docs(network-policy): clarify approval and preset persistence #3799

Merged: ericksoa merged 5 commits into NVIDIA:main from Iamkewl:docs/policy-clarifications-3772-3774, May 19, 2026

@Iamkewl Iamkewl commented May 19, 2026

Contributor

Summary

Clarifies that TUI approvals are session-only and points readers to persistent policy options.
Updates the walkthrough instructions to note repo-root and sandbox prerequisites, and separates baseline edits from live policy-add usage.

Related Issue

Fixes #3772
Fixes #3773
Fixes #3774

Changes

  • Clarify approval persistence and add a pointer to baseline policy guidance in approve-network-requests.md.
  • Add walkthrough prerequisites for repo context and an onboarded sandbox in approve-network-requests.md.
  • Separate baseline policy edits from live preset application guidance in customize-network-policy.md.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Suryaansh <Suryaansh.aa@gmail.com>

Summary by CodeRabbit

  • Documentation
    • Clarified that approved network endpoints are session-only and not persisted across sandbox restarts
    • Added guidance on how to make endpoint allowances survive restarts via policy customization or presets
    • Split flows for applying built-in presets to the baseline versus applying them dynamically to a running sandbox
    • Revised walkthrough to clarify execution and persistence expectations
    • Clarified blueprint-level policy merge/apply behavior and how recorded presets can be removed by name

copy-pr-bot Bot commented May 19, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai Bot commented May 19, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a161923c-c9bf-4091-8e88-cd28cbb97e8e

📥 Commits

Reviewing files that changed from the base of the PR and between 1b32c16 and 301c24c.

📒 Files selected for processing (2)
  • docs/network-policy/approve-network-requests.mdx
  • docs/network-policy/customize-network-policy.mdx
✅ Files skipped from review due to trivial changes (2)
  • docs/network-policy/customize-network-policy.mdx
  • docs/network-policy/approve-network-requests.mdx

📝 Walkthrough

Docs clarify that TUI approvals are session-only (not persisted) and distinguish merging presets into the baseline YAML vs using nemoclaw <name> policy-add for live sandboxes; the walkthrough now requires running ./scripts/walkthrough.sh from the NemoClaw repo root after onboarding at least one sandbox.

Changes

Network Policy Persistence and Operation

| Layer / File(s) | Summary |
|---|---|
| Static baseline edits versus dynamic runtime changes / docs/network-policy/customize-network-policy.md, docs/network-policy/customize-network-policy.mdx | Clarifies two update paths: merge a built-in preset's network_policies into openclaw-sandbox.yaml and re-run nemoclaw onboard for static persistence, or use nemoclaw <name> policy-add to apply a preset to a running sandbox (session-only). Adjusts wording about blueprint validation, sandbox registry preset recording/removal, and related bullet text. |
| Approval persistence and walkthrough prerequisites / docs/network-policy/approve-network-requests.md, docs/network-policy/approve-network-requests.mdx | Adds explicit note that TUI-approved endpoints remain allowed only until the sandbox stops and are not saved to the baseline policy file; adds a “To keep an endpoint allowed after a restart…” note pointing to customization/preset guidance. Updates walkthrough wording and prerequisites to require running ./scripts/walkthrough.sh from the NemoClaw repository root after onboarding at least one sandbox. |

Sequence Diagram(s)

sequenceDiagram
  participant Operator
  participant Repo as openclaw-sandbox.yaml
  participant NemoClawCLI as "nemoclaw <name> policy-add"
  participant Sandbox as RunningSandbox

  Operator->>Repo: edit/merge preset into openclaw-sandbox.yaml
  Repo->>NemoClawCLI: run `nemoclaw onboard` / rebuild
  NemoClawCLI->>Sandbox: apply baseline during sandbox creation
  Operator->>NemoClawCLI: run `nemoclaw <name> policy-add`
  NemoClawCLI->>Sandbox: fetch live policy, merge preset, set live policy

Estimated code review effort:
🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I hopped through docs to chase the night,
Cleared when approvals stay and when they flight—
Session-only nods will fade at stop,
YAML or preset keeps them on top!
(snacks awarded)

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly summarizes the main change: clarifying approval and preset persistence across network policy documentation. |
| Linked Issues check | ✅ Passed | All linked issues (#3772, #3773, #3774) requirements are met: persistence of approvals clarified; static vs dynamic changes separated; walkthrough prerequisites (repo root, onboarded sandbox) specified. |
| Out of Scope Changes check | ✅ Passed | All changes are within scope—purely documentation updates across network policy files addressing the three linked issues without modifying code or adding unrelated content. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (2)
docs/network-policy/approve-network-requests.md (1)

69-70: ⚡ Quick win

Keep each sentence on a single source line for docs diffs.

Lines 69-70, 74-75, and 82-83 split single sentences across multiple lines; this breaks the docs formatting rule for sentence-per-line source formatting.

Suggested edit
-To keep an endpoint allowed after a restart, update the policy YAML or apply a preset as described in
-[Customize the Sandbox Network Policy](customize-network-policy.md).
+To keep an endpoint allowed after a restart, update the policy YAML or apply a preset as described in [Customize the Sandbox Network Policy](customize-network-policy.md).
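
Review bot: In the first joined sentence, "apply a preset" is offered as a way to keep an endpoint allowed after a restart, but the walkthrough summary on this page describes applying a preset to a running sandbox with `nemoclaw <name> policy-add` as session-only. Suggest naming the persistent path explicitly in this sentence, for example merging the preset into the baseline policy YAML, so that a reader does not assume a live preset application survives a sandbox restart.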

-From the NemoClaw repository root, run the walkthrough script after you have onboarded at least one
-sandbox and it is reachable:
+From the NemoClaw repository root, run the walkthrough script after you have onboarded at least one sandbox and it is reachable:

-The walkthrough requires tmux and the `NVIDIA_API_KEY` environment variable, and it assumes an
-existing sandbox to attach to.
+The walkthrough requires tmux and the `NVIDIA_API_KEY` environment variable, and it assumes an existing sandbox to attach to.

As per coding guidelines, "One sentence per line in source (makes diffs readable). Flag paragraphs where multiple sentences appear on the same line."

Also applies to: 74-75, 82-83

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/network-policy/approve-network-requests.md` around lines 69 - 70, The
sentences that are currently split across lines must be converted to one
sentence per source line: put the entire sentence "To keep an endpoint allowed
after a restart, update the policy YAML or apply a preset as described in
[Customize the Sandbox Network Policy](customize-network-policy.md)." on a
single line, and similarly join the sentence currently split across lines 74-75
into one line and the sentence split across lines 82-83 into one line so each
sentence occupies exactly one source line.

docs/network-policy/customize-network-policy.md (1)

57-58: ⚡ Quick win

Use single-line source sentences in these new paragraphs.

Lines 57-58 and 60-61 wrap each sentence across multiple lines; please keep each sentence on one source line to match docs formatting standards.

As per coding guidelines, "One sentence per line in source (makes diffs readable). Flag paragraphs where multiple sentences appear on the same line."

Also applies to: 60-61

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/network-policy/customize-network-policy.md` around lines 57 - 58, Split
the wrapped sentences so each sentence occupies its own source line: locate the
paragraph that begins "If you want a built-in preset to be part of the baseline
policy, merge its `network_policies` entries into this file and re-run `nemoclaw
onboard`" and the nearby paragraph two lines below, and reflow them so every
sentence is on a single source line (one sentence per line) to conform to the
docs formatting standard.

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/network-policy/approve-network-requests.md`:
- Around line 69-70: The sentences that are currently split across lines must be
converted to one sentence per source line: put the entire sentence "To keep an
endpoint allowed after a restart, update the policy YAML or apply a preset as
described in [Customize the Sandbox Network
Policy](customize-network-policy.md)." on a single line, and similarly join the
sentence currently split across lines 74-75 into one line and the sentence split
across lines 82-83 into one line so each sentence occupies exactly one source
line.

In `@docs/network-policy/customize-network-policy.md`:
- Around line 57-58: Split the wrapped sentences so each sentence occupies its
own source line: locate the paragraph that begins "If you want a built-in preset
to be part of the baseline policy, merge its `network_policies` entries into
this file and re-run `nemoclaw onboard`" and the nearby paragraph two lines
below, and reflow them so every sentence is on a single source line (one
sentence per line) to conform to the docs formatting standard.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f3f32751-dea2-4c5d-bef8-c00a80a0802a

📥 Commits

Reviewing files that changed from the base of the PR and between c9479ea and d7e5e83.

📒 Files selected for processing (2)
  • docs/network-policy/approve-network-requests.md
  • docs/network-policy/customize-network-policy.md

@wscurran

Contributor

✨ Thanks for submitting this detailed PR about clarifying network policy approval and preset persistence in the documentation. This proposes a way to improve the documentation by separating baseline edits from live preset application guidance and adding walkthrough prerequisites.


Related open issues:

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

@ericksoa ericksoa left a comment

Contributor

Looks good. I verified the live versus persistent policy semantics, updated the rendered Fern MDX pages so the public docs receive the clarification, and reran focused docs validation: git diff --check, docs:strict, docs-to-skills dry runs, and local link checks.

@ericksoa ericksoa enabled auto-merge (squash) May 19, 2026 21:05

Iamkewl commented May 19, 2026

Contributor Author

Cool! thanks a ton @ericksoa!
Let me know any feedback for future PRs!

@ericksoa ericksoa merged commit abae70f into NVIDIA:main May 19, 2026
18 of 20 checks passed
@wscurran added the labels bug-fix (PR fixes a bug or regression) and area: docs (Documentation, examples, guides, or docs build) and removed the fix label, Jun 3, 2026
Labels

  • area: docs (Documentation, examples, guides, or docs build)
  • bug-fix (PR fixes a bug or regression)

3 participants