docs(reference): document OpenClaw build-time version pin (#2635)

[cjagwani]

Summary

Closes #2635 by documenting the existing build-time pin policy for OpenClaw inside the sandbox. The pin and detection machinery already exist — only the user-facing documentation was missing.

Related Issue

Closes #2635

What's already in main (no code change needed)

• Build-time pin: min_openclaw_version: "2026.4.24" in nemoclaw-blueprint/blueprint.yaml. The Dockerfile (Dockerfile:60-83) upgrades the cached base image to that version on rebuild.
• Version probe: src/lib/sandbox-version.ts SSHs into the sandbox, runs the agent's version command, caches the result in the registry.
• User visibility: src/lib/actions/sandbox/status.ts:107 prints Agent: OpenClaw v<version> in nemoclaw <name> status. connect and doctor emit a staleness warning pointing at nemoclaw <name> rebuild when the running version is older than the pin.

What this PR adds

A new "Checking the OpenClaw version" subsection under nemoclaw <name> status in docs/reference/commands.md that explains:

• We pin OpenClaw at build time, not auto-update at runtime.
• The minimum version source-of-truth is min_openclaw_version in blueprint.yaml.
• Existing sandboxes don't auto-upgrade — users rebuild to pick up a newer pin.
• status prints the running version on the Agent line, and surfaces an Update line when stale.
• rebuild reuses the existing sandbox name and persisted credentials.

Type of Change

• Doc only (prose changes, no code sample modifications)

Verification

• npx prek run --all-files passes (commit went through pre-commit hooks).
• markdownlint clean on docs/reference/commands.md.
• docs-to-skills dry-run clean.
• No code change; doc claims spot-checked against blueprint.yaml, Dockerfile, src/lib/sandbox-version.ts, and src/lib/actions/sandbox/status.ts.

Summary by CodeRabbit

• Documentation
  • Clarifies that sandbox builds pin the OpenClaw component version and that existing sandboxes do not auto-upgrade.
  • Describes how to view the running OpenClaw version via nemoclaw <name> status and explains the Agent and Update lines.
  • Documents using nemoclaw <name> rebuild to update the pinned version while retaining the sandbox name and credentials.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ac5127c0-be0f-40f5-8d05-2ac33f6e86c9

📥 Commits

Reviewing files that changed from the base of the PR and between e3a2938 and 3f62f04.

📒 Files selected for processing (1)

• docs/about/release-notes.md

✅ Files skipped from review due to trivial changes (1)

• docs/about/release-notes.md

---

📝 Walkthrough

Walkthrough

This PR adds documentation describing how NemoClaw pins OpenClaw at sandbox build time, how to view the running OpenClaw version in nemoclaw <name> status, when an Update prompt appears, and that nemoclaw <name> rebuild applies the updated pinned version while preserving sandbox name and persisted credentials.

Changes

OpenClaw Version Management Documentation

Layer / File(s)	Summary
Commands reference: version check and status output docs/reference/commands.md	New "Checking the OpenClaw version" subsection documents build-time pinning sourced from the NemoClaw blueprint, Agent line showing running OpenClaw version, conditions that trigger an Update line directing users to nemoclaw <name> rebuild, and that rebuild preserves sandbox name and persisted credentials.
Release notes: Component Version Policy docs/about/release-notes.md	Adds a release-notes section describing the Component Version Policy: pinning via min_openclaw_version in the blueprint, how to check the running OpenClaw version, and using nemoclaw <name> rebuild to apply updated pins; links to the command reference for details.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through docs to leave a clue,
Which OpenClaw your sandbox runs and who,
If versions lag, a friendly sign:
"Rebuild" — your name and keys align.
Rebuilt and ready, off you flew.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding documentation for the OpenClaw build-time version pin policy in the reference section.
Linked Issues check	✅ Passed	The PR implements the acceptance criteria from #2635 by documenting the build-time pin approach and providing users with methods to check OpenClaw versions.
Out of Scope Changes check	✅ Passed	All changes are documentation-only and directly address the requirements of #2635 regarding version pinning and user visibility into running OpenClaw versions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/2635-openclaw-version-policy

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ericksoa]

Reviewed current head e3a2938. The OpenClaw version-policy docs match the current implementation: blueprint.yaml and the OpenClaw manifest both pin 2026.4.24, Dockerfile upgrades stale base images during build from min_openclaw_version, and status/connect surface stale-version rebuild guidance. Docs dry-run and diff checks passed. Note: this PR is currently conflicting with main in docs/about/release-notes.md after the newer release-note section landed; resolve by keeping both sections before merge.