feat(onboard): disable GPU sandbox passthrough by default on Jetson

[paritoshd-nv]

GPU sandbox passthrough through the OpenShell Docker driver currently fails on Jetson (L4T R39). Until this is fixed, default NEMOCLAW_SANDBOX_GPU to "0" on Jetson so a fresh nemoclaw onboard completes without manual host workarounds. Explicit NEMOCLAW_SANDBOX_GPU=1 or --gpu still opts in.

Preflight emits a short note on Jetson explaining the default and suppresses the misleading lspci-driven "install NVIDIA drivers and the Container Toolkit" hint on a host where drivers are already installed.

Summary

Related Issue

Changes

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Your Name your-email@example.com

Summary by CodeRabbit

• New Features

  • Wizard now displays a note about GPU sandbox passthrough default behavior on Jetson devices.

• Bug Fixes

  • GPU sandbox passthrough defaults to disabled on Jetson platforms unless explicitly enabled by the user (flag or env).

• Tests

  • Added a unit test ensuring Jetson defaults to CPU (GPU disabled) unless explicitly opted into GPU.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9d913cfd-b888-4f35-8233-6b0b29ccc848

📥 Commits

Reviewing files that changed from the base of the PR and between ef40a66 and 65a1761.

📒 Files selected for processing (3)

• src/lib/onboard.ts
• src/lib/onboard/sandbox-gpu-mode.ts
• test/onboard.test.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• test/onboard.test.ts
• src/lib/onboard.ts

---

📝 Walkthrough

Walkthrough

GPU sandbox configuration is factored into a new resolver and applied in onboarding. On Jetson, sandbox GPU passthrough now defaults to disabled when unset; onboarding prints a platform-specific note. A unit test validates the default and explicit opt-in behaviors.

Changes

Jetson GPU Sandbox Defaults

Layer / File(s)	Summary
Sandbox GPU mode resolver src/lib/onboard/sandbox-gpu-mode.ts	Adds SandboxGpuMode/SandboxGpuFlag and resolveSandboxGpuMode which computes `"auto"
Onboard integration and messaging src/lib/onboard.ts	Imports the resolver/types, uses resolveSandboxGpuMode({ envMode, gpu, flag: options.flag }) in resolveSandboxGpuConfig, and adds onboarding messaging noting sandbox GPU passthrough is disabled by default on Jetson when passthrough is not enabled.
Unit test for Jetson defaulting test/onboard.test.ts	Adds a test asserting Jetson defaults to GPU disabled when NEMOCLAW_SANDBOX_GPU is unset and that explicit opt-in via env or flag: "enable" enables GPU.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Docker, OpenShell, Platform: ARM64, Sandbox

Suggested reviewers

• ericksoa
• cv
• jyaunches

Poem

🐰 In Jetson sands I hop and peep,
Default to CPU, safe and neat.
A resolver born to mind the place,
Flags can whisper, env can trace,
Tests nod yes — the logic's neat!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: disabling GPU sandbox passthrough by default on Jetson platforms, which is the primary objective of the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/onboard.test.ts (1)

389-398: ⚡ Quick win

Add an explicit invalid-env fallback assertion for Jetson.

This test locks the unset and opt-in paths, but not the Jetson invalid-value fallback mentioned in the behavior change. Please add one assertion for an invalid value (e.g., "invalid"), expecting GPU to stay disabled.

Suggested test addition

   it("defaults to CPU sandbox on Jetson when NEMOCLAW_SANDBOX_GPU is unset", () => {
     const jetson = { type: "nvidia", platform: "jetson" as const };
     expect(resolveSandboxGpuConfig(jetson, { env: {} }).sandboxGpuEnabled).toBe(false);
+    expect(
+      resolveSandboxGpuConfig(jetson, { env: { NEMOCLAW_SANDBOX_GPU: "invalid" } })
+        .sandboxGpuEnabled,
+    ).toBe(false);
     // Explicit env opt-in still wins over the platform default.
     expect(
       resolveSandboxGpuConfig(jetson, { env: { NEMOCLAW_SANDBOX_GPU: "1" } }).sandboxGpuEnabled,
     ).toBe(true);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/onboard.test.ts` around lines 389 - 398, Add an assertion to the
existing Jetson test that verifies an explicitly invalid NEMOCLAW_SANDBOX_GPU
value falls back to GPU disabled: call resolveSandboxGpuConfig with the same
jetson object and env: { NEMOCLAW_SANDBOX_GPU: "invalid" } and assert
.sandboxGpuEnabled is false; place this alongside the other expectations in the
"defaults to CPU sandbox on Jetson..." test so it covers the invalid-env
fallback for the resolveSandboxGpuConfig behavior (use the existing symbols
resolveSandboxGpuConfig, sandboxGpuEnabled).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard.ts`:
- Around line 1291-1294: The new Jetson-only passthrough logic (checking
gpu?.platform === "jetson" and setting mode = "0" when envMode === null) expands
src/lib/onboard.ts and must be moved or compacted; extract this into a small
helper under src/lib/onboard (e.g., a function like isJetsonDisableGPU(gpu,
envMode) in a new module under src/lib/onboard/) and call it from onboard.ts, or
fold the condition into an existing nearby statement (combine with the prior
gpu/envMode checks) so you avoid adding extra lines in onboard.ts — reference
the variables gpu, gpu?.platform, envMode, and mode and ensure behavior remains
identical (set mode = "0" when gpu?.platform === "jetson" && envMode === null).

---

Nitpick comments:
In `@test/onboard.test.ts`:
- Around line 389-398: Add an assertion to the existing Jetson test that
verifies an explicitly invalid NEMOCLAW_SANDBOX_GPU value falls back to GPU
disabled: call resolveSandboxGpuConfig with the same jetson object and env: {
NEMOCLAW_SANDBOX_GPU: "invalid" } and assert .sandboxGpuEnabled is false; place
this alongside the other expectations in the "defaults to CPU sandbox on
Jetson..." test so it covers the invalid-env fallback for the
resolveSandboxGpuConfig behavior (use the existing symbols
resolveSandboxGpuConfig, sandboxGpuEnabled).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 25769c9d-9c2f-468b-99db-e425a6822ca8

📥 Commits

Reviewing files that changed from the base of the PR and between 0964a7e and ef40a66.

📒 Files selected for processing (2)

• src/lib/onboard.ts
• test/onboard.test.ts