Skip to content

fix(policy): allow OpenClaw plugin npm registry access#4125

Closed
chengjiew wants to merge 3 commits into
mainfrom
fix/4104_clawhub-default-policy
Closed

fix(policy): allow OpenClaw plugin npm registry access#4125
chengjiew wants to merge 3 commits into
mainfrom
fix/4104_clawhub-default-policy

Conversation

@chengjiew

@chengjiew chengjiew commented May 23, 2026

Copy link
Copy Markdown
Contributor

Summary

  • allow the default npm registry policy to support OpenClaw plugin installs by permitting npm/Node helper binaries
  • switch the baseline registry.npmjs.org entry to the same L4 tunnel shape used by the npm preset for Node 22/undici compatibility
  • keep ClawHub/OpenClaw API compatible with both /usr/local/bin/node and /usr/bin/node, and update policy docs/tests

Scope

Verification

  • NPM_CONFIG_CACHE=/tmp/nemoclaw-4104-npm-cache npm run build:cli
  • NPM_CONFIG_CACHE=/tmp/nemoclaw-4104-npm-cache npx vitest run test/policies.test.ts test/security-binaries-restriction.test.ts test/validate-blueprint.test.ts
  • Linux live repro on aits-center:
    • before: openclaw plugins install @openclaw/microsoft-speech failed with registry.npmjs.org policy_denied
    • after applying the fixed policy: scoped npm lookup reached the real registry response instead of policy_denied, and openclaw plugins install returned 0 using the bundled microsoft fallback
  • Follow-up docs-only nit: NPM_CONFIG_CACHE=/tmp/nemoclaw-4104-npm-cache npx vitest run test/validate-blueprint.test.ts

Signed-off-by: Chengjie Wang chengjiew@nvidia.com

Fixes #4104

Summary by CodeRabbit

  • Documentation

    • Clarified network policy docs to describe npm registry access, port 443 enforcement, and TLS passthrough behavior.
  • Improvements

    • Expanded registry access to support additional Node/npm helper binaries used during plugin installation.
    • Changed registry access model from REST GET-only to L4 passthrough with TLS skip for better Node.js compatibility.
  • Tests

    • Added validation tests for sandbox policy binary allowlists and registry endpoint configuration.

Review Change Stack

@copy-pr-bot

copy-pr-bot Bot commented May 23, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented May 23, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a9d1d499-8a57-41a1-9d59-3c1234b665d5

📥 Commits

Reviewing files that changed from the base of the PR and between 48e9f8f and 87543c7.

📒 Files selected for processing (1)
  • docs/reference/network-policies.mdx
✅ Files skipped from review due to trivial changes (1)
  • docs/reference/network-policies.mdx

📝 Walkthrough

Walkthrough

Updates sandbox network policies to allow Node/npm helper binaries and change npm_registry to L4 passthrough with tls: skip; adds tests validating binary allowlists and endpoint fields; updates reference docs to match.

Changes

Network Policy Fix for clawhub Access

Layer / File(s) Summary
Clawhub & openclaw_api binaries
nemoclaw-blueprint/policies/openclaw-sandbox.yaml
Adds /usr/bin/node to clawhub and openclaw_api binary allowlists so Node-based helpers are permitted.
npm_registry L4 passthrough and binaries
nemoclaw-blueprint/policies/openclaw-sandbox.yaml, docs/reference/network-policies.mdx
Reworks npm_registry to use access: full with tls: skip scoped to registry.npmjs.org:443, removes prior REST/GET-only rules, and expands binaries to include openclaw, npm*, and node* across /usr/local/bin and /usr/bin. Documentation text and table updated to reflect L4 passthrough and port 443 enforcement.
Policy validation tests
test/validate-blueprint.test.ts
Adds regression #4104 tests asserting exact sorted binary allowlists for clawhub and openclaw_api; replaces prior npm_registry assertion with tests validating registry.npmjs.org endpoint fields (port: 443, access: "full", tls: "skip", no protocol/rules) and expanded wildcarded npm/Node binaries plus /usr/local/bin/openclaw.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

fix, Sandbox, Integration: OpenClaw

Suggested reviewers

  • ericksoa
  • cv

🐰 I found a pathway bright and new,
Nodes and npm helpers passing through,
Tests sing softly, docs agree,
Plugins hop in, happy as me —
Sandbox doors open, joy in view!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the main objective: allowing OpenClaw plugin npm registry access by fixing the network policy.
Linked Issues check ✅ Passed All code changes directly address issue #4104: npm_registry policy now allows Node/npm binaries for plugin install, endpoints configured with L4 tunnel for Node 22 compatibility, and tests validate the new policy structure.
Out of Scope Changes check ✅ Passed All changes are directly scoped to fixing #4104: documentation updates, policy configuration for npm registry and clawhub/openclaw_api binaries, and regression tests for the new policy validation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/4104_clawhub-default-policy

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

github-actions Bot commented May 23, 2026

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: network-policy-e2e
Optional E2E: cloud-onboard-e2e, docs-validation-e2e, openclaw-plugin-runtime-exdev-e2e

Dispatch hint: network-policy-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • network-policy-e2e (medium): Required because this PR modifies the baseline sandbox network policy and loosens npm_registry enforcement. This existing E2E exercises deny-by-default egress, policy-add, hot reload, permissive mode, inference-local behavior, and SSRF-related policy behavior against a live sandbox.

Optional E2E

  • cloud-onboard-e2e (medium): Useful confidence that a fresh OpenClaw cloud onboarding still applies policy configuration and starts a usable sandbox after baseline policy YAML changes.
  • docs-validation-e2e (low): Optional because a docs/reference MDX page changed; this checks documentation validation/link/parity paths but is not merge-blocking for the runtime security policy change.
  • openclaw-plugin-runtime-exdev-e2e (medium): Adjacent plugin-runtime confidence for OpenClaw plugin flows, but it does not directly validate npm_registry network policy or external plugin install egress, so it is optional rather than required.

New E2E recommendations

  • openclaw-plugin-install-egress (high): Existing E2E coverage does not appear to prove that openclaw plugins install succeeds from a restricted baseline sandbox using npm/Node helper binaries through the registry.npmjs.org L4 tunnel, nor that the same npm/Node binaries remain blocked for non-registry egress. Add a focused regression for issue [NemoClaw][All Platforms] Default sandbox network policy blocks clawhub, preventing openclaw plugins install from succeeding #4104.
    • Suggested test: Add an E2E that onboards an OpenClaw sandbox with the restricted baseline policy, runs an OpenClaw external plugin install path that shells out through npm/Node, verifies registry.npmjs.org access succeeds, and verifies npm/Node cannot reach an unrelated host without an opt-in preset.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: network-policy-e2e

@github-actions

github-actions Bot commented May 23, 2026

Copy link
Copy Markdown
Contributor

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

  • None.

Relevant changed files

  • None.

@github-actions

github-actions Bot commented May 23, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 1 still applies, 0 new items found

Review findings

🛠️ Needs attention

  • None.

🔎 Worth checking

  • Baseline npm registry L4 tunnel broadens sandbox egress (nemoclaw-blueprint/policies/openclaw-sandbox.yaml:178): The baseline `npm_registry` policy now uses `access: full` with `tls: skip` and wildcard npm/Node helper paths. This is scoped to `registry.npmjs.org:443` and may be needed for Node 22/undici plugin installs, but it removes REST method/path inspection for those binaries in the default sandbox baseline and expands the least-privilege boundary that prior regressions had intentionally tightened.
    • Recommendation: Confirm the wildcard helper paths are necessary and cannot be narrowed to exact installed paths. Add or identify targeted runtime validation showing `openclaw plugins install` succeeds while unrelated binaries and non-registry package-manager traffic remain denied; keep the L4 tunnel limited to `registry.npmjs.org:443`.
    • Evidence: The diff changes `registry.npmjs.org:443` from REST GET-only rules to `access: full` plus `tls: skip`, and adds `/usr/local/bin/npm*`, `/usr/local/bin/node*`, `/usr/bin/npm*`, and `/usr/bin/node*` to the baseline binary allowlist. `test/validate-blueprint.test.ts` statically asserts this shape, but the provided diff does not add a behavioral sandbox denial-boundary test.

🌱 Nice ideas

  • None.
Since last review details

Current findings:

  • Baseline npm registry L4 tunnel broadens sandbox egress (nemoclaw-blueprint/policies/openclaw-sandbox.yaml:178): The baseline `npm_registry` policy now uses `access: full` with `tls: skip` and wildcard npm/Node helper paths. This is scoped to `registry.npmjs.org:443` and may be needed for Node 22/undici plugin installs, but it removes REST method/path inspection for those binaries in the default sandbox baseline and expands the least-privilege boundary that prior regressions had intentionally tightened.
    • Recommendation: Confirm the wildcard helper paths are necessary and cannot be narrowed to exact installed paths. Add or identify targeted runtime validation showing `openclaw plugins install` succeeds while unrelated binaries and non-registry package-manager traffic remain denied; keep the L4 tunnel limited to `registry.npmjs.org:443`.
    • Evidence: The diff changes `registry.npmjs.org:443` from REST GET-only rules to `access: full` plus `tls: skip`, and adds `/usr/local/bin/npm*`, `/usr/local/bin/node*`, `/usr/bin/npm*`, and `/usr/bin/node*` to the baseline binary allowlist. `test/validate-blueprint.test.ts` statically asserts this shape, but the provided diff does not add a behavioral sandbox denial-boundary test.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
nemoclaw-blueprint/policies/openclaw-sandbox.yaml (1)

137-152: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Mirror the /usr/bin/node allowlist into openclaw_api.

openclaw_api already permits Node-initiated traffic, so fixing the Node path only for clawhub leaves the same compatibility gap on openclaw.ai. On images where these flows run under /usr/bin/node, auth or plugin-discovery calls can still fail with policy_denied.

Suggested policy follow-up
   openclaw_api:
     name: openclaw_api
     endpoints:
       - host: openclaw.ai
         port: 443
         protocol: rest
         enforcement: enforce
         rules:
           - allow: { method: GET, path: "/**" }
           - allow: { method: POST, path: "/**" }
     binaries:
       - { path: /usr/local/bin/openclaw }
       - { path: /usr/local/bin/node }
+      - { path: /usr/bin/node }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml` around lines 137 - 152,
The openclaw_api policy block is missing the /usr/bin/node allowlist entry
causing policy_denied when Node runs from that path; update the openclaw_api
section (the openclaw_api endpoints/binaries entries) to add a binaries
allowlist item for { path: /usr/bin/node } (mirroring the existing
/usr/local/bin/node entry) so that node-initiated traffic under /usr/bin/node is
permitted for openclaw_api.
🧹 Nitpick comments (1)
docs/reference/network-policies.mdx (1)

44-44: ⚡ Quick win

Format the command as inline code.

openclaw plugins install is a CLI command in prose, so it should be wrapped in backticks. That also avoids the lowercase openclaw word-list violation in prose. As per coding guidelines, "CLI commands, file paths, flags, parameter names, and values must use inline code formatting."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/network-policies.mdx` at line 44, The table cell listing
npm_registry currently shows the CLI invocation openclaw plugins install as
plain text; update that cell so the command is formatted inline code (e.g., wrap
the phrase `openclaw plugins install`) to follow the guideline that CLI
commands, file paths, flags and parameter names use inline code—ensure the entry
with `npm_registry`, `registry.npmjs.org:443`, and `/usr/local/bin/openclaw`
reflects this change and keeps the "L4 tunnel" note intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml`:
- Around line 165-183: The baseline policy npm_registry currently uses access:
full and tls: skip which effectively creates an uninspected tunnel allowing
publishes/tokens from any allowed npm*/node* binary; change this to enforce
read-only registry access by replacing access: full with a read-only access mode
and removing tls: skip (or enable traffic inspection) so publishes/tokens are
blocked, or move the write-capable tunnel into an opt-in preset and keep the
baseline npm_registry restricted; update the npm_registry endpoints and/or
binaries list (the npm_registry entry, access: full, tls: skip, and the binaries
entries for /usr/local/bin/npm*, /usr/local/bin/node*, /usr/bin/npm*,
/usr/bin/node*) accordingly to reflect the read-only restriction.

---

Outside diff comments:
In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml`:
- Around line 137-152: The openclaw_api policy block is missing the
/usr/bin/node allowlist entry causing policy_denied when Node runs from that
path; update the openclaw_api section (the openclaw_api endpoints/binaries
entries) to add a binaries allowlist item for { path: /usr/bin/node } (mirroring
the existing /usr/local/bin/node entry) so that node-initiated traffic under
/usr/bin/node is permitted for openclaw_api.

---

Nitpick comments:
In `@docs/reference/network-policies.mdx`:
- Line 44: The table cell listing npm_registry currently shows the CLI
invocation openclaw plugins install as plain text; update that cell so the
command is formatted inline code (e.g., wrap the phrase `openclaw plugins
install`) to follow the guideline that CLI commands, file paths, flags and
parameter names use inline code—ensure the entry with `npm_registry`,
`registry.npmjs.org:443`, and `/usr/local/bin/openclaw` reflects this change and
keeps the "L4 tunnel" note intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: aee844d4-0a98-4229-b34f-f3799c730d65

📥 Commits

Reviewing files that changed from the base of the PR and between 638bccd and b5840b1.

📒 Files selected for processing (3)
  • docs/reference/network-policies.mdx
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • test/validate-blueprint.test.ts

Comment on lines 165 to +183
# npm registry — needed for `openclaw plugins install` only.
# Restricted to the openclaw binary so agents cannot use npm directly.
# Users who need npm/node access should add the npm policy preset during onboard.
# Ref: https://github.com/NVIDIA/NemoClaw/issues/1458
# OpenClaw shells out through npm's Node entrypoint when installing external
# package plugins, so this baseline allows the helper binaries but only for
# read-only registry access. Users who need broader npm access should add
# the npm policy preset during onboard.
# Ref: https://github.com/NVIDIA/NemoClaw/issues/4104
npm_registry:
name: npm_registry
endpoints:
- host: registry.npmjs.org
port: 443
protocol: rest
enforcement: enforce
rules:
- allow: { method: GET, path: "/**" }
access: full
tls: skip
binaries:
- { path: /usr/local/bin/openclaw }
- { path: /usr/local/bin/npm* }
- { path: /usr/local/bin/node* }
- { path: /usr/bin/npm* }
- { path: /usr/bin/node* }

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

npm_registry is now write-capable in the baseline policy.

access: full with tls: skip turns registry.npmjs.org into an uninspected tunnel, so any allowed npm*/node* binary can send publish or token-management traffic, not only package-download requests. That is a default-policy least-privilege regression, and it contradicts the new "read-only registry access" comment plus the note that broader npm access should stay behind the opt-in preset.

If baseline installs must keep working, this likely needs a different split than tunneling the public registry from the base policy.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml` around lines 165 - 183,
The baseline policy npm_registry currently uses access: full and tls: skip which
effectively creates an uninspected tunnel allowing publishes/tokens from any
allowed npm*/node* binary; change this to enforce read-only registry access by
replacing access: full with a read-only access mode and removing tls: skip (or
enable traffic inspection) so publishes/tokens are blocked, or move the
write-capable tunnel into an opt-in preset and keep the baseline npm_registry
restricted; update the npm_registry endpoints and/or binaries list (the
npm_registry entry, access: full, tls: skip, and the binaries entries for
/usr/local/bin/npm*, /usr/local/bin/node*, /usr/bin/npm*, /usr/bin/node*)
accordingly to reflect the read-only restriction.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
docs/reference/network-policies.mdx (1)

46-46: ⚡ Quick win

Split this into one sentence per source line.

This line currently has two sentences, which hurts diff readability under the docs style rules.

Suggested edit
-REST endpoints use TLS termination and method/path enforcement at port 443. The `npm_registry` baseline uses L4 passthrough (`tls: skip`) for Node 22/undici compatibility and remains scoped to `registry.npmjs.org:443`.
+REST endpoints use TLS termination and method/path enforcement at port 443.
+The `npm_registry` baseline uses L4 passthrough (`tls: skip`) for Node 22/undici compatibility and remains scoped to `registry.npmjs.org:443`.

As per coding guidelines, "One sentence per line in source (makes diffs readable). Flag paragraphs where multiple sentences appear on the same line."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/network-policies.mdx` at line 46, The source line containing
"REST endpoints use TLS termination and method/path enforcement at port 443. The
`npm_registry` baseline uses L4 passthrough (`tls: skip`) for Node 22/undici
compatibility and remains scoped to `registry.npmjs.org:443`" contains two
sentences on one line—split them so each sentence is on its own source line: put
"REST endpoints use TLS termination and method/path enforcement at port 443." on
one line and "`npm_registry` baseline uses L4 passthrough (`tls: skip`) for Node
22/undici compatibility and remains scoped to `registry.npmjs.org:443`." on the
next.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/reference/network-policies.mdx`:
- Line 46: The source line containing "REST endpoints use TLS termination and
method/path enforcement at port 443. The `npm_registry` baseline uses L4
passthrough (`tls: skip`) for Node 22/undici compatibility and remains scoped to
`registry.npmjs.org:443`" contains two sentences on one line—split them so each
sentence is on its own source line: put "REST endpoints use TLS termination and
method/path enforcement at port 443." on one line and "`npm_registry` baseline
uses L4 passthrough (`tls: skip`) for Node 22/undici compatibility and remains
scoped to `registry.npmjs.org:443`." on the next.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 00e0e177-b9fe-4299-a8fe-5e8c9c3d1d58

📥 Commits

Reviewing files that changed from the base of the PR and between b5840b1 and 48e9f8f.

📒 Files selected for processing (3)
  • docs/reference/network-policies.mdx
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • test/validate-blueprint.test.ts

@chengjiew

Copy link
Copy Markdown
Contributor Author

Addressed current PR actions: DCO sign-off added, CodeRabbit docs/policy comments fixed, required network-policy-e2e dispatched (run), and the requested error-message improvement is split into follow-up #4127.

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 26332534132
Target ref: fix/4104_clawhub-default-policy
Workflow ref: main
Requested jobs: network-policy-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job Result
network-policy-e2e ✅ success

@wscurran

wscurran commented May 26, 2026

Copy link
Copy Markdown
Contributor

@cv cv added v0.0.52 and removed v0.0.50 labels May 26, 2026

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes based on the PR Review Advisor rubric.

This overlaps #4184 on the same baseline npm registry policy/docs/tests and carries the same security concern: access: full + tls: skip for the baseline registry endpoint plus generic npm/node wildcard binaries broadens default/restricted sandbox egress beyond the intended openclaw plugins install path.

Please do not land this independently. Either close/supersede it in favor of a single coordinated policy PR, or narrow the approach and add runtime validation proving the intended plugin-install path succeeds while unrelated direct npm/node registry use is denied (or explicitly accepted by security/product review).

@ericksoa ericksoa added v0.0.55 and removed v0.0.53 labels May 27, 2026
@cv cv added v0.0.56 and removed v0.0.55 labels May 29, 2026
@cjagwani cjagwani self-requested a review June 1, 2026 16:38
@cv cv added v0.0.57 and removed v0.0.56 labels Jun 1, 2026
@cv cv added v0.0.58 and removed v0.0.57 labels Jun 3, 2026
@wscurran wscurran added area: policy Network policy, egress rules, presets, or sandbox policy bug-fix PR fixes a bug or regression feature PR adds or expands user-visible functionality and removed fix labels Jun 3, 2026
@prekshivyas

Copy link
Copy Markdown
Contributor

Closing this in favor of #4184. Two reasons, same as on the open CR/cv reviews:

  1. Duplicate of fix(policy): allow openclaw npm plugin installs #4184 — same author, near-identical YAML diff, only difference is that fix(policy): allow openclaw npm plugin installs #4184 also includes the docs/security/best-practices.mdx update describing the residual risk of the baseline npm_registry becoming an L4 tunnel. This PR doesn't. Consolidating on fix(policy): allow openclaw npm plugin installs #4184 avoids two-PR drift and gives reviewers one place to discuss the policy tradeoff.

  2. Major CR thread on openclaw-sandbox.yaml:185 still unresolved — the baseline expansion to access: full + tls: skip is justified on its own (Node 22 undici forces L4, matches the existing npm preset shape), but the write-capability surface needs to be explicit in security docs so users with NPM_TOKEN configured know to drop or restrict the baseline. fix(policy): allow openclaw npm plugin installs #4184 has that docs update.

@chengjiew — please update #4184's body to add Closes #4104 (alongside the existing Closes #4015) so both issues get tracked through the surviving PR. Once that's in and the residual-risk note is tightened in the security docs, happy to re-review #4184.

@prekshivyas prekshivyas closed this Jun 3, 2026
@wscurran wscurran removed the feature PR adds or expands user-visible functionality label Jun 9, 2026
@cv cv deleted the fix/4104_clawhub-default-policy branch June 28, 2026 00:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: policy Network policy, egress rules, presets, or sandbox policy bug-fix PR fixes a bug or regression integration: openclaw OpenClaw integration behavior

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[NemoClaw][All Platforms] Default sandbox network policy blocks clawhub, preventing openclaw plugins install from succeeding

5 participants