fix(e2e): adapt network policy tests to non-interactive policy-add CLI

[TruongNguyenG]

Summary

Fix 4 nightly failures in test/e2e/test-network-policy.sh caused by PR #2070 changing nemoclaw policy-add to require a preset name in non-interactive mode.

Related Issue

Fixes #2148

Changes

• Replace expect-based preset application with direct CLI calls: apply_preset now calls nemoclaw <sandbox> policy-add <preset> --yes directly instead of capturing the interactive list, grepping for a number, and automating prompts with expect. This works with the new non-interactive mode from fix(cli): support non-interactive policy preset updates (Fixes #2067) #2070.

• Add interactive mode coverage (TC-NET-03): New apply_preset_interactive function unsets NEMOCLAW_NON_INTERACTIVE and uses expect to exercise the interactive prompt path. TC-NET-03 tries interactive first, falls back to non-interactive. Both CLI code paths are now tested.

• Fix TC-NET-03 reachability assertion: After applying the telegram preset, api.telegram.org returns HTTP 403 (unauthenticated — no bot token). This is correct: the proxy lets the request through, Telegram rejects the bare request. Changed assertion to accept any HTTP status (2xx-4xx) as "reachable" — only ERROR_ responses (proxy blocks) count as failure.

• Remove expect as hard dependency: expect is installed with a warning if missing (only needed for TC-NET-03 interactive test). Non-interactive tests work without it.

Type of Change

• Code change (feature, bug fix, or refactor)

Verification

• npx prek run --all-files passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Verified on CI: 10/10 PASS on ubuntu-latest

AI Disclosure

• AI-assisted — tool: Cursor

---

Signed-off-by: Truong Nguyen tgnguyen@nvidia.com

Made with Cursor

Summary by CodeRabbit

• Tests
  • Tests now tolerate missing interactive tooling and log a warning instead of aborting.
  • Added non-interactive and interactive preset-application flows with automatic fallback when interactive tooling is unavailable.
  • Simplified one preset workflow to a direct dry-run path that checks for "would be opened" output.
  • Improved result classification to better distinguish success, proxy-blocked, and unexpected responses.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updated test/e2e/test-network-policy.sh: made expect non-fatal in preflight(), added non-interactive apply_preset() and interactive apply_preset_interactive() (uses expect), TC-NET-03 now tries interactive then falls back to non-interactive, and TC-NET-04 dry-run handling simplified.

Changes

Cohort / File(s)	Summary
Single script updated test/e2e/test-network-policy.sh	preflight() no longer fails when expect install/detection fails. Added non-interactive apply_preset() (uses --yes) and new apply_preset_interactive() (returns 2 if expect missing, 1 if preset not found, otherwise expect pipeline status). TC-NET-03 now prefers interactive apply with fallback and broadens status/error pattern checks; TC-NET-04 uses direct --dry-run and checks for would be opened.

Sequence Diagram

sequenceDiagram
    participant Test as Test Script
    participant CLI as "nemoclaw CLI"
    participant Expect as Expect
    participant Endpoint as System Endpoint

    Test->>Test: preflight() - check for expect
    alt expect present
        Test->>CLI: run policy-add (interactive mode env)
        CLI->>Expect: present interactive preset list
        Expect->>Test: select preset number & confirm
        CLI->>Endpoint: apply policy
        Endpoint-->>CLI: response (STATUS_/ERROR_)
        CLI-->>Test: output + exit code
    else expect missing
        Test->>CLI: run policy-add <preset> --yes or --dry-run
        CLI->>Endpoint: apply or simulate policy
        Endpoint-->>CLI: response
        CLI-->>Test: output + exit code
    end
    Test->>Test: classify result (success / proxy-blocked / unexpected)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nudged the script with a twitch and wink,
Made Expect optional so tests won't sink,
If prompts are gone, a fallback hops in place,
Non-interactive steps still keep up the pace,
A little rabbit nudge—CI keeps its grin.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: adapting network policy e2e tests to work with the non-interactive policy-add CLI.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/e2e/test-network-policy.sh (1)

127-132: ⚠️ Potential issue | 🟠 Major

Make the optional expect install truly non-fatal.

With set -euo pipefail enabled, a failure in sudo apt-get install -y -qq expect exits the script before Line 131 can evaluate the warning condition. The subshell pattern below prevents the install failure from terminating the script.

Suggested fix

   if ! command -v expect >/dev/null 2>&1; then
     log "Installing expect..."
-    sudo apt-get update -qq && sudo apt-get install -y -qq expect >/dev/null 2>&1
-    if ! command -v expect >/dev/null 2>&1; then
+    if ! (sudo apt-get update -qq && sudo apt-get install -y -qq expect >/dev/null 2>&1); then
+      log "WARNING: failed to install expect — interactive tests will skip"
+    elif ! command -v expect >/dev/null 2>&1; then
       log "WARNING: expect not available — interactive tests will skip"
     fi
   fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/test-network-policy.sh` around lines 127 - 132, The apt-get install
of expect is currently fatal under set -euo pipefail; change the install to be
non-fatal so the subsequent "if ! command -v expect" check can run. Wrap the
update+install in a subshell or append a safe-fail fallback (e.g. (sudo apt-get
update -qq && sudo apt-get install -y -qq expect >/dev/null 2>&1) || true) for
the existing install line that installs expect so the script continues and the
later check for the command can emit the warning as intended.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/test-network-policy.sh`:
- Around line 156-158: The interactive-mode check currently causes interactive
failures to be treated like a skip; change the logic so that the script only
skips when expect is actually missing: keep the if ! command -v expect check but
return 0 (or otherwise explicitly skip) when expect is unavailable and log that
fact; when expect is present, run the expect-driven interactive test (the block
that exercises policy-add telegram --yes / the expect script) and do NOT swallow
its exit status—propagate any non-zero exit so failures fail the test. Apply the
same change to the duplicate check at the other occurrence (the block around
lines 310-316).

---

Outside diff comments:
In `@test/e2e/test-network-policy.sh`:
- Around line 127-132: The apt-get install of expect is currently fatal under
set -euo pipefail; change the install to be non-fatal so the subsequent "if !
command -v expect" check can run. Wrap the update+install in a subshell or
append a safe-fail fallback (e.g. (sudo apt-get update -qq && sudo apt-get
install -y -qq expect >/dev/null 2>&1) || true) for the existing install line
that installs expect so the script continues and the later check for the command
can emit the warning as intended.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 46018c33-9e46-402a-8a7a-2386169313f8

📥 Commits

Reviewing files that changed from the base of the PR and between bd82e1f and fea48a8.

📒 Files selected for processing (1)

• test/e2e/test-network-policy.sh

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

test/e2e/test-network-policy.sh (2)

305-307: ⚠️ Potential issue | 🟡 Minor

Keep the precondition aligned with the new 4xx == reachable rule.

After this change, STATUS_403 is treated as a successful reachability signal for api.telegram.org, but the pre-check still skips only on 2xx/3xx. If telegram is already reachable and returns 403, TC-NET-03 now misses the intended early skip.

Suggested fix

-  if echo "$before" | grep -qE "STATUS_[23]"; then
+  if echo "$before" | grep -qE "STATUS_[2-4][0-9][0-9]"; then
     skip "TC-NET-03" "api.telegram.org already reachable before policy-add (preset may be pre-applied)"
     return
   fi

Also applies to: 330-335

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/test-network-policy.sh` around lines 305 - 307, The precondition
grep only looks for "STATUS_[23]" so it misses 4xx codes now treated as
reachable; update the check to include 4 (e.g., change the pattern to
"STATUS_[234]") wherever the pre-check appears (the block using the variable
before and the skip "TC-NET-03" and the similar block around lines 330-335) so a
prior STATUS_4 will cause the early skip as intended.

---

127-131: ⚠️ Potential issue | 🟠 Major

Don't let optional expect installation abort preflight.

With set -e, the line sudo apt-get update -qq && sudo apt-get install -y -qq expect will exit the script if apt-get install fails, preventing the subsequent expect availability check from running. Interactive tests are not actually optional in that case.

Suggested fix

   if ! command -v expect >/dev/null 2>&1; then
     log "Installing expect..."
-    sudo apt-get update -qq && sudo apt-get install -y -qq expect >/dev/null 2>&1
+    if ! (sudo apt-get update -qq && sudo apt-get install -y -qq expect >/dev/null 2>&1); then
+      log "WARNING: failed to install expect — interactive tests will skip"
+    fi
     if ! command -v expect >/dev/null 2>&1; then
       log "WARNING: expect not available — interactive tests will skip"
     fi
   fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/test-network-policy.sh` around lines 127 - 131, The install step for
expect can abort the script due to set -e; wrap the apt-get install so failures
don't exit (e.g., run sudo apt-get update -qq && sudo apt-get install -y -qq
expect >/dev/null 2>&1 || true or temporarily disable errexit around that
command), then keep the subsequent command -v expect check and the warning log;
update the block around the log function and the install invocation so the
availability check for expect (command -v expect) always runs regardless of
apt-get install exit status.

♻️ Duplicate comments (1)

test/e2e/test-network-policy.sh (1)

156-158: ⚠️ Potential issue | 🟠 Major

Only fall back when expect is unavailable.

apply_preset_interactive() returns the same status for “expect missing” and for a real interactive failure, and TC-NET-03 falls back on any non-zero exit. That still lets a broken prompt flow go green as long as policy-add telegram --yes works.

Suggested fix

 apply_preset_interactive() {
   local preset_name="$1"
   if ! command -v expect >/dev/null 2>&1; then
     log "  expect not available — cannot test interactive mode"
-    return 1
+    return 2
   fi
@@
   log "  Step 2: Adding telegram preset (interactive mode)..."
   if ! apply_preset_interactive "telegram"; then
-    log "  Interactive mode failed — falling back to non-interactive..."
-    if ! apply_preset "telegram"; then
-      fail "TC-NET-03: Setup" "Could not apply telegram preset"
-      return
-    fi
+    local interactive_rc=$?
+    if [[ $interactive_rc -eq 2 ]]; then
+      skip "TC-NET-03 interactive" "expect not available"
+      log "  Interactive mode unavailable — falling back to non-interactive..."
+      if ! apply_preset "telegram"; then
+        fail "TC-NET-03: Setup" "Could not apply telegram preset"
+        return
+      fi
+    else
+      fail "TC-NET-03: Interactive policy-add" "interactive flow failed"
+      return
+    fi
   fi

Also applies to: 310-316

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/test-network-policy.sh` around lines 156 - 158, The fallback
currently treats any non-zero return from apply_preset_interactive() the same as
"expect" being missing, hiding real interactive failures; change the logic so
you first check for the presence of the expect binary (command -v expect) and
only log "expect not available — cannot test interactive mode" and return 1 when
that check fails; otherwise invoke apply_preset_interactive() and if it returns
non-zero propagate that non-zero (fail the test) instead of falling back to the
non-interactive path. Apply the same change to the other occurrence (lines
around the second block, referenced in the comment).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/test-network-policy.sh`:
- Around line 358-364: The test swallows the exit status of the nemoclaw call
and uses an overly-broad grep pattern which can mask failures; run the
policy-add command capturing both output and exit code (keep the dry_output
variable and also capture the command's exit status), assert the exit code is
zero before checking output, and tighten the output check to look for explicit
success indicators from the dry-run (e.g., "slack\.com" or the literal phrase
"would be opened" or another known success string) when validating TC-NET-04 for
the command `nemoclaw ... policy-add slack --dry-run`.

---

Outside diff comments:
In `@test/e2e/test-network-policy.sh`:
- Around line 305-307: The precondition grep only looks for "STATUS_[23]" so it
misses 4xx codes now treated as reachable; update the check to include 4 (e.g.,
change the pattern to "STATUS_[234]") wherever the pre-check appears (the block
using the variable before and the skip "TC-NET-03" and the similar block around
lines 330-335) so a prior STATUS_4 will cause the early skip as intended.
- Around line 127-131: The install step for expect can abort the script due to
set -e; wrap the apt-get install so failures don't exit (e.g., run sudo apt-get
update -qq && sudo apt-get install -y -qq expect >/dev/null 2>&1 || true or
temporarily disable errexit around that command), then keep the subsequent
command -v expect check and the warning log; update the block around the log
function and the install invocation so the availability check for expect
(command -v expect) always runs regardless of apt-get install exit status.

---

Duplicate comments:
In `@test/e2e/test-network-policy.sh`:
- Around line 156-158: The fallback currently treats any non-zero return from
apply_preset_interactive() the same as "expect" being missing, hiding real
interactive failures; change the logic so you first check for the presence of
the expect binary (command -v expect) and only log "expect not available —
cannot test interactive mode" and return 1 when that check fails; otherwise
invoke apply_preset_interactive() and if it returns non-zero propagate that
non-zero (fail the test) instead of falling back to the non-interactive path.
Apply the same change to the other occurrence (lines around the second block,
referenced in the comment).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 835c5a33-d484-47d9-83dd-1324e6a30155

📥 Commits

Reviewing files that changed from the base of the PR and between fea48a8 and 63c2cf5.

📒 Files selected for processing (1)

• test/e2e/test-network-policy.sh

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e/test-network-policy.sh (1)

337-343: Consider including 5xx responses as "reachable" for consistency.

The pattern STATUS_[2-4][0-9][0-9] treats 2xx–4xx as success. However, test/e2e/test-skip-permissions-policy.sh uses [2-5][0-9][0-9] since any HTTP response (including 5xx) proves egress works—the request reached the server. While 5xx is unlikely for api.telegram.org, aligning the patterns improves consistency.

Optional fix for consistency

-  if echo "$after" | grep -qE "STATUS_[2-4][0-9][0-9]"; then
+  if echo "$after" | grep -qE "STATUS_[2-5][0-9][0-9]"; then

Apply the same change to line 307 if desired.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/test-network-policy.sh` around lines 337 - 343, Update the grep
pattern that checks the variable after to treat 5xx as reachable by changing the
regex STATUS_[2-4][0-9][0-9] to STATUS_[2-5][0-9][0-9] in the conditional that
inspects "$after" (the block that calls pass "TC-NET-03: Endpoint reachable
after live policy-add"); also apply the same regex change to the other similar
check earlier in the script that uses the same STATUS_[2-4][0-9][0-9] pattern so
both places treat 2xx–5xx as evidence the request reached the server.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@test/e2e/test-network-policy.sh`:
- Around line 337-343: Update the grep pattern that checks the variable after to
treat 5xx as reachable by changing the regex STATUS_[2-4][0-9][0-9] to
STATUS_[2-5][0-9][0-9] in the conditional that inspects "$after" (the block that
calls pass "TC-NET-03: Endpoint reachable after live policy-add"); also apply
the same regex change to the other similar check earlier in the script that uses
the same STATUS_[2-4][0-9][0-9] pattern so both places treat 2xx–5xx as evidence
the request reached the server.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 685e9b17-ccf7-485e-9e7c-a772b73535a2

📥 Commits

Reviewing files that changed from the base of the PR and between 63c2cf5 and 7477557.

📒 Files selected for processing (1)

• test/e2e/test-network-policy.sh

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/test-network-policy.sh`:
- Around line 307-308: The grep pattern treating 5xx as “reachable” is too broad
in TC-NET-03; update the regex checks that currently use
"STATUS_[2-5][0-9][0-9]" to only match 2xx–4xx by changing them to
"STATUS_[2-4][0-9][0-9]" (apply this change to the occurrences around the checks
that skip with skip "TC-NET-03" and the similar check later in the same script).
Ensure both instances are updated so the test only treats 2xx–4xx responses as
reachable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 5c7af532-9787-4e20-805d-bb74e3932b0a

📥 Commits

Reviewing files that changed from the base of the PR and between 7477557 and 53625c7.

📒 Files selected for processing (1)

• test/e2e/test-network-policy.sh