feat: add github network policy preset #146

Open
Ryuketsukami wants to merge 2 commits into NVIDIA:main from Ryuketsukami:feat/github-policy-preset

@Ryuketsukami Ryuketsukami commented Mar 17, 2026

Adds a github network policy preset covering api.github.com (full REST CRUD),
github.com, raw.githubusercontent.com, and uploads.github.com.

GitHub API access is the most commonly requested missing preset for a coding assistant
running in a sandboxed environment — a natural addition alongside the existing
huggingface, npm, pypi, and docker presets.

Updates the preset count and endpoint assertions in test/policies.test.js and adds
github to the presets table in docs/reference/network-policies.md.

Summary by CodeRabbit

  • Documentation

    • Added a "Policy Presets" section documenting preset-based policy extension and listing via CLI, with a reference table of available presets (discord, docker, github, huggingface, jira, npm, outlook, pypi, slack, telegram).
  • New Features

    • Added a GitHub policy preset enabling controlled access to GitHub API, web, raw content, and uploads.
  • Tests

    • Updated tests to include the new preset and verify its endpoint listings.

@wscurran wscurran added the enhancement: feature Use this label to identify requests for new capabilities in NemoClaw. label Mar 20, 2026
@wscurran (Contributor)

Thanks for adding the github network policy preset, this will be helpful for users who need to access GitHub APIs from within their sandboxes.

@wscurran wscurran added priority: medium Issue that should be addressed in upcoming releases Getting Started Use this label to identify setup, installation, or onboarding issues. labels Mar 20, 2026
@cv (Contributor) commented Mar 21, 2026

Hey @Ryuketsukami, thanks for putting together the GitHub network policy preset — this is a really useful addition! Just a heads-up: the repo has been moving pretty fast lately, and we've landed a bunch of new features plus CI checks since this PR was opened. Would you mind rebasing onto the latest main? That way we can give it a proper review with everything up to date. Appreciate your contribution!

@coderabbitai bot (Contributor) commented Mar 24, 2026

Walkthrough

Adds a GitHub policy preset, documentation for "Policy Presets", and test updates. The preset defines network policies for GitHub endpoints (api.github.com, github.com, raw.githubusercontent.com, uploads.github.com) and tests/assertions were updated to include the new preset.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: docs/reference/network-policies.md | Inserts a "Policy Presets" section describing preset discovery and extension via nemoclaw <name> policy-list and nemoclaw <name> policy-add, and adds a table enumerating 10 named presets and their allowed endpoint hostnames. |
| Policy Preset: nemoclaw-blueprint/policies/presets/github.yaml | Adds a new github preset with description and network_policies for api.github.com, github.com, raw.githubusercontent.com, and uploads.github.com on TCP/443 (REST), with TLS termination and per-host method/path allow rules. |
| Tests: test/policies.test.js | Updates preset count expectation from 9 to 10, includes "github" in expected preset names, switches some assertions to assert.*, and adds a new test that extracts and asserts GitHub preset endpoints include the four hosts. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I nibble docs and YAML leaves,

A GitHub preset seeds the breeze,
Tests hop through fields, tidy and neat,
Endpoints gathered, paws light and fleet,
Cheers from the warren — progress sweet!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: add github network policy preset' directly and clearly summarizes the main change in the changeset—adding a new GitHub network policy preset with supporting documentation and tests. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai bot (Contributor) left a comment

Actionable comments posted: 4

🧹 Nitpick comments (1)
docs/reference/network-policies.md (1)

128-129: One sentence per line.

Per coding guidelines, each sentence should be on its own line to make diffs readable. Line 129 contains two sentences.

📝 Suggested fix
 Presets extend the baseline network policy with additional endpoints for common services.
-Apply a preset with `nemoclaw <name> policy-add` and list available presets with `nemoclaw <name> policy-list`.
+Apply a preset with `nemoclaw <name> policy-add`.
+List available presets with `nemoclaw <name> policy-list`.
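Review bot: both added lines leave `<name>` as a bare placeholder; the section should say what it stands for, either in a sentence next to these commands or by linking to where the CLI argument is defined. Since a reader needs the output of `policy-list` to know which preset to pass to `policy-add`, consider putting the "List available presets" sentence first.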
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/reference/network-policies.md` around lines 128 - 129, The paragraph
"Presets extend the baseline network policy with additional endpoints for common
services. Apply a preset with `nemoclaw <name> policy-add` and list available
presets with `nemoclaw <name> policy-list`." contains two sentences on one line;
split them so each sentence is on its own line (e.g., keep the first sentence as
its own line starting with "Presets extend..." and move the second sentence to
the next line starting with "Apply a preset..."), preserving the existing
wording and backticks for the commands.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nemoclaw-blueprint/policies/presets/github.yaml`:
- Around line 23-30: The github.com entry in the preset uses tls: terminate
which conflicts with the baseline's openclaw-sandbox.yaml that expects access:
full; update the github.com block (host: github.com) to use access: full instead
of tls: terminate (or remove the github.com block entirely to inherit the
baseline), leaving api.github.com and other REST-only entries with tls:
terminate unchanged so REST API endpoints keep their current behavior.

In `@test/policies.test.js`:
- Around line 10-12: The test is using Node's assert but that symbol isn't
imported; update the "returns all 10 presets" test to use vitest's expect API
instead of assert — call policies.listPresets() and replace
assert.equal(presets.length, 10) with expect(presets).toHaveLength(10) (or
expect(presets.length).toBe(10)); ensure no leftover assert usage remains in
this test.
- Around line 24-25: The test currently calls assert.deepEqual(names, expected)
but assert is not imported; change the assertion to use the test framework's
expect API by replacing assert.deepEqual(names, expected) with
expect(names).toEqual(expected) and remove any unused assert import or require;
ensure the variables names and expected remain unchanged so the test compares
the same arrays.
- Around line 62-69: The test "extracts hosts from github preset" uses assert.ok
which is undefined in our environment; update the assertions to use Jest's
expect and toContain for clarity: call policies.loadPreset and
policies.getPresetEndpoints as before, then replace each
assert.ok(hosts.includes("...")) with expect(hosts).toContain("api.github.com"),
expect(hosts).toContain("github.com"),
expect(hosts).toContain("raw.githubusercontent.com"), and
expect(hosts).toContain("uploads.github.com"); also remove or stop using the
unused assert import if present.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5b5ff5de-8a32-4825-b35f-74e7b8fe89a0

📥 Commits

Reviewing files that changed from the base of the PR and between 166319d and f1b1afc.

📒 Files selected for processing (3)
  • docs/reference/network-policies.md
  • nemoclaw-blueprint/policies/presets/github.yaml
  • test/policies.test.js

Signed-off-by: ryuketsukami <ryuketsukami@gmail.com>
@Ryuketsukami Ryuketsukami force-pushed the feat/github-policy-preset branch from b4b7cb6 to f621396 Compare March 24, 2026 02:44
@coderabbitai bot (Contributor) left a comment

♻️ Duplicate comments (3)
test/policies.test.js (3)

24-25: ⚠️ Potential issue | 🔴 Critical

assert.deepEqual is undefined — use expect instead.

Same issue: assert is not imported. The preset list update to include "github" is correct, but the assertion method will fail.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.js` around lines 24 - 25, The test currently calls
assert.deepEqual which fails because assert isn't imported; replace that
assertion with the test framework's expect style (e.g., assert -> expect) by
asserting that the names variable equals the expected array (use
expect(names).to.deep.equal(expected) or equivalently
expect(names).to.eql(expected)), and remove any leftover/assert import
references so the test uses expect exclusively (refer to the names and expected
variables in the test/policies.test.js assertion).

62-69: ⚠️ Potential issue | 🔴 Critical

assert.ok is undefined — use expect for consistency.

The new test for the github preset correctly validates all four expected hosts, but uses assert.ok which is not imported. Use vitest's expect API consistently with other tests in this file (e.g., lines 47-54 use expect(...).toBeTruthy()).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.js` around lines 62 - 69, The test "extracts hosts from
github preset" uses undefined assert.ok; update it to use vitest's expect API
for consistency by replacing the four assert.ok(hosts.includes(...)) calls with
expect(hosts).toContain(...) (or expect(hosts.includes("...")).toBeTruthy()) so
the assertions call expect and validate the results of policies.loadPreset and
policies.getPresetEndpoints.

10-12: ⚠️ Potential issue | 🔴 Critical

assert is not imported — tests will fail at runtime.

The test uses assert.equal but only expect is imported from vitest on line 4. This will throw ReferenceError: assert is not defined.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.js` around lines 10 - 12, The test calls assert.equal on
the result of policies.listPresets but never imports assert, causing a
ReferenceError; fix by importing Node's assert at the top of
test/policies.test.js (e.g., add "import assert from 'assert'") or alternatively
replace assert.equal(presets.length, 10) with a vitest assertion like
expect(presets).toHaveLength(10) so the test uses the already-imported expect.
🧹 Nitpick comments (1)
docs/reference/network-policies.md (1)

128-129: Multiple sentences on one line — use one sentence per line.

Line 129 contains two sentences. Per the style guide, each sentence should be on its own line to make diffs more readable.

 Presets extend the baseline network policy with additional endpoints for common services.
-Apply a preset with `nemoclaw <name> policy-add` and list available presets with `nemoclaw <name> policy-list`.
+Apply a preset with `nemoclaw <name> policy-add`.
+List available presets with `nemoclaw <name> policy-list`.

As per coding guidelines: "One sentence per line in source (makes diffs readable). Flag paragraphs where multiple sentences appear on the same line."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/reference/network-policies.md` around lines 128 - 129, The sentence pair
in the paragraph describing presets is on one line; split them so each sentence
is its own line (e.g., break "Presets extend the baseline network policy with
additional endpoints for common services." and "Apply a preset with `nemoclaw
<name> policy-add` and list available presets with `nemoclaw <name>
policy-list`." into separate lines) to follow the "one sentence per line" style
guide.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: aab3a41d-931d-4be3-a2a7-350bfa81e435

📥 Commits

Reviewing files that changed from the base of the PR and between f1b1afc and 889d474.

📒 Files selected for processing (3)
  • docs/reference/network-policies.md
  • nemoclaw-blueprint/policies/presets/github.yaml
  • test/policies.test.js
✅ Files skipped from review due to trivial changes (1)
  • nemoclaw-blueprint/policies/presets/github.yaml
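
The "extracts hosts from github preset" test discussed in this review checks only that the four hosts are present; for an egress allowlist it is also worth failing when the preset contains a host nobody reviewed. The following is an added example, not code from this PR or from NemoClaw, that compares the hosts in both directions; the preset object shape and the names `presetHosts` and `auditPresetHosts` are assumptions for illustration.

```javascript
// Added example: not NemoClaw code. The preset object shape is an assumption;
// the real github.yaml schema is not shown on this page.
const EXPECTED_GITHUB_HOSTS = [
  "api.github.com", "github.com",
  "raw.githubusercontent.com", "uploads.github.com",
];

// Constructed sample: a parsed preset with one entry that was never reviewed.
const samplePreset = {
  name: "github",
  network_policies: {
    github: {
      endpoints: [
        { host: "api.github.com", port: 443 },
        { host: "github.com", port: 443 },
        { host: "raw.githubusercontent.com", port: 443 },
        { host: "uploads.github.com", port: 443 },
        { host: "*.githubusercontent.com", port: 443 },
      ],
    },
  },
};

// Collect every host across all policy blocks, normalized and de-duplicated.
function presetHosts(preset) {
  const hosts = new Set();
  for (const policy of Object.values(preset.network_policies || {})) {
    for (const ep of policy.endpoints || []) {
      if (typeof ep.host === "string") hosts.add(ep.host.trim().toLowerCase());
    }
  }
  return [...hosts].sort();
}

// Compare against the reviewed allowlist in both directions.
function auditPresetHosts(preset, expected) {
  const actual = presetHosts(preset);
  const want = new Set(expected.map((h) => h.toLowerCase()));
  const have = new Set(actual);
  return {
    missing: [...want].filter((h) => !have.has(h)).sort(),
    unexpected: actual.filter((h) => !want.has(h)),
    wildcards: actual.filter((h) => h.includes("*")),
    ok: actual.length === want.size && actual.every((h) => want.has(h)),
  };
}

console.log(auditPresetHosts(samplePreset, EXPECTED_GITHUB_HOSTS));
```

An inclusion-only check passes on this sample, while the two-way comparison reports the extra wildcard entry.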

@Ryuketsukami (Author)

Hey @cv, done! I've rebased onto the latest main — the branch is now clean with just my commit on top. Sorry for the mess, not used to doing rebases! If there is an issue with anything, let me know!
