test(e2e): migrate GPU Ollama flow to vitest

[cv]

Summary

Migrates the GPU/Ollama E2E into a typed live Vitest scenario. The new test runs on the GPU runner, installs Ollama if needed, onboards with the Ollama provider, checks CUDA/GPU status and auth proxy behavior, then verifies direct Ollama and sandbox inference.local chat completions.

Related Issue

Refs #5098

Changes

• Add a typed live Vitest replacement for test/e2e/test-gpu-e2e.sh.
• Wire a free-standing dispatchable Vitest job into .github/workflows/e2e-vitest-scenarios.yaml.
• Preserve legacy shell deletion and any legacy shell workflow cleanup for Phase 11 per Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 migration governance.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
• Git hooks passed during commit and push, or npx prek run --from-ref main --to-ref HEAD passes
• Targeted tests pass for changed behavior
• Full npm test passes (broad runtime changes only)
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Targeted commands run:

• npx biome check --write test/e2e-scenario/live/gpu-e2e.test.ts
• NEMOCLAW_RUN_E2E_SCENARIOS=1 npx vitest run --project e2e-scenarios-live test/e2e-scenario/live/gpu-e2e.test.ts -t __compile_only_nomatch__ --silent=false --reporter=default --passWithNoTests
• npx vitest run --project e2e-vitest-support test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• npx tsx scripts/check-test-file-size-budget.ts test/e2e-scenario/live/gpu-e2e.test.ts
• npx tsc --noEmit --strict --moduleResolution bundler --module preserve --target ES2022 --types node --allowImportingTsExtensions test/e2e-scenario/live/gpu-e2e.test.ts
• git diff --check

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• Tests

  • Added a new live GPU end-to-end Vitest scenario with runner readiness checks, Ollama GPU provider install/verification, and best-effort cleanup.
  • Validates auth-proxy behavior for unauthenticated, wrong-token (rejected), and correct-token (allowed) requests.
  • Confirms chat connectivity by verifying “PONG” responses via both direct access and the sandbox inference endpoint.
  • Updated the workflow metadata test to use an explicit 60s timeout.

• CI/CD

  • Added a standalone GPU E2E Vitest job (non-interactive) and included its results in PR reporting, with GPU E2E artifacts uploaded.

[github-code-quality]

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the e2e-migrate/test-gpu... branch is 96%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	e2e-migrate/test-gpu... 87b3da6	+/-
nemoclaw/src/se...cret-scanner.ts	—	100%	—
nemoclaw/src/commands/slash.ts	—	100%	—
nemoclaw/src/li...bprocess-env.ts	—	100%	—
nemoclaw/src/bl...eprint/state.ts	—	98%	—
nemoclaw/src/onboard/config.ts	—	98%	—
nemoclaw/src/bl...int/snapshot.ts	—	97%	—
nemoclaw/src/bl...print/runner.ts	—	95%	—
nemoclaw/src/co...ration-state.ts	—	94%	—
nemoclaw/src/bl...ate-networks.ts	—	94%	—
nemoclaw/src/index.ts	—	94%	—

TypeScript / code-coverage/cli

The overall coverage in the e2e-migrate/test-gpu... branch is 46%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	e2e-migrate/test-gpu... 87b3da6	+/-
src/lib/state/o...oard-session.ts	—	90%	—
src/lib/inference/local.ts	—	76%	—
src/lib/sandbox/config.ts	—	72%	—
src/lib/actions...dbox/rebuild.ts	—	67%	—
src/lib/onboard/preflight.ts	—	64%	—
src/lib/actions...licy-channel.ts	—	56%	—
src/lib/state/sandbox.ts	—	55%	—
src/lib/onboard...er-gpu-patch.ts	—	50%	—
src/lib/policy/index.ts	—	49%	—
src/lib/onboard.ts	—	18%	—

---

_{Updated June 19, 2026 21:48 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}

[github-actions]

E2E Advisor Recommendation

Required E2E: gpu-e2e-vitest
Optional E2E: ollama-auth-proxy-vitest, cron-preflight-inference-local-vitest

Dispatch hint: gpu-e2e-vitest

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• gpu-e2e-vitest (high): This is the newly added live E2E job and directly validates the PR's GPU Ollama install/onboard path, sandbox lifecycle, CUDA proof, auth proxy boundary, and sandbox inference.local routing.

Optional E2E

• ollama-auth-proxy-vitest (medium): Provides adjacent confidence for the auth proxy security behavior that the new GPU scenario depends on, without requiring a GPU runner.
• cron-preflight-inference-local-vitest (medium): Useful adjacent coverage for OpenShell sandbox inference.local availability and preflight behavior, which overlaps with the new GPU sandbox inference path.

