From 47b0bfbeab8c36c083ea744c00a0558505ca57da Mon Sep 17 00:00:00 2001 From: Miyoung Choi Date: Tue, 26 May 2026 21:28:13 -0700 Subject: [PATCH] docs: refresh release notes and skills for v0.0.52 Add v0.0.52 release-notes entry covering the OpenClaw 2026.5.22 runtime bump, Hermes root-entrypoint sandbox layout fix, onboard dashboard-url guidance restore, Slack token validation hardening, Windows bootstrap handoff fix, and the private-network cache reload on file changes. Regenerate nemoclaw-user skills so the generated reference pages match the published Fern docs for the v0.0.52 release. --- .../references/inference-options.md | 14 +-- .../skills/nemoclaw-user-get-started/SKILL.md | 4 +- .../references/windows-preparation.md | 14 ++- .../nemoclaw-user-manage-policy/SKILL.md | 3 +- .../references/integration-policy-examples.md | 38 ++++++- .../nemoclaw-user-manage-sandboxes/SKILL.md | 4 +- .../references/messaging-channels.md | 106 +++++++++++++++--- .../references/release-notes.md | 24 +++- .../references/architecture.md | 8 +- .../references/commands.md | 27 +++-- .../references/network-policies.md | 6 +- .../references/troubleshooting.md | 17 ++- docs/about/release-notes.mdx | 11 ++ 13 files changed, 216 insertions(+), 60 deletions(-) diff --git a/.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md b/.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md index c81c15c521..dc5441bdf5 100644 --- a/.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md +++ b/.agents/skills/nemoclaw-user-configure-inference/references/inference-options.md @@ -45,10 +45,10 @@ The managed install/start vLLM entry appears by default on DGX Spark and DGX Sta |--------|-------------|----------------| | NVIDIA Endpoints | Routes to models hosted on [build.nvidia.com](https://build.nvidia.com). You can also enter any model ID from the catalog. Set `NVIDIA_API_KEY`. | Nemotron 3 Super 120B, GLM-5.1, MiniMax M2.7, GPT-OSS 120B, DeepSeek V4 Pro | | OpenAI | Routes to the OpenAI API. Set `OPENAI_API_KEY`. | `gpt-5.4`, `gpt-5.4-mini`, `gpt-5.4-nano`, `gpt-5.4-pro-2026-03-05` | -| Other OpenAI-compatible endpoint | Routes to any server that implements `/v1/chat/completions`. If the endpoint also supports `/responses` with OpenClaw-style tool calling, NemoClaw can use that path; otherwise it falls back to `/chat/completions`. The wizard prompts for a base URL and model name. Works with OpenRouter, LocalAI, llama.cpp, or any compatible proxy. When you enable Telegram messaging, onboarding also runs a bounded sandbox-side smoke check through `https://inference.local/v1/chat/completions`. Set `COMPATIBLE_API_KEY`. | You provide the model name. | +| Other OpenAI-compatible endpoint | Routes to any server that implements `/v1/chat/completions`. NemoClaw uses `/v1/chat/completions` at runtime by default; set `NEMOCLAW_PREFERRED_API=openai-responses` to allow `/v1/responses` for proxies that implement it, such as some llama.cpp builds. The wizard prompts for a base URL and model name. Works with OpenRouter, LocalAI, llama.cpp, or any compatible proxy. When you enable Telegram messaging, onboarding also runs a bounded sandbox-side smoke check through `https://inference.local/v1/chat/completions`. Set `COMPATIBLE_API_KEY`. | You provide the model name. | | Anthropic | Routes to the Anthropic Messages API. Set `ANTHROPIC_API_KEY`. | `claude-sonnet-4-6`, `claude-haiku-4-5`, `claude-opus-4-6` | | Other Anthropic-compatible endpoint | Routes to any server that implements the Anthropic Messages API (`/v1/messages`). The wizard prompts for a base URL and model name. Set `COMPATIBLE_ANTHROPIC_API_KEY`. | You provide the model name. | -| Google Gemini | Routes to Google's OpenAI-compatible endpoint. NemoClaw prefers `/responses` only when the endpoint proves it can handle tool calling in a way OpenClaw uses; otherwise it falls back to `/chat/completions`. Set `GEMINI_API_KEY`. | `gemini-3.1-pro-preview`, `gemini-3.1-flash-lite-preview`, `gemini-3-flash-preview`, `gemini-2.5-pro`, `gemini-2.5-flash`, `gemini-2.5-flash-lite` | +| Google Gemini | Routes to Google's OpenAI-compatible chat-completions endpoint. NemoClaw skips the Responses-API probe because Gemini does not support `/v1/responses`. Set `GEMINI_API_KEY`. | `gemini-3.1-pro-preview`, `gemini-3.1-flash-lite-preview`, `gemini-3-flash-preview`, `gemini-2.5-pro`, `gemini-2.5-flash`, `gemini-2.5-flash-lite` | | Hermes Provider | Routes Hermes Agent through the host OpenShell provider registered by NemoClaw when onboarding Hermes Agent. | Curated Hermes Provider models such as `moonshotai/kimi-k2.6`, `openai/gpt-5.4-mini`, and `z-ai/glm-5.1`. | | Local Ollama | Routes to a local Ollama instance on `localhost:11434`. NemoClaw detects installed models, offers starter models if none are present, pulls and warms the selected model, and validates it. | Selected during onboarding. For more information, refer to Use a Local Inference Server (use the `nemoclaw-user-configure-inference` skill). | | Model Router | Starts a host-side router on port `4000`, registers it as an OpenAI-compatible provider, and keeps the sandbox pointed at `inference.local`. Set `NEMOCLAW_PROVIDER=routed` for non-interactive setup. | The router pool defines the model names. | @@ -127,13 +127,13 @@ Other provider credentials, such as `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GEMI | Provider type | Validation method | |---|---| | OpenAI | Tries `/responses` first, then `/chat/completions`. | -| NVIDIA Endpoints | Tries `/responses` first with a tool-calling probe that matches OpenClaw behavior. Falls back to `/chat/completions` if the endpoint does not return a compatible tool call. | -| Google Gemini | Tries `/responses` first with a tool-calling probe that matches OpenClaw behavior. Falls back to `/chat/completions` if the endpoint does not return a compatible tool call. | -| Other OpenAI-compatible endpoint | Tries `/responses` first with a tool-calling probe that matches OpenClaw behavior. Falls back to `/chat/completions` if the endpoint does not return a compatible tool call. | +| NVIDIA Endpoints | Validates via `/v1/chat/completions` only; the `/v1/responses` probe is skipped because NVIDIA Build does not expose `/v1/responses` (returns 404 for every model). | +| Google Gemini | Validates via Gemini's OpenAI-compatible chat-completions path only; the `/v1/responses` probe is skipped because Gemini does not support the Responses API. | +| Other OpenAI-compatible endpoint | Tries `/v1/responses` first with a tool-calling probe; falls back to `/v1/chat/completions`. Selected runtime API defaults to `/v1/chat/completions`; set `NEMOCLAW_PREFERRED_API=openai-responses` to allow `/v1/responses` at runtime when validation succeeds. | | Anthropic-compatible | Tries `/v1/messages`. | | NVIDIA Endpoints (manual model entry) | Validates the model name against the catalog API. | -| Compatible endpoints | Sends a real inference request because many proxies do not expose a `/models` endpoint. For OpenAI-compatible endpoints, the probe includes tool calling before NemoClaw favors `/responses`. | -| Local NVIDIA NIM | Uses the same validation behavior as NVIDIA Endpoints and skips the `/v1/responses` probe for endpoints that do not expose it. | +| Compatible endpoints | Sends a real inference request because many proxies do not expose a `/models` endpoint. For OpenAI-compatible endpoints, the probe tries `/v1/responses` first then falls back to `/v1/chat/completions`; the selected runtime API defaults to `/v1/chat/completions`. Set `NEMOCLAW_PREFERRED_API=openai-responses` to allow `/v1/responses` at runtime when validation succeeds. | +| Local NVIDIA NIM | Validates via `/v1/chat/completions` only; the `/v1/responses` probe is skipped (same as NVIDIA Endpoints). | ## Next Steps diff --git a/.agents/skills/nemoclaw-user-get-started/SKILL.md b/.agents/skills/nemoclaw-user-get-started/SKILL.md index 6b239be3f0..eec110b31a 100644 --- a/.agents/skills/nemoclaw-user-get-started/SKILL.md +++ b/.agents/skills/nemoclaw-user-get-started/SKILL.md @@ -259,10 +259,12 @@ After you confirm the summary, NemoClaw registers the selected provider with the The wizard then asks whether to enable Brave Web Search. If you enable it, enter a Brave Search API key when prompted. -The wizard also offers messaging channels such as Telegram, Discord, Slack, and WhatsApp. +The wizard also offers messaging channels such as Telegram, Discord, Slack, WeChat, and WhatsApp. Press a channel number to toggle it, then press Enter to continue. If you select a channel, NemoClaw validates the token format before it bakes the channel configuration into the sandbox. For example, Slack bot tokens must start with `xoxb-`. +WeChat and WhatsApp are experimental. +Review Messaging Channels (use the `nemoclaw-user-manage-sandboxes` skill) before enabling them. ### Choose Network Policy Presets diff --git a/.agents/skills/nemoclaw-user-get-started/references/windows-preparation.md b/.agents/skills/nemoclaw-user-get-started/references/windows-preparation.md index ddc656854a..4976143474 100644 --- a/.agents/skills/nemoclaw-user-get-started/references/windows-preparation.md +++ b/.agents/skills/nemoclaw-user-get-started/references/windows-preparation.md @@ -28,13 +28,15 @@ $ Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/NVIDIA/NemoClaw/main The command downloads the script to a temporary file before running it. `-ExecutionPolicy Bypass` applies only to that PowerShell process and avoids local policy blocking the downloaded script. Run it from Windows, not from inside WSL. -The script requests Administrator privileges when needed, enables the required WSL 2 Windows features, installs or opens Ubuntu, and installs and starts Docker Desktop. -If Ubuntu is already registered, the script confirms it uses WSL 2, converts it from WSL 1 when needed, and verifies Docker is reachable from WSL. +The script requests Administrator privileges when needed, enables the required WSL 2 Windows features, installs or opens Ubuntu 24.04, and installs and starts Docker Desktop. +If the target Ubuntu distro is already registered, the script confirms it uses WSL 2, converts it from WSL 1 when needed, and verifies Docker is reachable from WSL. If Windows requires a reboot after enabling WSL features, the script prompts for the reboot and registers a one-time continuation for the next sign-in. If Docker Desktop shows first-run prompts, complete them and return to the PowerShell window. For advanced options, download the script first and run `Get-Help "$env:TEMP\bootstrap-windows.ps1" -Detailed`. Useful parameters include `-DistroName`, `-InstallerUrl`, `-InstallerArgs`, and `-InstallDockerDesktop`. +The default distro is `Ubuntu-24.04`. +To reuse an existing distro named `Ubuntu`, pass `-DistroName Ubuntu`. The bootstrap script does not install NemoClaw itself. When Windows preparation is complete, it opens Ubuntu and prints the standard installer command to run inside Ubuntu: @@ -67,7 +69,7 @@ Reboot if prompted. After reboot, open an elevated PowerShell again: ```console -$ wsl --install -d Ubuntu +$ wsl --install -d Ubuntu-24.04 ``` Let the distribution launch and complete first-run setup (pick a Unix username and password), then type `exit` to return to PowerShell. @@ -76,7 +78,7 @@ Let the distribution launch and complete first-run setup (pick a Unix username a Do not use the `--no-launch` flag. The `--no-launch` flag downloads the package but does not register the distribution with WSL. -Commands like `wsl -d Ubuntu` fail with "There is no distribution with the supplied name" until the distribution has been launched at least once. +Commands like `wsl -d Ubuntu-24.04` fail with "There is no distribution with the supplied name" until the distribution has been launched at least once. Verify the distribution is registered and running WSL 2: @@ -87,8 +89,8 @@ $ wsl -l -v Expected output: ```text - NAME STATE VERSION -* Ubuntu Running 2 + NAME STATE VERSION +* Ubuntu-24.04 Running 2 ``` ## Install Docker Desktop diff --git a/.agents/skills/nemoclaw-user-manage-policy/SKILL.md b/.agents/skills/nemoclaw-user-manage-policy/SKILL.md index bc4d0a85a8..b375cd7e44 100644 --- a/.agents/skills/nemoclaw-user-manage-policy/SKILL.md +++ b/.agents/skills/nemoclaw-user-manage-policy/SKILL.md @@ -179,7 +179,8 @@ Available presets: | `pypi` | Python Package Index | | `slack` | Slack API and webhooks | | `telegram` | Telegram Bot API | -| `whatsapp` | WhatsApp Web messaging | +| `wechat` | WeChat (personal) iLink Bot API (experimental) | +| `whatsapp` | WhatsApp Web messaging (experimental) | To apply a preset to a running sandbox: diff --git a/.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md b/.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md index 0403b3e5b6..3a715b7863 100644 --- a/.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md +++ b/.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md @@ -50,7 +50,8 @@ NemoClaw ships maintained policy presets for common services in `nemoclaw-bluepr | Python Package Index | `pypi` | | Slack messaging | `slack` | | Telegram Bot API | `telegram` | -| WhatsApp Web messaging | `whatsapp` | +| WeChat (personal) iLink Bot API (experimental) | `wechat` | +| WhatsApp Web messaging (experimental) | `whatsapp` | Preview the endpoints before applying: @@ -110,7 +111,7 @@ If delivery fails, open the TUI and send a test message to the bot: $ openshell term ``` -The matching preset for each supported messaging channel is the channel name (`telegram`, `discord`, `slack`, or `whatsapp`). +The matching preset for each supported messaging channel is the channel name (`telegram`, `discord`, `slack`, `wechat`, or `whatsapp`). ## Slack or Discord Messaging @@ -144,6 +145,37 @@ $ nemoclaw my-assistant policy-add slack --yes $ nemoclaw my-assistant policy-add discord --yes ``` +## WeChat or WhatsApp Messaging (Experimental) + +WeChat and WhatsApp are experimental. +Both rely on QR-based pairing flows that are more fragile than token-based bots, and the upstream client libraries can change behavior without notice. + +WeChat uses Tencent's iLink Bot API for personal accounts. +The bot token is captured by a host-side QR scan during onboarding rather than pasted from a developer portal. +Add the channel interactively and apply the preset: + +```console +$ nemoclaw my-assistant channels add wechat +$ nemoclaw my-assistant rebuild +$ nemoclaw my-assistant policy-add wechat --yes +``` + +WhatsApp Web pairs entirely inside the sandbox via QR scan, so `channels add` does not collect a host-side token. +Apply the preset and complete the in-sandbox pairing after the rebuild: + +```console +$ NEMOCLAW_NON_INTERACTIVE=1 nemoclaw my-assistant channels add whatsapp +$ nemoclaw my-assistant rebuild +$ nemoclaw my-assistant policy-add whatsapp --yes +``` + +If you enabled WeChat or WhatsApp during onboarding, apply only the matching preset: + +```console +$ nemoclaw my-assistant policy-add wechat --yes +$ nemoclaw my-assistant policy-add whatsapp --yes +``` + ## GitHub and Jira Use `github` when the agent needs GitHub API or Git access. @@ -282,5 +314,5 @@ Use `nemoclaw my-assistant policy-add` for maintained NemoClaw presets. - Approve or Deny Agent Network Requests (use the `nemoclaw-user-manage-policy` skill) for the interactive OpenShell TUI flow. - Customize the Sandbox Network Policy (use the `nemoclaw-user-manage-policy` skill) for static policy edits and raw OpenShell policy files. -- Messaging Channels (use the `nemoclaw-user-manage-sandboxes` skill) for Telegram, Discord, Slack, and WhatsApp channel configuration. +- Messaging Channels (use the `nemoclaw-user-manage-sandboxes` skill) for Telegram, Discord, Slack, WeChat, and WhatsApp channel configuration. - Commands (use the `nemoclaw-user-reference` skill) for the full `policy-add`, `policy-list`, `policy-remove`, and `channels` command reference. diff --git a/.agents/skills/nemoclaw-user-manage-sandboxes/SKILL.md b/.agents/skills/nemoclaw-user-manage-sandboxes/SKILL.md index b923861f87..dbed6690e0 100644 --- a/.agents/skills/nemoclaw-user-manage-sandboxes/SKILL.md +++ b/.agents/skills/nemoclaw-user-manage-sandboxes/SKILL.md @@ -1,6 +1,6 @@ --- name: "nemoclaw-user-manage-sandboxes" -description: "Explains operational tasks after the quickstart: listing sandboxes, status and health checks, logs, diagnostics, port forwards, multiple sandboxes, credential reset, rebuilds, network presets, upgrades, and uninstall. Trigger keywords - manage nemoclaw sandboxes, nemoclaw status, nemoclaw list, nemoclaw dashboard port, nemoclaw rebuild, nemoclaw upgrade sandboxes, nemoclaw uninstall, sandbox mutability, sandbox runtime configuration, sandbox rebuild, nemoclaw backup, nemoclaw restore, workspace backup, openshell sandbox download upload, nemoclaw messaging channels, nemoclaw telegram, nemoclaw discord, nemoclaw slack, nemoclaw whatsapp, openshell channel messaging, nemoclaw workspace files, soul.md, user.md, identity.md, agents.md, sandbox persistence." +description: "Explains operational tasks after the quickstart: listing sandboxes, status and health checks, logs, diagnostics, port forwards, multiple sandboxes, credential reset, rebuilds, network presets, upgrades, and uninstall. Trigger keywords - manage nemoclaw sandboxes, nemoclaw status, nemoclaw list, nemoclaw dashboard port, nemoclaw rebuild, nemoclaw upgrade sandboxes, nemoclaw uninstall, sandbox mutability, sandbox runtime configuration, sandbox rebuild, nemoclaw backup, nemoclaw restore, workspace backup, openshell sandbox download upload, nemoclaw messaging channels, nemoclaw telegram, nemoclaw discord, nemoclaw slack, nemoclaw wechat, nemoclaw whatsapp, openshell channel messaging, nemoclaw workspace files, soul.md, user.md, identity.md, agents.md, sandbox persistence." --- @@ -274,7 +274,7 @@ For a full comparison of the two forms, including what they fetch, what they tru - **[references/runtime-controls.md](references/runtime-controls.md)** — Single page that answers what can change at runtime versus what requires a rebuild for NemoClaw sandboxes. - **Load [references/backup-restore.md](references/backup-restore.md)** when downloading workspace files from a sandbox, uploading restored files into a new sandbox, or preserving sandbox state across rebuilds. Backs up and restores OpenClaw workspace files before destructive operations such as sandbox rebuilds. -- **Load [references/messaging-channels.md](references/messaging-channels.md)** when setting up messaging channels, chat interfaces, or integrations without relying on nemoclaw tunnel start for bridges. Explains how Telegram, Discord, Slack, and WhatsApp reach sandboxed OpenClaw and Hermes agents through OpenShell-managed processes and NemoClaw channel commands. +- **Load [references/messaging-channels.md](references/messaging-channels.md)** when setting up messaging channels, chat interfaces, or integrations without relying on nemoclaw tunnel start for bridges. Explains how Telegram, Discord, Slack, WeChat, and WhatsApp reach sandboxed OpenClaw and Hermes agents through OpenShell-managed processes and NemoClaw channel commands. - **Load [references/workspace-files.md](references/workspace-files.md)** when users ask about `SOUL.md`, `USER.md`, `IDENTITY.md`, `AGENTS.md`, or other workspace files, or when preparing to back up or restore workspace state. Explains what workspace personality and configuration files are, where they live, and how they persist across sandbox restarts. ## Related Skills diff --git a/.agents/skills/nemoclaw-user-manage-sandboxes/references/messaging-channels.md b/.agents/skills/nemoclaw-user-manage-sandboxes/references/messaging-channels.md index 31c17763fb..38114460ad 100644 --- a/.agents/skills/nemoclaw-user-manage-sandboxes/references/messaging-channels.md +++ b/.agents/skills/nemoclaw-user-manage-sandboxes/references/messaging-channels.md @@ -2,10 +2,18 @@ # Messaging Channels -Telegram, Discord, Slack, and WhatsApp reach your OpenClaw or Hermes agent through OpenShell-managed processes and gateway constructs. -For token-based channels, NemoClaw registers credentials with OpenShell providers; WhatsApp pairs inside the sandbox via QR scan and intentionally stores mutable session state there. +Telegram, Discord, Slack, WeChat, and WhatsApp reach your OpenClaw or Hermes agent through OpenShell-managed processes and gateway constructs. +For token-based channels, NemoClaw registers credentials with OpenShell providers. +WeChat captures a token through a host-side QR scan during onboarding. +WhatsApp pairs inside the sandbox via QR scan and intentionally stores mutable session state there. NemoClaw bakes the selected channel configuration into the sandbox image and keeps runtime delivery under OpenShell control. +**Experimental Channels:** + +WeChat and WhatsApp are experimental. +Both rely on QR-based pairing flows that are more fragile than token-based bots, and the upstream client libraries can change behavior without notice. +Interfaces, defaults, and supported features may change, and these channels are not recommended for production use. + You can enable channels during `nemoclaw onboard` or add them later with host-side `nemoclaw channels` commands. Do not run agent-specific channel mutation commands such as `openclaw channels add` or `openclaw channels remove` inside the sandbox because NemoClaw generates `/sandbox/.openclaw/openclaw.json` for OpenClaw and `/sandbox/.hermes/.env` for Hermes at image build time, and changes inside the running container do not persist across rebuilds. @@ -16,7 +24,7 @@ For details, refer to Commands (use the `nemoclaw-user-reference` skill). ## Prerequisites - A machine where you can run `nemoclaw onboard` (local or remote host that runs the gateway and sandbox). -- A token for each token-based messaging platform you want to enable, or a phone you can use to scan the QR code for WhatsApp pairing. +- A token for each token-based messaging platform you want to enable, a personal WeChat account on your phone for the host-side QR scan during onboarding, or a phone you can use to scan the QR code for WhatsApp pairing. - A network policy preset for each enabled channel, or equivalent custom egress rules. ## Channel Requirements @@ -26,7 +34,8 @@ For details, refer to Commands (use the `nemoclaw-user-reference` skill). | Telegram | `TELEGRAM_BOT_TOKEN` | `TELEGRAM_ALLOWED_IDS` for DM allowlisting, `TELEGRAM_REQUIRE_MENTION` for group-chat replies | | Discord | `DISCORD_BOT_TOKEN` | `DISCORD_SERVER_ID`, `DISCORD_USER_ID`, `DISCORD_REQUIRE_MENTION` | | Slack | `SLACK_BOT_TOKEN`, `SLACK_APP_TOKEN` | `SLACK_ALLOWED_USERS` for DM and channel `@mention` user allowlisting, `SLACK_ALLOWED_CHANNELS` for channel ID allowlisting | -| WhatsApp | None. Pair via QR after rebuild | None | +| WeChat (experimental) | None. Captured via host-side QR scan during `nemoclaw onboard` | `WECHAT_ALLOWED_IDS` for DM allowlisting | +| WhatsApp (experimental) | None. Pair via QR after rebuild | None | Telegram uses a bot token from [BotFather](https://t.me/BotFather). Open Telegram, send `/newbot` to [@BotFather](https://t.me/BotFather), follow the prompts, and copy the token. @@ -50,7 +59,23 @@ Set `SLACK_ALLOWED_CHANNELS` to comma-separated Slack channel IDs to restrict ch When both Slack allowlists are set, NemoClaw requires the mention to come from one of the allowed channels and one of the allowed members. Channel messages still require an explicit bot mention. -WhatsApp Web does not use a host-side token or OpenShell credential provider. +WeChat (experimental) delivers messages over Tencent's iLink gateway via the upstream `@tencent-weixin/openclaw-weixin` plugin baked into the sandbox base image and the built-in Hermes iLink WeChat adapter. +The supported mode in this release is **personal WeChat** (`bot_type=3`). +WeChat Official Account and WeCom/Enterprise WeChat are not wired up. + +Because the bot token only exists after a successful iLink QR handshake, NemoClaw runs the QR login on the host during `nemoclaw onboard`. +You scan the QR with WeChat on your phone (Discover → Scan), confirm the login, and NemoClaw captures the token, `accountId`, `baseUrl`, and `userId` from the iLink response. +NemoClaw registers the token as the `-wechat-bridge` OpenShell provider and substitutes the `openshell:resolve:env:WECHAT_BOT_TOKEN` placeholder for it inside the sandbox, so the token never lands in the image or on disk inside the running container. +The non-secret per-account metadata (`WECHAT_ACCOUNT_ID`, `WECHAT_BASE_URL`, `WECHAT_USER_ID`) is baked into the sandbox image so the in-sandbox bridge can pre-seed the per-account context tokens without re-running the QR handshake. + +WeChat is DM-only (`allowIdsMode: "dm"`). +NemoClaw adds the operator who scanned the QR to `WECHAT_ALLOWED_IDS` automatically, and you can append more comma-separated WeChat user IDs through the same env var. +You can silence the host-side `[wechat]` diagnostic lines (poll status, IDC redirects, swallowed gateway errors) by exporting `NEMOCLAW_WECHAT_QUIET=1` once the flow is stable in your environment. + +Tencent's iLink gateway is a third-party service. +Review your organization's terms-of-service, compliance, and data-residency constraints before enabling WeChat. + +WhatsApp (experimental) Web does not use a host-side token or OpenShell credential provider. NemoClaw advertises WhatsApp for both OpenClaw and Hermes sandboxes, and each agent completes pairing with its own in-sandbox command. Pairing happens inside the sandbox after the rebuild completes and creates mutable session credentials there. Run `openshell term` and then use the agent-specific pairing command to render the QR code in the terminal: @@ -67,10 +92,16 @@ Pair only one sandbox per WhatsApp account at a time. ## Enable Channels During Onboarding -When the wizard reaches **Messaging channels**, it lists Telegram, Discord, Slack, and WhatsApp. +When the wizard reaches **Messaging channels**, it lists Telegram, Discord, Slack, WeChat, and WhatsApp. Press a channel number to toggle it on or off, then press **Enter** when done. If a token-based channel token is not already in the environment or credential store, the wizard prompts for it and saves it. -WhatsApp uses QR pairing instead of a host-side token, so the wizard does not prompt. + +If you enable WeChat (experimental), the wizard does not prompt for a paste token. +Instead, it renders a QR code in your terminal, polls Tencent's iLink gateway, and captures the bot token after you scan the QR with WeChat on your phone. +The login has an eight-minute deadline, refreshes the QR up to three times on expiry, and follows iLink's IDC redirects automatically. +Keep the terminal in the foreground until you see `✓ WeChat login confirmed`. + +WhatsApp (experimental) uses QR pairing instead of a host-side token, so the wizard does not prompt. It prints pairing instructions and you complete the pairing inside the sandbox after rebuild. NemoClaw also selects the matching network policy preset during policy setup so the channel can reach its provider API. @@ -87,13 +118,16 @@ $ export SLACK_ALLOWED_USERS= $ export SLACK_ALLOWED_CHANNELS= ``` +This release does not support non-interactive WeChat configuration because the iLink QR handshake requires a human to scan the QR on a paired phone. +Run `nemoclaw onboard` interactively when you want to enable WeChat. + Then run onboarding: ```console $ nemoclaw onboard ``` -Complete the rest of the wizard so the blueprint can create OpenShell providers where needed (for example `-telegram-bridge`), bake channel configuration into the image (`NEMOCLAW_MESSAGING_CHANNELS_B64`), and start the sandbox. +Complete the rest of the wizard so the blueprint can create OpenShell providers where needed (for example `-telegram-bridge` or `-wechat-bridge`), bake channel configuration into the image (`NEMOCLAW_MESSAGING_CHANNELS_B64`), and start the sandbox. ## Add Channels After Onboarding @@ -110,12 +144,16 @@ Add the channel you want: $ nemoclaw my-assistant channels add telegram $ nemoclaw my-assistant channels add discord $ nemoclaw my-assistant channels add slack +$ nemoclaw my-assistant channels add wechat $ nemoclaw my-assistant channels add whatsapp ``` -`channels add` collects whatever each channel needs (token prompts for Telegram, Discord, and Slack; nothing for WhatsApp because pairing happens in-sandbox after rebuild), registers bridge providers with the OpenShell gateway when tokens were captured, records the channel in the sandbox registry, and asks whether to rebuild immediately. +`channels add` collects whatever each channel needs. +It prompts for Telegram, Discord, and Slack tokens, runs an interactive host-side QR scan for WeChat, and collects nothing for WhatsApp because pairing happens in-sandbox after rebuild. +It registers bridge providers with the OpenShell gateway when tokens were captured, records the channel in the sandbox registry, and asks whether to rebuild immediately. The command accepts mixed-case input such as `Telegram`, then stores and prints the canonical lowercase channel name. -If a matching built-in network policy preset exists, `channels add` applies it to the sandbox automatically before the rebuild so the bridge has egress to its upstream API; if applying the preset fails, NemoClaw warns and tells you to re-apply manually with `nemoclaw policy-add ` after the rebuild. +If a matching built-in network policy preset exists, `channels add` applies it to the sandbox automatically before the rebuild so the bridge has egress to its upstream API. +If applying the preset fails, NemoClaw warns and tells you to re-apply manually with `nemoclaw policy-add ` after the rebuild. Choose the rebuild so the running sandbox image picks up the new channel. If you need optional channel settings such as `TELEGRAM_ALLOWED_IDS`, `TELEGRAM_REQUIRE_MENTION`, `DISCORD_SERVER_ID`, `DISCORD_USER_ID`, `DISCORD_REQUIRE_MENTION`, `SLACK_ALLOWED_USERS`, or `SLACK_ALLOWED_CHANNELS`, export them before the rebuild starts. If you defer the rebuild, apply the change later: @@ -142,18 +180,44 @@ $ DISCORD_BOT_TOKEN= \ nemoclaw my-assistant channels add discord ``` +### `channels add wechat` + +`channels add wechat` (experimental) follows the same shape as the other channels with two differences driven by the iLink QR handshake. + +First, the command does not prompt for a paste token. +Instead, it renders a QR code in your terminal, polls Tencent's iLink gateway, and captures both the bot token and the per-account metadata (`accountId`, `baseUrl`, `userId`) once you scan the QR with WeChat on your phone (Discover → Scan). +The login has an eight-minute deadline and refreshes the QR up to three times on expiry. +Keep the terminal in the foreground until you see `✓ WeChat login confirmed`. + +Second, the command requires an interactive terminal. +Non-interactive mode (`NEMOCLAW_NON_INTERACTIVE=1`) fails fast with a clear error because the QR handshake needs a paired phone. + +```console +$ nemoclaw my-assistant channels add wechat +``` + +If `WECHAT_BOT_TOKEN` is already cached for this sandbox (the operator onboarded with WeChat earlier), `channels add wechat` reuses the cached token and skips the QR scan to keep the upstream plugin's existing iLink session intact. +Re-running QR would invalidate that session. +Use `channels remove wechat` first if you intend to acquire a fresh account. + ## Rotate or Remove Credentials Running `channels add` for a channel that is already configured overwrites the stored tokens and registers the updated bridge provider. +For WeChat the cached-token short-circuit applies. +See [`channels add wechat`](#channels-add-wechat) for how to acquire a fresh account. Rebuild the sandbox after the update so the image reflects the current channel set. To remove a channel and clear its stored credentials, run: ```console $ nemoclaw my-assistant channels remove telegram +$ nemoclaw my-assistant channels remove wechat ``` -For QR-paired channels (today: WhatsApp), `channels remove` destructively clears the in-sandbox session directory before the rebuild so the next rebuild does not restore stale auth files and reconnect the channel. +`channels remove wechat` clears the bot token, deletes the `-wechat-bridge` OpenShell provider, and drops `wechat` from the sandbox's enabled-channel set. +The next rebuild produces an image without the WeChat channel block in `openclaw.json` and without the per-account state files under `/sandbox/.openclaw/openclaw-weixin/`. + +For in-sandbox QR-paired channels (today: WhatsApp), `channels remove` destructively clears the in-sandbox session directory before the rebuild so the next rebuild does not restore stale auth files and reconnect the channel. The cleanup targets `/sandbox/.openclaw//` for OpenClaw and `/sandbox/.hermes/platforms//` for Hermes. The cleanup tries `openshell sandbox exec` and falls back to SSH if that does not produce the success sentinel. If neither transport can reach a running sandbox for a QR-paired channel, the command exits non-zero and asks you to start the sandbox and re-run. @@ -168,26 +232,36 @@ Use `channels stop` when you want to pause a bridge without deleting credentials ```console $ nemoclaw my-assistant channels stop telegram $ nemoclaw my-assistant channels start telegram + +$ nemoclaw my-assistant channels stop wechat +$ nemoclaw my-assistant channels start wechat ``` -Telegram, Discord, and Slack each allow only one active consumer per channel credential. -Multiple sandboxes can use the same channel type at the same time when each sandbox uses a distinct bot/app token. +For WeChat specifically, `channels stop wechat` followed by a rebuild keeps the per-account state files under `/sandbox/.openclaw/openclaw-weixin/accounts/` intact even though the bridge is no longer wired up in `openclaw.json`. +A subsequent `channels start wechat` plus rebuild revives the bridge against the same iLink account without a fresh QR scan. +The bot token is held by the OpenShell provider across the stop/start cycle. + +Telegram, Discord, Slack, and WeChat each allow only one active consumer per channel credential. +Multiple sandboxes can use the same channel type at the same time when each sandbox uses a distinct bot/app token (or a distinct WeChat iLink bot account). For example, two Telegram sandboxes can DM the same `TELEGRAM_ALLOWED_IDS` account as long as they use different `TELEGRAM_BOT_TOKEN` values. +For WeChat, each sandbox must own a distinct iLink `accountId` (bot identity). +Running two sandboxes against the same WeChat account causes one of them to lose messages. If you enable a messaging channel and another sandbox already uses the same token, onboarding prompts you to confirm before continuing in interactive mode and exits non-zero in non-interactive mode. -If NemoClaw only has legacy channel metadata and cannot compare credential hashes, it keeps the conservative warning; re-run `channels add ` with the intended token to refresh the stored non-secret hash. +If NemoClaw only has legacy channel metadata and cannot compare credential hashes, it keeps the conservative warning. +Re-run `channels add ` with the intended token to refresh the stored non-secret hash. `nemoclaw status` reports cross-sandbox overlaps so you can resolve duplicates before messages start dropping. ## Stop Messaging Delivery Use `channels stop` when you want to pause one bridge and keep the sandbox running. Use `nemoclaw tunnel stop` or its deprecated alias `nemoclaw stop` when you want to stop host auxiliary services and also ask NemoClaw to stop the OpenClaw gateway inside the selected sandbox. -Stopping the in-sandbox gateway stops Telegram, Discord, Slack, and WhatsApp polling for that sandbox until you restart the sandbox or gateway. +Stopping the in-sandbox gateway stops Telegram, Discord, Slack, WeChat, and WhatsApp polling for that sandbox until you restart the sandbox or gateway. ## Confirm Delivery After the sandbox is running, send a message to the configured bot or app. If delivery fails, use `openshell term` on the host, check gateway logs, and verify network policy allows the channel API. -Use the matching policy preset (`telegram`, `discord`, `slack`, or `whatsapp`) or review Common Integration Policy Examples (use the `nemoclaw-user-manage-policy` skill). +Use the matching policy preset (`telegram`, `discord`, `slack`, `wechat`, or `whatsapp`) or review Common Integration Policy Examples (use the `nemoclaw-user-manage-policy` skill). ## Tunnel Command diff --git a/.agents/skills/nemoclaw-user-overview/references/release-notes.md b/.agents/skills/nemoclaw-user-overview/references/release-notes.md index a672daf780..45c25b6c9c 100644 --- a/.agents/skills/nemoclaw-user-overview/references/release-notes.md +++ b/.agents/skills/nemoclaw-user-overview/references/release-notes.md @@ -4,27 +4,39 @@ NVIDIA NemoClaw is available in early preview starting March 16, 2026. Use this page to track changes. +## v0.0.52 + +NemoClaw v0.0.52 upgrades the bundled OpenClaw runtime, repairs Hermes sandbox startup, restores onboarding ready output, and hardens Slack onboarding, Windows bootstrap, and private-network handling: + +- Bundles OpenClaw 2026.5.22 as the NemoClaw runtime target through `OPENCLAW_VERSION` in the NemoClaw Dockerfiles. The runtime upgrade addresses Telegram, Discord, and Slack channel registration issues seen on the 2026.5.18 runtime. `nemoclaw-blueprint/blueprint.yaml` keeps `min_openclaw_version` as a compatibility floor for direct blueprint consumers, so the blueprint floor can be lower than the Dockerfile target. Run `nemoclaw rebuild` to pick up the new OpenClaw runtime in existing sandboxes. +- Hermes sandbox startup is more reliable on the v0.14 root entrypoint. NemoClaw precreates `hooks`, `image_cache`, `audio_cache`, and `logs/curator` under `HERMES_HOME`, makes `/sandbox/.hermes` sticky group-writable so the `gateway` user can create runtime state without removing sandbox-owned config files, stops precreating `/sandbox/.hermes/gateway.pid` as a symlink that Hermes v0.14 treats as a PID race, and clears legacy PID and lock state before launch. +- `nemoclaw onboard` ready output points users at `nemoclaw dashboard-url --quiet` again, restoring the dashboard guidance that regressed during an earlier onboarding refactor. +- Slack onboarding validates preconfigured Slack tokens before treating Slack as configured. Invalid `SLACK_BOT_TOKEN` values from the environment or stored credentials no longer cause onboarding to skip the Slack prompt, so the wizard re-prompts for a valid `xoxb-...` token instead of silently advancing with a token Slack cannot use. +- The Windows bootstrap script defers first-run Ubuntu account setup to a separate WSL handoff window again, which keeps PowerShell prompt alignment intact during install. The default distro is `Ubuntu-24.04`, and `bootstrap-windows.ps1 -DistroName Ubuntu` reuses an existing `Ubuntu` distribution. +- The blueprint private-network blocklist reloads when `private-networks.yaml` changes on disk, so long-running NemoClaw processes validate SSRF and private-network rules against the current file instead of stale cached data. + ## v0.0.51 -NemoClaw v0.0.51 improves messaging controls, local inference setup, policy validation, and onboarding recovery: +NemoClaw v0.0.51 improves messaging controls, local inference setup, sandbox diagnostics, policy validation, and onboarding recovery: - Slack setup now supports channel allowlisting. During onboarding, `channels add slack`, and non-interactive rebuilds, set `SLACK_ALLOWED_CHANNELS` to restrict channel `@mention` handling to selected Slack channel IDs. Combine it with `SLACK_ALLOWED_USERS` when you want both channel and member checks. - Local Ollama setup now detects host installations that are below the minimum supported version and offers an explicit upgrade path. On macOS, NemoClaw uses Homebrew. On Linux, NemoClaw uses the system installer for upgrades and refuses non-interactive upgrade paths that would require a hidden sudo prompt. +- Non-interactive Linux Ollama setup can use a sudo-free user-local install path when passwordless sudo is unavailable. The docs now describe `NEMOCLAW_OLLAMA_INSTALL_MODE`, the user-local install trade-offs, and the manual `zstd` requirement. - Managed Ollama model selection now uses a memory-aware registry for starter models. If a known bootstrap model does not fit currently available GPU memory, NemoClaw warns and falls back to the largest known model that does fit instead of starting a model that is likely to fail. +- `nemoclaw onboard` restores the managed vLLM menu entry for DGX Spark and DGX Station hosts, which had been hidden after a previous onboard refactor dropped the `gpu.platform` value the vLLM menu builder relies on. - `nemoclaw resources` and `NEMOCLAW_RESOURCE_PROFILE` expose sandbox CPU and memory profiles. Profiles can be selected during onboarding, and `NEMOCLAW_CPU` or `NEMOCLAW_RAM` can override the selected profile for scripted runs. - Cloudflare named tunnels are supported through `CLOUDFLARE_TUNNEL_TOKEN`. `nemoclaw tunnel start` passes the token through the environment and expects the named tunnel route to already point at the dashboard port. - Jira policy validation guidance now matches the maintained preset. Use a Node HTTPS status probe for Atlassian API access and an explicit status-only curl probe for `auth.atlassian.com` when validating approved requests manually. +- Sandbox logs merge OpenClaw gateway output and OpenShell audit events into one stream, and `--tail` applies once to the merged result so policy denials appear beside gateway logs. - Onboarding recovers more cleanly across host and runtime edge cases, including root-owned config sync directories, stale dashboard port allocation, unreachable Docker daemons, stale dashboard forwards, default NVIDIA CDI spec directories, and Linux Docker-driver health checks. ## v0.0.50 NemoClaw v0.0.50 focused on onboarding reliability, local inference hardening, messaging diagnostics, and sandbox lifecycle cleanup: -- `nemoclaw onboard` handles DGX Spark and DGX Station managed vLLM setup more consistently, including restored vLLM menu entries and CPU-fallback detection on Spark hosts. -- Non-interactive Linux Ollama setup can use a sudo-free user-local install path when passwordless sudo is unavailable. The docs now describe `NEMOCLAW_OLLAMA_INSTALL_MODE`, the user-local install trade-offs, and the manual `zstd` requirement. +- `nemoclaw onboard` detects DGX Spark hosts where managed Ollama falls back to CPU execution. Local inference setup fails the Ollama validation step with a tailored diagnostic, adds a Spark `OLLAMA_LLM_LIBRARY=cuda_v13` systemd override when that backend is installed, and enables the managed Linux Ollama service so local inference survives reboot. - Compatible endpoint setup rejects `host.docker.internal` inference URLs because OpenShell sandboxes do not have a portable host-service route through that name. Use Local Ollama's authenticated proxy path or a policy-managed host service instead. - Telegram setup now surfaces BotFather group privacy guidance. Disable privacy mode, then remove and re-add the bot to each group before testing group delivery. -- Sandbox logs merge OpenClaw gateway output and OpenShell audit events into one stream, and `--tail` applies once to the merged result so policy denials appear beside gateway logs. - Maintenance commands recover the OpenShell gateway before retrying sandbox-list operations, which makes rebuild, recover, upgrade, and backup flows more resilient after gateway drift. - NemoClaw no longer writes proxy hooks into sandbox shell startup files. Local proxy configuration stays on supported OpenShell and NemoClaw paths rather than mutating user shell rc files. - Windows bootstrap installs Ubuntu 24.04 when WSL is present but no Ubuntu distribution is registered. @@ -212,6 +224,8 @@ The installer error message in v0.0.35+ surfaces all three invocations directly ## Component Version Policy -NemoClaw pins the OpenClaw version inside the sandbox at build time via `min_openclaw_version` in `nemoclaw-blueprint/blueprint.yaml`; existing sandboxes do not auto-upgrade. +NemoClaw pins the OpenClaw version inside the sandbox at build time via `OPENCLAW_VERSION` in the NemoClaw Dockerfiles. +The `min_openclaw_version` field in `nemoclaw-blueprint/blueprint.yaml` is the compatibility floor for direct blueprint consumers and may be lower than the NemoClaw runtime target. +Existing sandboxes do not auto-upgrade. Run `nemoclaw status` to see the OpenClaw version currently running in a sandbox, and `nemoclaw rebuild` to pick up a newer pin from a NemoClaw upgrade. See Checking the OpenClaw version (use the `nemoclaw-user-reference` skill) for the full policy. diff --git a/.agents/skills/nemoclaw-user-reference/references/architecture.md b/.agents/skills/nemoclaw-user-reference/references/architecture.md index 14a5c352f5..07e193434a 100644 --- a/.agents/skills/nemoclaw-user-reference/references/architecture.md +++ b/.agents/skills/nemoclaw-user-reference/references/architecture.md @@ -197,9 +197,11 @@ flowchart LR ## Sandbox Environment -The sandbox runs the -[`ghcr.io/nvidia/openshell-community/sandboxes/openclaw`](https://github.com/NVIDIA/OpenShell-Community) -container image. Inside the sandbox: +Normal NemoClaw onboarding builds from the +[`ghcr.io/nvidia/nemoclaw/sandbox-base`](https://github.com/NVIDIA/NemoClaw/pkgs/container/nemoclaw%2Fsandbox-base) +base image and layers the NemoClaw runtime Dockerfile on top. The direct blueprint +runner still carries a pinned OpenShell Community OpenClaw image for legacy +`openshell sandbox create --from` compatibility. Inside the sandbox: - OpenClaw runs with the NemoClaw plugin pre-installed. - Inference calls are routed through OpenShell to the configured provider. diff --git a/.agents/skills/nemoclaw-user-reference/references/commands.md b/.agents/skills/nemoclaw-user-reference/references/commands.md index b6f96b32ae..2d740c1dd4 100644 --- a/.agents/skills/nemoclaw-user-reference/references/commands.md +++ b/.agents/skills/nemoclaw-user-reference/references/commands.md @@ -56,7 +56,7 @@ The wizard creates an OpenShell gateway, registers inference providers, builds t Use this command for new installs and for recreating a sandbox after changes to policy or configuration. ```console -$ nemoclaw onboard [--non-interactive] [--resume | --fresh] [--recreate-sandbox] [--gpu | --no-gpu] [--from ] [--name ] [--sandbox-gpu | --no-sandbox-gpu] [--sandbox-gpu-device ] [--agent ] [--control-ui-port ] [--yes | -y] [--yes-i-accept-third-party-software] +$ nemoclaw onboard [--non-interactive] [--resume | --fresh] [--recreate-sandbox] [--gpu | --no-gpu] [--from ] [--name ] [--sandbox-gpu | --no-sandbox-gpu] [--sandbox-gpu-device ] [--agent ] [--control-ui-port ] [--yes | -y] [--no-ollama-autostart] [--yes-i-accept-third-party-software] ``` **Warning:** @@ -400,7 +400,8 @@ $ nemoclaw my-assistant status #### Checking the OpenClaw version NemoClaw pins the OpenClaw version inside the sandbox at build time, not at runtime. -The minimum version comes from `min_openclaw_version` in `nemoclaw-blueprint/blueprint.yaml`, and the sandbox image upgrades OpenClaw to that version during `docker build` if the cached base image is older. +The NemoClaw runtime build target is declared by `OPENCLAW_VERSION` in the NemoClaw Dockerfiles. +The `min_openclaw_version` field in `nemoclaw-blueprint/blueprint.yaml` remains the compatibility floor for direct blueprint consumers, so it can be lower than the Dockerfile target. Existing sandboxes do not auto-upgrade when a newer NemoClaw release ships a newer pin — you upgrade by rebuilding the sandbox. `nemoclaw status` prints the running OpenClaw version on the `Agent` line: @@ -408,7 +409,7 @@ Existing sandboxes do not auto-upgrade when a newer NemoClaw release ships a new ```console $ nemoclaw my-assistant status ... - Agent: OpenClaw v2026.5.18 + Agent: OpenClaw v2026.5.22 ... ``` @@ -645,8 +646,9 @@ $ nemoclaw my-assistant hosts-remove searxng.local ### `nemoclaw channels list` -List the messaging channels NemoClaw knows about (`telegram`, `discord`, `slack`, `whatsapp`) with a short description. +List the messaging channels NemoClaw knows about (`telegram`, `discord`, `slack`, `wechat`, `whatsapp`) with a short description. The command is a static reference; it does not consult credentials or the running sandbox. +WeChat and WhatsApp are experimental. ```console $ nemoclaw my-assistant channels list @@ -658,7 +660,12 @@ Register a messaging channel with the sandbox and rebuild so the image picks up Channels fall into three login modes: - **Token paste** (`telegram`, `discord`, `slack`): the command prompts for any missing token and registers it with the OpenShell gateway. -- **In-sandbox QR** (`whatsapp`): the command records the channel without a host-side token or OpenShell credential provider. +- **Host-side QR** (`wechat`, experimental): the command renders an iLink QR code on the host and you scan it from WeChat on your phone. + On confirm, NemoClaw captures the bot token, registers it with the OpenShell gateway, and stores non-secret per-account metadata (`WECHAT_ACCOUNT_ID`, `WECHAT_BASE_URL`, `WECHAT_USER_ID`) for the in-sandbox bridge. + NemoClaw automatically adds the scanning operator's WeChat user ID to `WECHAT_ALLOWED_IDS`. + Supply additional comma-separated IDs to authorize more DM senders. + NemoClaw advertises WeChat for both OpenClaw (the `@tencent-weixin/openclaw-weixin` plugin) and Hermes (the built-in iLink WeChat adapter). +- **In-sandbox QR** (`whatsapp`, experimental): the command records the channel without a host-side token or OpenShell credential provider. NemoClaw advertises WhatsApp for OpenClaw and Hermes sandboxes; after rebuild, run `openclaw channels login --channel whatsapp` for OpenClaw or `hermes whatsapp` for Hermes. This intentionally leaves QR-created mutable session state in the sandbox until you unpair it or clear the durable agent state. @@ -685,7 +692,7 @@ If you omit the required `` argument, the CLI prints the `channels add Clear the stored credentials for a messaging channel and rebuild the sandbox so the image drops the channel. Running `remove` for a channel that was never configured is a no-op against the credentials file and still triggers the rebuild prompt. When the bridge provider is attached to a live sandbox, NemoClaw detaches it before deleting the provider from the OpenShell gateway. -If the matching built-in policy preset is applied, such as `telegram`, `discord`, `slack`, or `whatsapp`, NemoClaw also removes that preset so the upstream API is no longer allow-listed after the channel is gone. +If the matching built-in policy preset is applied, such as `telegram`, `discord`, `slack`, `wechat`, or `whatsapp`, NemoClaw also removes that preset so the upstream API is no longer allow-listed after the channel is gone. NemoClaw also strips the channel from `session.policyPresets` so a subsequent `onboard --resume` does not re-apply the preset on the next rebuild. For QR-paired channels (today: WhatsApp), NemoClaw destructively clears the in-sandbox session directory before the rebuild so the `state_dirs` backup does not restore the auth blob and let the channel reconnect: @@ -710,7 +717,7 @@ Host-side removal is the supported path because agent channel config is baked in ### `nemoclaw channels stop ` -Pause a single messaging bridge (`telegram`, `discord`, `slack`, or `whatsapp`) without clearing its credentials. +Pause a single messaging bridge (`telegram`, `discord`, `slack`, `wechat`, or `whatsapp`) without clearing its credentials. The channel is marked disabled in the per-sandbox registry, and the sandbox is rebuilt so the onboard step skips registering the bridge with the gateway. The provider stays registered with the OpenShell gateway, so a later `channels start` brings the bridge back without re-entering tokens. @@ -1072,7 +1079,7 @@ Use `--no-verify` only when OpenShell cannot verify the provider at switch time The `nemoclaw setup` command is deprecated. Use `nemoclaw onboard` instead. -This command remains as a compatibility alias to `nemoclaw onboard` and accepts the same flags: `--non-interactive`, `--resume`, `--fresh`, `--recreate-sandbox`, `--gpu` / `--no-gpu`, `--from`, `--name`, `--sandbox-gpu` / `--no-sandbox-gpu`, `--sandbox-gpu-device`, `--agent`, `--control-ui-port`, `--yes` / `-y`, `--yes-i-accept-third-party-software`. +This command remains as a compatibility alias to `nemoclaw onboard` and accepts the same flags: `--non-interactive`, `--resume`, `--fresh`, `--recreate-sandbox`, `--gpu` / `--no-gpu`, `--from`, `--name`, `--sandbox-gpu` / `--no-sandbox-gpu`, `--sandbox-gpu-device`, `--agent`, `--control-ui-port`, `--yes` / `-y`, `--no-ollama-autostart`, `--yes-i-accept-third-party-software`. ```console $ nemoclaw setup @@ -1085,7 +1092,7 @@ $ nemoclaw setup The `nemoclaw setup-spark` command is deprecated. Use the standard installer and run `nemoclaw onboard` instead, because current OpenShell releases handle the older DGX Spark cgroup behavior. -This command remains as a compatibility alias to `nemoclaw onboard` and accepts the same flags: `--non-interactive`, `--resume`, `--fresh`, `--recreate-sandbox`, `--gpu` / `--no-gpu`, `--from`, `--name`, `--sandbox-gpu` / `--no-sandbox-gpu`, `--sandbox-gpu-device`, `--agent`, `--control-ui-port`, `--yes` / `-y`, `--yes-i-accept-third-party-software`. +This command remains as a compatibility alias to `nemoclaw onboard` and accepts the same flags: `--non-interactive`, `--resume`, `--fresh`, `--recreate-sandbox`, `--gpu` / `--no-gpu`, `--from`, `--name`, `--sandbox-gpu` / `--no-sandbox-gpu`, `--sandbox-gpu-device`, `--agent`, `--control-ui-port`, `--yes` / `-y`, `--no-ollama-autostart`, `--yes-i-accept-third-party-software`. ```console $ nemoclaw setup-spark @@ -1281,6 +1288,7 @@ These flags toggle optional behaviors during onboarding; set them before running | Variable | Format | Effect | |----------|--------|--------| | `NEMOCLAW_YES` | `1` to enable | Auto-accepts confirmation prompts (`--yes` equivalent) including in helpers like the Ollama proxy auth setup. | +| `NEMOCLAW_OLLAMA_NO_AUTOSTART` | `1` to enable | Skips the wizard's eager Ollama auto-start during inference-provider selection (equivalent to passing `--no-ollama-autostart`). When set and Ollama is not running on `localhost:11434`, the `nemoclaw onboard` Local Ollama path prints a warning and selects the default fallback model instead of spawning `ollama serve`. The flag covers only the provider-selection step; later setup steps (auth proxy, validation, model warm) still expect a reachable Ollama. On Linux hosts with a systemd Ollama unit, the loopback-override path may still restart the daemon before this gate runs. | | `NEMOCLAW_NON_INTERACTIVE_SUDO_MODE` | `prompt` or empty/unset | When set to `prompt`, allows non-interactive onboarding to use prompt-capable `sudo` for host setup steps that require elevation, which can ask for a password. Empty/unset is the default and uses `sudo -n`, which fails instead of asking for a password. Any other value is rejected. | | `NEMOCLAW_NO_EXPRESS` | `1` to enable | Installer-only. Skips the DGX Spark, DGX Station, and Windows WSL express install prompt and continues with the normal interactive onboarding flow. | | `NEMOCLAW_EXPERIMENTAL` | `1` to enable | Surfaces experimental providers and flows in onboarding. | @@ -1298,6 +1306,7 @@ These flags toggle optional behaviors during onboarding; set them before running | `NEMOCLAW_OPENSHELL_GATEWAY_BIN` | path | Advanced override for the `openshell-gateway` binary used by the Linux Docker-driver gateway. Defaults to the binary next to `openshell`, then common install paths. | | `NEMOCLAW_OPENSHELL_SANDBOX_BIN` | path | Advanced override for the `openshell-sandbox` binary passed to the Linux Docker-driver gateway supervisor. Defaults to the binary next to `openshell`, then common install paths. | | `NEMOCLAW_OPENSHELL_GATEWAY_STATE_DIR` | path | Advanced override for the Linux Docker-driver gateway pid file and SQLite state directory. Defaults to `~/.local/state/nemoclaw/openshell-docker-gateway`. | +| `NEMOCLAW_WECHAT_QUIET` | `1` to enable | Silences the `[wechat]` diagnostic lines printed during the host-side WeChat QR login (poll status, IDC redirects, swallowed gateway errors), which are visible by default while the experimental WeChat path stabilizes; set `1` once the flow is reliable in your environment. | ### Probe Timeouts diff --git a/.agents/skills/nemoclaw-user-reference/references/network-policies.md b/.agents/skills/nemoclaw-user-reference/references/network-policies.md index dae511f6fc..40a480a307 100644 --- a/.agents/skills/nemoclaw-user-reference/references/network-policies.md +++ b/.agents/skills/nemoclaw-user-reference/references/network-policies.md @@ -44,8 +44,10 @@ GitHub access (`github.com`, `api.github.com`) is not included in the baseline p Apply the `github` preset during onboarding if your agent needs GitHub access. See Customize the Network Policy (use the `nemoclaw-user-manage-policy` skill). -The baseline policy does not include messaging endpoints for Telegram, Discord, Slack, and WhatsApp. +The baseline policy does not include messaging endpoints for Telegram, Discord, Slack, WeChat, or WhatsApp. Enable the channel during onboarding or apply the matching messaging preset so the sandbox can reach that platform. +WeChat and WhatsApp are experimental. +Review Messaging Channels (use the `nemoclaw-user-manage-sandboxes` skill) before enabling them. @@ -58,7 +60,7 @@ The baseline policy is always applied regardless of the selected tier. |------|------------------|-------------| | Restricted | None | Base sandbox only. No third-party network access beyond inference and core agent tooling. | | Balanced (default) | `npm`, `pypi`, `huggingface`, `brew`, `brave when supported` | Full dev tooling and web search for agents that support web search. No messaging platform access. | -| Open | `npm`, `pypi`, `huggingface`, `brew`, `brave when supported`, `slack`, `discord`, `telegram`, `whatsapp`, `jira`, `outlook` | Broad access across third-party services including messaging and productivity. | +| Open | `npm`, `pypi`, `huggingface`, `brew`, `brave when supported`, `slack`, `discord`, `telegram`, `wechat` (experimental), `whatsapp` (experimental), `jira`, `outlook` | Broad access across third-party services including messaging and productivity. | After selecting a tier, a combined preset and access-mode screen lets you include or exclude individual presets and toggle each between read (GET only) and read-write (GET + POST/PUT/PATCH) access. Tier-default presets are pre-selected; additional presets can be added from the full list. diff --git a/.agents/skills/nemoclaw-user-reference/references/troubleshooting.md b/.agents/skills/nemoclaw-user-reference/references/troubleshooting.md index 3f586df360..c51bd536a1 100644 --- a/.agents/skills/nemoclaw-user-reference/references/troubleshooting.md +++ b/.agents/skills/nemoclaw-user-reference/references/troubleshooting.md @@ -547,7 +547,8 @@ Follow these steps to reconnect. $ nemoclaw tunnel start ``` - OpenShell-managed channel messaging handles Telegram, Discord, Slack, and WhatsApp at onboarding, not through a separate bridge process from `nemoclaw tunnel start`. + OpenShell-managed channel messaging handles Telegram, Discord, Slack, WeChat, and WhatsApp at onboarding, not through a separate bridge process from `nemoclaw tunnel start`. + WeChat and WhatsApp are experimental. To pause a single bridge without destroying the sandbox, use `nemoclaw channels stop `. **If the sandbox does not recover:** @@ -756,12 +757,18 @@ Run the equivalent host-side command instead: ```console $ nemoclaw channels list -$ nemoclaw channels add -$ nemoclaw channels remove +$ nemoclaw channels add +$ nemoclaw channels remove ``` -`channels add` registers credentials with the OpenShell gateway and `channels remove` clears them; both offer to rebuild the sandbox so the image reflects the new channel set. +`channels add` registers credentials with the OpenShell gateway and `channels remove` clears them. +Both offer to rebuild the sandbox so the image reflects the new channel set. In non-interactive mode (`NEMOCLAW_NON_INTERACTIVE=1`), the commands stage the change and leave the rebuild to a follow-up `nemoclaw rebuild`. +WeChat and WhatsApp are experimental. +Review Messaging Channels (use the `nemoclaw-user-manage-sandboxes` skill) before enabling them. + +WeChat captures its bot token through a host-side QR scan during `nemoclaw onboard` or `channels add wechat`. +You scan the iLink QR from WeChat on your phone and NemoClaw registers the captured token with the OpenShell gateway. WhatsApp pairs entirely inside the sandbox. NemoClaw advertises WhatsApp for OpenClaw and Hermes sandboxes after you add the channel on the host. @@ -1322,7 +1329,7 @@ Skills that require macOS-only binaries cannot be enabled on Brev. Skills that require additional CLI binaries require a custom sandbox image rebuild. For credentials, use the supported host-side setup flow. -Re-run onboarding for inference or Brave Search credentials, or use `nemoclaw channels add ` for messaging channels. +Re-run onboarding for inference or Brave Search credentials, or use `nemoclaw channels add ` for messaging channels. To add a binary to the sandbox image, update the sandbox `Dockerfile.base` to install the required package, then rebuild: ```console diff --git a/docs/about/release-notes.mdx b/docs/about/release-notes.mdx index 260a8e0aa6..f9f9ec1136 100644 --- a/docs/about/release-notes.mdx +++ b/docs/about/release-notes.mdx @@ -11,6 +11,17 @@ content: --- NVIDIA NemoClaw is available in early preview starting March 16, 2026. Use this page to track changes. +## v0.0.52 + +NemoClaw v0.0.52 upgrades the bundled OpenClaw runtime, repairs Hermes sandbox startup, restores onboarding ready output, and hardens Slack onboarding, Windows bootstrap, and private-network handling: + +- Bundles OpenClaw 2026.5.22 as the NemoClaw runtime target through `OPENCLAW_VERSION` in the NemoClaw Dockerfiles. The runtime upgrade addresses Telegram, Discord, and Slack channel registration issues seen on the 2026.5.18 runtime. `nemoclaw-blueprint/blueprint.yaml` keeps `min_openclaw_version` as a compatibility floor for direct blueprint consumers, so the blueprint floor can be lower than the Dockerfile target. Run `nemoclaw rebuild` to pick up the new OpenClaw runtime in existing sandboxes. +- Hermes sandbox startup is more reliable on the v0.14 root entrypoint. NemoClaw precreates `hooks`, `image_cache`, `audio_cache`, and `logs/curator` under `HERMES_HOME`, makes `/sandbox/.hermes` sticky group-writable so the `gateway` user can create runtime state without removing sandbox-owned config files, stops precreating `/sandbox/.hermes/gateway.pid` as a symlink that Hermes v0.14 treats as a PID race, and clears legacy PID and lock state before launch. +- `nemoclaw onboard` ready output points users at `nemoclaw dashboard-url --quiet` again, restoring the dashboard guidance that regressed during an earlier onboarding refactor. +- Slack onboarding validates preconfigured Slack tokens before treating Slack as configured. Invalid `SLACK_BOT_TOKEN` values from the environment or stored credentials no longer cause onboarding to skip the Slack prompt, so the wizard re-prompts for a valid `xoxb-...` token instead of silently advancing with a token Slack cannot use. +- The Windows bootstrap script defers first-run Ubuntu account setup to a separate WSL handoff window again, which keeps PowerShell prompt alignment intact during install. The default distro is `Ubuntu-24.04`, and `bootstrap-windows.ps1 -DistroName Ubuntu` reuses an existing `Ubuntu` distribution. +- The blueprint private-network blocklist reloads when `private-networks.yaml` changes on disk, so long-running NemoClaw processes validate SSRF and private-network rules against the current file instead of stale cached data. + ## v0.0.51 NemoClaw v0.0.51 improves messaging controls, local inference setup, sandbox diagnostics, policy validation, and onboarding recovery: