docs: clarify NEMOCLAW_DISABLE_DEVICE_AUTH behavior

[brandonpelfrey]

Summary

Document NEMOCLAW_DISABLE_DEVICE_AUTH more clearly across the user docs so operators understand that it is a build-time-only setting and why changing it after onboarding does not affect an existing sandbox.
This closes the documentation gap called out in issue #1443.

Related Issue

Fixes #1443

Changes

• add a Quickstart note that onboarding bakes NEMOCLAW_DISABLE_DEVICE_AUTH=1 into the sandbox image for immediate dashboard access
• document in the architecture reference that NEMOCLAW_DISABLE_DEVICE_AUTH is build-time only
• add troubleshooting guidance explaining why exporting the variable later does not change an existing sandbox
• add a remote deployment warning about the security implications of disabling device auth on internet-reachable or shared-network hosts

Type of Change

• Code change for a new feature, bug fix, or refactor.
• Code change with doc updates.
• Doc only. Prose changes without code sample modifications.
• Doc only. Includes code sample changes.

Testing

• npx prek run --all-files passes (or equivalently make check).
• npm test passes.
• make docs builds without warnings. (for doc-only changes)

Checklist

General

• I have read and followed the contributing guide.
• I have read and followed the style guide. (for doc-only changes)

Code Changes

• Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
• Tests added or updated for new or changed behavior.
• No secrets, API keys, or credentials committed.
• Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

• Follows the style guide. Try running the update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/update-docs catch up the docs for the new changes I made in this PR."
• New pages include SPDX license header and frontmatter, if creating a new page.
• Cross-references and links verified.

---

Signed-off-by: Brandon Pelfrey bpelfrey@nvidia.com

Summary by CodeRabbit

• Documentation
  • Clarified that configuration settings are applied at sandbox image build time and cannot be modified for existing sandboxes
  • Added security warnings for remote and shared-network deployments
  • Enhanced troubleshooting and quickstart guides with rebuild instructions and configuration timing details

[coderabbitai]

📝 Walkthrough

Walkthrough

Four documentation files were updated to clarify that NEMOCLAW_DISABLE_DEVICE_AUTH is a build-time configuration variable that disables device authentication in sandbox images. The updates explain its security implications, build-time evaluation, and that runtime modifications do not affect already-created sandboxes.

Changes

Cohort / File(s)	Summary
Documentation Updates docs/deployment/deploy-to-remote-gpu.md, docs/get-started/quickstart.md, docs/reference/architecture.md, docs/reference/troubleshooting.md	Added documentation clarifying that NEMOCLAW_DISABLE_DEVICE_AUTH is a build-time-only setting baked into sandbox images. Explains security implications, that runtime exports do not affect already-created sandboxes, and directs users to documentation for best practices and remediation steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A warning hops through documentation grand,
Build-time secrets baked into the sand,
Device auth disabled? A security trade—
Read the docs well, and no mistakes are made! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: documenting and clarifying NEMOCLAW_DISABLE_DEVICE_AUTH behavior across multiple documentation files.
Linked Issues check	✅ Passed	The PR addresses all core coding/documentation objectives from issue #1443: documents the NEMOCLAW_DISABLE_DEVICE_AUTH variable, explains what it does, why it is disabled in Docker, provides security guidance for network-accessible deployments, and clarifies that it is a build-time setting.
Out of Scope Changes check	✅ Passed	All changes are documentation-only updates directly addressing issue #1443 objectives. No extraneous code modifications or out-of-scope alterations detected across the four documentation files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/fix-1443-disable-device-auth-docs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (5)

docs/deployment/deploy-to-remote-gpu.md (2)

120-120: Use active voice.

The phrase "is evaluated" is passive. Rewrite to clarify the actor.

Suggested revision:

-`NEMOCLAW_DISABLE_DEVICE_AUTH` is also evaluated at image build time.
+NemoClaw reads `NEMOCLAW_DISABLE_DEVICE_AUTH` during image build.

As per coding guidelines: "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/deployment/deploy-to-remote-gpu.md` at line 120, Change the passive
phrase about NEMOCLAW_DISABLE_DEVICE_AUTH to active voice; for example, rewrite
the sentence to say that the build process (or the image build step) actively
evaluates the NEMOCLAW_DISABLE_DEVICE_AUTH environment variable at image build
time, so replace "is evaluated" with "the build process evaluates
NEMOCLAW_DISABLE_DEVICE_AUTH" (or similar) to satisfy active-voice guidelines.

---

121-121: Split sentences to separate lines.

Line 121 contains two sentences on the same line, which reduces diff readability.

Suggested revision:

-If you disable device auth for a remote deployment, any device that can reach the dashboard origin can connect without pairing.
+If you disable device auth for a remote deployment, any device that can reach the dashboard origin can connect without pairing.
+Avoid this on internet-reachable or shared-network deployments.

As per coding guidelines: "One sentence per line in source (makes diffs readable). Flag paragraphs where multiple sentences appear on the same line."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/deployment/deploy-to-remote-gpu.md` at line 121, The line beginning with
"If you disable device auth for a remote deployment, any device that can reach
the dashboard origin can connect without pairing." contains two sentences on one
line; split them into two separate lines so each sentence occupies its own line
(i.e., break after "...remote deployment."). Edit the same sentence text in the
docs/deployment file so diffs show one sentence per line and preserve the exact
wording and punctuation.

docs/reference/architecture.md (1)

192-192: Use active voice.

The phrase "is created" is passive. Rewrite to clarify the actor.

Suggested revision:

-| `NEMOCLAW_DISABLE_DEVICE_AUTH` | Build-time-only toggle that disables gateway device pairing when set to `1` before the sandbox image is created. |
+| `NEMOCLAW_DISABLE_DEVICE_AUTH` | Build-time-only toggle that disables gateway device pairing when set to `1` before you create the sandbox image. |

As per coding guidelines: "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/reference/architecture.md` at line 192, The sentence describing
NEMOCLAW_DISABLE_DEVICE_AUTH uses passive voice ("is created"); change it to
active voice so it names the actor—e.g., rewrite the clause to say the sandbox
image creator or build process performs the action (for example: "before you
create the sandbox image" or "before the build process creates the sandbox
image") so the entry for `NEMOCLAW_DISABLE_DEVICE_AUTH` reads in active voice.

docs/get-started/quickstart.md (2)

85-85: Use active voice.

The phrase "is immediately usable" is passive. Consider rewording to make it active.

Suggested revision:

-The onboard flow builds the sandbox image with `NEMOCLAW_DISABLE_DEVICE_AUTH=1` so the dashboard is immediately usable during setup.
+The onboard flow builds the sandbox image with `NEMOCLAW_DISABLE_DEVICE_AUTH=1` so you can immediately use the dashboard during setup.

As per coding guidelines: "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/get-started/quickstart.md` at line 85, Rewrite the passive sentence in
quickstart.md to active voice: change "The dashboard is immediately usable
during setup" to an active construction that makes the dashboard the subject
(for example, "this setting makes the dashboard immediately usable during setup"
or "the dashboard becomes immediately usable during setup") and keep the rest of
the line about NEMOCLAW_DISABLE_DEVICE_AUTH=1 unchanged.

---

85-85: Use active voice.

The phrase "is immediately usable" is passive. Consider rewording to make it active.

Suggested revision:

-The onboard flow builds the sandbox image with `NEMOCLAW_DISABLE_DEVICE_AUTH=1` so the dashboard is immediately usable during setup.
+The onboard flow builds the sandbox image with `NEMOCLAW_DISABLE_DEVICE_AUTH=1` so you can immediately use the dashboard during setup.

As per coding guidelines: "Active voice required. Flag passive constructions."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/get-started/quickstart.md` at line 85, Rewrite the sentence "The onboard
flow builds the sandbox image with `NEMOCLAW_DISABLE_DEVICE_AUTH=1` so the
dashboard is immediately usable during setup." into active voice; specifically
change the passive clause "is immediately usable" to an active construction such
as "so you can use the dashboard immediately during setup" while keeping the
rest of the sentence (the onboard flow and the env var
`NEMOCLAW_DISABLE_DEVICE_AUTH=1`) intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/deployment/deploy-to-remote-gpu.md`:
- Line 120: Change the passive phrase about NEMOCLAW_DISABLE_DEVICE_AUTH to
active voice; for example, rewrite the sentence to say that the build process
(or the image build step) actively evaluates the NEMOCLAW_DISABLE_DEVICE_AUTH
environment variable at image build time, so replace "is evaluated" with "the
build process evaluates NEMOCLAW_DISABLE_DEVICE_AUTH" (or similar) to satisfy
active-voice guidelines.
- Line 121: The line beginning with "If you disable device auth for a remote
deployment, any device that can reach the dashboard origin can connect without
pairing." contains two sentences on one line; split them into two separate lines
so each sentence occupies its own line (i.e., break after "...remote
deployment."). Edit the same sentence text in the docs/deployment file so diffs
show one sentence per line and preserve the exact wording and punctuation.

In `@docs/get-started/quickstart.md`:
- Line 85: Rewrite the passive sentence in quickstart.md to active voice: change
"The dashboard is immediately usable during setup" to an active construction
that makes the dashboard the subject (for example, "this setting makes the
dashboard immediately usable during setup" or "the dashboard becomes immediately
usable during setup") and keep the rest of the line about
NEMOCLAW_DISABLE_DEVICE_AUTH=1 unchanged.
- Line 85: Rewrite the sentence "The onboard flow builds the sandbox image with
`NEMOCLAW_DISABLE_DEVICE_AUTH=1` so the dashboard is immediately usable during
setup." into active voice; specifically change the passive clause "is
immediately usable" to an active construction such as "so you can use the
dashboard immediately during setup" while keeping the rest of the sentence (the
onboard flow and the env var `NEMOCLAW_DISABLE_DEVICE_AUTH=1`) intact.

In `@docs/reference/architecture.md`:
- Line 192: The sentence describing NEMOCLAW_DISABLE_DEVICE_AUTH uses passive
voice ("is created"); change it to active voice so it names the actor—e.g.,
rewrite the clause to say the sandbox image creator or build process performs
the action (for example: "before you create the sandbox image" or "before the
build process creates the sandbox image") so the entry for
`NEMOCLAW_DISABLE_DEVICE_AUTH` reads in active voice.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f2628ed7-590c-4d5e-b3ed-8a387303646f

📥 Commits

Reviewing files that changed from the base of the PR and between 364969d and 781e048.

📒 Files selected for processing (4)

• docs/deployment/deploy-to-remote-gpu.md
• docs/get-started/quickstart.md
• docs/reference/architecture.md
• docs/reference/troubleshooting.md