Skip to content

fix(runtime): route local Ollama through auth proxy#6579

Closed
apurvvkumaria wants to merge 1 commit into
mainfrom
codex/3136-ollama-proxy-route-verified
Closed

fix(runtime): route local Ollama through auth proxy#6579
apurvvkumaria wants to merge 1 commit into
mainfrom
codex/3136-ollama-proxy-route-verified

Conversation

@apurvvkumaria

@apurvvkumaria apurvvkumaria commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Summary

Route the managed ollama-local provider through NemoClaw's token-gated auth proxy on non-WSL runtimes while preserving the Docker Desktop loopback exception on WSL. This is a clean, verified replacement for #6337; Chengjie Wang's original implementation is preserved and credited as co-author.

Related Issue

Refs #3136. Supersedes #6337 because its published commit history cannot satisfy the current GitHub verification requirement.

Changes

  • Detect WSL consistently from environment, kernel release, and /proc/version signals.
  • Select raw host loopback only for WSL with Docker Desktop; fail safe to the auth-proxy port everywhere else.
  • Validate raw and proxy port configuration and keep the host Ollama health check independent from the sandbox-facing route.
  • Add shell/TypeScript parity and routing regression coverage.
  • Document the managed routes and the unsupported direct-provider case.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification:
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — maintainer review confirms that raw loopback is limited to the WSL + Docker Desktop exception and every unknown/non-WSL runtime fails safe to the token-gated proxy.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — npx vitest run --project integration test/runtime-shell.test.ts (65/65 passed)
  • Applicable broad gate passed — broad CI matrix will run on the PR; focused hooks, CLI type-check, and 110 earlier targeted tests passed locally.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only) — passed with 0 errors and 2 pre-existing warnings.
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Apurv Kumaria akumaria@nvidia.com

Summary by CodeRabbit

  • Bug Fixes

    • Improved local Ollama access in sandboxed environments, with clearer routing for Docker Desktop and WSL setups.
    • Fixed health checks and provider URLs so the app uses the correct local endpoint and proxy path automatically.
    • Added validation to prevent invalid or conflicting Ollama port settings.
  • Documentation

    • Updated troubleshooting guidance with clearer setup steps for selecting Local Ollama and using the correct managed URL.

Co-authored-by: Chengjie Wang <chengjiew@nvidia.com>
Signed-off-by: Apurv Kumaria <akumaria@nvidia.com>
@apurvvkumaria apurvvkumaria added provider: ollama Ollama local model provider behavior area: local-models Local model providers, downloads, launch, or connectivity area: routing Request routing, policy routing, model selection, or fallback logic area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery bug-fix PR fixes a bug or regression v0.0.79 Release target labels Jul 9, 2026
@apurvvkumaria apurvvkumaria self-assigned this Jul 9, 2026
@github-code-quality

github-code-quality Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 77%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 4970809 3bf8cf8 +/-
src/lib/actions...ge-preflight.ts 89% 74% -15%
src/lib/agent/onboard.ts 71% 70% -1%
src/lib/agent/base-image.ts 82% 84% +2%
src/lib/agent/t...ersion-drift.ts 88% 96% +8%
src/lib/agent/b...availability.ts 63% 74% +11%
src/lib/onboard/config-sync.ts 31% 46% +15%
src/lib/agent/t...-enforcement.ts 75% 100% +25%
src/lib/sandbox...rsion-scheme.ts 73% 100% +27%

Updated July 09, 2026 16:05 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds WSL detection and container-runtime inference to the shell runtime library to route Ollama access between direct host loopback and a managed auth-proxy path, updates provider URL and health-check logic accordingly, expands shell test coverage for these paths, and revises troubleshooting documentation.

Changes

Ollama Routing for WSL/Docker Desktop

Layer / File(s) Summary
WSL and runtime detection helpers
scripts/lib/runtime.sh
Adds is_wsl_runtime(), detect_container_runtime_from_docker(), and container_can_reach_host_loopback() to determine whether direct host loopback access to Ollama is permitted.
Port selection and provider/health wiring
scripts/lib/runtime.sh
Adds get_ollama_container_port() to choose between raw and proxy ports; updates get_local_provider_base_url() for ollama-local and refactors check_local_provider_health() port validation for vllm-local and ollama-local.
Shell test harness and routing fixtures
test/runtime-shell.test.ts
Sanitizes runShell's environment, adds a createFakeDockerInfo helper, and introduces a ROUTING_RUNTIME_FIXTURES table for parameterized tests.
Routing and WSL-detection test coverage
test/runtime-shell.test.ts
Adds tests validating ollama-local base URL routing across native Docker and WSL Docker Desktop hosts, WSL detection via env markers, and cross-checks against TypeScript routing logic.
Validation, fallback, and health-check test coverage
test/runtime-shell.test.ts
Adds tests for invalid port rejection, non-Linux WSL env handling, missing runtime detection fallback, port-equality policy, and health-check behavior against raw vs proxy endpoints.
Troubleshooting documentation update
docs/reference/troubleshooting.mdx
Revises guidance for reaching local Ollama, detailing onboarding steps and auth-proxy URLs for Docker Desktop and WSL scenarios, and clarifying unsupported configurations.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Script as get_local_provider_base_url
  participant RuntimeDetect as detect_container_runtime_from_docker
  participant Loopback as container_can_reach_host_loopback
  participant PortLogic as get_ollama_container_port

  Script->>RuntimeDetect: docker info
  RuntimeDetect-->>Script: ContainerRuntime
  Script->>Loopback: is_wsl_runtime + ContainerRuntime
  Loopback-->>Script: can reach host loopback?
  Script->>PortLogic: NEMOCLAW_OLLAMA_PORT, proxy port
  PortLogic-->>Script: raw port or proxy port
  Script-->>Script: build ollama-local base URL
Loading

Suggested labels: refactor, platform: wsl, area: docs

Suggested reviewers: cv

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main runtime change: routing local Ollama through the auth proxy.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/3136-ollama-proxy-route-verified

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Shell duplicates TypeScript platform routing logic as workaround.
Open items: 0 required · 2 warnings · 1 suggestion · 4 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 3 new items found

Action checklist

  • PRA-1 Resolve or justify: Shell duplicates TypeScript platform routing logic as workaround in scripts/lib/runtime.sh:46
  • PRA-2 Resolve or justify: Troubleshooting doc has high rebase conflict risk with 4 open PRs in docs/reference/troubleshooting.mdx:1988
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: No integration/E2E test for onboarding Ollama routing decision
  • PRA-3 In-scope improvement: No integration/E2E test for onboarding Ollama routing decision in test/runtime-shell.test.ts:1

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture scripts/lib/runtime.sh:46 Track the 2026-12-31 review deadline. Consider generating shell helpers from TS source or adding a CI check that validates shell/TS parity on every change to platform.ts.
PRA-2 Resolve/justify scope docs/reference/troubleshooting.mdx:1988 Coordinate with authors of PRs #5812, #6273, #6292, #6333 to sequence merges or consolidate doc updates. Consider splitting troubleshooting.mdx into smaller files to reduce conflict surface.
PRA-3 Improvement tests test/runtime-shell.test.ts:1 Add a focused integration test (or extend existing e2e) that spins up a test sandbox with ollama-local provider and verifies inference requests succeed via the selected route (proxy vs raw loopback) for at least one non-WSL and one WSL+Docker Desktop scenario.
Review findings by urgency: 0 required fixes, 2 items to resolve/justify, 1 in-scope improvement

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Shell duplicates TypeScript platform routing logic as workaround

  • Location: scripts/lib/runtime.sh:46
  • Category: architecture
  • Problem: scripts/lib/runtime.sh implements is_wsl_runtime() and container_can_reach_host_loopback() mirroring src/lib/platform.ts:isWsl() and containerCanReachHostLoopback(). Comment acknowledges this is a temporary workaround until OpenShell exposes a uniform sandbox-to-host route. Test matrix cross-validates parity but divergence could cause sandbox trust-boundary misclassification.
  • Impact: If shell and TS logic drift, onboarding could select wrong Ollama route (raw loopback vs auth proxy), exposing unauthenticated Ollama to sandbox or blocking valid WSL+Docker Desktop connections.
  • Recommended action: Track the 2026-12-31 review deadline. Consider generating shell helpers from TS source or adding a CI check that validates shell/TS parity on every change to platform.ts.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check scripts/lib/runtime.sh lines 46-85 for is_wsl_runtime and container_can_reach_host_loopback; compare with src/lib/platform.ts isWsl and containerCanReachHostLoopback. Run test/runtime-shell.test.ts matrix tests to confirm current parity.
  • Missing regression test: Add CI job that imports platform.ts logic and asserts shell function outputs match for all WSL/runtime combinations in ROUTING_RUNTIME_FIXTURES.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check scripts/lib/runtime.sh lines 46-85 for is_wsl_runtime and container_can_reach_host_loopback; compare with src/lib/platform.ts isWsl and containerCanReachHostLoopback. Run test/runtime-shell.test.ts matrix tests to confirm current parity.
  • Evidence: scripts/lib/runtime.sh:46-85 (is_wsl_runtime, container_can_reach_host_loopback) src/lib/platform.ts:18-60 (isWsl, containerCanReachHostLoopback) test/runtime-shell.test.ts:200-300 (parity test matrix)

PRA-2 Resolve/justify — Troubleshooting doc has high rebase conflict risk with 4 open PRs

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-3 Improvement — No integration/E2E test for onboarding Ollama routing decision

  • Location: test/runtime-shell.test.ts:1
  • Category: tests
  • Problem: Unit tests validate get_local_provider_base_url output for 14 runtime×WSL combinations against TS logic. However, no test exercises the full onboarding path: runtime detection → provider URL selection → sandbox provider config → actual sandbox connectivity to Ollama via chosen route.
  • Impact: Unit test parity does not guarantee the chosen URL works end-to-end in the sandbox (e.g., auth proxy token propagation, network policy allowing proxy port, host.openshell.internal DNS resolution). A routing regression could pass unit tests but fail in production onboarding.
  • Suggested action: Add a focused integration test (or extend existing e2e) that spins up a test sandbox with ollama-local provider and verifies inference requests succeed via the selected route (proxy vs raw loopback) for at least one non-WSL and one WSL+Docker Desktop scenario.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search test/e2e/ and .github/workflows/e2e.yaml for tests exercising ollama-local provider onboarding. Current test/runtime-shell.test.ts only tests shell function outputs.
  • Missing regression test: E2E test: onboard with ollama-local on native Docker (expects proxy route :11435) and on WSL+Docker Desktop (expects raw route :11434), then verify sandbox can call /v1/models via the configured URL.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: test/runtime-shell.test.ts: 395 lines of unit tests only pr_review_scope_risk_context.workflowSignals: [] (no E2E workflow changes) diff shows no new files under test/e2e/ or .github/workflows/e2e.yaml
Simplification opportunities: 3 possible cuts

