fix(start): drop slow-mode polling on late allowlisted scope upgrades

[laitingsheng]

Summary

The in-sandbox auto-pair watcher transitions to slow-mode keepalive after the first device pairs and a handful of quiet polls. A scope upgrade requested after that point — fresh openclaw tui, openclaw agent, or any other allowlisted CLI client — waits up to one slow-poll interval before the watcher revisits the pending list, which exceeds the OpenClaw client's tolerance for scope upgrade pending approval and forces an embedded-mode fallback. Drop the slow-mode default to 5s and arm a bounded fast-reentry counter on the rising edge of each fresh allowlisted approval attempt so the override floors polling at 1s for the next few iterations. The counter is keyed by requestId (garbage-collected against the live pending list) so a sticky failing request bumps once and then yields back to the slow cadence; it is also floored by the caller's existing default so fast-reentry never increases latency on a tight retry pass.

Related Issue

Fixes #5343
Refs #5324
Refs #5409

#5324 is partially addressed by the polling-cadence fix when the failing non-TUI client requests stay within the allowlisted scopes (operator.pairing/read/write). The bug's other symptoms — Unknown command: openclaw device, the dashboard Auth did not match rate-limit, and any subcommand whose pairing genuinely needs operator.admin — sit outside the auto-pair policy boundary and remain open for a separate operator-driven approval surface.

#5409 (nightly E2E Phase 3 fail when onboard auto-pairs the CLI device with full agent scopes) was already fixed in main by #5406 (which introduced the SCOPE_UPGRADE_ALREADY_SATISFIED branch) and #5412 (which extended the same flag to the legacy-repro exit). This PR carries those changes onto the feature branch through the merge of main so the renamed test-cli-scope-upgrade-approval.sh exercises the same preapproved-state-tolerant path.

Changes

• scripts/nemoclaw-start.sh: declare FAST_REENTRY_POLLS / FAST_REENTRY_INTERVAL / FAST_REENTRY_REMAINING / FAST_REENTRY_BUMPED_REQUEST_IDS, add a sleep_for_next_poll(default) helper that floors the override by the caller's default, wire it into every watcher sleep call-site, and bump the counter once on the rising edge of each fresh allowlisted approval attempt — emitting a single [auto-pair] fast-reentry bumped polls=N approved=N mode=slow|fast marker. Lower SLOW_INTERVAL default from 30s to 5s so the worst-case latency on the first late upgrade sits below typical OpenClaw client wait windows.
• test/nemoclaw-start.test.ts: extract a shared late-CLI fixture (setupLateCliFixture) so the existing convergence test and the new fast-reentry assertions share their fake openclaw stub, and fold the fast-reentry marker + ordering + single-rising-edge assertions into the existing late-upgrade test to stay inside the file size budget.
• test/e2e/test-cli-scope-upgrade-approval.sh (renamed from test-issue-4462-scope-upgrade-approval.sh): drop AUTO_PAIR_SLOW_INTERVAL_DEFAULT from 600 to 5 so the in-sandbox watcher is observably exercised by the test, tolerate watcher-wins in Phase 3 via allow_already_approved=1, and make Phase 6 strict — it now fails the test if the watcher did not record a slow-mode transition or did not log the fast-reentry marker.
• test/e2e-script-workflow.test.ts, .github/workflows/nightly-e2e.yaml: update the legacy + nightly script allowlists and CI job script paths to the renamed file, rename the two affected nightly E2E jobs to drop the issue-id prefix (cli-scope-upgrade-approval-e2e, cli-scope-upgrade-legacy-repro-e2e), and sync the approval-job's NEMOCLAW_AUTO_PAIR_SLOW_INTERVAL_SECS from 600 to 5.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Tinson Lai tinsonl@nvidia.com

Summary by CodeRabbit

• New Features

  • Added bounded “fast re-entry” polling to the auto-pair watcher and reduced the default slow-mode cadence for quicker follow-up after allowlisted approvals.

• Tests / CI

  • Updated the nightly E2E workflow to run CLI-scoped scope-upgrade approval jobs, adjusting job IDs and workflow inputs.
  • Refreshed CLI scope-upgrade E2E allowlists and strengthened end-to-end assertions with additional phases, including state-log snapshot checks and improved fast-reentry marker handling.

