feat(cli): add sandbox host alias commands (Fixes #2040)

[deepujain]

Summary

Operators currently have to drop to docker exec and kubectl patch to manage sandbox hostAliases. This adds a supported NemoClaw CLI surface for that workflow.

The new commands let users add, list, and remove host aliases on the Sandbox resource, with validation for hostnames, IP addresses, duplicates, and dry-run output.

Changes

• src/nemoclaw.ts: add hosts-add, hosts-list, and hosts-remove sandbox actions backed by kubectl patch through the NemoClaw k3s container.
• test/cli.test.ts: cover host alias patch construction and list output.
• docs/reference/commands.md: document the new commands and --dry-run behavior.

Testing

• npm run build:cli passed
• npm run typecheck:cli passed
• npm test -- test/cli.test.ts passed
• npm test was also attempted. The full suite is not green on current main in this environment; failures are in existing installer/onboard/legacy-guard tests outside this CLI addition.

Evidence it works

The CLI test stubs the same docker exec openshell-cluster-nemoclaw kubectl ... path used by existing host-side sandbox helpers, then verifies that hosts-add writes the expected merge patch to spec.podTemplate.spec.hostAliases and hosts-list prints configured aliases.

Fixes #2040

Signed-off-by: Deepak Jain deepujain@gmail.com

Summary by CodeRabbit

• New Features

  • Added three host-alias CLI commands: hosts-add (validates host/IP, rejects case-insensitive duplicates, merges or creates IP entries, supports --dry-run), hosts-list (displays configured IP → hostnames), and hosts-remove (removes hostnames, drops empty entries, supports --dry-run).

• Documentation

  • Added CLI reference sections with usage and examples for the new commands.

• Tests

  • Added tests for add/list/remove behavior, duplicate handling, dry-run previews, retries, and update semantics.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds three sandbox-scoped CLI actions—hosts-add, hosts-list, hosts-remove—that read and modify Kubernetes spec.podTemplate.spec.hostAliases via docker exec + kubectl. Commands validate hostnames/IPs, prevent duplicates, support --dry-run, and include tests and documentation updates.

Changes

Cohort / File(s)	Summary
Documentation docs/reference/commands.md	Adds reference docs for nemoclaw <name> hosts-add, hosts-list, and hosts-remove with usage, validation rules, --dry-run behavior, and examples targeting spec.podTemplate.spec.hostAliases.
CLI Implementation src/nemoclaw.ts	Implements the three subcommands: hostname normalization/validation (label regex & length), IP validation via net.isIP, case-insensitive duplicate checks, merge/remove logic for hostAliases, --dry-run preview, JSON-patch creation (including optional test against metadata.resourceVersion), apply with conflict detection and up to 3 retries, and updates dispatcher/help text.
Command Registry src/lib/command-registry.ts	Registers the three new sandbox-scoped commands under the existing help group so they appear in listings and usage output.
Tests test/cli.test.ts	Adds stubs for docker/kubectl responses and tests for hosts-list, hosts-add, and hosts-remove: verifies patch JSON (with test + replace ops), rejects case-insensitive duplicates, validates --dry-run (no patch), failures on unknown flags, and retry-on-conflict behavior.

Sequence Diagram(s)

sequenceDiagram
  participant User as "User (CLI)"
  participant Nemoclaw as "nemoclaw CLI\n(src/nemoclaw.ts)"
  participant Docker as "Docker (container exec)"
  participant KubeAPI as "kube-apiserver\n(Sandbox CR)"
  rect rgba(200,230,201,0.5)
    User->>Nemoclaw: run hosts-add / hosts-list / hosts-remove
  end
  Nemoclaw->>Docker: docker exec openshell-cluster-nemoclaw kubectl get sandbox/<name> -o json
  Docker->>KubeAPI: kubectl GET request (Sandbox CR)
  KubeAPI-->>Docker: Sandbox CR JSON (includes spec.podTemplate.spec.hostAliases)
  Docker-->>Nemoclaw: Sandbox JSON
  Nemoclaw->>Nemoclaw: validate hostname/IP, compute new hostAliases list or removal
  alt dry-run
    Nemoclaw-->>User: print computed JSON patch / preview (no kubectl patch)
  else apply
    Nemoclaw->>Docker: docker exec ... kubectl patch sandbox/<name> --type=json -p '<patch>'
    Docker->>KubeAPI: kubectl PATCH request
    KubeAPI-->>Docker: patch response (may indicate conflict)
    Docker-->>Nemoclaw: patch result
    Nemoclaw-->>User: success or retry on conflict (up to 3 attempts)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through manifests at night,

Lowercased names and checked each bite;
A dry-run whispers what I'll do,
Then patch in three small tries or two;
Now hosts will find their way anew.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding three new sandbox host alias CLI commands (hosts-add, hosts-list, hosts-remove) and references the resolved issue #2040.
Linked Issues check	✅ Passed	The PR implements all required coding objectives from issue #2040: hosts-add/list/remove commands, IP/hostname validation, duplicate prevention, lowercase normalization, --dry-run support, resource-version patching, and error/retry handling.
Out of Scope Changes check	✅ Passed	All changes (src/nemoclaw.ts, test/cli.test.ts, src/lib/command-registry.ts, docs/reference/commands.md) are directly scoped to implementing the host alias management commands and their documentation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

test/cli.test.ts (1)

445-538: Add one regression test for removal and one for duplicate rejection.

The new command family adds hosts-remove, duplicate-hostname validation, and --dry-run, but this file only exercises happy-path add/list. A bug in removal or duplicate handling would still ship green.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/cli.test.ts` around lines 445 - 538, Add regression tests covering
hosts-remove and duplicate-hostname rejection (and exercise --dry-run) because
current tests only cover add/list; add one test that uses runWithEnv to call
"alpha hosts-remove searxng.local" and assert exit code 0, expected docker patch
includes removal of the hostname (check log contains "patch" and the JSON patch
from log shows the hostname removed from spec.podTemplate.spec.hostAliases), and
another test that calls "alpha hosts-add searxng.local 192.168.1.105" twice (or
calls hosts-add with an existing hostname) and asserts a non-zero exit code and
an error message about duplicate hostnames (and verify no docker patch applied);
also add a short test asserting that using "--dry-run" with
hosts-add/hosts-remove returns success and prints the intended patch without
invoking docker side effects (inspect docker log or absence thereof) — use
runWithEnv, the CLI commands "hosts-remove" and "hosts-add", the "--dry-run"
flag, and the existing log inspection pattern to locate JSON patches in the
docker log.

docs/reference/commands.md (1)

375-399: Format hostAliases as code and keep “sandbox” lowercase in prose.

Line 375 uses Sandbox in prose, and Lines 379 and 399 mention hostAliases without inline code formatting. As per coding guidelines, "sandbox (unless starting a sentence)" and "CLI commands, file paths, flags, parameter names, and values must use inline code formatting."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/reference/commands.md` around lines 375 - 399, Update the prose to use
lowercase "sandbox" (unless it begins a sentence) and wrap all occurrences of
hostAliases in inline code formatting; specifically change the standalone
"Sandbox" mention to "sandbox" and replace bare hostAliases references with
`hostAliases`, and ensure CLI usages and flags like `nemoclaw my-assistant
hosts-list`, `nemoclaw my-assistant hosts-remove searxng.local`, and `--dry-run`
are written with inline code formatting for consistency.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/nemoclaw.ts`:
- Around line 2210-2227: getSandboxResource currently calls execFileSync
directly which can hang or throw; wrap the call to execFileSync in a try/catch,
pass a timeout option (e.g. { timeout: <ms>, encoding: 'utf-8', stdio: [...] })
to avoid indefinite hangs, and handle errors from execFileSync by converting
them into a controlled CLI error path (return null or throw a custom Error with
a descriptive message and include the original error.stdout/stderr when
available). Apply the same pattern wherever execFileSync is used in this file so
callers receive a predictable error instead of an uncaught exception or a hung
process.
- Around line 2280-2318: The add/remove paths are comparing raw host strings
which allows mixed-case duplicates; normalize hostnames to lowercase before
validation, comparison, and storage. In sandboxHostsAdd: immediately set
hostname = hostname.toLowerCase() (or rebuild aliases with alias.hostnames =
alias.hostnames.map(h => h.toLowerCase())) before calling
validateHostAliasHostname and before the aliases.some / existing checks, and
push the lowercased hostname when adding to an alias; ensure patchHostAliases
receives the normalized hostnames. Apply the same lowercase normalization logic
in the hosts-remove implementation (the code around the corresponding remove
function) so comparisons and removals use the same normalized form.