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-1 shrink (scripts/lib/runtime.sh:46): Duplicated is_wsl_runtime() and container_can_reach_host_loopback() in runtime.sh (~40 lines)
    • Replacement: Generated shell helpers from platform.ts or shared test-only parity validation
    • Net: -35 lines
    • Safety boundary: Sandbox trust boundary for Ollama auth proxy routing — must not weaken default-deny proxy stance
  • PRA-2 yagni (docs/reference/troubleshooting.mdx:1988): N/A — coordination overhead
    • Replacement: N/A
    • Net: 0 lines
    • Safety boundary: Documentation accuracy for security-critical routing guidance
  • PRA-3 native (test/runtime-shell.test.ts:1): N/A — gap, not excess
    • Replacement: Focused E2E test reusing existing onboarding fixtures
    • Net: 50 lines
    • Safety boundary: Validates sandbox trust boundary enforcement end-to-end
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Add or identify targeted runtime/integration validation for the changed behavior; do not report external E2E job pass/fail here.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: docs/reference/troubleshooting.mdx, scripts/lib/runtime.sh. Unit test matrix comprehensive (20 new test blocks, 14 runtime×WSL combinations, all error paths, mocking purity via fake docker binary). Test depth tool confirms runtime_validation_recommended for scripts/lib/runtime.sh (runtime/sandbox/infrastructure path). Gap: no test validates auth proxy token propagation, network policy, DNS resolution, or actual sandbox connectivity via chosen route.
  • PRA-T2 Runtime validation — E2E test: onboard with ollama-local on native Docker (expects proxy route :11435) and verify sandbox can call /v1/models via configured URL. Runtime/sandbox/infrastructure paths need behavioral runtime validation: docs/reference/troubleshooting.mdx, scripts/lib/runtime.sh. Unit test matrix comprehensive (20 new test blocks, 14 runtime×WSL combinations, all error paths, mocking purity via fake docker binary). Test depth tool confirms runtime_validation_recommended for scripts/lib/runtime.sh (runtime/sandbox/infrastructure path). Gap: no test validates auth proxy token propagation, network policy, DNS resolution, or actual sandbox connectivity via chosen route.
  • PRA-T3 Runtime validation — E2E test: onboard with ollama-local on WSL+Docker Desktop (expects raw route :11434) and verify sandbox can call /v1/models via configured URL. Runtime/sandbox/infrastructure paths need behavioral runtime validation: docs/reference/troubleshooting.mdx, scripts/lib/runtime.sh. Unit test matrix comprehensive (20 new test blocks, 14 runtime×WSL combinations, all error paths, mocking purity via fake docker binary). Test depth tool confirms runtime_validation_recommended for scripts/lib/runtime.sh (runtime/sandbox/infrastructure path). Gap: no test validates auth proxy token propagation, network policy, DNS resolution, or actual sandbox connectivity via chosen route.
  • PRA-T4 No integration/E2E test for onboarding Ollama routing decision — Add a focused integration test (or extend existing e2e) that spins up a test sandbox with ollama-local provider and verifies inference requests succeed via the selected route (proxy vs raw loopback) for at least one non-WSL and one WSL+Docker Desktop scenario.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Shell duplicates TypeScript platform routing logic as workaround

  • Location: scripts/lib/runtime.sh:46
  • Category: architecture
  • Problem: scripts/lib/runtime.sh implements is_wsl_runtime() and container_can_reach_host_loopback() mirroring src/lib/platform.ts:isWsl() and containerCanReachHostLoopback(). Comment acknowledges this is a temporary workaround until OpenShell exposes a uniform sandbox-to-host route. Test matrix cross-validates parity but divergence could cause sandbox trust-boundary misclassification.
  • Impact: If shell and TS logic drift, onboarding could select wrong Ollama route (raw loopback vs auth proxy), exposing unauthenticated Ollama to sandbox or blocking valid WSL+Docker Desktop connections.
  • Recommended action: Track the 2026-12-31 review deadline. Consider generating shell helpers from TS source or adding a CI check that validates shell/TS parity on every change to platform.ts.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check scripts/lib/runtime.sh lines 46-85 for is_wsl_runtime and container_can_reach_host_loopback; compare with src/lib/platform.ts isWsl and containerCanReachHostLoopback. Run test/runtime-shell.test.ts matrix tests to confirm current parity.
  • Missing regression test: Add CI job that imports platform.ts logic and asserts shell function outputs match for all WSL/runtime combinations in ROUTING_RUNTIME_FIXTURES.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check scripts/lib/runtime.sh lines 46-85 for is_wsl_runtime and container_can_reach_host_loopback; compare with src/lib/platform.ts isWsl and containerCanReachHostLoopback. Run test/runtime-shell.test.ts matrix tests to confirm current parity.
  • Evidence: scripts/lib/runtime.sh:46-85 (is_wsl_runtime, container_can_reach_host_loopback) src/lib/platform.ts:18-60 (isWsl, containerCanReachHostLoopback) test/runtime-shell.test.ts:200-300 (parity test matrix)

PRA-2 Resolve/justify — Troubleshooting doc has high rebase conflict risk with 4 open PRs

PRA-3 Improvement — No integration/E2E test for onboarding Ollama routing decision

  • Location: test/runtime-shell.test.ts:1
  • Category: tests
  • Problem: Unit tests validate get_local_provider_base_url output for 14 runtime×WSL combinations against TS logic. However, no test exercises the full onboarding path: runtime detection → provider URL selection → sandbox provider config → actual sandbox connectivity to Ollama via chosen route.
  • Impact: Unit test parity does not guarantee the chosen URL works end-to-end in the sandbox (e.g., auth proxy token propagation, network policy allowing proxy port, host.openshell.internal DNS resolution). A routing regression could pass unit tests but fail in production onboarding.
  • Suggested action: Add a focused integration test (or extend existing e2e) that spins up a test sandbox with ollama-local provider and verifies inference requests succeed via the selected route (proxy vs raw loopback) for at least one non-WSL and one WSL+Docker Desktop scenario.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Search test/e2e/ and .github/workflows/e2e.yaml for tests exercising ollama-local provider onboarding. Current test/runtime-shell.test.ts only tests shell function outputs.
  • Missing regression test: E2E test: onboard with ollama-local on native Docker (expects proxy route :11435) and on WSL+Docker Desktop (expects raw route :11434), then verify sandbox can call /v1/models via the configured URL.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: test/runtime-shell.test.ts: 395 lines of unit tests only pr_review_scope_risk_context.workflowSignals: [] (no E2E workflow changes) diff shows no new files under test/e2e/ or .github/workflows/e2e.yaml

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: ollama-auth-proxy, wsl-e2e
Optional E2E: macos-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • ollama-auth-proxy (medium): Validates the managed Ollama auth proxy end-to-end, including token auth, real inference, persistence/recovery, and container reachability for the non-WSL route this PR now selects.
  • wsl-e2e (high): Runs the real install/onboarding/full sandbox flow inside Ubuntu WSL, covering the WSL Docker Desktop routing branch that can bypass the Ollama proxy and use the raw host-loopback port.

Optional E2E

  • macos-e2e (medium): Useful adjacent confidence for non-WSL Docker Desktop/macOS behavior and sandbox lifecycle after changing runtime shell helpers, though the required proxy E2E is the stronger coverage for the local Ollama security boundary.

New E2E recommendations

  • WSL Docker Desktop local Ollama routing (high): Existing WSL full E2E uses the general full-e2e hosted inference path and may not assert that an ollama-local provider inside the sandbox reaches host.openshell.internal:11434 on WSL Docker Desktop.
    • Suggested test: Add a targeted live E2E that onboards/configures ollama-local on WSL Docker Desktop, verifies the saved provider base URL uses host.openshell.internal:11434, and performs an in-sandbox model/list or inference request against real host Ollama.
  • non-WSL local Ollama provider URL (medium): The auth proxy E2E validates the proxy itself, but a targeted install/onboarding assertion would catch regressions where the generated ollama-local provider URL incorrectly points at the raw host port on native Linux or macOS.
    • Suggested test: Add a live E2E that selects Local Ollama during onboarding on a non-WSL Docker host and asserts the persisted OpenClaw provider uses host.openshell.internal:${NEMOCLAW_OLLAMA_PROXY_PORT}/v1 with the expected proxy token path.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: ubuntu-repo-cloud-openclaw, gpu-e2e
Optional E2E targets: inference-routing

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-openclaw
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=gpu-e2e

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: medium

Required E2E targets

  • ubuntu-repo-cloud-openclaw: scripts/lib/runtime.sh is a host runtime/onboarding helper used by the standard repo-current Docker onboarding path; run the primary live-supported Ubuntu OpenClaw target to guard baseline install, Docker runtime detection, sandbox setup, and inference credentials behavior.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field targets=ubuntu-repo-cloud-openclaw
  • gpu-e2e: The runtime.sh change alters ollama-local sandbox-facing URL selection and health checks. The gpu-e2e free-standing live job is the e2e.yaml path that onboards with NEMOCLAW_PROVIDER=ollama and exercises the managed local Ollama route.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=gpu-e2e

Optional E2E targets

  • inference-routing: Optional adjacent coverage for inference route validation and provider error handling after changing local provider URL construction in runtime.sh.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=inference-routing

Relevant changed files

  • scripts/lib/runtime.sh

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
scripts/lib/runtime.sh (1)

140-148: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider bounding the docker info call with a timeout.

The comment states an unhealthy Docker maps to unknown, but a hung/unresponsive daemon won't return promptly, and this runs on the provider-URL resolution path, so it can stall the caller instead of fail-safing to the proxy route.

♻️ Suggested change
-    info="$(docker info --format '{{.OperatingSystem}} {{range .Labels}}{{.}} {{end}}' 2>/dev/null || true)"
+    info="$(timeout 5 docker info --format '{{.OperatingSystem}} {{range .Labels}}{{.}} {{end}}' 2>/dev/null || true)"

Please confirm timeout is available on all supported runtimes (it may be absent on stock macOS without coreutils).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/lib/runtime.sh` around lines 140 - 148, Add a timeout around the
docker info probe in detect_container_runtime_from_docker so an unresponsive
daemon can’t stall provider URL resolution; keep the existing best-effort
behavior by falling back to unknown when the command times out or fails. Use the
existing detect_container_runtime_from_docker and
infer_container_runtime_from_info flow, and verify whether timeout is guaranteed
on all supported runtimes; if not, add a portable fallback or guard for
environments like stock macOS where timeout may be unavailable.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@scripts/lib/runtime.sh`:
- Around line 140-148: Add a timeout around the docker info probe in
detect_container_runtime_from_docker so an unresponsive daemon can’t stall
provider URL resolution; keep the existing best-effort behavior by falling back
to unknown when the command times out or fails. Use the existing
detect_container_runtime_from_docker and infer_container_runtime_from_info flow,
and verify whether timeout is guaranteed on all supported runtimes; if not, add
a portable fallback or guard for environments like stock macOS where timeout may
be unavailable.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2e8c38ac-e29a-4283-b28e-be77a5cdcb88

📥 Commits

Reviewing files that changed from the base of the PR and between 4970809 and 3bf8cf8.

📒 Files selected for processing (3)
  • docs/reference/troubleshooting.mdx
  • scripts/lib/runtime.sh
  • test/runtime-shell.test.ts

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Bound the shell Docker runtime probe so fail-safe routing cannot hang.
Open items: 0 required · 1 warning · 0 suggestions · 5 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 1 new item found

Action checklist

  • PRA-1 Resolve or justify: Bound the shell Docker runtime probe so fail-safe routing cannot hang in scripts/lib/runtime.sh:145
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Acceptance clause
  • PRA-T5 Add or justify test follow-up: scripts/lib/runtime.sh:detect_container_runtime_from_docker fail-safe

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify correctness scripts/lib/runtime.sh:145 Wrap the shell `docker info` call with an available timeout mechanism (for example `timeout 5s docker info ...` when `timeout` exists, with a bounded fallback strategy) or otherwise ensure the probe cannot block indefinitely before returning `unknown`.
Review findings by urgency: 0 required fixes, 1 item to resolve/justify, 0 in-scope improvements

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Bound the shell Docker runtime probe so fail-safe routing cannot hang

  • Location: scripts/lib/runtime.sh:145
  • Category: correctness
  • Problem: The new shell-side `detect_container_runtime_from_docker` is documented as best-effort and intended to map missing or unhealthy Docker to `unknown` so callers can fall back to the token-gated proxy. However, it runs `docker info --format ...` with no timeout. If Docker is installed but the daemon or socket hangs, onboarding/provider URL selection can block instead of reaching the intended fail-safe proxy route.
  • Impact: A user with a wedged Docker CLI/daemon, especially during WSL Docker Desktop detection, may see onboarding hang before configuring local Ollama instead of failing closed to the proxy route.
  • Recommended action: Wrap the shell `docker info` call with an available timeout mechanism (for example `timeout 5s docker info ...` when `timeout` exists, with a bounded fallback strategy) or otherwise ensure the probe cannot block indefinitely before returning `unknown`.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read `scripts/lib/runtime.sh` around `detect_container_runtime_from_docker` and compare to `src/lib/adapters/docker/runtime.ts` timeout constants; confirm the shell command is bounded.
  • Missing regression test: Add a shell runtime test that places a fake `docker` earlier in `PATH` which sleeps or blocks beyond the configured probe timeout, then asserts `get_local_provider_base_url ollama-local` returns the proxy URL promptly instead of hanging.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `scripts/lib/runtime.sh` around `detect_container_runtime_from_docker` and compare to `src/lib/adapters/docker/runtime.ts` timeout constants; confirm the shell command is bounded.
  • Evidence: scripts/lib/runtime.sh:141-147 comments: missing/unhealthy Docker should map to unknown and fail safe to the auth proxy. scripts/lib/runtime.sh:145 runs `docker info --format '{{.OperatingSystem}} {{range .Labels}}{{.}} {{end}}' 2>/dev/null || true` without a timeout. src/lib/adapters/docker/runtime.ts:7-23 shows the TypeScript counterpart uses bounded `DOCKER_INFO_RUNTIME_PROBE_TIMEOUT_MS = 5000` probes before returning `unknown`. test/runtime-shell.test.ts includes absent-Docker fallback coverage but no hanging-Docker regression.

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

  • None.
Simplification opportunities: 1 possible cut

These are safe simplification checks only. Do not remove validation, security controls, data-loss prevention, or required tests.

  • PRA-1 native (scripts/lib/runtime.sh:145): Avoid a custom unbounded Docker probe where the native `timeout` utility (when available) can enforce the documented best-effort behavior.
    • Replacement: Use a bounded shell command for `docker info` and return `unknown` on timeout.
    • Net: 3 lines
    • Safety boundary: Do not remove runtime detection or the auth-proxy fail-safe; only bound the probe so the existing safety behavior is reachable.
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Add or identify targeted runtime/integration validation for the changed behavior; do not report external E2E job pass/fail here.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: docs/reference/troubleshooting.mdx, scripts/lib/runtime.sh. The PR adds strong direct shell-level coverage for routing and validation behavior, but the changed surface is onboarding/host glue. The only missing concrete regression evidence is the unhealthy/hanging Docker CLI path represented by F-001.
  • PRA-T2 Runtime validation — Add a shell runtime test with a fake `docker` executable earlier in `PATH` that sleeps longer than the bounded probe timeout, then assert `get_local_provider_base_url ollama-local` completes promptly with `http://host.openshell.internal:11435/v1\`.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: docs/reference/troubleshooting.mdx, scripts/lib/runtime.sh. The PR adds strong direct shell-level coverage for routing and validation behavior, but the changed surface is onboarding/host glue. The only missing concrete regression evidence is the unhealthy/hanging Docker CLI path represented by F-001.
  • PRA-T3 Runtime validation — If maintainers want additional runtime confidence beyond unit-level shell tests, run or document a targeted local onboarding validation for managed `ollama-local` on a non-WSL Docker Desktop/macOS host and a WSL Docker Desktop host; do not treat external E2E status as reviewed here.. Runtime/sandbox/infrastructure paths need behavioral runtime validation: docs/reference/troubleshooting.mdx, scripts/lib/runtime.sh. The PR adds strong direct shell-level coverage for routing and validation behavior, but the changed surface is onboarding/host glue. The only missing concrete regression evidence is the unhealthy/hanging Docker CLI path represented by F-001.
  • PRA-T4 Acceptance clause — Expected Behavior Inference requests from sandbox to host.docker.internal:11434 should reach the macOS host Ollama service and return valid responses. — add test evidence or identify existing coverage. The managed NemoClaw `ollama-local` path is remediated by using the auth proxy route, but docs explicitly state manually created OpenShell providers and direct sandbox requests to `host.docker.internal:11434` remain unsupported.
  • PRA-T5 scripts/lib/runtime.sh:detect_container_runtime_from_docker fail-safe — Existing tests cover absent Docker returning `unknown`; missing coverage should simulate a hanging fake Docker CLI and assert the proxy URL is returned promptly.. `detect_container_runtime_from_docker` says missing/unhealthy Docker maps to `unknown`, but runs `docker info --format ...` without a timeout; `src/lib/adapters/docker/runtime.ts` uses a bounded timeout for the TypeScript counterpart.
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Bound the shell Docker runtime probe so fail-safe routing cannot hang

  • Location: scripts/lib/runtime.sh:145
  • Category: correctness
  • Problem: The new shell-side `detect_container_runtime_from_docker` is documented as best-effort and intended to map missing or unhealthy Docker to `unknown` so callers can fall back to the token-gated proxy. However, it runs `docker info --format ...` with no timeout. If Docker is installed but the daemon or socket hangs, onboarding/provider URL selection can block instead of reaching the intended fail-safe proxy route.
  • Impact: A user with a wedged Docker CLI/daemon, especially during WSL Docker Desktop detection, may see onboarding hang before configuring local Ollama instead of failing closed to the proxy route.
  • Recommended action: Wrap the shell `docker info` call with an available timeout mechanism (for example `timeout 5s docker info ...` when `timeout` exists, with a bounded fallback strategy) or otherwise ensure the probe cannot block indefinitely before returning `unknown`.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Read `scripts/lib/runtime.sh` around `detect_container_runtime_from_docker` and compare to `src/lib/adapters/docker/runtime.ts` timeout constants; confirm the shell command is bounded.
  • Missing regression test: Add a shell runtime test that places a fake `docker` earlier in `PATH` which sleeps or blocks beyond the configured probe timeout, then asserts `get_local_provider_base_url ollama-local` returns the proxy URL promptly instead of hanging.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Read `scripts/lib/runtime.sh` around `detect_container_runtime_from_docker` and compare to `src/lib/adapters/docker/runtime.ts` timeout constants; confirm the shell command is bounded.
  • Evidence: scripts/lib/runtime.sh:141-147 comments: missing/unhealthy Docker should map to unknown and fail safe to the auth proxy. scripts/lib/runtime.sh:145 runs `docker info --format '{{.OperatingSystem}} {{range .Labels}}{{.}} {{end}}' 2>/dev/null || true` without a timeout. src/lib/adapters/docker/runtime.ts:7-23 shows the TypeScript counterpart uses bounded `DOCKER_INFO_RUNTIME_PROBE_TIMEOUT_MS = 5000` probes before returning `unknown`. test/runtime-shell.test.ts includes absent-Docker fallback coverage but no hanging-Docker regression.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@cjagwani cjagwani left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HOLD on exact head 3bf8cf8 for two concrete blockers:

  1. The new get_local_provider_base_url and check_local_provider_health behavior has no production caller. At this head, repository search finds only the definitions and tests; smoke-macos-install.sh sources runtime.sh but never invokes either function. Managed onboarding routes Ollama through src/lib/inference/local.ts, which this PR does not change. Please identify and wire the live consumer with acceptance coverage, or narrow/rework the PR so its claimed behavior matches what actually ships.

  2. detect_container_runtime_from_docker runs docker info without a bound. An unhealthy daemon can therefore hang this provider-URL path instead of falling back to the token proxy as the comment promises. Please add a portable bounded probe and a hanging-fake-docker regression.

The fail-safe port selection, DCO, verified commit, and static security posture otherwise look sound. Once a live path exists, please provide exact-head acceptance evidence for that path.

@apurvvkumaria

Copy link
Copy Markdown
Collaborator Author

Closing after exact-head review found that this patch changes only uncoupled shell helpers: repository search shows no production caller for get_local_provider_base_url or check_local_provider_health. Managed onboarding already selects the Ollama sandbox port in src/lib/inference/local.ts through detectContainerRuntimeFromDockerInfo(), whose Docker probe is bounded in src/lib/adapters/docker/runtime.ts. Wiring the dead shell helper would duplicate that live path, while #3136's manually created host.docker.internal provider remains an OpenShell networking limitation. Chengjie Wang's original work and co-author credit remain preserved here; no functional fix should be merged from an unused path.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: local-models Local model providers, downloads, launch, or connectivity area: routing Request routing, policy routing, model selection, or fallback logic area: sandbox OpenShell sandbox lifecycle, runtime, config, or recovery bug-fix PR fixes a bug or regression provider: ollama Ollama local model provider behavior v0.0.79 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants