feat(inference): add Azure OpenAI as inference provider

[g4ur4vs]

Summary

• Adds Azure OpenAI as a first-class inference provider alongside NVIDIA, OpenAI, Anthropic, Gemini, and the generic OpenAI-compatible option
• Users select "Azure OpenAI" during onboarding, supply their resource endpoint URL (https://<resource>.openai.azure.com/v1) and AZURE_OPENAI_API_KEY, then enter a deployment model name
• Adds a network policy for *.openai.azure.com in the sandbox egress rules

Files changed

File	Change
src/lib/inference-config.ts	New azure-openai case in getProviderSelectionConfig()
bin/lib/onboard.js	REMOTE_PROVIDER_CONFIG entry, menu option, endpoint URL prompt, getSandboxInferenceConfig case, setupInference allowlist, dashboard label
nemoclaw-blueprint/policies/openclaw-sandbox.yaml	azure_openai network policy
src/lib/inference-config.test.ts	Moved azure-openai from blocked candidates to approved providers, added full-object and default-model tests
test/onboard-selection.test.js	Updated menu indices shifted by the new option

Test plan

• npm run build in nemoclaw/ — TypeScript compiles cleanly
• vitest run --project plugin — 234 tests passed
• vitest run --project cli — 1178 tests passed (including all 29 onboard-selection tests)
• Manual onboard with a real Azure OpenAI endpoint and API key

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added Azure OpenAI as a selectable inference provider (default model gpt-4o, credential env AZURE_OPENAI_API_KEY); CLI and dashboard support for selecting provider and model.

• Behavior

  • Azure OpenAI is handled via the OpenAI-compatible routing/validation path (including responses/tool-calling probe with fallback to chat completions).

• Network Policies

  • Added secure egress policy for Azure OpenAI endpoints covering completions, embeddings, chat, and model discovery.

• Documentation

  • Updated onboarding, provider options, validation, and switching guides for Azure OpenAI.

• Tests

  • Added/updated tests for Azure OpenAI selection and defaults.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 951bb0e7-4674-4b66-90e7-e6ac5e5d560d

📥 Commits

Reviewing files that changed from the base of the PR and between d8ee8ac and b1a0042.

📒 Files selected for processing (1)

• src/lib/inference-config.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/inference-config.ts

---

📝 Walkthrough

Walkthrough

Added Azure OpenAI provider support across onboarding, inference routing/validation, network policies, docs, and tests; introduces AZURE_OPENAI_API_KEY, default model gpt-4o, Azure endpoint handling/normalization, and sandbox egress rules for *.openai.azure.com.

Changes

Cohort / File(s)	Summary
Onboarding & CLI flow bin/lib/onboard.js, test/onboard-selection.test.js	Added azureOpenAi/azure-openai option; interactive and non-interactive endpoint URL handling, normalization, back/exit navigation; updated test selection indices.
Inference selection & routing src/lib/inference-config.ts, src/lib/inference-config.test.ts	Treat azure-openai as OpenAI-compatible (providerKey = "openai"), default model gpt-4o, credentialEnv = "AZURE_OPENAI_API_KEY", updated mappings and tests.
Network policy / sandbox nemoclaw-blueprint/policies/openclaw-sandbox.yaml, .agents/skills/.../network-policies.md	Added azure_openai network policy allowing TLS-enforced egress to *.openai.azure.com:443 with method/path-scoped allow rules; allowed binaries /usr/local/bin/claude, /usr/local/bin/openclaw.
Documentation & skill references .agents/skills/nemoclaw-configure-inference/SKILL.md, .agents/skills/.../references/inference-options.md, docs/inference/*, docs/reference/network-policies.md	Documented Azure OpenAI as an always-available provider, required inputs (endpoint + deployment/model), credential env, validation flow (try /responses with tool-calling probe, fallback /chat/completions), and inference set --provider azure-openai --model <deployment-name> examples.

sequenceDiagram
    participant User as CLI User
    participant Onboard as onboard.js
    participant Inference as inference-config
    participant Validator as Validation Probe
    participant Server as Upsert Provider / Inference Set
    participant Policy as Network Policy

    User->>Onboard: select "azure-openai" and provide endpoint & model
    Onboard->>Inference: request provider selection config
    Inference->>Validator: probe /responses (tool-calling) then fallback /chat/completions
    Validator-->>Inference: probe result (compatible / not compatible)
    Inference->>Server: upsertProvider / inference set with metadata and AZURE_OPENAI_API_KEY
    Server->>Policy: ensure azure_openai egress rules exist
    Server-->>User: confirm provider configured

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped to add an Azure key,
endpoint set and models free,
policies guard the outbound way,
tests and docs all join the play,
a little rabbit cheers with glee. ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding Azure OpenAI as a new inference provider option. It is concise, descriptive, and directly reflects the primary objective of the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

.agents/skills/nemoclaw-configure-inference/SKILL.md (1)

1-4: ⚠️ Potential issue | 🟠 Major

Add the required SPDX header to this skill file.

The file currently starts without the mandated SPDX license header.

Suggested fix

 ---
 name: "nemoclaw-configure-inference"
 description: "Lists all inference providers offered during NemoClaw onboarding. Use when explaining which providers are available, what the onboard wizard presents, or how inference routing works. Changes the active inference model without restarting the sandbox. Use when switching inference providers, changing the model runtime, or reconfiguring inference routing. Connects NemoClaw to a local inference server. Use when setting up Ollama, vLLM, TensorRT-LLM, NIM, or any OpenAI-compatible local model server with NemoClaw."
 ---
+
+<!--
+  SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+  SPDX-License-Identifier: Apache-2.0
+-->

As per coding guidelines, "**/*.{js,ts,tsx,sh,md}: Every source file must include an SPDX license header: '// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.' and '// SPDX-License-Identifier: Apache-2.0' (use # for shell scripts, HTML comments for Markdown)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/nemoclaw-configure-inference/SKILL.md around lines 1 - 4, Add
the required SPDX license header to the top of the SKILL.md file for the skill
"nemoclaw-configure-inference": insert HTML comment lines containing "//
SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All
rights reserved." and "// SPDX-License-Identifier: Apache-2.0" (as HTML comments
for Markdown) before the existing front-matter so the file begins with the
mandated SPDX header.

docs/inference/inference-options.md (1)

18-21: ⚠️ Potential issue | 🟠 Major

Update SPDX header to the repository-required canonical text.

The Markdown SPDX header is present, but the copyright line does not match the required 2026-only text.

Suggested fix

 <!--
-  SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+  SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
   SPDX-License-Identifier: Apache-2.0
 -->

As per coding guidelines, "**/*.{js,ts,tsx,sh,md}: Every source file must include an SPDX license header: '// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.' and '// SPDX-License-Identifier: Apache-2.0' (use # for shell scripts, HTML comments for Markdown)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/inference/inference-options.md` around lines 18 - 21, Replace the
existing multi-year SPDX HTML comment in docs/inference/inference-options.md
with the repository-required canonical SPDX header: use an HTML comment
containing the single-year copyright line "SPDX-FileCopyrightText: Copyright (c)
2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved." followed by
"SPDX-License-Identifier: Apache-2.0"; update the header where the current <!--
SPDX-FileCopyrightText: Copyright (c) 2025-2026 ... --> appears so it exactly
matches the required 2026-only text and comment style for Markdown.

.agents/skills/nemoclaw-configure-inference/references/inference-options.md (1)

1-3: ⚠️ Potential issue | 🟠 Major

Add the required SPDX license header at the top of this Markdown file.

This file is missing the repository-mandated SPDX header.

Suggested fix

+<!--
+  SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+  SPDX-License-Identifier: Apache-2.0
+-->
+
 # Inference Options

As per coding guidelines, "**/*.{js,ts,tsx,sh,md}: Every source file must include an SPDX license header: '// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.' and '// SPDX-License-Identifier: Apache-2.0' (use # for shell scripts, HTML comments for Markdown)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/nemoclaw-configure-inference/references/inference-options.md
around lines 1 - 3, Add the repository-mandated SPDX license header as an HTML
comment at the very top of this Markdown file (above the "# Inference Options"
header): include the exact two lines for copyright and license ("//
SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All
rights reserved." and "// SPDX-License-Identifier: Apache-2.0"), but formatted
as an HTML comment for Markdown (i.e., <!-- ... -->) so the header is present
without affecting rendered content; ensure there are no blank lines above the
comment and that the existing "# Inference Options" heading remains immediately
after the SPDX comment.

🧹 Nitpick comments (1)

.agents/skills/nemoclaw-reference/references/network-policies.md (1)

44-48: Documented azure_openai rules are incomplete vs actual sandbox policy

Line 47 only lists two routes, but nemoclaw-blueprint/policies/openclaw-sandbox.yaml (lines 107-126) allows additional Azure OpenAI paths (completions, embeddings, deployments list/detail, and models detail). Please align this row with the full rule set so docs match enforcement.

Proposed doc update

 * - `azure_openai`
   - `*.openai.azure.com:443`
   - `/usr/local/bin/claude`, `/usr/local/bin/openclaw`
-  - POST on `/openai/deployments/*/chat/completions`, GET on `/openai/models`
+  - POST on `/openai/deployments/*/chat/completions`, `/openai/deployments/*/completions`, `/openai/deployments/*/embeddings`; GET on `/openai/deployments`, `/openai/deployments/**`, `/openai/models`, `/openai/models/**`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/nemoclaw-reference/references/network-policies.md around
lines 44 - 48, The documented `azure_openai` network-policies row is incomplete
compared to the sandbox enforcement in `openclaw-sandbox.yaml`; update the
`azure_openai` entry in network-policies.md to list all allowed Azure OpenAI
endpoints (add POST on `/openai/deployments/*/completions`, POST on
`/openai/deployments/*/embeddings`, GET on `/openai/deployments` and
`/openai/deployments/*`, and GET on `/openai/models/*`), and ensure the existing
entries (`*.openai.azure.com:443`, `/usr/local/bin/claude`,
`/usr/local/bin/openclaw`, POST on `/openai/deployments/*/chat/completions`, GET
on `/openai/models`) remain present so the doc matches `openclaw-sandbox.yaml`'s
full rule set.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.agents/skills/nemoclaw-configure-inference/references/inference-options.md:
- Around line 1-3: Add the repository-mandated SPDX license header as an HTML
comment at the very top of this Markdown file (above the "# Inference Options"
header): include the exact two lines for copyright and license ("//
SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All
rights reserved." and "// SPDX-License-Identifier: Apache-2.0"), but formatted
as an HTML comment for Markdown (i.e., <!-- ... -->) so the header is present
without affecting rendered content; ensure there are no blank lines above the
comment and that the existing "# Inference Options" heading remains immediately
after the SPDX comment.

In @.agents/skills/nemoclaw-configure-inference/SKILL.md:
- Around line 1-4: Add the required SPDX license header to the top of the
SKILL.md file for the skill "nemoclaw-configure-inference": insert HTML comment
lines containing "// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA
CORPORATION & AFFILIATES. All rights reserved." and "// SPDX-License-Identifier:
Apache-2.0" (as HTML comments for Markdown) before the existing front-matter so
the file begins with the mandated SPDX header.

In `@docs/inference/inference-options.md`:
- Around line 18-21: Replace the existing multi-year SPDX HTML comment in
docs/inference/inference-options.md with the repository-required canonical SPDX
header: use an HTML comment containing the single-year copyright line
"SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All
rights reserved." followed by "SPDX-License-Identifier: Apache-2.0"; update the
header where the current <!-- SPDX-FileCopyrightText: Copyright (c) 2025-2026
... --> appears so it exactly matches the required 2026-only text and comment
style for Markdown.

---

Nitpick comments:
In @.agents/skills/nemoclaw-reference/references/network-policies.md:
- Around line 44-48: The documented `azure_openai` network-policies row is
incomplete compared to the sandbox enforcement in `openclaw-sandbox.yaml`;
update the `azure_openai` entry in network-policies.md to list all allowed Azure
OpenAI endpoints (add POST on `/openai/deployments/*/completions`, POST on
`/openai/deployments/*/embeddings`, GET on `/openai/deployments` and
`/openai/deployments/*`, and GET on `/openai/models/*`), and ensure the existing
entries (`*.openai.azure.com:443`, `/usr/local/bin/claude`,
`/usr/local/bin/openclaw`, POST on `/openai/deployments/*/chat/completions`, GET
on `/openai/models`) remain present so the doc matches `openclaw-sandbox.yaml`'s
full rule set.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d885cf46-17a7-4777-9c55-af94153900db

📥 Commits

Reviewing files that changed from the base of the PR and between 9451269 and e6dec7c.

📒 Files selected for processing (6)

• .agents/skills/nemoclaw-configure-inference/SKILL.md
• .agents/skills/nemoclaw-configure-inference/references/inference-options.md
• .agents/skills/nemoclaw-reference/references/network-policies.md
• docs/inference/inference-options.md
• docs/inference/switch-inference-providers.md
• docs/reference/network-policies.md

✅ Files skipped from review due to trivial changes (2)

• docs/inference/switch-inference-providers.md
• docs/reference/network-policies.md

[cv]

LGTM — security review WARNING (non-blocking).

Approved with follow-up suggestions:

1. SSRF defense-in-depth: The Azure flow accepts a user-provided endpoint URL but doesn't call validateEndpointUrl() from ssrf.ts. This is a pre-existing pattern (all custom endpoint flows skip it), mitigated by network policies at runtime. Consider filing a follow-up to add SSRF validation for all user-provided URLs during onboarding.

2. Test coverage: No onboard wizard test for the Azure-specific path — only config tests and menu index offsets. Consider adding a test exercising the Azure endpoint URL prompt, empty URL rejection, and back navigation.

Otherwise clean:

• Network policy properly scoped (*.openai.azure.com, method+path restricted, port 443, TLS, enforce)
• Credentials use existing secure store (getCredential/saveCredential)
• Inference routing correctly mediated through proxy
• Endpoint probe validation present via validateCustomOpenAiLikeSelection()

[cv]

Several v0.0.10 PRs just merged, including changes to onboard.js. Could you rebase on main to retrigger CI? Thanks!

[cv]

Withdrawing approval after maintainer discussion.

We don't want to add dedicated provider entries for individual CSP-hosted OpenAI-compatible endpoints. If we add Azure OpenAI, the next ask is AWS Bedrock, then Google Vertex, etc. — each with their own network policy preset, onboard wizard path, and maintenance burden.

Azure OpenAI is OpenAI-compatible and should work through the existing "Other OpenAI-compatible endpoint" option. Users just need to provide their Azure endpoint URL (e.g., https://<resource>.openai.azure.com) and API key.

If there's a specific gap that prevents Azure OpenAI from working through the generic flow, please open an issue describing the blocker and we can address it there. Thank you for the contribution!