Merge branch 'main' into fix/2541-build-context-help

Author: prekshivyas

.github/workflows/e2e-brev.yaml …hub/workflows/e2e-branch-validation.yaml.github/workflows/e2e-brev.yaml renamed to .github/workflows/e2e-branch-validation.yaml .github/workflows/e2e-brev.yaml renamed to .github/workflows/e2e-branch-validation.yaml

@@ -1,11 +1,30 @@
 # SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-name: e2e-brev
+name: e2e-branch-validation
 
-# Ephemeral Brev E2E: provisions a cloud instance, bootstraps NemoClaw,
-# runs test suites remotely, then tears down. Use workflow_dispatch to
-# trigger manually from the Actions tab, or workflow_call from other workflows.
+# ─── Branch Validation E2E ───────────────────────────────────────────────────
+#
+# PURPOSE: Validates a specific git branch by installing NemoClaw FROM SOURCE
+# on an ephemeral Brev cloud instance. Answers the question: "Does this branch
+# work if you install from source on a clean machine?"
+#
+# HOW IT WORKS:
+#   1. Provisions a fresh Brev CPU instance (~4 vCPU, 16 GB RAM)
+#   2. Rsyncs the checked-out branch code to the VM
+#   3. Runs install.sh from source + onboards a sandbox
+#   4. Executes the selected test suite against the live sandbox
+#   5. Tears down the instance (unless keep_alive=true)
+#
+# WHEN TO USE:
+#   - Before merging a PR that touches onboard, sandbox, security, or infra
+#   - To validate a branch works end-to-end on a clean Linux environment
+#   - To run security regression suites (credential-sanitization, injection)
+#   - Manually via workflow_dispatch, or called from other workflows
+#
+# NOTE: This does NOT test the community install path (launch-plugin.sh).
+# For validating what Brev Launchable users actually get, see the
+# e2e-launchable-smoke job in nightly-e2e.yaml.
 #
 # Test suites:
 #   full                     — Install → onboard → sandbox verify → live inference
@@ -98,11 +117,11 @@ permissions:
   pull-requests: write
 
 concurrency:
-  group: e2e-brev-${{ inputs.pr_number || github.run_id }}
+  group: e2e-branch-validation-${{ inputs.pr_number || github.run_id }}
   cancel-in-progress: true
 
 jobs:
-  e2e-brev:
+  e2e-branch-validation:
     # if: github.repository == 'NVIDIA/NemoClaw'  # Disabled for fork testing — re-enable before merge
     runs-on: ubuntu-latest
     timeout-minutes: 90
@@ -182,7 +201,7 @@ jobs:
           LAUNCHABLE_SETUP_SCRIPT: ${{ inputs.setup_script_url || '' }}
           BREV_PROVIDER: gcp
           KEEP_ALIVE: ${{ inputs.keep_alive }}
-        run: npx vitest run --project e2e-brev --reporter=verbose
+        run: npx vitest run --project e2e-branch-validation --reporter=verbose
 
       - name: Update check run (completed)
         if: always() && inputs.pr_number != '' && env.CHECK_RUN_ID != ''
@@ -260,6 +279,6 @@ jobs:
         if: failure()
         uses: actions/upload-artifact@v4
         with:
-          name: e2e-brev-logs
+          name: e2e-branch-validation-logs
           path: /tmp/brev-e2e-*.log
           if-no-files-found: ignore

.github/workflows/nightly-e2e.yaml

@@ -18,6 +18,7 @@
 #   credential-migration-e2e Validates legacy ~/.nemoclaw/credentials.json migration to the
 #                            OpenShell gateway, secure zero-fill on unlink, allowlist filter
 #                            on non-credential env keys, and symlink-safe deletion.
+#   launchable-smoke-e2e     Community install path (brev-launchable-ci-cpu.sh) on ubuntu-latest.
 #   gpu-e2e                  Local Ollama inference on an NVKS ephemeral GPU runner.
 #   gpu-double-onboard-e2e   Ollama proxy token consistency after re-onboard (#2553).
 #   notify-on-failure        Auto-creates a GitHub issue when any E2E job fails.
@@ -53,7 +54,7 @@ on:
           upgrade-stale-sandbox-e2e, rebuild-hermes-e2e, double-onboard-e2e,
           onboard-repair-e2e, onboard-resume-e2e, runtime-overrides-e2e,
           credential-sanitization-e2e, telegram-injection-e2e,
-          overlayfs-autofix-e2e, gpu-e2e, gpu-double-onboard-e2e
+          overlayfs-autofix-e2e, launchable-smoke-e2e, gpu-e2e, gpu-double-onboard-e2e
         required: false
         type: string
         default: ""
@@ -1278,6 +1279,59 @@ jobs:
             /tmp/nemoclaw-e2e-onboard-negative.log
           if-no-files-found: ignore
 
