test(e2e): migrate test-snapshot-commands.sh to vitest

[jyaunches]

Summary

Migrate/retire test/e2e/test-snapshot-commands.sh with the simplest equivalent Vitest coverage.

Related Issues

Refs #5098

Contract mapping

• Legacy assertion: install.sh --non-interactive creates a live OpenClaw sandbox for snapshot commands.
  • Replacement: test/e2e-scenario/live/snapshot-commands.test.ts runs bash install.sh --non-interactive with NEMOCLAW_SANDBOX_NAME=e2e-snapshot.
  • Boundary preserved: real installer, Docker/OpenShell, live NVIDIA API key, sandbox cleanup.
• Legacy assertion: nemoclaw <name> snapshot create reports a versioned snapshot and writes ~/.nemoclaw/rebuild-backups/<name>.
  • Replacement: same Vitest file asserts Snapshot v<N>...created and host backup path evidence.
  • Boundary preserved: real nemoclaw CLI and host backup filesystem.
• Legacy assertion: snapshot list includes snapshots and parseable timestamp selectors.
  • Replacement: same Vitest file parses the first timestamp from CLI output.
  • Boundary preserved: real CLI list output.
• Legacy assertion: latest restore and timestamp-targeted restore recover the expected workspace markers.
  • Replacement: same Vitest file mutates /sandbox/.openclaw/workspace, restores latest, then restores the first timestamp.
  • Boundary preserved: openshell sandbox exec against the live sandbox.
• Legacy assertion: snapshots do not contain credential-bearing .env/JSON files and help advertises create/list/restore.
  • Replacement: same Vitest file scans backup files and checks nemoclaw <name> snapshot output.
  • Boundary preserved: host backup directory and real CLI help.

Simplicity check

• Test shape: simple live Vitest test.
• Original runner/lane: nightly-e2e.yaml job snapshot-commands-e2e via e2e-script.yaml, default runs-on: ubuntu-latest, Docker/OpenShell, NVIDIA_API_KEY, Docker Hub auth, NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1, NEMOCLAW_NON_INTERACTIVE=1, NEMOCLAW_SANDBOX_NAME=e2e-snapshot, 30 minute timeout.
• Replacement runner: e2e-vitest-scenarios.yaml job snapshot-commands-vitest, runs-on: ubuntu-latest, Docker/OpenShell, NVIDIA_API_KEY, Docker Hub auth, same sandbox/env and 30 minute timeout.
• New shared helpers: none.
• New framework/registry/ledger: none.
• Workflow changes: add selective free-standing Vitest job and inventory entry; legacy shell deletion/workflow retirement deferred to Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 Phase 11.
• Selective dispatch: gh workflow run e2e-vitest-scenarios.yaml --repo NVIDIA/NemoClaw --ref e2e-migrate/test-snapshot-commands -f jobs=snapshot-commands-vitest -f pr_number=5346.

Verification

• npm run build:cli
• NEMOCLAW_RUN_E2E_SCENARIOS=1 npx vitest run --project e2e-scenarios-live test/e2e-scenario/live/snapshot-commands.test.ts --silent=false --reporter=default (local Docker unavailable, test skips before mutation)
• npx vitest run --project e2e-vitest-support test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts --silent=false --reporter=default
• npx vitest run --project cli test/e2e-script-workflow.test.ts --silent=false --reporter=default
• npm run typecheck:cli
• git diff --check
• Branch refreshed onto current origin/main; support workflow test re-ran locally after refresh.
• PR: test(e2e): migrate test-snapshot-commands.sh to vitest #5346
• Same-runner selective run: https://github.com/NVIDIA/NemoClaw/actions/runs/27596798746 (workflow_dispatch, jobs=snapshot-commands-vitest) — passed

Summary by CodeRabbit

• Tests

  • Added a Live E2E Vitest scenario for snapshot commands, covering snapshot create/list and restore flows (latest and timestamp-based), including verification of restore markers and a no-credential-leak check.
  • Extended workflow-boundary tests to ensure snapshot-commands CI configuration is strictly validated and fails with targeted policy violations.

• New Features

  • Added a dedicated CI job to run the snapshot-commands Live E2E scenario in a live, Docker-backed environment and publish Vitest artifacts.

• Chores

  • Updated pull request reporting to include the new job’s results.
  • Strengthened workflow boundary validation for the snapshot-commands job (secrets, Docker auth handling, artifact upload rules, and cleanup behavior).

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new snapshot-commands-vitest free-standing CI job to e2e-vitest-scenarios.yaml that runs a new live Vitest test replacing test/e2e/test-snapshot-commands.sh. The test covers snapshot create/list/restore flows, credential-leak scanning, and help-output validation. A new validateSnapshotCommandsVitestJob boundary validator enforces job policy, wired into the existing boundary validation pipeline along with updated contract tests.

Changes

Snapshot Commands E2E Vitest Migration

Layer / File(s)	Summary
Live E2E snapshot test implementation test/e2e-scenario/live/snapshot-commands.test.ts	Defines test constants, environment helpers, best-effort cleanup routines, sandbox file assertion logic, a credential-leak scanner for local backup directories, and the full live test flow: snapshot create/list/restore (latest and timestamp-targeted) with content verification, leak scan assertion, help-output checks, and JSON artifact writing.
CI job definition and report-to-pr wiring .github/workflows/e2e-vitest-scenarios.yaml	Adds the snapshot-commands-vitest job with isolated Docker auth directory, retry-based Docker Hub login with anonymous fallback, Node install, Vitest invocation, artifact upload, and Docker logout cleanup; adds the job to report-to-pr needs.
Workflow boundary validator tools/e2e-scenarios/workflow-boundary.mts	Implements validateSnapshotCommandsVitestJob enforcing runner, selector gating condition, env pins, secret-exposure prohibitions at job and step levels, required steps with exact command/script contents, stable artifact upload settings, and Docker auth cleanup commands; calls it from validateE2eVitestScenariosWorkflowBoundary.
Boundary validator contract tests test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts	Extends the existing dispatch-interpolation boundary test with a snapshot-commands-vitest missing-job assertion; adds a new test that mutates the job YAML and asserts the full set of expected policy-violation messages.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• Epic: Migrate legacy bash E2E into the Vitest E2E system #5098: This PR directly implements the epic's Definition of Done by converting test/e2e/test-snapshot-commands.sh into snapshot-commands.test.ts and wiring it into .github/workflows/e2e-vitest-scenarios.yaml with workflow boundary governance.

Possibly related PRs

• NVIDIA/NemoClaw#5243: Adds the shared free-standing job selector plumbing and boundary validator coverage that this PR's snapshot-commands-vitest job depends on.
• NVIDIA/NemoClaw#5231: Extends the same boundary machinery and e2e-scenarios-workflow.test.ts contract tests to add free-standing job coverage for inference-routing-vitest, the same code-level pattern as this PR.
• NVIDIA/NemoClaw#5333: Extends the same workflow-boundary validator pipeline by adding a new free-standing Vitest job validator (sandbox-rebuild-vitest) wired into validateE2eVitestScenariosWorkflowBoundary, plus corresponding workflow/report-to-pr wiring using the identical structure.

Suggested labels

v0.0.65

Suggested reviewers

• cv

Poem

🐇 A snapshot in time, now tested with care,
From bash scripts of old to Vitest so fair,
With markers and restores and leak scans galore,
The boundary validator stands guard at the door—
Hop hop, no credentials left bare! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: migrating a shell script test to Vitest, which is the primary objective across all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch e2e-migrate/test-snapshot-commands

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: snapshot-commands-vitest
Optional E2E: state-backup-restore-vitest, sandbox-rebuild-vitest, credential-sanitization-vitest

Dispatch hint: snapshot-commands-vitest

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• snapshot-commands-vitest (high): This PR introduces the snapshot commands live scenario and workflow job. It should run to validate the real install/onboard boundary, OpenShell sandbox lifecycle, snapshot create/list/latest restore/timestamp restore behavior, artifact capture, Docker auth cleanup, and backup credential no-leak checks.

Optional E2E

• state-backup-restore-vitest (medium): Adjacent confidence for backup/restore behavior because the new snapshot scenario inspects ~/.nemoclaw/rebuild-backups and validates restored sandbox workspace state.
• sandbox-rebuild-vitest (medium): Useful adjacent coverage for sandbox rebuild/backup lifecycle interactions that are close to snapshot restore semantics, but no runtime rebuild code changed so it is not merge-blocking.
• credential-sanitization-vitest (medium): Optional confidence for secret handling because the new workflow/test adds NVIDIA and Docker secret boundaries plus backup credential leak scanning.

