Description
During nemoclaw onboard, policy presets are applied incrementally, advancing the gateway policy version from 2 to 6 (one per preset: pypi, npm, telegram, brave). However, after onboarding completes, nemoclaw <sandbox> status reports version: 1 in the policy section.
This makes it unclear whether the user-selected presets were actually applied. The effective network policies do appear in the status output (e.g. npm_registry, telegram), but the version number does not reflect the latest submission.
It appears that status displays the policy schema version (always 1) rather than the gateway-level active policy version (which was 6 after onboard). This is confusing because onboard explicitly prints messages like Policy version 6 loaded (active version: 6).
Additionally, the status output includes network policies that were not selected by the user during onboard (e.g. github, discord), which are injected from the base blueprint policy. This is tracked separately but contributes to the confusion around what the policy display actually represents.
Reproduction Steps
- Run nemoclaw onboard on a Brev instance
- Select an inference provider (e.g. Google Gemini)
- Enable at least one messaging channel (e.g. Telegram)
- At the policy presets step, select a few presets (e.g. pypi, npm, telegram, brave)
- Observe onboard output shows incremental policy versions:
  ✓ Policy version 3 submitted (hash: 49f6d7392055)
  ✓ Policy version 3 loaded (active version: 3)
  Applied preset: pypi
  ...
  ✓ Policy version 6 submitted (hash: 738a54c8520a)
  ✓ Policy version 6 loaded (active version: 6)
  Applied preset: brave
- Run nemoclaw <sandbox> status
- Observe the policy section shows version: 1 instead of version: 6
Actual Result
nemoclaw <sandbox> status displays version: 1 in the policy section, regardless of how many policy presets were applied during onboard. The version number never reflects the gateway-level active version (e.g. version 6 after applying 4 presets).
Additionally, network policies for github and discord appear in the status output even though they were not selected by the user during onboard.
Expected Result
nemoclaw <sandbox> status should display the current active policy version (e.g. version: 6) that matches the last Policy version N loaded (active version: N) message from onboard.
The policy section should clearly distinguish between base/implicit policies (e.g. claude_code, nvidia, github) and user-selected presets, or at minimum not show unselected presets without explanation.
Logs
Onboard policy output:
Widening sandbox egress — adding: pypi.org, files.pythonhosted.org
✓ Policy version 3 submitted (hash: 49f6d7392055)
✓ Policy version 3 loaded (active version: 3)
Applied preset: pypi
Widening sandbox egress — adding: registry.npmjs.org, registry.yarnpkg.com
✓ Policy version 4 submitted (hash: 31b0a33f64df)
✓ Policy version 4 loaded (active version: 4)
Applied preset: npm
Widening sandbox egress — adding: api.telegram.org
✓ Policy version 5 submitted (hash: 8606726d543e)
✓ Policy version 5 loaded (active version: 5)
Applied preset: telegram
Widening sandbox egress — adding: api.search.brave.com
✓ Policy version 6 submitted (hash: 738a54c8520a)
✓ Policy version 6 loaded (active version: 6)
Applied preset: brave
Status output (truncated to policy section):
Policy:
  version: 1
  filesystem_policy:
    include_workdir: false
    ...
  network_policies:
    claude_code:
      ...
    github:
      name: github
      endpoints:
        - host: github.com
          port: 443
          access: full
        - host: api.github.com
          port: 443
          access: full
      binaries:
        - path: /usr/bin/gh
        - path: /usr/bin/git
    discord:
      name: discord
      endpoints:
        - host: discord.com
          ...
    npm_registry:
      ...
    telegram:
      ...
Environment:
- Platform: Linux (Brev cloud instance)
- NemoClaw: v0.0.10-9-gc4767b63
- OpenShell CLI: 0.0.25
- Node.js: 22.x
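
A check for the mismatch described in this report, as an added example (not NemoClaw code): it takes the last active version and the applied presets from onboard output and compares them with the version and the network_policies names in status output. Both samples are constructed from the output quoted above; the status indentation and the preset-to-policy name match (npm to npm_registry) are assumptions.

```javascript
// Added example, not NemoClaw code. Samples are constructed from this report's output.
const ONBOARD_LOG = `✓ Policy version 3 loaded (active version: 3)
Applied preset: pypi
✓ Policy version 4 loaded (active version: 4)
Applied preset: npm
✓ Policy version 5 loaded (active version: 5)
Applied preset: telegram
✓ Policy version 6 loaded (active version: 6)
Applied preset: brave`;
const STATUS_OUTPUT = `Policy:
  version: 1
  network_policies:
    claude_code:
    github:
      name: github
    discord:
    npm_registry:
    telegram:`; // indentation is assumed (two spaces per level)

function parseOnboard(log) {
  const active = [...log.matchAll(/loaded \(active version: (\d+)\)/g)].map((m) => Number(m[1]));
  const presets = [...log.matchAll(/Applied preset: (\S+)/g)].map((m) => m[1]);
  return { activeVersion: active.length ? active[active.length - 1] : null, presets };
}

function parseStatus(text) {
  const out = { version: null, policies: [] };
  let npIndent = -1; // indentation of "network_policies:", -1 when outside it
  for (const line of text.split("\n")) {
    const m = line.match(/^(\s*)([\w-]+):\s*(.*)$/);
    if (!m) continue;
    const indent = m[1].length;
    if (npIndent >= 0 && indent <= npIndent) npIndent = -1; // left the block
    if (m[2] === "version" && out.version === null) out.version = Number(m[3]);
    else if (m[2] === "network_policies") npIndent = indent;
    else if (npIndent >= 0 && indent === npIndent + 2) out.policies.push(m[2]);
  }
  return out;
}

function checkStatus(log, status) {
  const o = parseOnboard(log), s = parseStatus(status);
  // Assumption: preset "npm" appears as a policy named "npm" or "npm_*".
  const selected = (n) => o.presets.some((p) => n === p || n.startsWith(p + "_"));
  return { activeVersion: o.activeVersion, statusVersion: s.version,
    versionMismatch: o.activeVersion !== s.version,
    notSelected: s.policies.filter((n) => !selected(n)) };
}
console.log(checkStatus(ONBOARD_LOG, STATUS_OUTPUT));
```

On these samples the check reports a version mismatch (6 against 1) and lists claude_code, github and discord as policies that no selected preset accounts for.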