fix(cli): address onboard FSM follow-up hardening

[cv]

Summary

Address follow-up findings from the final onboarding FSM and onboard-shell extraction reviews. This PR keeps final session completion behind successful verification, hardens extracted onboarding helpers, and prevents stale Model Router PID reuse from killing unrelated processes.

Related Issue

Refs #3883
Refs #3919

Changes

• Split finalization state progression so onboarding enters post_verify before deployment verification and records complete only after verification and dashboard output succeed.
• Harden extracted helper behavior for known-host pruning, messaging credential removal detection, OpenShell version parsing/fallbacks, Brave Search saved credentials, and Docker-driver gateway log opening.
• Add Model Router process ownership checks that require the recorded PID command line to match the expected model-router proxy --port <port> before restart/kill.
• Add regression tests for finalization failure, helper edge cases, and Model Router PID ownership checks.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• Bug Fixes

  • Treat removed messaging credentials as rotation changes.
  • Align Docker/OpenShell error text to recommend the supported fallback version.

• Improvements

  • Better Docker gateway log handling and spawn behavior.
  • Use previously saved Brave Search API key in non-interactive flows.
  • Stricter blueprint version parsing.
  • More robust pruning of OpenShell SSH known-host entries.
  • Improved onboarding verification/finalization recording.

• Tests

  • Expanded coverage for router ownership, credential rotation, Brave key fallback, and version parsing.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e446a0c8-ca60-4d6b-aa61-49d65d5f09f0

📥 Commits

Reviewing files that changed from the base of the PR and between 4363765 and 56698f4.

📒 Files selected for processing (1)

• src/lib/onboard/model-router.ts

💤 Files with no reviewable changes (1)

• src/lib/onboard/model-router.ts

---

📝 Walkthrough

Walkthrough

Adds a post-verification recorder and defers session completion, centralizes safe Docker-driver gateway log/spawn, tightens OpenShell version handling, normalizes known-hosts entries, treats removed messaging tokens as rotation, prefers stored Brave API keys in non-interactive web-search, and centralizes model-router process ownership checks.

Changes

Onboarding System Enhancements

Layer / File(s)	Summary
Finalization workflow post-verify instrumentation src/lib/onboard/machine/handlers/finalization.ts, src/lib/onboard/runtime-boundary.ts, src/lib/onboard.ts, src/lib/onboard/machine/handlers/finalization.test.ts	Adds recordPostVerifyStarted(): Promise<Session> to finalization deps; OnboardRuntimeBoundary implements it to transition from "finalizing" to "post_verify"; handleFinalizationState defers session completion until after verification and wires the recorder; tests updated for success, ordering, and failure.
OpenShell version management and validation src/lib/onboard/openshell-version.ts, src/lib/onboard.ts, test/onboard-openshell-version.test.ts	Exports SUPPORTED_OPENSHELL_FALLBACK_VERSION = "0.0.44", tightens blueprint min/max regex to exact x.y.z, updates fallback usage and error messaging, and adds a test rejecting -dev suffixed versions.
Docker-driver gateway log & spawn helpers src/lib/onboard/docker-driver-gateway-launch.ts, src/lib/onboard.ts	Adds openDockerDriverGatewayLog (secure append + O_NOFOLLOW) and spawnDockerDriverGateway (detached spawn with stdout/stderr to provided FD); onboard wiring replaces manual fd open/spawn with these helpers.
Known-hosts entry normalization and OpenShell filtering src/lib/onboard/known-hosts.ts, test/ssh-known-hosts.test.ts	Adds normalizeKnownHostToken to strip ports/brackets, handles @ marker and comma-separated hosts in pruneKnownHostsEntries, and prunes hosts starting with openshell-; tests updated for bracketed and marked entries.
Model-router process ownership verification src/lib/onboard/model-router-process.ts, src/lib/onboard/model-router.ts, src/lib/onboard/model-router.test.ts	Adds command-line readers and ownership helpers (isModelRouterCommandLineForPort, readModelRouterProcessCommandLine, doesModelRouterProcessOwnPort) with injected deps; reconciler verifies recorded PID owns the port before short-circuiting; tests added for patterns and stop gating.
Messaging credential removal detection src/lib/onboard/messaging-credentials.ts, test/credential-rotation.test.ts	detectMessagingCredentialRotation now treats missing/null tokens as rotation when a stored hash exists; test updated to assert removed tokens trigger rotation.
Web search credential sourcing with fallback src/lib/onboard/web-search-flow.ts, test/onboard-brave-validation.test.ts	Non-interactive configureWebSearch prefers stored Brave API key (getCredential) before process.env; test added to verify saved key usage when env var is unset.