New E2E recommendations

• None.

Dispatch hint

• Workflow: .github/workflows/e2e-vitest-scenarios.yaml
• jobs input: snapshot-commands-vitest

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: snapshot-commands-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

• gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=snapshot-commands-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• snapshot-commands-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/snapshot-commands.test.ts.
  • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=snapshot-commands-vitest

Optional Vitest E2E scenarios

• None.

Relevant changed files

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/snapshot-commands.test.ts
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

[github-actions]

PR Review Advisor

Findings: 1 needs attention, 5 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 4 still apply, 1 new item found

Review findings

🛠️ Needs attention

• Snapshot migration changes the legacy hosted-inference secret contract (.github/workflows/e2e-vitest-scenarios.yaml:2246): The retained legacy snapshot shell test and reusable script lane use NVIDIA_INFERENCE_API_KEY for hosted inference, but the migrated Vitest workflow, live test, and boundary validator require NVIDIA_API_KEY. That is not an equivalent migration for environments where only the legacy hosted-inference secret is configured; the new scenario can skip before exercising install, snapshot restore, and credential-leak coverage.
  • Recommendation: Either keep this migrated scenario on NVIDIA_INFERENCE_API_KEY, or explicitly support both NVIDIA_INFERENCE_API_KEY and NVIDIA_API_KEY in the workflow, live test, and workflow-boundary validator with evidence that the scenario runs under the intended CI secret configuration.
  • Evidence: Legacy test/e2e/test-snapshot-commands.sh preflight checks NVIDIA_INFERENCE_API_KEY. .github/workflows/e2e-script.yaml exposes NVIDIA_INFERENCE_API_KEY when inputs.nvidia_api_key is set and passes it to the script. The new workflow step passes NVIDIA_API_KEY from secrets, test/e2e-scenario/live/snapshot-commands.test.ts calls secrets.required("NVIDIA_API_KEY"), and tools/e2e-scenarios/workflow-boundary.mts validates NVIDIA_API_KEY for snapshot-commands-vitest.

