
fix(e2e): route nightly hosted inference as custom #5385

Merged
cv merged 6 commits into main from codex/fix-nightly-hosted-compatible
Jun 13, 2026

@cv cv commented Jun 13, 2026

Collaborator

Summary

Route nightly hosted inference through NemoClaw's custom provider path instead of treating NVIDIA_INFERENCE_API_KEY like a Build/NVIDIA provider credential. The reusable and direct nightly E2E jobs now derive COMPATIBLE_API_KEY only from the hosted source secret for https://inference-api.nvidia.com/v1.

Changes

  • Remove the reusable workflow's separate nvidia_secret_as_compatible_api_key compatibility input and make nvidia_api_key export the hosted custom endpoint environment.
  • Set direct nightly jobs that consume NVIDIA_INFERENCE_API_KEY to provider custom, endpoint https://inference-api.nvidia.com/v1, hosted Nemotron model, and derived COMPATIBLE_API_KEY.
  • Update the shared E2E inference helper and shell tests to expect the OpenShell route provider compatible-endpoint in hosted CI mode while preserving non-hosted Build-provider validation.
  • Update workflow contract tests to assert there is no standalone compatible source secret path and that direct hosted-secret jobs receive the full custom endpoint environment.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

  • Chores
    • Standardized CI to use hosted/custom OpenAI-compatible inference: updated workflow inputs, removed legacy gating, added validation and export of hosted inference flags (provider/endpoint/model/compat-model and COMPATIBLE_API_KEY), and staged hosted inference for non-interactive provider runs.
  • Tests
    • Updated E2E suites and assertions to expect hosted-custom routing, added guarded-secret and routing tests, and aligned many sandbox/integration flows to hosted inference.
  • Documentation
    • Updated usage/prerequisites and env-var docs to require a hosted inference API key and describe hosted inference behavior.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv self-assigned this Jun 13, 2026

coderabbitai Bot commented Jun 13, 2026

Contributor


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 82eee18f-e66c-41d6-bc18-5864f4612d52

📥 Commits

Reviewing files that changed from the base of the PR and between 240f8cd and 57cee8b.

📒 Files selected for processing (1)
  • test/e2e/test-issue-4434-tui-unreachable-inference.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/e2e/test-issue-4434-tui-unreachable-inference.sh

📝 Walkthrough


Routes CI and E2E inference to a hosted OpenAI-compatible endpoint: add hosted credential staging in onboarding, switch CI helper to hosted mode, update workflows to export guarded hosted env, modify many E2E scripts to source/configure the helper, and update tests to assert hosted env wiring.

Changes

Hosted Inference CI Infrastructure Migration

| Layer | File(s) | Summary |
| --- | --- | --- |
| Hosted inference staging & provider selection | src/lib/onboard/providers.ts, src/lib/onboard/providers.test.ts | Stage hosted inference source secret into runtime env for non-interactive onboarding; set NEMOCLAW_* endpoint/model/compat vars, export hosted constants, and add tests verifying staging and provider-selection behavior. |
| CI-compatible helper (hosted) | test/e2e/lib/ci-compatible-inference.sh | Switch helper gate to NEMOCLAW_E2E_USE_HOSTED_INFERENCE, require NVIDIA_INFERENCE_API_KEY for CI-compatible hosted mode, export COMPATIBLE_API_KEY from it, add expected-provider, ANSI-strip, and standardized PASS/FAIL note helpers. |
| Workflow inputs & nightly wiring | .github/workflows/e2e-script.yaml, .github/workflows/nightly-e2e.yaml | Update nvidia_api_key input description, replace legacy compatible-key export with an export gated by inputs.nvidia_api_key that validates and writes hosted-inference vars to $GITHUB_ENV, and conditionally inject NVIDIA_INFERENCE_API_KEY/COMPATIBLE_API_KEY across nightly jobs. |
| E2E bootstrap & prerequisites | test/e2e/*.sh (many scripts) | Update usage/prerequisite comments, source ci-compatible-inference.sh, call nemoclaw_e2e_configure_compatible_inference early, and replace inline nvapi-* checks with helper-driven hosted-key requirements and probes. |
| E2E runtime routing & assertions | test/e2e/*.sh, test/e2e-script-workflow.test.ts | Derive HOSTED_INFERENCE_* values from helpers, probe hosted endpoints, use hosted endpoint/model/key in direct and sandbox requests, and update contract tests to assert hosted env wiring for reusable and direct nightly jobs. |
| Onboard flow adaptation | test/e2e/test-onboard-*.sh, test/onboard-selection.test.ts | Introduce RESTORE_API_KEY handling, assemble ONBOARD_INFERENCE_ENV for hosted/custom routing, unset COMPATIBLE_API_KEY during resume commands, and validate provider-aware session/registry outputs. |
  • Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

area: e2e, area: onboarding, bug-fix

  • Suggested reviewers
    • jyaunches

"🐰 I hop with keys and tests in tow,
Workflows now tell secrets where to go,
Helpers stage, scripts probe, and tests agree,
Hosted endpoints hum — a unified spree,
Rabbit cheers for routed CI flow!"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 11.54% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: routing nightly hosted inference through the custom provider path instead of the NVIDIA provider path. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

github-code-quality Bot commented Jun 13, 2026


Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
| File | 57cee8b | +/- |
| --- | --- | --- |
| nemoclaw/src/se...cret-scanner.ts | 100% | |
| nemoclaw/src/commands/slash.ts | 100% | |
| nemoclaw/src/li...bprocess-env.ts | 100% | |
| nemoclaw/src/bl...eprint/state.ts | 98% | |
| nemoclaw/src/onboard/config.ts | 98% | |
| nemoclaw/src/bl...int/snapshot.ts | 97% | |
| nemoclaw/src/bl...print/runner.ts | 95% | |
| nemoclaw/src/co...ration-state.ts | 94% | |
| nemoclaw/src/bl...ate-networks.ts | 94% | |
| nemoclaw/src/index.ts | 94% | |

TypeScript / code-coverage/cli

The overall coverage in the branch is 44%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
| File | 57cee8b | +/- |
| --- | --- | --- |
| src/lib/state/o...oard-session.ts | 90% | |
| src/lib/inference/local.ts | 77% | |
| src/lib/sandbox/config.ts | 72% | |
| src/lib/inference/nim.ts | 72% | |
| src/lib/onboard/preflight.ts | 64% | |
| src/lib/state/sandbox.ts | 55% | |
| src/lib/onboard...er-gpu-patch.ts | 50% | |
| src/lib/actions...licy-channel.ts | 49% | |
| src/lib/policy/index.ts | 48% | |
| src/lib/onboard.ts | 17% | |

Updated June 13, 2026 17:31 UTC

github-actions Bot commented Jun 13, 2026

Contributor

E2E Advisor Recommendation

Required E2E: cloud-onboard-e2e, cloud-inference-e2e, hermes-e2e, openclaw-inference-switch-e2e, hermes-inference-switch-e2e, credential-migration-e2e, onboard-negative-paths-e2e
Optional E2E: onboard-repair-e2e, onboard-resume-e2e, cron-preflight-inference-local-e2e, issue-4434-tui-unreachable-inference-e2e, agent-turn-latency-e2e, sandbox-survival-e2e, launchable-smoke-e2e

Dispatch hint: cloud-onboard-e2e,cloud-inference-e2e,hermes-e2e,openclaw-inference-switch-e2e,hermes-inference-switch-e2e,credential-migration-e2e,onboard-negative-paths-e2e

Auto-dispatched E2E: cloud-onboard-e2e, cloud-inference-e2e, hermes-e2e, openclaw-inference-switch-e2e, hermes-inference-switch-e2e, credential-migration-e2e, onboard-negative-paths-e2e via nightly-e2e.yaml at 57cee8b6912aeeaf6ba33892d9b6df0327aa011f nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-onboard-e2e (high): Validates the primary install/onboard path with hosted CI inference and catches regressions in non-interactive provider selection and credential staging.
  • cloud-inference-e2e (medium): Directly validates live inference.local routing through the newly configured hosted OpenAI-compatible endpoint and model.
  • hermes-e2e (high): Ensures Hermes onboarding and live inference still work with the new hosted inference environment and provider defaults.
  • openclaw-inference-switch-e2e (medium): Covers OpenClaw runtime inference reconfiguration, provider route persistence, config updates, and live requests after the provider/endpoint changes.
  • hermes-inference-switch-e2e (medium): Covers the parallel Hermes inference-switch path, which is also touched by the hosted inference helper updates.
  • credential-migration-e2e (medium): Validates credential migration into the OpenShell gateway and secret handling while the PR changes hosted secret staging and COMPATIBLE_API_KEY mapping.
  • onboard-negative-paths-e2e (medium): Exercises non-interactive onboarding error paths and validation around provider/credential choices affected by providers.ts.

Optional E2E

  • onboard-repair-e2e (medium): Useful adjacent coverage for the staged hosted inference environment across interrupted/repair onboarding flows, but less central than first-pass onboard and live inference.
  • onboard-resume-e2e (medium): Checks resumed onboarding with the new hosted inference env, complementing onboard-repair-e2e.
  • cron-preflight-inference-local-e2e (medium): Provides confidence that the scheduled/preflight inference lane still receives and probes the hosted inference environment correctly.
  • issue-4434-tui-unreachable-inference-e2e (high): Relevant because the PR changes hosted inference env wiring for the unreachable-inference TUI scenario, but it is a specialized privileged/firewall proof.
  • agent-turn-latency-e2e (very high): End-to-end OpenClaw and Hermes live-turn timing would provide extra confidence in real assistant behavior with the hosted model, but it is expensive and performance-oriented.
  • sandbox-survival-e2e (medium): Adjacent coverage for inference after gateway restart with the new hosted inference environment.
  • launchable-smoke-e2e (medium): Useful smoke coverage for the community install path after workflow/env changes, but not the most direct validation of provider staging.

New E2E recommendations

  • CI workflow security boundary (high): This PR changes secret withholding for workflow_dispatch target_ref runs, but existing E2E jobs mostly validate successful secret-backed execution rather than proving that PR-head/target_ref dispatches cannot receive NVIDIA or Docker Hub secrets while still failing clearly.
    • Suggested test: Add a hermetic workflow-dispatch contract test that exercises a target_ref selective-dispatch dry run and asserts NVIDIA_INFERENCE_API_KEY, Docker Hub credentials, and messaging live secrets are withheld without leaking into untrusted checked-out code.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: cloud-onboard-e2e,cloud-inference-e2e,hermes-e2e,openclaw-inference-switch-e2e,hermes-inference-switch-e2e,credential-migration-e2e,onboard-negative-paths-e2e

github-actions Bot commented Jun 13, 2026

Contributor

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: ubuntu-repo-cloud-openclaw
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • ubuntu-repo-cloud-openclaw: The PR changes onboard provider selection and hosted inference credential staging. The live-supported Ubuntu cloud OpenClaw typed scenario is the smallest Vitest scenario that exercises repository checkout onboarding with NVIDIA_INFERENCE_API_KEY plus inference and credential validation through the shared provider path.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • src/lib/onboard/providers.ts
  • src/lib/onboard/providers.test.ts
  • test/onboard-selection.test.ts

@github-actions

This comment was marked as outdated.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
test/e2e/test-launchable-smoke.sh (1)

489-500: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Retry attempt uses a stale hardcoded model

Line 499 ignores the configured hosted model and reverts to a fixed model id. If the first attempt fails transiently, retries may hit the wrong model and fail for non-product reasons.

Suggested fix
-        -d '{\"model\":\"nvidia/nemotron-3-super-120b-a12b\",\"messages\":[{\"role\":\"user\",\"content\":\"Reply with exactly one word: PONG\"}],\"max_tokens\":100}'" \
+        -d '{\"model\":\"$HOSTED_INFERENCE_MODEL\",\"messages\":[{\"role\":\"user\",\"content\":\"Reply with exactly one word: PONG\"}],\"max_tokens\":100}'" \
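Review bot: On the `+` line, `$HOSTED_INFERENCE_MODEL` is expanded by the local shell inside the outer double-quoted command string and lands unescaped inside both the single-quoted `-d` argument and the JSON string, so a model value containing `'` or `"` would break the payload or the remote command. Validate the value against the characters a model id can contain before this call, or build the JSON body with a JSON encoder and pass it in already quoted. The prompt text that follows names `$HOSTED_MODEL` as an example while this line uses `$HOSTED_INFERENCE_MODEL`; use whichever variable the primary attempt in the script reads so both attempts send the same model.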
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/test-launchable-smoke.sh` around lines 489 - 500, The retry block in
the run_with_timeout call builds a curl -d JSON payload that hardcodes
"model":"nvidia/nemotron-3-super-120b-a12b" (inside the ssh/curl invocation);
replace that literal with the configured hosted-model variable used elsewhere in
the script (e.g. $HOSTED_MODEL or the script's model variable) so the retry uses
the same model as the primary attempt, preserving proper JSON quoting/escaping
when interpolating the shell variable into the -d argument; update the curl
payload in the run_with_timeout/ssh command to use the variable and ensure
quoting is safe for SSH/JSON.
🧹 Nitpick comments (1)
test/e2e-script-workflow.test.ts (1)

904-929: ⚡ Quick win

Broaden the direct-job hosted-inference contract table.

This only asserts five direct lanes, but the migration in .github/workflows/nightly-e2e.yaml also rewired other direct hosted-secret jobs like openclaw-tui-chat-correlation-e2e, sandbox-operations-e2e, onboard-repair-e2e, onboard-resume-e2e, onboard-negative-paths-e2e, and runtime-overrides-e2e. A drift in any of those env blocks would still leave this test green. Please either derive the cases from the workflow or enumerate the full direct-job set touched by this contract.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-script-workflow.test.ts` around lines 904 - 929, Test only asserts
five direct lanes (directJobSteps) but the workflow rewired additional direct
hosted-secret jobs; update the assertion set so the test covers all direct
hosted-secret jobs. Fix by either (A) expanding the directJobSteps array in
test/e2e-script-workflow.test.ts to include the full list of job names touched
by the migration (add openclaw-tui-chat-correlation-e2e, sandbox-operations-e2e,
onboard-repair-e2e, onboard-resume-e2e, onboard-negative-paths-e2e,
runtime-overrides-e2e in addition to the existing entries) and keep the same
stepName pairs, or (B) compute the cases from nightlyWorkflow by deriving job
entries from nightlyWorkflow.jobs (e.g., filter
Object.entries(nightlyWorkflow.jobs) for jobs whose steps contain the targeted
step name and env values like NEMOCLAW_E2E_USE_HOSTED_INFERENCE === "1" and
NEMOCLAW_PROVIDER === "custom"), then iterate that derived list instead of the
hardcoded directJobSteps; update references to directJobSteps and the loop
accordingly so the test will fail if any direct-hosted-secret job drifts.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/test-agent-turn-latency-e2e.sh`:
- Around line 585-586: The current invocation
"nemoclaw_e2e_configure_compatible_inference || finish" can hide setup failures
because finish() only causes a non-zero exit when FAIL>0; change the error
handling so a failed configuration causes a non-zero exit: either make finish()
always exit non-zero on immediate failure or replace the invocation with an
explicit failure path like calling finish and then exiting non-zero (for
example: nemoclaw_e2e_configure_compatible_inference || { finish; exit 1; }) so
that a failed nemoclaw_e2e_configure_compatible_inference is reported as a
failure instead of potentially returning success.

In `@test/e2e/test-onboard-negative-paths.sh`:
- Around line 82-91: The script currently derives EXPECTED_PROVIDER from the
hosted-inference helpers but then forces NEMOCLAW_PROVIDER=custom for the env
... node "bin/nemoclaw.js" onboard calls, which breaks non-hosted validation;
update those onboarding invocations to be mode-aware by removing the hardcoded
NEMOCLAW_PROVIDER=custom and instead pass NEMOCLAW_PROVIDER="$EXPECTED_PROVIDER"
(or only set NEMOCLAW_PROVIDER when unset) so the onboard runs follow the
EXPECTED_PROVIDER variable consistently; locate the env ... node "nemoclaw.js"
onboard invocations referenced in the comment and replace the forced custom
provider with the EXPECTED_PROVIDER (or a conditional that preserves existing
behavior if NEMOCLAW_PROVIDER is already set).
- Around line 308-313: Replace the plain non-empty check of RESTORE_API_KEY in
the if block with the mode-aware helper call by invoking the existing helper
function (nemoclaw_e2e_require_hosted_inference_key) instead of checking
RESTORE_API_KEY directly; ensure the helper's return/failure behavior is used
(call it and, on failure, call fail + print_summary + exit 1) and remove the
redundant pass "NVIDIA_INFERENCE_API_KEY is set" or adapt it to run only on
success of the helper so hosted CI remains permissive while local/live runs
still enforce the nvapi- key prefix.

In `@test/e2e/test-openclaw-skill-cli-e2e.sh`:
- Line 77: Call to the helper function
nemoclaw_e2e_configure_compatible_inference should fail the script when it
returns non-zero; update test/e2e/test-openclaw-skill-cli-e2e.sh (lines 77-77)
to append "|| exit 1" after the nemoclaw_e2e_configure_compatible_inference
invocation, and likewise update test/e2e/test-skill-agent-e2e.sh (lines 104-104)
to append "|| exit 1" after its nemoclaw_e2e_configure_compatible_inference call
so the script exits immediately on error.

---

Outside diff comments:
In `@test/e2e/test-launchable-smoke.sh`:
- Around line 489-500: The retry block in the run_with_timeout call builds a
curl -d JSON payload that hardcodes "model":"nvidia/nemotron-3-super-120b-a12b"
(inside the ssh/curl invocation); replace that literal with the configured
hosted-model variable used elsewhere in the script (e.g. $HOSTED_MODEL or the
script's model variable) so the retry uses the same model as the primary
attempt, preserving proper JSON quoting/escaping when interpolating the shell
variable into the -d argument; update the curl payload in the
run_with_timeout/ssh command to use the variable and ensure quoting is safe for
SSH/JSON.

---

Nitpick comments:
In `@test/e2e-script-workflow.test.ts`:
- Around line 904-929: Test only asserts five direct lanes (directJobSteps) but
the workflow rewired additional direct hosted-secret jobs; update the assertion
set so the test covers all direct hosted-secret jobs. Fix by either (A)
expanding the directJobSteps array in test/e2e-script-workflow.test.ts to
include the full list of job names touched by the migration (add
openclaw-tui-chat-correlation-e2e, sandbox-operations-e2e, onboard-repair-e2e,
onboard-resume-e2e, onboard-negative-paths-e2e, runtime-overrides-e2e in
addition to the existing entries) and keep the same stepName pairs, or (B)
compute the cases from nightlyWorkflow by deriving job entries from
nightlyWorkflow.jobs (e.g., filter Object.entries(nightlyWorkflow.jobs) for jobs
whose steps contain the targeted step name and env values like
NEMOCLAW_E2E_USE_HOSTED_INFERENCE === "1" and NEMOCLAW_PROVIDER === "custom"),
then iterate that derived list instead of the hardcoded directJobSteps; update
references to directJobSteps and the loop accordingly so the test will fail if
any direct-hosted-secret job drifts.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 27a452b9-2527-4e87-b24c-5f51eb036195

📥 Commits

Reviewing files that changed from the base of the PR and between 39fd60a and b72de15.

📒 Files selected for processing (22)
  • .github/workflows/e2e-script.yaml
  • .github/workflows/nightly-e2e.yaml
  • test/e2e-script-workflow.test.ts
  • test/e2e/lib/ci-compatible-inference.sh
  • test/e2e/test-agent-turn-latency-e2e.sh
  • test/e2e/test-common-egress-agent-e2e.sh
  • test/e2e/test-cron-preflight-inference-local-e2e.sh
  • test/e2e/test-hermes-discord-e2e.sh
  • test/e2e/test-hermes-e2e.sh
  • test/e2e/test-hermes-inference-switch.sh
  • test/e2e/test-hermes-slack-e2e.sh
  • test/e2e/test-issue-4434-tui-unreachable-inference.sh
  • test/e2e/test-launchable-smoke.sh
  • test/e2e/test-onboard-negative-paths.sh
  • test/e2e/test-onboard-repair.sh
  • test/e2e/test-onboard-resume.sh
  • test/e2e/test-openclaw-inference-switch.sh
  • test/e2e/test-openclaw-skill-cli-e2e.sh
  • test/e2e/test-overlayfs-autofix.sh
  • test/e2e/test-sandbox-survival.sh
  • test/e2e/test-shields-config.sh
  • test/e2e/test-skill-agent-e2e.sh

Comment thread test/e2e/test-agent-turn-latency-e2e.sh Outdated
Comment thread test/e2e/test-onboard-negative-paths.sh
Comment thread test/e2e/test-onboard-negative-paths.sh Outdated
Comment thread test/e2e/test-openclaw-skill-cli-e2e.sh Outdated

github-actions Bot commented Jun 13, 2026

Contributor

PR Review Advisor

Findings: 1 needs attention, 7 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 4 still apply, 2 new items found

Review findings

🛠️ Needs attention

  • Hosted source secret staging preserves non-hosted endpoints (src/lib/onboard/providers.ts:247): The hosted inference staging helper copies NVIDIA_INFERENCE_API_KEY into COMPATIBLE_API_KEY but keeps any existing NEMOCLAW_ENDPOINT_URL instead of enforcing https://inference-api.nvidia.com/v1. That weakens the stated invariant that the hosted source secret is derived only for the hosted endpoint and can pair the repo/source credential with a stale or caller-controlled custom endpoint. The E2E shell helper has the same shape by defaulting with ${NEMOCLAW_ENDPOINT_URL:-https://inference-api.nvidia.com/v1}.
    • Recommendation: When staging NVIDIA_INFERENCE_API_KEY as the hosted CI/custom credential, either force NEMOCLAW_ENDPOINT_URL to HOSTED_INFERENCE_ENDPOINT_URL or reject any preexisting endpoint that is not exactly the hosted endpoint. Add a negative test for source secret plus non-hosted endpoint in both the TypeScript helper and shell helper behavior.
    • Evidence: stageHostedInferenceSourceSecretEnv() assigns process.env.NEMOCLAW_ENDPOINT_URL = (process.env.NEMOCLAW_ENDPOINT_URL || '').trim() || HOSTED_INFERENCE_ENDPOINT_URL before assigning process.env[HOSTED_INFERENCE_CREDENTIAL_ENV] = sourceKey. test/e2e/lib/ci-compatible-inference.sh similarly exports NEMOCLAW_ENDPOINT_URL="${NEMOCLAW_ENDPOINT_URL:-https://inference-api.nvidia.com/v1}".

🔎 Worth checking

  • Source-of-truth review needed: src/lib/onboard/providers.ts stageHostedInferenceSourceSecretEnv(): The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: stageHostedInferenceSourceSecretEnv() mutates process.env, preserves an existing NEMOCLAW_ENDPOINT_URL, sets NEMOCLAW_PROVIDER custom only when no provider is present, and aliases NVIDIA_INFERENCE_API_KEY into COMPATIBLE_API_KEY.
  • Source-of-truth review needed: test/e2e/lib/ci-compatible-inference.sh hosted inference shim: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: nemoclaw_e2e_configure_compatible_inference exports NEMOCLAW_ENDPOINT_URL="${NEMOCLAW_ENDPOINT_URL:-https://inference-api.nvidia.com/v1}" and COMPATIBLE_API_KEY="$NVIDIA_INFERENCE_API_KEY".
  • Source-of-truth review needed: ci/env-var-doc-allowlist.json NEMOCLAW_CLOUD_EXPERIMENTAL_MODEL: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: The allowlist reason says: "Legacy E2E-only model override used by cloud and hosted-inference live test scripts. Not a supported production configuration knob."
  • Arbitrary hosted secret values need exact-value redaction coverage (src/lib/onboard/providers.ts:257): This PR intentionally supports non-nvapi NVIDIA_INFERENCE_API_KEY values and aliases them into COMPATIBLE_API_KEY. The shared redaction patterns cover known token prefixes and context-anchored values such as KEY=..., but they do not prove masking for an arbitrary hosted secret shape if it appears as standalone text in logs or uploaded artifacts.
    • Recommendation: Add exact-value redaction and artifact-sanitization assertions for a non-nvapi hosted secret value exposed as both NVIDIA_INFERENCE_API_KEY and COMPATIBLE_API_KEY. Ensure the derived alias is included wherever failure artifacts or logs are sanitized.
    • Evidence: stageHostedInferenceSourceSecretEnv() assigns process.env[HOSTED_INFERENCE_CREDENTIAL_ENV] = sourceKey. src/lib/security/secret-patterns.ts redacts nvapi-/known prefixes and context-anchored values, but not arbitrary standalone hosted secret text.
  • Legacy hosted model override lacks migration or removal guard (ci/env-var-doc-allowlist.json:56): NEMOCLAW_CLOUD_EXPERIMENTAL_MODEL is added as a legacy E2E-only model override, but the change does not identify why the legacy source cannot be removed in this PR, what test prevents further dependence on it, or when it can be deleted.
    • Recommendation: Document the source boundary and removal condition for NEMOCLAW_CLOUD_EXPERIMENTAL_MODEL, or migrate the changed hosted-inference scripts to the canonical model variable and remove the legacy allowlist entry. Add a regression test that prevents new production use of this E2E-only knob.
    • Evidence: ci/env-var-doc-allowlist.json adds reason: "Legacy E2E-only model override used by cloud and hosted-inference live test scripts. Not a supported production configuration knob."
  • Unchecked provider monolith grew in a security-sensitive path (src/lib/onboard/providers.ts:1): The provider onboarding module is already under // @ts-nocheck and this PR adds hosted secret staging behavior to the same monolithic file. The drift signal shows providers.ts grew by 55 lines and providers.test.ts by 100 lines, increasing the amount of unchecked credential-routing logic in a high-risk area.
    • Recommendation: Consider extracting the hosted inference staging logic into a small typed helper with focused tests, or otherwise offset the monolith growth while preserving the new workflow contract coverage.
    • Evidence: src/lib/onboard/providers.ts begins with // @ts-nocheck and adds HOSTED_INFERENCE_* constants plus stageHostedInferenceSourceSecretEnv(). Drift data reported +55 lines in providers.ts and +100 lines in providers.test.ts.
  • Coordinate with overlapping inference wiring PR: This PR changes the same hosted/NVIDIA inference credential wiring surfaces as open PR fix: restore NVIDIA_API_KEY inference wiring #5390, which appears to be a revert restoring NVIDIA_API_KEY inference wiring. That overlap can cause contradictory follow-up work if both branches proceed independently.
    • Recommendation: Before landing this direction, reconcile it with the overlapping revert work so the final credential naming, endpoint routing, and workflow contract remain consistent.
    • Evidence: Drift context reports open PR fix: restore NVIDIA_API_KEY inference wiring #5390 overlaps nearly all changed files, including .github/workflows/e2e-script.yaml, .github/workflows/nightly-e2e.yaml, src/lib/onboard/providers.ts, provider tests, and the E2E shell scripts.

🌱 Nice ideas

  • None.
Consider writing more tests for
  • **Runtime validation** — stageHostedInferenceSourceSecretEnv rejects or overwrites a non-hosted NEMOCLAW_ENDPOINT_URL when staging NVIDIA_INFERENCE_API_KEY as hosted inference. The changed behavior crosses GitHub workflow expression gating, secret withholding for target_ref dispatches, process environment staging, OpenShell provider routing, shell helpers, and artifact/log sanitization. Unit and workflow contract tests improve confidence but do not cover all runtime boundaries.
  • **Runtime validation** — ci-compatible-inference.sh hosted mode rejects or overwrites a preexisting non-hosted endpoint before probing with NVIDIA_INFERENCE_API_KEY. The changed behavior crosses GitHub workflow expression gating, secret withholding for target_ref dispatches, process environment staging, OpenShell provider routing, shell helpers, and artifact/log sanitization. Unit and workflow contract tests improve confidence but do not cover all runtime boundaries.
  • **Runtime validation** — Shared redactors and failure artifact sanitizers hide an arbitrary non-nvapi hosted secret when exposed as both NVIDIA_INFERENCE_API_KEY and COMPATIBLE_API_KEY. The changed behavior crosses GitHub workflow expression gating, secret withholding for target_ref dispatches, process environment staging, OpenShell provider routing, shell helpers, and artifact/log sanitization. Unit and workflow contract tests improve confidence but do not cover all runtime boundaries.
  • **Runtime validation** — workflow_dispatch with target_ref passes empty hosted, Docker, and messaging secrets and aborts before a target script can receive a live hosted inference credential. The changed behavior crosses GitHub workflow expression gating, secret withholding for target_ref dispatches, process environment staging, OpenShell provider routing, shell helpers, and artifact/log sanitization. Unit and workflow contract tests improve confidence but do not cover all runtime boundaries.
  • **Runtime validation** — Every direct nightly step referencing the hosted inference secret sets NEMOCLAW_E2E_USE_HOSTED_INFERENCE=1, custom provider, hosted endpoint, hosted model, and derived COMPATIBLE_API_KEY. The changed behavior crosses GitHub workflow expression gating, secret withholding for target_ref dispatches, process environment staging, OpenShell provider routing, shell helpers, and artifact/log sanitization. Unit and workflow contract tests improve confidence but do not cover all runtime boundaries.
  • **Acceptance clause:** Route nightly hosted inference through NemoClaw's custom provider path instead of treating `NVIDIA_INFERENCE_API_KEY` like a Build/NVIDIA provider credential. — add test evidence or identify existing coverage. Reusable and direct workflow envs set NEMOCLAW_PROVIDER=custom and hosted endpoint/model values, and workflow contract tests assert this. The TypeScript and shell staging helpers still preserve a preexisting endpoint while deriving COMPATIBLE_API_KEY from NVIDIA_INFERENCE_API_KEY.
  • **Acceptance clause:** The reusable and direct nightly E2E jobs now derive `COMPATIBLE_API_KEY` only from the hosted source secret for `https://inference-api.nvidia.com/v1`. — add test evidence or identify existing coverage. Workflow wiring derives COMPATIBLE_API_KEY from the guarded hosted source secret and pins the endpoint in those steps. However, stageHostedInferenceSourceSecretEnv() and ci-compatible-inference.sh preserve an existing NEMOCLAW_ENDPOINT_URL, so the invariant is not enforced in the helper paths.
  • **src/lib/onboard/providers.ts stageHostedInferenceSourceSecretEnv()** — Positive staging tests exist, but there is no negative test for NVIDIA_INFERENCE_API_KEY plus a non-hosted preexisting NEMOCLAW_ENDPOINT_URL, and no exact-value leak test for the derived COMPATIBLE_API_KEY alias. stageHostedInferenceSourceSecretEnv() mutates process.env, preserves an existing NEMOCLAW_ENDPOINT_URL, sets NEMOCLAW_PROVIDER custom only when no provider is present, and aliases NVIDIA_INFERENCE_API_KEY into COMPATIBLE_API_KEY.
Since last review details

Current findings:

  • Source-of-truth review needed: src/lib/onboard/providers.ts stageHostedInferenceSourceSecretEnv(): The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: stageHostedInferenceSourceSecretEnv() mutates process.env, preserves an existing NEMOCLAW_ENDPOINT_URL, sets NEMOCLAW_PROVIDER custom only when no provider is present, and aliases NVIDIA_INFERENCE_API_KEY into COMPATIBLE_API_KEY.
  • Source-of-truth review needed: test/e2e/lib/ci-compatible-inference.sh hosted inference shim: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: nemoclaw_e2e_configure_compatible_inference exports NEMOCLAW_ENDPOINT_URL="${NEMOCLAW_ENDPOINT_URL:-https://inference-api.nvidia.com/v1}" and COMPATIBLE_API_KEY="$NVIDIA_INFERENCE_API_KEY".
  • Source-of-truth review needed: ci/env-var-doc-allowlist.json NEMOCLAW_CLOUD_EXPERIMENTAL_MODEL: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: The allowlist reason says: "Legacy E2E-only model override used by cloud and hosted-inference live test scripts. Not a supported production configuration knob."
  • Hosted source secret staging preserves non-hosted endpoints (src/lib/onboard/providers.ts:247): The hosted inference staging helper copies NVIDIA_INFERENCE_API_KEY into COMPATIBLE_API_KEY but keeps any existing NEMOCLAW_ENDPOINT_URL instead of enforcing https://inference-api.nvidia.com/v1. That weakens the stated invariant that the hosted source secret is derived only for the hosted endpoint and can pair the repo/source credential with a stale or caller-controlled custom endpoint. The E2E shell helper has the same shape by defaulting with ${NEMOCLAW_ENDPOINT_URL:-https://inference-api.nvidia.com/v1}.
    • Recommendation: When staging NVIDIA_INFERENCE_API_KEY as the hosted CI/custom credential, either force NEMOCLAW_ENDPOINT_URL to HOSTED_INFERENCE_ENDPOINT_URL or reject any preexisting endpoint that is not exactly the hosted endpoint. Add a negative test for source secret plus non-hosted endpoint in both the TypeScript helper and shell helper behavior.
    • Evidence: stageHostedInferenceSourceSecretEnv() assigns process.env.NEMOCLAW_ENDPOINT_URL = (process.env.NEMOCLAW_ENDPOINT_URL || '').trim() || HOSTED_INFERENCE_ENDPOINT_URL before assigning process.env[HOSTED_INFERENCE_CREDENTIAL_ENV] = sourceKey. test/e2e/lib/ci-compatible-inference.sh similarly exports NEMOCLAW_ENDPOINT_URL="${NEMOCLAW_ENDPOINT_URL:-https://inference-api.nvidia.com/v1}".
  • Arbitrary hosted secret values need exact-value redaction coverage (src/lib/onboard/providers.ts:257): This PR intentionally supports non-nvapi NVIDIA_INFERENCE_API_KEY values and aliases them into COMPATIBLE_API_KEY. The shared redaction patterns cover known token prefixes and context-anchored values such as KEY=..., but they do not prove masking for an arbitrary hosted secret shape if it appears as standalone text in logs or uploaded artifacts.
    • Recommendation: Add exact-value redaction and artifact-sanitization assertions for a non-nvapi hosted secret value exposed as both NVIDIA_INFERENCE_API_KEY and COMPATIBLE_API_KEY. Ensure the derived alias is included wherever failure artifacts or logs are sanitized.
    • Evidence: stageHostedInferenceSourceSecretEnv() assigns process.env[HOSTED_INFERENCE_CREDENTIAL_ENV] = sourceKey. src/lib/security/secret-patterns.ts redacts nvapi-/known prefixes and context-anchored values, but not arbitrary standalone hosted secret text.
  • Legacy hosted model override lacks migration or removal guard (ci/env-var-doc-allowlist.json:56): NEMOCLAW_CLOUD_EXPERIMENTAL_MODEL is added as a legacy E2E-only model override, but the change does not identify why the legacy source cannot be removed in this PR, what test prevents further dependence on it, or when it can be deleted.
    • Recommendation: Document the source boundary and removal condition for NEMOCLAW_CLOUD_EXPERIMENTAL_MODEL, or migrate the changed hosted-inference scripts to the canonical model variable and remove the legacy allowlist entry. Add a regression test that prevents new production use of this E2E-only knob.
    • Evidence: ci/env-var-doc-allowlist.json adds reason: "Legacy E2E-only model override used by cloud and hosted-inference live test scripts. Not a supported production configuration knob."
  • Unchecked provider monolith grew in a security-sensitive path (src/lib/onboard/providers.ts:1): The provider onboarding module is already under // @ts-nocheck and this PR adds hosted secret staging behavior to the same monolithic file. The drift signal shows providers.ts grew by 55 lines and providers.test.ts by 100 lines, increasing the amount of unchecked credential-routing logic in a high-risk area.
    • Recommendation: Consider extracting the hosted inference staging logic into a small typed helper with focused tests, or otherwise offset the monolith growth while preserving the new workflow contract coverage.
    • Evidence: src/lib/onboard/providers.ts begins with // @ts-nocheck and adds HOSTED_INFERENCE_* constants plus stageHostedInferenceSourceSecretEnv(). Drift data reported +55 lines in providers.ts and +100 lines in providers.test.ts.
  • Coordinate with overlapping inference wiring PR: This PR changes the same hosted/NVIDIA inference credential wiring surfaces as open PR fix: restore NVIDIA_API_KEY inference wiring #5390, which appears to be a revert restoring NVIDIA_API_KEY inference wiring. That overlap can cause contradictory follow-up work if both branches proceed independently.
    • Recommendation: Before landing this direction, reconcile it with the overlapping revert work so the final credential naming, endpoint routing, and workflow contract remain consistent.
    • Evidence: Drift context reports open PR fix: restore NVIDIA_API_KEY inference wiring #5390 overlaps nearly all changed files, including .github/workflows/e2e-script.yaml, .github/workflows/nightly-e2e.yaml, src/lib/onboard/providers.ts, provider tests, and the E2E shell scripts.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.
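
The endpoint-pinning and exact-value redaction recommendations from the advisory review above, as an added example that is not part of this PR or the project's code. The constant names follow the review text; `stagePermissive`, `stageStrict`, `buildExactValueRedactor`, the minimum secret length, the sample secret and the proxy URL used to exercise it are assumptions, and the functions take and return a plain env object instead of mutating `process.env`.

```javascript
// Added example: constant names follow the review text; the logic is a
// stand-alone sketch, not the project's providers.ts.
const HOSTED_INFERENCE_ENDPOINT_URL = "https://inference-api.nvidia.com/v1";
const HOSTED_INFERENCE_SOURCE_ENV = "NVIDIA_INFERENCE_API_KEY";
const HOSTED_INFERENCE_CREDENTIAL_ENV = "COMPATIBLE_API_KEY";

// Shape described in the finding: a preexisting NEMOCLAW_ENDPOINT_URL wins,
// so the source secret is aliased next to whatever endpoint is already set.
function stagePermissive(env) {
  const sourceKey = (env[HOSTED_INFERENCE_SOURCE_ENV] || "").trim();
  if (!sourceKey) return { staged: false, env };
  const endpoint =
    (env.NEMOCLAW_ENDPOINT_URL || "").trim() || HOSTED_INFERENCE_ENDPOINT_URL;
  return {
    staged: true,
    env: {
      ...env,
      NEMOCLAW_ENDPOINT_URL: endpoint,
      [HOSTED_INFERENCE_CREDENTIAL_ENV]: sourceKey,
    },
  };
}

// Fail-closed variant of the recommendation: any preexisting endpoint that is
// not exactly the hosted endpoint aborts staging before the alias is created.
function stageStrict(env) {
  const sourceKey = (env[HOSTED_INFERENCE_SOURCE_ENV] || "").trim();
  if (!sourceKey) return { staged: false, env };
  const existing = (env.NEMOCLAW_ENDPOINT_URL || "").trim();
  if (existing && existing !== HOSTED_INFERENCE_ENDPOINT_URL) {
    // The message names the variables, never the secret value.
    throw new Error(
      "NEMOCLAW_ENDPOINT_URL is not the hosted endpoint; refusing to stage " +
        HOSTED_INFERENCE_SOURCE_ENV
    );
  }
  return {
    staged: true,
    env: {
      ...env,
      NEMOCLAW_ENDPOINT_URL: HOSTED_INFERENCE_ENDPOINT_URL,
      [HOSTED_INFERENCE_CREDENTIAL_ENV]: sourceKey,
    },
  };
}

// Exact-value redaction: mask the literal secret wherever it appears, with no
// reliance on a known prefix or a KEY=... context. Very short values are
// skipped (assumed threshold) so ordinary words are not masked by accident.
const MIN_SECRET_LENGTH = 8;

function buildExactValueRedactor(env, names) {
  const values = [...new Set(names.map((n) => (env[n] || "").trim()))]
    .filter((v) => v.length >= MIN_SECRET_LENGTH)
    .sort((a, b) => b.length - a.length); // longest first for overlapping values
  // split/join replaces every occurrence without regex escaping concerns.
  return (text) =>
    values.reduce((out, v) => out.split(v).join("[REDACTED]"), text);
}

// Constructed sample: a non-nvapi secret shape and a standalone log line.
const SAMPLE_SECRET = "hosted_9f3c1a7e5b2d";

function demo() {
  const { env } = stageStrict({ [HOSTED_INFERENCE_SOURCE_ENV]: SAMPLE_SECRET });
  const redact = buildExactValueRedactor(env, [
    HOSTED_INFERENCE_SOURCE_ENV,
    HOSTED_INFERENCE_CREDENTIAL_ENV,
  ]);
  const line = `probe failed: 401 for bearer ${SAMPLE_SECRET} at ${env.NEMOCLAW_ENDPOINT_URL}`;
  return redact(line);
}

console.log(demo());
```
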

Signed-off-by: Carlos Villela <cvillela@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
src/lib/onboard/providers.test.ts (1)

293-324: ⚡ Quick win

Add coverage for the hosted-routing branches nightly CI actually uses.

These tests only lock down the auto-detect path (unset provider + non-nvapi- key) and the explicit cloud bypass. The new helper still has separate branches for NEMOCLAW_PROVIDER=custom and NEMOCLAW_E2E_USE_HOSTED_INFERENCE=1, and either can regress the hosted CI wiring without this file failing.

Suggested additions
+  it("stages hosted inference when the provider is explicitly custom", () => {
+    withProviderEnv(
+      {
+        NVIDIA_INFERENCE_API_KEY: "repo-hosted-key",
+        NEMOCLAW_PROVIDER: "custom",
+      },
+      () => {
+        expect(stageHostedInferenceSourceSecretEnv()).toBe(true);
+        expect(process.env.NEMOCLAW_PROVIDER).toBe("custom");
+        expect(process.env.NEMOCLAW_ENDPOINT_URL).toBe(HOSTED_INFERENCE_ENDPOINT_URL);
+        expect(process.env.COMPATIBLE_API_KEY).toBe("repo-hosted-key");
+      },
+    );
+  });
+
+  it("stages hosted inference when the hosted flag is enabled for an nvapi key", () => {
+    withProviderEnv(
+      {
+        NVIDIA_INFERENCE_API_KEY: "nvapi-test-key",
+        NEMOCLAW_E2E_USE_HOSTED_INFERENCE: "1",
+      },
+      () => {
+        expect(stageHostedInferenceSourceSecretEnv()).toBe(true);
+        expect(getRequestedProviderHint(true)).toBe("custom");
+        expect(process.env.COMPATIBLE_API_KEY).toBe("nvapi-test-key");
+      },
+    );
+  });
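Review bot: neither added case seeds a preexisting NEMOCLAW_ENDPOINT_URL, so the toBe(HOSTED_INFERENCE_ENDPOINT_URL) assertion in the first case only exercises the default branch, and the hosted-flag case does not assert the endpoint at all. Add a case that passes NVIDIA_INFERENCE_API_KEY together with a non-hosted NEMOCLAW_ENDPOINT_URL and asserts the helper's intended outcome, and assert the endpoint in the second case too, so the tests pin which URL the staged COMPATIBLE_API_KEY ends up paired with.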
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/providers.test.ts` around lines 293 - 324, The test file
currently only covers the auto-detect path and the explicit cloud bypass; add
additional test cases to exercise the other hosted-routing branches so CI won't
miss regressions: add one test that sets NEMOCLAW_PROVIDER="custom" with a
non-nvapi NVIDIA_INFERENCE_API_KEY and asserts
stageHostedInferenceSourceSecretEnv() returns true,
getRequestedProviderHint(true) returns "custom", and
process.env.COMPATIBLE_API_KEY/ NEMOCLAW_* vars are set to the hosted values
(mirror the first test but with NEMOCLAW_PROVIDER preset), and add another test
that sets NEMOCLAW_E2E_USE_HOSTED_INFERENCE="1" (with/without
NVIDIA_INFERENCE_API_KEY as appropriate) and asserts the same hosted-routing
outcomes; reference the helper functions stageHostedInferenceSourceSecretEnv,
getRequestedProviderHint, getRequestedModelHint and constants
HOSTED_INFERENCE_MODEL/HOSTED_INFERENCE_ENDPOINT_URL to implement the assertions
exactly as in the existing tests.
src/lib/onboard/providers.ts (1)

221-231: ⚡ Quick win

Deduplicate provider alias normalization before it drifts.

stageHostedInferenceSourceSecretEnv() now carries a second alias table alongside getNonInteractiveProvider(). If one map changes without the other, hosted staging and final provider resolution can disagree for the same NEMOCLAW_PROVIDER value. Extract a shared normalizer and reuse it in both places.

Possible cleanup
+function normalizeNonInteractiveProviderKey(providerKey) {
+  const rawProvider = (providerKey || "").trim().toLowerCase();
+  const aliases = {
+    cloud: "build",
+    anthropiccompatible: "anthropicCompatible",
+    hermes: "hermesProvider",
+    "hermes-provider": "hermesProvider",
+    hermesprovider: "hermesProvider",
+    nous: "hermesProvider",
+    "nous-portal": "hermesProvider",
+  };
+  return aliases[rawProvider] || rawProvider;
+}
+
 function getNonInteractiveProvider() {
   stageHostedInferenceSourceSecretEnv();
-  const providerKey = (process.env.NEMOCLAW_PROVIDER || "").trim().toLowerCase();
+  const providerKey = normalizeNonInteractiveProviderKey(process.env.NEMOCLAW_PROVIDER);
   if (!providerKey) return null;
-  const aliases = {
-    cloud: "build",
-    nim: "nim-local",
-    vllm: "vllm",
-    anthropiccompatible: "anthropicCompatible",
-    hermes: "hermesProvider",
-    "hermes-provider": "hermesProvider",
-    hermesprovider: "hermesProvider",
-    nous: "hermesProvider",
-    "nous-portal": "hermesProvider",
-  };
-  const normalized = aliases[providerKey] || providerKey;
+  const normalized = providerKey;
   // ...
 }
 
 function stageHostedInferenceSourceSecretEnv() {
   const sourceKey = normalizeCredentialValue(process.env[HOSTED_INFERENCE_SOURCE_ENV] ?? "");
   if (!sourceKey) return false;
-
-  const rawProvider = (process.env.NEMOCLAW_PROVIDER || "").trim().toLowerCase();
-  const aliases = {
-    cloud: "build",
-    anthropiccompatible: "anthropicCompatible",
-    hermes: "hermesProvider",
-    "hermes-provider": "hermesProvider",
-    hermesprovider: "hermesProvider",
-    nous: "hermesProvider",
-    "nous-portal": "hermesProvider",
-  };
-  const normalizedProvider = aliases[rawProvider] || rawProvider;
+  const normalizedProvider = normalizeNonInteractiveProviderKey(process.env.NEMOCLAW_PROVIDER);
   // ...
 }
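Review bot: the alias table in the new normalizeNonInteractiveProviderKey() omits the nim: "nim-local" and vllm: "vllm" entries that the removed map in getNonInteractiveProvider() carried, so NEMOCLAW_PROVIDER=nim would reach the rest of getNonInteractiveProvider() as "nim" instead of "nim-local". Move the union of both maps into the shared helper (the vllm entry is an identity mapping and can be dropped) and add a test for the nim alias. The leftover const normalized = providerKey; is a redundant rename; use one name throughout.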
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/providers.ts` around lines 221 - 231, Extract the
provider-alias normalization into a single shared utility (e.g., export function
normalizeProvider(raw?: string): string) and replace the inline alias map and
normalization in both the current block (where
rawProvider/aliases/normalizedProvider are defined) and in
stageHostedInferenceSourceSecretEnv() and getNonInteractiveProvider() so they
call normalizeProvider(process.env.NEMOCLAW_PROVIDER) (or normalizeProvider(raw)
where raw is already passed); ensure the alias map (cloud -> build,
anthropiccompatible -> anthropicCompatible,
hermes/hermes-provider/hermesprovider/nous/ nous-portal -> hermesProvider, etc.)
lives only in that utility and both call sites use its returned normalized
value.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 97c8334d-0fd3-4455-aa43-60089e9df631

📥 Commits

Reviewing files that changed from the base of the PR and between b72de15 and 2f61b23.

📒 Files selected for processing (12)
  • .github/workflows/nightly-e2e.yaml
  • ci/env-var-doc-allowlist.json
  • src/lib/onboard/providers.test.ts
  • src/lib/onboard/providers.ts
  • test/e2e-script-workflow.test.ts
  • test/e2e/lib/ci-compatible-inference.sh
  • test/e2e/test-agent-turn-latency-e2e.sh
  • test/e2e/test-launchable-smoke.sh
  • test/e2e/test-onboard-negative-paths.sh
  • test/e2e/test-openclaw-skill-cli-e2e.sh
  • test/e2e/test-skill-agent-e2e.sh
  • test/onboard-selection.test.ts
🚧 Files skipped from review as they are similar to previous changes (5)
  • test/e2e/test-openclaw-skill-cli-e2e.sh
  • test/e2e/test-skill-agent-e2e.sh
  • test/e2e/test-onboard-negative-paths.sh
  • .github/workflows/nightly-e2e.yaml
  • test/e2e/lib/ci-compatible-inference.sh

@github-actions

This comment was marked as outdated.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/nightly-e2e.yaml:
- Around line 1574-1579: The credential-migration Vitest lane is missing the
required hosted-mode flag; add the environment variable
NEMOCLAW_E2E_USE_HOSTED_INFERENCE: "1" to the job's env block that currently
contains NEMOCLAW_ENDPOINT_URL, NEMOCLAW_MODEL, NEMOCLAW_COMPAT_MODEL,
NVIDIA_INFERENCE_API_KEY and COMPATIBLE_API_KEY so this hosted-inference job
follows the same hosted code path as other nightly jobs and the
workflow-contract tests.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6d4b3bc5-b731-4544-82c3-4cd347477306

📥 Commits

Reviewing files that changed from the base of the PR and between 2f61b23 and 62f5583.

📒 Files selected for processing (5)
  • .github/workflows/e2e-script.yaml
  • .github/workflows/nightly-e2e.yaml
  • src/lib/onboard/providers.test.ts
  • src/lib/onboard/providers.ts
  • test/e2e-script-workflow.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/onboard/providers.ts

Comment on lines +1574 to +1579
NVIDIA_INFERENCE_API_KEY: ${{ (github.event_name != 'workflow_dispatch' || inputs.target_ref == '') && secrets.NVIDIA_INFERENCE_API_KEY || '' }}
NEMOCLAW_PROVIDER: custom
NEMOCLAW_ENDPOINT_URL: https://inference-api.nvidia.com/v1
NEMOCLAW_MODEL: nvidia/nvidia/nemotron-3-super-v3
NEMOCLAW_COMPAT_MODEL: nvidia/nvidia/nemotron-3-super-v3
COMPATIBLE_API_KEY: ${{ (github.event_name != 'workflow_dispatch' || inputs.target_ref == '') && secrets.NVIDIA_INFERENCE_API_KEY || '' }}

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add the hosted-mode flag to the credential-migration Vitest lane.

This direct hosted-inference job is the only hosted-secret lane here that stages the custom endpoint env without NEMOCLAW_E2E_USE_HOSTED_INFERENCE: "1", so it can drift from the same hosted code path the other nightly jobs exercise. The current workflow-contract test also doesn't assert this flag, so the omission would keep slipping through.

Suggested fix
         env:
           NVIDIA_INFERENCE_API_KEY: ${{ (github.event_name != 'workflow_dispatch' || inputs.target_ref == '') && secrets.NVIDIA_INFERENCE_API_KEY || '' }}
+          NEMOCLAW_E2E_USE_HOSTED_INFERENCE: "1"
           NEMOCLAW_PROVIDER: custom
           NEMOCLAW_ENDPOINT_URL: https://inference-api.nvidia.com/v1
           NEMOCLAW_MODEL: nvidia/nvidia/nemotron-3-super-v3
           NEMOCLAW_COMPAT_MODEL: nvidia/nvidia/nemotron-3-super-v3
           COMPATIBLE_API_KEY: ${{ (github.event_name != 'workflow_dispatch' || inputs.target_ref == '') && secrets.NVIDIA_INFERENCE_API_KEY || '' }}
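Review bot: the added NEMOCLAW_E2E_USE_HOSTED_INFERENCE: "1" line has no matching assertion, and the comment itself notes that the workflow-contract test does not check this flag, so the same omission can recur in the next hosted-secret lane. Pair the change with a contract assertion that every env block referencing secrets.NVIDIA_INFERENCE_API_KEY also sets the flag. The NVIDIA_INFERENCE_API_KEY and COMPATIBLE_API_KEY lines also repeat the same target_ref guard expression; the contract test should check that the two stay identical so one cannot carry the secret while the other is withheld.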

As per coding guidelines, jobs that perform hosted inference must set NEMOCLAW_E2E_USE_HOSTED_INFERENCE: "1".

Source: Coding guidelines

@github-actions

This comment was marked as outdated.

@copy-pr-bot

copy-pr-bot Bot commented Jun 13, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

This comment was marked as outdated.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
test/e2e/lib/ci-compatible-inference.sh (1)

78-78: ⚡ Quick win

Tighten provider matching to avoid route-assertion false positives.

Line 78 currently allows prefix/superset matches (e.g., Provider: compatible-endpoint-v2 would satisfy expected compatible-endpoint), which can hide routing regressions.

Suggested patch
-  grep -Eqi "Provider:[[:space:]]*${provider}" <<<"$plain" || return 1
+  grep -Eqi "Provider:[[:space:]]*${provider}([[:space:]]|$)" <<<"$plain" || return 1
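Review bot: ${provider} is still interpolated into the extended regex unescaped and matched with -i on the + line, so the trailing ([[:space:]]|$) boundary fixes the suffix case, but a provider name containing a regex metacharacter such as . would still match more than the literal name, and case differences are ignored. Consider extracting the value after Provider: and comparing it to the expected name as a plain string, or escaping the variable before building the pattern.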
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/lib/ci-compatible-inference.sh` at line 78, Tighten the
provider-matching grep so it no longer treats longer names with the expected
provider as a prefix: replace the pattern grep -Eqi
"Provider:[[:space:]]*${provider}" <<<"$plain" || return 1 with a regex that
requires the provider to be followed by end-of-line or whitespace (e.g., require
(${provider} followed by $ or whitespace) ) so only exact/same-token matches
succeed and prevent prefix/superset false positives.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 72f3fbf4-e24a-4174-9ad5-98d5a25bf87a

📥 Commits

Reviewing files that changed from the base of the PR and between 62f5583 and 240f8cd.

📒 Files selected for processing (6)
  • .github/workflows/nightly-e2e.yaml
  • test/e2e/lib/ci-compatible-inference.sh
  • test/e2e/test-agent-turn-latency-e2e.sh
  • test/e2e/test-hermes-e2e.sh
  • test/e2e/test-issue-4434-tui-unreachable-inference.sh
  • test/e2e/test-launchable-smoke.sh
🚧 Files skipped from review as they are similar to previous changes (4)
  • test/e2e/test-agent-turn-latency-e2e.sh
  • test/e2e/test-hermes-e2e.sh
  • test/e2e/test-launchable-smoke.sh
  • .github/workflows/nightly-e2e.yaml

@github-actions

This comment was marked as outdated.

@github-actions

Selective E2E Results — ❌ Some jobs failed

Run: 27473531845
Target ref: codex/fix-nightly-hosted-compatible
Requested jobs: agent-turn-latency-e2e,hermes-e2e,hermes-dashboard-e2e,hermes-onboard-security-posture-e2e,issue-4434-tui-unreachable-inference-e2e,launchable-smoke-e2e
Summary: 5 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
agent-turn-latency-e2e ✅ success
hermes-dashboard-e2e ✅ success
hermes-e2e ✅ success
hermes-onboard-security-posture-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ❌ failure
launchable-smoke-e2e ✅ success

Failed jobs: issue-4434-tui-unreachable-inference-e2e. Check run artifacts for logs.

@github-actions

Selective E2E Results — ✅ All requested jobs passed

Run: 27473849272
Target ref: codex/fix-nightly-hosted-compatible
Requested jobs: issue-4434-tui-unreachable-inference-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
issue-4434-tui-unreachable-inference-e2e ✅ success

@cv cv merged commit ff5322b into main Jun 13, 2026
108 checks passed
@cv cv deleted the codex/fix-nightly-hosted-compatible branch June 13, 2026 17:32
@github-actions

Selective E2E Results — ✅ All requested jobs passed

Run: 27473928680
Target ref: 57cee8b6912aeeaf6ba33892d9b6df0327aa011f
Workflow ref: main
Requested jobs: cloud-onboard-e2e,cloud-inference-e2e,hermes-e2e,openclaw-inference-switch-e2e,hermes-inference-switch-e2e,credential-migration-e2e,onboard-negative-paths-e2e
Summary: 7 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
cloud-inference-e2e ✅ success
cloud-onboard-e2e ✅ success
credential-migration-e2e ✅ success
hermes-e2e ✅ success
hermes-inference-switch-e2e ✅ success
onboard-negative-paths-e2e ✅ success
openclaw-inference-switch-e2e ✅ success
