fix(policy): convert npm_registry endpoint from access: full to protocol: rest (GET-only)

[coderabbitai]

Summary

The npm_registry endpoint in nemoclaw-blueprint/policies/openclaw-sandbox.yaml currently uses access: full, which causes the proxy to treat connections as L4-only. This prevents per-request rule evaluation, per-request logging, and SecretResolver credential injection.

Proposed Change

Convert the npm_registry endpoint to use:

• protocol: rest
• enforcement: enforce
• tls: terminate
• Method restricted to GET /** only (npm registry reads are GET-only; no writes are expected from NemoClaw agents)

This aligns npm_registry with the pattern established for other external REST endpoints in the policy file (e.g., github.com, api.github.com after PR #1225).

Motivation

• Issue GitHub network policy should use protocol: rest to enable scoped method/path controls #1111 explicitly called out converting npm_registry as a related change alongside the GitHub endpoints.
• This was discussed and agreed upon during review of PR fix(policy): add protocol/enforcement/tls to GitHub endpoints #1225 but deferred to keep that PR scoped.

References

• Raised during review of: fix(policy): add protocol/enforcement/tls to GitHub endpoints #1225
• Related issue: GitHub network policy should use protocol: rest to enable scoped method/path controls #1111
• Requested by: @latenighthackathon