🔎 Worth checking

• Source-of-truth review needed: test/e2e-scenario/live/snapshot-commands.test.ts transient provider validation retry/skip: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: The install loop retries when isTransientProviderValidationFailure(install) is true; after exhausted CI attempts it writes transient-provider-validation.skip.json with sourceBoundary and removalCondition before calling skip.
• Source-of-truth review needed: test/e2e-scenario/live/snapshot-commands.test.ts openclaw.json tolerant credential scanning: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: scanSnapshotCredentialLeaks() skips generic structured-key checks for openclaw.json while still checking token-shaped values and env assignments.
• Live provider secret is passed to branch-controlled Vitest and installer code (.github/workflows/e2e-vitest-scenarios.yaml:2246): The new free-standing workflow job exposes a live NVIDIA provider key to npx vitest running checked-out branch code, and the test passes that key into branch-controlled install.sh. The job has good mitigations, but this expands the secret-bearing trusted-code boundary: branch-controlled code could intentionally write the secret into non-hidden artifacts or logs despite fixture redaction.
  • Recommendation: Keep this lane restricted to trusted manual dispatches and trusted refs, and document or enforce that trusted-code boundary. Preserve the current mitigations: pinned actions, contents: read, persist-credentials: false, npm ci --ignore-scripts, isolated Docker auth, redactionValues, and include-hidden-files: false.
  • Evidence: snapshot-commands-vitest runs npx vitest against test/e2e-scenario/live/snapshot-commands.test.ts with NVIDIA_API_KEY from secrets. The test calls commandEnv(apiKey), which sets NVIDIA_API_KEY for bash install.sh --non-interactive --fresh. The workflow uses pinned actions, persist-credentials: false, npm ci --ignore-scripts, isolated DOCKER_CONFIG under RUNNER_TEMP, and include-hidden-files: false, but those mitigations do not prevent intentional exfiltration by branch-controlled code.
• Transient provider retry/skip control flow lacks scenario-specific regression coverage (test/e2e-scenario/live/snapshot-commands.test.ts:214): The live scenario retries install when isTransientProviderValidationFailure() classifies a provider validation error and, after exhausted CI attempts, writes transient-provider-validation.skip.json before skipping. The shared classifier has unit coverage, but this scenario's loop behavior is not covered, so regressions could stop retrying, skip non-CI or non-transient install failures, or omit skip evidence while classifier tests still pass.
  • Recommendation: Add focused coverage for this scenario's install handling: first transient attempt followed by success; exhausted transient CI attempts emit skip evidence with sourceBoundary and removalCondition; and non-transient install failures fail normally.
  • Evidence: The install loop retries on isTransientProviderValidationFailure(install); after exhausted CI attempts it writes transient-provider-validation.skip.json with sourceBoundary and removalCondition and calls skip. Existing support tests cover the classifier in support-tests/network-policy-transient-provider.test.ts, not this loop.
• Snapshot credential leak scanner is not regression-tested (test/e2e-scenario/live/snapshot-commands.test.ts:118): The migrated test relies on a custom scanSnapshotCredentialLeaks() implementation to enforce the no-credential-in-backups contract, including narrowed handling for openclaw.json metadata. Without focused tests, future edits could introduce false negatives for credential-bearing env/json files or false positives for legitimate non-secret metadata.
  • Recommendation: Add or identify a focused test that builds fake backup trees with credential-bearing .env and JSON files and verifies scanSnapshotCredentialLeaks() reports leaked file paths while allowing non-secret openclaw.json credential-env metadata.
  • Evidence: scanSnapshotCredentialLeaks() scans .env, *.env, and .json files, ignores lockfiles, treats openclaw.json specially, and asserts credentialLeaks equals [] in the live scenario. I did not find a focused support test for this scanner behavior.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — Run or simulate snapshot-commands-vitest with only NVIDIA_INFERENCE_API_KEY configured and verify the scenario exercises install/snapshot coverage rather than skipping for missing NVIDIA_API_KEY, or update workflow/test/validator to support the intended secret name.. This PR changes a live workflow, installer execution, Docker/OpenShell sandbox lifecycle coverage, snapshot backup/restore behavior, credential scanning, and workflow-boundary validation. Static workflow-boundary tests cover important drift, but live/sandbox behavior and negative control-flow paths still need behavior-specific confidence.
• **Runtime validation** — Exercise snapshot install retry handling where the first install attempt is classified as transient and the second attempt succeeds.. This PR changes a live workflow, installer execution, Docker/OpenShell sandbox lifecycle coverage, snapshot backup/restore behavior, credential scanning, and workflow-boundary validation. Static workflow-boundary tests cover important drift, but live/sandbox behavior and negative control-flow paths still need behavior-specific confidence.
• **Runtime validation** — Exercise exhausted transient CI install attempts and verify transient-provider-validation.skip.json includes sourceBoundary and removalCondition before the scenario skips.. This PR changes a live workflow, installer execution, Docker/OpenShell sandbox lifecycle coverage, snapshot backup/restore behavior, credential scanning, and workflow-boundary validation. Static workflow-boundary tests cover important drift, but live/sandbox behavior and negative control-flow paths still need behavior-specific confidence.
• **Runtime validation** — Exercise a non-transient install failure and verify snapshot-commands.test.ts fails normally instead of skipping.. This PR changes a live workflow, installer execution, Docker/OpenShell sandbox lifecycle coverage, snapshot backup/restore behavior, credential scanning, and workflow-boundary validation. Static workflow-boundary tests cover important drift, but live/sandbox behavior and negative control-flow paths still need behavior-specific confidence.
• **Runtime validation** — Create fake backup trees with credential-bearing .env and JSON files and verify scanSnapshotCredentialLeaks reports leaked file paths while allowing non-secret openclaw.json credential-env metadata.. This PR changes a live workflow, installer execution, Docker/OpenShell sandbox lifecycle coverage, snapshot backup/restore behavior, credential scanning, and workflow-boundary validation. Static workflow-boundary tests cover important drift, but live/sandbox behavior and negative control-flow paths still need behavior-specific confidence.
• **Transient provider retry/skip control flow lacks scenario-specific regression coverage** — Add focused coverage for this scenario's install handling: first transient attempt followed by success; exhausted transient CI attempts emit skip evidence with sourceBoundary and removalCondition; and non-transient install failures fail normally.
• **Snapshot credential leak scanner is not regression-tested** — Add or identify a focused test that builds fake backup trees with credential-bearing .env and JSON files and verifies scanSnapshotCredentialLeaks() reports leaked file paths while allowing non-secret openclaw.json credential-env metadata.
• **Acceptance clause:** Refs Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 — add test evidence or identify existing coverage. The deterministic validation context did not include linked issue Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 or issue comments, so literal issue clauses could not be verified.

Since last review details

Current findings:

• Source-of-truth review needed: test/e2e-scenario/live/snapshot-commands.test.ts transient provider validation retry/skip: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: The install loop retries when isTransientProviderValidationFailure(install) is true; after exhausted CI attempts it writes transient-provider-validation.skip.json with sourceBoundary and removalCondition before calling skip.
• Source-of-truth review needed: test/e2e-scenario/live/snapshot-commands.test.ts openclaw.json tolerant credential scanning: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: scanSnapshotCredentialLeaks() skips generic structured-key checks for openclaw.json while still checking token-shaped values and env assignments.
• Snapshot migration changes the legacy hosted-inference secret contract (.github/workflows/e2e-vitest-scenarios.yaml:2246): The retained legacy snapshot shell test and reusable script lane use NVIDIA_INFERENCE_API_KEY for hosted inference, but the migrated Vitest workflow, live test, and boundary validator require NVIDIA_API_KEY. That is not an equivalent migration for environments where only the legacy hosted-inference secret is configured; the new scenario can skip before exercising install, snapshot restore, and credential-leak coverage.
  • Recommendation: Either keep this migrated scenario on NVIDIA_INFERENCE_API_KEY, or explicitly support both NVIDIA_INFERENCE_API_KEY and NVIDIA_API_KEY in the workflow, live test, and workflow-boundary validator with evidence that the scenario runs under the intended CI secret configuration.
  • Evidence: Legacy test/e2e/test-snapshot-commands.sh preflight checks NVIDIA_INFERENCE_API_KEY. .github/workflows/e2e-script.yaml exposes NVIDIA_INFERENCE_API_KEY when inputs.nvidia_api_key is set and passes it to the script. The new workflow step passes NVIDIA_API_KEY from secrets, test/e2e-scenario/live/snapshot-commands.test.ts calls secrets.required("NVIDIA_API_KEY"), and tools/e2e-scenarios/workflow-boundary.mts validates NVIDIA_API_KEY for snapshot-commands-vitest.
• Live provider secret is passed to branch-controlled Vitest and installer code (.github/workflows/e2e-vitest-scenarios.yaml:2246): The new free-standing workflow job exposes a live NVIDIA provider key to npx vitest running checked-out branch code, and the test passes that key into branch-controlled install.sh. The job has good mitigations, but this expands the secret-bearing trusted-code boundary: branch-controlled code could intentionally write the secret into non-hidden artifacts or logs despite fixture redaction.
  • Recommendation: Keep this lane restricted to trusted manual dispatches and trusted refs, and document or enforce that trusted-code boundary. Preserve the current mitigations: pinned actions, contents: read, persist-credentials: false, npm ci --ignore-scripts, isolated Docker auth, redactionValues, and include-hidden-files: false.
  • Evidence: snapshot-commands-vitest runs npx vitest against test/e2e-scenario/live/snapshot-commands.test.ts with NVIDIA_API_KEY from secrets. The test calls commandEnv(apiKey), which sets NVIDIA_API_KEY for bash install.sh --non-interactive --fresh. The workflow uses pinned actions, persist-credentials: false, npm ci --ignore-scripts, isolated DOCKER_CONFIG under RUNNER_TEMP, and include-hidden-files: false, but those mitigations do not prevent intentional exfiltration by branch-controlled code.
• Transient provider retry/skip control flow lacks scenario-specific regression coverage (test/e2e-scenario/live/snapshot-commands.test.ts:214): The live scenario retries install when isTransientProviderValidationFailure() classifies a provider validation error and, after exhausted CI attempts, writes transient-provider-validation.skip.json before skipping. The shared classifier has unit coverage, but this scenario's loop behavior is not covered, so regressions could stop retrying, skip non-CI or non-transient install failures, or omit skip evidence while classifier tests still pass.
  • Recommendation: Add focused coverage for this scenario's install handling: first transient attempt followed by success; exhausted transient CI attempts emit skip evidence with sourceBoundary and removalCondition; and non-transient install failures fail normally.
  • Evidence: The install loop retries on isTransientProviderValidationFailure(install); after exhausted CI attempts it writes transient-provider-validation.skip.json with sourceBoundary and removalCondition and calls skip. Existing support tests cover the classifier in support-tests/network-policy-transient-provider.test.ts, not this loop.
• Snapshot credential leak scanner is not regression-tested (test/e2e-scenario/live/snapshot-commands.test.ts:118): The migrated test relies on a custom scanSnapshotCredentialLeaks() implementation to enforce the no-credential-in-backups contract, including narrowed handling for openclaw.json metadata. Without focused tests, future edits could introduce false negatives for credential-bearing env/json files or false positives for legitimate non-secret metadata.
  • Recommendation: Add or identify a focused test that builds fake backup trees with credential-bearing .env and JSON files and verifies scanSnapshotCredentialLeaks() reports leaked file paths while allowing non-secret openclaw.json credential-env metadata.
  • Evidence: scanSnapshotCredentialLeaks() scans .env, *.env, and .json files, ignores lockfiles, treats openclaw.json specially, and asserts credentialLeaks equals [] in the live scenario. I did not find a focused support test for this scanner behavior.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27438097815
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 1 passed, 1 failed, 22 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	❌ failure
token-rotation-vitest	⏭️ skipped

Failed jobs: snapshot-commands-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27444788389
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 1 passed, 1 failed, 22 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	❌ failure
token-rotation-vitest	⏭️ skipped

Failed jobs: snapshot-commands-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27446206870
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 1 passed, 1 failed, 22 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	❌ failure
token-rotation-vitest	⏭️ skipped

Failed jobs: snapshot-commands-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27447293697
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 1 passed, 1 failed, 22 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	❌ failure
token-rotation-vitest	⏭️ skipped

Failed jobs: snapshot-commands-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27448496605
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 23 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27452042525
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 23 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27453710229
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 23 skipped

Job	Result
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27454075628
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 28 skipped

Job	Result
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27455034736
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 30 skipped

Job	Result
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27455253108
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 30 skipped

Job	Result
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27457008075
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 31 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27459326274
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 34 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27459963711
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27462306048
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-code-quality]

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the e2e-migrate/test-sna... branch is 96%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	e2e-migrate/test-sna... 2305e3f	+/-
nemoclaw/src/se...cret-scanner.ts	—	100%	—
nemoclaw/src/commands/slash.ts	—	100%	—
nemoclaw/src/li...bprocess-env.ts	—	100%	—
nemoclaw/src/bl...eprint/state.ts	—	98%	—
nemoclaw/src/onboard/config.ts	—	98%	—
nemoclaw/src/bl...int/snapshot.ts	—	97%	—
nemoclaw/src/bl...print/runner.ts	—	95%	—
nemoclaw/src/co...ration-state.ts	—	94%	—
nemoclaw/src/bl...ate-networks.ts	—	94%	—
nemoclaw/src/index.ts	—	94%	—

TypeScript / code-coverage/cli

The overall coverage in the e2e-migrate/test-sna... branch is 46%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	e2e-migrate/test-sna... 2305e3f	+/-
src/lib/state/o...oard-session.ts	—	90%	—
src/lib/inference/local.ts	—	76%	—
src/lib/sandbox/config.ts	—	72%	—
src/lib/actions...dbox/rebuild.ts	—	67%	—
src/lib/onboard/preflight.ts	—	64%	—
src/lib/actions...licy-channel.ts	—	56%	—
src/lib/state/sandbox.ts	—	55%	—
src/lib/policy/index.ts	—	49%	—
src/lib/onboard...er-gpu-patch.ts	—	44%	—
src/lib/onboard.ts	—	18%	—

---

_{Updated June 16, 2026 05:45 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27594969650
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-vitest-scenarios.yaml:
- Around line 2185-2186: The job timeout-minutes is set to 30 minutes, which
matches the Vitest test timeout of 30 minutes. Since setup, npm install, Docker
auth, and artifact upload all consume time within the same job, GitHub Actions
can kill the job before Vitest completes cleanup when the test approaches its
timeout limit. Increase the timeout-minutes value to provide headroom above the
test timeout (for example, change it to 45 minutes) to ensure the job remains
alive long enough for Vitest to finish its cleanup and artifact handling.

