Skip to content

chore(openclaw): upgrade to 2026.6.10 and harden runtime integration#5595

Merged
ericksoa merged 257 commits into
mainfrom
dep/openclaw-2026.6.9
Jul 4, 2026
Merged

chore(openclaw): upgrade to 2026.6.10 and harden runtime integration#5595
ericksoa merged 257 commits into
mainfrom
dep/openclaw-2026.6.9

Conversation

@ericksoa

@ericksoa ericksoa commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Summary

Upgrade NemoClaw to openclaw@2026.6.10 and adapt packaging,
compiled-runtime compatibility patches, messaging plugins, rebuild recovery,
and E2E coverage to the reviewed release. The change retains the existing
fail-closed package, credential-recovery, state-restore, and runtime-proof
boundaries while moving one stable patch release forward from 2026.6.9.

Related Issue

Changes

  • Pin openclaw@2026.6.10, diagnostics, Brave, Discord, Slack, WhatsApp, and
    Microsoft Teams packages to their reviewed npm SRIs across images,
    manifests, package metadata, lifecycle policy, and version-aware tests.
  • Verify registry metadata and downloaded archives before install, suppress
    package-controlled lifecycle scripts, and retain the explicit reviewed
    OpenClaw postinstall boundary.
  • Re-audit the published 2026.6.10 tarball, shrinkwrap, npm graph, Teams
    package-load hashes, weather skill, and every compiled-dist patch selector.
  • Keep the fail-closed sandbox fetch/proxy, chat correlation, compact tool
    catalog, Teams message-hint, and [DGX Spark][CLI&UX] openclaw tui shows indefinite spinner with no error when inference endpoint is unreachable #4434 unreachable-inference compatibility
    patches bound to the reviewed distribution.
  • Route repair-only device self-approval through OpenClaw CLI, authenticated
    gateway dispatch, and canonical locked-state authorization. Exact bounded
    repairs use the existing stored device credential and fail without falling
    back to shared/admin credentials or local approval; no Python process reads
    or writes device credentials or pairing state.
  • Preserve keyless rebuild recovery only for the exact registered provider,
    model, credential binding, endpoint identity, API, and persisted route,
    without reading, exporting, or replacing the credential.
  • Restore registry rows from an atomic removal receipt and reclaim a removed
    default only when no concurrent default transition superseded it.
  • Isolate NEMOCLAW_PREFERRED_API along with all other ambient inference
    selectors during rebuild resume, preserving the recorded sandbox route.
  • Reject multiline production build arguments and decimal-version inputs that
    could inject legacy fixture overrides through workflow dispatch.
  • Scan snapshot credential assignments through the shared credential-name
    classifier while continuing to permit only recognized models.json
    environment/secret references.
  • Classify [DGX Spark][CLI&UX] openclaw tui shows indefinite spinner with no error when inference endpoint is unreachable #4434 diagnostics only from the final contiguous, bounded TUI
    run error: block so unrelated transcript text cannot satisfy the guard.
  • Split generated runtime-proof source into bounded OpenShell arguments,
    validate the proof port as decimal 1..65535, and construct only the fixed
    loopback proof URL.
  • Run the real published-distribution SRI/patch/audit harness from trusted main
    CI while retaining explicit local opt-in proof.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification: focused unit,
    integration, E2E-support, workflow-contract, package-contract, and real
    published-distribution suites exercise every changed boundary.
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification:
  • Sensitive paths changed (security, policy, credentials, preflight,
    onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded —
    reviewer/approval link/justification: final-head maintainer re-review pending.
  • Non-success, skipped, or missing CI check accepted by maintainer — check
    name, approval link, and follow-up issue: no waiver requested.

Risk Boundaries

  • Keyless provider reuse never reads, exports, or replaces a credential. The
    shared pre-delete/runtime assessment requires the exact registered route and
    gateway binding; missing, oversized, ambiguous, spoofed, or incompatible
    metadata fails before deletion or triggers rollback.
  • OpenShell intentionally redacts provider values. Custom endpoint reuse
    therefore also requires authoritative registry route identity and no
    conflicting recorded endpoint; the recovery path never updates the provider.
  • Rebuild resume cannot borrow ambient agent, provider, model, endpoint,
    credential, preferred API, or reasoning values from another sandbox.
  • Registry rollback restores a removed default only when both the fallback
    pointer and persisted selection revision still match. A later explicit
    default choice is preserved even when it selects that same fallback value.
  • Production build guards reject CR/LF input, the legacy fixture flag, retained
    legacy versions, and fixture-only integrity/tarball overrides before every
    production image build.
  • Snapshot restore accepts only typed or recognized credential references in
    models.json; concrete keys, bearer tokens, assignments, and arbitrary
    credential values remain rejected.
  • Messaging-plugin registry provenance now requires the exact package spec,
    committed registry dist.integrity, committed registry dist.tarball URL,
    and packed-byte SRI before npm pack or plugin installation. Missing or
    mismatched metadata fails closed; Post-tag hardening: close OpenClaw 2026.6.9 trust, live-proof, and compatibility-debt gaps #5896 remains only the shared-installer
    consolidation tracker.
  • The reviewed archive contract remains duplicated across isolated Docker and
    Node execution contexts so each transaction fails before install. Shared
    installer consolidation remains Post-tag hardening: close OpenClaw 2026.6.9 trust, live-proof, and compatibility-debt gaps #5896 rather than widening this bump.
  • Compiled-dist patches are scoped to the SRI-verified 2026.6.10 shapes and
    fail closed on selector drift; they must be removed when upstream supplies
    equivalent behavior.
  • Same-device repair selects stored-device authentication only for the exact
    signed CLI/operator/pairing baseline. A failure rethrows before shared/admin
    or local-state fallback, and the handler plus locked writer revalidate the
    current pending identity and bounded scopes before token rotation.
  • The [DGX Spark][CLI&UX] openclaw tui shows indefinite spinner with no error when inference endpoint is unreachable #4434 shim enriches only reviewed normalized failures inside OpenShell
    sandboxes. Its live guard requires the complete final error block and cannot
    borrow diagnostic keywords from earlier output.
  • No Teams tenant credentials, captured activities, or public-ingress scaffold
    are included; Teams evidence remains package/load-boundary evidence.

Verification

Exact head: 5911445d55dfd10b03233b4133195e6d8c8d0e60
Current main: 06b78aae3816ffe23eab64e9327ca99407a5a527

  • PR description includes the DCO sign-off declaration and the new commit
    includes Signed-off-by
  • Git hooks passed during commit and push, or
    npx prek run --from-ref main --to-ref HEAD passes — all commit/push hooks
    passed except the deliberately skipped unsharded test-cli coverage hook;
    exact-head hosted coverage shards are required below.
  • Targeted tests pass for changed behavior
  • Full npm test passes (broad runtime changes only) — the unsharded local
    coverage hook was attempted on the complete tree but exceeded many existing
    5-second per-test limits under coverage on this Mac. Every changed boundary
    passes in isolated focused runs; authoritative hosted coverage shards are
    required below and no waiver is requested.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the
    style guide
    (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Local exact-tree evidence:

  • npm run build:cli, npm run typecheck:cli, npm run typecheck, repository
    checks, Vitest project/import/title checks, and the 1,216-file test-size scan
    passed on the merged tree.
  • Final exact-head rebuild, registry, provider-recovery, base-image-handoff,
    destroy, DCode, and recovery suites: 167 CLI tests passed.
  • Final exact-head destroy, fetch-guard, stored-device-auth, workflow-contract,
    and scorecard suite: 83 integration tests passed.
  • Final exact-head OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462 fixture boundary and E2E workflow-contract suite: 22
    E2E-support tests passed.
  • OpenClaw archive/build-argument/mcporter provenance suite: 37 passed;
    messaging build-applier provenance suite: 30 passed.
  • OpenClaw chat and device-scope compiled-runtime patch suites: 32 passed.
  • The real OpenClaw 2026.6.10 OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462 pairing-only repair and exact raw CLI
    identity proof passed through the extracted live heredoc path with no pending
    request left behind; the executable fixture contract observes
    paired.jsondevice-auth.jsonpending.json publication.
  • Real openclaw@2026.6.10 published-tarball SRI, patch application, and patch
    audit/config-token gateway harness: 3 passed in 117.43 seconds on Node 22.19
    at the current exact head.
  • Changed files pass Biome formatting, lint, shellcheck, hadolint, YAML/JSON,
    Markdown, secret, schema, repository, source-shape, size, and diff checks.
  • The repository-wide format check still reports two pre-existing clean files
    outside this PR; neither is changed here and no waiver is applied to PR CI.

Hosted exact-head requirements before merge:

  • Ordinary PR matrix, including sharded CLI/plugin coverage, green.
  • Fresh GPT and Nemotron advisor runs completed and dispositioned.
  • Full exact-head E2E matrix green with only documented explicit-only skips.
  • Branch zero commits behind current main after all proof completes.
  • One approving review and no unresolved blocking thread.

Final exact-head hosted evidence:

  • Ordinary PR matrix
    is green, including all five CLI shards, static checks, build/typecheck,
    installer integration, plugin tests, and the aggregate gate.
  • Base images
    and sandbox images plus E2E
    are green at the exact head and exercised the reviewed OpenClaw and locked
    mcporter provenance-reuse paths.
  • Full E2E
    attempt 2 is green: every default-enabled job passed, five explicit-only
    jobs were intentionally skipped, and no failures remain.
  • Targeted #4462 plus rebuild-openclaw
    and the Hermes dashboard rerun
    are green at the exact head.
  • Final advisor run
    completed successfully. GPT reports zero required and zero new findings.
    Its remaining floating-Docker-action warning concerns refs inherited
    unchanged from current main; repository-wide action pinning is accepted
    as separate hardening rather than scope for this dependency bump. The
    duplicate non-interactive-helper suggestion is likewise a non-blocking
    refactor. Nemotron's repeated source-of-truth and structural findings do
    not identify a new final-head defect; the applicable integrity, recovery,
    trusted-main, and decomposition boundaries are documented above and in
    Post-tag hardening: close OpenClaw 2026.6.9 trust, live-proof, and compatibility-debt gaps #5896.

CodeRabbit, CodeQL, and all required contexts are green; all review threads
are resolved. The branch is zero commits behind main, carries label
v0.0.74, and is mergeable. The only outstanding branch-protection gate is
a final approving review; re-review was requested from
@apurvvkumaria
.

Rollback Plan

Revert this PR as a unit, restoring the prior OpenClaw pins, integrity values,
plugin-install behavior, state-restore rules, and compatible patch set. Do not
combine the older runtime pin with 2026.6.10 compiled-dist selectors. Rebuild
base and sandbox images, then rerun the affected E2E lanes.


Signed-off-by: Aaron Erickson aerickson@nvidia.com

Summary by CodeRabbit

  • New Features
    • Upgraded bundled OpenClaw runtime to 2026.6.10 with fully version-pinned messaging plugins.
    • Enhanced sandbox rebuild with registry receipts/rollback and improved routing credential preflight.
    • Added an e2e snapshot credential scanner to detect credential leaks.
  • Bug Fixes
    • Improved chat.send compatibility (embedded retry persistence + preserved run/session wiring).
    • Strengthened unreachable-inference UI diagnostics and tightened approval/retry flows to prevent unintended state changes.
  • Documentation
    • Updated Telegram troubleshooting and messaging-channel docs; added the OpenClaw 2026.6.10 dependency review.
  • Chores / CI
    • Hardened Docker build-arg validation and added a real OpenClaw dist harness; added messaging plugin provenance integrity checks.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR upgrades OpenClaw to 2026.6.10, hardens archive and plugin provenance checks, adds diagnostics and self-approval patching, tightens CI and workflow guards, and introduces revision-aware sandbox registry rollback with recovered-route onboarding.

