docs: refresh 0.0.54 release docs

.agents/skills/nemoclaw-contributor-update-docs/SKILL.md

@@ -132,6 +132,13 @@ When updating an existing page:
 - Do not reorganize sections unless the change requires it.
 - Update any cross-references or "Next Steps" links if relevant.
 
+**Release prep only:** When updating `docs/about/release-notes.mdx`:
+
+- For each release-note bullet that corresponds to a deeper doc page, end the bullet with `For more information, refer to [DOC PAGE](/doc/path).`
+- Link to the most specific existing page that explains the behavior, command, setup flow, or troubleshooting path.
+- Do not add a link when no deeper page exists or when the only possible target is unrelated or too broad.
+- Keep the source docs link as a normal MDX link. The docs-to-skills generator will convert it to the appropriate generated skill reference where needed.
+
 When creating a new page:
 
 - Follow the frontmatter template from existing pages in `docs/`.

.agents/skills/nemoclaw-user-configure-inference/SKILL.md

@@ -96,6 +96,10 @@ If the HTTP endpoint is not reachable yet, NemoClaw also checks for the Windows
 If the daemon does not become reachable, onboarding prints PowerShell commands you can run to inspect the Windows-side process and port state. Use one Ollama instance on port `11434` at a time.
 If both WSL and Windows-host Ollama are running, pick the intended menu entry during onboarding so NemoClaw validates and pulls models against the right daemon.
 
+Windows-host Ollama requires Docker Desktop WSL integration because the sandbox reaches the Windows daemon through Docker Desktop's WSL routing path.
+If NemoClaw detects native Docker Engine inside WSL, the provider menu labels Windows-host Ollama actions as requiring Docker Desktop integration.
+Selecting one of those actions in the unsupported native Docker topology exits early with a remediation message instead of trying to start or install Ollama on Windows.
+
 **Warning:**
 
 Ollama is convenient for local chat, but some model/template combinations can
@@ -150,13 +154,7 @@ If Ollama is already running on a non-loopback address when you start onboard,
 the wizard restarts it on `127.0.0.1:11434` so the proxy is the only network
 path to the model server.
 
-### GPU Memory Cleanup
-
-When you switch away from Ollama, stop host services, or destroy an Ollama-backed sandbox, NemoClaw asks Ollama to unload currently loaded models from GPU memory.
-The cleanup sends `keep_alive: 0` for each model reported by Ollama and runs on a best-effort basis, so shutdown continues if Ollama is already stopped.
-This does not delete downloaded model files.
-
-Load [references/use-local-inference-details.md](references/use-local-inference-details.md) for detailed steps on Non-Interactive Setup.
+Load [references/use-local-inference-details.md](references/use-local-inference-details.md) for detailed steps on GPU Memory Cleanup, Non-Interactive Setup.
 
 ## OpenAI-Compatible Server
 
@@ -275,7 +273,7 @@ Load [references/use-local-inference-details.md](references/use-local-inference-
 - **Load [references/set-up-sub-agent.md](references/set-up-sub-agent.md)** when users ask how to add a second model, configure a sub-agent model, use Omni for vision tasks, configure agents.list, or use sessions_spawn in NemoClaw. Shows the NemoClaw-specific file paths and update flow for adding an auxiliary OpenClaw sub-agent model.
 - **[references/tool-calling-reliability.md](references/tool-calling-reliability.md)** — Explains Ollama tool-call leak symptoms, when vLLM with a tool-call parser is recommended, and how to repoint NemoClaw to a parser-aware local endpoint.
 - **Load [references/inference-options.md](references/inference-options.md)** when explaining which providers are available, what the onboard wizard presents, or how inference routing works. Lists all inference providers offered during NemoClaw onboarding.
-- **Load [references/use-local-inference-details.md](references/use-local-inference-details.md)** when you need detailed steps for Non-Interactive Setup, Selecting the API Path, Anthropic-Compatible Server, and related details.
+- **Load [references/use-local-inference-details.md](references/use-local-inference-details.md)** when you need detailed steps for GPU Memory Cleanup, Non-Interactive Setup, Selecting the API Path, and related details.
 
 ## Related Skills
 

.agents/skills/nemoclaw-user-configure-inference/references/use-local-inference-details.md

@@ -2,7 +2,13 @@
 <!-- SPDX-License-Identifier: Apache-2.0 -->
 # Use a Local Inference Server: Details
 
-## Non-Interactive Setup
+## GPU Memory Cleanup
+
+When you switch away from Ollama, stop host services, or destroy an Ollama-backed sandbox, NemoClaw asks Ollama to unload currently loaded models from GPU memory.
+The cleanup sends `keep_alive: 0` for each model reported by Ollama and runs on a best-effort basis, so shutdown continues if Ollama is already stopped.
+This does not delete downloaded model files.
+
+### Non-Interactive Setup
 
 ```console
 $ NEMOCLAW_PROVIDER=ollama \

.agents/skills/nemoclaw-user-deploy-remote/references/sandbox-hardening.md

@@ -85,9 +85,13 @@ The agent's home directory (`/sandbox`) is writable by default:
 |------|--------|---------|
 | `/sandbox` | read-write | Home directory — agents can create files and use standard home paths |
 | `/sandbox/.openclaw` | read-write | Agent config, state, workspace, plugins |
-| `/sandbox/.nemoclaw` | read-write | Plugin state and config; blueprints within are DAC-protected (root-owned) |
+| `/sandbox/.nemoclaw` | read-write (Landlock); DAC-restricted | Parent directory is `root:root` mode `1755`; the sandbox user can write only to `state/`, `migration/`, `snapshots/`, `staging/`, and `config.json`. `blueprints/` and the parent itself are root-owned to prevent tampering. |
 | `/tmp` | read-write | Temporary files and logs |
 
+The `Access` column reflects the Landlock policy declaration only.
+Actual write success additionally requires POSIX (DAC) ownership and permissions to allow it.
+For example, Landlock lists `/sandbox/.nemoclaw` as writable, but the sandbox user cannot create files directly under it because the parent directory is root-owned; writes must target the sandbox-owned subdirectories listed above.
+
 This writable default is intentional.
 Seeing the sandbox user create files under `/sandbox` or `/sandbox/.openclaw` in a fresh sandbox does not mean Landlock failed.
 Landlock still enforces the fixed read-only system paths below.

.agents/skills/nemoclaw-user-get-started/SKILL.md

@@ -28,13 +28,29 @@ NemoClaw creates a fresh OpenClaw instance inside the sandbox during the onboard
 curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
 ```
 
-The piped installer prompts through your terminal. In headless scripts or CI,
-pass explicit acceptance to the `bash` side of the pipe:
+The third-party software notice runs before Node.js or the NemoClaw CLI is installed.
+The piped installer can prompt through your terminal when a TTY is available.
+In non-TTY contexts, such as CI, an SSH command with piped stdin, or a shell script, pass explicit acceptance to the `bash` side of the pipe:
 
-```console
-$ curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 bash
+```bash
+curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 bash
+```
+
+or pass the installer flag through `bash -s`:
+
+```bash
+curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash -s -- --yes-i-accept-third-party-software
 ```
 
+To run both installation and onboarding without prompts, also set non-interactive mode and the provider variables your chosen inference path requires:
+
+```bash
+curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 bash
+```
+
+Do not place `NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1` before `curl`.
+In `NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 curl ... | bash`, the variable applies only to `curl`, so the installer process cannot see the acceptance.
+
 If you use nvm or fnm to manage Node.js, the installer might not update your current shell's PATH.
 If `nemoclaw` is not found after install, run `source ~/.bashrc` (or `source ~/.zshrc` for zsh) or open a new terminal.
 
@@ -76,8 +92,9 @@ For example, if you picked an OpenAI-compatible endpoint, the summary looks like
   ──────────────────────────────────────────────────
   Provider:      compatible-endpoint
   Model:         openai/openai/gpt-5.5
-  API key:       COMPATIBLE_API_KEY (staged for OpenShell gateway registration)
+  API key:       configured for OpenShell gateway registration
   Web search:    disabled
+  Managed tools: none
   Messaging:     none
   Sandbox name:  my-gpt-claw
   Note:          Sandbox build typically takes 5–15 minutes on this host.
@@ -106,6 +123,7 @@ Review Messaging Channels (use the `nemoclaw-user-manage-sandboxes` skill) befor
 ### Choose Network Policy Presets
 
 After the sandbox image builds and OpenClaw starts inside the sandbox, NemoClaw asks which network policy tier to apply.
+Web search and messaging selections happen before this point so the sandbox image and the policy suggestions stay aligned.
 The default **Balanced** tier includes common development presets such as npm, PyPI, Hugging Face, Homebrew, and Brave Search when the selected agent supports web search.
 Use the arrow keys or `j` and `k` to move, Space to select, and Enter to confirm.
 

.agents/skills/nemoclaw-user-get-started/references/quickstart-details.md

@@ -4,7 +4,9 @@
 
 ## Respond to the Onboard Wizard
 
-After the installer launches `nemoclaw onboard`, the wizard runs preflight checks, starts or reuses the OpenShell gateway, and asks for an inference provider, sandbox name, optional web search, optional messaging channels, and network policy presets.
+After the installer launches `nemoclaw onboard`, the wizard runs preflight checks, starts or reuses the OpenShell gateway, asks for an inference provider and model, collects any required credential, then asks for the sandbox name.
+It prints a review summary before it registers the provider with OpenShell.
+After you confirm, NemoClaw registers inference, prompts for optional web search and messaging channels, builds and starts the sandbox, sets up OpenClaw, then applies the selected network policy tier and presets.
 At any prompt, press Enter to accept the default shown in `[brackets]`, type `back` to return to the previous prompt, or type `exit` to quit.
 If existing sandbox sessions are running, the installer warns before onboarding because the setup can rebuild or upgrade sandboxes after the new sandbox launches.
 

.agents/skills/nemoclaw-user-get-started/references/quickstart-hermes.md

@@ -11,6 +11,10 @@ The Hermes agent option is experimental.
 Interfaces, defaults, and supported features may change without notice, and it is not recommended for production use.
 
 Review the [Prerequisites](prerequisites.md) before starting.
+Docker must be installed, running, and reachable from the current shell before Hermes onboarding can build the sandbox image.
+On Linux, the installer can install Docker, start the service, and add your user to the `docker` group.
+If it changes group membership, run the printed `newgrp docker` recovery command before rerunning the installer.
+On macOS, start Docker Desktop or Colima before you run the installer.
 The first Hermes build can take several minutes because NemoClaw builds the Hermes sandbox base image if it is not already cached.
 
 ## Install and Onboard
@@ -23,6 +27,20 @@ $ export NEMOCLAW_AGENT=hermes
 $ curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
 ```
 
+If a headless host needs to expose the Hermes API through a remote URL or tunnel, set `CHAT_UI_URL` before onboarding.
+Use the externally reachable origin for port `8642`, without the `/v1` path.
+NemoClaw derives the forwarded port from this value, binds the forward for remote access when the origin is non-loopback, and prints the final OpenAI-compatible base URL with `/v1` in the ready summary.
+
+```console
+$ export NEMOCLAW_AGENT=hermes
+$ export CHAT_UI_URL="https://hermes.example.com:8642"
+$ curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
+```
+
+For SSH local port forwarding to `127.0.0.1:8642`, leave `CHAT_UI_URL` unset.
+Do not append an OpenClaw `#token=` fragment to the Hermes URL.
+Hermes API clients authenticate with the bearer token from the generated Hermes environment instead of an OpenClaw dashboard URL token.
+
 If NemoClaw is already installed, start Hermes onboarding directly.
 
 ```console
@@ -31,7 +49,8 @@ $ nemohermes onboard
 
 ## Respond to the Wizard
 
-The onboard wizard asks for a sandbox name, inference provider, model, credentials, and network policy preset.
+The onboard wizard asks for an inference provider, model, any required credential, and sandbox name before it prints the review summary.
+After you confirm, NemoClaw registers inference, prompts for supported messaging channels, builds and starts the sandbox, sets up Hermes, then applies the selected network policy tier and presets.
 At any prompt, press Enter to accept the default shown in `[brackets]`, type `back` to return to the previous prompt, or type `exit` to quit.
 
 The default Hermes sandbox name is `hermes`.
@@ -47,7 +66,7 @@ The provider options and credential environment variables are the same as the st
 For provider-specific prompts, refer to the [Respond to the Onboard Wizard](../SKILL.md#respond-to-the-onboard-wizard) section and the Inference Options (use the `nemoclaw-user-configure-inference` skill) page.
 The Hermes wizard does not ask for Brave Web Search because Hermes does not use NemoClaw's OpenClaw web-search configuration.
 
-After provider and policy selection, review the summary and confirm the build.
+After provider and model selection, review the summary and confirm the build.
 NemoClaw writes Hermes configuration into `/sandbox/.hermes`, routes model traffic through `inference.local`, and starts the Hermes gateway inside the sandbox.
 The Hermes image includes runtime dependencies for the supported NemoClaw messaging integrations, API service, and health endpoint.
 The base image does not include unsupported Hermes integrations.
@@ -76,6 +95,18 @@ Use the provider variables from Inference Options (use the `nemoclaw-user-config
 
 When onboarding completes, NemoClaw prints the sandbox name, model, lifecycle commands, and Hermes API endpoint.
 Hermes exposes an OpenAI-compatible API on port `8642`, not a browser dashboard.
+To also launch the native Hermes web dashboard, opt in before onboarding:
+
+```bash
+export NEMOCLAW_HERMES_DASHBOARD=1
+nemohermes onboard
+```
+
+The dashboard uses port `9119` by default.
+Set `NEMOCLAW_HERMES_DASHBOARD_PORT` before onboarding to choose a different port.
+Set `NEMOCLAW_HERMES_DASHBOARD_TUI=1` to enable Hermes' optional in-browser TUI tab.
+For upstream dashboard features, see the
+[Hermes web dashboard documentation](https://hermes-agent.nousresearch.com/docs/user-guide/features/web-dashboard).
 
 ```text
 ──────────────────────────────────────────────────
@@ -90,6 +121,10 @@ Access
   Port 8642 must be forwarded before connecting.
   http://127.0.0.1:8642/v1
 
+  Hermes Agent Web dashboard
+  Port 9119 must be forwarded before opening this URL.
+  http://127.0.0.1:9119/
+
 Terminal:
   nemohermes my-hermes connect
 
@@ -136,6 +171,20 @@ Configure an OpenAI-compatible client with the base URL `http://127.0.0.1:8642/v
 Hermes uses API header authentication for client requests.
 Do not append an OpenClaw `#token=` URL fragment to the Hermes endpoint.
 
+## Open the Optional Dashboard
+
+When `NEMOCLAW_HERMES_DASHBOARD=1` is set during onboarding, NemoClaw starts `hermes dashboard --no-open` inside the sandbox and forwards `http://127.0.0.1:9119/` on the host.
+The API endpoint remains separate on `8642`.
+
+If the dashboard forward is missing after a reboot or terminal restart, start it again:
+
+```bash
+openshell forward start --background 9119 my-hermes
+```
+
+Treat the dashboard as a local management UI.
+Avoid exposing it on shared or public networks unless you put it behind your own access controls.
+
 ## Manage the Sandbox
 
 Use the same lifecycle commands as a standard NemoClaw sandbox.

.agents/skills/nemoclaw-user-get-started/references/windows-preparation.md

@@ -29,6 +29,8 @@ The command downloads the script to a temporary file before running it.
 `-ExecutionPolicy Bypass` applies only to that PowerShell process and avoids local policy blocking the downloaded script.
 Run it from Windows, not from inside WSL.
 The script requests Administrator privileges when needed, enables the required WSL 2 Windows features, installs or opens Ubuntu 24.04, and installs and starts Docker Desktop.
+When Ubuntu needs first-run account setup, the script opens a handoff window and waits for that account to exist before it changes Docker settings.
+It enables Docker Desktop WSL integration for the target distro, restarts Docker Desktop only when Docker was already running, and leaves your global default WSL distro unchanged.
 If the target Ubuntu distro is already registered, the script confirms it uses WSL 2, converts it from WSL 1 when needed, and verifies Docker is reachable from WSL.
 If Windows requires a reboot after enabling WSL features, the script prompts for the reboot and registers a one-time continuation for the next sign-in.
 If Docker Desktop shows first-run prompts, complete them and return to the PowerShell window.
@@ -45,7 +47,7 @@ When Windows preparation is complete, it opens Ubuntu and prints the standard in
 curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
 ```
 
-If the bootstrap script reports that Docker is not reachable from Ubuntu, open Docker Desktop Settings and confirm that WSL integration is enabled for Ubuntu (Settings > Resources > WSL integration), then rerun the script.
+If the bootstrap script reports that Docker is not reachable from Ubuntu, open Docker Desktop Settings and confirm that WSL integration is enabled for Ubuntu (Settings > Resources > WSL integration), make sure Docker Desktop is running, then rerun the script.
 
 If the bootstrap script reports that `winget.exe` is not available (common on Windows Server or stripped Windows installs), install **App Installer** from the Microsoft Store (which provides `winget`), or download and install Docker Desktop manually from [docker.com](https://www.docker.com/products/docker-desktop/).
 Rerun the bootstrap script after Docker Desktop is installed; the script skips the install step once it detects Docker Desktop is present.

.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md

@@ -261,11 +261,13 @@ $ nemoclaw my-assistant policy-remove huggingface --yes
 ### Homebrew Specifics
 
 The sandbox base image includes Homebrew (Linuxbrew), so applying the `brew` preset is the only step needed before installing a formula.
-A `/usr/local/bin/brew` symlink puts the entry point on the sandbox `PATH`, so the agent can run `brew install <formula>` directly:
+A `/usr/local/bin/brew` wrapper puts the entry point on the sandbox `PATH` while delegating to the Linuxbrew prefix.
+Installed formula commands are available from the Linuxbrew bin directory in sandbox shell sessions:
 
 ```console
 $ nemoclaw my-assistant policy-add brew --yes
 $ nemoclaw my-assistant exec -- brew install <formula>
+$ nemoclaw my-assistant exec -- bash -lc '<formula-command>'
 ```
 
 You do not need to bootstrap Homebrew, install build dependencies, or source `brew shellenv` inside the sandbox.

.agents/skills/nemoclaw-user-manage-sandboxes/references/messaging-channels.md

@@ -155,6 +155,7 @@ The command accepts mixed-case input such as `Telegram`, then stores and prints
 If a matching built-in network policy preset exists, `channels add` applies it to the sandbox automatically before the rebuild so the bridge has egress to its upstream API.
 If applying the preset fails, NemoClaw warns and tells you to re-apply manually with `nemoclaw <sandbox> policy-add <channel>` after the rebuild.
 Choose the rebuild so the running sandbox image picks up the new channel.
+For Telegram, Discord, and Slack, `channels add` also checks the rebuilt runtime for the selected bridge and reports startup, credential, or missing-plugin warnings before returning.
 If you need optional channel settings such as `TELEGRAM_ALLOWED_IDS`, `TELEGRAM_REQUIRE_MENTION`, `DISCORD_SERVER_ID`, `DISCORD_USER_ID`, `DISCORD_REQUIRE_MENTION`, `SLACK_ALLOWED_USERS`, or `SLACK_ALLOWED_CHANNELS`, export them before the rebuild starts.
 If you defer the rebuild, apply the change later: