feat: add cargo, go, apt, and ghcr policy presets #141

Closed
brianwtaylor wants to merge 5 commits into NVIDIA:main from brianwtaylor:feat/policy-presets-cargo-go-apt-ghcr

@brianwtaylor brianwtaylor commented Mar 17, 2026

Contributor

Summary

  • Add 4 new network policy presets for package ecosystems with no existing coverage: Cargo (Rust), Go modules, apt (Debian/Ubuntu), and GHCR (GitHub Container Registry)
  • Each preset uses access: full with binary restrictions, consistent with the upstream direction for package manager presets (see fix: repair pypi and npm policy presets for package manager traffic #356)
  • Update preset count assertion and add endpoint validation tests for all 4 new presets

Related to #19 — expanding preset coverage so additional package managers work inside the sandbox out of the box

Motivation

The sandbox ships with presets for npm, PyPI, Docker Hub, and a few messaging services, but developers using Rust, Go, Debian-based system packages, or GitHub Container Registry have no preset available. These 4 presets cover the most common gaps.

Test plan

Automated Tests

node --test test/policies.test.js

18 tests covering preset listing, endpoint extraction, YAML schema validation, and new preset endpoint verification.

@brianwtaylor brianwtaylor force-pushed the feat/policy-presets-cargo-go-apt-ghcr branch from 74a27f3 to 1ade1da Compare March 17, 2026 06:33
@brianwtaylor brianwtaylor force-pushed the feat/policy-presets-cargo-go-apt-ghcr branch from 1ade1da to 2b4c6a5 Compare March 18, 2026 00:08
coderabbitai Bot commented Mar 18, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Adds four new network-policy preset YAMLs (apt, cargo, ghcr, go) defining registry endpoints (mostly on port 443) with protocol/enforcement details and binaries lists. Tests updated to expect the expanded presets and validate the new preset endpoints.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Policy Presets: nemoclaw-blueprint/policies/presets/apt.yaml, .../cargo.yaml, .../ghcr.yaml, .../go.yaml | Added four new preset YAMLs. apt.yaml defines apt_repositories endpoints (archive.ubuntu.com, security.ubuntu.com, deb.debian.org) with port: 443, protocol: rest, enforcement: enforce, tls: terminate, and per-endpoint GET access; includes binaries list. cargo.yaml adds cargo_registry endpoints (crates.io, static.crates.io, index.crates.io) on 443 with full access and binaries list. ghcr.yaml adds ghcr_registry with ghcr.io:443 (full access) and binaries. go.yaml adds go_proxy endpoints (proxy.golang.org, sum.golang.org, storage.googleapis.com) with TLS termination and GET access plus binaries. |
| Tests: test/policies.test.js | Expanded test expectations to account for the new presets, removed hard-coded preset count/names, and added a new suite validating endpoints for cargo, go, apt, and ghcr presets. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: adding four new policy presets (cargo, go, apt, ghcr) for package and registry management. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🧹 Nitpick comments (2)
test/policies.test.js (1)

12-27: Avoid dual source of truth for preset totals.

Line 14 hardcodes 13 while Line 26 already defines the expected preset set. Consider deriving the count assertion from the expected list length to keep these checks in sync.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.js` around lines 12 - 27, The test contains a duplicated
source of truth: the hardcoded count 13 in the "returns all 13 presets"
assertion and the explicit expected array in the "returns expected preset names"
test; replace the numeric literal with a reference to the expected list length
so they stay in sync by deriving the count from the expected array (use the same
expected array used in the second test or move it to a shared variable) and
assert that policies.listPresets().length equals expected.length; reference
policies.listPresets, the presets/names variables and the expected array when
making the change.

nemoclaw-blueprint/policies/presets/ghcr.yaml (1)

18-19: Scope POST rule to specific OCI v2 API paths rather than /** (least privilege).

Line 19 currently allows POST on /**. While POST is necessary for push operations (e.g., starting blob uploads via POST /v2/<name>/blobs/uploads/), it should be scoped to the OCI Registry v2 API paths (e.g., /v2/**) instead of allowing it globally. This reduces the attack surface while still supporting docker push.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nemoclaw-blueprint/policies/presets/ghcr.yaml` around lines 18 - 19, Replace
the overly-broad POST rule "- allow: { method: POST, path: "/**" }" with a
scoped rule that only permits POST to the OCI v2 registry paths (for example "-
allow: { method: POST, path: "/v2/**" }") so POST actions (like initiating blob
uploads) are limited to /v2/* endpoints; update the corresponding entry in the
YAML preset (the POST allow mapping) to use "/v2/**" instead of "/**".

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/policies.test.js`:
- Around line 144-148: The test title "ghcr preset has registry and token
endpoints" doesn't match its assertion; either rename the test to reflect that
it only checks registry hosts or add a token-related assertion: locate the test
using the it(...) string and the calls to policies.loadPreset and
policies.getPresetEndpoints, then either change the it(...) description to "ghcr
preset has registry endpoint" or extend the test to assert the token endpoint is
present (e.g., call the appropriate token endpoint extractor or inspect the
preset object returned by policies.loadPreset for the token host/URL and assert
it includes the expected token endpoint).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4e0809c3-c27c-42ee-8bf1-d35cf26a95b1

📥 Commits

Reviewing files that changed from the base of the PR and between 2a9afbc and 2b4c6a5.

📒 Files selected for processing (5)
  • nemoclaw-blueprint/policies/presets/apt.yaml
  • nemoclaw-blueprint/policies/presets/cargo.yaml
  • nemoclaw-blueprint/policies/presets/ghcr.yaml
  • nemoclaw-blueprint/policies/presets/go.yaml
  • test/policies.test.js

Comment thread test/policies.test.js Outdated
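
The review's least-privilege point about `POST` on `/**` versus `/v2/**`, as an added example that is not code from this PR or from the project. The rule shape copies the `allow: { method, path }` entries quoted in the review; the glob semantics, the function names and the sample requests are assumptions made for illustration.

```javascript
// Added illustration, not NemoClaw code. Rule objects copy the
// `allow: { method, path }` shape quoted in the review; the glob semantics
// (`**` crosses "/" boundaries, `*` stays inside one segment) are assumed.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    if (glob[i] === "*" && glob[i + 1] === "*") { re += ".*"; i++; }
    else if (glob[i] === "*") re += "[^/]*";
    else re += glob[i].replace(/[.+?^${}()|[\]\\]/, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

// Default deny: a request passes only if some rule names its method and path.
function isAllowed(rules, method, path) {
  // Assumption: refuse literal ".." segments so "/v2/../x" cannot ride "/v2/**".
  if (path.split("/").includes("..")) return false;
  return rules.some(({ allow }) =>
    allow.method === method && globToRegExp(allow.path).test(path));
}

// Lint helper: non-read methods granted on the catch-all path.
function findBroadWriteRules(rules) {
  const readOnly = new Set(["GET", "HEAD"]);
  return rules.filter(({ allow }) =>
    !readOnly.has(allow.method) && allow.path === "/**");
}

// Constructed rule sets: the POST rule the review flagged, and the scoped form.
const broadRules = [
  { allow: { method: "GET", path: "/**" } },
  { allow: { method: "POST", path: "/**" } },
];
const scopedRules = [
  { allow: { method: "GET", path: "/**" } },
  { allow: { method: "POST", path: "/v2/**" } },
];

// Constructed requests: a blob-upload start and a POST outside the registry API.
const probes = [
  ["POST", "/v2/example-org/example-image/blobs/uploads/"],
  ["POST", "/other/path"],
];
for (const [method, path] of probes) {
  console.log(method, path,
    "broad:", isAllowed(broadRules, method, path),
    "scoped:", isAllowed(scopedRules, method, path));
}
console.log("flagged:", JSON.stringify(findBroadWriteRules(broadRules)));
```

Method and path rules of this kind only take effect where the proxy can read the request path. The later commits in this thread move the presets to access: full because CONNECT tunneling breaks under tls: terminate, so there the binaries restriction and the host list carry the policy.
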
@brianwtaylor

Contributor Author

@coderabbitai review

coderabbitai Bot commented Mar 18, 2026

Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@brianwtaylor brianwtaylor force-pushed the feat/policy-presets-cargo-go-apt-ghcr branch from 43957ba to ca5d144 Compare March 18, 2026 19:44

Add network policy presets for Rust Cargo, Go modules, Debian/Ubuntu
apt repositories, and GitHub Container Registry. Each follows the
existing YAML schema with minimal required permissions (GET-only for
package registries, GET+POST for auth token exchange on GHCR).

Signed-off-by: Brian Taylor <brian@briantaylor.xyz>
Signed-off-by: Brian Taylor <brian.taylor818@gmail.com>

- Scope storage.googleapis.com GET to /proxy-golang-org/** to prevent
  unrestricted access to arbitrary GCS content
- Scope ghcr.io POST to /v2/** (OCI Distribution API) instead of /**
- Derive preset count assertion from expected array to avoid dual
  source of truth
- Fix ghcr test title to match actual assertions

Switch all 4 new presets from protocol: rest + tls: terminate to
access: full (matches PR #36 fix for pypi/npm). Add binaries
restriction to each preset so only openclaw and the relevant package
manager can reach allowed endpoints (addresses #272).

…ethods

- apt/cargo/go: restrict to GET only (read-only registries)
- ghcr: GET globally + POST scoped to /v2/** (OCI distribution spec)
- go: scope storage.googleapis.com to /golang/** path prefix
- All presets now match the existing schema pattern (protocol, enforcement,
  tls, rules) used by npm/pypi/docker presets

@brianwtaylor brianwtaylor force-pushed the feat/policy-presets-cargo-go-apt-ghcr branch from 6e6d8d4 to 18f91b7 Compare March 19, 2026 01:12

…ng fix

Package managers use CONNECT tunneling which breaks under tls: terminate.
Align with ericksoa's PR #356 which switches npm/pypi to access: full
for the same reason.

@brianwtaylor brianwtaylor closed this by deleting the head repository Mar 20, 2026
@wscurran

Contributor

Thanks for adding the new policy presets for Cargo, Go modules, apt, and GHCR; this expands the coverage of our network policies and could be helpful for users working with these package ecosystems.

@wscurran wscurran added feature PR adds or expands user-visible functionality and removed enhancement: feature labels Jun 3, 2026