• Tests

  • Refactored late-CLI watcher tests with a shared fixture, added concurrent scenarios, and tightened timing/marker and approvals-log validations.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d0988dfd-034f-42b8-a58e-4852e03c4668

📥 Commits

Reviewing files that changed from the base of the PR and between e16cd47 and 25ddfcf.

📒 Files selected for processing (2)

• scripts/nemoclaw-start.sh
• test/e2e/test-cli-scope-upgrade-approval.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• test/e2e/test-cli-scope-upgrade-approval.sh

---

📝 Walkthrough

Walkthrough

This PR adds a bounded "fast-reentry" polling window to the auto-pair watcher that briefly forces faster polling after allowlisted device approvals are attempted, enabling capture of late CLI arrivals. The nightly E2E workflow and test script are unified under CLI scope-upgrade naming instead of issue-4462 prefixes, and Phase 6–7 validate fast-reentry behavior through log snapshots, concurrent execution, and marker assertions.

Changes

Fast-reentry scope-upgrade polling

Layer / File(s)	Summary
Nightly workflow and allowlist updates .github/workflows/nightly-e2e.yaml, test/e2e-script-workflow.test.ts	Replaces issue-4462-scope-upgrade-* job IDs with cli-scope-upgrade-approval-e2e and cli-scope-upgrade-legacy-repro-e2e; both run the unified CLI approval script with CLI-scope environment variables; downstream aggregators (notify-on-failure, report-to-pr, scorecard) updated to reference new job IDs; frozen test allowlists updated to expect the shared CLI script.
Watcher startup and fast-reentry constants scripts/nemoclaw-start.sh	Starts auto-pair watcher with unbuffered Python output and explicit startup log; introduces FAST_REENTRY_POLLS, FAST_REENTRY_INTERVAL, FAST_REENTRY_REMAINING, and FAST_REENTRY_BUMPED_REQUEST_IDS state; sets SLOW_INTERVAL default to 5s.
Sleep helper and failure backoff routing scripts/nemoclaw-start.sh	Adds sleep_for_next_poll(default_seconds) helper that overrides polling intervals when fast-reentry counter is active; routes device-list failure (nonzero rc or empty output) and JSON parse error sleeps through the helper to apply bounded fast-reentry override consistently.
Approval tracking and fast-reentry activation scripts/nemoclaw-start.sh	Adds per-iteration attempted_request_ids and pending_request_ids tracking; records requestIds when approval policy decision is reached; garbage-collects bumped ids post-processing; on rising-edge new attempted requestIds (when FAST_REENTRY_POLLS > 0), arms bounded fast-reentry by setting FAST_REENTRY_REMAINING and updating bumped set; end-of-iteration sleep tiering routed through sleep helper.
E2E script CLI scope-upgrade naming and core instrumentation test/e2e/test-cli-scope-upgrade-approval.sh	Switches environment variable prefixes from NEMOCLAW_4462_* to NEMOCLAW_CLI_SCOPE_* throughout; lowers slow-interval default from 600s to 5s with new override fallbacks; updates device-state and approval env var exports; updates phase naming and pass messaging to remove issue-4462 references.
E2E verification phases 6–7 for fast-reentry and concurrent validation test/e2e/test-cli-scope-upgrade-approval.sh	Phase 6 snapshots /tmp/auto-pair.log, validates slow-mode keepalive marker within bounded wait window, and treats fast-reentry bump marker as informational-only (pass if present). Phase 7 runs two sandboxes' agent turns concurrently, verifies both outputs lack disallowed markers, asserts per-sandbox gateway URL pinning (:18789 vs :18790) and distinct URLs, and only passes when both runs exit successfully and all assertions hold.
Unit tests: late-CLI slow-mode and fast-reentry validation test/nemoclaw-start.test.ts	Extracts reusable setupLateCliFixture(prefix) helper to build workspace and precomputed device payloads; refactors late-CLI test to use explicit fast-reentry env vars, concurrent late requestIds (late-cli, late-cli-b), and strict marker count and sequencing assertions; updates non-zero approve failure test with fast-reentry env vars and validates fast-reentry marker occurrence in both fast and slow modes.

