test(e2e): add onboarding phase fixture

[cv]

Summary

Adds the typed onboarding phase fixture on top of the environment phase. This starts moving live scenario setup into Vitest fixtures by wiring cloud OpenClaw onboarding and the no-Docker preflight-negative fixture path while preserving the legacy shell-dispatched no-Docker worker until that phase is fully migrated.

Related Issue

Refs #4941
Refs #4990

Changes

• Adds OnboardingPhaseFixture with from(...), cloudOpenClaw(...), and cloudOpenClawNoDocker(...) paths.
• Creates a typed temporary failing Docker shim for the no-Docker negative path, with a documented removal condition once the framework can inject a Docker client boundary directly.
• Keeps the live cloud-openclaw-no-docker shell worker as the current dispatcher target during migration, but aligns its Docker-missing signature and redacted negative-preflight.log evidence contract with the typed fixture.
• Registers best-effort onboarding cleanup before launching live cloud onboarding and tolerates already-missing sandboxes during cleanup.
• Exposes onboard on the shared Vitest E2E scenario context.
• Adds tests for non-interactive onboarding env, required secret handling, expected negative failure shape, unsupported profiles, cleanup registration, no-Docker fixture composition, sandbox-name validation, and redacted negative-preflight evidence.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Latest focused verification:

• npx vitest run --project e2e-scenario-framework
• Commit/pre-push hooks, including shfmt and ShellCheck for the changed worker
• GitHub PR checks on the latest pushed head

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• Tests
  • Added comprehensive end-to-end onboarding tests, covering success, failure, and negative/no-Docker flows
  • Introduced onboarding test fixture and helpers for sandbox lifecycle, secret handling, redaction, and preflight validation
  • Expanded snapshot, environment, and negative-contract assertion coverage and matcher behavior
• Chores
  • Exposed sandbox name validation for reuse and improved test orchestration/logging of redacted preflight evidence

[coderabbitai]

Warning

Review limit reached

@cv, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 40 minutes and 8 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e5391d76-1835-4b32-9226-fb1d7e6e7d8f

📥 Commits

Reviewing files that changed from the base of the PR and between 15ecaab and 5832fc2.

📒 Files selected for processing (2)

• test/e2e-scenario/framework-tests/e2e-negative-matcher.test.ts
• test/e2e-scenario/scenarios/run.ts

📝 Walkthrough

Walkthrough

Adds an OnboardingPhaseFixture with cloud and no-Docker flows, wires an onboard Vitest fixture, records docker-missing readiness without blocking, streams/redacts negative-preflight evidence in the scenario script, and adds comprehensive tests and assertion-registry adjustments.

Changes

End-to-end Onboarding Phase Fixture and Framework Integration

Layer / File(s)	Summary
Shared sandbox validation export surface test/e2e-scenario/framework/clients/sandbox.ts, test/e2e-scenario/framework/clients/index.ts	Exports validateSandboxName and re-exports it from the clients barrel.
Onboarding types, constants, and helpers test/e2e-scenario/framework/phases/onboarding.ts	Adds CLI constants, timeout, gateway URL, regex classifiers, exported interfaces (OnboardingSecrets, OnboardingOptions, OnboardingExpectedFailure, NemoClawInstance), and helpers for sandbox naming, env building, shim creation, probe normalization, and signature detection.
Fixture entry and execution test/e2e-scenario/framework/phases/onboarding.ts	OnboardingPhaseFixture.from() dispatches by profile; cloudOpenClaw() requires Docker, derives sandbox, reads NVIDIA_API_KEY, optionally registers cleanup, runs host.nemoclaw onboard, asserts success, and returns a NemoClawInstance.
No-Docker negative flow and evidence handling test/e2e-scenario/framework/phases/onboarding.ts, test/e2e-scenario/nemoclaw_scenarios/onboard/cloud-openclaw-no-docker.sh	cloudOpenClawNoDocker() enforces docker-missing expectation, creates a failing docker shim, prepends its dir to PATH, runs onboarding, writes redacted negative-preflight.log, asserts non-zero exit and Docker-missing signature, tolerates sandbox-destroy failures matching delete signatures, and always cleans up the shim.
Fixture wiring and exports test/e2e-scenario/framework/e2e-test.ts, test/e2e-scenario/framework/phases/index.ts	Adds OnboardingPhaseFixture import, extends E2EScenarioFixtures with onboard, wires the onboard Vitest fixture, and re-exports onboarding types from phases/index.ts.
Runtime readiness & assertion registry test/e2e-scenario/framework/phases/environment.ts, test/e2e-scenario/scenarios/assertions/registry.ts, test/e2e-scenario/framework-tests/e2e-assertion-modules.test.ts	assertRuntimeReady records Docker availability for docker-missing without failing composition; removes legacy runtime control groups from assertion registry and replaces snapshot lifecycle wiring; adds a test to ensure snapshot and snapshot-lifecycle groups differ.
No-Docker scenario dispatcher script test/e2e-scenario/nemoclaw_scenarios/onboard/cloud-openclaw-no-docker.sh	Creates E2E_CONTEXT_DIR, adds e2e_no_docker_write_redacted_preflight_log (python3 or sed fallback), pipes nemoclaw onboard through the redactor preserving exit codes, validates Docker-missing signature, and ensures shim/temps cleanup.
Onboarding tests and E2E shell helpers test/e2e-scenario/framework-tests/e2e-phase-onboarding.test.ts, test/e2e-scenario/framework-tests/e2e-lib-helpers.test.ts, test/e2e-scenario/framework-tests/*	Adds test doubles (FakeRunner/FakeSecrets/FakeCleanup), ready() factory, and a comprehensive Vitest suite covering success/failure, cleanup registration, secret ordering, Docker gating, invalid-sandbox validation, no-Docker negative semantics and redaction, PATH construction, and scenario-level dispatch tests verifying preserved seeded context and redacted preflight logs.
Negative-contract matching & orchestrator adjustments test/e2e-scenario/scenarios/orchestrators/negative-matcher.ts, test/e2e-scenario/scenarios/run.ts, test/e2e-scenario/framework-tests/e2e-negative-matcher.test.ts	Expands negative-contract observation to include handled expected-failure evidence, normalizes error-class variants, ignores state-validation probes when locating the originating failure, and updates orchestrator/run logic and tests to rely on state-validation for side-effect checks.

Sequence Diagram(s)

sequenceDiagram
  participant VitestTest
  participant OnboardingPhaseFixture
  participant OnboardingSecrets
  participant HostCliClient
  participant OnboardingCleanup
  VitestTest->>OnboardingPhaseFixture: from(environment, options)
  OnboardingPhaseFixture->>OnboardingSecrets: required("NVIDIA_API_KEY")
  OnboardingPhaseFixture->>HostCliClient: nemoclaw("onboard", args, { env, timeout })
  OnboardingPhaseFixture->>OnboardingCleanup: add(sandboxName, destroyFn)
  HostCliClient-->>OnboardingPhaseFixture: ShellProbeResult (stdout/stderr)
  OnboardingPhaseFixture-->>VitestTest: NemoClawInstance (or expectedFailure)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/NemoClaw#5002: Related updates touching EnvironmentPhaseFixture and docker readiness semantics.
• NVIDIA/NemoClaw#4965: Prior E2E fixture/context wiring that this PR builds on.
• NVIDIA/NemoClaw#4966: Fixture-client infrastructure used by the new onboarding fixture.

