docs: fix doc-validate findings across guide pages (#5630-#5640)#5645
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (11)
✅ Files skipped from review due to trivial changes (11)
📝 WalkthroughWalkthroughDocumentation-only update across NemoClaw guides: corrects commands and placeholders, adds prerequisite and sequencing notes, improves shell-safe snippets, bumps an install tag, and expands troubleshooting and hardening guidance. ChangesNemoClaw Documentation Corrections and Clarifications
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
✨ Thanks for addressing the doc-validate findings across 11 guide pages including the stale NEMOCLAW_INSTALL_TAG version bump. This proposes a way to correct actionable documentation issues from the 2026-06-19 validation run. Related open issues:
|
2b5fe68 to
c3e4720
Compare
c3e4720 to
a667254
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
docs/manage-sandboxes/messaging-channels.mdx (1)
7-7: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winFormat the shared CLI reference here.
nemoclaw tunnel startis plain prose in the description. Wrap it in inlinecode, and if this text applies to both agents, use$$nemoclawso the published docs render the shared command correctly.As per path instructions, commands should use inline
codeformatting, and based on learnings, shared host CLI commands should use$$nemoclaw.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/manage-sandboxes/messaging-channels.mdx` at line 7, The description text in this docs frontmatter needs the shared CLI command formatted as inline code, and because it applies to both agents it should use the shared command marker instead of plain prose. Update the description around the existing messaging-channel summary so the command is rendered with $$nemoclaw and inline code formatting, keeping the rest of the description unchanged.Sources: Path instructions, Learnings
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@docs/manage-sandboxes/messaging-channels.mdx`:
- Line 7: The description text in this docs frontmatter needs the shared CLI
command formatted as inline code, and because it applies to both agents it
should use the shared command marker instead of plain prose. Update the
description around the existing messaging-channel summary so the command is
rendered with $$nemoclaw and inline code formatting, keeping the rest of the
description unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 0553377a-c188-480e-97a1-45902912b4dd
📒 Files selected for processing (11)
docs/deployment/sandbox-hardening.mdxdocs/get-started/quickstart.mdxdocs/inference/inference-options.mdxdocs/inference/set-up-sub-agent.mdxdocs/inference/switch-inference-providers.mdxdocs/inference/use-local-inference.mdxdocs/manage-sandboxes/lifecycle.mdxdocs/manage-sandboxes/messaging-channels.mdxdocs/monitoring/monitor-sandbox-activity.mdxdocs/network-policy/integration-policy-examples.mdxdocs/reference/troubleshooting.mdx
✅ Files skipped from review due to trivial changes (8)
- docs/inference/switch-inference-providers.mdx
- docs/manage-sandboxes/lifecycle.mdx
- docs/network-policy/integration-policy-examples.mdx
- docs/inference/set-up-sub-agent.mdx
- docs/inference/inference-options.mdx
- docs/deployment/sandbox-hardening.mdx
- docs/inference/use-local-inference.mdx
- docs/reference/troubleshooting.mdx
🚧 Files skipped from review as they are similar to previous changes (2)
- docs/get-started/quickstart.mdx
- docs/monitoring/monitor-sandbox-activity.mdx
a667254 to
982cf21
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/deployment/sandbox-hardening.mdx`:
- Around line 136-143: The Landlock probe guidance in the sandbox hardening docs
is too definitive about kernel support; update the wording around the ls check
on /sys/kernel/security/landlock to note that a missing path may also mean
securityfs is not mounted. Adjust the surrounding explanation to distinguish
“Landlock unavailable” from “securityfs not mounted,” and keep the fallback
description tied to the actual probe behavior rather than assuming a kernel
capability gap.
In `@docs/get-started/quickstart.mdx`:
- Around line 56-63: The installer snippet in the quickstart is too brittle
because the curl-to-bash pipeline can hide download failures and the placeholder
API key can be misread as redirection. Update the command that uses curl and
bash to enable pipeline failure handling, and change the
NVIDIA_INFERENCE_API_KEY placeholder in the documented example so it is clearly
quoted or otherwise shown as a literal value. Keep the fix localized to the
quickstart install example.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 94b04863-7b10-4d36-b652-61797a1c2dc3
📒 Files selected for processing (11)
docs/deployment/sandbox-hardening.mdxdocs/get-started/quickstart.mdxdocs/inference/inference-options.mdxdocs/inference/set-up-sub-agent.mdxdocs/inference/switch-inference-providers.mdxdocs/inference/use-local-inference.mdxdocs/manage-sandboxes/lifecycle.mdxdocs/manage-sandboxes/messaging-channels.mdxdocs/monitoring/monitor-sandbox-activity.mdxdocs/network-policy/integration-policy-examples.mdxdocs/reference/troubleshooting.mdx
✅ Files skipped from review due to trivial changes (5)
- docs/inference/set-up-sub-agent.mdx
- docs/manage-sandboxes/lifecycle.mdx
- docs/inference/use-local-inference.mdx
- docs/inference/inference-options.mdx
- docs/reference/troubleshooting.mdx
🚧 Files skipped from review as they are similar to previous changes (2)
- docs/inference/switch-inference-providers.mdx
- docs/monitoring/monitor-sandbox-activity.mdx
There was a problem hiding this comment.
Caution
Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/deployment/sandbox-hardening.mdx`:
- Around line 136-143: The Landlock probe guidance in the sandbox hardening docs
is too definitive about kernel support; update the wording around the ls check
on /sys/kernel/security/landlock to note that a missing path may also mean
securityfs is not mounted. Adjust the surrounding explanation to distinguish
“Landlock unavailable” from “securityfs not mounted,” and keep the fallback
description tied to the actual probe behavior rather than assuming a kernel
capability gap.
In `@docs/get-started/quickstart.mdx`:
- Around line 56-63: The installer snippet in the quickstart is too brittle
because the curl-to-bash pipeline can hide download failures and the placeholder
API key can be misread as redirection. Update the command that uses curl and
bash to enable pipeline failure handling, and change the
NVIDIA_INFERENCE_API_KEY placeholder in the documented example so it is clearly
quoted or otherwise shown as a literal value. Keep the fix localized to the
quickstart install example.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 94b04863-7b10-4d36-b652-61797a1c2dc3
📒 Files selected for processing (11)
docs/deployment/sandbox-hardening.mdxdocs/get-started/quickstart.mdxdocs/inference/inference-options.mdxdocs/inference/set-up-sub-agent.mdxdocs/inference/switch-inference-providers.mdxdocs/inference/use-local-inference.mdxdocs/manage-sandboxes/lifecycle.mdxdocs/manage-sandboxes/messaging-channels.mdxdocs/monitoring/monitor-sandbox-activity.mdxdocs/network-policy/integration-policy-examples.mdxdocs/reference/troubleshooting.mdx
✅ Files skipped from review due to trivial changes (5)
- docs/inference/set-up-sub-agent.mdx
- docs/manage-sandboxes/lifecycle.mdx
- docs/inference/use-local-inference.mdx
- docs/inference/inference-options.mdx
- docs/reference/troubleshooting.mdx
🚧 Files skipped from review as they are similar to previous changes (2)
- docs/inference/switch-inference-providers.mdx
- docs/monitoring/monitor-sandbox-activity.mdx
🛑 Comments failed to post (2)
docs/deployment/sandbox-hardening.mdx (1)
136-143: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Tighten the Landlock probe wording.
No such file or directoryis not definitive proof that the kernel lacks Landlock support; it can also meansecurityfsis not mounted. As written, the note can misdiagnose a mount issue as a kernel-capability gap.Suggested wording
-If it reports `No such file or directory`, the kernel does not expose Landlock, and the sandbox falls back to DAC-only enforcement as described above. +If it reports `No such file or directory`, verify that `securityfs` is mounted and that the kernel exposes Landlock before assuming the DAC-only fallback path.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.Verify Landlock availability:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/deployment/sandbox-hardening.mdx` around lines 136 - 143, The Landlock probe guidance in the sandbox hardening docs is too definitive about kernel support; update the wording around the ls check on /sys/kernel/security/landlock to note that a missing path may also mean securityfs is not mounted. Adjust the surrounding explanation to distinguish “Landlock unavailable” from “securityfs not mounted,” and keep the fallback description tied to the actual probe behavior rather than assuming a kernel capability gap.docs/get-started/quickstart.mdx (1)
56-63: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Harden the installer snippet.
A failed
curlwill still look successful here because the pipeline does not enablepipefail, and<your-key>is parsed as redirection unless it is quoted.Suggested fix
+set -o pipefail curl -fsSL https://www.nvidia.com/nemoclaw.sh | \ NEMOCLAW_NON_INTERACTIVE=1 \ NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 \ NEMOCLAW_PROVIDER=build \ - NVIDIA_INFERENCE_API_KEY=<your-key> \ + NVIDIA_INFERENCE_API_KEY="<your-key>" \ NEMOCLAW_SANDBOX_NAME=my-gpt-claw \ bash📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.set -o pipefail curl -fsSL https://www.nvidia.com/nemoclaw.sh | \ NEMOCLAW_NON_INTERACTIVE=1 \ NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 \ NEMOCLAW_PROVIDER=build \ NVIDIA_INFERENCE_API_KEY="<your-key>" \ NEMOCLAW_SANDBOX_NAME=my-gpt-claw \ bash🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/get-started/quickstart.mdx` around lines 56 - 63, The installer snippet in the quickstart is too brittle because the curl-to-bash pipeline can hide download failures and the placeholder API key can be misread as redirection. Update the command that uses curl and bash to enable pipeline failure handling, and change the NVIDIA_INFERENCE_API_KEY placeholder in the documented example so it is clearly quoted or otherwise shown as a literal value. Keep the fix localized to the quickstart install example.
…A#5640) Address the actionable findings from the 2026-06-19 doc-validate run: - quickstart: make the non-interactive install example self-contained (provider, API key, sandbox name) and use a consistent sandbox name - lifecycle: bump the stale NEMOCLAW_INSTALL_TAG example to v0.0.65 - monitor-sandbox-activity: correct the legacy 'sandbox exec' syntax to '<name> exec --', use placeholder sandbox names, add context-overflow remediation - switch-inference-providers: show how to list providers before switching - inference-options: state the vLLM install and running-server prerequisites - use-local-inference: add the third-party-software acceptance flag to the non-interactive Ollama example and a docker-network subnet discovery step - integration-policy-examples: note policy-add is non-idempotent - set-up-sub-agent: add guidance for non-Omni sub-agent configs - sandbox-hardening: explain the nemoclaw-sandbox image placeholder and add Landlock verification expected output / fallback - messaging-channels: quote angle-bracket credential placeholders - troubleshooting: add nvm/Docker prerequisites note and make the CA-bundle grep diagnostic non-zero-safe The pervasive "$$nemoclaw breaks copy-paste" findings are not addressed: $$nemoclaw is the intentional CLI_SENTINEL replaced at build time by scripts/sync-agent-variant-docs.ts, so it renders correctly in published docs. Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>
982cf21 to
bca777b
Compare
<!-- markdownlint-disable MD041 --> ## Summary The bundled OpenClaw weather skill calls `wttr.in`, but the NemoClaw `weather` egress preset only allowed Open-Meteo and weather.gov. Under deny-by-default egress, the current host was blocked. This change closes the NemoClaw-owned policy gap while keeping access read-only and least-privileged. ## Related Issue Addresses the NemoClaw-owned `wttr.in` egress portion of #1417. This PR does not claim to change or fully validate OpenClaw skill readiness, browser fallback, pairing behavior, or the entire upstream weather-skill workflow. ## Changes - Allow `wttr.in:443` for GET and HEAD across its location-path namespace. - Do not pre-authorize `wttr.is`; the reviewed OpenClaw 2026.5.27 pin does not require it, and a future pin change must supply new runtime evidence before widening policy. - Record the source boundary next to the policy and enforce it through `loadAgent("openclaw").expectedVersion`: any OpenClaw pin change fails until maintainers revalidate the bundled skill's egress and update the reviewed contract. - Lock the exact weather host set and full `wttr.in` policy shape in `test/weather-policy.test.ts`. - Add live GET, HEAD, denied POST, and unrelated-host probes to the network-policy target. - Make the common-egress target perform one agent-executed `wttr.in/:help` curl, atomically retain the fetched body, and independently validate that proof from the host test. - Keep user documentation capability-based so it does not drift with providers. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only ## Quality Gates - [x] Focused structural coverage locks the exact policy boundary and forces review on OpenClaw pin drift. - [x] Live targets cover allowed GET/HEAD, denied POST, unrelated-host denial, and an agent-executed single-fetch proof. - [x] The broad `/**` path risk is accepted because wttr location identifiers are themselves paths and no stable narrower prefix exists; policy remains limited to one public host, GET/HEAD only, with no credentials sent. - [x] `wttr.is` exclusion is intentional least privilege; there is no reviewed evidence that the pinned runtime needs it. - [x] The C1 test is deliberately an egress/curl-path test, as its name and contract state; full upstream skill readiness is explicitly outside this PR's scope. - [x] The alleged #5645 conflict is not current: GitHub reports this PR mergeable. Any later cross-PR overlap will be resolved by the branch that lands second. - [x] The shell proof remains an array of fixed fragments plus a shell-quoted generated path, and passed exact-head live E2E; moving it to a separate script would add surface without changing the tested boundary. - [x] Docs describe user-facing capability without promising an upstream skill implementation. ## Verification - [x] PR description includes the DCO declaration and every commit appears Verified in GitHub. - [x] Commit and push hooks passed. - [x] `npx vitest run test/weather-policy.test.ts` passed (2/2). - [x] `npm run typecheck:cli` passed. - [x] `npm run source-shape:check` passed with zero source-shape tests. - [x] Full root CLI/integration hook suite passed during commit. - [x] No secrets, API keys, or credentials committed. - [x] `npm run docs` completed with zero errors and two pre-existing warnings. - [x] Exact-head E2E passed `network-policy` and `common-egress-agent`: https://github.com/NVIDIA/NemoClaw/actions/runs/28424896912 --- Signed-off-by: Hung Le <hple@nvidia.com> --------- Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary The bundled OpenClaw weather skill calls `wttr.in`, but the NemoClaw `weather` egress preset only allowed Open-Meteo and weather.gov. Under deny-by-default egress, the current host was blocked. This change closes the NemoClaw-owned policy gap while keeping access read-only and least-privileged. ## Related Issue Addresses the NemoClaw-owned `wttr.in` egress portion of NVIDIA#1417. This PR does not claim to change or fully validate OpenClaw skill readiness, browser fallback, pairing behavior, or the entire upstream weather-skill workflow. ## Changes - Allow `wttr.in:443` for GET and HEAD across its location-path namespace. - Do not pre-authorize `wttr.is`; the reviewed OpenClaw 2026.5.27 pin does not require it, and a future pin change must supply new runtime evidence before widening policy. - Record the source boundary next to the policy and enforce it through `loadAgent("openclaw").expectedVersion`: any OpenClaw pin change fails until maintainers revalidate the bundled skill's egress and update the reviewed contract. - Lock the exact weather host set and full `wttr.in` policy shape in `test/weather-policy.test.ts`. - Add live GET, HEAD, denied POST, and unrelated-host probes to the network-policy target. - Make the common-egress target perform one agent-executed `wttr.in/:help` curl, atomically retain the fetched body, and independently validate that proof from the host test. - Keep user documentation capability-based so it does not drift with providers. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only ## Quality Gates - [x] Focused structural coverage locks the exact policy boundary and forces review on OpenClaw pin drift. - [x] Live targets cover allowed GET/HEAD, denied POST, unrelated-host denial, and an agent-executed single-fetch proof. - [x] The broad `/**` path risk is accepted because wttr location identifiers are themselves paths and no stable narrower prefix exists; policy remains limited to one public host, GET/HEAD only, with no credentials sent. - [x] `wttr.is` exclusion is intentional least privilege; there is no reviewed evidence that the pinned runtime needs it. - [x] The C1 test is deliberately an egress/curl-path test, as its name and contract state; full upstream skill readiness is explicitly outside this PR's scope. - [x] The alleged NVIDIA#5645 conflict is not current: GitHub reports this PR mergeable. Any later cross-PR overlap will be resolved by the branch that lands second. - [x] The shell proof remains an array of fixed fragments plus a shell-quoted generated path, and passed exact-head live E2E; moving it to a separate script would add surface without changing the tested boundary. - [x] Docs describe user-facing capability without promising an upstream skill implementation. ## Verification - [x] PR description includes the DCO declaration and every commit appears Verified in GitHub. - [x] Commit and push hooks passed. - [x] `npx vitest run test/weather-policy.test.ts` passed (2/2). - [x] `npm run typecheck:cli` passed. - [x] `npm run source-shape:check` passed with zero source-shape tests. - [x] Full root CLI/integration hook suite passed during commit. - [x] No secrets, API keys, or credentials committed. - [x] `npm run docs` completed with zero errors and two pre-existing warnings. - [x] Exact-head E2E passed `network-policy` and `common-egress-agent`: https://github.com/NVIDIA/NemoClaw/actions/runs/28424896912 --- Signed-off-by: Hung Le <hple@nvidia.com> --------- Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com>
…A#5640) (NVIDIA#5645) Addresses the actionable findings from the 2026-06-19 doc-validate run across 11 guide pages. Closes NVIDIA#5630 Refs NVIDIA#5631 Closes NVIDIA#5632 Closes NVIDIA#5633 Closes NVIDIA#5634 Closes NVIDIA#5635 Closes NVIDIA#5636 Closes NVIDIA#5637 Closes NVIDIA#5638 Closes NVIDIA#5639 Closes NVIDIA#5640 | Issue | Page | Fix | |-------|------|-----| | NVIDIA#5630 | manage-sandboxes/lifecycle | bump stale NEMOCLAW_INSTALL_TAG example v0.0.63 → v0.0.65 | | NVIDIA#5631 | get-started/quickstart | self-contained non-interactive install (provider/key/sandbox name); consistent sandbox name | | NVIDIA#5632 | inference/set-up-sub-agent | guidance for non-Omni sub-agent configs (auth-profiles upload already documented) | | NVIDIA#5633 | inference/switch-inference-providers | show `credentials list` to discover provider names before switching | | NVIDIA#5634 | network-policy/integration-policy-examples | note `policy-add` is non-idempotent; remove before re-applying | | NVIDIA#5635 | inference/inference-options | state vLLM install + running-server prerequisites | | NVIDIA#5636 | inference/use-local-inference | add `--yes-i-accept-third-party-software` to non-interactive Ollama; add `docker network inspect` subnet discovery | | NVIDIA#5637 | reference/troubleshooting | nvm/Docker prerequisites note; make CA-bundle grep non-zero-safe (`|| true`) | | NVIDIA#5638 | deployment/sandbox-hardening | explain `nemoclaw-sandbox` image placeholder; Landlock verify expected output/fallback | | NVIDIA#5639 | manage-sandboxes/messaging-channels | quote angle-bracket credential placeholders | | NVIDIA#5640 | monitoring/monitor-sandbox-activity | correct legacy `sandbox exec` → `<name> exec --`; placeholder names; context-overflow `/reset` remediation | NVIDIA#5631 is referenced rather than closed: this PR fixes the quickstart docs (the non-interactive block now lists the required provider/key/sandbox-name vars, and the `connect` example uses a consistent sandbox name). The exit-1 failure in item 1 is an installer bug, root-caused in NVIDIA#5626 with the fix in flight at NVIDIA#5641, and item 2's name consistency is also covered by NVIDIA#5723. NVIDIA#5631 should close once those land, not on this docs PR. Not changed (with rationale): - The recurring "`$$nemoclaw` breaks copy-paste" finding (NVIDIA#5630, NVIDIA#5634, NVIDIA#5635, NVIDIA#5636, NVIDIA#5639, NVIDIA#5640): `$$nemoclaw` is the intentional `CLI_SENTINEL` replaced at build time by scripts/sync-agent-variant-docs.ts (and required on shared nav pages by `assertNoUnsharedPlaceholders`). It renders as `nemoclaw`/`nemohermes` in published docs, so it is correct as-is; the validator scanned raw MDX rather than rendered output. - NVIDIA#5637 "v0.0.43" string: kept — it is a historical "starting with version X" statement, not a stale version. - Some findings (NVIDIA#5636 hermes tool-calling-reliability link, NVIDIA#5639 hermes deploy link and backtick) are already resolved in current source (links are `AgentOnly variant="openclaw"` gated; backticks balanced). Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Strengthened sandbox hardening guidance with clearer runtime capability-dropping instructions and more explicit Landlock detection/fallback behavior. * Refreshed quickstart and installer/CLI examples, including corrected sandbox naming and a more reliable non-interactive install flow. * Updated inference setup materials (vLLM sequencing, endpoint readiness, provider discovery/selection, and streamlined sub-agent JSON editing). * Improved local inference, sandbox lifecycle install tag, monitoring command examples, and added context-reset troubleshooting. * Enhanced messaging/network-policy/troubleshooting snippets with safer quoting and more resilient command behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Abhimanyu Kumar <abhimanyukumar7290@gmail.com>
Addresses the actionable findings from the 2026-06-19 doc-validate run across 11 guide pages.
Closes #5630
Refs #5631
Closes #5632
Closes #5633
Closes #5634
Closes #5635
Closes #5636
Closes #5637
Closes #5638
Closes #5639
Closes #5640
credentials listto discover provider names before switchingpolicy-addis non-idempotent; remove before re-applying--yes-i-accept-third-party-softwareto non-interactive Ollama; adddocker network inspectsubnet discoverynemoclaw-sandboximage placeholder; Landlock verify expected output/fallbacksandbox exec→<name> exec --; placeholder names; context-overflow/resetremediation#5631 is referenced rather than closed: this PR fixes the quickstart docs (the non-interactive block now lists the required provider/key/sandbox-name vars, and the
connectexample uses a consistent sandbox name). The exit-1 failure in item 1 is an installer bug, root-caused in #5626 with the fix in flight at #5641, and item 2's name consistency is also covered by #5723. #5631 should close once those land, not on this docs PR.Not changed (with rationale):
$$nemoclawbreaks copy-paste" finding ([All Platforms][Docs] docs/manage-sandboxes/manage-sandbox-lifecycle.mdx — stale NEMOCLAW_INSTALL_TAG version and unexplained $$nemoclaw variant placeholder #5630, [All Platforms][Docs] docs/policies/integration-policy-examples.mdx — repeated policy-add calls are non-idempotent; $$nemoclaw macro breaks copy-paste #5634, [All Platforms][Docs] docs/inference/nemoclaw-inference-options.mdx — BYO vLLM and custom provider blocks missing server prerequisites; $$nemoclaw macro breaks copy-paste #5635, [All Platforms][Docs] docs/inference/use-local-inference.mdx — multiple copy-paste and logical flow issues (missing flag, unresolved placeholder, no model server step) #5636, [All Platforms][Docs] docs/messaging/set-up-messaging-channels.mdx — $$nemoclaw macro breaks all command blocks; credential placeholders cause shell syntax errors #5639, [All Platforms][Docs] docs/manage-sandboxes/monitor-sandbox-activity.mdx — legacy exec syntax and unexplained $$ prompt marker #5640):$$nemoclawis the intentionalCLI_SENTINELreplaced at build time by scripts/sync-agent-variant-docs.ts (and required on shared nav pages byassertNoUnsharedPlaceholders). It renders asnemoclaw/nemohermesin published docs, so it is correct as-is; the validator scanned raw MDX rather than rendered output.AgentOnly variant="openclaw"gated; backticks balanced).Signed-off-by: Abhimanyu Kumar abhimanyukumar7290@gmail.com
Summary by CodeRabbit