From 605d3c7b696720b7948444f5e42256bf708a98c8 Mon Sep 17 00:00:00 2001 From: coder999999999 Date: Mon, 13 Apr 2026 02:57:38 -0400 Subject: [PATCH 1/2] fix(policy): remove deprecated tls termination directives --- agents/hermes/policy-additions.yaml | 13 -------- .../policies/openclaw-sandbox.yaml | 9 ------ .../policies/presets/brave.yaml | 1 - .../policies/presets/huggingface.yaml | 3 -- nemoclaw-blueprint/policies/presets/jira.yaml | 3 -- nemoclaw-blueprint/policies/presets/npm.yaml | 2 -- .../policies/presets/outlook.yaml | 4 --- nemoclaw-blueprint/policies/presets/pypi.yaml | 2 -- test/policies.test.ts | 32 +++++++++++++++++++ 9 files changed, 32 insertions(+), 37 deletions(-) diff --git a/agents/hermes/policy-additions.yaml b/agents/hermes/policy-additions.yaml index 1f23618d76..d8600ec9d8 100644 --- a/agents/hermes/policy-additions.yaml +++ b/agents/hermes/policy-additions.yaml @@ -44,7 +44,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/v1/messages" } - allow: { method: POST, path: "/v1/messages/batches" } @@ -54,14 +53,12 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/**" } - host: sentry.io port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/api/*/envelope/**" } - allow: { method: POST, path: "/api/*/store/**" } @@ -75,7 +72,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/v1/chat/completions" } - allow: { method: POST, path: "/v1/completions" } @@ -86,7 +82,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/v1/chat/completions" } - allow: { method: POST, path: "/v1/completions" } 
@@ -119,7 +114,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -127,7 +121,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -135,7 +128,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -151,14 +143,12 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - host: files.pythonhosted.org port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } binaries: @@ -173,7 +163,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/bot*/**" } - allow: { method: POST, path: "/bot*/**" } @@ -189,7 +178,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -200,7 +188,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } binaries: diff --git a/nemoclaw-blueprint/policies/openclaw-sandbox.yaml b/nemoclaw-blueprint/policies/openclaw-sandbox.yaml index 2ed1cd353d..2d07650b2e 100644 --- a/nemoclaw-blueprint/policies/openclaw-sandbox.yaml +++ b/nemoclaw-blueprint/policies/openclaw-sandbox.yaml @@ -63,7 +63,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/v1/messages" } - allow: { method: POST, path: "/v1/messages/batches" } 
@@ -73,7 +72,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/**" } # sentry.io is a multi-tenant SaaS — any authenticated client can POST @@ -94,7 +92,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } binaries: @@ -107,7 +104,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/v1/chat/completions" } - allow: { method: POST, path: "/v1/completions" } @@ -118,7 +114,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: POST, path: "/v1/chat/completions" } - allow: { method: POST, path: "/v1/completions" } @@ -149,7 +144,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -164,7 +158,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -179,7 +172,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } binaries: @@ -194,7 +186,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } binaries: diff --git a/nemoclaw-blueprint/policies/presets/brave.yaml b/nemoclaw-blueprint/policies/presets/brave.yaml index 96cd41da78..e1cf944e0b 100644 --- a/nemoclaw-blueprint/policies/presets/brave.yaml +++ b/nemoclaw-blueprint/policies/presets/brave.yaml @@ -13,7 +13,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } 
diff --git a/nemoclaw-blueprint/policies/presets/huggingface.yaml b/nemoclaw-blueprint/policies/presets/huggingface.yaml index d4c65ef615..9755d5e679 100644 --- a/nemoclaw-blueprint/policies/presets/huggingface.yaml +++ b/nemoclaw-blueprint/policies/presets/huggingface.yaml @@ -13,7 +13,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: # Download-only. POST /** used to be allowed here, which let # any sandboxed agent that happened to find an HF token in @@ -28,14 +27,12 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - host: router.huggingface.co port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } diff --git a/nemoclaw-blueprint/policies/presets/jira.yaml b/nemoclaw-blueprint/policies/presets/jira.yaml index 9e9df6741e..af7117be85 100644 --- a/nemoclaw-blueprint/policies/presets/jira.yaml +++ b/nemoclaw-blueprint/policies/presets/jira.yaml @@ -13,7 +13,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -21,7 +20,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -29,7 +27,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } diff --git a/nemoclaw-blueprint/policies/presets/npm.yaml b/nemoclaw-blueprint/policies/presets/npm.yaml index afdb15289b..9b429aeca1 100644 --- a/nemoclaw-blueprint/policies/presets/npm.yaml +++ b/nemoclaw-blueprint/policies/presets/npm.yaml 
@@ -13,14 +13,12 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - host: registry.yarnpkg.com port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } binaries: diff --git a/nemoclaw-blueprint/policies/presets/outlook.yaml b/nemoclaw-blueprint/policies/presets/outlook.yaml index ece3d0e0cb..5faa22bd98 100644 --- a/nemoclaw-blueprint/policies/presets/outlook.yaml +++ b/nemoclaw-blueprint/policies/presets/outlook.yaml @@ -13,7 +13,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -21,7 +20,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -29,7 +27,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } @@ -37,7 +34,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: POST, path: "/**" } diff --git a/nemoclaw-blueprint/policies/presets/pypi.yaml b/nemoclaw-blueprint/policies/presets/pypi.yaml index 0bb65d6b52..364bb4040b 100644 --- a/nemoclaw-blueprint/policies/presets/pypi.yaml +++ b/nemoclaw-blueprint/policies/presets/pypi.yaml @@ -13,7 +13,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: HEAD, path: "/**" } @@ -21,7 +20,6 @@ network_policies: port: 443 protocol: rest enforcement: enforce - tls: terminate rules: - allow: { method: GET, path: "/**" } - allow: { method: HEAD, path: "/**" } diff --git a/test/policies.test.ts b/test/policies.test.ts index 3dee4b2bb4..336637623f 100644 
--- a/test/policies.test.ts +++ b/test/policies.test.ts @@ -599,6 +599,38 @@ describe("policies", () => { } }); + it("policy YAML files do not use deprecated tls termination", () => { + const roots = [ + path.join(REPO_ROOT, "nemoclaw-blueprint", "policies"), + path.join(REPO_ROOT, "agents"), + ]; + const stack = [...roots]; + const yamlFiles = []; + + while (stack.length > 0) { + const current = stack.pop(); + for (const entry of fs.readdirSync(current, { withFileTypes: true })) { + const fullPath = path.join(current, entry.name); + if (entry.isDirectory()) { + stack.push(fullPath); + continue; + } + if (entry.name.endsWith(".yaml") || entry.name.endsWith(".yml")) { + yamlFiles.push(fullPath); + } + } + } + + for (const file of yamlFiles) { + const content = fs.readFileSync(file, "utf-8"); + assert.equal( + content.includes("tls: terminate"), + false, + `${path.relative(REPO_ROOT, file)} still contains tls: terminate`, + ); + } + }); + it("pypi preset allows HEAD for pip lazy-wheel metadata checks", () => { // pip and uv use HEAD requests for lazy wheel downloads and // range-request support. GET-only would break pip install. From 741c128c04c09ce1b4d9fee6ebe3f30cbdb38bdb Mon Sep 17 00:00:00 2001 From: coder999999999 Date: Mon, 13 Apr 2026 11:36:17 -0400 Subject: [PATCH 2/2] test: harden deprecated tls regression --- test/policies.test.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/policies.test.ts b/test/policies.test.ts index 336637623f..6806344ca2 100644 --- a/test/policies.test.ts +++ b/test/policies.test.ts @@ -621,10 +621,12 @@ describe("policies", () => { } } + const deprecatedTlsPattern = /^\s*tls\s*:\s*["']?terminate["']?(?:\s+#.*)?\s*$/m; + for (const file of yamlFiles) { const content = fs.readFileSync(file, "utf-8"); assert.equal( - content.includes("tls: terminate"), + deprecatedTlsPattern.test(content), false, `${path.relative(REPO_ROOT, file)} still contains tls: terminate`, );
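Review bot: The new `policy YAML files do not use deprecated tls termination` test passes vacuously when the directory walk collects nothing, because `for (const file of yamlFiles)` then never runs; a regression guard should fail loudly in that case, e.g. `assert.ok(yamlFiles.length > 0, "no policy YAML files found under the scanned roots");` placed just before the loop. `const current = stack.pop();` is typed `string | undefined`, so `fs.readdirSync(current, ...)` only type-checks if the project does not run with strictNullChecks; `const current = stack.pop() as string;` (or a `while` condition that assigns and tests for `undefined`) removes that dependency. The test also only asserts that the directive is gone, while every policy it scans keeps method/path rules on port 443 that the proxy can only apply to a request it can read; a one-line comment above the `it(` stating what now governs termination for `protocol: rest` (presumably it is implicit, but nothing here shows it) would tell the next reader why dropping `tls: terminate` does not silently turn those rules into host-level allows.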
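Review bot: `deprecatedTlsPattern` in the hardened check only matches a block-style `tls: terminate` key at the start of a line, so the same directive written in a flow mapping (`{ host: example.com, tls: terminate }`) is no longer caught, and a commented-out `# tls: terminate` now passes where the previous `includes` failed it; the second is a sensible relaxation, the first is a gap for a regression guard. If this test module already parses the policy files, walking each `network_policies` entry and asserting no `tls` key is present would be more robust than a regex; otherwise broaden the pattern to also accept the key inside a flow mapping, e.g. `const deprecatedTlsPattern = /(?:^|[{,])\s*tls\s*:\s*["']?terminate["']?\s*(?:[,}#]|$)/m;`. Hoisting the regex above the loop is correct as written, since it has no `g` flag and `.test` can be reused without resetting `lastIndex`.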