fix: repair pypi and npm policy presets for package manager traffic by ericksoa · Pull Request #356 · NVIDIA/NemoClaw

ericksoa · 2026-03-18T21:35:00Z

Closes #19.

Summary

Switch pypi and npm presets from tls: terminate + REST rules to access: full (enables CONNECT tunneling)
Add binaries sections with glob patterns so OpenShell's proxy can match pip/npm/node traffic to the policy
Use glob patterns (python3*, node*) because OpenShell resolves symlinks before matching — /usr/bin/python3 is a symlink to /usr/bin/python3.11 on Debian

Credit to @futhgar (PR #36) for identifying the access: full fix.

Problem

The onboard wizard suggests pypi and npm presets, but pip install and npm install fail with 403 errors inside the sandbox. Two issues:

tls: terminate breaks CONNECT tunneling that package managers need
Missing binaries section means OpenShell's proxy can't match pip/npm traffic to the policy

Test plan

66/66 unit tests pass (including 2 new preset validation tests)
pip install requests succeeds inside sandbox after applying pypi preset
Preset YAML validated: access: full, no tls: terminate, binaries present

Summary by CodeRabbit

Refactor
- Simplified policy configurations for npm and PyPI package managers with streamlined access models
- Added allowlists for common package manager and Python executables across standard system and sandbox locations
Tests
- Added validation tests for policy preset structure and binary path compliance

@futhgar

Closes #19. Two problems prevented pip install and npm install from working inside the sandbox even after applying the presets: 1. Presets used tls: terminate with REST method rules, which breaks CONNECT tunneling that package managers need. Switched to access: full (matching the working github preset pattern). Credit: @futhgar (PR #36) identified this fix. 2. Presets had no binaries section. Without it, OpenShell's proxy can't match pip/npm/node traffic to the policy and returns 403. Added binary paths covering system installs, venv, and uv-managed Python installations. Adds 2 regression tests verifying access: full and binaries sections.

OpenShell resolves symlinks before matching binaries. /usr/bin/python3 is a symlink to /usr/bin/python3.11 on Debian, so the exact path didn't match. Use python3* and node* globs to cover all versions.

coderabbitai · 2026-03-18T21:35:15Z

📝 Walkthrough

Walkthrough

The npm and pypi policy presets are simplified by replacing granular per-endpoint rules (protocol, enforcement, tls) with a unified access: full model, and a new binaries section is added to both presets listing filesystem paths for common package manager executables to enable sandbox workflows.

Changes

Cohort / File(s)	Summary
Policy preset simplification `nemoclaw-blueprint/policies/presets/npm.yaml`, `nemoclaw-blueprint/policies/presets/pypi.yaml`	Replaced per-endpoint policy blocks (protocol/rest, enforcement/enforce, tls/terminate, explicit allow rules) with simplified `access: full` for package registry endpoints. Added new `binaries` sections with filesystem glob patterns for common executables (npm, pip, python, etc.).
Preset validation tests `test/policies.test.js`	Added two new tests verifying package-manager presets use `access: full`, do not contain `tls: terminate`, and include expected `binaries` sections.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops through policy land,
Where presets now are streamlined, grand!
No more tangles, just access: full,
With binaries listed—so bountiful!
Package managers hop free at last, 🎉
The sandbox walls won't hold them fast!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: fixing pypi and npm policy presets for package manager traffic.
Linked Issues check	✅ Passed	All coding requirements from issue `#19` are met: pypi and npm presets now use access: full (CONNECT-compatible), include binaries sections for proxy matching, and include test validation.
Out of Scope Changes check	✅ Passed	All changes are scoped to the objectives: npm.yaml and pypi.yaml presets are updated, and tests are added to validate the preset YAML schema compliance.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

Create stacked PR
Commit on current branch

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch fix/issue-19-pypi-npm-presets

📝 Coding Plan

Generate coding plan for human review comments

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

🧹 Nitpick comments (1)

nemoclaw-blueprint/policies/presets/npm.yaml (1)
18-24: Consider adding missing /usr/bin patterns for yarn and npx.

The binaries section covers yarn* and npx* under /usr/local/bin but not under /usr/bin. Meanwhile, npm* and node* are covered in both locations. This asymmetry could cause 403 errors when yarn or npx is installed via system package managers (e.g., apt install yarnpkg).
Proposed fix to add missing patterns
       - { path: /usr/bin/npm* }
       - { path: /usr/bin/node* }
+      - { path: /usr/bin/yarn* }
+      - { path: /usr/bin/npx* }
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nemoclaw-blueprint/policies/presets/npm.yaml` around lines 18 - 24, The
binaries list in the npm.yaml preset misses /usr/bin patterns for yarn and npx,
creating an asymmetry with npm/node entries; update the binaries array (the
entries for yarn* and npx* in the same "binaries" mapping) to include
corresponding /usr/bin patterns (add entries for { path: /usr/bin/yarn* } and {
path: /usr/bin/npx* }) so all four tools (npm, npx, node, yarn) are covered in
both /usr/local/bin and /usr/bin.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@nemoclaw-blueprint/policies/presets/npm.yaml`:
- Around line 18-24: The binaries list in the npm.yaml preset misses /usr/bin
patterns for yarn and npx, creating an asymmetry with npm/node entries; update
the binaries array (the entries for yarn* and npx* in the same "binaries"
mapping) to include corresponding /usr/bin patterns (add entries for { path:
/usr/bin/yarn* } and { path: /usr/bin/npx* }) so all four tools (npm, npx, node,
yarn) are covered in both /usr/local/bin and /usr/bin.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a391c31f-21a7-4e02-9b45-b1a7514a2591

📥 Commits

Reviewing files that changed from the base of the PR and between 5dbf8bb and 79852da.

📒 Files selected for processing (3)

nemoclaw-blueprint/policies/presets/npm.yaml
nemoclaw-blueprint/policies/presets/pypi.yaml
test/policies.test.js

…ng fix Package managers use CONNECT tunneling which breaks under tls: terminate. Align with ericksoa's PR NVIDIA#356 which switches npm/pypi to access: full for the same reason.

…discord policies All 9 presets and the default telegram/discord entries in openclaw-sandbox.yaml lacked binaries sections, causing OpenShell's OPA rego to deny every request with 403 regardless of endpoint match. - Add binaries to all presets (discord, docker, huggingface, jira, npm, outlook, pypi, slack, telegram) - Add binaries to default telegram and discord policies - Switch pypi/npm from tls:terminate to access:full for CONNECT tunneling compatibility - Add test ensuring every preset includes a binaries section Closes NVIDIA#676 Related: NVIDIA#19, NVIDIA#356, NVIDIA#585 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cv

LGTM — access: full is the right call for CONNECT tunneling, and the glob patterns for binaries handle symlink resolution. Good tests.

…ng fix Package managers use CONNECT tunneling which breaks under tls: terminate. Align with ericksoa's PR NVIDIA#356 which switches npm/pypi to access: full for the same reason.

Add network policy presets for Rust Cargo, Go modules, Debian/Ubuntu apt repositories, and GitHub Container Registry. Each follows the existing YAML schema with access: full and binary restrictions, consistent with upstream direction (PR NVIDIA#356). Signed-off-by: Brian Taylor <brian.taylor818@gmail.com>

PR #356 added tests using node:assert which is not compatible with the vitest runner. Converts to vitest expect() to fix test-unit on main. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

PR #356 added tests using node:assert which is not compatible with the vitest runner. Converts to vitest expect() to fix test-unit on main. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@futhgar

…VIDIA#356) * fix: repair pypi and npm policy presets for package manager traffic Closes NVIDIA#19. Two problems prevented pip install and npm install from working inside the sandbox even after applying the presets: 1. Presets used tls: terminate with REST method rules, which breaks CONNECT tunneling that package managers need. Switched to access: full (matching the working github preset pattern). Credit: @futhgar (PR NVIDIA#36) identified this fix. 2. Presets had no binaries section. Without it, OpenShell's proxy can't match pip/npm/node traffic to the policy and returns 403. Added binary paths covering system installs, venv, and uv-managed Python installations. Adds 2 regression tests verifying access: full and binaries sections. * fix: use glob patterns for binary paths in pypi/npm presets OpenShell resolves symlinks before matching binaries. /usr/bin/python3 is a symlink to /usr/bin/python3.11 on Debian, so the exact path didn't match. Use python3* and node* globs to cover all versions.