test(e2e): migrate test-jetson-nvmap-gpu.sh to vitest

[jyaunches]

Summary

Migrate test/e2e/test-jetson-nvmap-gpu.sh with equivalent live Vitest coverage. Legacy shell deletion and nightly shell retirement are deferred to #5098 Phase 11.

Related Issues

Refs #5098
Refs #4231

Assertion parity

ID	Legacy assertion/check	Replacement Vitest assertion	Boundary preserved	Status
A1	Non-Jetson/Tegra hosts skip cleanly before mutating state, with /dev/nvmap/Tegra model detection.	test/e2e-scenario/live/jetson-nvmap-gpu.test.ts checks /dev/nvmap, /etc/nv_tegra_release, /proc/device-tree/model, then skip(...) before cleanup/onboard.	Host hardware probe	covered
A2	Required non-interactive env is set: NEMOCLAW_NON_INTERACTIVE=1 and NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1.	env() asserts both values before prerequisites/onboard.	Installer env contract	covered
A3	Docker is running and Docker reports the NVIDIA runtime.	docker info exit code is 0; docker info --format '{{json .Runtimes}}' matches nvidia.	Host Docker/NVIDIA runtime	covered
A4	Pre-cleanup destroys any old NemoClaw/OpenShell sandbox/gateway and Ollama processes.	cleanupJetsonSandbox() runs before onboard and is registered with fixture cleanup.	Real nemoclaw, openshell, pkill cleanup	covered
A5	Real install.sh --non-interactive completes the Jetson/Ollama onboard path and leaves nemoclaw on PATH.	host.command("bash", ["install.sh", "--non-interactive"]) exit code is 0; command -v nemoclaw succeeds.	Real installer shell path	covered
A6	Jetson recreate logs Granting sandbox user access to Jetson Tegra GPU device nodes via --group-add.	Install output contains that exact message.	Product Jetson Docker recreate path	covered
A7	Sandbox user supplementary groups include the host /dev/nvmap owning GID.	Host stat -c 'gid=%g' /dev/nvmap; sandbox id; regex asserts GID membership.	Host device metadata + OpenShell sandbox exec	covered
A8	/dev/nvmap is present inside the sandbox.	Sandbox ls -l /dev/nvmap exits 0 and contains /dev/nvmap.	OpenShell sandbox device mount	covered
A9	CUDA initializes in sandbox: cuInit(0)=0; reporter failure NvRmMemInitNvmap/permission denied is rejected.	Sandbox Python ctypes.CDLL("libcuda.so.1").cuInit(0) exits 0, contains cuInit(0)=0, and does not match `NvRmMemInitNvmap	Permission denied`.	Real CUDA driver/library in sandbox
A10	nemoclaw status reports Sandbox GPU: enabled with CUDA verified, not bare enabled, CUDA unverified, or last CUDA proof failed.	Status output contains Sandbox GPU: enabled and CUDA verified, and does not match `last CUDA proof failed	CUDA unverified`.	Real CLI status/state boundary

All legacy assertions are covered or intentionally stronger in Vitest. No row is missing, partial, or candidate only.

Contract mapping

• Legacy assertion family: Jetson/Tegra hardware-gated reporter workflow for [Jetson Orin][CLI&UX] nemoclaw status shows "Sandbox GPU: enabled" but CUDA is unusable inside sandbox — misleading status #4231.
  • Replacement: test/e2e-scenario/live/jetson-nvmap-gpu.test.ts (A1-A10)
  • Boundary preserved: Jetson runner, Docker NVIDIA runtime, install.sh, OpenShell sandbox exec, /dev/nvmap, CUDA cuInit(0), and nemoclaw status.

