docs: document custom build cold/warm cache and layer ordering

[miyoungc]

Summary

Adds the remaining Docker build performance guidance for custom sandbox images identified in #4683: the cold-build versus warm-rebuild distinction and Dockerfile layer ordering for cache reuse. These were the two gaps not yet covered on main after the .dockerignore support docs landed.

Related Issue

Addresses #4683 (remaining gaps; issue stays open if maintainers want further consolidation).

Changes

• Add a consolidated "Build Performance" section to docs/deployment/install-openclaw-plugins.mdx covering cold vs warm builds, layer ordering, base image pinning, and a practical fast-vs-slow build-directory example.
• Add cold/warm + layer-ordering + base-pinning guidance to the --from <Dockerfile> reference in docs/reference/commands.mdx and docs/reference/commands-nemohermes.mdx, with a pointer to the Onboard Profiling Traces section for diagnosis.
• Add remediation guidance for the >100 MB build-context warning in both reference files.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Miyoung Choi miyoungc@nvidia.com

Summary by CodeRabbit

• Documentation
  • Added build-performance guidance for onboarding via Docker: reduce build context, use .dockerignore or a smaller Dockerfile directory, pin base images, and order instructions to maximize layer cache reuse.
  • Added troubleshooting for cold vs warm builds and a note on capturing build-phase timings (profiling trace) for onboarding performance investigations.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f9253fb0-1a57-4b28-915e-ca1228e14f23

📥 Commits

Reviewing files that changed from the base of the PR and between 2fa21c2 and 90c293e.

📒 Files selected for processing (3)

• docs/deployment/install-openclaw-plugins.mdx
• docs/reference/commands-nemohermes.mdx
• docs/reference/commands.mdx

✅ Files skipped from review due to trivial changes (3)

• docs/reference/commands.mdx
• docs/deployment/install-openclaw-plugins.mdx
• docs/reference/commands-nemohermes.mdx

---

📝 Walkthrough

Walkthrough

Three documentation files add guidance on Docker build performance for OpenClaw plugin onboarding and NemoClaw/NemoHermes commands: shrink build context, understand cold vs warm Docker cache, prefer cache-friendly Dockerfile ordering, pin base images, and use NEMOCLAW_TRACE=1 for phase timing diagnostics.

Changes

Docker Build Performance Documentation

Layer / File(s)	Summary
Build Performance section for OpenClaw plugin onboarding docs/deployment/install-openclaw-plugins.mdx	Introduces "Build Performance" subsection covering build-context size reduction, cold vs warm Docker builds, cache-friendly Dockerfile instruction ordering, base-image pinning, and NEMOCLAW_TRACE=1 phase timing diagnostics.
NemoClaw command documentation with caching guidance docs/reference/commands.mdx	Adds advice to shrink Docker build context for --from Dockerfiles (use smaller directory or .dockerignore) and expands Docker cache behavior guidance (cold/warm expectations, instruction ordering, base-image pinning, and NEMOCLAW_TRACE=1 diagnostics).
NemoHermes command documentation with caching guidance docs/reference/commands-nemohermes.mdx	Adds build-context reduction tip for --from builds and expands Docker cache guidance (cold/warm builds, instruction ordering, base-image pinning) plus NEMOCLAW_TRACE=1 pointer to "Onboard Profiling Traces" and a note that timings are approximate.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

• docs(onboard): document Docker build performance best practices #4683: Adds the requested Docker build performance guidance for nemoclaw onboard --from <Dockerfile>, matching the issue's documentation objective.

Suggested labels

NV QA

Poem

🐰 I nibble context, tidy and neat,
Layers cached make onboarding fleet.
Pin the base, order each line,
Trace the phases, time will shine.
Hop—builds are faster, neat and sweet!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: documenting Docker custom build performance guidance focusing on cold/warm cache behavior and Dockerfile layer ordering, which is the primary objective of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/4683-build-performance-cold-warm

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-5371.docs.buildwithfern.com/nemoclaw

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No E2E is recommended because this PR only updates documentation prose and examples. The touched files cannot affect runtime behavior or user flows in CI.

Optional E2E

• None.

New E2E recommendations

• None.

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: None
Optional Vitest E2E scenarios: None

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• None. Docs-only changes outside test/e2e-scenario/ and the Vitest scenario workflow do not affect Vitest E2E scenario behavior.

Optional Vitest E2E scenarios

• None.

Relevant changed files

• None.

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 1 still applies, 0 new items found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Align the plugin Dockerfile example with base-image pinning guidance (docs/deployment/install-openclaw-plugins.mdx:43): The PR adds guidance telling users to pin custom sandbox base images to an explicit tag or digest for cache stability and supply-chain predictability, but the primary copy-paste Dockerfile example in the same guide still defaults to `ghcr.io/nvidia/nemoclaw/sandbox-base:latest`. Users may copy the example before reaching the later pinning note, which normalizes a mutable base image for custom sandbox builds.
  • Recommendation: Update the example to use an explicit release tag or digest placeholder, or add an inline comment next to `ARG SANDBOX_BASE` making clear that `:latest` is illustrative and should be replaced with a pinned NemoClaw sandbox-base release or digest for real plugin images.
  • Evidence: The new Build Performance section says, "Pin the base image to an explicit tag or digest," while the earlier example still shows `ARG SANDBOX_BASE=ghcr.io/nvidia/nemoclaw/sandbox-base:latest`. This is the same prior advisor finding and it still applies.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Acceptance clause:** No trusted linked issue clauses or issue comments were supplied in deterministic context. — add test evidence or identify existing coverage. `linkedIssues` was empty, so issue docs(onboard): document Docker build performance best practices #4683 acceptance details could not be mapped literally. The diff does add docs for cold versus warm builds, Dockerfile layer ordering, base image pinning, small versus broad build directories, trace guidance, and >100 MB context remediation, but the PR body is treated as untrusted evidence.

Since last review details

Current findings:

• Align the plugin Dockerfile example with base-image pinning guidance (docs/deployment/install-openclaw-plugins.mdx:43): The PR adds guidance telling users to pin custom sandbox base images to an explicit tag or digest for cache stability and supply-chain predictability, but the primary copy-paste Dockerfile example in the same guide still defaults to `ghcr.io/nvidia/nemoclaw/sandbox-base:latest`. Users may copy the example before reaching the later pinning note, which normalizes a mutable base image for custom sandbox builds.
  • Recommendation: Update the example to use an explicit release tag or digest placeholder, or add an inline comment next to `ARG SANDBOX_BASE` making clear that `:latest` is illustrative and should be replaced with a pinned NemoClaw sandbox-base release or digest for real plugin images.
  • Evidence: The new Build Performance section says, "Pin the base image to an explicit tag or digest," while the earlier example still shows `ARG SANDBOX_BASE=ghcr.io/nvidia/nemoclaw/sandbox-base:latest`. This is the same prior advisor finding and it still applies.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

docs/reference/commands.mdx (1)

344-344: 📐 Maintainability & Code Quality | ⚡ Quick win

Wrap file names in inline code formatting.

At Line 344 and Line 368, Dockerfile should be formatted as inline code to match docs formatting rules for file names.

Suggested edit

-Move the Dockerfile into a smaller dedicated directory or add `.dockerignore` entries for generated artifacts to shrink the context.
+Move the `Dockerfile` into a smaller dedicated directory or add `.dockerignore` entries for generated artifacts to shrink the context.

-- Order Dockerfile instructions from least-changing to most-changing: base image, system packages, dependency manifests, dependency install, then application source.
+- Order `Dockerfile` instructions from least-changing to most-changing: base image, system packages, dependency manifests, dependency install, then application source.

As per coding guidelines, CLI commands, file paths, flags, parameter names, and file names must use inline code formatting.

Also applies to: 368-368

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/commands.mdx` at line 344, Replace the plain occurrences of
Dockerfile with inline code formatting (`Dockerfile`) in the documentation;
specifically update the two instances mentioned (the plain text "Dockerfile" at
the referenced spots) so they use backticks, and scan nearby lines to ensure
other CLI commands, file paths, flags, and file names follow the same inline
`code` formatting convention.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reference/commands-nemohermes.mdx`:
- Line 286: Update the docs text in docs/reference/commands-nemohermes.mdx to
recommend pinning base images by immutable digest (sha256) rather than by tag or
release ref; reference the implementation in
src/lib/onboard/sandbox-dockerfile-patch-flow.ts which resolves and pins to a
digest and adjust the sentence “Pin the base image to an explicit tag or release
ref…” to something like “Pin the base image to an immutable digest (sha256) so
warm rebuilds resolve the same cached base.” Ensure the doc links or mentions
sandbox-dockerfile-patch-flow.ts as the source of truth for how pinning is
performed.
- Line 260: Replace the plain text file name "Dockerfile" in the sentence that
suggests moving it or adding .dockerignore entries with inline code formatting
(i.e., surround Dockerfile with backticks) so the file name follows the docs
style; update the mention of ".dockerignore" if needed to match surrounding
formatting in the same sentence within the commands-nemohermes.mdx content.

---

Nitpick comments:
In `@docs/reference/commands.mdx`:
- Line 344: Replace the plain occurrences of Dockerfile with inline code
formatting (`Dockerfile`) in the documentation; specifically update the two
instances mentioned (the plain text "Dockerfile" at the referenced spots) so
they use backticks, and scan nearby lines to ensure other CLI commands, file
paths, flags, and file names follow the same inline `code` formatting
convention.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c5ab7779-81b3-49a7-b668-baf2c0fd6d26

📥 Commits

Reviewing files that changed from the base of the PR and between ebd6127 and 2fa21c2.

📒 Files selected for processing (3)

• docs/deployment/install-openclaw-plugins.mdx
• docs/reference/commands-nemohermes.mdx
• docs/reference/commands.mdx

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Format Dockerfile as inline code.

This sentence follows the docs style for .dockerignore, but the file name itself is plain text. As per coding guidelines, file names must use inline code formatting.

♻️ Suggested edit

-Move the Dockerfile into a smaller dedicated directory or add `.dockerignore` entries for generated artifacts to shrink the context.
+Move the `Dockerfile` into a smaller dedicated directory or add `.dockerignore` entries for generated artifacts to shrink the context.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Move the Dockerfile into a smaller dedicated directory or add `.dockerignore` entries for generated artifacts to shrink the context.
	Move the `Dockerfile` into a smaller dedicated directory or add `.dockerignore` entries for generated artifacts to shrink the context.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/commands-nemohermes.mdx` at line 260, Replace the plain text
file name "Dockerfile" in the sentence that suggests moving it or adding
.dockerignore entries with inline code formatting (i.e., surround Dockerfile
with backticks) so the file name follows the docs style; update the mention of
".dockerignore" if needed to match surrounding formatting in the same sentence
within the commands-nemohermes.mdx content.

Source: Coding guidelines

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Use an immutable digest for base-image pinning.

An explicit tag or release ref can move, so it does not guarantee the stable cache key this guidance is trying to describe. Based on src/lib/onboard/sandbox-dockerfile-patch-flow.ts, the implementation resolves and pins the base image to a digest before patching.

♻️ Suggested edit

-- Pin the base image to an explicit tag or release ref so warm rebuilds resolve the same cached base instead of pulling a new one.
+- Pin the base image to an immutable digest so warm rebuilds resolve the same cached base instead of pulling a new one.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- Pin the base image to an explicit tag or release ref so warm rebuilds resolve the same cached base instead of pulling a new one.
	- Pin the base image to an immutable digest so warm rebuilds resolve the same cached base instead of pulling a new one.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/commands-nemohermes.mdx` at line 286, Update the docs text in
docs/reference/commands-nemohermes.mdx to recommend pinning base images by
immutable digest (sha256) rather than by tag or release ref; reference the
implementation in src/lib/onboard/sandbox-dockerfile-patch-flow.ts which
resolves and pins to a digest and adjust the sentence “Pin the base image to an
explicit tag or release ref…” to something like “Pin the base image to an
immutable digest (sha256) so warm rebuilds resolve the same cached base.” Ensure
the doc links or mentions sandbox-dockerfile-patch-flow.ts as the source of
truth for how pinning is performed.