fix(preflight): use uncached .invalid probe for container DNS check (#3630)

[latenighthackathon]

Summary

Closes #3630. The [1/8] Preflight checks step ran docker run --rm --pull=missing busybox:latest nslookup registry.npmjs.org and treated Name: registry.npmjs.org + Address: <ip> as proof that container DNS works. On a host where outbound UDP/TCP port 53 was blocked at the iptables OUTPUT chain, that probe still passed because Docker's embedded DNS resolver (and the upstream resolver before it) had cached the registry.npmjs.org answer from earlier successful lookups. Onboarding then continued past preflight and only hit the real DNS failure deeper in the sandbox build, where the error is much less actionable.

Replace the probe target with a random subdomain of the RFC 6761 reserved .invalid TLD, e.g., nemoclaw-dns-probe-9c4f02a8b1d3e6f7.invalid. Three properties make this resilient to the cache hit that masked #3630:

• The random suffix is never cached anywhere — Docker's embedded resolver, the host's stub resolver, and any upstream caching layer see a brand-new name on every probe and have to forward the query.
• Every compliant resolver returns NXDOMAIN immediately for any .invalid name (RFC 6761 §6.4), so the probe succeeds quickly when DNS works without depending on any specific A record being reachable from the container.
• NXDOMAIN is genuine round-trip evidence: the resolver received the query, decided it does not exist, and answered. If host egress is blocked, busybox prints ;; connection timed out; no servers could be reached (the existing servers_unreachable signature) and the probe fails fast.

The success regex is widened to accept both shapes busybox emits:

1. Server: ... / Name: <name> / Address: <ip> for a real A-record resolution. Kept for back-compat with callers that pass a custom probe name resolving to a real IP.
2. Server: ... / ** server can't find <name>: NXDOMAIN for the .invalid probe sent by default.

The resolver-identification block (Server: <ip> / Address: <ip>:53) appears at the top of every busybox response, including malformed ones, so the new regex requires either a real Name: line OR an NXDOMAIN response body before declaring success. A regression test pins the malformed case (;; reply from unexpected source: ...) so this guard cannot quietly weaken.

Related Issue

Closes #3630

Changes

• src/lib/onboard/preflight.ts:
  • New dnsProbeName() helper returns a random nemoclaw-dns-probe-<16-hex>.invalid name (exported for the test seam; production callers never override).
  • ProbeContainerDnsOpts gains an optional probeName?: string to support pinned-name assertions in tests.
  • Probe command is now templated as docker run --rm --pull=missing busybox:latest nslookup ${probeName} 2>&1.
  • Success-path regex requires ^Server: AND either Name:+Address: or server can't find ... NXDOMAIN.
• src/lib/onboard/preflight.test.ts:
  • The previous "NXDOMAIN → resolution_failed" assertion is replaced by "NXDOMAIN → ok" (the new contract).
  • New regression test for the malformed-response failure case (;; reply from unexpected source: ...).
  • New test for the random .invalid probe-name property (every call returns a distinct name matching the nemoclaw-dns-probe-<16-hex>.invalid shape).
  • New test for the probeName override seam.
  • Existing tests for the spawned command updated to assert the new nslookup nemoclaw-dns-probe-<...>.invalid prefix.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx vitest run src/lib/onboard/preflight.test.ts -t "probeContainerDns" — 18/18 pass
  • Existing success + servers_unreachable + image_pull_failed + no_output/error paths unchanged
  • New: NXDOMAIN-on-default-probe (the [Nemoclaw][All Platforms]Preflight DNS check passes as “Container DNS resolution works” even when host outbound DNS is fully blocked via iptables #3630 case) returns ok: true
  • New: malformed ;; reply from unexpected source returns resolution_failed
  • New: dnsProbeName() returns distinct random .invalid names per call
  • New: probeName override is wired into the spawned script
• Verified busybox output shapes on a working host:
  • DNS works + .invalid name: Server: 192.168.65.7 / Address: 192.168.65.7:53 / ** server can't find <name>: NXDOMAIN
  • DNS broken (via --dns 240.0.0.0 to simulate the iptables DROP path): ;; connection timed out; no servers could be reached
• No regression in existing Name: registry.npmjs.org probe-output tests — the broader success regex still accepts the old shape for back-compat with custom probe names.

Signed-off-by: latenighthackathon support@latenighthackathon.com

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Enhanced DNS preflight probe validation to more reliably detect container resolver connectivity and distinguish between different resolution failure modes, improving overall container health checks.

• Tests

  • Updated preflight DNS probe test suite with comprehensive coverage of enhanced validation logic and configuration scenarios.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ad9eab20-d163-42ab-9959-610d3e7f2fdc

📥 Commits

Reviewing files that changed from the base of the PR and between 17965a7 and 0488130.

📒 Files selected for processing (2)

• src/lib/onboard/preflight.test.ts
• src/lib/onboard/preflight.ts

---

📝 Walkthrough

Walkthrough

This PR updates the container DNS preflight probe to generate randomized .invalid subdomain names instead of querying registry.npmjs.org. A new dnsProbeName() helper generates the probes, ProbeContainerDnsOpts gains an optional probeName override, and success detection is broadened to accept NXDOMAIN responses as proof of resolver reachability. Tests are extended to cover randomization, override behavior, and new response patterns.

Changes

DNS Probe Randomization

Layer / File(s)	Summary
DNS probe name generation and options extension src/lib/onboard/preflight.ts	Import randomBytes and add exported dnsProbeName() function that returns a randomized nemoclaw-dns-probe-<hex>.invalid name; extend ProbeContainerDnsOpts interface with optional probeName field.
Probe execution and success detection src/lib/onboard/preflight.ts	Update probeContainerDns default command to run nslookup against the generated probe name instead of registry.npmjs.org; revise DNS success detection to recognize NXDOMAIN or standard Name:/Address: responses as resolver reachability.
Test coverage for probe randomization and success detection src/lib/onboard/preflight.test.ts	Import dnsProbeName, add NXDOMAIN-based success and malformed-response failure test cases, update script-capture assertions, and add tests validating random probe name generation and probeName override behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

fix, Docker, NemoClaw CLI, Getting Started, Sandbox, bug

Suggested reviewers

• cv

Poem

🐰 A probe hops through the .invalid domain,
Random hashes dancing, never the same—
No registry.npmjs to rely upon,
Just NXDOMAIN whispers when names are gone,
Preflight checks now cached-proof and free! 🎯

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: introducing an uncached .invalid probe for the container DNS preflight check, which directly addresses the issue (#3630) described in the PR objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}