Simplicity check

• Test shape: simple live Vitest test with local helpers only
• Original runner/lane: .github/workflows/nightly-e2e.yaml job gpu-jetson-nvmap-e2e, runs-on: ${{ vars.JETSON_E2E_RUNNER_LABEL || 'linux-arm64-gpu-jetson-orin-latest-1' }}, gated by Jetson runner availability
• Replacement runner: same runner class in .github/workflows/e2e-vitest-scenarios.yaml job jetson-nvmap-gpu-vitest
• New shared helpers: none
• New framework/registry/ledger: none
• Workflow changes: add selective free-standing Vitest job; legacy shell workflow retained for Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 Phase 11
• Selective dispatch: gh workflow run e2e-vitest-scenarios.yaml --repo NVIDIA/NemoClaw --ref e2e-migrate/test-jetson-nvmap-gpu-vitest -f jobs=jetson-nvmap-gpu-vitest -f pr_number=<PR>

Pre-push parity gate

• Legacy script: test/e2e/test-jetson-nvmap-gpu.sh
• Assertion rows inventoried: 10
• Covered/stronger rows: 10
• Missing/partial/candidate-only rows: 0
• Direct reference only rows: 0
• Runner/resource boundary matched: yes — nightly gpu-jetson-nvmap-e2e Jetson runner class

Verification

• npm run build:cli
• NEMOCLAW_RUN_E2E_SCENARIOS=1 npx vitest run --project e2e-scenarios-live test/e2e-scenario/live/jetson-nvmap-gpu.test.ts --silent=false --reporter=default (skips on local non-Jetson host)
• npx vitest run --project e2e-vitest-support test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts --reporter=default
• npm run typecheck:cli
• npm run test-size:check
• git diff --check
• PR: test(e2e): migrate test-jetson-nvmap-gpu.sh to vitest #5613
• Same-runner selective run: https://github.com/NVIDIA/NemoClaw/actions/runs/27983936614 (pending)

Summary by CodeRabbit

• Tests

  • Added end-to-end testing for Jetson GPU onboarding, validating device availability, CUDA verification, and GPU enablement in sandboxed environments.

• Chores

  • Enhanced CI/CD workflow with new Jetson GPU test integration and optimized test timing configurations.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new live Vitest E2E test (jetson-nvmap-gpu.test.ts) that validates Jetson NVMap GPU access, group membership, device visibility inside a sandbox, and CUDA initialization. A corresponding jetson-nvmap-gpu-vitest CI job is wired into the E2E workflow with Jetson ARM64 runner support, and the boundary validator and PR result aggregation are updated accordingly.

Changes

Jetson NVMap GPU E2E Test and CI Wiring

Layer / File(s)	Summary
Live Vitest test for Jetson NVMap GPU access test/e2e-scenario/live/jetson-nvmap-gpu.test.ts	Adds module constants, env() helper, hostShell()/cleanupJetsonSandbox() utilities, expectGroupMembership() assertion, and the full live test scenario covering hardware gate, Docker/NVIDIA runtime checks, installer execution, sandbox group membership and /dev/nvmap visibility, cuInit(0) CUDA proof, and nemoclaw status GPU/CUDA verification.
CI job, workflow boundary registration, and support-test timeout .github/workflows/e2e-vitest-scenarios.yaml, tools/e2e-scenarios/workflow-boundary.mts, test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts	Adds the jetson-nvmap-gpu-vitest free-standing CI job (Jetson ARM64 runner, scoped Docker auth, device presence checks, Vitest execution, artifact upload), adds it to report-to-pr needs, registers it in validateFreeStandingJobSelector, and increases the free-standing scenario boundary validation test timeout from 240 000 to 420 000 ms.

Possibly related issues

• Epic: Migrate legacy bash E2E into the Vitest E2E system #5098: This PR directly implements the Jetson GPU onboarding Vitest migration described in that issue, including typed test assertions, workflow job wiring, and selector validation.

Possibly related PRs

• NVIDIA/NemoClaw#5219: Both PRs extend the same e2e-vitest-scenarios.yaml free-standing Vitest job/selector wiring and update report-to-pr aggregation to include the newly added Vitest job.
• NVIDIA/NemoClaw#5542: Both PRs extend validateE2eVitestScenariosWorkflowBoundary() by adding a new validateFreeStandingJobSelector pairing and updating the corresponding workflow and support tests.
• NVIDIA/NemoClaw#5555: Both PRs add a new free-standing job to .github/workflows/e2e-vitest-scenarios.yaml and wire it into the report-to-pr aggregation via the needs list.

