refactor(onboard): extract web search verification probe (#3305)

## Summary
Extract the post-create web-search verification probe out of the large
onboarding module. This keeps web-search setup and verification in
focused helper modules while leaving onboarding flow orchestration
unchanged.

## Changes
- Add `src/lib/onboard/web-search-verify.ts` for best-effort
Hermes/OpenClaw web-search runtime verification.
- Update `src/lib/onboard.ts` to delegate web-search verification
through the extracted helper.
- Add unit tests covering active Hermes/OpenClaw detection,
disabled/malformed OpenClaw config warnings, unsupported-agent warnings,
and probe-error handling.
- Update the source-shape regression to include the extracted
verification module.

## Type of Change
- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Verification
- [x] `npx prek run --all-files` passes
- [x] `npm test` passes
- [x] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [ ] Docs updated for user-facing behavior changes
- [ ] `make docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Carlos Villela <cvillela@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Runtime verification that web search is actually enabled inside
sandboxes; logs success or emits non-fatal warnings when verification
cannot be completed.

* **Tests**
* Expanded automated tests covering multiple agent/config scenarios,
parsing edge cases, and probe failures to ensure robust verification
behavior.

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/3305)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: cjagwani <cjagwani@nvidia.com>

Author: 3 people

src/lib/onboard.ts

@@ -44,6 +44,9 @@ const {
 const {
   agentSupportsWebSearch,
 }: typeof import("./onboard/web-search-support") = require("./onboard/web-search-support");
+const {
+  verifyWebSearchInsideSandbox: verifyWebSearchInsideSandboxWithDeps,
+}: typeof import("./onboard/web-search-verify") = require("./onboard/web-search-verify");
 const {
   buildDirectGpuPolicyYaml,
   buildDirectSandboxGpuProofCommands,
@@ -2406,80 +2409,14 @@ async function configureWebSearch(
   return { fetchEnabled: true };
 }
 
-/**
- * Post-creation probe: verify web search is actually functional inside the
- * sandbox. Hermes silently ignores unknown web.backend values, so checking
- * the config file alone is insufficient — we need to ask the runtime.
- *
- * For Hermes: runs `hermes dump` and checks for an active web backend.
- * For OpenClaw: checks that the tools.web.search block is present in the config.
- *
- * This is a best-effort warning — it does not abort onboarding.
- */
 function verifyWebSearchInsideSandbox(
   sandboxName: string,
   agent: AgentDefinition | null | undefined,
 ): void {
-  const agentName = agent?.name || "openclaw";
-  try {
-    if (agentName === "hermes") {
-      // `hermes dump` outputs config_overrides and active toolsets.
-      // Look for the web backend in its output.
-      const dump = runCaptureOpenshell(
-        ["sandbox", "exec", "-n", sandboxName, "--", "hermes", "dump"],
-        {
-          ignoreError: true,
-          timeout: 10_000,
-        },
-      );
-      if (!dump) {
-        console.warn("  ⚠ Could not verify web search config inside sandbox (hermes dump failed).");
-        return;
-      }
-      // A working web backend shows as an explicit config override or active-toolset entry.
-      // Avoid broad /web.*search/ matching so warning text never looks like success.
-      const hasWebBackend =
-        /^\s*web\.backend:\s*\S+/m.test(dump) ||
-        /^\s*active toolsets:\s*.*\bweb\b/im.test(dump) ||
-        /^\s*toolsets:\s*.*\bweb\b/im.test(dump);
-      if (!hasWebBackend) {
-        console.warn(
-          "  ⚠ Web search was configured but Hermes does not report an active web backend.",
-        );
-        console.warn("    The agent may not have accepted the web search configuration.");
-        console.warn(`    Check: ${cliName()} ${sandboxName} exec hermes dump`);
-      } else {
-        console.log("  ✓ Web search is active inside sandbox");
-      }
-    } else if (agentName === "openclaw") {
-      // OpenClaw: verify tools.web.search block exists in the baked config.
-      const configCheck = runCaptureOpenshell(
-        ["sandbox", "exec", "-n", sandboxName, "--", "cat", "/sandbox/.openclaw/openclaw.json"],
-        { ignoreError: true, timeout: 10_000 },
-      );
-      if (!configCheck) {
-        console.warn("  ⚠ Could not verify web search config inside sandbox.");
-        return;
-      }
-      try {
-        const parsed = JSON.parse(configCheck);
-        if (parsed?.tools?.web?.search?.enabled) {
-          console.log("  ✓ Web search is active inside sandbox");
-        } else {
-          console.warn(
-            "  ⚠ Web search was configured but tools.web.search is not enabled in openclaw.json.",
-          );
-        }
-      } catch {
-        console.warn("  ⚠ Could not parse openclaw.json to verify web search config.");
-      }
-    } else {
-      console.warn(`  ⚠ Web search verification is not implemented for agent '${agentName}'.`);
-    }
-  } catch {
-    // Best-effort — don't let probe failures derail onboarding.
-    console.warn("  ⚠ Web search verification probe failed (non-fatal).");
-  }
+  verifyWebSearchInsideSandboxWithDeps(sandboxName, agent, {
+    runCaptureOpenshell,
+    cliName,
+  });
 }
 
 // getSandboxInferenceConfig — moved to onboard-providers.ts

src/lib/onboard/web-search-verify.test.ts

@@ -0,0 +1,74 @@
+// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { describe, expect, it, vi } from "vitest";
+
+import { verifyWebSearchInsideSandbox, type WebSearchVerifyDeps } from "./web-search-verify";
+
+function deps(output: string | null) {
+  return {
+    runCaptureOpenshell: vi.fn(() => output),
+    cliName: vi.fn(() => "nemoclaw"),
+    log: vi.fn(),
+    warn: vi.fn(),
+  } satisfies WebSearchVerifyDeps;
+}
+
+describe("verifyWebSearchInsideSandbox", () => {
+  it("reports active Hermes web backend", () => {
+    const d = deps("web.backend: brave\n");
+
+    verifyWebSearchInsideSandbox("alpha", { name: "hermes" }, d);
+
+    expect(d.log).toHaveBeenCalledWith("  ✓ Web search is active inside sandbox");
+    expect(d.warn).not.toHaveBeenCalled();
+  });
+
+  it("warns when Hermes does not report active web backend", () => {
+    const d = deps("active toolsets: shell\n");
+
+    verifyWebSearchInsideSandbox("alpha", { name: "hermes" }, d);
+
+    expect(d.warn).toHaveBeenCalledWith(
+      "  ⚠ Web search was configured but Hermes does not report an active web backend.",
+    );
+    expect(d.warn).toHaveBeenCalledWith("    Check: nemoclaw alpha exec hermes dump");
+  });
+
+  it("reports active OpenClaw web search config", () => {
+    const d = deps(JSON.stringify({ tools: { web: { search: { enabled: true } } } }));
+
+    verifyWebSearchInsideSandbox("alpha", { name: "openclaw" }, d);
+
+    expect(d.log).toHaveBeenCalledWith("  ✓ Web search is active inside sandbox");
+  });
+
+  it("warns when OpenClaw config is malformed or disabled", () => {
+    const malformed = deps("not-json");
+    verifyWebSearchInsideSandbox("alpha", { name: "openclaw" }, malformed);
+    expect(malformed.warn).toHaveBeenCalledWith(
+      "  ⚠ Could not parse openclaw.json to verify web search config.",
+    );
+
+    const disabled = deps(JSON.stringify({ tools: { web: { search: { enabled: false } } } }));
+    verifyWebSearchInsideSandbox("alpha", { name: "openclaw" }, disabled);
+    expect(disabled.warn).toHaveBeenCalledWith(
+      "  ⚠ Web search was configured but tools.web.search is not enabled in openclaw.json.",
+    );
+  });
+
+  it("warns for unknown agents and catches probe errors", () => {
+    const unknown = deps(null);
+    verifyWebSearchInsideSandbox("alpha", { name: "other" }, unknown);
+    expect(unknown.warn).toHaveBeenCalledWith(
+      "  ⚠ Web search verification is not implemented for agent 'other'.",
+    );
+
+    const throwing = deps(null);
+    throwing.runCaptureOpenshell = vi.fn(() => {
+      throw new Error("boom");
+    });
+    verifyWebSearchInsideSandbox("alpha", { name: "openclaw" }, throwing);
+    expect(throwing.warn).toHaveBeenCalledWith("  ⚠ Web search verification probe failed (non-fatal).");
+  });
+});

src/lib/onboard/web-search-verify.ts

@@ -0,0 +1,88 @@
+// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+export type WebSearchVerifyAgent = {
+  name?: string | null;
+} | null | undefined;
+
+export type WebSearchVerifyDeps = {
+  runCaptureOpenshell: (args: string[], options: { ignoreError: true; timeout: number }) => string | null;
+  cliName: () => string;
+  log?: (message?: string) => void;
+  warn?: (message?: string) => void;
+};
+
+/**
+ * Post-creation probe: verify web search is actually functional inside the
+ * sandbox. Hermes silently ignores unknown web.backend values, so checking
+ * the config file alone is insufficient — we need to ask the runtime.
+ *
+ * For Hermes: runs `hermes dump` and checks for an active web backend.
+ * For OpenClaw: checks that the tools.web.search block is present in the config.
+ *
+ * This is a best-effort warning — it does not abort onboarding.
+ */
+export function verifyWebSearchInsideSandbox(
+  sandboxName: string,
+  agent: WebSearchVerifyAgent,
+  deps: WebSearchVerifyDeps,
+): void {
+  const log = deps.log ?? console.log;
+  const warn = deps.warn ?? console.warn;
+  const agentName = agent?.name || "openclaw";
+  try {
+    if (agentName === "hermes") {
+      // `hermes dump` outputs config_overrides and active toolsets.
+      // Look for the web backend in its output.
+      const dump = deps.runCaptureOpenshell(
+        ["sandbox", "exec", "-n", sandboxName, "--", "hermes", "dump"],
+        {
+          ignoreError: true,
+          timeout: 10_000,
+        },
+      );
+      if (!dump) {
+        warn("  ⚠ Could not verify web search config inside sandbox (hermes dump failed).");
+        return;
+      }
+      // A working web backend shows as an explicit config override or active-toolset entry.
+      // Avoid broad /web.*search/ matching so warning text never looks like success.
+      const hasWebBackend =
+        /^\s*web\.backend:\s*\S+/m.test(dump) ||
+        /^\s*active toolsets:\s*.*\bweb\b/im.test(dump) ||
+        /^\s*toolsets:\s*.*\bweb\b/im.test(dump);
+      if (!hasWebBackend) {
+        warn("  ⚠ Web search was configured but Hermes does not report an active web backend.");
+        warn("    The agent may not have accepted the web search configuration.");
+        warn(`    Check: ${deps.cliName()} ${sandboxName} exec hermes dump`);
+      } else {
+        log("  ✓ Web search is active inside sandbox");
+      }
+    } else if (agentName === "openclaw") {
+      // OpenClaw: verify tools.web.search block exists in the baked config.
+      const configCheck = deps.runCaptureOpenshell(
+        ["sandbox", "exec", "-n", sandboxName, "--", "cat", "/sandbox/.openclaw/openclaw.json"],
+        { ignoreError: true, timeout: 10_000 },
+      );
+      if (!configCheck) {
+        warn("  ⚠ Could not verify web search config inside sandbox.");
+        return;
+      }
+      try {
+        const parsed = JSON.parse(configCheck);
+        if (parsed?.tools?.web?.search?.enabled) {
+          log("  ✓ Web search is active inside sandbox");
+        } else {
+          warn("  ⚠ Web search was configured but tools.web.search is not enabled in openclaw.json.");
+        }
+      } catch {
+        warn("  ⚠ Could not parse openclaw.json to verify web search config.");
+      }
+    } else {
+      warn(`  ⚠ Web search verification is not implemented for agent '${agentName}'.`);
+    }
+  } catch {
+    // Best-effort — don't let probe failures derail onboarding.
+    warn("  ⚠ Web search verification probe failed (non-fatal).");
+  }
+}

test/onboard.test.ts

@@ -4952,10 +4952,16 @@ const { setupInference } = require(${onboardPath});
   });
 
   it("uses named sandbox exec for dashboard and web-search probes", () => {
-    const source = fs.readFileSync(
+    const onboardSource = fs.readFileSync(
       path.join(import.meta.dirname, "..", "src", "lib", "onboard.ts"),
       "utf-8",
     );
+    const webSearchVerifySource = fs.readFileSync(
+      path.join(import.meta.dirname, "..", "src", "lib", "onboard", "web-search-verify.ts"),
+      "utf-8",
+    );
+    const source = `${onboardSource}
+${webSearchVerifySource}`;
 
     assert.match(source, /"sandbox",\s*"exec",\s*"-n",\s*sandboxName,\s*"--",\s*"curl"/);
     assert.match(source, /"sandbox",\s*"exec",\s*"-n",\s*sandboxName,\s*"--",\s*"hermes"/);