ci(e2e): use jobs selector only

[jyaunches]

Summary

• remove the separate scenarios workflow_dispatch input from the Vitest E2E workflow
• route selective dispatch through jobs only
• delete scenario-alias selector handling and the special hermes_selected output
• shrink workflow-boundary support tests to match the simpler jobs-only model

Validation

• npm test -- --project e2e-vitest-support test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• npm run build:cli && npm run typecheck -- --pretty false

Refs #5098

Summary by CodeRabbit

• Chores

  • Manual E2E dispatch now uses a single jobs selector; legacy scenarios selector removed.
  • Validation, job gating and concurrency now operate on jobs-only; live scenario runs occur only when jobs is empty.
  • Matrix generation emits an empty matrix when jobs are specified; downstream gating updated accordingly.
  • Test and advisor tooling aligned to jobs-only behavior.

• Documentation / UI

  • PR comment shows only "Requested jobs" (scenarios section removed); includes default and selector-rejected messages.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR removes the scenarios workflow input and consolidates free-standing Vitest job selection to the jobs dispatch input, updating concurrency, validation, matrix generation, job gating, PR reporting, tests, boundary validation, and advisor dispatch rules.

Changes

E2E Vitest Dispatch Selector Refactoring

Layer / File(s)	Summary
Workflow input contract and selector evaluation .github/workflows/e2e-vitest-scenarios.yaml, tools/e2e-scenarios/workflow-boundary.mts	Remove workflow_dispatch.inputs.scenarios; replace scenario→job mapping with ALLOWED_FREE_STANDING_JOBS; evaluateE2eVitestWorkflowDispatchSelectors accepts only { jobs?: string }.
Validate-jobs & matrix generation .github/workflows/e2e-vitest-scenarios.yaml, tools/e2e-scenarios/*, test/e2e-scenario/support-tests/*	validate-jobs validates only inputs.jobs against an allowlist; generate-matrix emits matrix: [] when inputs.jobs is non-empty and runs live registry matrix generation only when inputs.jobs is empty.
Free-standing job gating & per-job validators .github/workflows/e2e-vitest-scenarios.yaml, tools/e2e-scenarios/workflow-boundary.mts	All free-standing Vitest jobs now needs: validate-jobs and use a shared freeStandingJobIf expression keyed on inputs.jobs (empty or includes job id); Hermes gating no longer depends on generate-matrix.outputs.hermes_selected.
PR reporting & comment changes .github/workflows/e2e-vitest-scenarios.yaml, test/e2e-scenario/support-tests/*	report-to-pr receives only JOBS env, computes requestedJobs from validate-jobs outcome, and PR comment shows “Requested jobs” (no scenarios section).
Tests & fixtures test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts, test/e2e-scenario-advisor.test.ts	generateMatrixForDispatch now accepts jobsSelector string injecting only JOBS; tests updated to assert jobs-only selector behavior, invalid-job handling, and that non-empty jobs yields matrix: "[]". Advisor tests and fixtures updated to expect jobs-only if: expressions and no --field scenarios= commands.
Advisor dispatch rules tools/e2e-advisor/scenarios.mts	canonicalDispatchCommand() enforces typed scenario ID safety and emits the default fan-out command (no --field scenarios=<id>); system-prompt rules updated to require fan-out dispatch for typed scenario recommendations.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• NVIDIA/NemoClaw#5228: Overlaps on jobs-only selector refactor and credential-migration-vitest allowlist/report wiring.
• NVIDIA/NemoClaw#5150: Related advisor/dispatch changes removing --field scenarios= and updating workflow gating.
• NVIDIA/NemoClaw#5256: Overlaps Hermes gating changes that this PR rewires to jobs-only.

Suggested labels

area: ci, area: e2e

Suggested reviewers

• cv
• prekshivyas

Poem

🐰 Jobs-only whisper hops the night,
Scenarios shelved, the selector’s light,
Matrix rests when jobs are named,
Tests and validators all reclaimed.
Hop on—dispatch is tidy, small, and right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci(e2e): use jobs selector only' clearly and concisely summarizes the main change: removing the scenarios selector and consolidating on the jobs selector.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/e2e-vitest-scenarios.yaml (1)

56-98: ⚠️ Potential issue | 🟠 Major

Make generate-matrix truly no-op for workflow_dispatch runs that supply inputs.jobs.

