chore: fix all prek lint findings and wire prek into CI

.agents/skills/docs/nemoclaw-overview/references/how-it-works.md

@@ -111,4 +111,4 @@ Approved endpoints persist for the current session but are not saved to the base
 
 - Follow the Quickstart (see the `nemoclaw-get-started` skill) to launch your first sandbox.
 - Refer to the Architecture (see the `nemoclaw-reference` skill) for the full technical structure, including file layouts and the blueprint lifecycle.
-- Refer to Inference Profiles (see the `nemoclaw-reference` skill) for detailed provider configuration.
+- Refer to Inference Profiles (see the `nemoclaw-reference` skill) for detailed provider configuration.

.agents/skills/docs/nemoclaw-overview/references/overview.md

@@ -53,4 +53,4 @@ Explore the following pages to learn more about NemoClaw.
 - Switch Inference Providers (see the `nemoclaw-configure-inference` skill) to configure the inference provider.
 - Approve or Deny Network Requests (see the `nemoclaw-manage-policy` skill) to manage egress approvals.
 - Deploy to a Remote GPU Instance (see the `nemoclaw-deploy-remote` skill) for persistent operation.
-- Monitor Sandbox Activity (see the `nemoclaw-monitor-sandbox` skill) to observe agent behavior.
+- Monitor Sandbox Activity (see the `nemoclaw-monitor-sandbox` skill) to observe agent behavior.

.agents/skills/docs/nemoclaw-overview/references/release-notes.md

@@ -12,4 +12,4 @@ NVIDIA NemoClaw is available in early preview starting March 16, 2026. Use the f
 | [Releases](https://github.com/NVIDIA/NemoClaw/releases) | Versioned release notes and downloadable assets. |
 | [Release comparison](https://github.com/NVIDIA/NemoClaw/compare) | Diff between any two tags or branches. |
 | [Merged pull requests](https://github.com/NVIDIA/NemoClaw/pulls?q=is%3Apr+is%3Amerged) | Individual changes with review discussion. |
-| [Commit history](https://github.com/NVIDIA/NemoClaw/commits/main) | Full commit log on `main`. |
+| [Commit history](https://github.com/NVIDIA/NemoClaw/commits/main) | Full commit log on `main`. |

.agents/skills/docs/nemoclaw-reference/SKILL.md

@@ -13,4 +13,4 @@ Learn how NemoClaw combines a lightweight CLI plugin with a versioned blueprint
 - [NemoClaw CLI Commands Reference](references/commands.md)
 - [NemoClaw Inference Profiles — NVIDIA Endpoint](references/inference-profiles.md)
 - [NemoClaw Network Policies — Baseline Rules and Operator Approval](references/network-policies.md)
-- [NemoClaw Troubleshooting Guide](references/troubleshooting.md)
+- [NemoClaw Troubleshooting Guide](references/troubleshooting.md)

.agents/skills/docs/nemoclaw-reference/references/architecture.md

@@ -79,4 +79,4 @@ OpenShell intercepts them and routes to the configured provider:
 Agent (sandbox)  ──▶  OpenShell gateway  ──▶  NVIDIA Endpoint (build.nvidia.com)
 ```
 
-Refer to Inference Profiles (see the `nemoclaw-reference` skill) for provider configuration details.
+Refer to Inference Profiles (see the `nemoclaw-reference` skill) for provider configuration details.

.agents/skills/docs/nemoclaw-reference/references/commands.md

@@ -149,4 +149,4 @@ After the fixes complete, the script prompts you to run `nemoclaw onboard` to co
 
 ```console
 $ sudo nemoclaw setup-spark
-```
+```

.agents/skills/docs/nemoclaw-reference/references/inference-profiles.md

@@ -50,4 +50,4 @@ $ openshell inference set --provider nvidia-nim --model <model-name>
 ```
 
 The change takes effect immediately.
-No sandbox restart is needed.
+No sandbox restart is needed.

.agents/skills/docs/nemoclaw-reference/references/network-policies.md

@@ -119,4 +119,4 @@ Apply policy updates to a running sandbox without restarting:
 
 ```console
 $ openshell policy set <policy-file>
-```
+```

.agents/skills/docs/nemoclaw-reference/references/troubleshooting.md

@@ -161,4 +161,4 @@ View the error output for the failed blueprint run:
 $ nemoclaw <name> logs
 ```
 
-Use `--follow` to stream logs in real time while debugging.
+Use `--follow` to stream logs in real time while debugging.

.github/PULL_REQUEST_TEMPLATE.md

@@ -16,7 +16,7 @@
 
 ## Testing
 <!-- What testing was done? -->
-- [ ] `make check` passes.
+- [ ] `npx prek run --all-files` passes (or equivalently `make check`).
 - [ ] `npm test` passes.
 - [ ] `make docs` builds without warnings. (for doc-only changes)
 
@@ -28,7 +28,7 @@
 
 ### Code Changes
 <!-- Skip if this is a doc-only PR. -->
-- [ ] `make format` applied (TypeScript and Python).
+- [ ] Formatters applied — `npx prek run --all-files` auto-fixes formatting (or `make format` for targeted runs).
 - [ ] Tests added or updated for new or changed behavior.
 - [ ] No secrets, API keys, or credentials committed.
 - [ ] Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

.github/workflows/commit-lint.yaml

@@ -20,12 +20,12 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: "22"
           cache: npm

.github/workflows/docker-pin-check.yaml

@@ -22,7 +22,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Check Dockerfile base-image pin
         run: bash scripts/update-docker-pin.sh --check

.github/workflows/docs.yaml

@@ -26,15 +26,15 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@v7
 
       - name: Install doc dependencies
         run: uv sync --group docs

.github/workflows/nightly-e2e.yaml

@@ -29,7 +29,7 @@ jobs:
     timeout-minutes: 45
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Run full E2E test
         env:

.github/workflows/pr.yaml

@@ -17,56 +17,66 @@ concurrency:
 jobs:
   lint:
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: "22"
           cache: npm
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@v7
 
-      - name: Install ruff
-        run: uv tool install ruff
+      - name: Install hadolint
+        run: |
+          HADOLINT_URL="https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64"
+          curl -fsSL -o /usr/local/bin/hadolint "$HADOLINT_URL"
+          EXPECTED=$(curl -fsSL "${HADOLINT_URL}.sha256" | awk '{print $1}')
+          ACTUAL=$(sha256sum /usr/local/bin/hadolint | awk '{print $1}')
+          [ "$EXPECTED" = "$ACTUAL" ] || { echo "::error::hadolint checksum mismatch"; exit 1; }
+          chmod +x /usr/local/bin/hadolint
+
+      - name: Install dependencies
+        run: |
+          npm install --ignore-scripts
+          cd nemoclaw && npm install
+          cd ../nemoclaw-blueprint && uv sync --extra dev
 
-      - name: Install Node dependencies
-        working-directory: nemoclaw
-        run: npm install
+      - name: Build TypeScript plugin
+        run: cd nemoclaw && npm run build
 
-      - name: Run all linters
-        run: make check
+      - name: Run all hooks (pre-commit + pre-push)
+        run: npx prek run --all-files --stage pre-push
 
   test-unit:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: "22"
           cache: npm
 
-      - name: Install root dependencies
-        run: npm install
-
-      - name: Install and build TypeScript plugin
-        working-directory: nemoclaw
+      - name: Install dependencies
         run: |
-          npm install
-          npm run build
+          npm install --ignore-scripts
+          cd nemoclaw && npm install
+
+      - name: Build TypeScript plugin
+        run: cd nemoclaw && npm run build
 
       - name: Run all unit tests with coverage
         run: npx vitest run --coverage
@@ -79,7 +89,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Build sandbox test image
         run: docker build -f test/Dockerfile.sandbox -t nemoclaw-sandbox-test .

.gitignore

@@ -1,5 +1,6 @@
 # Build artifacts and caches
 *.pyc
+*.tsbuildinfo
 .pytest_cache/
 __pycache__/
 coverage/

.pre-commit-config.yaml

@@ -1,8 +1,10 @@
 # NemoClaw — prek hook configuration
 # prek: https://github.com/j178/prek — single binary, no Python required for the runner
 # Installed as an npm devDependency (@j178/prek) — available after `npm install`.
-# All git hooks (pre-commit, commit-msg, pre-push) are managed by prek via this file.
-# The "prepare" script in package.json runs `prek install` to wire them up.
+# All git hooks (pre-commit, commit-msg, pre-push) are managed by prek via this file only.
+# The "prepare" script in package.json runs `prek install` (writes `.git/hooks/*`).
+# If you previously used Husky, run: git config --unset core.hooksPath
+# then `npm install` again so Git uses the hooks prek installs.
 #
 # Usage:
 #   npx prek install
@@ -20,6 +22,13 @@
 
 exclude: ^(nemoclaw/dist/|nemoclaw/node_modules/|docs/_build/|\.venv/|uv\.lock$)
 
+# Which git hook shims `prek install` writes (separate from each hook's `stages:`).
+# https://prek.j178.dev/configuration/#default_install_hook_types
+default_install_hook_types:
+  - pre-commit
+  - commit-msg
+  - pre-push
+
 repos:
   # ── Priority 0: general file fixers ───────────────────────────────────────
   - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -124,10 +133,14 @@ repos:
           - --exclude=SC1091
         priority: 10
 
-  - repo: https://github.com/hadolint/hadolint
-    rev: v2.14.0
+  - repo: local
     hooks:
       - id: hadolint
+        name: hadolint
+        entry: hadolint
+        language: system
+        files: (Dockerfile[^/]*|.*\.dockerfile)$
+        types: [file]
         priority: 10
 
   - repo: local
@@ -152,32 +165,32 @@ repos:
     hooks:
       - id: vitest-plugin
         name: Vitest (plugin project)
-        entry: npx vitest run --project plugin
+        entry: bash -c 'root="$(git rev-parse --show-toplevel)" && cd "$root" && exec ./node_modules/.bin/vitest run --project plugin'
         language: system
         pass_filenames: false
         files: ^nemoclaw/
         priority: 20
 
   # ── commit-msg hooks ────────────────────────────────────────────────────────
-  - repo: local
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.24.0
     hooks:
       - id: commitlint
-        name: commitlint
-        entry: npx commitlint --edit
-        language: system
         stages: [commit-msg]
-        always_run: true
+        additional_dependencies: ["@commitlint/config-conventional@20"]
+        priority: 10
 
   # ── pre-push hooks ─────────────────────────────────────────────────────────
   - repo: local
     hooks:
       - id: tsc-check
         name: TypeScript type check (tsc --noEmit)
-        entry: bash -c 'cd nemoclaw && npx tsc --noEmit'
+        entry: bash -c 'cd nemoclaw && npx tsc --noEmit --incremental'
         language: system
         pass_filenames: false
         always_run: true
         stages: [pre-push]
+        priority: 10
 
       - id: pyright-check
         name: Pyright (nemoclaw-blueprint)
@@ -186,6 +199,7 @@ repos:
         pass_filenames: false
         always_run: true
         stages: [pre-push]
+        priority: 10
 
 default_language_version:
   python: python3

CODE_OF_CONDUCT.md

@@ -67,7 +67,7 @@ reported by contacting GitHub_Conduct@nvidia.com. All complaints will be reviewe
 investigated and will result in a response that is deemed necessary and appropriate
 to the circumstances. The project team is obligated to maintain confidentiality with
 regard to the reporter of an incident. Further details of specific enforcement policies
-may be posted separately. 
+may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good
 faith may face temporary or permanent repercussions as determined by other
@@ -81,4 +81,4 @@ available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.ht
 [homepage]: https://www.contributor-covenant.org
 
 For answers to common questions about this code of conduct, see
-https://www.contributor-covenant.org/faq
+https://www.contributor-covenant.org/faq

CONTRIBUTING.md

@@ -18,6 +18,7 @@ Install the following before you begin.
 - Python 3.11+ (for blueprint and documentation builds)
 - Docker (running)
 - [uv](https://docs.astral.sh/uv/) (for Python dependency management)
+- [hadolint](https://github.com/hadolint/hadolint) (Dockerfile linter — `brew install hadolint` on macOS)
 
 ## Getting Started
 
@@ -71,6 +72,8 @@ All git hooks are managed by [prek](https://prek.j178.dev/), a fast, single-bina
 
 For a full manual check: `npx prek run --all-files`. For scoped runs: `npx prek run --from-ref <base> --to-ref HEAD`.
 
+If you still have `core.hooksPath` set from an old Husky setup, Git will ignore `.git/hooks`. Run `git config --unset core.hooksPath` in this repo, then `npm install` so `prek install` (via `prepare`) can register the hooks.
+
 `make check` remains the primary documented linter entry point.
 
 ## Project Structure

Dockerfile

@@ -12,6 +12,7 @@ FROM node:22-slim@sha256:4f77a690f2f8946ab16fe1e791a3ac0667ae1c3575c3e4d0d4589e9
 
 ENV DEBIAN_FRONTEND=noninteractive
 
+# hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
         python3 python3-pip python3-venv \
         curl git ca-certificates \
@@ -51,11 +52,9 @@ RUN mkdir -p /sandbox/.openclaw-data/agents/main/agent \
     && ln -s /sandbox/.openclaw-data/update-check.json /sandbox/.openclaw/update-check.json \
     && chown -R sandbox:sandbox /sandbox/.openclaw /sandbox/.openclaw-data
 
-# Install OpenClaw CLI
-RUN npm install -g openclaw@2026.3.11
-
-# Install PyYAML for blueprint runner
-RUN pip3 install --break-system-packages pyyaml
+# Install OpenClaw CLI and PyYAML for blueprint runner (single layer)
+RUN npm install -g openclaw@2026.3.11 \
+    && pip3 install --no-cache-dir --break-system-packages "pyyaml==6.0.2"
 
 # Copy built plugin and blueprint into the sandbox
 COPY --from=builder /opt/nemoclaw/dist/ /opt/nemoclaw/dist/

Makefile

@@ -1,10 +1,12 @@
 .PHONY: check lint format lint-ts lint-py format-ts format-py docs docs-strict docs-live docs-clean
 
-check: lint-ts lint-py
+check:
+	npx prek run --all-files
 	@echo "All checks passed."
 
-lint: lint-ts lint-py
+lint: check
 
+# Targeted subproject checks (not part of `make check` — use for focused runs).
 lint-ts:
 	cd nemoclaw && npm run check