fix(onboard): suppress docker manifest/build noise during gateway setup (#3311)

## Summary

During `nemoclaw onboard` step [2/8], the `docker manifest inspect` JSON
output and the BuildKit build log (apt-get output, layer hashes, debconf
warnings) are forwarded to the user's terminal alongside the curated
progress lines we already log ("Pulling upstream cluster image…",
"Building patched cluster image…"). This PR keeps the curated lines as
the user-facing signal and routes the raw command output to
internal-only handling.

## Related Issue

Closes #3248

## Changes

- Add `suppressOutput?: boolean` to the `RunOpts` interface in
[src/lib/cluster-image-patch.ts](src/lib/cluster-image-patch.ts) and
plumb it through `defaultRun` so callers can opt into dropping captured
stdio instead of forwarding it to the user.
- Pass `suppressOutput: true` on the `docker manifest inspect`
reachability probe.
- Pass `--quiet` and `suppressOutput: true` on the `docker build`
invocation so BuildKit no longer streams its full log to the user.
- Add a unit test in
[src/lib/cluster-image-patch.test.ts](src/lib/cluster-image-patch.test.ts)
asserting both call sites carry `suppressOutput: true` and that build
now includes `--quiet`.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Verification

- [x] `npx prek run --all-files` passes
- [x] `npm test` passes
- [x] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [ ] Docs updated for user-facing behavior changes
- [ ] `make docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Improvements**
* Reduced output verbosity from Docker operations by suppressing output
during manifest inspection and build steps.

* **Tests**
* Added test coverage for output suppression behavior in Docker
operations.

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/3311)

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>

Author: laitingsheng

src/lib/cluster-image-patch.test.ts

@@ -331,6 +331,42 @@ describe("ensurePatchedClusterImage", () => {
     ).toThrow(ClusterImagePatchError);
   });
 
+  it("suppresses raw docker manifest/build output so onboard does not leak internal noise (#3248)", () => {
+    // The manifest probe dumps a multi-line JSON manifest list, and `docker build`
+    // dumps its full BuildKit log (apt-get, layer hashes, debconf warnings) to
+    // the user's terminal. Both must be suppressed so the install transcript
+    // stays clean. The caller already prints its own "Pulling …"/"Building …"
+    // progress lines.
+    const fsImpl = createMockFs();
+    const runCalls: { cmd: string[]; opts: { suppressOutput?: boolean } | undefined }[] = [];
+    let upstreamInspectCount = 0;
+
+    ensurePatchedClusterImage({
+      upstreamImage: UPSTREAM,
+      runCaptureImpl: (cmd) => {
+        if (inspectAt(cmd) === "upstream") {
+          upstreamInspectCount += 1;
+          return upstreamInspectCount === 1 ? "" : "sha256:9999aaaa";
+        }
+        return "";
+      },
+      runImpl: (cmd, opts) => {
+        runCalls.push({ cmd: [...cmd], opts });
+        return { status: 0 };
+      },
+      logger: () => {},
+      fsImpl,
+      tmpdirImpl: () => "/tmp",
+    });
+
+    const manifestCall = runCalls.find((entry) => entry.cmd[1] === "manifest");
+    expect(manifestCall?.opts).toMatchObject({ suppressOutput: true });
+
+    const buildCall = runCalls.find((entry) => entry.cmd[1] === "build");
+    expect(buildCall?.cmd).toContain("--quiet");
+    expect(buildCall?.opts).toMatchObject({ suppressOutput: true });
+  });
+
   it("throws ClusterImagePatchError on docker build failure", () => {
     let upstreamInspectCount = 0;
     expect(() =>

src/lib/cluster-image-patch.ts

@@ -42,6 +42,13 @@ export interface RunOpts {
   ignoreError?: boolean;
   /** Hard wall-clock timeout (ms). Child is killed on expiry. */
   timeoutMs?: number;
+  /**
+   * Drop captured stdout/stderr instead of forwarding them to the user's
+   * terminal. Used for noisy commands (`docker manifest inspect`,
+   * `docker build`) whose raw output is internal-only — the caller logs
+   * its own progress lines.
+   */
+  suppressOutput?: boolean;
 }
 
 export interface EnsurePatchedClusterImageOpts {
@@ -260,6 +267,7 @@ export function ensurePatchedClusterImage(opts: EnsurePatchedClusterImageOpts):
     // and restricted-network hosts fail in seconds instead of minutes.
     const probeResult = runImpl(["docker", "manifest", "inspect", opts.upstreamImage], {
       ignoreError: true,
+      suppressOutput: true,
       timeoutMs: inspectTimeoutMs,
     });
     if (probeResult.status !== 0) {
@@ -321,13 +329,14 @@ export function ensurePatchedClusterImage(opts: EnsurePatchedClusterImageOpts):
       [
         "docker",
         "build",
+        "--quiet",
         "--build-arg",
         `UPSTREAM=${opts.upstreamImage}`,
         "-t",
         tag,
         tmpDir,
       ],
-      { ignoreError: true, timeoutMs: buildTimeoutMs },
+      { ignoreError: true, suppressOutput: true, timeoutMs: buildTimeoutMs },
     );
 
     if (buildResult.status !== 0) {
@@ -397,6 +406,7 @@ function defaultRunCapture(cmd: readonly string[], opts: RunOpts = {}): string {
 function defaultRun(cmd: readonly string[], opts: RunOpts = {}): { status: number | null } {
   const result = runner.run(cmd, {
     ignoreError: opts.ignoreError,
+    suppressOutput: opts.suppressOutput,
     ...(opts.timeoutMs !== undefined ? { timeout: opts.timeoutMs } : {}),
   });
   return { status: result.status ?? null };