Skip to content

fix(installer): start fresh when onboarding interrupted before sandbox creation#5641

Merged
cv merged 6 commits into
mainfrom
auto/fix-5626-installer-fresh-recover
Jun 24, 2026
Merged

fix(installer): start fresh when onboarding interrupted before sandbox creation#5641
cv merged 6 commits into
mainfrom
auto/fix-5626-installer-fresh-recover

Conversation

@jason-ma-nv

@jason-ma-nv jason-ma-nv commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Summary

install.sh auto-attaches --resume to any in_progress onboarding session. When a previous run was interrupted before sandbox creation completed, the session has no sandbox name recorded, so the curl|bash flow dead-ended at the CLI's non-interactive resume guard (#2753) with exit 1 and no recovery path. This refines the installer's session classifier so a pre-sandbox-creation session is started fresh instead of force-resumed.

Related Issue

Fixes #5626

Changes

  • scripts/install.sh: the session classifier now only emits resume for an in_progress session once a sandbox actually exists to resume into (a sandboxName is recorded, or the sandbox step completed). A session interrupted before sandbox creation is classified fresh-recover and onboarded with --fresh. The CLI --resume guard from [Ubuntu 24.10][Onboard] sandbox name written to onboard-session.json before creation — nemoclaw list shows phantom entry after SIGINT #2753 is untouched, so an explicit nemoclaw onboard --resume with no name still refuses.
  • test/install-onboard-yes.test.ts: added classifier coverage — pre-sandbox-creation session forwards --fresh (not --resume); a session with a created sandbox still forwards --resume; a completed session forwards neither.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Git hooks passed during commit and push, or npx prek run --from-ref main --to-ref HEAD passes
  • Targeted tests pass for changed behavior
  • Full npm test passes (broad runtime changes only)
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Jason Ma jama@nvidia.com

Summary by CodeRabbit

  • Bug Fixes

    • Improved onboarding interruption recovery by correctly detecting whether a sandbox was created, then selecting the right onboarding mode automatically.
    • Interrupted onboarding sessions without an existing sandbox now start with --fresh (instead of attempting --resume), while sessions with a completed sandbox continue with --resume.
  • Tests

    • Added coverage to confirm the installer forwards --fresh vs --resume according to session state and sandbox step status.
    • Updated the interrupted-onboarding preflight fixture to include sandboxName for more accurate detection.

…x creation

install.sh auto-attaches --resume to any in_progress onboarding session. When
a previous run was interrupted before sandbox creation completed, the session
has no sandbox name recorded, so the curl|bash flow dead-ended at the CLI's
non-interactive resume guard (#2753) with exit 1 and no recovery path.

Refine the install.sh session classifier: an in_progress session is only
auto-resumed once a sandbox actually exists to resume into (sandboxName
recorded or the sandbox step completed). A session interrupted before sandbox
creation is classified 'fresh-recover' and onboarded with --fresh instead.

This fixes the dead-end at its source and leaves the CLI #2753 guard intact:
an explicit 'nemoclaw onboard --resume' with no name still refuses.

Fixes #5626

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Jason Ma <jama@nvidia.com>
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The onboard session classifier in install.sh gains a fresh-recover state: when a previous run was interrupted before sandbox creation, it now selects --fresh instead of --resume. A new test helper and three assertions in the test suite cover all three classification outcomes, and an existing test fixture is updated to represent a genuinely resumable session.

Changes

fresh-recover session classification

Layer / File(s) Summary
Session classifier and case dispatch
scripts/install.sh
Classifier computes sandboxCreated from sandboxName or sandbox step status and emits the new fresh-recover state when no sandbox exists. The case switch handles fresh-recover by appending --fresh to the onboard command, replacing the previous unconditional --resume path.
Test helper and session classification assertions
test/install-onboard-yes.test.ts, test/install-preflight.test.ts
Adds runOnboardWithSession helper that writes onboard-session.json to a temp HOME and stubs the CLI binary to capture argv. Three new assertions validate --fresh for in-progress/no-sandbox, --resume for in-progress/sandbox-complete, and neither flag for a completed session. The preflight test fixture is updated to represent a resumable session occurring after sandbox creation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

  • #5626 — This PR directly resolves the reported failure: interrupted onboarding with no recorded sandbox name now auto-recovers via fresh-recover--fresh instead of exiting with an error.

