fix(policy): convert npm_registry from access: full to REST GET-only

[latenighthackathon]

Summary

• Replace L4 pass-through (access: full) on npm_registry endpoint with L7-enforced REST policy restricted to GET /**
• Agents only fetch packages from the npm registry and never publish, so write methods are not needed
• Enables per-request rule evaluation, per-request logging, and SecretResolver credential injection

Motivation

• Issue GitHub network policy should use protocol: rest to enable scoped method/path controls #1111 called out converting npm_registry alongside the GitHub endpoints
• Discussed and agreed upon during review of PR fix(policy): add protocol/enforcement/tls to GitHub endpoints #1225 but deferred to keep that PR scoped
• CodeRabbit filed fix(policy): convert npm_registry endpoint from access: full to protocol: rest (GET-only) #1355 to track this follow-up

Test plan

• Verify openclaw plugins install succeeds with GET-only policy
• Verify npm install inside sandbox completes normally
• Confirm write attempts (e.g. npm publish) are blocked by the policy

Closes #1355

Signed-off-by: latenighthackathon latenighthackathon@users.noreply.github.com

Summary by CodeRabbit

• Security
  • Registry access is now read-only (HTTP GET only) and TLS termination is enforced for registry connections, tightening network access and transport security for package registry interactions.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6f728247-9de3-498c-9045-4c3726762b97

📥 Commits

Reviewing files that changed from the base of the PR and between 0115c01 and adef897.

📒 Files selected for processing (1)

• nemoclaw-blueprint/policies/openclaw-sandbox.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• nemoclaw-blueprint/policies/openclaw-sandbox.yaml

---

📝 Walkthrough

Walkthrough

The npm_registry endpoint in nemoclaw-blueprint/policies/openclaw-sandbox.yaml was changed from L4 access: full to REST enforcement: protocol: rest, enforcement: enforce, tls: terminate, with a rule allowing only HTTP GET to "/**" for registry.npmjs.org:443.

Changes

Cohort / File(s)	Summary
npm Registry Endpoint Security Policy nemoclaw-blueprint/policies/openclaw-sandbox.yaml	Replaced access: full with protocol: rest, enforcement: enforce, and tls: terminate for the registry.npmjs.org:443 endpoint. Added a rule permitting only GET requests to "/**", converting npm access to read-only REST with per-request enforcement.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Proxy as "Sandbox Proxy\n(protocol: rest\nenforcement: enforce\ntls: terminate)"
    participant NPM as "registry.npmjs.org:443"

    Client->>Proxy: TLS handshake (terminated at Proxy)
    Client->>Proxy: HTTP GET /package (only allowed method)
    Proxy->>NPM: Forward GET over TLS
    NPM-->>Proxy: 200 OK (package data)
    Proxy-->>Client: 200 OK (response)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop to the registry, careful and spry,
GET-only paths beneath the sky,
TLS wrapped snug, rules set just right,
I fetch the packages, quiet as night.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: converting npm_registry policy from unrestricted access to GET-only REST enforcement.
Linked Issues check	✅ Passed	Code changes fully implement issue #1355 requirements: protocol changed to REST, enforcement enabled, TLS termination configured, and GET-only rules applied.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the npm_registry endpoint policy update; no extraneous modifications are present in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[prekshivyas]

Thanks @latenighthackathon — this is a good security tightening.

The change itself looks correct:

• protocol: rest / enforcement: enforce / tls: terminate matches the established pattern from the GitHub endpoints in #1225 ✓
• GET /** is appropriate — agents only fetch packages, never publish ✓
• Blocks write operations (npm publish, PUT, DELETE) from the sandbox ✓
• Enables per-request logging and SecretResolver credential injection ✓

One concern before merging: the manual test plan items are all unchecked:

• Verify openclaw plugins install succeeds with GET-only policy
• Verify npm install inside sandbox completes normally
• Confirm write attempts (e.g. npm publish) are blocked by the policy

The tls: terminate means the proxy terminates TLS and re-establishes it to registry.npmjs.org:443. If npm does any form of certificate pinning or integrity checking on the TLS session, this could break installs silently. Could you confirm the manual tests pass and check the boxes before we merge?

[latenighthackathon]

@prekshivyas Thanks for the review and the valid concern about tls: terminate.

Test results:

Unit tests: All 46 policy and security-method-wildcard tests pass (vitest, Node 22.16).

E2E validation on live NemoClaw sandbox (WSL2 + Docker Desktop):

1. Deployed sandbox test-npm-policy via nemoclaw onboard --non-interactive
2. Applied updated policy (npm_registry: protocol: rest, tls: terminate, GET-only) via openshell policy set
3. npm install lodash — PASS (added 1 package in 959ms)
4. npm install axios — PASS (added 23 packages in 3s)
5. openclaw plugins list — PASS (38 plugins enumerated)
6. curl -X PUT https://registry.npmjs.org/... — BLOCKED (proxy returned 403 Forbidden as expected)

All three test plan items verified:

• openclaw plugins install succeeds with GET-only policy
• npm install inside sandbox completes normally
• Write attempts (PUT) are blocked by the policy

On the TLS concern: tls: terminate is already the established pattern for every other REST-enforced endpoint in this file (GitHub, Anthropic, statsig, sentry). npm registry client does not do certificate pinning — it uses the system trust store and respects NODE_EXTRA_CA_CERTS. Confirmed working end-to-end.

[ericksoa]

Thanks for this contribution — clean change and consistent with the existing REST endpoint pattern. Could you please rebase onto current main? Once that's done we'll likely accept this.

[latenighthackathon]

Rebased onto current main. Thanks for the feedback @ericksoa!

[latenighthackathon]

@ericksoa Thanks for the review! Rebased onto current main — clean linear history, ready for review.

[latenighthackathon]

@ericksoa Friendly ping — rebased onto current main yesterday with clean linear history. Ready for your approving review whenever you have a moment, thanks!

[ericksoa]

Reviewed: clean security hardening — converts npm_registry from L4 pass-through to L7 REST GET-only, consistent with all other REST endpoints in the policy. npm audit POSTs will be blocked but fail gracefully (confirmed by e2e). LGTM.