Sequence Diagram(s)

sequenceDiagram
  participant Watcher as Auto-pair watcher
  participant Devices as Device list
  participant Policy as Approval policy
  participant Sleep as sleep_for_next_poll
  
  Watcher->>Devices: poll current pending
  Watcher->>Policy: evaluate pending requestIds
  Policy-->>Watcher: mark attempted (add to set)
  Watcher->>Watcher: garbage-collect FAST_REENTRY_BUMPED against current pending
  rect rgba(0, 200, 0, 0.5)
    Note over Watcher,Sleep: Fast-reentry arm (FAST_REENTRY_POLLS > 0 AND newly attempted)
    Watcher->>Watcher: set FAST_REENTRY_REMAINING = FAST_REENTRY_POLLS
    Watcher->>Watcher: update FAST_REENTRY_BUMPED_REQUEST_IDS
  end
  Watcher->>Sleep: sleep_for_next_poll(SLOW_INTERVAL)
  rect rgba(100, 200, 255, 0.5)
    Note over Sleep: Fast-reentry active (FAST_REENTRY_REMAINING > 0)
    Sleep->>Sleep: decrement FAST_REENTRY_REMAINING
    Sleep->>Sleep: sleep min(FAST_REENTRY_INTERVAL, SLOW_INTERVAL)
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• NVIDIA/NemoClaw#5401: Modifies the same auto-pair watcher in scripts/nemoclaw-start.sh but focuses on approval-failure recovery via recover_failed_scope_approval rather than fast-reentry polling behavior.

Suggested labels

area: sandbox, area: onboarding, nightly-e2e

Suggested reviewers

• cv

Poem

A rabbit bounds through approval gates,
Fast-reentry polls for those who wait—
Late CLI friends arrive in time,
In brief bursts, the watcher chimes. 🐰 ⚡

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'fix(start): drop slow-mode polling on late allowlisted scope upgrades' directly describes the main change: implementing fast-reentry polling to reduce delays for late scope upgrades. It aligns with the core solution of adding a bounded fast-reentry mechanism to avoid slow-mode polling when fresh scope-upgrade approvals are detected.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/scope-upgrade-late-approval-race

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-code-quality]

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the fix/scope-upgrade-la... branch is 96%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	fix/scope-upgrade-la... 25ddfcf	+/-
nemoclaw/src/se...cret-scanner.ts	—	100%	—
nemoclaw/src/commands/slash.ts	—	100%	—
nemoclaw/src/li...bprocess-env.ts	—	100%	—
nemoclaw/src/bl...eprint/state.ts	—	98%	—
nemoclaw/src/onboard/config.ts	—	98%	—
nemoclaw/src/bl...int/snapshot.ts	—	97%	—
nemoclaw/src/bl...print/runner.ts	—	95%	—
nemoclaw/src/co...ration-state.ts	—	94%	—
nemoclaw/src/bl...ate-networks.ts	—	94%	—
nemoclaw/src/index.ts	—	94%	—

TypeScript / code-coverage/cli

The overall coverage in the fix/scope-upgrade-la... branch is 46%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	fix/scope-upgrade-la... 25ddfcf	+/-
src/lib/state/o...oard-session.ts	—	90%	—
src/lib/inference/local.ts	—	76%	—
src/lib/sandbox/config.ts	—	72%	—
src/lib/actions...dbox/rebuild.ts	—	67%	—
src/lib/onboard/preflight.ts	—	64%	—
src/lib/actions...licy-channel.ts	—	56%	—
src/lib/state/sandbox.ts	—	55%	—
src/lib/policy/index.ts	—	49%	—
src/lib/onboard...er-gpu-patch.ts	—	44%	—
src/lib/onboard.ts	—	18%	—

---

_{Updated June 16, 2026 04:03 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}

[github-actions]

E2E Advisor Recommendation

Required E2E: cli-scope-upgrade-approval-e2e, cli-scope-upgrade-legacy-repro-e2e, device-auth-health-e2e
Optional E2E: sandbox-survival-e2e

Dispatch hint: cli-scope-upgrade-approval-e2e,cli-scope-upgrade-legacy-repro-e2e,device-auth-health-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cli-scope-upgrade-approval-e2e (high): Primary required coverage for the runtime change: builds a real sandbox, triggers the late CLI/operator scope upgrade, validates approval through the fixed proxy-env path or watcher, confirms no operator.admin grant, and proves a real openclaw agent turn stays on the gateway path without embedded fallback.
• cli-scope-upgrade-legacy-repro-e2e (high): Required because the PR changes both the legacy characterization job wiring and the shared script/env names. It validates the gateway-pinned approval characterization/recovery path against a real sandbox and ensures the renamed dispatch job is actually runnable.
• device-auth-health-e2e (medium): Required adjacent validation for the device-auth startup path affected by start_auto_pair: onboard a real sandbox and verify device-auth health while the changed watcher and gateway environment are active.

