
fix(policy): split Claude Code from permissive policies#4075

Open
1PoPTRoN wants to merge 1 commit into
NVIDIA:mainfrom
1PoPTRoN:fix/claude-code-permissive-policy

Conversation

1PoPTRoN (Contributor) commented May 22, 2026

Summary

Removes Claude Code-specific egress from the permissive sandbox policies and moves it behind an explicit claude-code preset. This keeps shields down from granting Anthropic/telemetry endpoints unless users intentionally opt into Claude Code access.

Related Issue

Fixes #4073

Changes

  • Removed the claude_code block from the global permissive policy.
  • Removed duplicated claude_code blocks from OpenClaw and Hermes agent-specific permissive policies.
  • Added a built-in claude-code policy preset with explicit REST rules and scoped binary allowlist.
  • Updated policy preset tests to include the new preset and block regressions where Claude Code hosts reappear in permissive policies.
  • Updated network policy docs to clarify that Claude Code direct egress is opt-in and separate from NemoClaw Anthropic inference routing.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Additional verification run:

  • npm run validate:configs passes
  • npm run build:cli passes
  • npx vitest run test/policies.test.ts passes
  • npx vitest run test/validate-blueprint.test.ts test/security-binaries-restriction.test.ts passes
  • git diff --check passes

Signed-off-by: 1PoPTRoN vrxn.arp1traj@gmail.com

Summary by CodeRabbit

  • New Features

    • Added a new Claude Code configuration preset that must be explicitly applied to enable Claude Code CLI/networking.
  • Changes

    • Removed Claude Code hosts and broad binary allow rules from permissive policy tiers so they are no longer implicitly allowed.
  • Documentation

    • Clarified that Claude Code direct access is excluded by default and requires the explicit preset; updated best-practices and network-policies reference.
  • Tests

    • Updated tests to include the new preset and to verify Claude Code endpoints are isolated from permissive policies.


Copilot AI review requested due to automatic review settings May 22, 2026 16:20
copy-pr-bot (Bot) commented May 22, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai (Bot, Contributor) commented May 22, 2026

📝 Walkthrough

Claude Code endpoints were removed from permissive sandbox policies and placed into a new explicit claude-code preset; documentation and tests were updated to document and validate the preset and its absence from permissive configs.

Changes

Claude Code Network Isolation

  • Remove Claude Code from default permissive policies
    Files: agents/hermes/policy-permissive.yaml, agents/openclaw/policy-permissive.yaml, nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
    The claude_code network policy block is deleted from three permissive policy configurations, removing explicit network and binary allow entries for api.anthropic.com, statsig.anthropic.com, and sentry.io.
  • Introduce dedicated Claude Code preset
    Files: nemoclaw-blueprint/policies/presets/claude-code.yaml
    Adds a claude-code preset that enforces GET/POST HTTPS allow rules for Anthropic/Statsig and Sentry hosts on port 443 and specifies executable path allowlists for the Claude Code CLI and Node runtime.
  • Document Claude Code isolation and validate preset behavior
    Files: docs/reference/network-policies.mdx, docs/security/best-practices.mdx, test/policies.test.ts
    Reference and best-practices docs clarify that Claude Code egress is excluded from permissive modes and requires the claude-code preset; tests updated to expect the new preset and include validation ensuring permissive files omit Claude hosts while the preset contains the expected rules and binaries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

fix, enhancement: policy, Sandbox

Suggested reviewers

  • ericksoa

Poem

A rabbit hops through policies with care,
Claude Code now waits for an opt-in dare,
Preset in paw, the network gates align,
Docs and tests sing the safety line,
Sandbox hops on a deliberate trail. 🐇✨

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix(policy): split Claude Code from permissive policies' accurately and specifically describes the main change: separating Claude Code network policies from the default permissive sandbox policies into an explicit preset.
  • Linked Issues check: ✅ Passed. The PR successfully implements all coding requirements from issue #4073: removes claude_code blocks from all three permissive policy files (global, OpenClaw, Hermes), creates a new claude-code preset with proper network and binary rules, adds comprehensive test validation, and updates documentation.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to issue #4073 objectives: policy file modifications, new preset creation, test additions for regression prevention, and documentation updates explaining the split architecture.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.



coderabbitai (Bot, Contributor) left a comment

🧹 Nitpick comments (1)
test/policies.test.ts (1)

1479-1498: ⚡ Quick win

Strengthen endpoint invariants in the Claude Code preset test.

This test already checks hosts and methods, but it can still pass if endpoint transport semantics drift. Please also assert port, protocol, and enforcement for each endpoint to prevent silent widening.

Suggested patch
       ) as {
         preset?: { name?: string };
         network_policies?: Record<
           string,
           {
-            endpoints?: Array<{ host?: string; access?: string; rules?: unknown[] }>;
+            endpoints?: Array<{
+              host?: string;
+              port?: number;
+              protocol?: string;
+              enforcement?: string;
+              access?: string;
+              rules?: unknown[];
+            }>;
             binaries?: Array<{ path?: string }>;
           }
         >;
       };
@@
       for (const endpoint of claudePolicy?.endpoints ?? []) {
+        expect(endpoint.port).toBe(443);
+        expect(endpoint.protocol).toBe("rest");
+        expect(endpoint.enforcement).toBe("enforce");
         expect(endpoint).not.toHaveProperty("access");
         expect(endpoint.rules).toEqual(
           expect.arrayContaining([
             { allow: { method: "GET", path: "/**" } },
             { allow: { method: "POST", path: "/**" } },
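Review bot: the new assertions pin `protocol` to `"rest"` and `enforcement` to `"enforce"`, while the prompt text for this same finding says `"https"` and `"required"`; take the expected values from the actual `nemoclaw-blueprint/policies/presets/claude-code.yaml` fields before merging, otherwise the test fails for the wrong reason or locks in a value the schema never used. Separately, `expect.arrayContaining([...])` on `endpoint.rules` still passes if a third method such as DELETE is added later, which is exactly the silent widening this test is meant to catch; consider also asserting `expect(endpoint.rules).toHaveLength(2)` (or an exact `toEqual` on the two GET/POST rules) so any extra rule fails the test.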
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/policies.test.ts` around lines 1479 - 1498, The test currently verifies
hosts and allowed methods for preset.network_policies?.claude_code but doesn't
lock down transport semantics; update the loop over claudePolicy?.endpoints to
also assert that each endpoint has port === 443, protocol === "https", and
enforcement === "required" (i.e., add expectations on endpoint.port,
endpoint.protocol, and endpoint.enforcement alongside the existing access/rules
checks) so transport/security widening is caught.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 65f1575a-aa80-41f6-b813-fd2f4dfc1790

📥 Commits

Reviewing files that changed from the base of the PR and between aac4073 and 9e3b66c.

📒 Files selected for processing (6)
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/reference/network-policies.mdx
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/presets/claude-code.yaml
  • test/policies.test.ts
💤 Files with no reviewable changes (3)
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
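The regression check the PR describes under Changes ("block regressions where Claude Code hosts reappear in permissive policies") and the transport-level assertions the reviewer asks for above can be expressed as two small invariant functions. The block below is an added example, not the project's test/policies.test.ts or any of its YAML files: policies are modelled as plain Python dicts using only the field names visible on this page (network_policies, endpoints with host/port/protocol/enforcement/access/rules, binaries with path); the values "rest" and "enforce" follow the reviewer's suggested patch and are an assumption about the real schema, and the binary paths are constructed placeholders.

```python
"""Invariants for the Claude Code / permissive-policy split (added example).

Not the project's test code. Policy dicts mirror the YAML shape visible in the
PR; "rest"/"enforce" follow the reviewer's suggested patch (assumption), and
the binary paths are constructed placeholders.
"""
from __future__ import annotations

import copy

# Hosts the PR moves out of the permissive tiers (listed in the walkthrough).
CLAUDE_CODE_HOSTS = frozenset({"api.anthropic.com", "statsig.anthropic.com", "sentry.io"})
ALLOWED_METHODS = frozenset({"GET", "POST"})
# Constructed placeholder paths; the real preset's allowlist is not shown on the page.
SCOPED_BINARIES = frozenset({"/usr/local/bin/claude", "/usr/local/bin/node"})


def _endpoint(host: str, methods=("GET", "POST"), port: int = 443) -> dict:
    """Build one REST endpoint entry shaped like the preset's endpoints."""
    return {
        "host": host,
        "port": port,
        "protocol": "rest",
        "enforcement": "enforce",
        "rules": [{"allow": {"method": m, "path": "/**"}} for m in methods],
    }


# Constructed sample: a permissive policy after the fix (no claude_code block).
PERMISSIVE_OK = {"network_policies": {"github": {"endpoints": [_endpoint("api.github.com", ("GET",))]}}}

# Constructed sample: the regression the new tests are meant to catch.
PERMISSIVE_REGRESSED = copy.deepcopy(PERMISSIVE_OK)
PERMISSIVE_REGRESSED["network_policies"]["claude_code"] = {"endpoints": [_endpoint("api.anthropic.com")]}

# Constructed sample of the opt-in preset.
CLAUDE_CODE_PRESET = {
    "preset": {"name": "claude-code"},
    "network_policies": {
        "claude_code": {
            "endpoints": [_endpoint(h) for h in sorted(CLAUDE_CODE_HOSTS)],
            "binaries": [{"path": p} for p in sorted(SCOPED_BINARIES)],
        }
    },
}


def permissive_violations(policy: dict) -> list[str]:
    """A permissive policy must carry neither a claude_code block nor any Claude Code host."""
    problems: list[str] = []
    policies = policy.get("network_policies") or {}
    if "claude_code" in policies:
        problems.append("claude_code block present in permissive policy")
    for name, block in policies.items():
        for ep in block.get("endpoints") or []:
            if ep.get("host") in CLAUDE_CODE_HOSTS:
                problems.append(f"{name}: grants {ep['host']}")
    return problems


def preset_violations(preset: dict, allowed_binaries=SCOPED_BINARIES) -> list[str]:
    """The preset must grant exactly the Claude Code hosts on 443/REST, enforced,
    with only GET/POST allow rules, no blanket access key, and only scoped binaries."""
    problems: list[str] = []
    policy = (preset.get("network_policies") or {}).get("claude_code")
    if policy is None:
        return ["preset lacks a claude_code policy block"]
    seen: set = set()
    for ep in policy.get("endpoints") or []:
        host = ep.get("host")
        seen.add(host)
        if host not in CLAUDE_CODE_HOSTS:
            problems.append(f"unexpected host {host}")
        if ep.get("port") != 443:
            problems.append(f"{host}: port {ep.get('port')} is not 443")
        if ep.get("protocol") != "rest":
            problems.append(f"{host}: protocol {ep.get('protocol')!r} is not rest")
        if ep.get("enforcement") != "enforce":
            problems.append(f"{host}: enforcement {ep.get('enforcement')!r} is not enforce")
        if "access" in ep:  # a blanket access key would bypass the per-method rules
            problems.append(f"{host}: blanket access key present")
        for rule in ep.get("rules") or []:
            method = (rule.get("allow") or {}).get("method")
            if method not in ALLOWED_METHODS:
                problems.append(f"{host}: method {method!r} widens the allowlist")
    for host in sorted(CLAUDE_CODE_HOSTS - seen):
        problems.append(f"missing host {host}")
    for binary in policy.get("binaries") or []:
        if binary.get("path") not in allowed_binaries:
            problems.append(f"binary {binary.get('path')} outside scoped allowlist")
    return problems


def widened_preset(preset: dict) -> dict:
    """Deep copy with the first endpoint moved to port 80 and given a DELETE rule:
    the kind of silent widening the transport assertions are meant to catch."""
    widened = copy.deepcopy(preset)
    ep = widened["network_policies"]["claude_code"]["endpoints"][0]
    ep["port"] = 80
    ep["rules"].append({"allow": {"method": "DELETE", "path": "/**"}})
    return widened


if __name__ == "__main__":
    print("permissive (fixed):", permissive_violations(PERMISSIVE_OK) or "ok")
    print("permissive (regressed):", permissive_violations(PERMISSIVE_REGRESSED))
    print("preset:", preset_violations(CLAUDE_CODE_PRESET) or "ok")
    print("preset (widened):", preset_violations(widened_preset(CLAUDE_CODE_PRESET)))
```

In a real test suite the dicts would come from parsing the three permissive YAML files and the preset file; the point of returning a list of violations rather than a boolean is that a regression names the exact host, port or method that reappeared.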

Copilot AI left a comment

Pull request overview

This PR tightens NemoClaw’s permissive (“shields down”) sandbox network policies by removing Claude Code–specific egress and reintroducing it only via an explicit claude-code policy preset, so Claude Code endpoints aren’t granted unless a user opts in.

Changes:

  • Removed claude_code endpoint blocks from the global and agent-specific permissive policy YAMLs.
  • Added a new built-in preset claude-code that scopes allowed endpoints and binaries for Claude Code.
  • Updated policy preset tests and docs to reflect the new opt-in behavior and prevent regressions.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Summary per file:

  • test/policies.test.ts: Updates preset counts/names and adds regression coverage ensuring Claude Code hosts don’t appear in permissive policies and exist only in the new preset.
  • nemoclaw-blueprint/policies/presets/claude-code.yaml: Introduces the new claude-code preset with explicit REST rules and a scoped binary allowlist.
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml: Removes the Claude Code network policy block from the global permissive policy.
  • agents/openclaw/policy-permissive.yaml: Removes the duplicated Claude Code block from OpenClaw’s permissive policy.
  • agents/hermes/policy-permissive.yaml: Removes the duplicated Claude Code block from Hermes’s permissive policy.
  • docs/reference/network-policies.mdx: Documents that Claude Code direct egress is opt-in via claude-code and separate from inference routing.


Comment thread on docs/reference/network-policies.mdx (outdated)
coderabbitai (Bot, Contributor) left a comment

🧹 Nitpick comments (1)
docs/security/best-practices.mdx (1)

163-163: ⚡ Quick win

Use one sentence per source line in these table cells.

Both rows place multiple sentences on a single source line; split them so each sentence is on its own line.

As per coding guidelines, "One sentence per line in source (makes diffs readable). Flag paragraphs where multiple sentences appear on the same line."

Also applies to: 517-517

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security/best-practices.mdx` at line 163, The table cell for the
`claude-code` preset contains multiple sentences on one source line; split that
cell so each sentence is on its own source line (e.g., break "Allows a
separately installed Claude Code CLI to reach Anthropic and telemetry hosts with
its own credentials. Do not use this preset for NemoClaw inference routing."
into two lines). Apply the same one-sentence-per-line fix to the other affected
table row (the row referenced as also applying at 517-517) so every sentence in
each table cell is on its own source line.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1d323874-4538-419a-82f2-44450c2fac87

📥 Commits

Reviewing files that changed from the base of the PR and between 9e3b66c and 59d6122.

📒 Files selected for processing (3)
  • docs/reference/network-policies.mdx
  • docs/security/best-practices.mdx
  • test/policies.test.ts
✅ Files skipped from review due to trivial changes (1)
  • docs/reference/network-policies.mdx

1PoPTRoN force-pushed the fix/claude-code-permissive-policy branch from 59d6122 to 19baf90 (May 22, 2026 17:26)
Signed-off-by: 1PoPTRoN <vrxn.arp1traj@gmail.com>
1PoPTRoN force-pushed the fix/claude-code-permissive-policy branch from 19baf90 to 16ed019 (May 22, 2026 17:27)
coderabbitai (Bot, Contributor) left a comment

🧹 Nitpick comments (1)
docs/security/best-practices.mdx (1)

163-163: ⚡ Quick win

Split sentences to one-per-line in source.

Line 163, Line 446, and Line 517 each contain multiple sentences on the same source line. Please split them so each sentence is on its own line.

As per coding guidelines, "One sentence per line in source (makes diffs readable)."

Also applies to: 446-446, 517-517

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security/best-practices.mdx` at line 163, The table row containing the
`claude-code` preset currently has multiple sentences on one source line; split
that row so each sentence is on its own line (e.g., break after "telemetry, and
crash-report endpoints." and after "with its own credentials."), and do the same
for the other two occurrences flagged (the other multiline-sentence source
lines) so each sentence occupies its own line in the markdown source; this keeps
the `claude-code` table entry and the two other affected paragraphs
one-sentence-per-line as required.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c392c355-1f77-42af-840b-ee394117468a

📥 Commits

Reviewing files that changed from the base of the PR and between 59d6122 and 16ed019.

📒 Files selected for processing (7)
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml
  • docs/reference/network-policies.mdx
  • docs/security/best-practices.mdx
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • nemoclaw-blueprint/policies/presets/claude-code.yaml
  • test/policies.test.ts
💤 Files with no reviewable changes (3)
  • nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
  • agents/hermes/policy-permissive.yaml
  • agents/openclaw/policy-permissive.yaml

1PoPTRoN (Contributor, Author) commented

@cv @ericksoa could you kindly take a look at this when you get a chance? Would appreciate your review/guidance on whether this is aligned with the expected policy direction.


Development

Successfully merging this pull request may close these issues.

Permissive sandbox policies include Claude Code endpoints without explicit opt-in
