Skip to content

fix(policy): allow openclaw npm plugin installs#4184

Closed
chengjiew wants to merge 1 commit into
mainfrom
fix/4015_npm_openclaw_plugin_registry
Closed

fix(policy): allow openclaw npm plugin installs#4184
chengjiew wants to merge 1 commit into
mainfrom
fix/4015_npm_openclaw_plugin_registry

Conversation

@chengjiew

@chengjiew chengjiew commented May 25, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Fix baseline OpenClaw plugin install egress by making npm_registry use the same L4 passthrough shape as the npm preset for Node 22/undici CONNECT compatibility.
  • Allow the npm/node helper binaries that openclaw plugins install <package> shells through, while keeping the tunnel scoped to registry.npmjs.org:443.
  • Add /usr/bin/node to the baseline clawhub and openclaw_api binary allowlists for sandbox images where OpenClaw helper flows resolve Node there.
  • Update network policy docs/security guidance to describe the npm_registry L4 exception.

Closes #4015.

Repro

On existing local sandbox repro-3113-mac with npm applied, the live policy still had npm_registry as REST GET-only with only /usr/local/bin/openclaw, and clawhub/openclaw_api lacked /usr/bin/node.

openshell sandbox exec --name repro-3113-mac --timeout 120 -- bash -lc 'openclaw plugins install @openclaw/microsoft-speech 2>&1; echo __EXIT__$?'
Resolving clawhub:@openclaw/microsoft-speech…
fetch failed | other side closed
__EXIT__1

Verification

  • ./node_modules/.bin/vitest run --project cli test/validate-blueprint.test.ts -t "regression #4015"
  • npm_config_cache=$PWD/.npm-cache npm run build:cli
  • ./node_modules/.bin/vitest run --project cli test/policies.test.ts test/validate-blueprint.test.ts
  • npm_config_cache=$PWD/.npm-cache npm run typecheck:cli
  • git diff --check

Signed-off-by: Chengjie Wang chengjiew@nvidia.com

Summary by CodeRabbit

  • Documentation

    • Refined network policy documentation for default allowed endpoints and npm registry traffic handling
    • Clarified security best practices regarding read-only endpoints and npm registry exceptions
  • Tests

    • Added regression checks for network policy binary allowlists and npm registry endpoint configuration

Review Change Stack

Signed-off-by: Chengjie Wang <chengjiew@nvidia.com>
@coderabbitai

coderabbitai Bot commented May 25, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

This PR extends the OpenClaw sandbox network policy to enable Node.js processes to access npm registries via L4 passthrough instead of REST, adds /usr/bin/node to helper binary allowlists, updates regression tests to validate the new endpoint shape and binary configuration, and documents the distinction between REST enforcement and L4 passthrough behaviors.

Changes

npm registry L4 tunnel expansion

Layer / File(s) Summary
npm_registry L4 tunnel policy and Node binary allowlist
nemoclaw-blueprint/policies/openclaw-sandbox.yaml
Added /usr/bin/node to nvidia and openclaw_api network policies. Transformed npm_registry policy from GET-only REST enforcement to L4 passthrough endpoint with access: full, tls: skip, and expanded binary allowlist including npm* and node* entrypoints across /usr/local/bin and /usr/bin.
Regression tests for npm_registry and Node binary allowlists
test/validate-blueprint.test.ts
Added regression #4015 tests validating clawhub and openclaw_api network policy binary allowlists include Node helper paths. Replaced previous npm_registry regression (#1458) with new regression asserting registry.npmjs.org:443 endpoint structure with access/tls properties and binary allowlist containing node*, npm*, and openclaw paths.
Network policies and security best practices documentation
docs/reference/network-policies.mdx, docs/security/best-practices.mdx
Updated endpoint table to clarify allowed binaries for clawhub, openclaw_api, and openclaw_docs. Split enforcement descriptions: REST endpoints use TLS termination with method/path enforcement at port 443; npm_registry uses L4 passthrough with TLS skipping for Node 22/undici compatibility, scoped to registry.npmjs.org:443. Documented npm_registry and npm preset as intentional exceptions to read-only policy.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

Integration: OpenClaw, fix, Sandbox

Suggested reviewers

  • cv
  • ericksoa

Poem

A rabbit hops through npm's domain,
Node tunnels data, L4's the plane.
TLS skipping, undici's delight—
Helper binaries bundled tight.
🐰 Tests and docs all align just right!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: enabling OpenClaw npm plugin installations through policy updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/4015_npm_openclaw_plugin_registry

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor

E2E Advisor Recommendation

Required E2E: network-policy-e2e
Optional E2E: cloud-onboard-e2e, docs-validation-e2e

Dispatch hint: network-policy-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • network-policy-e2e (medium): Required because the PR changes the default sandbox network policy/security boundary. This job exercises deny-by-default behavior, whitelist/preset application, live policy updates, inference.local routing with direct-provider blocking, hot reload, permissive mode, and SSRF validation against a real sandbox.

Optional E2E

  • cloud-onboard-e2e (medium): Useful confidence that a fresh OpenClaw onboard still applies the changed baseline policy and can complete Landlock/read-only checks, inference.local probe, and npm/pypi preset setup in a real cloud sandbox.
  • docs-validation-e2e (low): Optional for the MDX changes to validate docs links and CLI/docs parity; not merge-blocking for the runtime policy change because unit/docs PR checks likely cover most documentation issues.

New E2E recommendations

  • baseline_npm_registry_plugin_install (high): Existing network-policy-e2e covers broad policy behavior but does not appear to verify the specific regression fixed here: under the restricted baseline, openclaw plugins install should work through npm/Node helper binaries using the registry.npmjs.org L4 tunnel, while unrelated hosts remain blocked.
    • Suggested test: Add an E2E case that onboards with the restricted baseline and runs an OpenClaw plugin install flow requiring npm/Node helper access to registry.npmjs.org, then asserts the install succeeds without enabling the npm preset and that npm/node access is still limited to the baseline registry host.
  • baseline_binary_scope_regression (medium): The PR intentionally broadens binary globs for registry.npmjs.org and adds /usr/bin/node to clawhub/openclaw_api. Unit tests validate YAML shape, but runtime coverage should confirm OpenShell enforces the intended binary scoping and does not accidentally allow arbitrary process egress to these services.
    • Suggested test: Add a network-policy E2E assertion that probes allowed and disallowed binaries against clawhub.ai/openclaw.ai/registry.npmjs.org in a running restricted sandbox and verifies only the intended helper paths are permitted.

Dispatch hint

  • Workflow: nightly-e2e.yaml
  • jobs input: network-policy-e2e

@github-actions

Copy link
Copy Markdown
Contributor

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

  • None.

Relevant changed files

  • None.

@github-actions

Copy link
Copy Markdown
Contributor

PR Review Advisor

Findings: 1 needs attention, 2 worth checking, 0 nice ideas
Top item: Baseline npm_registry grants direct npm/node L4 access

Review findings

🛠️ Needs attention

  • Baseline npm_registry grants direct npm/node L4 access (nemoclaw-blueprint/policies/openclaw-sandbox.yaml:176): The baseline policy changes `npm_registry` from REST GET-only for `/usr/local/bin/openclaw` to an L4 `access: full` tunnel and adds generic `/usr/local/bin/npm*`, `/usr/local/bin/node*`, `/usr/bin/npm*`, and `/usr/bin/node*` binary patterns. That makes the baseline/restricted sandbox able to run direct npm or Node registry traffic, not just `openclaw plugins install`, and removes method/path inspection for that traffic. This contradicts the stated comment that broader package-manager access still requires the opt-in npm preset and reopens the bypass that the previous [All platforms][Regression] None policy added but NPM install is able to execute #1458 regression test was guarding against.
    • Recommendation: Keep the baseline scoped to an OpenClaw-owned install path rather than generic npm/node binaries, or move this capability behind the npm preset. If OpenShell supports ancestor-aware policy, constrain helper binaries to OpenClaw-launched descendants only; otherwise use a reviewed wrapper/helper with a narrow binary path. Add a runtime negative test showing direct `npm install` or a standalone Node fetch to `registry.npmjs.org` is denied in the baseline while the intended OpenClaw plugin install path succeeds.
    • Evidence: Lines 176-178 set `access: full` and `tls: skip`; lines 180-184 add npm/node wildcard binary paths. The removed test comment said npm/node in this baseline list lets the agent bypass the 'none' policy preset.

