test(e2e): migrate credential migration to Vitest [IND-5]

[jyaunches]

Summary

Migrate test/e2e/test-credential-migration.sh with equivalent live Vitest coverage and run the existing credential-migration-e2e nightly lane on the same ubuntu-latest runner through Vitest.

Related Issues

Refs #5098

Contract mapping

• Legacy assertion: staged legacy ~/.nemoclaw/credentials.json feeds nemoclaw onboard when NVIDIA_API_KEY is absent from the child env.
  • Replacement: test/e2e-scenario/live/credential-migration.test.ts runs real node bin/nemoclaw.js onboard --non-interactive with a temp HOME containing the legacy file.
  • Boundary preserved: real host CLI, install fallback, Docker/OpenShell gateway, and onboard subprocess.
• Legacy assertion: tampered non-credential keys (OPENSHELL_GATEWAY, NODE_OPTIONS) are ignored.
  • Replacement: provider-list assertions verify those names are not registered after migration.
  • Boundary preserved: real openshell -g nemoclaw provider list --names.
• Legacy assertion: successful onboard removes plaintext credentials.json and nemoclaw credentials list reads providers from the gateway.
  • Replacement: file-removal and node bin/nemoclaw.js credentials list assertions in the live Vitest test.
  • Boundary preserved: real CLI and OpenShell gateway.
• Legacy assertion: secure unlink removes a symlink at the legacy path without modifying its target.
  • Replacement: the Vitest test plants a symlink and invokes compiled removeLegacyCredentialsFile().
  • Boundary preserved: real filesystem symlink/unlink behavior against compiled dist module.

Simplicity check

• Test shape: simple live Vitest test.
• New shared helpers: none; one-off setup/cleanup helpers are local to the test.
• New framework/registry/ledger: none.
• Workflow changes: credential-migration-e2e now runs the Vitest test directly on ubuntu-latest, preserving the same nightly lane/runner while removing that lane's shell-script execution. Legacy shell deletion is deferred to Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 Phase 11.

Verification

• npm run build:cli
• npx vitest run --project cli test/e2e-script-workflow.test.ts test/e2e-scenario/live/credential-migration.test.ts --reporter=default
• NEMOCLAW_RUN_E2E_SCENARIOS=1 npx vitest run --project e2e-scenarios-live test/e2e-scenario/live/credential-migration.test.ts --reporter=default (local import/skip path; live body requires NVIDIA_API_KEY)
• npm run typecheck:cli
• git diff --check

CI / live runner

After opening this PR, dispatch E2E / Nightly with jobs=credential-migration-e2e on this branch so the migrated Vitest test runs on the same ubuntu-latest runner as the legacy lane.

Summary by CodeRabbit

• Tests
  • Added a live end-to-end scenario that validates legacy credential migration, tampering exclusion, gateway-backed provider handling, secure deletion (symlink safety), and produces test artifacts with results.
• Chores
  • Added a dedicated CI job to run the credential-migration scenario, upload artifacts (14-day retention), and include its status in PR reports; updated CI validation tests and workflow contracts to support the new job.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27349913431
Target ref: e2e-migrate/test-credential-migration
Workflow ref: e2e-migrate/test-credential-migration
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[github-actions]

E2E Advisor Recommendation

Required E2E: credential-migration-vitest, credential-migration-e2e
Optional E2E: onboard-negative-paths-vitest

Dispatch hint: credential-migration-vitest

Auto-dispatched E2E: credential-migration-e2e via nightly-e2e.yaml at 905b6c0721f5f46634e945a17ab5c57fa9ef0419 — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• credential-migration-vitest (high): Directly exercises the newly added workflow-dispatched Vitest credential migration job and the new live test covering credential migration into the OpenShell gateway and secure plaintext cleanup.
• credential-migration-e2e (high): Validates the modified nightly credential migration lane after conversion from the reusable shell E2E workflow to the direct Vitest job, including secrets/artifact wiring and Docker/OpenShell setup under the nightly workflow surface.

Optional E2E

• onboard-negative-paths-vitest (medium): Adjacent confidence for onboarding CLI failure-path behavior because the PR modifies free-standing Vitest job selector plumbing and adds another onboarding-related live job, but the changed credential migration path is covered by the required credential-migration jobs.

New E2E recommendations

• None.