---

Nitpick comments:
In `@docs/reference/commands.md`:
- Around line 375-399: Update the prose to use lowercase "sandbox" (unless it
begins a sentence) and wrap all occurrences of hostAliases in inline code
formatting; specifically change the standalone "Sandbox" mention to "sandbox"
and replace bare hostAliases references with `hostAliases`, and ensure CLI
usages and flags like `nemoclaw my-assistant hosts-list`, `nemoclaw my-assistant
hosts-remove searxng.local`, and `--dry-run` are written with inline code
formatting for consistency.

In `@test/cli.test.ts`:
- Around line 445-538: Add regression tests covering hosts-remove and
duplicate-hostname rejection (and exercise --dry-run) because current tests only
cover add/list; add one test that uses runWithEnv to call "alpha hosts-remove
searxng.local" and assert exit code 0, expected docker patch includes removal of
the hostname (check log contains "patch" and the JSON patch from log shows the
hostname removed from spec.podTemplate.spec.hostAliases), and another test that
calls "alpha hosts-add searxng.local 192.168.1.105" twice (or calls hosts-add
with an existing hostname) and asserts a non-zero exit code and an error message
about duplicate hostnames (and verify no docker patch applied); also add a short
test asserting that using "--dry-run" with hosts-add/hosts-remove returns
success and prints the intended patch without invoking docker side effects
(inspect docker log or absence thereof) — use runWithEnv, the CLI commands
"hosts-remove" and "hosts-add", the "--dry-run" flag, and the existing log
inspection pattern to locate JSON patches in the docker log.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 98b468fa-caf4-4daa-861e-3e526ddbe997

📥 Commits

Reviewing files that changed from the base of the PR and between dc02013 and d7cb1cc.

📒 Files selected for processing (3)

• docs/reference/commands.md
• src/nemoclaw.ts
• test/cli.test.ts

[deepujain]

Hardened the host-alias commands with kubectl timeouts/errors, lowercase hostname normalization, remove/duplicate/dry-run coverage, and the docs formatting cleanup. Reran npm run build:cli, npm run typecheck:cli, and npm test -- test/cli.test.ts.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/nemoclaw.ts`:
- Around line 2234-2272: The current read-modify-write in
getSandboxResource/getHostAliases/patchHostAliases can clobber concurrent
updates because patchHostAliases sends the full hostAliases array; change to an
optimistic-concurrency retry or targeted patch: when fetching the sandbox via
getSandboxResource also capture metadata.resourceVersion, then when updating
call kubectl patch with either a JSON Patch that tests the captured
resourceVersion first (or a strategic merge patch that modifies only the
specific hostAliases entry) and retry the read-modify-patch cycle on conflict
(loop a few times) until success; update references in getSandboxResource,
getHostAliases and patchHostAliases (and the other occurrences noted) to use
resource.metadata.resourceVersion and a test+replace JSON Patch or per-entry
merge so you don't overwrite unrelated concurrent changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c9b6d999-e5a3-428b-a5f0-5d167e851761

📥 Commits

Reviewing files that changed from the base of the PR and between d7cb1cc and ddb6de5.

📒 Files selected for processing (3)

• docs/reference/commands.md
• src/nemoclaw.ts
• test/cli.test.ts

✅ Files skipped from review due to trivial changes (1)

• docs/reference/commands.md

🚧 Files skipped from review as they are similar to previous changes (1)

• test/cli.test.ts

[deepujain]

Added resource-version guarded JSON patching for host aliases, made dry-run print the same patch shape, and covered the retry path. Reran npm run build:cli, npm run typecheck:cli, and npm test -- test/cli.test.ts.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/nemoclaw.ts (1)

2215-2252: Consolidate duplicated kubectl execution wrappers.

runKubectlInCluster and runKubectlInClusterForPatch duplicate command construction/options. This is easy to drift over time (timeouts, stdio, namespace, container).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/nemoclaw.ts` around lines 2215 - 2252, The two functions
runKubectlInCluster and runKubectlInClusterForPatch duplicate execFileSync
invocation and options; extract a single helper (e.g., runKubectlInClusterBase
or runKubectlInClusterWithBehavior) that constructs and calls execFileSync using
K3S_CONTAINER, namespace "openshell", and HOST_ALIAS_KUBECTL_TIMEOUT_MS with the
shared stdio/encoding/timeout object, and accept a behavior flag or callback to
control error handling; then make runKubectlInCluster call the new helper and on
catch call throwKubectlError(action, error), and make
runKubectlInClusterForPatch call the new helper but rethrow the error (or return
the raw exec result) so existing semantics remain unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/nemoclaw.ts`:
- Around line 2359-2363: The hosts-add/hosts-remove flag parsing currently
strips all args starting with "-" which silently ignores typos; update the
parsing around args/dryRun/values (the block that sets const dryRun =
args.includes("--dry-run"); const values = args.filter((arg) =>
!arg.startsWith("-")); const [rawHostname, ip] = values) to explicitly validate
flags: compute unknownFlags = args.filter(a => a.startsWith("-") && a !==
"--dry-run"), and if unknownFlags.length > 0 print a clear usage/error message
and exit non‑zero; keep the existing dryRun behavior and the same hostname/ip
validation, and apply the identical validation change to the analogous
hosts-remove block around lines 2403-2407 so unknown flags are rejected for both
commands.

---

Nitpick comments:
In `@src/nemoclaw.ts`:
- Around line 2215-2252: The two functions runKubectlInCluster and
runKubectlInClusterForPatch duplicate execFileSync invocation and options;
extract a single helper (e.g., runKubectlInClusterBase or
runKubectlInClusterWithBehavior) that constructs and calls execFileSync using
K3S_CONTAINER, namespace "openshell", and HOST_ALIAS_KUBECTL_TIMEOUT_MS with the
shared stdio/encoding/timeout object, and accept a behavior flag or callback to
control error handling; then make runKubectlInCluster call the new helper and on
catch call throwKubectlError(action, error), and make
runKubectlInClusterForPatch call the new helper but rethrow the error (or return
the raw exec result) so existing semantics remain unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 97a9f190-d76d-425b-8e17-e0ad537f387b

📥 Commits

Reviewing files that changed from the base of the PR and between ddb6de5 and 1afd7ca.

📒 Files selected for processing (3)

• docs/reference/commands.md
• src/nemoclaw.ts
• test/cli.test.ts

✅ Files skipped from review due to trivial changes (1)

• docs/reference/commands.md

[wscurran]

✨ Thanks for submitting this pull request that proposes a way to add sandbox host alias commands to the NemoClaw CLI. This identifies an enhancement to the CLI and proposes a change to manage host aliases, which will improve the usability of the sandbox resource.

---

Related open issues:

• #2040 [CLI] no CLI surface for sandbox hostAliases management; operators must docker exec + kubectl patch

[deepujain]

Rebased on latest main and resolved the command-registry conflict. Host alias help now flows through the registry, kubectl execution uses one wrapper, and unknown host flags fail fast. npm run build:cli and npm test -- test/cli.test.ts pass.

[deepujain]

Rebased on latest main and resolved the CLI/test conflicts. npm run build:cli and npm test -- test/cli.test.ts pass.