Optional E2E

• sandbox-survival-e2e (medium): Useful confidence for the long-lived watcher behavior across gateway stop/start and sandbox survival, but less directly targeted than the scope-upgrade and device-auth jobs.

New E2E recommendations

• None.

Dispatch hint

• Workflow: .github/workflows/nightly-e2e.yaml
• jobs input: cli-scope-upgrade-approval-e2e,cli-scope-upgrade-legacy-repro-e2e,device-auth-health-e2e

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: ubuntu-repo-cloud-openclaw
Optional Vitest E2E scenarios: ubuntu-repo-docker-post-reboot-recovery

Dispatch required Vitest E2E scenarios:

• gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• ubuntu-repo-cloud-openclaw: scripts/nemoclaw-start.sh changes the in-sandbox OpenClaw gateway auto-pair watcher and polling behavior used during live OpenClaw onboarding. The ubuntu-repo-cloud-openclaw typed Vitest scenario is the smallest live-supported scenario that provisions the repo-current Docker OpenClaw path and exercises the affected startup/onboarding surface plus gateway-backed inference validation.
  • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional Vitest E2E scenarios

• ubuntu-repo-docker-post-reboot-recovery: Optional adjacent coverage: this live-supported OpenClaw scenario uses the same repo-current Docker onboarding/startup path and adds the post-reboot-recovery lifecycle, which can provide extra confidence that the changed gateway startup/watch behavior remains stable across lifecycle recovery.
  • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-docker-post-reboot-recovery

Relevant changed files

• scripts/nemoclaw-start.sh

[github-actions]

PR Review Advisor

Findings: 1 needs attention, 3 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 2 still apply, 1 new item found

Review findings

🛠️ Needs attention

• [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 two-provider gateway-routing acceptance remains unproven (test/e2e/test-cli-scope-upgrade-approval.sh:1201): The linked issue expects two sandboxes with different inference providers to run prompts in parallel through the gateway/inference.local path. Phase 7 provisions two sandboxes and checks distinct gateway URLs plus absence of fallback markers, but its own comment says both sandboxes share the same NVIDIA Cloud provider and the differing-providers half cannot be exercised in CI. It also does not assert provider/model routing through inference.local.
  • Recommendation: Either add targeted runtime evidence for two differently configured providers/routes, including inference.local/provider assertions, or narrow the PR/issue claim so [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 remains partially addressed rather than fixed.
  • Evidence: Issue [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 Expected Result: "sandbox-A → `inference.local` → NVIDIA Cloud model `nvidia/nemotron-3-super-120b-a12b`" and "sandbox-B → `inference.local` → local Ollama model `qwen3.5:9b`". Diff evidence: Phase 7 comment states "CI has only one inference provider key available, so both sandboxes share the same NVIDIA Cloud provider" and "the differing-providers half cannot be exercised without a second provider key in CI"; the test checks ports :18789/:18790 and fallback markers, not provider/model routing.