Even when inputs.jobs is non-empty (so the live-scenarios job is skipped via if: inputs.jobs == '' ... and generate-matrix sets matrix="[]"), the generate-matrix job still runs actions/checkout, actions/setup-node, and npm ci before reaching that logic. A transient failure in those steps will fail generate-matrix and then cause the PR report-to-pr comment to show generate-matrix as failed (it has needs: [...] generate-matrix and if: always()), despite no registry scenarios being requested.

Gate the checkout/node/npm steps behind inputs.jobs == '', or split generate-matrix into a lightweight path that only outputs [] when inputs.jobs is provided.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-vitest-scenarios.yaml around lines 56 - 98, The
generate-matrix job currently always runs heavy setup steps even when
inputs.jobs is provided; update it so the checkout/setup-node/npm steps are
skipped when inputs.jobs is non-empty by gating those steps on the inputs.jobs
check (e.g., add an if condition that runs them only when inputs.jobs == ''), or
split generate-matrix into a lightweight branch that immediately emits
matrix="[]" when inputs.jobs is provided and only runs the npx/tsx generation
path otherwise; reference the job name generate-matrix and the steps
actions/checkout, actions/setup-node, and the "Install root dependencies" npm ci
step to locate where to add the condition.

🧹 Nitpick comments (1)

tools/e2e-scenarios/workflow-boundary.mts (1)

340-345: ⚡ Quick win

Reuse validateFreeStandingJobSelector for the remaining free-standing jobs.

network-policy-vitest, hermes-e2e-vitest, and hermes-root-entrypoint-smoke-vitest still duplicate the shared needs/if contract, and the Hermes root variant hardcodes the full selector expression string. Keeping these copies alongside freeStandingJobIf()/validateFreeStandingJobSelector() makes the jobs-only rule easy to drift again.

♻️ Proposed simplification

-  if (job.needs !== "validate-jobs") {
-    errors.push("hermes-root-entrypoint-smoke-vitest job must depend on validate-jobs");
-  }
-  const expectedIf =
-    "${{ inputs.jobs == '' || contains(format(',{0},', inputs.jobs), ',hermes-root-entrypoint-smoke-vitest,') }}";
-  if (job.if !== expectedIf) {
-    errors.push(
-      "hermes-root-entrypoint-smoke-vitest job must use the shared jobs selector condition",
-    );
-  }
+  validateFreeStandingJobSelector(errors, jobs, jobName);

Also applies to: 973-978, 1073-1080

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/e2e-scenarios/workflow-boundary.mts` around lines 340 - 345, The checks
for the free-standing jobs are duplicated; replace the manual comparisons for
network-policy-vitest, hermes-e2e-vitest, and
hermes-root-entrypoint-smoke-vitest with a single call to the existing
validateFreeStandingJobSelector helper and stop hardcoding the full selector
string (use freeStandingJobIf(jobName) where needed). Locate the blocks that
currently assert job.needs and job.if (the ones using the literal selector or
separate checks) and call validateFreeStandingJobSelector(jobName, job) or
otherwise delegate to that function to validate both needs and if consistently;
remove the duplicated needs/if assertions and the hardcoded selector in
hermes-root-entrypoint-smoke-vitest so all free-standing jobs use the shared
validation logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-vitest-scenarios.yaml:
- Line 24: The concurrency.group currently uses the raw `${{ inputs.jobs }}`
string which is order-sensitive; update the workflow so the concurrency key is
order-insensitive by canonicalizing the inputs.jobs string (e.g., split, sort,
and rejoin the job names) before using it in concurrency.group or alternatively
switch the concurrency key to a coarser identifier like `${{ github.ref }}` for
jobs-only runs; locate the concurrency.group usage in e2e-vitest-scenarios.yaml
and modify the expression that references `inputs.jobs` (or replace it) so that
dispatches with the same job set in different orders map to the same concurrency
group.

In `@test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts`:
- Around line 473-477: The arrayContaining assertion in the test is missing the
check that the "report-to-pr" step passes jobs via the JOBS env, which lets a
broken boundary slip through; add the string "report-to-pr step must pass jobs
through JOBS env" into the arrayContaining list used when validating
validateE2eVitestScenariosWorkflowBoundary() so the test will fail when the
fixture (which sets report-to-pr.env.JOBS to "bad") violates the JOBS wiring
contract for the report-to-pr step.
- Around line 69-76: The test currently uses the selector string
"network-policy,../escape" which mixes a traversal token with a non-existent job
id and can mask whether selector-pattern validation or allowed-job validation is
failing; update the test to use a valid job id plus the traversal token (e.g.
"network-policy-vitest,../escape") and change the expectation to assert the
specific error path by matching the "Invalid jobs input" failure from
evaluateE2eVitestWorkflowDispatchSelectors so the malformed-selector (traversal)
rejection is isolated; locate the test case in e2e-scenarios-workflow.test.ts
and update the input string and expected result accordingly.

In `@tools/e2e-scenarios/workflow-boundary.mts`:
- Around line 21-37: ALLOWED_FREE_STANDING_JOBS has drifted from the downstream
validators: either remove the two outdated ids ("launchable-smoke-vitest" and
"issue-4434-tui-unreachable-inference-vitest") from the
ALLOWED_FREE_STANDING_JOBS set or make validate-jobs, generate-matrix, the
per-job selector assertions (allowed_jobs), and report-to-pr.needs derive their
allowed list from ALLOWED_FREE_STANDING_JOBS or the same shared source used by
evaluateE2eVitestWorkflowDispatchSelectors() so all checks use a single source
of truth (update references in evaluateE2eVitestWorkflowDispatchSelectors(),
validate-jobs, generate-matrix, allowed_jobs assertions, and report-to-pr.needs
accordingly).

---

Outside diff comments:
In @.github/workflows/e2e-vitest-scenarios.yaml:
- Around line 56-98: The generate-matrix job currently always runs heavy setup
steps even when inputs.jobs is provided; update it so the
checkout/setup-node/npm steps are skipped when inputs.jobs is non-empty by
gating those steps on the inputs.jobs check (e.g., add an if condition that runs
them only when inputs.jobs == ''), or split generate-matrix into a lightweight
branch that immediately emits matrix="[]" when inputs.jobs is provided and only
runs the npx/tsx generation path otherwise; reference the job name
generate-matrix and the steps actions/checkout, actions/setup-node, and the
"Install root dependencies" npm ci step to locate where to add the condition.

---

Nitpick comments:
In `@tools/e2e-scenarios/workflow-boundary.mts`:
- Around line 340-345: The checks for the free-standing jobs are duplicated;
replace the manual comparisons for network-policy-vitest, hermes-e2e-vitest, and
hermes-root-entrypoint-smoke-vitest with a single call to the existing
validateFreeStandingJobSelector helper and stop hardcoding the full selector
string (use freeStandingJobIf(jobName) where needed). Locate the blocks that
currently assert job.needs and job.if (the ones using the literal selector or
separate checks) and call validateFreeStandingJobSelector(jobName, job) or
otherwise delegate to that function to validate both needs and if consistently;
remove the duplicated needs/if assertions and the hardcoded selector in
hermes-root-entrypoint-smoke-vitest so all free-standing jobs use the shared
validation logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ec6a73c2-eb2a-48e1-82ea-fdc00efd7068

📥 Commits

Reviewing files that changed from the base of the PR and between 561bd2f and cc9d953.

📒 Files selected for processing (3)

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

[jyaunches]

Thanks for pushing this simplification. I think the direction is right, but I’m requesting changes because this needs a little more cleanup before it becomes the base for #5098 execution.

Required before merge:

1. Rebase on current main and preserve the newly merged model-router-provider-routed-inference-vitest job from test(e2e): migrate test-model-router-provider-routed-inference.sh to vitest [IND-2] #5221. The PR is currently conflicting and behind the workflow state we need to validate.
2. Complete the selector migration end-to-end. If jobs is now the only operator-facing selector, update the E2E scenario advisor prompt/docs/examples that still tell maintainers to dispatch with --field scenarios=....
3. Make the “run all E2E Vitests” contract explicit. Empty jobs should clearly mean all supported registry scenarios + all free-standing live Vitest jobs, and a non-empty jobs value should run only those jobs.
4. Avoid wasted/fragile setup for selected free-standing jobs. If generate-matrix is only needed for registry scenarios, selected free-standing jobs should not be able to fail because unused matrix setup/npm work failed.
5. Add/update tests proving the new jobs-only behavior for: empty jobs, a registry scenario job, a free-standing job, invalid job input, and PR result reporting.

This would help a lot with #5098 because it removes the confusing scenarios vs jobs split, but it needs to carry current main and update the advisor-facing contract before it is safe to rely on.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-vitest-scenarios.yaml:
- Around line 1062-1067: The job-level env block uses runner.temp (invalid at
job scope) for DOCKER_CONFIG; fix by either (A) replacing the runner.temp
reference with a workspace-based fixed path such as using ${{ github.workspace
}} for DOCKER_CONFIG, or (B) remove DOCKER_CONFIG from the job-level env and set
it in the specific step that requires it (e.g., the "Authenticate to Docker Hub"
step) using a step-level env or by exporting it to $GITHUB_ENV so subsequent
steps see it; leave the other job env entries (E2E_ARTIFACT_DIR,
NEMOCLAW_CLI_BIN, NEMOCLAW_RUN_E2E_SCENARIOS, OPENSHELL_GATEWAY) unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fa907bd3-3c45-4e86-bf73-1f845f83480e

📥 Commits

Reviewing files that changed from the base of the PR and between cc9d953 and 34c072a.

📒 Files selected for processing (3)

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

🚧 Files skipped from review as they are similar to previous changes (2)

• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-vitest-scenarios.yaml:
- Around line 1062-1067: The job-level env block uses runner.temp (invalid at
job scope) for DOCKER_CONFIG; fix by either (A) replacing the runner.temp
reference with a workspace-based fixed path such as using ${{ github.workspace
}} for DOCKER_CONFIG, or (B) remove DOCKER_CONFIG from the job-level env and set
it in the specific step that requires it (e.g., the "Authenticate to Docker Hub"
step) using a step-level env or by exporting it to $GITHUB_ENV so subsequent
steps see it; leave the other job env entries (E2E_ARTIFACT_DIR,
NEMOCLAW_CLI_BIN, NEMOCLAW_RUN_E2E_SCENARIOS, OPENSHELL_GATEWAY) unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fa907bd3-3c45-4e86-bf73-1f845f83480e

📥 Commits

Reviewing files that changed from the base of the PR and between cc9d953 and 34c072a.

📒 Files selected for processing (3)

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

🚧 Files skipped from review as they are similar to previous changes (2)

• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

🛑 Comments failed to post (1)

.github/workflows/e2e-vitest-scenarios.yaml (1)

1062-1067: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

runner context unavailable in job-level env: block.

The runner context is only available within step contexts, not in job-level env: blocks. Per GitHub Actions documentation, the available contexts at this level are: github, inputs, matrix, needs, secrets, strategy, vars. This will cause the workflow to fail at parse/runtime.

🔧 Proposed fix: move DOCKER_CONFIG to step-level or use a fixed path

Option 1: Use a fixed path under $GITHUB_WORKSPACE

     env:
-      DOCKER_CONFIG: ${{ runner.temp }}/docker-config-model-router-provider-routed-inference
+      DOCKER_CONFIG: /tmp/docker-config-model-router-provider-routed-inference
       E2E_ARTIFACT_DIR: ${{ github.workspace }}/e2e-artifacts/vitest/model-router-provider-routed-inference

Option 2: Set DOCKER_CONFIG in the step that needs it
Remove DOCKER_CONFIG from job-level env: and add it to the "Authenticate to Docker Hub" step:

       - name: Authenticate to Docker Hub
         env:
           DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          DOCKER_CONFIG: ${{ runner.temp }}/docker-config-model-router-provider-routed-inference
         shell: bash
         run: |
           set -euo pipefail
+          export DOCKER_CONFIG

Then export DOCKER_CONFIG in subsequent steps that need it, or use $GITHUB_ENV to persist it.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    env:
      DOCKER_CONFIG: /tmp/docker-config-model-router-provider-routed-inference
      E2E_ARTIFACT_DIR: ${{ github.workspace }}/e2e-artifacts/vitest/model-router-provider-routed-inference
      NEMOCLAW_CLI_BIN: ${{ github.workspace }}/bin/nemoclaw.js
      NEMOCLAW_RUN_E2E_SCENARIOS: "1"
      OPENSHELL_GATEWAY: "nemoclaw"

🧰 Tools

🪛 actionlint (1.7.12)

[error] 1063-1063: context "runner" is not allowed here. available contexts are "github", "inputs", "matrix", "needs", "secrets", "strategy", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details

(expression)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-vitest-scenarios.yaml around lines 1062 - 1067, The
job-level env block uses runner.temp (invalid at job scope) for DOCKER_CONFIG;
fix by either (A) replacing the runner.temp reference with a workspace-based
fixed path such as using ${{ github.workspace }} for DOCKER_CONFIG, or (B)
remove DOCKER_CONFIG from the job-level env and set it in the specific step that
requires it (e.g., the "Authenticate to Docker Hub" step) using a step-level env
or by exporting it to $GITHUB_ENV so subsequent steps see it; leave the other
job env entries (E2E_ARTIFACT_DIR, NEMOCLAW_CLI_BIN, NEMOCLAW_RUN_E2E_SCENARIOS,
OPENSHELL_GATEWAY) unchanged.

Source: Linters/SAST tools

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/e2e-scenario-advisor.test.ts (1)

357-376: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a negative case for an invalid free-standing job selector.

These fixtures now use the shared jobs-only predicate, but there is still no test for the malformed variant that omits the inputs.jobs == '' arm. That matters because extractFreeStandingVitestJobs() currently accepts any body containing inputs.jobs and ,token-rotation-vitest,, so it can treat a boundary-invalid selector as workflow-wired. A negative case here would keep the advisor aligned with the workflow-boundary contract. Based on workflow-boundary support logic, free-standing jobs must use the shared ${{ inputs.jobs == '' || contains(format(',{0},', inputs.jobs), ',<job>,') }} selector.

Also applies to: 378-418

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario-advisor.test.ts` around lines 357 - 376, Add a negative
test case that verifies extractFreeStandingVitestJobs rejects selectors that
omit the leading "inputs.jobs == ''" arm; create a fixture string in
test/e2e-scenario-advisor.test.ts where the job selector only contains
"contains(format(',{0},', inputs.jobs), ',token-rotation-vitest,')" (no
inputs.jobs == '' check) and assert the function returns an empty array. Update
both places noted (the existing positive case around the current diff and the
similar block at 378-418) to include this malformed-selector test so the advisor
stays aligned with the workflow-boundary contract; reference
extractFreeStandingVitestJobs when locating the implementation under test.

🧹 Nitpick comments (1)

tools/e2e-advisor/scenarios.mts (1)

76-77: ⚡ Quick win

Clarify or collapse duplicate fan-out dispatches for multi-scenario recommendations.

After this change, every typed scenario recommendation gets the same fan-out command. If the advisor returns two targeted scenarios, renderScenarioSummary() will print that identical dispatch line twice, which reads like two separate runs even though one fan-out run covers both. Consider collapsing typed-scenario recommendations onto one shared fan-out dispatch, or at least making the “run once” contract explicit in the rendered output.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/e2e-advisor/scenarios.mts` around lines 76 - 77, The generated fan-out
command is identical for each scenario id causing duplicate dispatch lines;
update the logic so duplicates are collapsed or an explicit "run once for all
scenarios" message is emitted. Specifically, deduplicate scenario ids before
mapping to commands (use SCENARIO_ID_PATTERN to validate then unique the ids) or
change renderScenarioSummary() to group typed-scenario recommendations and print
a single shared dispatch line (or add an explicit note that one fan-out covers
all listed scenarios) rather than repeating the same `gh workflow run
${SCENARIO_WORKFLOW} --ref <pr-head-ref>` for each id.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@test/e2e-scenario-advisor.test.ts`:
- Around line 357-376: Add a negative test case that verifies
extractFreeStandingVitestJobs rejects selectors that omit the leading
"inputs.jobs == ''" arm; create a fixture string in
test/e2e-scenario-advisor.test.ts where the job selector only contains
"contains(format(',{0},', inputs.jobs), ',token-rotation-vitest,')" (no
inputs.jobs == '' check) and assert the function returns an empty array. Update
both places noted (the existing positive case around the current diff and the
similar block at 378-418) to include this malformed-selector test so the advisor
stays aligned with the workflow-boundary contract; reference
extractFreeStandingVitestJobs when locating the implementation under test.