Dispatch hint

• Workflow: .github/workflows/e2e-vitest-scenarios.yaml
• jobs input: credential-migration-vitest

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: e2e-scenarios-all
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

• gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref>

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• e2e-scenarios-all: The canonical Vitest scenario workflow changed, including selector validation, matrix/free-standing job behavior, a new credential-migration live Vitest job, and report-to-pr dependencies. Policy requires the full Vitest scenario fan-out for workflow changes rather than targeted dispatches.
  • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref>

Optional Vitest E2E scenarios

• None.

Relevant changed files

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/credential-migration.test.ts
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Replaces the legacy shell-based credential-migration E2E with a Vitest live scenario and adds/updates workflows, contract tests, validators, and a TypeScript workflow-job type extension.

Changes

Credential Migration E2E Vitest Migration

Layer / File(s)	Summary
Workflow contract type extension test/helpers/e2e-workflow-contract.ts	WorkflowJob type adds optional runs-on field to match workflow YAML job structure.
Add credential-migration Vitest job & boundary wiring .github/workflows/e2e-vitest-scenarios.yaml, tools/e2e-scenarios/workflow-boundary.mts, test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts	Adds credential-migration-vitest job, includes it in report-to-pr.needs, updates validate-jobs allowlist, and extends validator/tests to require selector and dependency wiring.
Nightly workflow credential-migration-e2e job .github/workflows/nightly-e2e.yaml, test/e2e-script-workflow.test.ts	Refactors credential-migration-e2e from reusable wrapper to inline steps: checkout, Docker Hub auth, Node setup, npm ci --ignore-scripts, npm run build:cli, run Vitest scenario, set env vars, 50-minute timeout, and upload Vitest artifacts with 14-day retention; updates nightly contract tests and allowlists.
Test constants, helpers, and setup test/e2e-scenario/live/credential-migration.test.ts	Adds repo/timeout/sandbox constants, deterministic sandbox name validation, command helpers, output normalization, and best-effort cleanup wrapper.
Host orchestration and cleanup test/e2e-scenario/live/credential-migration.test.ts	Ensures OpenShell is installed (installs via script if missing) and implements best-effort cleanup that destroys Nemoclaw state, deletes OpenShell sandbox, stops port forwarding, and destroys gateway.
Main onboarding and migration scenario test/e2e-scenario/live/credential-migration.test.ts	Seeds temporary HOME with legacy ~/.nemoclaw/credentials.json containing NVIDIA_API_KEY and tampered fields, runs nemoclaw.js onboard --non-interactive, asserts onboarding success, migration notice, and removal of plaintext file.
Gateway provider & credentials-list validation test/e2e-scenario/live/credential-migration.test.ts	Validates provider registration via OpenShell (asserts nvidia-prod present, excludes tampered keys) and asserts nemoclaw.js credentials list reports gateway-backed providers without recreating plaintext file.
Symlink secure deletion test test/e2e-scenario/live/credential-migration.test.ts	Creates a symlink at legacy credentials path to victim.txt, calls removeLegacyCredentialsFile(), and asserts symlink removal while preserving target file contents.
Scenario result artifact test/e2e-scenario/live/credential-migration.test.ts	Writes scenario-result.json capturing sandbox name, provider list, and boolean assertions for verification steps.

Sequence Diagram

sequenceDiagram
  participant GitHubActions
  participant Runner
  participant DockerHub
  participant NodeSetup
  participant Vitest
  participant NemoclawCLI
  participant OpenShell
  participant ArtifactUploader
  GitHubActions->>Runner: start credential-migration-vitest job / nightly job
  Runner->>DockerHub: attempt login (retry/fallback)
  Runner->>NodeSetup: setup Node 22, npm ci, build CLI
  Runner->>Vitest: run credential-migration.test.ts
  Vitest->>NemoclawCLI: write legacy credentials, run onboard
  NemoclawCLI->>OpenShell: register/read providers
  NemoclawCLI->>Vitest: remove legacy credentials file / test symlink unlink
  Vitest->>ArtifactUploader: upload e2e-artifacts/vitest/credential-migration/

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#5243: Shared free-standing job selector and gating plumbing relevant to Vitest workflow additions.
• NVIDIA/NemoClaw#5150: Adds another free-standing Vitest job and updates workflow-boundary expectations.
• NVIDIA/NemoClaw#5152: Similar Vitest workflow-boundary/contract validation extension for a free-standing job.

