[NemoClaw][Linux] Brew policy preset applies network rules but does not provision brew binary, so brew install step in test cannot succeed

[zNeill]

Description

[Description]
When the brew policy preset is applied to a NemoClaw sandbox, the documented test case expects both: (a) network egress to Homebrew endpoints (formulae.brew.sh, raw.githubusercontent.com, ghcr.io, GitHub) and (b) a working brew CLI inside the sandbox so brew install hello can complete. In practice, after applying the brew preset, all the curl and git network probes succeed from inside the sandbox, but brew install --quiet hello fails with bash: brew: command not found. This shows that the preset correctly configures network access but does not ensure that the Homebrew/brew binary is installed in the sandbox, so the final “brew install hello” validation step in the test case cannot be executed as written.

[Environment]
NemoClaw: v0.0.44
OpenShell CLI: 0.0.39
OpenClaw: 2026.4.24 (cbcfdf6)
Sandbox OS: Linux (default NemoClaw base image, x86_64)
Container runtime: Docker on DGX Spark host
Network: outbound HTTPS generally allowed; no proxy errors for Homebrew endpoints

[Steps to Reproduce]

Pre-condition:

1. NemoClaw sandbox new-sb is running.
2. No additional network-policy presets have been applied yet.

Steps:

1. On the host, apply the brew preset:nemoclaw new-sb policy-add

   When prompted, select the "brew" preset and confirm.

2. 
   Verify it is active:nemoclaw new-sb policy-list

   Confirm that brew shows as ● (applied) in the preset list.

3. 
   Connect into the sandbox:nemoclaw new-sb connect

   You land at sandbox@...:~$.

4. 
   Inside the sandbox, probe the Homebrew registry:curl -sI --max-time 8 https://formulae.brew.sh
5. 
   Still inside the sandbox, fetch the Homebrew install script:curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh -o /dev/null
6. 
   Check git access to the Homebrew repo:git ls-remote https://github.com/Homebrew/brew.git HEAD
7. 
   Probe ghcr.io:curl -sI --max-time 8 https://ghcr.io
8. 
   Try to install a package via brew:brew install --quiet hello
9. 
   Exit the sandbox:exit

[Expected]

1. nemoclaw new-sb policy-add with the brew preset applies the Homebrew-related network policy; policy version increments.
2. nemoclaw new-sb policy-list shows brew as ● (applied) for sandbox new-sb.
3. nemoclaw new-sb connect enters the sandbox successfully.
4. Inside the sandbox, curl -sI --max-time 8 https://formulae.brew.sh returns HTTP 200 or 301, confirming the Homebrew registry is reachable via /usr/bin/curl (which the test spec assumes is in the brew preset’s binary allowlist).
5. curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh -o /dev/null succeeds, confirming access to the install script.
6. git ls-remote https://github.com/Homebrew/brew.git HEAD succeeds (no TLS errors), confirming git access to the Homebrew repo.
7. curl -sI --max-time 8 https://ghcr.io returns HTTP 200 or 301, confirming ghcr.io is reachable for bottle downloads.
8. brew install --quiet hello succeeds end‑to‑end: the brew binary exists in the sandbox PATH, downloads from ghcr.io / pkg-containers.githubusercontent.com / objects.githubusercontent.com succeed without “server certificate verification failed” errors, and the hello package is installed.
9. Sandbox exits cleanly.

[Actual]

1. nemoclaw new-sb policy-list shows the brew preset as applied (● brew — Homebrew (Linuxbrew) package manager access), alongside other presets (brave, discord, huggingface, local-inference, npm, pypi, etc.).
2. nemoclaw new-sb connect enters the sandbox successfully and reports an inference route using vllm-local/meta/llama-3.1-8b-instruct.
3. Inside the sandbox:
   • curl -sI --max-time 8 https://formulae.brew.sh returns HTTP/2 200 with GitHub/varnish headers, confirming the registry is reachable.
   • curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh -o /dev/null completes successfully (no output, zero exit code).
   • git ls-remote https://github.com/Homebrew/brew.git HEAD returns a valid commit hash (e.g., a7f3847d5f52c123207873b6ca5093e79701d468 HEAD), confirming git access.
   • curl -sI --max-time 8 https://ghcr.io succeeds with HTTP/1.1 200 Connection Established followed by HTTP/2 405, showing TLS and connectivity to ghcr.io are working.
4. However, attempting to install a package via brew fails immediately:sandbox@2549dec54185:~$ brew install --quiet hello bash: brew: command not found

   indicating that the brew binary is not installed in the sandbox at all, even though the brew policy preset is applied and all the network probes succeed.

5. 
   The final step of the test case (“brew install hello SUCCEEDS end‑to‑end”) cannot be executed as written because there is no brew CLI in the sandbox PATH.

[Impact / Notes]

• The brew preset correctly configures network access to the Homebrew registry, GitHub, and ghcr.io, but does not ensure that the Homebrew/brew CLI is present inside the sandbox.
• The documented test case for the brew preset implicitly assumes a working brew binary, so the QA scenario “apply brew preset → brew install hello” cannot be validated in a fresh NemoClaw sandbox without manually installing Homebrew first.
• This may be resolved either by:
  • Updating the test plan/docs to state that the user must install Homebrew inside the sandbox before running brew install checks, or
  • Enhancing the brew preset / onboarding flow to optionally install Homebrew (or to check for the presence of brew and warn clearly if it is missing).

Bug Details

Field	Value
Priority	Unprioritized
Action	Dev - Open - To fix
Disposition	Open issue
Module	Machine Learning - NemoClaw
Keyword	NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw-SWQA-RelBlckr-Recommended, NemoClaw-SWQA-Sprint4-Blocker

---

[NVB#6188343]