
fix(policy): split Claude Code from permissive policies #4075

Merged: cv merged 2 commits into NVIDIA:main from 1PoPTRoN:fix/claude-code-permissive-policy on Jun 1, 2026

Conversation

1PoPTRoN (Contributor) commented May 22, 2026

Summary

Removes Claude Code-specific egress from the permissive sandbox policies and moves it behind an explicit claude-code preset. This keeps shields down from granting Anthropic/telemetry endpoints unless users intentionally opt into Claude Code access.

Related Issue

Fixes #4073

Changes

  • Removed the claude_code block from the global permissive policy.
  • Removed duplicated claude_code blocks from OpenClaw and Hermes agent-specific permissive policies.
  • Added a built-in claude-code policy preset with explicit REST rules and scoped binary allowlist.
  • Updated policy preset tests to include the new preset and block regressions where Claude Code hosts reappear in permissive policies.
  • Updated network policy docs to clarify that Claude Code direct egress is opt-in and separate from NemoClaw Anthropic inference routing.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Additional verification run:

  • npm run validate:configs passes
  • npm run build:cli passes
  • npx vitest run test/policies.test.ts passes
  • npx vitest run test/validate-blueprint.test.ts test/security-binaries-restriction.test.ts passes
  • git diff --check passes

Signed-off-by: 1PoPTRoN <vrxn.arp1traj@gmail.com>

Summary by CodeRabbit

  • New Features

    • Added a Claude Code configuration preset that must be explicitly applied to enable Claude Code CLI networking.
  • Changes

    • Removed Claude Code hosts and broad binary allow rules from permissive policy tiers so they are no longer implicitly allowed.
  • Documentation

    • Clarified that Claude Code direct access is excluded by default and requires the explicit preset; updated best-practices and network-policies reference.
  • Tests

    • Updated tests to include the new preset and verify Claude Code endpoints are isolated from permissive policies.


Copilot AI review requested due to automatic review settings May 22, 2026 16:20
copy-pr-bot Bot commented May 22, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai Bot (Contributor) commented May 22, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

Claude Code hosts and wildcard binary allow were removed from permissive sandbox policies and extracted into a new claude-code preset; docs and tests were updated to document the preset and validate that permissive configs no longer include Claude Code endpoints.

Changes

Claude Code Network Isolation

Layer: Remove Claude Code from default permissive policies
File(s): agents/hermes/policy-permissive.yaml, agents/openclaw/policy-permissive.yaml, nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
Summary: The claude_code network policy block is deleted from three permissive policy configurations, removing explicit network and binary allow entries for api.anthropic.com, statsig.anthropic.com, and sentry.io.

Layer: Introduce dedicated Claude Code preset
File(s): nemoclaw-blueprint/policies/presets/claude-code.yaml
Summary: Adds a claude-code preset that enforces GET/POST HTTPS allow rules for Anthropic/Statsig and Sentry hosts on port 443 and specifies executable path allowlists for the Claude Code CLI and Node runtime.

Layer: Document Claude Code isolation and validate preset behavior
File(s): docs/reference/network-policies.mdx, docs/security/best-practices.mdx, test/policies.test.ts
Summary: Reference and best-practices docs clarify that Claude Code egress is excluded from permissive modes and requires the claude-code preset; tests updated to expect the new preset and include validation ensuring permissive files omit Claude hosts while the preset contains the expected rules and binaries.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant PolicyResolver
  participant PresetFile
  participant AppliedPolicy
  participant ClaudeHosts
  User->>PolicyResolver: start sandbox (permissive policies without claude_code)
  User->>PresetFile: opt-in apply `claude-code` preset
  PresetFile->>PolicyResolver: provide `claude_code` rules
  PolicyResolver->>AppliedPolicy: merge preset into effective policy
  AppliedPolicy->>ClaudeHosts: allow GET/POST HTTPS to api.anthropic.com, statsig.anthropic.com, sentry.io

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

fix, enhancement: policy, Sandbox

Suggested reviewers

  • ericksoa

Poem

A rabbit hops through policies with care,
Claude Code waits now for an opt-in flair,
Preset tucked in, the gateways realign,
Docs and tests sing the guarded line,
Sandbox hops onward, deliberate and fair. 🐇✨

🚥 Pre-merge checks: ✅ 5 passed

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'fix(policy): split Claude Code from permissive policies' accurately describes the main change: removing Claude Code from permissive policy files and creating a separate preset.
Linked Issues check: ✅ Passed. The PR successfully addresses all coding requirements from issue #4073: removes claude_code blocks from all three permissive policy files (openclaw-sandbox-permissive.yaml, agents/openclaw/policy-permissive.yaml, agents/hermes/policy-permissive.yaml), creates the new claude-code preset with appropriate REST rules and binary allowlist, and adds validation tests to prevent regressions.
Out of Scope Changes check: ✅ Passed. All changes are directly related to the stated objective of splitting Claude Code from permissive policies: policy file modifications, new preset creation, test additions for validation, and documentation updates explaining the new separation; no unrelated changes detected.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
test/policies.test.ts (1)

1479-1498: ⚡ Quick win

Strengthen endpoint invariants in the Claude Code preset test.

This test already checks hosts and methods, but it can still pass if endpoint transport semantics drift. Please also assert port, protocol, and enforcement for each endpoint to prevent silent widening.

Suggested patch
       ) as {
         preset?: { name?: string };
         network_policies?: Record<
           string,
           {
-            endpoints?: Array<{ host?: string; access?: string; rules?: unknown[] }>;
+            endpoints?: Array<{
+              host?: string;
+              port?: number;
+              protocol?: string;
+              enforcement?: string;
+              access?: string;
+              rules?: unknown[];
+            }>;
             binaries?: Array<{ path?: string }>;
           }
         >;
       };
@@
       for (const endpoint of claudePolicy?.endpoints ?? []) {
+        expect(endpoint.port).toBe(443);
+        expect(endpoint.protocol).toBe("rest");
+        expect(endpoint.enforcement).toBe("enforce");
         expect(endpoint).not.toHaveProperty("access");
         expect(endpoint.rules).toEqual(
           expect.arrayContaining([
             { allow: { method: "GET", path: "/**" } },
             { allow: { method: "POST", path: "/**" } },
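Review bot: the transport values asserted here conflict with the same finding's AI-agent prompt below, which asks for `protocol === "https"` and `enforcement === "required"` while this patch asserts `toBe("rest")` and `toBe("enforce")`; only one pair can match what nemoclaw-blueprint/policies/presets/claude-code.yaml actually declares, so pin the three new expectations to the literal values in that file rather than to either prose description, otherwise the test either fails on first run or locks in the wrong invariant. The suggestion is also cut off after the second `allow` rule, so the closing of `arrayContaining` and of the `for` loop should be checked when the patch is applied.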
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/policies.test.ts` around lines 1479 - 1498, The test currently verifies
hosts and allowed methods for preset.network_policies?.claude_code but doesn't
lock down transport semantics; update the loop over claudePolicy?.endpoints to
also assert that each endpoint has port === 443, protocol === "https", and
enforcement === "required" (i.e., add expectations on endpoint.port,
endpoint.protocol, and endpoint.enforcement alongside the existing access/rules
checks) so transport/security widening is caught.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 65f1575a-aa80-41f6-b813-fd2f4dfc1790

📥 Commits

Reviewing files that changed from the base of the PR and between aac4073 and 9e3b66c.

📒 Files selected for processing (6)
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/reference/network-policies.mdx
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/presets/claude-code.yaml
  • test/policies.test.ts
💤 Files with no reviewable changes (3)
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
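As an added example (not code from the NemoClaw repository or from this PR), the following JavaScript implements the two invariants the review above is concerned with: permissive policies must contain no Claude Code host, and the opt-in preset must pin every endpoint to port 443, an explicit protocol/enforcement value and GET/POST-only rules, with no wildcard binary allow. The policy documents are constructed inline as plain objects mirroring the YAML shape the PR describes; the binary paths, the wildcard spelling `*`, and the default protocol/enforcement strings `rest`/`enforce` (which the review's patch and its prompt text disagree on) are assumptions. The permissive check deliberately refuses to pass on an empty document, so a parse or path-resolution failure cannot turn the regression guard into a vacuous pass.

```javascript
// Added example, not part of the NemoClaw repository: regression checks for
// the Claude Code / permissive-policy split. Policy documents are constructed
// inline as plain objects mirroring the YAML shape the PR describes
// (network_policies -> name -> { endpoints: [...], binaries: [...] }).

const CLAUDE_HOSTS = ["api.anthropic.com", "statsig.anthropic.com", "sentry.io"];
const GET_ALL = { allow: { method: "GET", path: "/**" } };
const POST_ALL = { allow: { method: "POST", path: "/**" } };

// Endpoint entries in the shape the suggested test patch expects. The
// protocol/enforcement strings are assumptions; they must match the real preset.
function claudeEndpoints(protocol = "rest", enforcement = "enforce") {
  return CLAUDE_HOSTS.map((host) => ({
    host, port: 443, protocol, enforcement, rules: [GET_ALL, POST_ALL],
  }));
}

// Constructed sample: a permissive policy after the split (no claude_code block).
const permissiveAfterFix = {
  network_policies: {
    github: {
      endpoints: [{ host: "github.com", port: 443, protocol: "rest", enforcement: "enforce", rules: [GET_ALL] }],
    },
  },
};

// Constructed sample: the pre-fix shape the regression test must reject,
// including the wildcard binary allow (assumed to be spelled "*").
const permissiveRegressed = {
  network_policies: {
    ...permissiveAfterFix.network_policies,
    claude_code: { endpoints: claudeEndpoints(), binaries: [{ path: "*" }] },
  },
};

// Constructed sample: the opt-in preset with a scoped binary allowlist (placeholder paths).
const claudeCodePreset = {
  preset: { name: "claude-code" },
  network_policies: {
    claude_code: {
      endpoints: claudeEndpoints(),
      binaries: [{ path: "/usr/local/bin/claude" }, { path: "/usr/bin/node" }],
    },
  },
};

// Flatten every endpoint of every named policy in a document.
function allEndpoints(doc) {
  return Object.values(doc.network_policies ?? {}).flatMap((p) => p.endpoints ?? []);
}

// A permissive policy must not reach any Claude Code host. The check refuses to
// pass vacuously: a document with no endpoints (e.g. a failed parse) is a problem.
function checkPermissivePolicy(doc) {
  const endpoints = allEndpoints(doc);
  const problems = [];
  if (endpoints.length === 0) problems.push("no endpoints found; cannot verify policy");
  for (const ep of endpoints) {
    if (CLAUDE_HOSTS.includes(ep.host)) problems.push(`claude host present: ${ep.host}`);
  }
  return { ok: problems.length === 0, problems };
}

// The preset must carry exactly the Claude hosts, each pinned to port 443 and the
// expected protocol/enforcement, with GET/POST allow rules only, no blanket
// "access" key, and only explicit (non-wildcard) binary paths.
function checkClaudePreset(doc, expected = { protocol: "rest", enforcement: "enforce" }) {
  const policy = doc.network_policies?.claude_code;
  if (!policy) return { ok: false, problems: ["claude_code block missing"] };
  const problems = [];
  const hosts = (policy.endpoints ?? []).map((ep) => ep.host).sort().join(",");
  if (hosts !== [...CLAUDE_HOSTS].sort().join(",")) problems.push(`unexpected host set: ${hosts}`);
  for (const ep of policy.endpoints ?? []) {
    if (ep.port !== 443) problems.push(`${ep.host}: port ${ep.port}`);
    if (ep.protocol !== expected.protocol) problems.push(`${ep.host}: protocol ${ep.protocol}`);
    if (ep.enforcement !== expected.enforcement) problems.push(`${ep.host}: enforcement ${ep.enforcement}`);
    if ("access" in ep) problems.push(`${ep.host}: blanket access key present`);
    for (const rule of ep.rules ?? []) {
      const method = rule.allow?.method;
      if (method !== "GET" && method !== "POST") problems.push(`${ep.host}: method ${method} not allowed`);
    }
  }
  for (const bin of policy.binaries ?? []) {
    if (!bin.path || bin.path.includes("*")) problems.push(`wildcard or empty binary path: ${bin.path}`);
  }
  return { ok: problems.length === 0, problems };
}

// Stand-alone run: print one verdict per document.
for (const [name, result] of [
  ["permissive (after fix)", checkPermissivePolicy(permissiveAfterFix)],
  ["permissive (regressed)", checkPermissivePolicy(permissiveRegressed)],
  ["claude-code preset", checkClaudePreset(claudeCodePreset)],
]) {
  console.log(name, result.ok ? "OK" : `FAIL: ${result.problems.join("; ")}`);
}
```

Passing a different `expected` object to `checkClaudePreset` is how a test would expose the protocol/enforcement disagreement: the preset either matches `rest`/`enforce` or `https`/`required`, never both, and the check reports one problem per mismatched field per host rather than stopping at the first.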

Copilot AI (Contributor) left a comment

Pull request overview

This PR tightens NemoClaw’s permissive (“shields down”) sandbox network policies by removing Claude Code–specific egress and reintroducing it only via an explicit claude-code policy preset, so Claude Code endpoints aren’t granted unless a user opts in.

Changes:

  • Removed claude_code endpoint blocks from the global and agent-specific permissive policy YAMLs.
  • Added a new built-in preset claude-code that scopes allowed endpoints and binaries for Claude Code.
  • Updated policy preset tests and docs to reflect the new opt-in behavior and prevent regressions.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Summary per file:

  • test/policies.test.ts: Updates preset counts/names and adds regression coverage ensuring Claude Code hosts don’t appear in permissive policies and exist only in the new preset.
  • nemoclaw-blueprint/policies/presets/claude-code.yaml: Introduces the new claude-code preset with explicit REST rules and a scoped binary allowlist.
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml: Removes the Claude Code network policy block from the global permissive policy.
  • agents/openclaw/policy-permissive.yaml: Removes the duplicated Claude Code block from OpenClaw’s permissive policy.
  • agents/hermes/policy-permissive.yaml: Removes the duplicated Claude Code block from Hermes’s permissive policy.
  • docs/reference/network-policies.mdx: Documents that Claude Code direct egress is opt-in via claude-code and separate from inference routing.


Comment thread docs/reference/network-policies.mdx Outdated

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
docs/security/best-practices.mdx (1)

163-163: ⚡ Quick win

Use one sentence per source line in these table cells.

Both rows place multiple sentences on a single source line; split them so each sentence is on its own line.

As per coding guidelines, "One sentence per line in source (makes diffs readable). Flag paragraphs where multiple sentences appear on the same line."

Also applies to: 517-517

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security/best-practices.mdx` at line 163, The table cell for the
`claude-code` preset contains multiple sentences on one source line; split that
cell so each sentence is on its own source line (e.g., break "Allows a
separately installed Claude Code CLI to reach Anthropic and telemetry hosts with
its own credentials. Do not use this preset for NemoClaw inference routing."
into two lines). Apply the same one-sentence-per-line fix to the other affected
table row (the row referenced as also applying at 517-517) so every sentence in
each table cell is on its own source line.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1d323874-4538-419a-82f2-44450c2fac87

📥 Commits

Reviewing files that changed from the base of the PR and between 9e3b66c and 59d6122.

📒 Files selected for processing (3)
  • docs/reference/network-policies.mdx
  • docs/security/best-practices.mdx
  • test/policies.test.ts
✅ Files skipped from review due to trivial changes (1)
  • docs/reference/network-policies.mdx

@1PoPTRoN 1PoPTRoN force-pushed the fix/claude-code-permissive-policy branch 2 times, most recently from 19baf90 to 16ed019 Compare May 22, 2026 17:27

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
docs/security/best-practices.mdx (1)

163-163: ⚡ Quick win

Split sentences to one-per-line in source.

Line 163, Line 446, and Line 517 each contain multiple sentences on the same source line. Please split them so each sentence is on its own line.

As per coding guidelines, "One sentence per line in source (makes diffs readable)."

Also applies to: 446-446, 517-517

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security/best-practices.mdx` at line 163, The table row containing the
`claude-code` preset currently has multiple sentences on one source line; split
that row so each sentence is on its own line (e.g., break after "telemetry, and
crash-report endpoints." and after "with its own credentials."), and do the same
for the other two occurrences flagged (the other multiline-sentence source
lines) so each sentence occupies its own line in the markdown source; this keeps
the `claude-code` table entry and the two other affected paragraphs
one-sentence-per-line as required.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c392c355-1f77-42af-840b-ee394117468a

📥 Commits

Reviewing files that changed from the base of the PR and between 59d6122 and 16ed019.

📒 Files selected for processing (7)
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/reference/network-policies.mdx
  • docs/security/best-practices.mdx
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/presets/claude-code.yaml
  • test/policies.test.ts
💤 Files with no reviewable changes (3)
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml

1PoPTRoN (Contributor, Author) commented:

@cv @ericksoa could you kindly take a look at this when you get a chance? Would appreciate your review/guidance on whether this is aligned with the expected policy direction.

@1PoPTRoN 1PoPTRoN force-pushed the fix/claude-code-permissive-policy branch from 16ed019 to aa1c4cb Compare May 24, 2026 16:11
1PoPTRoN (Contributor, Author) commented:

@ericksoa @cv @jyaunches

@1PoPTRoN 1PoPTRoN force-pushed the fix/claude-code-permissive-policy branch from aa1c4cb to 786f3a1 Compare May 25, 2026 10:53

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
test/policies.test.ts (1)

1438-1449: 💤 Low value

Consider using parseRepoYaml helper for consistency.

This test section uses direct fs.readFileSync/YAML.parse while nearby refactored code uses the new parseRepoYaml helper. Using the helper would maintain consistency with the rest of the file.

♻️ Suggested refactor
      for (const relativePath of permissivePolicyPaths) {
-       const parsed = YAML.parse(
-         fs.readFileSync(path.join(REPO_ROOT, relativePath), "utf-8"),
-       ) as {
+       const parsed = parseRepoYaml(relativePath) as {
          network_policies?: Record<string, { endpoints?: Array<{ host?: string }> }>;
        };
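Review bot: replacing `fs.readFileSync(path.join(REPO_ROOT, relativePath), "utf-8")` with `parseRepoYaml(relativePath)` changes how the path is resolved and, if the helper is asynchronous (the prompt text itself allows for "or await if it's async"), makes `parsed` a Promise whose `network_policies` is `undefined`; since the assertion that follows only checks that no Claude host is present, an unresolved or empty document would pass vacuously and the regression guard would be silently disabled. Before accepting the refactor, confirm `parseRepoYaml` is synchronous and resolves against the same repo root, and add a positive check inside the loop, for example `expect(parsed.network_policies).toBeDefined()` or an assertion that at least one endpoint was read, so the negative host check cannot succeed on nothing.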
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/policies.test.ts` around lines 1438 - 1449, The test reads and parses
YAML with fs.readFileSync/YAML.parse; replace that with the existing
parseRepoYaml helper to stay consistent: for each relativePath in
permissivePolicyPaths call parseRepoYaml(relativePath) (or await if it's async)
and assign the result to parsed, then proceed to assert parsed.network_policies,
extract hosts and compare against claudeHosts as before; update references to
REPO_ROOT removal if parseRepoYaml handles repo root resolution and ensure you
use the same parsed shape expected by the subsequent code.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9fa27531-ab12-4f58-9adc-eff9b0d1ab2b

📥 Commits

Reviewing files that changed from the base of the PR and between aa1c4cb and 786f3a1.

📒 Files selected for processing (7)
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/reference/network-policies.mdx
  • docs/security/best-practices.mdx
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/presets/claude-code.yaml
  • test/policies.test.ts
💤 Files with no reviewable changes (3)
  • agents/openclaw/policy-permissive.yaml
  • agents/hermes/policy-permissive.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
✅ Files skipped from review due to trivial changes (2)
  • docs/reference/network-policies.mdx
  • docs/security/best-practices.mdx

@wscurran wscurran added enhancement: policy provider: anthropic Anthropic or Claude provider behavior labels May 26, 2026
wscurran (Contributor) commented:

✨ Thanks for submitting this detailed PR about splitting Claude Code from permissive policies. This proposes a way to remove Claude Code-specific egress from the permissive sandbox policies and move it behind an explicit preset, keeping shields down from granting Anthropic/telemetry endpoints unless users intentionally opt into Claude Code access.


Related open issues:

@1PoPTRoN 1PoPTRoN force-pushed the fix/claude-code-permissive-policy branch from 786f3a1 to b291ab1 Compare May 30, 2026 03:31
Signed-off-by: 1PoPTRoN <vrxn.arp1traj@gmail.com>
@1PoPTRoN 1PoPTRoN force-pushed the fix/claude-code-permissive-policy branch from b291ab1 to 77f29f2 Compare June 1, 2026 11:34
1PoPTRoN (Contributor, Author) commented Jun 1, 2026

@cv @ericksoa @jyaunches Kindly have a look into it when you free.

@cv cv added the v0.0.57 Release target label Jun 1, 2026
@cv cv merged commit 41b2b97 into NVIDIA:main Jun 1, 2026
19 checks passed
@wscurran wscurran added area: policy Network policy, egress rules, presets, or sandbox policy bug-fix PR fixes a bug or regression labels Jun 3, 2026
@wscurran wscurran added feature PR adds or expands user-visible functionality and removed fix labels Jun 3, 2026
@wscurran wscurran removed the feature PR adds or expands user-visible functionality label Jun 9, 2026

Labels

area: policy Network policy, egress rules, presets, or sandbox policy bug-fix PR fixes a bug or regression provider: anthropic Anthropic or Claude provider behavior v0.0.57 Release target


Development

Successfully merging this pull request may close these issues.

Permissive sandbox policies include Claude Code endpoints without explicit opt-in

5 participants