🔎 Worth checking

  • Static YAML assertions do not validate runtime policy boundaries (test/validate-blueprint.test.ts:430): The new tests assert that the broad L4 tunnel and npm/node wildcard allowlist are present, but they do not exercise OpenShell runtime behavior or a negative path. For sandbox/network-policy changes, static shape tests cannot prove the intended distinction between OpenClaw plugin installation and direct package-manager access.
    • Recommendation: Add or identify targeted runtime/integration validation for the changed behavior: successful `openclaw plugins install <package>` through the baseline, and denial or explicit product acceptance of direct `npm install` / standalone Node registry access without the npm preset.
    • Evidence: The new regression test at lines 430-459 checks YAML shape only. Trusted test-depth context also flags these sandbox/network-policy paths as requiring runtime validation.
  • Active overlapping policy PR touches the same files: The patch applies to files that still exist and matches the current code structure, but trusted drift context shows active PR fix(policy): allow OpenClaw plugin npm registry access #4125 also changes `docs/reference/network-policies.mdx`, `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`, and `test/validate-blueprint.test.ts` for a very similar OpenClaw plugin npm registry access topic. This increases the chance of duplicate or contradictory policy/test outcomes.
    • Recommendation: Coordinate the policy shape and regression-test expectations with the overlapping work before landing so only one reviewed baseline security posture is introduced.
    • Evidence: Trusted openPrOverlaps lists fix(policy): allow OpenClaw plugin npm registry access #4125, titled `fix(policy): allow OpenClaw plugin npm registry access`, with the same policy, docs, and validation-test files.

🌱 Nice ideas

  • None.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
docs/security/best-practices.mdx (1)

127-127: ⚡ Quick win

Split Line 127 into one sentence per line and avoid a clause-joining colon.

Line 127 currently packs multiple sentences onto one source line and uses a colon to connect clauses rather than introducing a list.

As per coding guidelines: "One sentence per line in source (makes diffs readable)." and "Colons should only introduce a list."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security/best-practices.mdx` at line 127, Split the long sentence at
line 127 into multiple sentences (one sentence per source line) and remove the
clause-joining colon; for example, end the first sentence after "for example,
clawhub.ai" and start new sentences for the contrasts ("Others restrict
methods..." with the integrate.api.nvidia.com example), the read-only endpoints
("Read-only endpoints such as docs.openclaw.ai and the pypi preset allow GET
only"), and the npm exception ("The npm_registry baseline entry and the npm
preset are intentional exceptions: npm/Yarn registry traffic uses L4
pass-through for Node 22 undici CONNECT compatibility" should be rephrased as a
separate sentence or converted into a short list item), ensuring each sentence
sits on its own line and any list-like content is introduced as a proper list
rather than joined by a colon.
nemoclaw-blueprint/policies/openclaw-sandbox.yaml (1)

166-185: Run the network-policy e2e suite before merge.

Because this changes baseline egress behavior (npm_registry L4 tunnel + helper binary scope), run network-policy-e2e on this branch to re-validate deny-by-default, whitelist behavior, hot-reload, and SSRF filtering.

As per coding guidelines: "nemoclaw-blueprint/policies/** ... E2E test recommendation: network-policy-e2e."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml` around lines 166 - 185,
This change adds a new npm_registry policy (policy name: npm_registry) that
alters baseline egress behavior (L4 passthrough + helper binaries), so before
merging you must run the network-policy-e2e suite to validate deny-by-default,
whitelist behavior, hot-reload, and SSRF filtering; checkout the branch
containing the modified nemoclaw-blueprint/policies/openclaw-sandbox.yaml, run
the network-policy-e2e tests (per project test harness), address any failing
assertions related to npm_registry endpoints or binaries, and iterate until the
e2e suite passes fully.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/security/best-practices.mdx`:
- Line 127: Split the long sentence at line 127 into multiple sentences (one
sentence per source line) and remove the clause-joining colon; for example, end
the first sentence after "for example, clawhub.ai" and start new sentences for
the contrasts ("Others restrict methods..." with the integrate.api.nvidia.com
example), the read-only endpoints ("Read-only endpoints such as docs.openclaw.ai
and the pypi preset allow GET only"), and the npm exception ("The npm_registry
baseline entry and the npm preset are intentional exceptions: npm/Yarn registry
traffic uses L4 pass-through for Node 22 undici CONNECT compatibility" should be
rephrased as a separate sentence or converted into a short list item), ensuring
each sentence sits on its own line and any list-like content is introduced as a
proper list rather than joined by a colon.

In `@nemoclaw-blueprint/policies/openclaw-sandbox.yaml`:
- Around line 166-185: This change adds a new npm_registry policy (policy name:
npm_registry) that alters baseline egress behavior (L4 passthrough + helper
binaries), so before merging you must run the network-policy-e2e suite to
validate deny-by-default, whitelist behavior, hot-reload, and SSRF filtering;
checkout the branch containing the modified
nemoclaw-blueprint/policies/openclaw-sandbox.yaml, run the network-policy-e2e
tests (per project test harness), address any failing assertions related to
npm_registry endpoints or binaries, and iterate until the e2e suite passes
fully.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8293862c-e4c7-4091-a86c-65eef50213e5

📥 Commits

Reviewing files that changed from the base of the PR and between 50c208b and d508c44.

📒 Files selected for processing (4)
  • docs/reference/network-policies.mdx
  • docs/security/best-practices.mdx
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • test/validate-blueprint.test.ts

@chengjiew

Copy link
Copy Markdown
Contributor Author

Follow-up on the PR review advisor item about baseline npm_registry L4 access: this PR keeps that change intentional for #4015 because the OpenClaw plugin install path needs npm/node registry fetches for package metadata and tarballs, and the current REST method/path policy shape was the failure mode under test. I dispatched the required network-policy-e2e against this branch to re-check the live policy behavior: https://github.com/NVIDIA/NemoClaw/actions/runs/26434408359

@chengjiew

Copy link
Copy Markdown
Contributor Author

Correction: the first manual E2E dispatch was cancelled by the nightly workflow concurrency group because I omitted pr_number. I re-dispatched the required network-policy-e2e with pr_number=4184 so it will not be cancelled by the other PR runs: https://github.com/NVIDIA/NemoClaw/actions/runs/26434468301

@github-actions

Copy link
Copy Markdown
Contributor

Selective E2E Results — ✅ All requested jobs passed

Run: 26434468301
Target ref: fix/4015_npm_openclaw_plugin_registry
Workflow ref: main
Requested jobs: network-policy-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job Result
network-policy-e2e ✅ success

@wscurran wscurran added enhancement: policy integration: openclaw OpenClaw integration behavior labels May 26, 2026
@wscurran

Copy link
Copy Markdown
Contributor

@chengjiew

Copy link
Copy Markdown
Contributor Author

Status refresh after the advisor comments:

No additional code change from me right now. Remaining maintainer decision: either keep #4184 as the #4015-linked PR, or hold/close it as duplicate if #4125 is the preferred vehicle for this baseline policy change. I am not closing either PR.

@cv cv left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes based on the PR Review Advisor rubric.

The baseline npm_registry change broadens the default/restricted sandbox boundary too far: access: full + tls: skip for registry.npmjs.org:443, combined with generic npm/node wildcard binaries, permits direct npm/node registry traffic from the baseline policy rather than only the intended openclaw plugins install path. That reopens the boundary the prior #1458 regression test was guarding and contradicts the comment that broader package-manager access requires the npm preset.

Please narrow this to an OpenClaw-owned helper/wrapper path, keep the capability behind the npm preset, or get explicit security/product acceptance for the baseline broadening. Add runtime validation that the intended plugin-install path succeeds while unrelated direct npm/node registry use is denied (or explicitly accepted), and coordinate with overlapping PR #4125 so only one reviewed policy shape lands.

@wscurran wscurran added area: policy Network policy, egress rules, presets, or sandbox policy bug-fix PR fixes a bug or regression feature PR adds or expands user-visible functionality and removed fix feature PR adds or expands user-visible functionality labels Jun 3, 2026
@wscurran wscurran added NV QA Bugs found by the NVIDIA QA Team VDR Linked to VDR finding labels Jun 26, 2026
@apurvvkumaria

Copy link
Copy Markdown
Collaborator

Closing as obsolete after checking the original report against current behavior and current main.

Thank you @chengjiew for the original diagnosis, focused repro, and network-policy E2E validation. No code from this branch is being carried forward because the functional gap is resolved and the proposed policy shape conflicts with the least-privilege boundary retained on current main; accordingly, there is no replacement commit requiring a co-author trailer.

@apurvvkumaria apurvvkumaria added the v0.0.79 Release target label Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: policy Network policy, egress rules, presets, or sandbox policy bug-fix PR fixes a bug or regression integration: openclaw OpenClaw integration behavior NV QA Bugs found by the NVIDIA QA Team v0.0.79 Release target VDR Linked to VDR finding

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[NemoClaw][All Platforms][Policy&Network] npm preset does not allow openclaw plugins install @openclaw/microsoft-speech to resolve from registry

4 participants