fix(onboard): propagate NEMOCLAW_PROXY_HOST/PORT to sandbox env (#2424)

[yanyunl1991]

Summary

Fix #2424.

patchStagedDockerfile() already substitutes NEMOCLAW_PROXY_HOST and NEMOCLAW_PROXY_PORT into the staged Dockerfile's ARG defaults at build time, so the resulting image's Config.Env carries the user-supplied values. But the runtime container does not see them: the create command emitted by createSandbox() is

  openshell sandbox create … -- env <whitelist> nemoclaw-start                                                                                                                                                                                                                                                                

and only the env vars listed before nemoclaw-start reach the container — image-baked ENV is not forwarded by this path. The whitelist already covers CHAT_UI_URL, NEMOCLAW_DASHBOARD_PORT, Brave/Slack tokens, but omits the proxy pair.

Effect:

• Build time: Dockerfile ENV / RUN python … step sees the override.
• Runtime: nemoclaw-start.sh:898 reads ${NEMOCLAW_PROXY_HOST:-…},
  sees the var unset, falls back to 10.200.0.1:3128, writes that into
  /tmp/nemoclaw-proxy-env.sh, and HTTPS_PROXY inside the sandbox
  ignores the host override entirely.

Adds the two assignments to the whitelist with the same input validation regex used in patchStagedDockerfile() so build-time and runtime accept identical inputs. Conditional push (only when the host env is present) keeps the default behaviour byte-identical when no override is exported.

Diagnosis trace

End-to-end isolated tracing on a Jetson with reporter's exact inputs
(NEMOCLAW_PROXY_HOST=216.81.245.236, NEMOCLAW_PROXY_PORT=1080):

Stage	Evidence	Status
host env	env | grep NEMOCLAW_PROXY shows both	✓
Dockerfile ARG	Step 38/54 : ARG NEMOCLAW_PROXY_HOST=216.81.245.236	✓
image Config.Env	docker inspect shows the override	✓
sandbox runtime ENV	env | grep NEMOCLAW_PROXY empty	✗ break
/tmp/nemoclaw-proxy-env.sh	wrote default 10.200.0.1:3128	✗ default

The break is between image and runtime container ENV —
openshell sandbox create -- env … cmd only forwards explicitly-listed vars.

Test plan

• Isolated test of unchanged patchStagedDockerfile() against the real project Dockerfile with reporter's inputs — confirms ARG substitution still works (both host and port rewritten correctly).
• End-to-end on Ubuntu 2404 with override exported:
  • HTTPS_PROXY inside sandbox now reads http://216.81.245.236:1080
    (was http://10.200.0.1:3128).
  • /tmp/nemoclaw-proxy-env.sh is written with the override values.
• Regression check with no env exported:
  • Build still emits ARG NEMOCLAW_PROXY_HOST=10.200.0.1 /
    ARG NEMOCLAW_PROXY_PORT=3128.
  • Onboard reaches [8/8] without changes to default behaviour.

Summary by CodeRabbit

• Bug Fixes
  • Sandbox creation now correctly respects and validates custom proxy host and port, preventing silent fallback to a default proxy.
  • Proxy settings are reliably forwarded into the sandbox environment so containers use the intended network proxy configuration.
  • Dockerfile argument substitutions for proxy values are now conditionally applied based on validation, reducing misconfigured builds.

---

Signed-off-by: Yanyun Liao yanyunl@nvidia.com

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cd9a884a-4b42-4a5a-985f-cc1c569101bb

📥 Commits

Reviewing files that changed from the base of the PR and between c819d49 and d3e6bb8.

📒 Files selected for processing (1)

• src/lib/onboard.ts

---

📝 Walkthrough

Walkthrough

Adds centralized validation for NEMOCLAW_PROXY_HOST and NEMOCLAW_PROXY_PORT, uses it to gate Dockerfile ARG substitutions, and forwards validated proxy host/port into the sandbox runtime environment passed to openshell sandbox create.

Changes

Cohort / File(s)	Summary
Onboard proxy handling src/lib/onboard.ts	Introduces isValidProxyHost/isValidProxyPort validators, removes local regexes from Dockerfile patching, conditions ARG substitutions on validation, and expands createSandbox() to explicitly pass validated NEMOCLAW_PROXY_HOST and NEMOCLAW_PROXY_PORT into the sandbox creation command environment.

Sequence Diagram(s)

sequenceDiagram
  participant UserEnv as User env vars
  participant Onboard as onboard script
  participant Dockerfile as staged Dockerfile
  participant Openshell as openshell sandbox create
  participant Sandbox as runtime container

  UserEnv->>Onboard: NEMOCLAW_PROXY_HOST/PORT set
  Onboard->>Onboard: validate via isValidProxyHost/Port
  alt valid
    Onboard->>Dockerfile: optionally substitute ARGs
    Onboard->>Openshell: pass env args (--env NEMOCLAW_PROXY_HOST/PORT)
    Openshell->>Sandbox: start container with provided env
    Sandbox->>Sandbox: HTTP_PROXY/HTTPS_PROXY set from env
  else invalid
    Onboard->>Openshell: create sandbox without proxy env
    Sandbox->>Sandbox: uses baked/default proxy values
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I checked each host and port with care,

Hop-scoped regex guarding the air;
Into the sandbox I carry the key,
No more defaults — your proxy rides with me! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: propagating NEMOCLAW_PROXY_HOST/PORT to sandbox environment variables, which directly addresses the issue.
Linked Issues check	✅ Passed	The code changes successfully implement the fix for issue #2424 by adding centralized proxy validation and forwarding validated proxy variables into sandbox runtime environment.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the proxy propagation issue; no unrelated modifications detected outside the scope of issue #2424.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/propagate-proxy-env-to-sandbox-2424

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lib/onboard.ts`:
- Around line 3601-3609: The current validation allows IPv6 (colons) and
out-of-range ports; update PROXY_HOST_RE to disallow colons (remove ":" from
/^[A-Za-z0-9._:-]+$/) so only hostnames/IPv4-like labels are accepted (e.g.
/^[A-Za-z0-9._-]+$/), and replace the loose PROXY_PORT_RE check with a numeric
range check: after reading sandboxProxyPort parse it to an integer and only
accept (0 <= port <= 65535) before calling formatEnvAssignment; apply the
identical tightened host and port validation logic in patchStagedDockerfile()
(use the same PROXY_HOST_RE/port numeric check and formatEnvAssignment calls) so
build-time and runtime proxy values are validated the same way.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fd6ab830-9ef1-4df7-b396-d7b7c3aa96bd

📥 Commits

Reviewing files that changed from the base of the PR and between 01d8d9c and c819d49.

📒 Files selected for processing (1)

• src/lib/onboard.ts