Changes

OpenClaw 2026.6.10 upgrade and supporting infrastructure

Layer / File(s) Summary
Version pins and reviewed archive install flow
Dockerfile, Dockerfile.base, agents/openclaw/manifest.yaml, nemoclaw/package.json, nemoclaw/src/package-metadata.test.ts, nemoclaw-blueprint/policies/presets/weather.yaml, scripts/check-production-build-args.sh, .github/workflows/*.yaml, ci/reviewed-npm-lifecycle-allowlist.json
Updates OpenClaw version pins and reviewed metadata, then rewrites build-arg validation and base-image logic to enforce committed integrity and tarball values before building.
Dockerfile upgrade and reviewed archive installs
Dockerfile
Reworks the OpenClaw upgrade/reinstall path, retargets patch markers, and switches Codex ACP and OpenClaw plugin installs to verified local archives with integrity and tarball checks.
Diagnostics, device self-approval, and chat-send patch scripts
scripts/patch-openclaw-issue-4434-diagnostics.ts, scripts/patch-openclaw-device-self-approval.ts, scripts/patch-openclaw-chat-send.js, src/lib/sandbox/build-context.ts, test/openclaw-chat-send-patch.test.ts
Adds patch scripts for diagnostics and bounded self-approval, expands the chat-send patch flow, and stages the diagnostics patch into sandbox builds.
Messaging plugin provenance and archive installs
src/lib/messaging/applier/build/messaging-build-applier.mts, src/lib/messaging/channels/*/manifest.ts, src/lib/messaging/manifest/types.ts, test/messaging-build-applier*.test.ts, docs/security/openclaw-2026.6.10-dependency-review.md
Adds integrity and tarball metadata, verified local archive installs, and provenance tests for built-in messaging plugins, along with the reviewed dependency document.
CI workflow guards and docs
scripts/check-production-build-args.sh, .github/workflows/*.yaml, docs/manage-sandboxes/messaging-channels.mdx, docs/reference/troubleshooting.mdx, test/e2e/lib/telegram-api-proof.sh, test/e2e/live/*, test/openclaw-dependency-review.test.ts
Adds production build-arg validation, workflow gating, and updated Telegram live-test/troubleshooting guidance plus contract coverage.
Device approval, state-dir guard, and cleanup hardening
scripts/lib/openclaw_device_approval_policy.py, scripts/nemoclaw-start.sh, src/lib/actions/sandbox/auto-pair-approval.*, scripts/state-dir-guard.py, src/lib/state/sandbox.ts, test/nemoclaw-start.test.ts, test/destroy-cleanup-sandbox-services.test.ts
Removes approval recovery hooks, tightens device approval and auto-pairing logic, hardens symlink/state cleanup, and updates related tests and helper scripts.

Sandbox registry reversible removal and rebuild rollback

Layer / File(s) Summary
Reversible removal receipts and default revision helpers
src/lib/state/registry-reversible-removal.ts, src/lib/state/registry-reversible-removal.test.ts
Adds registry default-selection revision tracking, removal receipts, and reversible remove/restore helpers with matching unit tests.
registry.ts reversible-removal integration
src/lib/state/registry.ts
Integrates reversible removal into registry normalization, persistence, and default-pointer mutation paths, and adds receipt-based remove/restore helpers.
Destroy-phase removal receipt plumbing
src/lib/actions/sandbox/destroy.ts, src/lib/actions/sandbox/rebuild-destroy-phase.ts
Adds receipt-capable sandbox removal in destroy.ts and threads removalReceipt through the rebuild destroy phase.
Rebuild registry rollback controller
src/lib/actions/sandbox/rebuild-registry-rollback.ts, src/lib/actions/sandbox/rebuild-registry-rollback.test.ts
Adds a rollback controller that restores either preserved snapshots or missing registry metadata during rebuild retries, with tests covering retry, replacement, and failure cases.
Rebuild pipeline and recreate-phase rollback wiring
src/lib/actions/sandbox/rebuild-pipeline.ts, src/lib/actions/sandbox/rebuild-recreate-phase.ts, src/lib/actions/sandbox/rebuild-flow-helpers.ts, src/lib/actions/sandbox/rebuild-env-isolation.ts, related tests
Wires the rollback controller into rebuild pipeline/recreate flow, updates rebuild flow helpers, and expands rollback-oriented tests and env-isolation coverage.
Rebuild resume config and preflight route derivation
src/lib/actions/sandbox/rebuild-resume-config.ts, src/lib/actions/sandbox/rebuild-resume-preflight.ts, tests
Adds registryInferenceRoute to rebuild resume config and computes it from trusted registry metadata and endpoint checks during preflight.
Onboard rebuild-route and credential reuse wiring
src/lib/onboard.ts, src/lib/onboard/types.ts, src/lib/onboard/providers.ts, src/lib/onboard/recovered-provider-reuse.ts, src/lib/onboard/recovered-provider-reuse.test.ts, test/onboard-remote-recreate-credential-reuse.test.ts
Threads rebuildRegistryInferenceRoute and recovered credential reuse through onboarding.
Provider inference options and resume behavior
src/lib/onboard/machine/handlers/provider-inference.ts, src/lib/onboard/machine/handlers/provider-inference.test.ts
Adds provider inference setup options and revalidates compatible-endpoint messaging resume paths.
Sandbox handler endpointUrl and credentialEnv persistence
src/lib/onboard/machine/handlers/sandbox.ts, src/lib/onboard/machine/core-flow-phases.ts, src/lib/onboard/machine/core-flow-phases.test.ts
Persists endpointUrl and credentialEnv through sandbox state handling.
Credential env allowlist and snapshot scanner
src/lib/security/credential-env.ts, src/lib/security/credential-env.test.ts, test/e2e/live/snapshot-credential-scanner.ts, test/e2e/support/snapshot-credential-scanner.test.ts
Expands credential env handling and adds snapshot credential leak scanning with tests.
Rebuild target staging and local-provider recreate tests
src/lib/actions/sandbox/rebuild-target-staging.ts, src/lib/actions/sandbox/rebuild-target-staging.test.ts, src/lib/actions/sandbox/rebuild-local-provider-recreate.test.ts
Threads registry inference routes into recreate options and adds local-provider recreate coverage.
Real device self-approval proof and rebuild-flow harnesses
test/helpers/openclaw-real-device-self-approval-proof.ts, test/helpers/openclaw-device-self-approval-patch-harness.ts, test/helpers/rebuild-flow-harness.ts, test/helpers/rebuild-flow-test-harness.ts, test/helpers/rebuild-flow-test-support.ts, test/helpers/rebuild-flow-recovery-cases.ts, test/helpers/rebuild-flow-target-session-cases.ts, test/issue-4434-tui-unreachable-inference.test.ts, test/mcporter-supply-chain.test.ts
Adds the real distribution self-approval proof harness, rebuild-flow registry/rollback harness updates, target-session and diagnostics tests, and mcporter supply-chain gating.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Workflow
  participant CheckScript as scripts/check-production-build-args.sh
  participant DockerBuild as docker build

  Workflow->>CheckScript: validate build args and env
  CheckScript-->>Workflow: allow or reject
  Workflow->>DockerBuild: run with validated build_args
Loading
sequenceDiagram
  participant RebuildPipeline
  participant DestroyPhase as rebuild-destroy-phase
  participant RegistryRollback as createRebuildRegistryRollback
  participant RecreatePhase as rebuild-recreate-phase

  RebuildPipeline->>DestroyPhase: runRebuildDestroyPhase()
  DestroyPhase-->>RebuildPipeline: removalReceipt
  RebuildPipeline->>RegistryRollback: recordRemoval(removalReceipt)
  RebuildPipeline->>RecreatePhase: runRebuildRecreatePhase(registryRollback)
  RecreatePhase->>RegistryRollback: restoreForRetry()
Loading

Possibly related PRs

Suggested labels: area: sandbox, area: onboarding, area: e2e
Suggested reviewers: cjagwani, jyaunches, cv

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Clearly summarizes the main change: OpenClaw upgrade to 2026.6.10 plus runtime hardening.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dep/openclaw-2026.6.9

Comment @coderabbitai help to get the list of available commands.

@ericksoa ericksoa changed the title Bump OpenClaw to 2026.6.9 chore(openclaw): bump to 2026.6.9 Jun 22, 2026
@github-code-quality

github-code-quality Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 5911445 +/-
nemoclaw/src/se...cret-scanner.ts 100%
nemoclaw/src/commands/slash.ts 100%
nemoclaw/src/li...bprocess-env.ts 100%
nemoclaw/src/bl...eprint/state.ts 98%
nemoclaw/src/onboard/config.ts 98%
nemoclaw/src/bl...int/snapshot.ts 97%
nemoclaw/src/bl...print/runner.ts 95%
nemoclaw/src/co...ration-state.ts 94%
nemoclaw/src/bl...ate-networks.ts 94%
nemoclaw/src/index.ts 94%

TypeScript / code-coverage/cli

The overall coverage in the branch is 70%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 5911445 +/-
src/lib/shields...nsition-lock.ts 87%
src/lib/actions...all/run-plan.ts 81%
src/lib/state/o...oard-session.ts 81%
src/lib/onboard/preflight.ts 71%
src/lib/state/sandbox.ts 71%
src/lib/shields/index.ts 69%
src/lib/onboard...er-gpu-patch.ts 69%
src/lib/policy/index.ts 66%
src/lib/actions...licy-channel.ts 60%
src/lib/onboard.ts 22%

Updated July 04, 2026 10:55 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: onboard-resume, onboard-repair, cloud-onboard, rebuild-openclaw, network-policy, openclaw-inference-switch, hermes-inference-switch, device-auth-health, channels-add-remove, messaging-providers, issue-4434-tui-unreachable-inference, issue-4462-scope-upgrade-approval, shields-config, sandbox-images-and-e2e/build-sandbox-images, sandbox-images-and-e2e/test-e2e-sandbox, sandbox-images-and-e2e/test-e2e-gateway-isolation, sandbox-images-and-e2e/runtime-overrides, sandbox-images-and-e2e/build-hermes-sandbox-image
Optional E2E: token-rotation, openclaw-tui-chat-correlation, openshell-gateway-upgrade

Dispatch hint: onboard-resume,onboard-repair,cloud-onboard,rebuild-openclaw,network-policy,openclaw-inference-switch,hermes-inference-switch,device-auth-health,channels-add-remove,messaging-providers,issue-4434-tui-unreachable-inference,issue-4462-scope-upgrade-approval,shields-config

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • onboard-resume (medium): Required by the onboarding resume rule because src/lib/onboard/machine live slice orchestration, handlers, provider inference, and state transition code changed. Unit/runtime-boundary tests are not sufficient for these resume paths.
  • onboard-repair (high): Required by the onboarding resume rule because the same onboarding state-machine and recovery/repair paths changed, including sandbox handler and provider recovery behavior.
  • cloud-onboard (high): Hosted full onboarding can be affected by changes to onboard.ts, provider metadata/remote inference, sandbox create/launch, OpenClaw runtime image pins, and Dockerfile patches.
  • rebuild-openclaw (high): Sandbox rebuild/recreate/resume pipeline files, stale recovery fixtures, registry rollback, provider preflight, target staging, and OpenClaw runtime image behavior changed; the live rebuild flow should block merge.
  • network-policy (medium): Dockerfile fetch-guard/proxy patches and policy presets can affect sandbox egress enforcement and host-gateway/web_fetch behavior; live allow/deny probes are required.
  • openclaw-inference-switch (high): OpenClaw provider routing, remote inference provider metadata, compatible provider handling, and the e2e matrix/secrets for NVIDIA provider switching changed.
  • hermes-inference-switch (high): Hermes base-image resolution, Hermes Dockerfile/runtime image, and the Hermes inference-switch workflow matrix changed; this covers the Hermes assistant routing boundary.
  • device-auth-health (medium): Auto-pair approval, OpenClaw device approval/self-approval patches, and device-auth health workflow/test inputs changed; this is a credential/security boundary.
  • channels-add-remove (high): Messaging channel manifests, metadata, build applier, credential handling, and the channel add/remove live test were changed. This validates real channel lifecycle, rebuild, gateway credential reuse, policy-list, and cleanup.
  • messaging-providers (medium): Provider manifests and messaging runtime proof helpers changed across Slack/Telegram/Discord/Teams/WeChat/WhatsApp surfaces; this covers real provider configuration/runtime behavior.
  • issue-4434-tui-unreachable-inference (medium): The PR changes the OpenClaw issue-4434 diagnostics patch, TUI unreachable inference live test, and OpenClaw runtime patching. The regression needs the assembled runtime boundary.
  • issue-4462-scope-upgrade-approval (medium): Device approval/self-approval patches, scope upgrade fixture, and OpenClaw version/runtime behavior changed. This validates scope upgrade approval at the live OpenShell/OpenClaw boundary.
  • shields-config (medium): Mutable config permissions, shields/OpenClaw transition behavior, Dockerfile runtime hardening, and security docs/policy changed. This covers the live shields configuration boundary.
  • sandbox-images-and-e2e/build-sandbox-images (medium): Production Dockerfile, base image resolution, build-arg validation, OpenClaw pinning, and image provenance changed; the production image must be built in the sandbox-images workflow.
  • sandbox-images-and-e2e/test-e2e-sandbox (medium): The production image and OpenClaw runtime patches changed; the containerized sandbox E2E smoke should validate the assembled OpenClaw sandbox test image.
  • sandbox-images-and-e2e/test-e2e-gateway-isolation (medium): Dockerfile network/proxy hardening, OpenClaw fetch patches, and production image build behavior can affect gateway isolation boundaries.
  • sandbox-images-and-e2e/runtime-overrides (medium): Runtime override behavior depends on the assembled production image and sandbox lifecycle code, both of which changed.
  • sandbox-images-and-e2e/build-hermes-sandbox-image (high): Hermes Dockerfile, base image resolution, and build-arg validation changed. This job also runs Hermes sandbox secret-boundary and root-entrypoint smoke checks against the built image.

