Skip to content

Commit 30d1be9

Browse files
authored
docs: fern migration (#3548)
1 parent bc8f9e5 commit 30d1be9

88 files changed

Lines changed: 10050 additions & 603 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.agents/skills/nemoclaw-contributor-update-docs/SKILL.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -166,7 +166,7 @@ If the user invoked this skill for release prep, finish the release-specific doc
166166
3. Refresh the NemoClaw user skills:
167167

168168
```bash
169-
python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user
169+
python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user --doc-platform fern-mdx
170170
```
171171

172172
## Step 9: Build and Verify
@@ -214,7 +214,7 @@ User says: "Catch up the docs for everything merged since v0.1.0."
214214
4. Read the commit diffs and current doc pages.
215215
5. Draft doc updates reflecting the source code changes in the commits following the style guide.
216216
6. **Release prep only:** Apply release-prep version bumps if the user requested release prep.
217-
7. **Release prep only:** Run `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user`.
217+
7. **Release prep only:** Run `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user --doc-platform fern-mdx`.
218218
8. Present the summary.
219219
9. Build with `make docs` to verify.
220220
10. **Release prep only:** Commit changes and open a pull request with the `documentation` label and the corresponding `vX.Y.Z` release label. Include a concise summary of the doc updates and a source summary that links each identified merged PR to its matching doc page. Include the PR number, affected doc page, links, and description of the doc change in this shape:

.agents/skills/nemoclaw-user-agent-skills/references/agent-skills.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,11 @@ This means you can interact with the full NemoClaw documentation as skills insid
99
Ask your assistant a question about NemoClaw and it responds with the same guidance found in these docs, adapted to your current situation.
1010
Skills cover installation, inference configuration, network policy management, monitoring, deployment, security, workspace management, and the CLI reference.
1111

12-
> **Note:** If you are a contributor and have cloned the full NemoClaw repository, the full set of skills including contributor and maintainer skills are already available at the project root.
13-
> Open the `NemoClaw` directory in your coding assistant and the skills load automatically.
14-
> This page is for users who installed NemoClaw with the installer and do not have a local clone.
12+
**Note:**
13+
14+
If you are a contributor and have cloned the full NemoClaw repository, the full set of skills including contributor and maintainer skills are already available at the project root.
15+
Open the `NemoClaw` directory in your coding assistant and the skills load automatically.
16+
This page is for users who installed NemoClaw with the installer and do not have a local clone.
1517

1618
## Get the Skills
1719

.agents/skills/nemoclaw-user-configure-inference/SKILL.md

Lines changed: 14 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,10 @@ description: "Connects NemoClaw to a local inference server. Use when setting up
88

99
# Use a Local Inference Server with NemoClaw
1010

11+
## Gotchas
12+
13+
- Ollama is convenient for local chat, but some model/template combinations can return tool calls as plain text under realistic agent load.
14+
1115
## Prerequisites
1216

1317
- NemoClaw installed.
@@ -62,13 +66,13 @@ If the daemon does not become reachable, onboarding prints PowerShell commands y
6266
Use one Ollama instance on port `11434` at a time.
6367
If both WSL and Windows-host Ollama are running, pick the intended menu entry during onboarding so NemoClaw validates and pulls models against the right daemon.
6468

65-
:::{caution}
69+
**Warning:**
70+
6671
Ollama is convenient for local chat, but some model/template combinations can
6772
return tool calls as plain text under realistic agent load. If the TUI shows raw
6873
JSON such as `{"name":"memory_search","arguments":{...}}` instead of running a
6974
tool, switch to vLLM with `--enable-auto-tool-choice` and the correct
7075
`--tool-call-parser`. See Tool-Calling Reliability (use the `nemoclaw-user-configure-inference` skill).
71-
:::
7276

7377
### Authenticated Reverse Proxy
7478

@@ -263,8 +267,10 @@ Managed vLLM uses these profiles:
263267
| DGX Station | `Qwen/Qwen3.6-27B-FP8` |
264268
| Linux with an NVIDIA GPU | `nvidia/NVIDIA-Nemotron-3-Nano-4B-FP8` |
265269

266-
> **Note:** NemoClaw forces the `chat/completions` API path for vLLM.
267-
> The vLLM `/v1/responses` endpoint does not run the `--tool-call-parser`, so tool calls arrive as raw text.
270+
**Note:**
271+
272+
NemoClaw forces the `chat/completions` API path for vLLM.
273+
The vLLM `/v1/responses` endpoint does not run the `--tool-call-parser`, so tool calls arrive as raw text.
268274

269275
### Non-Interactive Setup
270276

@@ -336,8 +342,10 @@ In non-interactive mode, onboard exits with login instructions if Docker is not
336342
If `NGC_API_KEY` or `NVIDIA_API_KEY` is already exported, NemoClaw passes it into the managed NIM container through the process environment instead of command-line arguments.
337343
If the NIM container exits before the health endpoint becomes ready, onboarding stops early and prints the last container log lines.
338344

339-
> **Note:** NIM uses vLLM internally.
340-
> The same `chat/completions` API path restriction applies.
345+
**Note:**
346+
347+
NIM uses vLLM internally.
348+
The same `chat/completions` API path restriction applies.
341349

342350
### Non-Interactive Setup
343351

.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
22
<!-- SPDX-License-Identifier: Apache-2.0 -->
3-
# Inference Options
3+
# NemoClaw Inference Options
44

55
NemoClaw supports multiple inference providers.
66
During onboarding, the `nemoclaw onboard` wizard presents a numbered list of providers to choose from.
@@ -19,7 +19,6 @@ NemoClaw uses provider-specific local tokens for those routes, and rebuilds of l
1919

2020
## Provider Status
2121

22-
<!-- provider-status:begin -->
2322
| Provider | Status | Endpoint type | Notes |
2423
|----------|--------|---------------|-------|
2524
| NVIDIA Endpoints | Tested | OpenAI-compatible | Hosted models on integrate.api.nvidia.com |
@@ -32,7 +31,6 @@ NemoClaw uses provider-specific local tokens for those routes, and rebuilds of l
3231
| Local Ollama | Caveated | Local Ollama API | Available when Ollama is installed or running on the host |
3332
| Local NVIDIA NIM | Experimental | Local OpenAI-compatible | Requires `NEMOCLAW_EXPERIMENTAL=1` and a NIM-capable GPU |
3433
| Local vLLM | Experimental | Local OpenAI-compatible | Requires `NEMOCLAW_EXPERIMENTAL=1` and a server already running on `localhost:8000` |
35-
<!-- provider-status:end -->
3634

3735
## Provider Options
3836

.agents/skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
22
<!-- SPDX-License-Identifier: Apache-2.0 -->
3-
# Set Up Task-Specific Sub-Agents
3+
# Set up a Task-Specific Sub-Agent
44

55
OpenClaw documents the sub-agent behavior, `sessions_spawn` tool, `agents.list` configuration, tool policy, nesting, and auth model in [Sub-Agents](https://docs.openclaw.ai/tools/subagents).
66
Use that page as the source of truth for how OpenClaw sub-agents work.

.agents/skills/nemoclaw-user-configure-inference/references/switch-inference-providers.md

Lines changed: 9 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
22
<!-- SPDX-License-Identifier: Apache-2.0 -->
3-
# Switch Inference Models at Runtime
3+
# Switch NemoClaw Inference Models at Runtime
44

55
Change the active inference model while the sandbox is running.
66
No restart is required.
@@ -88,12 +88,14 @@ To opt in to `/v1/responses` for a backend you have verified end to end, set
8888
$ NEMOCLAW_PREFERRED_API=openai-responses nemoclaw onboard
8989
```
9090

91-
> **Note:** `NEMOCLAW_INFERENCE_API_OVERRIDE` patches the config at container startup but
92-
> does not update the Dockerfile ARG baked into the image.
93-
> If you recreate the sandbox without the override env var, the image reverts to
94-
> the original API path.
95-
> A fresh `nemoclaw onboard` is the reliable fix because it updates both the
96-
> session and the baked image.
91+
**Note:**
92+
93+
`NEMOCLAW_INFERENCE_API_OVERRIDE` patches the config at container startup but
94+
does not update the Dockerfile ARG baked into the image.
95+
If you recreate the sandbox without the override env var, the image reverts to
96+
the original API path.
97+
A fresh `nemoclaw onboard` is the reliable fix because it updates both the
98+
session and the baked image.
9799

98100
## Cross-Provider Switching
99101

.agents/skills/nemoclaw-user-configure-security/references/best-practices.md

Lines changed: 7 additions & 48 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,13 @@
11
<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
22
<!-- SPDX-License-Identifier: Apache-2.0 -->
3-
# Security Best Practices
3+
# NemoClaw Security Best Practices: Controls, Risks, and Posture Profiles
44

55
NemoClaw ships with deny-by-default security controls across four layers: network, filesystem, process, and inference.
66
You can tune every control, but each change shifts the risk profile.
77
This page documents every configurable knob, its default, what it protects, the concrete risk of relaxing it, and a recommendation for common use cases.
88

99
For background on how the layers fit together, refer to How It Works (use the `nemoclaw-user-overview` skill).
1010

11-
<!-- TODO: uncomment after the OpenShell docs are published
12-
:::{seealso}
13-
OpenShell enforces the platform-level mechanisms that NemoClaw configures, including network namespace isolation, seccomp filters, SSRF protection, TLS termination, and gateway authentication.
14-
For the full platform-level controls reference, see [OpenShell Security Best Practices](https://docs.nvidia.com/openshell/latest/security/best-practices.html).
15-
:::
16-
-->
17-
1811
## Protection Layers at a Glance
1912

2013
NemoClaw enforces security at four layers.
@@ -72,44 +65,17 @@ flowchart TB
7265
style GW fill:#2a2a2a,stroke:#76b900,stroke-width:2px,color:#fff
7366
```
7467

75-
:::{list-table}
76-
:header-rows: 1
77-
:widths: 20 30 20 30
78-
79-
* - Layer
80-
- What it protects
81-
- Enforcement point
82-
- Changeable at runtime
83-
84-
* - Network
85-
- Unauthorized outbound connections and data exfiltration.
86-
- OpenShell gateway
87-
- Yes. Use `openshell policy set` or operator approval.
88-
89-
* - Filesystem
90-
- System binary tampering, credential theft, config manipulation.
91-
- Landlock LSM + container mounts
92-
- Landlock layout: no. Requires sandbox re-creation. Config lockdown posture: yes, with host-side shields commands.
93-
94-
* - Process
95-
- Privilege escalation, fork bombs, syscall abuse.
96-
- Container runtime (Docker/K8s `securityContext`)
97-
- No. Requires sandbox re-creation.
98-
99-
* - Inference
100-
- Credential exposure, unauthorized model access, cost overruns.
101-
- OpenShell gateway
102-
- Yes. Use `nemoclaw inference set`.
103-
104-
:::
68+
| Layer | What it protects | Enforcement point | Changeable at runtime |
69+
| --- | --- | --- | --- |
70+
| Network | Unauthorized outbound connections and data exfiltration. | OpenShell gateway | Yes. Use `openshell policy set` or operator approval. |
71+
| Filesystem | System binary tampering, credential theft, config manipulation. | Landlock LSM + container mounts | Landlock layout: no. Requires sandbox re-creation. Config lockdown posture: yes, with host-side shields commands. |
72+
| Process | Privilege escalation, fork bombs, syscall abuse. | Container runtime (Docker/K8s `securityContext`) | No. Requires sandbox re-creation. |
73+
| Inference | Credential exposure, unauthorized model access, cost overruns. | OpenShell gateway | Yes. Use `nemoclaw inference set`. |
10574

10675
## Network Controls
10776

10877
NemoClaw controls which hosts, ports, and HTTP methods the sandbox can reach, and lets operators approve or deny requests in real time.
10978

110-
<!-- OpenShell provides additional network enforcement mechanisms not covered here, including network namespace isolation, SSRF protection, TLS auto-detection and termination, and audit-vs-enforce modes.
111-
See the [Network Controls](https://docs.nvidia.com/openshell/latest/security/best-practices.html#network-controls) section of the OpenShell Security Best Practices. -->
112-
11379
### Deny-by-Default Egress
11480

11581
The sandbox blocks all outbound connections unless you explicitly list the endpoint in the policy file `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`.
@@ -194,9 +160,6 @@ NemoClaw ships preset policy files in `nemoclaw-blueprint/policies/presets/` for
194160

195161
NemoClaw restricts which paths the agent can read and write, protecting system binaries, configuration files, and gateway credentials.
196162

197-
<!-- OpenShell covers additional filesystem enforcement details, including `hard_requirement` compatibility mode for Landlock and policy path validation rules.
198-
See the [Filesystem Controls](https://docs.nvidia.com/openshell/latest/security/best-practices.html#filesystem-controls) section of the OpenShell Security Best Practices. -->
199-
200163
### Read-Only System Paths
201164

202165
The container mounts system directories read-only to prevent the agent from modifying binaries, libraries, or configuration files.
@@ -256,9 +219,6 @@ Landlock is a Linux Security Module that enforces filesystem access rules at the
256219

257220
NemoClaw limits the capabilities, user privileges, and resource quotas available to processes inside the sandbox.
258221

259-
<!-- OpenShell enforces additional process-level controls not covered here, including seccomp BPF socket domain filters and a specific enforcement application order (namespace entry, privilege drop, Landlock, seccomp).
260-
See the [Process Controls](https://docs.nvidia.com/openshell/latest/security/best-practices.html#process-controls) section of the OpenShell Security Best Practices. -->
261-
262222
### Capability Drops
263223

264224
The entrypoint drops dangerous Linux capabilities from the bounding set at startup using `capsh`.
@@ -549,4 +509,3 @@ The following patterns weaken security without providing meaningful benefit.
549509
- Sandbox Hardening (use the `nemoclaw-user-deploy-remote` skill) for container-level security measures.
550510
- Inference Options (use the `nemoclaw-user-configure-inference` skill) for provider configuration details.
551511
- How It Works (use the `nemoclaw-user-overview` skill) for the protection layer architecture.
552-
<!-- - OpenShell [Security Best Practices](https://docs.nvidia.com/openshell/latest/security/best-practices.html) for the platform-level controls reference, including network namespace isolation, seccomp filters, SSRF protection, TLS termination, and gateway authentication. -->

.agents/skills/nemoclaw-user-configure-security/references/credential-storage.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
22
<!-- SPDX-License-Identifier: Apache-2.0 -->
3-
# Credential Storage
3+
# NemoClaw Credential Storage
44

55
NemoClaw does not persist provider credentials to host disk.
66
The OpenShell gateway is the only system of record for stored credentials.

.agents/skills/nemoclaw-user-deploy-remote/SKILL.md

Lines changed: 13 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -39,8 +39,10 @@ If you are connecting from your local machine and still need to provision the re
3939

4040
## Step 2: Deploy the Instance
4141

42-
> **Warning:** The `nemoclaw deploy` command is deprecated.
43-
> Prefer provisioning the remote host separately, then running the standard NemoClaw installer and `nemoclaw onboard` on that host.
42+
**Warning:**
43+
44+
The `nemoclaw deploy` command is deprecated.
45+
Prefer provisioning the remote host separately, then running the standard NemoClaw installer and `nemoclaw onboard` on that host.
4446

4547
Create a Brev instance and run the legacy compatibility flow:
4648

@@ -104,13 +106,15 @@ $ nemoclaw deploy <instance-name>
104106
For SSH port-forwarding, the origin is typically `http://127.0.0.1:18789` (the
105107
default), so no extra configuration is needed.
106108

107-
> **Warning:** On Brev, set `CHAT_UI_URL` in the launchable environment configuration so it is
108-
> available when the installer builds the sandbox image. If `CHAT_UI_URL` is not
109-
> set on a headless host, the compatibility wrapper prints a warning.
110-
>
111-
> `NEMOCLAW_DISABLE_DEVICE_AUTH` is also evaluated at image build time.
112-
> When `CHAT_UI_URL` points at a non-loopback origin, NemoClaw disables OpenClaw device pairing in the generated sandbox configuration because browser-only remote users cannot complete terminal-based pairing.
113-
> Any device that can reach the configured dashboard origin can connect without pairing, so avoid exposing that origin on internet-reachable or shared-network deployments.
109+
**Warning:**
110+
111+
On Brev, set `CHAT_UI_URL` in the launchable environment configuration so it is
112+
available when the installer builds the sandbox image. If `CHAT_UI_URL` is not
113+
set on a headless host, the compatibility wrapper prints a warning.
114+
115+
`NEMOCLAW_DISABLE_DEVICE_AUTH` is also evaluated at image build time.
116+
When `CHAT_UI_URL` points at a non-loopback origin, NemoClaw disables OpenClaw device pairing in the generated sandbox configuration because browser-only remote users cannot complete terminal-based pairing.
117+
Any device that can reach the configured dashboard origin can connect without pairing, so avoid exposing that origin on internet-reachable or shared-network deployments.
114118

115119
## Step 7: First-Run Readiness Budget
116120

.agents/skills/nemoclaw-user-deploy-remote/references/brev-web-ui.md

Lines changed: 16 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,10 @@
55
Use the Brev web UI to launch a hosted NemoClaw sandbox from your browser.
66
This flow provisions a remote VM, configures inference, starts OpenClaw inside an OpenShell sandbox, and opens the OpenClaw dashboard.
77

8-
> **Note:** Use this guide when you want to try NemoClaw without installing the CLI or using a local GPU.
9-
> If you want to manage the remote host from a terminal, see Deploy to a Remote GPU Instance (use the `nemoclaw-user-deploy-remote` skill).
8+
**Note:**
9+
10+
Use this guide when you want to try NemoClaw without installing the CLI or using a local GPU.
11+
If you want to manage the remote host from a terminal, see Deploy to a Remote GPU Instance (use the `nemoclaw-user-deploy-remote` skill).
1012

1113
## What This Flow Creates
1214

@@ -63,10 +65,12 @@ Use the NVIDIA Cloud provider shown on this screen.
6365
2. Paste your `nvapi-` API key.
6466
3. Click **Create Agent**.
6567

66-
> **Note:** The **Show Other Providers** dropdown appears below the **NVIDIA Cloud** card and can be easy to miss.
67-
> Click it to expand the provider list.
68-
> The expanded list includes **OpenAI**, **Anthropic**, and **Google Gemini**.
69-
> For these providers, get the API key from the provider's own console before you create the agent.
68+
**Note:**
69+
70+
The **Show Other Providers** dropdown appears below the **NVIDIA Cloud** card and can be easy to miss.
71+
Click it to expand the provider list.
72+
The expanded list includes **OpenAI**, **Anthropic**, and **Google Gemini**.
73+
For these providers, get the API key from the provider's own console before you create the agent.
7074

7175
### Setup
7276

@@ -90,10 +94,12 @@ Provider: NVIDIA Cloud
9094

9195
Click **Chat With Agent** to open the OpenClaw dashboard.
9296

93-
:> **Note:** The dashboard might initially show a **Pairing required** warning.
94-
> This means the gateway is still completing pairing in the background.
95-
> Wait for about a few minutes for pairing to finish automatically. Refresh the dashboard to see if the warning is resolved and the connection is established.
96-
> If pairing does not finish, go to the **Overview** page in the OpenClaw UI, find the **Gateway Access** panel, and click **Connect**.:
97+
**Note:**
98+
99+
The dashboard might initially show a **Pairing required** warning.
100+
This means the gateway is still completing pairing in the background.
101+
Wait for about a few minutes for pairing to finish automatically. Refresh the dashboard to see if the warning is resolved and the connection is established.
102+
If pairing does not finish, go to the **Overview** page in the OpenClaw UI, find the **Gateway Access** panel, and click **Connect**.
97103

98104
## Start a Chat
99105

0 commit comments

Comments
 (0)