[codex] fix(policy): remove deprecated tls termination directives #1821

Open
coder999999999 wants to merge 2 commits into NVIDIA:main from coder999999999:codex/issue-1686-remove-tls-terminate

@coder999999999 coder999999999 commented Apr 13, 2026

Fixes #1686.

What changed

  • removed the remaining deprecated tls: terminate directives from shipped policy YAML
  • updated both the main blueprint policies and the Hermes agent policy additions
  • added a regression test that scans policy YAML under nemoclaw-blueprint/policies and agents to keep the deprecated directive from returning

Why

tls: terminate is deprecated, and the repository still had several remaining occurrences outside the earlier messaging-preset cleanup. This finishes the cleanup so the shipped policy blueprints no longer pin the deprecated setting.

Validation

  • npm run validate:configs
  • npm run lint
  • npm run typecheck
  • npm run typecheck:cli
  • npx vitest run test/policies.test.ts test/validate-blueprint.test.ts test/onboard.test.ts
  • npm run build:cli
  • npm test

Summary by CodeRabbit

  • Chores

    • Removed deprecated TLS termination configuration from network policies across multiple services, including AI APIs, package registries, and messaging platforms.
  • Tests

    • Added a validation test that scans policy files and fails if the deprecated TLS termination setting is present to prevent regressions.

coderabbitai bot commented Apr 13, 2026

Walkthrough

Removed the deprecated tls: terminate configuration from network policy endpoint definitions across multiple policy files and agent configurations, and added a test to prevent future usage of this deprecated field. TLS termination is now handled automatically by the platform.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Hermes Agent Policies: agents/hermes/policy-additions.yaml | Removed tls: terminate from endpoint definitions for claude_code, nvidia, nous_research, pypi, telegram, and discord services (13 endpoints total). |
| OpenClaw Sandbox Policy: nemoclaw-blueprint/policies/openclaw-sandbox.yaml | Removed tls: terminate from endpoint definitions for claude_code, nvidia, clawhub, openclaw_api, openclaw_docs, and npm_registry (9 endpoints total). |
| Policy Presets: nemoclaw-blueprint/policies/presets/brave.yaml, nemoclaw-blueprint/policies/presets/huggingface.yaml, nemoclaw-blueprint/policies/presets/jira.yaml, nemoclaw-blueprint/policies/presets/npm.yaml, nemoclaw-blueprint/policies/presets/outlook.yaml, nemoclaw-blueprint/policies/presets/pypi.yaml | Removed tls: terminate from endpoint definitions across six preset policy files covering Brave, HuggingFace, Jira, npm, Outlook, and PyPI services (13 endpoints total). |
| Policy Validation Test: test/policies.test.ts | Added new test to verify that all policy YAML files in nemoclaw-blueprint/policies and agents directories do not contain the deprecated tls: terminate field. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Off with deprecated TLS!
No more warnings, no more mess!
Terminate the terminate field,
Let automation be revealed.
Logs shine bright, clear, and free—
What a hopping victory! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: removal of deprecated tls termination directives from policy files. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #1686 by removing all deprecated 'tls: terminate' directives from blueprints and adding regression tests to prevent reintroduction. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to removing 'tls: terminate' from policy YAML files and adding a regression test; no unrelated modifications detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coder999999999 coder999999999 marked this pull request as ready for review April 13, 2026 07:37
Copilot AI review requested due to automatic review settings April 13, 2026 07:37

Copilot AI left a comment

Pull request overview

This PR completes the cleanup of deprecated tls: terminate directives from shipped policy YAML, aligning the repo’s policy blueprints with the current OpenShell policy schema and preventing WARN-level log noise (Fixes #1686).

Changes:

  • Removed remaining tls: terminate entries from blueprint preset policies and sandbox/agent policy YAML.
  • Updated Hermes agent policy additions to match the deprecation removal.
  • Added a regression test that scans policy YAML directories to ensure tls: terminate does not reappear.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| test/policies.test.ts | Adds a regression test that walks policy YAML trees and fails if tls: terminate is present. |
| nemoclaw-blueprint/policies/presets/pypi.yaml | Removes deprecated TLS termination directive from endpoints. |
| nemoclaw-blueprint/policies/presets/outlook.yaml | Removes deprecated TLS termination directive from endpoints. |
| nemoclaw-blueprint/policies/presets/npm.yaml | Removes deprecated TLS termination directive from endpoints. |
| nemoclaw-blueprint/policies/presets/jira.yaml | Removes deprecated TLS termination directive from endpoints. |
| nemoclaw-blueprint/policies/presets/huggingface.yaml | Removes deprecated TLS termination directive from endpoints. |
| nemoclaw-blueprint/policies/presets/brave.yaml | Removes deprecated TLS termination directive from endpoint. |
| nemoclaw-blueprint/policies/openclaw-sandbox.yaml | Removes deprecated TLS termination directive from sandbox policy endpoints. |
| agents/hermes/policy-additions.yaml | Removes deprecated TLS termination directive from Hermes-specific policy endpoints. |

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
test/policies.test.ts (1)

626-629: Harden the deprecated TLS check to catch YAML-equivalent variants.

Line 627 currently checks only the exact literal tls: terminate, so variants like tls: "terminate" (or spacing differences) can bypass this regression test.

Diff suggestion
-      for (const file of yamlFiles) {
+      const deprecatedTlsPattern = /^\s*tls\s*:\s*["']?terminate["']?(?:\s+#.*)?\s*$/m;
+      for (const file of yamlFiles) {
         const content = fs.readFileSync(file, "utf-8");
         assert.equal(
-          content.includes("tls: terminate"),
+          deprecatedTlsPattern.test(content),
           false,
           `${path.relative(REPO_ROOT, file)} still contains tls: terminate`,
         );
       }
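Review bot: The `^\s*tls` anchor in `deprecatedTlsPattern` only matches when `tls` is the first token on its line, so `- tls: terminate` (the first key of a list item) and a flow mapping such as `{ host: x, tls: terminate }` would pass this check, although the `content.includes("tls: terminate")` call being removed caught both. Consider allowing an optional `-\s+` before the key, or parsing the YAML and asserting on the `tls` value itself. The two `["']?` groups are also matched independently, so a mismatched quote pair is accepted; a capture group with a backreference would tie them together.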
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.ts` around lines 626 - 629, The test currently checks only
for the exact substring "tls: terminate" using content.includes; change it to
detect YAML-equivalent variants by replacing that includes check with a regex
test against content (for example use /tls:\s*(['"])?terminate\1/ to match
optional quotes and varying whitespace) so the assertion becomes something like
assert.equal(/tls:\s*(['"])?terminate\1/.test(content), false,
`${path.relative(REPO_ROOT, file)} still contains tls: terminate`), referencing
the existing assert.equal, content and file variables shown in the diff.

📥 Commits

Reviewing files that changed from the base of the PR and between d4aac4c and 605d3c7.

📒 Files selected for processing (9)
  • agents/hermes/policy-additions.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • nemoclaw-blueprint/policies/presets/brave.yaml
  • nemoclaw-blueprint/policies/presets/huggingface.yaml
  • nemoclaw-blueprint/policies/presets/jira.yaml
  • nemoclaw-blueprint/policies/presets/npm.yaml
  • nemoclaw-blueprint/policies/presets/outlook.yaml
  • nemoclaw-blueprint/policies/presets/pypi.yaml
  • test/policies.test.ts
💤 Files with no reviewable changes (8)
  • nemoclaw-blueprint/policies/presets/jira.yaml
  • nemoclaw-blueprint/policies/presets/npm.yaml
  • nemoclaw-blueprint/policies/presets/outlook.yaml
  • nemoclaw-blueprint/policies/presets/brave.yaml
  • nemoclaw-blueprint/policies/presets/pypi.yaml
  • nemoclaw-blueprint/policies/presets/huggingface.yaml
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • agents/hermes/policy-additions.yaml

@wscurran wscurran added labels Apr 13, 2026: bug (Something isn't working), CI/CD (Use this label to identify issues with NemoClaw CI/CD pipeline or GitHub Actions.), fix
@wscurran

✨ Thanks for submitting this PR, which proposes a fix for a CI/CD issue and may improve the overall reliability of the test suite.


Possibly related open issues:

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
test/policies.test.ts (1)

608-634: Add a non-empty scan assertion to avoid a vacuous pass.

If traversal finds zero YAML files, this regression still passes without validating deprecation usage. Add a guard assertion before running the regex checks.

Proposed patch
       while (stack.length > 0) {
         const current = stack.pop();
         for (const entry of fs.readdirSync(current, { withFileTypes: true })) {
@@
           }
         }
       }
 
+      expect(yamlFiles.length).toBeGreaterThan(0);
+
       const deprecatedTlsPattern = /^\s*tls\s*:\s*["']?terminate["']?(?:\s+#.*)?\s*$/m;
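Review bot: The guard at `expect(yamlFiles.length).toBeGreaterThan(0)` checks only the combined count, so if one of the scanned roots stops yielding files the test still passes on the strength of the other. The PR description says the scan covers both nemoclaw-blueprint/policies and agents; asserting a non-zero count per root would close that gap. The assertion also carries no failure message and uses `expect` where the loop in this test uses `assert.equal`; something like `assert.ok(yamlFiles.length > 0, "no policy YAML files found to scan")` would match the surrounding style.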
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.ts` around lines 608 - 634, The test currently collects
YAML files into yamlFiles and then asserts none match deprecatedTlsPattern but
can vacuously pass when yamlFiles is empty; add a guard assertion asserting
yamlFiles.length > 0 (with a clear message e.g. "no YAML files found under
REPO_ROOT to scan") immediately after the file discovery loop (after stack
traversal and before iterating over yamlFiles) so the test fails if nothing was
scanned; reference the variables yamlFiles, deprecatedTlsPattern and REPO_ROOT
when adding this assertion.

📥 Commits

Reviewing files that changed from the base of the PR and between 605d3c7 and 741c128.

📒 Files selected for processing (1)
  • test/policies.test.ts
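
The two review points above (matching YAML-equivalent spellings of the directive, and not passing when nothing was scanned) can be compared side by side. This is an added example, not code from the PR or the NemoClaw repository: `suggested` is the pattern quoted in the review, while `tolerant`, `stripComments`, `findOffenders` and the `SAMPLES` snippets are hypothetical names and constructed inputs. It goes slightly beyond the thread by also covering list-item and flow-mapping forms.

```typescript
// Added example, not NemoClaw code: the checks discussed in the review, run
// over constructed snippets, with a guard against an empty scan.
type Check = (yaml: string) => boolean;

// Original test: exact substring (same result as content.includes("tls: terminate")).
const literal: Check = (y) => y.indexOf("tls: terminate") !== -1;

// Pattern from the review suggestion: whole line, optional quotes and trailing comment.
const suggested: Check = (y) =>
  /^\s*tls\s*:\s*["']?terminate["']?(?:\s+#.*)?\s*$/m.test(y);

// Hypothetical looser matcher: drop comments, then accept the key after "- ",
// "{" or "," as well as at line start. A simplification, not a YAML parser.
const stripComments = (y: string): string => y.replace(/(^|\s)#.*$/gm, "$1");
const tolerant: Check = (y) =>
  /(?:^|[\s{,-])tls\s*:\s*(["']?)terminate\1\s*(?:[,}]|$)/m.test(stripComments(y));

// Returns the names of files the check flags. An empty input is an error, so a
// moved or renamed policy directory cannot make the scan pass vacuously.
function findOffenders(files: Record<string, string>, check: Check): string[] {
  const names = Object.keys(files);
  if (names.length === 0) throw new Error("no policy YAML files were scanned");
  return names.filter((name) => check(files[name]));
}

// Constructed snippets keyed by made-up file names (not from the repository).
const SAMPLES: Record<string, string> = {
  "plain.yaml": "    tls: terminate\n",
  "quoted.yaml": 'tls:   "terminate"  # legacy\n',
  "list-item.yaml": "  - tls: terminate\n    host: example.invalid\n",
  "flow.yaml": "endpoints: [{ host: example.invalid, tls: terminate }]\n",
  "commented.yaml": "# tls: terminate was removed\n",
  "clean.yaml": "host: example.invalid\nport: 443\n",
};

console.log("literal  :", findOffenders(SAMPLES, literal).join(", "));
console.log("suggested:", findOffenders(SAMPLES, suggested).join(", "));
console.log("tolerant :", findOffenders(SAMPLES, tolerant).join(", "));
```

The literal check misses the quoted form and flags the commented-out line; the suggested pattern fixes both but no longer sees the list-item and flow-mapping forms. Parsing the YAML and inspecting the `tls` key avoids the pattern trade-offs altogether.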

Development

Successfully merging this pull request may close these issues.

Please remove all the "tls: terminate" from the blueprints

3 participants