fix(onboard): keep managed Ollama loopback-only

[ericksoa]

Summary

• keep NemoClaw-managed raw Ollama on 127.0.0.1 for native macOS/Linux start and install paths
• configure the Linux systemd drop-in to loopback, repairing older NemoClaw-managed all-interface overrides
• preserve container access through the existing token-gated Ollama auth proxy and add onboarding regressions

Validation

• npm run build:cli
• npm test -- test/onboard-selection.test.ts src/lib/local-inference.test.ts
• npm run lint
• rg -n "ollamaEnv.*0.0.0.0|OLLAMA_HOST=0.0.0.0:${OLLAMA_PORT}|Environment="OLLAMA_HOST=0.0.0.0|OLLAMA_HOST=0.0.0.0:[0-9]+ ollama serve" src/lib/onboard.ts (no matches)

Signed-off-by: Aaron Erickson aerickson@nvidia.com

Summary by CodeRabbit

• Bug Fixes

  • Onboarding now ensures Ollama binds to the loopback interface on non-WSL hosts (macOS Homebrew, Linux, non-systemd fallbacks). If loopback enforcement fails, onboarding aborts early. The prior non-WSL exposure warning was removed.

• Documentation

  • Clarified that LAN access goes through an authenticated reverse proxy and native installs are never exposed without authentication; WSL notes unchanged.

• Tests

  • Added and extended tests for loopback-only startup and the failure path when enforcement cannot be applied.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Non-WSL Ollama startup/install flows now bind Ollama to loopback (127.0.0.1:) instead of 0.0.0.0. Linux systemd installs apply a drop‑in override to force loopback and abort onboarding on failure. Docs, inline comments, tests, and e2e script comments updated; WSL behavior unchanged.

Changes

Ollama Loopback-Only Binding Migration

Layer / File(s)	Summary
Data / Intent src/lib/onboard.ts	Switch intent for OLLAMA_HOST to 127.0.0.1:<port> (loopback) for non-WSL flows.
Core Implementation src/lib/onboard.ts	Apply loopback binding for managed provider launch, Homebrew start, Linux systemd drop‑in override, and non-systemd fallback. Reload systemd and restart Ollama; abort onboarding with non-zero exit if override/apply/restart fails. Remove prior non-WSL exposure warning.
Comments / Small Logic Note src/lib/local-inference.ts	Clarify comment on using host.docker.internal only when the host explicitly exposes Ollama outside the Windows loopback; no runtime change.
Documentation docs/inference/use-local-inference.md	Document that native systemd paths reset NemoClaw-managed systemd to bind Ollama to loopback and that LAN access goes through the bearer-token–protected authenticated proxy; WSL/Windows notes unchanged.
Tests / Assertions test/onboard-selection.test.ts	Add tests asserting managed Ollama is started on loopback (127.0.0.1:11434) and not 0.0.0.0; add failure test when systemd loopback override cannot be applied; update Linux install tests to expect loopback behavior.
E2E Comments test/e2e/test-gpu-e2e.sh, test/e2e/test-gpu-double-onboard.sh	Update Phase 2 comments to state onboarding will restart Ollama on loopback and expose it to containers only via the authenticated proxy; remove prior OLLAMA_HOST=0.0.0.0:11434 guidance.

Sequence Diagram

sequenceDiagram
    actor Container as Docker Container
    participant Proxy as Authenticated Reverse Proxy
    participant Ollama as Ollama (127.0.0.1:11434)

    Container->>Proxy: HTTP request with Bearer token
    Proxy->>Proxy: Validate token
    Proxy->>Ollama: Forward request to loopback
    Ollama->>Proxy: Response
    Proxy->>Container: Return response

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I nudged the daemon snug to loopback land,

Tokens guard the tunnel, warm and planned,
No open gates to the fields outside,
Only the proxy hums as requests glide.
🥕🔒

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main security-focused change: ensuring managed Ollama binds to loopback only, which is the primary objective across all file modifications.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/ollama-loopback-proxy

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/lib/onboard.ts (1)

6194-6206: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail closed if the systemd loopback override cannot be applied.

