Summary
components.policy.additions (declared in schemas/blueprint.schema.json) is parsed by nemoclaw/src/blueprint/runner.ts into policy_additions, but no other code in v0.0.29 consumes it — the value is dropped with no error or warning.
Repro
# nemoclaw-blueprint/blueprint.yaml — what ships by default
components:
  policy:
    base: "sandboxes/openclaw/policy.yaml"
    additions:
      nim_service:
        name: nim_service
        endpoints:
          - host: "nim-service.local"
            port: 8000
            access: full
After nemoclaw <name> rebuild, openshell policy get <name> --full shows the active network_policies block does not contain a nim_service entry. Same outcome for any user-added additions.* entry.
Code path
nemoclaw/src/blueprint/runner.ts (line ~360):
return {
  ...
  policy_additions: blueprint.components?.policy?.additions ?? {},
};
grep -rEn 'policy_additions' src nemoclaw returns only this assignment, the type declaration, and the compiled dist/ mirror — no consumers anywhere in the repo.
Why it matters
The schema + field name strongly suggest this is the intended way for a blueprint author to extend egress policy at the blueprint layer (vs. the runtime-preset layer). New users following the schema get no runtime effect and no diagnostic. I hit this while building a custom blueprint and only noticed because the change failed silently.
Suggested fix
One of:
- Implement — wire policy_additions into the active policy at sandbox-build time so the schema's promise holds. (Probably feeding into the same path that policies/openclaw-sandbox.yaml's network_policies flows through.)
- Document and warn — until implemented, surface a build-time warning ([WARN] components.policy.additions is parsed but not yet applied; use policies/openclaw-sandbox.yaml or a preset under policies/presets/) and add a deprecation note to the schema.
- Remove — drop the field from the schema and the runner if it's not on the roadmap.
Happy to send a PR for whichever direction fits.
Environment
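A sketch of what the "Implement" option could look like, added here as an example and not taken from NemoClaw: the types, the function name applyPolicyAdditions, the rule that an addition may not override a base entry, and the sample hosts other than nim-service.local are all assumptions. Every addition ends up either applied or named in a warning, so none is dropped without a diagnostic.

```typescript
// Added example, not NemoClaw code: types and function names are hypothetical.
type Endpoint = { host: string; port: number; access?: string };
type NetworkPolicy = { name?: string; endpoints: Endpoint[] };
type PolicyMap = Record<string, NetworkPolicy>;
type MergeResult = { network_policies: PolicyMap; applied: string[]; warnings: string[] };

const validEndpoint = (e: Endpoint): boolean =>
  typeof e.host === "string" && e.host !== "" &&
  Number.isInteger(e.port) && e.port >= 1 && e.port <= 65535;

// Merge blueprint-level additions into the base network_policies map.
// Each addition is either applied or reported; none disappears silently.
function applyPolicyAdditions(base: PolicyMap, additions: PolicyMap): MergeResult {
  const network_policies: PolicyMap = { ...base };
  const applied: string[] = [];
  const warnings: string[] = [];
  for (const [key, entry] of Object.entries(additions)) {
    const where = `components.policy.additions.${key}`;
    if (!entry || !Array.isArray(entry.endpoints) || entry.endpoints.length === 0) {
      warnings.push(`[WARN] ${where}: no endpoints, not applied`);
    } else if (Object.prototype.hasOwnProperty.call(base, key)) {
      // An addition must not silently replace (and possibly widen) a base rule.
      warnings.push(`[WARN] ${where}: conflicts with a base policy entry, not applied`);
    } else if (!entry.endpoints.every(validEndpoint)) {
      warnings.push(`[WARN] ${where}: invalid host or port, not applied`);
    } else {
      network_policies[key] = {
        name: entry.name ?? key,
        endpoints: entry.endpoints.map((e) => ({ ...e })),
      };
      applied.push(key);
    }
  }
  return { network_policies, applied, warnings };
}

// Constructed sample input: nim_service mirrors the repro; the rest is made up.
const sampleBase: PolicyMap = {
  gateway: { name: "gateway", endpoints: [{ host: "gateway.example.internal", port: 443 }] },
};
const sampleAdditions: PolicyMap = {
  nim_service: { name: "nim_service", endpoints: [{ host: "nim-service.local", port: 8000, access: "full" }] },
  gateway: { name: "gateway", endpoints: [{ host: "other.example.internal", port: 443, access: "full" }] },
};
const sampleResult = applyPolicyAdditions(sampleBase, sampleAdditions);
console.log(sampleResult.applied, sampleResult.warnings);
```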