Optional E2E

  • token-rotation (medium): Credential env, sandbox state, and registry changes are adjacent to token rotation. Useful extra confidence, but device-auth-health and onboarding/rebuild cover the primary changed boundaries.
  • openclaw-tui-chat-correlation (medium): OpenClaw runtime version/patching and chat-send patch changes could affect TUI/chat correlation. Recommended if time permits after the required runtime and inference jobs.
  • openshell-gateway-upgrade (medium): Gateway drift/preflight and rebuild handoff changes are adjacent to gateway upgrade behavior; run for extra confidence if the PR is expected to interact with existing gateways.

New E2E recommendations

  • production Docker build-arg guard (medium): This PR adds scripts/check-production-build-args.sh and wires it into several image workflows. Existing workflow-boundary/unit tests help, but there is no dedicated live E2E that attempts rejected production Docker build args and proves the guard cannot be bypassed in the real workflow build step.
    • Suggested test: Add a workflow-boundary/live build-guard E2E that runs the production image build command with disallowed OPENCLAW_VERSION/legacy fixture/pin override arguments and asserts the guard fails before docker build.
  • OpenClaw reviewed-provenance marker reuse (high): The Dockerfile now conditionally reuses reviewed base runtime only when provenance markers match. Unit/integration checks can validate file content, but live coverage should prove a malicious or stale custom BASE_IMAGE cannot skip reinstall in an assembled image build.
    • Suggested test: Add a sandbox image E2E that builds from a fixture base with a mismatched or symlinked openclaw-base-provenance marker and asserts the final image reinstalls or fails safely.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: onboard-resume,onboard-repair,cloud-onboard,rebuild-openclaw,network-policy,openclaw-inference-switch,hermes-inference-switch,device-auth-health,channels-add-remove,messaging-providers,issue-4434-tui-unreachable-inference,issue-4462-scope-upgrade-approval,shields-config

@github-actions

github-actions Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: issue-4434-tui-unreachable-inference-vitest, openclaw-tui-chat-correlation-vitest, rebuild-openclaw-vitest, ubuntu-repo-cloud-openclaw, upgrade-stale-sandbox-vitest, onboard-resume-vitest, onboard-repair-vitest, state-backup-restore-vitest, messaging-providers-vitest, channels-stop-start-vitest, brave-search-vitest, diagnostics-vitest, cron-preflight-inference-local-vitest
Optional Vitest E2E scenarios: token-rotation-vitest

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-4434-tui-unreachable-inference-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=rebuild-openclaw-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=upgrade-stale-sandbox-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=state-backup-restore-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=messaging-providers-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=channels-stop-start-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=brave-search-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=diagnostics-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=cron-preflight-inference-local-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • issue-4434-tui-unreachable-inference-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/issue-4434-tui-unreachable-inference.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-4434-tui-unreachable-inference-vitest
  • openclaw-tui-chat-correlation-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation-vitest
  • rebuild-openclaw-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/rebuild-openclaw.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=rebuild-openclaw-vitest
  • ubuntu-repo-cloud-openclaw: Baseline live-supported OpenClaw scenario for the OpenClaw version bump, Dockerfile/base-image runtime changes, manifest expected_version update, and onboarding/build-context changes.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw
  • upgrade-stale-sandbox-vitest: Dockerfile and Dockerfile.base add legacy OpenClaw fixture pins and stale-base upgrade safeguards that are specifically exercised by the stale sandbox upgrade lane.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=upgrade-stale-sandbox-vitest
  • onboard-resume-vitest: Onboarding resume/provider recovery/session bootstrap paths changed; the onboarding resume compatibility rule requires this live Vitest job.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • onboard-repair-vitest: The onboarding resume/provider recovery changes can affect repair/backstop behavior from persisted sessions, so repair coverage is required with resume.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest
  • state-backup-restore-vitest: Sandbox backup-on-recreate, rebuild state preservation, and sandbox state code changed; this job validates live backup/restore behavior.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=state-backup-restore-vitest
  • messaging-providers-vitest: Messaging channel manifests, metadata, manifest types, and build applier code changed; this job exercises provider rendering and placeholder contracts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=messaging-providers-vitest
  • channels-stop-start-vitest: The PR changes the shared channels-stop/start live helper and messaging channel surfaces; this wired job is the direct live coverage.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=channels-stop-start-vitest
  • brave-search-vitest: The Dockerfile changes reviewed OpenClaw plugin integrity/install paths for the Brave plugin and web-search build args, which this job exercises.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=brave-search-vitest
  • diagnostics-vitest: The OpenClaw diagnostics/OTEL plugin install path and diagnostics patching changed; this job validates the live diagnostics surface.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=diagnostics-vitest
  • cron-preflight-inference-local-vitest: The Dockerfile updates the OpenClaw cron model-provider preflight proxy patch for the new OpenClaw runtime; this job is the targeted live guard.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=cron-preflight-inference-local-vitest

Optional Vitest E2E scenarios

  • token-rotation-vitest: Adjacent messaging credential/runtime coverage for the channel metadata and provider-manifest changes; useful if reviewer wants extra credential lifecycle assurance.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=token-rotation-vitest

Relevant changed files

  • Dockerfile
  • Dockerfile.base
  • agents/openclaw/manifest.yaml
  • scripts/check-production-build-args.sh
  • scripts/patch-openclaw-chat-send.js
  • scripts/patch-openclaw-issue-4434-diagnostics.ts
  • src/lib/actions/sandbox/rebuild-env-isolation.ts
  • src/lib/actions/sandbox/rebuild-flow-helpers.ts
  • src/lib/actions/sandbox/rebuild-resume-config.ts
  • src/lib/actions/sandbox/rebuild-resume-session.ts
  • src/lib/actions/sandbox/rebuild.ts
  • src/lib/messaging/applier/build/messaging-build-applier.mts
  • src/lib/messaging/channels/discord/manifest.ts
  • src/lib/messaging/channels/metadata.ts
  • src/lib/messaging/channels/slack/manifest.ts
  • src/lib/messaging/channels/teams/manifest.ts
  • src/lib/messaging/channels/wechat/manifest.ts
  • src/lib/messaging/channels/whatsapp/manifest.ts
  • src/lib/messaging/manifest/types.ts
  • src/lib/onboard.ts
  • src/lib/onboard/provider-recovery.ts
  • src/lib/onboard/sandbox-backup-on-recreate.ts
  • src/lib/onboard/setup-nim-selection.ts
  • src/lib/sandbox/build-context.ts
  • src/lib/state/sandbox.ts
  • test/e2e-scenario/live/channels-stop-start-helpers.ts
  • test/e2e-scenario/live/issue-4434-tui-unreachable-inference.test.ts
  • test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e-scenario/live/rebuild-openclaw.test.ts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
Dockerfile (1)

39-40: 🧹 Nitpick | 🔵 Trivial

Run the Dockerfile-targeted E2E suite before merge.

These changes are in image-build and runtime patch wiring paths; please run the recommended cloud-e2e,sandbox-survival-e2e,hermes-e2e,rebuild-openclaw-e2e,openclaw-tui-chat-correlation-e2e workflow set to validate real container behavior.
As per coding guidelines, "Dockerfile ... changes are only testable with a real container build" and the listed nightly-e2e jobs are the recommended selective run set.

Also applies to: 126-126, 510-517

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 39 - 40, This is not a code fix but rather a
validation requirement: before merging the Dockerfile changes to
OPENCLAW_VERSION and OPENCLAW_2026_6_9_INTEGRITY (and the related changes at
lines 126 and 510-517), you must run the recommended E2E test workflow set
including cloud-e2e, sandbox-survival-e2e, hermes-e2e, rebuild-openclaw-e2e, and
openclaw-tui-chat-correlation-e2e to validate that the container builds
successfully and the runtime behavior remains correct with these new version and
integrity hash values. Dockerfile changes are only verifiable through actual
container builds and the specified nightly-e2e job set is the recommended
selective test suite for this type of change.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/test-issue-4434-tui-unreachable-inference.sh`:
- Line 26: The EXPECTED_OPENCLAW_VERSION variable assignment on line 26 can
resolve to an empty value, which causes the version verification check using
grep on line 111 to always succeed when given an empty pattern. Add a guard
after line 26 to ensure EXPECTED_OPENCLAW_VERSION is not empty and fail
appropriately if it is. Additionally, update the grep command on line 111 to use
fixed-string matching (grep -F flag) instead of regular expression matching to
properly validate the literal semver value as a fixed string rather than a
pattern.

In `@test/e2e/test-openclaw-tui-chat-correlation.sh`:
- Line 20: The EXPECTED_OPENCLAW_VERSION variable assignment at line 20 can
resolve to an empty string if the sed extraction from Dockerfile.base fails,
which causes the grep assertion at line 50 to become ineffective since grep -Fq
will match empty strings. Add validation immediately after the
EXPECTED_OPENCLAW_VERSION assignment to check that the variable is not empty,
and use a conditional to exit with an error message if the version extraction
fails, ensuring the pinned-version assertion on lines 50-51 actually validates
something meaningful.

---

Nitpick comments:
In `@Dockerfile`:
- Around line 39-40: This is not a code fix but rather a validation requirement:
before merging the Dockerfile changes to OPENCLAW_VERSION and
OPENCLAW_2026_6_9_INTEGRITY (and the related changes at lines 126 and 510-517),
you must run the recommended E2E test workflow set including cloud-e2e,
sandbox-survival-e2e, hermes-e2e, rebuild-openclaw-e2e, and
openclaw-tui-chat-correlation-e2e to validate that the container builds
successfully and the runtime behavior remains correct with these new version and
integrity hash values. Dockerfile changes are only verifiable through actual
container builds and the specified nightly-e2e job set is the recommended
selective test suite for this type of change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 29550b71-4be1-4bd2-9f64-bf03e6dd372e

📥 Commits

Reviewing files that changed from the base of the PR and between 32d5008 and 83dc191.

