fix: use access: full for pypi and npm policy presets #36
The pypi and npm presets used protocol: rest with tls: terminate, which intercepts TLS connections and restricts traffic to explicit HTTP method rules. This breaks pip and npm because both tools establish HTTPS connections via CONNECT tunneling, which the TLS-terminating proxy rejects with 403 errors.

Switch both presets to access: full, matching the pattern already used by the github and npm_registry policies in the base sandbox configuration (openclaw-sandbox.yaml). This allows package managers to establish direct TLS connections to their registries.

Fixes NVIDIA#19

Signed-off-by: futhgar <jmaldonado.rosa@gmail.com>
2a8010e to 44088d4
Fix looks correct — access: full matches the pattern already established in openclaw-sandbox.yaml (lines 88, 91, 149 for github, npm_registry, etc.) and avoids the CONNECT-vs-TLS-termination mismatch that was breaking pip and npm.
One suggestion: it would be great to add a regression test that validates the preset YAML structure. Something like a test in test/policies.test.js that loads each preset and asserts the endpoints use access: full rather than protocol: rest + tls: terminate — that way this class of bug can't sneak back in as new presets are added.
(Disclosure: my PR #141 adds 4 new presets — I can eventually rebase onto this once it merges and use the same access: full pattern.)
-brian
Ensure pypi and npm presets use access: full (not tls: terminate) to prevent CONNECT tunneling breakage from sneaking back in. Per review feedback from @brianwtaylor. Signed-off-by: futhgar <jmaldonado.rosa@gmail.com>
Thanks @brianwtaylor — great suggestion. Added a regression test in Happy to coordinate with your preset PR — the pattern should carry over cleanly.
Closes #19. Two problems prevented pip install and npm install from working inside the sandbox even after applying the presets:

1. Presets used tls: terminate with REST method rules, which breaks CONNECT tunneling that package managers need. Switched to access: full (matching the working github preset pattern). Credit: @futhgar (PR #36) identified this fix.
2. Presets had no binaries section. Without it, OpenShell's proxy can't match pip/npm/node traffic to the policy and returns 403. Added binary paths covering system installs, venv, and uv-managed Python installations.

Adds 2 regression tests verifying access: full and binaries sections.
Thanks @futhgar — your
Switch all 4 new presets from protocol: rest + tls: terminate to access: full (matches PR NVIDIA#36 fix for pypi/npm). Add binaries restriction to each preset so only openclaw and the relevant package manager can reach allowed endpoints (addresses NVIDIA#272).
…356)

* fix: repair pypi and npm policy presets for package manager traffic

  Closes #19. Two problems prevented pip install and npm install from working inside the sandbox even after applying the presets:

  1. Presets used tls: terminate with REST method rules, which breaks CONNECT tunneling that package managers need. Switched to access: full (matching the working github preset pattern). Credit: @futhgar (PR #36) identified this fix.
  2. Presets had no binaries section. Without it, OpenShell's proxy can't match pip/npm/node traffic to the policy and returns 403. Added binary paths covering system installs, venv, and uv-managed Python installations.

  Adds 2 regression tests verifying access: full and binaries sections.

* fix: use glob patterns for binary paths in pypi/npm presets

  OpenShell resolves symlinks before matching binaries. /usr/bin/python3 is a symlink to /usr/bin/python3.11 on Debian, so the exact path didn't match. Use python3* and node* globs to cover all versions.
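The regression check suggested in review, together with the binaries and glob-path fixes from the follow-up commits, sketched as one added example. It is not the project's test; the preset field layout (`network_policies`, `endpoints`, `binaries[].path`), the sample host, and the glob matcher are assumptions made for illustration.

```javascript
// Added example, not the project's test/policies.test.js. The preset objects are
// constructed stand-ins for parsed YAML; the layout (network_policies ->
// endpoints / binaries[].path) is an assumption.

// Collect problems for one parsed preset.
function lintPreset(name, preset) {
  const problems = [];
  for (const [policyName, policy] of Object.entries(preset.network_policies || {})) {
    const where = `${name}/${policyName}`;
    for (const ep of policy.endpoints || []) {
      if (ep.protocol === 'rest' || ep.tls === 'terminate') {
        // The combination the thread reports as rejecting CONNECT with 403.
        problems.push(`${where}: ${ep.host} uses protocol: rest / tls: terminate`);
      } else if (ep.access !== 'full') {
        problems.push(`${where}: ${ep.host} is missing access: full`);
      }
    }
    // Without binaries the proxy cannot tie pip/npm/node traffic to the policy.
    if (!Array.isArray(policy.binaries) || policy.binaries.length === 0) {
      problems.push(`${where}: no binaries section`);
    }
  }
  return problems;
}

// Simplified "*" glob applied to a symlink-resolved path. This models the
// behaviour described in the commit message; it is not OpenShell's matcher.
function globMatch(pattern, resolvedPath) {
  const body = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('[^/]*');
  return new RegExp(`^${body}$`).test(resolvedPath);
}

// Constructed sample presets: the "before" and "after" shapes.
const brokenPypi = { network_policies: { pypi: {
  endpoints: [{ host: 'pypi.org', port: 443, protocol: 'rest', tls: 'terminate' }],
} } };
const fixedPypi = { network_policies: { pypi: {
  endpoints: [{ host: 'pypi.org', port: 443, access: 'full' }],
  binaries: [{ path: '/usr/bin/python3*' }],
} } };

console.log(lintPreset('pypi', brokenPypi));
console.log(lintPreset('pypi', fixedPypi));
console.log(globMatch('/usr/bin/python3', '/usr/bin/python3.11'));
console.log(globMatch('/usr/bin/python3*', '/usr/bin/python3.11'));
```

With access: full the proxy no longer applies HTTP method rules, so the binaries list is the control that scopes which processes may reach the endpoint; the lint treats a missing list as a failure for that reason.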
Closes NVIDIA#20, NVIDIA#36, NVIDIA#46

## Summary

- Replace the external `rsync` dependency with built-in tar-over-SSH for file synchronization, using the `tar` crate to stream archives through the existing SSH proxy tunnel
- Add a new `nav sandbox sync` subcommand supporting bidirectional file transfer (`--up` to push local files, `--down` to pull sandbox files)
- Add sync workflow example in `examples/sync-files.md`

## Changes

| File | Change |
|---|---|
| `crates/navigator-cli/Cargo.toml` | Add `tar = "0.4"` dependency |
| `crates/navigator-cli/src/ssh.rs` | Remove `sandbox_rsync()`, add `sandbox_sync_up()`, `sandbox_sync_down()`, `sandbox_sync_up_files()` |
| `crates/navigator-cli/src/run.rs` | Add `sandbox_sync_command()` dispatcher, update re-exports, update `--sync` call site |
| `crates/navigator-cli/src/main.rs` | Add `Sync` variant to `SandboxCommands` with `--up`/`--down` flags |
| `architecture/sandbox-connect.md` | Rewrite File Sync section for tar-over-SSH and new command |
| `examples/sync-files.md` | New example walkthrough for sync workflows |

## New UX

```bash
# Push local files up to sandbox
nav sandbox sync my-sandbox --up ./src /sandbox/src

# Pull sandbox files down to local
nav sandbox sync my-sandbox --down /sandbox/output ./output

# Existing --sync flag on create still works (now uses tar internally)
nav sandbox create --sync -- python main.py
```

## Design

- **No new host dependencies**: `tar` crate handles archive creation/extraction in Rust; `ssh` is already required. The sandbox side uses the `tar` binary from the base image.
- **No new server-side infrastructure**: reuses the existing SSH tunnel, no new gRPC RPCs or gateway changes.
- **Bidirectional**: the same tar-pipe pattern works for both push and pull by reversing which side produces and which consumes the archive.
- **No compression** for v1 — the SSH tunnel is local-network; can add gzip via `flate2` later.

## Test Plan

- All existing tests pass (`mise run pre-commit` green: fmt, clippy, 206 Rust tests, 6 Python tests)
- Manual e2e testing required for actual sandbox sync operations
Summary

Fixes the pypi and npm policy presets so pip install and npm install work inside the sandbox.

Problem

Both presets used protocol: rest with tls: terminate, which intercepts TLS and restricts traffic to explicit HTTP method rules. Package managers like pip and npm establish HTTPS connections via CONNECT tunneling, which the TLS-terminating proxy rejects with 403 errors. Users see green checkmarks during onboarding but package installs fail later.

Fix

Switch both presets to access: full, matching the pattern already used by the github and npm_registry policies in the base sandbox config (openclaw-sandbox.yaml lines 88, 91, 149). This allows direct TLS passthrough so package managers can negotiate their own TLS sessions.

Changes

- nemoclaw-blueprint/policies/presets/pypi.yaml — switch endpoints to access: full
- nemoclaw-blueprint/policies/presets/npm.yaml — switch endpoints to access: full

Fixes #19