🔎 Worth checking

• Source-of-truth review needed: Slow-mode keepalive plus bounded fast-reentry polling: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: Production code sets `SLOW_INTERVAL` default to 5s and arms `FAST_REENTRY_REMAINING`; E2E Phase 6 logs absence of `[auto-pair] fast-reentry bumped` as `info`, so it does not strictly prove the changed runtime path.
• Concurrent Phase 7 agents do not assert the prompt result (test/e2e/test-cli-scope-upgrade-approval.sh:1260): The two-sandbox Phase 7 asks each agent "What is 2 plus 2?" but only checks process exit status, gateway URL, and absence of fallback/scope-upgrade markers. A run that exits 0 with an empty or incorrect model response would still pass, so the phase does not fully prove both concurrent gateway-backed turns completed semantically.
  • Recommendation: Parse each Phase 7 agent output with the existing `parse_openclaw_agent_text` helper and assert the expected answer `4`, similar to the Phase 5 `42` check.
  • Evidence: Phase 5 parses `final_output` and requires reply `42`; Phase 7 runs `openclaw agent ... -m "What is 2 plus 2? Reply with only the integer, no extra words."` but never parses either output or checks for `4`.
• Runtime E2E does not strictly prove fast-reentry watcher approval (test/e2e/test-cli-scope-upgrade-approval.sh:1179): The production fix adds fast-reentry polling so a slow-mode watcher catches late allowlisted scope upgrades before the client falls back. The deterministic unit tests cover this well, but the runtime E2E only strictly requires a slow-mode transition; absence of the fast-reentry marker is logged as informational because the manual `approve_request` path can win the race. That leaves the runtime test unable to distinguish watcher-driven approval from manual recovery for the changed sandbox lifecycle behavior.
  • Recommendation: Add a runtime phase that creates a late allowlisted scope-upgrade after the watcher is already in slow mode and requires watcher-owned approval evidence before manual approval is attempted, such as a strict fast-reentry marker plus device-state transition or no pending request before the explicit approve path runs.
  • Evidence: Phase 6 says the fast-reentry marker is "informational only" and the code calls `info "watcher did not log a fast-reentry marker ..."` instead of failing. The PR body describes making Phase 6 strict, but the diff only strictly fails when no slow-mode transition is observed.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — Two concurrent sandboxes return the expected answers (`4` and `4`) while using distinct gateway URLs and no scope-upgrade, pairing, or embedded-fallback markers.. The unit coverage for watcher polling/security boundaries is strong, but the changed production surfaces include sandbox lifecycle shell, gateway approval timing, inference routing, and a secret-bearing nightly workflow. Runtime coverage still has acceptance gaps for [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 and does not strictly prove watcher-owned fast-reentry approval in E2E.
• **Runtime validation** — Two concurrent sandboxes are configured with different providers/routes and each prompt is observed through `inference.local` to its expected provider/model.. The unit coverage for watcher polling/security boundaries is strong, but the changed production surfaces include sandbox lifecycle shell, gateway approval timing, inference routing, and a secret-bearing nightly workflow. Runtime coverage still has acceptance gaps for [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 and does not strictly prove watcher-owned fast-reentry approval in E2E.
• **Runtime validation** — A late allowlisted scope upgrade after watcher slow-mode is approved by the watcher itself before the client falls back, with strict fast-reentry marker or device-state evidence before manual approval runs.. The unit coverage for watcher polling/security boundaries is strong, but the changed production surfaces include sandbox lifecycle shell, gateway approval timing, inference routing, and a secret-bearing nightly workflow. Runtime coverage still has acceptance gaps for [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 and does not strictly prove watcher-owned fast-reentry approval in E2E.
• **Runtime validation** — Phase 7 verifies `inference.local` route/provider evidence, not just `OPENCLAW_GATEWAY_URL` port pinning.. The unit coverage for watcher polling/security boundaries is strong, but the changed production surfaces include sandbox lifecycle shell, gateway approval timing, inference routing, and a secret-bearing nightly workflow. Runtime coverage still has acceptance gaps for [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 and does not strictly prove watcher-owned fast-reentry approval in E2E.
• **Concurrent Phase 7 agents do not assert the prompt result** — Parse each Phase 7 agent output with the existing `parse_openclaw_agent_text` helper and assert the expected answer `4`, similar to the Phase 5 `42` check.
• **Runtime E2E does not strictly prove fast-reentry watcher approval** — Add a runtime phase that creates a late allowlisted scope-upgrade after the watcher is already in slow mode and requires watcher-owned approval evidence before manual approval is attempted, such as a strict fast-reentry marker plus device-state transition or no pending request before the explicit approve path runs.
• **Acceptance clause:** [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343: "two NemoClaw sandboxes with different inference providers" — add test evidence or identify existing coverage. Phase 7 creates two sandboxes, but its comment states both share the same NVIDIA Cloud provider and the differing-provider half cannot be exercised in CI.
• **Acceptance clause:** [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343: "handle prompts in parallel via the gateway (`inference.local`)" — add test evidence or identify existing coverage. Phase 7 runs two `openclaw agent` commands concurrently and checks distinct gateway URLs plus no fallback markers, but it does not verify `inference.local` routing or parse the prompt responses.