📒 Files selected for processing (10)
  • Dockerfile
  • Dockerfile.base
  • agents/openclaw/manifest.yaml
  • nemoclaw/package.json
  • scripts/patch-openclaw-chat-send.js
  • test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e/test-issue-4434-tui-unreachable-inference.sh
  • test/e2e/test-openclaw-tui-chat-correlation.sh
  • test/fetch-guard-patch-regression.test.ts
  • test/openclaw-chat-send-patch.test.ts

Comment thread test/e2e/test-issue-4434-tui-unreachable-inference.sh Outdated
Comment thread test/e2e/test-openclaw-tui-chat-correlation.sh Outdated
@github-actions

github-actions Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Pin floating Docker actions in the package-write GHCR workflow.
Open items: 0 required · 1 warning · 1 suggestion · 4 test follow-ups
Since last review: 0 prior items resolved · 2 still apply · 0 new items found

Action checklist

  • PRA-1 Resolve or justify: Pin floating Docker actions in the package-write GHCR workflow in .github/workflows/base-image.yaml:55
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Acceptance clause
  • PRA-2 In-scope improvement: Shrink duplicate non-interactive detection in the touched destroy hotspot in src/lib/actions/sandbox/destroy.ts:82

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify security .github/workflows/base-image.yaml:55 Pin `docker/setup-qemu-action`, `docker/setup-buildx-action`, and `docker/metadata-action` to full 40-character commit SHAs in both `build-and-push` jobs, or add an explicit repository policy exception documenting why floating tags are accepted for this package-write workflow.
PRA-2 Improvement architecture src/lib/actions/sandbox/destroy.ts:82 If feasible in this PR, extract a small shared helper such as `src/lib/core/non-interactive.ts` and update `destroy.ts` plus the existing onboard caller to use it. Preserve destroy's exact environment-only behavior and onboarding's `NON_INTERACTIVE || env` behavior.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 1 in-scope improvement

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Pin floating Docker actions in the package-write GHCR workflow

  • Location: .github/workflows/base-image.yaml:55
  • Category: security
  • Problem: The base-image publishing workflow still uses `docker/setup-qemu-action@v4`, `docker/setup-buildx-action@v4`, and `docker/metadata-action@v6` in both image-publishing jobs while the workflow grants `permissions.packages: write` and logs into GHCR with `secrets.GITHUB_TOKEN`.
  • Impact: If any floating Docker action tag is retargeted or compromised, attacker-controlled action code can run in a trusted package-write workflow and publish a poisoned NemoClaw sandbox base image consumed by downstream production builds.
  • Recommended action: Pin `docker/setup-qemu-action`, `docker/setup-buildx-action`, and `docker/metadata-action` to full 40-character commit SHAs in both `build-and-push` jobs, or add an explicit repository policy exception documenting why floating tags are accepted for this package-write workflow.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read `.github/workflows/base-image.yaml` and confirm the QEMU, Buildx, and metadata `uses:` refs near lines 55, 58, 69, 126, 129, and 140 are full 40-character SHAs rather than `@v4` or `@v6` tags.
  • Missing regression test: Add a workflow-contract test that parses `.github/workflows/base-image.yaml` and rejects non-SHA third-party `uses:` refs in jobs that request `packages: write` or publish images to GHCR.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `.github/workflows/base-image.yaml` and confirm the QEMU, Buildx, and metadata `uses:` refs near lines 55, 58, 69, 126, 129, and 140 are full 40-character SHAs rather than `@v4` or `@v6` tags.
  • Evidence: `permissions.packages: write` is set at line 35; GHCR login uses `secrets.GITHUB_TOKEN` at lines 65 and 136; Docker setup/metadata actions remain floating at lines 55, 58, 69, 126, 129, and 140.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-2 Improvement — Shrink duplicate non-interactive detection in the touched destroy hotspot

  • Location: src/lib/actions/sandbox/destroy.ts:82
  • Category: architecture
  • Problem: `destroy.ts` still carries a local `isNonInteractive()` helper with a comment saying it mirrors `src/lib/onboard.ts` and should be lifted to `src/lib/core/`. This PR touches and grows the destroy lifecycle file, so the duplicate prompt contract remains local drift in a changed sandbox lifecycle hotspot.
  • Impact: If the non-interactive contract changes in onboarding or a related lazy-require path without the destroy copy changing, destroy prompt behavior or gateway cleanup defaults can diverge and surprise automation.
  • Suggested action: If feasible in this PR, extract a small shared helper such as `src/lib/core/non-interactive.ts` and update `destroy.ts` plus the existing onboard caller to use it. Preserve destroy's exact environment-only behavior and onboarding's `NON_INTERACTIVE || env` behavior.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Compare `src/lib/actions/sandbox/destroy.ts:82-87` with `src/lib/onboard.ts` around its `NON_INTERACTIVE` and `NEMOCLAW_NON_INTERACTIVE` handling and confirm there is one shared core helper rather than two local implementations.
  • Missing regression test: Add focused unit coverage proving destroy preserves the gateway without prompting when `NEMOCLAW_NON_INTERACTIVE=1`, while onboarding still treats either its `--non-interactive` state or the environment variable as non-interactive.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: `destroy.ts` defines `function isNonInteractive(): boolean { return process.env.NEMOCLAW_NON_INTERACTIVE === "1"; }` and its comment says the canonical helper should be lifted; `src/lib/onboard.ts` separately handles `NON_INTERACTIVE || process.env.NEMOCLAW_NON_INTERACTIVE === "1"`.
Simplification opportunities: 1 possible cut

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-2 shrink (src/lib/actions/sandbox/destroy.ts:82): Remove the duplicated local helper and drift comment from `destroy.ts`.
    • Replacement: Use a shared core helper that can express destroy's environment-only check and onboarding's flag-or-environment check without importing onboard from a sibling action.
    • Safety boundary: Do not change prompt safety defaults: destroy must still preserve the shared gateway in non-interactive, `--yes`, or `--force` paths unless cleanup was explicitly requested.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Workflow contract: `.github/workflows/base-image.yaml` package-write GHCR jobs reject non-SHA third-party `uses:` refs.. The PR changes Dockerfiles, workflow trusted-code boundaries, OpenClaw compiled-runtime monkeypatches, sandbox lifecycle recovery, and assembled image behavior. Static/unit/integration coverage is extensive, but final confidence still depends on targeted runtime validation of the built images and workflow contract.
  • PRA-T2 Runtime validation — Assembled `nemoclaw-production` image reports OpenClaw `2026.6.10` and in-image fetch/chat/device/[DGX Spark][CLI&UX] openclaw tui shows indefinite spinner with no error when inference endpoint is unreachable #4434 patch audits pass.. The PR changes Dockerfiles, workflow trusted-code boundaries, OpenClaw compiled-runtime monkeypatches, sandbox lifecycle recovery, and assembled image behavior. Static/unit/integration coverage is extensive, but final confidence still depends on targeted runtime validation of the built images and workflow contract.
  • PRA-T3 Runtime validation — Assembled `nemoclaw-production` image has reviewed OpenClaw plugins installed from verified local archives with npm lifecycle scripts disabled.. The PR changes Dockerfiles, workflow trusted-code boundaries, OpenClaw compiled-runtime monkeypatches, sandbox lifecycle recovery, and assembled image behavior. Static/unit/integration coverage is extensive, but final confidence still depends on targeted runtime validation of the built images and workflow contract.
  • PRA-T4 Acceptance clause — No deterministic linked issue acceptance clauses were available for this review. — add test evidence or identify existing coverage. The validation context reports `linkedIssues: []`. PR-body references such as `Refs [NemoClaw] Dependency Updates (Hermes, OpenShell, OpenClaw) #5591` and the dependency-review note's acceptance mapping were treated as untrusted scope evidence rather than literal linked-issue clauses.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Pin floating Docker actions in the package-write GHCR workflow

  • Location: .github/workflows/base-image.yaml:55
  • Category: security
  • Problem: The base-image publishing workflow still uses `docker/setup-qemu-action@v4`, `docker/setup-buildx-action@v4`, and `docker/metadata-action@v6` in both image-publishing jobs while the workflow grants `permissions.packages: write` and logs into GHCR with `secrets.GITHUB_TOKEN`.
  • Impact: If any floating Docker action tag is retargeted or compromised, attacker-controlled action code can run in a trusted package-write workflow and publish a poisoned NemoClaw sandbox base image consumed by downstream production builds.
  • Recommended action: Pin `docker/setup-qemu-action`, `docker/setup-buildx-action`, and `docker/metadata-action` to full 40-character commit SHAs in both `build-and-push` jobs, or add an explicit repository policy exception documenting why floating tags are accepted for this package-write workflow.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read `.github/workflows/base-image.yaml` and confirm the QEMU, Buildx, and metadata `uses:` refs near lines 55, 58, 69, 126, 129, and 140 are full 40-character SHAs rather than `@v4` or `@v6` tags.
  • Missing regression test: Add a workflow-contract test that parses `.github/workflows/base-image.yaml` and rejects non-SHA third-party `uses:` refs in jobs that request `packages: write` or publish images to GHCR.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `.github/workflows/base-image.yaml` and confirm the QEMU, Buildx, and metadata `uses:` refs near lines 55, 58, 69, 126, 129, and 140 are full 40-character SHAs rather than `@v4` or `@v6` tags.
  • Evidence: `permissions.packages: write` is set at line 35; GHCR login uses `secrets.GITHUB_TOKEN` at lines 65 and 136; Docker setup/metadata actions remain floating at lines 55, 58, 69, 126, 129, and 140.

PRA-2 Improvement — Shrink duplicate non-interactive detection in the touched destroy hotspot

  • Location: src/lib/actions/sandbox/destroy.ts:82
  • Category: architecture
  • Problem: `destroy.ts` still carries a local `isNonInteractive()` helper with a comment saying it mirrors `src/lib/onboard.ts` and should be lifted to `src/lib/core/`. This PR touches and grows the destroy lifecycle file, so the duplicate prompt contract remains local drift in a changed sandbox lifecycle hotspot.
  • Impact: If the non-interactive contract changes in onboarding or a related lazy-require path without the destroy copy changing, destroy prompt behavior or gateway cleanup defaults can diverge and surprise automation.
  • Suggested action: If feasible in this PR, extract a small shared helper such as `src/lib/core/non-interactive.ts` and update `destroy.ts` plus the existing onboard caller to use it. Preserve destroy's exact environment-only behavior and onboarding's `NON_INTERACTIVE || env` behavior.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Compare `src/lib/actions/sandbox/destroy.ts:82-87` with `src/lib/onboard.ts` around its `NON_INTERACTIVE` and `NEMOCLAW_NON_INTERACTIVE` handling and confirm there is one shared core helper rather than two local implementations.
  • Missing regression test: Add focused unit coverage proving destroy preserves the gateway without prompting when `NEMOCLAW_NON_INTERACTIVE=1`, while onboarding still treats either its `--non-interactive` state or the environment variable as non-interactive.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: `destroy.ts` defines `function isNonInteractive(): boolean { return process.env.NEMOCLAW_NON_INTERACTIVE === "1"; }` and its comment says the canonical helper should be lifted; `src/lib/onboard.ts` separately handles `NON_INTERACTIVE || process.env.NEMOCLAW_NON_INTERACTIVE === "1"`.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@ericksoa ericksoa self-assigned this Jun 22, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27974744043
Target ref: dep/openclaw-2026.6.9
Requested jobs: all (no filter)
Summary: 43 passed, 22 failed, 0 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ❌ failure
bedrock-runtime-compatible-anthropic-e2e ✅ success
brave-search-e2e ✅ success
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ✅ success
channels-stop-start-openclaw-e2e ❌ failure
cloud-e2e ❌ failure
cloud-inference-e2e ❌ failure
cloud-onboard-e2e ❌ failure
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ✅ success
cron-preflight-inference-local-e2e ✅ success
device-auth-health-e2e ✅ success
diagnostics-e2e ✅ success
docs-validation-e2e ✅ success
double-onboard-e2e ✅ success
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ✅ success
hermes-dashboard-e2e ✅ success
hermes-discord-e2e ✅ success
hermes-e2e ✅ success
hermes-inference-switch-e2e ✅ success
hermes-onboard-security-posture-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ✅ success
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ✅ success
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ✅ success
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ✅ success
launchable-smoke-e2e ❌ failure
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ❌ failure
network-policy-e2e ✅ success
onboard-negative-paths-e2e ✅ success
onboard-repair-e2e ❌ failure
onboard-resume-e2e ✅ success
openclaw-anthropic-inference-switch-e2e ✅ success
openclaw-discord-pairing-e2e ❌ failure
openclaw-inference-switch-e2e ❌ failure
openclaw-onboard-security-posture-e2e ❌ failure
openclaw-skill-cli-e2e ✅ success
openclaw-slack-pairing-e2e ✅ success
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ✅ success
overlayfs-autofix-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ✅ success
sandbox-operations-e2e ✅ success
sandbox-survival-e2e ❌ failure
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ✅ success
skill-agent-e2e ✅ success
snapshot-commands-e2e ✅ success
state-backup-restore-e2e ❌ failure
telegram-injection-e2e ✅ success
token-rotation-e2e ❌ failure
tunnel-lifecycle-e2e ✅ success
upgrade-stale-sandbox-e2e ✅ success

Failed jobs: agent-turn-latency-e2e, channels-add-remove-e2e, channels-stop-start-openclaw-e2e, cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, common-egress-agent-e2e, inference-routing-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, launchable-smoke-e2e, messaging-providers-e2e, onboard-repair-e2e, openclaw-discord-pairing-e2e, openclaw-inference-switch-e2e, openclaw-onboard-security-posture-e2e, openclaw-tui-chat-correlation-e2e, rebuild-openclaw-e2e, sandbox-survival-e2e, sessions-agents-cli-e2e, state-backup-restore-e2e, token-rotation-e2e. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27976420827
Target ref: 732d17232daa76dbfa443587cdb68a6fb6ebd70c
Workflow ref: main
Requested jobs: all (no filter)
Summary: 5 passed, 54 failed, 6 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ❌ failure
bedrock-runtime-compatible-anthropic-e2e ⚠️ cancelled
brave-search-e2e ❌ failure
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ❌ failure
channels-stop-start-openclaw-e2e ❌ failure
cloud-e2e ❌ failure
cloud-inference-e2e ❌ failure
cloud-onboard-e2e ❌ failure
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ⚠️ cancelled
credential-migration-e2e ✅ success
credential-sanitization-e2e ❌ failure
cron-preflight-inference-local-e2e ❌ failure
device-auth-health-e2e ❌ failure
diagnostics-e2e ❌ failure
docs-validation-e2e ✅ success
double-onboard-e2e ⚠️ cancelled
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ❌ failure
hermes-dashboard-e2e ❌ failure
hermes-discord-e2e ❌ failure
hermes-e2e ❌ failure
hermes-inference-switch-e2e ❌ failure
hermes-onboard-security-posture-e2e ❌ failure
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ❌ failure
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ⚠️ cancelled
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ❌ failure
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ❌ failure
launchable-smoke-e2e ❌ failure
messaging-compatible-endpoint-e2e ⚠️ cancelled
messaging-providers-e2e ❌ failure
network-policy-e2e ❌ failure
onboard-negative-paths-e2e ❌ failure
onboard-repair-e2e ❌ failure
onboard-resume-e2e ❌ failure
openclaw-anthropic-inference-switch-e2e ❌ failure
openclaw-discord-pairing-e2e ❌ failure
openclaw-inference-switch-e2e ❌ failure
openclaw-onboard-security-posture-e2e ❌ failure
openclaw-skill-cli-e2e ❌ failure
openclaw-slack-pairing-e2e ❌ failure
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ⚠️ cancelled
overlayfs-autofix-e2e ❌ failure
rebuild-hermes-e2e ❌ failure
rebuild-hermes-stale-base-e2e ❌ failure
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ❌ failure
sandbox-operations-e2e ❌ failure
sandbox-survival-e2e ❌ failure
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ❌ failure
skill-agent-e2e ❌ failure
snapshot-commands-e2e ❌ failure
state-backup-restore-e2e ❌ failure
telegram-injection-e2e ❌ failure
token-rotation-e2e ❌ failure
tunnel-lifecycle-e2e ❌ failure
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: agent-turn-latency-e2e, brave-search-e2e, channels-add-remove-e2e, channels-stop-start-hermes-e2e, channels-stop-start-openclaw-e2e, cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, common-egress-agent-e2e, credential-sanitization-e2e, cron-preflight-inference-local-e2e, device-auth-health-e2e, diagnostics-e2e, hermes-anthropic-inference-switch-e2e, hermes-dashboard-e2e, hermes-discord-e2e, hermes-e2e, hermes-inference-switch-e2e, hermes-onboard-security-posture-e2e, hermes-slack-e2e, inference-routing-e2e, issue-4434-tui-unreachable-inference-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, kimi-inference-compat-e2e, launchable-smoke-e2e, messaging-providers-e2e, network-policy-e2e, onboard-negative-paths-e2e, onboard-repair-e2e, onboard-resume-e2e, openclaw-anthropic-inference-switch-e2e, openclaw-discord-pairing-e2e, openclaw-inference-switch-e2e, openclaw-onboard-security-posture-e2e, openclaw-skill-cli-e2e, openclaw-slack-pairing-e2e, openclaw-tui-chat-correlation-e2e, overlayfs-autofix-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e, rebuild-openclaw-e2e, runtime-overrides-e2e, sandbox-operations-e2e, sandbox-survival-e2e, sessions-agents-cli-e2e, shields-config-e2e, skill-agent-e2e, snapshot-commands-e2e, state-backup-restore-e2e, telegram-injection-e2e, token-rotation-e2e, tunnel-lifecycle-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27976652520
Target ref: 41659f51851343794692f80ce75752dcb008714e
Workflow ref: main
Requested jobs: all (no filter)
Summary: 0 passed, 65 failed, 0 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ❌ failure
bedrock-runtime-compatible-anthropic-e2e ❌ failure
brave-search-e2e ❌ failure
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ❌ failure
channels-stop-start-openclaw-e2e ❌ failure
cloud-e2e ❌ failure
cloud-inference-e2e ❌ failure
cloud-onboard-e2e ❌ failure
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ❌ failure
credential-migration-e2e ❌ failure
credential-sanitization-e2e ❌ failure
cron-preflight-inference-local-e2e ❌ failure
device-auth-health-e2e ❌ failure
diagnostics-e2e ❌ failure
docs-validation-e2e ❌ failure
double-onboard-e2e ❌ failure
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ❌ failure
hermes-dashboard-e2e ❌ failure
hermes-discord-e2e ❌ failure
hermes-e2e ❌ failure
hermes-inference-switch-e2e ❌ failure
hermes-onboard-security-posture-e2e ❌ failure
hermes-root-entrypoint-smoke-e2e ❌ failure
hermes-secret-boundary-e2e ❌ failure
hermes-slack-e2e ❌ failure
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ❌ failure
issue-3600-gpu-proof-optional-e2e ❌ failure
issue-4434-tui-unreachable-inference-e2e ❌ failure
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ❌ failure
launchable-smoke-e2e ❌ failure
messaging-compatible-endpoint-e2e ❌ failure
messaging-providers-e2e ❌ failure
network-policy-e2e ❌ failure
onboard-negative-paths-e2e ❌ failure
onboard-repair-e2e ❌ failure
onboard-resume-e2e ❌ failure
openclaw-anthropic-inference-switch-e2e ❌ failure
openclaw-discord-pairing-e2e ❌ failure
openclaw-inference-switch-e2e ❌ failure
openclaw-onboard-security-posture-e2e ❌ failure
openclaw-skill-cli-e2e ❌ failure
openclaw-slack-pairing-e2e ❌ failure
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ❌ failure
overlayfs-autofix-e2e ❌ failure
rebuild-hermes-e2e ❌ failure
rebuild-hermes-stale-base-e2e ❌ failure
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ❌ failure
sandbox-operations-e2e ❌ failure
sandbox-survival-e2e ❌ failure
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ❌ failure
skill-agent-e2e ❌ failure
snapshot-commands-e2e ❌ failure
state-backup-restore-e2e ❌ failure
telegram-injection-e2e ❌ failure
token-rotation-e2e ❌ failure
tunnel-lifecycle-e2e ❌ failure
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: agent-turn-latency-e2e, bedrock-runtime-compatible-anthropic-e2e, brave-search-e2e, channels-add-remove-e2e, channels-stop-start-hermes-e2e, channels-stop-start-openclaw-e2e, cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, common-egress-agent-e2e, concurrent-gateway-ports-e2e, credential-migration-e2e, credential-sanitization-e2e, cron-preflight-inference-local-e2e, device-auth-health-e2e, diagnostics-e2e, docs-validation-e2e, double-onboard-e2e, hermes-anthropic-inference-switch-e2e, hermes-dashboard-e2e, hermes-discord-e2e, hermes-e2e, hermes-inference-switch-e2e, hermes-onboard-security-posture-e2e, hermes-root-entrypoint-smoke-e2e, hermes-secret-boundary-e2e, hermes-slack-e2e, inference-routing-e2e, issue-2478-crash-loop-recovery-e2e, issue-3600-gpu-proof-optional-e2e, issue-4434-tui-unreachable-inference-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, kimi-inference-compat-e2e, launchable-smoke-e2e, messaging-compatible-endpoint-e2e, messaging-providers-e2e, network-policy-e2e, onboard-negative-paths-e2e, onboard-repair-e2e, onboard-resume-e2e, openclaw-anthropic-inference-switch-e2e, openclaw-discord-pairing-e2e, openclaw-inference-switch-e2e, openclaw-onboard-security-posture-e2e, openclaw-skill-cli-e2e, openclaw-slack-pairing-e2e, openclaw-tui-chat-correlation-e2e, openshell-gateway-upgrade-e2e, overlayfs-autofix-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e, rebuild-openclaw-e2e, runtime-overrides-e2e, sandbox-operations-e2e, sandbox-survival-e2e, sessions-agents-cli-e2e, shields-config-e2e, skill-agent-e2e, snapshot-commands-e2e, state-backup-restore-e2e, telegram-injection-e2e, token-rotation-e2e, tunnel-lifecycle-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27976953419
Target ref: 41659f518252dbf05c7ccf8301c053861a4c8307
Workflow ref: main
Requested jobs: all (no filter)
Summary: 5 passed, 54 failed, 6 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ❌ failure
bedrock-runtime-compatible-anthropic-e2e ⚠️ cancelled
brave-search-e2e ❌ failure
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ❌ failure
channels-stop-start-openclaw-e2e ❌ failure
cloud-e2e ❌ failure
cloud-inference-e2e ❌ failure
cloud-onboard-e2e ❌ failure
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ⚠️ cancelled
credential-migration-e2e ✅ success
credential-sanitization-e2e ❌ failure
cron-preflight-inference-local-e2e ❌ failure
device-auth-health-e2e ❌ failure
diagnostics-e2e ❌ failure
docs-validation-e2e ✅ success
double-onboard-e2e ⚠️ cancelled
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ❌ failure
hermes-dashboard-e2e ❌ failure
hermes-discord-e2e ❌ failure
hermes-e2e ❌ failure
hermes-inference-switch-e2e ❌ failure
hermes-onboard-security-posture-e2e ❌ failure
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ❌ failure
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ⚠️ cancelled
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ❌ failure
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ❌ failure
launchable-smoke-e2e ❌ failure
messaging-compatible-endpoint-e2e ⚠️ cancelled
messaging-providers-e2e ❌ failure
network-policy-e2e ❌ failure
onboard-negative-paths-e2e ❌ failure
onboard-repair-e2e ❌ failure
onboard-resume-e2e ❌ failure
openclaw-anthropic-inference-switch-e2e ❌ failure
openclaw-discord-pairing-e2e ❌ failure
openclaw-inference-switch-e2e ❌ failure
openclaw-onboard-security-posture-e2e ❌ failure
openclaw-skill-cli-e2e ❌ failure
openclaw-slack-pairing-e2e ❌ failure
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ⚠️ cancelled
overlayfs-autofix-e2e ❌ failure
rebuild-hermes-e2e ❌ failure
rebuild-hermes-stale-base-e2e ❌ failure
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ❌ failure
sandbox-operations-e2e ❌ failure
sandbox-survival-e2e ❌ failure
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ❌ failure
skill-agent-e2e ❌ failure
snapshot-commands-e2e ❌ failure
state-backup-restore-e2e ❌ failure
telegram-injection-e2e ❌ failure
token-rotation-e2e ❌ failure
tunnel-lifecycle-e2e ❌ failure
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: agent-turn-latency-e2e, brave-search-e2e, channels-add-remove-e2e, channels-stop-start-hermes-e2e, channels-stop-start-openclaw-e2e, cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, common-egress-agent-e2e, credential-sanitization-e2e, cron-preflight-inference-local-e2e, device-auth-health-e2e, diagnostics-e2e, hermes-anthropic-inference-switch-e2e, hermes-dashboard-e2e, hermes-discord-e2e, hermes-e2e, hermes-inference-switch-e2e, hermes-onboard-security-posture-e2e, hermes-slack-e2e, inference-routing-e2e, issue-4434-tui-unreachable-inference-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, kimi-inference-compat-e2e, launchable-smoke-e2e, messaging-providers-e2e, network-policy-e2e, onboard-negative-paths-e2e, onboard-repair-e2e, onboard-resume-e2e, openclaw-anthropic-inference-switch-e2e, openclaw-discord-pairing-e2e, openclaw-inference-switch-e2e, openclaw-onboard-security-posture-e2e, openclaw-skill-cli-e2e, openclaw-slack-pairing-e2e, openclaw-tui-chat-correlation-e2e, overlayfs-autofix-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e, rebuild-openclaw-e2e, runtime-overrides-e2e, sandbox-operations-e2e, sandbox-survival-e2e, sessions-agents-cli-e2e, shields-config-e2e, skill-agent-e2e, snapshot-commands-e2e, state-backup-restore-e2e, telegram-injection-e2e, token-rotation-e2e, tunnel-lifecycle-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27977193069
Target ref: 00bdf5ae052e6b587dcc29c6576d68f6dedb7786
Workflow ref: main
Requested jobs: all (no filter)
Summary: 5 passed, 54 failed, 6 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ❌ failure
bedrock-runtime-compatible-anthropic-e2e ⚠️ cancelled
brave-search-e2e ❌ failure
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ❌ failure
channels-stop-start-openclaw-e2e ❌ failure
cloud-e2e ❌ failure
cloud-inference-e2e ❌ failure
cloud-onboard-e2e ❌ failure
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ⚠️ cancelled
credential-migration-e2e ✅ success
credential-sanitization-e2e ❌ failure
cron-preflight-inference-local-e2e ❌ failure
device-auth-health-e2e ❌ failure
diagnostics-e2e ❌ failure
docs-validation-e2e ✅ success
double-onboard-e2e ⚠️ cancelled
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ❌ failure
hermes-dashboard-e2e ❌ failure
hermes-discord-e2e ❌ failure
hermes-e2e ❌ failure
hermes-inference-switch-e2e ❌ failure
hermes-onboard-security-posture-e2e ❌ failure
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ❌ failure
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ⚠️ cancelled
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ❌ failure
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ❌ failure
launchable-smoke-e2e ❌ failure
messaging-compatible-endpoint-e2e ⚠️ cancelled
messaging-providers-e2e ❌ failure
network-policy-e2e ❌ failure
onboard-negative-paths-e2e ❌ failure
onboard-repair-e2e ❌ failure
onboard-resume-e2e ❌ failure
openclaw-anthropic-inference-switch-e2e ❌ failure
openclaw-discord-pairing-e2e ❌ failure
openclaw-inference-switch-e2e ❌ failure
openclaw-onboard-security-posture-e2e ❌ failure
openclaw-skill-cli-e2e ❌ failure
openclaw-slack-pairing-e2e ❌ failure
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ⚠️ cancelled
overlayfs-autofix-e2e ❌ failure
rebuild-hermes-e2e ❌ failure
rebuild-hermes-stale-base-e2e ❌ failure
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ❌ failure
sandbox-operations-e2e ❌ failure
sandbox-survival-e2e ❌ failure
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ❌ failure
skill-agent-e2e ❌ failure
snapshot-commands-e2e ❌ failure
state-backup-restore-e2e ❌ failure
telegram-injection-e2e ❌ failure
token-rotation-e2e ❌ failure
tunnel-lifecycle-e2e ❌ failure
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: agent-turn-latency-e2e, brave-search-e2e, channels-add-remove-e2e, channels-stop-start-hermes-e2e, channels-stop-start-openclaw-e2e, cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, common-egress-agent-e2e, credential-sanitization-e2e, cron-preflight-inference-local-e2e, device-auth-health-e2e, diagnostics-e2e, hermes-anthropic-inference-switch-e2e, hermes-dashboard-e2e, hermes-discord-e2e, hermes-e2e, hermes-inference-switch-e2e, hermes-onboard-security-posture-e2e, hermes-slack-e2e, inference-routing-e2e, issue-4434-tui-unreachable-inference-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, kimi-inference-compat-e2e, launchable-smoke-e2e, messaging-providers-e2e, network-policy-e2e, onboard-negative-paths-e2e, onboard-repair-e2e, onboard-resume-e2e, openclaw-anthropic-inference-switch-e2e, openclaw-discord-pairing-e2e, openclaw-inference-switch-e2e, openclaw-onboard-security-posture-e2e, openclaw-skill-cli-e2e, openclaw-slack-pairing-e2e, openclaw-tui-chat-correlation-e2e, overlayfs-autofix-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e, rebuild-openclaw-e2e, runtime-overrides-e2e, sandbox-operations-e2e, sandbox-survival-e2e, sessions-agents-cli-e2e, shields-config-e2e, skill-agent-e2e, snapshot-commands-e2e, state-backup-restore-e2e, telegram-injection-e2e, token-rotation-e2e, tunnel-lifecycle-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@ericksoa ericksoa added dependencies Pull requests that update a dependency file chore Build, CI, dependency, or tooling maintenance integration: openclaw OpenClaw integration behavior area: packaging Packages, images, registries, installers, or distribution area: messaging Messaging channels, bridges, manifests, or channel lifecycle area: inference Inference routing, serving, model selection, or outputs labels Jun 22, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27977524161
Target ref: ce559c3b855745b4e722a28e66c99019532243c7
Workflow ref: main
Requested jobs: all (no filter)
Summary: 8 passed, 54 failed, 3 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ❌ failure
bedrock-runtime-compatible-anthropic-e2e ✅ success
brave-search-e2e ❌ failure
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ❌ failure
channels-stop-start-openclaw-e2e ❌ failure
cloud-e2e ❌ failure
cloud-inference-e2e ❌ failure
cloud-onboard-e2e ❌ failure
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ❌ failure
cron-preflight-inference-local-e2e ❌ failure
device-auth-health-e2e ❌ failure
diagnostics-e2e ❌ failure
docs-validation-e2e ✅ success
double-onboard-e2e ⚠️ cancelled
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ❌ failure
hermes-dashboard-e2e ❌ failure
hermes-discord-e2e ❌ failure
hermes-e2e ❌ failure
hermes-inference-switch-e2e ❌ failure
hermes-onboard-security-posture-e2e ❌ failure
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ❌ failure
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ⚠️ cancelled
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ❌ failure
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ❌ failure
launchable-smoke-e2e ❌ failure
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ❌ failure
network-policy-e2e ❌ failure
onboard-negative-paths-e2e ❌ failure
onboard-repair-e2e ❌ failure
onboard-resume-e2e ❌ failure
openclaw-anthropic-inference-switch-e2e ❌ failure
openclaw-discord-pairing-e2e ❌ failure
openclaw-inference-switch-e2e ❌ failure
openclaw-onboard-security-posture-e2e ❌ failure
openclaw-skill-cli-e2e ❌ failure
openclaw-slack-pairing-e2e ❌ failure
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ⚠️ cancelled
overlayfs-autofix-e2e ❌ failure
rebuild-hermes-e2e ❌ failure
rebuild-hermes-stale-base-e2e ❌ failure
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ❌ failure
sandbox-operations-e2e ❌ failure
sandbox-survival-e2e ❌ failure
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ❌ failure
skill-agent-e2e ❌ failure
snapshot-commands-e2e ❌ failure
state-backup-restore-e2e ❌ failure
telegram-injection-e2e ❌ failure
token-rotation-e2e ❌ failure
tunnel-lifecycle-e2e ❌ failure
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: agent-turn-latency-e2e, brave-search-e2e, channels-add-remove-e2e, channels-stop-start-hermes-e2e, channels-stop-start-openclaw-e2e, cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, common-egress-agent-e2e, credential-sanitization-e2e, cron-preflight-inference-local-e2e, device-auth-health-e2e, diagnostics-e2e, hermes-anthropic-inference-switch-e2e, hermes-dashboard-e2e, hermes-discord-e2e, hermes-e2e, hermes-inference-switch-e2e, hermes-onboard-security-posture-e2e, hermes-slack-e2e, inference-routing-e2e, issue-4434-tui-unreachable-inference-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, kimi-inference-compat-e2e, launchable-smoke-e2e, messaging-providers-e2e, network-policy-e2e, onboard-negative-paths-e2e, onboard-repair-e2e, onboard-resume-e2e, openclaw-anthropic-inference-switch-e2e, openclaw-discord-pairing-e2e, openclaw-inference-switch-e2e, openclaw-onboard-security-posture-e2e, openclaw-skill-cli-e2e, openclaw-slack-pairing-e2e, openclaw-tui-chat-correlation-e2e, overlayfs-autofix-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e, rebuild-openclaw-e2e, runtime-overrides-e2e, sandbox-operations-e2e, sandbox-survival-e2e, sessions-agents-cli-e2e, shields-config-e2e, skill-agent-e2e, snapshot-commands-e2e, state-backup-restore-e2e, telegram-injection-e2e, token-rotation-e2e, tunnel-lifecycle-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27978429157
Target ref: aafabd5c87e37ac194ecae5f7b07ae7135a58b75
Workflow ref: main
Requested jobs: all (no filter)
Summary: 5 passed, 54 failed, 6 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ❌ failure
bedrock-runtime-compatible-anthropic-e2e ⚠️ cancelled
brave-search-e2e ❌ failure
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ❌ failure
channels-stop-start-openclaw-e2e ❌ failure
cloud-e2e ❌ failure
cloud-inference-e2e ❌ failure
cloud-onboard-e2e ❌ failure
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ⚠️ cancelled
credential-migration-e2e ✅ success
credential-sanitization-e2e ❌ failure
cron-preflight-inference-local-e2e ❌ failure
device-auth-health-e2e ❌ failure
diagnostics-e2e ❌ failure
docs-validation-e2e ✅ success
double-onboard-e2e ⚠️ cancelled
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ❌ failure
hermes-dashboard-e2e ❌ failure
hermes-discord-e2e ❌ failure
hermes-e2e ❌ failure
hermes-inference-switch-e2e ❌ failure
hermes-onboard-security-posture-e2e ❌ failure
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ❌ failure
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ⚠️ cancelled
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ❌ failure
issue-4462-gateway-pinned-approval-characterization-e2e ❌ failure
issue-4462-scope-upgrade-approval-e2e ❌ failure
kimi-inference-compat-e2e ❌ failure
launchable-smoke-e2e ❌ failure
messaging-compatible-endpoint-e2e ⚠️ cancelled
messaging-providers-e2e ❌ failure
network-policy-e2e ❌ failure
onboard-negative-paths-e2e ❌ failure
onboard-repair-e2e ❌ failure
onboard-resume-e2e ❌ failure
openclaw-anthropic-inference-switch-e2e ❌ failure
openclaw-discord-pairing-e2e ❌ failure
openclaw-inference-switch-e2e ❌ failure
openclaw-onboard-security-posture-e2e ❌ failure
openclaw-skill-cli-e2e ❌ failure
openclaw-slack-pairing-e2e ❌ failure
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ⚠️ cancelled
overlayfs-autofix-e2e ❌ failure
rebuild-hermes-e2e ❌ failure
rebuild-hermes-stale-base-e2e ❌ failure
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ❌ failure
sandbox-operations-e2e ❌ failure
sandbox-survival-e2e ❌ failure
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ❌ failure
skill-agent-e2e ❌ failure
snapshot-commands-e2e ❌ failure
state-backup-restore-e2e ❌ failure
telegram-injection-e2e ❌ failure
token-rotation-e2e ❌ failure
tunnel-lifecycle-e2e ❌ failure
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: agent-turn-latency-e2e, brave-search-e2e, channels-add-remove-e2e, channels-stop-start-hermes-e2e, channels-stop-start-openclaw-e2e, cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, common-egress-agent-e2e, credential-sanitization-e2e, cron-preflight-inference-local-e2e, device-auth-health-e2e, diagnostics-e2e, hermes-anthropic-inference-switch-e2e, hermes-dashboard-e2e, hermes-discord-e2e, hermes-e2e, hermes-inference-switch-e2e, hermes-onboard-security-posture-e2e, hermes-slack-e2e, inference-routing-e2e, issue-4434-tui-unreachable-inference-e2e, issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e, kimi-inference-compat-e2e, launchable-smoke-e2e, messaging-providers-e2e, network-policy-e2e, onboard-negative-paths-e2e, onboard-repair-e2e, onboard-resume-e2e, openclaw-anthropic-inference-switch-e2e, openclaw-discord-pairing-e2e, openclaw-inference-switch-e2e, openclaw-onboard-security-posture-e2e, openclaw-skill-cli-e2e, openclaw-slack-pairing-e2e, openclaw-tui-chat-correlation-e2e, overlayfs-autofix-e2e, rebuild-hermes-e2e, rebuild-hermes-stale-base-e2e, rebuild-openclaw-e2e, runtime-overrides-e2e, sandbox-operations-e2e, sandbox-survival-e2e, sessions-agents-cli-e2e, shields-config-e2e, skill-agent-e2e, snapshot-commands-e2e, state-backup-restore-e2e, telegram-injection-e2e, token-rotation-e2e, tunnel-lifecycle-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27978910665
Target ref: dep/openclaw-2026.6.9
Requested jobs: all (no filter)
Summary: 57 passed, 8 failed, 0 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ✅ success
bedrock-runtime-compatible-anthropic-e2e ✅ success
brave-search-e2e ✅ success
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ✅ success
channels-stop-start-openclaw-e2e ✅ success
cloud-e2e ✅ success
cloud-inference-e2e ✅ success
cloud-onboard-e2e ✅ success
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ✅ success
cron-preflight-inference-local-e2e ✅ success
device-auth-health-e2e ✅ success
diagnostics-e2e ✅ success
docs-validation-e2e ✅ success
double-onboard-e2e ✅ success
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ✅ success
hermes-dashboard-e2e ✅ success
hermes-discord-e2e ✅ success
hermes-e2e ✅ success
hermes-inference-switch-e2e ✅ success
hermes-onboard-security-posture-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ✅ success
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ✅ success
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ✅ success
issue-4462-gateway-pinned-approval-characterization-e2e ✅ success
issue-4462-scope-upgrade-approval-e2e ✅ success
kimi-inference-compat-e2e ✅ success
launchable-smoke-e2e ✅ success
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ✅ success
network-policy-e2e ✅ success
onboard-negative-paths-e2e ✅ success
onboard-repair-e2e ✅ success
onboard-resume-e2e ✅ success
openclaw-anthropic-inference-switch-e2e ✅ success
openclaw-discord-pairing-e2e ✅ success
openclaw-inference-switch-e2e ✅ success
openclaw-onboard-security-posture-e2e ✅ success
openclaw-skill-cli-e2e ✅ success
openclaw-slack-pairing-e2e ✅ success
openclaw-tui-chat-correlation-e2e ✅ success
openshell-gateway-upgrade-e2e ✅ success
overlayfs-autofix-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ✅ success
sandbox-operations-e2e ❌ failure
sandbox-survival-e2e ✅ success
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ✅ success
skill-agent-e2e ❌ failure
snapshot-commands-e2e ✅ success
state-backup-restore-e2e ✅ success
telegram-injection-e2e ✅ success
token-rotation-e2e ✅ success
tunnel-lifecycle-e2e ✅ success
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: channels-add-remove-e2e, common-egress-agent-e2e, inference-routing-e2e, rebuild-openclaw-e2e, sandbox-operations-e2e, sessions-agents-cli-e2e, skill-agent-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27980563206
Target ref: dep/openclaw-2026.6.9
Requested jobs: all (no filter)
Summary: 45 passed, 11 failed, 9 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ✅ success
bedrock-runtime-compatible-anthropic-e2e ✅ success
brave-search-e2e ✅ success
channels-add-remove-e2e ⚠️ cancelled
channels-stop-start-hermes-e2e ✅ success
channels-stop-start-openclaw-e2e ⚠️ cancelled
cloud-e2e ✅ success
cloud-inference-e2e ✅ success
cloud-onboard-e2e ✅ success
common-egress-agent-e2e ⚠️ cancelled
concurrent-gateway-ports-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ✅ success
cron-preflight-inference-local-e2e ✅ success
device-auth-health-e2e ✅ success
diagnostics-e2e ❌ failure
docs-validation-e2e ✅ success
double-onboard-e2e ⚠️ cancelled
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ✅ success
hermes-dashboard-e2e ❌ failure
hermes-discord-e2e ✅ success
hermes-e2e ❌ failure
hermes-inference-switch-e2e ✅ success
hermes-onboard-security-posture-e2e ❌ failure
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ❌ failure
inference-routing-e2e ✅ success
issue-2478-crash-loop-recovery-e2e ⚠️ cancelled
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ✅ success
issue-4462-gateway-pinned-approval-characterization-e2e ✅ success
issue-4462-scope-upgrade-approval-e2e ✅ success
kimi-inference-compat-e2e ❌ failure
launchable-smoke-e2e ✅ success
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ⚠️ cancelled
network-policy-e2e ✅ success
onboard-negative-paths-e2e ✅ success
onboard-repair-e2e ✅ success
onboard-resume-e2e ✅ success
openclaw-anthropic-inference-switch-e2e ✅ success
openclaw-discord-pairing-e2e ✅ success
openclaw-inference-switch-e2e ✅ success
openclaw-onboard-security-posture-e2e ✅ success
openclaw-skill-cli-e2e ✅ success
openclaw-slack-pairing-e2e ✅ success
openclaw-tui-chat-correlation-e2e ❌ failure
openshell-gateway-upgrade-e2e ⚠️ cancelled
overlayfs-autofix-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ✅ success
sandbox-operations-e2e ⚠️ cancelled
sandbox-survival-e2e ❌ failure
sessions-agents-cli-e2e ✅ success
shields-config-e2e ✅ success
skill-agent-e2e ✅ success
snapshot-commands-e2e ✅ success
state-backup-restore-e2e ❌ failure
telegram-injection-e2e ✅ success
token-rotation-e2e ⚠️ cancelled
tunnel-lifecycle-e2e ✅ success
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: diagnostics-e2e, hermes-dashboard-e2e, hermes-e2e, hermes-onboard-security-posture-e2e, hermes-slack-e2e, kimi-inference-compat-e2e, openclaw-tui-chat-correlation-e2e, rebuild-openclaw-e2e, sandbox-survival-e2e, state-backup-restore-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27981428527
Target ref: dep/openclaw-2026.6.9
Requested jobs: all (no filter)
Summary: 52 passed, 13 failed, 0 cancelled, 3 skipped