Suggested labels

area: e2e, area: ci, area: onboarding

Suggested reviewers

• cv
• prekshivyas

Poem

🐇 I hopped through jobs and nightly light,

Seeded keys and watched providers write.
Symlinks fell but data stayed,
Vitest sang where scripts once played,
A rabbit dances—migration bright!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective: migrating a credential migration E2E test from shell scripts to Vitest. It is concise, specific, and directly related to the primary change across the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch e2e-migrate/test-credential-migration

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27350040869
Target ref: 2d3e363131793b77c8246aa56538502f5881184d
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27350181215
Target ref: e2e-migrate/test-credential-migration
Workflow ref: e2e-migrate/test-credential-migration
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27350290064
Target ref: c8daffc329ca12978c37d659f3a6ce0ee5c921dc
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 2 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 2 still apply, 0 new items found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Source-of-truth review needed: tools/e2e-scenarios/workflow-boundary.mts credential-migration-vitest validation: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: tools/e2e-scenarios/workflow-boundary.mts adds credential-migration-vitest to ALLOWED_FREE_STANDING_JOBS and calls validateFreeStandingJobSelector(errors, jobs, "credential-migration-vitest") but does not inspect the job's steps, secrets, checkout settings, action pins, or artifact upload settings.
• Add full boundary validation for the new secret-bearing Vitest job (tools/e2e-scenarios/workflow-boundary.mts:1020): The new credential-migration-vitest workflow job receives DockerHub credentials and NVIDIA_API_KEY, but the workflow-boundary validator still only checks that the job is allowed, depends on validate-jobs, and uses the shared selector condition. The current YAML is mostly constrained, but without job-specific assertions future drift could move secrets to job env, expose GITHUB_TOKEN, broaden artifact collection, weaken action pinning or checkout credential settings, or interpolate workflow_dispatch inputs without a support-test failure. This also leaves the source-of-truth review for this localized workflow-boundary behavior incomplete.
  • Recommendation: Add a focused validateCredentialMigrationVitestJob path, or equivalent support-test assertions, covering pinned checkout/setup-node/upload-artifact actions, checkout persist-credentials: false, DockerHub credentials only on Authenticate to Docker Hub, npm ci --ignore-scripts, Build CLI, the exact test/e2e-scenario/live/credential-migration.test.ts invocation, NVIDIA_API_KEY only on the Vitest run step, no GITHUB_TOKEN, artifact path/name/include-hidden-files/retention settings, and no direct workflow_dispatch input interpolation in run scripts.
  • Evidence: .github/workflows/e2e-vitest-scenarios.yaml adds credential-migration-vitest with DockerHub auth and NVIDIA_API_KEY. tools/e2e-scenarios/workflow-boundary.mts adds credential-migration-vitest to ALLOWED_FREE_STANDING_JOBS and report-to-pr needs, then calls validateFreeStandingJobSelector(errors, jobs, "credential-migration-vitest") without inspecting the job's steps, secrets, action pins, checkout settings, or artifact upload settings.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — credential-migration-vitest keeps NVIDIA_API_KEY only on the Run credential migration live test step and never exposes GITHUB_TOKEN. The new live test provides meaningful runtime coverage for credential migration and preserves real CLI/OpenShell/filesystem boundaries. The remaining confidence gap is workflow-boundary validation for the new secret-bearing free-standing Vitest job.
• **Runtime validation** — credential-migration-vitest keeps DockerHub credentials only on Authenticate to Docker Hub. The new live test provides meaningful runtime coverage for credential migration and preserves real CLI/OpenShell/filesystem boundaries. The remaining confidence gap is workflow-boundary validation for the new secret-bearing free-standing Vitest job.
• **Runtime validation** — credential-migration-vitest pins checkout/setup-node/upload-artifact and sets checkout persist-credentials false. The new live test provides meaningful runtime coverage for credential migration and preserves real CLI/OpenShell/filesystem boundaries. The remaining confidence gap is workflow-boundary validation for the new secret-bearing free-standing Vitest job.
• **Runtime validation** — credential-migration-vitest runs npm ci --ignore-scripts, builds CLI, and invokes only test/e2e-scenario/live/credential-migration.test.ts. The new live test provides meaningful runtime coverage for credential migration and preserves real CLI/OpenShell/filesystem boundaries. The remaining confidence gap is workflow-boundary validation for the new secret-bearing free-standing Vitest job.
• **Runtime validation** — credential-migration-vitest artifact upload uses the stable credential-migration name/path, include-hidden-files=false, if-no-files-found=ignore, and retention-days=14. The new live test provides meaningful runtime coverage for credential migration and preserves real CLI/OpenShell/filesystem boundaries. The remaining confidence gap is workflow-boundary validation for the new secret-bearing free-standing Vitest job.
• **Acceptance clause:** No trusted linked-issue acceptance clauses were provided in deterministic context. — add test evidence or identify existing coverage. The deterministic linkedIssues array is empty. The PR body references Refs Epic: Migrate legacy bash E2E into the Vitest E2E system #5098, but no trusted issue Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 body or comments were supplied, so PR-body prose was treated as untrusted and not used as literal acceptance criteria.
• **tools/e2e-scenarios/workflow-boundary.mts credential-migration-vitest validation** — Missing: a validateCredentialMigrationVitestJob-style assertion path that fails if secrets, GITHUB_TOKEN, action pins, artifact paths/settings, install/build/run steps, or dispatch-input interpolation drift from the intended contract.. tools/e2e-scenarios/workflow-boundary.mts adds credential-migration-vitest to ALLOWED_FREE_STANDING_JOBS and calls validateFreeStandingJobSelector(errors, jobs, "credential-migration-vitest") but does not inspect the job's steps, secrets, checkout settings, action pins, or artifact upload settings.

Since last review details

Current findings:

• Source-of-truth review needed: tools/e2e-scenarios/workflow-boundary.mts credential-migration-vitest validation: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: tools/e2e-scenarios/workflow-boundary.mts adds credential-migration-vitest to ALLOWED_FREE_STANDING_JOBS and calls validateFreeStandingJobSelector(errors, jobs, "credential-migration-vitest") but does not inspect the job's steps, secrets, checkout settings, action pins, or artifact upload settings.
• Add full boundary validation for the new secret-bearing Vitest job (tools/e2e-scenarios/workflow-boundary.mts:1020): The new credential-migration-vitest workflow job receives DockerHub credentials and NVIDIA_API_KEY, but the workflow-boundary validator still only checks that the job is allowed, depends on validate-jobs, and uses the shared selector condition. The current YAML is mostly constrained, but without job-specific assertions future drift could move secrets to job env, expose GITHUB_TOKEN, broaden artifact collection, weaken action pinning or checkout credential settings, or interpolate workflow_dispatch inputs without a support-test failure. This also leaves the source-of-truth review for this localized workflow-boundary behavior incomplete.
  • Recommendation: Add a focused validateCredentialMigrationVitestJob path, or equivalent support-test assertions, covering pinned checkout/setup-node/upload-artifact actions, checkout persist-credentials: false, DockerHub credentials only on Authenticate to Docker Hub, npm ci --ignore-scripts, Build CLI, the exact test/e2e-scenario/live/credential-migration.test.ts invocation, NVIDIA_API_KEY only on the Vitest run step, no GITHUB_TOKEN, artifact path/name/include-hidden-files/retention settings, and no direct workflow_dispatch input interpolation in run scripts.
  • Evidence: .github/workflows/e2e-vitest-scenarios.yaml adds credential-migration-vitest with DockerHub auth and NVIDIA_API_KEY. tools/e2e-scenarios/workflow-boundary.mts adds credential-migration-vitest to ALLOWED_FREE_STANDING_JOBS and report-to-pr needs, then calls validateFreeStandingJobSelector(errors, jobs, "credential-migration-vitest") without inspecting the job's steps, secrets, action pins, checkout settings, or artifact upload settings.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27350987810
Target ref: af52c1068f81ab103197365d81e132977862daa6
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27350836737
Target ref: e2e-migrate/test-credential-migration
Workflow ref: e2e-migrate/test-credential-migration
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e-scenario/live/credential-migration.test.ts (1)

46-46: ⚡ Quick win

Prefer POSIX : for test PATH composition in this repo.

Use ":" instead of path.delimiter in this test helper to stay consistent with established test conventions across this suite.

♻️ Proposed change

-    PATH: [path.join(home, ".local", "bin"), base.PATH].filter(Boolean).join(path.delimiter),
+    PATH: [path.join(home, ".local", "bin"), base.PATH].filter(Boolean).join(":"),

Based on learnings: in this repo’s tests, PATH construction should use : (Linux CI convention), not path.delimiter.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/live/credential-migration.test.ts` at line 46, The test's
PATH construction uses path.delimiter when joining entries—replace the join
delimiter with the POSIX ":" literal so the PATH property is built as
[...].filter(Boolean).join(":"); update the expression that composes PATH (the
array containing path.join(home, ".local", "bin") and base.PATH) to use ":"
instead of path.delimiter to match the repo's POSIX test convention.

