Description
After fresh install + onboard with cloud OpenAI provider on multiple Linux hosts (Brev cloud + on-prem Ubuntu), OpenClaw TUI inside the sandbox returns "Connection error" when sending any prompt. Sandbox logs show OpenClaw's url-fetch security guard is blocking https://inference.local/v1/responses (the Gateway's own inference proxy route) as a "private/internal/special-use IP address", which prevents both cloud (OpenAI) from working through the TUI.
Environment
Device: Brev cloud (host: brev-ydoa5pmhb), NVIDIA GPU 1x 80GB VRAM
OS: Ubuntu (version not captured — typical Brev base)
Architecture: x86_64
Node.js: v22.22.2
npm: 10.9.7
Docker: not captured (preflight: "Docker is running", "Container runtime: docker")
OpenShell CLI: openshell 0.0.36
NemoClaw: v0.0.26
OpenClaw: 2026.4.9 (0512059)
Environment 2:
Host: local-glennz@2u1g-b650-0082 (Ubuntu host with Docker CE)
NemoClaw: v0.0.26
OpenShell: 0.0.36
OpenClaw: 2026.4.9 (0512059)
Sandbox name: lynn0426
Onboard: OpenAI provider, gpt-5.4-mini, default Balanced policy preset
(local-inference NOT enabled)
Steps to Reproduce
1. On a fresh Linux host with NVIDIA GPU and Docker running, run:
curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_INSTALL_TAG=v0.0.26 bash
2. In the onboard wizard, choose:
- Provider: 2 (OpenAI)
- Model: 2 (gpt-5.4-mini)
- API key: valid OpenAI key
- Sandbox name: lynn0427
- Web search: enable Brave (optional, not required to repro)
- Telegram: enable (optional, not required to repro)
- Policy tier: Balanced (default presets — local-inference is NOT enabled)
3. Wait for sandbox build + Gateway ready.
4. Run: nemoclaw lynn0427 connect
5. Inside sandbox: openclaw tui
6. Type any prompt (e.g. "hello") and press Enter.
Expected Result
TUI displays a valid agent reply via the configured cloud provider (OpenAI gpt-5.4-mini), confirming inference flows TUI -> Gateway (inference.local route) -> OpenAI API.
Actual Result
TUI returns "Connection error." repeatedly for every prompt. Status bar shows: "connected | error" / "agent main | session main (openclaw-tui) | openai/gpt-5.4-mini | tokens ?/131k".
Sandbox logs (nemoclaw lynn0427 logs --follow) show:
[security] blocked URL fetch (url-fetch) reason=Blocked hostname or private/internal/special-use IP address
[agent] embedded run agent end: runId=2d399f3d-... isError=true model=gpt-5.4-mini provider=openai error=LLM request failed: network connection error. rawError=Connection error.
[agent] embedded run failover decision: runId=... stage=assistant decision=surface_error reason=timeout provider=openai/gpt-5.4-mini profile=-
The block + agent error pattern repeats for every prompt. Inference never succeeds.
Logs
Excerpt from nemoclaw lynn0427 logs --follow:
2026-04-27T08:51:24.478+00:00 [security] blocked URL fetch (url-fetch) reason=Blocked hostname or private/internal/special-use IP address
2026-04-27T08:51:24.971+00:00 [security] blocked URL fetch (url-fetch) reason=Blocked hostname or private/internal/special-use IP address
2026-04-27T08:51:25.824+00:00 [security] blocked URL fetch (url-fetch) reason=Blocked hostname or private/internal/special-use IP address
2026-04-27T08:51:25.844+00:00 [agent] embedded run agent end: runId=2d399f3d-e86b-4905-acf2-8964f90e3611 isError=true model=gpt-5.4-mini provider=openai error=LLM request failed: network connection error. rawError=Connection error.
2026-04-27T08:51:43.846+00:00 [agent] embedded run failover decision: runId=2d399f3d-e86b-4905-acf2-8964f90e3611 stage=assistant decision=surface_error reason=timeout provider=openai/gpt-5.4-mini profile=-
Also seen continuously (likely cosmetic / sandbox-locked syscall, may be unrelated):
[guard] os.networkInterfaces() failed: A system error occurred: uv_interface_addresses returned Unknown system error 1 (Unknown system error 1) — returning empty (mDNS disabled)
Onboard policy step (Balanced tier, default selection — local-inference NOT enabled):
[✓] npm [✓] pypi [✓] huggingface [✓] brew [✓] brave [✓] telegram
[ ] discord [ ] github [ ] jira [ ] local-inference [ ] outlook [ ] slack
Environment 2 (Ubuntu host 2u1g-b650-0082, NemoClaw v0.0.26 + OpenClaw 2026.4.9):
2026-04-27T09:26:22.747+00:00 [security] blocked URL fetch (url-fetch)
reason=Blocked hostname or private/internal/special-use IP address
2026-04-27T09:26:24.053+00:00 [agent] embedded run agent end:
runId=9c6de9ae-c6a7-4851-ad30-e20d5a660235 isError=true
model=gpt-5.4-mini provider=openai
error=LLM request failed: network connection error
2026-04-27T09:26:41.851+00:00 [agent] embedded run failover decision: ...
decision=surface_error reason=timeout provider=openai/gpt-5.4-mini
---
Suggested Fix
inference.local is the Gateway's own routing hostname (set during onboard: "Route: inference.local / Provider: openai-api / Model: gpt-5.4-mini"). All TUI inference traffic — including cloud provider calls — flows TUI -> inference.local -> Gateway proxy -> external API. The url-fetch guard appears to resolve inference.local through the sandbox DNS proxy (10.200.0.1) and classify the result as a private/internal address, then deny it.
Possible fixes (engineering decision):
(a) Whitelist the Gateway's managed inference.local route in the url-fetch guard by default.
(b) Auto-enable the local-inference policy preset whenever any inference provider is configured (cloud or local), since inference.local is required regardless of provider type.
(c) Surface a more actionable error in the TUI ("blocked by sandbox policy: enable local-inference preset") instead of generic "Connection error.".
Reproduces on default Balanced policy preset with the most common cloud provider choice.
Breaks the primary install → onboard → TUI → chat user journey end-to-end.
Affects every cloud provider option in the wizard (1, 2, 3, 4, 5, 6) since all cloud inference traffic routes through inference.local.
Bug Details
| Field | Value |
|---|---|
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Inference, NemoClaw_Policy&Network, NemoClaw-SWQA-RelBlckr-Recommended |
[NVB#6115797]
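Added example, not OpenClaw or NemoClaw code: a minimal sketch of fix (a), where a url-fetch guard keeps denying special-use addresses but admits a managed route only when the hostname resolves to exactly its pinned address, so the exception cannot be widened by a changed DNS answer. The route table, the function names, the https requirement, the injected resolver and the address 10.200.0.1 as the route target are assumptions made for illustration.

```javascript
// Special-use IPv4 ranges a fetch guard typically refuses (subset, for illustration).
const SPECIAL_V4 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
                    ['127.0.0.0', 8], ['169.254.0.0', 16], ['100.64.0.0', 10]];

// Dotted quad -> unsigned 32-bit integer, or null when the text is not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isSpecialUse(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // fail closed: IPv6 and unparsable answers are refused here
  return SPECIAL_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the block
    return Math.floor(n / size) === Math.floor(ipv4ToInt(base) / size);
  });
}

// Hypothetical managed-route table: hostname -> the only address it may resolve to.
const MANAGED_ROUTES = new Map([['inference.local', '10.200.0.1']]); // constructed value

// resolve(hostname) -> string[] is injected so the example runs offline.
function checkFetch(rawUrl, resolve, routes = MANAGED_ROUTES) {
  const url = new URL(rawUrl);
  const host = url.hostname.toLowerCase();
  const addrs = ipv4ToInt(host) !== null ? [host] : resolve(host);
  if (addrs.length === 0) return { allowed: false, reason: 'no DNS answer' };
  if (!addrs.some(isSpecialUse)) return { allowed: true, reason: 'public address' };
  const pinned = routes.get(host);
  if (pinned === undefined) {
    // Same outcome as the log line in this report.
    return { allowed: false, reason: 'Blocked hostname or private/internal/special-use IP address' };
  }
  // Hostname match alone is not enough: every answer must equal the pinned address.
  if (url.protocol !== 'https:' || !addrs.every((a) => a === pinned)) {
    return { allowed: false, reason: `managed route ${host} did not match its pinned address` };
  }
  return { allowed: true, reason: `managed route ${host}` };
}

// Constructed DNS answers standing in for the sandbox resolver.
const SAMPLE_DNS = { 'inference.local': ['10.200.0.1'], 'example.com': ['93.184.216.34'],
                     'internal.example': ['192.168.1.5'] };
const sampleResolve = (h) => SAMPLE_DNS[h] || [];
```

With an empty route table the guard reproduces the block reported above; with the pinned entry it admits only https://inference.local answers that match the pin.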