fix(testing): harden gateway bind verification

[cerebrum330]

Summary

• harden gateway endpoint parsing so loopback enforcement works with ANSI-colored openshell output
• make source checkout detection accept git worktrees
• align the double-onboard lifecycle E2E with current gateway reuse messaging
• keep root lint clean by ignoring generated dist artifacts

Testing

• npm run test
• npm run lint
• npm run format:check
• npm run build:cli
• npm run typecheck:cli
• npm run typecheck
• cd nemoclaw && npm run check
• cd nemoclaw && npm run build
• bash test/e2e/e2e-cloud-experimental/check-docs.sh --local-only
• NEMOCLAW_E2E_NO_TIMEOUT=1 bash test/e2e/test-double-onboard.sh

Summary by CodeRabbit

Release Notes

• New Features

  • Gateway port binding is now automatically enforced to localhost only for local deployments.

• Bug Fixes

  • Improved Git repository detection to support Git worktrees.

• Documentation

  • Updated port conflict troubleshooting guide with current port mappings and automatic repair guidance.

• Tests

  • Added comprehensive test coverage for gateway binding enforcement and improved existing test assertions.

[coderabbitai]

📝 Walkthrough

Walkthrough

This change adds loopback-only binding enforcement for the OpenShell gateway, ensuring the gateway container publishes to 127.0.0.1:8080 instead of 0.0.0.0:8080. The implementation includes helper functions to inspect containers, parse gateway endpoints, and rebuild containers with corrected bindings. Updated documentation, configuration ignores, and comprehensive test coverage accompany the core feature.

Changes

Cohort / File(s)	Summary
Gateway Loopback Binding Enforcement bin/lib/onboard.js	Added enforcement mechanism for loopback-only gateway port binding. Includes helpers to extract container name, parse ANSI-colored gateway info output, serialize docker inspections, check health, and validate bindings. Enforces loopback binding after gateway reuse, health confirmation, and during recovery flows.
Documentation & Configuration docs/reference/troubleshooting.md, eslint.config.mjs	Updated troubleshooting guide to document gateway port 8080 on 127.0.0.1 and dashboard port 18789, with added guidance on automatic loopback binding repair. Added dist/** to ESLint ignores.
Build & Source Detection scripts/install.sh	Changed Git repository detection in is_source_checkout() from directory-only test (-d) to accept any filesystem entry (-e), supporting Git worktree-style .git files.
Test Coverage test/onboard.gateway-bind.test.js, test/install-preflight.test.js, test/e2e/test-double-onboard.sh	Added comprehensive test suite for loopback binding enforcement with docker mocking, updated install tests to handle missing git logs and accept .git file worktrees, and broadened gateway-reuse log pattern matching in end-to-end tests.

Sequence Diagram(s)

sequenceDiagram
    participant Gateway as Gateway Lifecycle
    participant Inspector as Container Inspector
    participant Parser as Output Parser
    participant Docker as Docker Daemon
    participant Health as Health Checker

    Gateway->>Inspector: enforceLoopbackGatewayBinding()
    Inspector->>Docker: docker inspect openshell-cluster-nemoclaw
    Docker-->>Inspector: container config (port bindings)
    
    Inspector->>Parser: parseGatewayEndpointHost(info)
    Parser-->>Inspector: 127.0.0.1 or other host
    
    Inspector->>Inspector: Check if binding<br/>already loopback-only
    
    alt Binding not loopback
        Inspector->>Docker: docker stop container
        Docker-->>Inspector: stopped
        Inspector->>Docker: docker rm container
        Docker-->>Inspector: removed
        Inspector->>Docker: docker run with -p 127.0.0.1:8080:30051/tcp
        Docker-->>Inspector: container created
        Inspector->>Health: Check container health
        Health-->>Inspector: healthy
        Inspector-->>Gateway: repaired: true
    else Already loopback
        Inspector-->>Gateway: repaired: false
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A gateway needs binding so tight,
Loopback-only, held just right,
Docker commands dance and rebuild,
Port 127.0.0.1 perfectly filled,
Tests ensure all stays locked in place! 🔐

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title 'fix(testing): harden gateway bind verification' is partially related to the changeset but does not reflect the primary change.	The main change is enforcing loopback binding for the OpenShell gateway runtime (bin/lib/onboard.js), not testing/verification hardening. Consider retitling to reflect the core enforcement mechanism, such as 'fix(gateway): enforce loopback binding for local openshell runtime'.
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch codex/nemoclaw-loopback-gateway-bind

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

bin/lib/onboard.js (1)

769-776: Multi-element entrypoint silently dropped.

Lines 769-771 only handle single-element entrypoints. If the container has a multi-element entrypoint like ["/bin/sh", "-c"], the entrypoint is silently omitted from the recreated container, causing it to fall back to the image default.

For the OpenShell gateway cluster image this is likely fine since the entrypoint is typically a single script, but consider logging a warning or handling multi-element entrypoints for robustness.

💡 Optional: Handle multi-element entrypoints

-  if (Array.isArray(config.Entrypoint) && config.Entrypoint.length === 1) {
-    cmdParts.push("--entrypoint", config.Entrypoint[0]);
+  if (Array.isArray(config.Entrypoint) && config.Entrypoint.length > 0) {
+    // Docker --entrypoint takes the executable; extra args go after the image
+    cmdParts.push("--entrypoint", config.Entrypoint[0]);
+    // Note: Multi-element entrypoints need args passed after the image name,
+    // which is already handled by config.Cmd in most cases.
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bin/lib/onboard.js` around lines 769 - 776, The code currently only handles
single-element entrypoints (config.Entrypoint) and silently drops multi-element
arrays; update the logic around config.Entrypoint and the code that pushes
"--entrypoint" into cmdParts so multi-element entrypoints are preserved (e.g.,
join the array into a single string or iterate and pass each part properly) or,
at minimum, emit a clear warning via the existing logger when config.Entrypoint
is an array with length > 1; adjust the branch that currently does if
(Array.isArray(config.Entrypoint) && config.Entrypoint.length === 1) to handle
multi-element arrays or log the warning while still ensuring cmdParts contains
the intended entrypoint form.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@bin/lib/onboard.js`:
- Around line 769-776: The code currently only handles single-element
entrypoints (config.Entrypoint) and silently drops multi-element arrays; update
the logic around config.Entrypoint and the code that pushes "--entrypoint" into
cmdParts so multi-element entrypoints are preserved (e.g., join the array into a
single string or iterate and pass each part properly) or, at minimum, emit a
clear warning via the existing logger when config.Entrypoint is an array with
length > 1; adjust the branch that currently does if
(Array.isArray(config.Entrypoint) && config.Entrypoint.length === 1) to handle
multi-element arrays or log the warning while still ensuring cmdParts contains
the intended entrypoint form.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a1c36552-7b97-4b17-9db4-b9255dfe83f8

📥 Commits

Reviewing files that changed from the base of the PR and between a064e97 and d604334.

📒 Files selected for processing (7)

• bin/lib/onboard.js
• docs/reference/troubleshooting.md
• eslint.config.mjs
• scripts/install.sh
• test/e2e/test-double-onboard.sh
• test/install-preflight.test.js
• test/onboard.gateway-bind.test.js

[wscurran]

✨ Thanks for submitting this PR, which proposes a way to improve testing and fix issues with gateway bind verification.

[jyaunches]

Hey @cerebrum330 — thanks for working on this! The idea of hardening gateway bind verification and supporting ANSI-colored openshell output was a good catch.

This one has gone a bit stale (no review activity in ~10 days) and touches a broad set of files (onboard.js, install.sh, eslint.config.mjs, etc.) that have seen a lot of churn on main since. It would likely need a significant rebase at this point.

Going to close this for now to keep the PR backlog tidy, but if you'd like to revisit the gateway bind hardening in a fresh PR with a narrower scope, that'd be very welcome. Thanks for the contribution! 🙏