[macOS][Security] nemoclaw shields up/down fails with "No such container: openshell-cluster-nemoclaw" on Docker Desktop VM driver #4245

@mercl-lau

Description

The nemoclaw <sandbox> shields up and shields down commands fail on macOS Docker Desktop with "No such container: openshell-cluster-nemoclaw". The shields implementation uses docker exec openshell-cluster-nemoclaw kubectl exec to run chmod/chown operations inside the sandbox, but macOS Docker Desktop uses the VM driver (OpenShell 0.0.44 vm) which has no k3s cluster container. Both openclaw and hermes sandboxes are affected — shields cannot be enabled or toggled on macOS, leaving the entire shields feature non-functional on this platform.

Environment

Device:        MacBook Pro (Apple Silicon M4 Pro)
OS:            macOS 26.0.1 (Darwin, arm64)
Architecture:  arm64
Node.js:       v22.22.1
npm:           10.9.4
Docker:        29.2.1 (Docker Desktop)
OpenShell CLI: 0.0.44 (vm)
NemoClaw:      v0.0.50

Steps to Reproduce

  1. On macOS with Docker Desktop, onboard two sandboxes:
    • nemoclaw onboard (creates my-assistant, agent=openclaw)
    • nemohermes onboard --name hermes-shield (creates hermes sandbox)
  2. Verify both sandboxes are running: nemoclaw list
  3. Run: nemoclaw my-assistant shields up
  4. Run: nemohermes hermes-shield shields up

Expected Result

Both shields up commands succeed. Shields status shows "UP" with config locked.

Actual Result

Locking openclaw config (/sandbox/.openclaw/openclaw.json)...
Some lock operations failed: chmod 444 /sandbox/.openclaw/openclaw.json, ...
ERROR: Config not locked: ... Command failed:
  docker exec openshell-cluster-nemoclaw kubectl exec -n openshell
  my-assistant -c agent -- stat -c %a %U:%G /sandbox/.openclaw/openclaw.json
  Error response from daemon: No such container: openshell-cluster-nemoclaw
Config remains unlocked — manual intervention required.

Shields status remains "NOT CONFIGURED (default mutable state)" and cannot be changed.


NVB#6223120
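
The output above mixes two conditions: the lock check never reached the sandbox, and the file mode was therefore never verified. The following is an added example, not NemoClaw's code and not part of the original issue: it classifies a lock-check result and treats anything other than a verified 444 mode as shields down. The function names and the owner values in the sample `stat` outputs are assumptions.

```shell
#!/bin/sh
# Constructed samples. The first is the daemon error quoted in the report;
# the other two are assumed `stat -c '%a %U:%G'` outputs (owners are made up).
SAMPLE_MISSING='Error response from daemon: No such container: openshell-cluster-nemoclaw'
SAMPLE_LOCKED='444 root:root'
SAMPLE_MUTABLE='644 sandbox:sandbox'

# classify_lock_check <exit_code> <output>
# Prints: locked | unlocked | transport-missing | unknown
classify_lock_check() {
  clc_rc=$1
  clc_out=$2
  if [ "$clc_rc" -ne 0 ]; then
    # The check never reached the sandbox, so the file mode is unverified.
    case $clc_out in
      *"No such container:"*) echo transport-missing ;;
      *) echo unknown ;;
    esac
    return 0
  fi
  clc_mode=${clc_out%% *}   # first field of "%a %U:%G" is the octal mode
  case $clc_mode in
    444) echo locked ;;     # the mode the report's chmod 444 aims for
    [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) echo unlocked ;;
    *) echo unknown ;;
  esac
}

# Fail closed: only a verified 444 counts as shields UP.
shields_effective() {
  [ "$(classify_lock_check "$1" "$2")" = locked ]
}

# Live check using the command line from the report (hypothetical wrapper,
# not called here because it needs Docker and a running sandbox).
check_live() {
  clv_out=$(docker exec openshell-cluster-nemoclaw kubectl exec -n openshell \
    "$1" -c agent -- stat -c '%a %U:%G' "$2" 2>&1)
  classify_lock_check "$?" "$clv_out"
}

classify_lock_check 1 "$SAMPLE_MISSING"
classify_lock_check 0 "$SAMPLE_LOCKED"
classify_lock_check 0 "$SAMPLE_MUTABLE"
```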

Metadata

Labels

NV QA (Bugs found by the NVIDIA QA Team)
UAT (Issues flagged for User Acceptance Testing.)
area: sandbox (OpenShell sandbox lifecycle, runtime, config, or recovery)
platform: container (Affects Docker, containerd, Podman, or images)
platform: macos (Affects macOS, including Apple Silicon)
v0.0.53 (Release target)