Suggested labels

area: e2e, area: onboarding, v0.0.62

Suggested reviewers

• jyaunches
• ericksoa
• prekshivyas

"I made a tiny shim where Docker would not play,
I queued the cleanup, redacted secrets away,
Two paths I test — success and planned decline,
Logs scrubbed and written, sandboxes align,
Hooray — the rabbit hops, the tests all say 'OK!'"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 6.90% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'test(e2e): add onboarding phase fixture' accurately summarizes the main change: introducing a new OnboardingPhaseFixture for e2e testing. It is concise, clear, and specific.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/e2e-4990-stack-02-onboarding-phase

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: ubuntu-no-docker-preflight-negative, ubuntu-invalid-nvidia-key-negative, ubuntu-repo-cloud-openclaw
Optional E2E: ubuntu-gateway-port-conflict-negative, ubuntu-repo-cloud-openclaw-custom-policies, snapshot-commands-e2e

Dispatch hint: ubuntu-no-docker-preflight-negative,ubuntu-invalid-nvidia-key-negative,ubuntu-repo-cloud-openclaw

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• ubuntu-no-docker-preflight-negative (medium): Directly exercises the changed cloud-openclaw-no-docker worker, Docker-missing preflight handling, redacted negative-preflight evidence, negative-contract matching, and forbidden-side-effect state-validation for gateway/sandbox absence.
• ubuntu-invalid-nvidia-key-negative (medium): Covers the other live onboarding expected-failure path affected by negative-matcher aliases and the new planFailed requirement that state-validation pass the declared forbidden-side-effect probes.
• ubuntu-repo-cloud-openclaw (high): Baseline positive OpenClaw scenario validates that runner phase ordering, onboarding, sandbox lifecycle assertions, supplemental assertion registry changes, and removal of the legacy runtime control group do not break the main user flow.

Optional E2E

• ubuntu-gateway-port-conflict-negative (medium): Additional confidence for the shared negative-contract/state-validation logic on a distinct onboarding failure class after changing negative matching and exit-code semantics.
• ubuntu-repo-cloud-openclaw-custom-policies (high): Exercises the scenario that explicitly includes snapshot-lifecycle plus credentials/onboarding-state/model-router suites, useful after splitting snapshot from snapshot-lifecycle in the assertion registry.
• snapshot-commands-e2e (medium): Nightly script-level coverage for real snapshot CLI behavior is a useful adjunct to the assertion registry change that distinguishes snapshot smoke coverage from snapshot lifecycle coverage.

New E2E recommendations

• typed-vitest-onboarding-fixture (high): The new OnboardingPhaseFixture is covered by framework unit tests, but the existing live Vitest E2E project only has a repo CLI smoke test and does not run a real cloud OpenClaw onboarding flow through the fixture.
  • Suggested test: Add test/e2e-scenario/live/ubuntu-repo-cloud-openclaw-onboarding.test.ts that uses environment + onboard fixtures against a real sandbox and verifies cleanup/artifacts.
• typed-no-docker-onboarding-fixture (high): The no-Docker path is still live through the legacy shell dispatcher while a typed fixture path is introduced; add live coverage before migration so dispatcher and fixture behavior cannot drift.
  • Suggested test: Add a live Vitest or typed scenario test for cloud-openclaw-no-docker using OnboardingPhaseFixture and asserting docker-missing expectedFailure plus redacted negative-preflight evidence.
• snapshot-suite-registry-contract (medium): Unit tests assert snapshot and snapshot-lifecycle registry separation, but there is no small live scenario dedicated to proving the selected suite actually runs the intended shell assertions in CI.
  • Suggested test: Add a targeted typed scenario or workflow-dispatched scenario that runs snapshot-lifecycle explicitly and verifies sandbox snapshot create/list/restore evidence is produced.

Dispatch hint

• Workflow: .github/workflows/e2e-scenarios.yaml
• jobs input: ubuntu-no-docker-preflight-negative,ubuntu-invalid-nvidia-key-negative,ubuntu-repo-cloud-openclaw

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: e2e-scenarios-all
Optional scenario E2E: None

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios-all.yaml --ref <pr-head-ref>

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• e2e-scenarios-all: Changes touch shared scenario framework fixtures, onboarding/environment phases, assertion registry mapping, negative-contract matching, scenario runner orchestration, and scenario run exit behavior. These are shared execution and catalog surfaces that can affect many or all scenario IDs, so the all-scenarios fan-out is required.
  • Dispatch: gh workflow run e2e-scenarios-all.yaml --ref <pr-head-ref>

Optional scenario E2E

• None.

Relevant changed files

• test/e2e-scenario/framework-tests/e2e-assertion-modules.test.ts
• test/e2e-scenario/framework-tests/e2e-lib-helpers.test.ts
• test/e2e-scenario/framework-tests/e2e-negative-matcher.test.ts
• test/e2e-scenario/framework-tests/e2e-phase-environment.test.ts
• test/e2e-scenario/framework-tests/e2e-phase-onboarding.test.ts
• test/e2e-scenario/framework-tests/e2e-phase-orchestrators.test.ts
• test/e2e-scenario/framework/clients/index.ts
• test/e2e-scenario/framework/clients/sandbox.ts
• test/e2e-scenario/framework/e2e-test.ts
• test/e2e-scenario/framework/phases/environment.ts
• test/e2e-scenario/framework/phases/index.ts
• test/e2e-scenario/framework/phases/onboarding.ts
• test/e2e-scenario/nemoclaw_scenarios/onboard/cloud-openclaw-no-docker.sh
• test/e2e-scenario/scenarios/assertions/registry.ts
• test/e2e-scenario/scenarios/orchestrators/negative-matcher.ts
• test/e2e-scenario/scenarios/orchestrators/runner.ts
• test/e2e-scenario/scenarios/run.ts

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Since last review: 2 prior items resolved, 0 still apply, 0 new items found

Consider writing more tests for

• **Acceptance clause:** Refs Adopt Vitest fixtures as the E2E scenario execution model #4941 — add test evidence or identify existing coverage. The PR body references Adopt Vitest fixtures as the E2E scenario execution model #4941, but linked issue body/comment text was not present in the deterministic context, so issue-specific clauses could not be mapped literally.
• **Acceptance clause:** Refs Adopt phase fixtures + registry-driven test discovery for Vitest E2E scenarios #4990 — add test evidence or identify existing coverage. The PR body references Adopt phase fixtures + registry-driven test discovery for Vitest E2E scenarios #4990, but linked issue body/comment text was not present in the deterministic context, so issue-specific clauses could not be mapped literally.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/e2e-scenario/framework-tests/e2e-phase-onboarding.test.ts (1)

42-45: ⚡ Quick win

Fail fast when no queued runner response exists.

Returning a default success (shellResult(0)) can hide missing test setup and produce false positives. Throwing here makes tests deterministic and stricter.

Proposed change

  async run(command: TrustedShellCommand, options?: ShellProbeRunOptions): Promise<ShellProbeResult> {
    this.calls.push({ command: command.command, args: [...command.args], options });
-    return this.responses.shift() ?? shellResult(0);
+    const next = this.responses.shift();
+    if (!next) {
+      throw new Error(`FakeRunner received unexpected command without queued response: ${command.command}`);
+    }
+    return next;
  }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/framework-tests/e2e-phase-onboarding.test.ts` around lines
42 - 45, The test runner's async run method currently returns a default success
when no queued response exists, which hides missing test setup; modify run (the
method that pushes to this.calls and uses this.responses.shift()) to throw an
informative error when this.responses is empty/undefined instead of returning
shellResult(0), so callers fail fast and tests remain deterministic. Ensure the
thrown error message includes the command and args (from command.command and
command.args) to aid debugging.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-scenario/framework/phases/onboarding.ts`:
- Line 134: Replace the unconditional prepend of shimDir that can create a
trailing colon by only adding the colon when PATH exists: set env.PATH to either
"shimDir:existingPATH" when env.PATH is truthy or to just "shimDir" when
env.PATH is undefined/empty; update the assignment that uses env.PATH and
shimDir in onboarding.ts (the env.PATH = `${shimDir}:${env.PATH ?? ""}` line) to
use this conditional form so you don't introduce an empty PATH segment.

---

Nitpick comments:
In `@test/e2e-scenario/framework-tests/e2e-phase-onboarding.test.ts`:
- Around line 42-45: The test runner's async run method currently returns a
default success when no queued response exists, which hides missing test setup;
modify run (the method that pushes to this.calls and uses
this.responses.shift()) to throw an informative error when this.responses is
empty/undefined instead of returning shellResult(0), so callers fail fast and
tests remain deterministic. Ensure the thrown error message includes the command
and args (from command.command and command.args) to aid debugging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b320c7ef-7fb5-4442-9385-bed837caa3a3

📥 Commits

Reviewing files that changed from the base of the PR and between d9db199 and 1ce58d8.

📒 Files selected for processing (4)

• test/e2e-scenario/framework-tests/e2e-phase-onboarding.test.ts
• test/e2e-scenario/framework/e2e-test.ts
• test/e2e-scenario/framework/phases/index.ts
• test/e2e-scenario/framework/phases/onboarding.ts

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e-scenario/scenarios/assertions/registry.ts (1)

283-283: ⚡ Quick win

Use a dedicated snapshot step ID instead of reusing smokeSteps[2].

Right now snapshot shares the same step ID/evidence path as smoke (runtime.smoke.sandbox-listed), which can make evidence attribution ambiguous when both suites are selected.

Suggested diff

-  suiteGroup("snapshot", [smokeSteps[2]]),
+  suiteGroup("snapshot", [
+    shellStep({
+      id: "runtime.snapshot.sandbox-listed",
+      phase: "runtime",
+      ref: "test/e2e-scenario/validation_suites/smoke/02-sandbox-listed.sh",
+    }),
+  ]),

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/scenarios/assertions/registry.ts` at line 283, Replace the
reused step id by creating and using a dedicated snapshot step instead of
smokeSteps[2]; update the suiteGroup call for "snapshot" to reference a new
snapshotSteps entry (e.g., snapshotSteps[0]) and ensure the new step's
id/evidence path is unique (not runtime.smoke.sandbox-listed) so evidence is
attributed to runtime.snapshot.*; locate the definition of smokeSteps and add a
corresponding snapshotSteps array (or an individual snapshot step) with its own
id and evidence path, then change suiteGroup("snapshot", [smokeSteps[2]]) to use
that new snapshot step symbol.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e-scenario/scenarios/assertions/registry.ts`:
- Line 283: Replace the reused step id by creating and using a dedicated
snapshot step instead of smokeSteps[2]; update the suiteGroup call for
"snapshot" to reference a new snapshotSteps entry (e.g., snapshotSteps[0]) and
ensure the new step's id/evidence path is unique (not
runtime.smoke.sandbox-listed) so evidence is attributed to runtime.snapshot.*;
locate the definition of smokeSteps and add a corresponding snapshotSteps array
(or an individual snapshot step) with its own id and evidence path, then change
suiteGroup("snapshot", [smokeSteps[2]]) to use that new snapshot step symbol.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9a7cd64a-d6b6-4d70-bb9b-bac8e99978c7

📥 Commits

Reviewing files that changed from the base of the PR and between 1ce58d8 and 7c50df5.

📒 Files selected for processing (11)

• test/e2e-scenario/framework-tests/e2e-assertion-modules.test.ts
• test/e2e-scenario/framework-tests/e2e-lib-helpers.test.ts
• test/e2e-scenario/framework-tests/e2e-phase-environment.test.ts
• test/e2e-scenario/framework-tests/e2e-phase-onboarding.test.ts
• test/e2e-scenario/framework/clients/index.ts
• test/e2e-scenario/framework/clients/sandbox.ts
• test/e2e-scenario/framework/e2e-test.ts
• test/e2e-scenario/framework/phases/environment.ts
• test/e2e-scenario/framework/phases/onboarding.ts
• test/e2e-scenario/nemoclaw_scenarios/onboard/cloud-openclaw-no-docker.sh
• test/e2e-scenario/scenarios/assertions/registry.ts

✅ Files skipped from review due to trivial changes (1)

• test/e2e-scenario/framework/clients/index.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• test/e2e-scenario/framework/e2e-test.ts
• test/e2e-scenario/framework-tests/e2e-phase-onboarding.test.ts
• test/e2e-scenario/framework/phases/onboarding.ts