+  # ── Launchable Install-Flow Smoke Test ─────────────────────────
+  # Validates the community install path (brev-launchable-ci-cpu.sh) end-to-end.
+  # The launchable script has ZERO Brev dependencies — it's a generic Ubuntu
+  # bootstrap script that runs on ubuntu-latest. Catches regressions like the
+  # Apr 20-25 Brev outage (#2472, #2482) and container reachability fallback (#2425).
+  # See: issue #2599
+  launchable-smoke-e2e:
+    if: >-
+      github.repository == 'NVIDIA/NemoClaw' &&
+      (github.event_name != 'workflow_dispatch' ||
+       inputs.jobs == '' ||
+       contains(format(',{0},', inputs.jobs), ',launchable-smoke-e2e,'))
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run launchable install-flow smoke test
+        env:
+          NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }}
+          NEMOCLAW_NON_INTERACTIVE: "1"
+          NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE: "1"
+          NEMOCLAW_SANDBOX_NAME: "e2e-launchable"
+          NEMOCLAW_RECREATE_SANDBOX: "1"
+          SKIP_DOCKER_PULL: "1"
+          GITHUB_TOKEN: ${{ github.token }}
+        run: bash test/e2e/test-launchable-smoke.sh
+
+      - name: Upload install log on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: launchable-smoke-install-log
+          path: /tmp/nemoclaw-launchable-install.log
+          if-no-files-found: ignore
+
+      - name: Upload onboard log on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: launchable-smoke-onboard-log
+          path: /tmp/nemoclaw-launchable-onboard.log
+          if-no-files-found: ignore
+
+      - name: Upload test log on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: launchable-smoke-test-log
+          path: /tmp/nemoclaw-launchable-test.log
+          if-no-files-found: ignore
+
   # ── GPU E2E (Ollama local inference) ──────────────────────────
   # Runs on an NVKS ephemeral GPU runner (RTX Pro 6000, 36 GB VRAM).
   # Each job gets a fresh VM — no state leakage between runs.
@@ -1423,6 +1477,7 @@ jobs:
         credential-sanitization-e2e,
         telegram-injection-e2e,
         overlayfs-autofix-e2e,
+        launchable-smoke-e2e,
         gpu-e2e,
         gpu-double-onboard-e2e,
       ]

AGENTS.md

@@ -59,7 +59,7 @@ Tests are organized into three Vitest projects defined in `vitest.config.ts`:
 
 1. **`cli`** — `test/**/*.test.{js,ts}` — integration tests for CLI behavior
 2. **`plugin`** — `nemoclaw/src/**/*.test.ts` — unit tests co-located with source
-3. **`e2e-brev`** — `test/e2e/brev-e2e.test.js` — cloud E2E (requires `BREV_API_TOKEN`)
+3. **`e2e-branch-validation`** — `test/e2e/brev-e2e.test.ts` — validates a branch from source on ephemeral Brev instance (requires `BREV_API_TOKEN`)
 
 When writing tests:
 

test/e2e/brev-e2e.test.ts

@@ -2,13 +2,20 @@
 // SPDX-License-Identifier: Apache-2.0
 
 /**
- * Ephemeral Brev E2E test suite.
+ * Branch Validation E2E — installs NemoClaw FROM SOURCE on a fresh Brev instance.
  *
- * Creates a fresh Brev instance via the launchable bootstrap path, bootstraps it,
- * runs E2E tests remotely, then tears it down.
+ * Answers: "Does this branch work if you install from source on a clean machine?"
+ *
+ * Creates a fresh Brev instance, rsyncs the checked-out branch code, runs
+ * install.sh from source, onboards a sandbox, then executes the selected test
+ * suite against the live environment. Tears down the instance when done.
+ *
+ * NOTE: This does NOT test the community Launchable install path
+ * (launch-plugin.sh). For that, see test-launchable-smoke.sh wired into
+ * nightly-e2e.yaml.
  *
  * Intended to be run from CI via:
- *   npx vitest run --project e2e-brev
+ *   npx vitest run --project e2e-branch-validation
  *
  * Required env vars:
  *   NVIDIA_API_KEY   — passed to VM for inference config during onboarding