fix(policy): restrict baseline npm_registry to openclaw binary only

[BenediktSchackenberg]

Problem

With 'none' policy selected during onboard, npm install still succeeded because the baseline policy (openclaw-sandbox.yaml) included /usr/local/bin/npm and /usr/local/bin/node in the npm_registry binaries list. This bypassed the user's intent of no external network access.

The baseline npm_registry entry exists solely for openclaw plugins install — not for agent-driven npm usage. Any sandbox with 'none' preset should block npm from the agent.

Fix

Removed /usr/local/bin/npm and /usr/local/bin/node from the baseline npm_registry binaries list. Only /usr/local/bin/openclaw retains access to registry.npmjs.org by default.

Users who need npm/node network access in the sandbox should add the npm preset during onboard or afterwards via nemoclaw policy.

Testing

• nemoclaw onboard with no policy presets → npm install should now be blocked (403 Forbidden from proxy)
• openclaw plugins install <plugin> should still work (uses the openclaw binary)
• nemoclaw onboard with npm preset → npm install still works as expected

Fixes #1458

Signed-off-by: Benedikt Schackenberg 6381261+BenediktSchackenberg@users.noreply.github.com

Summary by CodeRabbit

• New Features
  • Added network policy entries to enable controlled Telegram and Discord messaging access.
• Chores
  • Restricted registry access so only the plugin installer retains direct registry rights; npm/node are no longer allowed by default and require a separate preset.
• Documentation
  • Updated network policy docs to reflect stricter allowed binaries and GET-only registry requests.
• Tests
  • Added a regression test to enforce the registry access whitelist.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Restricted the npm_registry network policy to only allow /usr/local/bin/openclaw with GET requests, added new messaging network policies for telegram and discord constrained to /usr/local/bin/node (discord also allows gateway WebSocket CONNECT), and added a test validating the narrowed npm binary allowlist. Documentation was updated accordingly.

Changes

Cohort / File(s)	Summary
Policy file nemoclaw-blueprint/policies/openclaw-sandbox.yaml	Narrowed network_policies.npm_registry.binaries to only /usr/local/bin/openclaw and limited rules to GET; removed /usr/local/bin/npm and /usr/local/bin/node. Added telegram and discord messaging endpoint groups: both restrict binaries to /usr/local/bin/node; telegram allows GET/POST to api.telegram.org under bot paths; discord allows REST GET/POST to discord.com, CDN GETs, and gateway WebSocket traffic via gateway.discord.gg using access: full (CONNECT).
Documentation docs/reference/network-policies.md, .agents/skills/nemoclaw-user-reference/references/network-policies.md	Updated docs to reflect that npm_registry only permits /usr/local/bin/openclaw (for openclaw plugins install) and limited methods (GET). Documented new telegram and discord policy entries and their intended binary constraints.
Tests test/validate-blueprint.test.ts	Added Vitest regression test that reads policy.network_policies.npm_registry, asserts binaries exists and is an array, and enforces the exact allowlist of ["/usr/local/bin/openclaw"] for binary paths.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant User as "Sandboxed User Process"
participant Policy as "Network Policy Engine\n(openclaw-sandbox.yaml)"
participant Binary as "Binary invoked\n(openclaw / node)"
participant External as "External API\n(telegram/discord/npm)"
rect rgba(200,230,255,0.5)
User->>Binary: execute (e.g. openclaw/plugins or node script)
Binary->>Policy: request network access (method, host, path, proto)
Policy-->>Binary: allow/deny (based on binaries list & rules)
Binary->>External: network request (if allowed)
External-->>Binary: response
end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hop through YAML and gates so tight,
OpenClaw peeks — npm dimmed to light,
Node speaks to bots with careful tread,
Discord webs and Telegram threads,
I nibble rules and guard the night.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: restricting the baseline npm_registry policy to only the openclaw binary, which directly addresses the core fix for the regression.
Linked Issues check	✅ Passed	All coding requirements from issue #1458 are met: npm/node binaries removed from baseline npm_registry [#1458], regression test added to prevent recurrence [#1458], documentation updated to reflect the restriction [#1458], and the fix ensures policy enforcement blocks npm access under 'none' preset [#1458].
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the npm_registry policy regression: policy YAML updates, documentation edits, and regression tests all address the linked issue without unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the baseline OpenClaw sandbox network policy so that “none” onboarding no longer permits agent-driven npm install egress to registry.npmjs.org, while keeping plugin installation working via the openclaw CLI.

Changes:

• Removed /usr/local/bin/npm and /usr/local/bin/node from the baseline npm_registry policy’s allowed binaries.
• Clarified inline policy comments to document that npm_registry is intended for openclaw plugins install only and references issue #1458.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The documentation tables still describe the baseline npm_registry policy as allowing /usr/local/bin/npm and /usr/local/bin/node (and even “All methods”), but the baseline policy is now restricted to /usr/local/bin/openclaw with GET-only. Please update docs/reference/network-policies.md and .agents/skills/nemoclaw-user-reference/references/network-policies.md to match this policy change so users aren’t misled.

