fix: restore NVIDIA_API_KEY inference wiring #5390

Open: jyaunches wants to merge 3 commits into main from jyaunches/revert-inference-api-key-migration

@jyaunches jyaunches commented Jun 13, 2026

Summary

Reverts the NVIDIA_INFERENCE_API_KEY migration stack so E2E can validate the old NVIDIA_API_KEY-backed path while weekend traffic is lower.

Reverted PRs/commits:

Validation

  • git diff --check origin/main..HEAD
  • Confirmed the target workflows no longer reference NVIDIA_INFERENCE_API_KEY / compatible migration toggles:
    • .github/workflows/nightly-e2e.yaml
    • .github/workflows/e2e-vitest-scenarios.yaml
    • .github/workflows/e2e-script.yaml

Full E2E runs will be dispatched on this branch after PR creation:

  • Nightly E2E
  • E2E / Vitest Scenarios

Note: local pre-push hooks were bypassed because this worktree has no installed npm dependencies; hook failures were missing local modules/tools (typescript, tsx, vitest, ajv, biome transitive klaw), not validation failures from the revert.

Summary by CodeRabbit

  • Bug Fixes

    • Standardized NVIDIA credential name to NVIDIA_API_KEY across onboarding, CLI, E2E flows and runtime checks.
    • Updated NVIDIA inference endpoints to the new standard host(s) to improve routing and reachability checks.
  • Documentation

    • Quickstarts, release notes, walkthroughs and examples updated to reference NVIDIA_API_KEY and the updated NVIDIA endpoints.

coderabbitai Bot commented Jun 13, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b2d06fb1-1a5c-472d-869e-1d0bc53ac729

📥 Commits

Reviewing files that changed from the base of the PR and between 59f78b4 and df07fb6.

📒 Files selected for processing (4)
  • docs/get-started/quickstart-hermes.mdx
  • src/lib/onboard/providers.test.ts
  • src/lib/onboard/providers.ts
  • test/e2e/test-messaging-providers.sh
✅ Files skipped from review due to trivial changes (1)
  • docs/get-started/quickstart-hermes.mdx
🚧 Files skipped from review as they are similar to previous changes (3)
  • test/e2e/test-messaging-providers.sh
  • src/lib/onboard/providers.ts
  • src/lib/onboard/providers.test.ts

Walkthrough

Standardize NVIDIA credential to NVIDIA_API_KEY across workflows, runtime code, scripts, docs, policies, tests; update NVIDIA endpoint references and remove legacy CI-compatible inference wiring.

Changes

NVIDIA API key migration

| Layer | File(s) | Summary |
|---|---|---|
| Workflow and CI wiring | .github/workflows/*, tools/e2e-scenarios/workflow-boundary.mts, test/e2e-script-workflow.test.ts, test/regression-e2e-workflow.test.ts | Reusable workflows, nightly jobs, and workflow-boundary checks switch NVIDIA secret wiring to NVIDIA_API_KEY and remove compatible-inference job paths. |
| Runtime credential contract | src/lib/credentials/store.ts, src/lib/deploy/index.ts, src/lib/inference/*, src/lib/onboard/*, src/lib/security/redact.ts, scripts/checks/direct-credential-env.ts | Core credential lookup, deploy, inference, onboarding, redaction, and subprocess checks switch to NVIDIA_API_KEY and update NVIDIA endpoint handling. |
| Validation and redaction rules | test/*, src/lib/*/*.test.ts | Secret validation, redaction, and direct env-read guard logic align NVIDIA key checks and masking behavior with NVIDIA_API_KEY. |
| CLI, startup, and shell helpers | scripts/*, src/commands/sandbox/config/rotate-token.ts, test/e2e/*.sh | Installer, startup, walkthrough, and E2E shell scripts now require NVIDIA_API_KEY; cloud/NVIDIA checks target updated integrate endpoints where modified. |
| Policies, blueprints, and docs | nemoclaw-blueprint/*, agents/*, docs/*, test/e2e-runtime/* | Blueprints, network policies, and documentation examples updated to use NVIDIA_API_KEY and add/adjust inference-api.nvidia.com entries. |
| Scenario manifests and live E2E tests | test/e2e-scenario/**, test/e2e-scenario/manifests/* | Live scenario fixtures, manifests, and test contracts switch required secrets and env wiring to NVIDIA_API_KEY, with matching endpoint and redaction updates. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested labels

bug-fix, area: ci, area: e2e

Suggested reviewers

  • cv

"A rabbit hopped through keys and docs with cheer,
Swapping names so workflows sing clear.
Old aliases hopped off, new key takes the stage,
Tests and scripts aligned — a tidy new page!
🐇✨"

github-code-quality Bot commented Jun 13, 2026

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
| File | df07fb6 | +/- |
|---|---|---|
| nemoclaw/src/se...cret-scanner.ts | 100% | |
| nemoclaw/src/commands/slash.ts | 100% | |
| nemoclaw/src/li...bprocess-env.ts | 100% | |
| nemoclaw/src/bl...eprint/state.ts | 98% | |
| nemoclaw/src/onboard/config.ts | 98% | |
| nemoclaw/src/bl...int/snapshot.ts | 97% | |
| nemoclaw/src/bl...print/runner.ts | 95% | |
| nemoclaw/src/co...ration-state.ts | 94% | |
| nemoclaw/src/bl...ate-networks.ts | 94% | |
| nemoclaw/src/index.ts | 94% | |

TypeScript / code-coverage/cli

The overall coverage in the branch is 44%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
| File | df07fb6 | +/- |
|---|---|---|
| src/lib/state/o...oard-session.ts | 90% | |
| src/lib/inference/local.ts | 77% | |
| src/lib/sandbox/config.ts | 72% | |
| src/lib/inference/nim.ts | 72% | |
| src/lib/onboard/preflight.ts | 64% | |
| src/lib/state/sandbox.ts | 55% | |
| src/lib/onboard...er-gpu-patch.ts | 50% | |
| src/lib/actions...licy-channel.ts | 49% | |
| src/lib/policy/index.ts | 48% | |
| src/lib/onboard.ts | 17% | |

Updated June 13, 2026 19:32 UTC

github-actions Bot commented Jun 13, 2026

E2E Advisor Recommendation

Required E2E: cloud-onboard-e2e, cloud-inference-e2e, inference-routing-e2e, model-router-provider-routed-inference-vitest, credential-migration-e2e, credential-sanitization-e2e, network-policy-e2e, launchable-smoke-e2e, hermes-e2e, rebuild-openclaw-e2e, sandbox-rebuild-e2e, token-rotation-e2e
Optional E2E: sandbox-survival-e2e, shields-config-e2e, onboard-negative-paths-e2e, onboard-resume-e2e, macos-e2e, wsl-e2e, common-egress-agent-e2e

Dispatch hint: cloud-onboard-e2e,cloud-inference-e2e,inference-routing-e2e,credential-migration-e2e,credential-sanitization-e2e,network-policy-e2e,launchable-smoke-e2e,hermes-e2e,rebuild-openclaw-e2e,sandbox-rebuild-e2e,token-rotation-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-onboard-e2e (medium): Validates the clean hosted/NVIDIA provider onboarding path after changes to install scripts, onboard flow, provider selection, credential env name, and workflow secret wiring.
  • cloud-inference-e2e (medium): Required because the PR changes NVIDIA API credential naming, inference health/NIM code, hosted inference fixtures, and model prompt/routing behavior.
  • inference-routing-e2e (medium): Covers live inference.local routing through the onboarded sandbox, which is directly affected by routed inference, provider sandbox handlers, and model-router changes.
  • model-router-provider-routed-inference-vitest (medium): Focused live coverage for provider-routed Model Router behavior after changes to src/lib/onboard/model-router.ts, routed-inference.ts, NVIDIA provider handling, and the corresponding live Vitest test.
  • credential-migration-e2e (medium): Required for credential storage/migration and NVIDIA_API_KEY compatibility changes; validates legacy credential migration, secure deletion, gateway hydration, and provider credential resolution.
  • credential-sanitization-e2e (medium): Required because secret redaction, subprocess env filtering, direct credential env checks, and live credential sanitization fixtures are touched; validates that credentials are not exposed in snapshots, env, logs, or sandbox state.
  • network-policy-e2e (medium): Required because agent policy YAML and blueprint sandbox network policies changed; validates real allow/deny behavior and policy application inside an OpenShell sandbox.
  • launchable-smoke-e2e (medium): Required for install/blueprint/workflow changes affecting the community/launchable path and NVIDIA_API_KEY handoff during a real launchable-style onboard.
  • hermes-e2e (medium): Required because Hermes policy assets, manifests, onboarding fixture behavior, and NVIDIA credential handling are changed; validates the Hermes install/onboard/health/live inference path.
  • rebuild-openclaw-e2e (high): Required because deploy/index, blueprint assets, credential hydration tests, and rebuild live tests are changed; validates rebuilding an existing OpenClaw sandbox without losing route, policy, or credentials.
  • sandbox-rebuild-e2e (medium): Required to cover sandbox lifecycle and OpenShell rebuild boundaries after changes to deployment, blueprint policies, and sandbox rebuild fixtures/manifests.
  • token-rotation-e2e (medium): Required because src/commands/sandbox/config/rotate-token.ts and token-rotation live tests/manifests are touched; validates token rotation propagates through gateway credentials and sandbox config.

Optional E2E

  • sandbox-survival-e2e (medium): Useful adjacent confidence for install.sh, deploy, inference.local, and gateway restart behavior after sandbox lifecycle and credential routing changes, but less targeted than rebuild/network/credential coverage.
  • shields-config-e2e (medium): Optional confidence for security posture and live config behavior because shields config live tests and secret/security-related files are touched.
  • onboard-negative-paths-e2e (medium): Optional validation of error recovery and invalid-key handling after changes to validation recovery prompts, provider inference handlers, missing credential hints, and onboard negative-path fixtures.
  • onboard-resume-e2e (medium): Optional coverage for onboard session/state mutation and resume manifests touched by the PR.
  • macos-e2e (medium): Optional platform confidence because macOS workflow and smoke install script are modified; run if the PR is intended to validate macOS secret wiring and install behavior before merge.
  • wsl-e2e (high): Optional platform confidence because the WSL E2E workflow is touched and install/onboard scripts changed; useful if Windows/WSL support is in scope for the PR.
  • common-egress-agent-e2e (high): Optional confidence for policy and live agent-turn behavior across OpenClaw/Hermes after common egress policy and NVIDIA_API_KEY routing updates.

New E2E recommendations

  • CI E2E workflow secret-contract coverage (medium): This PR changes the canonical hosted inference secret name across many reusable and dispatched workflows. Existing live E2E jobs validate runtime behavior when run, but there is no single lightweight workflow-contract E2E that dispatches the reusable script runner and asserts NVIDIA_API_KEY is passed while legacy NVIDIA_INFERENCE_API_KEY is absent across all workflow entry points.
    • Suggested test: Add a trusted workflow-dispatch contract E2E that exercises e2e-script.yaml and e2e-vitest-scenarios.yaml with nvidia_api_key=true and verifies the sanitized environment contract for NVIDIA_API_KEY, including failure diagnostics when the secret is unavailable.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: cloud-onboard-e2e,cloud-inference-e2e,inference-routing-e2e,credential-migration-e2e,credential-sanitization-e2e,network-policy-e2e,launchable-smoke-e2e,hermes-e2e,rebuild-openclaw-e2e,sandbox-rebuild-e2e,token-rotation-e2e
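
The workflow secret-contract check recommended above, sketched as an added example (not code from this repository or from the advisor): a static per-job scan of workflow text that confirms the canonical secret is wired and the retired name is gone. The workflow text, job list, script name and function names are constructed for illustration, and the scanner assumes two-space job indentation rather than a full YAML parser.

```typescript
// Added example: static secret-contract scan over GitHub Actions workflow text.
// Secret names are the two discussed in this PR; everything else is constructed.
const CANONICAL_SECRET = "NVIDIA_API_KEY";
const LEGACY_SECRET = "NVIDIA_INFERENCE_API_KEY";

interface WorkflowBlock { name: string; body: string }
interface JobFinding { job: string; canonical: boolean; legacy: boolean; inherits: boolean }
interface ContractReport { findings: JobFinding[]; violations: string[] }

// Drop YAML comments so a secret name left in a comment is not counted as wiring.
// Naive by design: a " #" inside a quoted string is also cut (acceptable for a lint).
function stripComment(line: string): string {
  if (/^\s*#/.test(line)) return "";
  return line.replace(/\s+#.*$/, "");
}

// Matches secrets.NAME and secrets['NAME'], but not a longer name such as NAME_2.
function refersTo(text: string, name: string): boolean {
  const re = new RegExp("secrets\\s*(?:\\.\\s*|\\[\\s*['\"])" + name + "(?![A-Za-z0-9_])");
  return re.test(text);
}

// Split the file into a "(workflow)" block (everything outside `jobs:`) plus one
// block per job id. Assumes job ids sit at exactly two spaces of indentation.
function splitJobs(yamlText: string): WorkflowBlock[] {
  const workflow: WorkflowBlock = { name: "(workflow)", body: "" };
  const blocks: WorkflowBlock[] = [workflow];
  let current: WorkflowBlock = workflow;
  let inJobs = false;
  for (const raw of yamlText.split(/\r?\n/)) {
    const line = stripComment(raw);
    if (/^\S/.test(line)) {
      // A new top-level key; only `jobs:` opens the job map.
      inJobs = /^jobs:\s*$/.test(line);
      current = workflow;
      if (!inJobs) workflow.body += line + "\n";
      continue;
    }
    const id = inJobs ? /^ {2}([A-Za-z_][A-Za-z0-9_-]*):\s*$/.exec(line) : null;
    if (id) {
      current = { name: id[1], body: "" };
      blocks.push(current);
      continue;
    }
    current.body += line + "\n";
  }
  return blocks;
}

// mustReceive: job ids that are expected to get the canonical secret.
function auditWorkflow(yamlText: string, mustReceive: string[]): ContractReport {
  const findings: JobFinding[] = splitJobs(yamlText).map((b) => ({
    job: b.name,
    canonical: refersTo(b.body, CANONICAL_SECRET),
    legacy: refersTo(b.body, LEGACY_SECRET),
    inherits: /^\s*secrets:\s*inherit\s*$/m.test(b.body),
  }));
  const violations: string[] = [];
  for (const f of findings) {
    if (f.legacy) violations.push(f.job + ": references retired secrets." + LEGACY_SECRET);
    // `secrets: inherit` hands over every secret, so the contract cannot be read off the file.
    if (f.inherits) violations.push(f.job + ": uses `secrets: inherit`, wiring is not explicit");
  }
  // A workflow-level env entry reaches every job.
  const workflowWide = findings.some((f) => f.job === "(workflow)" && f.canonical);
  for (const name of mustReceive) {
    const hit = findings.filter((f) => f.job === name)[0];
    if (!hit) {
      violations.push(name + ": required job is missing from the workflow");
    } else if (!hit.canonical && !hit.inherits && !workflowWide) {
      violations.push(name + ": required job does not receive secrets." + CANONICAL_SECRET);
    }
  }
  return { findings, violations };
}

// Constructed workflow (not from the repository): one correct job, one still on the
// retired name with the canonical name only in a comment, one using inherit, one unrelated.
const SAMPLE_WORKFLOW = [
  "name: constructed-nightly",
  "on:",
  "  workflow_dispatch:",
  "jobs:",
  "  cloud-inference-e2e:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - run: bash run-e2e.sh",
  "        env:",
  "          NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }}",
  "  hermes-e2e:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - run: bash run-e2e.sh",
  "        env:",
  "          # was: ${{ secrets.NVIDIA_API_KEY }}",
  "          NVIDIA_API_KEY: ${{ secrets.NVIDIA_INFERENCE_API_KEY }}",
  "  token-rotation-e2e:",
  "    uses: ./.github/workflows/reusable.yaml",
  "    secrets: inherit",
  "  docs-lint:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - run: echo ok",
].join("\n");

const REQUIRED_JOBS = ["cloud-inference-e2e", "hermes-e2e", "token-rotation-e2e", "network-policy-e2e"];
const sampleReport = auditWorkflow(SAMPLE_WORKFLOW, REQUIRED_JOBS);
```

On the constructed input, `sampleReport.violations` holds four entries: the retired name in `hermes-e2e`, the `inherit` in `token-rotation-e2e`, the missing canonical secret in `hermes-e2e`, and the absent `network-policy-e2e` job.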

github-actions Bot commented Jun 13, 2026

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: credential-migration-vitest, credential-sanitization-vitest, gateway-guard-recovery, inference-routing-vitest, issue-4434-tui-unreachable-inference-vitest, launchable-smoke-vitest, model-router-provider-routed-inference-vitest, network-policy-vitest, onboard-negative-paths-vitest, openclaw-tui-chat-correlation-vitest, rebuild-openclaw-vitest, sandbox-rebuild-vitest, sandbox-survival-vitest, shields-config-vitest, skill-agent-vitest, token-rotation-vitest, e2e-scenarios-all
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=credential-migration-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=credential-sanitization-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=gateway-guard-recovery
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=inference-routing-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-4434-tui-unreachable-inference-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=launchable-smoke-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=model-router-provider-routed-inference-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=network-policy-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-negative-paths-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=rebuild-openclaw-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=sandbox-rebuild-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=sandbox-survival-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=shields-config-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=skill-agent-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=token-rotation-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref>

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • credential-migration-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/credential-migration.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=credential-migration-vitest
  • credential-sanitization-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/credential-sanitization.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=credential-sanitization-vitest
  • gateway-guard-recovery: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/gateway-guard-recovery.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=gateway-guard-recovery
  • inference-routing-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/inference-routing.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=inference-routing-vitest
  • issue-4434-tui-unreachable-inference-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/issue-4434-tui-unreachable-inference.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-4434-tui-unreachable-inference-vitest
  • launchable-smoke-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/launchable-smoke.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=launchable-smoke-vitest
  • model-router-provider-routed-inference-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/model-router-provider-routed-inference.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=model-router-provider-routed-inference-vitest
  • network-policy-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/network-policy.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=network-policy-vitest
  • onboard-negative-paths-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/onboard-negative-paths.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-negative-paths-vitest
  • openclaw-tui-chat-correlation-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation-vitest
  • rebuild-openclaw-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/rebuild-openclaw.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=rebuild-openclaw-vitest
  • sandbox-rebuild-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/sandbox-rebuild.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=sandbox-rebuild-vitest
  • sandbox-survival-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/sandbox-survival.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=sandbox-survival-vitest
  • shields-config-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/shields-config.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=shields-config-vitest
  • skill-agent-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/skill-agent.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=skill-agent-vitest
  • token-rotation-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/token-rotation.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=token-rotation-vitest
  • e2e-scenarios-all: This PR changes the shared Vitest scenario workflow, shared fixtures, manifests, typed scenario metadata, support tests, and many live Vitest scenario files. That affects scenario matrix/workflow machinery and shared execution behavior, so the full Vitest scenario fan-out is required.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref>

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • .github/workflows/e2e-vitest-scenarios.yaml
  • test/e2e-scenario/fixtures/hosted-inference.ts
  • test/e2e-scenario/fixtures/phases/onboarding.ts
  • test/e2e-scenario/live/credential-migration.test.ts
  • test/e2e-scenario/live/credential-sanitization.test.ts
  • test/e2e-scenario/live/gateway-guard-recovery.test.ts
  • test/e2e-scenario/live/hermes-e2e.test.ts
  • test/e2e-scenario/live/inference-routing.test.ts
  • test/e2e-scenario/live/issue-4434-tui-unreachable-inference.test.ts
  • test/e2e-scenario/live/launchable-smoke.test.ts
  • test/e2e-scenario/live/model-router-provider-routed-inference.test.ts
  • test/e2e-scenario/live/network-policy.test.ts
  • test/e2e-scenario/live/onboard-negative-paths.test.ts
  • test/e2e-scenario/live/onboard-resume.test.ts
  • test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e-scenario/live/rebuild-openclaw.test.ts
  • test/e2e-scenario/live/sandbox-operations.test.ts
  • test/e2e-scenario/live/sandbox-rebuild.test.ts
  • test/e2e-scenario/live/sandbox-survival.test.ts
  • test/e2e-scenario/live/shields-config.test.ts
  • test/e2e-scenario/live/skill-agent.test.ts
  • test/e2e-scenario/live/token-rotation.test.ts
  • test/e2e-scenario/live/whatsapp-qr-compact.test.ts
  • test/e2e-scenario/manifests/hermes-nvidia-discord.yaml
  • test/e2e-scenario/manifests/hermes-nvidia-slack.yaml
  • test/e2e-scenario/manifests/hermes-nvidia.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-brave.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-brev-launchable.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-custom-policies.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-discord.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-double-provider-switch.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-double-same-provider.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-gateway-port-conflict.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-invalid-key.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-macos.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-no-docker-negative.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-post-reboot-recovery.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-repair.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-resume.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-slack.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-telegram.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-token-rotation.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-wsl.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia.yaml
  • test/e2e-scenario/scenarios/scenarios/baseline.ts
  • test/e2e-scenario/scenarios/types.ts
  • test/e2e-scenario/support-tests/docker-probe.test.ts
  • test/e2e-scenario/support-tests/e2e-fixture-context.test.ts
  • test/e2e-scenario/support-tests/e2e-manifests.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-environment.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-onboarding.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-state-validation.test.ts
  • test/e2e-scenario/support-tests/e2e-scenario-matrix.test.ts
  • test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
  • test/e2e-scenario/support-tests/hosted-inference.test.ts
  • test/e2e-scenario/support-tests/network-policy-transient-provider.test.ts
  • tools/e2e-scenarios/workflow-boundary.mts

@github-actions

Selective E2E Results — ❌ Some jobs failed

Run: 27472338696
Target ref: 59f78b48c78496550c72edbfb0e4b77bd1ef64f1
Workflow ref: main
Requested jobs: cloud-onboard-e2e,cloud-inference-e2e,inference-routing-e2e,credential-migration-e2e,credential-sanitization-e2e,network-policy-e2e,launchable-smoke-e2e,hermes-e2e,token-rotation-e2e
Summary: 2 passed, 7 failed, 0 cancelled, 0 skipped

| Job | Result |
|---|---|
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |
| credential-migration-e2e | ✅ success |
| credential-sanitization-e2e | ❌ failure |
| hermes-e2e | ❌ failure |
| inference-routing-e2e | ✅ success |
| launchable-smoke-e2e | ❌ failure |
| network-policy-e2e | ❌ failure |
| token-rotation-e2e | ❌ failure |

Failed jobs: cloud-inference-e2e, cloud-onboard-e2e, credential-sanitization-e2e, hermes-e2e, launchable-smoke-e2e, network-policy-e2e, token-rotation-e2e. Check run artifacts for logs.

github-actions Bot commented Jun 13, 2026

PR Review Advisor

Findings: 2 needs attention, 3 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 4 still apply, 1 new item found

Review findings

🛠️ Needs attention

  • Token rotation still sources deleted helper (test/e2e/test-token-rotation.sh:41): The PR deletes test/e2e/lib/ci-compatible-inference.sh, but the legacy token-rotation shell test still sources it and later calls nemoclaw_e2e_configure_compatible_inference. Nightly still runs this exact shell script, so token-rotation-e2e fails before it can validate either the reverted NVIDIA_API_KEY path or messaging token rotation.
    • Recommendation: Either restore the helper, or remove the source/call from test-token-rotation.sh and configure the reverted NVIDIA_API_KEY/default-provider path directly. Add a focused guard that the legacy token-rotation script starts through prerequisites without ci-compatible-inference.sh, or retire the nightly shell lane in favor of the Vitest replacement in the same change.
    • Evidence: test/e2e/test-token-rotation.sh sources ${SCRIPT_DIR_TIMEOUT}/lib/ci-compatible-inference.sh near line 41 and calls nemoclaw_e2e_configure_compatible_inference before prereq checks; read-only inspection of test/e2e/lib/ci-compatible-inference.sh returned ENOENT; .github/workflows/nightly-e2e.yaml:957 still runs bash test/e2e/test-token-rotation.sh.
  • NVIDIA_API_KEY is exposed to target-ref E2E code (.github/workflows/nightly-e2e.yaml:209): The reusable nightly secret anchor now passes NVIDIA_API_KEY directly, while many jobs check out and execute inputs.target_ref. The reusable runner then invokes target-ref test/e2e scripts with that secret when nvidia_api_key is true, and direct jobs such as openclaw-tui-chat-correlation-e2e also pass the secret after a target-ref checkout. This removes the prior target-ref withholding boundary and increases the blast radius of any target-ref script or artifact/log leak.
    • Recommendation: Restore target-ref gating for NVIDIA_API_KEY, or require explicit trusted full-SHA/ancestor verification before any job passes the secret. For privileged/direct jobs, keep trusted workflow checkout code separate from the product-under-test ref and withhold secrets unless the ref is verified trusted.
    • Evidence: .github/workflows/nightly-e2e.yaml:201 checks out ref ${{ inputs.target_ref || github.ref }} through e2e-script callers, line 209 passes NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }}, and .github/workflows/e2e-script.yaml passes NVIDIA_API_KEY to the target script env when nvidia_api_key is true. The openclaw-tui-chat-correlation path uses target-ref checkout and passes NVIDIA_API_KEY directly at .github/workflows/nightly-e2e.yaml:467.

🔎 Worth checking

  • Source-of-truth review needed: NVIDIA_INFERENCE_API_KEY compatibility remnants: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: src/lib/onboard/providers.ts still defines HOSTED_INFERENCE_SOURCE_ENV = NVIDIA_INFERENCE_API_KEY; workflow-boundary.mts and tools/e2e-advisor/dispatch.mts also retain NVIDIA_INFERENCE_API_KEY checks. This is covered by the stale validator finding.
  • Base sandbox policy restores direct NVIDIA inference egress (nemoclaw-blueprint/policies/openclaw-sandbox.yaml:95): The base OpenClaw sandbox policy now allows /usr/local/bin/openclaw to reach inference-api.nvidia.com directly in addition to the managed inference.local route. The base rules are path-scoped, but direct vendor egress can bypass or obscure the managed-inference-only boundary if credentials or provider routing assumptions drift; permissive policies additionally grant access: full for this host to all binaries.
    • Recommendation: Verify direct inference-api.nvidia.com access is required in the base policy. If retained, keep it path-scoped and add regression coverage proving normal agent inference still uses inference.local and that direct egress cannot expose credentials or broaden SSRF scope.
    • Evidence: nemoclaw-blueprint/policies/openclaw-sandbox.yaml lists inference-api.nvidia.com under the nvidia policy with POST/GET /v1 paths for /usr/local/bin/openclaw. agents/openclaw/policy-permissive.yaml and agents/hermes/policy-permissive.yaml add inference-api.nvidia.com with access: full for /** binaries.
  • Boundary validators still check the retired secret name (tools/e2e-scenarios/workflow-boundary.mts:2639): The workflow boundary validator was partly updated for NVIDIA_API_KEY but still contains NVIDIA_INFERENCE_API_KEY checks, and the E2E advisor dispatch classifier still looks for secrets.NVIDIA_INFERENCE_API_KEY in one target-ref secret-blocking path. This can create false confidence that canonical NVIDIA_API_KEY exposure is covered, especially for direct jobs that do not use the reusable e2e-script nvidia_api_key flag.
    • Recommendation: Update workflow-boundary.mts and tools/e2e-advisor/dispatch.mts so NVIDIA_API_KEY is the canonical secret checked in no-secret, direct-job, and target-ref secret-blocking paths. Keep NVIDIA_INFERENCE_API_KEY only where intentionally testing backward compatibility, and add a regression that a direct job exposing NVIDIA_API_KEY to target_ref is rejected/classified as secret-blocked.
    • Evidence: workflow-boundary.mts still references NVIDIA_INFERENCE_API_KEY at lines 2639, 2653, and 2737. tools/e2e-advisor/dispatch.mts:378 checks body.includes('secrets.NVIDIA_INFERENCE_API_KEY') for target-ref secret blocking.

🌱 Nice ideas

  • None.

Consider writing more tests for

  • **Runtime validation** — test-token-rotation.sh starts through prerequisites without sourcing deleted ci-compatible-inference.sh. This PR changes workflow secret wiring, live E2E script paths, sandbox network policy, installer/start shell surfaces, and credential migration behavior. Unit tests and static workflow checks are not enough, and one runtime script path is visibly broken by read-only inspection.
  • **Runtime validation** — nightly token-rotation-e2e uses NVIDIA_API_KEY or the Vitest replacement and no longer calls nemoclaw_e2e_configure_compatible_inference. This PR changes workflow secret wiring, live E2E script paths, sandbox network policy, installer/start shell surfaces, and credential migration behavior. Unit tests and static workflow checks are not enough, and one runtime script path is visibly broken by read-only inspection.
  • **Runtime validation** — workflow target_ref runs with nvidia_api_key=true do not receive NVIDIA_API_KEY unless the ref is verified trusted. This PR changes workflow secret wiring, live E2E script paths, sandbox network policy, installer/start shell surfaces, and credential migration behavior. Unit tests and static workflow checks are not enough, and one runtime script path is visibly broken by read-only inspection.
  • **Runtime validation** — workflow-boundary validator rejects NVIDIA_API_KEY exposure in every no-secret job and direct target_ref job. This PR changes workflow secret wiring, live E2E script paths, sandbox network policy, installer/start shell surfaces, and credential migration behavior. Unit tests and static workflow checks are not enough, and one runtime script path is visibly broken by read-only inspection.
  • **Runtime validation** — e2e-advisor dispatch classifies NVIDIA_API_KEY direct jobs as target-ref secret blocked. This PR changes workflow secret wiring, live E2E script paths, sandbox network policy, installer/start shell surfaces, and credential migration behavior. Unit tests and static workflow checks are not enough, and one runtime script path is visibly broken by read-only inspection.
  • **Boundary validators still check the retired secret name** — Update workflow-boundary.mts and tools/e2e-advisor/dispatch.mts so NVIDIA_API_KEY is the canonical secret checked in no-secret, direct-job, and target-ref secret-blocking paths. Keep NVIDIA_INFERENCE_API_KEY only where intentionally testing backward compatibility, and add a regression that a direct job exposing NVIDIA_API_KEY to target_ref is rejected/classified as secret-blocked.
  • **Acceptance clause:** Reverts the NVIDIA_INFERENCE_API_KEY migration stack so E2E can validate the old NVIDIA_API_KEY-backed path while weekend traffic is lower. — add test evidence or identify existing coverage. Most workflows/tests/manifests were rewired to NVIDIA_API_KEY and credential-migration now stages legacy NVIDIA_API_KEY into the nvidia-prod provider. However, nightly token-rotation-e2e still runs test/e2e/test-token-rotation.sh, which depends on the deleted ci-compatible-inference.sh helper, so the old path is not consistently restored.
  • **Acceptance clause:** fix(e2e): support compatible credential migration #5380 / 9e9efd6 `fix(e2e): support compatible credential migration` — add test evidence or identify existing coverage. The hosted-inference fixture is deleted and credential-migration is rewritten away from the compatible-provider path. Stale NVIDIA_INFERENCE_API_KEY logic remains in src/lib/onboard/providers.ts and validation/advisor tooling, so this migration stack is not fully reverted.
Since last review details

Current findings:

  • Source-of-truth review needed: NVIDIA_INFERENCE_API_KEY compatibility remnants: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: src/lib/onboard/providers.ts still defines HOSTED_INFERENCE_SOURCE_ENV = NVIDIA_INFERENCE_API_KEY; workflow-boundary.mts and tools/e2e-advisor/dispatch.mts also retain NVIDIA_INFERENCE_API_KEY checks. This is covered by the stale validator finding.
  • Token rotation still sources deleted helper (test/e2e/test-token-rotation.sh:41): The PR deletes test/e2e/lib/ci-compatible-inference.sh, but the legacy token-rotation shell test still sources it and later calls nemoclaw_e2e_configure_compatible_inference. Nightly still runs this exact shell script, so token-rotation-e2e fails before it can validate either the reverted NVIDIA_API_KEY path or messaging token rotation.
    • Recommendation: Either restore the helper, or remove the source/call from test-token-rotation.sh and configure the reverted NVIDIA_API_KEY/default-provider path directly. Add a focused guard that the legacy token-rotation script starts through prerequisites without ci-compatible-inference.sh, or retire the nightly shell lane in favor of the Vitest replacement in the same change.
    • Evidence: test/e2e/test-token-rotation.sh sources ${SCRIPT_DIR_TIMEOUT}/lib/ci-compatible-inference.sh near line 41 and calls nemoclaw_e2e_configure_compatible_inference before prereq checks; read-only inspection of test/e2e/lib/ci-compatible-inference.sh returned ENOENT; .github/workflows/nightly-e2e.yaml:957 still runs bash test/e2e/test-token-rotation.sh.
  • NVIDIA_API_KEY is exposed to target-ref E2E code (.github/workflows/nightly-e2e.yaml:209): The reusable nightly secret anchor now passes NVIDIA_API_KEY directly, while many jobs check out and execute inputs.target_ref. The reusable runner then invokes target-ref test/e2e scripts with that secret when nvidia_api_key is true, and direct jobs such as openclaw-tui-chat-correlation-e2e also pass the secret after a target-ref checkout. This removes the prior target-ref withholding boundary and increases the blast radius of any target-ref script or artifact/log leak.
    • Recommendation: Restore target-ref gating for NVIDIA_API_KEY, or require explicit trusted full-SHA/ancestor verification before any job passes the secret. For privileged/direct jobs, keep trusted workflow checkout code separate from the product-under-test ref and withhold secrets unless the ref is verified trusted.
    • Evidence: .github/workflows/nightly-e2e.yaml:201 checks out ref ${{ inputs.target_ref || github.ref }} through e2e-script callers, line 209 passes NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }}, and .github/workflows/e2e-script.yaml passes NVIDIA_API_KEY to the target script env when nvidia_api_key is true. The openclaw-tui-chat-correlation path uses target-ref checkout and passes NVIDIA_API_KEY directly at .github/workflows/nightly-e2e.yaml:467.
  • Base sandbox policy restores direct NVIDIA inference egress (nemoclaw-blueprint/policies/openclaw-sandbox.yaml:95): The base OpenClaw sandbox policy now allows /usr/local/bin/openclaw to reach inference-api.nvidia.com directly in addition to the managed inference.local route. The base rules are path-scoped, but direct vendor egress can bypass or obscure the managed-inference-only boundary if credentials or provider routing assumptions drift; permissive policies additionally grant access: full for this host to all binaries.
    • Recommendation: Verify direct inference-api.nvidia.com access is required in the base policy. If retained, keep it path-scoped and add regression coverage proving normal agent inference still uses inference.local and that direct egress cannot expose credentials or broaden SSRF scope.
    • Evidence: nemoclaw-blueprint/policies/openclaw-sandbox.yaml lists inference-api.nvidia.com under the nvidia policy with POST/GET /v1 paths for /usr/local/bin/openclaw. agents/openclaw/policy-permissive.yaml and agents/hermes/policy-permissive.yaml add inference-api.nvidia.com with access: full for /** binaries.
  • Boundary validators still check the retired secret name (tools/e2e-scenarios/workflow-boundary.mts:2639): The workflow boundary validator was partly updated for NVIDIA_API_KEY but still contains NVIDIA_INFERENCE_API_KEY checks, and the E2E advisor dispatch classifier still looks for secrets.NVIDIA_INFERENCE_API_KEY in one target-ref secret-blocking path. This can create false confidence that canonical NVIDIA_API_KEY exposure is covered, especially for direct jobs that do not use the reusable e2e-script nvidia_api_key flag.
    • Recommendation: Update workflow-boundary.mts and tools/e2e-advisor/dispatch.mts so NVIDIA_API_KEY is the canonical secret checked in no-secret, direct-job, and target-ref secret-blocking paths. Keep NVIDIA_INFERENCE_API_KEY only where intentionally testing backward compatibility, and add a regression that a direct job exposing NVIDIA_API_KEY to target_ref is rejected/classified as secret-blocked.
    • Evidence: workflow-boundary.mts still references NVIDIA_INFERENCE_API_KEY at lines 2639, 2653, and 2737. tools/e2e-advisor/dispatch.mts:378 checks body.includes('secrets.NVIDIA_INFERENCE_API_KEY') for target-ref secret blocking.


This is an automated advisory review. A human maintainer must make the final merge decision.
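
The target-ref secret boundary described in the findings above, as an added JavaScript example that is not NemoClaw's workflow-boundary.mts or dispatch.mts code: it flags jobs that run `inputs.target_ref` code while able to read NVIDIA_API_KEY or the retired NVIDIA_INFERENCE_API_KEY. The function names, the sample workflow object and its job names are constructed, and the workflow is assumed to be already parsed from YAML into a plain object.

```javascript
// Added example, not NemoClaw code; all function names are hypothetical.

// Canonical secret plus the retired name, so a rename cannot hide an exposure.
const GUARDED_SECRETS = ["NVIDIA_API_KEY", "NVIDIA_INFERENCE_API_KEY"];
const TARGET_REF = /\binputs\.target_ref\b/;

// Every string reachable from a node (env maps, with: blocks, run scripts).
function collectStrings(node, out = []) {
  if (typeof node === "string") out.push(node);
  else if (Array.isArray(node)) node.forEach((n) => collectStrings(n, out));
  else if (node && typeof node === "object") collectStrings(Object.values(node), out);
  return out;
}

// Guarded secrets referenced as secrets.NAME or secrets['NAME'] under a node.
function referencedSecrets(node) {
  const found = new Set();
  const pattern = /\bsecrets(?:\.|\[\s*['"])([A-Za-z_][A-Za-z0-9_]*)/g;
  for (const text of collectStrings(node)) {
    for (const match of text.matchAll(pattern)) {
      if (GUARDED_SECRETS.includes(match[1])) found.add(match[1]);
    }
  }
  return [...found].sort();
}

// Does this job run code from the caller-supplied ref?
function usesTargetRef(job) {
  if (typeof job.uses === "string") {
    // Reusable-workflow caller: the ref is forwarded through `with:`.
    return collectStrings(job.with || {}).some((v) => TARGET_REF.test(v));
  }
  // Direct job: an actions/checkout step checks the ref out itself.
  return (job.steps || []).some(
    (step) =>
      typeof step.uses === "string" &&
      step.uses.startsWith("actions/checkout@") &&
      TARGET_REF.test(String((step.with || {}).ref || "")),
  );
}

// Guarded secrets a job can see; `secrets: inherit` can forward all of them.
function exposedSecrets(job) {
  if (job.secrets === "inherit") return [...GUARDED_SECRETS].sort();
  return referencedSecrets([job.env, job.secrets, job.with, job.steps]);
}

// Jobs that both run target_ref code and can read a guarded secret.
function findSecretBlockedJobs(workflow) {
  // Workflow-level env reaches direct jobs but is not passed to called workflows.
  const workflowLevel = referencedSecrets(workflow.env || {});
  const findings = [];
  for (const [id, job] of Object.entries(workflow.jobs || {})) {
    if (!usesTargetRef(job)) continue;
    const isCaller = typeof job.uses === "string";
    const all = [...exposedSecrets(job), ...(isCaller ? [] : workflowLevel)];
    const secrets = [...new Set(all)].sort();
    if (secrets.length > 0) {
      findings.push({ job: id, kind: isCaller ? "reusable-caller" : "direct", secrets });
    }
  }
  return findings;
}

// Constructed sample; job bodies are illustrative, not copied from the repository.
const REF = "${{ inputs.target_ref || github.ref }}";
const KEY = "${{ secrets.NVIDIA_API_KEY }}";
const LEGACY_KEY = "${{ secrets['NVIDIA_INFERENCE_API_KEY'] }}";
const SAMPLE_WORKFLOW = {
  jobs: {
    "caller-with-secret": {
      uses: "./.github/workflows/e2e-script.yaml",
      with: { ref: REF, nvidia_api_key: true },
      secrets: { NVIDIA_API_KEY: KEY },
    },
    "direct-with-secret": {
      steps: [
        { uses: "actions/checkout@v4", with: { ref: REF } },
        { run: "bash test/e2e/example.sh", env: { NVIDIA_API_KEY: KEY } },
      ],
    },
    "direct-legacy-name": {
      steps: [
        { uses: "actions/checkout@v4", with: { ref: REF } },
        { run: "bash test/e2e/example.sh", env: { API_KEY: LEGACY_KEY } },
      ],
    },
    // Trusted checkout (no target_ref): the secret is allowed here.
    "trusted-with-secret": {
      steps: [{ uses: "actions/checkout@v4" }, { run: "npm test", env: { NVIDIA_API_KEY: KEY } }],
    },
    // target_ref code without any guarded secret: nothing to report.
    "direct-no-secret": {
      steps: [{ uses: "actions/checkout@v4", with: { ref: REF } }, { run: "npm test" }],
    },
  },
};

console.log(findSecretBlockedJobs(SAMPLE_WORKFLOW));
```

Checking both secret names in one pass is what keeps a rename or a revert from silently moving an exposure outside the validator's view.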

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
src/lib/credentials/store.ts (1)

204-213: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep NVIDIA_INFERENCE_API_KEY as a read-only compatibility alias during the revert.

resolveProviderCredential("NVIDIA_API_KEY") now only checks NVIDIA_API_KEY, and the legacy-file staging path only rehydrates allowlisted current names. Any resumed or non-interactive install that still has only NVIDIA_INFERENCE_API_KEY staged in its environment or legacy credentials.json now resolves as missing instead of transparently recovering, even though the secret is still present under the just-reverted name.

Please preserve the old name as a temporary read-only alias in this resolver and in the legacy staging allowlist until the rollback window is over.

src/lib/onboard.ts (1)

3999-4016: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not use NVIDIA_API_KEY as the fallback NGC credential.

This branch is still resolving ngcApiKey, and the surrounding flow explicitly treats that as the secret used to pull NIM model artifacts. Falling back to NVIDIA_API_KEY here skips the interactive NGC prompt when a cloud inference key is present, then passes the wrong credential into startNimContainerByName(), so the user-selected local NIM path can fail and silently degrade to cloud inference.

Suggested fix
-            ngcApiKey =
-              hydrateCredentialEnv("NGC_API_KEY") || hydrateCredentialEnv("NVIDIA_API_KEY");
+            ngcApiKey = hydrateCredentialEnv("NGC_API_KEY");
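Review bot: On the `+` line, `ngcApiKey` is now empty whenever only NVIDIA_API_KEY is set, and the hunk does not show what the non-interactive branch does in that case. Make sure the `isNonInteractive` path stops with an explicit missing-NGC_API_KEY error before `startNimContainerByName()` is reached, and add a regression test for an environment that has NVIDIA_API_KEY but no NGC_API_KEY.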
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 3999 - 4016, The code incorrectly falls back
to hydrateCredentialEnv("NVIDIA_API_KEY") when resolving ngcApiKey, which can
cause the wrong credential to be used for NIM pulls; change the resolution to
only use hydrateCredentialEnv("NGC_API_KEY") (i.e., set ngcApiKey =
hydrateCredentialEnv("NGC_API_KEY") without the || fallback), leaving the
interactive prompt logic (credentialPrompt.readValue,
credentialPrompt.returningToProviderSelection, isNonInteractive) and subsequent
use in startNimContainerByName unchanged so that only a true NGC key is accepted
and passed through.
test/e2e/test-model-router-provider-routed-inference.sh (1)

68-75: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the standardized NVIDIA redaction placeholder and token-pattern redaction.

The redaction path still writes a generic <REDACTED> and only replaces exact env-secret matches. The documented contract requires [REDACTED_NVIDIA_API_KEY] and nvapi-... token-pattern redaction in failure logs.

Suggested patch
-  python3 - "$file" <<'PY'
-import os, sys
+  python3 - "$file" <<'PY'
+import os, re, sys
 path = sys.argv[1]
 secrets = [os.environ.get("NVIDIA_API_KEY", ""), os.environ.get("NEMOCLAW_PROVIDER_KEY", "")]
 text = open(path, "r", errors="replace").read()
 for secret in filter(None, secrets):
-    text = text.replace(secret, "<REDACTED>")
+    text = text.replace(secret, "[REDACTED_NVIDIA_API_KEY]")
+text = re.sub(r"nvapi-[A-Za-z0-9_-]+", "[REDACTED_NVIDIA_API_KEY]", text)
 open(path, "w").write(text)
 PY
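Review bot: The `text.replace(secret, "[REDACTED_NVIDIA_API_KEY]")` line runs for both entries in `secrets`, so a leaked NEMOCLAW_PROVIDER_KEY value is labelled as an NVIDIA key in the failure log. Pair each env name with its own placeholder, or state that the shared label is intended, and write the result inside a `with open(path, "w") as fh:` block so the handle is flushed and closed deterministically instead of relying on `open(path, "w").write(text)`.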

As per coding guidelines, failure-log redaction must use NVIDIA_API_KEY with [REDACTED_NVIDIA_API_KEY], including regex redaction for nvapi-....

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/test-model-router-provider-routed-inference.sh` around lines 68 -
75, The script currently replaces exact env-secret values and writes a generic
"<REDACTED>" placeholder; change it so NVIDIA_API_KEY is redacted using the
standardized placeholder "[REDACTED_NVIDIA_API_KEY]" and also redact any token
patterns matching the nvapi prefix (e.g. regex like r"nvapi-[A-Za-z0-9_-]+")
anywhere in the file; keep replacing exact NEMOCLAW_PROVIDER_KEY value as before
(or use a distinct placeholder if required) and ensure the code updates the
variable secrets/text replacement logic to perform both exact-value replacement
for env vars and regex-based replacement for nvapi tokens before writing the
file.

Source: Coding guidelines

🧹 Nitpick comments (2)
test/e2e-scenario/live/sandbox-operations.test.ts (1)

101-104: ⚡ Quick win

Thread the required secret value explicitly instead of re-reading ambient process.env.

You already gate on secrets.required("NVIDIA_API_KEY") at Line 531, but onboardSandbox still pulls from process.env. Passing the returned secret into onboardSandbox keeps this test hermetic and avoids hidden env coupling.

Also applies to: 531-531

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/live/sandbox-operations.test.ts` around lines 101 - 104,
The test currently re-reads process.env for the NVIDIA API key inside the
onboardSandbox call and redactionValues, creating hidden env coupling; instead,
capture the secret returned by secrets.required("NVIDIA_API_KEY") (e.g., const
nvidiaApiKey = await secrets.required("NVIDIA_API_KEY")) and pass that value
into onboardSandbox's env (set NVIDIA_API_KEY: nvidiaApiKey) and into
redactionValues ([nvidiaApiKey]) so the test is hermetic and no longer reads
process.env directly.
scripts/nemoclaw-start.sh (1)

1744-1767: Run the sandbox entrypoint E2E lanes for this credential-wiring revert.

Please run sandbox-survival-e2e, sandbox-operations-e2e, cloud-e2e, and openclaw-slack-pairing-e2e on this branch to validate startup, recovery, and channel behavior after restoring NVIDIA_API_KEY wiring.

As per coding guidelines, changes in scripts/nemoclaw-start.sh affect every sandbox boot and should be validated with the listed E2E jobs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/nemoclaw-start.sh` around lines 1744 - 1767, Summary: This change
restores NVIDIA_API_KEY credential wiring in the startup script and needs full
sandbox E2E validation. Run the specified E2E pipelines—sandbox-survival-e2e,
sandbox-operations-e2e, cloud-e2e, and openclaw-slack-pairing-e2e—against this
branch, focusing on startup, recovery, and channel behavior after restoring the
NVIDIA_API_KEY/NEMOCLAW_PROVIDER_KEY wiring (verify the provider_key /
auth-profiles.json creation logic in the startup script and the Python snippet
that writes the {provider_key}:manual api_key entry); report any failures or
deviations.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/inference/inference-options.mdx`:
- Around line 112-117: Router pool examples in the docs use the wrong api_base;
update the router pool entries that set api_base:
"https://inference-api.nvidia.com" to use "https://integrate.api.nvidia.com/v1"
so they match the NemoClaw endpoint described earlier and the repo's router pool
config (pool-config.yaml) and allowlist in scripts/validate-configs.ts;
specifically change the api_base value in the router pool examples (the blocks
that include name: super and the surrounding router pool entries) to the
integrate.api.nvidia.com/v1 URL.

In `@scripts/walkthrough.sh`:
- Around line 39-41: Remove the stale in-sandbox API key instruction by deleting
the line that exports the NVIDIA_API_KEY environment variable (the line
containing export NVIDIA_API_KEY=nvapi-...) so the walkthrough no longer tells
operators to set a secret inside the sandbox; leave the surrounding sandbox
commands (e.g., openshell sandbox connect nemoclaw and nemoclaw-start) intact
and do not add any other secret-handling steps.

In `@test/e2e/test-telegram-injection.sh`:
- Around line 290-297: The test currently looks for the literal substring
"nvapi-" in t4_result which can false-negative; update the leak-detection to
check for the actual expanded secret value and the literal placeholder: if echo
"$t4_result" | grep -qF "$NVIDIA_API_KEY"; then fail "T4: \${NVIDIA_API_KEY}
expanded to actual key value — secret leaked!"; elif echo "$t4_result" | grep
-qF '${NVIDIA_API_KEY}'; then pass "T4: \${NVIDIA_API_KEY} treated as literal
string (not expanded)"; else pass "T4: \${NVIDIA_API_KEY} did not expand to key
value (result: ${t4_result:0:100})" — ensure both grep uses are quoted and use
-qF for fixed-string matching.

---

Outside diff comments:
In `@src/lib/onboard.ts`:
- Around line 3999-4016: The code incorrectly falls back to
hydrateCredentialEnv("NVIDIA_API_KEY") when resolving ngcApiKey, which can cause
the wrong credential to be used for NIM pulls; change the resolution to only use
hydrateCredentialEnv("NGC_API_KEY") (i.e., set ngcApiKey =
hydrateCredentialEnv("NGC_API_KEY") without the || fallback), leaving the
interactive prompt logic (credentialPrompt.readValue,
credentialPrompt.returningToProviderSelection, isNonInteractive) and subsequent
use in startNimContainerByName unchanged so that only a true NGC key is accepted
and passed through.

In `@test/e2e/test-model-router-provider-routed-inference.sh`:
- Around line 68-75: The script currently replaces exact env-secret values and
writes a generic "<REDACTED>" placeholder; change it so NVIDIA_API_KEY is
redacted using the standardized placeholder "[REDACTED_NVIDIA_API_KEY]" and also
redact any token patterns matching the nvapi prefix (e.g. regex like
r"nvapi-[A-Za-z0-9_-]+") anywhere in the file; keep replacing exact
NEMOCLAW_PROVIDER_KEY value as before (or use a distinct placeholder if
required) and ensure the code updates the variable secrets/text replacement
logic to perform both exact-value replacement for env vars and regex-based
replacement for nvapi tokens before writing the file.

---

Nitpick comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 1744-1767: Summary: This change restores NVIDIA_API_KEY credential
wiring in the startup script and needs full sandbox E2E validation. Run the
specified E2E pipelines—sandbox-survival-e2e, sandbox-operations-e2e, cloud-e2e,
and openclaw-slack-pairing-e2e—against this branch, focusing on startup,
recovery, and channel behavior after restoring the
NVIDIA_API_KEY/NEMOCLAW_PROVIDER_KEY wiring (verify the provider_key /
auth-profiles.json creation logic in the startup script and the Python snippet
that writes the {provider_key}:manual api_key entry); report any failures or
deviations.

In `@test/e2e-scenario/live/sandbox-operations.test.ts`:
- Around line 101-104: The test currently re-reads process.env for the NVIDIA
API key inside the onboardSandbox call and redactionValues, creating hidden env
coupling; instead, capture the secret returned by
secrets.required("NVIDIA_API_KEY") (e.g., const nvidiaApiKey = await
secrets.required("NVIDIA_API_KEY")) and pass that value into onboardSandbox's
env (set NVIDIA_API_KEY: nvidiaApiKey) and into redactionValues ([nvidiaApiKey])
so the test is hermetic and no longer reads process.env directly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b2e40073-e8dd-459a-8c4b-414faa4f851c

📥 Commits

Reviewing files that changed from the base of the PR and between 158f575 and 59f78b4.

📒 Files selected for processing (217)
  • .github/workflows/brev-nightly-e2e.yaml
  • .github/workflows/e2e-branch-validation.yaml
  • .github/workflows/e2e-script.yaml
  • .github/workflows/e2e-vitest-scenarios.yaml
  • .github/workflows/macos-e2e.yaml
  • .github/workflows/nightly-e2e.yaml
  • .github/workflows/regression-e2e.yaml
  • .github/workflows/wsl-e2e.yaml
  • agents/hermes/policy-additions.yaml
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/_components/StarterPromptButton.tsx
  • docs/about/release-notes.mdx
  • docs/get-started/quickstart-hermes.mdx
  • docs/get-started/quickstart.mdx
  • docs/inference/inference-options.mdx
  • docs/network-policy/approve-network-requests.mdx
  • docs/reference/network-policies.mdx
  • docs/security/credential-storage.mdx
  • nemoclaw-blueprint/blueprint.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • nemoclaw/src/blueprint/runner.test.ts
  • nemoclaw/src/commands/config-show.test.ts
  • nemoclaw/src/commands/slash.test.ts
  • nemoclaw/src/index.ts
  • nemoclaw/src/lib/subprocess-env.ts
  • nemoclaw/src/onboard/config.test.ts
  • nemoclaw/src/register.test.ts
  • nemoclaw/src/security/secret-scanner.test.ts
  • scripts/checks/direct-credential-env.ts
  • scripts/install.sh
  • scripts/nemoclaw-start.sh
  • scripts/smoke-macos-install.sh
  • scripts/walkthrough.sh
  • src/commands/sandbox/config/rotate-token.ts
  • src/lib/actions/dev/npm-link-or-shim.test.ts
  • src/lib/credentials/store.ts
  • src/lib/deploy/index.test.ts
  • src/lib/deploy/index.ts
  • src/lib/diagnostics/debug.test.ts
  • src/lib/inference/health.test.ts
  • src/lib/inference/health.ts
  • src/lib/inference/model-prompts.test.ts
  • src/lib/inference/model-prompts.ts
  • src/lib/inference/nim.test.ts
  • src/lib/inference/nim.ts
  • src/lib/messaging-channel-config.test.ts
  • src/lib/onboard.ts
  • src/lib/onboard/docker-gpu-patch.test.ts
  • src/lib/onboard/machine/core-flow-phases.test.ts
  • src/lib/onboard/machine/flow-phases/provider-sandbox.test.ts
  • src/lib/onboard/machine/handlers/finalization.test.ts
  • src/lib/onboard/machine/handlers/policies.test.ts
  • src/lib/onboard/machine/handlers/provider-inference.test.ts
  • src/lib/onboard/machine/runtime.test.ts
  • src/lib/onboard/missing-credential-hints.ts
  • src/lib/onboard/model-router.ts
  • src/lib/onboard/providers.test.ts
  • src/lib/onboard/providers.ts
  • src/lib/onboard/routed-inference.test.ts
  • src/lib/onboard/routed-inference.ts
  • src/lib/onboard/summary.test.ts
  • src/lib/onboard/validation-recovery-prompt.ts
  • src/lib/security/redact.test.ts
  • src/lib/security/redact.ts
  • src/lib/state/onboard-session.test.ts
  • src/lib/state/onboard-step-mutation.test.ts
  • src/lib/subprocess-env.ts
  • src/lib/trace.test.ts
  • src/lib/validation.test.ts
  • src/lib/validation.ts
  • test/canonical-credential-resolution.test.ts
  • test/check-env-var-docs.test.ts
  • test/cli/dispatch-basics.test.ts
  • test/config-set-nested-ssrf.test.ts
  • test/credential-exposure.test.ts
  • test/credentials-cli-command.test.ts
  • test/credentials-shim.test.ts
  • test/credentials.test.ts
  • test/e2e-runtime/4851-ultra-toolless-validation.md
  • test/e2e-scenario/fixtures/hosted-inference.ts
  • test/e2e-scenario/fixtures/phases/onboarding.ts
  • test/e2e-scenario/live/credential-migration.test.ts
  • test/e2e-scenario/live/credential-sanitization.test.ts
  • test/e2e-scenario/live/gateway-guard-recovery.test.ts
  • test/e2e-scenario/live/hermes-e2e.test.ts
  • test/e2e-scenario/live/inference-routing.test.ts
  • test/e2e-scenario/live/issue-4434-tui-unreachable-inference.test.ts
  • test/e2e-scenario/live/launchable-smoke.test.ts
  • test/e2e-scenario/live/model-router-provider-routed-inference.test.ts
  • test/e2e-scenario/live/network-policy.test.ts
  • test/e2e-scenario/live/onboard-negative-paths.test.ts
  • test/e2e-scenario/live/onboard-resume.test.ts
  • test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e-scenario/live/rebuild-openclaw.test.ts
  • test/e2e-scenario/live/sandbox-operations.test.ts
  • test/e2e-scenario/live/sandbox-rebuild.test.ts
  • test/e2e-scenario/live/sandbox-survival.test.ts
  • test/e2e-scenario/live/shields-config.test.ts
  • test/e2e-scenario/live/skill-agent.test.ts
  • test/e2e-scenario/live/token-rotation.test.ts
  • test/e2e-scenario/live/whatsapp-qr-compact.test.ts
  • test/e2e-scenario/manifests/hermes-nvidia-discord.yaml
  • test/e2e-scenario/manifests/hermes-nvidia-slack.yaml
  • test/e2e-scenario/manifests/hermes-nvidia.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-brave.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-brev-launchable.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-custom-policies.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-discord.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-double-provider-switch.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-double-same-provider.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-gateway-port-conflict.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-invalid-key.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-macos.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-no-docker-negative.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-post-reboot-recovery.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-repair.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-resume.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-slack.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-telegram.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-token-rotation.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-wsl.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia.yaml
  • test/e2e-scenario/scenarios/scenarios/baseline.ts
  • test/e2e-scenario/scenarios/types.ts
  • test/e2e-scenario/support-tests/docker-probe.test.ts
  • test/e2e-scenario/support-tests/e2e-fixture-context.test.ts
  • test/e2e-scenario/support-tests/e2e-manifests.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-environment.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-onboarding.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-state-validation.test.ts
  • test/e2e-scenario/support-tests/e2e-scenario-matrix.test.ts
  • test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
  • test/e2e-scenario/support-tests/hosted-inference.test.ts
  • test/e2e-scenario/support-tests/network-policy-transient-provider.test.ts
  • test/e2e-script-workflow.test.ts
  • test/e2e/brev-e2e.test.ts
  • test/e2e/e2e-cloud-experimental/checks/03-security-checks.sh
  • test/e2e/e2e-cloud-experimental/expect-interactive-install.sh
  • test/e2e/e2e-cloud-experimental/features/skill/add-sandbox-skill.sh
  • test/e2e/e2e-cloud-experimental/features/skill/verify-sandbox-skill-via-agent.sh
  • test/e2e/e2e-cloud-experimental/test-port8080-conflict.sh
  • test/e2e/lib/ci-compatible-inference.sh
  • test/e2e/test-agent-turn-latency-e2e.sh
  • test/e2e/test-bedrock-runtime-compatible-anthropic.sh
  • test/e2e/test-brave-search-e2e.sh
  • test/e2e/test-channels-add-remove.sh
  • test/e2e/test-channels-stop-start.sh
  • test/e2e/test-cloud-inference-e2e.sh
  • test/e2e/test-cloud-onboard-e2e.sh
  • test/e2e/test-common-egress-agent-e2e.sh
  • test/e2e/test-credential-migration.sh
  • test/e2e/test-credential-sanitization.sh
  • test/e2e/test-cron-preflight-inference-local-e2e.sh
  • test/e2e/test-device-auth-health.sh
  • test/e2e/test-diagnostics.sh
  • test/e2e/test-double-onboard.sh
  • test/e2e/test-full-e2e.sh
  • test/e2e/test-hermes-discord-e2e.sh
  • test/e2e/test-hermes-e2e.sh
  • test/e2e/test-hermes-inference-switch.sh
  • test/e2e/test-hermes-slack-e2e.sh
  • test/e2e/test-inference-routing.sh
  • test/e2e/test-issue-2478-crash-loop-recovery.sh
  • test/e2e/test-issue-4434-tui-unreachable-inference.sh
  • test/e2e/test-issue-4462-scope-upgrade-approval.sh
  • test/e2e/test-kimi-inference-compat.sh
  • test/e2e/test-launchable-smoke.sh
  • test/e2e/test-messaging-providers.sh
  • test/e2e/test-model-router-provider-routed-inference.sh
  • test/e2e/test-network-policy.sh
  • test/e2e/test-onboard-negative-paths.sh
  • test/e2e/test-onboard-repair.sh
  • test/e2e/test-onboard-resume.sh
  • test/e2e/test-openclaw-discord-pairing.sh
  • test/e2e/test-openclaw-inference-switch.sh
  • test/e2e/test-openclaw-plugin-runtime-exdev.sh
  • test/e2e/test-openclaw-skill-cli-e2e.sh
  • test/e2e/test-openclaw-slack-pairing.sh
  • test/e2e/test-overlayfs-autofix.sh
  • test/e2e/test-rebuild-hermes.sh
  • test/e2e/test-rebuild-openclaw.sh
  • test/e2e/test-sandbox-operations.sh
  • test/e2e/test-sandbox-rebuild.sh
  • test/e2e/test-sandbox-survival.sh
  • test/e2e/test-sessions-agents-cli.sh
  • test/e2e/test-shields-config.sh
  • test/e2e/test-skill-agent-e2e.sh
  • test/e2e/test-snapshot-commands.sh
  • test/e2e/test-state-backup-restore.sh
  • test/e2e/test-telegram-injection.sh
  • test/e2e/test-token-rotation.sh
  • test/e2e/test-tunnel-lifecycle.sh
  • test/e2e/test-upgrade-stale-sandbox.sh
  • test/gateway-state-reconcile-2276.test.ts
  • test/helpers/onboard-final-flow-phases.ts
  • test/host-artifact-cleanup.test.ts
  • test/nemoclaw-start.test.ts
  • test/no-direct-credential-env.test.ts
  • test/ollama-proxy-recovery.test.ts
  • test/onboard-messaging.test.ts
  • test/onboard-model-router.test.ts
  • test/onboard-selection-vllm.test.ts
  • test/onboard-selection.test.ts
  • test/onboard.test.ts
  • test/rebuild-credential-hydration.test.ts
  • test/rebuild-credential-preflight.test.ts
  • test/rebuild-shields-auto-unlock.test.ts
  • test/rebuild-stale-recovery.test.ts
  • test/regression-e2e-workflow.test.ts
  • test/runner.test.ts
  • test/secret-redaction.test.ts
  • test/smoke-macos-install.test.ts
  • test/validate-blueprint.test.ts
  • tools/e2e-scenarios/workflow-boundary.mts
💤 Files with no reviewable changes (3)
  • test/e2e-scenario/support-tests/hosted-inference.test.ts
  • test/e2e-scenario/fixtures/hosted-inference.ts
  • test/e2e/lib/ci-compatible-inference.sh

Comment on lines +112 to +117
api_base: "https://inference-api.nvidia.com"

- name: super
litellm_model: "openai/nvidia/nvidia/nemotron-3-super-v3"
cost_per_m_input_tokens: 0.10
api_base: "https://integrate.api.nvidia.com"
api_base: "https://inference-api.nvidia.com"
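Review bot: Neither `api_base` value shown for the `super` entry carries the `/v1` path, while the NVIDIA Endpoints description in the same document is quoted as `https://integrate.api.nvidia.com/v1`. Whichever host the example ends up with, either include the path in the example or state in the docs that the router appends it, so a copied pool entry resolves to the same endpoint the text describes.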

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check if both NVIDIA endpoints are consistently referenced across docs and config

# Search for all references to NVIDIA API endpoints in docs and config
rg -n --type=md --type=mdx --type=yaml -C2 'integrate\.api\.nvidia\.com|inference-api\.nvidia\.com'

Repository: NVIDIA/NemoClaw

Length of output: 87


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="docs/inference/inference-options.mdx"

echo "---- Inspect target file around lines 70-130 ----"
nl -ba "$FILE" | sed -n '70,130p'

echo
echo "---- Repo-wide occurrences of both endpoints (explicit globs) ----"
rg -n -C2 "integrate\.api\.nvidia\.com|inference-api\.nvidia\.com" \
  -g'*.md' -g'*.mdx' -g'*.yml' -g'*.yaml'

Repository: NVIDIA/NemoClaw

Length of output: 170


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="docs/inference/inference-options.mdx"

echo "---- Inspect target file around lines 70-130 ----"
# Line-numbered output without `nl`
awk 'NR>=70 && NR<=130 {printf "%4d:%s\n", NR, $0}' "$FILE"

echo
echo "---- Repo-wide occurrences of both endpoints (explicit globs) ----"
rg -n -C2 "integrate\.api\.nvidia\.com|inference-api\.nvidia\.com" \
  -g'*.md' -g'*.mdx' -g'*.yml' -g'*.yaml'

Repository: NVIDIA/NemoClaw

Length of output: 24942


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- Show router pool-config.yaml ----"
sed -n '1,120p' nemocl…/router/pool-config.yaml 2>/dev/null || true
# safer: print with actual path from earlier results
sed -n '1,120p' nemoclaw-blueprint/router/pool-config.yaml

echo
echo "---- Find where 'api_base' is used for router/nemotron ----"
rg -n --hidden --glob '!.git' "api_base" nemoclaw-blueprint docs agents src test tools 2>/dev/null || true

echo
echo "---- Find litellm router/provider config usage (nvidia-router, routed) ----"
rg -n --hidden --glob '!.git' "nvidia-router|provider_type: \"nvidia\"|routed\"|nemoclaw-blueprint/router" . 2>/dev/null || true

Repository: NVIDIA/NemoClaw

Length of output: 14824


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- Inspect src/lib/onboard/routed-inference.ts ----"
sed -n '1,220p' src/lib/onboard/routed-inference.ts
echo
echo "---- Find how router pool 'api_base' is interpreted ----"
rg -n "pool-config.yaml|api_base|inference-api\.nvidia\.com|integrate\.api\.nvidia\.com|v1" src/lib/onboard src/lib/inference src/lib/actions src/lib/domain 2>/dev/null || true

echo
echo "---- Inspect router config tests mentioning api_base ----"
sed -n '180,320p' test/validate-config-schemas.test.ts
sed -n '1,140p' test/validate-configs-dangerous-hosts.test.ts

Repository: NVIDIA/NemoClaw

Length of output: 50371


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' scripts/validate-configs.ts

echo
echo "---- show ROUTER_API_BASE_HOST_ALLOWLIST definition ----"
rg -n "ROUTER_API_BASE_HOST_ALLOWLIST" scripts/validate-configs.ts
sed -n '220,360p' scripts/validate-configs.ts

Repository: NVIDIA/NemoClaw

Length of output: 13336


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,260p' src/lib/inference/provider-models.ts

Repository: NVIDIA/NemoClaw

Length of output: 7638


Fix router pool api_base endpoint mismatch in NVIDIA inference options docs.
In docs/inference/inference-options.mdx, the NVIDIA Endpoints description (line 83) says NemoClaw uses https://integrate.api.nvidia.com/v1, but the router pool examples (lines 112 and 117) use https://inference-api.nvidia.com.
The repo’s actual router pool config nemoclaw-blueprint/router/pool-config.yaml uses api_base: "https://integrate.api.nvidia.com/v1", and scripts/validate-configs.ts only allowlists integrate.api.nvidia.com as a safe router pool api_base host.
Update the router pool examples to https://integrate.api.nvidia.com/v1 (or update the router implementation + config validation + docs to justify https://inference-api.nvidia.com).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/inference/inference-options.mdx` around lines 112 - 117, Router pool
examples in the docs use the wrong api_base; update the router pool entries that
set api_base: "https://inference-api.nvidia.com" to use
"https://integrate.api.nvidia.com/v1" so they match the NemoClaw endpoint
described earlier and the repo's router pool config (pool-config.yaml) and
allowlist in scripts/validate-configs.ts; specifically change the api_base value
in the router pool examples (the blocks that include name: super and the
surrounding router pool entries) to the integrate.api.nvidia.com/v1 URL.
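The host check this finding relies on can be sketched as follows. This is an added example, not code from the PR or from `scripts/validate-configs.ts`: the function names, the `pools:` layout and the sample entries are assumptions constructed for illustration, and the allowlist holds only the one host the review names.

```shell
#!/usr/bin/env bash
# Assumption: a single-host allowlist, mirroring the one host the review names.
ALLOWED_HOSTS="integrate.api.nvidia.com"

# Print the lowercase host of an https URL; fail for any other scheme.
url_host() {
  local rest
  case "$1" in
    https://*) rest=${1#https://} ;;
    *) return 1 ;;
  esac
  rest=${rest%%[/?#]*}   # drop path, query and fragment
  rest=${rest##*@}       # drop userinfo: "allowed-host@other" connects to "other"
  rest=${rest%%:*}       # drop port
  printf '%s\n' "$rest" | tr '[:upper:]' '[:lower:]'
}

# Read config or docs text on stdin and print "LINE:HOST" for every api_base
# whose host is not allowlisted. Returns 1 if anything was printed.
check_api_base() {
  local n=0 bad=0 line url host
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in *api_base:*) ;; *) continue ;; esac
    url=$(printf '%s' "${line#*api_base:}" | tr -d "\"' \t")
    host=$(url_host "$url") || host="(not https)"
    case " $ALLOWED_HOSTS " in
      *" $host "*) ;;                       # exact match only, no suffix match
      *) printf '%s:%s\n' "$n" "$host"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample, not the project's pool-config.yaml.
SAMPLE_POOL='pools:
  - name: super
    api_base: "https://integrate.api.nvidia.com/v1"
  - name: docs-example
    api_base: "https://inference-api.nvidia.com"
  - name: lookalike
    api_base: "https://integrate.api.nvidia.com.example.test/v1"
  - name: userinfo
    api_base: "https://integrate.api.nvidia.com@example.test/v1"'

printf '%s\n' "$SAMPLE_POOL" | check_api_base || true
```

Running the same function over documentation files as well as config files would surface a docs example that names a host the validator rejects.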

Comment thread scripts/walkthrough.sh
Comment on lines 39 to 41
# openshell sandbox connect nemoclaw
# export NVIDIA_INFERENCE_API_KEY=nvapi-...
# export NVIDIA_API_KEY=nvapi-...
# nemoclaw-start


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove the stale in-sandbox API key export instruction.

Line 40 conflicts with the behavior explained on Line 88-89 (“not needed inside the sandbox”). Keeping both instructions can confuse operators and promotes unnecessary secret handling in the sandbox shell.

Suggested update
   Terminal 2 (Agent):
     openshell sandbox connect nemoclaw
-    export NVIDIA_API_KEY=nvapi-...
     nemoclaw-start
     openclaw agent --agent main --local --session-id live
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/walkthrough.sh` around lines 39 - 41, Remove the stale in-sandbox API
key instruction by deleting the line that exports the NVIDIA_API_KEY environment
variable (the line containing export NVIDIA_API_KEY=nvapi-...) so the
walkthrough no longer tells operators to set a secret inside the sandbox; leave
the surrounding sandbox commands (e.g., openshell sandbox connect nemoclaw and
nemoclaw-start) intact and do not add any other secret-handling steps.

Comment on lines +290 to +297
# The result should contain the literal string ${NVIDIA_API_KEY}, not a nvapi- value
if echo "$t4_result" | grep -q "nvapi-"; then
fail "T4: \${NVIDIA_INFERENCE_API_KEY} expanded to actual key value — secret leaked!"
elif echo "$t4_result" | grep -qF '${NVIDIA_INFERENCE_API_KEY}'; then
pass "T4: \${NVIDIA_INFERENCE_API_KEY} treated as literal string (not expanded)"
fail "T4: \${NVIDIA_API_KEY} expanded to actual key value — secret leaked!"
elif echo "$t4_result" | grep -qF '${NVIDIA_API_KEY}'; then
pass "T4: \${NVIDIA_API_KEY} treated as literal string (not expanded)"
else
# Empty or other result — still safe as long as key not leaked
pass "T4: \${NVIDIA_INFERENCE_API_KEY} did not expand to key value (result: ${t4_result:0:100})"
pass "T4: \${NVIDIA_API_KEY} did not expand to key value (result: ${t4_result:0:100})"
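Review bot: The final `else` branch reports a pass for any result that contains neither `nvapi-` nor the literal placeholder, including an empty one, so a run in which the command produced no output at all is recorded as safe. Consider treating an empty `t4_result` as a separate, inconclusive outcome. The pass message in that branch also writes the first 100 characters of the result to the test log, which is worth a second look for a test whose purpose is to catch secret exposure.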


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

T4 leak detection can false-negative by matching only nvapi- instead of the actual secret value.

Line 291 should check for ${NVIDIA_API_KEY} directly. Right now, if the key format changes, the test can pass even when expansion leaked the real key.

Suggested fix
-# The result should contain the literal string ${NVIDIA_API_KEY}, not a nvapi- value
-if echo "$t4_result" | grep -q "nvapi-"; then
+# The result should contain the literal string ${NVIDIA_API_KEY}, not the real key value
+if echo "$t4_result" | grep -qF "$NVIDIA_API_KEY"; then
   fail "T4: \${NVIDIA_API_KEY} expanded to actual key value — secret leaked!"
 elif echo "$t4_result" | grep -qF '${NVIDIA_API_KEY}'; then
   pass "T4: \${NVIDIA_API_KEY} treated as literal string (not expanded)"
 else
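Review bot: In the replacement condition, `grep -qF "$NVIDIA_API_KEY"` matches every input line when `NVIDIA_API_KEY` is empty or unset in the test shell, so the test would report a leak on every run in that case. Guard the check with a non-empty test on the variable. Consider keeping the `nvapi-` match as a second condition rather than dropping it, since it still catches a key of that format that differs from the value in the test environment.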
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/test-telegram-injection.sh` around lines 290 - 297, The test
currently looks for the literal substring "nvapi-" in t4_result which can
false-negative; update the leak-detection to check for the actual expanded
secret value and the literal placeholder: if echo "$t4_result" | grep -qF
"$NVIDIA_API_KEY"; then fail "T4: \${NVIDIA_API_KEY} expanded to actual key
value — secret leaked!"; elif echo "$t4_result" | grep -qF '${NVIDIA_API_KEY}';
then pass "T4: \${NVIDIA_API_KEY} treated as literal string (not expanded)";
else pass "T4: \${NVIDIA_API_KEY} did not expand to key value (result:
${t4_result:0:100})" — ensure both grep uses are quoted and use -qF for
fixed-string matching.
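The leak check discussed in this comment, written as a standalone classifier. This is an added example, not code from the PR or from `test/e2e/test-telegram-injection.sh`: `classify_leak`, its outcome names and the sample secret are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# classify_leak RESULT SECRET VAR_NAME
# Prints leaked | leaked-prefix | literal | empty | other; returns 1 on a leak.
classify_leak() {
  local result="$1" secret="$2" var="$3"
  # Exact-value check first. Skipped when the secret is empty, because an
  # empty pattern matches any text and would report a leak on every run.
  if [ -n "$secret" ]; then
    case "$result" in *"$secret"*) echo leaked; return 1 ;; esac
  fi
  # Format check kept as a second signal: it catches a key of the known
  # format that differs from the value in this shell's environment.
  case "$result" in *nvapi-*) echo leaked-prefix; return 1 ;; esac
  # The unexpanded placeholder, e.g. ${NVIDIA_API_KEY}, is the safe outcome.
  case "$result" in *"\${$var}"*) echo literal; return 0 ;; esac
  # Report empty output separately so it is not mistaken for proof of safety.
  if [ -z "$result" ]; then echo empty; return 0; fi
  echo other
}

# Constructed values; neither is a real credential.
SAMPLE_SECRET="example-secret-0000"
classify_leak "reply: $SAMPLE_SECRET" "$SAMPLE_SECRET" NVIDIA_API_KEY || true
classify_leak 'reply: ${NVIDIA_API_KEY}' "$SAMPLE_SECRET" NVIDIA_API_KEY
```

The sample secret deliberately lacks the `nvapi-` prefix, which is the case a prefix-only check misses.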

@github-actions

Contributor

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27472269478
Workflow ref: jyaunches/revert-inference-api-key-migration
Requested scenarios: (default — all supported)
Requested jobs: (default — all free-standing when no scenarios are requested)
Summary: 33 passed, 3 failed, 0 skipped

Job Result
bedrock-runtime-compatible-anthropic-vitest ✅ success
channels-add-remove-vitest ❌ failure
cloud-inference-vitest ✅ success
common-egress-agent-vitest ✅ success
credential-migration-vitest ✅ success
credential-sanitization-vitest ✅ success
double-onboard-vitest ✅ success
gateway-drift-preflight-vitest ✅ success
gateway-guard-recovery ✅ success
gateway-health-honest-vitest ✅ success
generate-matrix ✅ success
hermes-e2e-vitest ✅ success
hermes-root-entrypoint-smoke-vitest ✅ success
inference-routing-vitest ✅ success
issue-2478-crash-loop-recovery-vitest ✅ success
issue-4434-tui-unreachable-inference-vitest ✅ success
launchable-smoke-vitest ✅ success
live-scenarios ✅ success
messaging-compatible-endpoint-vitest ✅ success
messaging-providers-vitest ❌ failure
model-router-provider-routed-inference-vitest ✅ success
network-policy-vitest ❌ failure
onboard-negative-paths-vitest ✅ success
openclaw-inference-switch-vitest ✅ success
openclaw-skill-cli-vitest ✅ success
openclaw-tui-chat-correlation-vitest ✅ success
openshell-version-pin-vitest ✅ success
rebuild-openclaw-vitest ✅ success
runtime-overrides-vitest ✅ success
sandbox-rebuild-vitest ✅ success
sandbox-survival-vitest ✅ success
sessions-agents-cli-vitest ✅ success
shields-config-vitest ✅ success
skill-agent-vitest ✅ success
state-backup-restore-vitest ✅ success
token-rotation-vitest ✅ success

Failed jobs: channels-add-remove-vitest, messaging-providers-vitest, network-policy-vitest. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27472268756
Target ref: jyaunches/revert-inference-api-key-migration
Requested jobs: all (no filter)
Summary: 59 passed, 6 failed, 0 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ✅ success
bedrock-runtime-compatible-anthropic-e2e ✅ success
brave-search-e2e ✅ success
channels-add-remove-e2e ✅ success
channels-stop-start-hermes-e2e ✅ success
channels-stop-start-openclaw-e2e ✅ success
cloud-e2e ✅ success
cloud-inference-e2e ✅ success
cloud-onboard-e2e ✅ success
common-egress-agent-e2e ✅ success
concurrent-gateway-ports-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ✅ success
cron-preflight-inference-local-e2e ✅ success
device-auth-health-e2e ✅ success
diagnostics-e2e ✅ success
docs-validation-e2e ✅ success
double-onboard-e2e ✅ success
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ✅ success
hermes-dashboard-e2e ✅ success
hermes-discord-e2e ✅ success
hermes-e2e ✅ success
hermes-inference-switch-e2e ✅ success
hermes-onboard-security-posture-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ✅ success
inference-routing-e2e ✅ success
issue-2478-crash-loop-recovery-e2e ❌ failure
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ✅ success
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ❌ failure
launchable-smoke-e2e ✅ success
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ❌ failure
network-policy-e2e ✅ success
onboard-negative-paths-e2e ✅ success
onboard-repair-e2e ✅ success
onboard-resume-e2e ✅ success
openclaw-anthropic-inference-switch-e2e ✅ success
openclaw-discord-pairing-e2e ✅ success
openclaw-inference-switch-e2e ✅ success
openclaw-onboard-security-posture-e2e ✅ success
openclaw-skill-cli-e2e ✅ success
openclaw-slack-pairing-e2e ✅ success
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ✅ success
overlayfs-autofix-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success
rebuild-openclaw-e2e ✅ success
runtime-overrides-e2e ✅ success
sandbox-operations-e2e ✅ success
sandbox-survival-e2e ✅ success
sessions-agents-cli-e2e ✅ success
shields-config-e2e ✅ success
skill-agent-e2e ✅ success
snapshot-commands-e2e ✅ success
state-backup-restore-e2e ✅ success
telegram-injection-e2e ✅ success
token-rotation-e2e ✅ success
tunnel-lifecycle-e2e ✅ success
upgrade-stale-sandbox-e2e ✅ success

Failed jobs: issue-2478-crash-loop-recovery-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, kimi-inference-compat-e2e, messaging-providers-e2e, openclaw-tui-chat-correlation-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27472268756
Target ref: jyaunches/revert-inference-api-key-migration
Requested jobs: all (no filter)
Summary: 61 passed, 4 failed, 0 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ✅ success
bedrock-runtime-compatible-anthropic-e2e ✅ success
brave-search-e2e ✅ success
channels-add-remove-e2e ✅ success
channels-stop-start-hermes-e2e ✅ success
channels-stop-start-openclaw-e2e ✅ success
cloud-e2e ✅ success
cloud-inference-e2e ✅ success
cloud-onboard-e2e ✅ success
common-egress-agent-e2e ✅ success
concurrent-gateway-ports-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ✅ success
cron-preflight-inference-local-e2e ✅ success
device-auth-health-e2e ✅ success
diagnostics-e2e ✅ success
docs-validation-e2e ✅ success
double-onboard-e2e ✅ success
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ✅ success
hermes-dashboard-e2e ✅ success
hermes-discord-e2e ✅ success
hermes-e2e ✅ success
hermes-inference-switch-e2e ✅ success
hermes-onboard-security-posture-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ✅ success
inference-routing-e2e ✅ success
issue-2478-crash-loop-recovery-e2e ❌ failure
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ✅ success
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ✅ success
launchable-smoke-e2e ✅ success
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ❌ failure
network-policy-e2e ✅ success
onboard-negative-paths-e2e ✅ success
onboard-repair-e2e ✅ success
onboard-resume-e2e ✅ success
openclaw-anthropic-inference-switch-e2e ✅ success
openclaw-discord-pairing-e2e ✅ success
openclaw-inference-switch-e2e ✅ success
openclaw-onboard-security-posture-e2e ✅ success
openclaw-skill-cli-e2e ✅ success
openclaw-slack-pairing-e2e ✅ success
openclaw-tui-chat-correlation-e2e ✅ success
openshell-gateway-upgrade-e2e ✅ success
overlayfs-autofix-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success
rebuild-openclaw-e2e ✅ success
runtime-overrides-e2e ✅ success
sandbox-operations-e2e ✅ success
sandbox-survival-e2e ✅ success
sessions-agents-cli-e2e ✅ success
shields-config-e2e ✅ success
skill-agent-e2e ✅ success
snapshot-commands-e2e ✅ success
state-backup-restore-e2e ✅ success
telegram-injection-e2e ✅ success
token-rotation-e2e ✅ success
tunnel-lifecycle-e2e ✅ success
upgrade-stale-sandbox-e2e ✅ success

Failed jobs: issue-2478-crash-loop-recovery-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, messaging-providers-e2e. Check run artifacts for logs.

@cv

cv commented Jun 13, 2026

Collaborator

Let's hold on merging this one. I still have hope that I can get E2Es pointing at the custom inference API with a few tweaks, and then we can further replace the inference API calls entirely for a fake server where it makes sense to do so.

@jyaunches jyaunches changed the title from "revert: restore NVIDIA_API_KEY inference wiring" to "fix: restore NVIDIA_API_KEY inference wiring" Jun 13, 2026