Since last review details

Current findings:

• Source-of-truth review needed: Slow-mode keepalive plus bounded fast-reentry polling: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: Production code sets `SLOW_INTERVAL` default to 5s and arms `FAST_REENTRY_REMAINING`; E2E Phase 6 logs absence of `[auto-pair] fast-reentry bumped` as `info`, so it does not strictly prove the changed runtime path.
• [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 two-provider gateway-routing acceptance remains unproven (test/e2e/test-cli-scope-upgrade-approval.sh:1201): The linked issue expects two sandboxes with different inference providers to run prompts in parallel through the gateway/inference.local path. Phase 7 provisions two sandboxes and checks distinct gateway URLs plus absence of fallback markers, but its own comment says both sandboxes share the same NVIDIA Cloud provider and the differing-providers half cannot be exercised in CI. It also does not assert provider/model routing through inference.local.
  • Recommendation: Either add targeted runtime evidence for two differently configured providers/routes, including inference.local/provider assertions, or narrow the PR/issue claim so [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 remains partially addressed rather than fixed.
  • Evidence: Issue [All Platforms][Inference] Multi-sandbox parallel routing test fails: both sandboxes hit gateway scope-upgrade block and fall back to embedded mode #5343 Expected Result: "sandbox-A → `inference.local` → NVIDIA Cloud model `nvidia/nemotron-3-super-120b-a12b`" and "sandbox-B → `inference.local` → local Ollama model `qwen3.5:9b`". Diff evidence: Phase 7 comment states "CI has only one inference provider key available, so both sandboxes share the same NVIDIA Cloud provider" and "the differing-providers half cannot be exercised without a second provider key in CI"; the test checks ports :18789/:18790 and fallback markers, not provider/model routing.
• Concurrent Phase 7 agents do not assert the prompt result (test/e2e/test-cli-scope-upgrade-approval.sh:1260): The two-sandbox Phase 7 asks each agent "What is 2 plus 2?" but only checks process exit status, gateway URL, and absence of fallback/scope-upgrade markers. A run that exits 0 with an empty or incorrect model response would still pass, so the phase does not fully prove both concurrent gateway-backed turns completed semantically.
  • Recommendation: Parse each Phase 7 agent output with the existing `parse_openclaw_agent_text` helper and assert the expected answer `4`, similar to the Phase 5 `42` check.
  • Evidence: Phase 5 parses `final_output` and requires reply `42`; Phase 7 runs `openclaw agent ... -m "What is 2 plus 2? Reply with only the integer, no extra words."` but never parses either output or checks for `4`.
• Runtime E2E does not strictly prove fast-reentry watcher approval (test/e2e/test-cli-scope-upgrade-approval.sh:1179): The production fix adds fast-reentry polling so a slow-mode watcher catches late allowlisted scope upgrades before the client falls back. The deterministic unit tests cover this well, but the runtime E2E only strictly requires a slow-mode transition; absence of the fast-reentry marker is logged as informational because the manual `approve_request` path can win the race. That leaves the runtime test unable to distinguish watcher-driven approval from manual recovery for the changed sandbox lifecycle behavior.
  • Recommendation: Add a runtime phase that creates a late allowlisted scope-upgrade after the watcher is already in slow mode and requires watcher-owned approval evidence before manual approval is attempted, such as a strict fast-reentry marker plus device-state transition or no pending request before the explicit approve path runs.
  • Evidence: Phase 6 says the fast-reentry marker is "informational only" and the code calls `info "watcher did not log a fast-reentry marker ..."` instead of failing. The PR body describes making Phase 6 strict, but the diff only strictly fails when no slow-mode transition is observed.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27463690336
Target ref: 04069f70a3743c2892e409295d79c3e029d1f638
Workflow ref: main
Requested jobs: issue-4462-scope-upgrade-approval-e2e,issue-4462-gateway-pinned-approval-characterization-e2e
Summary: 0 passed, 2 failed, 0 cancelled, 0 skipped

Job	Result
issue-4462-gateway-pinned-approval-characterization-e2e	❌ failure
issue-4462-scope-upgrade-approval-e2e	❌ failure

Failed jobs: issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e. Check run artifacts for logs.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 2050-2061: The fast-reentry counter is being reinitialized every
loop when attempted_approval is true, allowing a single failing pending request
to keep fast mode indefinitely; change the logic in the watcher loop so
FAST_REENTRY_REMAINING is only reset once per approval lifecycle (e.g., on the
rising edge of attempted_approval or when FAST_REENTRY_REMAINING == 0) instead
of every loop iteration: add a small persistent flag like
prev_attempted_approval or check FAST_REENTRY_REMAINING to detect transitions
and only set FAST_REENTRY_REMAINING = FAST_REENTRY_POLLS and print the log when
the transition occurs (leave APPROVED and SLOW_MODE usage as-is).

