Update via your NVIDIA NGC account or via nemoclaw update in the NemoClaw CLI. Existing 2.0.x configurations are fully compatible with 2.1 with one exception noted below.
What's New in NemoClaw 2.1
Policy-as-Code Engine
Declare skill permissions and data handling rules in version-controlled YAML files.
Air-Gap Mode
Deploy NemoClaw in fully disconnected environments with no outbound network calls.
Nemotron-4 Routing
Native support for NVIDIA Nemotron-4 models with automatic local inference routing.
Feature Deep-Dive: Policy-as-Code Engine
The biggest quality-of-life improvement in NemoClaw 2.1 is the new Policy-as-Code (PaC) engine. Previously, NemoClaw policies were configured through a GUI or JSON config files that were difficult to version-control and share across teams.
NemoClaw 2.1 introduces a declarative YAML policy format (.nemoclaw/policy.yaml) that lets security and engineering teams define skill permissions, data handling rules, and network access controls as code, meaning they can be reviewed in pull requests, audited, and deployed with your existing CI/CD pipeline.
# .nemoclaw/policy.yaml (NemoClaw 2.1 format)
version: "2.1"
name: "Production Policy - Finance Division"
skills:
  allowed:
    - system.read_file:
        paths: ["/data/reports/**", "/tmp/**"]
    - browser.navigate:
        domains: ["*.internal.company.com", "*.bloomberg.com"]
    - data.query_db:
        connections: ["finance_reporting_ro"]
  denied:
    - system.exec            # No shell execution in production
    - system.write_file      # No file writes outside audit workflow
    - network.external_http  # No arbitrary HTTP calls
data:
  pii_detection: enabled
  pii_action: redact  # or: block, alert
  audit_log: enabled
  log_destination: "splunk://logs.internal.company.com"
inference:
  providers:
    - type: nemotron-4
      model: "nemotron-4-340b-instruct"
      endpoint: "https://ai.internal.company.com"
      priority: 1
    - type: anthropic
      model: "claude-opus-4-6"
      priority: 2  # Fallback only
  local_only: false  # Set true for air-gap mode
The PaC engine also introduces policy inheritance, allowing organizations to define a base corporate policy and extend it per-team or per-deployment without duplicating rules.
Why This Matters for Enterprise Teams
Before NemoClaw 2.1, managing policies across dozens of NemoClaw deployments meant either maintaining separate GUI configs or writing custom scripts. Now, policies are first-class artifacts that can be stored in Git, reviewed by security teams, and deployed automatically. This dramatically simplifies compliance workflows for ISO 27001, FedRAMP, and SOC 2 Type II audits.
Feature Deep-Dive: Air-Gap Mode
NemoClaw 2.1 introduces Air-Gap Mode, a deployment configuration that eliminates all outbound network calls from NemoClaw itself. This has been one of the most-requested features from government and defense customers who need to deploy OpenClaw in environments with strict network egress controls.
In Air-Gap Mode:
- All model inference is routed to a locally deployed NVIDIA Nemotron-4 instance (or another self-hosted model endpoint)
- NemoClaw's telemetry and update checks are fully disabled
- The NemoClaw license is verified via an offline license file instead of a network call
- All Skills and their dependencies are bundled at deployment time via the new nemoclaw bundle command
- Log forwarding is limited to on-premises SIEM systems (Splunk, Elastic, etc.)
# Enable air-gap mode in policy.yaml
network:
  air_gap: true
  allowed_egress: []  # No outbound connections permitted
inference:
  local_only: true
  providers:
    - type: nemotron-4
      endpoint: "http://nemotron.internal:8000"  # Local inference server
license:
  type: offline
  file: "/etc/nemoclaw/license.lic"
# Bundle skills for offline use (run before deployment)
# $ nemoclaw bundle --output nemoclaw-bundle.tar.gz
Air-Gap Mode is included in NemoClaw Enterprise licenses at no additional cost.
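Because the policy lives in Git, the air-gap properties listed above can be checked in CI before a policy merges. The following is an added example, not NemoClaw code: it takes the policy as an already-parsed mapping (for instance from yaml.safe_load), uses only the keys shown on this page, and assumes a site-specific list of internal host suffixes.

```python
from urllib.parse import urlparse

# Assumption: hostnames under these suffixes are on-premises; set per site.
INTERNAL_SUFFIXES = (".internal", ".internal.company.com")

def is_internal(url):
    """True when the URL's host falls under an internal suffix."""
    host = urlparse(url or "").hostname or ""
    return host.endswith(INTERNAL_SUFFIXES)

def air_gap_findings(policy):
    """List the ways a parsed policy.yaml contradicts air-gap mode."""
    findings = []
    net = policy.get("network") or {}
    inf = policy.get("inference") or {}
    if net.get("air_gap") is not True:
        findings.append("network.air_gap is not true")
    if net.get("allowed_egress"):
        findings.append("network.allowed_egress is not empty")
    if inf.get("local_only") is not True:
        findings.append("inference.local_only is not true")
    providers = inf.get("providers") or []
    if not providers:
        findings.append("inference.providers is empty")
    for i, p in enumerate(providers):
        # A provider with no endpoint, or an external one, implies a hosted API.
        if not is_internal(p.get("endpoint")):
            findings.append(f"inference.providers[{i}] ({p.get('type')}) has no internal endpoint")
    if (policy.get("license") or {}).get("type") != "offline":
        findings.append("license.type is not offline")
    dest = (policy.get("data") or {}).get("log_destination")
    if dest and not is_internal(dest):
        findings.append("data.log_destination is not on-premises")
    return findings

# Constructed sample: the air-gap policy above, as a YAML loader would return it.
AIR_GAP = {
    "network": {"air_gap": True, "allowed_egress": []},
    "inference": {"local_only": True, "providers": [
        {"type": "nemotron-4", "endpoint": "http://nemotron.internal:8000"}]},
    "license": {"type": "offline", "file": "/etc/nemoclaw/license.lic"},
}
# Constructed sample: air_gap enabled, inference left as in the production policy.
HALF_MIGRATED = dict(AIR_GAP, inference={"local_only": False, "providers": [
    {"type": "nemotron-4", "endpoint": "https://ai.internal.company.com"},
    {"type": "anthropic", "model": "claude-opus-4-6"}]})

if __name__ == "__main__":
    for name, pol in (("air-gap", AIR_GAP), ("half-migrated", HALF_MIGRATED)):
        print(name, air_gap_findings(pol) or "OK")
```

A non-empty findings list is the signal to fail the pipeline step; the half-migrated sample shows the common case where network.air_gap is flipped but a hosted fallback provider is left in place.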
Feature Deep-Dive: Nemotron-4 Native Routing
NemoClaw 2.1 adds first-class support for NVIDIA's Nemotron-4 family of models, including Nemotron-4-340B-Instruct (the flagship reasoning model) and Nemotron-4-15B (optimized for edge deployments).
"Native routing" means NemoClaw can now intelligently route inference requests to the most appropriate model based on task complexity, latency requirements, and cost targets, without requiring custom code.
inference:
  routing:
    strategy: "cost_performance"  # or: latency, quality, local_first
  providers:
    - type: nemotron-4
      model: "nemotron-4-15b"
      priority: 1
      max_cost_per_1k_tokens: 0.05
      use_for: ["simple_tasks", "data_extraction"]
    - type: nemotron-4
      model: "nemotron-4-340b-instruct"
      priority: 2
      use_for: ["complex_reasoning", "code_generation"]
    - type: anthropic
      model: "claude-opus-4-6"
      priority: 3
      use_for: ["fallback"]
In our testing, intelligent routing reduced average inference costs by 37% while maintaining performance on complex tasks, compared to always routing to Nemotron-4-340B.
Full Changelog
Policy-as-Code engine with YAML policy files, inheritance, and Git-native workflow support
#1847 Air-Gap Mode: fully disconnected deployments with offline licensing and local-only inference
#1923 Native Nemotron-4 routing with cost/performance/latency optimization strategies
#1901 nemoclaw bundle command for packaging Skills and dependencies for offline deployment
PII detection engine updated with healthcare-specific patterns (ICD-10, NPI numbers, DEA numbers)
#1872 Splunk and Elastic log forwarding now support TLS mutual authentication (mTLS)
#1889 Skills marketplace vetting: added SBOM generation and dependency vulnerability scanning
#1834 Race condition in audit log flushing that could drop log entries under high load
#1910 Memory leak in the WebSocket proxy when sessions were closed abruptly
#1881 Legacy JSON config format (nemoclaw.json) is deprecated. Migrate to policy.yaml using nemoclaw migrate-config. JSON configs will still work in 2.1 but will be removed in 3.0.
Upgrading from NemoClaw 2.0.x
Existing nemoclaw.json configurations continue to work in 2.1. Run nemoclaw migrate-config to automatically convert to the new YAML format. The command is non-destructive: it creates a new policy.yaml without removing the old JSON file.
# Update NemoClaw
nemoclaw update --channel stable
# Verify version
nemoclaw --version # Should show 2.1.0
# Migrate existing config (optional but recommended)
nemoclaw migrate-config \
  --input .nemoclaw/nemoclaw.json \
  --output .nemoclaw/policy.yaml \
  --dry-run  # Preview changes before applying
What's Next: NemoClaw 2.2 Preview
The NemoClaw roadmap for 2.2 (expected Q2 2026) includes:
- Multi-tenant mode: Run NemoClaw as a shared service with per-tenant policy isolation
- Workflow approvals: Require human approval for high-risk skill invocations before execution
- OpenClaw Skills certification program: NVIDIA-vetted "Certified Skills" badge for marketplace integrations
Need Help with the NemoClaw 2.1 Migration?
Migrating to Policy-as-Code or enabling Air-Gap Mode in a complex enterprise environment requires careful planning. ClawConsult offers NemoClaw migration engagements that cover config migration, policy authoring, CI/CD integration, and staff training. See our NemoClaw Migration package or get in touch to discuss your deployment.