[Copilot]

Given this is a security regression fix (#1458), consider adding a small regression test that asserts the baseline npm_registry binaries list does not include npm/node (e.g., in test/validate-blueprint.test.ts). That will prevent accidental reintroduction of agent npm egress in future edits.

[BenediktSchackenberg]

Addressed both review points:

1. Docs updated — docs/reference/network-policies.md and .agents/skills/nemoclaw-user-reference/references/network-policies.md now show openclaw only + GET-only for npm_registry
2. Regression test added — test/validate-blueprint.test.ts now asserts that /usr/local/bin/npm and /usr/local/bin/node are absent from the baseline npm_registry binaries list (28 tests pass)

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

test/validate-blueprint.test.ts (1)

192-204: Strengthen the regression test to enforce an exact allowlist.

Current assertions still pass if another unexpected binary gets added. Consider asserting the final list is exactly openclaw.

Suggested test hardening

-    const paths = (binaries ?? []).map((b) => b.path);
+    const paths = (binaries ?? []).map((b) => b.path).sort();
@@
-    expect(paths).not.toContain("/usr/local/bin/npm");
-    expect(paths).not.toContain("/usr/local/bin/node");
-    expect(paths).toContain("/usr/local/bin/openclaw");
+    expect(paths).toEqual(["/usr/local/bin/openclaw"]);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/validate-blueprint.test.ts` around lines 192 - 204, The test "regression
`#1458`: baseline npm_registry must not include npm or node binaries" currently
checks only that npm/node are absent and openclaw is present; change it to
enforce an exact allowlist by asserting that the computed paths (from np,
npm_registry, binaries, paths) equal exactly ['/usr/local/bin/openclaw'] (use a
strict equality assertion such as toEqual/toStrictEqual) so no other unexpected
binaries are allowed; replace or augment the existing expect(...) checks with a
single exact-match assertion on paths.

docs/reference/network-policies.md (1)

93-94: Format the CLI command as inline code in the table cell.

In Line 93, openclaw plugins install is a CLI command in prose; wrap it in inline code.

Suggested doc fix

-  - `/usr/local/bin/openclaw` only (openclaw plugins install)
+  - `/usr/local/bin/openclaw` only (`openclaw plugins install`)

As per coding guidelines, “CLI commands, file paths, flags, parameter names, and values must use inline code formatting,” and word-list casing checks are exempt inside code spans.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/reference/network-policies.md` around lines 93 - 94, Wrap the inline CLI
command and any file paths in code formatting: replace the plain text "openclaw
plugins install" and "/usr/local/bin/openclaw" in the table cell with inline
code spans (e.g., `openclaw plugins install` and `/usr/local/bin/openclaw`) so
they follow the guideline that CLI commands, file paths, flags, parameter names,
and values use inline code formatting.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/skills/nemoclaw-user-reference/references/network-policies.md:
- Around line 71-72: This change edited an autogenerated skill doc under the
.agents/skills/nemoclaw-user-* tree; revert the direct edit and instead make the
content change in the source docs (docs/), then regenerate the skill markdown
using the generator script so the update is not lost: update the relevant file
in docs/, run python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix
nemoclaw-user to produce refreshed .agents/skills/nemoclaw-user-*.md files, and
commit the regenerated artifacts (do not edit .agents/skills/nemoclaw-user-*.md
by hand).

---

Nitpick comments:
In `@docs/reference/network-policies.md`:
- Around line 93-94: Wrap the inline CLI command and any file paths in code
formatting: replace the plain text "openclaw plugins install" and
"/usr/local/bin/openclaw" in the table cell with inline code spans (e.g.,
`openclaw plugins install` and `/usr/local/bin/openclaw`) so they follow the
guideline that CLI commands, file paths, flags, parameter names, and values use
inline code formatting.

In `@test/validate-blueprint.test.ts`:
- Around line 192-204: The test "regression `#1458`: baseline npm_registry must
not include npm or node binaries" currently checks only that npm/node are absent
and openclaw is present; change it to enforce an exact allowlist by asserting
that the computed paths (from np, npm_registry, binaries, paths) equal exactly
['/usr/local/bin/openclaw'] (use a strict equality assertion such as
toEqual/toStrictEqual) so no other unexpected binaries are allowed; replace or
augment the existing expect(...) checks with a single exact-match assertion on
paths.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1e544d00-127e-442d-b1e2-a4ac6efe093b

📥 Commits

Reviewing files that changed from the base of the PR and between d8b13c0 and aa599c2.

📒 Files selected for processing (3)

• .agents/skills/nemoclaw-user-reference/references/network-policies.md
• docs/reference/network-policies.md
• test/validate-blueprint.test.ts

[BenediktSchackenberg]

Addressed both CodeRabbit points:

1. Skills docs: reverted the direct edit, ran python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user to regenerate — fix is now in sync
2. Regression test: switched to exact allowlist (toEqual(["/usr/local/bin/openclaw"])) — any unexpected binary addition will now fail the test

[wscurran]

✨ Thanks for submitting this PR, which proposes a fix for an issue with the baseline npm registry policy and may improve the overall security of the system.

---

Possibly related open issues:

• #1458 [NemoClaw][All platforms][Regression] None policy added but NPM install is able to execute