Source: Learnings

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e-scenario/live/credential-migration.test.ts`:
- Line 46: The test's PATH construction uses path.delimiter when joining
entries—replace the join delimiter with the POSIX ":" literal so the PATH
property is built as [...].filter(Boolean).join(":"); update the expression that
composes PATH (the array containing path.join(home, ".local", "bin") and
base.PATH) to use ":" instead of path.delimiter to match the repo's POSIX test
convention.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f9ad2087-7f09-4e12-ba4b-ef02888ee261

📥 Commits

Reviewing files that changed from the base of the PR and between 6622476 and af52c10.

📒 Files selected for processing (4)

• .github/workflows/nightly-e2e.yaml
• test/e2e-scenario/live/credential-migration.test.ts
• test/e2e-script-workflow.test.ts
• test/helpers/e2e-workflow-contract.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27351979452
Target ref: e2e-migrate/test-credential-migration
Workflow ref: e2e-migrate/test-credential-migration
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[jyaunches]

Temporarily closing to make room for the maintainer PR-limit exemption fix; will reopen after that lands.

[jyaunches]

Update: addressed the still-valid advisor/CodeRabbit items.

• Raised credential-migration-e2e workflow timeout to 50m so it exceeds the 45m Vitest budget and preserves cleanup/artifact finalization margin.
• Documented the trusted-code boundary for the direct Vitest job: target-ref code receives NVIDIA_API_KEY, checkout credentials stay disabled, no GITHUB_TOKEN is passed, and dispatch should remain maintainer/reviewed-ref only.
• Applied CodeRabbit nit: POSIX : PATH join in the live test helper.
• Re-ran same-runner proof on the updated head: credential-migration-e2e passed on ubuntu-latest: https://github.com/NVIDIA/NemoClaw/actions/runs/27351979452

Left unchanged intentionally: the compatible-endpoint COMPATIBLE_API_KEY route. It still proves the core legacy credential migration gate (KNOWN_CREDENTIAL_ENV_KEYS staging, real gateway provider upsert, post-success plaintext removal, credentials-list gateway source, symlink-safe unlink) while avoiding flaky external NVIDIA endpoint quota; the default NVIDIA_API_KEY path is covered at the unit/caller level by the existing credential staging/finalization tests.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27352148185
Target ref: a555cdc3e53f01f25c04687d7e1411ce8f737dc7
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27352857067
Target ref: a555cdc3e53f01f25c04687d7e1411ce8f737dc7
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/e2e-vitest-scenarios.yaml (1)

527-528: 💤 Low value

Consider accessing dispatch inputs via context object instead of template expansion.

The toJSON() wrapper provides JSON escaping that should prevent JavaScript injection, and workflow_dispatch is limited to users with write access, so actual risk is low. However, for defense-in-depth, you could access inputs from the context object instead:

-const prNumberInput = ${{ toJSON(inputs.pr_number) }} || '';
-const requestedScenarios = ${{ toJSON(inputs.scenarios) }} || '';
+const prNumberInput = context.payload.inputs?.pr_number || '';
+const requestedScenarios = context.payload.inputs?.scenarios || '';

This eliminates the template expansion entirely and avoids static analysis warnings.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-vitest-scenarios.yaml around lines 527 - 528, The
current workflow uses template expansion with toJSON(inputs.pr_number) and
toJSON(inputs.scenarios) to populate prNumberInput and requestedScenarios;
change these to read inputs from the context object at runtime instead (e.g.,
use the context.inputs/pr_number and context.inputs/scenarios equivalents) to
avoid template expansion and static-analysis warnings—update the assignments for
prNumberInput and requestedScenarios to pull from the GitHub Actions context
rather than using toJSON template expansion.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/e2e-vitest-scenarios.yaml:
- Around line 527-528: The current workflow uses template expansion with
toJSON(inputs.pr_number) and toJSON(inputs.scenarios) to populate prNumberInput
and requestedScenarios; change these to read inputs from the context object at
runtime instead (e.g., use the context.inputs/pr_number and
context.inputs/scenarios equivalents) to avoid template expansion and
static-analysis warnings—update the assignments for prNumberInput and
requestedScenarios to pull from the GitHub Actions context rather than using
toJSON template expansion.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f8ca3460-0888-455c-a3ce-977fe18be1e2

📥 Commits

Reviewing files that changed from the base of the PR and between af52c10 and 26c330a.

📒 Files selected for processing (5)

• .github/workflows/e2e-vitest-scenarios.yaml
• .github/workflows/nightly-e2e.yaml
• test/e2e-scenario/live/credential-migration.test.ts
• test/e2e-script-workflow.test.ts
• test/helpers/e2e-workflow-contract.ts

✅ Files skipped from review due to trivial changes (1)

• test/helpers/e2e-workflow-contract.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/workflows/nightly-e2e.yaml
• test/e2e-script-workflow.test.ts
• test/e2e-scenario/live/credential-migration.test.ts

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27354068402
Target ref: 26c330af0776ab42a6b07eaada1d269feeb5bb0e
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27353934442
Workflow ref: e2e-migrate/test-credential-migration
Requested scenarios: ubuntu-repo-cloud-openclaw
Summary: 4 passed, 2 failed, 1 skipped

Job	Result
credential-migration-vitest	✅ success
gateway-guard-recovery	❌ failure
generate-matrix	✅ success
live-scenarios	❌ failure
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	✅ success

Failed jobs: gateway-guard-recovery, live-scenarios. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27354389656
Target ref: e2e-migrate/test-credential-migration
Workflow ref: e2e-migrate/test-credential-migration
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27370155805
Target ref: e66f36aa7929cb34fbe6d16a38c0edc7ba7d91a0
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27370465224
Target ref: e66f36aa7929cb34fbe6d16a38c0edc7ba7d91a0
Workflow ref: e2e-migrate/test-credential-migration
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27370480288
Workflow ref: e2e-migrate/test-credential-migration
Requested scenarios: (default — all supported)
Requested jobs: (default — all free-standing when no scenarios are requested)
Summary: 5 passed, 3 failed, 0 skipped

Job	Result
credential-migration-vitest	✅ success
gateway-guard-recovery	❌ failure
generate-matrix	✅ success
live-scenarios	❌ failure
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	❌ failure
openshell-version-pin-vitest	✅ success
validate-jobs	✅ success

Failed jobs: gateway-guard-recovery, live-scenarios, openclaw-tui-chat-correlation-vitest. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27374864318
Target ref: ea028936c323734e50783c5018e25d3ec4bbf2fb
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27375068521
Workflow ref: e2e-migrate/test-credential-migration
Requested scenarios: (default — all supported)
Requested jobs: (default — all free-standing when no scenarios are requested)
Summary: 6 passed, 3 failed, 0 skipped

Job	Result
credential-migration-vitest	✅ success
gateway-guard-recovery	❌ failure
generate-matrix	✅ success
live-scenarios	❌ failure
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	❌ failure
openshell-version-pin-vitest	✅ success
token-rotation-vitest	✅ success
validate-jobs	✅ success

Failed jobs: gateway-guard-recovery, live-scenarios, openclaw-tui-chat-correlation-vitest. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27376415002
Target ref: 64e9d4eb7284f96dff9911df33227b7fe4b7d94e
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job	Result
credential-migration-e2e	❌ failure

Failed jobs: credential-migration-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27376759693
Target ref: e2e-migrate/test-credential-migration
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27376761867
Workflow ref: e2e-migrate/test-credential-migration
Requested scenarios: (default — all supported)
Requested jobs: (default — all free-standing when no scenarios are requested)
Summary: 7 passed, 3 failed, 0 skipped

Job	Result
credential-migration-vitest	✅ success
gateway-guard-recovery	❌ failure
generate-matrix	✅ success
live-scenarios	❌ failure
network-policy-vitest	✅ success
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	❌ failure
openshell-version-pin-vitest	✅ success
token-rotation-vitest	✅ success
validate-jobs	✅ success

Failed jobs: gateway-guard-recovery, live-scenarios, openclaw-tui-chat-correlation-vitest. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27378164078
Target ref: 905b6c0721f5f46634e945a17ab5c57fa9ef0419
Workflow ref: main
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27378533297
Target ref: e2e-migrate/test-credential-migration
Requested jobs: credential-migration-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job	Result
credential-migration-e2e	✅ success

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27378535332
Workflow ref: e2e-migrate/test-credential-migration
Requested scenarios: (default — all supported)
Requested jobs: (default — all free-standing when no scenarios are requested)
Summary: 8 passed, 3 failed, 0 skipped

Job	Result
credential-migration-vitest	✅ success
gateway-guard-recovery	❌ failure
generate-matrix	✅ success
hermes-e2e-vitest	✅ success
live-scenarios	❌ failure
network-policy-vitest	✅ success
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	❌ failure
openshell-version-pin-vitest	✅ success
token-rotation-vitest	✅ success
validate-jobs	✅ success

Failed jobs: gateway-guard-recovery, live-scenarios, openclaw-tui-chat-correlation-vitest. Check run artifacts for logs.