Upgrading OpenShell independently breaks NemoClaw sandbox — version coupling should be documented
Environment
- NemoClaw: 0.1.0
- OpenShell: 0.0.7 (pinned by NemoClaw), accidentally upgraded to 0.0.8
- OS: Ubuntu 22.04.5 LTS
- Container runtime: k3s v1.29 (containerd)
Problem
NemoClaw 0.1.0 ships with and expects OpenShell 0.0.7. This version coupling is not documented anywhere — not in the README, not in the onboarding output, and not in nemoclaw --version.
When we ran openshell self-update (thinking it was a safe, independent upgrade), OpenShell upgraded to 0.0.8. On the next sandbox recreation, the sandbox environment changed fundamentally:
- The agent inside the sandbox switched from OpenClaw to Claude Code
- Workspace scaffolding changed (different default files, different directory layout)
- Skills and tools that depended on OpenClaw internals stopped working
- The Teams integration continued to route messages, but the agent behavior was completely different
The root cause: OpenShell 0.0.8 apparently bundles a different agent runtime than 0.0.7, and NemoClaw's configuration assumes the 0.0.7 sandbox layout.
Steps to Reproduce
- Deploy NemoClaw 0.1.0 via
nemoclaw onboard — everything works, OpenShell 0.0.7 is installed
- Run
openshell self-update (or npm update -g openshell)
- OpenShell updates to latest (0.0.8+)
- Restart the pod, or run
openshell gateway start --recreate
- Result: Sandbox is rebuilt with the new OpenShell version; agent runtime inside changes; NemoClaw's expected workspace layout no longer matches
Alternatively:
- Run
openshell sandbox create directly instead of going through nemoclaw onboard
- Result: Same breakage — sandbox is created with OpenShell defaults instead of NemoClaw's expected configuration
Recovery
We had to:
- Downgrade OpenShell:
npm install -g [email protected]
- Re-run
nemoclaw onboard to rebuild the sandbox with the correct version
- Restore workspace from backup (see #[pvc-persistence-issue] for our backup approach)
Total downtime: ~30 minutes, plus loss of any workspace changes since the last backup.
Current Workaround
- Pin OpenShell in our deployment scripts:
npm install -g [email protected] (never @latest)
- Added a pre-flight check in our startup scripts that verifies the OpenShell version matches expectations:
EXPECTED_OPENSHELL="0.0.7"
ACTUAL_OPENSHELL=$(openshell --version 2>/dev/null | grep -oP '\d+\.\d+\.\d+')
if [ "$ACTUAL_OPENSHELL" != "$EXPECTED_OPENSHELL" ]; then
echo "ERROR: OpenShell version mismatch. Expected $EXPECTED_OPENSHELL, got $ACTUAL_OPENSHELL"
echo "Run: npm install -g openshell@$EXPECTED_OPENSHELL"
exit 1
fi
- Never run
openshell commands directly — always go through nemoclaw CLI
Expected Behavior / Suggestion
-
Document the version dependency. The NemoClaw README and nemoclaw onboard output should clearly state which OpenShell version is required and that independent upgrades are not supported.
-
Add a compatibility matrix. A table mapping NemoClaw versions to their required OpenShell versions:
| NemoClaw |
OpenShell |
Notes |
| 0.1.0 |
0.0.7 |
Initial release |
| 0.2.0 |
TBD |
— |
-
Version check at startup. NemoClaw should detect the installed OpenShell version on startup and warn (or refuse to start) if it's incompatible:
⚠️ NemoClaw 0.1.0 requires OpenShell 0.0.7, but 0.0.8 is installed.
Run `npm install -g [email protected]` or upgrade NemoClaw.
-
Lock the upgrade path. Ideally, openshell self-update should be aware that it's being managed by NemoClaw and either refuse to upgrade or warn the user. Alternatively, NemoClaw could install OpenShell as a local dependency rather than a global one, making accidental upgrades impossible.
-
Clarify CLI boundaries. Document that users should always use nemoclaw onboard / nemoclaw start and should never run openshell gateway start --recreate or openshell sandbox create directly when NemoClaw is managing the deployment.
The tight coupling between NemoClaw and OpenShell is understandable at this stage, but it needs to be visible to operators. A silent version mismatch that changes the agent runtime is a significant operational risk.
Upgrading OpenShell independently breaks NemoClaw sandbox — version coupling should be documented
Environment
Problem
NemoClaw 0.1.0 ships with and expects OpenShell 0.0.7. This version coupling is not documented anywhere — not in the README, not in the onboarding output, and not in
nemoclaw --version.When we ran
openshell self-update(thinking it was a safe, independent upgrade), OpenShell upgraded to 0.0.8. On the next sandbox recreation, the sandbox environment changed fundamentally:The root cause: OpenShell 0.0.8 apparently bundles a different agent runtime than 0.0.7, and NemoClaw's configuration assumes the 0.0.7 sandbox layout.
Steps to Reproduce
nemoclaw onboard— everything works, OpenShell 0.0.7 is installedopenshell self-update(ornpm update -g openshell)openshell gateway start --recreateAlternatively:
openshell sandbox createdirectly instead of going throughnemoclaw onboardRecovery
We had to:
npm install -g [email protected]nemoclaw onboardto rebuild the sandbox with the correct versionTotal downtime: ~30 minutes, plus loss of any workspace changes since the last backup.
Current Workaround
npm install -g [email protected](never@latest)openshellcommands directly — always go throughnemoclawCLIExpected Behavior / Suggestion
Document the version dependency. The NemoClaw README and
nemoclaw onboardoutput should clearly state which OpenShell version is required and that independent upgrades are not supported.Add a compatibility matrix. A table mapping NemoClaw versions to their required OpenShell versions:
Version check at startup. NemoClaw should detect the installed OpenShell version on startup and warn (or refuse to start) if it's incompatible:
Lock the upgrade path. Ideally,
openshell self-updateshould be aware that it's being managed by NemoClaw and either refuse to upgrade or warn the user. Alternatively, NemoClaw could install OpenShell as a local dependency rather than a global one, making accidental upgrades impossible.Clarify CLI boundaries. Document that users should always use
nemoclaw onboard/nemoclaw startand should never runopenshell gateway start --recreateoropenshell sandbox createdirectly when NemoClaw is managing the deployment.The tight coupling between NemoClaw and OpenShell is understandable at this stage, but it needs to be visible to operators. A silent version mismatch that changes the agent runtime is a significant operational risk.