Skip to content

perf(onboard): reuse provider validation connections#6661

Merged
cv merged 15 commits into
mainfrom
3771-perf-onboard-reduce-repeated-dns-and-tls-overhead-in-provider-validation-probes-squashed
Jul 11, 2026
Merged

perf(onboard): reuse provider validation connections#6661
cv merged 15 commits into
mainfrom
3771-perf-onboard-reduce-repeated-dns-and-tls-overhead-in-provider-validation-probes-squashed

Conversation

@amata-human

@amata-human amata-human commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Reuse DNS resolution and HTTP(S) connections across related OpenAI-compatible provider-validation probes during onboarding. Eligible direct endpoints use a sequence-scoped Node keepalive transport, while unsupported, unsafe, or failed optimized paths retain the existing curl behavior.

Related Issue

Fixes #3771

Changes

  • Add a sequence-scoped Node HTTP(S) validation transport with DNS pre-resolution, keepalive connection reuse, bounded response buffering, and deterministic cleanup.
  • Reuse connections across Responses API, streaming validation, Chat Completions fallback, and transient HTTP retries.
  • Preserve hostname-based TLS verification and support multiple resolved address families.
  • Fall back to curl for proxies, curl-specific TLS configuration, local or sandbox endpoints, IP literals, DNS failures, connection failures, and specialized DeepSeek streaming validation.
  • Preserve existing timeout budgets, provider ordering, recovery prompts, authentication modes, and curl failure diagnostics.
  • Add trace events for transport selection, DNS resolution, socket creation/reuse, cleanup, and fallback reasons without recording credentials.
  • Convert affected onboarding validation and smoke-check boundaries to support asynchronous probes.
  • Add tests covering connection reuse, reconnects, DNS failure, proxy and TLS exclusions, origin confinement, authentication modes, streaming fallback, connection resets, and resource cleanup.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: This changes internal provider-validation transport behavior without changing commands, configuration, or documented user workflows.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Manual sensitive-path review confirmed that credentials remain request-scoped and absent from traces, sessions are confined to one origin, TLS hostname verification remains enabled, response sizes and timeouts are bounded, and uncertain paths fall back to the existing curl implementation.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — 169 tests passed across the focused CLI, integration, and package-contract suites, including provider selection, WSL2 timeout behavior, smoke verification, fallback semantics, and connection lifecycle coverage.
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result: Not run; npm run typecheck:cli and npm run build:cli passed.
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Additional verification:

  • npm run source-shape:check — passed with zero source-shape cases.
  • npm run source-shape:scan — reported zero cases, assertions, and files.
  • npm run test-size:check — passed across 1,311 test files.
  • git diff --check — passed.
  • No new .js, .cjs, or .mjs files were added.
  • Top-level src/lib/onboard.ts is unchanged.
  • Controlled three-request benchmark with 20 ms injected DNS latency:
    • Keepalive session: 21.5 ms median, 22.6 ms p95.
    • Fresh session per request: 62.5 ms median, 65.0 ms p95.

Parent Issue Evidence

Parent issue #2001 is closed and locked, so implementation notes cannot be added there directly. This PR addresses its provider-validation connection-reuse work through a sequence-scoped Node HTTP(S) keepalive transport that reuses DNS resolution and connections across related probes while preserving the established curl fallback paths.

Trace evidence is available through validation_transport_selected, validation_dns_lookup, validation_socket_opened, validation_socket_reused, validation_transport_fallback, and validation_transport_closed. Credentials and response bodies are not recorded in these trace attributes.

A controlled three-request benchmark with 20 ms injected DNS latency measured 21.5 ms median and 22.6 ms p95 with connection reuse, compared with 62.5 ms median and 65.0 ms p95 when creating a fresh session for each request.


Signed-off-by: Angel Mata amata@nvidia.com

Summary by CodeRabbit

  • New Features

    • Added an optimized OpenAI-compatible endpoint validation flow for Responses and Chat Completions, including model-specific probing for DeepSeek V4 Pro and Kimi K2.6.
    • Introduced an HTTP validation session with keep-alive behavior and stricter endpoint gating.
  • Improvements

    • Enforced safer request rules (origin checks, localhost/private blocking), per-request timeouts, and an 8MB response size limit.
    • Enhanced streaming validation plus curl-style retry/fallback behavior.
    • Made onboarding “smoke” verification properly async and improved execution ordering; improved sanitization/parsing for extra OpenAI-like headers.
  • Tests

    • Expanded coverage for keep-alive, DNS/proxy rules, authentication/header behavior, streaming/fallback logic, and async smoke verification.

Signed-off-by: Angel Mata <amata@nvidia.com>
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds a reusable DNS-aware keep-alive HTTP validation session, native OpenAI-like probing with legacy fallback, model-specific payload helpers, sanitized extra headers, and asynchronous onboarding integration with expanded tests.

Changes

Provider validation transport

Layer / File(s) Summary
Validation session transport and coverage
src/lib/adapters/http/validation-session.ts, src/lib/adapters/http/validation-session.test.ts, src/lib/adapters/http/auth-config.ts, src/lib/adapters/http/auth-config.test.ts
Adds endpoint eligibility checks, DNS and proxy handling, pinned addresses, keep-alive requests, timeout and response-size limits, origin validation, cleanup, normalized header parsing, and transport tests.

OpenAI-like probing

Layer / File(s) Summary
Probe payloads and optimized wrapper
src/lib/inference/openai-probe-models.ts, src/lib/inference/onboard-probes.ts
Extracts model-specific payload helpers and adds an optimized probe wrapper with async smoke verification.
Native validation flow and fallback tests
src/lib/inference/openai-validation-session.ts, src/lib/inference/openai-validation-session.test.ts, src/lib/inference/openai-validation-session-fallback.test.ts, src/lib/inference/openai-validation-session-auth.test.ts, src/lib/inference/openai-validation-session.test-helpers.ts
Adds Responses and Chat Completions validation through reusable sessions, streaming and tool-call checks, retries, authentication modes, and legacy fallback behavior.

Asynchronous onboarding integration

Layer / File(s) Summary
Async contracts and call sites
src/lib/onboard/..., test/helpers/onboard-smoke-verifier-harness.ts, test/onboard-smoke-verifier.test.ts, test/onboard-openrouter-inference.test.ts
Widens probe and smoke-verification types, selects optimized probes, awaits validation calls, and updates smoke harness and runtime tests.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Onboarding
  participant OptimizedProbe
  participant ValidationSession
  participant OpenAIEndpoint
  participant LegacyProbe
  Onboarding->>OptimizedProbe: validate endpoint
  OptimizedProbe->>ValidationSession: create native session
  ValidationSession->>OpenAIEndpoint: send Responses or Chat request
  OpenAIEndpoint-->>ValidationSession: return response
  OptimizedProbe->>LegacyProbe: replay on native failure
  OptimizedProbe-->>Onboarding: return validation result
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: reusing validation connections to reduce onboarding overhead.
Linked Issues check ✅ Passed The PR adds conservative DNS/connection reuse, preserves curl fallbacks, and adds tests for optimized and fallback paths.
Out of Scope Changes check ✅ Passed The changes stay focused on provider-validation optimization and async onboarding plumbing, with no clear unrelated additions.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch 3771-perf-onboard-reduce-repeated-dns-and-tls-overhead-in-provider-validation-probes-squashed

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: inference-routing, network-policy, onboard-repair, onboard-resume, cloud-onboard, bedrock-runtime-compatible-anthropic
Optional E2E: cloud-inference, model-router-provider-routed-inference

Dispatch hint: inference-routing,network-policy,onboard-repair,onboard-resume,cloud-onboard,bedrock-runtime-compatible-anthropic

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • inference-routing: Required by the deterministic risk plan for inference-policy changes. It validates that the selected provider is reachable through the route advertised to the assistant and that route changes work at the real host/sandbox boundary.
  • network-policy: Required by the deterministic risk plan for inference-policy changes. The native validation session and SSRF/private-address fallback logic must still match real network policy allow/deny behavior from the sandbox.
  • onboard-repair: Required by the deterministic risk plan for lifecycle-state changes. Onboarding repair must recover route and provider state after changed setup-inference and provider runtime behavior.
  • onboard-resume: Required by the deterministic risk plan for lifecycle-state changes. Resume must converge after interrupted onboarding with the modified inference setup, smoke validation, and provider route handling.
  • cloud-onboard: The changed onboarding inference setup and OpenAI-compatible smoke validation can affect full hosted onboarding. This job exercises the real non-interactive hosted onboarding flow, credentialed provider verification, route persistence, and assistant startup path.
  • bedrock-runtime-compatible-anthropic: The Bedrock Runtime onboarding helper changed route persistence ordering around async smoke validation. This existing E2E validates the fake Bedrock endpoint, compatible Anthropic adapter route, OpenShell route propagation, agent runtime probes, and credential leak boundary.

