v0.0.52

NemoClaw v0.0.52 upgrades the bundled OpenClaw runtime, repairs Hermes sandbox startup, restores onboarding ready output, and hardens Slack onboarding, Windows bootstrap, and private-network handling:

  • Bundles OpenClaw 2026.5.22 as the NemoClaw runtime target through OPENCLAW_VERSION in the NemoClaw Dockerfiles. The runtime upgrade addresses Telegram, Discord, and Slack channel registration issues seen on the 2026.5.18 runtime. nemoclaw-blueprint/blueprint.yaml keeps min_openclaw_version as a compatibility floor for direct blueprint consumers, so the blueprint floor can be lower than the Dockerfile target. Run nemoclaw <name> rebuild to pick up the new OpenClaw runtime in existing sandboxes.
  • Hermes sandbox startup is more reliable on the v0.14 root entrypoint. NemoClaw precreates hooks, image_cache, audio_cache, and logs/curator under HERMES_HOME, makes /sandbox/.hermes sticky group-writable so the gateway user can create runtime state without removing sandbox-owned config files, stops precreating /sandbox/.hermes/gateway.pid as a symlink that Hermes v0.14 treats as a PID race, and clears legacy PID and lock state before launch.
  • nemoclaw onboard ready output points users at nemoclaw <name> dashboard-url --quiet again, restoring the dashboard guidance that regressed during an earlier onboarding refactor.
  • Slack onboarding validates preconfigured Slack tokens before treating Slack as configured. Invalid SLACK_BOT_TOKEN values from the environment or stored credentials no longer cause onboarding to skip the Slack prompt, so the wizard re-prompts for a valid xoxb-... token instead of silently advancing with a token Slack cannot use.
  • The Windows bootstrap script defers first-run Ubuntu account setup to a separate WSL handoff window again, which keeps PowerShell prompt alignment intact during install. The default distro is Ubuntu-24.04, and bootstrap-windows.ps1 -DistroName Ubuntu reuses an existing Ubuntu distribution.
  • The blueprint private-network blocklist reloads when private-networks.yaml changes on disk, so long-running NemoClaw processes validate SSRF and private-network rules against the current file instead of stale cached data.

v0.0.51

NemoClaw v0.0.51 improves messaging controls, local inference setup, sandbox diagnostics, policy validation, and onboarding recovery:

  • Slack setup now supports channel allowlisting. During onboarding, channels add slack, and non-interactive rebuilds, set SLACK_ALLOWED_CHANNELS to restrict channel @mention handling to selected Slack channel IDs. Combine it with SLACK_ALLOWED_USERS when you want both channel and member checks.
  • Local Ollama setup now detects host installations that are below the minimum supported version and offers an explicit upgrade path. On macOS, NemoClaw uses Homebrew. On Linux, NemoClaw uses the system installer for upgrades and refuses non-interactive upgrade paths that would require a hidden sudo prompt.
  • Non-interactive Linux Ollama setup can use a sudo-free user-local install path when passwordless sudo is unavailable. The docs now describe NEMOCLAW_OLLAMA_INSTALL_MODE, the user-local install trade-offs, and the manual zstd requirement.
  • Managed Ollama model selection now uses a memory-aware registry for starter models. If a known bootstrap model does not fit currently available GPU memory, NemoClaw warns and falls back to the largest known model that does fit instead of starting a model that is likely to fail.
  • nemoclaw onboard restores the managed vLLM menu entry for DGX Spark and DGX Station hosts, which had been hidden after a previous onboard refactor dropped the gpu.platform value the vLLM menu builder relies on.
  • nemoclaw resources and NEMOCLAW_RESOURCE_PROFILE expose sandbox CPU and memory profiles. Profiles can be selected during onboarding, and NEMOCLAW_CPU or NEMOCLAW_RAM can override the selected profile for scripted runs.
  • Cloudflare named tunnels are supported through CLOUDFLARE_TUNNEL_TOKEN. nemoclaw tunnel start passes the token through the environment and expects the named tunnel route to already point at the dashboard port.
  • Jira policy validation guidance now matches the maintained preset. Use a Node HTTPS status probe for Atlassian API access and the body-visible api.atlassian.com/oauth/token/accessible-resources curl probe when validating approved requests manually. Plain curl -s against auth.atlassian.com can return empty output even when reachable, so it is not a pass/fail signal.
  • Sandbox logs merge OpenClaw gateway output and OpenShell audit events into one stream, and --tail applies once to the merged result so policy denials appear beside gateway logs.
  • Onboarding recovers more cleanly across host and runtime edge cases, including root-owned config sync directories, stale dashboard port allocation, unreachable Docker daemons, stale dashboard forwards, default NVIDIA CDI spec directories, and Linux Docker-driver health checks.