Sequence Diagram

sequenceDiagram
  participant Finalizer as handleFinalizationState
  participant Boundary as OnboardRuntimeBoundary
  participant Runtime as RuntimeState
  Finalizer->>Boundary: recordPostVerifyStarted()
  Boundary->>Runtime: read session + state
  alt state == "finalizing"
    Runtime->>Runtime: transition "post_verify"
  end
  Boundary-->>Finalizer: return session
  Finalizer->>Finalizer: build verify chain
  Finalizer->>Finalizer: execute verification
  Finalizer->>Finalizer: log diagnostics + print dashboard
  Finalizer->>Boundary: recordSessionComplete()
  Boundary->>Runtime: transition completion
  Boundary-->>Finalizer: return session

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3876: Overlapping edits to handleFinalizationState and recorder wiring.
• NVIDIA/NemoClaw#3883: Related changes to finalization transitions and runtime-recording logic.
• NVIDIA/NemoClaw#3870: Related gateway startup and onboarding gateway orchestration changes.

Suggested labels

NemoClaw CLI, fix, refactor, v0.0.51

Suggested reviewers

• ericksoa
• jyaunches

Poem

🐰 I hopped through code to mark the stage,
Post-verify now steps onto the page.
One safe log file hums, versions trimmed neat,
Hosts pruned, keys found, and routers kept on beat.
A rabbit cheers: tests green—what a treat!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 18.52% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: a fix addressing FSM (Finite State Machine) follow-up hardening in the onboarding flow, which aligns with the core refactoring of finalization state progression, helper hardening, and process ownership checks documented in the PR objectives.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/onboard-fsm-followups-3883-3919

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cv]

Follow-up to feedback from #3883 and #3919.

Local verification performed:

• npm run build:cli ✅
• npx vitest run src/lib/onboard/machine/handlers/finalization.test.ts src/lib/onboard/machine/runtime.test.ts src/lib/onboard/model-router.test.ts test/onboard-model-router.test.ts test/ssh-known-hosts.test.ts test/credential-rotation.test.ts test/onboard-openshell-version.test.ts test/onboard-brave-validation.test.ts test/onboard.test.ts ✅

I intentionally left the full npm test and npx prek run --all-files PR checkboxes unchecked because I did not run those full suites locally.

[github-actions]

E2E Advisor Recommendation

Required E2E: cloud-onboard-e2e, gateway-health-honest-e2e, openshell-version-pin-e2e, model-router-provider-routed-inference-e2e, token-rotation-e2e, brave-search-e2e
Optional E2E: onboard-resume-e2e, credential-migration-e2e, sandbox-survival-e2e, messaging-providers-e2e

Dispatch hint: cloud-onboard-e2e,token-rotation-e2e,brave-search-e2e

Auto-dispatched E2E: cloud-onboard-e2e, token-rotation-e2e, brave-search-e2e via nightly-e2e.yaml at 56698f42814f8811c146d88153ed698c542b571d — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cloud-onboard-e2e (high): High-signal end-to-end coverage for full non-interactive onboarding, sandbox health, inference.local, credential leak checks, and final deployment verification after changes to finalization/runtime-boundary and gateway startup.
• gateway-health-honest-e2e (medium): Required because Docker-driver gateway process launch/log fd handling changed; this regression job validates gateway startup does not falsely report healthy when the gateway process fails.
• openshell-version-pin-e2e (low): Required because OpenShell fallback compatibility and blueprint version parsing changed; this validates install/onboard pins to a supported OpenShell when a newer incompatible version is present.
• model-router-provider-routed-inference-e2e (high): Required because model-router process ownership/reuse/stop behavior changed; this validates routed provider onboarding produces a healthy model-router and a working inference.local completion.
• token-rotation-e2e (high): Required because messaging credential rotation detection changed; this verifies token changes propagate through re-onboard/rebuild and provider credential isolation remains correct.
• brave-search-e2e (high): Required because non-interactive Brave web-search credential resolution changed; this validates real web-search onboarding, policy/provider setup, placeholder isolation, and sandbox web-search behavior.

Optional E2E

• onboard-resume-e2e (high): Useful adjacent coverage for runtime-boundary/session state transitions and finalization ordering, especially if a failure occurs near post_verify or deployment verification.
• credential-migration-e2e (medium): Useful confidence for credential cleanup/finalization paths and legacy credential removal behavior touched near deployment verification and messaging credential handling.
• sandbox-survival-e2e (high): Useful adjacent lifecycle coverage for gateway restart/recovery after changes to Docker-driver gateway process launching and log handling.
• messaging-providers-e2e (high): Optional broader messaging-provider coverage for placeholder/L7 proxy credential paths beyond token-rotation rebuild behavior.

New E2E recommendations

• model-router-process-ownership (medium): Existing model-router E2E validates routed inference, but not the specific reused-PID safety behavior where a stale recorded routerPid points to an unrelated process and must not be killed or trusted.
  • Suggested test: Add an E2E/regression test that seeds onboard session routerPid with an unrelated long-running process, runs provider/agent change or routed reconcile, and asserts the unrelated process survives while onboarding fails closed or starts an owned model-router.
• ssh-known-hosts-cleanup (low): Known-host pruning has unit coverage but no real sandbox SSH lifecycle assertion that @ marker entries and [openshell-*]:port entries are cleaned without deleting unrelated hosts.
  • Suggested test: Add an onboarding/sandbox lifecycle E2E step that pre-populates ~/.ssh/known_hosts with openshell marker/bracketed entries and verifies onboard/destroy cleanup prunes only OpenShell sandbox hosts.
• docker-driver-gateway-log-hardening (medium): Gateway launch now uses O_NOFOLLOW for log creation, but existing E2E only indirectly exercises healthy/failing gateway startup and may not assert symlink-safe log handling.
  • Suggested test: Add a regression E2E that plants a symlink at the Docker-driver gateway log path before onboard and verifies onboard fails safely without writing through the symlink.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: cloud-onboard-e2e,token-rotation-e2e,brave-search-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

• None.

Relevant changed files

• None.

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 1 still applies, 0 new items found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Supervisor fallback image remains mutable tag-based (src/lib/onboard.ts:1412): The Docker-driver OpenShell supervisor fallback still resolves to a registry tag derived from the installed, blueprint, or fallback OpenShell version. Tags such as `ghcr.io/nvidia/openshell/supervisor:${supportedVersion}` remain mutable unless the release process guarantees immutability, so a later tag move could change sandbox supervisor code without a source change.
  • Recommendation: If the OpenShell release process supports it, pin the supervisor image by digest or verify the resolved digest against trusted release metadata before launching the Docker-driver gateway.
  • Evidence: `getOpenShellDockerSupervisorImage()` now centralizes the fallback via `SUPPORTED_OPENSHELL_FALLBACK_VERSION`, but still returns `ghcr.io/nvidia/openshell/supervisor:${supportedVersion}`. This is the same prior warning and still applies.

🌱 Nice ideas

• None.

