408-4c81-4158-b8cd-5726a5e81a11

📥 Commits

Reviewing files that changed from the base of the PR and between 0f99ee5 and 3af822a.

📒 Files selected for processing (4)

• .github/workflows/nightly-e2e.yaml
• test/e2e-script-workflow.test.ts
• test/e2e/test-vm-driver-privileged-exec-routing.sh
• test/vm-driver-privileged-exec-routing.test.ts

💤 Files with no reviewable changes (1)

• test/e2e/test-vm-driver-privileged-exec-routing.sh

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 0 still apply, 0 new items found

Consider writing more tests for

• **Runtime validation** — Add a contract test that scans .coderabbit.yaml and fails if it advertises vm-driver-privileged-exec-routing-e2e when .github/workflows/nightly-e2e.yaml has no dispatchable job with that ID.. The migrated behavior is covered by focused built-dist CLI Vitest regression and workflow-contract assertions. Because the changed surfaces include reviewer guidance and nightly workflow dispatch wiring for sandbox-escape-relevant privileged-exec coverage, additional contract scanning would improve confidence against future source-of-truth drift.
• **Runtime validation** — Add a contract test that the CodeRabbit guidance for src/lib/shields/**, src/lib/sandbox/privileged-exec.ts, and src/lib/sandbox/config.ts includes test/vm-driver-privileged-exec-routing.test.ts and references only live dispatchable E2E job IDs such as shields-config-e2e.. The migrated behavior is covered by focused built-dist CLI Vitest regression and workflow-contract assertions. Because the changed surfaces include reviewer guidance and nightly workflow dispatch wiring for sandbox-escape-relevant privileged-exec coverage, additional contract scanning would improve confidence against future source-of-truth drift.
• **Acceptance clause:** No linked issue acceptance clauses were available in deterministic context. — add test evidence or identify existing coverage. Trusted context reported linkedIssues: []. The PR body references Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 and [macOS][Security] nemoclaw shields up/down fails with "No such container: openshell-cluster-nemoclaw" on Docker Desktop VM driver #4245, but issue bodies/comments were not provided for literal clause extraction.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/nightly-e2e.yaml:
- Line 143: The .coderabbit.yaml path_instructions still reference the removed
job vm-driver-privileged-exec-routing-e2e for paths "src/lib/shields/**",
"src/lib/sandbox/privileged-exec.ts", and "src/lib/sandbox/config.ts"; update
.coderabbit.yaml so these entries no longer mention
vm-driver-privileged-exec-routing-e2e and instead map those paths to the actual
jobs exported by the nightly-e2e workflow (e.g., shields-config-e2e,
rebuild-openclaw-e2e or other current job names), or remove the
path_instructions entirely for those files if no matching job exists. Ensure
references to vm-driver-privileged-exec-routing-e2e are removed so
.coderabbit.yaml matches the job set in the workflow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e9d618db-8fa9-423c-a272-74b02d6ff503

📥 Commits

Reviewing files that changed from the base of the PR and between 3af822a and fb6e584.

📒 Files selected for processing (1)

• .github/workflows/nightly-e2e.yaml

[jyaunches]

Addressed PR Review Advisor worth-checking item with commit 052693326: test/e2e-script-workflow.test.ts now asserts the retired vm-driver-privileged-exec-routing-e2e lane/script are absent from nightly, test/vm-driver-privileged-exec-routing.test.ts is covered by the CLI Vitest include path, and the CLI coverage shard runs npm run build:cli before npx vitest run --project cli. Re-ran: npm run build:cli, focused replacement Vitest, workflow contract Vitest, test-size check, and git diff --check.

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e-script-workflow.test.ts (1)

222-227: ⚡ Quick win

Reuse the contract loaded on line 185 instead of re-calling loadE2eWorkflowContract().

loadE2eWorkflowContract() is already called on line 185 to load the workflow contracts for the entire test suite. Now that it returns cliCoverageShardAction (per the helper changes), add it to the line 185 destructuring and remove the redundant call on line 223.

♻️ Proposed refactor

Update line 185 to include cliCoverageShardAction:

-  const { runnerWorkflow, nightlyWorkflow, action } = loadE2eWorkflowContract();
+  const { runnerWorkflow, nightlyWorkflow, action, cliCoverageShardAction } = loadE2eWorkflowContract();

Then remove the redundant call on line 223:

   it("keeps the unwired VM driver privileged-exec lane covered by CLI Vitest", () => {
-    const { cliCoverageShardAction } = loadE2eWorkflowContract();
     const runStepNames = cliCoverageShardAction.runs.steps.map((step) => step.name);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-script-workflow.test.ts` around lines 222 - 227, The test re-calls
loadE2eWorkflowContract() to get cliCoverageShardAction even though that value
is already returned by the earlier call; update the earlier destructuring where
loadE2eWorkflowContract() is first invoked to include cliCoverageShardAction,
then remove the redundant call and use the existing cliCoverageShardAction
variable for computing runStepNames and cliShardRunStep (references:
loadE2eWorkflowContract, cliCoverageShardAction, runStepNames, cliShardRunStep).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e-script-workflow.test.ts`:
- Around line 222-227: The test re-calls loadE2eWorkflowContract() to get
cliCoverageShardAction even though that value is already returned by the earlier
call; update the earlier destructuring where loadE2eWorkflowContract() is first
invoked to include cliCoverageShardAction, then remove the redundant call and
use the existing cliCoverageShardAction variable for computing runStepNames and
cliShardRunStep (references: loadE2eWorkflowContract, cliCoverageShardAction,
runStepNames, cliShardRunStep).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b9715a50-d910-4b2d-b476-060900a87c25

📥 Commits

Reviewing files that changed from the base of the PR and between 390e6ea and 1e774a3.

📒 Files selected for processing (3)

• .coderabbit.yaml
• test/e2e-script-workflow.test.ts
• test/helpers/e2e-workflow-contract.ts