Description
[Description]
The “Approve or Deny Agent Network Requests” page correctly explains that OpenShell intercepts network requests and surfaces them in the TUI for operator approval, but it under-specifies how long approvals last and what is required to run the `walkthrough.sh` script successfully. The page can mislead users into thinking that approved endpoints are persisted to the baseline policy and that `./scripts/walkthrough.sh` can be run from anywhere without an existing sandbox or repository context, which contradicts the broader network-policy docs and typical project layout.
[Environment]
Docs: “Approve or Deny Agent Network Requests” in the NemoClaw documentation site
Related docs: “Customize the Sandbox Network Policy” and other policy pages
Runtime: Any NemoClaw + OpenShell environment where network policies and the walkthrough script are available
[Steps to Reproduce]
- Read the “Approve or Deny Agent Network Requests” page and follow the instructions as written:
  - Start a NemoClaw sandbox.
  - Run `openshell term` to open the TUI.
  - Trigger a blocked network request from an agent so the TUI displays an approval prompt.
  - Approve a new endpoint via the TUI and observe that it is added to the running policy for that session.
  - Stop the sandbox and restart it (or create a new sandbox), then check whether the previously approved endpoint is still allowed without editing the YAML policy or presets.
- Separately, from an arbitrary directory, run `./scripts/walkthrough.sh` after setting `NVIDIA_API_KEY`, without ensuring you are in the NemoClaw repo root or that any sandbox has been onboarded.
[Expected Result]
- The page should clearly state that:
  - Approving an endpoint in the TUI updates only the running policy for the current sandbox session, and does not persist to the baseline policy file or presets unless the user explicitly edits them.
  - To persist an approved endpoint across sandbox restarts, the user must update the policy YAML or apply a preset, as described in the network-policy customization docs.
- For the walkthrough:
  - The doc should specify that `./scripts/walkthrough.sh` must be run from the NemoClaw repository root (where `scripts/` exists).
  - It should state that at least one sandbox must already be onboarded and reachable for the walkthrough to function as described, and that `NVIDIA_API_KEY` is required but not sufficient on its own.
[Actual Result]
- The page states: “Approved endpoints remain in the running policy until the sandbox stops. They are not persisted to the baseline policy file.” but does not explicitly tie this to the broader guidance on editing the YAML/presets to persist changes.
- A reader new to the system may still infer that approvals are “the way” to update policy and might expect them to survive sandbox restarts, especially since persistence behavior is explained on a separate page.
- The walkthrough section says:
  - “To observe the approval flow in a guided session, run the walkthrough script: `./scripts/walkthrough.sh`.”
  - “This script opens a split tmux session with the TUI on the left and the agent on the right. The walkthrough requires tmux and the NVIDIA_API_KEY environment variable.”
- It does not mention that the command must be run from the repo root, nor that an onboarded sandbox is required. This can lead to “file not found” (wrong directory) or “no sandbox/agent” issues when users follow the instructions literally.
[Impact / Notes]
- The missing persistence clarification can cause operators and QA to believe that approving endpoints in the TUI modifies the “real” policy, when in fact those changes disappear when the sandbox stops. This is especially confusing given that other docs emphasize YAML/preset-based persistence.
- The under-specified walkthrough prerequisites can lead to avoidable errors (missing script, no active sandbox) and extra support load, even though the underlying functionality works correctly when invoked from the right context.
- Suggested doc changes:
  - Add one explicit sentence: “Approvals in the TUI are session-only; to persist an endpoint across sandbox restarts, update your policy YAML or apply a preset as described in Customize Network Policy.”
  - Clarify walkthrough usage: “Run this from the NemoClaw repository root after you have onboarded at least one sandbox, and ensure `NVIDIA_API_KEY` is set. The script expects tmux and an existing sandbox to attach to.”
Bug Details
| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NemoClaw_Docs, NEMOCLAW_GH_SYNC_APPROVAL |
[NVB#6188822]
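
A preflight check for the walkthrough prerequisites listed in this report, as an added example that is not part of the original issue or of the NemoClaw or OpenShell code. The function name `walkthrough_preflight` is hypothetical; the sandbox check is left manual because the report gives no command for it.

```shell
#!/usr/bin/env bash
# Added example: walkthrough_preflight is a hypothetical helper, not a NemoClaw command.
# Prints one line per missing prerequisite; returns non-zero if any is missing.
walkthrough_preflight() {
    wp_root="${1:-.}"
    wp_missing=0

    # "File not found" case: ./scripts/walkthrough.sh is a relative path that
    # only resolves when the working directory is the repository root.
    if [ ! -f "$wp_root/scripts/walkthrough.sh" ]; then
        echo "missing: scripts/walkthrough.sh (not the repository root: $wp_root)"
        wp_missing=1
    fi

    # The walkthrough opens a split tmux session.
    if ! command -v tmux >/dev/null 2>&1; then
        echo "missing: tmux not found in PATH"
        wp_missing=1
    fi

    # Required, but not sufficient on its own.
    if [ -z "${NVIDIA_API_KEY:-}" ]; then
        echo "missing: NVIDIA_API_KEY is unset or empty"
        wp_missing=1
    fi

    # An onboarded, reachable sandbox is also required. That check is not
    # automated here, so the success message reminds the operator to confirm it.
    if [ "$wp_missing" -eq 0 ]; then
        echo "ok: confirm an onboarded sandbox is running before starting the walkthrough"
    fi
    return "$wp_missing"
}

# Usage: walkthrough_preflight /path/to/repo && (cd /path/to/repo && ./scripts/walkthrough.sh)
```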