Job Result
agent-turn-latency-e2e ❌ failure
bedrock-runtime-compatible-anthropic-e2e ✅ success
brave-search-e2e ✅ success
channels-add-remove-e2e ❌ failure
channels-stop-start-hermes-e2e ✅ success
channels-stop-start-openclaw-e2e ❌ failure
cloud-e2e ✅ success
cloud-inference-e2e ✅ success
cloud-onboard-e2e ✅ success
common-egress-agent-e2e ❌ failure
concurrent-gateway-ports-e2e ✅ success
credential-migration-e2e ✅ success
credential-sanitization-e2e ✅ success
cron-preflight-inference-local-e2e ✅ success
device-auth-health-e2e ✅ success
diagnostics-e2e ✅ success
docs-validation-e2e ✅ success
double-onboard-e2e ✅ success
gpu-double-onboard-e2e ⏭️ skipped
gpu-e2e ⏭️ skipped
gpu-jetson-nvmap-e2e ⏭️ skipped
hermes-anthropic-inference-switch-e2e ✅ success
hermes-dashboard-e2e ✅ success
hermes-discord-e2e ✅ success
hermes-e2e ✅ success
hermes-inference-switch-e2e ✅ success
hermes-onboard-security-posture-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success
hermes-secret-boundary-e2e ✅ success
hermes-slack-e2e ✅ success
inference-routing-e2e ❌ failure
issue-2478-crash-loop-recovery-e2e ✅ success
issue-3600-gpu-proof-optional-e2e ✅ success
issue-4434-tui-unreachable-inference-e2e ✅ success
issue-4462-gateway-pinned-approval-characterization-e2e ✅ success
issue-4462-scope-upgrade-approval-e2e ✅ success
kimi-inference-compat-e2e ✅ success
launchable-smoke-e2e ✅ success
messaging-compatible-endpoint-e2e ✅ success
messaging-providers-e2e ❌ failure
network-policy-e2e ❌ failure
onboard-negative-paths-e2e ✅ success
onboard-repair-e2e ❌ failure
onboard-resume-e2e ✅ success
openclaw-anthropic-inference-switch-e2e ✅ success
openclaw-discord-pairing-e2e ✅ success
openclaw-inference-switch-e2e ✅ success
openclaw-onboard-security-posture-e2e ✅ success
openclaw-skill-cli-e2e ✅ success
openclaw-slack-pairing-e2e ✅ success
openclaw-tui-chat-correlation-e2e ✅ success
openshell-gateway-upgrade-e2e ✅ success
overlayfs-autofix-e2e ✅ success
rebuild-hermes-e2e ✅ success
rebuild-hermes-stale-base-e2e ✅ success
rebuild-openclaw-e2e ❌ failure
runtime-overrides-e2e ✅ success
sandbox-operations-e2e ❌ failure
sandbox-survival-e2e ✅ success
sessions-agents-cli-e2e ❌ failure
shields-config-e2e ✅ success
skill-agent-e2e ✅ success
snapshot-commands-e2e ✅ success
state-backup-restore-e2e ✅ success
telegram-injection-e2e ✅ success
token-rotation-e2e ❌ failure
tunnel-lifecycle-e2e ✅ success
upgrade-stale-sandbox-e2e ❌ failure

Failed jobs: agent-turn-latency-e2e, channels-add-remove-e2e, channels-stop-start-openclaw-e2e, common-egress-agent-e2e, inference-routing-e2e, messaging-providers-e2e, network-policy-e2e, onboard-repair-e2e, rebuild-openclaw-e2e, sandbox-operations-e2e, sessions-agents-cli-e2e, token-rotation-e2e, upgrade-stale-sandbox-e2e. Check run artifacts for logs.

@copy-pr-bot

copy-pr-bot Bot commented Jul 4, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28701818159
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 65 passed, 4 failed, 0 cancelled, 5 skipped

Job Result
agent-turn-latency ✅ success
bedrock-runtime-compatible-anthropic ✅ success
brave-search ✅ success
channels-add-remove ✅ success
channels-stop-start ✅ success
cloud-inference ✅ success
cloud-onboard ✅ success
common-egress-agent ✅ success
concurrent-gateway-ports ✅ success
credential-migration ✅ success
credential-sanitization ✅ success
cron-preflight-inference-local ✅ success
device-auth-health ✅ success
diagnostics ✅ success
docs-validation ✅ success
double-onboard ✅ success
full-e2e ❌ failure
gateway-drift-preflight ✅ success
gateway-guard-recovery ✅ success
gateway-health-honest ✅ success
generate-matrix ✅ success
gpu-double-onboard ✅ success
gpu-e2e ✅ success
hermes-dashboard ✅ success
hermes-discord ✅ success
hermes-e2e ✅ success
hermes-gpu-startup ⏭️ skipped
hermes-inference-switch ✅ success
hermes-slack ✅ success
inference-routing ✅ success
issue-2478-crash-loop-recovery ✅ success
issue-4434-tui-unreachable-inference ✅ success
issue-4462-scope-upgrade-approval ❌ failure
jetson-nvmap-gpu ⏭️ skipped
kimi-inference-compat ✅ success
launchable-smoke ✅ success
live ✅ success
mcp-bridge ❌ failure
mcp-bridge-dev ⏭️ skipped
messaging-compatible-endpoint ✅ success
messaging-providers ✅ success
model-router-provider-routed-inference ✅ success
network-policy ✅ success
ollama-auth-proxy ✅ success
onboard-negative-paths ✅ success
onboard-repair ✅ success
onboard-resume ✅ success
openclaw-discord-pairing ✅ success
openclaw-inference-switch ✅ success
openclaw-skill-cli ✅ success
openclaw-slack-pairing ✅ success
openclaw-tui-chat-correlation ✅ success
openshell-gateway-auth-contract ⏭️ skipped
openshell-gateway-upgrade ✅ success
openshell-version-pin ✅ success
overlayfs-autofix ✅ success
rebuild-hermes ✅ success
rebuild-hermes-stale-base ✅ success
rebuild-openclaw ❌ failure
sandbox-operations ✅ success
sandbox-rebuild ✅ success
sandbox-rlimits-connect ⏭️ skipped
sandbox-survival ✅ success
security-posture ✅ success
sessions-agents-cli ✅ success
shields-config ✅ success
skill-agent ✅ success
snapshot-commands ✅ success
spark-install ✅ success
state-backup-restore ✅ success
telegram-injection ✅ success
token-rotation ✅ success
tunnel-lifecycle ✅ success
upgrade-stale-sandbox ✅ success

Explicit-only jobs skipped: openshell-gateway-auth-contract (default dispatch excludes the resource-heavy OpenShell auth-contract probe unless selected; validate with jobs=openshell-gateway-auth-contract or targets=openshell-gateway-auth-contract), mcp-bridge-dev (default dispatch excludes moving OpenShell dev artifacts unless explicitly selected; validate with jobs=mcp-bridge-dev or targets=mcp-bridge-dev), hermes-gpu-startup (default dispatch excludes this explicit-only job unless selected; validate with jobs=hermes-gpu-startup or targets=hermes-gpu-startup), sandbox-rlimits-connect (default dispatch excludes the destructive rlimit fork/connect probe unless selected; validate with jobs=sandbox-rlimits-connect or targets=sandbox-rlimits-connect), jetson-nvmap-gpu (default dispatch excludes Jetson until a stable Jetson runner is available; validate with jobs=jetson-nvmap-gpu or targets=jetson-nvmap-gpu).

Failed jobs: full-e2e, issue-4462-scope-upgrade-approval, mcp-bridge, rebuild-openclaw. Check run artifacts for logs.

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28702387037
Workflow ref: dep/openclaw-2026.6.9
Requested targets: issue-4462-scope-upgrade-approval,rebuild-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
issue-4462-scope-upgrade-approval ✅ success
rebuild-openclaw ✅ success

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 28702496126
Workflow ref: dep/openclaw-2026.6.9
Requested targets: issue-4462-scope-upgrade-approval,rebuild-openclaw
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
issue-4462-scope-upgrade-approval ✅ success
rebuild-openclaw ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28703058981
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: full-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
full-e2e ❌ failure

Failed jobs: full-e2e. Check run artifacts for logs.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28703052490
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval,rebuild-openclaw
Summary: 1 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
issue-4462-scope-upgrade-approval ❌ failure
rebuild-openclaw ✅ success

Failed jobs: issue-4462-scope-upgrade-approval. Check run artifacts for logs.

ericksoa added 3 commits July 4, 2026 03:31
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28703588816
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: full-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
full-e2e ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28703575911
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval,rebuild-openclaw
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
issue-4462-scope-upgrade-approval ✅ success
rebuild-openclaw ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28703787702
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval,rebuild-openclaw
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
issue-4462-scope-upgrade-approval ✅ success
rebuild-openclaw ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All requested jobs passed

Run: 28704016943
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: hermes-dashboard
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
hermes-dashboard ✅ success

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ❌ Some jobs failed

Run: 28703774060
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 68 passed, 1 failed, 0 cancelled, 5 skipped

Job Result
agent-turn-latency ✅ success
bedrock-runtime-compatible-anthropic ✅ success
brave-search ✅ success
channels-add-remove ✅ success
channels-stop-start ✅ success
cloud-inference ✅ success
cloud-onboard ✅ success
common-egress-agent ✅ success
concurrent-gateway-ports ✅ success
credential-migration ✅ success
credential-sanitization ✅ success
cron-preflight-inference-local ✅ success
device-auth-health ✅ success
diagnostics ✅ success
docs-validation ✅ success
double-onboard ✅ success
full-e2e ✅ success
gateway-drift-preflight ✅ success
gateway-guard-recovery ✅ success
gateway-health-honest ✅ success
generate-matrix ✅ success
gpu-double-onboard ✅ success
gpu-e2e ✅ success
hermes-dashboard ❌ failure
hermes-discord ✅ success
hermes-e2e ✅ success
hermes-gpu-startup ⏭️ skipped
hermes-inference-switch ✅ success
hermes-slack ✅ success
inference-routing ✅ success
issue-2478-crash-loop-recovery ✅ success
issue-4434-tui-unreachable-inference ✅ success
issue-4462-scope-upgrade-approval ✅ success
jetson-nvmap-gpu ⏭️ skipped
kimi-inference-compat ✅ success
launchable-smoke ✅ success
live ✅ success
mcp-bridge ✅ success
mcp-bridge-dev ⏭️ skipped
messaging-compatible-endpoint ✅ success
messaging-providers ✅ success
model-router-provider-routed-inference ✅ success
network-policy ✅ success
ollama-auth-proxy ✅ success
onboard-negative-paths ✅ success
onboard-repair ✅ success
onboard-resume ✅ success
openclaw-discord-pairing ✅ success
openclaw-inference-switch ✅ success
openclaw-skill-cli ✅ success
openclaw-slack-pairing ✅ success
openclaw-tui-chat-correlation ✅ success
openshell-gateway-auth-contract ⏭️ skipped
openshell-gateway-upgrade ✅ success
openshell-version-pin ✅ success
overlayfs-autofix ✅ success
rebuild-hermes ✅ success
rebuild-hermes-stale-base ✅ success
rebuild-openclaw ✅ success
sandbox-operations ✅ success
sandbox-rebuild ✅ success
sandbox-rlimits-connect ⏭️ skipped
sandbox-survival ✅ success
security-posture ✅ success
sessions-agents-cli ✅ success
shields-config ✅ success
skill-agent ✅ success
snapshot-commands ✅ success
spark-install ✅ success
state-backup-restore ✅ success
telegram-injection ✅ success
token-rotation ✅ success
tunnel-lifecycle ✅ success
upgrade-stale-sandbox ✅ success

Explicit-only jobs skipped: openshell-gateway-auth-contract (default dispatch excludes the resource-heavy OpenShell auth-contract probe unless selected; validate with jobs=openshell-gateway-auth-contract or targets=openshell-gateway-auth-contract), mcp-bridge-dev (default dispatch excludes moving OpenShell dev artifacts unless explicitly selected; validate with jobs=mcp-bridge-dev or targets=mcp-bridge-dev), hermes-gpu-startup (default dispatch excludes this explicit-only job unless selected; validate with jobs=hermes-gpu-startup or targets=hermes-gpu-startup), sandbox-rlimits-connect (default dispatch excludes the destructive rlimit fork/connect probe unless selected; validate with jobs=sandbox-rlimits-connect or targets=sandbox-rlimits-connect), jetson-nvmap-gpu (default dispatch excludes Jetson until a stable Jetson runner is available; validate with jobs=jetson-nvmap-gpu or targets=jetson-nvmap-gpu).

Failed jobs: hermes-dashboard. Check run artifacts for logs.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All default jobs passed

Run: 28703774060
Workflow ref: dep/openclaw-2026.6.9
Requested targets: (default — all supported)
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 69 passed, 0 failed, 0 cancelled, 5 skipped

Job Result
agent-turn-latency ✅ success
bedrock-runtime-compatible-anthropic ✅ success
brave-search ✅ success
channels-add-remove ✅ success
channels-stop-start ✅ success
cloud-inference ✅ success
cloud-onboard ✅ success
common-egress-agent ✅ success
concurrent-gateway-ports ✅ success
credential-migration ✅ success
credential-sanitization ✅ success
cron-preflight-inference-local ✅ success
device-auth-health ✅ success
diagnostics ✅ success
docs-validation ✅ success
double-onboard ✅ success
full-e2e ✅ success
gateway-drift-preflight ✅ success
gateway-guard-recovery ✅ success
gateway-health-honest ✅ success
generate-matrix ✅ success
gpu-double-onboard ✅ success
gpu-e2e ✅ success
hermes-dashboard ✅ success
hermes-discord ✅ success
hermes-e2e ✅ success
hermes-gpu-startup ⏭️ skipped
hermes-inference-switch ✅ success
hermes-slack ✅ success
inference-routing ✅ success
issue-2478-crash-loop-recovery ✅ success
issue-4434-tui-unreachable-inference ✅ success
issue-4462-scope-upgrade-approval ✅ success
jetson-nvmap-gpu ⏭️ skipped
kimi-inference-compat ✅ success
launchable-smoke ✅ success
live ✅ success
mcp-bridge ✅ success
mcp-bridge-dev ⏭️ skipped
messaging-compatible-endpoint ✅ success
messaging-providers ✅ success
model-router-provider-routed-inference ✅ success
network-policy ✅ success
ollama-auth-proxy ✅ success
onboard-negative-paths ✅ success
onboard-repair ✅ success
onboard-resume ✅ success
openclaw-discord-pairing ✅ success
openclaw-inference-switch ✅ success
openclaw-skill-cli ✅ success
openclaw-slack-pairing ✅ success
openclaw-tui-chat-correlation ✅ success
openshell-gateway-auth-contract ⏭️ skipped
openshell-gateway-upgrade ✅ success
openshell-version-pin ✅ success
overlayfs-autofix ✅ success
rebuild-hermes ✅ success
rebuild-hermes-stale-base ✅ success
rebuild-openclaw ✅ success
sandbox-operations ✅ success
sandbox-rebuild ✅ success
sandbox-rlimits-connect ⏭️ skipped
sandbox-survival ✅ success
security-posture ✅ success
sessions-agents-cli ✅ success
shields-config ✅ success
skill-agent ✅ success
snapshot-commands ✅ success
spark-install ✅ success
state-backup-restore ✅ success
telegram-injection ✅ success
token-rotation ✅ success
tunnel-lifecycle ✅ success
upgrade-stale-sandbox ✅ success

Explicit-only jobs skipped: openshell-gateway-auth-contract (default dispatch excludes the resource-heavy OpenShell auth-contract probe unless selected; validate with jobs=openshell-gateway-auth-contract or targets=openshell-gateway-auth-contract), mcp-bridge-dev (default dispatch excludes moving OpenShell dev artifacts unless explicitly selected; validate with jobs=mcp-bridge-dev or targets=mcp-bridge-dev), hermes-gpu-startup (default dispatch excludes this explicit-only job unless selected; validate with jobs=hermes-gpu-startup or targets=hermes-gpu-startup), sandbox-rlimits-connect (default dispatch excludes the destructive rlimit fork/connect probe unless selected; validate with jobs=sandbox-rlimits-connect or targets=sandbox-rlimits-connect), jetson-nvmap-gpu (default dispatch excludes Jetson until a stable Jetson runner is available; validate with jobs=jetson-nvmap-gpu or targets=jetson-nvmap-gpu).

@ericksoa

ericksoa commented Jul 4, 2026

Copy link
Copy Markdown
Contributor Author

@apurvvkumaria — the requested fixes are complete on final head 5911445d55dfd10b03233b4133195e6d8c8d0e60. Could you please take another look and approve this for v0.0.74?

Final evidence:

  • Ordinary PR matrix: green, including all five CLI shards, static checks, build/typecheck, and the growth guard.
  • Base images and sandbox images/E2E: green at the exact head; both reviewed OpenClaw and locked mcporter provenance reuse paths were exercised.
  • Full exact-head E2E: attempt 2 is green with 78 successful jobs, 5 intentional skips, and 0 failures. Cold onboard-to-first-response was 178.306s against the unchanged 180s budget.
  • Issue #4462 + rebuild-openclaw: both green at the exact head.
  • CodeRabbit is green, GPT advisor reports 0 required / 0 new, all review threads are resolved, and the branch is zero commits behind main.

The attempt-1 Hermes dashboard readiness timeout passed both an isolated exact-head rerun and the in-place failed-job rerun without code changes; both channel restart lanes were also green.

@ericksoa ericksoa added v0.0.75 Release target and removed v0.0.74 Release target labels Jul 4, 2026
@ericksoa ericksoa merged commit 1162e89 into main Jul 4, 2026
366 of 367 checks passed
@ericksoa ericksoa deleted the dep/openclaw-2026.6.9 branch July 4, 2026 14:41
prekshivyas added a commit that referenced this pull request Jul 6, 2026
The second harness in this file (runRuntimeEnvValidation) was not part of the
main-merge conflict, so it kept the pre-merge shape: it ran
validate_hermes_runtime_env_secret_boundary — which main's #5595 changed to
invoke $_HERMES_PYTHON — without defining _HERMES_PYTHON, and still used the
non-portable env -- no-op. Under set -u this aborted with '_HERMES_PYTHON:
unbound variable', failing cli-test-shards (3). Align it with the start-env
harness: command builtin no-op + _HERMES_PYTHON from command -v python3.

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
ericksoa added a commit that referenced this pull request Jul 7, 2026
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 sentences: what this PR does and why. -->
Correct the v0.0.75 release-note entry merged in #6371 before the
release tag is cut.
This follow-up restores the omitted OpenClaw `2026.6.10` upgrade and
narrows three claims to the runtime contracts that actually shipped.

## Changes
<!-- Bullet list of key changes. -->
- #5595 -> `docs/about/release-notes.mdx`: add the bundled OpenClaw
`2026.6.10` upgrade and its reviewed package, pairing, and recovery
boundaries.
- #6370 -> `docs/about/release-notes.mdx`: state that authoritative
onboarding restores the gateway provider and inference route during
rebuild, before sandbox recreation.
- #6335 and #6298 -> `docs/about/release-notes.mdx`: scope the OpenAI
frontend to Hermes while retaining the separate OpenAI-only-agent
behavior.
- #6304 -> `docs/about/release-notes.mdx`: name the non-expiring local
Docker-driver sandbox JWT contract precisely and link its gateway-auth
review.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [x] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: prose-only release-note
corrections with no runtime behavior or code samples.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: tests
are not applicable; `npm run docs` passed with 0 errors and 2
pre-existing warnings.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) —
result: 0 errors and 2 pre-existing warnings (missing authenticated
redirects check and existing light-theme accent contrast).
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Updated the `v0.0.75` release notes with clearer wording and expanded
details.
* Added more specific notes about the runtime upgrade, sandbox recovery
behavior, and routing safeguards.
* Refined the description of inference routing behavior and local
Docker-driver sandbox authentication handling.
* Adjusted the linked references and final release-note wording for
consistency.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: inference Inference routing, serving, model selection, or outputs area: messaging Messaging channels, bridges, manifests, or channel lifecycle area: packaging Packages, images, registries, installers, or distribution area: security Security controls, permissions, secrets, or hardening chore Build, CI, dependency, or tooling maintenance dependencies Pull requests that update a dependency file integration: openclaw OpenClaw integration behavior v0.0.75 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants