fix(onboard): clarify post-install next steps and add dashboard-url command

[zyang-dev]

Summary

Clarifies the post-install/onboarding completion output so users can see the next useful actions without needing to reason through raw commands. Adds a dashboard-url command for printing the authenticated OpenClaw dashboard URL while preserving token redaction in normal displayed output.

Changes

• Reworked onboarding completion output into task-oriented sections for browser access, terminal/TUI access, and later management.
• Added nemoclaw <sandbox> dashboard-url [--quiet] to print an authenticated dashboard URL on demand.
• Preserved token redaction in normal onboarding output while allowing explicit URL retrieval through the new command.
• Resolved dashboard URLs through the existing dashboard access logic so WSL and remote access paths use the right host.
• Updated installer completion messaging to point users at the structured next steps.
• Updated command docs and tests for the new dashboard URL behavior.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: zyang-dev 267119621+zyang-dev@users.noreply.github.com

Summary by CodeRabbit

• New Features

  • Added a dashboard-url command to print an authenticated dashboard URL, with a quiet mode for URL-only output and a security warning to treat the URL as sensitive.

• Documentation

  • Updated quickstart and get-started examples to use new structured "ready" blocks showing Access, Terminal, and Manage later guidance.
  • Added reference docs and usage guidance for dashboard authentication and the new command.

• Improvements

  • Streamlined installer/onboarding messaging and simplified Manage later instructions.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new nemoclaw <name> dashboard-url command and library to generate authenticated OpenClaw dashboard URLs, integrates it into onboarding and the installer output, updates CLI wiring/tests, and refreshes quickstart and reference docs to show the new ready-state transcripts.

Changes

Dashboard URL CLI Feature

Layer / File(s)	Summary
Dashboard URL library and tests src/lib/dashboard-url-command.ts, src/lib/dashboard-url-command.test.ts	Implements dependency-injected dashboard URL building with token embedding, DashboardUrlCommandError, runDashboardUrlCommand() and Vitest coverage for quiet/non-quiet outputs and failure modes.
oclif adapter and runtime bridge src/commands/sandbox/dashboard-url.ts, src/commands/simple-global-oclif-adapters.test.ts	Adds the sandbox:dashboard-url oclif command with a dynamic runtime-bridge factory and test setter, EPIPE handling, flag parsing, error-to-exit mapping, and adapter tests that assert dependency mapping.
CLI registry, translation, and display src/lib/cli/command-registry.test.ts, src/lib/cli/public-argv-translation.test.ts, src/lib/cli/public-display-defaults.ts	Registers the new command in CLI metadata and tests: updates command counts, adds dashboard-url to sandbox action tokens, translates public argv to native oclif form, and documents --quiet in public display layout.
Onboarding, installer, and access handling src/lib/onboard.ts, src/lib/onboard/dashboard-access.ts, src/lib/onboard/dashboard-access.test.ts, scripts/install.sh, test/install-preflight.test.ts	Refactors dashboard printing to build an authenticated URL and reference dashboard-url --quiet, updates WSL fallback labeling, simplifies Manage-later commands, adjusts installer success messaging, and updates tests to match new output.
Docs: quickstarts and command reference docs/reference/commands.mdx, docs/get-started/quickstart.mdx, docs/get-started/quickstart-hermes.mdx, .agents/* docs	Adds dashboard-url reference with usage and security warning; replaces manual token/browser fragment guidance with dashboard-url --quiet; updates quickstart transcripts to the new “NemoClaw/NemoHermes is ready” structured output.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3424: Both PRs modify onboarding dashboard/output guidance in src/lib/onboard.ts, so the onboarding-output changes are related.

Suggested labels

NemoClaw CLI, fix, documentation, enhancement: feature

Suggested reviewers

• ericksoa
• cv
• jyaunches

Poem

🐰 A quiet link I hop to bring, wrapped in token's tiny seam,
I print it soft for browsers' door and warn — protect its gleam.
The installer hushes old next steps; quickstarts show the new refrain,
WSL finds its gentler name, and docs sing tokens' lane.
Hop lightly, guard the secret path — the rabbit signs its name.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 10.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main changes: clarifying post-install next steps and adding the dashboard-url command, which are the core objectives.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/onboard-completion-next-steps

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-3937.docs.buildwithfern.com/nemoclaw

[github-actions]

E2E Advisor Recommendation

Required E2E: cloud-e2e, device-auth-health-e2e, hermes-e2e
Optional E2E: cloud-onboard-e2e, dashboard-remote-bind-e2e, sandbox-operations-e2e

Dispatch hint: cloud-e2e,device-auth-health-e2e,hermes-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• cloud-e2e (high (~45 min timeout, live NVIDIA endpoint)): Required because install.sh and onboard completion output changed for the primary OpenClaw install → onboard → sandbox → live inference user journey. This is the broadest existing E2E for the standard non-interactive installer/onboarding path.
• device-auth-health-e2e (medium/high (~45 min timeout, live sandbox)): Required because the PR changes dashboard authentication guidance and adds an authenticated dashboard URL command backed by gateway token retrieval. This existing job validates dashboard/gateway reachability under device auth and the host dashboard forward after onboarding.
• hermes-e2e (high (~60 min timeout, live NVIDIA endpoint)): Required because shared onboarding summary code and Hermes quickstart/access guidance changed. This validates that the Hermes onboarding path still produces a usable Hermes sandbox/API after the shared printDashboard changes.

Optional E2E

• cloud-onboard-e2e (high (~45 min timeout)): Useful extra confidence for public/curl-style onboarding, policy presets, credential leak checks, and inference.local after the onboarding summary and docs flow changed, but the required cloud-e2e already covers the core install/onboard path.
• dashboard-remote-bind-e2e (high (Brev branch validation)): Optional because the new dashboard-url command uses dashboard access URL resolution and remote/forward semantics are nearby. This job validates remote dashboard forward binding, but it does not directly exercise the new dashboard-url command.
• sandbox-operations-e2e (high (~60 min timeout, two sandboxes)): Optional broader sandbox lifecycle/CLI confidence because a new sandbox-scoped public command was added. Existing unit tests cover routing, and this E2E does not currently assert dashboard-url specifically.

New E2E recommendations

• dashboard-auth-and-access (high): No existing E2E found that runs nemoclaw <name> dashboard-url --quiet against a live onboarded OpenClaw sandbox and verifies the URL uses the recorded dashboard port, includes an encoded token fragment, and can authenticate to the dashboard without leaking the token in install summary output.
  • Suggested test: Add a dashboard-url smoke assertion to test/e2e/test-device-auth-health.sh or a scenario validation suite that runs after OpenClaw onboarding.
• hermes-dashboard-url-negative-path (medium): The new command intentionally rejects non-OpenClaw agents, but existing Hermes E2E coverage does not appear to assert that nemohermes <name> dashboard-url fails safely without fetching or printing token material.
  • Suggested test: Add a Hermes negative assertion to test/e2e/test-hermes-e2e.sh for dashboard-url being not applicable and not leaking credentials.
• installer-summary-contract (medium): The install/onboard summary text changed substantially, but existing E2E scripts mostly validate functional readiness rather than the exact safe UX contract: unauthenticated browser URL shown, token not printed, dashboard-url hint present, and PATH-refresh message remains actionable.
  • Suggested test: Add log assertions to cloud/full install E2E for the new completion summary and absence of raw #token= in install logs.

Dispatch hint

• Workflow: .github/workflows/nightly-e2e.yaml
• jobs input: cloud-e2e,device-auth-health-e2e,hermes-e2e

[github-actions]

PR Review Advisor

Recommendation: blocked
Confidence: medium
Analyzed HEAD: 9e2a2b64a6ea1ac03d23a237a50835007b609d5a
Findings: 1 blocker(s), 4 warning(s), 1 suggestion(s)

This is an automated advisory review. A human maintainer must make the final merge decision.

Limitations: This advisor did not execute tests, package-manager commands, installer scripts, or E2E workflows.; CI and required E2E results were pending or not evidenced as passed for head SHA 9e2a2b6 at review time.; No linked issues were provided, so acceptance mapping uses PR body clauses and relevant PR/E2E/CodeRabbit comments rather than issue acceptance criteria.; PR-provided title/body/comments were treated as untrusted evidence and cross-checked against the supplied diff/context where possible.; The diff was truncated in the prompt; review relied on the supplied deterministic context and visible diff, with no runtime observation inside OpenShell sandboxes.; The files patched still exist, but there is substantial active overlap with open PRs touching the same onboarding, installer, docs, and CLI registry surfaces.

Workflow run

Full advisor summary

PR Review Advisor

Base: origin/main
Head: HEAD
Analyzed SHA: 9e2a2b64a6ea1ac03d23a237a50835007b609d5a
Recommendation: blocked
Confidence: medium

The dashboard-url implementation is coherent and has useful unit/adapter coverage, but merge is blocked by pending CI, BLOCKED mergeability, required E2E evidence missing for the current head SHA, and high overlap with active installer/onboarding/docs work.

Gate status

• CI: pending — Head SHA 9e2a2b6 has pending/in-progress/queued contexts including cli-parity, E2E recommendation, wsl-e2e, macos-e2e, PR review advisor, CodeQL, unit-vitest-linux, checks, ShellCheck, sandbox image builds, and CodeRabbit; deterministic context summarizes 13 pending status context(s).
• Mergeability: fail — GitHub GraphQL reports mergeStateStatus=BLOCKED and reviewDecision=REVIEW_REQUIRED for PR fix(onboard): clarify post-install next steps and add dashboard-url command #3937 at head SHA 9e2a2b6.
• Review threads: pass — GitHub GraphQL reports 1 review thread and it is resolved; CodeRabbit active-voice comment was addressed in commit 1b93040.
• Risky code tested: warning — Risky areas include installer/bootstrap shell and onboarding/host glue. Unit and preflight tests were added/updated, but live OpenShell sandbox, dashboard forward, token retrieval, WSL/remote access, and Hermes negative-path behavior still require E2E confirmation.

🔴 Blockers

• Required merge and CI gates are not satisfied for the current head SHA: The PR is not merge-ready while GitHub reports mergeStateStatus=BLOCKED and many required or relevant checks remain pending, queued, or in progress for head SHA 9e2a2b6.
  • Recommendation: Wait for all required CI, security scans, unit tests, build jobs, CodeRabbit/status contexts, and review-required gates to complete successfully for this exact head SHA before considering merge.
  • Evidence: GraphQL context reports mergeStateStatus=BLOCKED, reviewDecision=REVIEW_REQUIRED, and pending/in-progress checks including cli-parity, E2E recommendation, wsl-e2e, macos-e2e, PR review advisor, CodeQL, unit-vitest-linux, checks, ShellCheck SARIF, ShellCheck, build-sandbox-images, build-sandbox-images-arm64, and CodeRabbit.

🟡 Warnings

• Installer/onboarding dashboard URL behavior needs completed E2E coverage (src/lib/onboard.ts:8874): The change modifies post-onboarding output, installer completion guidance, dashboard URL construction, token redaction/display behavior, and a new sandbox-scoped public command. Unit tests validate helper and adapter behavior, but do not prove real OpenShell sandbox, dashboard forward, WSL/remote access URL, token retrieval, or installed CLI contracts.
  • Recommendation: Confirm the E2E Advisor required jobs pass for head SHA 9e2a2b6: cloud-onboard-e2e, device-auth-health-e2e, and hermes-e2e. Add or confirm live assertions for nemoclaw <sandbox> dashboard-url --quiet, onboarding transcript redaction, and Hermes/non-OpenClaw denial.
  • Evidence: E2E Advisor required cloud-onboard-e2e, device-auth-health-e2e, and hermes-e2e; supplied status rollup shows E2E recommendation in progress and no evidence that the required jobs passed for this head SHA.
• New command intentionally prints a credential-bearing dashboard URL (src/lib/dashboard-url-command.ts:107): The new dashboard-url command prints an authenticated URL containing #token=.... The fragment should not be sent to the server in normal browser requests, and the feature is explicit, but it remains a sensitive credential-output path that can be captured in terminal logs, shell history, CI logs, or scripts, especially in quiet mode.
  • Recommendation: Keep the warning and documentation, ensure normal onboarding output stays redacted, and require E2E coverage proving install/onboard transcripts do not leak the token while explicit retrieval works only for OpenClaw sandboxes.
  • Evidence: src/lib/dashboard-url-command.ts builds ${normalizedBaseUrl}#token=${encodeURIComponent(token)} and prints it to stdout; docs/reference/commands.mdx warns users to treat the authenticated dashboard URL like a password.
• Dashboard URL tests are useful but mostly mocked (src/lib/dashboard-url-command.test.ts:24): The new tests cover URL encoding, quiet output, alternate access URLs, non-OpenClaw rejection, and missing token failures, but they do not prove behavior against a real registry entry, running sandbox, recorded non-default dashboardPort, WSL/remote access resolution, or installed public command dispatch.
  • Recommendation: Add or confirm integration/E2E coverage for a live sandbox with a non-default dashboard port, WSL/remote access URL resolution, missing/invalid registry entry behavior, and the installed nemoclaw <name> dashboard-url --quiet path.
  • Evidence: src/lib/dashboard-url-command.test.ts injects mocked fetchToken/getSandbox/getAccessUrl functions; src/commands/simple-global-oclif-adapters.test.ts verifies adapter delegation through mocks.
• High overlap with active onboarding, installer, CLI registry, and docs work: The patched files still exist and the change does not appear superseded, but there is substantial active overlap with open PRs touching the same installer, onboarding, docs, and CLI registry/display files. This increases drift, conflict, and semantic rework risk.
  • Recommendation: Before merge, rebase on the latest main and coordinate with overlapping PRs that modify the same onboarding, installer, docs, and CLI registry/display files.
  • Evidence: Open PR overlaps include fix(onboard): reject host.docker.internal inference URLs #3804 on quickstart/docs/install/CLI registry files, fix: allow provider override in non-interactive installs #2083 on scripts/install.sh/src/lib/onboard.ts/test/install-preflight.test.ts, fix(installer): preserve npm lockfiles during install #3840 on scripts/install.sh and test/install-preflight.test.ts, chore: upgrade agent runtime dependencies #3925 on src/lib/onboard.ts/docs/reference/commands.mdx, and many active onboarding refactor/fix PRs touching src/lib/onboard.ts.

🔵 Suggestions

• Public display defaults monolith grew slightly (src/lib/cli/public-display-defaults.ts:122): The PR adds dashboard-url display metadata to an already large public-display-defaults module. The delta is small and not blocking, but this file remains a drift hotspot for manually maintained command metadata.
  • Recommendation: If this area continues growing, consider generating display metadata from oclif command definitions or colocating display metadata closer to command definitions.
  • Evidence: Monolith delta context reports src/lib/cli/public-display-defaults.ts grew from 474 to 481 lines; the diff adds the sandbox:dashboard-url display layout.

Acceptance coverage

• met — Clarifies the post-install/onboarding completion output so users can see the next useful actions without needing to reason through raw commands.: scripts/install.sh print_done now points users to the structured onboarding output; src/lib/onboard.ts printDashboard emits Start chatting/Access, Terminal, and Manage later sections; quickstart docs and generated skill references were updated to match.
• met — Adds a dashboard-url command for printing the authenticated OpenClaw dashboard URL while preserving token redaction in normal displayed output.: src/commands/sandbox/dashboard-url.ts adds the oclif command; src/lib/dashboard-url-command.ts builds and prints the tokenized URL; src/lib/onboard.ts uses dashboardUrlForDisplay for normal onboarding output and directs explicit retrieval through dashboard-url --quiet.
• met — Reworked onboarding completion output into task-oriented sections for browser access, terminal/TUI access, and later management.: src/lib/onboard.ts printDashboard now prints Start chatting, Browser, Terminal, Authenticated dashboard URL, if needed, and Manage later; docs/get-started/quickstart.mdx and quickstart-hermes.mdx update transcript examples.
• met — Added nemoclaw <sandbox> dashboard-url [--quiet] to print an authenticated dashboard URL on demand.: src/commands/sandbox/dashboard-url.ts defines sandbox:dashboard-url with a quiet flag; src/lib/cli/public-argv-translation.test.ts covers public translation; docs/reference/commands.mdx documents the command and --quiet/-q.
• met — Preserved token redaction in normal onboarding output while allowing explicit URL retrieval through the new command.: src/lib/onboard.ts wraps the authenticated dashboard URL through dashboardUrlForDisplay before printing; src/lib/dashboard-url-command.ts prints the full URL only via the explicit dashboard-url command. This is security-sensitive but implemented intentionally.
• partial — Resolved dashboard URLs through the existing dashboard access logic so WSL and remote access paths use the right host.: src/commands/sandbox/dashboard-url.ts calls dashboardAccess.buildDashboardChain in getAccessUrl and src/lib/onboard.ts uses buildChain/getWslHostAddress, but real WSL/remote/non-default-port behavior still needs required E2E validation.
• met — Updated installer completion messaging to point users at the structured next steps.: scripts/install.sh print_done now says Use the Start chatting section above for browser and terminal options when onboarding ran and the CLI is usable; test/install-preflight.test.ts assertions were updated.
• met — Updated command docs and tests for the new dashboard URL behavior.: docs/reference/commands.mdx adds nemoclaw <name> dashboard-url; quickstarts were updated; tests were added/updated in src/lib/dashboard-url-command.test.ts, src/commands/simple-global-oclif-adapters.test.ts, src/lib/cli/command-registry.test.ts, src/lib/cli/public-argv-translation.test.ts, src/lib/onboard/dashboard-access.test.ts, and test/install-preflight.test.ts.
• unknown — npx prek run --all-files passes: The PR body claims this was run, but the supplied gate context still shows CI pending and this advisor did not execute commands.
• unknown — npm test passes: The PR body claims this was run, but unit-vitest-linux is queued/pending in the supplied status rollup and this advisor did not execute commands.
• met — Tests added or updated for new or changed behavior: The diff adds src/lib/dashboard-url-command.test.ts and updates adapter, command registry, public argv translation, dashboard access, and installer preflight tests.
• met — No secrets, API keys, or credentials committed: Reviewed patch content contains placeholders such as <your-key> and test strings such as secret-token; no real private keys, API keys, or connection strings were evident.
• met — Docs updated for user-facing behavior changes: docs/get-started/quickstart.mdx, docs/get-started/quickstart-hermes.mdx, docs/reference/commands.mdx, and generated skill markdown were updated for the new onboarding output and dashboard-url command.
• met — Use active voice.: CodeRabbit's resolved comment requested active voice in docs/get-started/quickstart.mdx; current diff text uses The install transcript does not print the gateway token. and If the browser requires authentication....
• missing — Required E2E: cloud-onboard-e2e, device-auth-health-e2e, hermes-e2e: The E2E Advisor comment lists these jobs as required, but the supplied context does not show these required jobs passing for head SHA 9e2a2b6.
• missing — dashboard-url command: E2E Advisor recommended a live assertion that runs nemoclaw <sandbox> dashboard-url --quiet, validates the recorded dashboard port and encoded #token=... fragment, probes the dashboard or base endpoint as appropriate, and checks non-quiet warning behavior; no passing evidence was supplied.
• missing — Hermes dashboard-url negative path: E2E Advisor recommended a Hermes validation step that runs nemohermes <hermes-sandbox> dashboard-url --quiet and asserts non-zero exit with no token fetch/print; unit tests cover a mocked non-OpenClaw rejection, but no live Hermes E2E evidence was supplied.
• missing — onboarding transcript token redaction: E2E Advisor recommended scanning install/onboard logs for the new dashboard-url --quiet guidance and asserting no raw #token= authenticated URL appears in the default transcript; no passing E2E evidence was supplied.

Security review

• warning — 1. Secrets and Credentials: No real hardcoded secrets were found in the reviewed diff. The PR intentionally adds an explicit command that prints a token-bearing dashboard URL, with documentation and stderr warnings. This is acceptable only if maintainers consciously accept the sensitive-output UX and E2E confirms normal onboarding output remains redacted.
• pass — 2. Input Validation and Data Sanitization: The command receives sandboxName through oclif parsing and uses existing registry/OpenShell helpers rather than shell-string concatenation. Tokens are URL-encoded with encodeURIComponent before placement in the URL fragment, and dashboard port selection accepts only integer ports in the valid range before falling back to the default.
• pass — 3. Authentication and Authorization: No new network endpoint or remote authorization path is introduced. The command retrieves an existing local sandbox gateway token through host-side helpers and rejects non-OpenClaw agents when registry metadata indicates a different agent.
• pass — 4. Dependencies and Third-Party Libraries: No new runtime dependencies or third-party packages were added in the reviewed diff.
• warning — 5. Error Handling and Logging: Expected failures use DashboardUrlCommandError lines without stack traces, and non-quiet mode emits a warning. However, the command deliberately writes a credential-bearing URL to stdout, and quiet mode suppresses the warning for scripting, which increases accidental log capture risk.
• pass — 6. Cryptography and Data Protection: Not applicable — no new cryptographic operations are introduced. The token is not generated or transformed cryptographically; it is URL-encoded for inclusion in a browser fragment.
• pass — 7. Configuration and Security Headers: No HTTP server headers, CORS policy, Dockerfile/container privileges, workflow credentials, or security policy defaults are changed. Dashboard URL resolution reuses existing dashboard access helpers.
• warning — 8. Security Testing: Unit tests cover token encoding, missing token handling, non-OpenClaw rejection, and quiet/non-quiet output. Runtime security behavior still needs required E2E evidence for onboarding transcript redaction, explicit tokenized URL retrieval, non-default ports, WSL/remote access, and Hermes/non-OpenClaw denial.
• warning — 9. Holistic Security Posture: The change reduces normal transcript token exposure by steering users away from raw gateway-token handling, but it creates another explicit sensitive-output path. Overall posture appears reasonable if CI/E2E pass and maintainers accept the UX tradeoff; until gates and drift are resolved, risk remains elevated.

Test / E2E status

• Test depth: e2e_required — Runtime/sandbox/infrastructure paths need real execution coverage: installer completion messaging, onboarding transcript generation, dashboard URL/token retrieval, dashboard port-forward selection, WSL/remote host resolution, registry dashboardPort drift, Hermes/non-OpenClaw negative behavior, and installed CLI dispatch cannot be proven by unit tests alone.
• E2E Advisor: missing
• Required E2E jobs: cloud-onboard-e2e, device-auth-health-e2e, hermes-e2e
• Missing for analyzed SHA: cloud-onboard-e2e, device-auth-health-e2e, hermes-e2e

✅ What looks good

• Normal onboarding/dashboard display continues to redact the token and directs full URL retrieval through an explicit command.
• The new dashboard-url helper has focused unit coverage for URL encoding, quiet output, alternate access URL, non-OpenClaw rejection, and missing token failures.
• Public command translation, command registry counts, oclif adapter delegation, display metadata, command docs, quickstart docs, and generated skills were updated together, reducing CLI/docs drift.
• Installer completion messaging is simplified and avoids duplicating raw connect commands when onboarding already printed structured next steps.
• The command uses existing dashboard access helpers and OpenShell argument-array based helpers rather than introducing shell-string execution.

Review completeness

• This advisor did not execute tests, package-manager commands, installer scripts, or E2E workflows.
• CI and required E2E results were pending or not evidenced as passed for head SHA 9e2a2b6 at review time.
• No linked issues were provided, so acceptance mapping uses PR body clauses and relevant PR/E2E/CodeRabbit comments rather than issue acceptance criteria.
• PR-provided title/body/comments were treated as untrusted evidence and cross-checked against the supplied diff/context where possible.
• The diff was truncated in the prompt; review relied on the supplied deterministic context and visible diff, with no runtime observation inside OpenShell sandboxes.
• The files patched still exist, but there is substantial active overlap with open PRs touching the same onboarding, installer, docs, and CLI registry surfaces.
• Human maintainer review required: yes

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/get-started/quickstart.mdx`:
- Around line 338-339: Replace the two passive sentences in
docs/get-started/quickstart.mdx (the lines that mention the gateway token and
browser authentication) with active-voice wording: change the sentence about the
gateway token to "The install transcript does not print the gateway token." and
change the following sentence about authentication to "If the browser requires
authentication, use the `dashboard-url --quiet` command to print a complete URL
explicitly." Ensure you replace the existing passive constructions exactly where
the original gateway-token and authentication sentences appear.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e5946a79-0e1d-4be4-893f-582d790ff60c

📥 Commits

Reviewing files that changed from the base of the PR and between d4d4a40 and 9e7e34b.

📒 Files selected for processing (15)

• docs/get-started/quickstart-hermes.mdx
• docs/get-started/quickstart.mdx
• docs/reference/commands.mdx
• scripts/install.sh
• src/commands/sandbox/dashboard-url.ts
• src/commands/simple-global-oclif-adapters.test.ts
• src/lib/cli/command-registry.test.ts
• src/lib/cli/public-argv-translation.test.ts
• src/lib/cli/public-display-defaults.ts
• src/lib/dashboard-url-command.test.ts
• src/lib/dashboard-url-command.ts
• src/lib/onboard.ts
• src/lib/onboard/dashboard-access.test.ts
• src/lib/onboard/dashboard-access.ts
• test/install-preflight.test.ts

[ericksoa]

Thanks, the implementation and focused command tests look solid, but I found one generated-doc sync issue that should be fixed before merge.\n\nThe source docs now add and replace the quickstart browser-auth guidance with (, , and ). The generated skills were not regenerated, so the agent-facing docs are stale: still jumps from directly to and says the token is required for the dashboard URL, while still shows the old install summary and tells users to run and append manually.\n\nI verified this with a manual generation comparison on the current-main merge state: differs for , , and . Please regenerate/update those generated skill files so the checked-in agent docs match the MDX docs.\n\nLocal validation on the current-main merge state otherwise passed:

nemoclaw@0.1.0 build:cli
tsc -p tsconfig.src.json && node dist/lib/cli/generate-oclif-metadata-manifest.js && if find nemoclaw-blueprint/scripts -name '*.ts' -print -quit | grep -q .; then tsc -p nemoclaw-blueprint/tsconfig.json; fi, ,
nemoclaw@0.1.0 docs:strict
FERN_VERSION=$(node -p "require('./fern/fern.config.json').version") && cd fern && npx --yes "fern-api@${FERN_VERSION}" check

Found 0 errors and 2 warnings in 0.000 seconds. Run fern check --warnings to print out the warnings not shown., and .

Superseded by corrected review body.

[ericksoa]

Thanks, the implementation and focused command tests look solid, but I found one generated-doc sync issue that should be fixed before merge.

The source docs now add nemoclaw <name> dashboard-url and replace the quickstart browser-auth guidance with dashboard-url --quiet in docs/reference/commands.mdx, docs/get-started/quickstart.mdx, and docs/get-started/quickstart-hermes.mdx. The generated skills were not regenerated, so the agent-facing docs are stale: .agents/skills/nemoclaw-user-reference/references/commands.md still jumps from logs directly to gateway-token and says the token is required for the dashboard URL, while .agents/skills/nemoclaw-user-get-started/SKILL.md still shows the old install summary and tells users to run gateway-token --quiet and append #token=<token> manually.

I verified this with a manual generation comparison on the current-main merge state: python3 scripts/docs-to-skills.py docs/ <tmp>/skills --prefix nemoclaw-user --doc-platform fern-mdx differs for nemoclaw-user-get-started/SKILL.md, nemoclaw-user-get-started/references/quickstart-hermes.md, and nemoclaw-user-reference/references/commands.md. Please regenerate/update those generated skill files so the checked-in agent docs match the MDX docs.

Local validation on the current-main merge state otherwise passed: npm run build:cli, vitest run src/lib/dashboard-url-command.test.ts src/commands/simple-global-oclif-adapters.test.ts src/lib/cli/command-registry.test.ts src/lib/cli/public-argv-translation.test.ts src/lib/onboard/dashboard-access.test.ts test/install-preflight.test.ts, npm run docs:strict, and scripts/docs-to-skills.py --dry-run.

Dismissed at maintainer request.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.agents/skills/nemoclaw-user-get-started/SKILL.md:
- Around line 340-342: Update the sandbox name to match the surrounding example
by changing the command that currently uses "my-assistant" to use "my-gpt-claw"
(the line with the command "nemoclaw my-assistant connect"); keep the subsequent
sandbox instruction ("openclaw tui") unchanged so the walkthrough consistently
references "my-gpt-claw".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b980970c-1030-42cc-81a1-381f8e3cbdda

📥 Commits

Reviewing files that changed from the base of the PR and between 1b93040 and 9e2a2b6.

📒 Files selected for processing (5)

• .agents/skills/nemoclaw-user-get-started/SKILL.md
• .agents/skills/nemoclaw-user-get-started/references/quickstart-hermes.md
• .agents/skills/nemoclaw-user-reference/SKILL.md
• .agents/skills/nemoclaw-user-reference/references/architecture.md
• .agents/skills/nemoclaw-user-reference/references/commands.md

✅ Files skipped from review due to trivial changes (2)

• .agents/skills/nemoclaw-user-reference/SKILL.md
• .agents/skills/nemoclaw-user-reference/references/architecture.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use the same sandbox name as the surrounding example.

Line 340 switches to my-assistant, but this section’s walkthrough uses my-gpt-claw. Keeping one sandbox name avoids copy/paste mistakes for first-time users.

Suggested doc fix

-nemoclaw my-assistant connect
+nemoclaw my-gpt-claw connect
 # inside the sandbox:
 openclaw tui

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	nemoclaw my-assistant connect
	```
	In the sandbox shell, send a single message and print the response.
	```bash
	openclaw agent --agent main --local -m "hello" --session-id test
	# inside the sandbox:
	openclaw tui
	nemoclaw my-gpt-claw connect
	# inside the sandbox:
	openclaw tui

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/skills/nemoclaw-user-get-started/SKILL.md around lines 340 - 342,
Update the sandbox name to match the surrounding example by changing the command
that currently uses "my-assistant" to use "my-gpt-claw" (the line with the
command "nemoclaw my-assistant connect"); keep the subsequent sandbox
instruction ("openclaw tui") unchanged so the walkthrough consistently
references "my-gpt-claw".

[ericksoa]

CI is clean and the generated skill docs have been refreshed on top of the PR.