fix(onboard): reject the reserved Hermes API port as the dashboard port#5015
Conversation
Walkthrough: This PR hardens Hermes onboarding against port 8642 (reserved for the OpenAI-compatible API) being used as a dashboard port. It adds a reserved-port constant and pre-sandbox validation that checks both the effective port and environment override, plus comprehensive test coverage including whitespace handling and control UI derivation.

Changes: Reserved Port Validation and Testing
## Summary

- Add v0.0.62 release notes from Discussion #5100 and link release highlights to the relevant docs pages.
- Document the release's GPU sandbox recreation, sandbox-side local inference verification, and Hermes dashboard port guard in the command and inference references.
- Refresh generated NemoClaw user skills for the release-prep docs set.

## Source Summary

- #4956 -> `docs/reference/commands.mdx`: Document CDI-first Docker GPU recreation behavior for Linux Docker-driver sandboxes.
- #5024 -> `docs/inference/use-local-inference.mdx`: Document sandbox-runtime verification of the `inference.local` local inference route.
- #5018 -> `docs/reference/commands.mdx`: Document Jetson/Tegra device-node group propagation for sandbox CUDA initialization.
- #5012, #4763, #4706, #5030, #5015 -> `docs/about/release-notes.mdx`: Summarize onboarding and recovery reliability fixes, including the reserved Hermes API port guard.
- #5017 and #5043 -> `docs/about/release-notes.mdx`, `docs/reference/commands.mdx`: Summarize mutable OpenClaw config recovery and host-side `agents list` coverage.
- #5010 and #5016 -> `docs/about/release-notes.mdx`: Summarize Hermes upstream metadata visibility and WhatsApp QR rendering reliability.
- #5045 and prior source docs in the v0.0.62 range -> `.agents/skills/`: Refresh generated user-skill references from the current docs source.

## Skipped

- #5019 -> skipped for new prose because it touched `openclaw-sandbox-permissive.yaml`, which matches `docs/.docs-skip`. Existing source docs remain the source for generated skill synchronization.

## Verification

- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user --doc-platform fern-mdx`
- `npm run docs` (passes; Fern reports 0 errors and 1 hidden warning)
- Pre-commit hooks passed during commit, including docs-to-skills verification, markdown lint, gitleaks, and skills YAML tests.
## Summary by CodeRabbit

- **New Features**
  - Added `nemoclaw <name> agents list` command.
  - v0.0.62 release notes added summarizing onboarding and recovery improvements.
- **Bug Fixes**
  - Improved GPU sandbox onboarding reliability (NVIDIA CDI path, Jetson/Tegra device handling).
  - Better local inference verification and recovery for Linux Docker-driver GPU sandboxes.
  - Quieter/earlier handling of onboarding drift and port collisions.
- **Documentation**
  - Expanded GPU passthrough, inference verification, writable paths (`/dev/pts`), port 8642 restriction, and command examples.

---------

Co-authored-by: Prekshi Vyas <34834085+prekshivyas@users.noreply.github.com>
## Summary

Extends the #4984 reserved-port guard (PR #5015) to all agents, and adds a fail-fast preflight check. The shipped guard was hermes-gated, so a plain `nemoclaw onboard` (default OpenClaw agent) still accepted `NEMOCLAW_DASHBOARD_PORT=8642` — and, being a single-port agent, actually bound host port 8642. That silently breaks a later `nemoclaw onboard --agent hermes`, whose OpenAI-compatible API must forward 8642 (it warns "cannot be reallocated" but still exits 0, leaving the API unreachable).

## Related Issue

Fixes #4984

## Changes

- `core/ports.ts`: add `HERMES_OPENAI_API_PORT` (8642) and a shared, agent-neutral rejection message `RESERVED_HERMES_DASHBOARD_PORT_MESSAGE` as the single source of truth for both guards.
- New `onboard/preflight-ports.ts`: `buildRequiredPreflightPorts()` (extracted from the inline onboard.ts array) and `assertDashboardPortNotReserved()`.
- `onboard.ts` preflight ([1/8]) now rejects an explicit reserved dashboard port fast — before gateway/inference — instead of printing "✓ available" and then hard-failing later. Net change to `onboard.ts` is negative (no growth).
- `resolveHermesDashboardOnboardState` ([6/8]) rejection made agent-agnostic (catches deferred `CHAT_UI_URL` / persisted-port paths the preflight can't see).
- Message is now agent-neutral ("Invalid dashboard port 8642 - reserved for the Hermes OpenAI-compatible API") since the dashboard belongs to whichever agent is onboarding; the reason still names Hermes.
- Tests: new `onboard/preflight-ports` tests + flipped the non-Hermes guard test.

## Type of Change

- [√] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Verification

- [√] `npx prek run --all-files` passes
- [√] `npm test` passes
- [√] Tests added or updated for new or changed behavior
- [√] No secrets, API keys, or credentials committed
- [ ] Docs updated for user-facing behavior changes
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: rluo8 <ruluo@nvidia.com>

## Summary by CodeRabbit

- **Bug Fixes**
  - Onboarding now rejects the reserved dashboard port 8642 for all agent types (non-Hermes agents no longer bypass this guard).
  - Explicit dashboard-port preflight checks now fail fast when 8642 is provided.
  - Error message standardized to begin with "[SECURITY] Invalid dashboard port 8642..." when the reserved port is used.
- **Tests**
  - Added/updated tests to assert the reserved-port rejection and required-port preflight behavior.

Signed-off-by: Rui Luo <ruluo@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
## Summary

NemoHermes onboarding accepted `NEMOCLAW_DASHBOARD_PORT=8642` (the port reserved for the Hermes OpenAI-compatible API) and built the sandbox instead of failing the security check. This adds a host-side guard that rejects the reserved port before any sandbox is created.

## Related Issue

Fixes #4984

## Changes

- Host-side guard in `resolveHermesDashboardOnboardState` (`src/lib/onboard/hermes-dashboard.ts`), emitting `[SECURITY] Invalid Hermes dashboard port 8642 - reserved for the Hermes OpenAI-compatible API` and exiting non-zero before sandbox creation — the same message as the in-sandbox guard in `agents/hermes/start.sh`.
- Checks both `effectivePort` (`--control-ui-port`, `CHAT_UI_URL`, or a persisted registry port) and the raw `NEMOCLAW_DASHBOARD_PORT` env (which the host otherwise silently drops to the agent default, so `effectivePort` alone would miss it).
- Tests that used `8642` as a placeholder dashboard port (it is the reserved API port, never a valid dashboard port) now use the realistic `18789`.

## Type of Change

## Verification

- `npx prek run --all-files` passes
- `npm test` passes
- `npm run docs` builds without warnings (doc changes only)

Signed-off-by: rluo8 ruluo@nvidia.com