fix(onboard): bypass host proxy for managed inference hostname

[laitingsheng]

Summary

Follow-up to PR #4331 (fix(onboard): forward host proxy env into sandbox). #4331 started forwarding the host HTTP_PROXY / HTTPS_PROXY / NO_PROXY into openshell sandbox create -- env ... so OpenShell-internal traffic could traverse the host proxy when one is configured. The forwarded NO_PROXY seed list did not yet include the OpenShell-managed inference hostname (inference.local) or the rootless container-host alias (host.containers.internal). When a host HTTP_PROXY is active on macOS + Colima, OpenShell's L7 proxy chains inference.local through the host proxy — which cannot reach an OpenShell-internal hostname — and streaming chat completions stall until the 120 s idle timeout fires (#4846).

This PR seeds inference.local and host.containers.internal into the withLocalNoProxy() augmentation so the regression introduced by #4331's host-proxy forwarding stops short of the managed inference hostname.

Related Issue

Fixes #4846 (regression source: #4331).

Changes

• src/lib/subprocess-env.ts and nemoclaw/src/lib/subprocess-env.ts (mirrored): append inference.local and host.containers.internal to the seeded NO_PROXY host list in withLocalNoProxy(); JSDoc documents the boundary (host-side subprocesses + openshell sandbox create -- env ...) and the removal condition.
• src/lib/onboard/http-proxy-preflight.ts: warning copy now names the managed inference hostname and includes it in the suggested export NO_PROXY= line for tools running outside the sandbox. Suppression now also requires inference.local so users with the previous loopback-only guidance still see the new export advice.
• docs/reference/troubleshooting.mdx: document the full set of host names NemoClaw adds to NO_PROXY when a host HTTP proxy is detected.
• Regression tests in src/lib/subprocess-env.test.ts and src/lib/onboard/http-proxy-preflight.test.ts, plus test/host-proxy-inference-local-e2e.test.ts (curl-driven E2E proving inference.local reaches a local listener directly when HTTP_PROXY is set). subprocess-env.test.ts also adds negative tests proving arbitrary *.local / .local hostnames are not added to the bypass and that a caller-provided .local entry does not expand the bypass surface. CLI / plugin sync test in test/credential-exposure.test.ts updated to match the new host list.

Scope and boundaries

• *.local suffix. Deliberately narrow: only exact inference.local is seeded. The reported failure path is the single OpenShell-managed inference hostname; widening to any *.local would change the bypass surface beyond the reported repro without evidence of other affected hostnames. A negative test (subprocess-env.test.ts) pins this behaviour.
• Sandbox-runtime NO_PROXY is unchanged. scripts/nemoclaw-start.sh continues to set NO_PROXY=localhost,127.0.0.1,::1,${PROXY_HOST} inside the sandbox and intentionally does not include inference.local there — OpenShell's L7 proxy resolves that hostname internally, and bypassing it would force a direct DNS lookup that does not resolve from inside the container. This PR does not touch that runtime layer.
• Fix surface is host-side env propagation. withLocalNoProxy() runs through appendHostProxyEnvArgs() into openshell sandbox create -- env .... The NO_PROXY entry is consumed by OpenShell at sandbox-create time when it decides whether to chain its L7 proxy through the host HTTP_PROXY for a given hostname. With inference.local in NO_PROXY at sandbox-create time, OpenShell stops tunneling that hostname through the host proxy (the reported Proxy connection error: Broken pipe (os error 32) path).
• E2E coverage. test/host-proxy-inference-local-e2e.test.ts exercises the env-construction primitive end-to-end via a real curl spawn driven by buildSubprocessEnv() against a local listener bound to inference.local. The full macOS + Colima sandbox path requires a macOS runner and is left to scenario E2E (ubuntu-repo-cloud-openclaw covers the closest cloud-onboard cross-section).

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Summary by CodeRabbit

• Bug Fixes

  • Proxy bypass now also excludes additional local hostnames (inference.local, host.containers.internal, ::1, 0.0.0.0), preventing local services and managed inference from being routed through user proxies; preflight warning now requires inference.local to be present to suppress warnings.

• Documentation

  • Updated proxy-preflight guidance and warning text to show suggested NO_PROXY/no_proxy exports including managed inference hosts and extra local aliases.

• Tests

  • Added/updated unit and e2e tests validating the expanded NO_PROXY/no_proxy behavior and direct reachability of inference.local.

Signed-off-by: Tinson Lai tinsonl@nvidia.com

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4ae09239-6ce7-4890-aacd-a519e64153ed

📥 Commits

Reviewing files that changed from the base of the PR and between d277e5f and f19cedb.

