feat(cli): add configurable port overrides via environment variables#1645
feat(cli): add configurable port overrides via environment variables#1645cv merged 54 commits intoNVIDIA:mainfrom
Conversation
Add bin/lib/ports.js as central port configuration. All hardcoded service ports can now be overridden via environment variables: - NEMOCLAW_GATEWAY_PORT (default 8080) - NEMOCLAW_DASHBOARD_PORT (default 18789) - NEMOCLAW_VLLM_PORT (default 8000) - NEMOCLAW_OLLAMA_PORT (default 11434) Ports are validated to be non-privileged (1024-65535). Defaults are unchanged so existing setups are unaffected. Closes NVIDIA#684 Based on the approach from PR NVIDIA#683 Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: jnun <imjasonn@gmail.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughCentralized port configuration: added a ports module and runtime shim to parse/validate NEMOCLAW_* env vars; replaced hard-coded ports (8080, 18789, 8000, 11434) across TypeScript, shell scripts, tests, CI, and runtime helpers to use the new port constants. Changes
Sequence Diagram(s)mermaid Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
…aths Extend port configurability beyond bin/lib/*.js to cover the full runtime: TypeScript source, shell scripts, Dockerfile, and utilities. New file: - src/lib/ports.ts — TypeScript counterpart of bin/lib/ports.js Updated files (13 total): - src/lib/local-inference.ts — 15 hardcoded 8000/11434 → VLLM_PORT/OLLAMA_PORT - src/lib/nim.ts — 6 hardcoded 8000 → VLLM_PORT - src/lib/dashboard.ts — CONTROL_UI_PORT uses DASHBOARD_PORT - src/lib/preflight.ts — fallback uses DASHBOARD_PORT - src/lib/services.ts — fixed env var name (DASHBOARD_PORT → NEMOCLAW_DASHBOARD_PORT) - src/lib/debug.ts — lsof uses DASHBOARD_PORT - nemoclaw/src/blueprint/runner.ts — forward_ports uses DASHBOARD_PORT - scripts/nemoclaw-start.sh — CHAT_UI_URL/PUBLIC_PORT read NEMOCLAW_DASHBOARD_PORT - scripts/lib/runtime.sh — provider URLs read NEMOCLAW_VLLM_PORT/OLLAMA_PORT - scripts/debug.sh, uninstall.sh — use env var with fallback - Dockerfile — added comment noting env var override All 1199 tests pass. Zero behavior change when env vars are unset. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: jnun <imjasonn@gmail.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
src/lib/debug.ts (1)
377-377: Consider updating the label to reflect the actual port.The command now uses the configurable
DASHBOARD_PORT, but the label remains hardcoded as"lsof-18789". When users override the dashboard port (e.g., to 19000), the output file will still be namedlsof-18789.txtwhile probing port 19000, which could cause confusion in debug tarballs.Proposed fix
- collect(collectDir, "lsof-18789", "lsof", ["-i", `:${DASHBOARD_PORT}`]); + collect(collectDir, `lsof-${DASHBOARD_PORT}`, "lsof", ["-i", `:${DASHBOARD_PORT}`]);🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/lib/debug.ts` at line 377, The label passed to collect is hardcoded as "lsof-18789" while the command probes the configurable DASHBOARD_PORT; update the label to reflect the actual port (e.g., replace the literal "lsof-18789" with a dynamic label like `lsof-${DASHBOARD_PORT}`) so collect(collectDir, ..., "lsof-<port>", "lsof", ["-i", `:${DASHBOARD_PORT}`]) produces filenames that match the port being inspected; refer to the collect call and the DASHBOARD_PORT symbol to make the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@nemoclaw/src/blueprint/runner.ts`:
- Around line 25-26: Replace the current naive DASHBOARD_PORT assignment with a
local validated parser: add a parsePort function (e.g., parsePort(envVar:
string, fallback: number)) that reads process.env[envVar], trims and ensures it
matches /^\d+$/, converts to Number, checks the allowed range 1024–65535 and
throws a descriptive Error on invalid input, and then set const DASHBOARD_PORT =
parsePort("NEMOCLAW_DASHBOARD_PORT", 18789); this ensures numeric, non-negative,
in-range ports and mirrors the validation logic of the original src/lib/ports.ts
without importing it.
In `@scripts/lib/runtime.sh`:
- Around line 241-245: Add shell-side validation for NEMOCLAW_VLLM_PORT and
NEMOCLAW_OLLAMA_PORT by creating/using a validate_port function that checks the
value is a non-empty integer and within 1-65535; call validate_port for each env
var before assigning local vllm_port and ollama_port and before using them in
the provider case branches (vllm-local, ollama-local) so invalid values print a
clear error and exit non‑zero. Apply the same validation calls to the analogous
code block referenced (the other provider branch around the 253-260 region) so
both usages fail fast on bad port input.
In `@src/lib/nim.ts`:
- Line 201: The docker run maps host port Number(port) to ${VLLM_PORT} but the
container actually listens on the fixed internal port 8000, breaking mappings;
update the docker invocation in src/lib/nim.ts so the host port maps to the
container's internal port 8000 (e.g., use `${Number(port)}:8000` or replace
VLLM_PORT with a constant CONTAINER_PORT = 8000) and ensure any related health
check or URL construction that currently uses VLLM_PORT is adjusted to use the
container internal port or the same CONTAINER_PORT constant (refer to the
variables port and VLLM_PORT and the docker run template string).
---
Nitpick comments:
In `@src/lib/debug.ts`:
- Line 377: The label passed to collect is hardcoded as "lsof-18789" while the
command probes the configurable DASHBOARD_PORT; update the label to reflect the
actual port (e.g., replace the literal "lsof-18789" with a dynamic label like
`lsof-${DASHBOARD_PORT}`) so collect(collectDir, ..., "lsof-<port>", "lsof",
["-i", `:${DASHBOARD_PORT}`]) produces filenames that match the port being
inspected; refer to the collect call and the DASHBOARD_PORT symbol to make the
change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: f4af93c2-0e0f-4041-a645-59ba067bf7d1
📒 Files selected for processing (13)
Dockerfilenemoclaw/src/blueprint/runner.tsscripts/debug.shscripts/lib/runtime.shscripts/nemoclaw-start.shsrc/lib/dashboard.tssrc/lib/debug.tssrc/lib/local-inference.tssrc/lib/nim.tssrc/lib/ports.tssrc/lib/preflight.tssrc/lib/services.tsuninstall.sh
✅ Files skipped from review due to trivial changes (1)
- Dockerfile
Audit response to @bpelfrey's reviewAll production code paths are now wired to the configurable port constants. Here's the full scorecard against your list: Production code paths — all fixed
Blueprint/config files — intentional defaults, not changed
All 1199 tests pass. Setting any |
Address CodeRabbit review: - Fix NIM docker run: map host port to container internal port 8000 (not VLLM_PORT, which is the host port). Container always listens on 8000 internally regardless of host port override. - Fix docker port query: query container port 8000, not VLLM_PORT. - Add _validate_port() helper in runtime.sh to fail fast on invalid NEMOCLAW_VLLM_PORT / NEMOCLAW_OLLAMA_PORT values. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: jnun <imjasonn@gmail.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cv
left a comment
There was a problem hiding this comment.
Security Review — WARNING (3 issues to fix)
Good architectural direction — centralizing ports into validated modules is the right call. But the validation isn't applied consistently.
Required changes
1. runner.ts bypasses validation (CRITICAL):
nemoclaw/src/blueprint/runner.ts uses Number(process.env.NEMOCLAW_DASHBOARD_PORT) || 18789 — no range check, accepts privileged ports, different fallback behavior than everywhere else. Replace with an import from src/lib/ports.ts.
2. Shell scripts lack validation (MEDIUM):
uninstall.sh, debug.sh, and nemoclaw-start.sh read ${NEMOCLAW_DASHBOARD_PORT:-18789} without validation. The pgrep -f usage in uninstall.sh is particularly concerning — a value like .* would match all openshell processes. Add _validate_port calls (already defined in runtime.sh) or source a shared function.
3. No unit tests (MEDIUM):
parsePort() is the security gate for the entire feature. Needs tests for: valid range, below 1024 (rejected), above 65535 (rejected), non-numeric input, empty/undefined, whitespace-padded values.
What's good
parsePort()regex/^\d+$/+ 1024-65535 range check is correct in the JS paths- No traffic redirection risk — hostname is always hardcoded to localhost
- Dockerfile change is comment-only, correct
- All CI checks green
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
Address security review (cv): 1. runner.ts: replace unvalidated Number() || with inline parseDashboardPort() that checks range 1024-65535 2. Shell scripts: add validation for NEMOCLAW_DASHBOARD_PORT in nemoclaw-start.sh (range check with fallback), debug.sh, and uninstall.sh (sanitize before pgrep to prevent pattern injection) 3. Add 11 unit tests for parsePort(): valid range, below 1024, above 65535, non-numeric, empty, whitespace, special chars Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: jnun <imjasonn@gmail.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
src/lib/ports.test.ts (1)
11-17: Restore pre-existingTEST_PORTinstead of always deleting it.This suite currently removes
TEST_PORTunconditionally, which can leak state if the variable was set by the outer test environment. Capture and restore the original value for safer isolation.♻️ Proposed fix
describe("parsePort", () => { const ENV_KEY = "TEST_PORT"; + let previousEnvValue: string | undefined; beforeEach(() => { + previousEnvValue = process.env[ENV_KEY]; delete process.env[ENV_KEY]; }); afterEach(() => { - delete process.env[ENV_KEY]; + if (previousEnvValue === undefined) { + delete process.env[ENV_KEY]; + } else { + process.env[ENV_KEY] = previousEnvValue; + } });🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/lib/ports.test.ts` around lines 11 - 17, Capture the original value of process.env[ENV_KEY] in the test suite setup and restore it after each test instead of unconditionally deleting it: in beforeEach save const originalEnv = process.env[ENV_KEY] (or a suite-scoped variable) and then set/delete process.env[ENV_KEY] for test isolation as needed; in afterEach restore process.env[ENV_KEY] = originalEnv if it was defined or delete it if it was undefined. Update the beforeEach/afterEach logic around ENV_KEY to reference the saved variable so external environment values are preserved.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@nemoclaw/src/blueprint/runner.ts`:
- Around line 25-40: Add unit tests for parseDashboardPort() (and validate
behavior of DASHBOARD_PORT if needed) in the co-located test file: cover unset
env var and empty-string cases to assert default 18789, non-numeric values (e.g.
"abc") to assert it throws with message containing NEMOCLAW_DASHBOARD_PORT and
range text, numeric values below 1024 and above 65535 to assert it throws with
the same message, and valid numeric strings (e.g. "1024", "65535", " 18789 ") to
assert correct parsed numbers; ensure tests temporarily set and restore
process.env.NEMOCLAW_DASHBOARD_PORT and assert thrown Error messages include the
expected text.
In `@scripts/nemoclaw-start.sh`:
- Around line 143-156: The current validation for NEMOCLAW_DASHBOARD_PORT in
nemoclaw-start.sh silently falls back to 18789; change it to match
bin/lib/ports.js by failing fast: when NEMOCLAW_DASHBOARD_PORT (and the derived
_DASHBOARD_PORT) is non-numeric or outside 1024-65535, print a clear error to
stderr and exit 1 instead of resetting to 18789; only set CHAT_UI_URL and
PUBLIC_PORT after successful validation of _DASHBOARD_PORT so the script does
not continue with a hidden default.
---
Nitpick comments:
In `@src/lib/ports.test.ts`:
- Around line 11-17: Capture the original value of process.env[ENV_KEY] in the
test suite setup and restore it after each test instead of unconditionally
deleting it: in beforeEach save const originalEnv = process.env[ENV_KEY] (or a
suite-scoped variable) and then set/delete process.env[ENV_KEY] for test
isolation as needed; in afterEach restore process.env[ENV_KEY] = originalEnv if
it was defined or delete it if it was undefined. Update the beforeEach/afterEach
logic around ENV_KEY to reference the saved variable so external environment
