fix(cli): suppress inference probe upfront on docker/sandbox failure layers and expose failureLayer to status --json

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

Author: laitingsheng

src/commands/sandbox/status.ts

@@ -28,7 +28,12 @@ export default class SandboxStatusCommand extends NemoClawCommand {
     const { args } = await this.parse(SandboxStatusCommand);
     if (this.jsonEnabled()) {
       const report = await getSandboxStatusReport(args.sandboxName);
-      if (!report.found || report.gatewayState !== "present" || report.rpcIssue) {
+      if (
+        !report.found ||
+        report.gatewayState !== "present" ||
+        report.rpcIssue ||
+        report.failureLayer
+      ) {
         process.exitCode = 1;
       }
       // #4310: route the machine-readable report through the centralized

src/lib/actions/sandbox/docker-health.ts

@@ -4,6 +4,7 @@
 import { dockerContainerInspectFormat } from "../../adapters/docker/inspect";
 import { dockerCapture } from "../../adapters/docker/run";
 import * as registry from "../../state/registry";
+import { resolveSandboxContainerOwner } from "./sandbox-container-owner";
 
 export type DockerHealthState =
   | "healthy"
@@ -48,48 +49,11 @@ function resolveDockerDriverSandboxContainer(
   } catch {
     return null;
   }
-  // OpenShell names sandbox containers either as `openshell-<sandbox>`
-  // (no suffix) or `openshell-<sandbox>-<id>` where <id> is a runtime
-  // identifier appended by openshell. Two ambiguities to avoid:
-  //
-  //   1. A sandbox name can be a prefix of another sandbox name
-  //      (`my` vs `my-assistant`).
-  //   2. Even with a hyphen-free suffix, a sandbox name can be a prefix
-  //      of another sandbox name whose own suffix is hyphen-free
-  //      (`my-assistant` vs `my-assistant-prod`).
-  //
-  // To disambiguate, resolve each candidate to the LONGEST registered
-  // sandbox name it could belong to. We only accept a candidate when
-  // that resolved owner is the sandbox we are looking up. This also
-  // gives the right answer for the `openshell-<sandbox>` exact form.
-  const ourPrefix = `openshell-${sandboxName}-`;
-  const ourExact = `openshell-${sandboxName}`;
-  const knownSandboxes = new Set(deps.listSandboxNames());
-  knownSandboxes.add(sandboxName);
-  const candidates = deps
-    .dockerPsNames()
-    .split("\n")
-    .map((line) => line.trim())
-    .filter((line) => line === ourExact || line.startsWith(ourPrefix));
-  // Prefer the exact-name container before considering suffixed ones.
-  // Without this short-circuit, a suffixed `openshell-<name>-<id>` whose
-  // <id> is a docker runtime suffix (not a registered sandbox name) would
-  // resolve to our sandbox via the longest-match heuristic and beat the
-  // co-existing exact `openshell-<name>` if it appeared earlier in
-  // `docker ps`.
-  if (candidates.includes(ourExact)) return ourExact;
-  for (const candidate of candidates) {
-    const stripped = candidate.replace(/^openshell-/, "");
-    // Find the longest known sandbox whose container name pattern
-    // matches this candidate. Longest-first defeats prefix collisions.
-    const owner = [...knownSandboxes]
-      .filter(
-        (name) => stripped === name || stripped.startsWith(`${name}-`),
-      )
-      .sort((a, b) => b.length - a.length)[0];
-    if (owner === sandboxName) return candidate;
-  }
-  return null;
+  return resolveSandboxContainerOwner(
+    deps.dockerPsNames(),
+    sandboxName,
+    deps.listSandboxNames(),
+  );
 }
 
 function normalizeHealthState(raw: string): DockerHealthState {

src/lib/actions/sandbox/gateway-failure-classifier.ts

@@ -7,6 +7,7 @@ import { dockerInfo } from "../../adapters/docker/info";
 import { dockerCapture } from "../../adapters/docker/run";
 import { GATEWAY_PORT } from "../../core/ports";
 import * as registry from "../../state/registry";
+import { resolveSandboxContainerOwner } from "./sandbox-container-owner";
 
 const DEFAULT_CONTAINER = "openshell-cluster-nemoclaw";
 const DOCKER_TIMEOUT_MS = 3000;
@@ -189,46 +190,6 @@ const defaultSandboxContainerRunners: SandboxContainerFailureRunners = {
   portProbe: defaultPortProbe,
 };
 
-// OpenShell names sandbox containers either as `openshell-<sandbox>` (no
-// suffix) or `openshell-<sandbox>-<id>`, where `<id>` is appended by
-// openshell at runtime. Two prefix collisions are possible:
-//
-//   1. A sandbox name can be a prefix of another sandbox name
-//      (`my` vs `my-assistant`).
-//   2. Even with a hyphen-free `<id>`, a sandbox name can be a prefix
-//      of another sandbox name whose own suffix is hyphen-free
-//      (`my-assistant` vs `my-assistant-prod`).
-//
-// Resolve each candidate to the LONGEST registered sandbox name it could
-// belong to and only accept candidates that resolve to the sandbox we are
-// looking up. The exact-name form is preferred before suffixed forms so
-// that an `openshell-<sandbox>` container always wins over an unrelated
-// `openshell-<sandbox>-<runtime-id>` co-tenant. Mirrors the resolver in
-// `docker-health.ts`.
-function findSandboxContainerName(
-  names: string,
-  sandboxName: string,
-  registeredSandboxNames: readonly string[],
-): string | null {
-  const ourPrefix = `openshell-${sandboxName}-`;
-  const ourExact = `openshell-${sandboxName}`;
-  const known = new Set<string>(registeredSandboxNames);
-  known.add(sandboxName);
-  const candidates = names
-    .split("\n")
-    .map((line) => line.trim())
-    .filter((line) => line === ourExact || line.startsWith(ourPrefix));
-  if (candidates.includes(ourExact)) return ourExact;
-  const knownArr = [...known];
-  for (const candidate of candidates) {
-    const stripped = candidate.replace(/^openshell-/, "");
-    const owner = knownArr
-      .filter((name) => stripped === name || stripped.startsWith(`${name}-`))
-      .sort((a, b) => b.length - a.length)[0];
-    if (owner === sandboxName) return candidate;
-  }
-  return null;
-}
 
 function isValidDashboardPort(port: number | null | undefined): port is number {
   return (
@@ -248,13 +209,13 @@ export async function classifySandboxContainerFailure(
 ): Promise<SandboxContainerFailureResult | null> {
   const runners = opts.runners ?? defaultSandboxContainerRunners;
   const registeredSandboxNames = runners.listSandboxNames();
-  const running = findSandboxContainerName(
+  const running = resolveSandboxContainerOwner(
     runners.listRunningContainerNames(),
     sandboxName,
     registeredSandboxNames,
   );
   if (running) return null;
-  const present = findSandboxContainerName(
+  const present = resolveSandboxContainerOwner(
     runners.listAllContainerNames(),
     sandboxName,
     registeredSandboxNames,

src/lib/actions/sandbox/sandbox-container-owner.ts

@@ -0,0 +1,46 @@
+// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * Resolve which OpenShell container owns a given sandbox name.
+ *
+ * OpenShell names sandbox containers either as `openshell-<sandbox>` (no
+ * suffix) or `openshell-<sandbox>-<id>`, where `<id>` is appended by openshell
+ * at runtime. Two prefix collisions are possible:
+ *
+ *   1. A sandbox name can be a prefix of another sandbox name
+ *      (`my` vs `my-assistant`).
+ *   2. Even with a hyphen-free `<id>`, a sandbox name can be a prefix
+ *      of another sandbox name whose own suffix is hyphen-free
+ *      (`my-assistant` vs `my-assistant-prod`).
+ *
+ * The longest-owner rule resolves each candidate to the longest registered
+ * sandbox name that could claim it, then only accepts candidates that resolve
+ * back to the queried sandbox. The exact-name form is preferred before
+ * suffixed forms so `openshell-<sandbox>` always wins over an unrelated
+ * `openshell-<sandbox>-<runtime-id>` co-tenant.
+ */
+export function resolveSandboxContainerOwner(
+  containerNamesRaw: string,
+  sandboxName: string,
+  registeredSandboxNames: Iterable<string>,
+): string | null {
+  const ourPrefix = `openshell-${sandboxName}-`;
+  const ourExact = `openshell-${sandboxName}`;
+  const known = new Set<string>(registeredSandboxNames);
+  known.add(sandboxName);
+  const candidates = containerNamesRaw
+    .split("\n")
+    .map((line) => line.trim())
+    .filter((line) => line === ourExact || line.startsWith(ourPrefix));
+  if (candidates.includes(ourExact)) return ourExact;
+  const knownArr = [...known];
+  for (const candidate of candidates) {
+    const stripped = candidate.replace(/^openshell-/, "");
+    const owner = knownArr
+      .filter((name) => stripped === name || stripped.startsWith(`${name}-`))
+      .sort((a, b) => b.length - a.length)[0];
+    if (owner === sandboxName) return candidate;
+  }
+  return null;
+}

src/lib/actions/sandbox/status.test.ts

@@ -6,8 +6,10 @@ import { describe, expect, it } from "vitest";
 import type { ProviderHealthProbeOptions } from "../../../../dist/lib/inference/health";
 import {
   classifySandboxContainerFailureForStatus,
+  classifySandboxStatusPreflightFailure,
   getSandboxStatusInferenceHealth,
   isDockerDaemonUnreachableForStatus,
+  maybeGetSandboxStatusInferenceHealth,
 } from "../../../../dist/lib/actions/sandbox/status";
 
 describe("sandbox status inference health", () => {
@@ -152,3 +154,125 @@ describe("classifySandboxContainerFailureForStatus", () => {
     expect(observed).toEqual([{ sandboxName: "alpha", port: null }]);
   });
 });
+
+describe("maybeGetSandboxStatusInferenceHealth", () => {
+  it("does not invoke the provider probe when suppressInferenceProbe is true even with a present gateway and string provider", () => {
+    let probeCalls = 0;
+    const result = maybeGetSandboxStatusInferenceHealth(
+      true,
+      true,
+      "nvidia-prod",
+      "nvidia/nemotron",
+      (...args) => {
+        probeCalls += 1;
+        throw new Error(`probeProviderHealth should not be invoked (args=${JSON.stringify(args)})`);
+      },
+    );
+    expect(result).toBeNull();
+    expect(probeCalls).toBe(0);
+  });
+
+  it("delegates to the probe when suppressInferenceProbe is false", () => {
+    const calls: { provider: string; options?: ProviderHealthProbeOptions }[] = [];
+    const result = maybeGetSandboxStatusInferenceHealth(
+      false,
+      true,
+      "nvidia-prod",
+      "nvidia/nemotron",
+      (provider, options) => {
+        calls.push({ provider, options });
+        return {
+          ok: true,
+          probed: true,
+          providerLabel: "NVIDIA Endpoints",
+          endpoint: "https://integrate.api.nvidia.com/v1/chat/completions",
+          detail: "healthy",
+        };
+      },
+    );
+    expect(result?.ok).toBe(true);
+    expect(calls).toEqual([
+      { provider: "nvidia-prod", options: { model: "nvidia/nemotron" } },
+    ]);
+  });
+});
+
+describe("classifySandboxStatusPreflightFailure", () => {
+  it("returns docker_unreachable when the daemon probe reports unreachable", async () => {
+    let sandboxProbeCalled = false;
+    const result = await classifySandboxStatusPreflightFailure(
+      { name: "alpha", openshellDriver: "docker" } as never,
+      {
+        dockerProbe: () => false,
+        sandboxContainerProbe: async () => {
+          sandboxProbeCalled = true;
+          return null;
+        },
+      },
+    );
+    expect(result).toEqual({ layer: "docker_unreachable", dockerUnreachable: true });
+    // Short-circuits: a daemon that is already known to be down must not
+    // trigger a follow-up `docker ps` round trip.
+    expect(sandboxProbeCalled).toBe(false);
+  });
+
+  it("returns the sandbox container failure when the daemon is reachable", async () => {
+    const result = await classifySandboxStatusPreflightFailure(
+      { name: "alpha", openshellDriver: "docker", dashboardPort: 18789 } as never,
+      {
+        dockerProbe: () => true,
+        sandboxContainerProbe: async (sandboxName, dashboardPort) => {
+          expect(sandboxName).toBe("alpha");
+          expect(dashboardPort).toBe(18789);
+          return {
+            layer: "sandbox_dashboard_port_conflict",
+            detail: "stub failure",
+          };
+        },
+      },
+    );
+    expect(result).toEqual({
+      layer: "sandbox_dashboard_port_conflict",
+      dockerUnreachable: false,
+    });
+  });
+
+  it("returns null when the sandbox container probe finds no failure", async () => {
+    const result = await classifySandboxStatusPreflightFailure(
+      { name: "alpha", openshellDriver: "docker" } as never,
+      {
+        dockerProbe: () => true,
+        sandboxContainerProbe: async () => null,
+      },
+    );
+    expect(result).toBeNull();
+  });
+
+  it("returns null when the sandbox is not on the docker driver", async () => {
+    let dockerCalled = false;
+    let sandboxCalled = false;
+    const result = await classifySandboxStatusPreflightFailure(
+      { name: "alpha", openshellDriver: "vm" } as never,
+      {
+        dockerProbe: () => {
+          dockerCalled = true;
+          return false;
+        },
+        sandboxContainerProbe: async () => {
+          sandboxCalled = true;
+          return null;
+        },
+      },
+    );
+    expect(result).toBeNull();
+    // Both gates are docker-driver-only; a vm sandbox must not provoke
+    // either probe.
+    expect(dockerCalled).toBe(false);
+    expect(sandboxCalled).toBe(false);
+  });
+
+  it("returns null when the sandbox entry is null", async () => {
+    const result = await classifySandboxStatusPreflightFailure(null);
+    expect(result).toBeNull();
+  });
+});