Understand Runtime Changes
Use this matrix to choose the operation that makes a sandbox change take effect. NemoClaw applies its security posture in three layers: what onboarding writes into the sandbox image, what the running sandbox can hot-reload, and what requires a rebuild or re-onboard.
OpenClaw Runtime Changes
For a new or pristine OpenClaw workspace, NEMOCLAW_MINIMAL_BOOTSTRAP=1 avoids roughly 3,000 tokens of per-turn project-context overhead by skipping the default template seed.
It does not delete existing workspace files.
The runtime source of truth is /sandbox/.openclaw/openclaw.json.
The host registry caches metadata, but the image and OpenClaw read from the in-sandbox file.
OpenClaw config and inference changes are refused while shields are up.
Run nemoclaw <name> shields down before the change, then restore lockdown with nemoclaw <name> shields up.
Host-side OpenClaw config writes run under the per-sandbox transition lock and bind the replacement to the SHA-256 digest of the matching read. The root-only config guard validates bounded JSON input, transactionally publishes fresh config and hash inodes, and restores the prior mutable posture without adopting concurrent path changes.
In the direct root-entrypoint topology, gateway restart performs a read-only config and hash preflight, temporarily seals fresh inodes while the root PID 1 supervisor replaces the gateway child, and then restores the prior shields posture.
In the OpenShell-managed topology, the installed root controller performs the config preflight while the nonroot nemoclaw-start supervisor replaces the gateway child.
Mutable config in the managed topology keeps the same trust and time-of-check/time-of-use limits as a managed cold start and does not receive the direct root-entrypoint restart seal. If preflight detects an unsafe path, invalid config, invalid ownership posture, or locked hash drift, restart refuses while the old healthy gateway is still serving.
Timed Shields Windows
NemoClaw serializes host-side config and inference writes, snapshot mutation, sandbox destruction, and shields transitions for each sandbox.
When shields down --timeout is active, each mutation binds to that exact timer generation so a replaced or expired timer cannot race a later command or a new sandbox that reuses the same name.
If the timeout expires while a mutation is still changing sandbox state, auto-restore can stop that exact process tree, reclaim the transition, and restore the restrictive policy and config posture. The ownership check includes both the process ID and process start identity so PID reuse does not grant control over an unrelated process.
Retry a command that the auto-restore deadline interrupts after you open a new shields-down window.
Related Topics
- Understand Gateway Lifecycle Control for
recoverandgateway restarttrust boundaries. - Recover and Rebuild Sandboxes for the operational recovery workflow.
- Switch Inference Providers for model and provider changes.
- Customize Network Policy for runtime policy editing.
- Security Best Practices for the broader security posture.
- CLI Commands Reference for command flags and environment variables.