Suggested labels

area: e2e, v0.0.66

Suggested reviewers

• cv

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🐇 A new map for the Jetson's GPU glow,
/dev/nvmap and cuInit in tow!
The sandbox joins the group with care,
CUDA verified — proof beyond compare.
CI wired, timeout stretched, all set to go! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: migrating a legacy shell script test (test-jetson-nvmap-gpu.sh) to a Vitest implementation, which is the primary objective of this pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch e2e-migrate/test-jetson-nvmap-gpu-vitest

---

_{Comment @coderabbitai help to get the list of available commands.}

[github-code-quality]

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the e2e-migrate/test-jet... branch is 96%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	e2e-migrate/test-jet... 52c886d	+/-
nemoclaw/src/se...cret-scanner.ts	—	100%	—
nemoclaw/src/commands/slash.ts	—	100%	—
nemoclaw/src/li...bprocess-env.ts	—	100%	—
nemoclaw/src/bl...eprint/state.ts	—	98%	—
nemoclaw/src/onboard/config.ts	—	98%	—
nemoclaw/src/bl...int/snapshot.ts	—	97%	—
nemoclaw/src/bl...print/runner.ts	—	95%	—
nemoclaw/src/co...ration-state.ts	—	94%	—
nemoclaw/src/bl...ate-networks.ts	—	94%	—
nemoclaw/src/index.ts	—	94%	—

TypeScript / code-coverage/cli

The overall coverage in the e2e-migrate/test-jet... branch is 46%. Coverage data for the main branch is not yet available.

Show a code coverage summary of the most covered files.

File	main	e2e-migrate/test-jet... 52c886d	+/-
src/lib/state/o...oard-session.ts	—	91%	—
src/lib/inference/local.ts	—	76%	—
src/lib/sandbox/config.ts	—	72%	—
src/lib/actions...dbox/rebuild.ts	—	67%	—
src/lib/onboard/preflight.ts	—	64%	—
src/lib/actions...licy-channel.ts	—	56%	—
src/lib/state/sandbox.ts	—	55%	—
src/lib/onboard...er-gpu-patch.ts	—	50%	—
src/lib/policy/index.ts	—	49%	—
src/lib/onboard.ts	—	18%	—

---

_{Updated June 22, 2026 21:09 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}

[github-actions]

E2E Advisor Recommendation

Required E2E: jetson-nvmap-gpu-vitest
Optional E2E: gpu-e2e-vitest

Dispatch hint: jetson-nvmap-gpu-vitest

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• jetson-nvmap-gpu-vitest (high): This PR adds the Jetson nvmap GPU live scenario and its workflow job; the new job should run to prove the workflow selector, Jetson runner setup, Docker/NVIDIA runtime assumptions, installer/onboarding path, sandbox GPU group grants, CUDA verification, artifacts, and cleanup all work end-to-end.

Optional E2E

• gpu-e2e-vitest (high): Adjacent confidence check for the existing generic GPU E2E path; useful to compare behavior against the new Jetson-specific GPU coverage, but not merge-blocking because the PR only adds the Jetson workflow/test lane.

New E2E recommendations

• None.

Dispatch hint

• Workflow: .github/workflows/e2e-vitest-scenarios.yaml
• jobs input: jetson-nvmap-gpu-vitest

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: jetson-nvmap-gpu-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

• gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=jetson-nvmap-gpu-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• jetson-nvmap-gpu-vitest: Focused free-standing Vitest job wired for changed live test test/e2e-scenario/live/jetson-nvmap-gpu.test.ts.
  • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=jetson-nvmap-gpu-vitest

Optional Vitest E2E scenarios

• None.

Relevant changed files

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/jetson-nvmap-gpu.test.ts
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

[github-actions]

Vitest E2E Scenario Results — ⚠️ Run cancelled — no signal

Run: 27983832199
Workflow ref: e2e-migrate/test-jetson-nvmap-gpu-vitest
Requested scenarios: (default — all supported)
Requested jobs: jetson-nvmap-gpu-vitest
Summary: 0 passed, 0 failed, 1 cancelled, 0 skipped

Job	Result
jetson-nvmap-gpu-vitest	⚠️ cancelled

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-scenario/live/jetson-nvmap-gpu.test.ts`:
- Around line 66-70: The expectGroupMembership function currently matches the
group ID against the full id command output, which can cause false positives
when the gid appears in uid or primary gid fields instead of supplemental
groups. Change the function to accept output from id -G (which returns only
space-separated numeric group IDs) instead of full id output, and replace the
regex matching logic with a simple token-based check that verifies the gid
exists as a complete whitespace-separated token in the id -G output. Apply the
same fix to the other location mentioned at lines 174-180.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cf1c95fe-a017-45cf-9873-7d1c3c461827

📥 Commits

Reviewing files that changed from the base of the PR and between b241036 and 52c886d.

📒 Files selected for processing (4)

• .github/workflows/e2e-vitest-scenarios.yaml
• test/e2e-scenario/live/jetson-nvmap-gpu.test.ts
• test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
• tools/e2e-scenarios/workflow-boundary.mts

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Use numeric group output to avoid false-positive membership checks.

expectGroupMembership() currently matches against full id output, so a hit can come from uid=/primary gid= fields instead of supplemental groups. That can mask a missing --group-add grant. Prefer id -G and token matching.

Suggested patch

 function expectGroupMembership(idOutput: string, gid: string): void {
   expect(gid).toMatch(/^[0-9]+$/u);
-  const groupPattern = new RegExp(`(^|[(,=])${gid}([(,) ]|$)`, "u");
-  expect(idOutput).toMatch(groupPattern);
+  const groups = idOutput.trim().split(/\s+/u).filter(Boolean);
+  expect(groups).toContain(gid);
 }
@@
     const sandboxId = await sandbox.execShell(SANDBOX_NAME, trustedSandboxShellScript("id"), {
+      artifactName: "phase-3-sandbox-id",
+      env: env(),
+      timeoutMs: 60_000,
+    });
+    // numeric-only supplemental group list
+    const sandboxGroups = await sandbox.execShell(
+      SANDBOX_NAME,
+      trustedSandboxShellScript("id -G"),
       artifactName: "phase-3-sandbox-id",
       env: env(),
       timeoutMs: 60_000,
-    });
-    expect(sandboxId.exitCode, resultText(sandboxId)).toBe(0);
-    expectGroupMembership(resultText(sandboxId), hostNvmapGid);
+    );
+    expect(sandboxGroups.exitCode, resultText(sandboxGroups)).toBe(0);
+    expectGroupMembership(resultText(sandboxGroups), hostNvmapGid);

Also applies to: 174-180

🧰 Tools

🪛 ast-grep (0.44.0)

[warning] 67-67: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp((^|[(,=])${gid}([(,) ]|$), "u")
Note: [CWE-1333] Inefficient Regular Expression Complexity

(regexp-from-variable)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/live/jetson-nvmap-gpu.test.ts` around lines 66 - 70, The
expectGroupMembership function currently matches the group ID against the full
id command output, which can cause false positives when the gid appears in uid
or primary gid fields instead of supplemental groups. Change the function to
accept output from id -G (which returns only space-separated numeric group IDs)
instead of full id output, and replace the regex matching logic with a simple
token-based check that verifies the gid exists as a complete
whitespace-separated token in the id -G output. Apply the same fix to the other
location mentioned at lines 174-180.

[github-actions]

PR Review Advisor — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Source-of-truth review needed: Jetson Vitest workflow scheduling.
Open items: 0 required · 4 warnings · 0 suggestions · 8 test follow-ups
Since last review: 0 prior items resolved · 2 still apply · 0 new items found

Action checklist

• PRA-1 Resolve or justify: Source-of-truth review needed: Jetson Vitest workflow scheduling
• PRA-2 Resolve or justify: Source-of-truth review needed: Ollama installer compatibility path
• PRA-3 Resolve or justify: Jetson-only Vitest job runs on default dispatch without the legacy enablement gate in .github/workflows/e2e-vitest-scenarios.yaml:2441
• PRA-4 Resolve or justify: Unpinned remote installer runs while workflow Docker auth is available in test/e2e-scenario/live/jetson-nvmap-gpu.test.ts:146
• PRA-T1 Add or justify test follow-up: Runtime validation
• PRA-T2 Add or justify test follow-up: Runtime validation
• PRA-T3 Add or justify test follow-up: Runtime validation
• PRA-T4 Add or justify test follow-up: Runtime validation
• PRA-T5 Add or justify test follow-up: Acceptance clause
• PRA-T6 Add or justify test follow-up: Acceptance clause
• PRA-T7 Add or justify test follow-up: Jetson Vitest workflow scheduling
• PRA-T8 Add or justify test follow-up: Ollama installer compatibility path

Findings index

ID	Severity	Category	Location	Required action
PRA-1	Resolve/justify	architecture	—	Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-2	Resolve/justify	architecture	—	Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
PRA-3	Resolve/justify	workflow	.github/workflows/e2e-vitest-scenarios.yaml:2441	Preserve the Jetson enablement source of truth in the new workflow. For example, add an explicit `vars.JETSON_E2E_ENABLED == 'true'` requirement for default selection, or otherwise separate Jetson from the default all-free-standing dispatch while retaining explicit `jobs=jetson-nvmap-gpu-vitest` or `scenarios=jetson-nvmap-gpu` behavior only if maintainers intentionally want that path.
PRA-4	Resolve/justify	security	test/e2e-scenario/live/jetson-nvmap-gpu.test.ts:146	Avoid `curl | sh` in this workflow path if possible: preinstall Ollama on the Jetson runner image, pin and verify a versioned artifact/checksum, or move Docker Hub authentication until after the remote installer step if Docker auth is not needed before then. If preserving the exact reporter workflow is required, document that trust decision in code and keep the credential window as narrow as possible.

Review findings by urgency: 0 required fixes, 4 items to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Source-of-truth review needed: Jetson Vitest workflow scheduling

• Location: not file-specific
• Category: architecture
• Problem: The advisor marked localized patch analysis as needs_followup.
• Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
• Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
• Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
• Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
• Missing regression test: Missing; add a workflow-boundary/support test for default empty dispatch versus Jetson enablement/explicit selectors.
• Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
• Evidence: Legacy nightly Jetson lane includes `vars.JETSON_E2E_ENABLED == 'true'`; new `jetson-nvmap-gpu-vitest` starts with `(inputs.jobs == '' && inputs.scenarios == '')`.

PRA-2 Resolve/justify — Source-of-truth review needed: Ollama installer compatibility path

• Location: not file-specific
• Category: architecture
• Problem: The advisor marked localized patch analysis as needs_followup.
• Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
• Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
• Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
• Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
• Missing regression test: Missing for the credential/installer ordering; add workflow-boundary coverage for the intended invariant, or remove the remote installer from the credential-bearing job.
• Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
• Evidence: `jetson-nvmap-gpu.test.ts` conditionally executes `curl -fsSL https://ollama.com/install.sh | sh 2>&1 || true`.

PRA-3 Resolve/justify — Jetson-only Vitest job runs on default dispatch without the legacy enablement gate

• Location: .github/workflows/e2e-vitest-scenarios.yaml:2441
• Category: workflow
• Problem: The legacy nightly Jetson lane documents that the project does not generally host a Jetson runner and gates the Jetson job behind `vars.JETSON_E2E_ENABLED == 'true'`. The new `jetson-nvmap-gpu-vitest` job uses the shared free-standing condition, so an empty manual dispatch selects it by default and schedules the Jetson-specific runner before the in-test non-Jetson skip can run.
• Impact: A default Vitest E2E dispatch can attempt to use a sensitive self-hosted Jetson/GPU runner path and Docker-enabled live installer path that the existing workflow source of truth kept explicitly disabled unless Jetson E2E was enabled. That is trusted-code-boundary and operational drift from the legacy lane.
• Recommended action: Preserve the Jetson enablement source of truth in the new workflow. For example, add an explicit `vars.JETSON_E2E_ENABLED == 'true'` requirement for default selection, or otherwise separate Jetson from the default all-free-standing dispatch while retaining explicit `jobs=jetson-nvmap-gpu-vitest` or `scenarios=jetson-nvmap-gpu` behavior only if maintainers intentionally want that path.
• Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
• Verification: Read `.github/workflows/nightly-e2e.yaml` around the legacy Jetson lane and compare its `if:` guard with `.github/workflows/e2e-vitest-scenarios.yaml` at `jetson-nvmap-gpu-vitest`; the new condition starts with `(inputs.jobs == '' && inputs.scenarios == '')` and has no `JETSON_E2E_ENABLED` check.
• Missing regression test: Add a workflow-boundary/support test that default empty `workflow_dispatch` does not select `jetson-nvmap-gpu-vitest` unless the Jetson E2E enablement rule is satisfied, and that the intended explicit selector path for `jobs=jetson-nvmap-gpu-vitest` or `scenarios=jetson-nvmap-gpu` remains valid.
• Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `.github/workflows/nightly-e2e.yaml` around the legacy Jetson lane and compare its `if:` guard with `.github/workflows/e2e-vitest-scenarios.yaml` at `jetson-nvmap-gpu-vitest`; the new condition starts with `(inputs.jobs == '' && inputs.scenarios == '')` and has no `JETSON_E2E_ENABLED` check.
• Evidence: `jetson-nvmap-gpu-vitest` is selected by the new free-standing default selector in `.github/workflows/e2e-vitest-scenarios.yaml`, while the legacy nightly Jetson lane uses a separate `vars.JETSON_E2E_ENABLED == 'true'` guard because Jetson hardware is not generally available.

PRA-4 Resolve/justify — Unpinned remote installer runs while workflow Docker auth is available

• Location: test/e2e-scenario/live/jetson-nvmap-gpu.test.ts:146
• Category: security
• Problem: The migrated Vitest test preserves the legacy `curl -fsSL https://ollama.com/install.sh | sh` path. In the new workflow job, Docker Hub authentication happens before the test and `DOCKER_CONFIG` is passed through the fixture environment, so the remote installer runs on a self-hosted Jetson runner while Docker credentials are present in a workspace-scoped Docker config.
• Impact: If the remote installer or its delivery path is compromised, it can execute arbitrary shell code in the live runner context during a credential-bearing job. The job cleans up Docker auth afterward, but cleanup does not reduce exposure while the installer is running.
• Recommended action: Avoid `curl | sh` in this workflow path if possible: preinstall Ollama on the Jetson runner image, pin and verify a versioned artifact/checksum, or move Docker Hub authentication until after the remote installer step if Docker auth is not needed before then. If preserving the exact reporter workflow is required, document that trust decision in code and keep the credential window as narrow as possible.
• Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
• Verification: Read `.github/workflows/e2e-vitest-scenarios.yaml` in the `jetson-nvmap-gpu-vitest` job: `Authenticate to Docker Hub` precedes `Run Jetson nvmap GPU live Vitest test`; then read `test/e2e-scenario/live/jetson-nvmap-gpu.test.ts` around the Ollama install helper for the unpinned `curl | sh` installer.
• Missing regression test: Add workflow-boundary coverage that asserts the Jetson job either does not run remote installers after Docker auth is established, or, if that ordering is intentional, asserts the documented Docker credential isolation/cleanup invariant for the Jetson job-specific `DOCKER_CONFIG`.
• Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `.github/workflows/e2e-vitest-scenarios.yaml` in the `jetson-nvmap-gpu-vitest` job: `Authenticate to Docker Hub` precedes `Run Jetson nvmap GPU live Vitest test`; then read `test/e2e-scenario/live/jetson-nvmap-gpu.test.ts` around the Ollama install helper for the unpinned `curl | sh` installer.
• Evidence: The workflow authenticates to Docker Hub before invoking the live Vitest test, and the live test conditionally executes `curl -fsSL https://ollama.com/install.sh | sh 2>&1 || true` to install Ollama.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

• None.

Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

• PRA-T1 Runtime validation — Workflow-boundary test that default empty dispatch does not select `jetson-nvmap-gpu-vitest` unless the Jetson E2E enablement rule is satisfied.. The PR changes a live sandbox/GPU workflow and a workflow-boundary validator. The new Vitest test covers the Jetson behavior, but the workflow selector and credential/installer boundary need static boundary tests because runner scheduling and credential exposure happen before the live test assertions.
• PRA-T2 Runtime validation — Workflow-boundary test that preserves explicit `jobs=jetson-nvmap-gpu-vitest` and `scenarios=jetson-nvmap-gpu` selection according to the intended Jetson enablement policy.. The PR changes a live sandbox/GPU workflow and a workflow-boundary validator. The new Vitest test covers the Jetson behavior, but the workflow selector and credential/installer boundary need static boundary tests because runner scheduling and credential exposure happen before the live test assertions.
• PRA-T3 Runtime validation — Workflow-boundary test that enforces Jetson job Docker auth isolation with job-specific `DOCKER_CONFIG` and `if: always()` cleanup.. The PR changes a live sandbox/GPU workflow and a workflow-boundary validator. The new Vitest test covers the Jetson behavior, but the workflow selector and credential/installer boundary need static boundary tests because runner scheduling and credential exposure happen before the live test assertions.
• PRA-T4 Runtime validation — Workflow-boundary test that proves remote installer steps do not run after Docker auth is established, or documents and asserts the intended exception.. The PR changes a live sandbox/GPU workflow and a workflow-boundary validator. The new Vitest test covers the Jetson behavior, but the workflow selector and credential/installer boundary need static boundary tests because runner scheduling and credential exposure happen before the live test assertions.
• PRA-T5 Acceptance clause — Install Ollama binary if the provider needs it, while preserving the reporter workflow. — add test evidence or identify existing coverage. The behavior is present via conditional `curl -fsSL https://ollama.com/install.sh | sh`, followed by stopping/killing Ollama, but the remote installer remains unpinned and now runs inside the new Docker-authenticated workflow job.
• PRA-T6 Acceptance clause — Legacy nightly source-of-truth: the Jetson runner lane is gated behind `vars.JETSON_E2E_ENABLED` because the project does not generally host Jetson hardware. — add test evidence or identify existing coverage. The new Vitest job uses the same runner class but does not include the legacy `vars.JETSON_E2E_ENABLED == 'true'` guard and is selected on default empty dispatch.
• PRA-T7 Jetson Vitest workflow scheduling — Missing; add a workflow-boundary/support test for default empty dispatch versus Jetson enablement/explicit selectors.. Legacy nightly Jetson lane includes `vars.JETSON_E2E_ENABLED == 'true'`; new `jetson-nvmap-gpu-vitest` starts with `(inputs.jobs == '' && inputs.scenarios == '')`.
• PRA-T8 Ollama installer compatibility path — Missing for the credential/installer ordering; add workflow-boundary coverage for the intended invariant, or remove the remote installer from the credential-bearing job.. `jetson-nvmap-gpu.test.ts` conditionally executes `curl -fsSL https://ollama.com/install.sh | sh 2>&1 || true`.

Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Source-of-truth review needed: Jetson Vitest workflow scheduling

• Location: not file-specific
• Category: architecture
• Problem: The advisor marked localized patch analysis as needs_followup.
• Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
• Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
• Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
• Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
• Missing regression test: Missing; add a workflow-boundary/support test for default empty dispatch versus Jetson enablement/explicit selectors.
• Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
• Evidence: Legacy nightly Jetson lane includes `vars.JETSON_E2E_ENABLED == 'true'`; new `jetson-nvmap-gpu-vitest` starts with `(inputs.jobs == '' && inputs.scenarios == '')`.

PRA-2 Resolve/justify — Source-of-truth review needed: Ollama installer compatibility path

• Location: not file-specific
• Category: architecture
• Problem: The advisor marked localized patch analysis as needs_followup.
• Impact: A localized workaround can preserve or hide an invalid state when the source boundary is unclear.
• Recommended action: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
• Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
• Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
• Missing regression test: Missing for the credential/installer ordering; add workflow-boundary coverage for the intended invariant, or remove the remote installer from the credential-bearing job.
• Done when: The risk is fixed or explicitly justified in the PR. Verification: Inspect the localized patch and source-of-truth review fields for a concrete invalid state, source boundary, source-fix constraint, regression test, and removal condition.
• Evidence: `jetson-nvmap-gpu.test.ts` conditionally executes `curl -fsSL https://ollama.com/install.sh | sh 2>&1 || true`.

PRA-3 Resolve/justify — Jetson-only Vitest job runs on default dispatch without the legacy enablement gate

• Location: .github/workflows/e2e-vitest-scenarios.yaml:2441
• Category: workflow
• Problem: The legacy nightly Jetson lane documents that the project does not generally host a Jetson runner and gates the Jetson job behind `vars.JETSON_E2E_ENABLED == 'true'`. The new `jetson-nvmap-gpu-vitest` job uses the shared free-standing condition, so an empty manual dispatch selects it by default and schedules the Jetson-specific runner before the in-test non-Jetson skip can run.
• Impact: A default Vitest E2E dispatch can attempt to use a sensitive self-hosted Jetson/GPU runner path and Docker-enabled live installer path that the existing workflow source of truth kept explicitly disabled unless Jetson E2E was enabled. That is trusted-code-boundary and operational drift from the legacy lane.
• Recommended action: Preserve the Jetson enablement source of truth in the new workflow. For example, add an explicit `vars.JETSON_E2E_ENABLED == 'true'` requirement for default selection, or otherwise separate Jetson from the default all-free-standing dispatch while retaining explicit `jobs=jetson-nvmap-gpu-vitest` or `scenarios=jetson-nvmap-gpu` behavior only if maintainers intentionally want that path.
• Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
• Verification: Read `.github/workflows/nightly-e2e.yaml` around the legacy Jetson lane and compare its `if:` guard with `.github/workflows/e2e-vitest-scenarios.yaml` at `jetson-nvmap-gpu-vitest`; the new condition starts with `(inputs.jobs == '' && inputs.scenarios == '')` and has no `JETSON_E2E_ENABLED` check.
• Missing regression test: Add a workflow-boundary/support test that default empty `workflow_dispatch` does not select `jetson-nvmap-gpu-vitest` unless the Jetson E2E enablement rule is satisfied, and that the intended explicit selector path for `jobs=jetson-nvmap-gpu-vitest` or `scenarios=jetson-nvmap-gpu` remains valid.
• Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `.github/workflows/nightly-e2e.yaml` around the legacy Jetson lane and compare its `if:` guard with `.github/workflows/e2e-vitest-scenarios.yaml` at `jetson-nvmap-gpu-vitest`; the new condition starts with `(inputs.jobs == '' && inputs.scenarios == '')` and has no `JETSON_E2E_ENABLED` check.
• Evidence: `jetson-nvmap-gpu-vitest` is selected by the new free-standing default selector in `.github/workflows/e2e-vitest-scenarios.yaml`, while the legacy nightly Jetson lane uses a separate `vars.JETSON_E2E_ENABLED == 'true'` guard because Jetson hardware is not generally available.

PRA-4 Resolve/justify — Unpinned remote installer runs while workflow Docker auth is available

• Location: test/e2e-scenario/live/jetson-nvmap-gpu.test.ts:146
• Category: security
• Problem: The migrated Vitest test preserves the legacy `curl -fsSL https://ollama.com/install.sh | sh` path. In the new workflow job, Docker Hub authentication happens before the test and `DOCKER_CONFIG` is passed through the fixture environment, so the remote installer runs on a self-hosted Jetson runner while Docker credentials are present in a workspace-scoped Docker config.
• Impact: If the remote installer or its delivery path is compromised, it can execute arbitrary shell code in the live runner context during a credential-bearing job. The job cleans up Docker auth afterward, but cleanup does not reduce exposure while the installer is running.
• Recommended action: Avoid `curl | sh` in this workflow path if possible: preinstall Ollama on the Jetson runner image, pin and verify a versioned artifact/checksum, or move Docker Hub authentication until after the remote installer step if Docker auth is not needed before then. If preserving the exact reporter workflow is required, document that trust decision in code and keep the credential window as narrow as possible.
• Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
• Verification: Read `.github/workflows/e2e-vitest-scenarios.yaml` in the `jetson-nvmap-gpu-vitest` job: `Authenticate to Docker Hub` precedes `Run Jetson nvmap GPU live Vitest test`; then read `test/e2e-scenario/live/jetson-nvmap-gpu.test.ts` around the Ollama install helper for the unpinned `curl | sh` installer.
• Missing regression test: Add workflow-boundary coverage that asserts the Jetson job either does not run remote installers after Docker auth is established, or, if that ordering is intentional, asserts the documented Docker credential isolation/cleanup invariant for the Jetson job-specific `DOCKER_CONFIG`.
• Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `.github/workflows/e2e-vitest-scenarios.yaml` in the `jetson-nvmap-gpu-vitest` job: `Authenticate to Docker Hub` precedes `Run Jetson nvmap GPU live Vitest test`; then read `test/e2e-scenario/live/jetson-nvmap-gpu.test.ts` around the Ollama install helper for the unpinned `curl | sh` installer.
• Evidence: The workflow authenticates to Docker Hub before invoking the live Vitest test, and the live test conditionally executes `curl -fsSL https://ollama.com/install.sh | sh 2>&1 || true` to install Ollama.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.