feat(web-search): add DuckDuckGo provider gated behind experimental #4674

Open
laitingsheng wants to merge 10 commits into main from feat/4559-duckduckgo-web-search
@laitingsheng laitingsheng commented Jun 2, 2026

Summary

Adds a keyless DuckDuckGo Web Search provider as an experimental alternative to Brave Search. Activation is gated by NEMOCLAW_EXPERIMENTAL=1 in non-interactive mode and by an additional provider prompt in interactive mode; without that flag, the existing Brave-only behavior is preserved.

Related Issue

Resolves #4559.

Changes

  • WebSearchConfig gains an optional provider discriminant (brave | duckduckgo); onboard-session serialization preserves it.
  • scripts/generate-openclaw-config.mts branches on NEMOCLAW_WEB_SEARCH_PROVIDER: DuckDuckGo emits tools.web.search.provider = "duckduckgo" with no apiKey field; Brave keeps its OpenShell placeholder.
  • Dockerfile declares NEMOCLAW_WEB_SEARCH_PROVIDER and src/lib/onboard/dockerfile-patch.ts threads it from the onboard config.
  • src/lib/onboard/web-search-flow.ts configureWebSearch adds a DuckDuckGo path that bypasses the Brave API-key flow entirely. src/lib/onboard/brave-provider-profile.ts no longer treats a non-Brave provider as Brave-active. src/lib/onboard/web-search-verify.ts recognizes the DuckDuckGo branch.
  • New nemoclaw-blueprint/provider-profiles/duckduckgo.yaml and nemoclaw-blueprint/policies/presets/duckduckgo.yaml allow GET/POST on duckduckgo.com and lite.duckduckgo.com from the same node/curl binaries Brave whitelists.
  • Meta-policies (tiers, permissive bundles) are intentionally left untouched so the experimental gate stays mandatory before any DuckDuckGo preset attaches.
  • E2E test/e2e/test-duckduckgo-search-e2e.sh mirrors the Brave suite minus the secret-handling phases and asserts that no apiKey/api_key field is emitted.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • `npx prek run --all-files` passes
  • `npm test` passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • `npm run docs` builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

Summary by CodeRabbit

  • New Features

    • Experimental DuckDuckGo added as an alternative web-search provider; selectable via env, onboarding prompt, or non-interactive flag. Runtime exposes NEMOCLAW_WEB_SEARCH_PROVIDER (defaults to Brave); DuckDuckGo is keyless and gated by experimental mode.
  • Policy

    • Preset suggestions and pruning now respect the chosen web-search provider (DuckDuckGo or Brave).
  • Documentation

    • Quickstart and reference docs updated to describe DuckDuckGo onboarding, experimental mode, and policy impacts.
  • Tests / CI

    • New unit tests, E2E script, and CI job coverage for DuckDuckGo flows.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
copy-pr-bot Bot commented Jun 2, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

coderabbitai Bot commented Jun 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4ec68127-36b3-4957-8c27-88b4fac0a96a

📥 Commits

Reviewing files that changed from the base of the PR and between ec9713d and e5c5f60.

📒 Files selected for processing (11)
  • Dockerfile
  • docs/reference/commands.mdx
  • scripts/generate-openclaw-config.mts
  • src/lib/onboard/dockerfile-patch.test.ts
  • src/lib/onboard/dockerfile-patch.ts
  • src/lib/onboard/policy-presets.ts
  • src/lib/onboard/policy-selection.ts
  • src/lib/policy/index.ts
  • test/generate-openclaw-config.test.ts
  • test/onboard-policy-suggestions.test.ts
  • test/policies.test.ts
✅ Files skipped from review due to trivial changes (2)
  • docs/reference/commands.mdx
  • test/generate-openclaw-config.test.ts
🚧 Files skipped from review as they are similar to previous changes (6)
  • src/lib/onboard/policy-presets.ts
  • scripts/generate-openclaw-config.mts
  • src/lib/policy/index.ts
  • src/lib/onboard/dockerfile-patch.test.ts
  • test/onboard-policy-suggestions.test.ts
  • src/lib/onboard/policy-selection.ts

Walkthrough

Adds DuckDuckGo as a selectable, keyless web-search provider and propagates provider choice through Docker/ENV, generated OpenClaw config, onboarding/session handling, policy presets and staleness logic, sandbox verification, provider/preset YAMLs, tests, docs, and nightly E2E CI.

Changes

DuckDuckGo Web Search Provider

| Layer | File(s) | Summary |
|---|---|---|
| Web Search Provider Type System | src/lib/inference/web-search.ts | Adds WebSearchProvider (`"brave" |
| Docker Build and Runtime Configuration | Dockerfile, src/lib/onboard/dockerfile-patch.ts, scripts/generate-openclaw-config.mts | Adds ARG NEMOCLAW_WEB_SEARCH_PROVIDER=brave and ENV NEMOCLAW_WEB_SEARCH_PROVIDER=${NEMOCLAW_WEB_SEARCH_PROVIDER}, patches staged Dockerfile with selected provider, and generates OpenClaw tools.web.search config for duckduckgo (keyless) or Brave (with apiKey). |
| DuckDuckGo Provider Profile & Policy Preset | nemoclaw-blueprint/provider-profiles/duckduckgo.yaml, nemoclaw-blueprint/policies/presets/duckduckgo.yaml | Adds DuckDuckGo provider profile and a network policy preset allowing duckduckgo.com and lite.duckduckgo.com over TLS and permitting Node/curl binaries. |
| Web Search Onboarding Flow & Session Sanitization | src/lib/onboard/web-search-flow.ts, src/lib/state/onboard-session.ts, src/lib/onboard/brave-provider-profile.ts | Interactive flow generalized to “Enable Web Search?”, provider prompt (accepts brave/duckduckgo/ddg), non-interactive honors NEMOCLAW_WEB_SEARCH_PROVIDER, existing DuckDuckGo config short-circuits, and session parsing/sanitization preserves only validated providers. |
| Provider-Aware Onboarding Module Updates | src/lib/onboard/policy-presets.ts, src/lib/onboard/policy-selection.ts, src/lib/onboard/web-search-verify.ts, src/lib/onboard.ts, src/lib/policy/index.ts | Preset suggestion and staleness logic become provider-aware (brave vs duckduckgo), Brave enablement respects provider, verifyWebSearchInsideSandbox short-circuits for DuckDuckGo, finalization uses isWebSearchEnabled, and setupPolicyPresetSupported gates both brave and duckduckgo by options.webSearchSupported. |
| Onboarding Session State Management | src/lib/state/onboard-session.ts | parseWebSearchConfig requires fetchEnabled === true, validates provider via isWebSearchProvider, and sanitizes persistence and updates accordingly. |
| User-Facing Documentation | docs/reference/commands.mdx, docs/get-started/quickstart.mdx, docs/reference/network-policies.mdx | Documents experimental DuckDuckGo onboarding usage (NEMOCLAW_EXPERIMENTAL=1, NEMOCLAW_WEB_SEARCH_PROVIDER=duckduckgo), provider preselection behavior, and provider-dependent web-search preset descriptions. |
| Comprehensive DuckDuckGo E2E & CI | test/e2e/test-duckduckgo-search-e2e.sh, .github/workflows/nightly-e2e.yaml | Adds E2E script that provisions a sandbox, runs non-interactive DuckDuckGo onboarding, verifies policy and openclaw.json, asserts no apiKey emitted, optionally exercises live search via agent and curl; workflow adds duckduckgo-search-e2e job and aggregator wiring. |
| Unit & Integration Test Updates | test/onboard-brave-validation.test.ts, test/policies.test.ts, test/generate-openclaw-config.test.ts, src/lib/inference/web-search.test.ts, src/lib/onboard/dockerfile-patch.test.ts, src/lib/state/onboard-session.test.ts, src/lib/onboard/web-search-verify.test.ts, test/onboard-policy-suggestions.test.ts | Adds/updates tests to cover provider normalization, provider-based config emission, Dockerfile patching for provider ARG, session persistence and sanitization, prompt text change, preset counts and ordering, and verifier DuckDuckGo short-circuit behavior. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

area: onboarding, enhancement: policy, documentation

Suggested reviewers

  • cv

"A search without keys, so light and so free,
DuckDuckGo hops through the sandbox with glee,
No API to guard, just a provider to pick,
The logs hum in silence, responses come quick,
A rabbit tip‑toe, happy and slick."

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 20.45% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and concisely summarizes the main change: adding DuckDuckGo as a web-search provider with experimental gating. |
| Linked Issues check | ✅ Passed | The code changes fully implement the proposed design from issue #4559, including DuckDuckGo provider support, WebSearchConfig extension, onboarding integration, and Docker/OpenClaw configuration handling. |
| Out of Scope Changes check | ✅ Passed | All changes are directly aligned with issue #4559 objectives; no unrelated modifications detected beyond the scope of adding DuckDuckGo web-search provider support. |


github-actions Bot commented Jun 2, 2026

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-advisor-raw-output.txt

github-actions Bot commented Jun 2, 2026

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-scenario-advisor-raw-output.txt

github-actions Bot commented Jun 2, 2026

PR Review Advisor

Findings: 3 needs attention, 4 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 7 still apply, 0 new items found

Review findings

🛠️ Needs attention

  • Onboard session monolith grows further (src/lib/state/onboard-session.ts): This PR adds web-search provider parsing and normalization to an existing large onboarding session file. The deterministic monolith drift check still reports this hotspot growing beyond the repository threshold.
    • Recommendation: Extract the new web-search session parsing/normalization helper into a focused module, or offset this growth by moving nearby session parsing helpers out of the monolith.
    • Evidence: Monolith drift evidence reports src/lib/state/onboard-session.ts baseLines=1206, headLines=1238, delta=32, severity=blocker.
  • Dockerfile patch test monolith grows further (src/lib/onboard/dockerfile-patch.test.ts): The PR adds DuckDuckGo Dockerfile patch coverage to an already large test file. The deterministic monolith drift check still reports growth above the repository threshold.
    • Recommendation: Move the new web-search Dockerfile patch cases into a smaller focused test file, or extract enough existing cases to keep this hotspot from growing.
    • Evidence: Monolith drift evidence reports src/lib/onboard/dockerfile-patch.test.ts baseLines=1314, headLines=1354, delta=40, severity=blocker.
  • Onboard session test monolith grows further (src/lib/state/onboard-session.test.ts): The PR adds DuckDuckGo web-search session coverage to an already large test file. The deterministic monolith drift check still reports growth above the repository threshold.
    • Recommendation: Move the web-search session normalization tests into a focused session-web-search test file, or extract existing groups to offset the growth.
    • Evidence: Monolith drift evidence reports src/lib/state/onboard-session.test.ts baseLines=1171, headLines=1208, delta=37, severity=blocker.

🔎 Worth checking

  • Source-of-truth review needed: src/lib/onboard/dockerfile-patch.ts webSearchConfig enablement: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: src/lib/onboard/dockerfile-patch.ts uses webSearchConfig ? '1' : '0' for NEMOCLAW_WEB_SEARCH_ENABLED.
  • DuckDuckGo preset grants write-capable egress broader than the feature proves (nemoclaw-blueprint/policies/presets/duckduckgo.yaml:16): The new DuckDuckGo preset allows POST to every path on duckduckgo.com and lite.duckduckgo.com, and the provider profile marks both endpoints read-write. The feature is keyless search, and the added E2E evidence demonstrates only GET access to the lite endpoint. Allowing POST/read-write increases sandbox exfiltration surface for an optional web-search preset without evidence that OpenClaw needs it.
    • Recommendation: Make the DuckDuckGo preset and provider profile read-only unless the backend requires POST. If POST is required, document the exact endpoint/flow and add a targeted test proving it is needed while keeping the policy as narrow as possible.
    • Evidence: nemoclaw-blueprint/policies/presets/duckduckgo.yaml allows GET and POST on '/**' for duckduckgo.com and lite.duckduckgo.com; nemoclaw-blueprint/provider-profiles/duckduckgo.yaml marks both endpoints access: read-write; test/e2e/test-duckduckgo-search-e2e.sh D4b validates a GET request to https://lite.duckduckgo.com/lite/.
  • Keyless DuckDuckGo E2E job inherits the Brave secret mapping (.github/workflows/nightly-e2e.yaml:603): The DuckDuckGo job is keyless and does not set the reusable workflow's brave_api_key input, but it still uses the default secrets map whose anchor includes BRAVE_API_KEY. The reusable workflow exports an empty BRAVE_API_KEY unless brave_api_key is true, so this is not a confirmed leak, but the real secret is unnecessarily made available at the workflow-call boundary for a job that executes checked-out target-ref E2E code.
    • Recommendation: Remove BRAVE_API_KEY from the duckduckgo-search-e2e job's secrets block unless the job actually needs it. If the workflow needs a shared secret map, create a narrower map for keyless jobs.
    • Evidence: .github/workflows/nightly-e2e.yaml defines duckduckgo-search-e2e with secrets: *nightly-e2e-default-secrets; the anchor maps BRAVE_API_KEY: ${{ secrets.BRAVE_API_KEY }}; .github/workflows/e2e-script.yaml only passes BRAVE_API_KEY to the script when inputs.brave_api_key is true.
  • Dockerfile patching relies on a truthy webSearchConfig contract (src/lib/onboard/dockerfile-patch.ts:199): The Dockerfile patcher bakes NEMOCLAW_WEB_SEARCH_ENABLED=1 for any non-null webSearchConfig, even though the shared WebSearchConfig type has an explicit fetchEnabled flag and finalization/session paths treat only fetchEnabled === true as enabled. Current onboarding callers mostly pass null-or-enabled configs, but a direct or future caller passing { fetchEnabled: false } would still enable web search in the image. This is also the remaining source-of-truth follow-up: the invalid state, source boundary, regression test, and removal condition are not handled at this patch boundary.
    • Recommendation: Use isWebSearchEnabled(webSearchConfig) in patchStagedDockerfile and add a negative Dockerfile patch test proving { fetchEnabled: false } leaves NEMOCLAW_WEB_SEARCH_ENABLED=0.
    • Evidence: src/lib/onboard/dockerfile-patch.ts writes NEMOCLAW_WEB_SEARCH_ENABLED from webSearchConfig ? '1' : '0'; src/lib/inference/web-search.ts defines isWebSearchEnabled as fetchEnabled === true; src/lib/onboard.ts uses isWebSearchEnabled for finalization; grep found no fetchEnabled:false negative case in src/lib/onboard/dockerfile-patch.test.ts.

🌱 Nice ideas

  • None.
Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.
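
The "truthy webSearchConfig contract" finding above, as an added example (not code from this PR or from NemoClaw): it contrasts the `webSearchConfig ? '1' : '0'` pattern with the recommended `isWebSearchEnabled` predicate on a constructed staged Dockerfile. `setArg`, `readArg`, `patchTruthy`, `patchWithPredicate` and the Dockerfile text are hypothetical stand-ins; the types mirror only what the review describes.

```typescript
// Added illustration with simplified stand-ins; not the NemoClaw sources.
type WebSearchProvider = "brave" | "duckduckgo";

interface WebSearchConfig {
  fetchEnabled: boolean;
  provider?: WebSearchProvider;
}

function isWebSearchProvider(value: unknown): value is WebSearchProvider {
  return value === "brave" || value === "duckduckgo";
}

// The predicate as the finding describes it: only fetchEnabled === true counts.
function isWebSearchEnabled(config: WebSearchConfig | null | undefined): boolean {
  return config?.fetchEnabled === true;
}

// Hypothetical helper: rewrite one `ARG NAME=value` line, failing loudly if absent.
function setArg(dockerfile: string, name: string, value: string): string {
  const pattern = new RegExp(`^ARG ${name}=.*$`, "m");
  if (!pattern.test(dockerfile)) {
    throw new Error(`staged Dockerfile has no ARG ${name}`);
  }
  return dockerfile.replace(pattern, () => `ARG ${name}=${value}`);
}

// Hypothetical helper: read back the value of an ARG line (null if missing).
function readArg(dockerfile: string, name: string): string | null {
  const match = new RegExp(`^ARG ${name}=(.*)$`, "m").exec(dockerfile);
  return match?.[1] ?? null;
}

// Pattern flagged in the review: any non-null object enables web search.
function patchTruthy(dockerfile: string, config: WebSearchConfig | null): string {
  return setArg(dockerfile, "NEMOCLAW_WEB_SEARCH_ENABLED", config ? "1" : "0");
}

// Recommended pattern: the shared predicate decides, and the provider is
// re-validated at this boundary because session data may arrive untyped.
function patchWithPredicate(dockerfile: string, config: WebSearchConfig | null): string {
  const enabled = isWebSearchEnabled(config);
  let patched = setArg(dockerfile, "NEMOCLAW_WEB_SEARCH_ENABLED", enabled ? "1" : "0");
  if (enabled && config !== null) {
    const provider: unknown = config.provider ?? "brave"; // Brave is the default
    if (!isWebSearchProvider(provider)) {
      throw new Error("unsupported web-search provider");
    }
    patched = setArg(patched, "NEMOCLAW_WEB_SEARCH_PROVIDER", provider);
  }
  return patched;
}

// Constructed staged Dockerfile (sample input, not the project's file).
const STAGED_DOCKERFILE = [
  "FROM scratch",
  "ARG NEMOCLAW_WEB_SEARCH_ENABLED=0",
  "ARG NEMOCLAW_WEB_SEARCH_PROVIDER=brave",
  "ENV NEMOCLAW_WEB_SEARCH_PROVIDER=${NEMOCLAW_WEB_SEARCH_PROVIDER}",
].join("\n");

// The negative case the review asks for: a present but disabled config.
const disabledConfig: WebSearchConfig = { fetchEnabled: false, provider: "duckduckgo" };
console.log(
  "truthy check bakes ENABLED =",
  readArg(patchTruthy(STAGED_DOCKERFILE, disabledConfig), "NEMOCLAW_WEB_SEARCH_ENABLED"),
);
console.log(
  "predicate bakes ENABLED =",
  readArg(patchWithPredicate(STAGED_DOCKERFILE, disabledConfig), "NEMOCLAW_WEB_SEARCH_ENABLED"),
);
```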

@laitingsheng laitingsheng marked this pull request as ready for review June 3, 2026 02:39
github-actions Bot commented Jun 3, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
src/lib/onboard/web-search-flow.ts (1)

245-248: 💤 Low value

Remove unreachable null check.

Since promptWebSearchProvider() never returns null (it returns "brave" or "duckduckgo", or exits), and duckDuckGoRequested is boolean, provider cannot be null at line 246. Based on learnings, avoid defensive handling when there is no realistic failure mode.

♻️ Proposed simplification
     const provider = duckDuckGoRequested ? "duckduckgo" : await promptWebSearchProvider();
-    if (provider === null) {
-      return null;
-    }
 
     if (provider === "duckduckgo") {
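Review bot: Dropping the `provider === null` guard is only sound once `promptWebSearchProvider()` is typed as never returning null, and this hunk leaves that call untouched. Narrow its return type in the same commit so the compiler enforces the assumption; otherwise a null would pass the `provider === "duckduckgo"` comparison below unhandled instead of returning early.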
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/web-search-flow.ts` around lines 245 - 248, The null check
for provider is unreachable because provider is assigned from
duckDuckGoRequested (boolean) or promptWebSearchProvider() which never returns
null; remove the defensive branch that returns null. Specifically, delete the if
(provider === null) { return null; } block in the web-search flow so callers can
assume provider is a valid string (from promptWebSearchProvider or
"duckduckgo"); ensure any downstream code relies on provider as a non-null
string and adjust types if necessary.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reference/commands.mdx`:
- Around line 238-239: Update the non-interactive onboarding example so it
explicitly accepts third-party software; add the flag
--yes-i-accept-third-party-software (or set
NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1) to the command shown (the example with
NEMOCLAW_EXPERIMENTAL and NEMOCLAW_WEB_SEARCH_PROVIDER=duckduckgo that runs
`nemoclaw onboard --non-interactive`) so the copy-pasteable example succeeds
without manual interaction.

In `@nemoclaw-blueprint/policies/presets/duckduckgo.yaml`:
- Around line 24-27: Mismatch in the binaries allowlist: the duckduckgo preset's
binaries block only lists "/usr/bin/curl" while the provider profile allows both
"/usr/local/bin/curl" and "/usr/bin/curl"; update the binaries array in the
presets file (the "binaries" entry and its curl item) to include the same curl
paths as the provider profile so egress checks won't be blocked (i.e., add the
"/usr/local/bin/curl" entry alongside "/usr/bin/curl").

In `@src/lib/onboard/web-search-flow.ts`:
- Around line 175-190: The function promptWebSearchProvider never returns null,
so update its signature to return Promise<WebSearchProvider> instead of
Promise<WebSearchProvider | null>; modify the declaration of
promptWebSearchProvider accordingly and ensure any call sites expecting null are
adjusted (there should be none since the function either returns
"brave"/"duckduckgo" or exits via exitOnboardFromPrompt); keep the internal
logic returning "brave" or "duckduckgo" unchanged.

---

Nitpick comments:
In `@src/lib/onboard/web-search-flow.ts`:
- Around line 245-248: The null check for provider is unreachable because
provider is assigned from duckDuckGoRequested (boolean) or
promptWebSearchProvider() which never returns null; remove the defensive branch
that returns null. Specifically, delete the if (provider === null) { return
null; } block in the web-search flow so callers can assume provider is a valid
string (from promptWebSearchProvider or "duckduckgo"); ensure any downstream
code relies on provider as a non-null string and adjust types if necessary.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1a061b8d-8478-41e1-8fe6-77d1528e96a3

📥 Commits

Reviewing files that changed from the base of the PR and between ac5b144 and 503eabd.

📒 Files selected for processing (18)
  • Dockerfile
  • docs/reference/commands.mdx
  • nemoclaw-blueprint/policies/presets/duckduckgo.yaml
  • nemoclaw-blueprint/provider-profiles/duckduckgo.yaml
  • scripts/generate-openclaw-config.mts
  • src/lib/inference/web-search.ts
  • src/lib/onboard.ts
  • src/lib/onboard/brave-provider-profile.ts
  • src/lib/onboard/dockerfile-patch.ts
  • src/lib/onboard/policy-presets.ts
  • src/lib/onboard/policy-selection.ts
  • src/lib/onboard/web-search-flow.ts
  • src/lib/onboard/web-search-verify.ts
  • src/lib/policy/index.ts
  • src/lib/state/onboard-session.ts
  • test/e2e/test-duckduckgo-search-e2e.sh
  • test/onboard-brave-validation.test.ts
  • test/policies.test.ts

Comment thread docs/reference/commands.mdx
Comment thread nemoclaw-blueprint/policies/presets/duckduckgo.yaml
Comment thread src/lib/onboard/web-search-flow.ts Outdated
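
The two policy findings raised in the reviews above (POST allowed on `/**` with `access: read-write`, and a curl path present in the provider profile but missing from the preset) can be checked mechanically. This is an added example, not code from this PR or from NemoClaw: the object shapes, the `read-only` value, the node binary path and `lintKeylessSearchPolicy` are assumptions standing in for the two YAML files, and the sample data is constructed from the review's evidence lines.

```typescript
// Added illustration; the shapes below are assumed, not the real YAML schema.
type Access = "read-only" | "read-write";

interface PresetEndpoint { host: string; methods: string[]; path: string }
interface Preset { endpoints: PresetEndpoint[]; binaries: string[] }
interface ProfileEndpoint { host: string; access: Access }
interface Profile { endpoints: ProfileEndpoint[]; binaries: string[] }
interface Finding { rule: string; subject: string; detail: string }

const WRITE_METHODS = ["POST", "PUT", "PATCH", "DELETE"];

// Hypothetical linter for a keyless, read-style search preset and its profile.
function lintKeylessSearchPolicy(preset: Preset, profile: Profile): Finding[] {
  const findings: Finding[] = [];

  // 1. Write-capable methods on a wildcard path widen the egress surface.
  for (const ep of preset.endpoints) {
    const writes = ep.methods.filter((m) => WRITE_METHODS.indexOf(m.toUpperCase()) !== -1);
    if (writes.length > 0 && ep.path.indexOf("*") !== -1) {
      findings.push({
        rule: "write-on-wildcard",
        subject: ep.host,
        detail: `${writes.join(",")} allowed on ${ep.path}`,
      });
    }
  }

  // 2. The provider profile should not claim more access than search needs.
  for (const ep of profile.endpoints) {
    if (ep.access === "read-write") {
      findings.push({ rule: "profile-read-write", subject: ep.host, detail: "access: read-write" });
    }
  }

  // 3. Binary allowlists must agree, or egress checks block one of the paths.
  for (const bin of profile.binaries) {
    if (preset.binaries.indexOf(bin) === -1) {
      findings.push({ rule: "binary-mismatch", subject: bin, detail: "in profile, missing from preset" });
    }
  }
  for (const bin of preset.binaries) {
    if (profile.binaries.indexOf(bin) === -1) {
      findings.push({ rule: "binary-mismatch", subject: bin, detail: "in preset, missing from profile" });
    }
  }
  return findings;
}

// Constructed from the review evidence: GET and POST on '/**', read-write profile,
// preset lists only /usr/bin/curl. The node path is a placeholder assumption.
const REVIEWED_PRESET: Preset = {
  endpoints: [
    { host: "duckduckgo.com", methods: ["GET", "POST"], path: "/**" },
    { host: "lite.duckduckgo.com", methods: ["GET", "POST"], path: "/**" },
  ],
  binaries: ["/usr/local/bin/node", "/usr/bin/curl"],
};
const REVIEWED_PROFILE: Profile = {
  endpoints: [
    { host: "duckduckgo.com", access: "read-write" },
    { host: "lite.duckduckgo.com", access: "read-write" },
  ],
  binaries: ["/usr/local/bin/node", "/usr/local/bin/curl", "/usr/bin/curl"],
};

// Tightened variant following the recommendations: GET only, read-only, same binaries.
const TIGHTENED_PRESET: Preset = {
  endpoints: REVIEWED_PRESET.endpoints.map((ep) => ({ host: ep.host, methods: ["GET"], path: ep.path })),
  binaries: REVIEWED_PROFILE.binaries.slice(),
};
const TIGHTENED_PROFILE: Profile = {
  endpoints: REVIEWED_PROFILE.endpoints.map((ep) => ({ host: ep.host, access: "read-only" as Access })),
  binaries: REVIEWED_PROFILE.binaries.slice(),
};

for (const f of lintKeylessSearchPolicy(REVIEWED_PRESET, REVIEWED_PROFILE)) {
  console.log(`${f.rule}: ${f.subject} (${f.detail})`);
}
```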
github-actions Bot commented Jun 3, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26860420350
Target ref: 503eabd97c68a7ec1bc09340acca800f8098a287
Workflow ref: main
Requested jobs: brave-search-e2e,network-policy-e2e,cloud-onboard-e2e
Summary: 3 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| brave-search-e2e | ✅ success |
| cloud-onboard-e2e | ✅ success |
| network-policy-e2e | ✅ success |

@wscurran wscurran added area: providers Inference provider integrations and provider behavior feature PR adds or expands user-visible functionality labels Jun 3, 2026
…ig, helper

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
github-actions Bot commented Jun 3, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26861505717
Target ref: 16a38718cff96d163af95e49c3ee0d2757732ddc
Workflow ref: main
Requested jobs: brave-search-e2e,network-policy-e2e,cloud-onboard-e2e,onboard-resume-e2e
Summary: 4 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| brave-search-e2e | ✅ success |
| cloud-onboard-e2e | ✅ success |
| network-policy-e2e | ✅ success |
| onboard-resume-e2e | ✅ success |

…per, refresh docs

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/lib/onboard/policy-selection.ts (1)

201-205: 💤 Low value

Local alias isStaleBuiltinBrave is now misleading.

The helper is provider-aware (handles duckduckgo too), so the local name reads as Brave-only. Optional rename to isStaleBuiltinWebSearch for clarity; behavior is correct as-is.

Also applies to: 292-293

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard/policy-selection.ts` around lines 201 - 205, The local alias
isStaleBuiltinBrave is misleading because the underlying helper is
provider-aware; rename the alias to isStaleBuiltinWebSearch to reflect that it
covers Brave and DuckDuckGo and update all usages (the alias definition that
calls isStaleBuiltinWebSearchPolicyPreset and the later reference at the other
occurrence) to the new name; keep the call arguments (webSearchConfig and
customPolicyPresetNames) unchanged so behavior stays the same.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reference/network-policies.mdx`:
- Line 75: Replace the passive sentence "The unused web-search preset is pruned
from the tier defaults." with an active-voice version; update the text to
"NemoClaw prunes the unused web-search preset from the tier defaults." so the
docs follow the active-voice guideline for docs/**.

---

Nitpick comments:
In `@src/lib/onboard/policy-selection.ts`:
- Around line 201-205: The local alias isStaleBuiltinBrave is misleading because
the underlying helper is provider-aware; rename the alias to
isStaleBuiltinWebSearch to reflect that it covers Brave and DuckDuckGo and
update all usages (the alias definition that calls
isStaleBuiltinWebSearchPolicyPreset and the later reference at the other
occurrence) to the new name; keep the call arguments (webSearchConfig and
customPolicyPresetNames) unchanged so behavior stays the same.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 28e6d8ba-7ee5-48b4-a95d-a4197557a542

📥 Commits

Reviewing files that changed from the base of the PR and between 16a3871 and b5653a0.

📒 Files selected for processing (8)
  • .github/workflows/nightly-e2e.yaml
  • docs/get-started/quickstart.mdx
  • docs/reference/network-policies.mdx
  • src/lib/onboard/policy-selection.ts
  • src/lib/onboard/web-search-verify.test.ts
  • src/lib/onboard/web-search-verify.ts
  • src/lib/state/onboard-session.ts
  • test/onboard-policy-suggestions.test.ts
✅ Files skipped from review due to trivial changes (1)
  • docs/get-started/quickstart.mdx
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/lib/onboard/web-search-verify.ts
  • src/lib/state/onboard-session.ts

Comment thread docs/reference/network-policies.mdx Outdated
github-actions Bot commented Jun 3, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26863024417
Target ref: b5653a065c5bdec7919405705e45e3ee8c43f8f8
Workflow ref: main
Requested jobs: brave-search-e2e,network-policy-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| brave-search-e2e | ✅ success |
| network-policy-e2e | ✅ success |

…e voice, rename local alias

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
github-actions Bot commented Jun 3, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26864205349
Target ref: feat/4559-duckduckgo-web-search
Workflow ref: feat/4559-duckduckgo-web-search
Requested jobs: duckduckgo-search-e2e
Summary: 1 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| duckduckgo-search-e2e | ✅ success |

…interactive too

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@laitingsheng laitingsheng added the v0.0.58 Release target label Jun 3, 2026
github-actions Bot commented Jun 3, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26865473413
Target ref: 989958b7373e4f96afc68debd2999eed2cdd03e3
Workflow ref: main
Requested jobs: brave-search-e2e,network-policy-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| brave-search-e2e | ✅ success |
| network-policy-e2e | ✅ success |

…web-search

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
github-actions Bot commented Jun 3, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 26887302061
Target ref: 94f919e977fd896b906897aeb7f5dc384284f18c
Workflow ref: main
Requested jobs: brave-search-e2e,network-policy-e2e
Summary: 2 passed, 0 failed, 0 skipped

| Job | Result |
|---|---|
| brave-search-e2e | ✅ success |
| network-policy-e2e | ✅ success |

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
…onflicts with latest main

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>