[coderabbitai]

🧹 Nitpick comments (2)

src/nemoclaw.ts (1)

2946-2948: Optional: inline the patch raw-call helper to reduce indirection.

runKubectlInClusterForPatch() currently forwards directly to runKubectlInClusterRaw() without adding behavior. You can inline this call in patchHostAliases() for simpler flow.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/nemoclaw.ts` around lines 2946 - 2948, runKubectlInClusterForPatch is a
trivial forwarder to runKubectlInClusterRaw and should be inlined to reduce
indirection: replace calls to runKubectlInClusterForPatch(...) inside
patchHostAliases with direct calls to runKubectlInClusterRaw(...), then remove
the runKubectlInClusterForPatch function declaration; ensure any callers
(patchHostAliases) keep the same argument shape and behavior when switching to
runKubectlInClusterRaw.

test/cli.test.ts (1)

803-905: Reduce duplicated registry fixture setup in host-alias tests

adds host aliases... and lists host aliases... still inline the same sandbox-registry JSON setup instead of reusing writeHostAliasRegistry, which increases maintenance cost.

♻️ Suggested simplification

-    const registryDir = path.join(home, ".nemoclaw");
     fs.mkdirSync(localBin, { recursive: true });
-    fs.mkdirSync(registryDir, { recursive: true });
-    fs.writeFileSync(
-      path.join(registryDir, "sandboxes.json"),
-      JSON.stringify({
-        sandboxes: {
-          alpha: {
-            name: "alpha",
-            model: "test-model",
-            provider: "nvidia-prod",
-            gpuEnabled: false,
-            policies: [],
-          },
-        },
-        defaultSandbox: "alpha",
-      }),
-      { mode: 0o600 },
-    );
+    writeHostAliasRegistry(home);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/cli.test.ts` around lines 803 - 905, Both tests duplicate the same
sandbox registry JSON creation; replace the inline fs.writeFileSync registry
setup in the "adds host aliases..." and "lists host aliases..." tests with a
call to the helper writeHostAliasRegistry to reuse the fixture. Concretely,
remove the block that writes sandboxes.json (the fs.writeFileSync targeting
path.join(registryDir, "sandboxes.json")) and instead call
writeHostAliasRegistry(home, "alpha") (or the existing writeHostAliasRegistry
signature used elsewhere in the test suite) before running runWithEnv, keeping
the rest of each test (local docker stub, runWithEnv, and assertions) unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/nemoclaw.ts`:
- Around line 2946-2948: runKubectlInClusterForPatch is a trivial forwarder to
runKubectlInClusterRaw and should be inlined to reduce indirection: replace
calls to runKubectlInClusterForPatch(...) inside patchHostAliases with direct
calls to runKubectlInClusterRaw(...), then remove the
runKubectlInClusterForPatch function declaration; ensure any callers
(patchHostAliases) keep the same argument shape and behavior when switching to
runKubectlInClusterRaw.

In `@test/cli.test.ts`:
- Around line 803-905: Both tests duplicate the same sandbox registry JSON
creation; replace the inline fs.writeFileSync registry setup in the "adds host
aliases..." and "lists host aliases..." tests with a call to the helper
writeHostAliasRegistry to reuse the fixture. Concretely, remove the block that
writes sandboxes.json (the fs.writeFileSync targeting path.join(registryDir,
"sandboxes.json")) and instead call writeHostAliasRegistry(home, "alpha") (or
the existing writeHostAliasRegistry signature used elsewhere in the test suite)
before running runWithEnv, keeping the rest of each test (local docker stub,
runWithEnv, and assertions) unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8b1474f7-7ac6-4ccd-84fd-97ba49ce5e90

📥 Commits

Reviewing files that changed from the base of the PR and between 78fc006 and 1525887.

📒 Files selected for processing (4)

• docs/reference/commands.md
• src/lib/command-registry.ts
• src/nemoclaw.ts
• test/cli.test.ts

✅ Files skipped from review due to trivial changes (1)

• docs/reference/commands.md

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/command-registry.ts

[deepujain]

Cleaned up the last CodeRabbit nits on the host-alias branch. npm run build:cli and npm test -- test/cli.test.ts pass.

[deepujain]

Rebased on latest main and tightened the host-alias retry test for strict typecheck. npm run build:cli, npm run typecheck:cli, and npm test -- test/cli.test.ts pass.

[deepujain]

Rebased onto current main and resolved the TS/CLI conflicts in the host-alias branch. Build, CLI typecheck, and the focused CLI test file pass locally.