This path currently ignores override/restart failures, then treats plain reachability as success. That can leave a previously broad bind in place while onboarding continues.

🔧 Suggested guard

-            runShell(
+            const overrideResult = runShell(
               `sudo install -D -m 0644 ${shellQuote(tmpDropIn)} ${shellQuote("/etc/systemd/system/ollama.service.d/override.conf")} && sudo systemctl daemon-reload && sudo systemctl restart ollama`,
               { ignoreError: true },
             );
             cleanupTempDir(tmpDropIn, "nemoclaw-ollama-override");
+            if (overrideResult.status !== 0) {
+              console.error("  Failed to apply Ollama systemd loopback override.");
+              console.error("  Refusing to continue with a potentially non-loopback Ollama bind.");
+              process.exit(1);
+            }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 6194 - 6206, The code currently calls
runShell(..., { ignoreError: true }) to install the systemd override and
immediately continues; change this to fail closed by checking the result of
runShell (or removing ignoreError) and aborting onboarding if the
install/restart fails: capture the runShell return/error when installing the
override in the same block where cleanupTempDir(tmpDropIn,
"nemoclaw-ollama-override") and the subsequent probe loop run, and if runShell
indicates failure then log/throw/exit (so the loop that calls
findReachableOllamaHost() is not treated as success when the override failed).
Ensure the guard references the same symbols: runShell, cleanupTempDir, and
findReachableOllamaHost, and perform a proper failure path (throw or
process.exit) before entering the retry probe loop.

🧹 Nitpick comments (1)

docs/inference/use-local-inference.md (1)

79-79: ⚡ Quick win

Use active voice for this sentence.

Line 79 is passive (“is never exposed”). Rephrase to active voice to match docs style requirements (for example, “On that native path, NemoClaw never exposes Ollama without authentication.”).

As per coding guidelines, "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/inference/use-local-inference.md` at line 79, Replace the passive
sentence "On that native path, Ollama itself is never exposed without
authentication." with an active-voice construction that names the agent (e.g.,
"On that native path, NemoClaw never exposes Ollama without authentication.") so
it conforms to the active-voice guideline; update the sentence wording wherever
the same phrasing appears in the document to use a similar active formulation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/lib/onboard.ts`:
- Around line 6194-6206: The code currently calls runShell(..., { ignoreError:
true }) to install the systemd override and immediately continues; change this
to fail closed by checking the result of runShell (or removing ignoreError) and
aborting onboarding if the install/restart fails: capture the runShell
return/error when installing the override in the same block where
cleanupTempDir(tmpDropIn, "nemoclaw-ollama-override") and the subsequent probe
loop run, and if runShell indicates failure then log/throw/exit (so the loop
that calls findReachableOllamaHost() is not treated as success when the override
failed). Ensure the guard references the same symbols: runShell, cleanupTempDir,
and findReachableOllamaHost, and perform a proper failure path (throw or
process.exit) before entering the retry probe loop.

---

Nitpick comments:
In `@docs/inference/use-local-inference.md`:
- Line 79: Replace the passive sentence "On that native path, Ollama itself is
never exposed without authentication." with an active-voice construction that
names the agent (e.g., "On that native path, NemoClaw never exposes Ollama
without authentication.") so it conforms to the active-voice guideline; update
the sentence wording wherever the same phrasing appears in the document to use a
similar active formulation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 68c2f02e-62e8-47ef-a5d5-ef7d489362a1

📥 Commits

Reviewing files that changed from the base of the PR and between 6c07b82 and e006491.

📒 Files selected for processing (6)

• docs/inference/use-local-inference.md
• src/lib/local-inference.ts
• src/lib/onboard.ts
• test/e2e/test-gpu-double-onboard.sh
• test/e2e/test-gpu-e2e.sh
• test/onboard-selection.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/onboard-selection.test.ts`:
- Line 3879: The test is brittle because credentials.prompt is hard-coded to
return "7" (menu-index dependent); change the stub for credentials.prompt in the
"systemd failure" test to compute and return the correct menu index at runtime
instead of a literal "7" — for example, inspect the provider choice list used by
the onboarding flow (or the array that builds the menu) to find the index of the
desired provider (e.g., the "systemd" or known provider display name) and return
that index as a string; update the stub in the test (the credentials.prompt
replacement) to use that computed index so the test selects the intended
provider regardless of menu ordering.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c94add35-4a01-4551-8632-132cf2fe13fb

📥 Commits

Reviewing files that changed from the base of the PR and between e006491 and 2064cf0.

📒 Files selected for processing (3)

• docs/inference/use-local-inference.md
• src/lib/onboard.ts
• test/onboard-selection.test.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• docs/inference/use-local-inference.md
• src/lib/onboard.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25381402324
Branch: fix/ollama-loopback-proxy
Requested jobs: gpu-e2e,gpu-double-onboard-e2e
Summary: 0 passed, 0 failed, 22 skipped

Job	Result
cloud-e2e	⏭️ skipped
cloud-inference-e2e	⏭️ skipped
cloud-onboard-e2e	⏭️ skipped
deployment-services-e2e	⏭️ skipped
diagnostics-e2e	⏭️ skipped
docs-validation-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-e2e	⏭️ skipped
inference-routing-e2e	⏭️ skipped
messaging-compatible-endpoint-e2e	⏭️ skipped
messaging-providers-e2e	⏭️ skipped
network-policy-e2e	⏭️ skipped
overlayfs-autofix-e2e	⏭️ skipped
rebuild-hermes-e2e	⏭️ skipped
rebuild-openclaw-e2e	⏭️ skipped
sandbox-operations-e2e	⏭️ skipped
sandbox-survival-e2e	⏭️ skipped
shields-config-e2e	⏭️ skipped
skill-agent-e2e	⏭️ skipped
snapshot-commands-e2e	⏭️ skipped
token-rotation-e2e	⏭️ skipped
upgrade-stale-sandbox-e2e	⏭️ skipped

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/lib/onboard.ts (1)

6276-6293: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Verify the listen address after the systemd restart.

This only checks that Ollama is reachable again. A daemon still bound to 0.0.0.0:${OLLAMA_PORT} will also satisfy findReachableOllamaHost(), so onboarding can continue while raw Ollama remains externally exposed. The restart path should inspect the actual listener and fail unless it is loopback-only.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 6276 - 6293, After restarting systemd we
only probe reachability via findReachableOllamaHost(), which will be true even
if Ollama is bound to 0.0.0.0; instead, after the restart loop (and before
continuing) call a check that inspects the actual listener address/port (e.g. by
parsing ss/netstat output or using a local connect+getsockname) to ensure the
process is only bound to loopback: use the same restart path around
runShell()/overrideResult/tmpDropIn and, after findReachableOllamaHost()
succeeds, verify the listener is 127.0.0.1:OLLAMA_PORT (fail and process.exit(1)
if not) so onboarding refuses to continue with a non-loopback bind.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard.ts`:
- Line 6277: The current install command writes tmpDropIn to
/etc/systemd/system/ollama.service.d/override.conf which can overwrite
user-managed drop-ins; change it to install to a NemoClaw-specific filename
(e.g. /etc/systemd/system/ollama.service.d/nemoclaw.conf) instead of
override.conf, update the string that builds the shell command where tmpDropIn
is used, and add a one-time cleanup step that removes the old NemoClaw-managed
override (if present) rather than unconditionally clobbering override.conf;
ensure you still run systemctl daemon-reload and systemctl restart ollama after
the install.

---

Outside diff comments:
In `@src/lib/onboard.ts`:
- Around line 6276-6293: After restarting systemd we only probe reachability via
findReachableOllamaHost(), which will be true even if Ollama is bound to
0.0.0.0; instead, after the restart loop (and before continuing) call a check
that inspects the actual listener address/port (e.g. by parsing ss/netstat
output or using a local connect+getsockname) to ensure the process is only bound
to loopback: use the same restart path around
runShell()/overrideResult/tmpDropIn and, after findReachableOllamaHost()
succeeds, verify the listener is 127.0.0.1:OLLAMA_PORT (fail and process.exit(1)
if not) so onboarding refuses to continue with a non-loopback bind.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: eaf3932d-24dc-4ffb-a182-daeaff9dec87

📥 Commits

Reviewing files that changed from the base of the PR and between 167f681 and 0b434da.

📒 Files selected for processing (2)

• docs/inference/use-local-inference.md
• src/lib/onboard.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid clobbering an existing override.conf.

Writing directly to /etc/systemd/system/ollama.service.d/override.conf will replace any user-managed drop-in already living at that path. That can silently discard unrelated Ollama service customizations. A NemoClaw-specific drop-in filename is safer, with legacy cleanup limited to the old NemoClaw-managed override.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` at line 6277, The current install command writes
tmpDropIn to /etc/systemd/system/ollama.service.d/override.conf which can
overwrite user-managed drop-ins; change it to install to a NemoClaw-specific
filename (e.g. /etc/systemd/system/ollama.service.d/nemoclaw.conf) instead of
override.conf, update the string that builds the shell command where tmpDropIn
is used, and add a one-time cleanup step that removes the old NemoClaw-managed
override (if present) rather than unconditionally clobbering override.conf;
ensure you still run systemctl daemon-reload and systemctl restart ollama after
the install.

[coderabbitai]

♻️ Duplicate comments (1)

test/onboard-selection.test.ts (1)

850-855: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Avoid hard-coded provider indices in the new Ollama tests.

Both stubs still assume the target provider stays at option 7. That makes the tests menu-order dependent again; adding or reordering providers can select the wrong path and hide regressions. Please derive the choice from the rendered menu, like the findInstallOllamaChoice() pattern used below.

Also applies to: 3730-3731, 3767-3772

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/onboard-selection.test.ts` around lines 850 - 855, The test currently
hard-codes provider menu selections by returning "7" from the credentials.prompt
stub (credentials.prompt), which is brittle; replace those hard-coded indices
with logic that inspects the rendered menu text collected in messages and
computes the correct choice string like the existing findInstallOllamaChoice()
helper does. Update the stub(s) that push messages and shift answers to parse
messages (or call findInstallOllamaChoice(messages)) to derive the numeric
choice for the target provider and return that instead of "7"; apply the same
change to the other occurrences referenced (around the findInstallOllamaChoice
usage locations) so tests select the provider dynamically from the menu output.

🧹 Nitpick comments (2)

test/onboard-selection.test.ts (2)

838-845: ⚡ Quick win

Assert the auth-proxy launch too, not just the raw Ollama bind.

Right now this test only inspects shellCommands, so it still passes if the proxy is never started. Capturing child_process.spawn arguments and asserting ollama-auth-proxy is launched after the loopback ollama serve would make the test match its name and cover the container-access guarantee from this PR.

Also applies to: 867-874, 911-922

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/onboard-selection.test.ts` around lines 838 - 845, The test currently
stubs child_process.spawn but never asserts it was called with the auth-proxy,
so update the test to capture spawn invocations (wrap/spy child_process.spawn)
and assert that after the loopback "ollama serve" invocation the code launches
"ollama-auth-proxy" with the expected arguments (e.g., verify the spawn call
sequence and that one call's command/first arg contains "ollama-auth-proxy");
also update the other test stubs that override child_process.spawn/spawnSync in
the same file (the other two test blocks) to use the same capture-and-assert
pattern so each test verifies the proxy was actually started in addition to
inspecting shellCommands.

---

3867-3940: ⚡ Quick win

Add a happy-path systemd override test alongside this fail-closed case.

This covers the refusal path, but it will not catch regressions where the systemd branch “succeeds” with the wrong bind or incorrectly falls back to manual ollama serve. A companion success-path test that records the generated override/restart flow and asserts loopback-only configuration would close the remaining coverage gap here.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/onboard-selection.test.ts` around lines 3867 - 3940, Add a companion
happy-path test to the existing "fails closed when the Linux systemd loopback
override cannot be applied" case: create a new test that uses the same script
scaffolding (reusing setupNim via require(${onboardPath}) and the
runner/credentials/platform stubs) but change runner.runShell/runner.runCapture
behavior to simulate a successful systemd override (e.g., return { status: 0 }
for the "sudo install -D -m 0644" and any restart commands, and ensure systemctl
shows the override applied), run setupNim("systemd-success-test", null) and
assert process exit status is 0 and that stdout/stderr contains the expected
messages indicating the override file was written, systemctl
daemon-reload/restart were invoked, and that the configured bind is
loopback-only (match strings produced by setupNim that indicate 127.0.0.1 or
"loopback" in the override). Use the same helper names (setupNim,
runner.runShell, runner.runCapture, platform.isWsl, credentials.prompt) so the
test mirrors the fail case but verifies the successful branch and generated
override content.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@test/onboard-selection.test.ts`:
- Around line 850-855: The test currently hard-codes provider menu selections by
returning "7" from the credentials.prompt stub (credentials.prompt), which is
brittle; replace those hard-coded indices with logic that inspects the rendered
menu text collected in messages and computes the correct choice string like the
existing findInstallOllamaChoice() helper does. Update the stub(s) that push
messages and shift answers to parse messages (or call
findInstallOllamaChoice(messages)) to derive the numeric choice for the target
provider and return that instead of "7"; apply the same change to the other
occurrences referenced (around the findInstallOllamaChoice usage locations) so
tests select the provider dynamically from the menu output.

---

Nitpick comments:
In `@test/onboard-selection.test.ts`:
- Around line 838-845: The test currently stubs child_process.spawn but never
asserts it was called with the auth-proxy, so update the test to capture spawn
invocations (wrap/spy child_process.spawn) and assert that after the loopback
"ollama serve" invocation the code launches "ollama-auth-proxy" with the
expected arguments (e.g., verify the spawn call sequence and that one call's
command/first arg contains "ollama-auth-proxy"); also update the other test
stubs that override child_process.spawn/spawnSync in the same file (the other
two test blocks) to use the same capture-and-assert pattern so each test
verifies the proxy was actually started in addition to inspecting shellCommands.
- Around line 3867-3940: Add a companion happy-path test to the existing "fails
closed when the Linux systemd loopback override cannot be applied" case: create
a new test that uses the same script scaffolding (reusing setupNim via
require(${onboardPath}) and the runner/credentials/platform stubs) but change
runner.runShell/runner.runCapture behavior to simulate a successful systemd
override (e.g., return { status: 0 } for the "sudo install -D -m 0644" and any
restart commands, and ensure systemctl shows the override applied), run
setupNim("systemd-success-test", null) and assert process exit status is 0 and
that stdout/stderr contains the expected messages indicating the override file
was written, systemctl daemon-reload/restart were invoked, and that the
configured bind is loopback-only (match strings produced by setupNim that
indicate 127.0.0.1 or "loopback" in the override). Use the same helper names
(setupNim, runner.runShell, runner.runCapture, platform.isWsl,
credentials.prompt) so the test mirrors the fail case but verifies the
successful branch and generated override content.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 24d751c3-7f53-4550-a01f-2662473a17c7

📥 Commits

Reviewing files that changed from the base of the PR and between 0b434da and d63f9c9.

📒 Files selected for processing (1)

• test/onboard-selection.test.ts