fix(policy): suppress agent-required preset additions on restricted tier #5798

Open: laitingsheng wants to merge 28 commits into main from fix/restricted-tier-strict-presets

Conversation

@laitingsheng

@laitingsheng laitingsheng commented Jun 25, 2026

Contributor

Summary

`nemoclaw onboard --policy-tier=restricted` (and the interactive equivalent) used to apply `openclaw-pricing` to OpenClaw sandboxes regardless of the chosen tier, because the suggestion pipeline added it as an OpenClaw-required preset before the tier filter ran. The Restricted tier description promises "no third-party network access beyond inference and core agent tooling", so the pricing fetch — which reaches LiteLLM and OpenRouter — directly contradicts the tier intent. This change suppresses the OpenClaw agent-required additions (`openclaw-pricing`, and the local OTEL preset when OTEL is enabled) on the Restricted tier at both the suggestion helper and the final application boundary, prints a one-line onboard notice listing what was suppressed and how to reapply it, and documents the stricter Restricted behaviour in the tier definition and reference page.

Related Issue

Fixes #5793

Changes

  • `src/lib/onboard/policy-selection.ts`: extract a shared `agentRequiredPresetAdditions(agent, env)` helper so `computeSetupPresetSuggestions` and `suppressedAgentRequiredPresets` cannot drift apart. Gate the OpenClaw agent-required adds (`openclaw-pricing` and `requiredOpenclawOtelPolicyPresets`) on `tierName !== "restricted"` inside `computeSetupPresetSuggestions`, and filter the same set out of `chosen` and `interactiveChoice` after `mergeRequiredSetupPolicyPresets` so the later merge step cannot reintroduce the OTEL preset for restricted + OpenClaw.
  • `src/lib/onboard/policy-selection.ts`: new exported `suppressedAgentRequiredPresets(tierName, agent, env)` helper and a follow-up `deps.note(...)` in `setupPoliciesWithSelectionInner` that prints `Restricted tier suppresses agent-required preset(s): ... Apply later with 'nemoclaw <name> policy-add <preset>' if needed.` whenever the helper returns anything.
  • `nemoclaw-blueprint/policies/tiers.yaml`: extend the Restricted tier description (active voice) to call out that Restricted mode suppresses agent-required preset additions and to point operators at `policy-add`.
  • `docs/reference/network-policies.mdx`: mirror the new Restricted description in the tier table (active voice).
  • `test/onboard-policy-suggestions.test.ts`: ten new tests under `computeSetupPresetSuggestions > restricted tier suppresses agent-required preset additions` and a new `suppressedAgentRequiredPresets` block. The OTEL env-var tests save, clear, and restore both `NEMOCLAW_OPENCLAW_OTEL` and `NEMOCLAW_OPENCLAW_OTEL_ENDPOINT` so runner-inherited values cannot affect the expectation.
  • `test/policy-tiers-onboard.test.ts`: three new application-path tests that exercise `setupPoliciesWithSelection` end-to-end — restricted + OpenClaw applies zero presets in non-interactive suggested mode, restricted + OpenClaw with `NEMOCLAW_OPENCLAW_OTEL=1` does not re-add `openclaw-diagnostics-otel-local` after the required-preset merge, and the suppression note matches the final applied set.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Git hooks passed during commit and push, or npx prek run --from-ref main --to-ref HEAD passes
  • Targeted tests pass for changed behavior
  • Full npm test passes (broad runtime changes only)
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

Summary by CodeRabbit

  • Documentation

    • Updated “Restricted” network policy tier guidance to clarify that specific agent-required preset additions are suppressed and can be re-applied later with policy-add.
  • New Features

    • Restricted-tier onboarding now suppresses withheld agent-required presets for applicable agents and surfaces a note listing which presets are suppressed.
  • Bug Fixes

    • Correctly limits preset suggestions and prevents restricted presets from being (re-)applied; reconciliation removes previously applied withheld presets.
  • Tests

    • Added unit and integration coverage for Restricted-tier behavior, including OTEL-enabled scenarios and applied-vs-suppressed verification.
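
The two suppression boundaries described in the PR summary above, as an added TypeScript sketch that is not the PR's code: helper names follow the description, while the bodies, the `mergeRequired` stand-in, `selectPresets`, `leaked` and the sample tier preset are assumptions. It shows why gating only the suggestion step still lets a tier-unaware merge re-add the local OTEL preset.

```typescript
// Added illustration, not the project's code. Helper names follow the PR
// description; bodies, types and the sample tier preset are assumptions.
type Env = { [key: string]: string | undefined };

const RESTRICTED_TIER = "restricted";
const OTEL_LOCAL = "openclaw-diagnostics-otel-local";

function dedupe(names: string[]): string[] {
  return names.filter((name, i) => names.indexOf(name) === i);
}

// Assumed rule: the local OTEL preset is wanted when NEMOCLAW_OPENCLAW_OTEL=1
// (handling of NEMOCLAW_OPENCLAW_OTEL_ENDPOINT is left out of this sketch).
function otelRequired(agent: string, env: Env): string[] {
  return agent === "openclaw" && env.NEMOCLAW_OPENCLAW_OTEL === "1" ? [OTEL_LOCAL] : [];
}

// Everything the agent asks for regardless of tier.
function agentRequiredPresetAdditions(agent: string, env: Env): string[] {
  if (agent !== "openclaw") return [];
  return ["openclaw-pricing", ...otelRequired(agent, env)];
}

// Single source of truth for what must not be active on this tier.
function suppressedAgentRequiredPresets(tier: string, agent: string, env: Env): string[] {
  return tier === RESTRICTED_TIER ? agentRequiredPresetAdditions(agent, env) : [];
}

// Boundary 1: the suggestion step skips agent-required additions on Restricted.
function computeSuggestions(tier: string, agent: string, env: Env, tierPresets: string[]): string[] {
  const additions = tier === RESTRICTED_TIER ? [] : agentRequiredPresetAdditions(agent, env);
  return dedupe([...tierPresets, ...additions]);
}

// Stand-in for a later, tier-unaware merge of required presets. This is the
// step that can put the OTEL preset back after boundary 1 removed it.
function mergeRequired(chosen: string[], agent: string, env: Env): string[] {
  return dedupe([...chosen, ...otelRequired(agent, env)]);
}

interface Selection {
  applied: string[];
  suppressed: string[];
  note: string | null;
}

// filterAtApply=false models gating only the suggestion step;
// filterAtApply=true adds boundary 2, a filter that runs after the merge.
function selectPresets(
  tier: string,
  agent: string,
  env: Env,
  tierPresets: string[],
  filterAtApply: boolean
): Selection {
  const suppressed = suppressedAgentRequiredPresets(tier, agent, env);
  let applied = mergeRequired(computeSuggestions(tier, agent, env, tierPresets), agent, env);
  if (filterAtApply) {
    applied = applied.filter((name) => suppressed.indexOf(name) === -1);
  }
  // Note wording taken from the PR description.
  const note =
    suppressed.length === 0
      ? null
      : "Restricted tier suppresses agent-required preset(s): " +
        suppressed.join(", ") +
        ". Apply later with 'nemoclaw <name> policy-add <preset>' if needed.";
  return { applied, suppressed, note };
}

// Invariant the operator relies on: nothing reported as suppressed is active.
function leaked(sel: Selection): string[] {
  return sel.applied.filter((name) => sel.suppressed.indexOf(name) !== -1);
}

// Constructed inputs for the four cases worth comparing.
const OTEL_ON: Env = { NEMOCLAW_OPENCLAW_OTEL: "1" };
const suggestionGateOnly = selectPresets(RESTRICTED_TIER, "openclaw", OTEL_ON, [], false);
const bothBoundaries = selectPresets(RESTRICTED_TIER, "openclaw", OTEL_ON, [], true);
const restrictedNoOtel = selectPresets(RESTRICTED_TIER, "openclaw", {}, [], true);
const balanced = selectPresets("balanced", "openclaw", OTEL_ON, ["example-tier-preset"], true);
```
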

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Restricted-tier policy descriptions were updated to state that agent-required presets are suppressed and must be re-applied later. Onboarding selection now computes, reports, and filters those suppressed presets for OpenClaw restricted mode, and tests cover the new behavior.

Changes

Restricted tier preset suppression

| Layer / File(s) | Summary |
| --- | --- |
| Restricted tier contract: docs/reference/network-policies.mdx, nemoclaw-blueprint/policies/tiers.yaml, src/lib/onboard/policy-selection.ts | The restricted tier description now states that agent-required presets are suppressed in restricted mode, and policy selection adds a restricted-tier constant used by the suppression logic. |
| Suppression logic: src/lib/onboard/policy-selection.ts | OpenClaw agent-required presets are computed, reported as suppressed only for the restricted tier, filtered from preset lists, and skipped when building preset suggestions. |
| Onboard selection wiring: src/lib/onboard/policy-selection.ts | Setup computes suppressed preset names, emits a note when any are suppressed, and removes suppressed presets from non-interactive, preservation, and interactive selection paths. |
| Suppression tests: test/onboard-policy-suggestions.test.ts, test/policy-tiers-onboard.test.ts | The test suite adds environment helpers and assertions for restricted-tier suppression across suggestion output, helper return values, and onboard application flow. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

area: policy, area: docs

Poem

🐇 I hopped through restricted paths so neat,
and tucked the presets where tests couldీట్?
The docs now whisper, “pause, then add,”
while OpenClaw keeps its footing glad.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly states the main change: suppressing agent-required preset additions on the restricted tier. |
| Linked Issues check | ✅ Passed | The changes address #5793 by preventing restricted-tier onboarding from leaving openclaw-pricing or other agent-required presets active. |
| Out of Scope Changes check | ✅ Passed | The docs and test updates support the same restricted-tier suppression fix and do not introduce unrelated scope. |

Comment @coderabbitai help to get the list of available commands.

@laitingsheng added the labels area: onboarding (Onboarding FSM, provider setup, sandbox launch, or first-run flow) and bug-fix (PR fixes a bug or regression) on Jun 25, 2026
@github-code-quality

github-code-quality Bot commented Jun 25, 2026

Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 3848465 +/-
nemoclaw/src/se...cret-scanner.ts 100%
nemoclaw/src/commands/slash.ts 100%
nemoclaw/src/li...bprocess-env.ts 100%
nemoclaw/src/bl...eprint/state.ts 98%
nemoclaw/src/onboard/config.ts 98%
nemoclaw/src/bl...int/snapshot.ts 97%
nemoclaw/src/bl...print/runner.ts 95%
nemoclaw/src/co...ration-state.ts 94%
nemoclaw/src/bl...ate-networks.ts 94%
nemoclaw/src/index.ts 94%

TypeScript / code-coverage/cli

The overall coverage in the branch is 47%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 3848465 +/-
src/lib/state/o...oard-session.ts 91%
src/lib/actions...dbox/rebuild.ts 73%
src/lib/sandbox/config.ts 72%
src/lib/onboard/preflight.ts 62%
src/lib/shields/index.ts 62%
src/lib/actions...licy-channel.ts 60%
src/lib/state/sandbox.ts 56%
src/lib/policy/index.ts 48%
src/lib/onboard...er-gpu-patch.ts 47%
src/lib/onboard.ts 18%

Updated June 27, 2026 15:56 UTC

@github-actions

github-actions Bot commented Jun 25, 2026

Contributor

PR Review Advisor — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Source-of-truth review needed: Create-time sandbox policy tier decision.
Open items: 0 required · 3 warnings · 1 suggestion · 4 test follow-ups
Since last review: 2 prior items resolved · 1 still applies · 2 new items found

Action checklist

  • PRA-1 Resolve or justify: Source-of-truth review needed: Create-time sandbox policy tier decision
  • PRA-2 Resolve or justify: Create-time policy tier detection ignores `--non-interactive` unless the env var is also set in src/lib/onboard/sandbox-create-plan.ts:28
  • PRA-3 Resolve or justify: Restricted + OTEL-local suppression lacks a dedicated live OpenShell runtime assertion in test/e2e-scenario/live/network-policy.test.ts:737
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Restricted + OTEL-local suppression lacks a dedicated live OpenShell runtime assertion
  • PRA-T4 Add or justify test follow-up: Create-time sandbox policy tier decision
  • PRA-4 In-scope improvement: Restricted live onboard retry logic is still split between a helper and a local loop in test/e2e-scenario/live/network-policy.test.ts:407

Findings index

| ID | Severity | Category | Location | Required action |
| --- | --- | --- | --- | --- |
| PRA-1 | Resolve/justify | architecture | | Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior. |
| PRA-2 | Resolve/justify | correctness | src/lib/onboard/sandbox-create-plan.ts:28 | Pass the already-validated selected tier into `prepareSandboxCreatePlan()` from `onboard.ts`, for example `policyTier: isNonInteractive() ? policyTierEnv.resolvePolicyTierFromEnv() : null`, or otherwise thread the parsed `opts.nonInteractive` state into `prepareSandboxCreatePlan()` instead of re-reading only the env var. Keep the interactive path explicit `null` so create-time OTEL remains deferred until the operator-selected tier is known. |
| PRA-3 | Resolve/justify | tests | test/e2e-scenario/live/network-policy.test.ts:737 | Add or identify a focused live Vitest assertion for Restricted OpenClaw with `NEMOCLAW_OPENCLAW_OTEL=1` and default/local endpoint that checks the real `policy-list` output has neither `openclaw-diagnostics-otel-local` nor any active bullets before operator mutation. Keep it direct and local to the existing network-policy live suite; do not add a new framework layer. |
| PRA-4 | Improvement | architecture | test/e2e-scenario/live/network-policy.test.ts:407 | Either refactor the existing restricted network-policy scenario to use `ensureDockerAvailable()` and `runRestrictedOnboardWithRetry()`, or inline the new helper back into the new scenario if the two scenarios intentionally need different semantics. If the helper remains, delete the unused `scenarioSlug` option and argument. Keep the real CLI/OpenShell shell boundaries direct. |

Review findings by urgency: 0 required fixes, 3 items to resolve/justify, 1 in-scope improvement

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: Create-time sandbox policy tier decision

  • Location: not file-specific
  • Category: architecture
  • Problem: The advisor marked localized patch analysis as needs_followup.
  • Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
  • Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Missing regression test: Existing tests cover interactive/unknown env fail-closed behavior and create-time restricted suppression; the missing regression is the normal `--non-interactive` flag path without `NEMOCLAW_NON_INTERACTIVE=1`.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
  • Evidence: Covered by the correctness finding: `readPolicyTierEnv()` checks only the env var, while CLI `--non-interactive` sets `opts.nonInteractive` and `NON_INTERACTIVE`, not necessarily the env var.

PRA-2 Resolve/justify — Create-time policy tier detection ignores `--non-interactive` unless the env var is also set

  • Location: src/lib/onboard/sandbox-create-plan.ts:28
  • Category: correctness
  • Problem: `readPolicyTierEnv()` decides whether it may trust `NEMOCLAW_POLICY_TIER` by checking only `process.env.NEMOCLAW_NON_INTERACTIVE === "1"`. The normal CLI `nemoclaw onboard --non-interactive` path parses the flag into `opts.nonInteractive` and `onboard.ts` sets the internal `NON_INTERACTIVE` global, but it does not set `process.env.NEMOCLAW_NON_INTERACTIVE` before `prepareSandboxCreatePlan()` runs. As a result, a documented non-interactive flag run with `NEMOCLAW_POLICY_TIER=balanced` or `open` is treated as tier-unknown at sandbox create time.
  • Impact: This is fail-closed from a sandbox-egress perspective, but it changes intended behavior for known non-Restricted non-interactive runs: `openclaw-diagnostics-otel-local` is deferred instead of being included in the initial create policy when OTEL-local is enabled, so boot/create-time OpenClaw telemetry can be silently lost for `--non-interactive` users who did not also export `NEMOCLAW_NON_INTERACTIVE=1`.
  • Recommended action: Pass the already-validated selected tier into `prepareSandboxCreatePlan()` from `onboard.ts`, for example `policyTier: isNonInteractive() ? policyTierEnv.resolvePolicyTierFromEnv() : null`, or otherwise thread the parsed `opts.nonInteractive` state into `prepareSandboxCreatePlan()` instead of re-reading only the env var. Keep the interactive path explicit `null` so create-time OTEL remains deferred until the operator-selected tier is known.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read `src/lib/onboard/legacy-command.ts` where `--non-interactive` becomes `options.nonInteractive`, then `src/lib/onboard.ts:4661` where that value only updates `NON_INTERACTIVE`, and finally `src/lib/onboard/sandbox-create-plan.ts:28` where the create-time reader checks only `process.env.NEMOCLAW_NON_INTERACTIVE`.
  • Missing regression test: Add a create-plan or CLI-level regression for `nemoclaw onboard --non-interactive` with `NEMOCLAW_POLICY_TIER=balanced`, `NEMOCLAW_OPENCLAW_OTEL=1`, and the default/local OTEL endpoint, without setting `NEMOCLAW_NON_INTERACTIVE`; assert the policy tier passed to `prepareInitialSandboxCreatePolicy` is `balanced` or that the initial create policy includes `openclaw-diagnostics-otel-local`. Add the matching interactive regression with `NEMOCLAW_POLICY_TIER=balanced` but no `--non-interactive` to assert the passed tier remains `null`.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `src/lib/onboard/legacy-command.ts` where `--non-interactive` becomes `options.nonInteractive`, then `src/lib/onboard.ts:4661` where that value only updates `NON_INTERACTIVE`, and finally `src/lib/onboard/sandbox-create-plan.ts:28` where the create-time reader checks only `process.env.NEMOCLAW_NON_INTERACTIVE`.
  • Evidence: `onboard.ts` calls `sandboxCreatePlan.prepareSandboxCreatePlan({ ... agentName: agent?.name })` without a `policyTier`; `prepareSandboxCreatePlan` defaults `policyTier = readPolicyTierEnv()`; `readPolicyTierEnv()` returns `null` unless `process.env.NEMOCLAW_NON_INTERACTIVE === "1"`, even though `isNonInteractive()` can be true from the CLI flag alone.

PRA-3 Resolve/justify — Restricted + OTEL-local suppression lacks a dedicated live OpenShell runtime assertion

  • Location: test/e2e-scenario/live/network-policy.test.ts:737
  • Category: tests
  • Problem: The PR adds strong unit and stubbed integration coverage for Restricted + `NEMOCLAW_OPENCLAW_OTEL=1`, and the existing live restricted scenario asserts `openclaw-diagnostics-otel-local` is absent after one restricted onboard. However, the new default zero-active-presets live scenario explicitly does not run an OTEL-enabled onboard; its comment defers that live variant. Because the suppressed preset opens host-local OTLP egress, a real OpenShell `policy-list` assertion for the OTEL-enabled restricted path would materially improve confidence in this security boundary.
  • Impact: A bug in the real onboard/create/reconcile path that leaves `openclaw-diagnostics-otel-local` active only when OTEL is enabled could pass the default zero-preset live scenario and rely on mocked policy APIs for detection. That would weaken Restricted sandbox egress to `host.openshell.internal:4318`.
  • Recommended action: Add or identify a focused live Vitest assertion for Restricted OpenClaw with `NEMOCLAW_OPENCLAW_OTEL=1` and default/local endpoint that checks the real `policy-list` output has neither `openclaw-diagnostics-otel-local` nor any active bullets before operator mutation. Keep it direct and local to the existing network-policy live suite; do not add a new framework layer.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read `test/e2e-scenario/live/network-policy.test.ts` around the new `restricted-openclaw-policy-suppression` scenario comments: it states the OTEL-enabled live variant is deferred while the default scenario asserts zero `●` bullets only for no-OTEL onboarding.
  • Missing regression test: Add `network-policy: restricted OpenClaw with OTEL enabled leaves policy-list without openclaw-diagnostics-otel-local`, using the existing restricted onboard helper with `extraOnboardEnv: { NEMOCLAW_OPENCLAW_OTEL: "1", NEMOCLAW_OPENCLAW_OTEL_ENDPOINT: undefined }`, then assert `policy-list` contains no `● openclaw-diagnostics-otel-local` and no active preset bullets before any `policy-add`.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `test/e2e-scenario/live/network-policy.test.ts` around the new `restricted-openclaw-policy-suppression` scenario comments: it states the OTEL-enabled live variant is deferred while the default scenario asserts zero `●` bullets only for no-OTEL onboarding.
  • Evidence: Changed tests include `test/policy-tiers-onboard.test.ts` cases for OTEL-enabled suppression and `test/policy-tiers-onboard-restricted-stale-otel.test.ts` stale cleanup, but the live default zero-preset scenario comments say the OTEL-enabled live variant is deferred to keep wall-clock to a single onboard.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-4 Improvement — Restricted live onboard retry logic is still split between a helper and a local loop

  • Location: test/e2e-scenario/live/network-policy.test.ts:407
  • Category: architecture
  • Problem: The new `restricted-openclaw-policy-suppression` live scenario uses `ensureDockerAvailable()` and `runRestrictedOnboardWithRetry()`, but the existing restricted network-policy scenario in the same file still contains its own Docker prerequisite handling, `ONBOARD_ATTEMPTS` retry loop, transient-provider skip artifact, backoff, and cleanup semantics. The helper also defines and receives `scenarioSlug`, but that option is unused.
  • Impact: Duplicated retry/skip behavior in a high-risk live sandbox/network-policy suite can drift, making failures harder to interpret and increasing maintenance cost. The unused option adds API surface without behavior.
  • Suggested action: Either refactor the existing restricted network-policy scenario to use `ensureDockerAvailable()` and `runRestrictedOnboardWithRetry()`, or inline the new helper back into the new scenario if the two scenarios intentionally need different semantics. If the helper remains, delete the unused `scenarioSlug` option and argument. Keep the real CLI/OpenShell shell boundaries direct.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search `test/e2e-scenario/live/network-policy.test.ts` for `ONBOARD_ATTEMPTS` and `runRestrictedOnboardWithRetry`; the original scenario still has the local retry loop while the new scenario calls the helper. Then read `test/e2e-scenario/live/restricted-onboard-helpers.ts` for the unused `scenarioSlug` field.
  • Missing regression test: No new behavior test is required for this shape-only cleanup; preserve the existing live assertions that Restricted onboarding completes, suppressed OpenClaw presets are absent, and the default Restricted scenario reports zero active `policy-list` bullets.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: `network-policy.test.ts` imports and uses the new helper only for the second restricted scenario, while the first scenario still writes `transient-provider-validation.skip.json` and retries locally. `RestrictedOnboardOptions` includes `scenarioSlug`, and the new scenario passes it, but no helper code reads it.
Simplification opportunities: 1 possible cut, net -40 lines possible

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-4 shrink (test/e2e-scenario/live/network-policy.test.ts:407): The duplicate local restricted onboard retry/skip loop in the original live network-policy scenario plus the unused `scenarioSlug` helper option.
    • Replacement: Use one shared restricted onboard helper for both live scenarios, or keep both scenarios self-contained and remove the helper; delete `scenarioSlug` if the helper remains.
    • Net: -40 lines
    • Safety boundary: Do not remove the real CLI/OpenShell execution boundaries, policy-list assertions, transient-provider classification, or cleanup of created sandboxes.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — `prepareSandboxCreatePlan honors --non-interactive flag tier selection for create-time OTEL on balanced/open without requiring NEMOCLAW_NON_INTERACTIVE=1`. The main linked issue is covered by unit/stubbed integration tests and a live restricted zero-preset scenario, but this PR changes sandbox-create and live policy reconciliation behavior. Runtime validation remains valuable for the OTEL-local egress boundary and for the parsed `--non-interactive` flag path that is not equivalent to the env var used by the create-time helper.
  • PRA-T2 Runtime validation — `network-policy live restricted OpenClaw with NEMOCLAW_OPENCLAW_OTEL=1 leaves policy-list without openclaw-diagnostics-otel-local or active preset bullets`. The main linked issue is covered by unit/stubbed integration tests and a live restricted zero-preset scenario, but this PR changes sandbox-create and live policy reconciliation behavior. Runtime validation remains valuable for the OTEL-local egress boundary and for the parsed `--non-interactive` flag path that is not equivalent to the env var used by the create-time helper.
  • PRA-T3 Restricted + OTEL-local suppression lacks a dedicated live OpenShell runtime assertion — Add or identify a focused live Vitest assertion for Restricted OpenClaw with `NEMOCLAW_OPENCLAW_OTEL=1` and default/local endpoint that checks the real `policy-list` output has neither `openclaw-diagnostics-otel-local` nor any active bullets before operator mutation. Keep it direct and local to the existing network-policy live suite; do not add a new framework layer.
  • PRA-T4 Create-time sandbox policy tier decision — Existing tests cover interactive/unknown env fail-closed behavior and create-time restricted suppression; the missing regression is the normal `--non-interactive` flag path without `NEMOCLAW_NON_INTERACTIVE=1`. Covered by the correctness finding: `readPolicyTierEnv()` checks only the env var, while CLI `--non-interactive` sets `opts.nonInteractive` and `NON_INTERACTIVE`, not necessarily the env var.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `test/e2e-scenario/live/network-policy.test.ts` around the new `restricted-openclaw-policy-suppression` scenario comments: it states the OTEL-enabled live variant is deferred while the default scenario asserts zero `●` bullets only for no-OTEL onboarding.
  • Evidence: Changed tests include `test/policy-tiers-onboard.test.ts` cases for OTEL-enabled suppression and `test/policy-tiers-onboard-restricted-stale-otel.test.ts` stale cleanup, but the live default zero-preset scenario comments say the OTEL-enabled live variant is deferred to keep wall-clock to a single onboard.

PRA-4 Improvement — Restricted live onboard retry logic is still split between a helper and a local loop

  • Location: test/e2e-scenario/live/network-policy.test.ts:407
  • Category: architecture
  • Problem: The new `restricted-openclaw-policy-suppression` live scenario uses `ensureDockerAvailable()` and `runRestrictedOnboardWithRetry()`, but the existing restricted network-policy scenario in the same file still contains its own Docker prerequisite handling, `ONBOARD_ATTEMPTS` retry loop, transient-provider skip artifact, backoff, and cleanup semantics. The helper also defines and receives `scenarioSlug`, but that option is unused.
  • Impact: Duplicated retry/skip behavior in a high-risk live sandbox/network-policy suite can drift, making failures harder to interpret and increasing maintenance cost. The unused option adds API surface without behavior.
  • Suggested action: Either refactor the existing restricted network-policy scenario to use `ensureDockerAvailable()` and `runRestrictedOnboardWithRetry()`, or inline the new helper back into the new scenario if the two scenarios intentionally need different semantics. If the helper remains, delete the unused `scenarioSlug` option and argument. Keep the real CLI/OpenShell shell boundaries direct.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search `test/e2e-scenario/live/network-policy.test.ts` for `ONBOARD_ATTEMPTS` and `runRestrictedOnboardWithRetry`; the original scenario still has the local retry loop while the new scenario calls the helper. Then read `test/e2e-scenario/live/restricted-onboard-helpers.ts` for the unused `scenarioSlug` field.
  • Missing regression test: No new behavior test is required for this shape-only cleanup; preserve the existing live assertions that Restricted onboarding completes, suppressed OpenClaw presets are absent, and the default Restricted scenario reports zero active `policy-list` bullets.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: `network-policy.test.ts` imports and uses the new helper only for the second restricted scenario, while the first scenario still writes `transient-provider-validation.skip.json` and retries locally. `RestrictedOnboardOptions` includes `scenarioSlug`, and the new scenario passes it, but no helper code reads it.

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.
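The finding above about `prepareSandboxCreatePlan()` re-reading only `NEMOCLAW_NON_INTERACTIVE` comes down to two readers of one setting disagreeing. The sketch below is an added example, not code from this PR or the project: function names follow the review text, while the bodies, the `Plan` shape, `planBefore`/`planAfter`, and the rule that an unset endpoint means the local one are assumptions.

```typescript
// Added illustration; simplified model, not the project's implementation.
type Env = Record<string, string | undefined>;
interface CliOptions { nonInteractive: boolean }
interface Plan { tier: string | null; presets: string[] }

const OTEL_LOCAL_PRESET = "openclaw-diagnostics-otel-local";

// Constructed sample: operator passes --non-interactive but does not export
// NEMOCLAW_NON_INTERACTIVE.
const FLAG_ONLY_ENV: Env = {
  NEMOCLAW_POLICY_TIER: "balanced",
  NEMOCLAW_OPENCLAW_OTEL: "1",
};

// Resolved state: either the CLI flag or the env var makes the run non-interactive.
function isNonInteractive(opts: CliOptions, env: Env): boolean {
  return opts.nonInteractive || env["NEMOCLAW_NON_INTERACTIVE"] === "1";
}

// Create-time reader as the finding describes it: it can only see the env var.
function readPolicyTierEnv(env: Env): string | null {
  if (env["NEMOCLAW_NON_INTERACTIVE"] !== "1") return null;
  return env["NEMOCLAW_POLICY_TIER"] ?? null;
}

// Recommended shape: derive the tier from the resolved state and keep the
// interactive path an explicit null so create-time OTEL stays deferred.
function resolveCreateTimeTier(opts: CliOptions, env: Env): string | null {
  return isNonInteractive(opts, env) ? (env["NEMOCLAW_POLICY_TIER"] ?? null) : null;
}

// Assumed create-time rule: no tier yet or Restricted means no agent-required
// preset; otherwise local OTEL egress is opened when OTEL is on and no custom
// endpoint is configured.
function initialCreatePresets(tier: string | null, env: Env): string[] {
  if (tier === null || tier === "restricted") return [];
  const otelLocal =
    env["NEMOCLAW_OPENCLAW_OTEL"] === "1" && !env["NEMOCLAW_OPENCLAW_OTEL_ENDPOINT"];
  return otelLocal ? [OTEL_LOCAL_PRESET] : [];
}

// Before: the plan defaults its tier from the env-only reader.
function planBefore(env: Env): Plan {
  const tier = readPolicyTierEnv(env);
  return { tier, presets: initialCreatePresets(tier, env) };
}

// After: the caller threads the parsed CLI state into the plan.
function planAfter(opts: CliOptions, env: Env): Plan {
  const tier = resolveCreateTimeTier(opts, env);
  return { tier, presets: initialCreatePresets(tier, env) };
}
```

With `FLAG_ONLY_ENV`, `planBefore` yields a `null` tier while `planAfter({ nonInteractive: true }, ...)` yields `balanced`, which is the pair of regressions the finding asks for.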

@github-actions

github-actions Bot commented Jun 25, 2026

Contributor

E2E Advisor Recommendation

Required E2E: onboard-resume-e2e, onboard-repair-e2e, cloud-onboard-e2e, network-policy-vitest
Optional E2E: network-policy-e2e, double-onboard-e2e, channels-add-remove-e2e

Auto-dispatched E2E: onboard-resume-e2e via nightly-e2e.yaml at 3848465e17f25d658586a77a81255eccf4a658ba (nightly run)

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • onboard-resume-e2e (high): Required by the onboarding resume compatibility rule: this PR changes the live policy-state handler, resume selection, recorded policy reconciliation, and resume skip gating for suppressed live presets.
  • onboard-repair-e2e (high): Required by the onboarding resume compatibility rule because the changed policy-state/resume orchestration can affect repair compatibility and session recovery paths after interrupted onboarding.
  • cloud-onboard-e2e (high): The PR changes full hosted onboarding behavior: create-time policy generation, policy tier recording, OpenClaw required preset suggestions, and restricted-tier suppression. A full hosted onboard run is needed to catch integration failures outside unit tests.
  • network-policy-vitest (high): The PR changes network policy tier definitions and the live network-policy scenario itself. This job exercises a real OpenShell sandbox and verifies live network policy behavior, including restricted onboarding/preset suppression and egress allow/deny behavior.

Optional E2E

  • network-policy-e2e (high): Legacy shell coverage for the same policy boundary is useful as a parity check if maintainers want additional confidence beyond the updated Vitest network-policy job.
  • double-onboard-e2e (medium): Optional confidence for policy tier persistence and re-onboard behavior, since the PR changes how the selected/recorded tier participates in policy reconciliation.
  • channels-add-remove-e2e (high): Optional adjacent coverage because policy preset reconciliation also handles messaging-channel required presets and disabled-channel cleanup.

New E2E recommendations

  • None.

@github-actions

github-actions Bot commented Jun 25, 2026

Contributor

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: network-policy-vitest, onboard-resume-vitest, onboard-repair-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=network-policy-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • network-policy-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/network-policy.test.ts.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=network-policy-vitest
  • onboard-resume-vitest: The PR changes onboard machine policy-state resume selection and reconciliation paths, including persisted policy tier handling and suppression of live agent-required presets. The onboarding resume compatibility rule requires this live Vitest job.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • onboard-repair-vitest: The same onboard state-machine resume and persisted-session policy reconciliation changes can affect repair/backstop execution from persisted sessions, so the onboarding resume compatibility rule requires the repair live Vitest job as well.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • nemoclaw-blueprint/policies/tiers.yaml
  • src/lib/onboard.ts
  • src/lib/onboard/initial-policy.ts
  • src/lib/onboard/machine/handlers/policies.ts
  • src/lib/onboard/policy-resume-selection.ts
  • src/lib/onboard/policy-selection.ts
  • src/lib/onboard/policy-tier-suppression.ts
  • src/lib/onboard/sandbox-create-plan.ts
  • test/e2e-scenario/live/network-policy.test.ts
  • test/e2e-scenario/live/restricted-onboard-helpers.ts

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🧹 Nitpick comments (2)
docs/reference/network-policies.mdx (1)

71-71: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Passive voice in tier description.

"Agent-required preset additions ... are suppressed" is passive. Consider rephrasing actively, e.g. "Restricted mode suppresses agent-required preset additions, such as OpenClaw pricing fetches; reapply them later with policy-add ...".

As per path instructions: "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/network-policies.mdx` at line 71, The Restricted tier
description uses passive voice in the sentence about agent-required preset
additions, so rewrite it in active voice. Update the wording in the
network-policies documentation so the Restricted mode is the actor that
suppresses those additions, while preserving the meaning about OpenClaw pricing
fetches and reapplying them later with policy-add if needed.

Source: Path instructions

src/lib/onboard/policy-selection.ts (1)

146-154: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Optional: reuse the helper to avoid divergence.

suppressedAgentRequiredPresets (Line 153) and the inline append in computeSetupPresetSuggestions (Lines 191-194) compute the same openclaw-pricing + required-OTEL list under the same restricted/Openclaw conditions. Consider deriving one from the other so the suppression list and the gated additions cannot drift apart.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/policy-selection.ts` around lines 146 - 154, The
restricted/Openclaw preset logic is duplicated between
suppressedAgentRequiredPresets and the inline append in
computeSetupPresetSuggestions, which risks the two lists drifting apart.
Refactor computeSetupPresetSuggestions to derive its gated additions from
suppressedAgentRequiredPresets, or extract a shared helper used by both. Keep
the existing RESTRICTED_TIER_NAME and isOpenclawAgent checks in one place, and
ensure the returned preset list remains the same in both paths.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/onboard-policy-suggestions.test.ts`:
- Around line 494-506: The test around suppressedAgentRequiredPresets is only
isolating NEMOCLAW_OPENCLAW_OTEL, so it can accidentally inherit
NEMOCLAW_OPENCLAW_OTEL_ENDPOINT from the runner and change whether
openclaw-diagnostics-otel-local is included. Update this test to save, clear,
and restore NEMOCLAW_OPENCLAW_OTEL_ENDPOINT alongside the existing env var
handling in the suppressedAgentRequiredPresets assertion block so the
expectation stays deterministic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ebd267a5-4321-4b59-bde2-f9d1d2632167

📥 Commits

Reviewing files that changed from the base of the PR and between e3b8325 and 53170ea.

📒 Files selected for processing (5)
  • docs/reference/network-policies.mdx
  • nemoclaw-blueprint/policies/tiers.yaml
  • src/lib/onboard.ts
  • src/lib/onboard/policy-selection.ts
  • test/onboard-policy-suggestions.test.ts

Comment thread test/onboard-policy-suggestions.test.ts Outdated
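Two points from the review above fit in one sketch: deriving the suppression list and the gated additions from a single helper so they cannot drift, and isolating every environment variable that helper reads in a test. This is an added example, not the PR's code: function names follow the PR text, while the bodies, `filterSuppressed`, `withEnv`, `RUNNER_ENV`, and the rule that an unset endpoint means the local one are assumptions.

```typescript
// Added illustration; simplified model, not the project's implementation.
type Env = Record<string, string | undefined>;

const RESTRICTED_TIER_NAME = "restricted";
const PRICING_PRESET = "openclaw-pricing";
const OTEL_LOCAL_PRESET = "openclaw-diagnostics-otel-local";

// Constructed stand-in for process.env on a runner that exports a collector endpoint.
const RUNNER_ENV: Env = { NEMOCLAW_OPENCLAW_OTEL_ENDPOINT: "http://collector.example:4318" };

// Single source of truth for what the OpenClaw agent adds on its own.
function agentRequiredPresetAdditions(agent: string, env: Env): string[] {
  if (agent !== "openclaw") return [];
  const additions = [PRICING_PRESET];
  if (env["NEMOCLAW_OPENCLAW_OTEL"] === "1" && !env["NEMOCLAW_OPENCLAW_OTEL_ENDPOINT"]) {
    additions.push(OTEL_LOCAL_PRESET);
  }
  return additions;
}

// What the Restricted tier withholds: the same list, gated on the tier.
function suppressedAgentRequiredPresets(tier: string, agent: string, env: Env): string[] {
  return tier === RESTRICTED_TIER_NAME ? agentRequiredPresetAdditions(agent, env) : [];
}

// Suggestion boundary: agent additions are appended only outside Restricted.
function computeSetupPresetSuggestions(
  tier: string, agent: string, env: Env, tierPresets: string[],
): string[] {
  const additions = tier === RESTRICTED_TIER_NAME ? [] : agentRequiredPresetAdditions(agent, env);
  const merged = tierPresets.concat(additions);
  return merged.filter((name, i) => merged.indexOf(name) === i);
}

// Final application boundary: drop anything a later merge step reintroduced.
function filterSuppressed(chosen: string[], tier: string, agent: string, env: Env): string[] {
  const suppressed = suppressedAgentRequiredPresets(tier, agent, env);
  return chosen.filter((name) => suppressed.indexOf(name) === -1);
}

// Test isolation: save each touched key, set or clear it, run, then restore.
// An override of undefined clears the variable for the duration of fn.
function withEnv<T>(env: Env, overrides: Env, fn: () => T): T {
  const saved: Env = {};
  for (const key of Object.keys(overrides)) {
    saved[key] = env[key];
    if (overrides[key] === undefined) delete env[key];
    else env[key] = overrides[key];
  }
  try {
    return fn();
  } finally {
    for (const key of Object.keys(saved)) {
      if (saved[key] === undefined) delete env[key];
      else env[key] = saved[key];
    }
  }
}
```

Setting only `NEMOCLAW_OPENCLAW_OTEL` inside `withEnv` leaves the inherited endpoint in place and the expected list silently loses `openclaw-diagnostics-otel-local`; passing `NEMOCLAW_OPENCLAW_OTEL_ENDPOINT: undefined` as well makes the result independent of the runner.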
@wscurran wscurran added the NV QA Bugs found by the NVIDIA QA Team label Jun 26, 2026

@cv cv left a comment

Collaborator

LGTM after addressing feedback

…dary

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
…wth guardrail

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28227482209
Target ref: 5c17ae7af5406d93535a2adb376f5a55e2d68cfd
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28228069681
Target ref: 4b2facec83531a0cc27adb492584973f93a98e13
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28230568188
Target ref: 07c489967210ec5ffdb0e7dba1f174336c1f0722
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

@github-actions

Contributor

Vitest E2E Scenario Results — ❌ Some jobs failed

Run: 28230500053
Workflow ref: fix/restricted-tier-strict-presets
Requested scenarios: (default — all supported)
Requested jobs: network-policy-vitest,onboard-resume-vitest,onboard-repair-vitest
Summary: 2 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
network-policy-vitest ❌ failure
onboard-repair-vitest ✅ success
onboard-resume-vitest ✅ success

Failed jobs: network-policy-vitest. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28231278562
Target ref: a0f9089450c0e0db02b9d252c8876d1277642f94
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28233348761
Target ref: 4c83ae385aca47a0fad3966d1a62fe6f63340df6
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28235814381
Target ref: 76be43936de6dfe3c3201fbca3d934bde46a7191
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28236237588
Target ref: f599cf7e992a446b2cb5f8f068672884c11ac39c
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

…ive on restricted resume

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28287032435
Target ref: 52c01fa7e50fb8f80c99f9a9eb43d10cd25ee9c0
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

… guardrail green

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28287505528
Target ref: dc3c2a356060779e4a3a96e9ae8f96790cbe2e1a
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

…teractive filter test

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28288050710
Target ref: 0285b83976983e3147790e753e6a6405045abeaa
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

…atting helper

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28288728405
Target ref: d9a6218de415bd0eec8091ea81f363e4724fbc3e
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28288971975
Target ref: 34c703662a29cde0b055e9cb37f0e09aae59c409
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

…+ escape-hatch tests

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Comment thread src/lib/onboard/policy-selection.ts Fixed
Comment thread src/lib/onboard/policy-selection.ts Fixed
…d by CodeQL

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28291522650
Target ref: 1db243692dc8ca0fe4b4efaf2c317b626a3cb38e
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

…tier

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
…board.ts

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ❌ Some jobs failed

Run: 28292425428
Target ref: b985d7809adc0112675a7a03d2ca6711f59144d2
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 0 passed, 1 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ❌ failure

Failed jobs: onboard-resume-e2e. Check run artifacts for logs.

@github-actions

Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 28293019672
Target ref: 1aacda718f75cab9fb8da7b4600f78161bd0a18c
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ✅ success

… keep test isolation

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 28293572844
Target ref: 2378c0c709cba835c4012bdaf2e1df686e40024d
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ✅ success

…restricted tier

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 28293835725
Target ref: bea83addab4b426d9472c2b3b467528265e310d9
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ✅ success

…reate-time path

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@github-actions

Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 28294148783
Target ref: 3848465e17f25d658586a77a81255eccf4a658ba
Workflow ref: main
Requested jobs: onboard-resume-e2e
Summary: 1 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
onboard-resume-e2e ✅ success

@laitingsheng laitingsheng added the v0.0.69 Release target label Jun 27, 2026
@cv cv added v0.0.71 Release target and removed v0.0.69 Release target labels Jun 28, 2026
Labels

  • area: onboarding (Onboarding FSM, provider setup, sandbox launch, or first-run flow)
  • bug-fix (PR fixes a bug or regression)
  • NV QA (Bugs found by the NVIDIA QA Team)
  • v0.0.71 (Release target)

Development

Successfully merging this pull request may close these issues.

[Ubuntu 22.04][Onboard] restricted tier onboard incorrectly applies openclaw-pricing preset