Since last review details

Current findings:

• Supervisor fallback image remains mutable tag-based (src/lib/onboard.ts:1412): The Docker-driver OpenShell supervisor fallback still resolves to a registry tag derived from the installed, blueprint, or fallback OpenShell version. Tags such as `ghcr.io/nvidia/openshell/supervisor:${supportedVersion}` remain mutable unless the release process guarantees immutability, so a later tag move could change sandbox supervisor code without a source change.
  • Recommendation: If the OpenShell release process supports it, pin the supervisor image by digest or verify the resolved digest against trusted release metadata before launching the Docker-driver gateway.
  • Evidence: `getOpenShellDockerSupervisorImage()` now centralizes the fallback via `SUPPORTED_OPENSHELL_FALLBACK_VERSION`, but still returns `ghcr.io/nvidia/openshell/supervisor:${supportedVersion}`. This is the same prior warning and still applies.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/lib/onboard.ts (1)

2672-2697: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Close parent copy of logFd after spawn() (fd leak)

src/lib/onboard.ts opens logFd for the gateway log and passes it to spawn(..., stdio: ["ignore", logFd, logFd]), but the parent never closes logFd anywhere in the file (no closeSync/fs.closeSync found), leaking an fd on each restart attempt (and if spawn throws synchronously).

Suggested fix

   let logFd: number;
   try {
     logFd = fs.openSync(logPath, appendNoFollow, 0o600);
   } catch (error) {
     console.error(`  Failed to open OpenShell Docker-driver gateway log '${logPath}': ${String(error)}`);
     if (exitOnFailure) process.exit(1);
     throw error;
   }
   console.log("  Starting OpenShell Docker-driver gateway...");
   console.log(`  Gateway log: ${logPath}`);
   const launch = gatewayLaunch ?? {
     command: gatewayBin,
     args: [],
     env: { ...process.env, ...gatewayEnv },
     mode: "host" as const,
     processGatewayBin: gatewayBin,
   };
   dockerDriverGatewayLaunch.prepareAndLogDockerDriverGatewayLaunch(launch);
-  const child = spawn(launch.command, launch.args, {
-    detached: true,
-    stdio: ["ignore", logFd, logFd],
-    env: launch.env,
-  });
+  let child;
+  try {
+    child = spawn(launch.command, launch.args, {
+      detached: true,
+      stdio: ["ignore", logFd, logFd],
+      env: launch.env,
+    });
+  } finally {
+    fs.closeSync(logFd);
+  }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 2672 - 2697, The parent process currently
opens logFd and passes it to spawn(...) but never closes its copy, leaking a
file descriptor; wrap the spawn call in a try/catch and after a successful spawn
call immediately call fs.closeSync(logFd) to close the parent's copy (but only
after spawn returns), and if spawn throws synchronously, ensure you
closeSync(logFd) in the catch before rethrowing or exiting; reference logFd and
the spawn(...) call in onboard.ts when making these changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/lib/onboard.ts`:
- Around line 2672-2697: The parent process currently opens logFd and passes it
to spawn(...) but never closes its copy, leaking a file descriptor; wrap the
spawn call in a try/catch and after a successful spawn call immediately call
fs.closeSync(logFd) to close the parent's copy (but only after spawn returns),
and if spawn throws synchronously, ensure you closeSync(logFd) in the catch
before rethrowing or exiting; reference logFd and the spawn(...) call in
onboard.ts when making these changes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8cc00749-6055-4f3a-9214-41555d94193d

📥 Commits

Reviewing files that changed from the base of the PR and between 0f48781 and 57cfff6.

📒 Files selected for processing (14)

• src/lib/onboard.ts
• src/lib/onboard/known-hosts.ts
• src/lib/onboard/machine/handlers/finalization.test.ts
• src/lib/onboard/machine/handlers/finalization.ts
• src/lib/onboard/messaging-credentials.ts
• src/lib/onboard/model-router.test.ts
• src/lib/onboard/model-router.ts
• src/lib/onboard/openshell-version.ts
• src/lib/onboard/runtime-boundary.ts
• src/lib/onboard/web-search-flow.ts
• test/credential-rotation.test.ts
• test/onboard-brave-validation.test.ts
• test/onboard-openshell-version.test.ts
• test/ssh-known-hosts.test.ts

[cjagwani]

LGTM

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26338293715
Target ref: 57cfff6ab4993bf59fa6d3fda7f9d76822620ed8
Workflow ref: main
Requested jobs: cloud-onboard-e2e,token-rotation-e2e,brave-search-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job	Result
brave-search-e2e	✅ success
cloud-onboard-e2e	✅ success
token-rotation-e2e	✅ success

[coderabbitai]

🧹 Nitpick comments (1)

src/lib/onboard/model-router.ts (1)

423-468: Run the onboarding/sandbox E2E set for this reconciliation-path hardening.

The new PID-ownership gate changes restart vs. abort behavior on healthy-port detection, so this is worth validating via the recommended nightly E2E job subset before merge.

As per coding guidelines: "E2E test recommendation: cloud-e2e ... sandbox-operations-e2e ... rebuild-openclaw-e2e ... channels-stop-start-e2e ... messaging-compatible-endpoint-e2e ... bedrock-runtime-compatible-anthropic-e2e ... hermes-discord-e2e ... hermes-slack-e2e ... openshell-gateway-upgrade-e2e".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/model-router.ts` around lines 423 - 468, The
reconcileModelRouter change adds a PID-ownership gate that alters restart vs
abort behavior when a healthy router is found (see reconcileModelRouter,
isRouterHealthy, doesModelRouterProcessOwnPort, startModelRouter,
stopModelRouterProcess); run the recommended E2E subset before merging to
validate both branches (recorded PID owns port -> restart, recorded PID
absent/different -> abort) by executing the nightly cloud-e2e list:
sandbox-operations-e2e, rebuild-openclaw-e2e, channels-stop-start-e2e,
messaging-compatible-endpoint-e2e, bedrock-runtime-compatible-anthropic-e2e,
hermes-discord-e2e, hermes-slack-e2e and openshell-gateway-upgrade-e2e, and
verify session updates (routerPid, routerCredentialHash) and correct process
stop/start behavior in each scenario.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/onboard/model-router.ts`:
- Around line 423-468: The reconcileModelRouter change adds a PID-ownership gate
that alters restart vs abort behavior when a healthy router is found (see
reconcileModelRouter, isRouterHealthy, doesModelRouterProcessOwnPort,
startModelRouter, stopModelRouterProcess); run the recommended E2E subset before
merging to validate both branches (recorded PID owns port -> restart, recorded
PID absent/different -> abort) by executing the nightly cloud-e2e list:
sandbox-operations-e2e, rebuild-openclaw-e2e, channels-stop-start-e2e,
messaging-compatible-endpoint-e2e, bedrock-runtime-compatible-anthropic-e2e,
hermes-discord-e2e, hermes-slack-e2e and openshell-gateway-upgrade-e2e, and
verify session updates (routerPid, routerCredentialHash) and correct process
stop/start behavior in each scenario.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bd38f7b8-2944-4d05-8afc-32af4ce11b9e

📥 Commits

Reviewing files that changed from the base of the PR and between 57cfff6 and 1912d83.

📒 Files selected for processing (6)

• src/lib/onboard.ts
• src/lib/onboard/docker-driver-gateway-launch.ts
• src/lib/onboard/model-router-process.ts
• src/lib/onboard/model-router.test.ts
• src/lib/onboard/model-router.ts
• src/lib/onboard/openshell-version.ts

✅ Files skipped from review due to trivial changes (1)

• src/lib/onboard/model-router.test.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26339241455
Target ref: 1912d83b0ada94f2617b0b11416e59d42be5766d
Workflow ref: main
Requested jobs: cloud-onboard-e2e,token-rotation-e2e,brave-search-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
brave-search-e2e	✅ success
cloud-onboard-e2e	✅ success
token-rotation-e2e	⚠️ cancelled

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26339435452
Target ref: 436376533ca01499b7d24631c41f91e13cd0449f
Workflow ref: main
Requested jobs: cloud-onboard-e2e,token-rotation-e2e,credential-migration-e2e,brave-search-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
brave-search-e2e	✅ success
cloud-onboard-e2e	⚠️ cancelled
credential-migration-e2e	⚠️ cancelled
token-rotation-e2e	⚠️ cancelled

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26339533418
Target ref: 56698f42814f8811c146d88153ed698c542b571d
Workflow ref: main
Requested jobs: cloud-onboard-e2e,token-rotation-e2e,brave-search-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job	Result
brave-search-e2e	✅ success
cloud-onboard-e2e	✅ success
token-rotation-e2e	✅ success