fix(policy): clarify Jira curl validation after reopen

[chengjiew]

Summary

• Clarify that plain curl -s https://auth.atlassian.com empty output is inconclusive before or after approval.
• Keep users pointed at the body-visible Jira validation probe introduced by fix(policy): make Jira curl validation observable #4579: api.atlassian.com/oauth/token/accessible-resources.
• Update docs, generated skill references, release notes, and the policy warning regression test so the reopen path is explicit.

Root Cause

This does not change Jira policy enforcement. #4579 already made the runtime validation observable and covered TC-NET-08 with network-policy E2E. The reopen happened because QA re-tested v0.0.56 with the older auth.atlassian.com curl -s probe; that endpoint can return an empty redirect body even when reachable, so the old probe makes blocked and allowed cases look the same.

Tests

• npm run build:cli
• npx vitest run test/policies.test.ts
• npm run docs:check-agent-variants
• npm run test-size:check
• python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user --doc-platform fern-mdx --dry-run
• git diff --check

Local hook note

• git commit/git push hooks were attempted, but the full local CLI coverage hook timed out across unrelated CLI suites on this machine. The focused validation above passed, and this PR is docs/CLI-warning scoped.

Fixes #3758

Signed-off-by: Chengjie Wang chengjiew@nvidia.com

Summary by CodeRabbit

• Documentation
  • Updated release notes and guidance to improve Jira/Atlassian validation instructions and recommend body-visible API probes.
  • Clarified that empty curl -s/empty API responses are inconclusive and should not be used as pass/fail signals.
• Bug Fixes / Messaging
  • Refined validation warning text to reflect the above guidance.
• Tests
  • Adjusted test expectation to match the updated warning wording.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 54a381ac-40e8-4180-92bf-3d2ea8c1a6eb

📥 Commits

Reviewing files that changed from the base of the PR and between ca3fbd9 and 048e579.

📒 Files selected for processing (1)

• docs/network-policy/integration-policy-examples.mdx

🚧 Files skipped from review as they are similar to previous changes (1)

• docs/network-policy/integration-policy-examples.mdx

---

📝 Walkthrough

Walkthrough

This PR clarifies Jira preset validation guidance: it updates the warning message and its test to state that empty curl -s responses are inconclusive, and updates release notes and integration docs to recommend a Node HTTPS status probe plus a body-visible Atlassian API probe.

Changes

Jira Policy Validation Guidance

Layer / File(s)	Summary
Jira validation warning implementation and test src/lib/policy/index.ts, test/policies.test.ts	The Jira preset validation warning message was updated to note that empty curl redirect/body output is inconclusive and to direct users to body-visible API probes. The unit test assertion was updated to expect the new inconclusive phrase.
Documentation and release notes updates .agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md, .agents/skills/nemoclaw-user-overview/references/release-notes.md, docs/network-policy/integration-policy-examples.mdx, docs/about/release-notes.mdx	Reference docs and release notes updated to align with the new guidance: recommend a Node HTTPS status probe and a body-visible api.atlassian.com/oauth/token/accessible-resources curl probe, and warn that curl -s to auth.atlassian.com may produce empty output and is not a reliable pass/fail signal.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• prekshivyas
• cv

Poem

A rabbit reads docs by soft lamp light,
Hops in the code to make the warning right.
"Empty curl? Don't trust that cue—
Probe for bodies, and you'll see through." 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(policy): clarify Jira curl validation after reopen' directly relates to the main change—clarifying curl validation behavior for Jira policy when reopening access.
Linked Issues check	✅ Passed	The PR addresses issue #3758 by clarifying that empty curl output is inconclusive, documenting the body-visible probe approach, and updating related tests and documentation as required.
Out of Scope Changes check	✅ Passed	All changes are scoped to documentation, generated skill references, release notes, and related policy warning test updates—all directly supporting the curl validation clarification objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/3758_reopen-validation-proof

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-5172.docs.buildwithfern.com/nemoclaw

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: network-policy-e2e, docs-validation-e2e

Dispatch hint: network-policy-e2e,docs-validation-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None.

Optional E2E

• network-policy-e2e (high): Optional confidence check for the adjacent real sandbox policy-add Jira path. It already exercises Jira per-binary policy enforcement and body-visible api.atlassian.com curl probing, but this PR only changes warning text, so it should not be merge-blocking.
• docs-validation-e2e (low): Optional validation for the changed docs and generated skill references if reviewers want extra assurance beyond normal docs/link checks.

New E2E recommendations

• network-policy CLI warning text (low): Existing live network-policy E2E validates Jira enforcement and probes, but does not appear to assert that policy-add/dry-run emits the intended Jira validation guidance text. A lightweight hermetic CLI E2E could prevent future misleading validation instructions without provisioning a full sandbox.
  • Suggested test: Add a hermetic CLI E2E for nemoclaw <sandbox> policy-add jira --dry-run that asserts the body-visible api.atlassian.com probe guidance and rejects auth.atlassian.com curl -s as a pass/fail signal.

Dispatch hint

• Workflow: .github/workflows/nightly-e2e.yaml
• jobs input: network-policy-e2e,docs-validation-e2e

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: None
Optional Vitest E2E scenarios: None

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required Vitest E2E scenarios

• None. Changes are limited to documentation, a unit test outside test/e2e-scenario/, and Jira policy validation warning text in src/lib/policy/index.ts. The trusted live-supported Vitest scenarios do not exercise this policy-add warning output, so no Vitest scenario dispatch is required.

Optional Vitest E2E scenarios

• None.

Relevant changed files

• None.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

docs/network-policy/integration-policy-examples.mdx (1)

2-3: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the required SPDX header format for MDX.

For .mdx, the SPDX header must use Markdown/HTML comment form per repo rule; the current # lines in frontmatter do not match the required format.

As per coding guidelines, *.md/*.mdx files must carry SPDX headers and Markdown-family files should use HTML comments for that header.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/network-policy/integration-policy-examples.mdx` around lines 2 - 3, The
SPDX frontmatter in integration-policy-examples.mdx uses '#' lines; update it to
the required Markdown/HTML comment form by replacing the two header lines (the
SPDX-FileCopyrightText and SPDX-License-Identifier) with an HTML comment block
such as <!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION &
AFFILIATES. All rights reserved. --> and <!-- SPDX-License-Identifier:
Apache-2.0 --> so the SPDX-... symbols remain identical but are wrapped in HTML
comments for MDX.

Source: Coding guidelines

.agents/skills/nemoclaw-user-overview/references/release-notes.md (1)

1-2: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add required SPDX header for this Markdown file.

This release-notes .md file is missing the mandatory SPDX copyright and license header.

As per coding guidelines, all *.md/*.mdx sources must include SPDX headers using HTML comments for Markdown files.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/skills/nemoclaw-user-overview/references/release-notes.md around
lines 1 - 2, The release-notes.md file is missing the required SPDX header; add
an HTML comment SPDX header at the very top of the file (for example an HTML
comment containing SPDX-FileCopyrightText and SPDX-License-Identifier) so this
Markdown follows the project's *.md/*.mdx SPDX header requirement; update the
top of release-notes.md to include the correct SPDX header lines.

Source: Coding guidelines

.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md (1)

1-2: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add required SPDX header for Markdown files.

This .md file is missing the required SPDX copyright and license header in Markdown comment form.

As per coding guidelines, all *.md/*.mdx files must include SPDX headers, using HTML comments for Markdown files.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
@.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md
around lines 1 - 2, This Markdown file lacks the required SPDX header; add an
HTML comment SPDX header at the very top of the file (above the existing "#
Common NemoClaw Integration Policy Examples" heading) that includes the
SPDX-FileCopyrightText line with the appropriate year/owner and the
SPDX-License-Identifier line with the proper license identifier (e.g.,
Apache-2.0), ensuring the header is in HTML comment form so it remains a
Markdown comment.

Source: Coding guidelines

🧹 Nitpick comments (1)

docs/about/release-notes.mdx (1)

156-156: Consider breaking this into one sentence per line.

This bullet point contains three sentences on the same line. The docs style guide requires one sentence per line to make diffs more readable. However, this compact style is used consistently throughout the release notes file.

Suggested format

-- Jira policy validation guidance now matches the maintained preset. Use a Node HTTPS status probe for Atlassian API access and the body-visible `api.atlassian.com/oauth/token/accessible-resources` curl probe when validating approved requests manually. Plain `curl -s` against `auth.atlassian.com` can return empty output even when reachable, so it is not a pass/fail signal.
+- Jira policy validation guidance now matches the maintained preset.
+  Use a Node HTTPS status probe for Atlassian API access and the body-visible `api.atlassian.com/oauth/token/accessible-resources` curl probe when validating approved requests manually.
+  Plain `curl -s` against `auth.atlassian.com` can return empty output even when reachable, so it is not a pass/fail signal.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/about/release-notes.mdx` at line 156, The release-notes bullet currently
contains three sentences on a single line; split that bullet into one sentence
per line so each sentence in the Jira policy validation guidance becomes its own
line. Locate the bullet text starting with "Jira policy validation guidance now
matches the maintained preset." and break it into three separate lines: one for
the statement about matching the preset, one for using a Node HTTPS status probe
and the body-visible curl probe for Atlassian API access, and one noting that
plain `curl -s` against `auth.atlassian.com` can return empty output and is not
a pass/fail signal.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
@.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md:
- Around line 1-2: This Markdown file lacks the required SPDX header; add an
HTML comment SPDX header at the very top of the file (above the existing "#
Common NemoClaw Integration Policy Examples" heading) that includes the
SPDX-FileCopyrightText line with the appropriate year/owner and the
SPDX-License-Identifier line with the proper license identifier (e.g.,
Apache-2.0), ensuring the header is in HTML comment form so it remains a
Markdown comment.

In @.agents/skills/nemoclaw-user-overview/references/release-notes.md:
- Around line 1-2: The release-notes.md file is missing the required SPDX
header; add an HTML comment SPDX header at the very top of the file (for example
an HTML comment containing SPDX-FileCopyrightText and SPDX-License-Identifier)
so this Markdown follows the project's *.md/*.mdx SPDX header requirement;
update the top of release-notes.md to include the correct SPDX header lines.

In `@docs/network-policy/integration-policy-examples.mdx`:
- Around line 2-3: The SPDX frontmatter in integration-policy-examples.mdx uses
'#' lines; update it to the required Markdown/HTML comment form by replacing the
two header lines (the SPDX-FileCopyrightText and SPDX-License-Identifier) with
an HTML comment block such as <!-- SPDX-FileCopyrightText: Copyright (c) 2026
NVIDIA CORPORATION & AFFILIATES. All rights reserved. --> and <!--
SPDX-License-Identifier: Apache-2.0 --> so the SPDX-... symbols remain identical
but are wrapped in HTML comments for MDX.

---

Nitpick comments:
In `@docs/about/release-notes.mdx`:
- Line 156: The release-notes bullet currently contains three sentences on a
single line; split that bullet into one sentence per line so each sentence in
the Jira policy validation guidance becomes its own line. Locate the bullet text
starting with "Jira policy validation guidance now matches the maintained
preset." and break it into three separate lines: one for the statement about
matching the preset, one for using a Node HTTPS status probe and the
body-visible curl probe for Atlassian API access, and one noting that plain
`curl -s` against `auth.atlassian.com` can return empty output and is not a
pass/fail signal.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f128f4ab-03e9-4961-8e9e-6422ef8fd748

📥 Commits

Reviewing files that changed from the base of the PR and between e1240df and eb71373.

📒 Files selected for processing (6)

• .agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md
• .agents/skills/nemoclaw-user-overview/references/release-notes.md
• docs/about/release-notes.mdx
• docs/network-policy/integration-policy-examples.mdx
• src/lib/policy/index.ts
• test/policies.test.ts

[github-actions]

PR Review Advisor

Findings: 1 needs attention, 3 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 3 still apply, 0 new items found

Review findings

🛠️ Needs attention

• Linked Jira issue still asks for an auth.atlassian.com before/after approval signal (docs/network-policy/integration-policy-examples.mdx:215): Issue [NemoClaw][Linux] Jira policy preset does not enforce expected per‑binary network behavior for curl vs Node #3758's literal Expected section asks for curl to auth.atlassian.com to be locally blocked before approval and to succeed with 200/301 after approval. This PR instead documents auth.atlassian.com curl -s output as inconclusive and redirects the manual proof to api.atlassian.com/oauth/token/accessible-resources, where the post-approval success signal is an unauthenticated 401 JSON response. That may be the right validation design, but it does not directly satisfy the linked issue while the PR says Fixes [NemoClaw][Linux] Jira policy preset does not enforce expected per‑binary network behavior for curl vs Node #3758.
  • Recommendation: Either update or explicitly confirm the linked issue acceptance so the api.atlassian.com accessible-resources 401 probe is the intended closure criterion, or add enforcement/runtime evidence showing why the original auth.atlassian.com 200/301 before/after approval clause is no longer required.
  • Evidence: Issue [NemoClaw][Linux] Jira policy preset does not enforce expected per‑binary network behavior for curl vs Node #3758 Expected: "Before approval: curl is locally blocked..." and "After approval: curl succeeds with 200/301...". Changed docs now say: "An empty curl -s output from that endpoint is inconclusive before or after approval" and "After explicitly approving curl for api.atlassian.com... return Atlassian's unauthenticated 401 JSON response."

🔎 Worth checking

• Source-of-truth review needed: Jira validation docs and generated user skills: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: docs/CONTRIBUTING.md says docs/ is the source of truth and generated .agents/skills/nemoclaw-user-* files should not be edited manually. This PR edits .agents/skills files, while skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md still documents the old auth.atlassian.com status probe with 301/200 post-approval guidance.
• Generated user skill documentation is not updated from a single source of truth (.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md:205): The PR edits generated .agents user-skill copies directly while repository documentation says docs/ is the source of truth and generated .agents/skills/nemoclaw-user-* files should not be edited manually. At the same time, the root skills/ generated copies still contain the old Jira auth.atlassian.com status-only curl probe, so users can receive contradictory validation guidance depending on which skill surface is consumed.
  • Recommendation: Keep the source docs as the authoritative change and either regenerate every shipped generated user-skill output consistently or document that the root skills/ tree is intentionally excluded/unshipped. Add a parity check or generation dry-run that catches stale Jira validation text across generated skill outputs.
  • Evidence: docs/CONTRIBUTING.md says "The docs/ directory is the source of truth" and "Never edit generated skill files under .agents/skills/nemoclaw-user-*/". The PR changes .agents/skills copies, but skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md still says "Use an explicit status probe instead" and shows curl against https://auth.atlassian.com with 301/200 post-approval guidance.
• Runtime validation is still missing for the security-sensitive Jira policy probe (test/policies.test.ts:486): The changed unit test checks only string fragments in getPresetValidationWarning. It does not prove the Jira preset still blocks curl before approval, allows Node HTTPS to api.atlassian.com, or makes the explicit post-approval curl probe reach Atlassian without credentials. For a network-policy validation path, this leaves the security posture dependent on documentation text rather than behavioral evidence.
  • Recommendation: Add or identify a sandbox/network-policy integration test for the Jira preset that covers blocked pre-approval curl, allowed Node HTTPS, and explicit post-approval curl to api.atlassian.com returning unauthenticated 401 JSON. Also assert that the dry-run CLI warning surfaces the same actionable guidance.
  • Evidence: test/policies.test.ts now asserts the warning contains "inconclusive before or after approval", "api.atlassian.com/oauth/token/accessible-resources", "401 JSON", and "Node HTTPS". nemo claw-blueprint/policies/presets/jira.yaml still lists only node binaries, but no changed test exercises that policy at runtime.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — Validate `nemoclaw <sandbox> policy-add jira --dry-run` surfaces the full Jira warning, including auth.atlassian.com as inconclusive and api.atlassian.com/oauth/token/accessible-resources as the body-visible probe.. Unit string coverage is useful for the helper text, but the linked issue and security risk are about sandbox network-policy behavior and manual before/after approval observability.
• **Runtime validation** — Validate the Jira preset blocks curl to Atlassian before approval with `000` or an explicit local policy denial and no outbound TLS handshake/audit egress.. Unit string coverage is useful for the helper text, but the linked issue and security risk are about sandbox network-policy behavior and manual before/after approval observability.
• **Runtime validation** — Validate Node HTTPS to `https://api.atlassian.com\` succeeds with 200/301 while curl remains denied under the same Jira preset.. Unit string coverage is useful for the helper text, but the linked issue and security risk are about sandbox network-policy behavior and manual before/after approval observability.
• **Runtime validation** — Validate explicit approval for curl to `api.atlassian.com/oauth/token/accessible-resources` changes the probe from local denial or `000` to Atlassian's unauthenticated 401 JSON without Jira credentials.. Unit string coverage is useful for the helper text, but the linked issue and security risk are about sandbox network-policy behavior and manual before/after approval observability.
• **Runtime validation** — Validate docs-to-skills generation or parity checking covers generated user-skill outputs so no shipped skill still contains the old auth.atlassian.com status-only curl probe or 200/301 approval guidance.. Unit string coverage is useful for the helper text, but the linked issue and security risk are about sandbox network-policy behavior and manual before/after approval observability.
• **Acceptance clause:** When the jira policy preset is applied to a NemoClaw sandbox, the documented test case expects per-binary enforcement: curl to auth.atlassian.com should be locally blocked (exit “000”) while Node to api.atlassian.com is allowed, and approving the curl request in openshell term should then allow curl to work. — add test evidence or identify existing coverage. The PR preserves docs/warning text that Jira allows Node.js and not curl, and jira.yaml still only lists /usr/local/bin/node and /usr/bin/node. However, the manual curl proof is moved from auth.atlassian.com to api.atlassian.com/oauth/token/accessible-resources, and no runtime enforcement evidence is added.
• **Acceptance clause:** Before approval: curl is locally blocked with a non-normal status (“000” or explicit NemoClaw error), and no outbound TLS handshake is attempted (per-binary whitelist enforcement). — add test evidence or identify existing coverage. Changed docs say the new api.atlassian.com curl probe should report 000 or a local policy denial before approval. The diff does not prove no outbound TLS handshake is attempted and does not demonstrate the original auth.atlassian.com command behavior.
• **Acceptance clause:** Node returns 200/301 as it is allowed by the Jira preset. — add test evidence or identify existing coverage. Docs and CLI warning include a Node HTTPS probe to https://api.atlassian.com, and jira.yaml allows /usr/local/bin/node and /usr/bin/node to api.atlassian.com. The changed test only checks warning text and does not run a sandbox policy validation.

Since last review details

Current findings:

• Source-of-truth review needed: Jira validation docs and generated user skills: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: docs/CONTRIBUTING.md says docs/ is the source of truth and generated .agents/skills/nemoclaw-user-* files should not be edited manually. This PR edits .agents/skills files, while skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md still documents the old auth.atlassian.com status probe with 301/200 post-approval guidance.
• Linked Jira issue still asks for an auth.atlassian.com before/after approval signal (docs/network-policy/integration-policy-examples.mdx:215): Issue [NemoClaw][Linux] Jira policy preset does not enforce expected per‑binary network behavior for curl vs Node #3758's literal Expected section asks for curl to auth.atlassian.com to be locally blocked before approval and to succeed with 200/301 after approval. This PR instead documents auth.atlassian.com curl -s output as inconclusive and redirects the manual proof to api.atlassian.com/oauth/token/accessible-resources, where the post-approval success signal is an unauthenticated 401 JSON response. That may be the right validation design, but it does not directly satisfy the linked issue while the PR says Fixes [NemoClaw][Linux] Jira policy preset does not enforce expected per‑binary network behavior for curl vs Node #3758.
  • Recommendation: Either update or explicitly confirm the linked issue acceptance so the api.atlassian.com accessible-resources 401 probe is the intended closure criterion, or add enforcement/runtime evidence showing why the original auth.atlassian.com 200/301 before/after approval clause is no longer required.
  • Evidence: Issue [NemoClaw][Linux] Jira policy preset does not enforce expected per‑binary network behavior for curl vs Node #3758 Expected: "Before approval: curl is locally blocked..." and "After approval: curl succeeds with 200/301...". Changed docs now say: "An empty curl -s output from that endpoint is inconclusive before or after approval" and "After explicitly approving curl for api.atlassian.com... return Atlassian's unauthenticated 401 JSON response."
• Generated user skill documentation is not updated from a single source of truth (.agents/skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md:205): The PR edits generated .agents user-skill copies directly while repository documentation says docs/ is the source of truth and generated .agents/skills/nemoclaw-user-* files should not be edited manually. At the same time, the root skills/ generated copies still contain the old Jira auth.atlassian.com status-only curl probe, so users can receive contradictory validation guidance depending on which skill surface is consumed.
  • Recommendation: Keep the source docs as the authoritative change and either regenerate every shipped generated user-skill output consistently or document that the root skills/ tree is intentionally excluded/unshipped. Add a parity check or generation dry-run that catches stale Jira validation text across generated skill outputs.
  • Evidence: docs/CONTRIBUTING.md says "The docs/ directory is the source of truth" and "Never edit generated skill files under .agents/skills/nemoclaw-user-*/". The PR changes .agents/skills copies, but skills/nemoclaw-user-manage-policy/references/integration-policy-examples.md still says "Use an explicit status probe instead" and shows curl against https://auth.atlassian.com with 301/200 post-approval guidance.
• Runtime validation is still missing for the security-sensitive Jira policy probe (test/policies.test.ts:486): The changed unit test checks only string fragments in getPresetValidationWarning. It does not prove the Jira preset still blocks curl before approval, allows Node HTTPS to api.atlassian.com, or makes the explicit post-approval curl probe reach Atlassian without credentials. For a network-policy validation path, this leaves the security posture dependent on documentation text rather than behavioral evidence.
  • Recommendation: Add or identify a sandbox/network-policy integration test for the Jira preset that covers blocked pre-approval curl, allowed Node HTTPS, and explicit post-approval curl to api.atlassian.com returning unauthenticated 401 JSON. Also assert that the dry-run CLI warning surfaces the same actionable guidance.
  • Evidence: test/policies.test.ts now asserts the warning contains "inconclusive before or after approval", "api.atlassian.com/oauth/token/accessible-resources", "401 JSON", and "Node HTTPS". nemo claw-blueprint/policies/presets/jira.yaml still lists only node binaries, but no changed test exercises that policy at runtime.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[prekshivyas]

Reviewed (code + 9-cat security). Adds one clarifying sentence to the Jira getPresetValidationWarning (mirrored to docs + generated skills + release-notes) plus a test-assertion update. No enforcement logic changes.

✅ Approve — purely additive guidance, does not weaken policy enforcement. Verified: the jira preset allowlists only node (no curl), and test-network-policy.sh TC-NET-08 proves curl is blocked pre-approval (CURL_APPCONNECT_0) and works only after an explicit policy update --binary curl — so #3758's "presets permit any binary" is refuted; the reopen is a QA-observability artifact, not an enforcement gap. The dropped toContain("curl -s") assertion is safe (string still contains it twice). Security: all 9 pass.

Note (pre-existing, not this PR): the legacy skills/ tree lags the maintained .agents/skills/ repo-wide.

[prekshivyas]

@chengjiew the only red check here is dco-check — it validates the PR description (not your commits). To fix it, add a sign-off line to the PR description (Edit → bottom of the body):

Signed-off-by: Your Name <your@email>

Use the same name/email as your commits. Once it's in the PR body, dco-check goes green. Everything else is passing and this is approved.

[wscurran]

✨
Related open PRs:

• #4579 fix(policy): make Jira curl validation observable

---

Related open issues:

• #3758 [NemoClaw][Linux] Jira policy preset does not enforce expected per‑binary network behavior for curl vs Node