Optional E2E

  • cloud-inference: Useful adjacent confidence for hosted inference provider behavior because this PR changes OpenAI-compatible validation transport and probe payloads, but cloud-onboard plus inference-routing are the merge-blocking floor.
  • model-router-provider-routed-inference: Adjacent confidence for provider-routed inference because validation, provider selection, and advertised route semantics changed, but the deterministic required set already covers the core route and policy boundaries.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/e2e.yaml
  • jobs input: inference-routing,network-policy,onboard-repair,onboard-resume,cloud-onboard,bedrock-runtime-compatible-anthropic

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

E2E Target Recommendation

Required E2E targets: inference-routing, network-policy, onboard-repair, onboard-resume
Optional E2E targets: None

Dispatch required E2E targets:

  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=inference-routing
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=network-policy
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-repair
  • gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-resume

Workflow run

Full E2E target advisor summary

E2E Target Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E targets

  • inference-routing: Inference selection, reachability, and network policy must agree at the real host-to-sandbox boundary.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=inference-routing
  • network-policy: Inference selection, reachability, and network policy must agree at the real host-to-sandbox boundary.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=network-policy
  • onboard-repair: Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-repair
  • onboard-resume: Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime.
    • Dispatch: gh workflow run e2e.yaml --ref <pr-head-ref> --field jobs=onboard-resume

Optional E2E targets

  • None.

Relevant changed files

  • src/lib/adapters/http/auth-config.ts
  • src/lib/adapters/http/validation-session.ts
  • src/lib/inference/onboard-probes.ts
  • src/lib/inference/openai-probe-models.ts
  • src/lib/inference/openai-validation-session.ts
  • src/lib/onboard/bedrock-runtime.ts
  • src/lib/onboard/inference-providers/hermes.ts
  • src/lib/onboard/inference-providers/remote.ts
  • src/lib/onboard/inference-providers/types.ts
  • src/lib/onboard/inference-selection-validation.ts
  • src/lib/onboard/openrouter-runtime.ts
  • src/lib/onboard/setup-inference.ts
  • src/lib/inference/openai-validation-session.test-helpers.ts

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 0 suggestions · 5 test follow-ups
Since last review: 1 prior item resolved · 0 still apply · 0 new items found

Action checklist

  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: Runtime validation
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `inference-routing` E2E job for Inference selection, reachability, and network policy must agree at the real host-to-sandbox boundary. Matched files: `src/lib/inference/onboard-probes.ts`, `src/lib/inference/openai-probe-models.ts`, `src/lib/inference/openai-validation-session.test-helpers.ts`, `src/lib/inference/openai-validation-session.ts`, `src/lib/onboard/inference-providers/hermes.ts`.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Checked-in unit and integration coverage exercises the changed positive, negative, retry, fallback, SSRF, credential, and async state-transition paths. Tier 2 `lifecycle-state` and `inference-policy` invariants still cross the real OpenShell gateway, host-to-sandbox route, and network-policy boundary, so runtime validation remains recommended as the deterministic validation floor.
  • PRA-T2 Runtime validation — Run or otherwise account for the `inference-routing` E2E job to validate that selected providers remain reachable through the route advertised to the agent after native keepalive validation changes.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Checked-in unit and integration coverage exercises the changed positive, negative, retry, fallback, SSRF, credential, and async state-transition paths. Tier 2 `lifecycle-state` and `inference-policy` invariants still cross the real OpenShell gateway, host-to-sandbox route, and network-policy boundary, so runtime validation remains recommended as the deterministic validation floor.
  • PRA-T3 Runtime validation — Run the `network-policy` E2E job for Inference selection, reachability, and network policy must agree at the real host-to-sandbox boundary. Matched files: `src/lib/inference/onboard-probes.ts`, `src/lib/inference/openai-probe-models.ts`, `src/lib/inference/openai-validation-session.test-helpers.ts`, `src/lib/inference/openai-validation-session.ts`, `src/lib/onboard/inference-providers/hermes.ts`.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Checked-in unit and integration coverage exercises the changed positive, negative, retry, fallback, SSRF, credential, and async state-transition paths. Tier 2 `lifecycle-state` and `inference-policy` invariants still cross the real OpenShell gateway, host-to-sandbox route, and network-policy boundary, so runtime validation remains recommended as the deterministic validation floor.
  • PRA-T4 Runtime validation — Run or otherwise account for the `network-policy` E2E job to validate that intended provider routes are permitted and unintended egress remains denied at the real host-to-sandbox boundary.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Checked-in unit and integration coverage exercises the changed positive, negative, retry, fallback, SSRF, credential, and async state-transition paths. Tier 2 `lifecycle-state` and `inference-policy` invariants still cross the real OpenShell gateway, host-to-sandbox route, and network-policy boundary, so runtime validation remains recommended as the deterministic validation floor.
  • PRA-T5 Runtime validation — Run the `onboard-repair` E2E job for Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime. Matched files: `src/lib/onboard/bedrock-runtime.ts`, `src/lib/onboard/inference-providers/hermes.ts`, `src/lib/onboard/inference-providers/remote.ts`, `src/lib/onboard/inference-providers/types.ts`, `src/lib/onboard/inference-selection-validation.ts`.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Checked-in unit and integration coverage exercises the changed positive, negative, retry, fallback, SSRF, credential, and async state-transition paths. Tier 2 `lifecycle-state` and `inference-policy` invariants still cross the real OpenShell gateway, host-to-sandbox route, and network-policy boundary, so runtime validation remains recommended as the deterministic validation floor.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/lib/inference/openai-validation-session.ts (1)

171-199: 🚀 Performance & Scalability | 🔵 Trivial

Worst-case validation latency compounds: native retries then legacy retries.

When a provider returns persistent retriable statuses (429/502/503/504), the native path exhausts RETRY_DELAYS_MS (up to ~50s per probe) and then routes to deps.legacyProbe, which runs its own probe sequence with a second independent retry/backoff. For a genuinely-degraded endpoint this can noticeably extend the onboarding hang versus the previous single-transport behavior. Please confirm this is acceptable given issue #3771 explicitly excludes timeout-policy changes, or consider suppressing the legacy retry when the native path already exhausted the same backoff schedule.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/inference/openai-validation-session.ts` around lines 171 - 199,
Review the fallback flow from requestWithHttpRetry and the native validation
path into deps.legacyProbe: avoid running the legacy probe’s independent
retry/backoff after the native request has exhausted RETRY_DELAYS_MS for
retriable HTTP statuses, while preserving existing timeout policy. Track or
propagate the native retry-exhaustion state and suppress only the redundant
legacy retry sequence; retain legacy fallback behavior for non-retriable
failures and update relevant tests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/lib/inference/openai-validation-session.ts`:
- Around line 171-199: Review the fallback flow from requestWithHttpRetry and
the native validation path into deps.legacyProbe: avoid running the legacy
probe’s independent retry/backoff after the native request has exhausted
RETRY_DELAYS_MS for retriable HTTP statuses, while preserving existing timeout
policy. Track or propagate the native retry-exhaustion state and suppress only
the redundant legacy retry sequence; retain legacy fallback behavior for
non-retriable failures and update relevant tests.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 945856e4-0c92-43b4-b931-2862b12c1c46

📥 Commits

Reviewing files that changed from the base of the PR and between fcc121d and 0d775a9.

📒 Files selected for processing (15)
  • src/lib/adapters/http/validation-session.test.ts
  • src/lib/adapters/http/validation-session.ts
  • src/lib/inference/onboard-probes.ts
  • src/lib/inference/openai-probe-models.ts
  • src/lib/inference/openai-validation-session.test.ts
  • src/lib/inference/openai-validation-session.ts
  • src/lib/onboard/bedrock-runtime.ts
  • src/lib/onboard/inference-providers/hermes.ts
  • src/lib/onboard/inference-providers/remote.ts
  • src/lib/onboard/inference-providers/types.ts
  • src/lib/onboard/inference-selection-validation.test.ts
  • src/lib/onboard/inference-selection-validation.ts
  • src/lib/onboard/setup-inference.ts
  • test/helpers/onboard-smoke-verifier-harness.ts
  • test/onboard-smoke-verifier.test.ts

@github-code-quality

github-code-quality Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 78%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File e4d2e91 f6ee326 +/-
src/lib/inferen...board-probes.ts 86% 88% +2%
src/lib/adapters/http/probe.ts 89% 91% +2%
src/lib/trace.ts 89% 91% +2%
src/lib/private-networks.ts 88% 94% +6%
src/lib/messagi...onfig-parser.ts 62% 77% +15%
src/lib/onboard...rock-runtime.ts 76% 92% +16%
src/lib/inferen...tion-session.ts 0% 85% +85%
src/lib/inferen...test-helpers.ts 0% 87% +87%
src/lib/adapter...tion-session.ts 0% 95% +95%
src/lib/inferen...probe-models.ts 0% 100% +100%

Updated July 11, 2026 08:30 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor (Nemotron Ultra) — Changes requested

Merge posture: Do not merge yet
Primary next action: Resolve or justify PRA-1: Native validation session excludes DeepSeek V4 Pro from transport optimization.
Open items: 0 required · 2 warnings · 1 suggestion · 6 test follow-ups
Since last review: 0 prior items resolved · 0 still apply · 3 new items found

Action checklist

  • PRA-1 Resolve or justify: Native validation session excludes DeepSeek V4 Pro from transport optimization in src/lib/inference/openai-validation-session.ts:218
  • PRA-3 Resolve or justify: Remote provider setup switches to async optimized probe without updating all call sites' error handling in src/lib/onboard/inference-providers/remote.ts:3
  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Runtime validation
  • PRA-T5 Add or justify test follow-up: openai-validation-session.ts: DeepSeek V4 Pro → legacy curl fallback
  • PRA-T6 Add or justify test follow-up: types.ts: probeOpenAiLikeEndpoint dual sync/async signature
  • PRA-2 In-scope improvement: @ts-nocheck on onboard-probes.ts remains despite new typed modules in src/lib/inference/onboard-probes.ts:1

Findings index

ID Severity Category Location Required action
PRA-1 Resolve/justify architecture src/lib/inference/openai-validation-session.ts:218 Either extend the native validation session to match DeepSeek V4 Pro's streaming timeout-continuation behavior (shared helper with curl path) or document the exclusion as a known limitation with a follow-up issue. If the latter, add a test asserting the fallback reason is logged for this model.
PRA-2 Improvement architecture src/lib/inference/onboard-probes.ts:1 File a follow-up issue to migrate credentials/store, platform, and trace to typed ESM so @ts-nocheck can be removed. In this PR, consider whether the new probeOpenAiLikeEndpointOptimized export could be moved to a typed module to shrink the @ts-nocheck boundary.
PRA-3 Resolve/justify scope src/lib/onboard/inference-providers/remote.ts:3 Change the type signature in types.ts to require Promise return only (since the optimized probe is async). Update any remaining sync call sites (if any) to be async. This eliminates the ambiguous dual signature.
Review findings by urgency: 0 required fixes, 2 items to resolve/justify, 1 in-scope improvement

⚠️ Resolve or justify before merge

Investigate these in the current review; either fix them, explain why they are not applicable, or document the accepted risk.

PRA-1 Resolve/justify — Native validation session excludes DeepSeek V4 Pro from transport optimization

  • Location: src/lib/inference/openai-validation-session.ts:218
  • Category: architecture
  • Problem: The new Node.js keepalive validation transport (validation-session.ts) explicitly opts out of handling DeepSeek V4 Pro via shouldUseLegacyForModel() at line 218, falling back to the legacy curl probe. The comment states the native session "does not reproduce DeepSeek V4 Pro's accepted late-first-token timeout result" and "trying native first would add a long duplicate request before curl fallback." This means the connection reuse, DNS pinning, and proxy-aware fallback benefits do not apply to this supported model.
  • Impact: DeepSeek V4 Pro onboarding misses the performance and reliability improvements (connection reuse, single DNS lookup, native retry semantics) that the new transport provides for other models. The fallback path also duplicates the initial probe attempt before curl retry.
  • Recommended action: Either extend the native validation session to match DeepSeek V4 Pro's streaming timeout-continuation behavior (shared helper with curl path) or document the exclusion as a known limitation with a follow-up issue. If the latter, add a test asserting the fallback reason is logged for this model.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search for shouldUseLegacyForModel in openai-validation-session.ts and confirm the DeepSeek V4 Pro model string matches onboard-probes.ts isDeepSeekV4ProModel().
  • Missing regression test: Add a test in openai-validation-session-fallback.test.ts that probes DeepSeek V4 Pro and asserts the fallback reason 'special_streaming_model' is traced and legacyProbe is called exactly once.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search for shouldUseLegacyForModel in openai-validation-session.ts and confirm the DeepSeek V4 Pro model string matches onboard-probes.ts isDeepSeekV4ProModel().
  • Evidence: src/lib/inference/openai-validation-session.ts:218-235 (shouldUseLegacyForModel function) src/lib/inference/openai-validation-session.ts:248-252 (fallback dispatch) src/lib/inference/onboard-probes.ts:223-225 (isDeepSeekV4ProModel definition)

PRA-3 Resolve/justify — Remote provider setup switches to async optimized probe without updating all call sites' error handling

  • Location: src/lib/onboard/inference-providers/remote.ts:3
  • Category: scope
  • Problem: remote.ts changes the probe import from synchronous probeOpenAiLikeEndpoint to async probeOpenAiLikeEndpointOptimized (line 3-8) and updates the call site at line 179 to await the result. However, the type signature in types.ts (line 185-188) allows both sync and async return: `() => { ok: boolean; message?: string } | Promise<{ ok: boolean; message?: string }>`. This dual signature permits callers to forget await, silently treating the Promise as a truthy object.
  • Impact: If a test or future caller invokes probeOpenAiLikeEndpoint without await, the Promise object will be truthy and .ok will be undefined, potentially causing silent validation bypass or confusing errors. The dual signature defeats TypeScript's ability to catch missing await.
  • Recommended action: Change the type signature in types.ts to require Promise return only (since the optimized probe is async). Update any remaining sync call sites (if any) to be async. This eliminates the ambiguous dual signature.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check types.ts line 185-188 for the probeOpenAiLikeEndpoint type signature and verify all call sites in remote.ts and inference-selection-validation.ts use await.
  • Missing regression test: Add a TypeScript compile-check test or tsc --noEmit in CI that fails if probeOpenAiLikeEndpoint is called without await in an async context.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check types.ts line 185-188 for the probeOpenAiLikeEndpoint type signature and verify all call sites in remote.ts and inference-selection-validation.ts use await.
  • Evidence: src/lib/onboard/inference-providers/remote.ts:3-8 (import change) src/lib/onboard/inference-providers/remote.ts:179 (await call) src/lib/onboard/inference-providers/types.ts:185-188 (dual sync/async signature)

💡 In-scope improvements

These are lower-risk, not throwaway. Prefer fixing them in this PR when they are local to changed code; defer only with rationale or a linked follow-up.

PRA-2 Improvement — @ts-nocheck on onboard-probes.ts remains despite new typed modules

  • Location: src/lib/inference/onboard-probes.ts:1
  • Category: architecture
  • Problem: The PR adds new fully-typed modules (validation-session.ts, openai-validation-session.ts, openai-probe-models.ts) but onboard-probes.ts retains @ts-nocheck with a comment stating removal is blocked on typed ESM exports for credentials/store, platform, and trace. The PR modifies onboard-probes.ts (+7 lines) but does not reduce the @ts-nocheck surface.
  • Impact: Type safety gaps persist in the probe orchestration layer that bridges typed and untyped code. New validation session logic is typed but the entry point (probeOpenAiLikeEndpointOptimized) calls into untyped onboard-probes helpers.
  • Suggested action: File a follow-up issue to migrate credentials/store, platform, and trace to typed ESM so @ts-nocheck can be removed. In this PR, consider whether the new probeOpenAiLikeEndpointOptimized export could be moved to a typed module to shrink the @ts-nocheck boundary.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check line 1 of onboard-probes.ts for @ts-nocheck and the comment explaining the blocking dependencies.
  • Missing regression test: No test needed; this is a technical debt tracking item. A follow-up issue should be linked from the @ts-nocheck comment.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: src/lib/inference/onboard-probes.ts:1-18 (@ts-nocheck directive and rationale comment) src/lib/inference/openai-validation-session.ts (fully typed new module) src/lib/adapters/http/validation-session.ts (fully typed new module)
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Run the `inference-routing` E2E job for Inference selection, reachability, and network policy must agree at the real host-to-sandbox boundary. Matched files: `src/lib/inference/onboard-probes.ts`, `src/lib/inference/openai-probe-models.ts`, `src/lib/inference/openai-validation-session.test-helpers.ts`, `src/lib/inference/openai-validation-session.ts`, `src/lib/onboard/inference-providers/hermes.ts`.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Deterministic regression risks require live validation: lifecycle-state (onboard-repair, onboard-resume) and inference-policy (inference-routing, network-policy) invariants involving cross-boundary state agreement at real host-to-sandbox boundary. Unit/mocked tests cover 4 of 6 riskPlan invariants; 2 require E2E jobs.
  • PRA-T2 Runtime validation — Run the `network-policy` E2E job for Inference selection, reachability, and network policy must agree at the real host-to-sandbox boundary. Matched files: `src/lib/inference/onboard-probes.ts`, `src/lib/inference/openai-probe-models.ts`, `src/lib/inference/openai-validation-session.test-helpers.ts`, `src/lib/inference/openai-validation-session.ts`, `src/lib/onboard/inference-providers/hermes.ts`.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Deterministic regression risks require live validation: lifecycle-state (onboard-repair, onboard-resume) and inference-policy (inference-routing, network-policy) invariants involving cross-boundary state agreement at real host-to-sandbox boundary. Unit/mocked tests cover 4 of 6 riskPlan invariants; 2 require E2E jobs.
  • PRA-T3 Runtime validation — Run the `onboard-repair` E2E job for Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime. Matched files: `src/lib/onboard/bedrock-runtime.ts`, `src/lib/onboard/inference-providers/hermes.ts`, `src/lib/onboard/inference-providers/remote.ts`, `src/lib/onboard/inference-providers/types.ts`, `src/lib/onboard/inference-selection-validation.ts`.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Deterministic regression risks require live validation: lifecycle-state (onboard-repair, onboard-resume) and inference-policy (inference-routing, network-policy) invariants involving cross-boundary state agreement at real host-to-sandbox boundary. Unit/mocked tests cover 4 of 6 riskPlan invariants; 2 require E2E jobs.
  • PRA-T4 Runtime validation — Run the `onboard-resume` E2E job for Onboarding and sandbox state must converge across persisted metadata, reported status, and the live runtime. Matched files: `src/lib/onboard/bedrock-runtime.ts`, `src/lib/onboard/inference-providers/hermes.ts`, `src/lib/onboard/inference-providers/remote.ts`, `src/lib/onboard/inference-providers/types.ts`, `src/lib/onboard/inference-selection-validation.ts`.. Deterministic regression risks require live validation: lifecycle-state, inference-policy. Deterministic regression risks require live validation: lifecycle-state (onboard-repair, onboard-resume) and inference-policy (inference-routing, network-policy) invariants involving cross-boundary state agreement at real host-to-sandbox boundary. Unit/mocked tests cover 4 of 6 riskPlan invariants; 2 require E2E jobs.
  • PRA-T5 openai-validation-session.ts: DeepSeek V4 Pro → legacy curl fallback — openai-validation-session-fallback.test.ts: 'keeps DeepSeek V4 Pro on its specialized legacy streaming probe' — should also assert 'special_streaming_model' trace reason (missing, see F-001 missingRegressionTest). openai-validation-session.ts lines 218-235 (shouldUseLegacyForModel), 248-252 (fallback dispatch)
  • PRA-T6 types.ts: probeOpenAiLikeEndpoint dual sync/async signature — Add TypeScript compile-check test or tsc --noEmit in CI that fails if probeOpenAiLikeEndpoint called without await (see F-003 missingRegressionTest). types.ts lines 185-188 (dual signature), remote.ts line 3-8 (async import), line 179 (await call)
Since last review details

Current findings, using the urgency labels above:

PRA-1 Resolve/justify — Native validation session excludes DeepSeek V4 Pro from transport optimization

  • Location: src/lib/inference/openai-validation-session.ts:218
  • Category: architecture
  • Problem: The new Node.js keepalive validation transport (validation-session.ts) explicitly opts out of handling DeepSeek V4 Pro via shouldUseLegacyForModel() at line 218, falling back to the legacy curl probe. The comment states the native session "does not reproduce DeepSeek V4 Pro's accepted late-first-token timeout result" and "trying native first would add a long duplicate request before curl fallback." This means the connection reuse, DNS pinning, and proxy-aware fallback benefits do not apply to this supported model.
  • Impact: DeepSeek V4 Pro onboarding misses the performance and reliability improvements (connection reuse, single DNS lookup, native retry semantics) that the new transport provides for other models. The fallback path also duplicates the initial probe attempt before curl retry.
  • Recommended action: Either extend the native validation session to match DeepSeek V4 Pro's streaming timeout-continuation behavior (shared helper with curl path) or document the exclusion as a known limitation with a follow-up issue. If the latter, add a test asserting the fallback reason is logged for this model.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Search for shouldUseLegacyForModel in openai-validation-session.ts and confirm the DeepSeek V4 Pro model string matches onboard-probes.ts isDeepSeekV4ProModel().
  • Missing regression test: Add a test in openai-validation-session-fallback.test.ts that probes DeepSeek V4 Pro and asserts the fallback reason 'special_streaming_model' is traced and legacyProbe is called exactly once.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Search for shouldUseLegacyForModel in openai-validation-session.ts and confirm the DeepSeek V4 Pro model string matches onboard-probes.ts isDeepSeekV4ProModel().
  • Evidence: src/lib/inference/openai-validation-session.ts:218-235 (shouldUseLegacyForModel function) src/lib/inference/openai-validation-session.ts:248-252 (fallback dispatch) src/lib/inference/onboard-probes.ts:223-225 (isDeepSeekV4ProModel definition)

PRA-2 Improvement — @ts-nocheck on onboard-probes.ts remains despite new typed modules

  • Location: src/lib/inference/onboard-probes.ts:1
  • Category: architecture
  • Problem: The PR adds new fully-typed modules (validation-session.ts, openai-validation-session.ts, openai-probe-models.ts) but onboard-probes.ts retains @ts-nocheck with a comment stating removal is blocked on typed ESM exports for credentials/store, platform, and trace. The PR modifies onboard-probes.ts (+7 lines) but does not reduce the @ts-nocheck surface.
  • Impact: Type safety gaps persist in the probe orchestration layer that bridges typed and untyped code. New validation session logic is typed but the entry point (probeOpenAiLikeEndpointOptimized) calls into untyped onboard-probes helpers.
  • Suggested action: File a follow-up issue to migrate credentials/store, platform, and trace to typed ESM so @ts-nocheck can be removed. In this PR, consider whether the new probeOpenAiLikeEndpointOptimized export could be moved to a typed module to shrink the @ts-nocheck boundary.
  • Expected follow-up: Prefer a current-PR fix when local to changed code; defer only with rationale or linked follow-up.
  • Verification: Check line 1 of onboard-probes.ts for @ts-nocheck and the comment explaining the blocking dependencies.
  • Missing regression test: No test needed; this is a technical debt tracking item. A follow-up issue should be linked from the @ts-nocheck comment.
  • Done when: The local improvement is applied, or the PR notes why it should be deferred.
  • Evidence: src/lib/inference/onboard-probes.ts:1-18 (@ts-nocheck directive and rationale comment) src/lib/inference/openai-validation-session.ts (fully typed new module) src/lib/adapters/http/validation-session.ts (fully typed new module)

PRA-3 Resolve/justify — Remote provider setup switches to async optimized probe without updating all call sites' error handling

  • Location: src/lib/onboard/inference-providers/remote.ts:3
  • Category: scope
  • Problem: remote.ts changes the probe import from synchronous probeOpenAiLikeEndpoint to async probeOpenAiLikeEndpointOptimized (line 3-8) and updates the call site at line 179 to await the result. However, the type signature in types.ts (line 185-188) allows both sync and async return: `() => { ok: boolean; message?: string } | Promise<{ ok: boolean; message?: string }>`. This dual signature permits callers to forget await, silently treating the Promise as a truthy object.
  • Impact: If a test or future caller invokes probeOpenAiLikeEndpoint without await, the Promise object will be truthy and .ok will be undefined, potentially causing silent validation bypass or confusing errors. The dual signature defeats TypeScript's ability to catch missing await.
  • Recommended action: Change the type signature in types.ts to require Promise return only (since the optimized probe is async). Update any remaining sync call sites (if any) to be async. This eliminates the ambiguous dual signature.
  • Expected follow-up: Resolve in this PR or explain why the risk is acceptable.
  • Verification: Check types.ts line 185-188 for the probeOpenAiLikeEndpoint type signature and verify all call sites in remote.ts and inference-selection-validation.ts use await.
  • Missing regression test: Add a TypeScript compile-check test or tsc --noEmit in CI that fails if probeOpenAiLikeEndpoint is called without await in an async context.
  • Done when: The risk is fixed or explicitly justified in the PR. Verification: Check types.ts line 185-188 for the probeOpenAiLikeEndpoint type signature and verify all call sites in remote.ts and inference-selection-validation.ts use await.
  • Evidence: src/lib/onboard/inference-providers/remote.ts:3-8 (import change) src/lib/onboard/inference-providers/remote.ts:179 (await call) src/lib/onboard/inference-providers/types.ts:185-188 (dual sync/async signature)

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

Signed-off-by: Angel Mata <amata@nvidia.com>
Signed-off-by: Angel Mata <amata@nvidia.com>
Signed-off-by: Angel Mata <amata@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/adapters/http/auth-config.ts`:
- Around line 141-151: Update parseOpenAiLikeExtraHeaders to trim the extracted
header name before validation, reject empty names, and enforce valid HTTP token
syntax; only return the parsed header after this validation so inputs such as "
: value" cannot produce an empty header name.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0914e886-7ccd-4881-808f-ab5daee77889

📥 Commits

Reviewing files that changed from the base of the PR and between 49c45bc and 2fceb75.

📒 Files selected for processing (3)
  • src/lib/adapters/http/auth-config.ts
  • src/lib/inference/openai-validation-session.test.ts
  • src/lib/inference/openai-validation-session.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/inference/openai-validation-session.ts

Comment thread src/lib/adapters/http/auth-config.ts
Signed-off-by: Angel Mata <amata@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/adapters/http/auth-config.test.ts`:
- Around line 110-113: Expand the fixture in the test named “accepts every HTTP
token character in an OpenAI-like provider header name” to include all digits
(0–9), uppercase letters (A–Z), and lowercase letters (a–z), while retaining the
punctuation characters already covered. Keep the assertion through the public
parseOpenAiLikeExtraHeaders boundary and update the expected header name
accordingly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1e7fa82d-9a1f-4c3a-8f18-d576ecd2e243

📥 Commits

Reviewing files that changed from the base of the PR and between 2fceb75 and 846609e.

📒 Files selected for processing (2)
  • src/lib/adapters/http/auth-config.test.ts
  • src/lib/adapters/http/auth-config.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/adapters/http/auth-config.ts

Comment thread src/lib/adapters/http/auth-config.test.ts
@cv cv added the v0.0.81 Release target label Jul 11, 2026
cv added 2 commits July 10, 2026 21:46
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/inference/openai-validation-session.test-helpers.ts`:
- Around line 24-30: Update the server-start helper’s Promise in the returned
function to reject on `server` errors by registering an error listener before
calling `listen`; resolve only after successful startup, then remove the
listener once resolved or rejected. Preserve the existing address validation and
port return logic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8d8c82a1-08c0-48c1-8eea-c9beaee5f93d

📥 Commits

Reviewing files that changed from the base of the PR and between 846609e and 4b6eeac.

📒 Files selected for processing (5)
  • src/lib/adapters/http/auth-config.test.ts
  • src/lib/inference/openai-validation-session-auth.test.ts
  • src/lib/inference/openai-validation-session-fallback.test.ts
  • src/lib/inference/openai-validation-session.test-helpers.ts
  • src/lib/inference/openai-validation-session.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/adapters/http/auth-config.test.ts

Comment thread src/lib/inference/openai-validation-session.test-helpers.ts
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Some jobs cancelled — partial pass

Run: 29140269143
Workflow ref: 3771-perf-onboard-reduce-repeated-dns-and-tls-overhead-in-provider-validation-probes-squashed
Requested targets: inference-routing,network-policy,onboard-repair,onboard-resume,cloud-onboard
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 4 cancelled, 0 skipped

Job Result
cloud-onboard ⚠️ cancelled
inference-routing ✅ success
network-policy ⚠️ cancelled
onboard-repair ⚠️ cancelled
onboard-resume ⚠️ cancelled

cv added 2 commits July 10, 2026 21:58
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv

cv commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Some jobs cancelled — partial pass

Run: 29140391418
Workflow ref: 3771-perf-onboard-reduce-repeated-dns-and-tls-overhead-in-provider-validation-probes-squashed
Requested targets: inference-routing,network-policy,onboard-repair,onboard-resume,cloud-onboard,bedrock-runtime-compatible-anthropic
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 5 cancelled, 0 skipped

Job Result
bedrock-runtime-compatible-anthropic ⚠️ cancelled
cloud-onboard ⚠️ cancelled
inference-routing ✅ success
network-policy ⚠️ cancelled
onboard-repair ⚠️ cancelled
onboard-resume ⚠️ cancelled

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv

cv commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ⚠️ Some jobs cancelled — partial pass

Run: 29140496577
Workflow ref: 3771-perf-onboard-reduce-repeated-dns-and-tls-overhead-in-provider-validation-probes-squashed
Requested targets: inference-routing,network-policy,onboard-repair,onboard-resume,cloud-onboard,bedrock-runtime-compatible-anthropic
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 1 passed, 0 failed, 5 cancelled, 0 skipped

Job Result
bedrock-runtime-compatible-anthropic ⚠️ cancelled
cloud-onboard ⚠️ cancelled
inference-routing ✅ success
network-policy ⚠️ cancelled
onboard-repair ⚠️ cancelled
onboard-resume ⚠️ cancelled

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/inference/openai-validation-session-fallback.test.ts`:
- Around line 24-34: Remove the conditional from the mock server handler in the
test using the request-count-driven response mechanism expected by the
guardrail, such as a predefined sequence of status codes and bodies indexed by
request count. Preserve the 503, 429, and successful responses while keeping the
handler linear and without branching.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c93e1380-e94e-489c-828a-8dab8661eee1

📥 Commits

Reviewing files that changed from the base of the PR and between 846609e and bac39c9.

📒 Files selected for processing (6)
  • src/lib/adapters/http/auth-config.test.ts
  • src/lib/inference/onboard-probes.ts
  • src/lib/inference/openai-validation-session-auth.test.ts
  • src/lib/inference/openai-validation-session-fallback.test.ts
  • src/lib/inference/openai-validation-session.test-helpers.ts
  • src/lib/inference/openai-validation-session.test.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • src/lib/adapters/http/auth-config.test.ts
  • src/lib/inference/openai-validation-session.test-helpers.ts
  • src/lib/inference/openai-validation-session.test.ts
  • src/lib/inference/onboard-probes.ts

Comment thread src/lib/inference/openai-validation-session-fallback.test.ts
@cv

cv commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Maintainer acceptance for the linked #3771 metadata clause: #2001 is closed and locked, so I accept this PR's checked-in implementation, trace events, and exact-head test evidence as the required substitute for a direct #2001 update. The evidence includes validation_transport_selected, validation_dns_lookup, validation_socket_opened, validation_socket_reused, validation_transport_fallback, and validation_transport_closed events; focused connection-reuse/fallback/auth/model/retry coverage; and the required live inference, network, lifecycle, hosted-onboard, and Bedrock runs. No additional #2001 comment or repository documentation is required for this acceptance criterion.

The remaining provider-specific deferred/rejected smoke-test recommendation is non-blocking: those providers use the same awaited VerifyOnboardInferenceSmoke contract and the exact-head live Bedrock variants plus onboard repair/resume validate the changed async boundary. A provider-local unit expansion can be considered separately if a concrete branch-specific regression appears.

@github-actions

Copy link
Copy Markdown
Contributor

E2E Target Results — ✅ All selected jobs passed

Run: 29140576783
Workflow ref: 3771-perf-onboard-reduce-repeated-dns-and-tls-overhead-in-provider-validation-probes-squashed
Requested targets: inference-routing,network-policy,onboard-repair,onboard-resume,cloud-onboard,bedrock-runtime-compatible-anthropic
Requested jobs: (default — all default-enabled free-standing jobs; explicit-only jobs openshell-gateway-auth-contract, mcp-bridge-dev, hermes-gpu-startup, sandbox-rlimits-connect, and jetson-nvmap-gpu are skipped unless selected)
Summary: 6 passed, 0 failed, 0 cancelled, 0 skipped

Job Result
bedrock-runtime-compatible-anthropic ✅ success
cloud-onboard ✅ success
inference-routing ✅ success
network-policy ✅ success
onboard-repair ✅ success
onboard-resume ✅ success

@cv

cv commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Maintainer exact-head adjudication for 5c80202c4ec3e771be5685f46c24a20fd0045621:

  • PRA-2 accepted/overridden: perf: investigate and reduce networking latency during onboard and validation #2001 is closed and locked. The PR body and prior maintainer acceptance preserve the implementation and trace evidence against perf(onboard): reduce repeated DNS and TLS overhead in provider validation probes #3771. Adding a user-facing docs page or a duplicate tracking issue solely to mirror an unavailable comment would not improve the product record.
  • PRA-1 accepted: the prior concern was a 418-line monolith. The suite is now decomposed by behavior into native-session, fallback/security-boundary, authentication, and shared-helper files. Aggregate line count across focused files is not the monolith threshold; these cases cover distinct retry, transport, auth, timeout, and fail-closed boundaries.
  • PRA-3 accepted: every production consumer either awaits the callback or returns its result from the wrapper. TypeScript does not enforce awaiting merely because the return type is narrowed to Promise<void>. The void | Promise<void> dependency type intentionally permits synchronous injected implementations while await safely normalizes both.
  • PRA-4/PRA-5 accepted: both legacy fallbacks are fail-closed compatibility/security boundaries with explicit removal predicates and dedicated regression tests. Creating speculative follow-up issues for future transport unification or native rebinding parity is outside this issue scope; the present behavior and removal conditions are recorded in code.
  • PRA-T1 through PRA-T4 satisfied: exact-head live run 29140576783 passed inference-routing, network-policy, onboard-repair, onboard-resume, cloud-onboard, and both selected Bedrock variants. Evidence is recorded in the E2E report.

These items are explicitly resolved by maintainer rationale at the exact head. Please evaluate this adjudication on rerun.

cv added 2 commits July 10, 2026 22:33
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv

cv commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Advisor remediation at exact head facb8da9121f1273eaf07c481828da8b5c57abd9:

  • Bedrock now has pending and rejected async smoke-ordering regressions: sandbox persistence and the success log cannot occur before smoke resolves, and never occur after rejection.
  • Hermes has the same pending/rejected lifecycle coverage.
  • The DeepSeek V4 Pro transport exception now uses the shared isDeepSeekV4ProModel predicate instead of duplicating its model string.
  • CURL_CA_BUNDLE, SSL_CERT_FILE, and SSL_CERT_DIR all have explicit curl-fallback coverage.
  • The locked-parent acceptance substitute is recorded on issue #3771, where the advisors can ingest it.

Verification: 88/88 focused CLI tests passed across Bedrock, Hermes, native validation, curl fallback, and probe models; strict CLI typecheck, Biome, conditional scan, normal pre-commit hooks, pre-push CLI typecheck, and package/tag sync passed. Both new commits are signed, signed off, and GitHub Verified.

The broader architecture migrations and speculative tracking issues suggested by Nemotron remain outside #3771 scope; existing exact-head live coverage will be refreshed for this new head.

@cv

cv commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Maintainer exact-head adjudication for facb8da9121f1273eaf07c481828da8b5c57abd9:

  • PRA-1: perf(onboard): reuse provider validation connections #6419 is the same contributor's unsigned/conflicting predecessor. The maintainer instruction there required a fresh branch and PR with GitHub-Verified history; perf(onboard): reuse provider validation connections #6661 is that compliant successor. This is process cleanup, not a second implementation that should block this head.
  • PRA-2 / PRA-T8: satisfied. The PR body records the requested trace events and benchmark evidence, and the #3771 maintainer comment explicitly accepts that repository-visible substitute because perf: investigate and reduce networking latency during onboard and validation #2001 is closed and locked.
  • PRA-3: no migration entry is warranted. This package exposes CLI binaries and no supported library export. The callback is internal, every production caller awaits it, and pending/rejection ordering is covered by the Bedrock, Hermes, and OpenRouter tests.
  • PRA-4 / PRA-5: the rebinding premise is incorrect for the native known-provider path. Known remote origins are hard-coded. createValidationSession performs one lookup, rejects private answers, and supplies only that resolved address set through the Node agent lookup while retaining the hostname URL for SNI and certificate verification. Custom endpoints separately retain preflight plus curl --resolve. Existing validation-session and custom-endpoint tests cover both ownership boundaries.
  • PRA-6 / PRA-T7: DeepSeek V4 Pro intentionally remains on the specialized legacy streaming probe because the native transport does not implement its accepted late-first-token timeout semantics. The fallback dispatch and legacy { ok: true, validated: false } result are both covered. Forcing native parity would implement a deferred feature rather than test this PR's behavior.
  • PRA-T1 through PRA-T5: exact-head run 29140576783 passed inference-routing, network-policy, onboard-repair, onboard-resume, cloud-onboard, and both selected Bedrock variants.

I also reviewed the transport boundary for credentials, origin confinement, DNS/address pinning, hostname-based TLS verification, response limits, cleanup, and fallback behavior. I found no code or security change warranted by the remaining advisor items. Rerunning the exact-head advisor so it can evaluate this rationale.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv

cv commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Maintainer follow-up pushed at exact head 1fbef38e971af850cee6707a2bd77e4306f07a11 for the latest GPT Advisor concern.

The reported write is not final success metadata: SetupInferenceDeps.updateSandbox is bound to reserveSandboxInferenceRoute, which explicitly stores pendingRouteReservation: true, is excluded from default sandbox eligibility, and must be written before smoke validation to preserve the #6315/#6338 one-route-per-gateway race and crash-consistency boundary. Moving it after smoke would reintroduce that defect.

The existing containment regression now proves the async form directly:

  • the first setup enters a controlled pending smoke Promise while holding the gateway lock;
  • exactly one pending reservation exists with the intended provider/model identity;
  • no success message is emitted while smoke is pending or after it rejects;
  • a second incompatible setup cannot mutate early and is rejected after the lock releases because the pending reservation survives;
  • no second route persistence occurs.

This is a test-only clarification; production behavior is unchanged from the previously live-validated head. Focused CLI tests passed 4/4, Biome, CLI typecheck, title checks, normal pre-commit/pre-push hooks, and independent review passed. The docs writer confirmed no user-facing change. GitHub reports the signed commit as Verified.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved on exact head f6ee326. All five required checks pass; DCO/signatures are verified; CodeRabbit threads are resolved. Exact trusted E2E run 29146238988 passed inference-routing, network-policy, onboard-repair, and onboard-resume. GPT is merge_as_is with zero findings. Nemotron warnings are adjudicated: DeepSeek V4 Pro intentionally keeps its established legacy compatibility path, production probe call sites await the sync/async union and no bypass exists, and @ts-nocheck is pre-existing debt. Page-limit/incomplete-signal checks are controller evidence-plumbing failures.

@cv
cv merged commit 3ce4b6e into main Jul 11, 2026
48 of 51 checks passed
@cv
cv deleted the 3771-perf-onboard-reduce-repeated-dns-and-tls-overhead-in-provider-validation-probes-squashed branch July 11, 2026 14:50
@cv cv mentioned this pull request Jul 12, 2026
21 tasks
cv added a commit that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Release-prep documentation for v0.0.81 now summarizes user-facing
changes merged since v0.0.80.
It also closes the Hermes dashboard-profile backup gap and distinguishes
direct blueprint-runner actions from public host CLI commands.

## Changes

- Add the `v0.0.81` section to `docs/about/release-notes.mdx` with links
to the detailed user guides.
- Document that Hermes rebuilds preserve `.hermes/dashboard-home/`,
including Dashboard `MEMORY.md` and `USER.md`.
- Update Hermes manual backup and restore examples to transfer those two
profile files without copying generated configuration or the
secret-bearing dashboard `.env`.
- Explain the new per-item backup failure causes.
- Clarify that migration snapshot retention fragments are direct-runner
arguments and are not exposed by the host `nemoclaw` CLI.

### Source summary

- #6445 -> `docs/about/release-notes.mdx`,
`docs/manage-sandboxes/backup-restore.mdx`, and
`docs/manage-sandboxes/workspace-files.mdx`: Summarize manifest-owned
key-level restore and current-config authority.
- #6617 -> `docs/about/release-notes.mdx` and
`docs/manage-sandboxes/backup-restore.mdx`: Record the fail-closed
`/proc` fallback used to verify an idle Deep Agents runtime before
snapshot creation.
- #6685 -> `docs/about/release-notes.mdx`,
`docs/manage-sandboxes/backup-restore.mdx`, and
`docs/manage-sandboxes/workspace-files.mdx`: Document Hermes Web
Dashboard profile persistence and safe manual transfer.
- #6649 -> `docs/about/release-notes.mdx`: Summarize host-validated
loopback compatible-endpoint routing through the sandbox gateway.
- #6643 -> `docs/about/release-notes.mdx`: Summarize automatic
`max_completion_tokens` handling for GPT-5 and o-series models.
- #6661 -> `docs/about/release-notes.mdx`: Summarize bounded connection
reuse for eligible provider-validation probes.
- #6704 -> `docs/about/release-notes.mdx`: Record that direct blueprint
apply stops instead of persisting incomplete state after provider or
inference setup fails.
- #6677 -> `docs/about/release-notes.mdx`: Summarize transactional
recovery for legacy Docker containers whose managed supervisor
disappeared after restart.
- #6625 -> `docs/about/release-notes.mdx`: Record Hermes managed-startup
persistence across direct Docker restarts.
- #6597 -> `docs/about/release-notes.mdx`: Record final-sandbox gateway
cleanup on macOS.
- #6680 -> `docs/about/release-notes.mdx`: Summarize managed Deep Agents
first-run and process-tree cleanup improvements.
- #6647 -> `docs/about/release-notes.mdx`: Record fail-closed validation
for the managed Deep Agents fetch CA bundle.
- #6645 -> `docs/about/release-notes.mdx`: Summarize WhatsApp loopback
pairing and trusted npm plugin provenance.
- #6673 -> `docs/about/release-notes.mdx` and
`docs/manage-sandboxes/backup-restore.mdx`: Document stopped-sandbox
backup remediation.
- #6631 -> `docs/about/release-notes.mdx` and
`docs/manage-sandboxes/backup-restore.mdx`: Document per-item backup
failure causes.
- #6620 -> `docs/about/release-notes.mdx`: Record the
created-but-not-ready sandbox lifecycle receipt.
- #6664 -> `docs/about/release-notes.mdx`: Record prompt-aware
onboarding progress output.
- #6598 -> `docs/about/release-notes.mdx`: Summarize stale replay-result
invalidation during resumed onboarding.
- #6593 -> `docs/about/release-notes.mdx`: Summarize contextual OpenClaw
audit findings for managed dashboard compatibility settings.
- #6650 -> `docs/about/release-notes.mdx`: Record redaction of
token-shaped URL query values.
- #6638 -> `docs/about/release-notes.mdx`: Record the exact-path MCP
`DELETE` policy recipe for session termination.
- #5453 -> `docs/reference/host-files-and-state.mdx`: Clarify that
snapshot retention actions belong to direct runner integrations and are
not standalone host CLI commands.

### Skipped from docs-skip

- #6633 matched the `openclaw-sandbox-permissive.yaml` path in
`docs/.docs-skip` and produced no documentation in this update.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates

- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: This is a documentation-only
release-prep update; behavior is protected by the merged source PRs, and
the documentation build validates the changed examples and routes.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — tests are not applicable for this
documentation-only change; `npm run docs` completed successfully.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not run for this
documentation-only change.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — 0
errors; two existing Fern warnings remain.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)
— no new pages.

---
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **Documentation**
- Added release notes for v0.0.81 covering state preservation, inference
setup, sandbox recovery, session setup, pairing, diagnostics, and
security policy updates.
- Expanded backup and restore guidance to include dashboard profile
files and clarify files that must not be copied.
- Added dashboard profile persistence details to workspace and rebuild
documentation.
- Clarified snapshot retention guidance and the distinction between host
CLI capabilities and direct runner actions.
  - Added more detailed backup failure reporting information.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Reuse DNS resolution and HTTP(S) connections across related
OpenAI-compatible provider-validation probes during onboarding. Eligible
direct endpoints use a sequence-scoped Node keepalive transport, while
unsupported, unsafe, or failed optimized paths retain the existing curl
behavior.

## Related Issue

Fixes NVIDIA#3771

## Changes

- Add a sequence-scoped Node HTTP(S) validation transport with DNS
pre-resolution, keepalive connection reuse, bounded response buffering,
and deterministic cleanup.
- Reuse connections across Responses API, streaming validation, Chat
Completions fallback, and transient HTTP retries.
- Preserve hostname-based TLS verification and support multiple resolved
address families.
- Fall back to curl for proxies, curl-specific TLS configuration, local
or sandbox endpoints, IP literals, DNS failures, connection failures,
and specialized DeepSeek streaming validation.
- Preserve existing timeout budgets, provider ordering, recovery
prompts, authentication modes, and curl failure diagnostics.
- Add trace events for transport selection, DNS resolution, socket
creation/reuse, cleanup, and fallback reasons without recording
credentials.
- Convert affected onboarding validation and smoke-check boundaries to
support asynchronous probes.
- Add tests covering connection reuse, reconnects, DNS failure, proxy
and TLS exclusions, origin confinement, authentication modes, streaming
fallback, connection resets, and resource cleanup.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates

- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: This changes internal
provider-validation transport behavior without changing commands,
configuration, or documented user workflows.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: Manual sensitive-path
review confirmed that credentials remain request-scoped and absent from
traces, sessions are confined to one origin, TLS hostname verification
remains enabled, response sizes and timeouts are bounded, and uncertain
paths fall back to the existing curl implementation.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [ ] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [ ] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — 169 tests passed across the focused
CLI, integration, and package-contract suites, including provider
selection, WSL2 timeout behavior, smoke verification, fallback
semantics, and connection lifecycle coverage.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: Not run; `npm run
typecheck:cli` and `npm run build:cli` passed.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Additional verification:

- `npm run source-shape:check` — passed with zero source-shape cases.
- `npm run source-shape:scan` — reported zero cases, assertions, and
files.
- `npm run test-size:check` — passed across 1,311 test files.
- `git diff --check` — passed.
- No new `.js`, `.cjs`, or `.mjs` files were added.
- Top-level `src/lib/onboard.ts` is unchanged.
- Controlled three-request benchmark with 20 ms injected DNS latency:
  - Keepalive session: 21.5 ms median, 22.6 ms p95.
  - Fresh session per request: 62.5 ms median, 65.0 ms p95.
  
## Parent Issue Evidence

Parent issue NVIDIA#2001 is closed and locked, so implementation notes cannot
be added there directly. This PR addresses its provider-validation
connection-reuse work through a sequence-scoped Node HTTP(S) keepalive
transport that reuses DNS resolution and connections across related
probes while preserving the established curl fallback paths.

Trace evidence is available through `validation_transport_selected`,
`validation_dns_lookup`, `validation_socket_opened`,
`validation_socket_reused`, `validation_transport_fallback`, and
`validation_transport_closed`. Credentials and response bodies are not
recorded in these trace attributes.

A controlled three-request benchmark with 20 ms injected DNS latency
measured 21.5 ms median and 22.6 ms p95 with connection reuse, compared
with 62.5 ms median and 65.0 ms p95 when creating a fresh session for
each request.

---
Signed-off-by: Angel Mata <amata@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added an optimized OpenAI-compatible endpoint validation flow for
**Responses** and **Chat Completions**, including model-specific probing
for DeepSeek V4 Pro and Kimi K2.6.
* Introduced an HTTP **validation session** with keep-alive behavior and
stricter endpoint gating.

* **Improvements**
* Enforced safer request rules (origin checks, localhost/private
blocking), per-request timeouts, and an 8MB response size limit.
* Enhanced streaming validation plus curl-style retry/fallback behavior.
* Made onboarding “smoke” verification properly async and improved
execution ordering; improved sanitization/parsing for extra OpenAI-like
headers.

* **Tests**
* Expanded coverage for keep-alive, DNS/proxy rules,
authentication/header behavior, streaming/fallback logic, and async
smoke verification.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Angel Mata <amata@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary

Release-prep documentation for v0.0.81 now summarizes user-facing
changes merged since v0.0.80.
It also closes the Hermes dashboard-profile backup gap and distinguishes
direct blueprint-runner actions from public host CLI commands.

## Changes

- Add the `v0.0.81` section to `docs/about/release-notes.mdx` with links
to the detailed user guides.
- Document that Hermes rebuilds preserve `.hermes/dashboard-home/`,
including Dashboard `MEMORY.md` and `USER.md`.
- Update Hermes manual backup and restore examples to transfer those two
profile files without copying generated configuration or the
secret-bearing dashboard `.env`.
- Explain the new per-item backup failure causes.
- Clarify that migration snapshot retention fragments are direct-runner
arguments and are not exposed by the host `nemoclaw` CLI.

### Source summary

- NVIDIA#6445 -> `docs/about/release-notes.mdx`,
`docs/manage-sandboxes/backup-restore.mdx`, and
`docs/manage-sandboxes/workspace-files.mdx`: Summarize manifest-owned
key-level restore and current-config authority.
- NVIDIA#6617 -> `docs/about/release-notes.mdx` and
`docs/manage-sandboxes/backup-restore.mdx`: Record the fail-closed
`/proc` fallback used to verify an idle Deep Agents runtime before
snapshot creation.
- NVIDIA#6685 -> `docs/about/release-notes.mdx`,
`docs/manage-sandboxes/backup-restore.mdx`, and
`docs/manage-sandboxes/workspace-files.mdx`: Document Hermes Web
Dashboard profile persistence and safe manual transfer.
- NVIDIA#6649 -> `docs/about/release-notes.mdx`: Summarize host-validated
loopback compatible-endpoint routing through the sandbox gateway.
- NVIDIA#6643 -> `docs/about/release-notes.mdx`: Summarize automatic
`max_completion_tokens` handling for GPT-5 and o-series models.
- NVIDIA#6661 -> `docs/about/release-notes.mdx`: Summarize bounded connection
reuse for eligible provider-validation probes.
- NVIDIA#6704 -> `docs/about/release-notes.mdx`: Record that direct blueprint
apply stops instead of persisting incomplete state after provider or
inference setup fails.
- NVIDIA#6677 -> `docs/about/release-notes.mdx`: Summarize transactional
recovery for legacy Docker containers whose managed supervisor
disappeared after restart.
- NVIDIA#6625 -> `docs/about/release-notes.mdx`: Record Hermes managed-startup
persistence across direct Docker restarts.
- NVIDIA#6597 -> `docs/about/release-notes.mdx`: Record final-sandbox gateway
cleanup on macOS.
- NVIDIA#6680 -> `docs/about/release-notes.mdx`: Summarize managed Deep Agents
first-run and process-tree cleanup improvements.
- NVIDIA#6647 -> `docs/about/release-notes.mdx`: Record fail-closed validation
for the managed Deep Agents fetch CA bundle.
- NVIDIA#6645 -> `docs/about/release-notes.mdx`: Summarize WhatsApp loopback
pairing and trusted npm plugin provenance.
- NVIDIA#6673 -> `docs/about/release-notes.mdx` and
`docs/manage-sandboxes/backup-restore.mdx`: Document stopped-sandbox
backup remediation.
- NVIDIA#6631 -> `docs/about/release-notes.mdx` and
`docs/manage-sandboxes/backup-restore.mdx`: Document per-item backup
failure causes.
- NVIDIA#6620 -> `docs/about/release-notes.mdx`: Record the
created-but-not-ready sandbox lifecycle receipt.
- NVIDIA#6664 -> `docs/about/release-notes.mdx`: Record prompt-aware
onboarding progress output.
- NVIDIA#6598 -> `docs/about/release-notes.mdx`: Summarize stale replay-result
invalidation during resumed onboarding.
- NVIDIA#6593 -> `docs/about/release-notes.mdx`: Summarize contextual OpenClaw
audit findings for managed dashboard compatibility settings.
- NVIDIA#6650 -> `docs/about/release-notes.mdx`: Record redaction of
token-shaped URL query values.
- NVIDIA#6638 -> `docs/about/release-notes.mdx`: Record the exact-path MCP
`DELETE` policy recipe for session termination.
- NVIDIA#5453 -> `docs/reference/host-files-and-state.mdx`: Clarify that
snapshot retention actions belong to direct runner integrations and are
not standalone host CLI commands.

### Skipped from docs-skip

- NVIDIA#6633 matched the `openclaw-sandbox-permissive.yaml` path in
`docs/.docs-skip` and produced no documentation in this update.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates

- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: This is a documentation-only
release-prep update; behavior is protected by the merged source PRs, and
the documentation build validates the changed examples and routes.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification

- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — tests are not applicable for this
documentation-only change; `npm run docs` completed successfully.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result: not run for this
documentation-only change.
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — 0
errors; two existing Fern warnings remain.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)
— no new pages.

---
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **Documentation**
- Added release notes for v0.0.81 covering state preservation, inference
setup, sandbox recovery, session setup, pairing, diagnostics, and
security policy updates.
- Expanded backup and restore guidance to include dashboard profile
files and clarify files that must not be copied.
- Added dashboard profile persistence details to workspace and rebuild
documentation.
- Clarified snapshot retention guidance and the distinction between host
CLI capabilities and direct runner actions.
  - Added more detailed backup failure reporting information.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v0.0.81 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

perf(onboard): reduce repeated DNS and TLS overhead in provider validation probes

2 participants