fix(snapshot): use registered imageTag for VM-driver auto-create

[cr7258]

Summary

This PR fixes nemoclaw <src> snapshot restore --to <new> aborting on macOS Apple Silicon (VM driver) with Cannot auto-create '<new>': could not resolve '<src>' pod image., because resolveSrcPodImage()'s fast path was still hard-coded to openshellDriver === "docker" — a symmetric gap left by #3784 which only fixed probeGatewayRunning(). Route both Docker and VM driver sandboxes through the same usesGatewayMetadataProbe() helper and gate the auto-create DNS-proxy step on the "kubernetes" driver to match onboard.ts.

Related Issue

Fixes #4071

Changes

• resolveSrcPodImage() fast path now trusts the registered imageTag for both docker and vm drivers via usesGatewayMetadataProbe(), so VM-driver auto-create no longer falls into the kubectl-via-docker probe against a container that does not exist.
• autoCreateSandboxFromSource() DNS-proxy step gated on openshellDriver === "kubernetes", matching the onboard logic (src/lib/onboard.ts). Previously vm-driver sandboxes invoked setup-dns-proxy.sh even though they don't use the kubectl-based DNS proxy.
• Added a regression test in test/snapshot-gateway-guard.test.ts covering snapshot restore --to <new> on a VM-driver sandbox: docker exec emits a sentinel that the test asserts never appears, and the registered imageTag is asserted to show up in the auto-create output.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Test the PR locally on a MacOS Apple Silicon device:

nemoclaw my-assistant snapshot create --name verify-fix
  Creating snapshot of 'my-assistant' (--name verify-fix)...
  ✓ Snapshot v3 name=verify-fix created (13 directories, 0 files)
    /Users/sevenc/.nemoclaw/rebuild-backups/my-assistant/2026-05-22T07-28-20-816Z

nemoclaw my-assistant snapshot restore verify-fix --to clone-1
  'clone-1' does not exist. Creating from 'my-assistant' image (openshell/sandbox-from:1779432198)...
  Creating sandbox in gateway...
  Waiting for sandbox to become ready...
  Sandbox reported Ready before create stream exited; continuing.
  ✓ Sandbox 'clone-1' created

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: sevenc sevenc@nvidia.com

Summary by CodeRabbit

• Bug Fixes

  • Fixed snapshot restore image resolution so sandbox restores use the registered image tag for gateway-backed drivers and avoid inappropriate fallback probes.
  • DNS proxy setup during sandbox auto-creation now runs only for Kubernetes-backed source sandboxes when setup scripts are present.

• Tests

  • Added regression tests covering snapshot restore workflows to verify correct image selection and absence of fallback probe behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0e3359bd-c7a3-4bdf-9c54-7b59a6f1ca9a

📥 Commits

Reviewing files that changed from the base of the PR and between 1cf20fd and 0e8d4de.

📒 Files selected for processing (1)

• src/lib/actions/sandbox/snapshot.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/actions/sandbox/snapshot.ts

---

📝 Walkthrough

Walkthrough

Prefer the sandbox registry's registered imageTag for drivers using gateway metadata probes (docker/vm), restrict the kubectl-in-gateway fallback to the kubernetes driver, gate DNS proxy setup to srcDriver === "kubernetes", and add a VM-driver regression test verifying the registered imageTag is used during restore.

Changes

Snapshot image resolution and proxy setup

Layer / File(s)	Summary
Image resolution and DNS proxy gating src/lib/actions/sandbox/snapshot.ts	resolveSrcPodImage now returns the sandbox registry imageTag for drivers that use the gateway metadata probe and only falls back to kubectl when srcDriver === "kubernetes". DNS proxy setup in autoCreateSandboxFromSource runs only when srcDriver === "kubernetes" and the script exists.
VM-driver restore test with imageTag verification test/snapshot-gateway-guard.test.ts	Adds makeVmRestoreToEnv test helper (sets sandbox registry imageTag, stubs openshell/ssh/docker) and a regression test that restores a snapshot to --to clone-1, asserting the registered imageTag appears in output and that the forbidden docker exec sentinel is absent.

Sequence Diagram(s)

sequenceDiagram
  participant CLI
  participant resolveSrcPodImage
  participant SandboxRegistry
  participant GatewayMetadataProbe
  participant kubectl
  CLI->>resolveSrcPodImage: request source image for auto-create
  resolveSrcPodImage->>SandboxRegistry: read registered imageTag
  resolveSrcPodImage->>GatewayMetadataProbe: probe gateway metadata (docker/vm)
  resolveSrcPodImage->>kubectl: kubectl fallback (only if srcDriver == "kubernetes")

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

NemoClaw CLI, OpenShell, v0.0.50

Suggested reviewers

• ericksoa

Poem

🐰 A tiny hop through gateway mist,
ImageTag gleams where probes might twist,
Kubernetes hums when DNS must play,
VM restores glide the registry way,
No docker shout to steal the day.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: fixing snapshot restore to use the registered imageTag for VM-driver auto-create operations.
Linked Issues check	✅ Passed	The PR fully addresses all coding objectives from issue #4071: uses registered imageTag for VM/docker drivers, prevents kubectl-via-docker probe failures, updates DNS proxy logic for kubernetes-only, and includes regression tests.
Out of Scope Changes check	✅ Passed	All changes directly address the linked issue objectives; modifications to snapshot.ts and additions to test file are scoped to the VM-driver auto-create fix and regression testing.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/actions/sandbox/snapshot.ts`:
- Around line 94-96: The current branch returns registeredImage for gateway
metadata probes even when the openshell driver is "vm" or "docker" and the image
lacks an imageTag, causing it to fall through to the kubectl probe; modify the
logic in the block that checks usesGatewayMetadataProbe(registeredDriver) &&
registeredImage so that if registeredDriver is "vm" or "docker" and
registeredImage.imageTag is missing, you return null (fail fast) instead of
registeredImage, otherwise keep the existing return; reference the symbols
usesGatewayMetadataProbe, registeredDriver, registeredImage and the openshell
driver values "vm"/"docker" when updating the condition.

In `@test/snapshot-gateway-guard.test.ts`:
- Around line 220-224: The test currently inspects runCli output but doesn't
assert process exit status; update the assertion after calling runCli (the const
r = runCli(...) invocation) to explicitly verify the command succeeded by
checking the exit code (e.g., assert/expect r.code is 0 or truthy success value
used in your runner). Add this single assertion (using the same test framework
style as other tests, e.g., expect(r.code).toBe(0) or equivalent) immediately
after creating r and before or after the existing output assertions so failures
with partial output fail the test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1fbad4c5-6d0b-450c-b57c-e2cf0bb00a2f

📥 Commits

Reviewing files that changed from the base of the PR and between ef84117 and 0c70665.

📒 Files selected for processing (2)

• src/lib/actions/sandbox/snapshot.ts
• test/snapshot-gateway-guard.test.ts

[wscurran]

✨
Related open PRs:

• #3784 fix(snapshot): use gateway metadata for VM-driver health checks