diff --git a/.agents/skills/nemoclaw-user-configure-inference/SKILL.md b/.agents/skills/nemoclaw-user-configure-inference/SKILL.md index 57bd3e2503..f437ede713 100644 --- a/.agents/skills/nemoclaw-user-configure-inference/SKILL.md +++ b/.agents/skills/nemoclaw-user-configure-inference/SKILL.md @@ -119,7 +119,7 @@ This variable is only needed when switching between provider families. ## Step 3: Tune Model Metadata -The sandbox image bakes model metadata (context window, max output tokens, and reasoning mode) into `openclaw.json` at build time. +The sandbox image bakes model metadata (context window, max output tokens, reasoning mode, and accepted input modalities) into `openclaw.json` at build time. To change these values, set the corresponding environment variables before running `nemoclaw onboard` so they patch into the Dockerfile before the image builds. | Variable | Values | Default | @@ -127,14 +127,17 @@ To change these values, set the corresponding environment variables before runni | `NEMOCLAW_CONTEXT_WINDOW` | Positive integer (tokens) | `131072` | | `NEMOCLAW_MAX_TOKENS` | Positive integer (tokens) | `4096` | | `NEMOCLAW_REASONING` | `true` or `false` | `false` | +| `NEMOCLAW_INFERENCE_INPUTS` | `text` or `text,image` | `text` | | `NEMOCLAW_AGENT_TIMEOUT` | Positive integer (seconds) | `600` | Invalid values are ignored, and the default bakes into the image. +Use `NEMOCLAW_INFERENCE_INPUTS=text,image` only for a model that accepts image input through the selected provider. ```console $ export NEMOCLAW_CONTEXT_WINDOW=65536 $ export NEMOCLAW_MAX_TOKENS=8192 $ export NEMOCLAW_REASONING=true +$ export NEMOCLAW_INFERENCE_INPUTS=text,image $ export NEMOCLAW_AGENT_TIMEOUT=1800 $ nemoclaw onboard ``` diff --git a/.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md b/.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md index 75aa4e6e05..d7cf24868c 100644 --- a/.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md +++ b/.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md @@ -75,7 +75,9 @@ For setup instructions, refer to Use a Local Inference Server (use the `nemoclaw ## Validation NemoClaw validates the selected provider and model before creating the sandbox. -If validation fails, the wizard returns to provider selection. +If credential validation fails, the wizard asks whether to re-enter the API key, choose a different provider, retry, or exit. +The `nvapi-` prefix check applies only to `NVIDIA_API_KEY`. +Other provider credentials, such as `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GEMINI_API_KEY`, and compatible endpoint keys, use provider-aware validation during retry. | Provider type | Validation method | |---|---| diff --git a/.agents/skills/nemoclaw-user-deploy-remote/SKILL.md b/.agents/skills/nemoclaw-user-deploy-remote/SKILL.md index 9ed32a47dc..c24687d4f7 100644 --- a/.agents/skills/nemoclaw-user-deploy-remote/SKILL.md +++ b/.agents/skills/nemoclaw-user-deploy-remote/SKILL.md @@ -106,8 +106,8 @@ default), so no extra configuration is needed. > set on a headless host, the compatibility wrapper prints a warning. > > `NEMOCLAW_DISABLE_DEVICE_AUTH` is also evaluated at image build time. -> If you disable device auth for a remote deployment, any device that can reach the dashboard origin can connect without pairing. -> Avoid this on internet-reachable or shared-network deployments. +> When `CHAT_UI_URL` points at a non-loopback origin, NemoClaw disables OpenClaw device pairing in the generated sandbox configuration because browser-only remote users cannot complete terminal-based pairing. +> Any device that can reach the configured dashboard origin can connect without pairing, so avoid exposing that origin on internet-reachable or shared-network deployments. ## Step 7: Proxy Configuration diff --git a/.agents/skills/nemoclaw-user-reference/references/commands.md b/.agents/skills/nemoclaw-user-reference/references/commands.md index ec0d925ab5..439ef8f1bc 100644 --- a/.agents/skills/nemoclaw-user-reference/references/commands.md +++ b/.agents/skills/nemoclaw-user-reference/references/commands.md @@ -318,7 +318,9 @@ If the preset name is unknown or already applied, the command exits non-zero wit | Flag | Description | |------|-------------| -| `--yes`, `--force` | Skip the confirmation prompt (requires a preset name) | +| `--from-file ` | Apply a custom preset YAML file instead of a built-in preset | +| `--from-dir ` | Apply every custom preset YAML file in a directory in lexicographic order | +| `--yes`, `--force` | Skip the confirmation prompt (requires a preset name, `--from-file`, or `--from-dir`) | | `--dry-run` | Preview the endpoints a preset would open without applying changes | Use `--dry-run` to audit a preset before applying it: @@ -327,6 +329,21 @@ Use `--dry-run` to audit a preset before applying it: $ nemoclaw my-assistant policy-add --dry-run ``` +Apply a custom preset file when you need to grant access to an endpoint that is not covered by a built-in preset: + +```console +$ nemoclaw my-assistant policy-add --from-file ./presets/my-internal-api.yaml +``` + +For batch workflows, apply all preset files from a directory: + +```console +$ nemoclaw my-assistant policy-add --from-dir ./presets/ --yes +``` + +Review every host in custom preset files before applying them. +Custom presets bypass the built-in preset review process and can widen sandbox egress. + ### `nemoclaw policy-list` List available policy presets and show which ones are applied to the sandbox. diff --git a/.agents/skills/nemoclaw-user-reference/references/troubleshooting.md b/.agents/skills/nemoclaw-user-reference/references/troubleshooting.md index 499ca61650..27e2afd94d 100644 --- a/.agents/skills/nemoclaw-user-reference/references/troubleshooting.md +++ b/.agents/skills/nemoclaw-user-reference/references/troubleshooting.md @@ -466,6 +466,24 @@ The status command detects the sandbox context and reports "active (inside sandb Run `openshell sandbox list` on the host to check the underlying sandbox state. +### Git clone fails with a certificate verification error + +In networks that inspect TLS, OpenShell injects a proxy CA bundle into the sandbox. +Current NemoClaw exports that bundle as `GIT_SSL_CAINFO` during sandbox startup and persists it for `nemoclaw connect` sessions, so Git can trust the proxy CA. +It also forwards standard CA bundle variables for subprocesses, including `GIT_SSL_CAPATH`, `CURL_CA_BUNDLE`, and `REQUESTS_CA_BUNDLE`. + +If Git still reports `server certificate verification failed`, reconnect to the sandbox and check that the CA variables are present: + +```console +$ env | grep -E 'SSL_CERT_FILE|GIT_SSL_CAINFO|CURL_CA_BUNDLE|REQUESTS_CA_BUNDLE' +``` + +If they are missing on an older sandbox, upgrade NemoClaw and run: + +```console +$ nemoclaw rebuild +``` + ### `openclaw update` hangs or times out inside the sandbox This is expected for the current NemoClaw deployment model. diff --git a/docs/deployment/deploy-to-remote-gpu.md b/docs/deployment/deploy-to-remote-gpu.md index 7ade17affa..7d162da2bc 100644 --- a/docs/deployment/deploy-to-remote-gpu.md +++ b/docs/deployment/deploy-to-remote-gpu.md @@ -116,8 +116,8 @@ available when the installer builds the sandbox image. If `CHAT_UI_URL` is not set on a headless host, the compatibility wrapper prints a warning. `NEMOCLAW_DISABLE_DEVICE_AUTH` is also evaluated at image build time. -If you disable device auth for a remote deployment, any device that can reach the dashboard origin can connect without pairing. -Avoid this on internet-reachable or shared-network deployments. +When `CHAT_UI_URL` points at a non-loopback origin, NemoClaw disables OpenClaw device pairing in the generated sandbox configuration because browser-only remote users cannot complete terminal-based pairing. +Any device that can reach the configured dashboard origin can connect without pairing, so avoid exposing that origin on internet-reachable or shared-network deployments. ::: ## Proxy Configuration diff --git a/docs/inference/inference-options.md b/docs/inference/inference-options.md index 6c0fc41888..f7edd9ce85 100644 --- a/docs/inference/inference-options.md +++ b/docs/inference/inference-options.md @@ -95,7 +95,9 @@ For setup instructions, refer to [Use a Local Inference Server](use-local-infere ## Validation NemoClaw validates the selected provider and model before creating the sandbox. -If validation fails, the wizard returns to provider selection. +If credential validation fails, the wizard asks whether to re-enter the API key, choose a different provider, retry, or exit. +The `nvapi-` prefix check applies only to `NVIDIA_API_KEY`. +Other provider credentials, such as `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GEMINI_API_KEY`, and compatible endpoint keys, use provider-aware validation during retry. | Provider type | Validation method | |---|---| diff --git a/docs/inference/switch-inference-providers.md b/docs/inference/switch-inference-providers.md index 921ca19684..cbd66b140a 100644 --- a/docs/inference/switch-inference-providers.md +++ b/docs/inference/switch-inference-providers.md @@ -133,7 +133,7 @@ This variable is only needed when switching between provider families. ## Tune Model Metadata -The sandbox image bakes model metadata (context window, max output tokens, and reasoning mode) into `openclaw.json` at build time. +The sandbox image bakes model metadata (context window, max output tokens, reasoning mode, and accepted input modalities) into `openclaw.json` at build time. To change these values, set the corresponding environment variables before running `nemoclaw onboard` so they patch into the Dockerfile before the image builds. | Variable | Values | Default | @@ -141,14 +141,17 @@ To change these values, set the corresponding environment variables before runni | `NEMOCLAW_CONTEXT_WINDOW` | Positive integer (tokens) | `131072` | | `NEMOCLAW_MAX_TOKENS` | Positive integer (tokens) | `4096` | | `NEMOCLAW_REASONING` | `true` or `false` | `false` | +| `NEMOCLAW_INFERENCE_INPUTS` | `text` or `text,image` | `text` | | `NEMOCLAW_AGENT_TIMEOUT` | Positive integer (seconds) | `600` | Invalid values are ignored, and the default bakes into the image. +Use `NEMOCLAW_INFERENCE_INPUTS=text,image` only for a model that accepts image input through the selected provider. ```console $ export NEMOCLAW_CONTEXT_WINDOW=65536 $ export NEMOCLAW_MAX_TOKENS=8192 $ export NEMOCLAW_REASONING=true +$ export NEMOCLAW_INFERENCE_INPUTS=text,image $ export NEMOCLAW_AGENT_TIMEOUT=1800 $ nemoclaw onboard ``` diff --git a/docs/project.json b/docs/project.json index b5044bb832..b9119c503a 100644 --- a/docs/project.json +++ b/docs/project.json @@ -1 +1 @@ -{"name": "nemoclaw", "version": "0.0.25"} +{"name": "nemoclaw", "version": "0.0.29"} diff --git a/docs/reference/commands.md b/docs/reference/commands.md index cdefa77e2a..8aca2ae456 100644 --- a/docs/reference/commands.md +++ b/docs/reference/commands.md @@ -348,7 +348,9 @@ If the preset name is unknown or already applied, the command exits non-zero wit | Flag | Description | |------|-------------| -| `--yes`, `--force` | Skip the confirmation prompt (requires a preset name) | +| `--from-file ` | Apply a custom preset YAML file instead of a built-in preset | +| `--from-dir ` | Apply every custom preset YAML file in a directory in lexicographic order | +| `--yes`, `--force` | Skip the confirmation prompt (requires a preset name, `--from-file`, or `--from-dir`) | | `--dry-run` | Preview the endpoints a preset would open without applying changes | Use `--dry-run` to audit a preset before applying it: @@ -357,6 +359,21 @@ Use `--dry-run` to audit a preset before applying it: $ nemoclaw my-assistant policy-add --dry-run ``` +Apply a custom preset file when you need to grant access to an endpoint that is not covered by a built-in preset: + +```console +$ nemoclaw my-assistant policy-add --from-file ./presets/my-internal-api.yaml +``` + +For batch workflows, apply all preset files from a directory: + +```console +$ nemoclaw my-assistant policy-add --from-dir ./presets/ --yes +``` + +Review every host in custom preset files before applying them. +Custom presets bypass the built-in preset review process and can widen sandbox egress. + ### `nemoclaw policy-list` List available policy presets and show which ones are applied to the sandbox. diff --git a/docs/reference/troubleshooting.md b/docs/reference/troubleshooting.md index 13c13861af..15ca312f60 100644 --- a/docs/reference/troubleshooting.md +++ b/docs/reference/troubleshooting.md @@ -496,6 +496,24 @@ The status command detects the sandbox context and reports "active (inside sandb Run `openshell sandbox list` on the host to check the underlying sandbox state. +### Git clone fails with a certificate verification error + +In networks that inspect TLS, OpenShell injects a proxy CA bundle into the sandbox. +Current NemoClaw exports that bundle as `GIT_SSL_CAINFO` during sandbox startup and persists it for `nemoclaw connect` sessions, so Git can trust the proxy CA. +It also forwards standard CA bundle variables for subprocesses, including `GIT_SSL_CAPATH`, `CURL_CA_BUNDLE`, and `REQUESTS_CA_BUNDLE`. + +If Git still reports `server certificate verification failed`, reconnect to the sandbox and check that the CA variables are present: + +```console +$ env | grep -E 'SSL_CERT_FILE|GIT_SSL_CAINFO|CURL_CA_BUNDLE|REQUESTS_CA_BUNDLE' +``` + +If they are missing on an older sandbox, upgrade NemoClaw and run: + +```console +$ nemoclaw rebuild +``` + ### `openclaw update` hangs or times out inside the sandbox This is expected for the current NemoClaw deployment model. diff --git a/docs/versions1.json b/docs/versions1.json index 8f609210c1..4fbd1bbfd8 100644 --- a/docs/versions1.json +++ b/docs/versions1.json @@ -1,6 +1,10 @@ [ { "preferred": true, + "version": "0.0.29", + "url": "https://docs.nvidia.com/nemoclaw/0.0.29/" + }, + { "version": "0.0.25", "url": "https://docs.nvidia.com/nemoclaw/0.0.25/" }, @@ -23,21 +27,5 @@ { "version": "0.0.20", "url": "https://docs.nvidia.com/nemoclaw/0.0.20/" - }, - { - "version": "0.0.19", - "url": "https://docs.nvidia.com/nemoclaw/0.0.19/" - }, - { - "version": "0.0.18", - "url": "https://docs.nvidia.com/nemoclaw/0.0.18/" - }, - { - "version": "0.0.17", - "url": "https://docs.nvidia.com/nemoclaw/0.0.17/" - }, - { - "version": "0.0.16", - "url": "https://docs.nvidia.com/nemoclaw/0.0.16/" } ]