Recover and Rebuild Sandboxes

View as Markdown

Use the lightest recovery operation that repairs the sandbox while preserving its supported state.

Recover the Agent Runtime

Deep Agents sandboxes are terminal runtimes and do not expose an OpenClaw or Hermes in-sandbox gateway. Use nemo-deepagents <sandbox-name> status, logs, connect, and rebuild for recovery. If the terminal runtime reports degraded health, rebuild the sandbox instead of using recover or gateway restart.

Rebuild While Preserving State

If you changed the underlying Dockerfile, upgraded Deep Agents Code, enabled Tavily Search, or want to pick up a new base image without losing manifest-defined Deep Agents state, use rebuild instead of destroying and recreating.

$nemo-deepagents <sandbox-name> rebuild

The rebuild command preserves manifest-defined Deep Agents state, regenerates config.toml, reconstructs managed MCP projection state, and reapplies registered policies while recreating the container.

If an archive command produces some usable entries, NemoClaw preserves those entries and reports the manifest-defined paths that could not be archived. If backup fails before producing any usable entry, NemoClaw stops before deleting the original sandbox unless you explicitly pass --force.

rebuild --force can continue after a total backup failure by recreating the sandbox from recorded registry metadata without restoring prior sandbox state. Use this recovery path only when losing uncommitted or otherwise unsnapshotted state is acceptable.

When rebuild starts with shields up, NemoClaw opens a 30-minute shields-down window for backup and recreation. A detached auto-lock timer remains the recovery authority until NemoClaw commits a successful shields-up state, including when the host rebuild process exits unexpectedly.

Refer to nemo-deepagents <name> rebuild for flag details.

Use the Canonical Configuration Workflows