fix(installer): clarify express, CDI, and Ollama install prompts

[zyang-dev]

Summary

Clarifies installer and onboarding terminal output for Express install, NVIDIA CDI repair, and Linux Ollama installation. The installer now explains selected inference and policy settings, why host repair may ask for sudo, and streams Ollama installer progress during long-running setup.

Changes

• Move the installer banner before early interactive prompts so resumed installs feel anchored.
• Expand Express install text to explain selected local inference and sandbox policy behavior.
• Add NVIDIA CDI repair context before sudo prompts.
• Stream Linux Ollama installer output and clarify that the step may take a few minutes.
• Update focused tests for Express install, CDI repair messaging, and Ollama install streaming.
• Update quickstart docs for Express install policy behavior.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: zyang-dev 267119621+zyang-dev@users.noreply.github.com

Summary by CodeRabbit

• Documentation

  • Clarified Express install guidance: non-interactive mode, sudo password prompt behavior, and default sandbox policy/tier details.

• Improvements

  • Show live installer output during Linux Ollama install.
  • Expanded express-install summary to surface selected inference setup and sandbox policy.
  • Enhanced CDI/repair messaging with clearer guidance on host-level authorization and password handling.
  • Improved startup error reporting and log capture for the entrypoint.

• Tests

  • Updated tests to assert new messaging, prompts, and live-install behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 127c8727-9d72-4881-ba75-292373518d1d

📥 Commits

Reviewing files that changed from the base of the PR and between 4c1b893 and c261e52.

📒 Files selected for processing (1)

• scripts/nemoclaw-start.sh

---

📝 Walkthrough

Walkthrough

The PR adds an express-install description helper and shows inferred Ollama/inference and sandbox-policy settings before confirmation, runs the Ollama installer with live output via stdio: "inherit", expands NVIDIA CDI repair messaging (including password-security notes), reorders startup steps to show the banner earlier and offer express-install after Docker, and updates tests and docs.

Changes

Express install configuration, Ollama installer streaming, CDI messaging, and startup flow reordering

Layer / File(s)	Summary
Express install configuration messaging scripts/install.sh, docs/get-started/quickstart.mdx, test/install-preflight.test.ts	describe_express_install(platform) prints inferred Ollama/inference setup and sandbox policy (default suggested mode with balanced tier unless NEMOCLAW_POLICY_TIER set); express-install prompt shows these settings and tests/docs updated to assert exact messaging.
Ollama installer output streaming src/lib/onboard.ts, test/onboard-selection.test.ts	Ollama installer (`curl
CDI refresh/repair messaging clarification scripts/install.sh, test/install-preflight.test.ts	CDI repair guidance expanded to describe enabling CDI refresh service, fallback to nvidia-ctk cdi generate, and explicitly state NemoClaw does not store user passwords; tests updated accordingly.
Installer startup flow reordering scripts/install.sh	print_banner moved immediately after exporting NEMOCLAW_NON_INTERACTIVE and NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE; express-install offer occurs after Docker validation; _INSTALL_START set right after express-install decision.
Entrypoint startup logging and error emission scripts/nemoclaw-start.sh	Early stdout/stderr redirection preserves original streams while tee'ing to $_START_LOG; adds emit_startup_error() and uses it for dashboard-port validation failure reporting.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3420: Related changes to the Linux Ollama installer flow and tests around preflight/messaging and installer execution.
• NVIDIA/NemoClaw#3428: Related NVIDIA CDI missing-spec repair/auto-generation flow and messaging.
• NVIDIA/NemoClaw#3824: Related express-install prompt and WSL/Windows-host Ollama routing assertions.

Suggested labels

fix, NemoClaw CLI

Suggested reviewers

• ericksoa
• cv

Poem

🐰 I hopped to tell of installs made bright,
express settings shown before the flight,
Ollama streams its output clear,
CDI guidance now appears,
banner raised and tests alight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.86% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: clarifying express install prompts, CDI repair messaging, and Ollama installer output streaming across multiple files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/express-install-feedback

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-3940.docs.buildwithfern.com/nemoclaw

[github-actions]

PR Review Advisor

Recommendation: blocked
Confidence: high
Analyzed HEAD: c261e520b670219d18543b1521ce5ef3b7bce75a
Findings: 2 blocker(s), 3 warning(s), 1 suggestion(s)

This is an automated advisory review. A human maintainer must make the final merge decision.

Limitations: Review is based on trusted metadata and the provided diff; no scripts, tests, package-manager commands, or network calls were executed.; CI, E2E recommendation, CodeRabbit, CodeQL, ShellCheck, unit tests, and sandbox image builds were pending, queued, or in progress in the provided context.; No linked issues were present, so acceptance mapping uses PR body summary/change/checklist clauses rather than linked issue clauses.; Real sudo, CDI refresh service behavior, WSL behavior, Linux Ollama installer behavior, systemd timing, and OpenShell sandbox startup cannot be fully validated from mocked unit tests alone.; The diff is truncated to relevant changed regions; conclusions rely on trusted changed-file metadata plus the supplied patch excerpts.; PR-provided title, body, comments, and bot summaries were treated as untrusted evidence and only used where corroborated by trusted metadata or diff evidence.

Workflow run

Full advisor summary

PR Review Advisor

Base: origin/main
Head: HEAD
Analyzed SHA: c261e520b670219d18543b1521ce5ef3b7bce75a
Recommendation: blocked
Confidence: high

Installer/onboarding changes are narrow and mostly covered by focused tests, but merge is blocked by pending CI, mergeStateStatus=BLOCKED, CodeRabbit still pending, and required E2E not passed for head SHA c261e52.

Gate status

• CI: pending — Latest head SHA c261e52 has multiple incomplete contexts: cli-parity, E2E recommendation, wsl-e2e, macos-e2e, PR review advisor, CodeQL javascript-typescript, CodeQL python, checks, ShellCheck SARIF in progress; unit-vitest-linux, build-sandbox-images, and build-sandbox-images-arm64 queued; CodeRabbit pending.
• Mergeability: fail — GitHub GraphQL reports mergeStateStatus=BLOCKED and reviewDecision=REVIEW_REQUIRED for PR fix(installer): clarify express, CDI, and Ollama install prompts #3940 at headRefOid c261e52; REST mergeable_state is blocked.
• Review threads: warning — GraphQL reviewThreads.nodes is empty, but CodeRabbit is still PENDING and the CodeRabbit issue comment says it is processing new changes for this PR.
• Risky code tested: warning — Risky areas detected: installer/bootstrap shell and onboarding/host glue. Unit tests were updated for prompts and runShell stdio, but trusted testDepth marks docs/get-started/quickstart.mdx, scripts/install.sh, scripts/nemoclaw-start.sh, and src/lib/onboard.ts as e2e_required.

🔴 Blockers

• Hard gates are not green for the current head SHA: The PR cannot be considered ready while required checks are incomplete and GitHub reports the merge state as blocked.
  • Recommendation: Wait for all required checks to complete successfully for head SHA c261e52 and resolve the BLOCKED merge state before merge consideration.
  • Evidence: GraphQL statusCheckRollup for c261e52 shows multiple IN_PROGRESS/QUEUED/PENDING contexts, including CodeQL, ShellCheck SARIF, unit-vitest-linux, sandbox image builds, E2E recommendation, and CodeRabbit; mergeStateStatus=BLOCKED.
• Required E2E jobs have not passed for this head SHA: The PR touches installer/bootstrap shell, onboarding host glue, Linux Ollama installation, CDI repair messaging, and sandbox startup behavior. The E2E Advisor requires cloud-onboard-e2e and gpu-e2e, but there is no trusted evidence that either required job passed for head SHA c261e52.
  • Recommendation: Require cloud-onboard-e2e and gpu-e2e to pass for the current head SHA before merge consideration. Optional wsl-e2e, network-policy-e2e, and onboard-repair-e2e would add useful confidence.
  • Evidence: E2E Advisor comment lists Required E2E: cloud-onboard-e2e, gpu-e2e. Status rollup only shows wsl-e2e in progress and does not show successful cloud-onboard-e2e or gpu-e2e for c261e52.

🟡 Warnings

• Automated review is still in progress: CodeRabbit has not completed processing the current PR changes, so additional review feedback may still arrive.
  • Recommendation: Wait for CodeRabbit to finish and review any generated feedback before final merge consideration.
  • Evidence: Issue comment 4503548744 says CodeRabbit is currently processing new changes, and statusCheckRollup includes StatusContext CodeRabbit=PENDING.
• Onboarding monolith grew amid active overlap (src/lib/onboard.ts:7082): The change is small, but it modifies the large onboard.ts monolith while many active PRs overlap the same file and adjacent installer/sandbox startup paths. This raises drift and conflict risk for onboarding behavior.
  • Recommendation: Before merge, re-check conflicts with active onboard refactor/behavior PRs and consider moving future changes into extracted modules when feasible.
  • Evidence: Trusted monolith delta reports src/lib/onboard.ts grew from 10319 to 10332 lines. Open PR overlaps include fix: allow provider override in non-interactive installs #2083, fix: support reasoning compatible endpoints (Fixes #3279) #3286, feat(cli): add resource profiles to nemoclaw onboard and nemoclaw resources command #3348, fix(onboard): honor navigation at credential prompts #3865, fix(onboard): refresh provider state on agent changes #3857, fix(onboard): skip OpenClaw base resolution for agents #3858, fix(onboard): preserve slack messaging policy #3862, refactor(cli): route onboard step boundaries through runtime #3864, refactor(cli): extract onboard preflight handler #3868, refactor(cli): extract onboard gateway handler #3870, refactor(cli): extract provider inference handlers #3871, refactor(cli): extract onboard sandbox handler #3872, and others touching src/lib/onboard.ts.
• Ollama installer streaming path is only mock-tested (src/lib/onboard.ts:7113): Unit tests assert that runShell is invoked with stdio: inherit, but the real curl|sh Ollama installer, sudo prompt behavior, systemd service timing, loopback override recovery, and host-specific failure modes cannot be proven by mocks alone.
  • Recommendation: Use the required gpu-e2e and consider an additional fresh-host local Ollama onboarding scenario to validate the real install-ollama path on a host without Ollama preinstalled.
  • Evidence: src/lib/onboard.ts now calls runShell("set -o pipefail; curl -fsSL https://ollama.com/install.sh | sh", { stdio: "inherit" }); test/onboard-selection.test.ts asserts stdio inheritance in interactive and non-interactive mocked flows.

🔵 Suggestions

• Startup log redirection change would benefit from a focused regression assertion (scripts/nemoclaw-start.sh:62): The new fd 3/4 redirection and emit_startup_error helper are intended to make invalid dashboard port startup errors deterministic. The diff updates shell code but does not show a focused test for duplicate/missing stderr behavior or log capture permissions on this path.
  • Recommendation: If not already covered elsewhere, add a small shell-level regression that sets an invalid NEMOCLAW_DASHBOARD_PORT and verifies a single clear error is emitted to stderr and captured in /tmp/nemoclaw-start.log without leaking tokens.
  • Evidence: scripts/nemoclaw-start.sh changes exec redirection from tee directly to saved stdout/stderr fds and routes invalid NEMOCLAW_DASHBOARD_PORT errors through emit_startup_error.

Acceptance coverage

• met — Clarifies installer and onboarding terminal output for Express install, NVIDIA CDI repair, and Linux Ollama installation.: scripts/install.sh adds describe_express_install output and expanded NVIDIA CDI repair context; src/lib/onboard.ts updates the Linux Ollama installer message and streams output; tests assert express, CDI, and Ollama streaming behavior.
• met — The installer now explains selected inference and policy settings, why host repair may ask for sudo, and streams Ollama installer progress during long-running setup.: describe_express_install prints platform-specific inference and sandbox policy tier details; repair_installer_nvidia_cdi_spec explains CDI repair and sudo/password handling; setupNim logs that Ollama installer output will stream below and invokes runShell with stdio inherit.
• met — Move the installer banner before early interactive prompts so resumed installs feel anchored.: scripts/install.sh now calls print_banner before preflight_usage_notice_prompt and removed the later print_banner call before setup-jetson.sh.
• met — Expand Express install text to explain selected local inference and sandbox policy behavior.: scripts/install.sh adds describe_express_install(platform), including DGX Spark, DGX Station, and Windows WSL inference summaries plus suggested policy mode/tier descriptions; test/install-preflight.test.ts asserts DGX Spark and Windows WSL prompt text.
• met — Add NVIDIA CDI repair context before sudo prompts.: scripts/install.sh prints CDI purpose, missing spec impact, refresh service/direct generation plan, password authorization note, and non-storage statement before sudo -v; test/install-preflight.test.ts asserts these messages.
• met — Stream Linux Ollama installer output and clarify that the step may take a few minutes.: src/lib/onboard.ts changes the message to say the installer can take a few minutes and output will stream below, then calls runShell with { stdio: "inherit" }; test/onboard-selection.test.ts asserts both interactive and non-interactive install-ollama paths pass stdio inherit.
• met — Update focused tests for Express install, CDI repair messaging, and Ollama install streaming.: test/install-preflight.test.ts adds assertions for express-install configuration and CDI repair messaging; test/onboard-selection.test.ts captures runShell options and asserts stdio inherit for Ollama installer calls.
• met — Update quickstart docs for Express install policy behavior.: docs/get-started/quickstart.mdx now says express install selects managed local inference and, unless NEMOCLAW_POLICY_TIER is set, applies sandbox policy in suggested mode with balanced tier using base sandbox policy plus supported presets.
• unknown — npx prek run --all-files passes: The PR body claims this was run, but trusted status context still shows checks in progress and no completed evidence for this local command was provided.
• unknown — npm test passes: The PR body claims this was run, but unit-vitest-linux is QUEUED for head SHA c261e52 in the trusted status rollup.
• met — Tests added or updated for new or changed behavior: test/install-preflight.test.ts and test/onboard-selection.test.ts were modified with assertions for the changed installer/onboarding behavior.
• met — No secrets, API keys, or credentials committed: The diff contains docs, shell messaging/flow updates, TypeScript onboarding behavior, and tests; no hardcoded tokens, private keys, credential JSON, .env files, or API keys are introduced.
• met — Docs updated for user-facing behavior changes: docs/get-started/quickstart.mdx updates the Express install section to describe policy tier behavior and NEMOCLAW_POLICY_TIER interaction.
• unknown — make docs builds without warnings (doc changes only): The checklist item is unchecked and no trusted completed make docs evidence was provided; preview and markdown-links checks are successful, but they are not the same as make docs.
• unknown — Doc pages follow the style guide (doc changes only): The checklist item is unchecked; markdown-links and preview checks passed, but no explicit style-guide validation evidence was provided.
• met — New doc pages include SPDX header and frontmatter (new pages only): No new doc pages were added; the modified quickstart.mdx already contains SPDX header and frontmatter.

Security review

• pass — 1. Secrets and Credentials: No hardcoded secrets, API keys, passwords, tokens, PEM files, .env files, or credential JSON were added. The CDI sudo messaging explicitly states that NemoClaw does not store the user's password.
• pass — 2. Input Validation and Data Sanitization: No new untrusted parser, eval, unsafe deserialization, path traversal handling, SSRF validation, or URL parsing logic was added. NEMOCLAW_POLICY_TIER is interpolated via printf for user-facing text and is not executed as shell code. scripts/nemoclaw-start.sh retains numeric validation for NEMOCLAW_DASHBOARD_PORT.
• pass — 3. Authentication and Authorization: No endpoints, authentication flows, authorization checks, or token validation code changed. The modified sudo/CDI path uses fixed system commands and retains the existing installer privilege boundary; dashboard device-auth behavior is not changed.
• warning — 4. Dependencies and Third-Party Libraries: No new dependency was added, but the touched onboarding path executes the existing third-party Ollama installer via curl|sh and now streams its output. This is not a new trust boundary, but it remains installer supply-chain-sensitive and requires CI/E2E completion.
• pass — 5. Error Handling and Logging: The PR improves user-facing diagnostics for CDI repair, invalid dashboard port startup errors, and Ollama installation. It does not introduce logging of secrets; sudo passwords are not captured, and stdio inheritance streams installer progress rather than application credentials.
• pass — 6. Cryptography and Data Protection: Not applicable — no cryptographic operations, algorithms, hashing, key handling, or encryption behavior changed.
• pass — 7. Configuration and Security Headers: No HTTP security headers, CORS, Dockerfile base image, container user, or port exposure changes were introduced. Existing loopback-only Ollama behavior is preserved, and tests continue to assert raw Ollama is not exposed on 0.0.0.0.
• warning — 8. Security Testing: Focused tests cover express-install prompt text, CDI repair messaging, zstd ordering, loopback behavior, invalid/host glue contracts, and runShell stdio. However, installer/bootstrap shell, sudo-facing CDI repair, Linux Ollama install, and sandbox startup are high-risk runtime paths; required E2E jobs have not passed for the head SHA.
• warning — 9. Holistic Security Posture: The change appears to preserve security posture and clarify privileged operations, but merge should wait for pending CI, CodeRabbit, and required E2E because the diff touches sudo-facing host repair, CDI, local inference installation, sandbox startup error handling, and sandbox policy messaging.

Test / E2E status

• Test depth: e2e_required — Unit tests are meaningfully updated for changed prompts, CDI messaging, and the runShell stdio contract, but real host behavior around curl|sh, sudo, CDI refresh service, WSL, Ollama installation, systemd timing, and sandbox startup cannot be fully proven by mocks. Trusted context explicitly marks docs/get-started/quickstart.mdx, scripts/install.sh, scripts/nemoclaw-start.sh, and src/lib/onboard.ts as e2e_required.
• E2E Advisor: missing
• Required E2E jobs: cloud-onboard-e2e, gpu-e2e
• Missing for analyzed SHA: cloud-onboard-e2e, gpu-e2e

✅ What looks good

• The diff is narrowly scoped to installer/onboarding user feedback, quickstart docs, startup diagnostics, and focused tests.
• CDI repair messaging now explains why sudo may be needed and states that NemoClaw does not store the password.
• Linux Ollama installation now streams installer output, reducing the chance that a long-running setup appears hung.
• Tests assert important safety properties, including that Linux install fallback uses loopback and does not expose raw Ollama on 0.0.0.0.
• Quickstart documentation now more accurately describes express install policy mode, balanced tier default, and NEMOCLAW_POLICY_TIER behavior.
• Installer banner ordering is improved so early prompts and resumed installs have clearer context.
• The dashboard port validation path now routes errors through a helper intended to make startup failures visible both in the start log and original stderr.

Review completeness

• Review is based on trusted metadata and the provided diff; no scripts, tests, package-manager commands, or network calls were executed.
• CI, E2E recommendation, CodeRabbit, CodeQL, ShellCheck, unit tests, and sandbox image builds were pending, queued, or in progress in the provided context.
• No linked issues were present, so acceptance mapping uses PR body summary/change/checklist clauses rather than linked issue clauses.
• Real sudo, CDI refresh service behavior, WSL behavior, Linux Ollama installer behavior, systemd timing, and OpenShell sandbox startup cannot be fully validated from mocked unit tests alone.
• The diff is truncated to relevant changed regions; conclusions rely on trusted changed-file metadata plus the supplied patch excerpts.
• PR-provided title, body, comments, and bot summaries were treated as untrusted evidence and only used where corroborated by trusted metadata or diff evidence.
• Human maintainer review required: yes

[coderabbitai]

🧹 Nitpick comments (1)

docs/get-started/quickstart.mdx (1)

56-56: ⚡ Quick win

Avoid colon punctuation in this sentence.

The colon after “is set” is used as clause punctuation rather than introducing a list; please rephrase without it.

As per coding guidelines, “Colons should only introduce a list. Flag colons used as general punctuation between clauses.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/get-started/quickstart.mdx` at line 56, Summary: The sentence in
quickstart.mdx uses a colon after “is set” incorrectly; rephrase to remove the
colon and connect the clauses without using colon punctuation. Fix: edit the
sentence that starts "It applies sandbox policy in `suggested` mode with the
`balanced` tier by default, unless `NEMOCLAW_POLICY_TIER` is set:" to remove the
colon and join the clauses (for example using a comma or reworking the clause
order) so it reads smoothly and does not use a colon as general clause
punctuation; ensure the rest of the sentence still mentions "the base sandbox
policy plus supported package, model, web-search, and local-inference presets"
and retains the same meaning.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/get-started/quickstart.mdx`:
- Line 56: Summary: The sentence in quickstart.mdx uses a colon after “is set”
incorrectly; rephrase to remove the colon and connect the clauses without using
colon punctuation. Fix: edit the sentence that starts "It applies sandbox policy
in `suggested` mode with the `balanced` tier by default, unless
`NEMOCLAW_POLICY_TIER` is set:" to remove the colon and join the clauses (for
example using a comma or reworking the clause order) so it reads smoothly and
does not use a colon as general clause punctuation; ensure the rest of the
sentence still mentions "the base sandbox policy plus supported package, model,
web-search, and local-inference presets" and retains the same meaning.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 05d320e1-d5ae-4b72-ade2-c6558870aa77

📥 Commits

Reviewing files that changed from the base of the PR and between 139f2b3 and 7622bdd.

📒 Files selected for processing (5)

• docs/get-started/quickstart.mdx
• scripts/install.sh
• src/lib/onboard.ts
• test/install-preflight.test.ts
• test/onboard-selection.test.ts

[github-actions]

E2E Advisor Recommendation

Required E2E: cloud-onboard-e2e, onboard-negative-paths-e2e, gpu-e2e, test-e2e-port-overrides
Optional E2E: openclaw-onboard-security-posture-e2e, network-policy-e2e, wsl-e2e, runtime-overrides-e2e

Dispatch hint: cloud-onboard-e2e,onboard-negative-paths-e2e,gpu-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cloud-onboard-e2e (high): Covers the public installer plus non-interactive onboarding, sandbox health, policy presets, inference.local, and security checks. Required because install.sh and onboard.ts changed real install/onboard behavior.
• onboard-negative-paths-e2e (high): Exercises non-interactive onboarding edge cases including policy-mode fallback, invalid inputs, custom policy presets, and gateway port conflicts. Required because the PR changes express install policy defaults and onboarding/provider flow.
• gpu-e2e (high): Validates local Ollama onboarding and inference on a GPU/CDI host. Required because the installer now performs NVIDIA CDI remediation messaging/flow and onboard.ts changes Linux Ollama install execution.
• test-e2e-port-overrides (medium): Covers sandbox entrypoint validation for NEMOCLAW_DASHBOARD_PORT and related port overrides. Required because nemoclaw-start.sh changed invalid-port error emission and startup logging plumbing.

Optional E2E

• openclaw-onboard-security-posture-e2e (high): Useful adjacent confidence for full OpenClaw install/onboard/inference with non-root host and sandbox startup posture after entrypoint and installer changes.
• network-policy-e2e (high): Optional confidence that suggested/restricted policy behavior still aligns with express-install messaging and quickstart documentation around balanced policy tiers.
• wsl-e2e (high): Optional platform coverage because install.sh express install now explicitly describes Windows WSL and maps it to Windows-host Ollama, but the main changed runtime path is still covered by unit tests and Linux E2E.
• runtime-overrides-e2e (medium): Optional broader entrypoint regression coverage for runtime config override validation and sandbox startup behavior beyond dashboard-port validation.

New E2E recommendations

• express install on DGX Spark / DGX Station / WSL (high): Existing tests cover express prompt selection at unit level, but there is no dispatchable E2E job that validates the full express-install path on DGX Spark/Station or WSL with managed local inference and suggested balanced policy presets.
  • Suggested test: Add a dispatchable express-install E2E scenario/job that runs install.sh interactively or pseudo-interactively on supported platform fixtures and asserts NEMOCLAW_PROVIDER, NEMOCLAW_POLICY_MODE=suggested, policy tier defaults, and local inference readiness.
• installer NVIDIA CDI remediation (medium): The CDI repair path is covered by installer preflight unit tests, but there is no E2E that runs on a GPU host with Docker CDI configured but missing nvidia.com/gpu specs to validate real systemctl/nvidia-ctk remediation before sandbox startup.
  • Suggested test: Add a GPU host-preflight E2E fixture or self-hosted job that simulates or provisions missing NVIDIA CDI specs and verifies install.sh repairs or clearly reports the condition before onboarding.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: cloud-onboard-e2e,onboard-negative-paths-e2e,gpu-e2e

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26198341669
Target ref: c261e520b670219d18543b1521ce5ef3b7bce75a
Workflow ref: fix/express-install-feedback
Requested jobs: cloud-onboard-e2e,onboard-negative-paths-e2e,gpu-e2e
Summary: 2 passed, 0 failed, 1 skipped

Job	Result
cloud-onboard-e2e	✅ success
gpu-e2e	⏭️ skipped
onboard-negative-paths-e2e	✅ success

[github-actions]

❌ Brev E2E (gpu): FAILED on branch fix/express-install-feedback — See logs

[github-actions]

❌ Brev E2E (gpu): FAILED on branch fix/express-install-feedback — See logs

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26198814402
Target ref: e2e/pr3940-merge-main-1779324758
Workflow ref: main
Requested jobs: all (no filter)
Summary: 46 passed, 1 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	✅ success
brave-search-e2e	✅ success
channels-add-remove-e2e	✅ success
channels-stop-start-e2e	✅ success
cloud-e2e	✅ success
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
device-auth-health-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
double-onboard-e2e	✅ success
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-onboard-security-posture-e2e	✅ success
hermes-slack-e2e	✅ success
inference-routing-e2e	✅ success
issue-2478-crash-loop-recovery-e2e	✅ success
kimi-inference-compat-e2e	✅ success
launchable-smoke-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success
messaging-providers-e2e	✅ success
network-policy-e2e	✅ success
onboard-negative-paths-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
openclaw-onboard-security-posture-e2e	✅ success
openclaw-slack-pairing-e2e	✅ success
openshell-gateway-upgrade-e2e	✅ success
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success
rebuild-openclaw-e2e	✅ success
runtime-overrides-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
skill-agent-e2e	❌ failure
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
telegram-injection-e2e	✅ success
token-rotation-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success

Failed jobs: skill-agent-e2e. Check run artifacts for logs.