fix: add local-inference policy preset for Ollama/vLLM host access (Fixes #693)

[ericksoa]

Summary

• New local-inference.yaml preset allows host.openshell.internal on ports 11434 (Ollama) and 8000 (vLLM) with binary restrictions (openclaw, claude).
• Onboard auto-suggests this preset when a local provider (ollama-local, vllm-local) is selected.
• Supersedes fix: add local-inference policy preset for Ollama/vLLM host access (#693) #781 with improvements listed below.

Improvements over #781

• Shared constant: LOCAL_INFERENCE_PROVIDERS used in both getSuggestedPolicyPresets() and setupPoliciesWithSelection() — no duplicated arrays that can drift.
• Removed nim-local: Not in the approved providers list in inference-config.ts.
• Content-level preset tests: Assert actual hosts, ports, and binary restrictions (not just count/name).
• Auto-suggestion tests: Verify local providers get the preset suggested, cloud providers don't.

Credit

Based on work by @cluster2600 in #781. The preset YAML and auto-suggest approach are theirs; this PR refactors and adds test coverage.

Test plan

• Preset content tests (hosts, ports, binaries)
• Auto-suggestion tests for ollama-local and vllm-local
• Negative tests for cloud providers
• All 200 existing policy + onboard tests pass
• Manual: onboard with ollama-local, verify local-inference is pre-selected

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features
  • Added local-inference policy preset with network policies for HTTP(S) endpoints supporting GET and POST requests on ports 11434 and 8000.
  • Onboarding flow now automatically suggests local-inference policy when using local model providers.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new "local-inference" policy preset is introduced that permits controlled network access to local LLM inference services (Ollama on port 11434 and vLLM on port 8000) running on host.openshell.internal. The onboarding flow is extended to automatically suggest this preset when a local inference provider is selected.

Changes

Cohort / File(s)	Summary
New Policy Preset nemoclaw-blueprint/policies/presets/local-inference.yaml	Defines a new local-inference preset with network policy rules allowing GET and POST requests to Ollama (port 11434) and vLLM (port 8000) endpoints, and associates binaries /usr/local/bin/openclaw and /usr/local/bin/claude.
Onboarding Logic src/lib/onboard.ts	Adds LOCAL_INFERENCE_PROVIDERS constant and extends getSuggestedPolicyPresets() and setupPoliciesWithSelection() to accept an optional provider parameter; automatically includes "local-inference" preset when provider is a local inference type.
Test Coverage test/onboard.test.ts, test/policies.test.ts	Adds unit tests validating that "local-inference" preset is suggested for local providers ("ollama-local", "vllm-local") and excluded for cloud/non-local providers; updates preset inventory tests to verify the new preset exists with correct endpoints and binaries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A whisker-twitch of joy I feel,
Local models now have seal!
Through preset paths and onboard flow,
Ollama and vLLM steal the show! 🚀
Endpoints guarded, binaries blessed,
Inference dreams put to the test!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a new local-inference policy preset for Ollama/vLLM host access, which aligns with all four modified files' primary purpose.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/693-local-inference-preset

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

test/onboard.test.ts (1)

157-162: Add an explicit empty-string provider assertion.

Line 161 checks missing provider ({}), but not provider: "". Adding it would lock in the null/empty-input behavior explicitly.

♻️ Suggested test hardening

   it("does not suggest local-inference for cloud providers", () => {
     expect(getSuggestedPolicyPresets({ provider: "nvidia-prod" })).not.toContain("local-inference");
     expect(getSuggestedPolicyPresets({ provider: "openai-api" })).not.toContain("local-inference");
     expect(getSuggestedPolicyPresets({ provider: null })).not.toContain("local-inference");
+    expect(getSuggestedPolicyPresets({ provider: "" })).not.toContain("local-inference");
     expect(getSuggestedPolicyPresets({})).not.toContain("local-inference");
   });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/onboard.test.ts` around lines 157 - 162, The test "does not suggest
local-inference for cloud providers" is missing an explicit assertion for an
empty-string provider; update the test containing getSuggestedPolicyPresets to
also assert that getSuggestedPolicyPresets({ provider: "" }) does not contain
"local-inference" so the behavior for empty-string inputs is locked in (add the
expect call alongside the existing expectations referencing
getSuggestedPolicyPresets).

test/policies.test.ts (1)

99-102: Avoid duplicating the preset count and name source of truth.

The explicit 12 can drift from the expected names array. You can derive count from expected.length in the same assertion block for easier maintenance.

Also applies to: 116-130

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.ts` around lines 99 - 102, The test for
policies.listPresets() currently asserts a hardcoded count (12); replace the
magic number with a derived value from the expected names array (use
expected.length) so the length assertion and the name assertions use the same
single source of truth (referencing policies.listPresets() and the expected
array used later in the test).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@test/onboard.test.ts`:
- Around line 157-162: The test "does not suggest local-inference for cloud
providers" is missing an explicit assertion for an empty-string provider; update
the test containing getSuggestedPolicyPresets to also assert that
getSuggestedPolicyPresets({ provider: "" }) does not contain "local-inference"
so the behavior for empty-string inputs is locked in (add the expect call
alongside the existing expectations referencing getSuggestedPolicyPresets).

In `@test/policies.test.ts`:
- Around line 99-102: The test for policies.listPresets() currently asserts a
hardcoded count (12); replace the magic number with a derived value from the
expected names array (use expected.length) so the length assertion and the name
assertions use the same single source of truth (referencing
policies.listPresets() and the expected array used later in the test).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0ed0bf61-6f4a-4f61-842c-8f5a1e63930b

📥 Commits

Reviewing files that changed from the base of the PR and between c133bab and f7bbcbd.

📒 Files selected for processing (4)

• nemoclaw-blueprint/policies/presets/local-inference.yaml
• src/lib/onboard.ts
• test/onboard.test.ts
• test/policies.test.ts