fix(inference): use NVIDIA inference credential env #5366

Merged
cv merged 14 commits into main from codex/update-nvidia-inference-endpoint
Jun 13, 2026

@cv cv commented Jun 12, 2026

Collaborator

Summary

Make NVIDIA_INFERENCE_API_KEY the canonical NVIDIA hosted-inference credential variable while keeping the public/default NVIDIA Endpoints URL as https://integrate.api.nvidia.com/v1.

https://inference-api.nvidia.com/v1 is used only in CI/E2E live validation paths where it is convenient for the repository secret-backed tests.

Changes

  • Renamed workflow secrets, E2E scenario fixtures, shell tests, docs, and user-facing examples from NVIDIA_API_KEY to NVIDIA_INFERENCE_API_KEY.
  • Kept NVIDIA_API_KEY as a legacy resolver/redaction alias so existing local env or legacy credentials files can hydrate the new canonical key during migration.
  • Restored hosted NVIDIA provider constants, blueprint defaults, router config, diagnostics, preflight checks, checked-in network policies, and public docs to reference integrate.api.nvidia.com.
  • Kept inference-api.nvidia.com references limited to CI/E2E live probes and runtime validation notes.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Additional verification run:

  • npm run build:cli
  • npm run typecheck:cli
  • npm run validate:configs
  • npx vitest run --project cli test/validate-blueprint.test.ts test/validate-configs-dangerous-hosts.test.ts test/openclaw-config-snapshot.test.ts test/generate-openclaw-config.test.ts test/onboard-selection.test.ts test/canonical-credential-resolution.test.ts test/credentials.test.ts test/no-direct-credential-env.test.ts
  • npx vitest run --project cli src/lib/onboard/providers.test.ts
  • npx vitest run --project e2e-vitest-support
  • npx vitest run --project plugin nemoclaw/src/commands/config-show.test.ts nemoclaw/src/blueprint/runner.test.ts nemoclaw/src/blueprint/ssrf.test.ts
  • git commit hooks passed, including config validation, docs-to-skills verification, CLI/plugin tests, and commitlint
  • git push pre-push hooks passed, including TypeScript gates and CLI/plugin tests

Signed-off-by: Carlos Villela <cvillela@nvidia.com>

Summary by CodeRabbit

  • Configuration Changes

    • NVIDIA credential env var renamed to NVIDIA_INFERENCE_API_KEY.
    • Default NVIDIA inference endpoint references updated to inference-api.nvidia.com.
  • Documentation

    • Onboarding guides, quickstarts, release notes and examples updated to use the new env var and endpoint.
  • Tests & CI

    • Test suites, E2E scenarios, workflows and nightly jobs updated to accept/validate the new env var.
    • CI-only compatibility helpers added to support alternate inference key mappings.
  • Network & Policies

    • Allowed NVIDIA inference host entries and related policy references updated.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>

copy-pr-bot Bot commented Jun 12, 2026


Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

coderabbitai Bot commented Jun 12, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Rename NVIDIA API credential to NVIDIA_INFERENCE_API_KEY, update CI/workflow secret wiring, add a CI-compatible inference shim, and propagate the name change across runtime code, onboarding/deploy logic, tests, docs, manifests, and network policies.

Changes

NVIDIA inference key and endpoint migration

| Layer / File(s) | Summary |
| --- | --- |
| End-to-end migration: *.github/workflows/*, test/e2e/lib/*, test/e2e/*, scripts/*, src/lib/*, src/*onboard*, docs/*, nemoclaw-blueprint/*, agents/* | Renamed credential from NVIDIA_API_KEY → NVIDIA_INFERENCE_API_KEY in workflow-call secrets, job envs, e2e scripts, CI shim (test/e2e/lib/ci-compatible-inference.sh), runtime credential resolution, deploy credentials, onboarding/provider wiring, redaction patterns, tests, docs, and manifests. Endpoint host references were adjusted between inference-api.nvidia.com and integrate.api.nvidia.com where shown. |

Estimated code review effort:
🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs:

Suggested labels:
area: inference, area: e2e, chore, area: docs

Suggested reviewers:

  • jyaunches
  • prekshivyas

"I hopped through every file and line,
I renamed the key so tests align.
Docs and workflows now agree,
The CI shim hums, the tests run free.
🐇✨"

@cv cv changed the title from "Use NVIDIA inference endpoint and credential env" to "fix(inference): use NVIDIA inference endpoint" on Jun 12, 2026
github-actions Bot commented Jun 12, 2026

Contributor

E2E Advisor Recommendation

Required E2E: cloud-e2e, cloud-onboard-e2e, cloud-inference-e2e, credential-sanitization-e2e, credential-migration-e2e, inference-routing-e2e, model-router-provider-routed-inference-vitest, network-policy-e2e, token-rotation-e2e, sandbox-rebuild-e2e, sandbox-survival-e2e, hermes-e2e, launchable-smoke-e2e, e2e-branch-validation-full
Optional E2E: messaging-providers-e2e, shields-config-e2e, openclaw-tui-chat-correlation-vitest, issue-4434-tui-unreachable-inference-vitest, macos-e2e, wsl-e2e

Dispatch hint: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e,credential-sanitization-e2e,credential-migration-e2e,inference-routing-e2e,network-policy-e2e,token-rotation-e2e,sandbox-rebuild-e2e,sandbox-survival-e2e,hermes-e2e,launchable-smoke-e2e

Auto-dispatched E2E: cloud-e2e, cloud-onboard-e2e, cloud-inference-e2e, credential-sanitization-e2e, credential-migration-e2e, inference-routing-e2e, network-policy-e2e, token-rotation-e2e, sandbox-survival-e2e, hermes-e2e, launchable-smoke-e2e via nightly-e2e.yaml at 43e20d54bee29d9199d7aca449ec0b812013ce8b (nightly run)

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • cloud-e2e (high): Full install → onboard → sandbox → live inference path is required because installer, onboarding, credentials, deploy, inference, blueprint, and e2e-script secret plumbing changed.
  • cloud-onboard-e2e (medium): Required to validate clean-machine onboarding, provider selection, policy presets, and renamed NVIDIA inference secret handling.
  • cloud-inference-e2e (medium): Required for changed inference health/model prompt/NIM routing code and workflow-level compatible inference secret export behavior.
  • credential-sanitization-e2e (medium): Required because credential store, redaction, subprocess env filtering, secret scanner tests, and direct credential env checks changed.
  • credential-migration-e2e (medium): Required to prove legacy credential migration and renamed NVIDIA inference credential resolution still work without credential exposure.
  • inference-routing-e2e (medium): Required because model-router/routed-inference/provider code and CI-compatible inference helpers changed.
  • model-router-provider-routed-inference-vitest (medium): Required focused coverage for provider-routed Model Router onboarding and sandbox inference.local behavior touched by src/lib/onboard/model-router.ts and routed-inference changes.
  • network-policy-e2e (medium): Required because policy YAML and network-policy assets changed, affecting security allow/deny boundaries.
  • token-rotation-e2e (medium): Required because src/commands/sandbox/config/rotate-token.ts and credential propagation paths changed.
  • sandbox-rebuild-e2e (high): Required because deploy, blueprint, sandbox policies, credential hydration, and rebuild-related tests changed.
  • sandbox-survival-e2e (medium): Required to cover changed sandbox lifecycle/deploy behavior across gateway restart and live inference after state recovery.
  • hermes-e2e (medium): Required because Hermes policy assets, Hermes onboarding docs, and Hermes live scenario/manifests changed; validates real Hermes install/onboard/inference.
  • launchable-smoke-e2e (medium): Required because Brev/launchable workflows, manifests, install scripts, and launchable smoke tests changed; validates community/launchable clean-install path.
  • e2e-branch-validation-full (high): Required for the changed Brev branch-validation workflow and secret contract; validates source install/onboard/inference on an ephemeral clean Linux instance.

Optional E2E

  • messaging-providers-e2e (medium): Useful adjacent confidence because token handling, policy assets, and messaging channel config tests changed; not the narrowest merge blocker unless messaging provider behavior is in scope.
  • shields-config-e2e (medium): Useful security/config confidence because policy and credential boundary code changed, but less directly targeted than network-policy and credential-sanitization.
  • openclaw-tui-chat-correlation-vitest (medium): Useful real assistant-flow coverage for OpenClaw runtime behavior after inference and blueprint changes.
  • issue-4434-tui-unreachable-inference-vitest (high): Useful focused regression for changed inference health/error handling and TUI unreachable-inference recovery.
  • macos-e2e (medium): Optional platform confidence because macOS workflow and smoke install script changed; skip as non-blocking if macOS runner/Docker availability is constrained.
  • wsl-e2e (high): Optional platform confidence because the WSL workflow and WSL scenario manifest changed; not required unless this PR targets Windows/WSL support.

New E2E recommendations

  • E2E workflow secret contract (high): This PR renames the primary live inference secret across multiple workflows and adds CI-only compatible inference export behavior. Existing live jobs exercise it indirectly, but there is no small targeted E2E that fails fast when NVIDIA_INFERENCE_API_KEY is missing, mis-mapped, or accidentally exposed as NVIDIA_API_KEY.
    • Suggested test: Add a focused workflow-dispatched E2E smoke that invokes e2e-script.yaml with nvidia_api_key and nvidia_secret_as_compatible_api_key enabled, asserts NVIDIA_INFERENCE_API_KEY reaches the script, COMPATIBLE_API_KEY is present only when requested, and NVIDIA_API_KEY is absent from process/sandbox environments.
  • Policy asset regression (medium): Agent policy YAML and blueprint policies changed, but current live coverage validates broad network-policy behavior rather than diffing the effective OpenShell policy generated for each agent/preset combination.
    • Suggested test: Add a manifest-driven live policy snapshot/probe scenario for OpenClaw and Hermes that onboards with default and permissive/custom policy modes, captures the effective sandbox policy, and runs minimal allow/deny probes for newly added rules.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e,credential-sanitization-e2e,credential-migration-e2e,inference-routing-e2e,network-policy-e2e,token-rotation-e2e,sandbox-rebuild-e2e,sandbox-survival-e2e,hermes-e2e,launchable-smoke-e2e

github-actions Bot commented Jun 12, 2026

Contributor

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: credential-migration-vitest, credential-sanitization-vitest, gateway-guard-recovery, inference-routing-vitest, issue-4434-tui-unreachable-inference-vitest, launchable-smoke-vitest, model-router-provider-routed-inference-vitest, network-policy-vitest, onboard-negative-paths-vitest, openclaw-tui-chat-correlation-vitest, rebuild-openclaw-vitest, sandbox-rebuild-vitest, sandbox-survival-vitest, shields-config-vitest, skill-agent-vitest, token-rotation-vitest, e2e-scenarios-all
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=credential-migration-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=credential-sanitization-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=gateway-guard-recovery
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=inference-routing-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-4434-tui-unreachable-inference-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=launchable-smoke-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=model-router-provider-routed-inference-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=network-policy-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-negative-paths-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=rebuild-openclaw-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=sandbox-rebuild-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=sandbox-survival-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=shields-config-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=skill-agent-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=token-rotation-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref>

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • credential-migration-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/credential-migration.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=credential-migration-vitest
  • credential-sanitization-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/credential-sanitization.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=credential-sanitization-vitest
  • gateway-guard-recovery: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/gateway-guard-recovery.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=gateway-guard-recovery
  • inference-routing-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/inference-routing.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=inference-routing-vitest
  • issue-4434-tui-unreachable-inference-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/issue-4434-tui-unreachable-inference.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-4434-tui-unreachable-inference-vitest
  • launchable-smoke-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/launchable-smoke.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=launchable-smoke-vitest
  • model-router-provider-routed-inference-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/model-router-provider-routed-inference.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=model-router-provider-routed-inference-vitest
  • network-policy-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/network-policy.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=network-policy-vitest
  • onboard-negative-paths-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/onboard-negative-paths.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-negative-paths-vitest
  • openclaw-tui-chat-correlation-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=openclaw-tui-chat-correlation-vitest
  • rebuild-openclaw-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/rebuild-openclaw.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=rebuild-openclaw-vitest
  • sandbox-rebuild-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/sandbox-rebuild.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=sandbox-rebuild-vitest
  • sandbox-survival-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/sandbox-survival.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=sandbox-survival-vitest
  • shields-config-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/shields-config.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=shields-config-vitest
  • skill-agent-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/skill-agent.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=skill-agent-vitest
  • token-rotation-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/token-rotation.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=token-rotation-vitest
  • e2e-scenarios-all: The PR changes the shared Vitest scenario workflow, shared fixture/onboarding phase helpers, scenario metadata/types, manifests, and broad live/support-test surfaces. Per policy, changes to workflow machinery, matrix/metadata plumbing, shared fixtures, or broad scenario definitions require the full Vitest E2E scenario fan-out rather than a targeted subset.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref>

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • .github/workflows/e2e-vitest-scenarios.yaml
  • test/e2e-scenario/fixtures/phases/onboarding.ts
  • test/e2e-scenario/live/credential-migration.test.ts
  • test/e2e-scenario/live/credential-sanitization.test.ts
  • test/e2e-scenario/live/gateway-guard-recovery.test.ts
  • test/e2e-scenario/live/hermes-e2e.test.ts
  • test/e2e-scenario/live/inference-routing.test.ts
  • test/e2e-scenario/live/issue-4434-tui-unreachable-inference.test.ts
  • test/e2e-scenario/live/launchable-smoke.test.ts
  • test/e2e-scenario/live/model-router-provider-routed-inference.test.ts
  • test/e2e-scenario/live/network-policy.test.ts
  • test/e2e-scenario/live/onboard-negative-paths.test.ts
  • test/e2e-scenario/live/onboard-resume.test.ts
  • test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e-scenario/live/rebuild-openclaw.test.ts
  • test/e2e-scenario/live/sandbox-operations.test.ts
  • test/e2e-scenario/live/sandbox-rebuild.test.ts
  • test/e2e-scenario/live/sandbox-survival.test.ts
  • test/e2e-scenario/live/shields-config.test.ts
  • test/e2e-scenario/live/skill-agent.test.ts
  • test/e2e-scenario/live/token-rotation.test.ts
  • test/e2e-scenario/live/whatsapp-qr-compact.test.ts
  • test/e2e-scenario/manifests/hermes-nvidia-discord.yaml
  • test/e2e-scenario/manifests/hermes-nvidia-slack.yaml
  • test/e2e-scenario/manifests/hermes-nvidia.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-brave.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-brev-launchable.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-custom-policies.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-discord.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-double-provider-switch.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-double-same-provider.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-gateway-port-conflict.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-invalid-key.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-macos.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-no-docker-negative.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-post-reboot-recovery.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-repair.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-resume.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-slack.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-telegram.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-token-rotation.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-wsl.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia.yaml
  • test/e2e-scenario/scenarios/scenarios/baseline.ts
  • test/e2e-scenario/scenarios/types.ts
  • test/e2e-scenario/support-tests/docker-probe.test.ts
  • test/e2e-scenario/support-tests/e2e-fixture-context.test.ts
  • test/e2e-scenario/support-tests/e2e-manifests.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-environment.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-onboarding.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-state-validation.test.ts
  • test/e2e-scenario/support-tests/e2e-scenario-matrix.test.ts
  • test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
  • test/e2e-scenario/support-tests/network-policy-transient-provider.test.ts
  • tools/e2e-scenarios/workflow-boundary.mts

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv marked this pull request as ready for review June 12, 2026 21:30
github-actions Bot commented Jun 12, 2026

Contributor

PR Review Advisor

Findings: 3 needs attention, 6 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 9 still apply, 0 new items found

Review findings

🛠️ Needs attention

  • Messaging providers Vitest still requires the legacy NVIDIA secret (.github/workflows/e2e-vitest-scenarios.yaml:1537): The PR acceptance claim says workflows and E2E scenario fixtures were renamed to the canonical NVIDIA_INFERENCE_API_KEY, but the messaging-providers live Vitest lane still passes the legacy NVIDIA_API_KEY and its test skips unless that legacy variable is present. A repository configured only with the canonical secret can therefore miss this live provider/credential-isolation coverage.
    • Recommendation: Pass NVIDIA_INFERENCE_API_KEY to the messaging-providers Vitest job, update test/e2e-scenario/live/messaging-providers.test.ts to require the canonical env name, and update test/e2e-scenario/live/messaging-providers-helpers.ts to forward NVIDIA_INFERENCE_API_KEY. Keep legacy alias behavior in a focused migration test rather than this canonical live lane.
    • Evidence: .github/workflows/e2e-vitest-scenarios.yaml still sets NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }} for the messaging providers job. test/e2e-scenario/live/messaging-providers.test.ts checks process.env.NVIDIA_API_KEY and skips when it is absent. test/e2e-scenario/live/messaging-providers-helpers.ts forwards NVIDIA_API_KEY into onboarding.
  • Generated policy references still advertise the CI-only NVIDIA endpoint as default (skills/nemoclaw-user-reference/references/network-policies.md:31): The checked-in runtime policy and MDX reference now show the default NVIDIA sandbox policy using only integrate.api.nvidia.com, but generated skill/reference artifacts still list inference-api.nvidia.com as part of the default nvidia policy. This leaves the clause that inference-api.nvidia.com is limited to CI/E2E live validation paths only partially met and can mislead operators or agents about baseline sandbox egress.
    • Recommendation: Regenerate or update both generated skill trees so their network-policy reference matches docs/reference/network-policies.mdx and nemoclaw-blueprint/policies/openclaw-sandbox.yaml, or add an explicit documented exception plus a source-of-truth test proving the difference is intentional.
    • Evidence: docs/reference/network-policies.mdx lists nvidia as integrate.api.nvidia.com:443 and nemoclaw-blueprint/policies/openclaw-sandbox.yaml allows host integrate.api.nvidia.com. skills/nemoclaw-user-reference/references/network-policies.md and .agents/skills/nemoclaw-user-reference/references/network-policies.md still list integrate.api.nvidia.com:443 and inference-api.nvidia.com:443 for the default policy.
  • Generated user-facing skills still teach the legacy NVIDIA credential name (skills/nemoclaw-user-get-started/references/quickstart-details.md:31): The PR makes NVIDIA_INFERENCE_API_KEY the canonical hosted NVIDIA credential in runtime code and MDX docs, but generated user-facing skill artifacts still instruct users and agents to export or enter NVIDIA_API_KEY. If these generated skills are shipped or consumed by agents, the canonical credential migration is incomplete.
    • Recommendation: Regenerate or update generated skills from the updated docs source, or explicitly label remaining NVIDIA_API_KEY mentions as legacy migration documentation. Add generated-artifact parity coverage that fails when user-facing generated skills drift from NVIDIA_INFERENCE_API_KEY.
    • Evidence: skills/nemoclaw-user-get-started/references/quickstart-details.md says export NVIDIA_API_KEY=<your-key> and prompts for NVIDIA_API_KEY. skills/nemoclaw-user-configure-security/references/credential-storage.md and skills/nemoclaw-user-configure-inference/references/inference-options.md also use NVIDIA_API_KEY in hosted-inference examples, while corresponding docs/**/*.mdx sources use NVIDIA_INFERENCE_API_KEY.

🔎 Worth checking

  • Source-of-truth review needed: Legacy NVIDIA_API_KEY compatibility alias: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: src/lib/credentials/store.ts defines LEGACY_CREDENTIAL_ENV_ALIASES for NVIDIA_INFERENCE_API_KEY: [NVIDIA_API_KEY]; .github/workflows/e2e-vitest-scenarios.yaml no-secret install commands unset only NVIDIA_INFERENCE_API_KEY.
  • Source-of-truth review needed: CI-only compatible inference endpoint shim: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: .github/workflows/e2e-script.yaml and test/e2e/lib/ci-compatible-inference.sh independently encode inference-api.nvidia.com, nvidia/nvidia/nemotron-3-super-v3, NEMOCLAW_E2E_USE_NVIDIA_SECRET_AS_COMPATIBLE, and COMPATIBLE_API_KEY hydration.
  • Source-of-truth review needed: Generated network-policy skill references: The advisor marked localized patch analysis as missing.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: skills/nemoclaw-user-reference/references/network-policies.md and .agents/skills/nemoclaw-user-reference/references/network-policies.md still list inference-api.nvidia.com, while docs/reference/network-policies.mdx and nemoclaw-blueprint/policies/openclaw-sandbox.yaml do not.
  • Source-of-truth review needed: Generated NVIDIA credential skill examples: The advisor marked localized patch analysis as missing.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: skills/nemoclaw-user-get-started/references/quickstart-details.md, skills/nemoclaw-user-configure-security/references/credential-storage.md, and skills/nemoclaw-user-configure-inference/references/inference-options.md still use NVIDIA_API_KEY while corresponding docs/**/*.mdx sources use NVIDIA_INFERENCE_API_KEY.
  • Secret-free installer steps do not consistently clear the legacy NVIDIA credential alias (.github/workflows/e2e-vitest-scenarios.yaml:1010): The product resolver intentionally maps legacy NVIDIA_API_KEY into canonical NVIDIA_INFERENCE_API_KEY, but changed no-secret OpenShell install/bootstrap steps only unset NVIDIA_INFERENCE_API_KEY. If a runner or caller environment still exports the legacy name, a supposedly secret-free step can hydrate the canonical NVIDIA credential through the compatibility alias.
    • Recommendation: Until the legacy alias is removed, treat NVIDIA_API_KEY as secret-bearing everywhere NVIDIA_INFERENCE_API_KEY is secret-bearing. Unset both names in no-secret install/bootstrap steps and update workflow-boundary support tests to reject secret-free jobs or steps that expose either variable.
    • Evidence: src/lib/credentials/store.ts defines LEGACY_CREDENTIAL_ENV_ALIASES mapping NVIDIA_INFERENCE_API_KEY from NVIDIA_API_KEY. Changed workflow install commands include -u NVIDIA_INFERENCE_API_KEY but not -u NVIDIA_API_KEY. tools/e2e-scenarios/workflow-boundary.mts has uneven canonical/legacy coverage across common and per-job validators.
  • CI-compatible inference endpoint and model are duplicated without a sync guard (.github/workflows/e2e-script.yaml:220): The reusable E2E workflow exports the NVIDIA inference secret as COMPATIBLE_API_KEY and hardcodes the CI-only compatible endpoint/model, while the shell helper independently defines the same endpoint/model/flag behavior. This broadens the credential alias surface and can drift so workflow setup and shell validation disagree.
    • Recommendation: Use a shared source for the CI-compatible endpoint/model constants, or add a contract test comparing .github/workflows/e2e-script.yaml with test/e2e/lib/ci-compatible-inference.sh for endpoint URL, model id, NEMOCLAW_E2E_USE_NVIDIA_SECRET_AS_COMPATIBLE, and COMPATIBLE_API_KEY hydration. Keep this alias limited to explicitly opted-in, secret-bearing jobs.
    • Evidence: .github/workflows/e2e-script.yaml writes NEMOCLAW_ENDPOINT_URL=https://inference-api.nvidia.com/v1, NEMOCLAW_MODEL=nvidia/nvidia/nemotron-3-super-v3, NEMOCLAW_COMPAT_MODEL=nvidia/nvidia/nemotron-3-super-v3, and COMPATIBLE_API_KEY from NVIDIA_INFERENCE_API_KEY. test/e2e/lib/ci-compatible-inference.sh separately defaults the same endpoint/model and copies NVIDIA_INFERENCE_API_KEY into COMPATIBLE_API_KEY when NEMOCLAW_E2E_USE_NVIDIA_SECRET_AS_COMPATIBLE=1.

🌱 Nice ideas

  • None.
Consider writing more tests for
  • **Runtime validation** — messaging-providers Vitest receives NVIDIA_INFERENCE_API_KEY and does not skip when NVIDIA_API_KEY is absent. This PR changes secret-bearing workflows, installer/bootstrap boundaries, sandbox policies, hosted-inference endpoint handling, shell E2E helpers, and live Vitest scenarios. Static/unit coverage is useful, but the remaining risks are workflow-boundary, generated-artifact parity, and runtime/sandbox behavior rather than pure function behavior.
  • **Runtime validation** — messaging-providers helper forwards NVIDIA_INFERENCE_API_KEY into onboarding env. This PR changes secret-bearing workflows, installer/bootstrap boundaries, sandbox policies, hosted-inference endpoint handling, shell E2E helpers, and live Vitest scenarios. Static/unit coverage is useful, but the remaining risks are workflow-boundary, generated-artifact parity, and runtime/sandbox behavior rather than pure function behavior.
  • **Runtime validation** — workflow-boundary rejects no-secret OpenShell install steps unless both NVIDIA_INFERENCE_API_KEY and NVIDIA_API_KEY are unset. This PR changes secret-bearing workflows, installer/bootstrap boundaries, sandbox policies, hosted-inference endpoint handling, shell E2E helpers, and live Vitest scenarios. Static/unit coverage is useful, but the remaining risks are workflow-boundary, generated-artifact parity, and runtime/sandbox behavior rather than pure function behavior.
  • **Runtime validation** — workflow-boundary rejects secret-free jobs or steps that expose either canonical or legacy NVIDIA credential env. This PR changes secret-bearing workflows, installer/bootstrap boundaries, sandbox policies, hosted-inference endpoint handling, shell E2E helpers, and live Vitest scenarios. Static/unit coverage is useful, but the remaining risks are workflow-boundary, generated-artifact parity, and runtime/sandbox behavior rather than pure function behavior.
  • **Runtime validation** — e2e-script compatible inference export matches ci-compatible-inference.sh endpoint, model, flag, and COMPATIBLE_API_KEY hydration. This PR changes secret-bearing workflows, installer/bootstrap boundaries, sandbox policies, hosted-inference endpoint handling, shell E2E helpers, and live Vitest scenarios. Static/unit coverage is useful, but the remaining risks are workflow-boundary, generated-artifact parity, and runtime/sandbox behavior rather than pure function behavior.
  • **CI-compatible inference endpoint and model are duplicated without a sync guard** — Use a shared source for the CI-compatible endpoint/model constants, or add a contract test comparing .github/workflows/e2e-script.yaml with test/e2e/lib/ci-compatible-inference.sh for endpoint URL, model id, NEMOCLAW_E2E_USE_NVIDIA_SECRET_AS_COMPATIBLE, and COMPATIBLE_API_KEY hydration. Keep this alias limited to explicitly opted-in, secret-bearing jobs.
  • **Acceptance clause:** Make `NVIDIA_INFERENCE_API_KEY` the canonical NVIDIA hosted-inference credential variable while keeping the public/default NVIDIA Endpoints URL as `https://integrate.api.nvidia.com/v1`. — add test evidence or identify existing coverage. Runtime docs, policies, and tests mostly use NVIDIA_INFERENCE_API_KEY and integrate.api.nvidia.com, and test/validate-blueprint.test.ts asserts router API bases are https://integrate.api.nvidia.com/v1. However the messaging-providers Vitest workflow/test/helper still use NVIDIA_API_KEY, and generated user-facing skills still teach NVIDIA_API_KEY.
  • **Acceptance clause:** `https://inference-api.nvidia.com/v1` is used only in CI/E2E live validation paths where it is convenient for the repository secret-backed tests. — add test evidence or identify existing coverage. .github/workflows/e2e-script.yaml and test/e2e/lib/ci-compatible-inference.sh are CI/E2E surfaces that intentionally use inference-api.nvidia.com. But generated network-policy skills still advertise inference-api.nvidia.com as a default nvidia policy endpoint, which is user/agent-facing rather than CI-only.
Since last review details

Current findings:

  • Source-of-truth review needed: Legacy NVIDIA_API_KEY compatibility alias: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: src/lib/credentials/store.ts defines LEGACY_CREDENTIAL_ENV_ALIASES for NVIDIA_INFERENCE_API_KEY: [NVIDIA_API_KEY]; .github/workflows/e2e-vitest-scenarios.yaml no-secret install commands unset only NVIDIA_INFERENCE_API_KEY.
  • Source-of-truth review needed: CI-only compatible inference endpoint shim: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: .github/workflows/e2e-script.yaml and test/e2e/lib/ci-compatible-inference.sh independently encode inference-api.nvidia.com, nvidia/nvidia/nemotron-3-super-v3, NEMOCLAW_E2E_USE_NVIDIA_SECRET_AS_COMPATIBLE, and COMPATIBLE_API_KEY hydration.
  • Source-of-truth review needed: Generated network-policy skill references: The advisor marked localized patch analysis as missing.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: skills/nemoclaw-user-reference/references/network-policies.md and .agents/skills/nemoclaw-user-reference/references/network-policies.md still list inference-api.nvidia.com, while docs/reference/network-policies.mdx and nemoclaw-blueprint/policies/openclaw-sandbox.yaml do not.
  • Source-of-truth review needed: Generated NVIDIA credential skill examples: The advisor marked localized patch analysis as missing.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: skills/nemoclaw-user-get-started/references/quickstart-details.md, skills/nemoclaw-user-configure-security/references/credential-storage.md, and skills/nemoclaw-user-configure-inference/references/inference-options.md still use NVIDIA_API_KEY while corresponding docs/**/*.mdx sources use NVIDIA_INFERENCE_API_KEY.
  • Messaging providers Vitest still requires the legacy NVIDIA secret (.github/workflows/e2e-vitest-scenarios.yaml:1537): The PR acceptance claim says workflows and E2E scenario fixtures were renamed to the canonical NVIDIA_INFERENCE_API_KEY, but the messaging-providers live Vitest lane still passes the legacy NVIDIA_API_KEY and its test skips unless that legacy variable is present. A repository configured only with the canonical secret can therefore miss this live provider/credential-isolation coverage.
    • Recommendation: Pass NVIDIA_INFERENCE_API_KEY to the messaging-providers Vitest job, update test/e2e-scenario/live/messaging-providers.test.ts to require the canonical env name, and update test/e2e-scenario/live/messaging-providers-helpers.ts to forward NVIDIA_INFERENCE_API_KEY. Keep legacy alias behavior in a focused migration test rather than this canonical live lane.
    • Evidence: .github/workflows/e2e-vitest-scenarios.yaml still sets NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }} for the messaging providers job. test/e2e-scenario/live/messaging-providers.test.ts checks process.env.NVIDIA_API_KEY and skips when it is absent. test/e2e-scenario/live/messaging-providers-helpers.ts forwards NVIDIA_API_KEY into onboarding.
  • Generated policy references still advertise the CI-only NVIDIA endpoint as default (skills/nemoclaw-user-reference/references/network-policies.md:31): The checked-in runtime policy and MDX reference now show the default NVIDIA sandbox policy using only integrate.api.nvidia.com, but generated skill/reference artifacts still list inference-api.nvidia.com as part of the default nvidia policy. This leaves the clause that inference-api.nvidia.com is limited to CI/E2E live validation paths only partially met and can mislead operators or agents about baseline sandbox egress.
    • Recommendation: Regenerate or update both generated skill trees so their network-policy reference matches docs/reference/network-policies.mdx and nemoclaw-blueprint/policies/openclaw-sandbox.yaml, or add an explicit documented exception plus a source-of-truth test proving the difference is intentional.
    • Evidence: docs/reference/network-policies.mdx lists nvidia as integrate.api.nvidia.com:443 and nemoclaw-blueprint/policies/openclaw-sandbox.yaml allows host integrate.api.nvidia.com. skills/nemoclaw-user-reference/references/network-policies.md and .agents/skills/nemoclaw-user-reference/references/network-policies.md still list integrate.api.nvidia.com:443 and inference-api.nvidia.com:443 for the default policy.
  • Generated user-facing skills still teach the legacy NVIDIA credential name (skills/nemoclaw-user-get-started/references/quickstart-details.md:31): The PR makes NVIDIA_INFERENCE_API_KEY the canonical hosted NVIDIA credential in runtime code and MDX docs, but generated user-facing skill artifacts still instruct users and agents to export or enter NVIDIA_API_KEY. If these generated skills are shipped or consumed by agents, the canonical credential migration is incomplete.
    • Recommendation: Regenerate or update generated skills from the updated docs source, or explicitly label remaining NVIDIA_API_KEY mentions as legacy migration documentation. Add generated-artifact parity coverage that fails when user-facing generated skills drift from NVIDIA_INFERENCE_API_KEY.
    • Evidence: skills/nemoclaw-user-get-started/references/quickstart-details.md says export NVIDIA_API_KEY=<your-key> and prompts for NVIDIA_API_KEY. skills/nemoclaw-user-configure-security/references/credential-storage.md and skills/nemoclaw-user-configure-inference/references/inference-options.md also use NVIDIA_API_KEY in hosted-inference examples, while corresponding docs/**/*.mdx sources use NVIDIA_INFERENCE_API_KEY.
  • Secret-free installer steps do not consistently clear the legacy NVIDIA credential alias (.github/workflows/e2e-vitest-scenarios.yaml:1010): The product resolver intentionally maps legacy NVIDIA_API_KEY into canonical NVIDIA_INFERENCE_API_KEY, but changed no-secret OpenShell install/bootstrap steps only unset NVIDIA_INFERENCE_API_KEY. If a runner or caller environment still exports the legacy name, a supposedly secret-free step can hydrate the canonical NVIDIA credential through the compatibility alias.
    • Recommendation: Until the legacy alias is removed, treat NVIDIA_API_KEY as secret-bearing everywhere NVIDIA_INFERENCE_API_KEY is secret-bearing. Unset both names in no-secret install/bootstrap steps and update workflow-boundary support tests to reject secret-free jobs or steps that expose either variable.
    • Evidence: src/lib/credentials/store.ts defines LEGACY_CREDENTIAL_ENV_ALIASES mapping NVIDIA_INFERENCE_API_KEY from NVIDIA_API_KEY. Changed workflow install commands include -u NVIDIA_INFERENCE_API_KEY but not -u NVIDIA_API_KEY. tools/e2e-scenarios/workflow-boundary.mts has uneven canonical/legacy coverage across common and per-job validators.
  • CI-compatible inference endpoint and model are duplicated without a sync guard (.github/workflows/e2e-script.yaml:220): The reusable E2E workflow exports the NVIDIA inference secret as COMPATIBLE_API_KEY and hardcodes the CI-only compatible endpoint/model, while the shell helper independently defines the same endpoint/model/flag behavior. This broadens the credential alias surface and can drift so workflow setup and shell validation disagree.
    • Recommendation: Use a shared source for the CI-compatible endpoint/model constants, or add a contract test comparing .github/workflows/e2e-script.yaml with test/e2e/lib/ci-compatible-inference.sh for endpoint URL, model id, NEMOCLAW_E2E_USE_NVIDIA_SECRET_AS_COMPATIBLE, and COMPATIBLE_API_KEY hydration. Keep this alias limited to explicitly opted-in, secret-bearing jobs.
    • Evidence: .github/workflows/e2e-script.yaml writes NEMOCLAW_ENDPOINT_URL=https://inference-api.nvidia.com/v1, NEMOCLAW_MODEL=nvidia/nvidia/nemotron-3-super-v3, NEMOCLAW_COMPAT_MODEL=nvidia/nvidia/nemotron-3-super-v3, and COMPATIBLE_API_KEY from NVIDIA_INFERENCE_API_KEY. test/e2e/lib/ci-compatible-inference.sh separately defaults the same endpoint/model and copies NVIDIA_INFERENCE_API_KEY into COMPATIBLE_API_KEY when NEMOCLAW_E2E_USE_NVIDIA_SECRET_AS_COMPATIBLE=1.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.
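
One way to express the workflow-boundary rule recommended in the review above, as an added example that is not code from the PR or from tools/e2e-scenarios/workflow-boundary.mts: a secret-free step is rejected when it exposes, or fails to unset, either the canonical name or its legacy alias. The `Step` shape, the function names, the script names and the sample steps are hypothetical; only the two variable names, the alias direction and the `-u` unset form come from the review.

```typescript
// Added example. Step, Finding, the function names and SAMPLE_STEPS are
// hypothetical; only the env var names and the `-u` form come from the review.
interface Step {
  name: string;
  secretFree: boolean;              // true when the step must run without credentials
  env: { [key: string]: string };   // the step's `env:` mapping
  run: string;                      // the step's shell script
}

interface Finding {
  step: string;
  variable: string;
  reason: string;                   // "exposed" or "not-unset"
}

// Canonical name -> legacy aliases that a resolver would still hydrate from.
const CREDENTIAL_ALIASES: { [canonical: string]: string[] } = {
  NVIDIA_INFERENCE_API_KEY: ["NVIDIA_API_KEY"],
};

// Every name in an alias group is secret-bearing, not just the canonical one.
function secretBearingNames(): string[] {
  const names: string[] = [];
  for (const canonical of Object.keys(CREDENTIAL_ALIASES)) {
    names.push(canonical);
    for (const legacy of CREDENTIAL_ALIASES[canonical] || []) names.push(legacy);
  }
  return names;
}

// Collect variable names a script clears via `env -u NAME`, `env --unset=NAME`
// or the shell builtin `unset NAME...`.
function clearedNames(run: string): string[] {
  const cleared: string[] = [];
  const envUnset = /(?:^|\s)(?:-u\s+|--unset=)([A-Za-z_][A-Za-z0-9_]*)/g;
  const shellUnset = /(?:^|[;&\n])\s*unset\s+([^;&\n]+)/g;
  let m: RegExpExecArray | null;
  while ((m = envUnset.exec(run)) !== null) cleared.push(m[1]);
  while ((m = shellUnset.exec(run)) !== null) {
    for (const word of m[1].split(/\s+/)) {
      // Skip flags such as `-v`; keep only valid variable names.
      if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(word)) cleared.push(word);
    }
  }
  return cleared;
}

// A secret-free step must not receive any name in `env:` and must clear all
// of them, because the caller's environment may still export the legacy name.
function checkSecretFreeStep(step: Step): Finding[] {
  const findings: Finding[] = [];
  if (!step.secretFree) return findings;
  const cleared = clearedNames(step.run);
  for (const variable of secretBearingNames()) {
    if (Object.prototype.hasOwnProperty.call(step.env, variable)) {
      findings.push({ step: step.name, variable: variable, reason: "exposed" });
    } else if (cleared.indexOf(variable) === -1) {
      findings.push({ step: step.name, variable: variable, reason: "not-unset" });
    }
  }
  return findings;
}

function auditWorkflow(steps: Step[]): Finding[] {
  let all: Finding[] = [];
  for (const step of steps) all = all.concat(checkSecretFreeStep(step));
  return all;
}

// Constructed sample steps (not taken from the repository's workflows).
const SAMPLE_STEPS: Step[] = [
  { name: "install (canonical only)", secretFree: true, env: {},
    run: "env -u NVIDIA_INFERENCE_API_KEY bash install.sh" },
  { name: "install (both cleared)", secretFree: true, env: {},
    run: "env -u NVIDIA_INFERENCE_API_KEY -u NVIDIA_API_KEY bash install.sh" },
  { name: "bootstrap (legacy exposed)", secretFree: true,
    env: { NVIDIA_API_KEY: "${{ secrets.NVIDIA_API_KEY }}" },
    run: "unset NVIDIA_INFERENCE_API_KEY\nbash bootstrap.sh" },
  { name: "live inference", secretFree: false,
    env: { NVIDIA_INFERENCE_API_KEY: "${{ secrets.NVIDIA_INFERENCE_API_KEY }}" },
    run: "bash run-live.sh" },
];
```

Deriving the name list from the alias map means a future legacy alias is covered by the boundary check without a second edit.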

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 13

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (9)
test/e2e-scenario/manifests/hermes-nvidia-slack.yaml (1)

1-1: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Missing SPDX header across YAML manifests (hermes-nvidia-slack.yaml, openclaw-nvidia-resume.yaml, and openclaw-nvidia-double-same-provider.yaml).

All three changed YAML manifests are missing the required SPDX license header at the top of the file. Please add the SPDX header consistently to each manifest.
As per coding guidelines, all *.yaml files must include SPDX headers.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/manifests/hermes-nvidia-slack.yaml` at line 1, Add the
required SPDX license header to the top of each YAML manifest
(hermes-nvidia-slack.yaml, openclaw-nvidia-resume.yaml,
openclaw-nvidia-double-same-provider.yaml) by inserting the standard single-line
header comment, e.g. "# SPDX-License-Identifier: Apache-2.0", as the very first
line of each file so it precedes any YAML content such as "apiVersion" entries.

Source: Coding guidelines

test/e2e-scenario/manifests/hermes-nvidia.yaml (1)

1-1: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add required SPDX license header.

YAML files must include an SPDX license header. Add the following at the top of the file:

# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

As per coding guidelines, all source files including YAML must include an SPDX license header.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/manifests/hermes-nvidia.yaml` at line 1, Add the required
SPDX header to the very top of hermes-nvidia.yaml (above the existing
apiVersion: nemoclaw.io/v1 line) by inserting the two SPDX lines specified in
the review: the SPDX-FileCopyrightText line for NVIDIA CORPORATION & AFFILIATES
and the SPDX-License-Identifier: Apache-2.0 line so the YAML includes the
mandated license header.

Source: Coding guidelines

test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml (1)

1-1: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add the required SPDX header to this YAML file.

This file is missing the mandatory SPDX license header for YAML sources.

Proposed fix
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
 apiVersion: nemoclaw.io/v1
 kind: NemoClawInstance
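
Review bot: the two added SPDX lines sit directly above `apiVersion: nemoclaw.io/v1` with no blank separator, while the other proposed SPDX fixes in this review add an empty `+` line after the header. Pick one layout and apply it to every manifest so a header check can match a single pattern.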

As per coding guidelines, all *.yaml/*.yml source files must include SPDX headers.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml` at line 1, Add the
mandatory SPDX license header at the top of the YAML file (before the apiVersion
line) to satisfy project policy; update
test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml by inserting the SPDX
header line (e.g., "SPDX-License-Identifier: <LICENSE-ID>") as the first
non-comment line so the file begins with the required SPDX identifier above
apiVersion: nemoclaw.io/v1.

Source: Coding guidelines

test/e2e-scenario/manifests/openclaw-nvidia-brev-launchable.yaml (1)

1-1: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Shared compliance root cause: missing SPDX headers in YAML manifests.
Both test/e2e-scenario/manifests/openclaw-nvidia-brev-launchable.yaml and test/e2e-scenario/manifests/openclaw-nvidia-brave.yaml need SPDX headers to satisfy repository license-header policy for YAML files.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/manifests/openclaw-nvidia-brev-launchable.yaml` at line 1,
Add the required SPDX license header to the top of the YAML manifest(s) that
start with "apiVersion: nemoclaw.io/v1" so they comply with the repository
license-header policy; insert a single-line SPDX tag (e.g.,
"SPDX-License-Identifier: <LICENSE>") or the project's canonical multi-line SPDX
header immediately above the apiVersion line in both manifests that contain
"apiVersion: nemoclaw.io/v1" to satisfy license checks.

Source: Coding guidelines

test/e2e-scenario/manifests/openclaw-nvidia-custom-policies.yaml (1)

1-1: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Missing SPDX license header.

This YAML file is missing the required SPDX license header. As per coding guidelines, all source files matching **/*.{yaml,yml} must include an SPDX license header.

📝 Proposed fix

Add the following header at the top of the file:

+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: nemoclaw.io/v1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/manifests/openclaw-nvidia-custom-policies.yaml` at line 1,
This file is missing the required SPDX license header; add the SPDX header as
the very first lines of the YAML (above the existing "apiVersion:
nemoclaw.io/v1" line) so all files matching **/*.{yaml,yml} include the license
header required by project guidelines; ensure the header is formatted as a YAML
comment (prefixed with #) and placed before any content so tools and linters
detect it.

Source: Coding guidelines

test/e2e-scenario/manifests/openclaw-nvidia-macos.yaml (1)

1-1: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Missing SPDX license header.

This YAML file is missing the required SPDX license header. As per coding guidelines, all source files matching **/*.{yaml,yml} must include an SPDX license header.

📝 Proposed fix

Add the following header at the top of the file:

+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: nemoclaw.io/v1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/manifests/openclaw-nvidia-macos.yaml` at line 1, This file
is missing the required SPDX license header; add a single SPDX header line at
the very top of the YAML (above the existing "apiVersion: nemoclaw.io/v1") using
the project's required identifier (e.g., "SPDX-License-Identifier: Apache-2.0"
or the license specified by project policy) so all YAML files match the SPDX
header requirement.

Source: Coding guidelines

test/e2e-scenario/manifests/openclaw-nvidia-gateway-port-conflict.yaml (1)

1-1: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add the required SPDX header to this YAML source file.

This file is missing the repository-required SPDX license header for source files.

As per coding guidelines, all files matching **/*.{js,ts,tsx,jsx,sh,md,mdx,json,yaml,yml,css,svg} must include the SPDX copyright and license header.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/manifests/openclaw-nvidia-gateway-port-conflict.yaml` at
line 1, Add the repository-required SPDX copyright and license header at the top
of this YAML file (the file whose first line is "apiVersion: nemoclaw.io/v1");
prepend the standard SPDX header used across the repo to the very beginning of
the file so the YAML still starts with the header followed by the existing
apiVersion and content.

Source: Coding guidelines

test/e2e-scenario/manifests/openclaw-nvidia-no-docker-negative.yaml (1)

1-1: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add the required SPDX header to this YAML file.

This manifest is missing the required SPDX license header for YAML source files.

Proposed fix
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: nemoclaw.io/v1
 kind: NemoClawInstance
 metadata:

As per coding guidelines, **/*.{js,ts,tsx,jsx,sh,md,mdx,json,yaml,yml,css,svg} files must include SPDX headers.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/manifests/openclaw-nvidia-no-docker-negative.yaml` at line
1, This YAML manifest is missing the required SPDX license header; add the
project's standard SPDX header as a YAML comment at the very top of the file
(placed before the existing apiVersion: nemoclaw.io/v1 line) using the same
SPDX-License-Identifier value used by other repo YAML files so the file begins
with the SPDX header comment.

Source: Coding guidelines

docs/inference/inference-options.mdx (1)

44-44: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Stale NVIDIA endpoint in provider status table

Line 44 still says hosted models are on integrate.api.nvidia.com, which conflicts with the migrated hosted endpoint and can misdirect users during setup.

Proposed doc fix
-| NVIDIA Endpoints | Tested | OpenAI-compatible | Hosted models on integrate.api.nvidia.com |
+| NVIDIA Endpoints | Tested | OpenAI-compatible | Hosted models on inference-api.nvidia.com |
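
Review bot: the `+` row points the public provider table at inference-api.nvidia.com, which contradicts the PR summary: it keeps https://integrate.api.nvidia.com/v1 as the public/default NVIDIA Endpoints URL and limits inference-api.nvidia.com to CI/E2E live validation paths. Applying this row would put the CI-only host into user-facing docs, so the existing row should stay unless the public endpoint is actually changing.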
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/inference/inference-options.mdx` at line 44, Update the stale NVIDIA
endpoint in the provider status table: locate the row labeled "NVIDIA Endpoints"
in docs/inference/inference-options.mdx (the table cell containing the string
"integrate.api.nvidia.com") and replace that domain with the migrated hosted
endpoint URL used by NVIDIA's hosted models; confirm the entry is accurate and
consistent with the migrated endpoint used elsewhere in the docs and tests.
🧹 Nitpick comments (3)
src/lib/credentials/store.ts (1)

747-748: 📐 Maintainability & Code Quality | 💤 Low value

Redundant process.env assignment.

saveCredential (line 747) already sets process.env.NVIDIA_INFERENCE_API_KEY internally. The explicit assignment on line 748 is redundant.

♻️ Suggested simplification
   saveCredential("NVIDIA_INFERENCE_API_KEY", key);
-  process.env.NVIDIA_INFERENCE_API_KEY = key;
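
Review bot: removing `process.env.NVIDIA_INFERENCE_API_KEY = key;` is only safe while `saveCredential` keeps writing that env var itself, and this hunk does not show that behaviour. Pin the dependency with an assertion on `process.env.NVIDIA_INFERENCE_API_KEY` after the `saveCredential` call in the store tests before dropping the line.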
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/credentials/store.ts` around lines 747 - 748, The explicit assignment
to process.env.NVIDIA_INFERENCE_API_KEY is redundant because saveCredential
already sets that environment variable; remove the duplicate line
"process.env.NVIDIA_INFERENCE_API_KEY = key" and keep the single call to
saveCredential("NVIDIA_INFERENCE_API_KEY", key) (or if you prefer an explicit
env write, ensure saveCredential does not also set process.env to avoid
duplication) so only one place updates the environment variable.
src/lib/inference/health.test.ts (1)

250-274: 📐 Maintainability & Code Quality | ⚡ Quick win

Add a legacy-alias coverage case for credential lookup.

Given migration support for NVIDIA_API_KEY, add a focused test asserting Kimi probe behavior when only the legacy alias is available, to prevent regressions in the compatibility path.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/inference/health.test.ts` around lines 250 - 274, Add a new unit test
alongside the existing Kimi credential test that verifies the legacy alias
lookup (NVIDIA_API_KEY) is honored: call
probeRemoteProviderHealth("nvidia-prod", ...) with model "moonshotai/kimi-k2.6",
a getCredentialImpl stub that returns a credential only for the legacy name
"NVIDIA_API_KEY" (and null for other names), and a runCurlProbeImpl that should
not be invoked; then assert the probe result indicates no network probe was
performed (probed false), result.ok true, endpoint equals BUILD_ENDPOINT_URL +
"/chat/completions", and result.detail contains both "NVIDIA_INFERENCE_API_KEY"
and a note about "provider-level /models" to ensure the compatibility path is
covered.
test/ollama-proxy-recovery.test.ts (1)

170-170: 🔒 Security & Privacy | ⚡ Quick win

Keep legacy alias leak coverage in this proxy-env assertion.

The migration keeps NVIDIA_API_KEY as a legacy alias, but this test now only asserts scrubbing of NVIDIA_INFERENCE_API_KEY. Add a legacy alias injection + assertion here too, so leakage regressions on legacy env setups are still caught.

Suggested test hardening
       env: {
         ...process.env,
         HTTP_PROXY: "http://proxy.invalid:8888",
         HOME: tmpDir,
         NVIDIA_INFERENCE_API_KEY: "must-not-leak",
+        NVIDIA_API_KEY: "must-not-leak-legacy",
         NO_PROXY: "",
       },
     });
@@
     assert.equal(payload.proxySpawns.length, 0);
     assert.equal(payload.curlEnv.NVIDIA_INFERENCE_API_KEY, undefined);
+    assert.equal(payload.curlEnv.NVIDIA_API_KEY, undefined);
     assert.equal(payload.curlEnv.HTTP_PROXY, "http://proxy.invalid:8888");
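
Review bot: the two `undefined` assertions only prove that the keys `NVIDIA_INFERENCE_API_KEY` and `NVIDIA_API_KEY` are absent from `payload.curlEnv`; they would still pass if a sentinel value were copied into the curl environment under a different name. Add a check that neither "must-not-leak" nor "must-not-leak-legacy" appears among the values of `payload.curlEnv`, which is what the distinct sentinels make possible.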

Also applies to: 181-181

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/ollama-proxy-recovery.test.ts` at line 170, Add the legacy alias
injection and assertion: when the test injects NVIDIA_INFERENCE_API_KEY:
"must-not-leak" into the proxy env, also inject NVIDIA_API_KEY: "must-not-leak"
and extend the existing scrubbed-environment assertion (the same assertion that
checks NVIDIA_INFERENCE_API_KEY is removed) to assert that NVIDIA_API_KEY is
also scrubbed from the proxied response; apply this addition at both locations
where NVIDIA_INFERENCE_API_KEY is set in the test.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/network-policy/approve-network-requests.mdx`:
- Line 67: Split the single line containing "The walkthrough requires tmux and
the `NVIDIA_INFERENCE_API_KEY` environment variable, and it assumes an existing
sandbox to attach to." into two sentences, placing each sentence on its own
line: one line stating the tmux and NVIDIA_INFERENCE_API_KEY requirement, and
the next line stating the assumption about an existing sandbox to attach to;
ensure line breaks are literal (one sentence per line) to follow the
one-sentence-per-line documentation guideline.

In `@nemoclaw/src/index.ts`:
- Around line 286-288: The ternary that sets the label based on
providerCredentialEnv mislabels the legacy NVIDIA alias; update the condition in
that expression (the code using providerCredentialEnv) to treat both
"NVIDIA_INFERENCE_API_KEY" and the legacy "NVIDIA_API_KEY" as NVIDIA keys (e.g.,
check providerCredentialEnv === "NVIDIA_INFERENCE_API_KEY" ||
providerCredentialEnv === "NVIDIA_API_KEY") so the label becomes "NVIDIA API Key
(…)" for either value, otherwise fall back to the OpenAI label.

In `@scripts/nemoclaw-start.sh`:
- Around line 1703-1704: The startup script currently returns early if
NVIDIA_INFERENCE_API_KEY is unset, skipping write_auth_profile; update the check
so it preserves legacy NVIDIA_API_KEY by treating NVIDIA_API_KEY as a valid
fallback before returning or before calling write_auth_profile (i.e., if
NVIDIA_INFERENCE_API_KEY is empty but NVIDIA_API_KEY is set, use that value for
the auth profile generation), and ensure write_auth_profile uses the resolved
key variable; reference the conditional around NVIDIA_INFERENCE_API_KEY and the
write_auth_profile invocation to implement the fallback logic.

In `@src/lib/diagnostics/debug.test.ts`:
- Around line 20-22: The test description expects to validate redaction of
"NVIDIA_INFERENCE_API_KEY" but the test builds "NVIDIA_API_KEY"; update the test
to construct or use the correct canonical key ("NVIDIA_INFERENCE_API_KEY") so
the assertion against redact(...) checks the renamed key; locate the spec in
src/lib/diagnostics/debug.test.ts (the it block that calls redact) and change
the key variable or literal to include "INFERENCE" (e.g.,
["NVIDIA","INFERENCE","API","KEY"].join("_") or the string
"NVIDIA_INFERENCE_API_KEY") and keep the expectation toBe(`${key}=<REDACTED>`).

In `@src/lib/inference/nim.ts`:
- Around line 824-830: The ngcApiKey resolver currently omits the legacy
environment name; update the ngcApiKey assignment (the const ngcApiKey and its
resolution chain that references opts.ngcApiKey, process.env.NGC_API_KEY, and
process.env.NVIDIA_INFERENCE_API_KEY) to also include process.env.NVIDIA_API_KEY
as a fallback before or alongside process.env.NVIDIA_INFERENCE_API_KEY so legacy
NVIDIA_API_KEY users continue to authenticate; ensure the precedence remains:
explicit opts.ngcApiKey, then NGC_API_KEY, then NVIDIA_API_KEY (legacy), then
NVIDIA_INFERENCE_API_KEY, and finally default to an empty string.

In `@src/lib/onboard.ts`:
- Around line 3649-3656: The code uses getCredential(...) to decide whether to
let NEMOCLAW_PROVIDER_KEY fill NVIDIA_INFERENCE_API_KEY, which allows stored
credentials to block an explicit environment override; change the gate to only
consider raw environment variables so exported NEMOCLAW_PROVIDER_KEY can
override stored creds. Specifically, in the block that computes _nvProviderKey
and existingNvidiaKey, replace the getCredential(...) checks with direct checks
of process.env.NVIDIA_INFERENCE_API_KEY and process.env.NVIDIA_API_KEY
(trimmed/empty), and only set process.env.NVIDIA_INFERENCE_API_KEY =
_nvProviderKey when those raw env vars are absent.

In `@test/e2e/test-hermes-discord-e2e.sh`:
- Around line 604-607: Phase 8 currently only backs up and unsets
NVIDIA_INFERENCE_API_KEY (NVIDIA_INFERENCE_API_KEY_BACKUP /
NVIDIA_INFERENCE_API_KEY) but must also handle the legacy alias NVIDIA_API_KEY;
update the rebuild credential-isolation step to similarly back up NVIDIA_API_KEY
(e.g., NVIDIA_API_KEY_BACKUP="${NVIDIA_API_KEY:-}"), unset NVIDIA_API_KEY before
the test assertion so the gateway must provide the credential, and ensure both
NVIDIA_INFERENCE_API_KEY and NVIDIA_API_KEY are restored from their backups at
the end of the step.

In `@test/e2e/test-hermes-e2e.sh`:
- Around line 206-210: The reachability probe uses an unauthenticated curl which
treats a 401 as failure; update the check to use the NVIDIA_INFERENCE_API_KEY by
adding an Authorization header (e.g. "Authorization: Bearer
${NVIDIA_INFERENCE_API_KEY}") to the curl invocation and ensure the script
verifies NVIDIA_INFERENCE_API_KEY is non-empty before the probe; keep using the
same pass/fail handlers (pass, fail) and preserve --max-time/quiet flags so the
probe reports true network connectivity rather than unauthenticated 401s.

In `@test/e2e/test-kimi-inference-compat.sh`:
- Around line 397-398: The unset list in the test script leaves the legacy
NVIDIA_API_KEY variable intact, which can leak credentials; update the unset
commands (the block that currently unsets NVIDIA_INFERENCE_API_KEY
OPENAI_API_KEY ANTHROPIC_API_KEY GEMINI_API_KEY and the block that unsets
TELEGRAM_BOT_TOKEN DISCORD_BOT_TOKEN SLACK_BOT_TOKEN SLACK_APP_TOKEN) to also
include NVIDIA_API_KEY so the legacy alias is cleared before onboarding.

In `@test/e2e/test-messaging-providers.sh`:
- Around line 636-640: The check currently hard-fails when the
NVIDIA_INFERENCE_API_KEY env var is empty; change the guard in the script so it
first prefers NVIDIA_INFERENCE_API_KEY but falls back to the legacy
NVIDIA_API_KEY before calling fail. Update the conditional around the check that
calls fail/pass (the block referencing NVIDIA_INFERENCE_API_KEY, NVIDIA_API_KEY,
fail, and pass) to test for ${NVIDIA_INFERENCE_API_KEY:-${NVIDIA_API_KEY:-}} and
only call fail if both are empty, and ensure pass prints when either value is
present.

In `@test/no-direct-credential-env.test.ts`:
- Around line 20-23: Add back explicit legacy NVIDIA key tests: in the test case
arrays that currently include 'process.env.NVIDIA_INFERENCE_API_KEY = "test";'
and "process.env.OPENAI_API_KEY = value;", add one write-allowed test string
'process.env.NVIDIA_API_KEY = "test";' and one flag-read test that references
the legacy env var (e.g. a read/usage case containing
'process.env.NVIDIA_API_KEY') so the suite continues to assert legacy alias
support alongside NVIDIA_INFERENCE_API_KEY and OPENAI_API_KEY.

In `@test/onboard-selection-vllm.test.ts`:
- Line 426: Tests currently only clear process.env.NVIDIA_INFERENCE_API_KEY
which lets the legacy alias process.env.NVIDIA_API_KEY leak state; update the
teardown/setup in the test to clear both environment names (e.g., delete
process.env.NVIDIA_INFERENCE_API_KEY and delete process.env.NVIDIA_API_KEY or
assign undefined/"" for both) so the test is hermetic and cannot be influenced
by the legacy variable.

In `@test/rebuild-credential-hydration.test.ts`:
- Around line 111-115: The test removed legacy NVIDIA alias coverage by only
asserting canonical "NVIDIA_INFERENCE_API_KEY" in the "NVIDIA Endpoints" test
case; restore explicit legacy-key assertions by adding parallel test entries
that use the legacy env name "NVIDIA_API_KEY" (same value "nvapi-test-hydrate")
so the migration behavior is still validated—update the test data used by
rebuild-credential-hydration.test.ts (and mirror the same change in
no-direct-credential-env.test.ts) ensuring the cases reference the "NVIDIA
Endpoints" case name or its test data object and include both credentialEnv:
"NVIDIA_INFERENCE_API_KEY" and credentialEnv: "NVIDIA_API_KEY".

---

Outside diff comments:
In `@docs/inference/inference-options.mdx`:
- Line 44: Update the stale NVIDIA endpoint in the provider status table: locate
the row labeled "NVIDIA Endpoints" in docs/inference/inference-options.mdx (the
table cell containing the string "integrate.api.nvidia.com") and replace that
domain with the migrated hosted endpoint URL used by NVIDIA's hosted models;
confirm the entry is accurate and consistent with the migrated endpoint used
elsewhere in the docs and tests.

In `@test/e2e-scenario/manifests/hermes-nvidia-slack.yaml`:
- Line 1: Add the required SPDX license header to the top of each YAML manifest
(hermes-nvidia-slack.yaml, openclaw-nvidia-resume.yaml,
openclaw-nvidia-double-same-provider.yaml) by inserting the standard single-line
header comment, e.g. "# SPDX-License-Identifier: Apache-2.0", as the very first
line of each file so it precedes any YAML content such as "apiVersion" entries.

In `@test/e2e-scenario/manifests/hermes-nvidia.yaml`:
- Line 1: Add the required SPDX header to the very top of hermes-nvidia.yaml
(above the existing apiVersion: nemoclaw.io/v1 line) by inserting the two SPDX
lines specified in the review: the SPDX-FileCopyrightText line for NVIDIA
CORPORATION & AFFILIATES and the SPDX-License-Identifier: Apache-2.0 line so the
YAML includes the mandated license header.

In `@test/e2e-scenario/manifests/openclaw-nvidia-brev-launchable.yaml`:
- Line 1: Add the required SPDX license header to the top of the YAML
manifest(s) that start with "apiVersion: nemoclaw.io/v1" so they comply with the
repository license-header policy; insert a single-line SPDX tag (e.g.,
"SPDX-License-Identifier: <LICENSE>") or the project's canonical multi-line SPDX
header immediately above the apiVersion line in both manifests that contain
"apiVersion: nemoclaw.io/v1" to satisfy license checks.

In `@test/e2e-scenario/manifests/openclaw-nvidia-custom-policies.yaml`:
- Line 1: This file is missing the required SPDX license header; add the SPDX
header as the very first lines of the YAML (above the existing "apiVersion:
nemoclaw.io/v1" line) so all files matching **/*.{yaml,yml} include the license
header required by project guidelines; ensure the header is formatted as a YAML
comment (prefixed with #) and placed before any content so tools and linters
detect it.

In `@test/e2e-scenario/manifests/openclaw-nvidia-gateway-port-conflict.yaml`:
- Line 1: Add the repository-required SPDX copyright and license header at the
top of this YAML file (the file whose first line is "apiVersion:
nemoclaw.io/v1"); prepend the standard SPDX header used across the repo to the
very beginning of the file so the YAML still starts with the header followed by
the existing apiVersion and content.

In `@test/e2e-scenario/manifests/openclaw-nvidia-macos.yaml`:
- Line 1: This file is missing the required SPDX license header; add a single
SPDX header line at the very top of the YAML (above the existing "apiVersion:
nemoclaw.io/v1") using the project's required identifier (e.g.,
"SPDX-License-Identifier: Apache-2.0" or the license specified by project
policy) so all YAML files match the SPDX header requirement.

In `@test/e2e-scenario/manifests/openclaw-nvidia-no-docker-negative.yaml`:
- Line 1: This YAML manifest is missing the required SPDX license header; add
the project's standard SPDX header as a YAML comment at the very top of the file
(placed before the existing apiVersion: nemoclaw.io/v1 line) using the same
SPDX-License-Identifier value used by other repo YAML files so the file begins
with the SPDX header comment.

In `@test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml`:
- Line 1: Add the mandatory SPDX license header at the top of the YAML file
(before the apiVersion line) to satisfy project policy; update
test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml by inserting the SPDX
header line (e.g., "SPDX-License-Identifier: <LICENSE-ID>") as the first
non-comment line so the file begins with the required SPDX identifier above
apiVersion: nemoclaw.io/v1.

---

Nitpick comments:
In `@src/lib/credentials/store.ts`:
- Around line 747-748: The explicit assignment to
process.env.NVIDIA_INFERENCE_API_KEY is redundant because saveCredential already
sets that environment variable; remove the duplicate line
"process.env.NVIDIA_INFERENCE_API_KEY = key" and keep the single call to
saveCredential("NVIDIA_INFERENCE_API_KEY", key) (or if you prefer an explicit
env write, ensure saveCredential does not also set process.env to avoid
duplication) so only one place updates the environment variable.

In `@src/lib/inference/health.test.ts`:
- Around line 250-274: Add a new unit test alongside the existing Kimi
credential test that verifies the legacy alias lookup (NVIDIA_API_KEY) is
honored: call probeRemoteProviderHealth("nvidia-prod", ...) with model
"moonshotai/kimi-k2.6", a getCredentialImpl stub that returns a credential only
for the legacy name "NVIDIA_API_KEY" (and null for other names), and a
runCurlProbeImpl that should not be invoked; then assert the probe result
indicates no network probe was performed (probed false), result.ok true,
endpoint equals BUILD_ENDPOINT_URL + "/chat/completions", and result.detail
contains both "NVIDIA_INFERENCE_API_KEY" and a note about "provider-level
/models" to ensure the compatibility path is covered.

In `@test/ollama-proxy-recovery.test.ts`:
- Line 170: Add the legacy alias injection and assertion: when the test injects
NVIDIA_INFERENCE_API_KEY: "must-not-leak" into the proxy env, also inject
NVIDIA_API_KEY: "must-not-leak" and extend the existing scrubbed-environment
assertion (the same assertion that checks NVIDIA_INFERENCE_API_KEY is removed)
to assert that NVIDIA_API_KEY is also scrubbed from the proxied response; apply
this addition at both locations where NVIDIA_INFERENCE_API_KEY is set in the
test.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 039fc6a9-ea08-401d-9a2e-0fe1f2bd1ea1

📥 Commits

Reviewing files that changed from the base of the PR and between d284022 and 81512ef.

📒 Files selected for processing (234)
  • .github/workflows/brev-nightly-e2e.yaml
  • .github/workflows/e2e-branch-validation.yaml
  • .github/workflows/e2e-script.yaml
  • .github/workflows/e2e-vitest-scenarios.yaml
  • .github/workflows/macos-e2e.yaml
  • .github/workflows/nightly-e2e.yaml
  • .github/workflows/regression-e2e.yaml
  • .github/workflows/wsl-e2e.yaml
  • agents/hermes/policy-additions.yaml
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/_components/StarterPromptButton.tsx
  • docs/about/release-notes.mdx
  • docs/get-started/quickstart-hermes.mdx
  • docs/get-started/quickstart.mdx
  • docs/inference/inference-options.mdx
  • docs/network-policy/approve-network-requests.mdx
  • docs/reference/network-policies.mdx
  • docs/reference/troubleshooting.mdx
  • docs/security/best-practices.mdx
  • docs/security/credential-storage.mdx
  • nemoclaw-blueprint/blueprint.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • nemoclaw-blueprint/router/pool-config.yaml
  • nemoclaw-blueprint/scripts/nemotron-inference-fix.js
  • nemoclaw/src/banner.test.ts
  • nemoclaw/src/blueprint/runner.test.ts
  • nemoclaw/src/blueprint/ssrf.test.ts
  • nemoclaw/src/commands/config-show.test.ts
  • nemoclaw/src/commands/slash.test.ts
  • nemoclaw/src/index.ts
  • nemoclaw/src/lib/subprocess-env.ts
  • nemoclaw/src/onboard/config.test.ts
  • nemoclaw/src/register.test.ts
  • nemoclaw/src/security/secret-scanner.test.ts
  • scripts/checks/direct-credential-env.ts
  • scripts/install.sh
  • scripts/nemoclaw-start.sh
  • scripts/smoke-macos-install.sh
  • scripts/validate-configs.ts
  • scripts/walkthrough.sh
  • src/commands/sandbox/config/rotate-token.ts
  • src/lib/actions/dev/npm-link-or-shim.test.ts
  • src/lib/actions/sandbox/status.test.ts
  • src/lib/credentials/store.ts
  • src/lib/deploy/index.test.ts
  • src/lib/deploy/index.ts
  • src/lib/diagnostics/debug.test.ts
  • src/lib/diagnostics/debug.ts
  • src/lib/inference/health.test.ts
  • src/lib/inference/health.ts
  • src/lib/inference/model-prompts.test.ts
  • src/lib/inference/model-prompts.ts
  • src/lib/inference/nim.test.ts
  • src/lib/inference/nim.ts
  • src/lib/inference/onboard-probes.test.ts
  • src/lib/inference/provider-models.ts
  • src/lib/messaging-channel-config.test.ts
  • src/lib/onboard.ts
  • src/lib/onboard/bridge-dns-preflight.ts
  • src/lib/onboard/docker-gpu-patch.test.ts
  • src/lib/onboard/host-dns-preflight.test.ts
  • src/lib/onboard/initial-policy.test.ts
  • src/lib/onboard/machine/core-flow-phases.test.ts
  • src/lib/onboard/machine/flow-phases/provider-sandbox.test.ts
  • src/lib/onboard/machine/handlers/finalization.test.ts
  • src/lib/onboard/machine/handlers/policies.test.ts
  • src/lib/onboard/machine/handlers/provider-inference.test.ts
  • src/lib/onboard/machine/runtime.test.ts
  • src/lib/onboard/missing-credential-hints.ts
  • src/lib/onboard/model-router.ts
  • src/lib/onboard/preflight.ts
  • src/lib/onboard/providers.test.ts
  • src/lib/onboard/providers.ts
  • src/lib/onboard/routed-inference.test.ts
  • src/lib/onboard/routed-inference.ts
  • src/lib/onboard/summary.test.ts
  • src/lib/onboard/validation-recovery-prompt.ts
  • src/lib/security/credential-filter.test.ts
  • src/lib/security/redact.test.ts
  • src/lib/security/redact.ts
  • src/lib/state/onboard-session.test.ts
  • src/lib/state/onboard-step-mutation.test.ts
  • src/lib/subprocess-env.ts
  • src/lib/trace.test.ts
  • src/lib/validation.test.ts
  • src/lib/validation.ts
  • test/canonical-credential-resolution.test.ts
  • test/check-env-var-docs.test.ts
  • test/cli/dispatch-basics.test.ts
  • test/config-set-nested-ssrf.test.ts
  • test/credential-exposure.test.ts
  • test/credentials-cli-command.test.ts
  • test/credentials-shim.test.ts
  • test/credentials.test.ts
  • test/e2e-runtime/4851-ultra-toolless-validation.md
  • test/e2e-scenario/fixtures/phases/onboarding.ts
  • test/e2e-scenario/live/credential-migration.test.ts
  • test/e2e-scenario/live/credential-sanitization.test.ts
  • test/e2e-scenario/live/gateway-guard-recovery.test.ts
  • test/e2e-scenario/live/hermes-e2e.test.ts
  • test/e2e-scenario/live/inference-routing.test.ts
  • test/e2e-scenario/live/issue-4434-tui-unreachable-inference.test.ts
  • test/e2e-scenario/live/launchable-smoke.test.ts
  • test/e2e-scenario/live/model-router-provider-routed-inference.test.ts
  • test/e2e-scenario/live/network-policy.test.ts
  • test/e2e-scenario/live/onboard-negative-paths.test.ts
  • test/e2e-scenario/live/onboard-resume.test.ts
  • test/e2e-scenario/live/openclaw-tui-chat-correlation.test.ts
  • test/e2e-scenario/live/rebuild-openclaw.test.ts
  • test/e2e-scenario/live/sandbox-operations.test.ts
  • test/e2e-scenario/live/sandbox-rebuild.test.ts
  • test/e2e-scenario/live/sandbox-survival.test.ts
  • test/e2e-scenario/live/shields-config.test.ts
  • test/e2e-scenario/live/skill-agent.test.ts
  • test/e2e-scenario/live/token-rotation.test.ts
  • test/e2e-scenario/live/whatsapp-qr-compact.test.ts
  • test/e2e-scenario/manifests/hermes-nvidia-discord.yaml
  • test/e2e-scenario/manifests/hermes-nvidia-slack.yaml
  • test/e2e-scenario/manifests/hermes-nvidia.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-brave.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-brev-launchable.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-custom-policies.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-discord.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-double-provider-switch.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-double-same-provider.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-gateway-port-conflict.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-invalid-key.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-macos.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-no-docker-negative.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-post-reboot-recovery.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-rebuild.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-repair.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-resume.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-slack.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-telegram.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-token-rotation.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia-wsl.yaml
  • test/e2e-scenario/manifests/openclaw-nvidia.yaml
  • test/e2e-scenario/scenarios/scenarios/baseline.ts
  • test/e2e-scenario/scenarios/types.ts
  • test/e2e-scenario/support-tests/docker-probe.test.ts
  • test/e2e-scenario/support-tests/e2e-fixture-context.test.ts
  • test/e2e-scenario/support-tests/e2e-manifests.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-environment.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-onboarding.test.ts
  • test/e2e-scenario/support-tests/e2e-phase-state-validation.test.ts
  • test/e2e-scenario/support-tests/e2e-scenario-matrix.test.ts
  • test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
  • test/e2e-scenario/support-tests/network-policy-transient-provider.test.ts
  • test/e2e-script-workflow.test.ts
  • test/e2e/brev-e2e.test.ts
  • test/e2e/e2e-cloud-experimental/expect-interactive-install.sh
  • test/e2e/e2e-cloud-experimental/features/skill/add-sandbox-skill.sh
  • test/e2e/e2e-cloud-experimental/features/skill/verify-sandbox-skill-via-agent.sh
  • test/e2e/e2e-cloud-experimental/test-port8080-conflict.sh
  • test/e2e/test-agent-turn-latency-e2e.sh
  • test/e2e/test-bedrock-runtime-compatible-anthropic.sh
  • test/e2e/test-brave-search-e2e.sh
  • test/e2e/test-channels-add-remove.sh
  • test/e2e/test-channels-stop-start.sh
  • test/e2e/test-cloud-inference-e2e.sh
  • test/e2e/test-cloud-onboard-e2e.sh
  • test/e2e/test-common-egress-agent-e2e.sh
  • test/e2e/test-credential-migration.sh
  • test/e2e/test-credential-sanitization.sh
  • test/e2e/test-cron-preflight-inference-local-e2e.sh
  • test/e2e/test-device-auth-health.sh
  • test/e2e/test-diagnostics.sh
  • test/e2e/test-double-onboard.sh
  • test/e2e/test-full-e2e.sh
  • test/e2e/test-hermes-discord-e2e.sh
  • test/e2e/test-hermes-e2e.sh
  • test/e2e/test-hermes-inference-switch.sh
  • test/e2e/test-hermes-slack-e2e.sh
  • test/e2e/test-inference-routing.sh
  • test/e2e/test-issue-2478-crash-loop-recovery.sh
  • test/e2e/test-issue-4434-tui-unreachable-inference.sh
  • test/e2e/test-issue-4462-scope-upgrade-approval.sh
  • test/e2e/test-kimi-inference-compat.sh
  • test/e2e/test-launchable-smoke.sh
  • test/e2e/test-messaging-providers.sh
  • test/e2e/test-model-router-provider-routed-inference.sh
  • test/e2e/test-network-policy.sh
  • test/e2e/test-onboard-negative-paths.sh
  • test/e2e/test-onboard-repair.sh
  • test/e2e/test-onboard-resume.sh
  • test/e2e/test-openclaw-discord-pairing.sh
  • test/e2e/test-openclaw-inference-switch.sh
  • test/e2e/test-openclaw-plugin-runtime-exdev.sh
  • test/e2e/test-openclaw-skill-cli-e2e.sh
  • test/e2e/test-openclaw-slack-pairing.sh
  • test/e2e/test-overlayfs-autofix.sh
  • test/e2e/test-rebuild-hermes.sh
  • test/e2e/test-rebuild-openclaw.sh
  • test/e2e/test-sandbox-operations.sh
  • test/e2e/test-sandbox-rebuild.sh
  • test/e2e/test-sandbox-survival.sh
  • test/e2e/test-sessions-agents-cli.sh
  • test/e2e/test-shields-config.sh
  • test/e2e/test-skill-agent-e2e.sh
  • test/e2e/test-snapshot-commands.sh
  • test/e2e/test-state-backup-restore.sh
  • test/e2e/test-telegram-injection.sh
  • test/e2e/test-token-rotation.sh
  • test/e2e/test-tunnel-lifecycle.sh
  • test/e2e/test-upgrade-stale-sandbox.sh
  • test/gateway-state-reconcile-2276.test.ts
  • test/generate-openclaw-config.test.ts
  • test/helpers/onboard-final-flow-phases.ts
  • test/host-artifact-cleanup.test.ts
  • test/nemoclaw-start.test.ts
  • test/nemotron-inference-fix.test.ts
  • test/no-direct-credential-env.test.ts
  • test/ollama-proxy-recovery.test.ts
  • test/onboard-messaging.test.ts
  • test/onboard-model-router.test.ts
  • test/onboard-selection-vllm.test.ts
  • test/onboard-selection.test.ts
  • test/onboard.test.ts
  • test/openclaw-config-snapshot.test.ts
  • test/rebuild-credential-hydration.test.ts
  • test/rebuild-credential-preflight.test.ts
  • test/rebuild-shields-auto-unlock.test.ts
  • test/rebuild-stale-recovery.test.ts
  • test/regression-e2e-workflow.test.ts
  • test/runner.test.ts
  • test/secret-redaction.test.ts
  • test/smoke-macos-install.test.ts
  • test/validate-blueprint.test.ts
  • test/validate-config-schemas.test.ts
  • test/validate-configs-dangerous-hosts.test.ts
  • tools/e2e-scenarios/workflow-boundary.mts
💤 Files with no reviewable changes (5)
  • agents/openclaw/policy-permissive.yaml
  • agents/hermes/policy-permissive.yaml
  • agents/hermes/policy-additions.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml

Comment thread docs/network-policy/approve-network-requests.mdx Outdated
Comment thread nemoclaw/src/index.ts Outdated
Comment thread scripts/nemoclaw-start.sh
Comment thread src/lib/diagnostics/debug.test.ts
Comment thread src/lib/inference/nim.ts Outdated
Comment thread test/e2e/test-kimi-inference-compat.sh Outdated
Comment thread test/e2e/test-messaging-providers.sh
Comment thread test/no-direct-credential-env.test.ts
Comment thread test/onboard-selection-vllm.test.ts
Comment thread test/rebuild-credential-hydration.test.ts
@cv cv changed the title fix(inference): use NVIDIA inference endpoint fix(inference): use NVIDIA inference credential env Jun 12, 2026
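
The legacy-alias handling that the review comments above keep returning to (fall back from the canonical name to the legacy one, clear both names for hermetic tests and subprocesses, redact both), as an added example that is not part of the PR or the project's code. The function names, the canonical-first order, and the sample values are assumptions.

```typescript
// Added example; every function and constant name here is hypothetical.
type Env = Record<string, string | undefined>;

// Canonical name first, then legacy aliases (assumed order of preference).
const NVIDIA_CREDENTIAL_NAMES: readonly string[] = [
  "NVIDIA_INFERENCE_API_KEY",
  "NVIDIA_API_KEY", // legacy alias kept during migration
];

interface ResolvedCredential {
  value: string;
  source: string; // env name that supplied the value
  legacy: boolean; // true when a legacy alias was used
}

// Return the first non-blank value in preference order.
// Whitespace-only values count as unset so they cannot shadow a real key.
function resolveCredential(
  env: Env,
  names: readonly string[] = NVIDIA_CREDENTIAL_NAMES,
): ResolvedCredential | null {
  for (const name of names) {
    const raw = env[name];
    const value = typeof raw === "string" ? raw.trim() : "";
    if (value !== "") {
      return { value, source: name, legacy: name !== names[0] };
    }
  }
  return null;
}

// Copy of env with the canonical name AND every alias removed.
// Clearing only the canonical name lets the legacy one leak into
// tests or child processes.
function scrubCredentialEnv(
  env: Env,
  names: readonly string[] = NVIDIA_CREDENTIAL_NAMES,
): Env {
  const out: Env = {};
  for (const key of Object.keys(env)) {
    if (names.indexOf(key) === -1) {
      out[key] = env[key];
    }
  }
  return out;
}

// Replace KEY=value (bare, single-quoted or double-quoted) with
// KEY=<REDACTED> for every known name. Names contain only [A-Z_],
// so they are safe to embed in the pattern without escaping.
function redactCredentialAssignments(
  text: string,
  names: readonly string[] = NVIDIA_CREDENTIAL_NAMES,
): string {
  let out = text;
  for (const name of names) {
    const pattern = new RegExp(`\\b${name}=(?:"[^"]*"|'[^']*'|\\S+)`, "g");
    out = out.replace(pattern, `${name}=<REDACTED>`);
  }
  return out;
}

// Constructed sample: a host that still exports only the legacy name.
const SAMPLE_ENV: Env = {
  PATH: "/usr/bin",
  NVIDIA_API_KEY: "nvapi-constructed-legacy-value",
};

function demo(): { source: string | null; scrubbedKeys: string[]; log: string } {
  const resolved = resolveCredential(SAMPLE_ENV);
  return {
    source: resolved ? resolved.source : null,
    scrubbedKeys: Object.keys(scrubCredentialEnv(SAMPLE_ENV)),
    log: redactCredentialAssignments(
      "spawn env: NVIDIA_API_KEY=nvapi-constructed-legacy-value PATH=/usr/bin",
    ),
  };
}
```
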

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
agents/hermes/policy-additions.yaml (1)

62-62: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Inconsistent Python binary restrictions between network policies.

The managed_inference policy (line 62) tightens the Python binary allowlist to the specific /usr/bin/python3.11, but the nvidia policy (line 80) retains the wildcard /usr/bin/python3*. This creates an inconsistency within the same file.

If the Python version is being tightened for security or compatibility reasons, both policies should be updated consistently. If there's a specific reason managed_inference requires Python 3.11 but nvidia can work with any 3.x version, that rationale should be documented.

Additionally, this Python version tightening is not mentioned in the PR summary, suggesting possible scope creep beyond the credential/endpoint rename.

As per coding guidelines, changes that tighten the python runtime path may require corresponding updates in this file. The current state leaves an unexplained discrepancy between the two policies.

Also applies to: 80-80

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/hermes/policy-additions.yaml` at line 62, The managed_inference policy
currently restricts the Python binary to /usr/bin/python3.11 while the nvidia
policy still allows /usr/bin/python3*; make these policies consistent by
choosing one allowlist format and applying it to both policy blocks (update the
list entry in the managed_inference and nvidia policy definitions to the same
path), or if they must differ, add a comment in the file and a note in the PR
summary explaining why managed_inference requires Python 3.11 while nvidia
accepts any 3.x binary; ensure the change is applied to the Python binary
entries in both policy definitions (managed_inference, nvidia) and update
documentation/PR description accordingly.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@nemoclaw/src/blueprint/runner.test.ts`:
- Around line 667-670: In the blueprint runner tests the NVIDIA endpoint host
string used in policy additions is incorrect; update every policy addition that
sets host: "integrate.api.nvidia.com" to host: "inference-api.nvidia.com" so the
tests validate the intended runtime target (search for the test blocks that
create policies with a host property, e.g., the policy addition objects in
runner.test.ts around the policy-add/test helper code referenced at the shown
diffs and the other occurrences noted).

In `@nemoclaw/src/commands/config-show.test.ts`:
- Line 39: Update the test fixtures' endpointUrl value from
"https://integrate.api.nvidia.com/v1" to the intended
"https://inference-api.nvidia.com" (adjust path suffix if needed) in the config
fixtures checked by the tests (look for the endpointUrl property in the config
fixture objects inside nemoclaw/src/commands/config-show.test.ts and the other
listed test fixtures), and apply the same replacement for all other occurrences
noted in the comment so the fixtures match the PR intent.

In `@src/lib/inference/model-prompts.test.ts`:
- Line 57: Update the hardcoded NVIDIA endpoint URL in the test error messages
to match the PR intent: replace occurrences of
"https://integrate.api.nvidia.com/v1/models" with the correct
"https://inference-api.nvidia.com/v1/models" in the test assertions inside
src/lib/inference/model-prompts.test.ts (look for the message template using
Model '${model}' is not available from NVIDIA Endpoints and any other similar
message strings around the same test block, including the second occurrence
referenced near the other assertion).

In `@src/lib/onboard/machine/handlers/provider-inference.test.ts`:
- Line 20: The PR summary is reversed relative to the code changes: update the
PR summary to reflect that the NVIDIA inference endpoint is being switched to
https://integrate.api.nvidia.com/v1 (not from it), and ensure the summary
explicitly lists the affected files (e.g., provider-inference.test.ts,
model-prompts.test.ts, config-show.test.ts, openclaw-sandbox.yaml,
runner.test.ts, providers.test.ts, agents/hermes/policy-additions.yaml,
policy-additions.yaml) and the corrected direction "to
https://integrate.api.nvidia.com/v1" so it matches the endpoint changes in the
diffs and the network policy reference to integrate.api.nvidia.com:443.
- Line 20: Test fixtures set endpointUrl to
"https://integrate.api.nvidia.com/v1" but PR intent says switch from
integrate.api.nvidia.com to inference-api.nvidia.com; confirm intended direction
and update the test fixtures (the endpointUrl values) to match the correct new
NVIDIA inference endpoint (use "https://inference-api.nvidia.com/v1" if the PR
intends to replace integrate.api with inference-api) in both occurrences
referenced (the endpointUrl test fixture and the other occurrence around the
second mention).

In `@src/lib/onboard/providers.test.ts`:
- Line 167: Tests in the provider upsert suite reference the wrong NVIDIA
endpoint string; replace all occurrences of
"https://integrate.api.nvidia.com/v1" in the provider upsert tests with the
intended endpoint "https://inference-api.nvidia.com" so the tests exercise the
actual inference provider wiring (search for the provider upsert test block and
string literals in src/lib/onboard/providers.test.ts, e.g., the
upsertProvider/upsert tests where the NVIDIA base URL is asserted or stubbed).

---

Outside diff comments:
In `@agents/hermes/policy-additions.yaml`:
- Line 62: The managed_inference policy currently restricts the Python binary to
/usr/bin/python3.11 while the nvidia policy still allows /usr/bin/python3*; make
these policies consistent by choosing one allowlist format and applying it to
both policy blocks (update the list entry in the managed_inference and nvidia
policy definitions to the same path), or if they must differ, add a comment in
the file and a note in the PR summary explaining why managed_inference requires
Python 3.11 while nvidia accepts any 3.x binary; ensure the change is applied to
the Python binary entries in both policy definitions (managed_inference, nvidia)
and update documentation/PR description accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7a2cd516-6b82-4c4d-a370-841aadb9e747

📥 Commits

Reviewing files that changed from the base of the PR and between 81512ef and b137299.

📒 Files selected for processing (19)
  • agents/hermes/policy-additions.yaml
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/inference/inference-options.mdx
  • docs/reference/network-policies.mdx
  • nemoclaw-blueprint/blueprint.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • nemoclaw/src/blueprint/runner.test.ts
  • nemoclaw/src/commands/config-show.test.ts
  • src/lib/inference/model-prompts.test.ts
  • src/lib/onboard/docker-gpu-patch.test.ts
  • src/lib/onboard/machine/handlers/provider-inference.test.ts
  • src/lib/onboard/providers.test.ts
  • src/lib/onboard/providers.ts
  • src/lib/validation.ts
  • test/onboard-selection.test.ts
  • test/validate-blueprint.test.ts
  • tools/advisors/session.mts
🚧 Files skipped from review as they are similar to previous changes (4)
  • docs/reference/network-policies.mdx
  • src/lib/validation.ts
  • docs/inference/inference-options.mdx
  • test/onboard-selection.test.ts

@coderabbitai coderabbitai Bot left a comment

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
agents/hermes/policy-additions.yaml (1)

62-62: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Inconsistent Python binary restrictions between network policies.

The managed_inference policy (line 62) tightens the Python binary allowlist to the specific /usr/bin/python3.11, but the nvidia policy (line 80) retains the wildcard /usr/bin/python3*. This creates an inconsistency within the same file.

If the Python version is being tightened for security or compatibility reasons, both policies should be updated consistently. If there's a specific reason managed_inference requires Python 3.11 but nvidia can work with any 3.x version, that rationale should be documented.

Additionally, this Python version tightening is not mentioned in the PR summary, suggesting possible scope creep beyond the credential/endpoint rename.

As per coding guidelines, changes that tighten the python runtime path may require corresponding updates in this file. The current state leaves an unexplained discrepancy between the two policies.

Also applies to: 80-80

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/hermes/policy-additions.yaml` at line 62, The managed_inference policy
currently restricts the Python binary to /usr/bin/python3.11 while the nvidia
policy still allows /usr/bin/python3*; make these policies consistent by
choosing one allowlist format and applying it to both policy blocks (update the
list entry in the managed_inference and nvidia policy definitions to the same
path), or if they must differ, add a comment in the file and a note in the PR
summary explaining why managed_inference requires Python 3.11 while nvidia
accepts any 3.x binary; ensure the change is applied to the Python binary
entries in both policy definitions (managed_inference, nvidia) and update
documentation/PR description accordingly.

Source: Coding guidelines

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7a2cd516-6b82-4c4d-a370-841aadb9e747

📥 Commits

Reviewing files that changed from the base of the PR and between 81512ef and b137299.

📒 Files selected for processing (19)
  • agents/hermes/policy-additions.yaml
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/inference/inference-options.mdx
  • docs/reference/network-policies.mdx
  • nemoclaw-blueprint/blueprint.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • nemoclaw/src/blueprint/runner.test.ts
  • nemoclaw/src/commands/config-show.test.ts
  • src/lib/inference/model-prompts.test.ts
  • src/lib/onboard/docker-gpu-patch.test.ts
  • src/lib/onboard/machine/handlers/provider-inference.test.ts
  • src/lib/onboard/providers.test.ts
  • src/lib/onboard/providers.ts
  • src/lib/validation.ts
  • test/onboard-selection.test.ts
  • test/validate-blueprint.test.ts
  • tools/advisors/session.mts
🚧 Files skipped from review as they are similar to previous changes (4)
  • docs/reference/network-policies.mdx
  • src/lib/validation.ts
  • docs/inference/inference-options.mdx
  • test/onboard-selection.test.ts
🛑 Comments failed to post (5)
nemoclaw/src/blueprint/runner.test.ts (1)

667-670: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Verify NVIDIA endpoint host in policy addition tests matches PR intent.

The blueprint runner tests now use integrate.api.nvidia.com in policy additions, but the PR summary indicates the target should be inference-api.nvidia.com. This affects E2E test coverage—if the endpoint is wrong, tests won't validate the actual runtime configuration.

Also applies to: 739-742, 762-762, 782-782, 800-800

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw/src/blueprint/runner.test.ts` around lines 667 - 670, In the
blueprint runner tests the NVIDIA endpoint host string used in policy additions
is incorrect; update every policy addition that sets host:
"integrate.api.nvidia.com" to host: "inference-api.nvidia.com" so the tests
validate the intended runtime target (search for the test blocks that create
policies with a host property, e.g., the policy addition objects in
runner.test.ts around the policy-add/test helper code referenced at the shown
diffs and the other occurrences noted).
nemoclaw/src/commands/config-show.test.ts (1)

39-39: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Verify endpoint URL in config fixtures matches PR intent.

The test config fixtures now use https://integrate.api.nvidia.com/v1, but the PR summary indicates the target should be inference-api.nvidia.com. This is the same directional inconsistency found across all changed files in this PR.

Also applies to: 47-47, 52-52, 62-62, 100-100, 118-118

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw/src/commands/config-show.test.ts` at line 39, Update the test
fixtures' endpointUrl value from "https://integrate.api.nvidia.com/v1" to the
intended "https://inference-api.nvidia.com" (adjust path suffix if needed) in
the config fixtures checked by the tests (look for the endpointUrl property in
the config fixture objects inside nemoclaw/src/commands/config-show.test.ts and
the other listed test fixtures), and apply the same replacement for all other
occurrences noted in the comment so the fixtures match the PR intent.
src/lib/inference/model-prompts.test.ts (1)

57-57: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Verify endpoint URL in error messages matches PR intent.

The validation error messages now reference https://integrate.api.nvidia.com/v1/models, but the PR summary indicates the target endpoint should be inference-api.nvidia.com, not integrate.api.nvidia.com. This is the same inconsistency flagged in provider-inference.test.ts.

Also applies to: 63-63

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/inference/model-prompts.test.ts` at line 57, Update the hardcoded
NVIDIA endpoint URL in the test error messages to match the PR intent: replace
occurrences of "https://integrate.api.nvidia.com/v1/models" with the correct
"https://inference-api.nvidia.com/v1/models" in the test assertions inside
src/lib/inference/model-prompts.test.ts (look for the message template using
Model '${model}' is not available from NVIDIA Endpoints and any other similar
message strings around the same test block, including the second occurrence
referenced near the other assertion).
src/lib/onboard/machine/handlers/provider-inference.test.ts (1)

20-20: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Critical inconsistency: PR summary contradicts code changes on NVIDIA endpoint direction.

All code changes across provider-inference.test.ts, model-prompts.test.ts, config-show.test.ts, openclaw-sandbox.yaml, runner.test.ts, providers.test.ts, and policy-additions.yaml consistently set the NVIDIA inference endpoint to https://integrate.api.nvidia.com/v1.

However, the PR summary states: "Switch hosted NVIDIA inference endpoint from https://integrate.api.nvidia.com/v1 to https://inference-api.nvidia.com/v1", which would imply the opposite direction.

This creates a critical ambiguity:

  • If the PR summary is correct, all these code changes are wrong and will break NVIDIA inference by pointing to the old/wrong endpoint
  • If the code changes are correct, the PR summary has "from" and "to" reversed

The coding guidelines for agents/hermes/policy-additions.yaml reference integrate.api.nvidia.com:443 as the expected NVIDIA host, which suggests the code changes may be correct and the PR summary is backwards.

Please clarify and correct the PR summary to match the actual endpoint direction, as this affects E2E test validation, network policy security posture, and production inference routing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/machine/handlers/provider-inference.test.ts` at line 20, The
PR summary is reversed relative to the code changes: update the PR summary to
reflect that the NVIDIA inference endpoint is being switched to
https://integrate.api.nvidia.com/v1 (not from it), and ensure the summary
explicitly lists the affected files (e.g., provider-inference.test.ts,
model-prompts.test.ts, config-show.test.ts, openclaw-sandbox.yaml,
runner.test.ts, providers.test.ts, agents/hermes/policy-additions.yaml,
policy-additions.yaml) and the corrected direction "to
https://integrate.api.nvidia.com/v1" so it matches the endpoint changes in the
diffs and the network policy reference to integrate.api.nvidia.com:443.

Source: Coding guidelines


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Verify endpoint URL direction matches PR intent.

These test fixtures now use https://integrate.api.nvidia.com/v1 as the NVIDIA inference endpoint. However, the PR summary states: "Switch hosted NVIDIA inference endpoint from https://integrate.api.nvidia.com/v1 to https://inference-api.nvidia.com/v1", which would imply the NEW endpoint should be inference-api.nvidia.com, not integrate.api.nvidia.com.

Either the PR summary has "from" and "to" reversed, or these test values are incorrect. Please confirm the intended endpoint direction.

Also applies to: 161-161

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/machine/handlers/provider-inference.test.ts` at line 20, Test
fixtures set endpointUrl to "https://integrate.api.nvidia.com/v1" but PR intent
says switch from integrate.api.nvidia.com to inference-api.nvidia.com; confirm
intended direction and update the test fixtures (the endpointUrl values) to
match the correct new NVIDIA inference endpoint (use
"https://inference-api.nvidia.com/v1" if the PR intends to replace integrate.api
with inference-api) in both occurrences referenced (the endpointUrl test fixture
and the other occurrence around the second mention).
src/lib/onboard/providers.test.ts (1)

167-167: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Verify NVIDIA base URL in provider tests matches PR intent.

The provider upsert tests now use https://integrate.api.nvidia.com/v1 as the NVIDIA endpoint, but the PR summary indicates the target should be inference-api.nvidia.com. This inconsistency affects test coverage for the actual inference provider wiring.

Also applies to: 180-180, 190-190, 205-205

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/providers.test.ts` at line 167, Tests in the provider upsert
suite reference the wrong NVIDIA endpoint string; replace all occurrences of
"https://integrate.api.nvidia.com/v1" in the provider upsert tests with the
intended endpoint "https://inference-api.nvidia.com" so the tests exercise the
actual inference provider wiring (search for the provider upsert test block and
string literals in src/lib/onboard/providers.test.ts, e.g., the
upsertProvider/upsert tests where the NVIDIA base URL is asserted or stubbed).

@copy-pr-bot

copy-pr-bot Bot commented Jun 12, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27448774906
Target ref: codex/update-nvidia-inference-endpoint
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e
Summary: 0 passed, 3 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |

Failed jobs: cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27448873091
Target ref: b27ac36f09d013a8709eb5ceae5ee639fcbc0141
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e
Summary: 0 passed, 3 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |

Failed jobs: cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27449158808
Target ref: codex/update-nvidia-inference-endpoint
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e
Summary: 1 passed, 2 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ✅ success |
| cloud-onboard-e2e | ❌ failure |

Failed jobs: cloud-e2e, cloud-onboard-e2e. Check run artifacts for logs.

@cv cv self-assigned this Jun 12, 2026
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27449346702
Target ref: 87c0ec0eeac12fcaa95dcee7648caeac5ff24ec0
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e,inference-routing-e2e,credential-migration-e2e,credential-sanitization-e2e,network-policy-e2e,sandbox-survival-e2e,sandbox-operations-e2e,rebuild-openclaw-e2e,token-rotation-e2e,hermes-e2e,launchable-smoke-e2e
Summary: 2 passed, 10 failed, 1 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |
| credential-migration-e2e | ✅ success |
| credential-sanitization-e2e | ❌ failure |
| hermes-e2e | ❌ failure |
| inference-routing-e2e | ✅ success |
| launchable-smoke-e2e | ❌ failure |
| network-policy-e2e | ❌ failure |
| rebuild-openclaw-e2e | ❌ failure |
| sandbox-operations-e2e | ❌ failure |
| sandbox-survival-e2e | ❌ failure |
| token-rotation-e2e | ⚠️ cancelled |

Failed jobs: cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, credential-sanitization-e2e, hermes-e2e, launchable-smoke-e2e, network-policy-e2e, rebuild-openclaw-e2e, sandbox-operations-e2e, sandbox-survival-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27449623165
Target ref: codex/update-nvidia-inference-endpoint
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e
Summary: 0 passed, 1 failed, 2 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ⚠️ cancelled |
| cloud-inference-e2e | ⚠️ cancelled |
| cloud-onboard-e2e | ❌ failure |

Failed jobs: cloud-onboard-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27449749031
Target ref: b9d9ffed9089c7067df0d05e01270dfc3dd645bf
Workflow ref: main
Requested jobs: cloud-onboard-e2e,cloud-inference-e2e,credential-migration-e2e,credential-sanitization-e2e,network-policy-e2e,inference-routing-e2e,token-rotation-e2e,hermes-e2e,launchable-smoke-e2e,sandbox-survival-e2e
Summary: 2 passed, 8 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |
| credential-migration-e2e | ✅ success |
| credential-sanitization-e2e | ❌ failure |
| hermes-e2e | ❌ failure |
| inference-routing-e2e | ✅ success |
| launchable-smoke-e2e | ❌ failure |
| network-policy-e2e | ❌ failure |
| sandbox-survival-e2e | ❌ failure |
| token-rotation-e2e | ❌ failure |

Failed jobs: cloud-inference-e2e, cloud-onboard-e2e, credential-sanitization-e2e, hermes-e2e, launchable-smoke-e2e, network-policy-e2e, sandbox-survival-e2e, token-rotation-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27449811156
Target ref: codex/update-nvidia-inference-endpoint
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e
Summary: 2 passed, 1 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ✅ success |
| cloud-onboard-e2e | ✅ success |

Failed jobs: cloud-e2e. Check run artifacts for logs.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/e2e-cloud-experimental/checks/03-security-checks.sh`:
- Around line 40-51: The auto-set default argv-leak marker logic only triggers
for _api_key_env_name == "NVIDIA_INFERENCE_API_KEY", so when callers use
"COMPATIBLE_API_KEY" the marker remains empty and the argv leak scan (using
_key_argv_needle, ps_lines and die) is skipped; update the conditional that sets
_key_argv_prefix_marker (and/or the check for
NEMOCLAW_E2E_CLOUD_API_KEY_ARGV_PREFIX) to also apply when _api_key_env_name ==
"COMPATIBLE_API_KEY" (or otherwise include both names) so the default marker is
populated for compatible mode and the subsequent _key_argv_needle-based ps_lines
scan runs as intended.

In `@test/e2e/test-full-e2e.sh`:
- Around line 243-249: The script validates compatible-mode using
HOSTED_INFERENCE_MODEL earlier but later in Phase 4b still hardcodes
"nvidia/nemotron-3-super-120b-a12b"; update the Phase 4b usage to respect
compatible mode by replacing the hardcoded model string with the
HOSTED_INFERENCE_MODEL variable and/or branching on
nemoclaw_e2e_using_compatible_inference to select HOSTED_INFERENCE_MODEL when
true, and ensure any grep/tests that currently look for the hardcoded name
instead check for the HOSTED_INFERENCE_MODEL value (or reuse the same grep logic
that checks inf_check).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3eb5df17-eca0-4e31-83b4-fbbea2ee49f2

📥 Commits

Reviewing files that changed from the base of the PR and between 87c0ec0 and d8c0689.

📒 Files selected for processing (4)
  • test/e2e/e2e-cloud-experimental/checks/03-security-checks.sh
  • test/e2e/lib/ci-compatible-inference.sh
  • test/e2e/test-cloud-onboard-e2e.sh
  • test/e2e/test-full-e2e.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/e2e/lib/ci-compatible-inference.sh

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27449922166
Target ref: d8c068949b6eccd8fa8d6ee5bf349e8c419b7067
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e,inference-routing-e2e,credential-migration-e2e,credential-sanitization-e2e,network-policy-e2e,sandbox-operations-e2e,rebuild-openclaw-e2e,token-rotation-e2e,hermes-e2e,launchable-smoke-e2e
Summary: 2 passed, 9 failed, 1 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |
| credential-migration-e2e | ✅ success |
| credential-sanitization-e2e | ❌ failure |
| hermes-e2e | ❌ failure |
| inference-routing-e2e | ✅ success |
| launchable-smoke-e2e | ❌ failure |
| network-policy-e2e | ❌ failure |
| rebuild-openclaw-e2e | ❌ failure |
| sandbox-operations-e2e | ⚠️ cancelled |
| token-rotation-e2e | ❌ failure |

Failed jobs: cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, credential-sanitization-e2e, hermes-e2e, launchable-smoke-e2e, network-policy-e2e, rebuild-openclaw-e2e, token-rotation-e2e. Check run artifacts for logs.

@cv cv added the v0.0.65 Release target label Jun 13, 2026
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27450272030
Target ref: 5d7de67e6b8a437149415783a6c40c7f8104bcf2
Workflow ref: main
Requested jobs: cloud-e2e,messaging-providers-e2e
Summary: 0 passed, 2 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| messaging-providers-e2e | ❌ failure |

Failed jobs: cloud-e2e, messaging-providers-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27450143122
Target ref: codex/update-nvidia-inference-endpoint
Requested jobs: cloud-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |

Failed jobs: cloud-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 27450416388
Target ref: codex/update-nvidia-inference-endpoint
Requested jobs: cloud-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ✅ success |

cv added 2 commits June 12, 2026 17:26
…nference-endpoint

# Conflicts:
#	test/e2e/test-issue-2478-crash-loop-recovery.sh
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27450531111
Target ref: 7f1c6a158dd2660dd36d8b08ebb622cafa2c0e8f
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e,inference-routing-e2e,credential-migration-e2e,token-rotation-e2e,launchable-smoke-e2e
Summary: 3 passed, 4 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |
| credential-migration-e2e | ✅ success |
| inference-routing-e2e | ✅ success |
| launchable-smoke-e2e | ❌ failure |
| token-rotation-e2e | ✅ success |

Failed jobs: cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, launchable-smoke-e2e. Check run artifacts for logs.

cv added 2 commits June 12, 2026 17:41
…dpoint' into codex/update-nvidia-inference-endpoint

# Conflicts:
#	src/lib/onboard.ts
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27451202014
Target ref: f8c8ab004f30c75ecea69f09c9b12e11099e7e56
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e,inference-routing-e2e,token-rotation-e2e
Summary: 1 passed, 3 failed, 1 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |
| inference-routing-e2e | ✅ success |
| token-rotation-e2e | ⚠️ cancelled |

Failed jobs: cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e. Check run artifacts for logs.

…nference-endpoint

# Conflicts:
#	.github/workflows/e2e-vitest-scenarios.yaml
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27451451097
Target ref: 460e5727a9998d6f6a790ce27c2d951dd2841129
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e,token-rotation-e2e
Summary: 0 passed, 3 failed, 1 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |
| token-rotation-e2e | ⚠️ cancelled |

Failed jobs: cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e. Check run artifacts for logs.

@cv cv merged commit ef8e43b into main Jun 13, 2026
33 checks passed
@cv cv deleted the codex/update-nvidia-inference-endpoint branch June 13, 2026 01:22
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 27451890065
Target ref: 43e20d54bee29d9199d7aca449ec0b812013ce8b
Workflow ref: main
Requested jobs: cloud-e2e,cloud-onboard-e2e,cloud-inference-e2e,credential-sanitization-e2e,credential-migration-e2e,inference-routing-e2e,network-policy-e2e,token-rotation-e2e,sandbox-survival-e2e,hermes-e2e,launchable-smoke-e2e
Summary: 3 passed, 8 failed, 0 cancelled, 0 skipped

| Job | Result |
| --- | --- |
| cloud-e2e | ❌ failure |
| cloud-inference-e2e | ❌ failure |
| cloud-onboard-e2e | ❌ failure |
| credential-migration-e2e | ✅ success |
| credential-sanitization-e2e | ❌ failure |
| hermes-e2e | ❌ failure |
| inference-routing-e2e | ✅ success |
| launchable-smoke-e2e | ❌ failure |
| network-policy-e2e | ❌ failure |
| sandbox-survival-e2e | ❌ failure |
| token-rotation-e2e | ✅ success |

Failed jobs: cloud-e2e, cloud-inference-e2e, cloud-onboard-e2e, credential-sanitization-e2e, hermes-e2e, launchable-smoke-e2e, network-policy-e2e, sandbox-survival-e2e. Check run artifacts for logs.

@miyoungc miyoungc mentioned this pull request Jun 16, 2026
13 tasks
cv pushed a commit that referenced this pull request Jun 17, 2026
## Summary
Refreshes release-prep documentation for NemoClaw v0.0.65.
Adds the v0.0.65 release-notes section and refreshes generated
`nemoclaw-user-*` skills from the Fern MDX source docs.

## Changes
- Added the v0.0.65 release notes to `docs/about/release-notes.mdx` with
links to the deeper docs pages for lifecycle, troubleshooting,
inference, CLI commands, messaging, credentials, network policy, Hermes,
and sub-agents.
- Regenerated the `nemoclaw-user-*` skills with
`scripts/docs-to-skills.py` so release-prep skill output matches the
merged source docs.
- Used the v0.0.65 announcement discussion as release context:
#5472.

## Source Summary
- #2492 -> `docs/about/release-notes.mdx`: Documents deadline-based
gateway wait reliability in the v0.0.65 recovery summary.
- #4958 -> `docs/about/release-notes.mdx`: Documents re-execed OpenClaw
gateway health check recovery in the sandbox recovery summary.
- #5163 -> `docs/about/release-notes.mdx`: Documents safer uninstall TTY
confirmation behavior in the day-two CLI summary.
- #5178 -> `docs/about/release-notes.mdx`: Documents fail-closed config
restore merge behavior in the rebuild and restore summary.
- #5179 -> `docs/about/release-notes.mdx`: Documents WeChat QR token
redaction in the messaging summary.
- #5182 -> `docs/about/release-notes.mdx`: Documents sustained gateway
serving checks in the recovery summary.
- #5194 -> `docs/about/release-notes.mdx`: Documents model-router
teardown during uninstall in the day-two CLI summary.
- #5195 -> `docs/about/release-notes.mdx`: Documents Shields
auto-restore lock reconfirmation in the rebuild and restore summary.
- #5198 -> `docs/about/release-notes.mdx`: Documents Docker Desktop WSL
CDI injection failure handling in the onboarding diagnostics summary.
- #5201 -> `docs/about/release-notes.mdx`: Documents sandbox
download/upload wrappers and sessions export in the day-two CLI summary.
- #5205 -> `docs/about/release-notes.mdx`: Documents reporter-owned
model metadata preservation in the rebuild and restore summary.
- #5214 -> `docs/about/release-notes.mdx`: Documents managed vLLM model
preflight before side effects in the inference setup summary.
- #5215 -> `docs/about/release-notes.mdx`: Documents managed vLLM extra
serve arguments in the inference setup summary.
- #5216 -> `docs/about/release-notes.mdx`: Documents silent OpenClaw
runtime fallback surfacing in the onboarding diagnostics summary.
- #5225 -> `docs/about/release-notes.mdx`: Documents persisted sandbox
gateway lookup in the gateway recovery summary.
- #5238 -> `docs/about/release-notes.mdx`: Documents sub-agent gateway
dial-back through the sandbox interface in the Hermes and sub-agent
summary.
- #5248 -> `docs/about/release-notes.mdx`: Documents Discord per-account
proxy resolution in the messaging summary.
- #5264 -> `docs/about/release-notes.mdx`: Documents reserved Hermes
port `8642` handling in the Hermes compatibility summary.
- #5267 -> `docs/about/release-notes.mdx`: Documents the narrower Hermes
baseline policy in the Hermes compatibility summary.
- #5321 -> `docs/about/release-notes.mdx`: Documents restored gateway
guard chains in the gateway recovery summary.
- #5328 -> `docs/about/release-notes.mdx`: Documents compact persisted
messaging plans in the messaging summary.
- #5338 -> `docs/about/release-notes.mdx`: Documents manifest channel
migration in the messaging summary.
- #5352 -> `docs/about/release-notes.mdx`: Documents persisted agent
preservation through registry recovery in the rebuild and restore
summary.
- #5371 ->
`.agents/skills/nemoclaw-user-reference/references/commands.md`:
Refreshes generated skill output for custom build cache and
layer-ordering source docs.
- #5379 -> `docs/about/release-notes.mdx`: Documents dashboard port
allocation across multiple NemoClaw gateways in the recovery summary.
- #5382 -> `docs/about/release-notes.mdx`: Documents recovery when an
active gateway has no sandbox spec in the recovery summary.
- #5389 ->
`.agents/skills/nemoclaw-user-reference/references/troubleshooting.md`:
Refreshes generated skill output for declared agent `forward_ports`
recovery source docs.
- #5400 -> `docs/about/release-notes.mdx`: Documents bounded compatible
endpoint probes in the inference setup summary.
- #5410 -> `docs/about/release-notes.mdx`: Documents provider credential
hash removal from sandbox registry entries in the messaging summary.
- #5418 -> `docs/about/release-notes.mdx`: Documents summarized
inference validation failures in the onboarding diagnostics summary.
- #5457 -> `docs/about/release-notes.mdx`: Documents context-window
recomputation after runtime model switches in the inference setup
summary.
- #5463 -> `docs/about/release-notes.mdx`: Documents cleanup of
hard-coded messaging channel stragglers in the messaging summary.

## Skipped
- #5366 matched `docs/.docs-skip` entries through skipped experimental
paths, so this PR does not add new release-note text for that commit.

## Type of Change
- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Verification
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [ ] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [x] Docs updated for user-facing behavior changes
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Verification notes:
- `npm run docs` passed after rerunning outside the sandbox. Fern
reported 0 errors and 1 hidden warning.
- The first sandboxed `npm run docs` attempt failed before validation
because `tsx` could not create its local IPC pipe under sandbox
restrictions.
- `npm run build:cli` passed before push to refresh the local `dist/`
artifacts used by the CLI typecheck hook.
- `npm test` was not run because this is a docs-only release refresh.

---
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Released NemoClaw v0.0.65 with improved gateway/sandbox recovery,
    safer day-two workflows, and enhanced Hermes compatibility.
  * Added managed vLLM extra-arguments configuration via
    `NEMOCLAW_VLLM_EXTRA_ARGS_JSON`.
  * Added Hermes troubleshooting guidance for port forwarding and health
    checks.

* **Documentation**
  * Updated NVIDIA Endpoints/NIM setup and examples to use
    `NVIDIA_INFERENCE_API_KEY`.
  * Refined NVIDIA network policy and Model Router API base configuration.
  * Expanded CLI/environment variable documentation (including sub-agent
    gateway connectivity) and plugin build performance tips.

* **Tests**
  * Expanded Vitest-backed E2E release validation coverage.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Labels

v0.0.65 Release target