In `@test/e2e-scenario/live/snapshot-commands.test.ts`:
- Around line 132-137: The credential leak detection regex pattern
`/nvapi-|sk-|Bearer /` only catches token-shaped values but misses credential
key names. Update this regex pattern in the file body test to detect both
token-shaped values AND common credential/API key variable names such as
NVIDIA_API_KEY, NVIDIA_INFERENCE_API_KEY, OPENAI_API_KEY, and similar provider
key identifiers. The enhanced pattern should flag files containing credential
key definitions regardless of whether the assigned values match token patterns.
- Around line 308-320: The latest-restore test phase only verifies that the
SECOND_MARKER file is correctly restored, but does not check that stale files
like MARKER_FILE (which was deliberately set to BROKEN before the restore) are
actually removed. After the existing expectSandboxFileContent call that
validates SECOND_MARKER content, add another assertion to verify that
MARKER_FILE is absent after the latest restore, using the same absence-checking
pattern that is used for the timestamp-targeted restore phase earlier in the
test.

In `@test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts`:
- Around line 915-917: The test mutation for the checkout action is tightly
coupled to a specific pinned SHA, which causes the test to fail when the pin is
rotated to a new version. Instead of checking for an exact match on the full
`actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` string in the
condition, modify the check to match any version of the `actions/checkout`
action regardless of the SHA (such as checking if `step.uses` starts with or
contains `actions/checkout`). This ensures the mutation applies consistently
across checkout pin updates.

In `@tools/e2e-scenarios/workflow-boundary.mts`:
- Around line 2469-2473: The validator for the snapshot-commands-vitest job is
missing enforcement of the timeout-minutes property, which should be set to 30
minutes according to the intended contract. Add an explicit validation check
after the existing runs-on check that verifies job["timeout-minutes"] equals 30
and pushes an appropriate error message to the errors array if it does not,
similar to the pattern used for validating the runs-on property.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4a6b446b-3047-47f5-a50a-51edc018323a

📥 Commits

Reviewing files that changed from the base of the PR and between 6c0fb04 and c3355fa.

📒 Files selected for processing (4)

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/snapshot-commands.test.ts
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts (1)

908-912: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

TypeScript error: type assertion doesn't allow timeout-minutes property.

The static analysis correctly identifies that "timeout-minutes" cannot index the job type since it only defines env and steps. This will fail the build.

Proposed fix

     const parsedWorkflow = YAML.parse(workflow) as {
-      jobs: Record<string, { env: Record<string, string>; steps: Array<Record<string, unknown>> }>;
+      jobs: Record<string, { env: Record<string, string>; steps: Array<Record<string, unknown>>; "timeout-minutes"?: number; [key: string]: unknown }>;
     };
     const snapshotJob = parsedWorkflow.jobs["snapshot-commands-vitest"];
     snapshotJob["timeout-minutes"] = 30;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts` around lines
908 - 912, The type assertion for parsedWorkflow is too restrictive and does not
account for the timeout-minutes property being assigned to snapshotJob. Modify
the type annotation in the YAML.parse call to include timeout-minutes as an
optional property in the job object type, or restructure the type to allow
additional properties beyond env and steps. This will allow the
snapshotJob["timeout-minutes"] = 30 assignment to pass TypeScript type checking
without errors.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts`:
- Around line 908-912: The type assertion for parsedWorkflow is too restrictive
and does not account for the timeout-minutes property being assigned to
snapshotJob. Modify the type annotation in the YAML.parse call to include
timeout-minutes as an optional property in the job object type, or restructure
the type to allow additional properties beyond env and steps. This will allow
the snapshotJob["timeout-minutes"] = 30 assignment to pass TypeScript type
checking without errors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4e2591e2-87b7-4ae1-b742-e552d25d5f9f

📥 Commits

Reviewing files that changed from the base of the PR and between c3355fa and 78a3d66.

📒 Files selected for processing (4)

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/snapshot-commands.test.ts
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/e2e-vitest-scenarios.yaml

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27595607806
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 1 passed, 1 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	❌ failure
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

Failed jobs: snapshot-commands-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27595810674
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 1 passed, 1 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	❌ failure
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

Failed jobs: snapshot-commands-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27596164880
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 1 passed, 1 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	❌ failure
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

Failed jobs: snapshot-commands-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27596480849
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 1 passed, 1 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	❌ failure
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

Failed jobs: snapshot-commands-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27596798746
Workflow ref: e2e-migrate/test-snapshot-commands
Requested scenarios: (default — all supported)
Requested jobs: snapshot-commands-vitest
Summary: 2 passed, 0 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
snapshot-commands-vitest	✅ success
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped