NemoClaw 0.0.58 is out

[cv]

NemoClaw 0.0.58 focuses on making the sandbox boundary more predictable across the machines people actually use: Windows with WSL, Docker Desktop, proxy-heavy networks, GPU-backed local inference, and long-running Hermes/OpenClaw sessions. This release tightens failure reporting and recovery paths so operators can see what went wrong before the agent or sandbox drifts into an ambiguous state.

The biggest user-facing improvements are in onboarding, inference, messaging, and Hermes runtime stability. Local Ollama and vLLM setups get better capability detection, WSL GPU proof reporting, and probe-only recovery behavior; Hermes sessions get safer history, command-dispatch, Slack, Telegram, and LiteLLM handling; OpenClaw gets opt-in OTEL diagnostics for more observable sandboxes.

We also continued the documentation and release-surface cleanup that makes NemoClaw easier to operate and maintain. The docs now cover more of the remote deploy, SSRF, session-state, command-execution, and agent-variant surfaces, while CI and E2E improvements keep the next round of changes easier to validate.

Sandbox, onboarding, and platform reliability

• #4128 fails fast when Docker is unreachable during gateway startup, replacing late, opaque onboarding failures with an actionable runtime precondition.
• #4330 explains Docker Desktop WSL integration gaps during onboarding, helping Windows users identify the missing Docker/WSL wiring instead of chasing sandbox symptoms.
• #4331 forwards host proxy environment into the sandbox, improving first-run behavior on networks that require HTTP or HTTPS proxy configuration.
• #4215 injects NO_PROXY into loopback HTTP probes, preventing local health checks from being routed through external proxies on macOS and other proxy-configured hosts.
• #4491 fails fast when binutils is missing during install preflight, making a required host dependency visible before setup work proceeds.
• #4375 introduces explicit onboarding state result types, reducing ambiguity in the onboarding state machine and making future recovery work safer.
• #4720 removes deprecated setup-spark and legacy k3s-gateway kubelet helpers, narrowing the maintained setup surface.

Inference and local model behavior

• #3683 records Ollama streaming usage compatibility, improving provider capability modeling for ollama-local inference.
• #4089 detects installed Windows Ollama even when the daemon is stopped, so onboarding can distinguish “installed but not running” from “not installed.”
• #4188 patches fetch handling for DeepSeek runtime kwargs, improving compatibility with DeepSeek-style inference options.
• #4588 skips vLLM model preflight during probe-only connect and focuses on recovery, so diagnostics can repair connectivity without triggering unnecessary model validation.
• #4599 proves WSL Docker Desktop GPU visibility and reports sandbox CUDA proof state, giving GPU users a clearer signal about whether acceleration is actually available in the sandbox.
• #4689 uses vLLM runtime max_model_len for context-window handling, aligning NemoClaw’s inference metadata with the live vLLM runtime.

Hermes, messaging, and runtime activation

• #4175 normalizes Telegram send_message pseudo-call leaks in Hermes flows, reducing malformed tool-call behavior in Telegram-backed sessions.
• #4587 rejects unknown sandboxes in channels start, matching the safer behavior already used by channels stop.
• #4666 clears the Tirith retry marker before command dispatch, preventing stale retry state from affecting Hermes command handling.
• #4703 suspends the Hermes kanban dispatcher under shields-up, keeping protected runtime modes from launching work that should remain gated.
• #4708 pre-creates .hermes_history so shields-up does not lock the Hermes TUI on startup.
• #4714 enables platforms.slack in Hermes sandbox config when a Slack channel is attached, making Slack enrollment reflected in runtime configuration.
• #4718 sets a placeholder model.api_key so LiteLLM accepts the inference.local route used inside Hermes sandboxes.
• #4722 hardens the Hermes history repair contract, improving security-sensitive repair behavior around persisted shell and TUI history.
• #4731 preserves the Hermes strip-think method binding, keeping thought-stripping behavior attached correctly at runtime.

Policy, sandbox security, and observability

• #4576 reports custom policy presets that cannot be recorded locally, making policy persistence failures visible to the operator.
• #4589 refuses to apply a policy preset when the live policy cannot be read, avoiding accidental overwrites from stale or incomplete state.
• #4686 enables OpenClaw OTEL diagnostics during onboarding, giving operators a clearer path to inspect OpenClaw behavior inside managed sandboxes.
• #4707 adds opt-in fail-closed capability-drop enforcement, allowing stricter sandbox hardening for deployments that prefer startup failure over a partially hardened runtime.

CLI, status, and operator ergonomics

• #4117 recommends nemoclaw exec for one-off commands, steering operators toward the supported command path for ad hoc sandbox inspection.
• #4644 keeps status --json stdout clean during gateway recovery, preserving machine-readable output for scripts and automation.

Docs, CI, and release confidence

• #4116 documents agent session state paths, making it easier to understand what persists between sandbox runs.
• #4166 documents remote-deploy environment variables, improving the reference surface for remote GPU and automation workflows.
• #4217 explains the SSRF and egress-policy interaction, clarifying how network policy and sandbox SSRF protections work together.
• #4649 keeps E2E migration state in issues, improving contributor handoff for ongoing scenario migration work.
• #4651 adds scenario aliases for layered E2E plans, making multi-layer scenario execution easier to address and validate.
• #4697 authenticates Docker Hub pulls in nightly E2E, reducing CI noise from unauthenticated pull limits.
• #4715 stabilizes the platform Vitest main workflow, improving signal quality for platform-specific checks.
• #4716 refreshes the 0.0.57 release docs, keeping the documentation trail aligned with shipped behavior.
• #4717 documents remaining 0.0.57 behavior changes, reducing drift between released functionality and user-facing docs.
• #4721 generates agent-variant code samples, making OpenClaw and Hermes examples easier to keep consistent.
• #4724 hides generated variant pages, reducing duplicate navigation while preserving generated doc coverage.
• #4727 fixes remote GPU command links in the reference docs.
• #4732 fixes the broken Sandbox Hardening link in the README.

Thank you

Thank you to external contributors @Thabhelo, @glenn-agent, @omribz156, and @deepujain for helping improve Windows Ollama detection, command and session-state docs, SSRF guidance, and Docker Desktop/WSL plus proxy onboarding behavior in this release.