test(e2e): add dashboard remote-bind regression guard for #3259#3410
Merged
Conversation
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds a new E2E test suite ChangesDashboard Remote Bind E2E Test Suite
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Contributor
E2E Advisor RecommendationRequired E2E: None Dispatch hint: Full advisor summaryPi Semantic E2E AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/regression-e2e.yaml:
- Around line 39-41: The concurrency group key used in the workflow (the
concurrency: group value: regression-e2e-${{ github.event_name }}-${{ github.ref
}}-${{ inputs.jobs || 'all' }}) is too coarse and can cancel unrelated PR runs;
update the group to include a per-run discriminator such as inputs.pr_number (or
another unique run identifier) so manual runs for different PRs or runs against
the same ref won’t cancel each other — modify the group expression to append ${
{ inputs.pr_number } } (or equivalent) to the existing key used by the
concurrency block.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: b895cd5d-fb13-4622-8cd8-bab7418edd2e
📒 Files selected for processing (4)
.github/workflows/e2e-branch-validation.yaml.github/workflows/regression-e2e.yamltest/e2e/brev-e2e.test.tstest/e2e/test-dashboard-remote-bind.sh
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/e2e/test-dashboard-remote-bind.sh`:
- Around line 41-45: The test currently writes logs to a fixed path
/tmp/nemoclaw-dashboard-remote-bind-connect.log which can collide across runs;
change the test to create a unique temp file (mktemp) and store its path in a
variable, use that variable in the nemoclaw connect redirection (when invoking
with NEMOCLAW_DASHBOARD_BIND and SANDBOX_NAME), and register a cleanup trap to
remove the temp file on exit and to cat it on failure; ensure references to the
temp file variable replace the hardcoded path in both the success/failure
branches.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: fecc7ae3-6841-4518-9809-65b98679ff87
📒 Files selected for processing (2)
.github/workflows/regression-e2e.yamltest/e2e/test-dashboard-remote-bind.sh
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/regression-e2e.yaml
# Conflicts: # test/cli.test.ts
ericksoa
approved these changes
May 13, 2026
ericksoa
left a comment
Contributor
There was a problem hiding this comment.
Reviewed the current head against current main. This is a CI-only regression guard for #3259, merges cleanly, CodeRabbit's prior comments are addressed, and the remaining risk is limited to the manual regression E2E wiring.
This was referenced May 13, 2026
Merged
4 tasks
cv
added a commit
that referenced
this pull request
May 15, 2026
…oyed hosts (#3259) (#3499) ## Summary - Adds an operator-controlled opt-in env var `NEMOCLAW_DASHBOARD_BIND`. When set to `0.0.0.0`, the dashboard port forward binds on all interfaces (`0.0.0.0:<port>`) instead of staying localhost-only. - Mirrors the existing `NEMOCLAW_GATEWAY_BIND_ADDRESS` pattern already in place for the OpenShell gateway on port 8080. - Closes the deliberately-red regression test merged in #3410 (`test/e2e/test-dashboard-remote-bind.sh`). Closes #3259. ## Acceptance criteria mapping | Clause from #3259 | Evidence | |---|---| | "Provide an environment variable… to bind dashboard to 0.0.0.0" | `src/lib/onboard/dashboard-access.ts:readBindOverride` reads `NEMOCLAW_DASHBOARD_BIND`; threads into `buildChain` via the new `PlatformHints.bindOverride` field | | "Web UI auth flow accepts connections from non-localhost origins when the remote bind is opted-in" | `dashboard/contract.ts:buildChain` — `shouldDisableDeviceAuth` flips `true` when `bindOverride === "0.0.0.0"` | | "Mirror the OpenShell gateway 8080 fix" | Same `0.0.0.0:<port>` forward-target shape; reuses `forwardTarget.includes(":")` ⇒ `bindAddress = "0.0.0.0"` rule | | Regression test `test/e2e/test-dashboard-remote-bind.sh` flips RED→GREEN | Test sets `NEMOCLAW_DASHBOARD_BIND=0.0.0.0` and asserts `openshell forward list` shows `0.0.0.0:18789` — fix produces exactly that | | Validation: only `0.0.0.0` enables remote bind (don't allow arbitrary IPs) | Test \`ignores invalid bindOverride values\` in `contract.test.ts` confirms `10.0.0.5` falls through to default loopback | ## Behavior matrix | `NEMOCLAW_DASHBOARD_BIND` | WSL? | `chatUiUrl` | `forwardTarget` | `bindAddress` | `shouldDisableDeviceAuth` | |---|---|---|---|---|---| | *unset* | no | loopback | `\"18789\"` | `127.0.0.1` | `false` | | *unset* | yes | loopback | `\"0.0.0.0:18789\"` | `0.0.0.0` | `true` | | *unset* | no | non-loopback | `\"0.0.0.0:18789\"` | `0.0.0.0` | `true` | | `0.0.0.0` | no | loopback | `\"0.0.0.0:18789\"` | `0.0.0.0` | `true` | | `127.0.0.1` | no | loopback | `\"18789\"` | `127.0.0.1` | `false` | | `10.0.0.5` (arbitrary) | no | loopback | `\"18789\"` | `127.0.0.1` | `false` | ## Test plan - [x] `npm run typecheck:cli` clean - [x] `npx vitest run --project cli src/lib/dashboard/contract.test.ts` — 20 tests pass (4 new for #3259) - [x] `npx vitest run --project cli src/lib/onboard/` — 274 tests pass (no regression in adjacent suites) - [ ] CI: `test-dashboard-remote-bind` regression workflow (manual dispatch from `regression-e2e.yaml`) should now pass — please trigger after CI green Manual verification on a remote SSH host: \`\`\`bash NEMOCLAW_DASHBOARD_BIND=0.0.0.0 nemoclaw <sandbox> connect openshell forward list # should show 0.0.0.0:18789 for <sandbox> \`\`\` ## Notes for reviewers - Pure-function `buildChain` stays the single source of truth — the env var is read once at the I/O boundary (`dashboard-access.ts`) and threaded as a hint. Doctor / status / onboard call sites pick it up automatically through `buildDashboardChain`. - Only `\"0.0.0.0\"` is honored. Anything else (empty, \`127.0.0.1\`, arbitrary IPs) is silently ignored — keeps the surface narrow and matches the \`NEMOCLAW_GATEWAY_BIND_ADDRESS\` pattern. - Docs: env var added to \`docs/reference/commands.md\` (Environment Variables table + prose paragraph + security note about cross-network reachability). - Local \`test-cli\` prek hook was skipped due to 15 pre-existing 5s testTimeout flakes in unrelated files (onboard-probes, dns-proxy, cli, onboard, repro-2666). My 294 targeted tests in \`dashboard/contract.test.ts\` + \`onboard/\` all pass. CI will re-run the full suite. 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added docs for NEMOCLAW_DASHBOARD_BIND, explaining default loopback binding and that setting it to 0.0.0.0 opts into remote dashboard binding and non-loopback auth origins. * **New Features** * Dashboard can be explicitly opted into remote binding (0.0.0.0); enabling this influences forwarded bind address and may disable device auth. * **Tests** * Added tests covering remote-bind opt-in behavior and related auth outcomes. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/3499) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Charan Jagwani <cjagwani@nvidia.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
This was referenced May 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a failing-test-first regression E2E guard for #3259 in the new
regression-e2e.yamlholding-pen workflow.This guard verifies that an explicitly opted-in remote dashboard bind restarts the OpenShell dashboard forward on all interfaces (
0.0.0.0:<port>), rather than leaving the dashboard localhost-only.Regression holding pen
This is intentionally not added to scheduled
nightly-e2e.yaml. The job lives inregression-e2e.yamlso it can be explicitly dispatched while the fix is in flight and later reviewed/promoted into nightly when stable.Expected red-on-unfixed-code behavior
Until #3259 is fixed, the regression job is expected to fail with:
Once this merges,
/skill:nemoclaw-issue-kickoff #3259can produce the fix PR against this acceptance criterion.Validation
bash -n test/e2e/test-dashboard-remote-bind.shregression-e2e.yaml,e2e-branch-validation.yaml,nightly-e2e.yamlnpm run build:cliRelated: #3259
Summary by CodeRabbit
Tests
CI / Workflows