fix(channels): apply network policy preset on channels add

[hunglp6d]

Summary

nemoclaw <sandbox> channels add <channel> registered the messaging bridge with the OpenShell gateway and triggered a rebuild, but never applied the channel's matching network policy preset. After the rebuild, the bridge booted with no allow-list entry for its upstream API host, so outbound traffic to api.telegram.org / slack.com / discord.com was denied by the SSRF engine and the channel silently failed to deliver messages. This wires the preset apply into the channels add flow so it is captured in the rebuild backup manifest and restored by Step 5.5 of rebuild.ts.

Related Issue

Fixes #3437

Changes

• Add applyChannelPresetIfAvailable(sandboxName, channelName) helper in src/lib/actions/sandbox/policy-channel.ts — looks up the channel's matching built-in preset by name (e.g. telegram → telegram.yaml) and applies it idempotently via policies.applyPreset. No-op when the channel has no matching preset.
• Call the helper in addSandboxChannel between applyChannelAddToGatewayAndRegistry and promptAndRebuild, so the preset is in place before the rebuild backup manifest is captured.
• Fail-soft: helper logs a warning and points to manual nemoclaw <sandbox> policy-add <channel> recovery if the preset apply fails, mirroring rebuild Step 5.5's tolerance.
• Covers telegram, slack, discord — all KNOWN_CHANNELS entries that ship a matching preset under nemoclaw-blueprint/policies/presets/.
• Add regression test test/channels-add-preset.test.ts — stub-driven integration test mirroring test/onboard-preset-diff.test.ts, asserts the ordering invariant (apply must precede promptAndRebuild) for all three channels plus a negative no-matching-preset case.

Testing

npx tsc -p tsconfig.src.json && npx vitest run --project cli test/channels-add-preset.test.ts

Expected when the fix is in place (passing)

All 4 cases pass, confirming policies.applyPreset(<sandbox>, <channel>) is invoked exactly once before promptAndRebuild for each affected channel:

✓ applies the 'telegram' preset before triggering rebuild
✓ applies the 'slack' preset before triggering rebuild
✓ applies the 'discord' preset before triggering rebuild
✓ skips applyPreset when no matching built-in preset exists
Tests  4 passed (4)

Expected when the fix is reverted (catching the regression)

Comment out the applyChannelPresetIfAvailable(...) call in addSandboxChannel, rebuild dist, and rerun — the three positive cases fail with expected applyPreset(...) exactly once; got [], proving the test catches the bug. The negative case continues to pass because it does not depend on the fix:

× applies the 'telegram' preset before triggering rebuild
× applies the 'slack' preset before triggering rebuild
× applies the 'discord' preset before triggering rebuild
✓ skips applyPreset when no matching built-in preset exists
Tests  3 failed | 1 passed (4)

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Hung Le hple@nvidia.com

Summary by CodeRabbit

• New Features

  • Messaging channels (Telegram, Slack, Discord) now attempt to apply matching built-in policy presets immediately during setup, before the sandbox rebuild; manual policy apply still available for non-matching channels.

• Tests

  • Added a regression test ensuring matching presets are applied prior to the rebuild step and that non-matching channels do not trigger preset application.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 41909b3f-43a6-49b8-b531-c151dd7192ea

📥 Commits

Reviewing files that changed from the base of the PR and between deee1ab and 8592161.

📒 Files selected for processing (1)

• src/lib/actions/sandbox/policy-channel.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/actions/sandbox/policy-channel.ts

---

📝 Walkthrough

Walkthrough

This PR applies a channel's built-in policy preset immediately after gateway/registry registration in addSandboxChannel and adds a regression test that verifies presets (for telegram, slack, discord) are applied before the rebuild prompt; non-matching presets are skipped.

Changes

Messaging Channel Policy Preset Application

Layer / File(s)	Summary
Policy preset application on channel add src/lib/actions/sandbox/policy-channel.ts	After registering the channel bridge, addSandboxChannel calls applyChannelPresetIfAvailable to detect and apply a matching built-in preset before prompting to rebuild; errors are caught and logged with instructions to re-run policy-add.
Regression test harness and instrumentation test/channels-add-preset.test.ts	Adds runScript to execute the CLI in a temp Node script and buildPreamble which stubs external dependencies and records policies.applyPreset calls and a promptAndRebuild marker via console.log interception.
Test cases for preset application test/channels-add-preset.test.ts	Parameterized tests assert applyPreset is called exactly once and occurs before promptAndRebuild for telegram, slack, discord; a negative test constrains available presets (npm,github) and asserts applyPreset is not called.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• #3462 — Tests and fixes for ensuring channel-add applies matching policy presets (similar objective to this PR).

Possibly related PRs

• NVIDIA/NemoClaw#3448 — Modifies policy-channel.ts around channel preset handling during channels add, related to immediate preset application.

Suggested labels

NemoClaw CLI, fix, enhancement: policy

Suggested reviewers

• cv
• prekshivyas
• ericksoa

Poem

🐰 I hopped through code with whiskers twitching bright,
Found channels mute when egress lost from sight.
I nudged presets on before the rebuild bell,
Telegram, Slack, Discord now ring and dwell.
A happy rabbit hops—policies set right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: applying network policy presets when channels are added.
Linked Issues check	✅ Passed	The PR successfully implements all coding objectives from #3437: applies presets via applyChannelPresetIfAvailable after gateway registration and before rebuild, covers telegram/slack/discord, includes regression test with proper ordering assertions.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing the fix for #3437: modifying the channels add flow to apply presets and adding comprehensive test coverage.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/apply-preset-after-doing-channels-operations

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: network-policy-e2e, rebuild-openclaw-e2e
Optional E2E: messaging-providers-e2e

Dispatch hint: network-policy-e2e,rebuild-openclaw-e2e

Auto-dispatched E2E: network-policy-e2e, rebuild-openclaw-e2e via nightly-e2e.yaml at 859216106139d386e0ace8c891741a6d4cd91d4a — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• network-policy-e2e (medium (~45 min, requires NVIDIA_API_KEY and Docker/OpenShell sandbox)): Closest existing merge-blocking confidence for policy preset application and live gateway egress behavior. This PR changes automatic preset application from the channel-add path, which can affect security boundaries and service reachability.
• rebuild-openclaw-e2e (high (~60 min, builds old base image and rebuilds sandbox)): Validates that applied policy presets are captured and survive an OpenClaw sandbox rebuild. The PR’s key invariant is that channel presets are applied before rebuild so the rebuild manifest restores them.

Optional E2E

• messaging-providers-e2e (medium/high (~45 min, creates messaging sandbox with fake tokens)): Useful adjacent coverage for Telegram/Discord/Slack provider creation, placeholder isolation, and L7 proxy rewriting. It does not appear to directly exercise nemoclaw <sandbox> channels add, so it is optional rather than sufficient for the changed ordering invariant.

New E2E recommendations

• channels add + policy preset + rebuild (high): Existing E2E coverage validates policy presets and messaging providers separately, but no existing E2E appears to exercise the real nemoclaw <sandbox> channels add <channel> command on a restricted sandbox, assert the matching preset is applied before rebuild, rebuild the sandbox, and verify the channel bridge has egress afterward.
  • Suggested test: Add a targeted E2E/regression job that creates a restricted OpenClaw sandbox, runs nemoclaw <sandbox> channels add telegram or slack with fake tokens in non-interactive mode, verifies the matching policy preset is present in registry/gateway before rebuild, runs the queued rebuild, and verifies the rebuilt sandbox can reach the channel upstream through the gateway policy.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: network-policy-e2e,rebuild-openclaw-e2e

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/channels-add-preset.test.ts`:
- Around line 178-180: Add an assertion that the "__RESULT__" marker exists
before attempting JSON.parse to avoid opaque failures when the spawned script
errors; specifically, right after computing marker (variable marker from
result.stdout.lastIndexOf("__RESULT__")), assert marker !== -1 (or use
assert.ok(marker >= 0, "...")) with a helpful message mirroring the
positive-case guard, then proceed to slice and JSON.parse into payload and keep
the existing assert.ok(!payload.error, ...).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cadf5b14-7915-4bed-80f1-8b99476cfb5c

📥 Commits

Reviewing files that changed from the base of the PR and between 09e1793 and 7ea5cf0.

📒 Files selected for processing (2)

• src/lib/actions/sandbox/policy-channel.ts
• test/channels-add-preset.test.ts

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25855301592
Target ref: 2db15ec957cad824f5903adbf34c052df55ca0ad
Workflow ref: main
Requested jobs: network-policy-e2e,rebuild-openclaw-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
network-policy-e2e	✅ success
rebuild-openclaw-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 25903976355
Target ref: 859216106139d386e0ace8c891741a6d4cd91d4a
Workflow ref: main
Requested jobs: network-policy-e2e,rebuild-openclaw-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
network-policy-e2e	✅ success
rebuild-openclaw-e2e	✅ success