docs: fix QA-reported command drift

[miyoungc]

Summary

Fixes QA-reported documentation drift in the remote GPU deployment, sub-agent setup, command reference, and troubleshooting pages. The updates replace deprecated or removed command paths with the current installer, Docker-driver, and NemoClaw-managed recovery flows.

Related Issue

Fixes #5084
Fixes #3720
Fixes #3685
Fixes #3686

Changes

• Reworked the remote GPU deployment page to lead with the preferred installer plus nemoclaw onboard flow and scope nemoclaw deploy as legacy Brev compatibility.
• Replaced stale kubectl exec sub-agent setup examples with Docker-driver sandbox container commands and current config ownership guidance.
• Removed invalid openshell gateway start, openshell gateway trust, and config web-search references from troubleshooting and command references.
• Added config get and shields command reference coverage for NemoClaw and NemoHermes, and removed stale docs-skip entries that blocked those shipped commands.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

Notes:

• npm run docs passed with 0 errors and one pre-existing Fern contrast warning: light-mode accent color contrast ratio is 2.41:1 and should be at least 3:1.
• npx prek run --all-files was attempted. Formatting, lint, secrets, markdownlint, docs-to-skills, and staged-file commit hooks passed, but the full all-files run failed in unrelated CLI test timeouts and one signal assertion outside this docs change.

---

Signed-off-by: Miyoung Choi miyoungc@nvidia.com

Summary by CodeRabbit

• Documentation
  • Updated remote GPU deployment guide with current installer and onboarding workflows
  • Added documentation for advanced sandbox maintenance commands (config get, shields controls)
  • Revised sub-agent setup instructions for Docker-based sandbox configuration
  • Improved troubleshooting guidance for gateway connectivity and sandbox creation issues
  • Updated documentation skip list to reflect current feature coverage

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation updates across deployment, inference, and reference sections to fix CLI drift and add missing command documentation. Changes include restructuring remote GPU deployment docs to emphasize the preferred installer flow, migrating sub-agent setup from Kubernetes to Docker commands, adding missing shields and config command sections to reference docs, and updating troubleshooting recovery flows to use current OpenShell CLI capabilities instead of non-existent gateway subcommands.

Changes

CLI Documentation Alignment and Command Reference

Layer / File(s)	Summary
Documentation skip list updates docs/.docs-skip	Shield and config feature exclusions are removed from the skip list, allowing shields and config command documentation to be included in generated docs while keeping config-show excluded.
Remote GPU deployment: preferred installer flow emphasis docs/deployment/deploy-to-remote-gpu.mdx	Restructured to lead with concrete examples of the preferred "provision VM → installer → nemoclaw onboard" workflow, with environment setup and expected output. Deprecated nemoclaw deploy wrapper moved to condensed legacy compatibility section. Updated post-onboarding commands (nemoclaw <name> connect), monitoring examples, and dashboard access guidance to align with the preferred flow.
Sub-agent setup: kubectl to Docker command migration docs/inference/set-up-sub-agent.mdx	Replaced Kubernetes kubectl commands with Docker host-side workflows for sandbox config updates. Updated config-hash description, sandbox config discovery and modification using docker exec with sandbox labels, and ownership fixes to reflect Docker-driver sandbox architecture and k3s removal.
Hermes command reference: shields/config sections and Brave Search removal docs/reference/commands-nemohermes.mdx	Added "Advanced Sandbox Maintenance Commands" section documenting nemohermes config get and nemohermes shields subcommands with full flag/subcommand tables. Removed Brave Search non-interactive setup instructions and replaced with Hermes-specific managed tool gateway guidance. Updated nemohermes status recovery guidance to recommend onboard --resume instead of non-existent openshell gateway start.
Core commands reference: shields/config sections and OpenClaw boundaries docs/reference/commands.mdx	Added "Advanced Sandbox Maintenance Commands" section documenting nemoclaw config get and nemoclaw shields subcommands with comprehensive flag and subcommand tables. Introduced OpenClaw-only variant wrapper for Brave Search setup, expanded non-interactive recovery instructions with policy preset application, and added Hermes variant notes. Updated nemoclaw status recovery guidance to recommend onboard --resume instead of non-existent openshell gateway start.
Troubleshooting: gateway recovery flow updates docs/reference/troubleshooting.mdx	Updated three recovery flows (connect gateway down, reconnect after reboot, TLS/certificate mismatch) to remove references to non-existent openshell gateway subcommands (start, trust, destroy). Replaced with nemoclaw onboard --resume for managed gateway recreation and openshell gateway remove for stale registration cleanup, aligned with current OpenShell 0.0.39 CLI capabilities.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

area: skills

Suggested reviewers

• cv
• prekshivyas
• jyaunches

Poem

🐰 In docs we fixed the broken paths,
Removed the deprecated wrath,
Shields and configs now take flight,
Docker replaces kubectl's might,
Recovery flows shine clear and bright! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs: fix QA-reported command drift' clearly and concisely identifies the main change—correcting documentation inconsistencies with the actual CLI commands based on QA findings.
Linked Issues check	✅ Passed	All four linked issues are fully addressed: #5084 (deploy-to-remote-gpu.mdx reworked to present preferred installer+onboard flow with nemoclaw deploy marked as legacy), #3720 (sub-agent setup commands updated from kubectl to Docker-driver commands), #3685 (obsolete openshell gateway subcommands removed from troubleshooting), #3686 (shields and config get commands added to reference docs).
Out of Scope Changes check	✅ Passed	All changes are scoped to documentation corrections for command drift: deploy-to-remote-gpu.mdx, set-up-sub-agent.mdx, commands-nemohermes.mdx, commands.mdx, troubleshooting.mdx, and .docs-skip file updates to remove stale entries. No unrelated code changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/qa-issues

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-5247.docs.buildwithfern.com/nemoclaw

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. This PR is documentation-only. It updates MDX docs and the docs-generation skip list, with no runtime source, installer scripts, blueprint/network-policy assets, workflow logic, or E2E test harness changes. Existing E2E jobs would not provide additional signal for merge blocking.

Optional E2E

• None.

New E2E recommendations

• None.

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: None
Optional Vitest E2E scenarios: None

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• None. Docs-only changes do not affect the Vitest-backed E2E scenario registry, runtime support, fixtures, live tests, manifests, expected-state metadata, or e2e-vitest-scenarios.yaml workflow behavior.

Optional Vitest E2E scenarios

• None.

Relevant changed files

• None.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

docs/deployment/deploy-to-remote-gpu.mdx (2)

28-28: ⚡ Quick win

Use active voice.

The phrase "created by the Brev CLI" is passive. Rewrite to active voice:

Suggestion: "For Brev, the Brev CLI creates <instance-name> as both the instance name and SSH alias."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/deployment/deploy-to-remote-gpu.mdx` at line 28, Rewrite the passive
phrase "created by the Brev CLI" to active voice so the sentence reads like an
instruction; replace the line containing "<instance-name>" so it says: "For
Brev, the Brev CLI creates `<instance-name>` as both the instance name and SSH
alias." Use the terms "<instance-name>" and "Brev CLI" to locate and update the
sentence.

Source: Coding guidelines

---

46-46: ⚡ Quick win

Use present tense.

"you will open" uses future tense. Use present tense when describing current behavior:

Suggestion: "For example, set the browser origin if you open the dashboard through a Brev public URL, and raise the first-run readiness budget on cold cloud hosts:"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/deployment/deploy-to-remote-gpu.mdx` at line 46, Update the sentence in
deploy-to-remote-gpu.mdx that currently reads "For example, set the browser
origin if you will open the dashboard through a Brev public URL, and raise the
first-run readiness budget on cold cloud hosts:" to present tense; replace "if
you will open" with "if you open" so the line reads "For example, set the
browser origin if you open the dashboard through a Brev public URL, and raise
the first-run readiness budget on cold cloud hosts:" ensuring the example
sentence uses present tense.

Source: Coding guidelines

docs/inference/set-up-sub-agent.mdx (1)

27-27: ⚡ Quick win

Split sentences onto separate lines.

This table cell contains two sentences on the same line. Per the style guide, use one sentence per line for diff readability.

Suggested rewrite

-| `/sandbox/.openclaw/.config-hash` | Hash for `openclaw.json`. Keep it in sync after manual config edits so OpenClaw can detect the updated config. |
+| `/sandbox/.openclaw/.config-hash` | Hash for `openclaw.json`.<br />Keep it in sync after manual config edits so OpenClaw can detect the updated config. |

Note: Markdown tables require <br /> to add line breaks within cells while maintaining the one-sentence-per-line principle in the source.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/inference/set-up-sub-agent.mdx` at line 27, The table cell for the
`/sandbox/.openclaw/.config-hash` entry contains two sentences on one line;
split them into separate lines in the Markdown source (one sentence per line)
and add an explicit HTML line break (<br />) between them so the rendered table
still shows both sentences on separate lines; keep the text referencing
`openclaw.json` and the guidance about syncing after manual edits unchanged.

Source: Coding guidelines

docs/reference/commands.mdx (1)

255-255: ⚡ Quick win

Use API key (not API-key) for terminology consistency.

Line 255 uses API-key mode; change this to API key mode.

As per coding guidelines, the correct form is API key and incorrect forms should be flagged.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/commands.mdx` at line 255, Replace the incorrect term "API-key
mode" with the standardized "API key mode" in the documentation; locate the
sentence containing "API-key mode is inference-only and does not enable managed
tool gateways." and update it to use "API key mode" to match terminology
consistency.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reference/commands.mdx`:
- Line 1627: The docs currently recommend only `$$nemoclaw onboard --resume` but
`--resume` only works when an interrupted resumable onboarding session exists;
update the text to recommend the generic recovery command `$$nemoclaw onboard`
as the default recovery path and mention `--resume` as a conditional option that
should only be used when an interrupted session exists (reflecting the behavior
implemented in onboard.ts which only continues an interrupted onboarding
session).

---

Nitpick comments:
In `@docs/deployment/deploy-to-remote-gpu.mdx`:
- Line 28: Rewrite the passive phrase "created by the Brev CLI" to active voice
so the sentence reads like an instruction; replace the line containing
"<instance-name>" so it says: "For Brev, the Brev CLI creates `<instance-name>`
as both the instance name and SSH alias." Use the terms "<instance-name>" and
"Brev CLI" to locate and update the sentence.
- Line 46: Update the sentence in deploy-to-remote-gpu.mdx that currently reads
"For example, set the browser origin if you will open the dashboard through a
Brev public URL, and raise the first-run readiness budget on cold cloud hosts:"
to present tense; replace "if you will open" with "if you open" so the line
reads "For example, set the browser origin if you open the dashboard through a
Brev public URL, and raise the first-run readiness budget on cold cloud hosts:"
ensuring the example sentence uses present tense.

In `@docs/inference/set-up-sub-agent.mdx`:
- Line 27: The table cell for the `/sandbox/.openclaw/.config-hash` entry
contains two sentences on one line; split them into separate lines in the
Markdown source (one sentence per line) and add an explicit HTML line break (<br
/>) between them so the rendered table still shows both sentences on separate
lines; keep the text referencing `openclaw.json` and the guidance about syncing
after manual edits unchanged.

In `@docs/reference/commands.mdx`:
- Line 255: Replace the incorrect term "API-key mode" with the standardized "API
key mode" in the documentation; locate the sentence containing "API-key mode is
inference-only and does not enable managed tool gateways." and update it to use
"API key mode" to match terminology consistency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7cd201b5-8e63-44bd-b45a-02dda4882321

📥 Commits

Reviewing files that changed from the base of the PR and between c160879 and 841ae78.

📒 Files selected for processing (6)

• docs/.docs-skip
• docs/deployment/deploy-to-remote-gpu.mdx
• docs/inference/set-up-sub-agent.mdx
• docs/reference/commands-nemohermes.mdx
• docs/reference/commands.mdx
• docs/reference/troubleshooting.mdx

💤 Files with no reviewable changes (1)

• docs/.docs-skip

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

--resume is too narrow for generic gateway recovery guidance.

Line 1627 suggests $$nemoclaw onboard --resume, but --resume only works when an interrupted resumable onboarding session exists; otherwise it exits with “No resumable onboarding session was found.”
Please include the non-resume path ($$nemoclaw onboard) as the default recovery instruction and keep --resume as conditional.

Suggested doc tweak

-It then suggests `$$nemoclaw onboard --resume` or equivalent managed-gateway recovery guidance.
+It suggests rerunning `$$nemoclaw onboard` to recover managed gateway state.
+If onboarding was interrupted and a resumable session exists, use `$$nemoclaw onboard --resume`.

Based on learnings from src/lib/onboard.ts (--resume continues only interrupted onboarding sessions).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	It then suggests `$$nemoclaw onboard --resume` or equivalent managed-gateway recovery guidance.
	It suggests rerunning `$$nemoclaw onboard` to recover managed gateway state.
	If onboarding was interrupted and a resumable session exists, use `$$nemoclaw onboard --resume`.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/commands.mdx` at line 1627, The docs currently recommend only
`$$nemoclaw onboard --resume` but `--resume` only works when an interrupted
resumable onboarding session exists; update the text to recommend the generic
recovery command `$$nemoclaw onboard` as the default recovery path and mention
`--resume` as a conditional option that should only be used when an interrupted
session exists (reflecting the behavior implemented in onboard.ts which only
continues an interrupted onboarding session).

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 5 worth checking, 0 nice ideas
Top item: Clarify config-hash hardening after manual sub-agent edits

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Source-of-truth review needed: Manual sub-agent config edit flow: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: The MDX page changes to direct `docker exec --user root`, but generated skill references still contain kubectl commands and the MDX no longer clearly states the root-owned trust-anchor enforcement condition.
• Source-of-truth review needed: Generated skill reference mirrors: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: `skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md` and `.agents/skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md` still show the old cluster/kubectl commands.
• Manual config-hash guidance no longer states the trust-anchor boundary (docs/inference/set-up-sub-agent.mdx:27): The updated sub-agent page says to keep `.config-hash` in sync so OpenClaw can detect the updated config, and the example later recomputes the hash, `chown`s both files to `sandbox:sandbox`, then `chmod 444`s them. Nearby source-of-truth code and security docs say OpenClaw only enforces this hash as a startup trust anchor when the hash is root-owned and non-writable; a sandbox-owned `444` file is not tamper-proof because the owner can chmod it back.
  • Recommendation: Make the page explicit that the shown manual edit leaves the config in a mutable/non-enforced posture, and tell users to run the reviewed runtime control such as `shields up` when they need startup-enforced integrity. Avoid implying `.config-hash` detects tampering unless it is root-owned and non-writable.
  • Evidence: `scripts/lib/sandbox-init.sh` enforces `verify_config_integrity_if_locked()` only when `.config-hash` uid is 0 and has no write bits; `docs/security/best-practices.mdx` says the same. The PR changes `docs/inference/set-up-sub-agent.mdx` to remove the explicit root-owned/read-only caveat while the example uses `chown sandbox:sandbox ...` followed by `chmod 444`.
• Advanced shields docs should warn that `shields down` lowers protections (docs/reference/commands.mdx:543): The PR intentionally documents hidden advanced maintenance commands, including `shields down --policy permissive`. That command can temporarily unlock sandbox config and apply a permissive policy. The example includes a timeout and reason, but the section does not explicitly warn that this lowers sandbox protections and should be time-bound/audited.
  • Recommendation: Add a short caution in both NemoClaw and NemoHermes command-reference sections explaining that `shields down` lowers the sandbox security posture, should use the shortest practical `--timeout`, should include an audit `--reason`, and should be followed by `shields up` or automatic restoration.
  • Evidence: `src/commands/sandbox/shields/down.ts` defaults `policy` to `permissive`, and the new docs advertise `shields down --timeout 5m --reason "maintenance"` without an inline risk note.
• Generated skill references still contain the old kubectl sub-agent flow (skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md:51): The MDX page with `skill:` metadata was updated to remove `openshell-cluster-nemoclaw` and `kubectl exec`, but the generated skill reference still tells assistants to use the old cluster container and kubectl commands. That means the docs site and assistant skill can now disagree, and users may still receive the exact broken commands that [All Platforms][Docs] inference/set-up-sub-agent still uses kubectl command in docker exec #3720 asks this PR to replace.
  • Recommendation: Regenerate or manually update the affected skill mirrors under `skills/` and `.agents/skills/` so they use the same Docker-driver direct-container commands and the same hardening caveats as `docs/inference/set-up-sub-agent.mdx`.
  • Evidence: `skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md` and `.agents/skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md` still show `export DOCKER_CTR=openshell-cluster-nemoclaw` and `docker exec "$DOCKER_CTR" kubectl exec ...`, while the PR changed only the MDX source.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Acceptance clause:** [All Platforms][Docs] inference/set-up-sub-agent still uses kubectl command in docker exec #3720: "In docs/inference/set-up-sub-agent.md, the docker exec commands running kubectl should be updated due to k3s removal." — add test evidence or identify existing coverage. `docs/inference/set-up-sub-agent.mdx` replaces the kubectl commands with Docker-driver direct `docker exec --user root "$SANDBOX_CTR" ...` examples, but generated skill mirrors still contain the old `openshell-cluster-nemoclaw` + `kubectl exec` flow.
• **Acceptance clause:** [All Platforms][Docs] inference/set-up-sub-agent still uses kubectl command in docker exec #3720: "Please also check if chmod 644 or 444 or root-owned wording still makes sense when the owner of /sandbox/.openclaw becomes the sandbox:sandbox." — add test evidence or identify existing coverage. The PR changed the wording and ownership commands, but the resulting page does not clearly distinguish sandbox-owned `444` from root-owned trust-anchor enforcement. This is covered by the config-hash finding.
• **Manual sub-agent config edit flow** — Docs-to-skills sync should prove generated assistant references no longer contain `openshell-cluster-nemoclaw` or `kubectl exec`, and docs grep should ensure hardening language mentions the root-owned/non-writable trust-anchor or `shields up` follow-up.. The MDX page changes to direct `docker exec --user root`, but generated skill references still contain kubectl commands and the MDX no longer clearly states the root-owned trust-anchor enforcement condition.
• **Generated skill reference mirrors** — Run the docs-to-skills sync/check for the touched skill-backed pages and verify no generated reference contains `kubectl exec` for the sub-agent setup flow.. `skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md` and `.agents/skills/nemoclaw-user-configure-inference/references/set-up-sub-agent.md` still show the old cluster/kubectl commands.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.