In `@test/nemoclaw-start.test.ts`:
- Around line 1746-1859: The test added ("drops slow-mode polling back to fast
cadence when a late scope upgrade arrives") exceeds the file line budget;
extract the duplicated late-cli fixture and setup into a small reusable helper
(e.g. create a function like createLateCliFixture that returns { tmpDir,
fakeOpenclaw, stateFile, approveLog } and sets up the script and permissions)
and call that helper from this test (and the adjacent similar test) instead of
inlining the long bash string and env setup, or alternatively fold the
fast-reentry assertions into the existing late-upgrade test to avoid duplicating
the entire fixture; locate references to fakeOpenclaw, stateFile, approveLog,
and buildAutoPairScript() to update call sites to use the helper and remove the
duplicated lines from the test body.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5b40365e-a235-4bb4-bb63-2de367836ecb

📥 Commits

Reviewing files that changed from the base of the PR and between 39fd60a and 04069f7.

📒 Files selected for processing (5)

• .github/workflows/nightly-e2e.yaml
• scripts/nemoclaw-start.sh
• test/e2e-script-workflow.test.ts
• test/e2e/test-cli-scope-upgrade-approval.sh
• test/nemoclaw-start.test.ts

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27463736935
Target ref: 1ff7eb0c5a32f8b430d88fc5685923744caa1dc8
Workflow ref: main
Requested jobs: issue-4462-scope-upgrade-approval-e2e,issue-4462-gateway-pinned-approval-characterization-e2e
Summary: 0 passed, 2 failed, 0 cancelled, 0 skipped

Job	Result
issue-4462-gateway-pinned-approval-characterization-e2e	❌ failure
issue-4462-scope-upgrade-approval-e2e	❌ failure

Failed jobs: issue-4462-gateway-pinned-approval-characterization-e2e, issue-4462-scope-upgrade-approval-e2e. Check run artifacts for logs.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/test-cli-scope-upgrade-approval.sh`:
- Around line 1082-1086: The grep check for '[auto-pair] fast-reentry bumped'
using auto_pair_log_snapshot should be made informational: in the else branch
replace the fail call with a non-fatal log/warn (or call a function like warn or
echo) so the script doesn't hard-fail when the watcher didn't log the marker;
keep the pass branch unchanged. Update the block that currently uses grep -F ...
and calls fail to instead emit a warning/message while allowing the test to
continue.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5a348f44-52fd-43f1-a690-23bae8b5c178

📥 Commits

Reviewing files that changed from the base of the PR and between 04069f7 and 2b040db.

📒 Files selected for processing (4)

• .github/workflows/nightly-e2e.yaml
• scripts/nemoclaw-start.sh
• test/e2e/test-cli-scope-upgrade-approval.sh
• test/nemoclaw-start.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• test/nemoclaw-start.test.ts

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27464785119
Target ref: fix/scope-upgrade-late-approval-race
Requested jobs: cli-scope-upgrade-approval-e2e,cli-scope-upgrade-legacy-repro-e2e
Summary: 0 passed, 2 failed, 0 cancelled, 0 skipped

Job	Result
cli-scope-upgrade-approval-e2e	❌ failure
cli-scope-upgrade-legacy-repro-e2e	❌ failure

Failed jobs: cli-scope-upgrade-approval-e2e, cli-scope-upgrade-legacy-repro-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27465290873
Target ref: fix/scope-upgrade-late-approval-race
Requested jobs: cli-scope-upgrade-approval-e2e,cli-scope-upgrade-legacy-repro-e2e
Summary: 0 passed, 2 failed, 0 cancelled, 0 skipped

Job	Result
cli-scope-upgrade-approval-e2e	❌ failure
cli-scope-upgrade-legacy-repro-e2e	❌ failure

Failed jobs: cli-scope-upgrade-approval-e2e, cli-scope-upgrade-legacy-repro-e2e. Check run artifacts for logs.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/nemoclaw-start.test.ts`:
- Around line 2248-2250: The test's assertion currently only matches
"fast-reentry bumped polls=3 approved=0 mode=fast" and can miss alternate bump
lines; update the marker and expectation used in test variable markerRe (and the
subsequent expect using run.stdout.match(...).length) to match any "fast-reentry
bumped" line (ignore the particular field values) and assert the total number of
such occurrences is exactly 1 so any extra bump log (e.g., with approved=1) will
fail the test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 97da2f1c-484a-4ce2-a416-670cedbb0123

📥 Commits

Reviewing files that changed from the base of the PR and between bba211b and cae6c20.

📒 Files selected for processing (1)

• test/nemoclaw-start.test.ts

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27590027557
Target ref: fix/scope-upgrade-late-approval-race
Requested jobs: cli-scope-upgrade-approval-e2e,cli-scope-upgrade-legacy-repro-e2e
Summary: 1 passed, 1 failed, 0 cancelled, 0 skipped

Job	Result
cli-scope-upgrade-approval-e2e	❌ failure
cli-scope-upgrade-legacy-repro-e2e	✅ success

Failed jobs: cli-scope-upgrade-approval-e2e. Check run artifacts for logs.

[coderabbitai]

🧹 Nitpick comments (1)

scripts/nemoclaw-start.sh (1)

2432-2436: 💤 Low value

Stale comment: SLOW_INTERVAL default is now 5s, not 30s.

The comment mentions "SLOW_INTERVAL (default 30s)" but line 2237 sets the default to 5s. Consider updating for consistency.

     # Back off polling: 1s in fast mode while waiting for first pairing,
-    # 5s in fast mode once anything is paired/approved, and SLOW_INTERVAL
-    # (default 30s) after convergence. Slow-mode keepalive lets late CLI
+    # 5s in fast mode once anything is paired/approved, and SLOW_INTERVAL
+    # (default 5s) after convergence. Slow-mode keepalive lets late CLI

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/nemoclaw-start.sh` around lines 2432 - 2436, The comment block
describing the back-off polling behavior contains outdated information about the
SLOW_INTERVAL default value. Update the comment where it states "SLOW_INTERVAL
(default 30s)" to correctly reflect that the default is now 5s, ensuring the
documentation matches the actual implementation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@scripts/nemoclaw-start.sh`:
- Around line 2432-2436: The comment block describing the back-off polling
behavior contains outdated information about the SLOW_INTERVAL default value.
Update the comment where it states "SLOW_INTERVAL (default 30s)" to correctly
reflect that the default is now 5s, ensuring the documentation matches the
actual implementation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7d9b99aa-dc58-4f1d-8dd4-a5815f11d976

📥 Commits

Reviewing files that changed from the base of the PR and between 13278bf and e16cd47.

📒 Files selected for processing (3)

• scripts/nemoclaw-start.sh
• test/e2e/test-cli-scope-upgrade-approval.sh
• test/nemoclaw-start.test.ts

💤 Files with no reviewable changes (2)

• test/nemoclaw-start.test.ts
• test/e2e/test-cli-scope-upgrade-approval.sh

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27590823999
Target ref: fix/scope-upgrade-late-approval-race
Requested jobs: cli-scope-upgrade-approval-e2e,cli-scope-upgrade-legacy-repro-e2e
Summary: 1 passed, 1 failed, 0 cancelled, 0 skipped

Job	Result
cli-scope-upgrade-approval-e2e	❌ failure
cli-scope-upgrade-legacy-repro-e2e	✅ success

Failed jobs: cli-scope-upgrade-approval-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 27590823999
Target ref: fix/scope-upgrade-late-approval-race
Requested jobs: cli-scope-upgrade-approval-e2e,cli-scope-upgrade-legacy-repro-e2e
Summary: 1 passed, 1 failed, 0 cancelled, 0 skipped

Job	Result
cli-scope-upgrade-approval-e2e	❌ failure
cli-scope-upgrade-legacy-repro-e2e	✅ success

Failed jobs: cli-scope-upgrade-approval-e2e. Check run artifacts for logs.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27593190866
Target ref: fix/scope-upgrade-late-approval-race
Requested jobs: cli-scope-upgrade-approval-e2e,cli-scope-upgrade-legacy-repro-e2e
Summary: 2 passed, 0 failed, 0 cancelled, 0 skipped

Job	Result
cli-scope-upgrade-approval-e2e	✅ success
cli-scope-upgrade-legacy-repro-e2e	✅ success