test(e2e): migrate scope upgrade approval to Vitest

[cv]

Summary

Migrate test-issue-4462-scope-upgrade-approval.sh into the live Vitest E2E system. Adds test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts and issue-4462-scope-upgrade-approval-vitest workflow wiring. The Vitest test installs a real sandbox, verifies the proxy-env devices-approve guard, approves or observes the CLI scope upgrade without operator.admin, and confirms a final agent turn stays on the gateway path.

Related Issue

Refs #5098

Changes

• Adds or wires the free-standing live Vitest scenario issue-4462-scope-upgrade-approval.
• Adds selective workflow dispatch via issue-4462-scope-upgrade-approval-vitest in .github/workflows/e2e-vitest-scenarios.yaml.
• Preserves the legacy system boundaries from test-issue-4462-scope-upgrade-approval.sh while leaving legacy shell retirement to Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 Phase 11.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• Git hooks passed during commit and push, or npx prek run --from-ref main --to-ref HEAD passes
• Targeted tests pass for changed behavior
• Full npm test passes (broad runtime changes only)
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Targeted local checks run while preparing these branches:

• npx vitest run --project e2e-vitest-support test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts --silent=false --reporter=default
• npm run typecheck:cli for branches adding new TypeScript tests
• git diff --check

Selective same-runner dispatch: https://github.com/NVIDIA/NemoClaw/actions/runs/27649248534 — passed after merge-from-main refresh

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• Tests
  • Added a new live end-to-end scenario test to ensure scope-upgrade approval follows the gateway path and does not grant elevated admin access to CLI clients.
• CI / Automation
  • Added a dedicated end-to-end Vitest run that executes the scenario and uploads test artifacts for review.
  • Updated pull request reporting so the new scenario job’s results are included in the PR status summary.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new TypeScript Vitest live E2E test for the issue-4462 scope-upgrade approval scenario, replacing the prior shell-based test. The test embeds a bash/Python script that validates scope-upgrade approval flows and absence of operator.admin leakage. A matching GitHub Actions CI job is added to the e2e-vitest-scenarios.yaml workflow and wired into report-to-pr.

Changes

Scope-upgrade approval Vitest migration

Layer / File(s)	Summary
Test constants, environment setup, and cleanup test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts	Defines scenario name, live-test gating, sandbox naming helper, environment variable constructor, and an async cleanup that destroys the CLI sandbox and OpenShell gateway while swallowing errors.
Embedded bash/Python scope-upgrade approval script test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts	Inline bash script with Python helpers that reads OpenClaw device state, selects or approves a pending scope-upgrade request without granting operator.admin, triggers agent interaction when no pending request exists, and asserts the final output contains 42 via the gateway path.
Live test execution harness and result recording test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts	Wires the full test: writes scenario JSON, checks Docker availability, installs prerequisites with redacted secrets, base64-encodes and executes the embedded script in the sandbox, asserts success marker presence, runs cleanup, and writes scenario-result.json as passed.
CI workflow job and report-to-pr wiring .github/workflows/e2e-vitest-scenarios.yaml	Adds issue-4462-scope-upgrade-approval-vitest job with Node setup, dep install, CLI build, OpenShell install, OPENSHELL_BIN resolution, Vitest run, and artifact upload; extends report-to-pr.needs to include the new job.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• Epic: Migrate legacy bash E2E into the Vitest E2E system #5098: Implements the Epic's core objective by migrating a legacy bash E2E scenario to a Vitest test and wiring it into the e2e-vitest-scenarios.yaml workflow, exemplifying the Definition of Done pattern.

Possibly related PRs

• NVIDIA/NemoClaw#5243: Adds the Vitest "jobs selector" workflow plumbing in the same e2e-vitest-scenarios.yaml that gates the new job dispatch logic.
• NVIDIA/NemoClaw#5406: Stabilizes the same issue-4462 scope-upgrade approval scenario by handling preapproved and already-satisfied states in the bash script logic.
• NVIDIA/NemoClaw#5412: Modifies the same E2E #4462 test logic to handle legacy/gateway-mode completion paths via bash script adjustments and post-approval assertions.

Suggested labels

area: e2e, chore, v0.0.65

Poem

🐇 Hop hop, the shell script's gone away,
Now TypeScript Vitest rules the day!
Scope upgrades approved, no admin leak,
The gateway path is what we seek.
42 confirmed—the bunny cheers! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'test(e2e): migrate scope upgrade approval to Vitest' accurately describes the main change—migrating a shell-based E2E test to Vitest. It is specific, clear, and directly reflects the primary objective of the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch e2e-migrate/test-issue-4462-scope-upgrade-approval

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: issue-4462-scope-upgrade-approval-vitest

Dispatch hint: issue-4462-scope-upgrade-approval-vitest

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None.

Optional E2E

• issue-4462-scope-upgrade-approval-vitest (high): This is the new workflow job and live scenario added by the PR. Running it validates that the workflow selector, OpenShell setup, install path, scope-upgrade approval flow, and artifact upload configuration work as intended. Because the PR only adds E2E coverage and CI wiring, it is useful confidence but not merge-blocking for runtime behavior.

New E2E recommendations

• None.

Dispatch hint

• Workflow: .github/workflows/e2e-vitest-scenarios.yaml
• jobs input: issue-4462-scope-upgrade-approval-vitest

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: issue-4462-scope-upgrade-approval-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

• gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-4462-scope-upgrade-approval-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• issue-4462-scope-upgrade-approval-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts.
  • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=issue-4462-scope-upgrade-approval-vitest

Optional Vitest E2E scenarios

• None.

Relevant changed files

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts

[github-actions]

PR Review Advisor

Findings: 3 needs attention, 4 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 5 still apply, 1 new item found

Review findings

🛠️ Needs attention

• Not-reproduced path can skip the no-admin assertion (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:161): The test's stated security contract is that scope-upgrade approval, preapproval, or a not-reproduced state must not grant `operator.admin`. In the branch where no pending request is found, `assert_agent_scopes_without_admin` is tried first, but if that check fails and the trigger agent still returns 42 without fallback markers, the script exits successfully as `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE`. That can let this authorization regression test pass even when a CLI paired device has `operator.admin`.
  • Recommendation: Before taking the `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` success exit, explicitly fail if any CLI paired device has `operator.admin`, or require `assert_agent_scopes_without_admin` to pass for every success path.
  • Evidence: After `assert_agent_scopes_without_admin` fails at lines 159-160, the `elif` at line 161 can still echo `ISSUE_4462_SCOPE_UPGRADE_OK` and `exit 0`. The later final `assert_agent_scopes_without_admin` at line 198 is bypassed by this early exit.
• Scenario can pass without exercising pending scope-upgrade creation and rejection (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:150): Issue OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462's core path says a low-scope CLI agent turn causes the gateway to create a pending `operator.read`/`operator.write` scope-upgrade request and reject the connection until approval. The migrated test detects and approves a pending request when present, but it also accepts preapproved and not-reproduced states where no pending request exists. That means the scenario can pass without proving the request-creation/rejection behavior that caused the regression.
  • Recommendation: Either require the pending request path for this scenario, or split/document the tolerated preapproved/not-reproduced state and add separate regression coverage that proves a low-scope CLI triggers a pending `operator.read`/`operator.write` upgrade before approval.
  • Evidence: When `request_id` is empty, the script triggers an agent turn at line 153, then accepts either `SCOPE_ALREADY_APPROVED` at line 160 or `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` at lines 163-165 instead of requiring a pending scope-upgrade request and rejection.
• Initial low-scope CLI device precondition is not asserted (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:144): The linked issue starts from a CLI device paired only with `operator.pairing`, and says `openclaw devices list --json` should show that state. The migrated test runs `openclaw devices list --json`, but ignores failure and never asserts that the paired CLI is present with only `operator.pairing`. This loses a key reproduction precondition from the legacy shell scenario.
  • Recommendation: Assert that `openclaw devices list --json` succeeds and shows a CLI paired device with `operator.pairing` but without `operator.read`, `operator.write`, or `operator.admin`, or document why this migrated fix gate intentionally starts after that state and identify separate coverage for the precondition.
  • Evidence: Line 144 redirects `openclaw devices list --json` to `/tmp/issue4462-devices-list.json` with `|| true`; the file is not parsed afterward. The new `assert_agent_scopes_without_admin` only accepts read/write-approved devices and does not prove the initial pairing-only state.

