fix(install): add Docker group access security note in install flow and docs #4011
…nd docs Signed-off-by: zyang-dev <267119621+zyang-dev@users.noreply.github.com>
📝 Walkthrough
Adds Docker-access warning text in two docs, expands installer messaging when the user lacks docker-group membership, and updates the onboarding preflight remediation reason to include security rationale and a link to Docker daemon attack-surface guidance.
Changes: Docker Group Access Security Communication
🌿 Preview your docs: https://nvidia-preview-pr-4011.docs.buildwithfern.com/nemoclaw
🧹 Nitpick comments (2)
docs/get-started/prerequisites.mdx (1)
39-40: ⚡ Quick win: Use inline code formatting for the `docker` group references.
Please wrap `docker` as inline code in this warning text for consistency with docs formatting rules.
As per coding guidelines: "CLI commands, file paths, flags, parameter names, and values must use inline `code` formatting."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/get-started/prerequisites.mdx` around lines 39 - 40, Update the warning text so all occurrences of the docker group use inline code formatting: replace the plain text "docker" where it references the group (e.g., "docker group" and "Docker group members") with inline `docker` code formatting to match docs guidelines and ensure consistency in the "On personal Linux development machines..." warning paragraph.
docs/reference/troubleshooting.mdx (1)
85-86: ⚡ Quick win: Format `docker` as inline code in this warning.
Use inline code for the `docker` group mentions to match the docs formatting standard.
As per coding guidelines: "CLI commands, file paths, flags, parameter names, and values must use inline `code` formatting."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/reference/troubleshooting.mdx` around lines 85 - 86, Update the warning sentence to format the docker group name as inline code: replace plain occurrences of the word docker (e.g., "docker group", "Docker group members") with backticked `docker` so CLI/group mentions follow the docs' inline `code` formatting standard; ensure both instances in the warning use `docker` and preserve the rest of the wording and punctuation.
📒 Files selected for processing (4)
- docs/get-started/prerequisites.mdx
- docs/reference/troubleshooting.mdx
- scripts/install.sh
- src/lib/onboard/preflight.ts
PR Review Advisor
Recommendation: blocked
This is an automated advisory review. A human maintainer must make the final merge decision.
Limitations:
- Review used the provided trusted deterministic context and diff; no scripts, tests, package-manager commands, or E2E workflows were executed by this advisor.
- No linked issues were present, so acceptance mapping is based on PR-described clauses and E2E Advisor comment clauses rather than issue acceptance criteria.
- Review thread state was unavailable; GraphQL reviewDecision=REVIEW_REQUIRED indicates maintainer review remains required.
- Line numbers are based on the provided diff context and may need confirmation in the GitHub UI after rebases.
- The E2E status assessment is based on the provided status rollup; required E2E job pass evidence for the current head SHA was not present.
- PR-provided titles, bodies, comments, and bot summaries were treated as untrusted evidence and cross-checked against trusted deterministic context and diff where possible.
Full advisor summary
The Docker group privilege-warning changes are security-positive and focused, but the PR remains blocked by mergeStateStatus=BLOCKED and missing required E2E evidence for the current head SHA.
…arning text Signed-off-by: zyang-dev <267119621+zyang-dev@users.noreply.github.com>
🧹 Nitpick comments (1)
docs/reference/troubleshooting.mdx (1)
1200-1213: ⚡ Quick win: Rewrite passive constructions to use active voice.
Several sentences use passive voice where active voice would be clearer:
- Line 1202: "When NemoClaw runs inside WSL, it checks..." is good, but later "Ollama is installed" is passive
- Line 1203: "daemon is not reachable" → prefer "you cannot reach the daemon" or "the wizard cannot reach the daemon"
- Line 1205: "PowerShell interop is enabled" → prefer "WSL has PowerShell interop enabled" or "you have enabled PowerShell interop"
- Line 1211: "process is missing" → prefer "the process does not exist"
- Line 1212: "endpoint is unreachable" → prefer "you cannot reach the endpoint"
As per coding guidelines, active voice is required throughout documentation. The guideline example shows: Bad: "A gateway is created by the CLI." Good: "The CLI creates a gateway."
Additionally, four consecutive sentences begin with "If" (lines 1203, 1205, 1211, 1212), which reduces readability. Consider varying sentence structure.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/reference/troubleshooting.mdx` around lines 1200 - 1213, Rewrite the passive sentences in the "Windows-host Ollama is installed but not shown during onboarding" section to active voice and vary sentence openings: change "Ollama is installed but the daemon is not reachable" to "You have Ollama installed but cannot reach the daemon" or "the wizard cannot reach the daemon"; change "daemon is not reachable" occurrences to "you cannot reach the daemon" or "the wizard cannot reach the endpoint"; change "PowerShell interop is enabled in WSL" to "you have enabled PowerShell interop in WSL" or "WSL has PowerShell interop enabled"; change "process is missing" to "the process does not exist" and "endpoint is unreachable" to "you cannot reach the endpoint"; also reduce repetitive sentence openings by combining or reordering the four consecutive "If" sentences for clearer flow while preserving the original troubleshooting steps and commands.
📒 Files selected for processing (2)
- docs/reference/troubleshooting.mdx
- scripts/install.sh
✅ Files skipped from review due to trivial changes (1)
- scripts/install.sh
Selective E2E Results — ✅ All requested jobs passed
Run: 26255963909
Audit found the v0.0.49 release notes promised behaviors that did not ship or were never implemented. Realign to the actual code on main.

- Drop the EXDEV runtime-deps claim: #3820 was reverted by #4051 in this release window, so the behavior is not present.
- Drop the "skip broad permission repair" claim: no corresponding commit in v0.0.48..v0.0.49.
- Rewrite the gateway probe classifier list in release-notes.mdx and commands.mdx to match the real states emitted by src/lib/status-command-deps.ts (named gateway unreachable / present but not Connected / pointing at a different name / not configured). The previous "non-JSON health response" example did not exist in code.
- Expand the channel-removal bullet to describe #4001's user-visible teardown (durable QR-paired state wipe, abort-on-failure, config.json re-sync) in addition to the existing #4013 sync.
- Add bullets for user-visible PRs that were merged in the release window but missing from the notes: #3854 (restricted dmesg in debug output), #3866 (shields status and logs --tail UX), #3984 (Hermes messaging policy scoping), and #4011 (Docker group security note).

Regenerated nemoclaw-user-overview and nemoclaw-user-reference skills from the updated docs via scripts/docs-to-skills.py.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Refreshes the NemoClaw docs for the v0.0.49 hardening release, including release notes, command reference updates, troubleshooting guidance, version metadata, and regenerated user skills.

## Changes

- #3796, #3854, #3863, #3866, #3984, #4001, #4011, #4013, #4020, #4022, #4023, #4060, #4062 -> `docs/about/release-notes.mdx`: Adds the v0.0.49 hardening release summary covering gateway reliability, status/doctor/shields and debug UX, OpenClaw compatibility, messaging channel teardown, Hermes policy scoping, snapshots, source installs and Docker group security note, GPU preflight, CLI usage, E2E, and CI improvements.
- #3796 -> `docs/manage-sandboxes/backup-restore.mdx` and `docs/reference/commands.mdx`: Documents `snapshot restore --to` overwrite protection and the `--force` opt-in.
- #3863, #4013, #4020, #4023 -> `docs/reference/commands.mdx`: Documents missing channel argument usage, sandbox-scoped custom preset matching, session policy preset sync, and gateway failure classification (uses the real probe states from `src/lib/status-command-deps.ts`).
- #4022, #4060, #4062 -> `docs/reference/troubleshooting.mdx`: Adds guidance for gateway-down `connect`, source checkout OpenShell bootstrapping, WDDM placeholder GPU names, and Jetson sandbox GPU passthrough.
- Release prep -> `docs/project.json`, `docs/versions1.json`, `.agents/skills/nemoclaw-user-*`: Bumps docs metadata to 0.0.49 and refreshes generated user skills from the Fern docs.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Verification

- [x] `npx prek run --all-files` passes
- [ ] `npm test` passes
- [ ] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [x] Docs updated for user-facing behavior changes
- [ ] `make docs` builds without warnings (doc changes only)
- [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

`make docs` was attempted locally but did not complete because `npm` returned `403 Forbidden` while fetching `fern-api` from `registry.npmjs.org` in the sandboxed environment.

---

Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>

## Summary by CodeRabbit

* **Documentation**
  * Released v0.0.49 with reliability and compatibility improvements including faster gateway failure diagnostics and safer snapshot restore behavior
  * Enhanced snapshot restore documentation with `--to` cloning and `--force` overwrite requirements
  * Expanded troubleshooting guides for source installs, GPU setup, and gateway recovery
  * Clarified Docker group access requirements and improved CLI command reference
* **Chores**
  * Version bumped to 0.0.49

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Adds Docker group security context to the Linux install and onboarding guidance so users understand both why NemoClaw needs Docker access and the privilege impact of granting it.
Changes
Type of Change
Verification
- `npx prek run --all-files` passes
- `npm test` passes
- `make docs` builds without warnings (doc changes only)

Signed-off-by: zyang-dev <267119621+zyang-dev@users.noreply.github.com>
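
The privilege impact described in this PR applies to every account that holds `docker` group access, because members can drive the root-owned Docker daemon. The following is an added example, not code from this PR or from NemoClaw's installer: a POSIX shell audit that lists those accounts, including ones whose primary group is `docker` and that therefore never show up in the group's member list. The function names and the sample group and passwd files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NemoClaw code: list accounts with docker-group access.

# docker_group_users GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one username per line, sorted and de-duplicated.
docker_group_users() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-docker}

    # group(5) format: name:password:GID:member1,member2
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0   # group absent: nobody gains access through it

    {
        # Supplementary members listed in the group entry itself.
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary GID is the group's GID are not in that
        # member list, so take them from passwd(5) (field 4 is the GID).
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample files (hypothetical accounts) for an offline run.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:alice,ci-runner
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci-runner:x:1002:1002::/home/ci-runner:/usr/sbin/nologin
builder:x:1003:998::/home/builder:/bin/bash
EOF
    docker_group_users "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a live host, pass `/etc/group` and `/etc/passwd`; where accounts come from a directory service, save the output of `getent group` and `getent passwd` to files and pass those instead.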