You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<!-- markdownlint-disable MD041 -->
## Summary
This PR prepares the user-facing documentation for v0.0.74 before the
release plan is frozen.
It expands the release notes across the 56-commit train and closes
durable documentation gaps found during the pre-tag commit scan.
## Changes
- Expand the `v0.0.74` release notes to cover OpenShell 0.0.72, managed
MCP, progressive tool disclosure, LangChain Deep Agents Code,
onboarding, local inference, messaging, recovery, and contributor
workflows.
- Correct the `destroy` contract for retained per-name volumes,
gateway-unreachable `--force` cleanup, managed MCP ownership, and
same-name recovery.
- Document separate remediation for an unreachable container DNS
resolver versus one that answers with `NXDOMAIN` or `REFUSED`.
- Document the Windows on Arm N1X automatic Ollama safeguard and its
remaining large-model limitations.
- State that messaging conflicts abort rebuild before backup or
deletion, leaving the original sandbox intact.
- Link the agent-runnable value benchmark from the contributor task
index.
- Synchronize generated agent command variants.
- Validate with `npm run docs:sync-agent-variants` and `npm run docs`;
Fern completed with 0 errors and 2 existing warnings.
- Source summary:
- [NVIDIA#6020](NVIDIA#6020) and
[NVIDIA#5876](NVIDIA#5876) ->
`docs/about/release-notes.mdx`: Consolidate the OpenShell 0.0.72 policy
boundary and managed MCP lifecycle.
- [NVIDIA#6251](NVIDIA#6251) and
[NVIDIA#5989](NVIDIA#5989) ->
`docs/about/release-notes.mdx`: Summarize progressive tool disclosure
and sandbox-first inference controls.
- [NVIDIA#6232](NVIDIA#6232),
[NVIDIA#6082](NVIDIA#6082),
[NVIDIA#6219](NVIDIA#6219),
[NVIDIA#6214](NVIDIA#6214),
[NVIDIA#6215](NVIDIA#6215),
[NVIDIA#6230](NVIDIA#6230), and
[NVIDIA#6260](NVIDIA#6260) ->
`docs/about/release-notes.mdx`: Summarize the experimental LangChain
Deep Agents Code status, secret, version, rebuild, snapshot, and MCP
boundaries.
- [NVIDIA#6166](NVIDIA#6166),
[NVIDIA#6254](NVIDIA#6254),
[NVIDIA#6265](NVIDIA#6265),
[NVIDIA#6164](NVIDIA#6164), and
[NVIDIA#6017](NVIDIA#6017) ->
`docs/about/release-notes.mdx`: Summarize BuildKit prebuild, validated
image reuse, bounded readiness, and preflight improvements.
- [NVIDIA#6150](NVIDIA#6150) ->
`docs/about/release-notes.mdx` and `docs/reference/troubleshooting.mdx`:
Separate unreachable-resolver remediation from reachable-but-rejected
DNS responses.
- [NVIDIA#6234](NVIDIA#6234) ->
`docs/about/release-notes.mdx`,
`docs/inference/use-local-inference.mdx`, and
`docs/get-started/windows-preparation.mdx`: Document N1X automatic 9B
selection and the remaining explicit-large-model boundary.
- [NVIDIA#6129](NVIDIA#6129),
[NVIDIA#5987](NVIDIA#5987),
[NVIDIA#5955](NVIDIA#5955), and
[NVIDIA#6220](NVIDIA#6220) ->
`docs/about/release-notes.mdx`,
`docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/commands.mdx`, and
`docs/reference/commands-nemohermes.mdx`: Document messaging policy
persistence, status, and the pre-destructive conflict check.
- [NVIDIA#5963](NVIDIA#5963),
[NVIDIA#6050](NVIDIA#6050),
[NVIDIA#6094](NVIDIA#6094),
[NVIDIA#6238](NVIDIA#6238),
[NVIDIA#5988](NVIDIA#5988),
[NVIDIA#6235](NVIDIA#6235),
[NVIDIA#6181](NVIDIA#6181), and
[NVIDIA#5986](NVIDIA#5986) ->
`docs/about/release-notes.mdx`, `docs/reference/commands.mdx`, and
`docs/reference/commands-nemohermes.mdx`: Summarize day-two recovery and
clarify retained-volume and local-only destroy semantics.
