fix: add auth proxy port to local-inference policy (#709) #2114

Merged: ericksoa merged 4 commits into main from fix/ollama-proxy-port-policy-709, Apr 21, 2026

@ericksoa ericksoa commented Apr 20, 2026

Contributor

Summary

Fixes the remaining open issue in #709 — local Ollama inference from inside sandbox containers returns HTTP 403/401 even with local-inference policy enabled.

Root cause: PR #1922 introduced an authenticated reverse proxy on port 11435, but PR #2000's local-inference policy preset only allows port 11434 (direct Ollama) and 8000 (vLLM). On non-WSL Linux systems, container traffic is routed to port 11435 (src/lib/local-inference.ts:21), which the policy blocks.

Changes:

  • local-inference.yaml: Add port 11435 (auth proxy) endpoint so containers can reach the proxy on non-WSL systems
  • onboard.ts: Upgrade proxy startup failure from a soft warning to a hard error with actionable diagnostics — prevents onboarding from completing with a broken provider config
  • policies.test.ts: Assert port 11435 is present in the preset to prevent regression

Test plan

  • All 79 policy tests pass (including updated port assertion)
  • All 34 local-inference unit tests pass
  • 125/129 onboard tests pass (4 pre-existing timeout failures in unrelated --from test)
  • Ollama proxy recovery tests pass
  • Manual: onboard with Local Ollama on Linux Docker CE, verify inference works through proxy

Summary by CodeRabbit

  • New Features

    • Added support for an additional local inference network endpoint (host internal, port 11435).
  • Bug Fixes

    • Onboarding now fails gracefully when the local auth proxy cannot start and logs actionable diagnostic hints.
  • Tests

    • Updated tests and mocks to validate the new endpoint and the revised onboarding behavior.

…startup error (#709)

The local-inference policy preset only allowed port 11434 (direct Ollama)
but on non-WSL systems containers route through the auth proxy on port
11435. This port mismatch caused HTTP 403/401 errors from inside sandboxes
even with the local-inference policy enabled.

Also upgrades the proxy startup failure from a warning to a hard error
so onboarding does not continue with a broken provider configuration.
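
The port mismatch described above, as an added example that is not code from this PR or the project: a default-deny egress check over constructed presets, plus a regression check that every port a container can be routed to has a policy endpoint. The `PolicyEndpoint` shape, the function names, the host and rules on the 11434 and 8000 entries, and the sample path `/api/generate` are assumptions for illustration.

```typescript
// Added example; types and names are assumptions, not the project's schema.
interface EgressRule { method: string; path: string }
interface PolicyEndpoint {
  host: string; port: number; protocol: string; enforcement: string; allow: EgressRule[];
}

const PROXY_HOST = "host.openshell.internal";
const GET_POST_ANY: EgressRule[] = [
  { method: "GET", path: "/**" },
  { method: "POST", path: "/**" },
];

function endpoint(port: number): PolicyEndpoint {
  return { host: PROXY_HOST, port: port, protocol: "rest", enforcement: "enforce", allow: GET_POST_ANY };
}

// Constructed presets: the ports the PR names, before and after the fix.
const presetBefore: PolicyEndpoint[] = [endpoint(11434), endpoint(8000)];
const presetAfter: PolicyEndpoint[] = [endpoint(11434), endpoint(11435), endpoint(8000)];

// Simplified glob: a pattern ending in "/**" matches every path under its prefix.
function pathMatches(pattern: string, path: string): boolean {
  if (pattern.slice(-3) === "/**") return path.indexOf(pattern.slice(0, -2)) === 0;
  return pattern === path;
}

// Default deny: a request passes only when an endpoint matches host and port
// and one of that endpoint's rules matches method and path.
function isAllowed(policy: PolicyEndpoint[], host: string, port: number, method: string, path: string): boolean {
  return policy.some((e) =>
    e.host === host && e.port === port &&
    e.allow.some((r) => r.method === method && pathMatches(r.path, path)));
}

// Regression check: returns the routed ports that have no policy endpoint.
function uncoveredPorts(policy: PolicyEndpoint[], routedPorts: number[]): number[] {
  return routedPorts.filter((p) => !policy.some((e) => e.host === PROXY_HOST && e.port === p));
}

// Ports container traffic may be sent to: direct Ollama and the auth proxy.
const routedPorts: number[] = [11434, 11435];

console.log("uncovered before fix:", uncoveredPorts(presetBefore, routedPorts));
console.log("uncovered after fix:", uncoveredPorts(presetAfter, routedPorts));
console.log("proxy POST allowed after fix:", isAllowed(presetAfter, PROXY_HOST, 11435, "POST", "/api/generate"));
```

Feeding `routedPorts` from the same constants the routing code uses keeps the policy and the routing logic from drifting apart again.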

coderabbitai Bot commented Apr 20, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: aa962b99-d960-43e4-ab80-10df276544d4

📥 Commits

Reviewing files that changed from the base of the PR and between c168878 and aab6367.

📒 Files selected for processing (1)
  • test/policies.test.ts
✅ Files skipped from review due to trivial changes (1)
  • test/policies.test.ts

Walkthrough

Added a new network policy endpoint for host.openshell.internal:11435. Made Ollama auth-proxy startup detectable by returning boolean from startOllamaAuthProxy() and treating failures as fatal during onboarding. Updated tests to expect the new port and to mock proxy invocation output.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Network Policy Configuration: nemoclaw-blueprint/policies/presets/local-inference.yaml | Added a new network endpoint for host.openshell.internal on port 11435 (protocol: rest, enforcement: enforce) with the same allow rules (GET /**, POST /**). |
| Onboarding / Ollama Proxy: src/lib/onboard.ts | Changed startOllamaAuthProxy() signature to return boolean; on failure it now logs error-level diagnostics (including an lsof port hint) and setupNim() treats a failed start as fatal via process.exit(1). |
| Tests (policy and onboarding mocks): test/policies.test.ts, test/onboard-selection.test.ts | Policy test updated to expect port: 11435. Onboarding tests' runner.runCapture mocks now recognize commands containing -o args= and return "node ollama-auth-proxy.js" to simulate proxy invocation. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I nibble logs and count each port,
A new one blooms beside the fort,
If proxy stumbles, I will cry,
Then hop away — no half-baked try,
11435 — a carrot sortie! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding port 11435 to the local-inference policy for the auth proxy, which is the primary fix addressing the blocked network traffic issue. |


The previous process.exit(1) inside startOllamaAuthProxy broke 4
onboard-selection tests that mock runCapture but not child_process.spawn.
Return a boolean instead and let the onboard flow call sites handle
the failure. Update the 4 Ollama test mocks to handle the ps command
used by isOllamaProxyProcess.
@ericksoa ericksoa self-assigned this Apr 20, 2026
@wscurran wscurran added bug Something fails against expected or documented behavior Local Models labels Apr 20, 2026
@ericksoa ericksoa merged commit e285445 into main Apr 21, 2026
17 checks passed
@wscurran wscurran added area: cli Command line interface, flags, terminal UX, or output area: local-models Local model providers, downloads, launch, or connectivity area: providers Inference provider integrations and provider behavior bug-fix PR fixes a bug or regression and removed Local Models bug Something fails against expected or documented behavior labels Jun 3, 2026