📒 Files selected for processing (2)

• docs/reference/troubleshooting.mdx
• test/onboard.test.ts

---

📝 Walkthrough

Walkthrough

This PR expands the NO_PROXY/no_proxy allowlist injected into subprocess environments to include additional local hostnames (notably inference.local and host.containers.internal), updates the proxy preflight warning and docs to show the expanded exports, and adjusts/adds unit and e2e tests to validate the behavior.

Changes

NO_PROXY Allowlist Expansion for Local Inference

Layer / File(s)	Summary
Core NO_PROXY allowlist expansion and implementation src/lib/subprocess-env.ts, nemoclaw/src/lib/subprocess-env.ts	withLocalNoProxy now parses existing NO_PROXY/no_proxy, then appends additional local hostnames (including inference.local and host.containers.internal) when an HTTP/HTTPS proxy is detected.
Tests: constants and assertions updated src/lib/subprocess-env.test.ts, test/credential-exposure.test.ts	Replace the LOCAL_NO_PROXY test constant and update assertions to expect the expanded comma-separated allowlist (adds host.containers.internal, inference.local, ::1, 0.0.0.0, etc.).
Behavioral unit tests for HTTP/HTTPS proxy cases src/lib/subprocess-env.test.ts	Add unit tests asserting withLocalNoProxy includes inference.local when HTTP_PROXY is set and host.containers.internal when HTTPS_PROXY is set; enforce .local injection rules and preserve caller-provided .local values.
Onboard proxy preflight warning and tests src/lib/onboard/http-proxy-preflight.ts, src/lib/onboard/http-proxy-preflight.test.ts	Require inference.local alongside loopback entries to suppress the onboard warning; update warning text and suggested NO_PROXY/no_proxy export examples and tests to include inference.local.
End-to-end test ensuring inference.local bypasses host proxy test/host-proxy-inference-local-e2e.test.ts	New Vitest e2e: starts a local HTTP listener, sets unreachable HTTP_PROXY/HTTPS_PROXY, clears NO_PROXY, builds subprocess env, runs curl --resolve inference.local:..., and asserts curl succeeds and the listener received the request.
Sandbox-create env args test test/onboard.test.ts	Add test asserting appendHostProxyEnvArgs() synthesizes both NO_PROXY= and no_proxy= entries containing inference.local and host.containers.internal when HTTP_PROXY is configured.
Troubleshooting docs docs/reference/troubleshooting.mdx	Expand the documented NO_PROXY configuration to include ::1, 0.0.0.0, host.docker.internal, host.containers.internal, and inference.local in examples for NemoClaw-managed subprocesses.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4215: Both PRs are tied to the shared withLocalNoProxy NO_PROXY augmentation: #4215 makes waitForHttp curl probes use an env built via withLocalNoProxy, while the main PR extends withLocalNoProxy’s injected bypass list (e.g., adding inference.local/host.containers.internal)—so the wait-probe behavior changes in tandem.
• NVIDIA/NemoClaw#4086: Both PRs modify withLocalNoProxy in src/lib/subprocess-env.ts to parse/sanitize the existing NO_PROXY/no_proxy list via split→trim→filter before augmenting it (main PR adds inference.local/host.containers.internal, while the retrieved PR fixes empty comma segments).
• NVIDIA/NemoClaw#4331: Both PRs are tied to the same proxy/no-proxy plumbing: #4331 forwards host HTTP_PROXY/HTTPS_PROXY/NO_PROXY into sandbox creation via appendHostProxyEnvArgs() (calling withLocalNoProxy), and the main PR updates withLocalNoProxy/onboard test expectations to include inference.local and related hosts in the generated NO_PROXY/no_proxy values.

Suggested labels

platform: macos

Suggested reviewers

• cv
• cjagwani

"🐰 I hop the env and tweak the trail,
inference.local follows without fail.
Subprocesses find the local door,
proxies shrug and watch me soar.
Carrots and tests — a tidy trail! 🥕"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(onboard): bypass host proxy for managed inference hostname' is specific and directly related to the main change—seeding inference.local and host.containers.internal into NO_PROXY to prevent the host proxy from tunneling managed inference traffic.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/4846-no-proxy-inference-local

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: cloud-onboard-e2e, inference-routing-e2e, credential-sanitization-e2e
Optional E2E: network-policy-e2e, macos-e2e, test-e2e-ollama-proxy

Dispatch hint: cloud-onboard-e2e,inference-routing-e2e,credential-sanitization-e2e

Auto-dispatched E2E: cloud-onboard-e2e, inference-routing-e2e, credential-sanitization-e2e via nightly-e2e.yaml at f19cedb2dab5ad3b2a0f931efd1f360764668e4d — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cloud-onboard-e2e (medium-high; live sandbox with NVIDIA_API_KEY): Validates the public install/onboard flow, sandbox health, API key leak checks, and inference.local HTTPS after changing the proxy env passed through onboarding and sandbox creation.
• inference-routing-e2e (medium; live sandbox, selective tests use NVIDIA_API_KEY where available): Directly exercises inference routing through the OpenShell gateway proxy, credential isolation, and transport/credential error classification, which are the runtime areas most likely to regress if inference.local NO_PROXY seeding is wrong.
• credential-sanitization-e2e (high; installs and onboards a live sandbox): Provides sandbox-level credential boundary coverage after changing subprocess env propagation. The unit tests cover allowlisting, but this E2E verifies no secret-shaped values leak into the running sandbox/config path.

Optional E2E

• network-policy-e2e (high; live sandbox with restricted policy): Useful adjacent confidence that inference exemptions, direct-provider blocking, and OpenShell policy enforcement/audit behavior still hold after changing host proxy bypass entries.
• macos-e2e (medium-high; macOS runner, runs only if Docker is available): The motivating proxy-chain failure mode mentions macOS + Colima/desktop proxy behavior. The existing macOS full E2E is useful platform confidence, though it does not explicitly configure a broken host HTTP_PROXY.
• test-e2e-ollama-proxy (low; mock backend on ubuntu-latest): PR CI already includes this mock Ollama auth proxy E2E for code changes. It is a cheap adjacent check for local proxy behavior, but it does not validate sandbox-create NO_PROXY seeding for inference.local.

New E2E recommendations

• host proxy plus sandbox-create inference.local routing (high): The PR adds a host-level curl/Vitest regression for inference.local NO_PROXY, but there is no existing sandbox E2E that sets HTTP_PROXY/http_proxy to a deliberately broken host proxy during openshell sandbox create and then proves a real onboarded sandbox can still route inference.local through OpenShell without host proxy chaining.
  • Suggested test: Add a dispatchable host-proxy-inference-local-sandbox-e2e script/workflow that onboards with HTTP_PROXY/http_proxy pointing at an unreachable local proxy, verifies sandbox creation succeeds, and performs a real inference.local request through the running sandbox.
• macOS/Colima host proxy regression (medium): The documented failure mode specifically calls out macOS + Colima/desktop proxy behavior, but the existing macOS E2E does not force host HTTP_PROXY/no_proxy conditions. Platform-specific coverage would catch differences in curl/Node/OpenShell proxy handling.
  • Suggested test: Extend or add a macOS E2E variant that configures a broken desktop-style HTTP_PROXY, omits NO_PROXY in the host env, runs onboarding, and asserts inference.local is bypassed only at the host proxy boundary while sandbox runtime still uses OpenShell L7 routing.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: cloud-onboard-e2e,inference-routing-e2e,credential-sanitization-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-openclaw
Optional scenario E2E: wsl-repo-cloud-openclaw

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• ubuntu-repo-cloud-openclaw: Changes modify subprocess environment forwarding and onboarding HTTP proxy preflight behavior, including NO_PROXY seeding for inference.local and container-host aliases at sandbox-create time. The Ubuntu repo cloud OpenClaw scenario is the smallest routed scenario that exercises repo-current onboarding, sandbox creation, gateway health, and the cloud inference.local path from inside the sandbox.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-openclaw

Optional scenario E2E

• wsl-repo-cloud-openclaw: Optional platform coverage for the same onboarding/subprocess environment surface on WSL, where proxy and host-reachability behavior can differ. This is not the primary target because the core changed surface is covered by the Ubuntu cloud OpenClaw scenario.
  • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=wsl-repo-cloud-openclaw

Relevant changed files

• nemoclaw/src/lib/subprocess-env.ts
• src/lib/onboard/http-proxy-preflight.ts
• src/lib/subprocess-env.ts

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Top item: PR review advisor unavailable

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• PR review advisor unavailable: The automated advisor could not complete: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor/pr-review-advisor-raw-output.txt
  • Recommendation: Re-run the PR Review Advisor or perform a manual review.
  • Evidence: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor/pr-review-advisor-raw-output.txt

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — Add or identify targeted runtime/integration validation for the changed behavior; do not report external E2E job pass/fail here.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: docs/reference/troubleshooting.mdx, nemoclaw/src/lib/subprocess-env.ts, src/lib/onboard/http-proxy-preflight.ts, src/lib/subprocess-env.ts.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

🧹 Nitpick comments (1)

nemoclaw/src/lib/subprocess-env.ts (1)

63-66: ⚡ Quick win

Minor formatting inconsistency with the CLI mirror.

The CLI version (src/lib/subprocess-env.ts line 63) chains .split(",").map((s) => s.trim()).filter(Boolean) on a single line, while this plugin version spreads it across lines 63-66. Per the mirror-file note (line 17-18), these files should stay in sync.

Consider aligning the formatting to match the CLI version for consistency.

♻️ Align with CLI formatting

-    const parts = current
-      .split(",")
-      .map((s) => s.trim())
-      .filter(Boolean);
+    const parts = current.split(",").map((s) => s.trim()).filter(Boolean);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw/src/lib/subprocess-env.ts` around lines 63 - 66, The file has a
formatting mismatch for the expression that builds parts; change the multi-line
chain in the const parts assignment to the single-line chained form used in the
CLI mirror: replace the current newline-separated ".split(",").map((s) =>
s.trim()).filter(Boolean)" sequence with a single-line chain on the same
statement where const parts = current.split(",").map((s) =>
s.trim()).filter(Boolean); so the expression in subprocess-env.ts (the const
parts assignment) matches the CLI formatting.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@nemoclaw/src/lib/subprocess-env.ts`:
- Around line 63-66: The file has a formatting mismatch for the expression that
builds parts; change the multi-line chain in the const parts assignment to the
single-line chained form used in the CLI mirror: replace the current
newline-separated ".split(",").map((s) => s.trim()).filter(Boolean)" sequence
with a single-line chain on the same statement where const parts =
current.split(",").map((s) => s.trim()).filter(Boolean); so the expression in
subprocess-env.ts (the const parts assignment) matches the CLI formatting.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: be3efee2-52b7-4b58-b8dc-ec91bc808e39

📥 Commits

Reviewing files that changed from the base of the PR and between 76f6c77 and 9998a28.

📒 Files selected for processing (6)

• nemoclaw/src/lib/subprocess-env.ts
• src/lib/onboard/http-proxy-preflight.test.ts
• src/lib/onboard/http-proxy-preflight.ts
• src/lib/subprocess-env.test.ts
• src/lib/subprocess-env.ts
• test/credential-exposure.test.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27067948583
Target ref: 7c776895b1c426e10c61cff99198ad40fbf54f60
Workflow ref: main
Requested jobs: inference-routing-e2e,credential-sanitization-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
credential-sanitization-e2e	✅ success
inference-routing-e2e	✅ success

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-4897.docs.buildwithfern.com/nemoclaw

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27069185612
Target ref: 55b5f8f30f03d69178c96ff9396b777879d4e409
Workflow ref: main
Requested jobs: inference-routing-e2e,credential-sanitization-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
credential-sanitization-e2e	✅ success
inference-routing-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27069621748
Target ref: 69a3ec7f0b843fbdff2c2da096aec654f5296c64
Workflow ref: main
Requested jobs: cloud-onboard-e2e,messaging-compatible-endpoint-e2e,inference-routing-e2e,credential-sanitization-e2e
Summary: 4 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success
credential-sanitization-e2e	✅ success
inference-routing-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27071742298
Target ref: e6dcbd2cbbf48f8bb99903804cc9015540a28b0f
Workflow ref: main
Requested jobs: inference-routing-e2e,messaging-compatible-endpoint-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
inference-routing-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success

[coderabbitai]

🧹 Nitpick comments (2)

src/lib/subprocess-env.test.ts (2)

110-119: ⚡ Quick win

Consider checking both NO_PROXY and no_proxy for consistency.

The implementation in withLocalNoProxy modifies both NO_PROXY and no_proxy (Context snippet 1), and earlier tests (lines 96-101, 103-108) verify both variables. For consistency and completeness, consider adding an assertion for no_proxy as well.

♻️ Proposed enhancement for test completeness

   it("does not inject a broad .local suffix or arbitrary *.local hostnames", () => {
     const env: Record<string, string> = { HTTP_PROXY: "http://127.0.0.1:8118" };
     withLocalNoProxy(env);
     const parts = (env.NO_PROXY ?? "").split(",");
     expect(parts).not.toContain(".local");
     expect(parts).not.toContain("*.local");
     expect(parts).not.toContain("evil.local");
     expect(parts).not.toContain("attacker.local");
     expect(parts.filter((p) => p.endsWith(".local"))).toEqual(["inference.local"]);
+    const noParts = (env.no_proxy ?? "").split(",");
+    expect(noParts.filter((p) => p.endsWith(".local"))).toEqual(["inference.local"]);
   });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/subprocess-env.test.ts` around lines 110 - 119, The test only asserts
against env.NO_PROXY but the helper withLocalNoProxy updates both NO_PROXY and
no_proxy; update this test to also inspect env.no_proxy the same way (split on
commas and assert it does not contain ".local", "*.local", "evil.local",
"attacker.local" and that the only .local suffix present is "inference.local")
so both NO_PROXY and no_proxy are validated consistently alongside the existing
checks in withLocalNoProxy.

---

121-133: ⚡ Quick win

Consider checking both NO_PROXY and no_proxy for consistency.

The test sets both NO_PROXY and no_proxy in the input (lines 124-125), but only verifies NO_PROXY in the assertions. Since withLocalNoProxy modifies both variables and earlier tests verify both, consider adding assertions for no_proxy as well.

♻️ Proposed enhancement for test completeness

   it("preserves a caller-provided .local entry without expanding the bypass", () => {
     const env: Record<string, string> = {
       HTTP_PROXY: "http://127.0.0.1:8118",
       NO_PROXY: "trusted.local",
       no_proxy: "trusted.local",
     };
     withLocalNoProxy(env);
     const parts = (env.NO_PROXY ?? "").split(",");
     expect(parts).toContain("trusted.local");
     expect(parts).toContain("inference.local");
     expect(parts).not.toContain(".local");
     expect(parts).not.toContain("*.local");
+    const noParts = (env.no_proxy ?? "").split(",");
+    expect(noParts).toContain("trusted.local");
+    expect(noParts).toContain("inference.local");
+    expect(noParts).not.toContain(".local");
+    expect(noParts).not.toContain("*.local");
   });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/subprocess-env.test.ts` around lines 121 - 133, The test currently
only asserts against env.NO_PROXY even though the input sets both NO_PROXY and
no_proxy and withLocalNoProxy updates both; update the test for completeness by
also reading and splitting env.no_proxy (e.g., const lowerParts = (env.no_proxy
?? "").split(",")) and add the same expectations used for parts
(expect(lowerParts).toContain("trusted.local");
expect(lowerParts).toContain("inference.local");
expect(lowerParts).not.toContain(".local");
expect(lowerParts).not.toContain("*.local");) so both NO_PROXY and no_proxy are
validated after calling withLocalNoProxy.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/subprocess-env.test.ts`:
- Around line 110-119: The test only asserts against env.NO_PROXY but the helper
withLocalNoProxy updates both NO_PROXY and no_proxy; update this test to also
inspect env.no_proxy the same way (split on commas and assert it does not
contain ".local", "*.local", "evil.local", "attacker.local" and that the only
.local suffix present is "inference.local") so both NO_PROXY and no_proxy are
validated consistently alongside the existing checks in withLocalNoProxy.
- Around line 121-133: The test currently only asserts against env.NO_PROXY even
though the input sets both NO_PROXY and no_proxy and withLocalNoProxy updates
both; update the test for completeness by also reading and splitting
env.no_proxy (e.g., const lowerParts = (env.no_proxy ?? "").split(",")) and add
the same expectations used for parts
(expect(lowerParts).toContain("trusted.local");
expect(lowerParts).toContain("inference.local");
expect(lowerParts).not.toContain(".local");
expect(lowerParts).not.toContain("*.local");) so both NO_PROXY and no_proxy are
validated after calling withLocalNoProxy.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3c817a82-e866-46e7-82db-0543064aaebd

📥 Commits

Reviewing files that changed from the base of the PR and between e6dcbd2 and 0e610b9.

📒 Files selected for processing (3)

• nemoclaw/src/lib/subprocess-env.ts
• src/lib/subprocess-env.test.ts
• src/lib/subprocess-env.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• nemoclaw/src/lib/subprocess-env.ts
• src/lib/subprocess-env.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27072262172
Target ref: 0e610b9848cc0c0109011bd78bdfe4f638202717
Workflow ref: main
Requested jobs: inference-routing-e2e,messaging-compatible-endpoint-e2e,credential-sanitization-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job	Result
credential-sanitization-e2e	✅ success
inference-routing-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27082239620
Target ref: d277e5f233e89626a6fa195de69a668cda7ced44
Workflow ref: main
Requested jobs: cloud-onboard-e2e,inference-routing-e2e,messaging-compatible-endpoint-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success
inference-routing-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 27082427593
Target ref: f19cedb2dab5ad3b2a0f931efd1f360764668e4d
Workflow ref: main
Requested jobs: cloud-onboard-e2e,inference-routing-e2e,credential-sanitization-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job	Result
cloud-onboard-e2e	✅ success
credential-sanitization-e2e	✅ success
inference-routing-e2e	✅ success