fix(policy): suppress agent-required preset additions on restricted tier#5798
Conversation
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughRestricted-tier policy descriptions were updated to state that agent-required presets are suppressed and must be re-applied later. Onboarding selection now computes, reports, and filters those suppressed presets for OpenClaw restricted mode, and tests cover the new behavior. ChangesRestricted tier preset suppression
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Suggested labels
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Code Coverage OverviewLanguages: TypeScript TypeScript / code-coverage/pluginThe overall coverage in the branch is 96%. Coverage data for the branch is not yet available. Show a code coverage summary of the most covered files.
TypeScript / code-coverage/cliThe overall coverage in the branch is 67%. Coverage data for the branch is not yet available. Show a code coverage summary of the most covered files.
Updated |
|
🌿 Preview your docs: https://nvidia-preview-pr-5798.docs.buildwithfern.com/nemoclaw |
PR Review Advisor — Changes requestedMerge posture: Do not merge yet Action checklist
Findings index
Review findings by urgency: 0 required fixes, 3 items to resolve/justify, 1 in-scope improvement
|
E2E Advisor RecommendationRequired E2E: Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
Vitest E2E Scenario RecommendationRequired Vitest E2E scenarios: Dispatch required Vitest E2E scenarios:
Full Vitest E2E advisor summaryVitest E2E Scenario AdvisorBase: Required Vitest E2E scenarios
Optional Vitest E2E scenarios
Relevant changed files
|
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
docs/reference/network-policies.mdx (1)
71-71: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valuePassive voice in tier description.
"Agent-required preset additions ... are suppressed" is passive. Consider rephrasing actively, e.g. "Restricted mode suppresses agent-required preset additions, such as OpenClaw pricing fetches; reapply them later with
policy-add...".As per path instructions: "Active voice required. Flag passive constructions."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/reference/network-policies.mdx` at line 71, The Restricted tier description uses passive voice in the sentence about agent-required preset additions, so rewrite it in active voice. Update the wording in the network-policies documentation so the Restricted mode is the actor that suppresses those additions, while preserving the meaning about OpenClaw pricing fetches and reapplying them later with policy-add if needed.Source: Path instructions
src/lib/onboard/policy-selection.ts (1)
146-154: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueOptional: reuse the helper to avoid divergence.
suppressedAgentRequiredPresets(Line 153) and the inline append incomputeSetupPresetSuggestions(Lines 191-194) compute the sameopenclaw-pricing+ required-OTEL list under the same restricted/Openclaw conditions. Consider deriving one from the other so the suppression list and the gated additions cannot drift apart.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/onboard/policy-selection.ts` around lines 146 - 154, The restricted/Openclaw preset logic is duplicated between suppressedAgentRequiredPresets and the inline append in computeSetupPresetSuggestions, which risks the two lists drifting apart. Refactor computeSetupPresetSuggestions to derive its gated additions from suppressedAgentRequiredPresets, or extract a shared helper used by both. Keep the existing RESTRICTED_TIER_NAME and isOpenclawAgent checks in one place, and ensure the returned preset list remains the same in both paths.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/onboard-policy-suggestions.test.ts`:
- Around line 494-506: The test around suppressedAgentRequiredPresets is only
isolating NEMOCLAW_OPENCLAW_OTEL, so it can accidentally inherit
NEMOCLAW_OPENCLAW_OTEL_ENDPOINT from the runner and change whether
openclaw-diagnostics-otel-local is included. Update this test to save, clear,
and restore NEMOCLAW_OPENCLAW_OTEL_ENDPOINT alongside the existing env var
handling in the suppressedAgentRequiredPresets assertion block so the
expectation stays deterministic.
---
Nitpick comments:
In `@docs/reference/network-policies.mdx`:
- Line 71: The Restricted tier description uses passive voice in the sentence
about agent-required preset additions, so rewrite it in active voice. Update the
wording in the network-policies documentation so the Restricted mode is the
actor that suppresses those additions, while preserving the meaning about
OpenClaw pricing fetches and reapplying them later with policy-add if needed.
In `@src/lib/onboard/policy-selection.ts`:
- Around line 146-154: The restricted/Openclaw preset logic is duplicated
between suppressedAgentRequiredPresets and the inline append in
computeSetupPresetSuggestions, which risks the two lists drifting apart.
Refactor computeSetupPresetSuggestions to derive its gated additions from
suppressedAgentRequiredPresets, or extract a shared helper used by both. Keep
the existing RESTRICTED_TIER_NAME and isOpenclawAgent checks in one place, and
ensure the returned preset list remains the same in both paths.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: ebd267a5-4321-4b59-bde2-f9d1d2632167
📒 Files selected for processing (5)
docs/reference/network-policies.mdxnemoclaw-blueprint/policies/tiers.yamlsrc/lib/onboard.tssrc/lib/onboard/policy-selection.tstest/onboard-policy-suggestions.test.ts
cv
left a comment
There was a problem hiding this comment.
LGTM after addressing feedback
…dary Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
…wth guardrail Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ❌ Some jobs failedRun: 28227482209
|
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ❌ Some jobs failedRun: 28228069681
|
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ❌ Some jobs failedRun: 28230568188
|
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 28230500053
|
Selective E2E Results — ❌ Some jobs failedRun: 28231278562
|
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ❌ Some jobs failedRun: 28233348761
|
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ❌ Some jobs failedRun: 28235814381
|
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ❌ Some jobs failedRun: 28236237588
|
…ive on restricted resume Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
…d by CodeQL Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ❌ Some jobs failedRun: 28291522650
|
…tier Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
…board.ts Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ❌ Some jobs failedRun: 28292425428
|
…o keep onboard.ts net-neutral Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ✅ All requested jobs passedRun: 28293019672
|
… keep test isolation Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ✅ All requested jobs passedRun: 28293572844
|
…restricted tier Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ✅ All requested jobs passedRun: 28293835725
|
…reate-time path Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
Selective E2E Results — ✅ All requested jobs passedRun: 28294148783
|
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
E2E Target RecommendationRequired E2E targets: Dispatch required E2E targets:
Full E2E target advisor summaryE2E Target AdvisorBase: Required E2E targets
Optional E2E targets
Relevant changed files
|
Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
<!-- markdownlint-disable MD041 --> ## Summary Refreshes the public documentation for NemoClaw v0.0.71 after scanning commits since v0.0.70. Adds release notes and fills the remaining doc gaps for Windows bootstrap diagnostics, OpenClaw agent auto-relock warnings, auto-pair cadence tuning, and plugin-install recovery hints. ## Changes - `docs/about/release-notes.mdx`: adds the v0.0.71 release-note section, grouped by gateway recovery, OpenShell auth, policy provenance, day-two maintenance, messaging/inference, and Windows setup. - `docs/get-started/windows-preparation.mdx`: documents sanitized WSL install output and reboot gating in the Windows bootstrap. - `docs/reference/commands.mdx`: documents the host `agent` wrapper's shields auto-relock warning and OpenClaw auto-pair watcher tuning variables. - `docs/reference/troubleshooting.mdx`: adds plugin-install network failure recovery guidance and updates Windows WSL troubleshooting for sanitized install logs and reboot-required handling. Source summary: - #6065 -> `docs/about/release-notes.mdx`: Notes explicit model override preservation and gateway-log guard-chain recovery diagnostics. - #5874 -> `docs/about/release-notes.mdx`: Summarizes host-mediated `recover` and `gateway restart`, linking to lifecycle, command, troubleshooting, and trusted-boundary docs already added by the source PR. - #5596 -> `docs/about/release-notes.mdx`: Summarizes OpenShell 0.0.71 gateway auth, loopback binding, and compatibility-container docs already added by the source PR. - #5797 and #5798 -> `docs/about/release-notes.mdx`: Summarizes `policy-list` provenance, Restricted tier suppression, and Balanced tier weather behavior already reflected in policy docs. - #5784 -> `docs/about/release-notes.mdx`: Summarizes `--destroy-user-data` and the safe `--yes` uninstall behavior already documented in lifecycle and command docs. - #6034 -> `docs/about/release-notes.mdx`: Summarizes custom Dockerfile warm-build cache behavior already documented in the command reference. - #5951 -> `docs/reference/commands.mdx`: Documents the stderr-only host `agent` wrapper warning after recent shields auto-relock. - #5387 -> `docs/reference/commands.mdx`: Documents OpenClaw auto-pair watcher cadence and fast-reentry tuning variables. - #5835 -> `docs/reference/troubleshooting.mdx`: Adds recovery guidance for OpenClaw plugin-install network failures. - #5995 and #5956 -> `docs/about/release-notes.mdx`: Summarizes Microsoft Teams final-message delivery and runtime mention hints already covered by messaging docs. - #5716 -> `docs/about/release-notes.mdx`: Summarizes non-interactive Ollama loopback safety already covered by local inference docs. - #5505, #5527, and #5528 -> `docs/about/release-notes.mdx`: Summarizes compatible local endpoint, model task-fit, and model capability audit docs. - #6009 -> `docs/get-started/windows-preparation.mdx`, `docs/reference/troubleshooting.mdx`: Documents sanitized Windows bootstrap WSL output and reboot-required gating. - #6055 -> no additional source doc page change needed beyond the already-merged quickstart update; release notes did not duplicate routine quickstart cleanup. No matching v0.0.71 GitHub announcement discussion was found in the latest 20 discussions, so this refresh is based on the commit scan and existing source PR docs. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check all that apply. For any "covered by existing tests", "not applicable", or waiver entry, add a brief justification on the same line or in the Changes section. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: docs-only refresh with no runtime behavior changes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each item you ran and confirmed. Leave unchecked items you skipped. Doc-only changes do not require npm test unless you ran it. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [ ] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — ran `npm run docs`; Fern reported 0 errors and 2 existing warnings. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added a new release-notes entry covering gateway recovery, authentication, network policy/provenance output, uninstall safety, Windows bootstrap diagnostics, messaging defaults, and inference setup guidance. * Clarified Windows preparation steps around reboot behavior and redacting troubleshooting transcripts. * Expanded command reference details for OpenClaw wrapper behavior and new auto-pair tuning options. * Improved troubleshooting guidance for plugin installation issues, WSL repair/reboot cases, and install timing problems. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> Co-authored-by: Prekshi Vyas <34834085+prekshivyas@users.noreply.github.com>
…ier (NVIDIA#5798) <!-- markdownlint-disable MD041 --> ## Summary `nemoclaw onboard --policy-tier=restricted` (and the interactive equivalent) used to apply `openclaw-pricing` to OpenClaw sandboxes regardless of the chosen tier, because the suggestion pipeline added it as an OpenClaw-required preset before the tier filter ran. The Restricted tier description promises "no third-party network access beyond inference and core agent tooling", so the pricing fetch — which reaches LiteLLM and OpenRouter — directly contradicts the tier intent. This change suppresses the OpenClaw agent-required additions (`openclaw-pricing`, and the local OTEL preset when OTEL is enabled) on the Restricted tier at both the suggestion helper and the final application boundary, prints a one-line onboard notice listing what was suppressed and how to reapply it, and documents the stricter Restricted behaviour in the tier definition and reference page. ## Related Issue Fixes NVIDIA#5793 ## Changes - `src/lib/onboard/policy-selection.ts`: extract a shared `agentRequiredPresetAdditions(agent, env)` helper so `computeSetupPresetSuggestions` and `suppressedAgentRequiredPresets` cannot drift apart. Gate the OpenClaw agent-required adds (`openclaw-pricing` and `requiredOpenclawOtelPolicyPresets`) on `tierName !== "restricted"` inside `computeSetupPresetSuggestions`, and filter the same set out of `chosen` and `interactiveChoice` after `mergeRequiredSetupPolicyPresets` so the later merge step cannot reintroduce the OTEL preset for restricted + OpenClaw. - `src/lib/onboard/policy-selection.ts`: new exported `suppressedAgentRequiredPresets(tierName, agent, env)` helper and a follow-up `deps.note(...)` in `setupPoliciesWithSelectionInner` that prints `Restricted tier suppresses agent-required preset(s): ... Apply later with 'nemoclaw <name> policy-add <preset>' if needed.` whenever the helper returns anything. - `nemoclaw-blueprint/policies/tiers.yaml`: extend the Restricted tier description (active voice) to call out that Restricted mode suppresses agent-required preset additions and to point operators at `policy-add`. - `docs/reference/network-policies.mdx`: mirror the new Restricted description in the tier table (active voice). - `test/onboard-policy-suggestions.test.ts`: ten new tests under `computeSetupPresetSuggestions > restricted tier suppresses agent-required preset additions` and a new `suppressedAgentRequiredPresets` block. The OTEL env-var tests save, clear, and restore both `NEMOCLAW_OPENCLAW_OTEL` and `NEMOCLAW_OPENCLAW_OTEL_ENDPOINT` so runner-inherited values cannot affect the expectation. - `test/policy-tiers-onboard.test.ts`: three new application-path tests that exercise `setupPoliciesWithSelection` end-to-end — restricted + OpenClaw applies zero presets in non-interactive suggested mode, restricted + OpenClaw with `NEMOCLAW_OPENCLAW_OTEL=1` does not re-add `openclaw-diagnostics-otel-local` after the required-preset merge, and the suppression note matches the final applied set. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [x] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [ ] Doc only (includes code sample changes) ## Verification - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [x] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [x] Tests added or updated for new or changed behavior - [x] No secrets, API keys, or credentials committed - [x] Docs updated for user-facing behavior changes - [ ] `npm run docs` builds without warnings (doc changes only) - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- Signed-off-by: Tinson Lai <tinsonl@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Updated “Restricted” network policy tier guidance to clarify that specific agent-required preset additions are suppressed and can be re-applied later with `policy-add`. * **New Features** * Restricted-tier onboarding now suppresses withheld agent-required presets for applicable agents and surfaces a note listing which presets are suppressed. * **Bug Fixes** * Correctly limits preset suggestions and prevents restricted presets from being (re-)applied; reconciliation removes previously applied withheld presets. * **Tests** * Added unit and integration coverage for Restricted-tier behavior, including OTEL-enabled scenarios and applied-vs-suppressed verification. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Tinson Lai <tinsonl@nvidia.com> Co-authored-by: Prekshi Vyas <prekshiv@nvidia.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
<!-- markdownlint-disable MD041 --> ## Summary Refreshes the public documentation for NemoClaw v0.0.71 after scanning commits since v0.0.70. Adds release notes and fills the remaining doc gaps for Windows bootstrap diagnostics, OpenClaw agent auto-relock warnings, auto-pair cadence tuning, and plugin-install recovery hints. ## Changes - `docs/about/release-notes.mdx`: adds the v0.0.71 release-note section, grouped by gateway recovery, OpenShell auth, policy provenance, day-two maintenance, messaging/inference, and Windows setup. - `docs/get-started/windows-preparation.mdx`: documents sanitized WSL install output and reboot gating in the Windows bootstrap. - `docs/reference/commands.mdx`: documents the host `agent` wrapper's shields auto-relock warning and OpenClaw auto-pair watcher tuning variables. - `docs/reference/troubleshooting.mdx`: adds plugin-install network failure recovery guidance and updates Windows WSL troubleshooting for sanitized install logs and reboot-required handling. Source summary: - NVIDIA#6065 -> `docs/about/release-notes.mdx`: Notes explicit model override preservation and gateway-log guard-chain recovery diagnostics. - NVIDIA#5874 -> `docs/about/release-notes.mdx`: Summarizes host-mediated `recover` and `gateway restart`, linking to lifecycle, command, troubleshooting, and trusted-boundary docs already added by the source PR. - NVIDIA#5596 -> `docs/about/release-notes.mdx`: Summarizes OpenShell 0.0.71 gateway auth, loopback binding, and compatibility-container docs already added by the source PR. - NVIDIA#5797 and NVIDIA#5798 -> `docs/about/release-notes.mdx`: Summarizes `policy-list` provenance, Restricted tier suppression, and Balanced tier weather behavior already reflected in policy docs. - NVIDIA#5784 -> `docs/about/release-notes.mdx`: Summarizes `--destroy-user-data` and the safe `--yes` uninstall behavior already documented in lifecycle and command docs. - NVIDIA#6034 -> `docs/about/release-notes.mdx`: Summarizes custom Dockerfile warm-build cache behavior already documented in the command reference. - NVIDIA#5951 -> `docs/reference/commands.mdx`: Documents the stderr-only host `agent` wrapper warning after recent shields auto-relock. - NVIDIA#5387 -> `docs/reference/commands.mdx`: Documents OpenClaw auto-pair watcher cadence and fast-reentry tuning variables. - NVIDIA#5835 -> `docs/reference/troubleshooting.mdx`: Adds recovery guidance for OpenClaw plugin-install network failures. - NVIDIA#5995 and NVIDIA#5956 -> `docs/about/release-notes.mdx`: Summarizes Microsoft Teams final-message delivery and runtime mention hints already covered by messaging docs. - NVIDIA#5716 -> `docs/about/release-notes.mdx`: Summarizes non-interactive Ollama loopback safety already covered by local inference docs. - NVIDIA#5505, NVIDIA#5527, and NVIDIA#5528 -> `docs/about/release-notes.mdx`: Summarizes compatible local endpoint, model task-fit, and model capability audit docs. - NVIDIA#6009 -> `docs/get-started/windows-preparation.mdx`, `docs/reference/troubleshooting.mdx`: Documents sanitized Windows bootstrap WSL output and reboot-required gating. - NVIDIA#6055 -> no additional source doc page change needed beyond the already-merged quickstart update; release notes did not duplicate routine quickstart cleanup. No matching v0.0.71 GitHub announcement discussion was found in the latest 20 discussions, so this refresh is based on the commit scan and existing source PR docs. ## Type of Change - [ ] Code change (feature, bug fix, or refactor) - [ ] Code change with doc updates - [ ] Doc only (prose changes, no code sample modifications) - [x] Doc only (includes code sample changes) ## Quality Gates <!-- Check all that apply. For any "covered by existing tests", "not applicable", or waiver entry, add a brief justification on the same line or in the Changes section. --> - [ ] Tests added or updated for changed behavior - [ ] Existing tests cover changed behavior — justification: - [x] Tests not applicable — justification: docs-only refresh with no runtime behavior changes. - [x] Docs updated for user-facing behavior changes - [ ] Docs not applicable — justification: - [ ] Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging) - [ ] Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: - [ ] Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue: ## Verification <!-- Check each item you ran and confirmed. Leave unchecked items you skipped. Doc-only changes do not require npm test unless you ran it. --> - [x] PR description includes the DCO sign-off declaration and every commit appears as `Verified` in GitHub - [x] Git hooks passed during commit and push, or `npx prek run --from-ref main --to-ref HEAD` passes - [ ] Targeted tests pass for changed behavior - [ ] Full `npm test` passes (broad runtime changes only) - [x] Quality Gates section completed with required justifications or waivers - [x] No secrets, API keys, or credentials committed - [ ] `npm run docs` builds without warnings (doc changes only) — ran `npm run docs`; Fern reported 0 errors and 2 existing warnings. - [x] Doc pages follow the [style guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md) (doc changes only) - [ ] New doc pages include SPDX header and frontmatter (new pages only) --- <!-- DCO sign-off is required in this PR description, and every commit must appear as Verified in GitHub. Run: git config user.name && git config user.email --> Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Documentation** * Added a new release-notes entry covering gateway recovery, authentication, network policy/provenance output, uninstall safety, Windows bootstrap diagnostics, messaging defaults, and inference setup guidance. * Clarified Windows preparation steps around reboot behavior and redacting troubleshooting transcripts. * Expanded command reference details for OpenClaw wrapper behavior and new auto-pair tuning options. * Improved troubleshooting guidance for plugin installation issues, WSL repair/reboot cases, and install timing problems. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Signed-off-by: Julie Yaunches <jyaunches@nvidia.com> Co-authored-by: Prekshi Vyas <34834085+prekshivyas@users.noreply.github.com>
Summary
nemoclaw onboard --policy-tier=restricted(and the interactive equivalent) used to applyopenclaw-pricingto OpenClaw sandboxes regardless of the chosen tier, because the suggestion pipeline added it as an OpenClaw-required preset before the tier filter ran. The Restricted tier description promises "no third-party network access beyond inference and core agent tooling", so the pricing fetch — which reaches LiteLLM and OpenRouter — directly contradicts the tier intent. This change suppresses the OpenClaw agent-required additions (openclaw-pricing, and the local OTEL preset when OTEL is enabled) on the Restricted tier at both the suggestion helper and the final application boundary, prints a one-line onboard notice listing what was suppressed and how to reapply it, and documents the stricter Restricted behaviour in the tier definition and reference page.Related Issue
Fixes #5793
Changes
src/lib/onboard/policy-selection.ts: extract a sharedagentRequiredPresetAdditions(agent, env)helper socomputeSetupPresetSuggestionsandsuppressedAgentRequiredPresetscannot drift apart. Gate the OpenClaw agent-required adds (openclaw-pricingandrequiredOpenclawOtelPolicyPresets) ontierName !== "restricted"insidecomputeSetupPresetSuggestions, and filter the same set out ofchosenandinteractiveChoiceaftermergeRequiredSetupPolicyPresetsso the later merge step cannot reintroduce the OTEL preset for restricted + OpenClaw.src/lib/onboard/policy-selection.ts: new exportedsuppressedAgentRequiredPresets(tierName, agent, env)helper and a follow-updeps.note(...)insetupPoliciesWithSelectionInnerthat printsRestricted tier suppresses agent-required preset(s): ... Apply later with 'nemoclaw <name> policy-add <preset>' if needed.whenever the helper returns anything.nemoclaw-blueprint/policies/tiers.yaml: extend the Restricted tier description (active voice) to call out that Restricted mode suppresses agent-required preset additions and to point operators atpolicy-add.docs/reference/network-policies.mdx: mirror the new Restricted description in the tier table (active voice).test/onboard-policy-suggestions.test.ts: ten new tests undercomputeSetupPresetSuggestions > restricted tier suppresses agent-required preset additionsand a newsuppressedAgentRequiredPresetsblock. The OTEL env-var tests save, clear, and restore bothNEMOCLAW_OPENCLAW_OTELandNEMOCLAW_OPENCLAW_OTEL_ENDPOINTso runner-inherited values cannot affect the expectation.test/policy-tiers-onboard.test.ts: three new application-path tests that exercisesetupPoliciesWithSelectionend-to-end — restricted + OpenClaw applies zero presets in non-interactive suggested mode, restricted + OpenClaw withNEMOCLAW_OPENCLAW_OTEL=1does not re-addopenclaw-diagnostics-otel-localafter the required-preset merge, and the suppression note matches the final applied set.Type of Change
Verification
Verifiedin GitHubnpx prek run --from-ref main --to-ref HEADpassesnpm testpasses (broad runtime changes only)npm run docsbuilds without warnings (doc changes only)Signed-off-by: Tinson Lai tinsonl@nvidia.com
Summary by CodeRabbit
Documentation
policy-add.New Features
Bug Fixes
Tests