- [NVIDIA#6200](NVIDIA#6200),
[NVIDIA#6248](NVIDIA#6248),
[NVIDIA#6168](NVIDIA#6168),
[NVIDIA#6270](NVIDIA#6270), and
[NVIDIA#5649](NVIDIA#5649) ->
`docs/about/release-notes.mdx` and `CONTRIBUTING.md`: Summarize
contributor setup and verification improvements and expose the advisory
value benchmark.
## Type of Change
- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)
## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: documentation-only release
preparation; generated-variant synchronization and the Fern docs build
validate the changed pages and routes.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:
## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect the tested behavior.
Do not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — command/result or justification: tests
are not applicable to this documentation-only change; `npm run docs`
validates the source and generated routes.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)
---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Expanded setup guidance for Windows on Arm devices with safer default
local model selection.
* Clarified local inference and sandbox messaging behavior, including
conflict checks before rebuilds and safer recovery steps.
* Updated destroy/rebuild/reference docs with more detailed warnings,
failure handling, and volume-retention guidance.
* Improved troubleshooting instructions for Docker DNS issues with
clearer paths for unreachable vs. blocked resolvers.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
Copy file name to clipboardExpand all lines: docs/about/release-notes.mdx
+26-5Lines changed: 26 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,13 +18,34 @@ For more detailed release notes, refer to the [NemoClaw GitHub announcements](ht
18
18
19
19
## v0.0.74
20
20
21
-
NemoClaw v0.0.74 advances to OpenShell `0.0.72`and adopts its safe policy round-trip boundary:
21
+
NemoClaw v0.0.74 upgrades the OpenShell policy boundary, adds managed MCP and progressive tool disclosure, strengthens the experimental LangChain Deep Agents Code integration, and improves onboarding, local inference, messaging, recovery, and contributor workflows.
22
22
23
-
- Stable installs pin OpenShell `0.0.72` release artifacts and supervisor image, adding MCP Streamable HTTP and JSON-RPC request-policy enforcement.
24
-
-Policy mutations now read the round-trippable base policy instead of the effective policy, preventing provider-composed `_provider_*` entries from being sent back through `policy set` while preserving existing MCP rules.
23
+
- Stable installs pin OpenShell `0.0.72` release artifacts and the supervisor image, adding MCP Streamable HTTP and JSON-RPC request-policy enforcement.
24
+
Policy mutations read the round-trippable base policy instead of the effective policy, which preserves existing MCP rules without sending provider-composed `_provider_*` entries back through `policy set`.
25
25
For more information, refer to [OpenShell 0.0.72 Compatibility Review](../security/openshell-0.0.72-compatibility-review) and [Customize the Network Policy](../network-policy/customize-network-policy).
26
-
- Managed MCP commands now add, list, inspect, rotate, restart, and remove authenticated HTTPS Streamable HTTP servers for OpenClaw, Hermes, and LangChain Deep Agents Code through native OpenShell policy enforcement and provider-backed credential replacement.
27
-
For more information, refer to [Set Up MCP Servers](../manage-sandboxes/set-up-mcp-servers) and the [accepted architecture decision](https://github.com/NVIDIA/NemoClaw/issues/566#issuecomment-4847534784).
26
+
- Managed MCP commands use `add`, `list`, `status`, `restart`, and `remove` to manage authenticated HTTPS Streamable HTTP servers for OpenClaw, Hermes, and experimental LangChain Deep Agents Code through native OpenShell policy enforcement and provider-backed credential replacement.
27
+
The LangChain Deep Agents Code rebuild path validates the recorded gateway, route, image, staged build context, and prepared replacement inputs before deleting the previous sandbox, then restores managed MCP state after the recreated runtime is ready.
28
+
For more information, refer to [Set Up MCP Servers](../manage-sandboxes/set-up-mcp-servers), [Quickstart with LangChain Deep Agents Code](../../openclaw/get-started/quickstart-langchain-deepagents-code), and the [accepted architecture decision](https://github.com/NVIDIA/NemoClaw/issues/566#issuecomment-4847534784).
29
+
- New sandboxes default to progressive tool disclosure across OpenClaw, Hermes, and LangChain Deep Agents Code, while `--tool-disclosure direct` restores the full visible catalog.
