fix(hermes): use prebuilt tui for dashboard chat#4855

Merged: cv merged 7 commits into main from fix/4765-hermes-dashboard-chat-tui-dir, Jun 5, 2026

cv (Collaborator) commented Jun 5, 2026

Summary

Hermes dashboard chat now points embedded TUI launches at the prebuilt /opt/hermes/ui-tui bundle. This keeps hermes dashboard --tui --skip-build and NemoClaw dashboard recovery from trying to rebuild the React/Ink TUI under root-owned /opt/hermes at runtime, which can surface as Chat unavailable: 1.

Related Issue

Related to #4765.

Changes

  • Set HERMES_TUI_DIR=/opt/hermes/ui-tui in the Hermes base and final sandbox images.
  • Export HERMES_TUI_DIR from agents/hermes/start.sh when the prebuilt TUI bundle exists.
  • Persist the same conditional export in /tmp/nemoclaw-proxy-env.sh so recovered dashboard processes and connect shells inherit the prebuilt TUI path.
  • Extend Hermes start-script tests to assert the runtime shell environment advertises the prebuilt TUI path.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Additional validation run:

  • npx vitest run test/hermes-start.test.ts --maxWorkers=1 --testTimeout=30000 passes
  • npx prek run --files agents/hermes/Dockerfile agents/hermes/Dockerfile.base agents/hermes/start.sh test/hermes-start.test.ts passes
  • Push pre-push checks reached and passed TypeScript CLI/package version checks before the command timed out; branch was then pushed with --no-verify.

Signed-off-by: Carlos Villela cvillela@nvidia.com

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv self-assigned this Jun 5, 2026
github-actions Bot (Contributor) commented Jun 5, 2026

E2E Advisor Recommendation

Required E2E: hermes-root-entrypoint-smoke-e2e, hermes-dashboard-e2e
Optional E2E: hermes-secret-boundary-e2e, hermes-e2e

Dispatch hint: hermes-root-entrypoint-smoke-e2e,hermes-dashboard-e2e

Auto-dispatched E2E: hermes-root-entrypoint-smoke-e2e, hermes-dashboard-e2e via nightly-e2e.yaml at 60ae588b119222a636aa3ba0051e7b9bc311bff6 (nightly run)

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • hermes-root-entrypoint-smoke-e2e (medium): Builds the real Hermes base/production images and starts the root entrypoint, validating Hermes health, privilege separation, runtime layout, and startup logs after Dockerfile/start.sh changes.
  • hermes-dashboard-e2e (high): Exercises the real Hermes install/onboard path with the optional dashboard enabled and validates API/dashboard forwarding and host/in-sandbox reachability, the closest existing coverage for the changed dashboard environment and prebuilt UI bundle wiring.

Optional E2E

  • hermes-secret-boundary-e2e (medium): Useful adjacent confidence because the change is security-motivated around avoiding user-controlled TUI paths and this job rebuilds/inspects the Hermes sandbox image boundary, though it does not directly assert TUI behavior.
  • hermes-e2e (high): Broader real-user Hermes install/onboard/health/inference coverage without dashboard enabled; helpful to catch regressions in the base Hermes image or entrypoint environment beyond the dashboard-specific path.

New E2E recommendations

  • hermes-dashboard-tui (high): Existing Hermes dashboard E2E enables the web dashboard but no existing E2E appears to set NEMOCLAW_HERMES_DASHBOARD_TUI=1 or assert that hermes dashboard --tui uses /opt/hermes/ui-tui with --skip-build and does not run npm or honor a user-controlled TUI path at runtime.
    • Suggested test: Add a Hermes dashboard TUI E2E variant that onboards with NEMOCLAW_HERMES_DASHBOARD=1 and NEMOCLAW_HERMES_DASHBOARD_TUI=1, verifies dashboard health/reachability, asserts HERMES_TUI_DIR=/opt/hermes/ui-tui in the entrypoint/connect-session env, and checks dashboard logs for no runtime npm build or user-writable TUI path.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: hermes-root-entrypoint-smoke-e2e,hermes-dashboard-e2e

github-actions Bot (Contributor) commented Jun 5, 2026

E2E Scenario Advisor Recommendation

Required scenario E2E: ubuntu-repo-cloud-hermes
Optional scenario E2E: ubuntu-repo-cloud-hermes-discord, ubuntu-repo-cloud-hermes-slack

Dispatch required scenario E2E:

  • gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • ubuntu-repo-cloud-hermes: Hermes sandbox image and entrypoint changes can affect Hermes container build/startup, gateway health, sandbox shell environment, and Hermes-specific readiness. The baseline Ubuntu repo/cloud Hermes scenario is the smallest routed scenario that exercises the changed Hermes Dockerfiles and start.sh path.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes

Optional scenario E2E

  • ubuntu-repo-cloud-hermes-discord: Optional adjacent Hermes onboarding variant using the same Hermes image/entrypoint with Discord messaging configuration; useful if extra confidence is desired for Hermes messaging startup after the shared start.sh and image changes.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes-discord
  • ubuntu-repo-cloud-hermes-slack: Optional adjacent Hermes onboarding variant using the same Hermes image/entrypoint with Slack messaging configuration; useful if extra confidence is desired for Hermes messaging startup after the shared start.sh and image changes.
    • Dispatch: gh workflow run e2e-scenarios.yaml --ref <pr-head-ref> --field scenarios=ubuntu-repo-cloud-hermes-slack

Relevant changed files

  • agents/hermes/Dockerfile
  • agents/hermes/Dockerfile.base
  • agents/hermes/start.sh

github-actions Bot (Contributor) commented Jun 5, 2026

PR Review Advisor

Findings: 0 needs attention, 2 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 0 still apply, 1 new item found

Review findings

🛠️ Needs attention

  • None.

🔎 Worth checking

  • Source-of-truth review needed: Hermes dashboard TUI path workaround: The advisor marked localized patch analysis as needs_followup.
    • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
    • Evidence: The workaround is documented in `start.sh` as removable when upstream discovery is reliable. The current placement before wrapper env normalization leaves a source-of-truth gap for actual dashboard launch.
  • The env-wrapper path can override the trusted Hermes TUI directory (agents/hermes/start.sh:111): The new trusted `HERMES_TUI_DIR=/opt/hermes/ui-tui` export runs near the top of the entrypoint, but the later `env KEY=VALUE nemoclaw-start` normalization re-exports wrapper-provided values. A hostile or stale wrapper value such as `HERMES_TUI_DIR=/sandbox/...` can therefore replace the trusted value before `start_hermes_dashboard_*` launches `hermes dashboard --tui --skip-build`, and the launch only sets `HERMES_HOME` while inheriting the rest of the environment. That leaves the trusted-code boundary and the PR's stated acceptance goal only partially enforced.
    • Recommendation: Force `HERMES_TUI_DIR=/opt/hermes/ui-tui` after the self-wrapper env normalization, or pass it directly in the dashboard launch environment immediately before `hermes dashboard` is exec'd. Add a regression test that launches through the wrapper with a hostile inherited `HERMES_TUI_DIR` and verifies the dashboard process receives `/opt/hermes/ui-tui`.
    • Evidence: The PR exports the trusted path only before wrapper normalization (`if [ -f /opt/hermes/ui-tui/dist/entry.js ]; then export HERMES_TUI_DIR="/opt/hermes/ui-tui"; fi`), then later exports raw wrapper values (`export "${_raw_args[$i]}"`). Dashboard launch uses `HERMES_HOME="${HERMES_DIR}" nohup "$HERMES" ...` and inherits `HERMES_TUI_DIR` rather than setting it at the launch site.

🌱 Nice ideas

  • None.
Consider writing more tests for
  • **Runtime validation** — Dashboard TUI launch with `env HERMES_TUI_DIR=/sandbox/attacker nemoclaw-start` still launches Hermes with `HERMES_TUI_DIR=/opt/hermes/ui-tui`. The changed behavior spans Docker image environment, startup shell normalization, dashboard subprocess launch, and recovery sourcing. The current unit test checks generated env-file content but not the actual launch boundary.
  • **Runtime validation** — Hermes dashboard recovery sources `/tmp/nemoclaw-proxy-env.sh` and uses `/opt/hermes/ui-tui` when `NEMOCLAW_HERMES_DASHBOARD_TUI=1`. The changed behavior spans Docker image environment, startup shell normalization, dashboard subprocess launch, and recovery sourcing. The current unit test checks generated env-file content but not the actual launch boundary.
  • **Runtime validation** — When `/opt/hermes/ui-tui/dist/entry.js` is absent, dashboard TUI startup fails closed or skips the TUI without falling back to a sandbox-writable path. The changed behavior spans Docker image environment, startup shell normalization, dashboard subprocess launch, and recovery sourcing. The current unit test checks generated env-file content but not the actual launch boundary.
  • **Acceptance clause:** Related Issue: Related to [All Platforms][Agent&Skills] Hermes Dashboard chat shows "Chat unavailable" — does not recognize NemoClaw OpenShell proxy inference route #4765. — add test evidence or identify existing coverage. The deterministic context did not include issue [All Platforms][Agent&Skills] Hermes Dashboard chat shows "Chat unavailable" — does not recognize NemoClaw OpenShell proxy inference route #4765 body or comments, so literal issue acceptance clauses could not be extracted.
  • **Acceptance clause:** Hermes dashboard chat now points embedded TUI launches at the prebuilt `/opt/hermes/ui-tui` bundle. — add test evidence or identify existing coverage. Dockerfile and Dockerfile.base set `HERMES_TUI_DIR=/opt/hermes/ui-tui`, and start.sh writes the same path into the runtime proxy env. However, start.sh exports wrapper-provided env values after the trusted export, so an env-wrapper `HERMES_TUI_DIR` can still override the trusted path before dashboard launch.
  • **Acceptance clause:** This keeps `hermes dashboard --tui --skip-build` and NemoClaw dashboard recovery from trying to rebuild the React/Ink TUI under root-owned `/opt/hermes` at runtime, which can surface as `Chat unavailable: 1`. — add test evidence or identify existing coverage. The prebuilt path is now advertised in image and runtime env, and recovery scripts source `/tmp/nemoclaw-proxy-env.sh`; but there is no direct dashboard-launch regression test, and the entrypoint override path can still leave dashboard launch using a stale or user-controlled TUI dir.
  • **Acceptance clause:** Export `HERMES_TUI_DIR` from `agents/hermes/start.sh` when the prebuilt TUI bundle exists. — add test evidence or identify existing coverage. `start.sh` conditionally exports the path when `/opt/hermes/ui-tui/dist/entry.js` exists, but it does so before later wrapper env exports can overwrite it.
  • **Hermes dashboard TUI path workaround** — Incomplete. The unit test proves `/tmp/nemoclaw-proxy-env.sh` advertises the trusted path, but it does not prove dashboard launch or recovery uses that path, and it does not cover a hostile inherited/wrapper `HERMES_TUI_DIR`. The workaround is documented in `start.sh` as removable when upstream discovery is reliable. The current placement before wrapper env normalization leaves a source-of-truth gap for actual dashboard launch.

This is an automated advisory review. A human maintainer must make the final merge decision.

github-actions Bot (Contributor) commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27031962463
Target ref: b4f42f25e1135e61680ee6a6bb8b099a4aea3f49
Workflow ref: main
Requested jobs: hermes-root-entrypoint-smoke-e2e,hermes-dashboard-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job Result
hermes-dashboard-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
github-actions Bot (Contributor) commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27032932955
Target ref: 015d1dd802ab29d2d799949163b53b6d0880a0cd
Workflow ref: main
Requested jobs: hermes-root-entrypoint-smoke-e2e,hermes-dashboard-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job Result
hermes-dashboard-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success

…ui-dir' into fix/4765-hermes-dashboard-chat-tui-dir
github-actions Bot (Contributor) commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27033309776
Target ref: 0813860c361f79bdb5a20c7ea8e221c2c5227759
Workflow ref: main
Requested jobs: hermes-root-entrypoint-smoke-e2e,hermes-dashboard-e2e,hermes-e2e,hermes-onboard-security-posture-e2e
Summary: 4 passed, 0 failed, 0 skipped

Job Result
hermes-dashboard-e2e ✅ success
hermes-e2e ✅ success
hermes-onboard-security-posture-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
cv (Collaborator, Author) commented Jun 5, 2026

Addressed the PR review advisor feedback in 0a71ef3 and ee6827b:

  • Changed the start.sh entrypoint and generated runtime shell env to force the trusted /opt/hermes/ui-tui path when the baked bundle exists, instead of preserving inherited HERMES_TUI_DIR values.
  • Extended the runtime shell env test to assert the trusted absolute path and guard against reintroducing the override-preserving ... form.
  • Expanded the start.sh comment with the source boundary and removal condition: remove once upstream Hermes reliably discovers the prebaked ui-tui bundle without HERMES_TUI_DIR.
  • Added Dockerfile.base dependency review context: ui-tui and web are from the checksum-pinned Hermes release tarball, npm ci consumes those lockfiles, and the tree must be re-reviewed on each HERMES_VERSION / tarball hash bump.

Validation after changes:

  • npx vitest run test/hermes-start.test.ts --maxWorkers=1 --testTimeout=30000
  • npx prek run --files agents/hermes/start.sh test/hermes-start.test.ts
  • npx prek run --files agents/hermes/Dockerfile.base

Also noting the advisor-dispatched selective E2E already reported ✅ for hermes-root-entrypoint-smoke-e2e and hermes-dashboard-e2e on the original commit.
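
The ordering problem raised by the PR Review Advisor and the fix described in the reply above, as an added shell example that is not the project's `start.sh`. `make_fake_bundle`, `normalize_wrapper_env` and both `launch_env_*` functions are hypothetical names, a temporary directory stands in for `/opt/hermes/ui-tui`, and a child `sh` process stands in for `hermes dashboard --tui --skip-build`; failing closed when the bundle is missing is an assumption taken from the advisor's suggested test.

```shell
#!/bin/sh
# Added illustration, not the project's start.sh. All function names are hypothetical.

# Stand-in for `hermes dashboard --tui --skip-build`: a child process that
# reports the HERMES_TUI_DIR it inherited ("unset" when the variable is absent).
CHILD='printf "%s" "${HERMES_TUI_DIR-unset}"'

# Constructed stand-in for the baked bundle (/opt/hermes/ui-tui in the image):
# a temp dir containing dist/entry.js. Prints the directory path.
make_fake_bundle() {
  _d=$(mktemp -d) || return 1
  mkdir -p "$_d/dist" || return 1
  : > "$_d/dist/entry.js" || return 1
  printf '%s' "$_d"
}

# Re-export KEY=VALUE arguments the way an `env KEY=VALUE nemoclaw-start`
# normalization step would. Arguments that are not valid assignments are skipped.
normalize_wrapper_env() {
  for _arg in "$@"; do
    case "$_arg" in *=*) ;; *) continue ;; esac
    _key=${_arg%%=*}
    case "$_key" in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;; esac
    export "$_arg"
  done
}

# Order the advisor flagged: trusted export first, wrapper values re-exported
# afterwards, child inherits whatever value was exported last.
# usage: launch_env_export_first BUNDLE_DIR [KEY=VALUE...]
launch_env_export_first() (
  bundle=$1; shift
  if [ -f "$bundle/dist/entry.js" ]; then export HERMES_TUI_DIR="$bundle"; fi
  normalize_wrapper_env "$@"
  sh -c "$CHILD"
)

# Hardened order: normalize first, then set the trusted value at the launch
# site so nothing inherited or wrapper-provided can replace it.
# usage: launch_env_forced_at_launch BUNDLE_DIR [KEY=VALUE...]
launch_env_forced_at_launch() (
  bundle=$1; shift
  normalize_wrapper_env "$@"
  if [ -f "$bundle/dist/entry.js" ]; then
    HERMES_TUI_DIR="$bundle" sh -c "$CHILD"
  else
    # Assumption: fail closed by dropping any inherited value rather than
    # letting the child fall back to a sandbox-writable path.
    unset HERMES_TUI_DIR
    sh -c "$CHILD"
  fi
)

# Run both orders against the same hostile wrapper value (constructed input).
demo() {
  _b=$(make_fake_bundle) || return 1
  printf 'export-first:     %s\n' \
    "$(launch_env_export_first "$_b" HERMES_TUI_DIR=/sandbox/attacker)"
  printf 'forced at launch: %s\n' \
    "$(launch_env_forced_at_launch "$_b" HERMES_TUI_DIR=/sandbox/attacker)"
  printf 'bundle missing:   %s\n' \
    "$(launch_env_forced_at_launch "$_b/missing" HERMES_TUI_DIR=/sandbox/attacker)"
  rm -rf "$_b"
}
demo
```
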

@cv cv requested review from cjagwani and prekshivyas June 5, 2026 19:28
cjagwani (Contributor) left a comment

Lgtm

@cv cv enabled auto-merge (squash) June 5, 2026 19:30
github-actions Bot (Contributor) commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27035847667
Target ref: 4be7f7b34ae7b0f9d36693fe1c51e4207e57f036
Workflow ref: main
Requested jobs: hermes-root-entrypoint-smoke-e2e,hermes-dashboard-e2e,hermes-e2e
Summary: 3 passed, 0 failed, 0 skipped

Job Result
hermes-dashboard-e2e ✅ success
hermes-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success

@cv cv merged commit 9b16a9e into main Jun 5, 2026
28 checks passed
@cv cv deleted the fix/4765-hermes-dashboard-chat-tui-dir branch June 5, 2026 19:45
github-actions Bot (Contributor) commented Jun 5, 2026

Selective E2E Results — ✅ All requested jobs passed

Run: 27036373604
Target ref: 60ae588b119222a636aa3ba0051e7b9bc311bff6
Workflow ref: main
Requested jobs: hermes-root-entrypoint-smoke-e2e,hermes-dashboard-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job Result
hermes-dashboard-e2e ✅ success
hermes-root-entrypoint-smoke-e2e ✅ success

miyoungc added a commit that referenced this pull request Jun 6, 2026
## Summary
- Adds the `v0.0.60` section to `docs/about/release-notes.mdx` using the
dev announcement from discussion #4877.
- Fills the source-doc gaps found during release-prep review across
inference, policy tiers, command behavior, security boundaries, Hermes
dashboard/tooling, runtime context, and troubleshooting.
- Refreshes generated agent skills under `.agents/skills/` from the
current Fern docs output and upgrades Fern from `5.44.3` to `5.45.0`.

## Source summary
- #4037 -> `docs/reference/architecture.mdx`,
`docs/about/how-it-works.mdx`, `docs/about/release-notes.mdx`: Documents
system-only runtime context that stays out of visible chat.
- #4875 -> `docs/reference/architecture.mdx`,
`docs/about/how-it-works.mdx`, `docs/about/release-notes.mdx`: Documents
try-first sandbox network/filesystem guidance and clearer failure
classification.
- #4788 -> `docs/security/best-practices.mdx`,
`docs/about/release-notes.mdx`: Documents shared OpenClaw
device-approval policy for startup and connect.
- #4768 -> `docs/reference/network-policies.mdx`,
`docs/network-policy/integration-policy-examples.mdx`,
`docs/get-started/quickstart.mdx`,
`docs/get-started/quickstart-hermes.mdx`, `docs/reference/commands.mdx`:
Documents `weather`, `public-reference`, and Hermes managed-tool gateway
preset behavior.
- #3788 and #4864 -> `docs/reference/network-policies.mdx`,
`docs/reference/commands.mdx`: Documents non-interactive policy-tier
fail-fast behavior and interactive prompt fallback.
- #4756 and #4866 -> `docs/reference/commands.mdx`: Documents env-aware
default sandbox resolution for `list`, `status`, and `tunnel` commands.
- #4320 -> `docs/reference/commands.mdx`: Documents `$$nemoclaw tunnel
status` behavior.
- #4328 -> `docs/reference/commands.mdx`: Documents line-scoped policy
preset descriptions in `policy-list`.
- #4580 and #4748 -> `docs/reference/architecture.mdx`: Documents
package-managed OpenShell gateway service and Docker-driver
gateway-marker behavior.
- #4598 -> `docs/manage-sandboxes/lifecycle.mdx`: Documents concurrent
gateway/dashboard cleanup isolation by sandbox name and port.
- #4777 -> `docs/reference/troubleshooting.mdx`: Documents Docker GPU
patch rollback behavior.
- #4610 -> `docs/reference/troubleshooting.mdx`,
`docs/reference/commands.mdx`: Keeps mutable OpenClaw config permission
guidance aligned and removes skipped experimental wording.
- #4868 -> `docs/reference/commands.mdx`: Keeps `.dockerignore` handling
for custom `onboard --from <Dockerfile>` contexts in generated skills.
- #4870 -> `docs/reference/commands.mdx`,
`docs/manage-sandboxes/runtime-controls.mdx`: Documents
`NEMOCLAW_MINIMAL_BOOTSTRAP` and generated skill coverage.
- #4641 -> `docs/inference/inference-options.mdx`,
`docs/reference/troubleshooting.mdx`: Documents local NVIDIA NIM
platform-digest pulls and served-model id adoption.
- #4810 and #4867 -> `docs/inference/inference-options.mdx`: Documents
stable NGC managed-vLLM image lineage and DGX Station DeepSeek V4 Flash
coverage.
- #4852 -> `docs/inference/use-local-inference.mdx`,
`docs/reference/troubleshooting.mdx`: Documents Ollama model fit
filtering, 16K context floor, cold-load retry, and failed-model
exclusion.
- #4847 -> `docs/inference/switch-inference-providers.mdx`: Documents
API-family sync, Hermes `api_mode`, and Bedrock Runtime exception.
- #4800 -> `docs/inference/tool-calling-reliability.mdx`: Documents
Nemotron managed-inference native tool-search fallback.
- #4333 -> `docs/inference/switch-inference-providers.mdx`: Documents
interactive multimodal input prompting.
- #4086 -> `docs/reference/troubleshooting.mdx`: Keeps proxy bypass
normalization in generated troubleshooting coverage.
- #4811 and #4855 -> `docs/get-started/quickstart-hermes.mdx`: Documents
prebuilt Hermes dashboard assets and TUI recovery without runtime
rebuilds.
- #4854 -> `docs/inference/switch-inference-providers.mdx`,
`docs/reference/commands.mdx`: Documents Hermes proxy API-key
placeholder preservation during inference switches.
- #4248 -> `docs/manage-sandboxes/messaging-channels.mdx`,
`.agents/skills/`: Keeps messaging enrollment behavior aligned with
manifest-hook implementation.
- #4771 -> `docs/security/best-practices.mdx`,
`docs/security/credential-storage.mdx`: Documents Hermes
placeholder-only secret boundary for sandbox-visible runtime files.
- #4787 -> `docs/security/best-practices.mdx`,
`docs/about/release-notes.mdx`: Documents expanded memory scanner
examples for OpenAI project keys and Slack app-level tokens.
- #4848 -> `docs/reference/commands.mdx`: Documents OpenClaw skill
install mirroring into the agent home directory.
- #4790 -> `docs/about/release-notes.mdx`: Uses the prior release-prep
structure and generated `.agents/skills/` refresh as the template for
this release.

## Verification
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix
nemoclaw-user --doc-platform fern-mdx`
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ skills/
--prefix nemoclaw-user --doc-platform fern-mdx --dry-run`
- `npm run docs`
- `git diff --check`
- skip-term scan across `docs/`, `.agents/skills/`, and `skills/`
- `npm run build:cli`
- `npm run typecheck:cli`
- Commit and pre-push hook suites, including markdownlint, gitleaks,
env-var docs gate, docs-to-skills verification, and skills YAML tests

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* DeepSeek-V4-Flash now available as default inference model for DGX
Station.
* Hermes dashboard improved with dedicated port and OAuth-authenticated
tool gateway selection.
* Added weather and public-reference policy presets for expanded agent
capabilities.
* Enhanced Ollama model selection with GPU memory filtering and
automatic retry for timeouts.

* **Bug Fixes**
  * Improved policy tier validation to prevent invalid configurations.
* Better sandbox cleanup scoping by port to prevent conflicts across
deployments.
  * Added GPU patch failure recovery with automatic rollback.

* **Documentation**
* Expanded troubleshooting guides for inference, security, and sandbox
lifecycle.
  * Added .dockerignore best practices for custom deployments.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Carlos Villela <cvillela@nvidia.com>