🔎 Worth checking

• Source-of-truth review needed: `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` no-pending tolerance: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: Lines 161-165 print `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` and `ISSUE_4462_SCOPE_UPGRADE_OK` before exiting 0.
• Migrated approve-guard check no longer proves the subprocess env boundary (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:75): The new Vitest scenario checks that `/tmp/nemoclaw-proxy-env.sh` contains the devices-approve guard string and then observes approval success. The legacy shell test additionally wrapped `openclaw` to prove that the `devices approve` subprocess saw `OPENCLAW_GATEWAY_URL`, `OPENCLAW_GATEWAY_PORT`, and `OPENCLAW_GATEWAY_TOKEN` unset while the caller shell retained its gateway env. If the intent is full migration parity for the guard boundary, the new test is less precise.
  • Recommendation: Restore the subprocess-env probe in the Vitest sandbox script, or document why guard-string presence plus approval success is sufficient for this migration.
  • Evidence: Line 75 greps for `unset OPENCLAW_GATEWAY_URL OPENCLAW_GATEWAY_PORT OPENCLAW_GATEWAY_TOKEN; command openclaw`; the new script never emits or checks the legacy `__APPROVE_SUBPROCESS_ENV__=unset:unset:unset` evidence.
• New default live job expands inference-secret exposure to dispatched branch code (.github/workflows/e2e-vitest-scenarios.yaml:2023): The workflow adds another free-standing live E2E job that receives `NVIDIA_INFERENCE_API_KEY` and runs repository code from the checked-out ref, including `install.sh`, the built CLI, and the new Vitest test. This follows existing live E2E patterns and uses pinned actions with `persist-credentials: false`, but it still expands the trusted-code boundary for a secret-bearing workflow job.
  • Recommendation: Confirm this job is intended to run in the default secret-bearing workflow set, or restrict it to explicit scenarios/jobs if the issue-4462 migration does not need default execution. Keep the secret redaction and pinned-action boundaries in place.
  • Evidence: The job condition at line 1989 runs when both `inputs.jobs` and `inputs.scenarios` are empty, and the Vitest step passes `NVIDIA_INFERENCE_API_KEY: ${{ secrets.NVIDIA_INFERENCE_API_KEY }}` at line 2023.
• Not-reproduced tolerance lacks source-of-truth criteria (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:161): The `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` path is a localized tolerance for an unexpected/no-pending state, but the migrated test does not identify the invalid state's source boundary, why it cannot be fixed or made deterministic here, what regression test prevents the source from drifting, or when this tolerance can be removed.
  • Recommendation: Document or encode the source-of-truth criteria for the tolerated no-pending state, and prefer making the invalid state impossible at setup time. If the tolerance remains, add a focused regression check and a removal condition.
  • Evidence: The branch at lines 161-165 exits successfully after no pending request is found; the new test's artifact `contracts` list does not explain the tolerated state or removal condition.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — No-request not-reproduced branch fails when any CLI paired device includes `operator.admin`.. The changed behavior crosses live sandbox setup, gateway authorization, scope approval, workflow selector, and inference-secret boundaries. The live Vitest scenario is the right level of validation, but several behavior-specific edges are not yet proved by the migration.
• **Runtime validation** — `openclaw devices list --json` succeeds and shows the paired CLI with only `operator.pairing` before the scope-upgrade trigger.. The changed behavior crosses live sandbox setup, gateway authorization, scope approval, workflow selector, and inference-secret boundaries. The live Vitest scenario is the right level of validation, but several behavior-specific edges are not yet proved by the migration.
• **Runtime validation** — Pending scope-upgrade request is created and the first gateway agent connection is rejected before approval when the bug is reproducible.. The changed behavior crosses live sandbox setup, gateway authorization, scope approval, workflow selector, and inference-secret boundaries. The live Vitest scenario is the right level of validation, but several behavior-specific edges are not yet proved by the migration.
• **Runtime validation** — `openclaw devices approve` subprocess sees `OPENCLAW_GATEWAY_URL`, `OPENCLAW_GATEWAY_PORT`, and `OPENCLAW_GATEWAY_TOKEN` unset while the caller shell retains its gateway env.. The changed behavior crosses live sandbox setup, gateway authorization, scope approval, workflow selector, and inference-secret boundaries. The live Vitest scenario is the right level of validation, but several behavior-specific edges are not yet proved by the migration.
• **Runtime validation** — Preapproved/no-pending tolerated branch has a source-of-truth regression test and documented removal condition.. The changed behavior crosses live sandbox setup, gateway authorization, scope approval, workflow selector, and inference-secret boundaries. The live Vitest scenario is the right level of validation, but several behavior-specific edges are not yet proved by the migration.
• **Migrated approve-guard check no longer proves the subprocess env boundary** — Restore the subprocess-env probe in the Vitest sandbox script, or document why guard-string presence plus approval success is sufficient for this migration.
• **Acceptance clause:** NemoClaw/OpenClaw appears to auto-pair the CLI device with a minimal operator.pairing scope. — add test evidence or identify existing coverage. The new script does not assert an initial paired CLI device with only `operator.pairing`; it starts by ignoring `openclaw devices list --json` failure and reading raw state.
• **Acceptance clause:** In that state, openclaw devices list --json works and shows the CLI under paired, but only with operator.pairing. — add test evidence or identify existing coverage. Line 144 runs `openclaw devices list --json >/tmp/issue4462-devices-list.json 2>&1 || true`, but the test never asserts success or parses the JSON output.

Since last review details

Current findings:

• Source-of-truth review needed: `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` no-pending tolerance: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: Lines 161-165 print `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` and `ISSUE_4462_SCOPE_UPGRADE_OK` before exiting 0.
• Not-reproduced path can skip the no-admin assertion (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:161): The test's stated security contract is that scope-upgrade approval, preapproval, or a not-reproduced state must not grant `operator.admin`. In the branch where no pending request is found, `assert_agent_scopes_without_admin` is tried first, but if that check fails and the trigger agent still returns 42 without fallback markers, the script exits successfully as `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE`. That can let this authorization regression test pass even when a CLI paired device has `operator.admin`.
  • Recommendation: Before taking the `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` success exit, explicitly fail if any CLI paired device has `operator.admin`, or require `assert_agent_scopes_without_admin` to pass for every success path.
  • Evidence: After `assert_agent_scopes_without_admin` fails at lines 159-160, the `elif` at line 161 can still echo `ISSUE_4462_SCOPE_UPGRADE_OK` and `exit 0`. The later final `assert_agent_scopes_without_admin` at line 198 is bypassed by this early exit.
• Scenario can pass without exercising pending scope-upgrade creation and rejection (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:150): Issue OpenClaw CLI scope-upgrade approval deadlocks and forces openclaw agent into embedded fallback #4462's core path says a low-scope CLI agent turn causes the gateway to create a pending `operator.read`/`operator.write` scope-upgrade request and reject the connection until approval. The migrated test detects and approves a pending request when present, but it also accepts preapproved and not-reproduced states where no pending request exists. That means the scenario can pass without proving the request-creation/rejection behavior that caused the regression.
  • Recommendation: Either require the pending request path for this scenario, or split/document the tolerated preapproved/not-reproduced state and add separate regression coverage that proves a low-scope CLI triggers a pending `operator.read`/`operator.write` upgrade before approval.
  • Evidence: When `request_id` is empty, the script triggers an agent turn at line 153, then accepts either `SCOPE_ALREADY_APPROVED` at line 160 or `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` at lines 163-165 instead of requiring a pending scope-upgrade request and rejection.
• Initial low-scope CLI device precondition is not asserted (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:144): The linked issue starts from a CLI device paired only with `operator.pairing`, and says `openclaw devices list --json` should show that state. The migrated test runs `openclaw devices list --json`, but ignores failure and never asserts that the paired CLI is present with only `operator.pairing`. This loses a key reproduction precondition from the legacy shell scenario.
  • Recommendation: Assert that `openclaw devices list --json` succeeds and shows a CLI paired device with `operator.pairing` but without `operator.read`, `operator.write`, or `operator.admin`, or document why this migrated fix gate intentionally starts after that state and identify separate coverage for the precondition.
  • Evidence: Line 144 redirects `openclaw devices list --json` to `/tmp/issue4462-devices-list.json` with `|| true`; the file is not parsed afterward. The new `assert_agent_scopes_without_admin` only accepts read/write-approved devices and does not prove the initial pairing-only state.
• Migrated approve-guard check no longer proves the subprocess env boundary (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:75): The new Vitest scenario checks that `/tmp/nemoclaw-proxy-env.sh` contains the devices-approve guard string and then observes approval success. The legacy shell test additionally wrapped `openclaw` to prove that the `devices approve` subprocess saw `OPENCLAW_GATEWAY_URL`, `OPENCLAW_GATEWAY_PORT`, and `OPENCLAW_GATEWAY_TOKEN` unset while the caller shell retained its gateway env. If the intent is full migration parity for the guard boundary, the new test is less precise.
  • Recommendation: Restore the subprocess-env probe in the Vitest sandbox script, or document why guard-string presence plus approval success is sufficient for this migration.
  • Evidence: Line 75 greps for `unset OPENCLAW_GATEWAY_URL OPENCLAW_GATEWAY_PORT OPENCLAW_GATEWAY_TOKEN; command openclaw`; the new script never emits or checks the legacy `__APPROVE_SUBPROCESS_ENV__=unset:unset:unset` evidence.
• New default live job expands inference-secret exposure to dispatched branch code (.github/workflows/e2e-vitest-scenarios.yaml:2023): The workflow adds another free-standing live E2E job that receives `NVIDIA_INFERENCE_API_KEY` and runs repository code from the checked-out ref, including `install.sh`, the built CLI, and the new Vitest test. This follows existing live E2E patterns and uses pinned actions with `persist-credentials: false`, but it still expands the trusted-code boundary for a secret-bearing workflow job.
  • Recommendation: Confirm this job is intended to run in the default secret-bearing workflow set, or restrict it to explicit scenarios/jobs if the issue-4462 migration does not need default execution. Keep the secret redaction and pinned-action boundaries in place.
  • Evidence: The job condition at line 1989 runs when both `inputs.jobs` and `inputs.scenarios` are empty, and the Vitest step passes `NVIDIA_INFERENCE_API_KEY: ${{ secrets.NVIDIA_INFERENCE_API_KEY }}` at line 2023.
• Not-reproduced tolerance lacks source-of-truth criteria (test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts:161): The `TRIGGER_COMPLETED_WITHOUT_PENDING_SCOPE_UPGRADE` path is a localized tolerance for an unexpected/no-pending state, but the migrated test does not identify the invalid state's source boundary, why it cannot be fixed or made deterministic here, what regression test prevents the source from drifting, or when this tolerance can be removed.
  • Recommendation: Document or encode the source-of-truth criteria for the tolerated no-pending state, and prefer making the invalid state impossible at setup time. If the tolerance remains, add a focused regression check and a removal condition.
  • Evidence: The branch at lines 161-165 exits successfully after no pending request is found; the new test's artifact `contracts` list does not explain the tolerated state or removal condition.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-code-quality]

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the e2e-migrate/test-iss... branch is 96%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	e2e-migrate/test-iss... e16f24f	+/-
nemoclaw/src/se...cret-scanner.ts	—	100%	—
nemoclaw/src/commands/slash.ts	—	100%	—
nemoclaw/src/li...bprocess-env.ts	—	100%	—
nemoclaw/src/bl...eprint/state.ts	—	98%	—
nemoclaw/src/onboard/config.ts	—	98%	—
nemoclaw/src/bl...int/snapshot.ts	—	97%	—
nemoclaw/src/bl...print/runner.ts	—	95%	—
nemoclaw/src/co...ration-state.ts	—	94%	—
nemoclaw/src/bl...ate-networks.ts	—	94%	—
nemoclaw/src/index.ts	—	94%	—

TypeScript / code-coverage/cli

The overall coverage in the e2e-migrate/test-iss... branch is 46%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	e2e-migrate/test-iss... e16f24f	+/-
src/lib/state/o...oard-session.ts	—	90%	—
src/lib/inference/local.ts	—	76%	—
src/lib/sandbox/config.ts	—	72%	—
src/lib/actions...dbox/rebuild.ts	—	67%	—
src/lib/onboard/preflight.ts	—	64%	—
src/lib/actions...licy-channel.ts	—	56%	—
src/lib/state/sandbox.ts	—	55%	—
src/lib/policy/index.ts	—	49%	—
src/lib/onboard...er-gpu-patch.ts	—	44%	—
src/lib/onboard.ts	—	18%	—

---

_{Updated June 16, 2026 21:29 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27629709761
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 1 passed, 1 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	❌ failure
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

Failed jobs: issue-4462-scope-upgrade-approval-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27630405507
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 1 passed, 1 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	❌ failure
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

Failed jobs: issue-4462-scope-upgrade-approval-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 27631165609
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 1 passed, 1 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	❌ failure
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

Failed jobs: issue-4462-scope-upgrade-approval-vitest. Check run artifacts for logs.

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27631676124
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 2 passed, 0 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	✅ success
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27633396676
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 2 passed, 0 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	✅ success
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-vitest-scenarios.yaml:
- Around line 1822-1840: The NVIDIA_INFERENCE_API_KEY environment variable in
the "Run issue-4462-scope-upgrade-approval live Vitest test" job is
inconsistently sourced from secrets.NVIDIA_API_KEY, while all other occurrences
throughout the workflow use secrets.NVIDIA_INFERENCE_API_KEY. Update the env
section for this job to source NVIDIA_INFERENCE_API_KEY from
secrets.NVIDIA_INFERENCE_API_KEY to maintain consistency with the rest of the
workflow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 81c266e9-91f7-4ec8-93b7-327d627cdbd6

📥 Commits

Reviewing files that changed from the base of the PR and between 6c0fb04 and 87d5cc8.

📒 Files selected for processing (2)

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/issue-4462-scope-upgrade-approval.test.ts

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27635628747
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 2 passed, 0 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	✅ success
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27636908661
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 2 passed, 0 failed, 35 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	✅ success
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27638947760
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 2 passed, 0 failed, 36 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	✅ success
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
onboard-resume-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped

[github-actions]

Vitest E2E Scenario Results — ✅ All jobs passed

Run: 27649248534
Workflow ref: e2e-migrate/test-issue-4462-scope-upgrade-approval
Requested scenarios: (default — all supported)
Requested jobs: issue-4462-scope-upgrade-approval-vitest
Summary: 2 passed, 0 failed, 38 skipped

Job	Result
bedrock-runtime-compatible-anthropic-vitest	⏭️ skipped
channels-add-remove-vitest	⏭️ skipped
cloud-inference-vitest	⏭️ skipped
cloud-onboard-vitest	⏭️ skipped
common-egress-agent-vitest	⏭️ skipped
credential-migration-vitest	⏭️ skipped
credential-sanitization-vitest	⏭️ skipped
double-onboard-vitest	⏭️ skipped
full-e2e-vitest	⏭️ skipped
gateway-drift-preflight-vitest	⏭️ skipped
gateway-guard-recovery	⏭️ skipped
gateway-health-honest-vitest	⏭️ skipped
generate-matrix	✅ success
hermes-e2e-vitest	⏭️ skipped
hermes-root-entrypoint-smoke-vitest	⏭️ skipped
inference-routing-vitest	⏭️ skipped
issue-2478-crash-loop-recovery-vitest	⏭️ skipped
issue-4434-tui-unreachable-inference-vitest	⏭️ skipped
issue-4462-scope-upgrade-approval-vitest	✅ success
launchable-smoke-vitest	⏭️ skipped
live-scenarios	⏭️ skipped
messaging-compatible-endpoint-vitest	⏭️ skipped
messaging-providers-vitest	⏭️ skipped
model-router-provider-routed-inference-vitest	⏭️ skipped
network-policy-vitest	⏭️ skipped
onboard-negative-paths-vitest	⏭️ skipped
onboard-resume-vitest	⏭️ skipped
openclaw-inference-switch-vitest	⏭️ skipped
openclaw-skill-cli-vitest	⏭️ skipped
openclaw-tui-chat-correlation-vitest	⏭️ skipped
openshell-version-pin-vitest	⏭️ skipped
rebuild-openclaw-vitest	⏭️ skipped
runtime-overrides-vitest	⏭️ skipped
sandbox-rebuild-vitest	⏭️ skipped
sandbox-survival-vitest	⏭️ skipped
sessions-agents-cli-vitest	⏭️ skipped
shields-config-vitest	⏭️ skipped
skill-agent-vitest	⏭️ skipped
state-backup-restore-vitest	⏭️ skipped
token-rotation-vitest	⏭️ skipped