fix(onboard): skip endpoint validation for sandbox-internal hostnames

[prekshivyas]

Summary

• host.openshell.internal and host.docker.internal only resolve from inside the OpenShell sandbox network. Probing them from the host always fails with curl exit 6 ("Could not resolve host"), blocking nemoclaw onboard even though the endpoint is reachable at runtime.
• Add isSandboxInternalUrl() to detect these hostnames in probeOpenAiLikeEndpoint and return an ok: true result with a note instead of running the curl probe.
• The three validator functions in onboard.ts log the note (prefixed with ℹ) so users know validation was skipped rather than silently pretending it passed.
• preferredInferenceApi propagates as null, which getSandboxInferenceConfig already defaults to openai-completions — the most universally supported API for local models (vLLM, Ollama).

Fixes #893.

Before / After

Before:

OpenAI-compatible base URL: http://host.openshell.internal:8001/v1
Other OpenAI-compatible endpoint endpoint validation failed.
Responses API: curl failed (exit 6): curl: (6) Could not resolve host: host.openshell.internal | Chat Completions API: curl failed (exit 6): ...

After:

OpenAI-compatible base URL: http://host.openshell.internal:8001/v1
ℹ host.openshell.internal only resolves inside the sandbox — validation skipped. If the endpoint is unreachable at runtime, re-run onboard with a routable URL.

Test plan

• New unit tests in onboard-inference-probes.test.ts covering isSandboxInternalUrl and the skipped-probe return value for both host.openshell.internal and host.docker.internal
• npm test — 181 test files, 3158 tests, all pass
• Manually reproduced the original failure (curl exit 6) and confirmed the fix bypasses it

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Detect sandbox-internal endpoints (Docker/OpenShell) and skip unnecessary endpoint validation checks, returning an informational note.

• Bug Fixes

  • Improved Local NVIDIA NIM endpoint selection so the correct URL is used during validation.
  • Endpoint validation messages now show probe-provided informational notes for clearer guidance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 53c7267c-a48c-407b-821b-6cacda310c84

📥 Commits

Reviewing files that changed from the base of the PR and between d8040e5 and 0289684.

📒 Files selected for processing (1)

• src/lib/onboard.ts

✅ Files skipped from review due to trivial changes (1)

• src/lib/onboard.ts

---

📝 Walkthrough

Walkthrough

Adds detection for sandbox-only hostnames (e.g., host.docker.internal, host.openshell.internal) and short-circuits OpenAI-like endpoint probing to return success without running curl. Propagates nullable probe API through validation, prints probe notes when present, and prefers local NIM validation base URL where applicable.

Changes

Sandbox-Internal URL Detection & Probe Short-Circuiting

Layer / File(s)	Summary
Utility & Constants src/lib/onboard-inference-probes.ts	Adds SANDBOX_INTERNAL_HOSTS and isSandboxInternalUrl(url) which parses a URL and checks the hostname against the list (returns false on parse failure).
Probe Short-Circuit Logic src/lib/onboard-inference-probes.ts	probeOpenAiLikeEndpoint() now returns early for sandbox-internal URLs with { ok: true, api: null, label: null, note: "..." }, skipping curl validation.
Module Exports src/lib/onboard-inference-probes.ts	Exports isSandboxInternalUrl via module.exports.
Type & Fallback Handling src/lib/onboard.ts	EndpointValidationResult success case now allows `api: string
Validation Helper Updates src/lib/onboard.ts	validateOpenAiLikeSelection() and validateCustomOpenAiLikeSelection() print ℹ <probe.note> when present and return api: probe.api ?? "openai-completions".
NIM Provider URL Selection src/lib/onboard.ts	Local NVIDIA NIM validation uses `getLocalProviderValidationBaseUrl(provider)
Tests src/lib/onboard-inference-probes.test.ts	Adds import of isSandboxInternalUrl and a describe("sandbox-internal URL handling") block testing hostname detection, rejection of normal hostnames, and that probeOpenAiLikeEndpoint short-circuits with the expected ok, api, and note for sandbox-only hosts.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 In a cozy shell where containers sing,
I sniff hostnames and skip the curl ring.
host.docker.internal — a secret key,
Probe says “ok” and sets the API free.
Hoppity hop, validations sing with glee.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and accurately summarizes the main change: skipping endpoint validation for sandbox-internal hostnames to resolve issue #893.
Linked Issues check	✅ Passed	The PR implementation directly addresses issue #893 by detecting sandbox-internal URLs and skipping validation that fails from the host, allowing users to configure self-hosted endpoints.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing #893: adding sandbox URL detection, skipping probes for these URLs, handling null API values, and displaying informational notes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/893-skip-sandbox-internal-host-validation

---

_{Review rate limit: 8/10 reviews remaining, refill in 10 minutes and 18 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ericksoa]

Reviewed current head 300f599. The change is scoped to sandbox-internal OpenAI-compatible endpoint validation, keeps normal localhost/external URL probes intact, defaults skipped probes back to chat completions, and includes focused probe tests. GitHub validation is green.