fix(cli): add reconfiguration guidance to help and post-onboard output

[latenighthackathon]

Summary

New users hit openclaw configure inside the sandbox and get a read-only error with no guidance on what to do instead. This adds clear reconfiguration instructions in two places.

Problem

openclaw.json is read-only inside the sandbox (Landlock enforced) by design. When users try openclaw configure, they see:

Error: 'openclaw configure' cannot modify config inside the sandbox.
The sandbox config is read-only (Landlock enforced) for security.

No NemoClaw documentation or CLI output explains the three available reconfiguration paths. Users are left guessing.

Changes

1. nemoclaw --help: Added a "Reconfiguration (after onboard)" section listing the three paths:

   • Runtime model switch: openshell inference set
   • Policy presets: nemoclaw <name> policy-add
   • Credential/image changes: nemoclaw credentials reset <KEY> then nemoclaw onboard

2. Post-onboard dashboard: Added a "To change settings later" block at the end of the completion output so users see the reconfiguration paths immediately after their first onboard.

Test plan

• npm run build:cli passes
• npm run typecheck:cli passes
• npm run lint passes
• All 6 messaging onboard tests pass
• All 44 CLI tests pass

Closes #1699

Signed-off-by: latenighthackathon latenighthackathon@users.noreply.github.com

Summary by CodeRabbit

• Documentation
  • Added a "To change settings later" section to onboarding output with copy‑paste reconfiguration commands for model routing, sandbox policies, and credential reset.
  • Extended CLI help with a "Reconfiguration (after onboard)" section describing how to change inference models/providers, apply network/policy updates to running sandboxes, and when re‑onboarding is needed.
  • Confirmed runtime behavior and public APIs remain unchanged.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Added post-onboard reconfiguration guidance to two CLI outputs (dashboard and help): copy-paste commands for changing model routing, adding sandbox policies, and resetting credentials then re-onboarding. No functional, API, or control-flow changes.

Changes

Cohort / File(s)	Summary
Onboard dashboard text src/lib/onboard.ts	Appended a "To change settings later:" section to the dashboard output with three copy-paste reconfiguration command hints: change model routing via openshell inference set ..., apply policies via nemoclaw <name> policy-add, and reset credentials then run nemoclaw onboard. Text-only; no logic/API changes.
CLI help text src/nemoclaw.ts	Expanded help() output with a "Reconfiguration (after onboard)" section documenting the same runtime guidance and clarifying that openclaw.json is read-only inside the sandbox (Landlock) and that OpenClaw config changes require re-onboarding. Text-only change.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I nudged the README, left commands to paste,

Change the model, add policy, reset with haste,
Re-onboard once, and your settings will stick —
A hop, a tweak, then back to the trick! 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: adding reconfiguration guidance to both help output and post-onboard output, which aligns with the PR's primary objective.
Linked Issues check	✅ Passed	The PR implements documentation-based solutions (#1699 requirements) by providing clear reconfiguration paths in help and post-onboard output, effectively surfacing existing mechanisms.
Out of Scope Changes check	✅ Passed	All changes are focused on adding documentation and UI guidance for reconfiguration; no unrelated code changes or scope creep detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

src/nemoclaw.ts (1)

1384-1384: Verb choice: "Change" would be more accurate than "Add".

The documented workflow (nemoclaw credentials reset <KEY> then nemoclaw onboard) is for changing existing credentials (reset removes them, re-onboard re-prompts), not adding new ones. The verb "Add" is misleading here.

Suggested wording fix

-    ${D}Add credentials, messaging channels, or sandbox image settings:${R}
+    ${D}Change credentials, messaging channels, or sandbox image settings:${R}
      nemoclaw credentials reset <KEY>   ${D}then${R}   nemoclaw onboard

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/nemoclaw.ts` at line 1384, The message text currently uses the verb "Add"
but should say "Change" to accurately describe the workflow; locate the
template/string in src/nemoclaw.ts that contains "${D}Change credentials,
messaging channels, or sandbox image settings:${R}" (or the version currently
using "Add") and replace "Add" with "Change" so the CLI help/readme reflects the
correct action for the "nemoclaw credentials reset <KEY> then nemoclaw onboard"
flow.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/nemoclaw.ts`:
- Line 1384: The message text currently uses the verb "Add" but should say
"Change" to accurately describe the workflow; locate the template/string in
src/nemoclaw.ts that contains "${D}Change credentials, messaging channels, or
sandbox image settings:${R}" (or the version currently using "Add") and replace
"Add" with "Change" so the CLI help/readme reflects the correct action for the
"nemoclaw credentials reset <KEY> then nemoclaw onboard" flow.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c3d220d6-c05f-4fe5-861e-9f8a5ac35969

📥 Commits

Reviewing files that changed from the base of the PR and between 9f549db and 765fbda.

📒 Files selected for processing (2)

• src/lib/onboard.ts
• src/nemoclaw.ts

[wscurran]

✨ Thanks for submitting this PR, which proposes a fix for a documentation issue and may improve the overall user experience — the added guidance and explanations are clear and easy to follow.

---

Possibly related open issues:

• #1699 Provide a path to edit openclaw.json after setup, or a simple way to fully specify it during onboarding

[wscurran]

Thanks for contributing — adding reconfiguration guidance to the help output and post-onboard messaging fills a real discoverability gap for users who need to change their setup after initial onboard. The codebase has changed significantly since this was opened, including a TypeScript migration (#1673). Could you rebase onto the current main?

[latenighthackathon]

@wscurran Thanks for picking this up — you're right, the branch had gotten stale. Rebased onto latest origin/main — single clean commit (5046888d) against the current TypeScript-migrated src/nemoclaw.ts and src/lib/onboard.ts, docstrings preserved, signed-off. Cheers!

[prekshivyas]

Good UX improvement — fills a real gap for users hitting read-only sandbox config. @latenighthackathon can you rebase onto main?

[latenighthackathon]

@prekshivyas Rebased onto latest origin/main — single clean commit (ea584eeb), signed.

Cheers!

[prekshivyas]

@latenighthackathon please give access to update branch and this should be good to go

[latenighthackathon]

@prekshivyas — maintainer_can_modify has been on since 2026-04-18, but GitHub's Update Branch likely hit the rebaseable: false edge because the branch had drifted. Rebased locally onto current main — single signed commit b3fcdcd8, same diff. Cheers!