fix: remove docker policy preset (#1406)

[zyang-dev]

Summary

Remove the docker policy preset. There is no practical use case for Docker registry access from inside the sandbox.

Related Issue

Fixes #1406

Changes

• Delete nemoclaw-blueprint/policies/presets/docker.yaml
• Update test/policies.test.js — remove docker from expected presets, update count from 11 to 10
• Update docs/security/best-practices.md — remove docker preset reference
• Update .agents/skills/nemoclaw-security-best/references/best-practices.md — same

Type of Change

• Code change for a new feature, bug fix, or refactor.
• Code change with doc updates.
• Doc only. Prose changes without code sample modifications.
• Doc only. Includes code sample changes.

Testing

• npx prek run --all-files passes (or equivalently make check).
• npm test passes.
• make docs builds without warnings. (for doc-only changes)

Checklist

General

• I have read and followed the contributing guide.
• I have read and followed the style guide. (for doc-only changes)

Code Changes

• Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
• Tests added or updated for new or changed behavior.
• No secrets, API keys, or credentials committed.
• Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

• Follows the style guide. Try running the nemoclaw-contributor-update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/nemoclaw-contributor-update-docs catch up the docs for the new changes I made in this PR."
• New pages include SPDX license header and frontmatter, if creating a new page.
• Cross-references and links verified.

---

Signed-off-by: zyang-dev 267119621+zyang-dev@users.noreply.github.com

Summary by CodeRabbit

Release Notes

• Documentation

  • Updated security best practices guidance for the Development posture profile, removing the recommendation to apply the Docker policy preset for agents that build or pull container images.

• Chores

  • Removed the Docker policy preset definition and its associated network policy configurations.
  • Updated test expectations to reflect the removal of the Docker preset.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 07498c99-4f92-44df-911c-6fe3d6bb4884

📥 Commits

Reviewing files that changed from the base of the PR and between 8f6995c and 550d57d.

📒 Files selected for processing (4)

• .agents/skills/nemoclaw-user-configure-security/references/best-practices.md
• docs/security/best-practices.md
• nemoclaw-blueprint/policies/presets/docker.yaml
• test/policies.test.js

💤 Files with no reviewable changes (3)

• docs/security/best-practices.md
• .agents/skills/nemoclaw-user-configure-security/references/best-practices.md
• nemoclaw-blueprint/policies/presets/docker.yaml

---

📝 Walkthrough

Walkthrough

This PR removes the non-functional docker policy preset definition and updates all related documentation and test expectations. The preset specified a binary path (/usr/bin/docker) that does not exist in the NemoClaw sandbox environment, rendering the policy ineffective.

Changes

Cohort / File(s)	Summary
Documentation updates .agents/skills/nemoclaw-user-configure-security/references/best-practices.md, docs/security/best-practices.md	Removed guidance instructing agents to apply the docker preset when building or pulling container images.
Policy preset deletion nemoclaw-blueprint/policies/presets/docker.yaml	Deleted entire preset configuration (network_policies.docker_registries for Docker Hub and NVIDIA registries with binary scope /usr/bin/docker).
Test expectations test/policies.test.js	Updated listPresets test to expect 10 presets instead of 11; removed "docker" from asserted preset names list.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A docker so broken, now gone with the breeze,
The sandbox ne'er had /usr/bin/docker to please,
With preset removed and tests made anew,
The config now shines, functional and true! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: remove docker policy preset' accurately describes the primary change: removing the unusable docker policy preset file and related references.
Linked Issues check	✅ Passed	The PR fully addresses issue #1406 by removing the docker preset file, updating documentation, and adjusting tests to reflect the removal.
Out of Scope Changes check	✅ Passed	All changes are directly related to removing the docker preset and its references; no out-of-scope modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/remove-docker-preset

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}