907e410d8d
Some checks failed
Images / Base Images / build-and-push (push) Waiting to run
Images / Base Images / build-and-push-hermes (push) Waiting to run
Security / Code Scanning / CodeQL (javascript-typescript) (push) Waiting to run
Security / Code Scanning / CodeQL (python) (push) Waiting to run
Security / Code Scanning / ShellCheck SARIF (push) Waiting to run
e2e-branch-validation.yaml / feat(channels): add WhatsApp messaging channel with QR pairing (#3392) (push) Failing after 0s
Security / Installer Hash Check / check-hash (push) Waiting to run
E2E / macOS / macos-e2e (push) Waiting to run
CI / Main / checks (push) Waiting to run
CI / Main / sandbox-images-and-e2e (push) Blocked by required conditions
CI / Platform Vitest Main Watch / macos-vitest (push) Waiting to run
CI / Platform Vitest Main Watch / wsl-vitest (push) Waiting to run
E2E / WSL / wsl-e2e (push) Waiting to run
## Summary Adds WhatsApp as a QR-paired messaging channel alongside Telegram/Discord/Slack, and ships the network policy preset that unblocks the consumer WhatsApp Web protocol from inside an OpenShell sandbox. WhatsApp uses Curve25519 QR pairing rather than a static token, so `ChannelDef.envKey` becomes optional and the wizard skips the token prompt for QR-paired channels. ## Related Issue Fixes #361 Fixes #513 ## Changes - New `nemoclaw-blueprint/policies/presets/whatsapp.yaml`: - L4 CONNECT tunnel (`access: full, tls: skip`) for `web.whatsapp.com` and `*.web.whatsapp.com` so the proxy stops negotiating h2 on the `/ws/chat` upgrade and stops auto-terminating TLS on the Noise handshake. - REST allow-lists for the apex `whatsapp.net` and the `*.whatsapp.net` wildcard (covers `mmg`, `static`, `cdn`, `pps`, `v`, `e1`, `f`, `s`, etc. — all Meta-controlled; mirrors the `*.atlassian.net` precedent in the jira preset). - **Non-Meta endpoint:** a GET-only rule pinned to the single path `raw.githubusercontent.com/WhiskeySockets/Baileys/master/src/Defaults/index.ts` so Baileys' `fetchLatestBaileysVersion()` succeeds at runtime. Without it Baileys advertises its bundled (stale) WA protocol constant and Meta rejects pairing with `<failure reason="405"/>`. - WhatsApp joins the **Open** tier in `tiers.yaml`. - `ChannelDef` gains `loginMethod` (`"token-paste"` / `"host-qr"` / `"in-sandbox-qr"`); `envKey` becomes optional. New `channelUsesInSandboxQrPairing` and `channelHasStaticToken` helpers in `sandbox/channels.ts`. - `onboard.ts`: wizard prompt loop short-circuits for in-sandbox-QR channels (prints pairing instructions, skips token prompt). `getMessagingToken`, conflict-detection, `enabledEnvKeys` / `disabledEnvKeys`, and the userId loop now tolerate tokenless channels. `setupMessagingChannels` filters available channels by the active agent's `messagingPlatforms` so each agent only sees what it advertises. `activeMessagingChannels` now includes QR-selected channels so the sandbox image, registry state, and policy bootstrap all preserve them. - `policy-channel.ts`: `addSandboxChannel` and `removeSandboxChannel` normalise `channelArg` before logging, registry writes, and rebuild reasons. The in-sandbox-QR path registers the channel in the registry without upserting a bridge provider. The matching built-in network policy preset is applied to the sandbox before the rebuild so the bridge has egress on first start; failures warn and tell the user to run `policy-add` manually. - `agents/openclaw/manifest.yaml`: `whatsapp` moves from the `# Future:` comment into `supported:` and into `state_dirs:` (Baileys session state is durable across rebuilds, not baked into the image). Hermes intentionally does not advertise WhatsApp, and the wizard filter respects that. - `policy/index.ts`: messaging-preset warning text now uses generic "channel setup, pairing, and runtime configuration" wording so it reads correctly for QR-paired channels. - In-sandbox guard (`scripts/nemoclaw-start.sh`): `openclaw channels login` and `channels status` are intentionally allowed; mutating ops stay blocked. The error message distinguishes WhatsApp's in-sandbox pairing path from WeChat's host-side QR. - Tests: `channels.test.ts` covers the in-sandbox-QR shape, the three `loginMethod` values, and mixed-case canonicalisation; `policies.test.ts` adds regression cases for `whatsapp.yaml` (L4 + `tls: skip` on `web.whatsapp.com`; apex+wildcard `whatsapp.net` REST methods; the GET-pinned `raw.githubusercontent.com` rule). - Docs: `messaging-channels.md` describes the QR-pair flow, the durable `whatsapp` state directory, and the three login modes; `commands.md` describes `token-paste` / `host-qr` / `in-sandbox-qr` for `channels add` and the auto-applied preset behaviour; `network-policies.md` and `integration-policy-examples.md` fold `wechat` and `whatsapp` into the baseline-policy and matching-preset wording; user-reference skill regenerated. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Verification - [x] `npx prek run --all-files` passes - [x] `npm test` passes - [x] Tests added or updated for new or changed behavior - [x] No secrets, API keys, or credentials committed - [x] Docs updated for user-facing behavior changes - [ ] `make docs` builds without warnings (doc changes only) - [ ] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Tinson Lai <tinsonl@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * WhatsApp channel added with in‑sandbox QR pairing; supported in onboarding for both agents and persisted across rebuilds. * **Documentation** * Expanded onboarding, channel setup, CLI reference, troubleshooting, network-policy, and integration docs to cover WhatsApp workflows, pairing, and persistence. * **Policy** * New WhatsApp network preset (endpoints, node runtime scope) and added to the Open tier. * **Chores / CLI** * In‑sandbox WhatsApp login permitted; config generation and agent manifests updated to handle tokenless WhatsApp sessions. * **Tests** * Unit, integration, and E2E tests added/updated for WhatsApp behavior. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/NVIDIA/NemoClaw/pull/3392?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Tinson Lai <tinsonl@nvidia.com> Signed-off-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: J. Yaunches <jyaunches@nvidia.com> Co-authored-by: Carlos Villela <cvillela@nvidia.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Aaron Erickson <aerickson@nvidia.com> |
||
|---|---|---|
| .agents/skills | ||
| .claude | ||
| .github | ||
| agents | ||
| bin | ||
| ci | ||
| docs | ||
| fern | ||
| ISSUE_TEMPLATE | ||
| nemoclaw | ||
| nemoclaw-blueprint | ||
| schemas | ||
| scripts | ||
| src | ||
| test | ||
| tools/e2e-advisor | ||
| .coderabbit.yaml | ||
| .dockerignore | ||
| .editorconfig | ||
| .gitignore | ||
| .gitleaksignore | ||
| .gitmodules | ||
| .markdownlint-cli2.yaml | ||
| .pre-commit-config.yaml | ||
| .prettierignore | ||
| .shellcheckrc | ||
| AGENTS.md | ||
| biome.json | ||
| CLAUDE.md | ||
| CODE_OF_CONDUCT.md | ||
| commitlint.config.js | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| Dockerfile.base | ||
| install.sh | ||
| jsconfig.json | ||
| LICENSE | ||
| Makefile | ||
| package-lock.json | ||
| package.json | ||
| pyproject.toml | ||
| README.md | ||
| SECURITY.md | ||
| spark-install.md | ||
| tsconfig.cli.json | ||
| tsconfig.src.json | ||
| uninstall.sh | ||
| uv.lock | ||
| vitest.config.ts | ||
🦞 NVIDIA NemoClaw: Reference Stack for Running OpenClaw in OpenShell
NVIDIA NemoClaw is an open source reference stack that simplifies running OpenClaw always-on assistants more safely. It installs the NVIDIA OpenShell runtime, part of NVIDIA Agent Toolkit, which provides additional security for running autonomous agents.
Alpha software
NemoClaw is available in early preview starting March 16, 2026. This software is not production-ready. Interfaces, APIs, and behavior may change without notice as we iterate on the design. The project is shared to gather feedback and enable early experimentation. We welcome issues and discussion from the community while the project evolves.
NemoClaw adds guided onboarding, a hardened blueprint, state management, OpenShell-managed channel messaging, routed inference, and layered protection on top of the NVIDIA OpenShell runtime. For the full feature list, refer to Overview. For the system diagram, component model, and blueprint lifecycle, refer to How It Works and Architecture.
Getting Started
Follow these steps to install NemoClaw and run your first sandboxed OpenClaw agent.
Prerequisites
Before getting started, check the prerequisites to ensure you have the necessary software and hardware to run NemoClaw.
Hardware
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 4 vCPU | 4+ vCPU |
| RAM | 8 GB | 16 GB |
| Disk | 20 GB free | 40 GB free |
The sandbox image is approximately 2.4 GB compressed. During image push, the Docker daemon, k3s, and the OpenShell gateway run alongside the export pipeline, which buffers decompressed layers in memory. On machines with less than 8 GB of RAM, this combined usage can trigger the OOM killer. If you cannot add memory, configuring at least 8 GB of swap can work around the issue at the cost of slower performance.
Software
| Dependency | Version |
|---|---|
| Node.js | 22.16 or later |
| npm | 10 or later |
| Platform | See below |
OpenShell Lifecycle
For NemoClaw-managed environments, use nemoclaw onboard when you need to create or recreate the OpenShell gateway or sandbox.
Avoid openshell self-update, npm update -g openshell, openshell gateway start --recreate, or openshell sandbox create directly unless you intend to manage OpenShell separately and then rerun nemoclaw onboard.
Container Runtimes
The following table lists tested platform and runtime combinations. Availability is not limited to these entries, but untested configurations may have issues.
| OS | Container runtime | Status | Notes |
|---|---|---|---|
| Linux | Docker | Tested | Primary tested path. |
| macOS (Apple Silicon) | Colima, Docker Desktop | Tested with limitations | Install Xcode Command Line Tools (xcode-select --install) and start the runtime before running the installer. |
| DGX Spark | Docker | Tested | Use the standard installer and nemoclaw onboard. For an end-to-end walkthrough with local Ollama inference, see the NVIDIA Spark playbook. |
| Windows WSL2 | Docker Desktop (WSL backend) | Tested with limitations | Requires WSL2 with Docker Desktop backend. |
For platform-specific pre-setup (for example, Windows WSL 2), see Prerequisites.
Install NemoClaw and Onboard OpenClaw Agent
Download and run the installer script. The script installs Node.js if it is not already present, then runs the guided onboard wizard to create a sandbox, configure inference, and apply security policies.
ℹ️ Note
NemoClaw creates a fresh OpenClaw instance inside the sandbox during the onboarding process.
The installer runs as your normal user and does not require
sudoor root. It installs Node.js via nvm and NemoClaw via npm, both into user-local directories. Docker must be installed and running before you run the installer. Installing Docker may require elevated privileges on Linux.
curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
The piped installer prompts through your terminal. In headless scripts or CI,
pass explicit acceptance to the bash side of the pipe:
curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 bash
If you use nvm or fnm to manage Node.js, the installer may not update your current shell's PATH.
If nemoclaw is not found after install, run source ~/.bashrc (or source ~/.zshrc for zsh) or open a new terminal.
When the install completes, a summary confirms the running environment:
──────────────────────────────────────────────────
Sandbox my-assistant (Landlock + seccomp + netns)
Model nvidia/nemotron-3-super-120b-a12b (NVIDIA Endpoints)
──────────────────────────────────────────────────
Run: nemoclaw my-assistant connect
Status: nemoclaw my-assistant status
Logs: nemoclaw my-assistant logs --follow
──────────────────────────────────────────────────
To change settings later:
Model: nemoclaw inference get
nemoclaw inference set --model <model> --provider <provider> --sandbox my-assistant
[INFO] === Installation complete ===
Chat with the Agent
Connect to the sandbox, then chat with the agent through the TUI or the CLI.
nemoclaw my-assistant connect
In the sandbox shell, open the OpenClaw terminal UI and start a chat:
openclaw tui
Alternatively, send a single message and print the response:
openclaw agent --agent main --local -m "hello" --session-id test
Model Router (Experimental)
NemoClaw includes an optional model router that automatically picks the most efficient model for each query. Instead of sending every request to a single large model, the router uses a lightweight encoder to predict which model in a pool can handle each query correctly, then routes to the cheapest one that meets an accuracy threshold.
The router uses the NVIDIA LLM Router v3 prefill routing engine and runs on the host as a LiteLLM proxy. The sandbox reaches it through the OpenShell gateway and continues to call https://inference.local/v1; do not probe localhost:4000 or host.openshell.internal directly from inside the sandbox.
Enable during onboard
Select Model Router (experimental) during the onboard wizard, or set NEMOCLAW_PROVIDER=routed for non-interactive mode:
NEMOCLAW_PROVIDER=routed nemoclaw onboard --non-interactive
The onboard wizard starts the router, configures the OpenShell provider, and creates the sandbox. The router process runs on the host on port 4000.
Configure the model pool
Edit nemoclaw-blueprint/router/pool-config.yaml to define which models the router can choose from:
routing:
method: prefill
checkpoint: llm-router/checkpoints/prefill_router_qwen08b.pt
tolerance: 0.20
encoder: Qwen/Qwen3.5-0.8B
models:
- name: nano
litellm_model: "openai/nvidia/nvidia/Nemotron-3-Nano-30B-A3B"
cost_per_m_input_tokens: 0.05
api_base: "https://inference-api.nvidia.com"
- name: super
litellm_model: "openai/nvidia/nvidia/nemotron-3-super-v3"
cost_per_m_input_tokens: 0.10
api_base: "https://inference-api.nvidia.com"
The tolerance parameter controls the accuracy-cost tradeoff: 0.0 always picks the most accurate model, 1.0 always picks the cheapest, and 0.20 (default) allows up to 20 percentage points below the best for a cheaper model.
Architecture
The router runs on the host, not inside the sandbox:
Sandbox (OpenClaw) ──> OpenShell Gateway (L7 proxy) ──> Model Router (:4000) ──> NVIDIA API
└── PrefillRouter selects model
Credentials flow through the OpenShell provider system. The sandbox never sees raw API keys.
Uninstall
To remove NemoClaw and all resources created during setup, run the CLI's built-in uninstall command:
nemoclaw uninstall
| Flag | Effect |
|---|---|
--yes |
Skip the confirmation prompt. |
--keep-openshell |
Leave OpenShell binaries installed. |
--delete-models |
Also remove NemoClaw-pulled Ollama models. |
nemoclaw uninstall runs the version-pinned uninstall.sh shipped with your installed CLI, with no network fetch at uninstall time.
If the nemoclaw CLI is missing or broken, fall back to the hosted script:
curl -fsSL https://raw.githubusercontent.com/NVIDIA/NemoClaw/refs/heads/main/uninstall.sh | bash
For a full comparison of the two forms, see nemoclaw uninstall vs. the hosted uninstall.sh.
For troubleshooting installation or onboarding issues, see the Troubleshooting guide.
Documentation
Refer to the following pages on the official documentation website for more information on NemoClaw.
| Page | Description |
|---|---|
| Overview | What NemoClaw does and how it fits together. |
| Architecture Overview | High-level overview of Plugin, blueprint, sandbox lifecycle, and protection layers. |
| Ecosystem | How OpenClaw, OpenShell, and NemoClaw form a stack and when to use NemoClaw versus OpenShell alone. |
| Architecture Details | Detailed description of Plugin structure, blueprint lifecycle, sandbox environment, and host-side state. |
| Prerequisites | Hardware, software, and supported platforms, with any platform-specific pre-setup. |
| Inference Options | Supported providers, validation, and routed inference configuration. |
| Network Policies | Baseline rules, operator approval flow, and egress control. |
| Customize Network Policy | Static and dynamic policy changes, presets. |
| Security Best Practices | Controls reference, risk framework, and posture profiles for sandbox security. |
| Sandbox Hardening | Container security measures, capability drops, process limits. |
| CLI Commands | Full NemoClaw CLI command reference. |
| Troubleshooting | Common issues and resolution steps. |
Project Structure
The following directories make up the NemoClaw repository.
NemoClaw/
├── bin/ # CLI entry point and library modules (CJS)
├── nemoclaw/ # TypeScript plugin (Commander CLI extension)
│ └── src/
│ ├── blueprint/ # Runner, snapshot, SSRF validation, state
│ ├── commands/ # Slash commands, migration state
│ └── onboard/ # Onboarding config
├── nemoclaw-blueprint/ # Blueprint YAML and network policies
│ └── router/
│ ├── pool-config.yaml # Model pool and routing config
│ └── llm-router/ # LLM Router v3 submodule (prefill routing engine)
├── scripts/ # Install helpers, setup, automation
├── test/ # Integration and E2E tests
├── fern/ # Fern site configuration and shared assets
└── docs/ # User-facing docs (Fern MDX plus legacy MyST source during migration)
Community
Join the NemoClaw community to ask questions, share feedback, and report issues.
Contributing
We welcome contributions. See CONTRIBUTING.md for development setup, coding standards, and the PR process.
Security
NVIDIA takes security seriously. If you discover a vulnerability in NemoClaw, DO NOT open a public issue. Use one of the private reporting channels described in SECURITY.md:
- Submit a report through the NVIDIA Vulnerability Disclosure Program.
- Send an email to psirt@nvidia.com encrypted with the NVIDIA PGP key.
- Use GitHub's private vulnerability reporting to submit a report directly on this repository.
For security bulletins and PSIRT policies, visit the NVIDIA Product Security portal.
Notice and Disclaimer
This software automatically retrieves, accesses or interacts with external materials. Those retrieved materials are not distributed with this software and are governed solely by separate terms, conditions and licenses. You are solely responsible for finding, reviewing and complying with all applicable terms, conditions, and licenses, and for verifying the security, integrity and suitability of any retrieved materials for your specific use case. This software is provided "AS IS", without warranty of any kind. The author makes no representations or warranties regarding any retrieved materials, and assumes no liability for any losses, damages, liabilities or legal consequences from your use or inability to use this software or any retrieved materials. Use this software and the retrieved materials at your own risk.
License
Apache 2.0. See LICENSE.