feat(onboard): add --name flag for explicit sandbox naming (#2591)

## Summary

`nemoclaw onboard` had no `--name` flag, so picking a sandbox name in
non-interactive or no-TTY runs required the undiscoverable
`NEMOCLAW_SANDBOX_NAME` env var, and `--from <Dockerfile>` without a TTY
silently fell back to the `my-assistant` default — clobbering the
default sandbox. This adds `--name <sandbox>`, plumbed through
`OnboardCommandOptions` and `OnboardOptions`. The flag wins over the env
var. When prompting is impossible (no TTY or `--non-interactive`) the
env var is now seeded into the same path the flag takes, so it actually
flows through to `createSandbox` instead of being dropped silently.
`--from` runs that cannot prompt and have no resolved name now error
cleanly. Both the flag and the env-var seed go through the same
`validateName` + reserved-name guard the interactive prompt enforces, so
a name like `status` is rejected before it can shadow a CLI command.

## Related Issues

Fixes #2543
Fixes #2534

## Changes

- `src/lib/onboard-command.ts`: parse `--name <sandbox>`, validate the
value, surface it on `OnboardCommandOptions.sandboxName`, list it in the
usage line.
- `src/lib/onboard.ts`: add `sandboxName` to `OnboardOptions`; lift
`RESERVED_SANDBOX_NAMES` out of `promptValidatedSandboxName` so the flag
and env-var paths share it; resolve the requested name early (flag, then
env var when prompting is impossible), validate once, and seed it into
the local `sandboxName` so `createSandbox` receives the override; reject
`--from` runs that cannot prompt and have no resolved name; teach
`getRequestedSandboxNameHint` / `getResumeSandboxConflict` /
`getResumeConfigConflicts` to prefer `opts.sandboxName` over the env
var; thread it through the resume-conflict caller. Re-check
`RESERVED_SANDBOX_NAMES` against the resumed `session?.sandboxName` so a
stale pre-PR session whose recorded name now collides with a CLI command
(e.g. `status`) is rejected before any sandbox operation runs.
- `src/lib/onboard-command.test.ts`: positive test for `--name` parsing
alongside `--from`, plus the missing-value and flag-as-value error
paths.
- `test/onboard.test.ts`: cover hint precedence (option over env) and
the resume conflict produced when `--name` diverges from the recorded
sandbox; static-source assertion that the resumed-session reserved-name
guard stays in place.
- `docs/reference/commands.md`: add `--name <sandbox>` to the `onboard`
usage line, document the flag with its precedence and reserved-name
semantics next to `--from`, and update the non-interactive `--from`
example to set `NEMOCLAW_SANDBOX_NAME` so the new no-prompt guard is
satisfied.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [x] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Verification

- [x] `npx prek run --all-files` passes
- [x] `npm test` passes
- [x] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [x] Docs updated for user-facing behavior changes
- [ ] `make docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

## AI Disclosure

- [x] AI-assisted — tool: Claude Code, Codex

---
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a --name <sandbox> flag to specify sandbox names during
onboarding; explicit name now takes precedence over env var.

* **Bug Fixes**
* Onboarding fails early with clear messaging and exit code when a
sandbox name is required but missing or invalid (non-interactive/--from
cases); reserved names are rejected.

* **Tests**
* Added tests for parsing, help text, validation, precedence,
reserved-name checks, and non-interactive failure cases.

* **Documentation**
* Updated command reference to document the new flag, validation rules,
precedence, and failure behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

Author: laitingsheng

docs/reference/commands.md

@@ -64,7 +64,7 @@ The wizard creates an OpenShell gateway, registers inference providers, builds t
 Use this command for new installs and for recreating a sandbox after changes to policy or configuration.
 
 ```console
-$ nemoclaw onboard [--non-interactive] [--resume] [--recreate-sandbox] [--from <Dockerfile>] [--agent <name>] [--dangerously-skip-permissions] [--yes-i-accept-third-party-software]
+$ nemoclaw onboard [--non-interactive] [--resume] [--recreate-sandbox] [--from <Dockerfile>] [--name <sandbox>] [--agent <name>] [--dangerously-skip-permissions] [--yes-i-accept-third-party-software]
 ```
 
 :::{warning}
@@ -170,14 +170,28 @@ $ nemoclaw onboard --from path/to/Dockerfile
 The file can have any name; if it is not already named `Dockerfile`, onboard copies it to `Dockerfile` inside the staged build context automatically.
 All NemoClaw build arguments (`NEMOCLAW_MODEL`, `NEMOCLAW_PROVIDER_KEY`, `NEMOCLAW_INFERENCE_BASE_URL`, etc.) are injected as `ARG` overrides at build time, so declare them in your Dockerfile if you need to reference them.
 
-In non-interactive mode, the path can also be supplied via the `NEMOCLAW_FROM_DOCKERFILE` environment variable:
+In non-interactive mode, the path can also be supplied via the `NEMOCLAW_FROM_DOCKERFILE` environment variable.
+You must also supply a sandbox name via `--name <sandbox>` or `NEMOCLAW_SANDBOX_NAME` so a `--from` build cannot silently clobber the default `my-assistant` sandbox.
 
 ```console
-$ NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_FROM_DOCKERFILE=path/to/Dockerfile nemoclaw onboard
+$ NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_FROM_DOCKERFILE=path/to/Dockerfile NEMOCLAW_SANDBOX_NAME=my-build nemoclaw onboard
 ```
 
 If a `--resume` is attempted with a different `--from` path than the original session, onboarding exits with a conflict error rather than silently building from the wrong image.
 
+#### `--name <sandbox>`
+
+Set the sandbox name without going through the interactive prompt.
+The same RFC 1123 and reserved-name rules that the wizard enforces apply here too — names that match a NemoClaw CLI command (`status`, `list`, `debug`, etc.) are rejected up front.
+
+```console
+$ nemoclaw onboard --non-interactive --name my-build --from path/to/Dockerfile
+```
+
+The flag wins over `NEMOCLAW_SANDBOX_NAME`.
+When prompting is impossible (no TTY or `--non-interactive`), the env var is also honoured so existing CI scripts keep working.
+Combining `--from <Dockerfile>` with non-interactive onboarding requires one of `--name` or `NEMOCLAW_SANDBOX_NAME`; otherwise onboarding exits rather than silently defaulting to `my-assistant` and clobbering the default sandbox.
+
 #### `--dangerously-skip-permissions`
 
 :::{warning}

src/lib/onboard-command.test.ts

@@ -40,6 +40,7 @@ describe("onboard command", () => {
       fresh: false,
       recreateSandbox: false,
       fromDockerfile: null,
+      sandboxName: null,
       acceptThirdPartySoftware: true,
       agent: null,
       dangerouslySkipPermissions: false,
@@ -65,6 +66,7 @@ describe("onboard command", () => {
       fresh: false,
       recreateSandbox: false,
       fromDockerfile: null,
+      sandboxName: null,
       acceptThirdPartySoftware: true,
       agent: null,
       dangerouslySkipPermissions: false,
@@ -89,6 +91,7 @@ describe("onboard command", () => {
       fresh: false,
       recreateSandbox: false,
       fromDockerfile: null,
+      sandboxName: null,
       acceptThirdPartySoftware: false,
       agent: null,
       dangerouslySkipPermissions: false,
@@ -112,6 +115,7 @@ describe("onboard command", () => {
     expect(runOnboard).not.toHaveBeenCalled();
     expect(lines.join("\n")).toContain("Usage: nemoclaw onboard");
     expect(lines.join("\n")).toContain("--from <Dockerfile>");
+    expect(lines.join("\n")).toContain("--name <sandbox>");
     expect(lines.join("\n")).toContain("--agent <name>");
     expect(lines.join("\n")).toContain("--dangerously-skip-permissions");
   });
@@ -138,6 +142,7 @@ describe("onboard command", () => {
       fresh: false,
       recreateSandbox: false,
       fromDockerfile: dockerfilePath,
+      sandboxName: null,
       acceptThirdPartySoftware: false,
       agent: null,
       dangerouslySkipPermissions: false,
@@ -163,6 +168,7 @@ describe("onboard command", () => {
       fresh: true,
       recreateSandbox: false,
       fromDockerfile: null,
+      sandboxName: null,
       acceptThirdPartySoftware: false,
       agent: null,
       dangerouslySkipPermissions: false,
@@ -187,6 +193,70 @@ describe("onboard command", () => {
     expect(errors.join("\n")).toContain("--resume and --fresh are mutually exclusive");
   });
 
+  it("parses --name <sandbox>", () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-onboard-name-parse-"));
+    const dockerfilePath = path.join(tmpDir, "Custom.Dockerfile");
+    fs.writeFileSync(dockerfilePath, "FROM scratch\n");
+
+    expect(
+      parseOnboardArgs(
+        ["--non-interactive", "--from", dockerfilePath, "--name", "second-assistant"],
+        "--yes-i-accept-third-party-software",
+        "NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE",
+        {
+          env: {},
+          error: () => {},
+          exit: exitWithCode,
+        },
+      ),
+    ).toEqual({
+      nonInteractive: true,
+      resume: false,
+      fresh: false,
+      recreateSandbox: false,
+      fromDockerfile: dockerfilePath,
+      sandboxName: "second-assistant",
+      acceptThirdPartySoftware: false,
+      agent: null,
+      dangerouslySkipPermissions: false,
+      controlUiPort: null,
+    });
+  });
+
+  it("exits when --name is missing its sandbox value", () => {
+    const errors: string[] = [];
+    expect(() =>
+      parseOnboardArgs(
+        ["--name"],
+        "--yes-i-accept-third-party-software",
+        "NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE",
+        {
+          env: {},
+          error: (message = "") => errors.push(message),
+          exit: exitWithPrefixedCode,
+        },
+      ),
+    ).toThrow("exit:1");
+    expect(errors.join("\n")).toContain("--name requires a sandbox name");
+  });
+
+  it("exits when --name is followed by another flag instead of a value", () => {
+    const errors: string[] = [];
+    expect(() =>
+      parseOnboardArgs(
+        ["--name", "--resume"],
+        "--yes-i-accept-third-party-software",
+        "NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE",
+        {
+          env: {},
+          error: (message = "") => errors.push(message),
+          exit: exitWithPrefixedCode,
+        },
+      ),
+    ).toThrow("exit:1");
+    expect(errors.join("\n")).toContain("--name requires a sandbox name");
+  });
+
   it("exits when --from is missing its Dockerfile path", () => {
     expect(() =>
       parseOnboardArgs(
@@ -260,6 +330,7 @@ describe("onboard command", () => {
       fresh: false,
       recreateSandbox: false,
       fromDockerfile: null,
+      sandboxName: null,
       acceptThirdPartySoftware: false,
       agent: "openclaw",
       dangerouslySkipPermissions: true,
@@ -394,6 +465,7 @@ describe("onboard command", () => {
       fresh: false,
       recreateSandbox: false,
       fromDockerfile: null,
+      sandboxName: null,
       acceptThirdPartySoftware: false,
       agent: null,
       dangerouslySkipPermissions: false,

src/lib/onboard-command.ts

@@ -10,6 +10,7 @@ export interface OnboardCommandOptions {
   fresh: boolean;
   recreateSandbox: boolean;
   fromDockerfile: string | null;
+  sandboxName: string | null;
   acceptThirdPartySoftware: boolean;
   agent: string | null;
   dangerouslySkipPermissions: boolean;
@@ -42,7 +43,7 @@ const ONBOARD_BASE_ARGS = [
 
 function onboardUsageLines(noticeAcceptFlag: string): string[] {
   return [
-    `  Usage: nemoclaw onboard [--non-interactive] [--resume | --fresh] [--recreate-sandbox] [--from <Dockerfile>] [--agent <name>] [--control-ui-port <N>] [--dangerously-skip-permissions] [${noticeAcceptFlag}]`,
+    `  Usage: nemoclaw onboard [--non-interactive] [--resume | --fresh] [--recreate-sandbox] [--from <Dockerfile>] [--name <sandbox>] [--agent <name>] [--control-ui-port <N>] [--dangerously-skip-permissions] [${noticeAcceptFlag}]`,
     "",
   ];
 }
@@ -81,6 +82,19 @@ export function parseOnboardArgs(
     parsedArgs.splice(fromIdx, 2);
   }
 
+  let sandboxName: string | null = null;
+  const nameIdx = parsedArgs.indexOf("--name");
+  if (nameIdx !== -1) {
+    const nameValue = parsedArgs[nameIdx + 1];
+    if (typeof nameValue !== "string" || nameValue.length === 0 || nameValue.startsWith("--")) {
+      error("  --name requires a sandbox name");
+      printOnboardUsage(error, noticeAcceptFlag);
+      exit(1);
+    }
+    sandboxName = nameValue;
+    parsedArgs.splice(nameIdx, 2);
+  }
+
   let agent: string | null = null;
   const agentIdx = parsedArgs.indexOf("--agent");
   if (agentIdx !== -1) {
@@ -141,6 +155,7 @@ export function parseOnboardArgs(
     fresh,
     recreateSandbox: parsedArgs.includes("--recreate-sandbox"),
     fromDockerfile,
+    sandboxName,
     acceptThirdPartySoftware:
       parsedArgs.includes(noticeAcceptFlag) || String(deps.env[noticeAcceptEnv] || "") === "1",
     agent,