docs(policy): clarify brew preset requires pre-installed Homebrew (#3757)

[latenighthackathon]

Summary

Closes #3757 (also duplicates the earlier #1767 from 2026-04-10). Clarifies that the brew policy preset whitelists Homebrew network egress and binary paths but does not install Homebrew itself; users must bootstrap brew inside the sandbox once after applying the preset.

Problem

The brew preset's binary list includes /home/linuxbrew/.linuxbrew/bin/brew and the linuxbrew bin glob, alongside the bootstrap binaries /usr/bin/curl and /usr/bin/git. The bootstrap binaries are real and present in the sandbox base image, so the user can run the Homebrew install script. The linuxbrew paths are placeholders that become real once Homebrew is installed inside the sandbox.

Two QA reports (#1767 from 2026-04-10, #3757 from 2026-05-18) hit the same trap: apply the preset, connect into the sandbox, run brew install hello, get bash: brew: command not found. The preset description "Homebrew (Linuxbrew) package manager access" reads as if it provides the manager, not just the network policy for it.

Filesystem-permission caveat (root cause)

This PR is a docs-only band-aid. The Homebrew install script cannot actually succeed in the default sandbox today: /home/linuxbrew/ is not in filesystem_policy.read_write (Landlock denies writes), AND the sandbox runs as the unprivileged sandbox user with no sudo (Homebrew's install script's first step is sudo to create + chown /home/linuxbrew/.linuxbrew).

The root-cause fix lives in #3916, which bakes Homebrew core into the sandbox base image (mirroring the #3682 WeChat-plugin precedent) and adds /home/linuxbrew to the baseline read_write list. Once #3916 lands, users only need to apply the preset; the bootstrap step in this PR becomes optional (and would only matter for sandboxes built before the base-image rebuild).

Until #3916 ships, the bootstrap one-liner in this PR will return Homebrew's "Insufficient permissions" error on a fresh sandbox. The "Untar Anywhere" alternative under /sandbox/ works as a workaround but builds formulae from source (unsupported by Homebrew).

Approach

Documentation + preset description fix, no behavior change:

• nemoclaw-blueprint/policies/presets/brew.yaml - update the preset description to explicitly call out the pre-install requirement, add a file-header comment explaining why the linuxbrew paths are whitelisted before brew exists, and split the binary list into a bootstrap group (curl, git) and a post-install group (linuxbrew paths) with inline comments.
• docs/network-policy/customize-network-policy.mdx - the brew row in the presets table now links to the bootstrap walkthrough.
• docs/network-policy/integration-policy-examples.mdx - new "Homebrew Bootstrap" section after Package and Model Tooling. Shows the policy-add -> connect -> Homebrew install script -> brew shellenv -> brew install hello sequence.

Test plan

• prek run --files clean on all three modified files (yaml + 2 mdx)
• git grep "Homebrew (Linuxbrew) package manager" returns only the updated preset (no test fixture depends on the old description)
• Verified the preset YAML still parses (validated by the schema-check prek hook)

Signed-off-by: latenighthackathon latenighthackathon@users.noreply.github.com

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR clarifies that the brew network-policy preset requires Homebrew to be installed inside the sandbox, updates brew.yaml with explanatory comments and bootstrap-related binary whitelist notes, and adds user documentation with a one-time Homebrew bootstrap workflow and commands.

Changes

Homebrew Preset Bootstrap

Layer / File(s)	Summary
Homebrew preset policy and metadata nemoclaw-blueprint/policies/presets/brew.yaml	Preset description now states Homebrew must be installed inside the sandbox. Added comments and clarified /usr/bin/curl and /usr/bin/git whitelist entries as bootstrap tools and the rationale for post-install whitelisting under /home/linuxbrew/.linuxbrew/....
Homebrew bootstrap guidance and preset reference docs/network-policy/customize-network-policy.mdx, docs/network-policy/integration-policy-examples.mdx	Preset table entry updated with a Homebrew-in-sandbox requirement and link. New "Homebrew Bootstrap" subsection documents the one-time per-sandbox install workflow (apply preset, connect, run Homebrew install script, and configure brew shell environment) with concrete commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3799: Related network-policy documentation updates covering preset application and persistence semantics.

Suggested labels

documentation

Suggested reviewers

• miyoungc
• ericksoa

Poem

🐰 I hopped into docs with a curious brew,
A tiny install dance for users and crew,
Curl and git paved the sandbox trail,
Homebrew wakes where policies prevail,
Sip success — cheers from this rabbit too! 🥂

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: clarifying that the brew preset requires pre-installed Homebrew, which directly addresses the core issue reported in #3757.
Linked Issues check	✅ Passed	The PR directly addresses the primary objective from #3757 by updating documentation and preset description to clarify that the brew preset provides network access only and does not install the brew CLI, requiring users to manually install Homebrew first.
Out of Scope Changes check	✅ Passed	All changes are documentation and preset description updates directly related to clarifying the brew preset's scope; no runtime behavior changes or unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/network-policy/integration-policy-examples.mdx`:
- Line 243: Split the single source line containing two sentences into two
separate lines: keep "After the first install, `brew` is on the sandbox `PATH`
and subsequent `brew install <package>` calls work directly." as one line, and
place "The bootstrap is per-sandbox; recreating the sandbox requires re-running
the install." on the following line so each sentence is on its own source line
for diff readability.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7feb4c98-4a58-470d-bd91-6eb7036b6c2a

📥 Commits

Reviewing files that changed from the base of the PR and between 6d910d3 and 60f929a.

📒 Files selected for processing (3)

• docs/network-policy/customize-network-policy.mdx
• docs/network-policy/integration-policy-examples.mdx
• nemoclaw-blueprint/policies/presets/brew.yaml

[wscurran]

✨ Thanks for submitting this detailed PR about clarifying the brew preset requirements. This PR proposes a way to update the documentation and improve the brew policy preset to avoid confusion about Homebrew installation.

---

Related open issues:

• #1767 [all platform] brew policy preset is effectively unusable — binary brew not exist in sandbox
• #3757 [NemoClaw][Linux] Brew policy preset applies network rules but does not provision brew binary, so brew install step in test cannot succeed

[latenighthackathon]

Closing this docs-only PR in favor of #3916, which fixes the root cause by baking Homebrew into the sandbox base image. Will open a follow-up docs PR with up-to-date content if/when #3916 lands (or receive guidance from maintainers on preferred way to solve for this)!