fix(policy): remove telegram + discord from base sandbox policy

[latenighthackathon]

Summary

The base sandbox policy (nemoclaw-blueprint/policies/openclaw-sandbox.yaml) was silently granting every sandbox egress to api.telegram.org, discord.com, gateway.discord.gg, and cdn.discordapp.com — regardless of whether the user enabled the telegram/discord messaging channel in step [5/8] or ticked the preset in step [8/8] of onboard. This is a regression of a previously-fixed behavior.

After a fresh onboard that explicitly skipped messaging channels and did not tick Discord in the Balanced-tier preset picker, nemoclaw <name> policy-list reports:

● discord — Discord API, gateway, and CDN access (active on gateway, missing from local state)

Problem

Regression history:

• #1705 (2026-04-09, 77051cc8) — removed telegram and discord from baseline "for exactly this reason." Explicitly called it a data exfiltration vector.
• #1700 (2026-04-14, 855924fd) — an unrelated npm_registry PR that was rebased on a branch predating fix(security): remove pre-allowed messaging from base sandbox policy #1705. The CodeRabbit release notes on fix(policy): restrict baseline npm_registry to openclaw binary only #1700 even flagged it: "Added network policy entries to enable controlled Telegram and Discord messaging access." The messaging entries came back as part of that PR's conflict-resolution and have been in the baseline since.

Once discord exists as a key in the gateway's loaded policy, policies.getGatewayPresets() detects the Discord preset as active (it matches on key presence). nemoclaw policy-list then renders the misleading "active on gateway, missing from local state" line for a preset the user never selected — and the egress is actually enforced, so it's a real capability grant, not just a display bug.

Test plan

• npx vitest run test/validate-blueprint.test.ts test/policies.test.ts — 124 tests pass, including the three new regression tests that guard against this specific re-add pattern for telegram, discord, and slack.
• npx vitest run test/validate-configs-dangerous-hosts.test.ts test/onboard.test.ts — 160 tests pass. No onboard-flow regressions.
• Manually verified that users who enable a messaging channel in step [5/8] and apply the corresponding preset in step [8/8] still get identical endpoint access via presets/{telegram,discord}.yaml (no preset YAML changes in this PR).
• openclaw-sandbox-permissive.yaml (used for --dangerously-skip-permissions) unchanged — permissive users still get pre-allowed messaging as before.

Fixes #2180.

Signed-off-by: latenighthackathon latenighthackathon@users.noreply.github.com

Summary by CodeRabbit

• Bug Fixes

  • Removed default network permissions for Telegram and Discord from the sandbox baseline; messaging endpoints (Telegram, Discord, Slack) are no longer enabled by default and must be added via opt-in presets during onboarding.

• Tests

  • Added regression tests to ensure messaging provider access (Telegram, Discord, Slack) remains restricted in the baseline policy and cannot be reintroduced inadvertently.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Walkthrough

Removed Telegram and Discord network policy entries from the OpenClaw sandbox baseline and added regression tests ensuring messaging providers (Telegram, Discord, Slack) are not present in the base network policy; baseline now documents that messaging endpoints are opt-in via presets.

Changes

Baseline network policy & tests

Layer / File(s)	Summary
Policy comment / intent nemoclaw-blueprint/policies/openclaw-sandbox.yaml	Replaced previous Telegram/Discord blocks with a comment explaining messaging endpoints (telegram/discord/slack) are excluded from the baseline and must be added via opt-in presets.
Policy removal nemoclaw-blueprint/policies/openclaw-sandbox.yaml	Removed top-level telegram and discord network policy entries (endpoints and node binaries restrictions) from the OpenClaw sandbox baseline.
Regression tests test/validate-blueprint.test.ts	Added three Vitest regression cases under base sandbox policy that assert absence of top-level telegram, discord, and slack keys and verify no base-policy endpoints match provider hostnames (including Slack websocket variants).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped the YAML fence at night,
Nibbled out endpoints out of sight.
Opt-in bells now keep the door,
Tests stand guard across the floor.
A tiny hop — policies made right.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: removing Telegram and Discord from the base sandbox policy, which directly addresses the regression described in the linked issue.
Linked Issues check	✅ Passed	The PR fully addresses the objective in issue #2180 by removing messaging endpoints (Telegram and Discord) from the base policy and adding regression tests to prevent re-introduction, restoring the opt-in behavior for messaging presets.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the messaging policy regression: removal of Telegram/Discord from base policy, addition of explanatory comments, and three regression tests covering Telegram, Discord, and Slack prevention.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wscurran]

✨ Thanks for submitting this pull request that proposes a way to fix a bug that causes the base sandbox policy to silently grant egress to Telegram and Discord. This identifies a bug and proposes a change to remove these messaging channels from the baseline policy, addressing a previously-fixed behavior that was reintroduced.

---

Related open PRs:

• #1700 fix(policy): restrict baseline npm_registry to openclaw binary only
• #1705 fix(security): remove pre-allowed messaging from base sandbox policy

[coderabbitai]

🧹 Nitpick comments (1)

nemoclaw-blueprint/policies/openclaw-sandbox.yaml (1)

175-181: Run targeted network policy E2E for this change class.

Given this is a baseline egress policy edit, run the network-policy-e2e job on the PR branch to re-validate deny-by-default, whitelist behavior, hot-reload, and SSRF protections before merge. As per coding guidelines, "E2E test recommendation: network-policy-e2e — deny-by-default, whitelist, hot-reload, SSRF".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml` around lines 175 - 181,
This PR touches the baseline egress policy (the openclaw-sandbox.yaml baseline
comment block) so run the network-policy-e2e job on the PR branch to validate
deny-by-default, whitelist behavior, hot-reload, and SSRF protections; trigger
the network-policy-e2e pipeline (job name: network-policy-e2e) against this
branch and attach the results to the PR, ensuring the e2e passes before merging
to confirm the baseline egress change is safe.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml`:
- Around line 175-181: This PR touches the baseline egress policy (the
openclaw-sandbox.yaml baseline comment block) so run the network-policy-e2e job
on the PR branch to validate deny-by-default, whitelist behavior, hot-reload,
and SSRF protections; trigger the network-policy-e2e pipeline (job name:
network-policy-e2e) against this branch and attach the results to the PR,
ensuring the e2e passes before merging to confirm the baseline egress change is
safe.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 78e3572c-5e3f-4a3a-88ba-1555155cc2cd

📥 Commits

Reviewing files that changed from the base of the PR and between c47fdd3 and 054392c.

📒 Files selected for processing (2)

• nemoclaw-blueprint/policies/openclaw-sandbox.yaml
• test/validate-blueprint.test.ts