Fix broken `pypi` and `npm` policy presets so package managers work inside the sandbox

[kjw3]

Summary

The onboarding wizard suggests pypi and npm presets, but package installation still fails with 403 errors inside the sandbox.

Problem

The current preset rules are not compatible with package-manager traffic patterns such as CONNECT tunneling. Users see green checkmarks during setup and only discover the preset is broken later.

Expected behavior

Suggested presets should enable the workflows they claim to support.

Acceptance criteria

• pip install succeeds after applying the pypi preset.
• npm install succeeds after applying the npm preset.
• Presets use the same access model already proven to work for GitHub if that is the correct fix.
• If a preset cannot support package-manager traffic safely, it should not be suggested during onboarding.

[gauri-nagavkar-memverge]

Confirming persistent 403 errors with suggested npm preset

I've tested NemoClaw onboarding with the suggested presets and consistently encounter the same issue:

Environment:
Host: Ubuntu
OpenClaw: openshell 0.0.9
Model: nvidia/nemotron-3-super-120b-a12b (NVIDIA Cloud API)

Steps:

1. Run nemoclaw onboard
2. Accept suggested presets (npm and pypi)

[7/7] Policy presets
  ──────────────────────────────────────────────────

  Available policy presets:
    ○ discord — Discord API, gateway, and CDN access
    ○ docker — Docker Hub and NVIDIA container registry access
    ○ huggingface — Hugging Face Hub, LFS, and Inference API access
    ○ jira — Jira and Atlassian Cloud access
    ○ npm — npm and Yarn registry access (suggested)
    ○ outlook — Microsoft Outlook and Graph API access
    ○ pypi — Python Package Index (PyPI) access (suggested)
    ○ slack — Slack API and webhooks access
    ○ telegram — Telegram Bot API access

  Apply suggested presets (pypi, npm)? [Y/n/list]: Y
✓ Policy version 2 submitted (hash: 6fa9c625721b)
✓ Policy version 2 loaded (active version: 2)
  Applied preset: pypi
✓ Policy version 3 submitted (hash: 0cbed5c51f86)
✓ Policy version 3 loaded (active version: 3)
  Applied preset: npm
  ✓ Policies applied

3. Connect to sandbox: nemoclaw my-assistant connect
4. Run npm ping

Result:

sandbox@my-assistant:~$ npm ping
(node:494) [UNDICI-EHPA] Warning: EnvHttpProxyAgent is experimental, expect them to change at any time.
(Use `node --trace-warnings ...` to show where the warning was created)
npm notice PING https://registry.npmjs.org/
npm error code E403
npm error 403 403 Forbidden - GET https://registry.npmjs.org/-/ping
npm error 403 In most cases, you or one of your dependencies are requesting
npm error 403 a package version that is forbidden by your security policy, or
npm error 403 on a server you do not have access to.
npm error A complete log of this run can be found in: /sandbox/.npm/_logs/2026-03-18T21_43_19_069Z-debug-0.log
sandbox@my-assistant:~$ 

Troubleshooting Attempted:

• Modified npm.yaml to use tls: passthrough instead of terminate
• Added GET, POST, PUT, DELETE methods to rules
• Changed enforcement to report mode
• Validated YAML syntax (policies load cleanly)
• Recreated sandbox multiple times

Finding: The policies are submitted and loaded successfully, but every npm request is blocked by the policy regardless of rule configuration.

[ericksoa]

Hi @gauri-nagavkar-memverge — thanks for the detailed repro.

We're trying to make sure #356 covers your setup. Could you share:

1. The exact policy YAML you applied when troubleshooting
2. Output of which node and ls -la $(which node) from inside the sandbox
3. Your openshell version (openshell --version)

In our testing, the missing binaries section was what caused the 403 regardless of endpoint config — but we want to confirm your node binary path is covered by the globs in the preset.

[gauri-nagavkar-memverge]

Hey @ericksoa thanks for the update.

Here's one of the things I tried while troubleshooting:

preset:
  name: npm
  description: "npm and Yarn registry access"

network_policies:
  npm_yarn:
    name: npm_yarn
    endpoints:
      - host: registry.npmjs.org
        port: 443
        protocol: rest
        enforcement: report
        tls: passthrough
        rules:
          - allow: { method: GET, path: "/**" }
          - allow: { method: POST, path: "/**" }
          - allow: { method: PUT, path: "/**" }
          - allow: { method: DELETE, path: "/**" }
      - host: registry.yarnpkg.com
        port: 443
        protocol: rest
        enforcement: report
        tls: passthrough
        rules:
          - allow: { method: GET, path: "/**" }
          - allow: { method: POST, path: "/**" }

Here are the other details:

sandbox@my-assistant:~$ which node
/usr/local/bin/node
sandbox@my-assistant:~$ ls -la $(which node)
-rwxr-xr-x 1 root root 124674920 Mar  4 18:03 /usr/local/bin/node

ubuntu@ip-172-31-54-81:~$ openshell --version
openshell 0.0.9