New E2E recommendations

• None.

Dispatch hint

• Workflow: .github/workflows/e2e-vitest-scenarios.yaml
• jobs input: gpu-e2e-vitest

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: gpu-e2e-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

• gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=gpu-e2e-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• gpu-e2e-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/gpu-e2e.test.ts.
  • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=gpu-e2e-vitest

Optional Vitest E2E scenarios

• None.

Relevant changed files

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/gpu-e2e.test.ts
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 3 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 2 still apply, 0 new items found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Source-of-truth review needed: Ollama remote installer compatibility path: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: Line 180 runs `curl -fsSL https://ollama.com/install.sh | sh`; this is covered by the installer-trust security finding.
• New workflow lane executes the Ollama remote installer without verification (test/e2e-scenario/live/gpu-e2e.test.ts:180): The live GPU test can execute `curl -fsSL https://ollama.com/install.sh | sh` on the GPU runner when `ollama` is absent. The new job is reasonably isolated with SHA-pinned actions, `persist-credentials: false`, top-level `contents: read`, `npm ci --ignore-scripts`, and no repository secrets passed to this job, but the Ollama installer payload itself is still unpinned and unauthenticated by checksum, digest, or signature.
  • Recommendation: Prefer installing a pinned Ollama release/package and verify it with a checksum or signature before execution. If this scenario intentionally tests Ollama's official live installer, keep the no-secrets/no-write-token boundary explicit and isolated.
  • Evidence: `gpu-e2e.test.ts` runs `curl -fsSL https://ollama.com/install.sh | sh`; `.github/workflows/e2e-vitest-scenarios.yaml` adds `gpu-e2e-vitest` with pinned checkout/setup-node/upload-artifact actions and `persist-credentials: false`, but no installer checksum or version pin is provided.
• Proxy restart probe can match and kill its own shell (test/e2e-scenario/live/gpu-e2e.test.ts:293): The restart validation runs a `bash -lc` script containing `pkill -f 'ollama-auth-proxy'`. Because the shell command line itself includes that literal string, `pkill -f` can match the test shell or helper process before the replacement proxy starts, making this negative/recovery check flaky or abortive.
  • Recommendation: Kill the proxy by listener PID after verifying the command, as the legacy shell did, or use a self-excluding pattern such as `[o]llama-auth-proxy` and keep the proxy script path/literal out of the matching command line.
  • Evidence: The new `restartProxy` script starts with `pkill -f 'ollama-auth-proxy' 2>/dev/null || true`. Nearby existing fixture code documents the bracket pattern approach for `pkill -9 -f '[o]penclaw'` to avoid matching the matcher process itself.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — `gpu-e2e-vitest` fails on the GitHub GPU runner when Docker or `nvidia-smi` is unavailable rather than silently skipping.. The changed behavior depends on a real GPU runner, Docker, OpenShell install, the project installer, Ollama/model availability, auth-proxy process lifecycle, and sandbox `inference.local` networking. Static support tests and compile-only checks cannot fully prove those runtime contracts.
• **Runtime validation** — `gpu-e2e` rejects unauthenticated and wrong-token auth-proxy requests, accepts the persisted token, and restarts `ollama-auth-proxy` without killing the restart shell.. The changed behavior depends on a real GPU runner, Docker, OpenShell install, the project installer, Ollama/model availability, auth-proxy process lifecycle, and sandbox `inference.local` networking. Static support tests and compile-only checks cannot fully prove those runtime contracts.
• **Runtime validation** — `gpu-e2e` install output contains the GPU proof lines for `nvidia-smi`, `/proc/<pid>/task/<tid>/comm write`, and `cuInit(0)`, and contains `GPU sandbox runtime reached local inference` when Docker GPU mode is selected.. The changed behavior depends on a real GPU runner, Docker, OpenShell install, the project installer, Ollama/model availability, auth-proxy process lifecycle, and sandbox `inference.local` networking. Static support tests and compile-only checks cannot fully prove those runtime contracts.
• **Runtime validation** — `gpu-e2e` proves both direct Ollama chat and sandbox `https://inference.local/v1/chat/completions\` return the expected PONG.. The changed behavior depends on a real GPU runner, Docker, OpenShell install, the project installer, Ollama/model availability, auth-proxy process lifecycle, and sandbox `inference.local` networking. Static support tests and compile-only checks cannot fully prove those runtime contracts.
• **Runtime validation** — `gpu-e2e` cleanup removes the NemoClaw sandbox entry and destroys the OpenShell `nemoclaw` gateway, or artifacts clearly identify cleanup failure.. The changed behavior depends on a real GPU runner, Docker, OpenShell install, the project installer, Ollama/model availability, auth-proxy process lifecycle, and sandbox `inference.local` networking. Static support tests and compile-only checks cannot fully prove those runtime contracts.
• **Acceptance clause:** Refs Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 — add test evidence or identify existing coverage. The deterministic linked issue context contained no linked issue clauses or comments, so Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 acceptance text could not be verified from trusted issue data.
• **Ollama remote installer compatibility path** — The live test proves the install path works, but does not prove installer integrity.. Line 180 runs `curl -fsSL https://ollama.com/install.sh | sh`; this is covered by the installer-trust security finding.

Since last review details

Current findings:

• Source-of-truth review needed: Ollama remote installer compatibility path: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: Line 180 runs `curl -fsSL https://ollama.com/install.sh | sh`; this is covered by the installer-trust security finding.
• New workflow lane executes the Ollama remote installer without verification (test/e2e-scenario/live/gpu-e2e.test.ts:180): The live GPU test can execute `curl -fsSL https://ollama.com/install.sh | sh` on the GPU runner when `ollama` is absent. The new job is reasonably isolated with SHA-pinned actions, `persist-credentials: false`, top-level `contents: read`, `npm ci --ignore-scripts`, and no repository secrets passed to this job, but the Ollama installer payload itself is still unpinned and unauthenticated by checksum, digest, or signature.
  • Recommendation: Prefer installing a pinned Ollama release/package and verify it with a checksum or signature before execution. If this scenario intentionally tests Ollama's official live installer, keep the no-secrets/no-write-token boundary explicit and isolated.
  • Evidence: `gpu-e2e.test.ts` runs `curl -fsSL https://ollama.com/install.sh | sh`; `.github/workflows/e2e-vitest-scenarios.yaml` adds `gpu-e2e-vitest` with pinned checkout/setup-node/upload-artifact actions and `persist-credentials: false`, but no installer checksum or version pin is provided.
• Proxy restart probe can match and kill its own shell (test/e2e-scenario/live/gpu-e2e.test.ts:293): The restart validation runs a `bash -lc` script containing `pkill -f 'ollama-auth-proxy'`. Because the shell command line itself includes that literal string, `pkill -f` can match the test shell or helper process before the replacement proxy starts, making this negative/recovery check flaky or abortive.
  • Recommendation: Kill the proxy by listener PID after verifying the command, as the legacy shell did, or use a self-excluding pattern such as `[o]llama-auth-proxy` and keep the proxy script path/literal out of the matching command line.
  • Evidence: The new `restartProxy` script starts with `pkill -f 'ollama-auth-proxy' 2>/dev/null || true`. Nearby existing fixture code documents the bracket pattern approach for `pkill -9 -f '[o]penclaw'` to avoid matching the matcher process itself.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 133fc35d-ee6c-4a61-a24d-59d153f4675d

📥 Commits

Reviewing files that changed from the base of the PR and between c2c18a1 and 87b3da6.

📒 Files selected for processing (1)

• .github/workflows/e2e-vitest-scenarios.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/e2e-vitest-scenarios.yaml

---

📝 Walkthrough

Walkthrough

Adds a live GPU end-to-end Vitest test (gpu-e2e.test.ts) that provisions an Ollama GPU provider, validates auth-proxy token authentication, and verifies inference via both the local Ollama API and the sandbox endpoint. A corresponding gpu-e2e-vitest CI job is added to the workflow with GPU runner targeting, and its result is included in the report-to-pr aggregation.

Changes

GPU E2E Ollama Scenario

Layer / File(s)	Summary
Test harness setup and utility helpers test/e2e-scenario/live/gpu-e2e.test.ts	Defines CLI path constants, environment variable defaults, env() composer, plus bestEffort(), readTokenFileChecked(), and chatContent() utilities.
Scenario wrapper, cleanup registration, and pre-cleanup test/e2e-scenario/live/gpu-e2e.test.ts	Implements the skipIf-gated scenario block, writes a scenario.json artifact, registers cleanup for sandbox/gateway/host processes, and performs pre-cleanup before provisioning.
Prerequisite checks, Ollama install, and CLI status assertions test/e2e-scenario/live/gpu-e2e.test.ts	Validates Docker and nvidia-smi, conditionally installs Ollama, stops existing services, runs install.sh, writes install log artifact, and asserts CLI status for CUDA and GPU-enabled markers.
Auth-proxy token validation and restart test/e2e-scenario/live/gpu-e2e.test.ts	Reads proxy token with permission checks, verifies 401/200 HTTP responses for unauthenticated, wrong-token, and correct-token requests, then kills and restarts the auth proxy confirming continued 200 responses.
Ollama model detection and inference endpoint assertions test/e2e-scenario/live/gpu-e2e.test.ts	Detects an Ollama model from the local API, sends PONG chat-completions requests directly to Ollama and via the sandbox inference endpoint, asserts both return PONG.
CI workflow job definition and test boundary integration .github/workflows/e2e-vitest-scenarios.yaml, test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts	Adds the gpu-e2e-vitest job with dispatch gating, GPU runner, Ollama environment config, test execution step, and artifact upload; extends report-to-pr.needs to fan in the new job; updates workflow boundary test timeout configuration and import formatting.

Sequence Diagram

sequenceDiagram
  participant Test as gpu-e2e.test.ts
  participant OllamaAPI as Ollama Local API
  participant AuthProxy as Auth Proxy
  participant SandboxInf as Sandbox Inference Endpoint

  Test->>OllamaAPI: GET /api/tags (detect model)
  OllamaAPI-->>Test: model list
  Test->>OllamaAPI: POST /v1/chat/completions (PONG)
  OllamaAPI-->>Test: response with PONG
  Test->>AuthProxy: POST /v1/chat/completions with token (PONG)
  AuthProxy->>SandboxInf: forward request
  SandboxInf-->>AuthProxy: response with PONG
  AuthProxy-->>Test: response with PONG

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/NemoClaw#5243: Both PRs modify .github/workflows/e2e-vitest-scenarios.yaml around the same free-standing Vitest job selector gating and report-to-pr dependency wiring, with the new gpu-e2e-vitest job aligning with the selector-based mechanism introduced in the retrieved PR.
• NVIDIA/NemoClaw#5495: Both PRs modify .github/workflows/e2e-vitest-scenarios.yaml to add a GPU free-standing Vitest job and wire it into the report-to-pr job's needs table, with similarly structured Ollama/auth-proxy live tests in test/e2e-scenario/live/*.
• NVIDIA/NemoClaw#5551: Both PRs add/extend live end-to-end coverage for the Ollama auth-proxy contract—token persistence, 401/200 enforcement, and proxy restart recovery (main: gpu-e2e.test.ts; retrieved: ollama-auth-proxy.test.ts).

Suggested labels

area: e2e

🐇 A GPU awaits, with tensors to flex,
The ollama roars and PONG echoes back!
Auth-proxy guards with tokens in check,
The sandbox spins up, no CUDA to lack.
This bunny tests inference — ears fully stacked! 🎮✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: migrating a GPU Ollama end-to-end test flow to Vitest, which is the primary objective of the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch e2e-migrate/test-gpu-e2e

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e-scenario/live/gpu-e2e.test.ts (1)

202-202: 💤 Low value

Consider a more defensive fallback if HOME is unset.

If process.env.HOME is undefined, the path resolves to a relative .nemoclaw/ollama-proxy-token, which may not be the intended behavior. GPU runners should always have HOME set, but a fallback like /tmp or throwing an explicit error would be more defensive.

-    const tokenFile = path.join(process.env.HOME ?? "", ".nemoclaw", "ollama-proxy-token");
+    const home = process.env.HOME;
+    if (!home) throw new Error("HOME environment variable is required");
+    const tokenFile = path.join(home, ".nemoclaw", "ollama-proxy-token");

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/live/gpu-e2e.test.ts` at line 202, The tokenFile variable
uses an empty string fallback when process.env.HOME is undefined, which results
in a relative path rather than an absolute path. Instead of using an empty
string as the fallback in the ternary operator, replace it with a defensive
fallback like /tmp, or alternatively throw an explicit error to ensure the
function fails fast if HOME is not set. This ensures the token file path is
always absolute and the intent is clear if the environment is misconfigured.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e-scenario/live/gpu-e2e.test.ts`:
- Line 202: The tokenFile variable uses an empty string fallback when
process.env.HOME is undefined, which results in a relative path rather than an
absolute path. Instead of using an empty string as the fallback in the ternary
operator, replace it with a defensive fallback like /tmp, or alternatively throw
an explicit error to ensure the function fails fast if HOME is not set. This
ensures the token file path is always absolute and the intent is clear if the
environment is misconfigured.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 973713fa-d0de-40ed-9e4e-394b972ba3ba

📥 Commits

Reviewing files that changed from the base of the PR and between 9d4d1f5 and d44b775.

📒 Files selected for processing (2)

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/gpu-e2e.test.ts