---

Nitpick comments:
In `@tools/e2e-advisor/scenarios.mts`:
- Around line 76-77: The generated fan-out command is identical for each
scenario id causing duplicate dispatch lines; update the logic so duplicates are
collapsed or an explicit "run once for all scenarios" message is emitted.
Specifically, deduplicate scenario ids before mapping to commands (use
SCENARIO_ID_PATTERN to validate then unique the ids) or change
renderScenarioSummary() to group typed-scenario recommendations and print a
single shared dispatch line (or add an explicit note that one fan-out covers all
listed scenarios) rather than repeating the same `gh workflow run
${SCENARIO_WORKFLOW} --ref <pr-head-ref>` for each id.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4f8ec727-acb3-42d9-bb29-492eb50348b3

📥 Commits

Reviewing files that changed from the base of the PR and between 67cf895 and d4684a3.

📒 Files selected for processing (2)

• test/e2e-scenario-advisor.test.ts
• tools/e2e-advisor/scenarios.mts

[wscurran]

✨
Related open issues:

• #5098 Epic: Migrate legacy bash E2E into the Vitest E2E system

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27425512277
Workflow ref: ci/pr-5329-e2e-45ccf6f1
Requested jobs: openshell-version-pin-vitest
Summary: 3 passed, 0 failed, 18 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	✅ success
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped
validate-jobs	✅ success

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27427156289
Workflow ref: ci/pr-5329-e2e-7b99f1c0
Requested jobs: (default — all free-standing jobs and supported registry scenarios)
Summary: 20 passed, 2 failed, 0 skipped

Job	Result
credential-migration-vitest	✅ success
double-onboard-vitest	✅ success
gateway-guard-recovery	❌ failure
generate-matrix	✅ success
hermes-e2e-vitest	✅ success
hermes-root-entrypoint-smoke-vitest	✅ success
inference-routing-vitest	✅ success
issue-4434-tui-unreachable-inference-vitest	✅ success
launchable-smoke-vitest	✅ success
live-scenarios	✅ success
model-router-provider-routed-inference-vitest	✅ success
network-policy-vitest	❌ failure
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	✅ success
openshell-version-pin-vitest	✅ success
rebuild-openclaw-vitest	✅ success
runtime-overrides-vitest	✅ success
sandbox-rebuild-vitest	✅ success
sandbox-survival-vitest	✅ success
skill-agent-vitest	✅ success
token-rotation-vitest	✅ success
validate-jobs	✅ success

Failed jobs: gateway-guard-recovery, network-policy-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27428450458
Workflow ref: ci/pr-5329-e2e-d3a28504
Requested jobs: (default — all free-standing jobs and supported registry scenarios)
Summary: 20 passed, 3 failed, 0 skipped

Job	Result
credential-migration-vitest	✅ success
double-onboard-vitest	✅ success
gateway-guard-recovery	❌ failure
generate-matrix	✅ success
hermes-e2e-vitest	✅ success
hermes-root-entrypoint-smoke-vitest	✅ success
inference-routing-vitest	✅ success
issue-4434-tui-unreachable-inference-vitest	✅ success
launchable-smoke-vitest	❌ failure
live-scenarios	✅ success
model-router-provider-routed-inference-vitest	✅ success
network-policy-vitest	❌ failure
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	✅ success
openshell-version-pin-vitest	✅ success
rebuild-openclaw-vitest	✅ success
runtime-overrides-vitest	✅ success
sandbox-rebuild-vitest	✅ success
sandbox-survival-vitest	✅ success
shields-config-vitest	✅ success
skill-agent-vitest	✅ success
token-rotation-vitest	✅ success
validate-jobs	✅ success

Failed jobs: gateway-guard-recovery, launchable-smoke-vitest, network-policy-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27432588145
Workflow ref: ci/pr-5329-e2e-7b6fb294
Requested jobs: openshell-version-pin-vitest
Summary: 3 passed, 0 failed, 20 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	✅ success
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped
validate-jobs	✅ success

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27432590206
Workflow ref: ci/pr-5329-e2e-7b6fb294
Requested jobs: (default — all free-standing jobs and supported registry scenarios)
Summary: 21 passed, 2 failed, 0 skipped

Job	Result
credential-migration-vitest	✅ success
double-onboard-vitest	✅ success
gateway-guard-recovery	✅ success
generate-matrix	✅ success
hermes-e2e-vitest	✅ success
hermes-root-entrypoint-smoke-vitest	✅ success
inference-routing-vitest	✅ success
issue-4434-tui-unreachable-inference-vitest	✅ success
launchable-smoke-vitest	❌ failure
live-scenarios	✅ success
model-router-provider-routed-inference-vitest	✅ success
network-policy-vitest	❌ failure
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	✅ success
openshell-version-pin-vitest	✅ success
rebuild-openclaw-vitest	✅ success
runtime-overrides-vitest	✅ success
sandbox-rebuild-vitest	✅ success
sandbox-survival-vitest	✅ success
shields-config-vitest	✅ success
skill-agent-vitest	✅ success
token-rotation-vitest	✅ success
validate-jobs	✅ success

Failed jobs: launchable-smoke-vitest, network-policy-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27435916094
Workflow ref: ci/pr-5329-e2e-47333ed1
Requested jobs: openshell-version-pin-vitest
Summary: 3 passed, 0 failed, 21 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	✅ success
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped
validate-jobs	✅ success

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27435217295
Workflow ref: ci/pr-5329-e2e-ccec8049
Requested jobs: (default — all free-standing jobs and supported registry scenarios)
Summary: 22 passed, 2 failed, 0 skipped

Job	Result
credential-migration-vitest	❌ failure
credential-sanitization-vitest	✅ success
double-onboard-vitest	✅ success
gateway-guard-recovery	✅ success
generate-matrix	✅ success
hermes-e2e-vitest	✅ success
hermes-root-entrypoint-smoke-vitest	✅ success
inference-routing-vitest	✅ success
issue-4434-tui-unreachable-inference-vitest	✅ success
launchable-smoke-vitest	✅ success
live-scenarios	✅ success
model-router-provider-routed-inference-vitest	✅ success
network-policy-vitest	❌ failure
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	✅ success
openshell-version-pin-vitest	✅ success
rebuild-openclaw-vitest	✅ success
runtime-overrides-vitest	✅ success
sandbox-rebuild-vitest	✅ success
sandbox-survival-vitest	✅ success
shields-config-vitest	✅ success
skill-agent-vitest	✅ success
token-rotation-vitest	✅ success
validate-jobs	✅ success

Failed jobs: credential-migration-vitest, network-policy-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27435918149
Workflow ref: ci/pr-5329-e2e-47333ed1
Requested jobs: (default — all free-standing jobs and supported registry scenarios)
Summary: 18 passed, 6 failed, 0 skipped

Job	Result
credential-migration-vitest	✅ success
credential-sanitization-vitest	❌ failure
double-onboard-vitest	✅ success
gateway-guard-recovery	❌ failure
generate-matrix	✅ success
hermes-e2e-vitest	✅ success
hermes-root-entrypoint-smoke-vitest	✅ success
inference-routing-vitest	✅ success
issue-4434-tui-unreachable-inference-vitest	❌ failure
launchable-smoke-vitest	✅ success
live-scenarios	✅ success
model-router-provider-routed-inference-vitest	✅ success
network-policy-vitest	✅ success
onboard-negative-paths-vitest	✅ success
openclaw-tui-chat-correlation-vitest	❌ failure
openshell-version-pin-vitest	✅ success
rebuild-openclaw-vitest	✅ success
runtime-overrides-vitest	✅ success
sandbox-rebuild-vitest	❌ failure
sandbox-survival-vitest	❌ failure
shields-config-vitest	✅ success
skill-agent-vitest	✅ success
token-rotation-vitest	✅ success
validate-jobs	✅ success

Failed jobs: credential-sanitization-vitest, gateway-guard-recovery, issue-4434-tui-unreachable-inference-vitest, openclaw-tui-chat-correlation-vitest, sandbox-rebuild-vitest, sandbox-survival-vitest. Check run artifacts for logs.