fix(onboard): fail fast in preflight when all dashboard ports are occupied (#3953)

[nvshaxie]

Summary

• findAvailableDashboardPort already raises the right "All dashboard ports in range 18789-18799 are occupied …" error when every port is held, but it only fires in late onboarding (after preflight + gateway start + inference selection). Reporters expect the failure to be upfront.
• Add a narrow preflightDashboardPortRangeAvailability() helper in src/lib/onboard/dashboard-port.ts that only checks host bindings (safe to run before OpenShell is reachable) and call it at the end of preflight(). Exits 1 with the same canonical message when every port in DASHBOARD_PORT_RANGE_START..END is bound.
• Drop the unused findDashboardForwardOwner import/re-export from src/lib/onboard.ts to keep the entrypoint net-neutral per the onboard-entrypoint-budget workflow (the only remaining caller is dashboard-port.test.ts, which imports it directly from the module).

Bug reproduction (pre-fix)

```
$ for p in $(seq 18789 18799); do python3 -m http.server "$p" &>/dev/null & done
$ nemoclaw onboard --non-interactive --yes-i-accept-third-party-software --name overflow-test ...
[1/8] Preflight checks ← passes
[2/8] Starting OpenShell gateway ← runs anyway
[3/8] Configuring inference (NIM) ← runs anyway
Inference options menu … ← reaches the wizard
```

Behavior post-fix (same setup)

```
[1/8] Preflight checks
✓ Docker is running … ✓ Memory OK …
All dashboard ports in range 18789-18799 are occupied:
18789 → non-OpenShell host listener
18790 → non-OpenShell host listener
...
18799 → non-OpenShell host listener
Free a sandbox or use --control-ui-port with a port outside this range.
```

Exit 1. `[2/8] Starting OpenShell gateway` is never printed.

Why the helper is sound at this stage

• findAvailableDashboardPort needs openshell forward list (so it can distinguish "this port is bound by an OpenShell forward that belongs to this sandbox" from "host listener"). The preflight helper deliberately skips that distinction and treats every bound port as a non-OpenShell listener.
• That is correct here: if every port in the range is bound (either by external processes OR by other sandboxes), the new sandbox cannot use any of them anyway, and operator intervention is required either way (--control-ui-port <N> or freeing a sandbox).

Test plan

• New `describe("preflightDashboardPortRangeAvailability ([NemoClaw][All Platforms][Onboard] Onboard does not fail fast when all dashboard ports 18789-18799 are occupied by external processes #3953)")` block in `src/lib/onboard/dashboard-port.test.ts` with 3 cases (every port bound → exit 1 with canonical message; 10/11 bound + 1 free → no exit; no ports bound → no exit). Uses injected stubs for `isPortBoundOnHost` and `process.exit`.
• `npx vitest run src/lib/onboard/dashboard-port.test.ts` — 11/11 pass.
• Manual on Ubuntu 24.04 x86_64: occupied 18789-18799 with `python3 -m http.server`, ran `node bin/nemoclaw.js onboard --non-interactive ...`. Exits at the end of `[1/8] Preflight checks` with the canonical message and the per-port list; `[2/8] Starting OpenShell gateway` never prints.
• `src/lib/onboard.ts` diff stat: `+2/-2` (net 0), within the entrypoint budget.

Fixes #3953.

Signed-off-by: Shawn Xie shaxie@nvidia.com

Summary by CodeRabbit

• New Features

  • Preflight now detects when all dashboard ports are exhausted and blocks startup with a clear error showing per-port details and guidance to specify an alternate control UI port. This check runs on normal start and on resume, but is skipped when a control UI port is explicitly provided (via flag or environment).

• Tests

  • Added tests for fully occupied, partially available, and completely free port-range scenarios.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b4bf4634-4f29-4611-af2a-4d41989a2267

📥 Commits

Reviewing files that changed from the base of the PR and between a0cc430 and 1298197.

📒 Files selected for processing (1)

• src/lib/onboard.ts

💤 Files with no reviewable changes (1)

• src/lib/onboard.ts

---

📝 Walkthrough

Walkthrough

Adds preflightDashboardPortRangeAvailability to scan dashboard ports 18789–18799; it returns early if any port is free, otherwise prints per-port diagnostics and exits(1). Onboard imports and invokes this check only when no explicit control UI port is set (including NEMOCLAW_DASHBOARD_PORT), and the test suite adds cases for full, partial, and empty occupancy.

Changes

Dashboard Port Exhaustion Preflight

Layer / File(s)	Summary
Dashboard port exhaustion check implementation and tests src/lib/onboard/dashboard-port.ts, src/lib/onboard/dashboard-port.test.ts	preflightDashboardPortRangeAvailability iterates the dashboard port range with an injectable bound check, returns early if any port is free, and emits a per-port error + non-zero exit when all ports are occupied. Tests cover full exhaustion (exit+error), partial availability, and no-bound scenarios.
Onboard preflight integration src/lib/onboard.ts	Imports and conditionally invokes preflightDashboardPortRangeAvailability() during preflight when no explicit --control-ui-port or NEMOCLAW_DASHBOARD_PORT is set, updates _preflightDashboardPort initialization, and removes findDashboardForwardOwner from module.exports.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

OpenShell, Networking

Suggested reviewers

• cv
• jyaunches
• ericksoa

Poem

🐰
I hopped the ports from nine to nine,
I sniffed and tapped each hollow line.
If every gate returns a lock,
I call the halt — I stop the clock.
Now onboarding hears my sign.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a fail-fast check for when all dashboard ports are occupied during preflight.
Linked Issues check	✅ Passed	The PR implements all requirements from #3953: detects when all dashboard ports 18789-18799 are occupied, prints a clear error message listing each port, exits with non-zero status, and prevents further onboarding steps.
Out of Scope Changes check	✅ Passed	All changes are directly related to the dashboard port preflight check objective. Removal of unused findDashboardForwardOwner is justified as keeping the entrypoint net-neutral.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/dashboard-port-preflight-3953

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-advisor-raw-output.txt

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 2 worth checking, 0 nice ideas
Since last review: 2 prior items resolved, 2 still apply, 0 new items found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Unit tests do not prove the full onboard fail-fast boundary (src/lib/onboard/dashboard-port.test.ts:99): The new tests validate preflightDashboardPortRangeAvailability in isolation using injected port-bound and exit stubs. They do not run the full onboard path, so they do not prove that gateway startup, inference selection, or sandbox creation are skipped when all ports are occupied, nor do they cover the resume path or explicit dashboard-port override path in integrated execution.
  • Recommendation: Add or identify targeted integration/runtime validation that binds 18789-18799, runs onboard without an explicit dashboard port, asserts non-zero exit before gateway/sandbox side effects, and covers resume plus NEMOCLAW_DASHBOARD_PORT/--control-ui-port bypass behavior.
  • Evidence: dashboard-port.test.ts directly invokes preflightDashboardPortRangeAvailability(allBound, exitFn), partial-bound, and free-port stubs. The production call sites are in src/lib/onboard.ts preflight() and the resume branch after handlePreflightState().
• Active onboard.ts overlap increases drift risk (src/lib/onboard.ts:2442): The patched code still exists and the diff is small, but src/lib/onboard.ts remains a large active onboard entrypoint with recent and open overlapping work in preflight, gateway, sandbox, policy, and provider areas. This raises sequencing risk for where this pre-gateway fail-fast check belongs after nearby refactors land.
  • Recommendation: Before merge, re-check the latest main and overlapping onboard refactors to ensure both normal and resume guarded calls remain before gateway/inference/sandbox side effects and still respect explicit dashboard-port overrides.
  • Evidence: Trusted drift evidence shows many recent onboard.ts changes and open PR overlaps on src/lib/onboard.ts. The current PR modifies src/lib/onboard.ts with net-zero line delta but integrates behavior into a high-churn monolith.

🌱 Nice ideas

• None.

Since last review details

Current findings:

• Unit tests do not prove the full onboard fail-fast boundary (src/lib/onboard/dashboard-port.test.ts:99): The new tests validate preflightDashboardPortRangeAvailability in isolation using injected port-bound and exit stubs. They do not run the full onboard path, so they do not prove that gateway startup, inference selection, or sandbox creation are skipped when all ports are occupied, nor do they cover the resume path or explicit dashboard-port override path in integrated execution.
  • Recommendation: Add or identify targeted integration/runtime validation that binds 18789-18799, runs onboard without an explicit dashboard port, asserts non-zero exit before gateway/sandbox side effects, and covers resume plus NEMOCLAW_DASHBOARD_PORT/--control-ui-port bypass behavior.
  • Evidence: dashboard-port.test.ts directly invokes preflightDashboardPortRangeAvailability(allBound, exitFn), partial-bound, and free-port stubs. The production call sites are in src/lib/onboard.ts preflight() and the resume branch after handlePreflightState().
• Active onboard.ts overlap increases drift risk (src/lib/onboard.ts:2442): The patched code still exists and the diff is small, but src/lib/onboard.ts remains a large active onboard entrypoint with recent and open overlapping work in preflight, gateway, sandbox, policy, and provider areas. This raises sequencing risk for where this pre-gateway fail-fast check belongs after nearby refactors land.
  • Recommendation: Before merge, re-check the latest main and overlapping onboard refactors to ensure both normal and resume guarded calls remain before gateway/inference/sandbox side effects and still respect explicit dashboard-port overrides.
  • Evidence: Trusted drift evidence shows many recent onboard.ts changes and open PR overlaps on src/lib/onboard.ts. The current PR modifies src/lib/onboard.ts with net-zero line delta but integrates behavior into a high-churn monolith.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard.ts`:
- Line 3844: preflightDashboardPortRangeAvailability() is being called
unconditionally which causes failures even when the user provided an explicit
--control-ui-port; update the logic so the range-exhaustion check runs only when
no explicit control UI port override is present — detect the override (the CLI
option or config value that represents the explicit port, e.g. controlUiPort /
controlUiPortOverride / options.controlUiPort or the corresponding env var used
earlier in the file) and skip calling preflightDashboardPortRangeAvailability()
when that override is set, leaving the existing explicit-port path intact (the
explicit-port handling you preserved earlier) so the onboarding respects
--control-ui-port inputs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a75a1aed-7ee0-41b2-be45-486dcc29bbfe

📥 Commits

Reviewing files that changed from the base of the PR and between 18c7265 and a916031.

📒 Files selected for processing (3)

• src/lib/onboard.ts
• src/lib/onboard/dashboard-port.test.ts
• src/lib/onboard/dashboard-port.ts

[wscurran]

✨
Related open issues:

• #3953 [NemoClaw][All Platforms][Onboard] Onboard does not fail fast when all dashboard ports 18789-18799 are occupied by external processes

[nvshaxie]

Thanks @coderabbitai — applied your suggested guard in the followup commit. preflightDashboardPortRangeAvailability() is now only called when _preflightDashboardPort === null (i.e. no --control-ui-port override). The explicit-port path on lines ~3670-3700 already validates the chosen port separately, so no double-checking is needed.

Verified end-to-end on Ubuntu 24.04 with 18789-18799 held by python3 -m http.server placeholders:

```
$ nemoclaw onboard --control-ui-port 23000 --non-interactive ...
[1/8] Preflight checks
✓ Memory OK …
[2/8] Starting OpenShell gateway ← proceeds past preflight (would have exited before)
…
```

Without the flag, the existing fail-fast behavior is unchanged (still prints All dashboard ports in range 18789-18799 are occupied: and exits 1 before step 2).

onboard.ts diff stays at +2/-2, net 0, within the entrypoint budget.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@nvshaxie: The guard makes perfect sense — skipping the range check when an explicit --control-ui-port is provided avoids redundant validation and keeps the explicit-port path self-contained. The end-to-end verification on Ubuntu 24.04 with all 18789–18799 ports occupied confirms both the fail-fast path and the bypass path behave correctly. Looks good! 🐇 ✨

---

✏️ Learnings added

Learnt from: nvshaxie
URL: https://github.com/NVIDIA/NemoClaw/pull/3980

Timestamp: 2026-05-22T01:44:56.363Z
Learning: In `src/lib/onboard.ts`, `preflightDashboardPortRangeAvailability()` (imported from `./onboard/dashboard-port`) is guarded to only be called when `_preflightDashboardPort === null` (i.e., no `--control-ui-port` override was provided). The explicit-port validation path (around lines 3670–3700 of `onboard.ts`) handles its own port availability check separately, so calling `preflightDashboardPortRangeAvailability()` in that branch would be a double-check.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

src/lib/onboard.ts (3)

3545-3551: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t only release the default dashboard port during gateway cleanup.

This cleanup path tears down the gateway but only stops DASHBOARD_PORT. NemoClaw can be forwarding on an auto-allocated or explicit port, so those SSH forwards survive the cleanup and can later show up as bogus host listeners that block onboarding. The same default-port assumption is repeated in the other new cleanup call sites below.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 3545 - 3551, The cleanup currently only
stops DASHBOARD_PORT (calling bestEffortForwardStop(runOpenshell,
DASHBOARD_PORT)), which leaves other NemoClaw forwards (auto-allocated or
explicit ports) active and can create stale host listeners; update the gateway
teardown path in the block using destroyGatewayForReuse and
bestEffortForwardStop to stop all active forwards instead of just DASHBOARD_PORT
— either by retrieving the gateway's list of forwarded ports and calling
bestEffortForwardStop for each, or by adding/using a helper (e.g.,
stopAllForwards or similar) that accepts runOpenshell/gatewayForwardState and
stops every forwarded port before calling destroyGatewayForReuse; ensure you
update the other new cleanup call sites that mirror this pattern so all
forwarded ports are cleaned up, referencing bestEffortForwardStop, runOpenshell,
DASHBOARD_PORT, and destroyGatewayForReuse to locate the changes.

---

8981-8981: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Treat NEMOCLAW_DASHBOARD_PORT as an explicit preflight override.

Line 8981 only seeds _preflightDashboardPort from opts.controlUiPort. If the operator sets NEMOCLAW_DASHBOARD_PORT=23000 and the default 18789-18799 range is full, this still takes the auto-allocation branch, runs the new range-exhaustion check, and exits even though 23000 is the intended dashboard port. The explicit-port path and the fail-fast skip need to use the resolved env override too.

💡 Suggested fix

-  _preflightDashboardPort = opts.controlUiPort || null;
+  const envDashboardPort =
+    process.env.NEMOCLAW_DASHBOARD_PORT != null ? DASHBOARD_PORT : null;
+  _preflightDashboardPort = opts.controlUiPort ?? envDashboardPort ?? null;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` at line 8981, The code only initializes
_preflightDashboardPort from opts.controlUiPort; treat the environment override
NEMOCLAW_DASHBOARD_PORT as an explicit preflight override by reading
process.env.NEMOCLAW_DASHBOARD_PORT (if present) when setting
_preflightDashboardPort so that the explicit-port path is taken; update the
dashboard-preflight logic that runs the range-exhaustion check (the
auto-allocation branch) to skip that check when _preflightDashboardPort is
resolved from either opts.controlUiPort or process.env.NEMOCLAW_DASHBOARD_PORT
so the operator-provided port (23000) is honored instead of triggering
range-exhaustion exit.

---

9328-9350: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Resume still bypasses the new dashboard-range fail-fast.

When cached preflight is reused here, the new guard at Line 3827 never runs. If the default range becomes fully occupied after the initial attempt, --resume can still progress into later steps and only fail in dashboard allocation after sandbox work has started, which is exactly the late failure this PR is trying to move forward.

💡 Suggested fix

       assertCdiNvidiaGpuSpecPresent(assessHost(), resumeOptedOutGpuPassthrough);
       validateSandboxGpuPreflight(resumeSandboxGpuConfig);
+      if (_preflightDashboardPort === null) {
+        preflightDashboardPortRangeAvailability();
+      }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 9328 - 9350, Resume path skips the new
dashboard-range fail-fast guard; ensure the same dashboard allocation check used
in the normal preflight path is invoked during resume so we fail fast on range
exhaustion. Modify the resumePreflight branch (the if (resumePreflight) block
that calls skippedStepMessage, resolveSandboxGpuConfig,
exitOnSandboxGpuConfigErrors, assertCdiNvidiaGpuSpecPresent, and
validateSandboxGpuPreflight) to call the dashboard-range fail-fast function used
by the non-resume flow (the same guard invoked outside this block) before
proceeding to sandbox GPU validation so resume cannot bypass dashboard
allocation checks.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/lib/onboard.ts`:
- Around line 3545-3551: The cleanup currently only stops DASHBOARD_PORT
(calling bestEffortForwardStop(runOpenshell, DASHBOARD_PORT)), which leaves
other NemoClaw forwards (auto-allocated or explicit ports) active and can create
stale host listeners; update the gateway teardown path in the block using
destroyGatewayForReuse and bestEffortForwardStop to stop all active forwards
instead of just DASHBOARD_PORT — either by retrieving the gateway's list of
forwarded ports and calling bestEffortForwardStop for each, or by adding/using a
helper (e.g., stopAllForwards or similar) that accepts
runOpenshell/gatewayForwardState and stops every forwarded port before calling
destroyGatewayForReuse; ensure you update the other new cleanup call sites that
mirror this pattern so all forwarded ports are cleaned up, referencing
bestEffortForwardStop, runOpenshell, DASHBOARD_PORT, and destroyGatewayForReuse
to locate the changes.
- Line 8981: The code only initializes _preflightDashboardPort from
opts.controlUiPort; treat the environment override NEMOCLAW_DASHBOARD_PORT as an
explicit preflight override by reading process.env.NEMOCLAW_DASHBOARD_PORT (if
present) when setting _preflightDashboardPort so that the explicit-port path is
taken; update the dashboard-preflight logic that runs the range-exhaustion check
(the auto-allocation branch) to skip that check when _preflightDashboardPort is
resolved from either opts.controlUiPort or process.env.NEMOCLAW_DASHBOARD_PORT
so the operator-provided port (23000) is honored instead of triggering
range-exhaustion exit.
- Around line 9328-9350: Resume path skips the new dashboard-range fail-fast
guard; ensure the same dashboard allocation check used in the normal preflight
path is invoked during resume so we fail fast on range exhaustion. Modify the
resumePreflight branch (the if (resumePreflight) block that calls
skippedStepMessage, resolveSandboxGpuConfig, exitOnSandboxGpuConfigErrors,
assertCdiNvidiaGpuSpecPresent, and validateSandboxGpuPreflight) to call the
dashboard-range fail-fast function used by the non-resume flow (the same guard
invoked outside this block) before proceeding to sandbox GPU validation so
resume cannot bypass dashboard allocation checks.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fefc6d8c-a930-484a-b4e7-033502152492

📥 Commits

Reviewing files that changed from the base of the PR and between a916031 and 37d5531.

📒 Files selected for processing (1)

• src/lib/onboard.ts

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[nvshaxie]

Thanks @coderabbitai — addressed the two findings that scope to this PR's preflight change in commit ec7e315:

• 8981 — NEMOCLAW_DASHBOARD_PORT env override now disables the range-exhaustion fail-fast the same way --control-ui-port does. Implemented as suggested via the resolved DASHBOARD_PORT constant from ./core/ports.
• 9328-9350 — added the same if (_preflightDashboardPort === null) preflightDashboardPortRangeAvailability() guard in the --resume branch so cached preflight no longer skips it.

Skipping 3545-3551 (and the mirrored cleanup call sites) — only releasing DASHBOARD_PORT in cleanup is pre-existing behavior unrelated to the fail-fast added here. Happy to file it as a separate issue if that's the right move.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@nvshaxie: All three points make sense — great follow-through on the two in-scope fixes:

• NEMOCLAW_DASHBOARD_PORT guard (line 8981): Using the resolved DASHBOARD_PORT constant from ./core/ports as the env-override signal is the right approach — it keeps the guard symmetric with the --control-ui-port path and avoids a raw string comparison.
• --resume branch guard (lines 9328–9350): Adding the same if (_preflightDashboardPort === null) check there ensures cached-preflight runs are protected too. Good catch closing that gap.

On lines 3545–3551 — filing it as a separate issue is exactly the right call. Would you like me to open a follow-up issue in this repo to track the cleanup of those DASHBOARD_PORT release call sites?

🐇 ✨

---

✏️ Learnings added

Learnt from: nvshaxie
URL: https://github.com/NVIDIA/NemoClaw/pull/3980

Timestamp: 2026-05-22T02:05:42.745Z
Learning: In `src/lib/onboard.ts`, the `preflightDashboardPortRangeAvailability()` range-exhaustion fail-fast is disabled not only when `--control-ui-port` is provided (`_preflightDashboardPort !== null`) but also when `NEMOCLAW_DASHBOARD_PORT` env override is set (detected via the resolved `DASHBOARD_PORT` constant from `./core/ports`). Both explicit-port paths skip the default-range check.

---

Learnt from: nvshaxie
URL: https://github.com/NVIDIA/NemoClaw/pull/3980

Timestamp: 2026-05-22T02:05:42.745Z
Learning: In `src/lib/onboard.ts`, the `if (_preflightDashboardPort === null) preflightDashboardPortRangeAvailability()` guard is present in both the standard preflight branch and the `--resume` (cached-preflight) branch (around lines 9328–9350) so that range-exhaustion detection is not bypassed when onboarding resumes from a cached state.

---

Learnt from: nvshaxie
URL: https://github.com/NVIDIA/NemoClaw/pull/3980

Timestamp: 2026-05-22T02:05:42.745Z
Learning: The DASHBOARD_PORT release/cleanup call sites around lines 3545–3551 of `src/lib/onboard.ts` represent pre-existing behavior unrelated to the fail-fast preflight change introduced in PR `#3980`. Any cleanup or refactor of those call sites should be tracked as a separate issue.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/onboard.ts`:
- Around line 8981-8985: The new const envDashboardPort is both wrong (uses
DASHBOARD_PORT instead of the env value) and adds lines; replace the two-line
block with a single expression that uses the env var directly and preserves the
precedence: set _preflightDashboardPort = opts.controlUiPort ??
(process.env.NEMOCLAW_DASHBOARD_PORT ?? null); do the same collapse for the
other occurrence that mirrors this logic (the block around the symbols at the
second location).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a30a6e9f-573d-4e98-a9a2-bf83c2497dc5

📥 Commits

Reviewing files that changed from the base of the PR and between 37d5531 and ec7e315.

📒 Files selected for processing (1)

• src/lib/onboard.ts

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

• None.

Relevant changed files

• None.