fix(onboard): early-validate NEMOCLAW_POLICY_TIER before preflight (#3741) #3788

Merged: cv merged 5 commits into main from fix/policy-tier-early-validate-3741 on Jun 5, 2026

@nvshaxie nvshaxie commented May 19, 2026

Summary

  • commands.md promises NEMOCLAW_POLICY_TIER validation is upfront, but the check only ran inside selectPolicyTier() — which executes after preflight, gateway start, and inference setup have already had side effects.
  • Extract the env parsing into a small resolvePolicyTierFromEnv() helper and gate it both early in onboard() (mirrors the existing NEMOCLAW_PROVIDER fail-fast block right above) and inside selectPolicyTier().
  • The early gate is a no-op when the env var is unset, so the interactive prompt's default behavior is unchanged.

Bug reproduction (pre-fix, current main)

```
NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 \
NEMOCLAW_POLICY_TIER=invalid_tier NEMOCLAW_PROVIDER=ollama \
NEMOCLAW_MODEL=qwen2.5:0.5b NEMOCLAW_SANDBOX_NAME=tier-test \
CHAT_UI_URL=http://127.0.0.1:18789 nemoclaw onboard

[1/8] Preflight checks ← runs anyway
✓ Docker is running … ✓ NVIDIA GPU detected …
[2/8] Starting OpenShell gateway ← runs anyway
[3/8] Configuring inference (NIM) ← runs anyway
✓ Using Ollama on localhost:11434 (proxy on :11435)
Loading Ollama model: qwen2.5:0.5b …
(eventually fails for an unrelated reason — the bogus tier is never surfaced)
```

Behavior post-fix (same command)

```
Unknown policy tier: invalid_tier. Valid: restricted, balanced, open
```

Exit 1. Nothing else printed. No preflight, no gateway probe, no Ollama systemd override.

Test plan

  • New vitest case rejects unknown NEMOCLAW_POLICY_TIER with a clear error and non-zero exit (#3741) in test/policy-tiers-onboard.test.ts — uses the existing runScript/buildPreamble harness, asserts exit code 1, asserts stderr matches the canonical message, asserts the unreachable marker is not printed.
  • npx vitest run test/policy-tiers-onboard.test.ts — 23/23 pass.
  • Manual end-to-end on Ubuntu 24.04 x86_64 against the source build (node bin/nemoclaw.js onboard): verified both directions — invalid tier exits before [1/8] preflight, valid tier (restricted) proceeds normally past validation, no env var defaults to balanced and proceeds normally.

Fixes #3741.

Signed-off-by: Shawn Xie shaxie@nvidia.com

Summary by CodeRabbit

  • Bug Fixes

    • Onboarding now validates NEMOCLAW_POLICY_TIER earlier: unset/blank defaults to "balanced", while any non-blank invalid value aborts onboarding with an error listing valid tiers ("restricted, balanced, open").
  • Documentation

    • Updated CLI and policy docs to describe the new defaulting and strict non-interactive validation behavior for NEMOCLAW_POLICY_TIER.
  • Tests

    • Added an integration test verifying invalid policy-tier env values exit with an error and do not continue onboarding.

…3741)

commands.md promises that "if the value does not match a known tier,
onboarding exits with an error listing the valid options." In practice
the validation only ran inside `selectPolicyTier()`, which is called
after preflight + gateway + inference setup have all completed. A user
with `NEMOCLAW_POLICY_TIER=invalid_tier` in their environment got
through steps [1/8] preflight, [2/8] gateway, and [3/8] inference
before the wizard finally noticed the typo — and a CI pipeline that
pre-populates the API key could pass entirely unnoticed.

Extract the env-name parsing + validation into `resolvePolicyTierFromEnv`
and gate it twice:

1. Early in `onboard()` (right after the existing NEMOCLAW_PROVIDER
   fail-fast block) when the env var is explicitly set, so an invalid
   tier exits before any preflight side effects.
2. Inside `selectPolicyTier()` non-interactive branch, so callers that
   bypass the early gate keep the same contract.

The early gate is intentionally a no-op when the env var is unset so
the interactive wizard prompt still drives the default flow.

Test plan
- Added `rejects unknown NEMOCLAW_POLICY_TIER with a clear error and
  non-zero exit (#3741)` to test/policy-tiers-onboard.test.ts — exits
  status 1, prints the canonical "Unknown policy tier: invalid_tier.
  Valid: restricted, balanced, open" to stderr, and never reaches the
  unreachable marker.
- `npx vitest run test/policy-tiers-onboard.test.ts` — 23/23 pass.
- Manual: `NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1
  NEMOCLAW_POLICY_TIER=invalid_tier node bin/nemoclaw.js onboard` —
  immediate exit with the expected error, no [1/8] preflight output.

Signed-off-by: Shawn Xie <shaxie@nvidia.com>
@nvshaxie nvshaxie requested review from cv and ericksoa May 19, 2026 04:17

copy-pr-bot Bot commented May 19, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.


coderabbitai Bot commented May 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b474489e-8fad-48b9-8b5c-73d7a80df92e

📥 Commits

Reviewing files that changed from the base of the PR and between 7fb6933 and 7c5b963.

📒 Files selected for processing (3)
  • docs/reference/commands-nemohermes.mdx
  • docs/reference/commands.mdx
  • docs/reference/network-policies.mdx
💤 Files with no reviewable changes (3)
  • docs/reference/network-policies.mdx
  • docs/reference/commands.mdx
  • docs/reference/commands-nemohermes.mdx

Walkthrough

Centralizes NEMOCLAW_POLICY_TIER handling in a new helper that normalizes and validates the env var, integrates it into selectPolicyTier(), and invokes an early validator in onboard() to fail fast on non-empty invalid values. Adds an integration test asserting the fast-fail behavior.

Changes

Early NEMOCLAW_POLICY_TIER validation

| Layer / File(s) | Summary |
|---|---|
| Policy tier resolver and early validator (`src/lib/onboard/policy-tier-env.ts`) | Adds resolvePolicyTierFromEnv() and validatePolicyTierEnvEarly() to normalize, default (balanced), validate via getTier, and exit with an error listing valid tiers when a non-blank invalid value is provided. |
| onboard.ts: import and selectPolicyTier integration (`src/lib/onboard.ts`) | Imports policyTierEnv and replaces inline non-interactive parsing/validation in selectPolicyTier() with policyTierEnv.resolvePolicyTierFromEnv(). |
| onboard.ts: early validation gate (`src/lib/onboard.ts`) | Calls policyTierEnv.validatePolicyTierEnvEarly() early in onboard() so non-empty invalid NEMOCLAW_POLICY_TIER values abort before preflight/gateway/inference steps. |
| Integration test: invalid tier rejection (`test/policy-tiers-onboard.test.ts`) | New Vitest test spawns Node to assert that NEMOCLAW_POLICY_TIER=invalid_tier causes process exit code 1, stderr lists exact valid tiers (restricted, balanced, open), and success output is not produced. |
| Docs: reference updates (`docs/reference/commands-nemohermes.mdx`, `docs/reference/commands.mdx`, `docs/reference/network-policies.mdx`) | Document that unset/blank/whitespace defaults to balanced and that any non-blank invalid value is rejected early with an error enumerating valid tiers. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant Onboard
  participant PolicyTierEnv
  Onboard->>PolicyTierEnv: validatePolicyTierEnvEarly() (if env set & non-blank)
  PolicyTierEnv->>PolicyTierEnv: normalize value, getTier()
  PolicyTierEnv-->>Onboard: return normalized tier OR call process.exit(1) with error
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • NVIDIA/NemoClaw#4581: Also modifies non-interactive policy-tier handling inside selectPolicyTier() and related validation/selection logic.

Suggested labels

area: onboarding, fix

Suggested reviewers

  • prekshivyas
  • cjagwani

Poem

🐰 I hopped into code, a tiny patch to mend,
Bad tiers no longer slip—I'll catch them at the end,
Trim, lowercase, check the list, and if you stray away,
I'll shout the valid names and gently send you on your way.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title directly reflects the main change: implementing early validation of NEMOCLAW_POLICY_TIER before preflight steps in onboarding. |
| Linked Issues check | ✅ Passed | All requirements from issue #3741 are met: invalid tier values now cause immediate exit with non-zero code before preflight, valid error messages list correct tiers, and early validation is implemented in the onboarding entrypoint. |
| Out of Scope Changes check | ✅ Passed | All changes directly address the requirements in issue #3741; the refactoring into policy-tier-env.ts is a proper implementation detail, and documentation updates align with the enforced behavior. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


github-actions Bot commented May 19, 2026

E2E Advisor Recommendation

Required E2E: onboard-negative-paths-e2e, cloud-onboard-e2e
Optional E2E: network-policy-e2e, docs-validation-e2e

Dispatch hint: onboard-negative-paths-e2e,cloud-onboard-e2e

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • onboard-negative-paths-e2e (high; live install/onboard path with 75 minute job timeout): Best existing targeted E2E for non-interactive onboarding validation and negative/edge-case behavior. This PR changes fail-fast validation for an onboarding environment variable before usage notice and preflight, so this should block merge.
  • cloud-onboard-e2e (high; live install/onboard with NVIDIA_API_KEY and sandbox checks): Exercises the real non-interactive install and onboard flow with policy configuration and sandbox health/security checks. Required because the changed early validation and default policy-tier handling can break real unattended onboarding even when NEMOCLAW_POLICY_TIER is unset.

Optional E2E

  • network-policy-e2e (high; live sandbox/network policy suite): Useful adjacent confidence for the policy-tier/security-boundary area: it onboards with NEMOCLAW_POLICY_TIER=restricted and validates deny-by-default egress, preset application, and live policy behavior. The PR does not change policy enforcement YAML, so this is optional rather than merge-blocking.
  • docs-validation-e2e (low; no sandbox required): Optional documentation confidence because command and network policy reference docs changed. This checks CLI/docs parity and markdown links, but the runtime risk is covered by onboarding E2E.

New E2E recommendations

  • onboarding policy-tier validation (medium): Existing E2E coverage is adjacent but does not appear to explicitly assert that an invalid non-blank NEMOCLAW_POLICY_TIER exits before usage-notice writes, lock/session creation, preflight, gateway, or inference work, nor that whitespace-only values fall back to balanced in an end-to-end CLI invocation.
    • Suggested test: Add focused cases to the onboard negative-path E2E suite that run non-interactive onboard with NEMOCLAW_POLICY_TIER=invalid_tier and with whitespace-only NEMOCLAW_POLICY_TIER, asserting the documented exit ordering and balanced default behavior.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: onboard-negative-paths-e2e,cloud-onboard-e2e

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard.ts`:
- Around line 8039-8052: The large explanatory docblock above the function that
resolves NEMOCLAW_POLICY_TIER should be shortened to a compact summary that
preserves the contract (default "balanced", exits with status 1 on unknown
value, safe/pure aside from process.exit) and references the function name
resolve/validate behavior so callers know its guarantees; move the longer
historical/contextual paragraphs (notes about where it's called, issue numbers,
and extended rationale) into an external docs/ or issues/ entry and remove the
extra lines in this file (also apply the same trimming to the similar block at
the other location reported around the selectPolicyTier/use-site lines). Ensure
the shortened comment still mentions accepted-options behavior and that callers
can rely on early fail-fast semantics.
- Around line 8053-8063: resolvePolicyTierFromEnv() currently trims the env var
then treats an originally-whitespace-only value as empty, bypassing the earlier
explicit-env validation; update the function to detect when
process.env.NEMOCLAW_POLICY_TIER is set but trims to an empty string and treat
that as an explicit invalid value: use the raw env presence check
(process.env.NEMOCLAW_POLICY_TIER !== undefined) combined with the trimmed name
=== "" (or check raw.trim().length === 0) and, when true, log the same "Unknown
policy tier" message (using tiers.listTiers() for valid names) and exit(1); keep
the existing tiers.getTier(name) validation for non-empty trimmed names so all
other behavior is unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b3e7b1a2-b109-4126-be99-9f385463b36b

📥 Commits

Reviewing files that changed from the base of the PR and between 0164e6c and 65ca0d3.

📒 Files selected for processing (2)
  • src/lib/onboard.ts
  • test/policy-tiers-onboard.test.ts

Addresses CI feedback on #3788:

- onboard-entrypoint-budget check fails on the original commit because
  src/lib/onboard.ts grew by +39/-7 lines. Per the workflow contract,
  src/lib/onboard.ts must be net-neutral or smaller; growth belongs
  under src/lib/onboard/**.
- Move resolvePolicyTierFromEnv + a small validatePolicyTierEnvEarly
  helper into src/lib/onboard/policy-tier-env.ts. onboard.ts now imports
  them and the entrypoint diff becomes +4/-7 (net -3).
- Also addresses CodeRabbit's edge case: a whitespace-only
  NEMOCLAW_POLICY_TIER (e.g. an accidentally-quoted blank in a CI env)
  used to bypass the early gate (`.trim() !== ""` is false), and then
  trip the validator only at the policy-tier wizard step. The new
  helper treats whitespace-only as unset and falls back to "balanced",
  matching the gate's intent.

Test plan
- `npx vitest run test/policy-tiers-onboard.test.ts` — 23/23 pass,
  including the existing "rejects unknown NEMOCLAW_POLICY_TIER" case.
- Manual end-to-end:
  - `NEMOCLAW_POLICY_TIER=invalid_tier nemoclaw onboard ...` exits with
    "Unknown policy tier: invalid_tier. Valid: ..." before any
    preflight output.
  - `NEMOCLAW_POLICY_TIER="   " nemoclaw onboard ...` proceeds past
    validation (whitespace = unset = balanced).
  - `NEMOCLAW_POLICY_TIER=restricted nemoclaw onboard ...` proceeds
    past validation as before.

Signed-off-by: Shawn Xie <shaxie@nvidia.com>
@nvshaxie
Contributor Author

Thanks @coderabbitai — both findings addressed in the follow-up commit:

  1. onboard-entrypoint-budget fail. Moved resolvePolicyTierFromEnv + a new validatePolicyTierEnvEarly helper into src/lib/onboard/policy-tier-env.ts. src/lib/onboard.ts now imports them via the existing policyTierEnv.* namespace pattern. The entrypoint diff drops to +4/-7 (net -3), well within the budget.

  2. Whitespace-only NEMOCLAW_POLICY_TIER bypassed the early gate. Real edge case — the early gate's .trim() !== "" check skipped validation for a blank value, but the trimmed empty string then tripped getTier("") later. The new helper now treats whitespace-only as unset and defaults to balanced, matching the gate's intent. Verified end-to-end:

    ```
    NEMOCLAW_POLICY_TIER=" " ... node bin/nemoclaw.js onboard
    → proceeds past validation (no exit), uses balanced default
    ```

Existing positive/negative cases unchanged:

  • NEMOCLAW_POLICY_TIER=invalid_tier → immediate exit with the canonical error before preflight ✓
  • NEMOCLAW_POLICY_TIER=restricted → proceeds past validation ✓
  • NEMOCLAW_POLICY_TIER unset → proceeds past validation (defaults to balanced) ✓

npx vitest run test/policy-tiers-onboard.test.ts — 23/23 pass.
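
The gate ordering and blank-value handling discussed in this thread, modeled as an added TypeScript example (not code from the NemoClaw repository). The env var name, tier names and error text are from the PR; `resolveTier`, `onboard`, the three-step list and the case-folding are assumptions of this sketch.

```typescript
// Added illustration, not NemoClaw source. Tier names, the env var and the
// error text come from the PR; function shapes and the step model are assumed.
const VALID_TIERS = ["restricted", "balanced", "open"] as const;
type Tier = (typeof VALID_TIERS)[number];
type Env = Record<string, string | undefined>;

interface TierResult {
  tier?: Tier;
  error?: string;
}

interface Outcome {
  exitCode: number;
  stderr: string;
  sideEffects: string[];
  tier?: Tier;
}

// Pure resolver: unset or whitespace-only means "balanced"; any other value
// must name a known tier. Case-folding is an assumption of this sketch.
function resolveTier(env: Env): TierResult {
  const name = (env.NEMOCLAW_POLICY_TIER ?? "").trim().toLowerCase();
  if (name === "") return { tier: "balanced" };
  const tier = VALID_TIERS.find((t) => t === name);
  if (tier === undefined) {
    return { error: `Unknown policy tier: ${name}. Valid: ${VALID_TIERS.join(", ")}` };
  }
  return { tier };
}

// Stand-ins for steps [1/8] to [3/8] named in the PR description.
const STEPS = ["preflight", "gateway", "inference"];

// gate = "late" models the pre-fix order (tier checked only at the policy step);
// gate = "early" models the fix (tier checked before anything else runs).
function onboard(env: Env, gate: "early" | "late"): Outcome {
  const sideEffects: string[] = [];
  const fail = (error: string): Outcome => ({ exitCode: 1, stderr: error, sideEffects });

  if (gate === "early") {
    const early = resolveTier(env);
    if (early.error !== undefined) return fail(early.error);
  }

  // Each push represents work that touches the host before the tier is used.
  for (const step of STEPS) sideEffects.push(step);

  // Second gate at the policy-tier step, so callers that bypass the early
  // gate get the same contract.
  const resolved = resolveTier(env);
  if (resolved.error !== undefined) return fail(resolved.error);
  return { exitCode: 0, stderr: "", sideEffects, tier: resolved.tier };
}

// Constructed environments covering the cases discussed in the thread.
function runConstructedCases() {
  return {
    invalidLate: onboard({ NEMOCLAW_POLICY_TIER: "invalid_tier" }, "late"),
    invalidEarly: onboard({ NEMOCLAW_POLICY_TIER: "invalid_tier" }, "early"),
    blankEarly: onboard({ NEMOCLAW_POLICY_TIER: "   " }, "early"),
    unsetEarly: onboard({}, "early"),
    restrictedEarly: onboard({ NEMOCLAW_POLICY_TIER: "restricted" }, "early"),
  };
}
```

With the late gate the invalid tier still exits 1, but only after all three stand-in steps have recorded side effects; with the early gate the same input exits 1 with an empty side-effect list.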


coderabbitai Bot commented May 21, 2026

@nvshaxie Both fixes look excellent — thank you for the thorough follow-up!

  1. Module extraction — pulling resolvePolicyTierFromEnv and validatePolicyTierEnvEarly into src/lib/onboard/policy-tier-env.ts is the right call. The policyTierEnv.* import pattern keeps onboard.ts clean and the net −3 diff easily stays within budget.

  2. Whitespace edge case — the fix is semantically correct: treating a whitespace-only value as "unset" and defaulting to balanced matches the documented intent perfectly, and avoids the degenerate getTier("") path that would have caused a confusing failure downstream.

All edge cases covered and 23/23 green — this is in great shape. 🐇 ✨


github-actions Bot commented May 21, 2026

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 0 still apply, 0 new items found

Consider writing more tests for
  • **Runtime validation** — Runtime CLI validation that NEMOCLAW_POLICY_TIER=invalid_tier with non-interactive onboarding exits 1 before printing "[1/8] Preflight checks". The patch has strong targeted tests with mocked heavy I/O, but onboarding is a runtime/sandbox-adjacent path where one behavioral CLI validation would improve confidence in the real entrypoint packaging and output order.
  • **Runtime validation** — Runtime CLI validation that NEMOCLAW_POLICY_TIER=restricted proceeds past the early validation gate without emitting the unknown-tier error. The patch has strong targeted tests with mocked heavy I/O, but onboarding is a runtime/sandbox-adjacent path where one behavioral CLI validation would improve confidence in the real entrypoint packaging and output order.
  • **Runtime validation** — Runtime CLI validation that unset or whitespace-only NEMOCLAW_POLICY_TIER uses the balanced default in non-interactive onboarding. The patch has strong targeted tests with mocked heavy I/O, but onboarding is a runtime/sandbox-adjacent path where one behavioral CLI validation would improve confidence in the real entrypoint packaging and output order.

This is an automated advisory review. A human maintainer must make the final merge decision.

@wscurran wscurran added labels area: cli (Command line interface, flags, terminal UX, or output) and bug-fix (PR fixes a bug or regression), and removed NemoClaw CLI labels Jun 3, 2026
@cv cv added the v0.0.60 Release target label Jun 5, 2026

github-actions Bot commented Jun 5, 2026

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw
Optional scenario E2E: ubuntu-repo-cloud-hermes

Dispatch required scenario E2E:

  • gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • ubuntu-repo-cloud-openclaw: Core non-interactive onboarding was changed to validate and resolve NEMOCLAW_POLICY_TIER early. This Ubuntu repo-current OpenClaw scenario is the smallest routed scenario that exercises the modified onboarding path with the default policy-tier environment.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional scenario E2E

  • ubuntu-repo-cloud-hermes: Adjacent coverage for the same shared onboarding policy-tier path with the Hermes agent profile, useful because the PR also updates Hermes-facing onboarding documentation.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes

Relevant changed files

  • src/lib/onboard.ts
  • src/lib/onboard/policy-tier-env.ts

Signed-off-by: Carlos Villela <cvillela@nvidia.com>

github-actions Bot commented Jun 5, 2026

@prekshivyas prekshivyas self-assigned this Jun 5, 2026

@prekshivyas prekshivyas left a comment

Re-reviewed against the current head (7c5b963) — refreshing the earlier approval after the rework + main merge. The net change is small and focused (policy-tier-env.ts + one call in onboard.ts + docs):

  • validatePolicyTierEnvEarly() runs the check only when NEMOCLAW_POLICY_TIER is explicitly set to a non-blank value; unset/blank is a no-op that flows through to the interactive default. So it fails fast only on an explicit invalid value (listing valid tiers via the canonical getTier/listTiers) and can't break the common unset path.
  • It's now called at the very top of onboard() — before ensureUsageNoticeConsent, getRequestedProviderHint, and acquireOnboardLock — so a typo'd tier errors immediately rather than after consent/preflight/lock. The post-approval reorder (from after-provider-hint to before-consent) is a refinement in the same fail-fast direction, not a change of intent. Main's #4454 FSM refactor is downstream of this pre-FSM gate and doesn't interact; the merge is clean.

policy-tiers-onboard.test.ts covers the early-validate behavior. CI green. Good to merge.

@cv cv merged commit 3fcaf80 into main Jun 5, 2026
25 checks passed
@cv cv deleted the fix/policy-tier-early-validate-3741 branch June 5, 2026 17:21
miyoungc added a commit that referenced this pull request Jun 6, 2026
## Summary
- Adds the `v0.0.60` section to `docs/about/release-notes.mdx` using the
dev announcement from discussion #4877.
- Fills the source-doc gaps found during release-prep review across
inference, policy tiers, command behavior, security boundaries, Hermes
dashboard/tooling, runtime context, and troubleshooting.
- Refreshes generated agent skills under `.agents/skills/` from the
current Fern docs output and upgrades Fern from `5.44.3` to `5.45.0`.

## Source summary
- #4037 -> `docs/reference/architecture.mdx`,
`docs/about/how-it-works.mdx`, `docs/about/release-notes.mdx`: Documents
system-only runtime context that stays out of visible chat.
- #4875 -> `docs/reference/architecture.mdx`,
`docs/about/how-it-works.mdx`, `docs/about/release-notes.mdx`: Documents
try-first sandbox network/filesystem guidance and clearer failure
classification.
- #4788 -> `docs/security/best-practices.mdx`,
`docs/about/release-notes.mdx`: Documents shared OpenClaw
device-approval policy for startup and connect.
- #4768 -> `docs/reference/network-policies.mdx`,
`docs/network-policy/integration-policy-examples.mdx`,
`docs/get-started/quickstart.mdx`,
`docs/get-started/quickstart-hermes.mdx`, `docs/reference/commands.mdx`:
Documents `weather`, `public-reference`, and Hermes managed-tool gateway
preset behavior.
- #3788 and #4864 -> `docs/reference/network-policies.mdx`,
`docs/reference/commands.mdx`: Documents non-interactive policy-tier
fail-fast behavior and interactive prompt fallback.
- #4756 and #4866 -> `docs/reference/commands.mdx`: Documents env-aware
default sandbox resolution for `list`, `status`, and `tunnel` commands.
- #4320 -> `docs/reference/commands.mdx`: Documents `$$nemoclaw tunnel
status` behavior.
- #4328 -> `docs/reference/commands.mdx`: Documents line-scoped policy
preset descriptions in `policy-list`.
- #4580 and #4748 -> `docs/reference/architecture.mdx`: Documents
package-managed OpenShell gateway service and Docker-driver
gateway-marker behavior.
- #4598 -> `docs/manage-sandboxes/lifecycle.mdx`: Documents concurrent
gateway/dashboard cleanup isolation by sandbox name and port.
- #4777 -> `docs/reference/troubleshooting.mdx`: Documents Docker GPU
patch rollback behavior.
- #4610 -> `docs/reference/troubleshooting.mdx`,
`docs/reference/commands.mdx`: Keeps mutable OpenClaw config permission
guidance aligned and removes skipped experimental wording.
- #4868 -> `docs/reference/commands.mdx`: Keeps `.dockerignore` handling
for custom `onboard --from <Dockerfile>` contexts in generated skills.
- #4870 -> `docs/reference/commands.mdx`,
`docs/manage-sandboxes/runtime-controls.mdx`: Documents
`NEMOCLAW_MINIMAL_BOOTSTRAP` and generated skill coverage.
- #4641 -> `docs/inference/inference-options.mdx`,
`docs/reference/troubleshooting.mdx`: Documents local NVIDIA NIM
platform-digest pulls and served-model id adoption.
- #4810 and #4867 -> `docs/inference/inference-options.mdx`: Documents
stable NGC managed-vLLM image lineage and DGX Station DeepSeek V4 Flash
coverage.
- #4852 -> `docs/inference/use-local-inference.mdx`,
`docs/reference/troubleshooting.mdx`: Documents Ollama model fit
filtering, 16K context floor, cold-load retry, and failed-model
exclusion.
- #4847 -> `docs/inference/switch-inference-providers.mdx`: Documents
API-family sync, Hermes `api_mode`, and Bedrock Runtime exception.
- #4800 -> `docs/inference/tool-calling-reliability.mdx`: Documents
Nemotron managed-inference native tool-search fallback.
- #4333 -> `docs/inference/switch-inference-providers.mdx`: Documents
interactive multimodal input prompting.
- #4086 -> `docs/reference/troubleshooting.mdx`: Keeps proxy bypass
normalization in generated troubleshooting coverage.
- #4811 and #4855 -> `docs/get-started/quickstart-hermes.mdx`: Documents
prebuilt Hermes dashboard assets and TUI recovery without runtime
rebuilds.
- #4854 -> `docs/inference/switch-inference-providers.mdx`,
`docs/reference/commands.mdx`: Documents Hermes proxy API-key
placeholder preservation during inference switches.
- #4248 -> `docs/manage-sandboxes/messaging-channels.mdx`,
`.agents/skills/`: Keeps messaging enrollment behavior aligned with
manifest-hook implementation.
- #4771 -> `docs/security/best-practices.mdx`,
`docs/security/credential-storage.mdx`: Documents Hermes
placeholder-only secret boundary for sandbox-visible runtime files.
- #4787 -> `docs/security/best-practices.mdx`,
`docs/about/release-notes.mdx`: Documents expanded memory scanner
examples for OpenAI project keys and Slack app-level tokens.
- #4848 -> `docs/reference/commands.mdx`: Documents OpenClaw skill
install mirroring into the agent home directory.
- #4790 -> `docs/about/release-notes.mdx`: Uses the prior release-prep
structure and generated `.agents/skills/` refresh as the template for
this release.

## Verification
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix
nemoclaw-user --doc-platform fern-mdx`
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ skills/
--prefix nemoclaw-user --doc-platform fern-mdx --dry-run`
- `npm run docs`
- `git diff --check`
- skip-term scan across `docs/`, `.agents/skills/`, and `skills/`
- `npm run build:cli`
- `npm run typecheck:cli`
- Commit and pre-push hook suites, including markdownlint, gitleaks,
env-var docs gate, docs-to-skills verification, and skills YAML tests

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* DeepSeek-V4-Flash now available as default inference model for DGX
Station.
* Hermes dashboard improved with dedicated port and OAuth-authenticated
tool gateway selection.
* Added weather and public-reference policy presets for expanded agent
capabilities.
* Enhanced Ollama model selection with GPU memory filtering and
automatic retry for timeouts.

* **Bug Fixes**
  * Improved policy tier validation to prevent invalid configurations.
* Better sandbox cleanup scoping by port to prevent conflicts across
deployments.
  * Added GPU patch failure recovery with automatic rollback.

* **Documentation**
* Expanded troubleshooting guides for inference, security, and sandbox
lifecycle.
  * Added .dockerignore best practices for custom deployments.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Carlos Villela <cvillela@nvidia.com>

Successfully merging this pull request may close these issues.

[All Platforms][Runtime] NEMOCLAW_POLICY_TIER invalid value not rejected as commands.md claims