Poem

🐇 A session was broken, no sandbox in sight,
The installer would stumble and give up the fight.
But now with fresh-recover, we start fresh and new,
No error, no crying — we just follow through!
Hop hop, little onboard, you're whole again! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly describes the main change: fixing the installer to start fresh when onboarding is interrupted before sandbox creation, which aligns with the primary objective.
Linked Issues check ✅ Passed The PR fully addresses issue #5626 by implementing option (a) to auto-recover from pre-sandbox-creation interruptions by classifying them as fresh starts, with comprehensive test coverage.
Out of Scope Changes check ✅ Passed All changes are directly scoped to fixing the installer's session classifier logic and adding corresponding test coverage, with no unrelated modifications.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch auto/fix-5626-installer-fresh-recover

Comment @coderabbitai help to get the list of available commands.

@github-code-quality

github-code-quality Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage in the branch is 96%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 24e49ee +/-
nemoclaw/src/se...cret-scanner.ts 100%
nemoclaw/src/commands/slash.ts 100%
nemoclaw/src/li...bprocess-env.ts 100%
nemoclaw/src/bl...eprint/state.ts 98%
nemoclaw/src/onboard/config.ts 98%
nemoclaw/src/bl...int/snapshot.ts 97%
nemoclaw/src/bl...print/runner.ts 95%
nemoclaw/src/co...ration-state.ts 94%
nemoclaw/src/bl...ate-networks.ts 94%
nemoclaw/src/index.ts 94%

TypeScript / code-coverage/cli

The overall coverage in the branch is 46%. Coverage data for the branch is not yet available.

Show a code coverage summary of the most covered files.
File 24e49ee +/-
src/lib/state/o...oard-session.ts 91%
src/lib/inference/local.ts 76%
src/lib/sandbox/config.ts 72%
src/lib/actions...dbox/rebuild.ts 67%
src/lib/onboard/preflight.ts 64%
src/lib/actions...licy-channel.ts 56%
src/lib/state/sandbox.ts 55%
src/lib/onboard...er-gpu-patch.ts 50%
src/lib/policy/index.ts 49%
src/lib/onboard.ts 18%

Updated June 24, 2026 00:09 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

…elper

The codebase-growth-guardrails check forbids adding if-statements in changed
test files. Always write the session fixture and assert the shell exit via
expect() instead of guarding with if-statements.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Jason Ma <jama@nvidia.com>
@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — No blocking findings

Merge posture: No blocking advisor findings
Primary next action: Add or justify PRA-T1 and any related test follow-ups.
Open items: 0 required · 0 warnings · 0 suggestions · 5 test follow-ups
Since last review: 0 prior items resolved · 3 still apply · 0 new items found

Action checklist

  • PRA-T1 Add or justify test follow-up: Runtime validation
  • PRA-T2 Add or justify test follow-up: Runtime validation
  • PRA-T3 Add or justify test follow-up: Runtime validation
  • PRA-T4 Add or justify test follow-up: Acceptance clause
  • PRA-T5 Add or justify test follow-up: Acceptance clause
Test follow-ups to resolve or justify

If these cover changed behavior, prefer adding them in this PR; otherwise state why existing coverage is enough or link the follow-up.

  • PRA-T1 Runtime validation — Full installer non-interactive fresh-recovery: with `HOME/.nemoclaw/onboard-session.json` containing `status: "in_progress"`, `sandboxName: null`, and `steps.sandbox.status: "pending"`, assert the installed stub receives `onboard --fresh --non-interactive --yes-i-accept-third-party-software --yes` and never `--resume`.. The changed source is installer/bootstrap shell controlling onboarding and sandbox lifecycle recovery. The PR includes focused shell-sourced Vitest coverage and a full-installer confirmed-resume fixture, which is enough for review; a few runtime/edge tests would further reduce regression risk.
  • PRA-T2 Runtime validation — Classifier blank sandbox name: with `status: "in_progress"`, `sandboxName: " "`, and `steps.sandbox.status: "complete"`, assert `run_onboard` passes `--fresh` and not `--resume`.. The changed source is installer/bootstrap shell controlling onboarding and sandbox lifecycle recovery. The PR includes focused shell-sourced Vitest coverage and a full-installer confirmed-resume fixture, which is enough for review; a few runtime/edge tests would further reduce regression risk.
  • PRA-T3 Runtime validation — Classifier missing sandbox step: with `status: "in_progress"`, `sandboxName: "box"`, and no `steps.sandbox`, assert `run_onboard` passes `--fresh` and not `--resume`.. The changed source is installer/bootstrap shell controlling onboarding and sandbox lifecycle recovery. The PR includes focused shell-sourced Vitest coverage and a full-installer confirmed-resume fixture, which is enough for review; a few runtime/edge tests would further reduce regression risk.
  • PRA-T4 Acceptance clause — 1. Run `nemoclaw onboard` (interactive or non-interactive) and interrupt it before sandbox creation completes (e.g. Ctrl-C at step [2/8] or [3/8]). — add test evidence or identify existing coverage. The PR simulates the persisted interrupted session state directly in `test/install-onboard-yes.test.ts`; it does not add a real SIGINT/runtime reproduction, which is reasonable for review but remains a useful test-depth follow-up.
  • PRA-T5 Acceptance clause — 2. Re-run: ```bash curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 bash ``` — add test evidence or identify existing coverage. The changed code is in installer `run_onboard()`, the curl-piped installer path, and the focused shell-sourced test sets `NON_INTERACTIVE=1`; a full installer fresh-recovery fixture for this exact stale state is still a confidence-improving follow-up.

Workflow run details

This is an automated, non-binding review; it still expects maintainers and agents to respond to each required or warning item. Treat suggestions as current-PR improvements when they touch changed code; defer only with maintainer rationale or a linked follow-up. A human maintainer must make the final merge decision.

@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: onboard-resume-e2e, onboard-repair-e2e, cloud-onboard-e2e
Optional E2E: onboard-negative-paths-e2e, full-e2e-vitest

Dispatch hint: onboard-resume-e2e,onboard-repair-e2e,cloud-onboard-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • onboard-resume-e2e (medium): Required because the PR changes installer session classification for interrupted onboarding and the automatic --resume decision; this must be validated against the real resume E2E flow.
  • onboard-repair-e2e (medium): Required by the onboarding resume compatibility policy because changes to session-state handling can interact with failed/repaired onboarding sessions and must not be covered only by unit/runtime-boundary tests.
  • cloud-onboard-e2e (medium): Required because scripts/install.sh drives full non-interactive hosted onboarding; the changed resume/fresh flag selection can affect cloud onboarding from install.sh.

Optional E2E

  • onboard-negative-paths-e2e (medium): Optional adjacent coverage for installer/onboard behavior around non-happy-path session states such as failed, corrupt, or otherwise non-resumable sessions.
  • full-e2e-vitest (medium): Optional broad smoke coverage that the standard full onboarding/install lifecycle still works after the installer flag-selection change.

New E2E recommendations

  • installer pre-sandbox resume recovery (high): Existing resume/repair E2E jobs cover real resume and repair paths, but this PR's exact behavior is an installer-owned recovery path for an interrupted session before sandbox creation that should start fresh instead of passing --resume.
    • Suggested test: Add an installer-pre-sandbox-fresh-recover-e2e scenario that seeds ~/.nemoclaw/onboard-session.json with in_progress/no completed sandbox, runs install.sh non-interactively, and asserts the real CLI receives/executes a fresh onboarding path rather than dead-ending on resume.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: onboard-resume-e2e,onboard-repair-e2e,cloud-onboard-e2e

@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: onboard-resume-vitest, onboard-repair-vitest
Optional Vitest E2E scenarios: None

Dispatch required Vitest E2E scenarios:

  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

  • onboard-resume-vitest: scripts/install.sh changes onboarding session classification for persisted in-progress sessions, including whether the installer passes --resume or --fresh. The onboarding resume compatibility rule requires the wired live onboard-resume Vitest job for session bootstrap/resume-path changes.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-resume-vitest
  • onboard-repair-vitest: The changed persisted-session classifier can affect repair/backstop behavior from existing onboarding sessions. Per the onboarding resume compatibility rule, repair coverage is required, not optional, for these resume/session-state paths.
    • Dispatch: gh workflow run e2e-vitest-scenarios.yaml --ref <pr-head-ref> --field jobs=onboard-repair-vitest

Optional Vitest E2E scenarios

  • None.

Relevant changed files

  • scripts/install.sh

jason-ma-nv and others added 2 commits June 23, 2026 13:41
…ed session

The classifier now only auto-resumes an in_progress session once a sandbox
exists to resume into. Update the auto-resume integration test fixture to a
genuinely resumable session (sandboxName + completed sandbox step) so it still
exercises the --resume path; the pre-sandbox fresh-recover path is covered by
test/install-onboard-yes.test.ts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Jason Ma <jama@nvidia.com>
Use a single-line resumable fixture (sandboxName alone marks the sandbox as
created) and drop the added comment so test/install-preflight.test.ts stays at
its 4207-line legacy budget.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Jason Ma <jama@nvidia.com>
@wscurran wscurran added area: install Install, setup, prerequisites, or uninstall flow area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression labels Jun 23, 2026
@wscurran

Copy link
Copy Markdown
Contributor

✨ Thanks for refining the installer's session classifier to only emit resume when a sandbox actually exists to resume into. This proposes a way to classify pre-sandbox-creation interruptions as fresh-recover so the curl|bash flow starts onboarding cleanly instead of hitting the non-interactive resume guard.


Related open issues:

@prekshivyas prekshivyas left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reproduced the bug and verified the fix on a fresh x86_64 Brev instance (n2d-standard-2). The session classifier logic is pure bash/node so it reproduces identically across architectures.

Reproduction (v0.0.67 classifier)

Created ~/.nemoclaw/onboard-session.json with in_progress status, sandboxName: null, steps.sandbox.status: "pending" — the exact state from issue #5720. The pre-fix classifier returns resume, which dead-ends at the CLI non-interactive resume guard with exit 1 and no recovery path. ✓ bug confirmed.

Fix verification

Session state v0.0.67 This PR
in_progress, no sandboxName, sandbox pending resume fresh-recover
in_progress, sandboxName set, sandbox complete resume resume

The sandboxCreated gate (sandboxName non-empty string and steps.sandbox.status === "complete") correctly partitions the two cases. Legitimate resume sessions keep --resume; pre-sandbox-creation sessions get --fresh instead of dead-ending.

Code review notes

  • The sandboxCreated check requires both fields to be present — guards against partially-written session files where one field exists without the other (covered by the it.each test cases for the split conditions).
  • install-preflight.test.ts update (adding sandboxName/steps.sandbox.complete to the existing fixture) is correct — that test exercises the resume path, so the fixture should satisfy sandboxCreated.
  • All CI green including installer-integration.

LGTM.

@prekshivyas prekshivyas left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified via live Brev reproduction — LGTM.

@cv cv merged commit 169ba50 into main Jun 24, 2026
41 checks passed
@cv cv deleted the auto/fix-5626-installer-fresh-recover branch June 24, 2026 21:08
@miyoungc miyoungc mentioned this pull request Jun 25, 2026
21 tasks
cv pushed a commit that referenced this pull request Jun 25, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Refreshes the v0.0.68 docs with release notes, Microsoft Teams messaging
guidance, and generated support-matrix coverage.
Also corrects the Hermes generated command reference so `sessions
export` examples match Hermes-only behavior while keeping the shared
command heading compatible with CLI parity checks.

## Changes
- #5585 -> `docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/platform-support.mdx`: Documents experimental Microsoft
Teams channel setup, Bot Framework credentials, webhook forwarding,
local `MSTEAMS_PORT` conflicts, and the generated integration support
row.
- #5526 -> `docs/reference/commands.mdx`,
`docs/reference/commands-nemohermes.mdx`: Keeps Hermes `sessions export`
examples on the supported single-JSONL export path while preserving the
canonical shared CLI heading.
- #5044 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for installer onboarding failure propagation.
- #5641 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for fresh recovery after pre-sandbox installer interruption.
- #5673 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for explicit deny-all messaging manifests.
- #5743 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for unsupported-agent channel-add rejection.
- #5252 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for Hermes `gateway-token` dashboard guidance.
- #5659 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for local OpenClaw `agent` wrapper help.
- #5661 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for default extra-agent paths.
- #5669 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for Deep Agents Code branding.
- #5672 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for hosted-compatible default model ID preservation.
- #5725 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for Deep Agents Code sandbox liveness.
- #5644 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for DGX Spark managed-vLLM express install defaults.
- #5712 -> `docs/about/release-notes.mdx`,
`docs/reference/platform-support.mdx`: Adds v0.0.68 release-note
coverage for the canonical support matrix and updates the matrix source
with Teams.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: docs-only release refresh;
no runtime code changed.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — `npm
run docs` passed with 0 errors; Fern reported the existing light-mode
accent contrast warning.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Additional verification:
- `python3 scripts/generate-platform-docs.py --check` passed.
- `npm run docs:sync-agent-variants` passed.
- `bash test/e2e/e2e-cloud-experimental/check-docs.sh --only-cli`
passed.
- `npm run docs` passed with 0 errors and one Fern theme warning:
light-mode accent contrast ratio is 2.41:1 and should be at least 3:1.
- `npm run build:cli` refreshed local untracked `dist/` artifacts after
rebase; no tracked files changed.
- `npm run typecheck:cli` passed.
- Normal commit and push hooks passed after the local CLI rebuild.

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added **Microsoft Teams** as an experimental messaging channel,
including manifest-first onboarding, local port routing/conflict
handling, sandbox delivery controls, and policy preset support.

* **Documentation**
* Expanded messaging-channel setup for Teams (prerequisites,
credential/webhook setup, wizard flow, and add/remove commands).
* Updated reference docs for **agent-specific** session export examples
(OpenClaw vs Hermes).
* Refreshed platform support guidance and added the latest release-notes
entry.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@wscurran wscurran added the NV QA Bugs found by the NVIDIA QA Team label Jun 26, 2026
miyoungc pushed a commit that referenced this pull request Jun 30, 2026
Addresses the actionable findings from the 2026-06-19 doc-validate run
across 11 guide pages.

Closes #5630
Refs #5631
Closes #5632
Closes #5633
Closes #5634
Closes #5635
Closes #5636
Closes #5637
Closes #5638
Closes #5639
Closes #5640

| Issue | Page | Fix |
|-------|------|-----|
| #5630 | manage-sandboxes/lifecycle | bump stale NEMOCLAW_INSTALL_TAG
example v0.0.63 → v0.0.65 |
| #5631 | get-started/quickstart | self-contained non-interactive
install (provider/key/sandbox name); consistent sandbox name |
| #5632 | inference/set-up-sub-agent | guidance for non-Omni sub-agent
configs (auth-profiles upload already documented) |
| #5633 | inference/switch-inference-providers | show `credentials list`
to discover provider names before switching |
| #5634 | network-policy/integration-policy-examples | note `policy-add`
is non-idempotent; remove before re-applying |
| #5635 | inference/inference-options | state vLLM install +
running-server prerequisites |
| #5636 | inference/use-local-inference | add
`--yes-i-accept-third-party-software` to non-interactive Ollama; add
`docker network inspect` subnet discovery |
| #5637 | reference/troubleshooting | nvm/Docker prerequisites note;
make CA-bundle grep non-zero-safe (`|| true`) |
| #5638 | deployment/sandbox-hardening | explain `nemoclaw-sandbox`
image placeholder; Landlock verify expected output/fallback |
| #5639 | manage-sandboxes/messaging-channels | quote angle-bracket
credential placeholders |
| #5640 | monitoring/monitor-sandbox-activity | correct legacy `sandbox
exec` → `<name> exec --`; placeholder names; context-overflow `/reset`
remediation |

#5631 is referenced rather than closed: this PR fixes the quickstart
docs (the non-interactive block now lists the required
provider/key/sandbox-name vars, and the `connect` example uses a
consistent sandbox name). The exit-1 failure in item 1 is an installer
bug, root-caused in #5626 with the fix in flight at #5641, and item 2's
name consistency is also covered by #5723. #5631 should close once those
land, not on this docs PR.

Not changed (with rationale):
- The recurring "`$$nemoclaw` breaks copy-paste" finding (#5630, #5634,
#5635, #5636, #5639, #5640): `$$nemoclaw` is the intentional
`CLI_SENTINEL` replaced at build time by
scripts/sync-agent-variant-docs.ts (and required on shared nav pages by
`assertNoUnsharedPlaceholders`). It renders as `nemoclaw`/`nemohermes`
in published docs, so it is correct as-is; the validator scanned raw MDX
rather than rendered output.
- #5637 "v0.0.43" string: kept — it is a historical "starting with
version X" statement, not a stale version.
- Some findings (#5636 hermes tool-calling-reliability link, #5639
hermes deploy link and backtick) are already resolved in current source
(links are `AgentOnly variant="openclaw"` gated; backticks balanced).

Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Strengthened sandbox hardening guidance with clearer runtime
capability-dropping instructions and more explicit Landlock
detection/fallback behavior.
* Refreshed quickstart and installer/CLI examples, including corrected
sandbox naming and a more reliable non-interactive install flow.
* Updated inference setup materials (vLLM sequencing, endpoint
readiness, provider discovery/selection, and streamlined sub-agent JSON
editing).
* Improved local inference, sandbox lifecycle install tag, monitoring
command examples, and added context-reset troubleshooting.
* Enhanced messaging/network-policy/troubleshooting snippets with safer
quoting and more resilient command behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…x creation (NVIDIA#5641)

## Summary
`install.sh` auto-attaches `--resume` to any `in_progress` onboarding
session. When a previous run was interrupted before sandbox creation
completed, the session has no sandbox name recorded, so the `curl|bash`
flow dead-ended at the CLI's non-interactive resume guard (NVIDIA#2753) with
exit 1 and no recovery path. This refines the installer's session
classifier so a pre-sandbox-creation session is started fresh instead of
force-resumed.

## Related Issue
Fixes NVIDIA#5626

## Changes
- `scripts/install.sh`: the session classifier now only emits `resume`
for an `in_progress` session once a sandbox actually exists to resume
into (a `sandboxName` is recorded, or the sandbox step completed). A
session interrupted before sandbox creation is classified
`fresh-recover` and onboarded with `--fresh`. The CLI `--resume` guard
from NVIDIA#2753 is untouched, so an explicit `nemoclaw onboard --resume` with
no name still refuses.
- `test/install-onboard-yes.test.ts`: added classifier coverage —
pre-sandbox-creation session forwards `--fresh` (not `--resume`); a
session with a created sandbox still forwards `--resume`; a completed
session forwards neither.

## Type of Change
- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [x] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Tests added or updated for new or changed behavior
- [x] No secrets, API keys, or credentials committed
- [ ] Docs updated for user-facing behavior changes
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off required by CI. Run: git config user.name && git
config user.email -->
Signed-off-by: Jason Ma <jama@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Improved onboarding interruption recovery by correctly detecting
whether a sandbox was created, then selecting the right onboarding mode
automatically.
* Interrupted onboarding sessions without an existing sandbox now start
with `--fresh` (instead of attempting `--resume`), while sessions with a
completed sandbox continue with `--resume`.

* **Tests**
* Added coverage to confirm the installer forwards `--fresh` vs
`--resume` according to session state and sandbox step status.
* Updated the interrupted-onboarding preflight fixture to include
`sandboxName` for more accurate detection.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Jason Ma <jama@nvidia.com>
Signed-off-by: Carlos Villela <cvillela@nvidia.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Carlos Villela <cvillela@nvidia.com>
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
<!-- markdownlint-disable MD041 -->
## Summary
Refreshes the v0.0.68 docs with release notes, Microsoft Teams messaging
guidance, and generated support-matrix coverage.
Also corrects the Hermes generated command reference so `sessions
export` examples match Hermes-only behavior while keeping the shared
command heading compatible with CLI parity checks.

## Changes
- NVIDIA#5585 -> `docs/manage-sandboxes/messaging-channels.mdx`,
`docs/reference/platform-support.mdx`: Documents experimental Microsoft
Teams channel setup, Bot Framework credentials, webhook forwarding,
local `MSTEAMS_PORT` conflicts, and the generated integration support
row.
- NVIDIA#5526 -> `docs/reference/commands.mdx`,
`docs/reference/commands-nemohermes.mdx`: Keeps Hermes `sessions export`
examples on the supported single-JSONL export path while preserving the
canonical shared CLI heading.
- NVIDIA#5044 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for installer onboarding failure propagation.
- NVIDIA#5641 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for fresh recovery after pre-sandbox installer interruption.
- NVIDIA#5673 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for explicit deny-all messaging manifests.
- NVIDIA#5743 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for unsupported-agent channel-add rejection.
- NVIDIA#5252 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for Hermes `gateway-token` dashboard guidance.
- NVIDIA#5659 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for local OpenClaw `agent` wrapper help.
- NVIDIA#5661 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for default extra-agent paths.
- NVIDIA#5669 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for Deep Agents Code branding.
- NVIDIA#5672 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for hosted-compatible default model ID preservation.
- NVIDIA#5725 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for Deep Agents Code sandbox liveness.
- NVIDIA#5644 -> `docs/about/release-notes.mdx`: Adds v0.0.68 release-note
coverage for DGX Spark managed-vLLM express install defaults.
- NVIDIA#5712 -> `docs/about/release-notes.mdx`,
`docs/reference/platform-support.mdx`: Adds v0.0.68 release-note
coverage for the canonical support matrix and updates the matrix source
with Teams.

## Type of Change

- [ ] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [x] Doc only (includes code sample changes)

## Quality Gates
<!-- Check all that apply. For any "covered by existing tests", "not
applicable", or waiver entry, add a brief justification on the same line
or in the Changes section. -->
- [ ] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [x] Tests not applicable — justification: docs-only release refresh;
no runtime code changed.
- [x] Docs updated for user-facing behavior changes
- [ ] Docs not applicable — justification:
- [ ] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [ ] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification:
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each item you ran and confirmed. Leave unchecked items you
skipped. Doc-only changes do not require npm test unless you ran it. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Git hooks passed during commit and push, or `npx prek run
--from-ref main --to-ref HEAD` passes
- [ ] Targeted tests pass for changed behavior
- [ ] Full `npm test` passes (broad runtime changes only)
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only) — `npm
run docs` passed with 0 errors; Fern reported the existing light-mode
accent contrast warning.
- [x] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

Additional verification:
- `python3 scripts/generate-platform-docs.py --check` passed.
- `npm run docs:sync-agent-variants` passed.
- `bash test/e2e/e2e-cloud-experimental/check-docs.sh --only-cli`
passed.
- `npm run docs` passed with 0 errors and one Fern theme warning:
light-mode accent contrast ratio is 2.41:1 and should be at least 3:1.
- `npm run build:cli` refreshed local untracked `dist/` artifacts after
rebase; no tracked files changed.
- `npm run typecheck:cli` passed.
- Normal commit and push hooks passed after the local CLI rebuild.

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Miyoung Choi <miyoungc@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added **Microsoft Teams** as an experimental messaging channel,
including manifest-first onboarding, local port routing/conflict
handling, sandbox delivery controls, and policy preset support.

* **Documentation**
* Expanded messaging-channel setup for Teams (prerequisites,
credential/webhook setup, wizard flow, and add/remove commands).
* Updated reference docs for **agent-specific** session export examples
(OpenClaw vs Hermes).
* Refreshed platform support guidance and added the latest release-notes
entry.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Hadar301 pushed a commit to Hadar301/NemoClaw-OpenShift that referenced this pull request Jul 12, 2026
…A#5640) (NVIDIA#5645)

Addresses the actionable findings from the 2026-06-19 doc-validate run
across 11 guide pages.

Closes NVIDIA#5630
Refs NVIDIA#5631
Closes NVIDIA#5632
Closes NVIDIA#5633
Closes NVIDIA#5634
Closes NVIDIA#5635
Closes NVIDIA#5636
Closes NVIDIA#5637
Closes NVIDIA#5638
Closes NVIDIA#5639
Closes NVIDIA#5640

| Issue | Page | Fix |
|-------|------|-----|
| NVIDIA#5630 | manage-sandboxes/lifecycle | bump stale NEMOCLAW_INSTALL_TAG
example v0.0.63 → v0.0.65 |
| NVIDIA#5631 | get-started/quickstart | self-contained non-interactive
install (provider/key/sandbox name); consistent sandbox name |
| NVIDIA#5632 | inference/set-up-sub-agent | guidance for non-Omni sub-agent
configs (auth-profiles upload already documented) |
| NVIDIA#5633 | inference/switch-inference-providers | show `credentials list`
to discover provider names before switching |
| NVIDIA#5634 | network-policy/integration-policy-examples | note `policy-add`
is non-idempotent; remove before re-applying |
| NVIDIA#5635 | inference/inference-options | state vLLM install +
running-server prerequisites |
| NVIDIA#5636 | inference/use-local-inference | add
`--yes-i-accept-third-party-software` to non-interactive Ollama; add
`docker network inspect` subnet discovery |
| NVIDIA#5637 | reference/troubleshooting | nvm/Docker prerequisites note;
make CA-bundle grep non-zero-safe (`|| true`) |
| NVIDIA#5638 | deployment/sandbox-hardening | explain `nemoclaw-sandbox`
image placeholder; Landlock verify expected output/fallback |
| NVIDIA#5639 | manage-sandboxes/messaging-channels | quote angle-bracket
credential placeholders |
| NVIDIA#5640 | monitoring/monitor-sandbox-activity | correct legacy `sandbox
exec` → `<name> exec --`; placeholder names; context-overflow `/reset`
remediation |

NVIDIA#5631 is referenced rather than closed: this PR fixes the quickstart
docs (the non-interactive block now lists the required
provider/key/sandbox-name vars, and the `connect` example uses a
consistent sandbox name). The exit-1 failure in item 1 is an installer
bug, root-caused in NVIDIA#5626 with the fix in flight at NVIDIA#5641, and item 2's
name consistency is also covered by NVIDIA#5723. NVIDIA#5631 should close once those
land, not on this docs PR.

Not changed (with rationale):
- The recurring "`$$nemoclaw` breaks copy-paste" finding (NVIDIA#5630, NVIDIA#5634,
NVIDIA#5635, NVIDIA#5636, NVIDIA#5639, NVIDIA#5640): `$$nemoclaw` is the intentional
`CLI_SENTINEL` replaced at build time by
scripts/sync-agent-variant-docs.ts (and required on shared nav pages by
`assertNoUnsharedPlaceholders`). It renders as `nemoclaw`/`nemohermes`
in published docs, so it is correct as-is; the validator scanned raw MDX
rather than rendered output.
- NVIDIA#5637 "v0.0.43" string: kept — it is a historical "starting with
version X" statement, not a stale version.
- Some findings (NVIDIA#5636 hermes tool-calling-reliability link, NVIDIA#5639
hermes deploy link and backtick) are already resolved in current source
(links are `AgentOnly variant="openclaw"` gated; backticks balanced).

Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Strengthened sandbox hardening guidance with clearer runtime
capability-dropping instructions and more explicit Landlock
detection/fallback behavior.
* Refreshed quickstart and installer/CLI examples, including corrected
sandbox naming and a more reliable non-interactive install flow.
* Updated inference setup materials (vLLM sequencing, endpoint
readiness, provider discovery/selection, and streamlined sub-agent JSON
editing).
* Improved local inference, sandbox lifecycle install tag, monitoring
command examples, and added context-reset troubleshooting.
* Enhanced messaging/network-policy/troubleshooting snippets with safer
quoting and more resilient command behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: install Install, setup, prerequisites, or uninstall flow area: onboarding Onboarding FSM, provider setup, sandbox launch, or first-run flow bug-fix PR fixes a bug or regression NV QA Bugs found by the NVIDIA QA Team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Linux][Onboard] nemoclaw onboard --non-interactive fails with "no sandbox name recorded" when a previous run was interrupted before sandbox creation

5 participants