30
+
The selected mode persists through resume and transactional rebuilds, and model-specific compatibility safeguards can keep an incompatible model on direct disclosure.
31
+
Sandbox-first `inference get` and `inference set` commands now provide the same route controls as their global forms.
32
+
For more information, refer to [Tool Calling Reliability](../inference/tool-calling-reliability), [Model Capability Audit](../inference/model-capability-audit), and [NemoClaw CLI Commands Reference](../reference/commands).
33
+
- LangChain Deep Agents Code now provides managed `status`, `whoami`, and `identity` commands without launching the interactive UI, validates the installed agent version during onboarding, and keeps credential-shaped or tracing configuration out of persisted runtime metadata.
34
+
Its rebuild path validates recreation before destructive handoff and preserves the managed proxy, tool-disclosure, and MCP boundaries.
35
+
For more information, refer to [Quickstart with LangChain Deep Agents Code](../../openclaw/get-started/quickstart-langchain-deepagents-code), [NemoClaw CLI Commands Reference](../reference/commands), and [Security Best Practices](../security/best-practices).
36
+
- Onboarding uses BuildKit prebuilds with bounded progress heartbeats, reuses validated release and source-commit sandbox images, and rejects stale or incompatible image contracts before sandbox creation.
37
+
Readiness handling tolerates a bounded run of transient OpenShell `Error` phases, while preflight output distinguishes an unreachable container DNS resolver from one that answers but rejects the query.
38
+
On Windows on Arm N1X systems, automatic Local Ollama setup treats the integrated GPU as compute-constrained and selects `qwen3.5:9b` instead of the 30B and 35B starter models.
39
+
For more information, refer to [NemoClaw CLI Commands Reference](../reference/commands), [Install OpenClaw Plugins](../deployment/install-openclaw-plugins), [Use a Local Inference Server](../inference/use-local-inference), [Prepare Windows for NemoClaw](../get-started/windows-preparation), and [Troubleshooting](../reference/troubleshooting).
40
+
- Messaging configuration now keeps channel policy ownership with the enabled channel, persists selected policy presets through onboarding and rebuilds, reports Telegram mention mode in channel status, and detects credential conflicts before a destructive rebuild starts.
41
+
For more information, refer to [Messaging Channels](../manage-sandboxes/messaging-channels), [Customize the Network Policy](../network-policy/customize-network-policy), and [NemoClaw CLI Commands Reference](../reference/commands).
42
+
- Day-two commands provide safer recovery and clearer automation behavior.
43
+
`update --fresh` can reinstall the current version, and `destroy --force` can remove a local record when the OpenShell gateway is unavailable while warning that the sandbox and retained volume may still exist.
44
+
Failed `exec` commands can surface recent policy-denial context, tunnel stop releases its gateway port, WSL keeps a usable loopback dashboard URL, and affected CLI user-error surfaces preserve a nonzero exit status.
45
+
For more information, refer to [NemoClaw CLI Commands Reference](../reference/commands), [Troubleshooting](../reference/troubleshooting), and [NemoClaw Inference Options](../inference/inference-options).
46
+
- Contributor workflows now provide idempotent one-command setup, read-only readiness checks, diff-scoped local verification, and validated Git signing configuration while preserving development dependencies during installation.
47
+
The new agent-runnable value benchmark emits machine-readable and Markdown reports for inference latency and trace-backed sandbox startup without turning advisory timings into a release gate.
48
+
For more information, refer to the [NemoClaw Contributor Guide](https://github.com/NVIDIA/NemoClaw/blob/main/CONTRIBUTING.md) and [NemoClaw Value Benchmark](https://github.com/NVIDIA/NemoClaw/blob/main/scripts/bench/README.md).
Copy file name to clipboardExpand all lines: docs/get-started/windows-preparation.mdx
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -166,6 +166,9 @@ If the installer offers express install on WSL, accepting it selects this Window
166
166
When Ollama runs on the Windows host, NemoClaw detects it from WSL through `host.docker.internal` and pulls missing models through the Ollama HTTP API.
167
167
Do not run both the Windows and WSL Ollama instances on port `11434` at the same time.
168
168
Use one instance, or move one of them to a different port before running `$$nemoclaw onboard`.
169
+
On Windows on Arm N1X systems with a Snapdragon X processor, let NemoClaw choose the Ollama starter model automatically.
170
+
It selects the compute-constrained `qwen3.5:9b` path instead of recommending the 30B and 35B starter models.
171
+
For the selection boundary and remaining N1X limitations, refer to [Use a Local Inference Server](../inference/use-local-inference).
Copy file name to clipboardExpand all lines: docs/inference/use-local-inference.mdx
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -191,6 +191,10 @@ The Ollama runner validates the choice itself.
191
191
In interactive onboarding, registry-known installed tags that do not fit current GPU memory are filtered out of the installed-model menu.
192
192
If none of the installed registry-known tags fit, NemoClaw shows the starter-model choices and warns when even the smallest bootstrap tag may not fit.
193
193
After a selected model fails validation, NemoClaw excludes that tag from the next installed-model menu so pressing Enter cannot select the same failing model repeatedly.
194
+
On Windows on Arm N1X systems with a Snapdragon X processor, NemoClaw treats the integrated GPU as compute-constrained even when its shared-memory total appears large enough for a bigger model.
195
+
Automatic Ollama bootstrap selection omits `qwen3.6:35b` and `nemotron-3-nano:30b` and selects `qwen3.5:9b` instead.
196
+
This is a model-selection safeguard only.
197
+
It does not make 30B or 35B models usable on N1X, add a general refusal for an explicitly selected large model, or resolve the OpenClaw `1006` disconnect, embedded fallback, and model-timeout behavior tracked in [issue #3707](https://github.com/NVIDIA/NemoClaw/issues/3707).
194
198
When Ollama reports a loaded-model context length below `16384` and `NEMOCLAW_CONTEXT_WINDOW` is unset, NemoClaw raises the baked `contextWindow` to `16384` so the agent prompt and tool definitions fit better than the stock daemon default.
195
199
If the initial Ollama validation probe times out during a cold load, NemoClaw retries once with a 300-second probe budget.
196
200
This applies beyond DGX Spark, including tight-VRAM dGPU hosts where warm-up can spill from GPU to CPU.
Copy file name to clipboardExpand all lines: docs/manage-sandboxes/messaging-channels.mdx
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -369,6 +369,9 @@ For Slack, NemoClaw checks both the bot token and the Socket Mode app token so d
369
369
For Microsoft Teams, NemoClaw also checks the local webhook port because active Teams sandboxes cannot share the same forwarded port.
370
370
If NemoClaw only has legacy channel metadata and cannot compare credential hashes, it keeps the conservative warning.
371
371
Re-run `channels add <channel>` with the intended token to refresh the stored non-secret hash.
372
+
Before any rebuild, including one started by `channels add` or `channels start`, NemoClaw rechecks the staged messaging plan against other registered sandboxes.
373
+
A credential or channel-resource conflict aborts before backup or deletion and leaves the original sandbox registered and intact.
374
+
Resolve the conflict, then rerun the operation.
372
375
`$$nemoclaw status` reports cross-sandbox overlaps so you can resolve duplicates before messages start dropping.
Copy file name to clipboardExpand all lines: docs/reference/commands-nemohermes.mdx
+12-2Lines changed: 12 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -880,8 +880,10 @@ This removes the sandbox from the registry.
880
880
For Ollama-backed sandboxes, `destroy` also asks Ollama to unload currently loaded models and clears stale auth proxy state on a best-effort basis.
881
881
882
882
<Warning>
883
-
This command permanently deletes the sandbox **and its persistent volume**.
884
-
All [workspace files](../manage-sandboxes/workspace-files) (SOUL.md, USER.md, IDENTITY.md, AGENTS.md, MEMORY.md, and daily memory notes) are lost.
883
+
This command attempts to wipe the manifest-defined agent state while its persistent volume is mounted, then removes the sandbox.
884
+
OpenShell can retain the per-name persistent volume after sandbox deletion.
885
+
If the wipe cannot complete, onboarding with the same name can resurface old files.
886
+
Do not rely on a retained volume as a backup.
885
887
Back up your workspace first with `nemohermes <name> snapshot create` or refer to [Backup and Restore](../manage-sandboxes/backup-restore).
886
888
If you want to upgrade the sandbox while preserving state, use `nemohermes <name> rebuild` instead.
887
889
</Warning>
@@ -900,6 +902,12 @@ If hardening fails, the command refuses deletion and leaves the timer authority
900
902
If deletion fails after hardening, the command keeps the surviving sandbox's locked shields state instead of cleaning it up as though deletion succeeded.
901
903
By default, `destroy` preserves the shared NemoClaw gateway.
902
904
Pass `--cleanup-gateway` to remove the shared gateway when destroying the last sandbox, or `--no-cleanup-gateway` to force preservation when environment defaults request cleanup.
905
+
If the pre-delete workspace wipe cannot run, use a different sandbox name for a clean start.
906
+
When this is the last sandbox, pass `--cleanup-gateway` to purge the shared cluster volume that retains the per-name persistent volume.
907
+
If the OpenShell gateway is unreachable and the sandbox has no managed MCP ownership state, `--force` removes only NemoClaw's local registry entry and local artifacts.
908
+
Gateway-side deletion remains unconfirmed, shared host-service and gateway teardown are skipped, and the sandbox and retained volume may still exist if the gateway returns.
909
+
Start the gateway with `nemohermes <name> status` and retry destroy when you need a confirmed deletion.
910
+
Managed MCP ownership disables the local-only fallback because exact provider cleanup requires the retained ownership state, and other delete failures remain fatal.
@@ -1529,6 +1537,8 @@ Pass `--yes`, `-y`, or `--force` to skip the prompt in scripted workflows.
1529
1537
The sandbox must be running for the backup step to succeed.
1530
1538
If an archive command reports partial output while still producing usable data, `rebuild` keeps the captured backup entries and reports only the manifest-defined paths that could not be archived.
1531
1539
If any required state path still cannot be backed up, `rebuild` exits before destroying the original sandbox.
1540
+
Before backup or deletion, rebuild checks the staged messaging configuration for credentials or channel resources already used by another registered sandbox.
1541
+
A conflict aborts with the original sandbox registered and intact so you can resolve the conflict before retrying.
1532
1542
When rebuild starts with shields up, NemoClaw opens a 30-minute shields-down window for backup and recreation.
1533
1543
A detached auto-lock timer remains active until NemoClaw commits a successful shields-up state, so it can attempt to restore lockdown if the host rebuild process exits unexpectedly.
Copy file name to clipboardExpand all lines: docs/reference/commands.mdx
+12-2Lines changed: 12 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1194,8 +1194,10 @@ This removes the sandbox from the registry.
1194
1194
For Ollama-backed sandboxes, `destroy` also asks Ollama to unload currently loaded models and clears stale auth proxy state on a best-effort basis.
1195
1195
1196
1196
<Warning>
1197
-
This command permanently deletes the sandbox **and its persistent volume**.
1198
-
All [workspace files](../manage-sandboxes/workspace-files) (SOUL.md, USER.md, IDENTITY.md, AGENTS.md, MEMORY.md, and daily memory notes) are lost.
1197
+
This command attempts to wipe the manifest-defined agent state while its persistent volume is mounted, then removes the sandbox.
1198
+
OpenShell can retain the per-name persistent volume after sandbox deletion.
1199
+
If the wipe cannot complete, onboarding with the same name can resurface old files.
1200
+
Do not rely on a retained volume as a backup.
1199
1201
Back up your workspace first with `$$nemoclaw <name> snapshot create` or refer to [Backup and Restore](../manage-sandboxes/backup-restore).
1200
1202
If you want to upgrade the sandbox while preserving state, use `$$nemoclaw <name> rebuild` instead.
1201
1203
</Warning>
@@ -1218,6 +1220,12 @@ If hardening fails, the command refuses deletion and leaves the timer authority
1218
1220
If deletion fails after hardening, the command keeps the surviving sandbox's locked shields state instead of cleaning it up as though deletion succeeded.
1219
1221
By default, `destroy` preserves the shared NemoClaw gateway.
1220
1222
Pass `--cleanup-gateway` to remove the shared gateway when destroying the last sandbox, or `--no-cleanup-gateway` to force preservation when environment defaults request cleanup.
1223
+
If the pre-delete workspace wipe cannot run, use a different sandbox name for a clean start.
1224
+
When this is the last sandbox, pass `--cleanup-gateway` to purge the shared cluster volume that retains the per-name persistent volume.
1225
+
If the OpenShell gateway is unreachable and the sandbox has no managed MCP ownership state, `--force` removes only NemoClaw's local registry entry and local artifacts.
1226
+
Gateway-side deletion remains unconfirmed, shared host-service and gateway teardown are skipped, and the sandbox and retained volume may still exist if the gateway returns.
1227
+
Start the gateway with `$$nemoclaw <name> status` and retry destroy when you need a confirmed deletion.
1228
+
Managed MCP ownership disables the local-only fallback because exact provider cleanup requires the retained ownership state, and other delete failures remain fatal.
@@ -1915,6 +1923,8 @@ Pass `--yes`, `-y`, or `--force` to skip the prompt in scripted workflows.
1915
1923
The sandbox must be running for the backup step to succeed.
1916
1924
If an archive command reports partial output while still producing usable data, `rebuild` keeps the captured backup entries and reports only the manifest-defined paths that could not be archived.
1917
1925
If any required state path still cannot be backed up, `rebuild` exits before destroying the original sandbox.
1926
+
Before backup or deletion, rebuild checks the staged messaging configuration for credentials or channel resources already used by another registered sandbox.
1927
+
A conflict aborts with the original sandbox registered and intact so you can resolve the conflict before retrying.
1918
1928
When rebuild starts with shields up, NemoClaw opens a 30-minute shields-down window for backup and recreation.
1919
1929
A detached auto-lock timer remains active until NemoClaw commits a successful shields-up state, so it can attempt to restore lockdown if the host rebuild process exits unexpectedly.
Copy file name to clipboardExpand all lines: docs/reference/troubleshooting.mdx
+10-2Lines changed: 10 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -185,7 +185,15 @@ Some corporate networks block outbound UDP port 53 to public DNS servers and for
185
185
186
186
NemoClaw's preflight runs a short `docker run --rm busybox nslookup nemoclaw-dns-probe-<random>.invalid` probe before starting the sandbox build. The fresh `.invalid` name should return NXDOMAIN through a working resolver, so cached answers cannot hide blocked DNS egress. When the probe confirms a DNS failure, onboarding stops with platform-specific remediation instead of hanging for ~15 minutes and printing a cryptic `Exit handler never called`.
187
187
188
-
The fix depends on your platform and runtime. Pick the matching path from the preflight output, apply it, then re-run `$$nemoclaw onboard`.
188
+
Use the preflight headline to choose the recovery path:
189
+
190
+
- If no DNS servers could be reached, Docker could not reach its configured resolver.
191
+
Follow the platform-specific UDP port 53 and Docker DNS steps below.
192
+
- If the DNS server was reachable but rejected the query with `NXDOMAIN` or `REFUSED`, the resolver answered, so the UDP port 53 fix is not relevant.
193
+
Check the resolver used by Docker, such as dnsmasq, Pi-hole, unbound, or systemd-resolved, and remove any forwarding rule, blocklist entry, or ACL that rejects `registry.npmjs.org`.
194
+
If needed, configure Docker to use an organization-approved resolver that can resolve public names, restart Docker, and retry onboarding.
195
+
196
+
For an unreachable resolver, pick the matching platform path below, apply it, then re-run `$$nemoclaw onboard`.
189
197
190
198
-**Linux with systemd-resolved.** Add a `DNSStubListenerExtra` drop-in pointing at the docker bridge gateway IP (the preflight prints the detected IP), then add the same IP to `/etc/docker/daemon.json` under `dns`. Restart `systemd-resolved` and `docker`.
191
199
-**macOS with Colima.** Restart Colima with the corporate DNS address, for example `colima stop && colima start --dns <corp-dns-ip>`.
@@ -195,7 +203,7 @@ The fix depends on your platform and runtime. Pick the matching path from the pr
195
203
Verify the fix worked:
196
204
197
205
```bash
198
-
docker run --rm busybox nslookup example.com
206
+
docker run --rm busybox nslookup registry.npmjs.org
199
207
```
200
208
201
209
When the lookup returns an answer, retry onboarding.
0 commit comments