values are preserved.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: d2ac1753-9223-4f73-81fc-23e2dc0022a8
📒 Files selected for processing (5)
nemoclaw/src/blueprint/runner.tsscripts/debug.shscripts/nemoclaw-start.shsrc/lib/ports.test.tsuninstall.sh
🚧 Files skipped from review as they are similar to previous changes (2)
- uninstall.sh
- scripts/debug.sh
| /** Dashboard port — validated from NEMOCLAW_DASHBOARD_PORT env var, defaults to 18789. */ | ||
| function parseDashboardPort(): number { | ||
| const raw = process.env.NEMOCLAW_DASHBOARD_PORT; | ||
| if (raw === undefined || raw === "") return 18789; | ||
| const trimmed = raw.trim(); | ||
| if (!/^\d+$/.test(trimmed)) { | ||
| throw new Error(`Invalid NEMOCLAW_DASHBOARD_PORT="${raw}" — must be 1024-65535`); | ||
| } | ||
| const parsed = Number(trimmed); | ||
| if (parsed < 1024 || parsed > 65535) { | ||
| throw new Error(`Invalid NEMOCLAW_DASHBOARD_PORT="${raw}" — must be 1024-65535`); | ||
| } | ||
| return parsed; | ||
| } | ||
| const DASHBOARD_PORT = parseDashboardPort(); | ||
|
|
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Co-located tests near runner.ts =="
fd -a -i 'runner*.test.ts' nemoclaw/src || true
echo "== Tests mentioning dashboard port env/default forwarding =="
rg -n --type ts -C2 'NEMOCLAW_DASHBOARD_PORT|DASHBOARD_PORT|forward_ports' --iglob '*test.ts' nemoclaw/src || trueRepository: NVIDIA/NemoClaw
Length of output: 1056
🏁 Script executed:
cat -n nemoclaw/src/blueprint/runner.test.ts | head -250Repository: NVIDIA/NemoClaw
Length of output: 9398
🏁 Script executed:
tail -n +250 nemoclaw/src/blueprint/runner.test.ts | head -200Repository: NVIDIA/NemoClaw
Length of output: 7369
🏁 Script executed:
rg -n 'parseDashboardPort|NEMOCLAW_DASHBOARD_PORT' nemoclaw/src/blueprint/runner.test.tsRepository: NVIDIA/NemoClaw
Length of output: 41
🏁 Script executed:
wc -l nemoclaw/src/blueprint/runner.test.ts && echo "---" && tail -100 nemoclaw/src/blueprint/runner.test.tsRepository: NVIDIA/NemoClaw
Length of output: 3541
🏁 Script executed:
rg -r 'parseDashboardPort|NEMOCLAW_DASHBOARD_PORT' nemoclaw/src --type tsRepository: NVIDIA/NemoClaw
Length of output: 243
🏁 Script executed:
sed -n '1,80p' nemoclaw/src/blueprint/runner.ts && echo "---" && sed -n '200,260p' nemoclaw/src/blueprint/runner.tsRepository: NVIDIA/NemoClaw
Length of output: 4039
🏁 Script executed:
find nemoclaw/src/blueprint -name '*.test.ts' -o -name '*.test.js'Repository: NVIDIA/NemoClaw
Length of output: 209
🏁 Script executed:
rg -n 'parseDashboardPort|NEMOCLAW_DASHBOARD_PORT|forward_ports.*DASHBOARD' nemoclaw/src/blueprint/*.test.tsRepository: NVIDIA/NemoClaw
Length of output: 41
🏁 Script executed:
grep -n 'const DASHBOARD_PORT' nemoclaw/src/blueprint/runner.ts && grep -n 'DASHBOARD_PORT' nemoclaw/src/blueprint/runner.ts | head -20Repository: NVIDIA/NemoClaw
Length of output: 624
Add unit tests for parseDashboardPort() validation and environment variable handling.
The dashboard port parser lacks dedicated test coverage in the co-located test file. Existing tests verify the fallback behavior works (forward_ports defaults to [18789]), but there are no tests for the parser function itself—specifically for unset/empty defaults, invalid values (non-numeric, <1024, >65535), and error messages.
As security-sensitive sandbox initialization code, this warrants explicit unit tests per the coding guidelines.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@nemoclaw/src/blueprint/runner.ts` around lines 25 - 40, Add unit tests for
parseDashboardPort() (and validate behavior of DASHBOARD_PORT if needed) in the
co-located test file: cover unset env var and empty-string cases to assert
default 18789, non-numeric values (e.g. "abc") to assert it throws with message
containing NEMOCLAW_DASHBOARD_PORT and range text, numeric values below 1024 and
above 65535 to assert it throws with the same message, and valid numeric strings
(e.g. "1024", "65535", " 18789 ") to assert correct parsed numbers; ensure tests
temporarily set and restore process.env.NEMOCLAW_DASHBOARD_PORT and assert
thrown Error messages include the expected text.
Add test/e2e-port-overrides.sh with 11 tests covering: - Default ports unchanged when no env vars set - NEMOCLAW_DASHBOARD_PORT overrides PUBLIC_PORT and CHAT_UI_URL - Invalid ports (non-numeric, privileged, out of range) fall back - Pattern injection (e.g., ".*") sanitized before pgrep - Node.js ports.js validates and propagates all 4 port overrides - Boundary values (1024, 65535) accepted Runs as a separate parallel CI job (test-e2e-port-overrides) using the production image, alongside existing sandbox and isolation tests. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: jnun <imjasonn@gmail.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add tests 12-13 verifying that NIM docker run maps host port to the fixed internal container port 8000 (not VLLM_PORT), and that docker port queries also use 8000. Catches the CodeRabbit critical finding on nim.ts. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address CodeRabbit review: - nemoclaw-start.sh now exits 1 on invalid NEMOCLAW_DASHBOARD_PORT instead of silently reverting to 18789. Matches ports.js behavior (fail fast, don't hide bad config). - Trims whitespace from env var value before validation. - Update e2e tests 3-6 to expect failure (exit 1) not fallback. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: jnun <imjasonn@gmail.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address Carlos's review: bin/lib/ports.js was a full standalone JavaScript module duplicating the logic already in src/lib/ports.ts. Replace with a thin re-export shim (module.exports = require(dist)) following the established pattern used by all other bin/lib/ files. Single source of truth is now src/lib/ports.ts only. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
Plugin branch coverage dropped below 86% threshold because nemoclaw/src/lib/ports.ts had 20% branch coverage. Added 9 tests covering all parsePort() branches. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Quick review update after checking the latest branch state locally. Good progress overall — the earlier validation gaps are mostly fixed now. But I still see one blocker and one follow-up bug: 1. Blocker:
|
…ded dashboard port GATEWAY_PORT was validated in preflight but never passed to the actual gateway start/restart commands. Wire --port into both start paths. Replace hardcoded 18789 fallbacks in agent-runtime and agent-defs with the DASHBOARD_PORT constant so custom port overrides take effect. Addresses review feedback from Carlos on PR NVIDIA#1645. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Follow-up after re-checking the latest PR head ( My earlier comment is no longer current as a merge blocker:
So the two concrete correctness issues I called out earlier appear resolved now. The only residual concern I still have is test depth: |
Replace reimplemented shell validation snippets in tests 2-6 and 9-10 with calls to the actual nemoclaw-start entrypoint. This ensures tests break if the runtime validation logic changes without updating tests. Rejection tests verify the entrypoint exits non-zero with the expected error message. Acceptance tests verify no [SECURITY] port error appears. Addresses Carlos's review feedback on test depth. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
One more follow-up after re-checking the latest head ( My remaining test-depth concern is narrower now. The updated What I still do not see is a true runtime test for So at this point I would treat the earlier test-depth concern as mostly resolved, with one remaining coverage gap around runtime validation of custom gateway startup on the overridden port. |
Add source-level assertion that both gateway start paths (primary and recovery) pass --port GATEWAY_PORT. This ensures a custom NEMOCLAW_GATEWAY_PORT flows through to the actual openshell commands, not just the Node.js ports module. Addresses Carlos's remaining test-depth concern on PR NVIDIA#1645. Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Final follow-up after checking the latest head ( This addresses my remaining concern well enough for review purposes. The new
That closes the specific plumbing gap I was still worried about. At this point I consider my earlier concerns resolved. |
…VIDIA#1645) ## Summary - Add `bin/lib/ports.js` as central port configuration module - All hardcoded service ports can now be overridden via environment variables - Defaults are unchanged — zero regression for existing setups | Env var | Default | Service | |---------|---------|---------| | `NEMOCLAW_GATEWAY_PORT` | 8080 | OpenShell gateway | | `NEMOCLAW_DASHBOARD_PORT` | 18789 | Dashboard UI | | `NEMOCLAW_VLLM_PORT` | 8000 | vLLM/NIM inference | | `NEMOCLAW_OLLAMA_PORT` | 11434 | Ollama inference | Ports are validated to be non-privileged (1024–65535). ### Usage ```bash export NEMOCLAW_DASHBOARD_PORT=19000 nemoclaw onboard ``` ## Related Issue Closes NVIDIA#684 Based on the approach from PR NVIDIA#683 by @jnun — thank you for the original design. Supersedes NVIDIA#683 (rebased on latest main with correct defaults). Consider closing NVIDIA#703, NVIDIA#357 (subsumed by this). ## Test plan - [ ] `npm test` passes (135 tests in cli + onboard) - [ ] `nemoclaw onboard` works with default ports (no regression) - [ ] Set `NEMOCLAW_DASHBOARD_PORT=19000`, verify dashboard uses port 19000 - [ ] Set invalid port (e.g., `NEMOCLAW_GATEWAY_PORT=abc`), verify startup fails with clear error Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Centralized, configurable ports for dashboard, gateway, vLLM and Ollama via environment variables with validated defaults. * **Improvements** * Startup, health checks, diagnostics, uninstall and helper flows now honor configured ports and enforce numeric/range validation with fail-fast errors. * **Tests** * Added unit and end-to-end tests covering port parsing, boundaries and override scenarios; CI job added to run E2E port-override tests. * **Chore** * Added compatibility shim to surface built artifacts and documented the default dashboard port in the container build. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: jnun <imjasonn@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Aaron Erickson <aerickson@nvidia.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary - Document tier-based policy selector (Restricted/Balanced/Open) in commands, network policies, and customize-network-policy pages (from #1753) - Document configurable port overrides via environment variables (`NEMOCLAW_GATEWAY_PORT`, `NEMOCLAW_DASHBOARD_PORT`, `NEMOCLAW_VLLM_PORT`, `NEMOCLAW_OLLAMA_PORT`) (from #1645) - Document `nemoclaw <sandbox> skill install <path>` command (from #1845, #1856) - Document reserved sandbox name validation — CLI command collision check (from #1773) - Bump doc version switcher through 0.0.15 - Remove `--dangerously-skip-permissions` from onboard usage synopsis (docs-skip violation) - Regenerate agent skills from updated docs ## Test plan - [x] `make docs` builds without warnings - [x] All pre-commit hooks pass - [ ] Verify rendered pages in docs build output - [ ] Cross-references resolve correctly (`policy-tiers` anchor, `environment-variables` section) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…VIDIA#1645) ## Summary - Add `bin/lib/ports.js` as central port configuration module - All hardcoded service ports can now be overridden via environment variables - Defaults are unchanged — zero regression for existing setups | Env var | Default | Service | |---------|---------|---------| | `NEMOCLAW_GATEWAY_PORT` | 8080 | OpenShell gateway | | `NEMOCLAW_DASHBOARD_PORT` | 18789 | Dashboard UI | | `NEMOCLAW_VLLM_PORT` | 8000 | vLLM/NIM inference | | `NEMOCLAW_OLLAMA_PORT` | 11434 | Ollama inference | Ports are validated to be non-privileged (1024–65535). ### Usage ```bash export NEMOCLAW_DASHBOARD_PORT=19000 nemoclaw onboard ``` ## Related Issue Closes NVIDIA#684 Based on the approach from PR NVIDIA#683 by @jnun — thank you for the original design. Supersedes NVIDIA#683 (rebased on latest main with correct defaults). Consider closing NVIDIA#703, NVIDIA#357 (subsumed by this). ## Test plan - [ ] `npm test` passes (135 tests in cli + onboard) - [ ] `nemoclaw onboard` works with default ports (no regression) - [ ] Set `NEMOCLAW_DASHBOARD_PORT=19000`, verify dashboard uses port 19000 - [ ] Set invalid port (e.g., `NEMOCLAW_GATEWAY_PORT=abc`), verify startup fails with clear error Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Centralized, configurable ports for dashboard, gateway, vLLM and Ollama via environment variables with validated defaults. * **Improvements** * Startup, health checks, diagnostics, uninstall and helper flows now honor configured ports and enforce numeric/range validation with fail-fast errors. * **Tests** * Added unit and end-to-end tests covering port parsing, boundaries and override scenarios; CI job added to run E2E port-override tests. * **Chore** * Added compatibility shim to surface built artifacts and documented the default dashboard port in the container build. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com> Signed-off-by: Aaron Erickson <aerickson@nvidia.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: jnun <imjasonn@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Aaron Erickson <aerickson@nvidia.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: ColinM-sys <cmcdonough@50words.com>
Summary
bin/lib/ports.jsas central port configuration moduleNEMOCLAW_GATEWAY_PORTNEMOCLAW_DASHBOARD_PORTNEMOCLAW_VLLM_PORTNEMOCLAW_OLLAMA_PORTPorts are validated to be non-privileged (1024–65535).
Usage
export NEMOCLAW_DASHBOARD_PORT=19000 nemoclaw onboardRelated Issue
Closes #684
Based on the approach from PR #683 by @jnun — thank you for the original design.
Supersedes #683 (rebased on latest main with correct defaults).
Consider closing #703, #357 (subsumed by this).
Test plan
npm testpasses (135 tests in cli + onboard)nemoclaw onboardworks with default ports (no regression)NEMOCLAW_DASHBOARD_PORT=19000, verify dashboard uses port 19000NEMOCLAW_GATEWAY_PORT=abc), verify startup fails with clear errorSigned-off-by: Prekshi Vyas prekshiv@nvidia.com
🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Improvements
Tests
Chore