fix(onboard): catch host DNS block before provider validation (#4784)

[yimoj]

Summary

A host firewall that drops outbound DNS (tcp/udp:53) leaves the NemoClaw CLI unable to resolve the provider endpoint, but the existing container DNS probe still passes — so preflight printed ✓ Container DNS resolution works and onboarding only failed much later at NVIDIA Endpoints validation with the cryptic curl: (6) Could not resolve host: integrate.api.nvidia.com. This adds a host-side DNS preflight that catches the blocked condition up front with targeted remediation.

Related Issue

Fixes #4784

Changes

• src/lib/onboard/preflight.ts — new probeHostDns() / isFatalHostDnsProbeFailure(). The probe resolves the provider host from the CLI process using dns.lookup (getaddrinfo), so it follows the same /etc/hosts/nsswitch path the later curl-based provider validation uses (won't false-fail hosts that reach the provider via /etc/hosts). Runs as a bounded node -e child so it stays synchronous and fully injectable for tests.
• src/lib/onboard/bridge-dns-preflight.ts — assertHostDnsHealthy() + printHostDnsRemediation(), invoked from assertDockerBridgeAndContainerDnsHealthy before the container DNS probe. Prints a Host DNS resolution line distinct from the container one; on a fatal failure it fails early with host-DNS / VPN / firewall / iptables OUTPUT remediation.
• Scoped to the NVIDIA Endpoints path so it never blocks valid local/air-gapped/proxy onboarding:
  • Runs only when NVIDIA Endpoints is the effective provider: non-interactive NEMOCLAW_PROVIDER, else the recorded session/registry provider (handles reruns and --resume, incl. the legacy nvidia-nim alias), else the non-interactive default. Interactive runs (provider not yet chosen) and explicit local/non-NVIDIA providers skip it.
  • Skips when the provider host is reached via a configured proxy (HTTPS_PROXY/ALL_PROXY, honoring NO_PROXY).
  • Escape hatch: NEMOCLAW_SKIP_HOST_DNS_PREFLIGHT=1.
• src/lib/onboard.ts stays net-neutral (4 single-line modifications, +4/−4); all logic lives under src/lib/onboard/.
• src/lib/onboard/host-dns-preflight.test.ts — new focused test file (25 tests) covering probe classification, remediation output, the fatal/warn/skip branches, provider gating, recorded-provider/nvidia-nim handling, and proxy/NO_PROXY behavior. (Kept out of preflight.test.ts, which is frozen at its CI line-size budget.)

Type of Change

• Code change (feature, bug fix, or refactor)

Verification

• npm test (targeted: host-dns-preflight, preflight, bridge-dns-preflight, test-file-size-budget, onboard machine/handlers + onboard.test.ts — all pass; CLI type-check clean; Biome lint clean)
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Reproduced and re-verified end-to-end against a real host DNS block (sudo iptables -I OUTPUT -p {udp,tcp} --dport 53 -j DROP): default non-interactive onboard now aborts at the host DNS gate with remediation; NEMOCLAW_PROVIDER=ollama correctly skips it; an /etc/hosts-resolvable name passes even under the block. Firewall rules were trap-cleaned after each run.

---

Signed-off-by: Yimo Jiang yimoj@nvidia.com

Summary by CodeRabbit

• New Features

  • Added host-side DNS health checking during onboarding to detect DNS blocking issues earlier.
  • Provides targeted diagnostics and remediation guidance when host DNS fails.
  • Host DNS check can be skipped via environment variable if needed.

• Tests

  • Added comprehensive test coverage for host DNS preflight validation.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds a host-side DNS preflight check to detect NVIDIA Endpoints provider hostname resolution failures before container DNS tests run. The feature includes a probe implementation, assertion logic with remediation output, integration into the onboarding flow, and comprehensive test coverage.

Changes

Host-side DNS preflight checks

Layer / File(s)	Summary
Host DNS probe implementation and types src/lib/onboard/preflight.ts	Introduces probeHostDns to spawn a Node child process that resolves the NVIDIA Endpoints hostname, classifying outcomes into fatal (servers_unreachable, resolution_failed, timeout, killed) or inconclusive (error) states. Adds HostDnsProbeResult, ProbeHostDnsOpts, and isFatalHostDnsProbeFailure types/helpers.
Host DNS assertion, gating, and remediation src/lib/onboard/bridge-dns-preflight.ts	Extends assertDockerBridgeAndContainerDnsHealthy to accept provider context and gating parameters. Implements assertHostDnsHealthy to run the probe only when the effective provider is NVIDIA Endpoints (unless skipped via environment or proxy), exit early with remediation on fatal failures, and continue on inconclusive results. Adds printHostDnsRemediation for platform-specific remediation output.
Onboarding wiring for provider context src/lib/onboard.ts	Extends PreflightOptions with recordedProviderForHostDns and threads it through onboarding by passing it to assertDockerBridgeAndContainerDnsHealthy alongside isNonInteractive. The runPreflight dependency injection resolves the recorded provider from session or sandbox state.
Host DNS preflight test suite src/lib/onboard/host-dns-preflight.test.ts	Comprehensive tests for probeHostDns (classification, hostname validation), printHostDnsRemediation (platform-specific output), and assertHostDnsHealthy (provider selection, mode gating, environment control, proxy handling).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• [All Platforms][Install] Host DNS blocking via iptables OUTPUT is not caught in preflight; failures only surface during provider validation #4784: Implements the missing host-side DNS check for NVIDIA Endpoints provider resolution, addressing the reported gap in early DNS failure detection during onboarding.

Suggested labels

fix, onboarding, area: networking, bug-fix

Suggested reviewers

• laitingsheng
• cv
• sandl99

Poem

🐰 A rabbit hops through DNS gates,
Checking hosts before it's late,
NVIDIA paths now verified fast,
No more Docker dreams unsurpassed!
Resolution flows, remediation shows—
One hop closer, on it goes! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(onboard): catch host DNS block before provider validation (#4784)' directly and clearly summarizes the main change: a host DNS check added to the onboarding flow that detects DNS blocks before provider validation occurs, matching the PR's core objective.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

src/lib/onboard.ts (1)

6189-6199: Run the recommended onboarding E2E slices for this wiring change.

Since this change threads provider context through preflight in src/lib/onboard.ts, run the targeted nightly E2E subset to validate resume/non-interactive provider-gating behavior end to end.

As per coding guidelines, "src/lib/onboard.ts: This file contains core onboarding logic. Changes here affect the full sandbox creation and configuration flow."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 6189 - 6199, Change threads provider context
through preflight; run targeted nightly E2E slices to validate
resume/non-interactive provider-gating behavior by exercising the wiring around
runPreflight (preflight), assertDockerBridgeAndContainerDnsHealthy,
rejectUnsupportedContainerRuntime, and assertCdiNvidiaGpuSpecPresent;
specifically run the subset that covers resume paths, non-interactive flows,
provider-recorded session reads (readRecordedProvider), and Docker/Podman
runtime gating to ensure the new session?.provider propagation behaves correctly
end-to-end.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/onboard.ts`:
- Around line 6189-6199: Change threads provider context through preflight; run
targeted nightly E2E slices to validate resume/non-interactive provider-gating
behavior by exercising the wiring around runPreflight (preflight),
assertDockerBridgeAndContainerDnsHealthy, rejectUnsupportedContainerRuntime, and
assertCdiNvidiaGpuSpecPresent; specifically run the subset that covers resume
paths, non-interactive flows, provider-recorded session reads
(readRecordedProvider), and Docker/Podman runtime gating to ensure the new
session?.provider propagation behaves correctly end-to-end.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 15a037c5-ceb5-401a-b25a-b7dec35677d4

📥 Commits

Reviewing files that changed from the base of the PR and between 784f573 and 55417d9.

📒 Files selected for processing (4)

• src/lib/onboard.ts
• src/lib/onboard/bridge-dns-preflight.ts
• src/lib/onboard/host-dns-preflight.test.ts
• src/lib/onboard/preflight.ts

[yimoj]

Re: CodeRabbit nitpick on the src/lib/onboard.ts preflight wiring (run onboarding E2E for resume/non-interactive provider gating) — validated end-to-end:

• Real-CLI E2E under a live host DNS block (sudo iptables -I OUTPUT -p {udp,tcp} --dport 53 -j DROP), going through runPreflight → preflight() → assertDockerBridgeAndContainerDnsHealthy(host, isNonInteractive(), recordedProviderForHostDns):
  • Default --non-interactive (NVIDIA Endpoints default): aborts at the new ✗ Host DNS resolution failed (could not resolve integrate.api.nvidia.com) gate at step [1/8], with remediation — before the misleading container-DNS line and before later provider validation.
  • NEMOCLAW_PROVIDER=ollama: host DNS gate is skipped, onboarding proceeds past preflight into Ollama setup (no NVIDIA-domain DNS dependency).
  • A /etc/hosts-resolvable name resolves OK even under the block, confirming the probe uses dns.lookup/getaddrinfo (same path as the later curl validation) and won't false-fail proxy//etc/hosts setups.
  • Firewall rules trap-cleaned after each run (verified none left behind).
• Unit coverage for the gating matrix in src/lib/onboard/host-dns-preflight.test.ts: non-interactive default → run; interactive/unset → skip; explicit + recorded providers (build/cloud/routed/nvidia-prod/nvidia-nim/nvidia-router → run; ollama-local/vllm-local/nim-local → skip); proxy/NO_PROXY; and the NEMOCLAW_SKIP_HOST_DNS_PREFLIGHT escape hatch.

src/lib/onboard.ts itself is net-neutral (4 single-line modifications) per the entrypoint budget; all logic lives under src/lib/onboard/.

[wscurran]

✨
Related open issues:

• #4784 [All Platforms][Install] Host DNS blocking via iptables OUTPUT is not caught in preflight; failures only surface during provider validation

[prekshivyas]

LGTM. Correctly addresses #4784 by catching a blocked host DNS in preflight instead of late during provider validation — and it's appropriately fail-safe for a blocking check:

• Only a fatal probe result aborts; inconclusive/transient failures warn-and-continue (!isFatalHostDnsProbeFailure → console.warn).
• Skips when an HTTPS proxy is configured (provider reached via proxy, host DNS irrelevant) and via the NEMOCLAW_SKIP_HOST_DNS_PREFLIGHT escape hatch.
• Gated to NVIDIA-endpoint providers, so local/Ollama onboards aren't subjected to it.
  The error path names the skip env. CI green, test present. Given the size (~833 LOC) the probe internals (probeHostDns/isFatalHostDnsProbeFailure) are worth a maintainer eyeball, but the decision-boundary behavior is sound and won't over-block.