
fix(policy): remove deprecated tls: terminate from all policy presets#1885

Closed
BenediktSchackenberg wants to merge 2 commits into NVIDIA:main from BenediktSchackenberg:fix/connect-tunnel-brave-slack-1798

Conversation

@BenediktSchackenberg
Contributor

@BenediktSchackenberg BenediktSchackenberg commented Apr 14, 2026

Problem

tls: terminate is deprecated since OpenShell 0.0.24 (see policy schema docs). Keeping it generates WARN-level log entries on every sandbox start and can interfere with CONNECT tunnel handling in some proxy configurations.

Reported in #1686. Also related to #1798 (CONNECT tunnel 403 for Brave/Slack on some setups).

Fix

Removed tls: terminate from all affected policy files:

  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml — 12 instances
  • presets/brave.yaml, huggingface.yaml, jira.yaml, npm.yaml, outlook.yaml, pypi.yaml

27 lines removed, no functional change (the field was ignored/deprecated).

Fixes #1686

Signed-off-by: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>

Summary by CodeRabbit

  • Chores
    • Updated network policy configurations across sandbox and preset policy files by removing TLS termination settings from multiple HTTPS endpoints. Affected services include Anthropic, NVIDIA, Hugging Face, Brave, Jira, npm/Yarn, PyPI, Outlook/Microsoft Graph, Discord, Telegram, Sentry, and others. All endpoint hosts, ports, protocols, enforcement settings, and access rules remain unchanged.

OpenShell 0.0.24+ deprecated the tls: terminate field. Keeping it
generates WARN-level log entries on every sandbox start and may interfere
with CONNECT tunnel handling in some proxy configurations.

Removed from all affected files:
- nemoclaw-blueprint/policies/openclaw-sandbox.yaml (12 instances)
- presets/brave.yaml, huggingface.yaml, jira.yaml, npm.yaml,
  outlook.yaml, pypi.yaml

Fixes NVIDIA#1686

Signed-off-by: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 18:57
@coderabbitai
Contributor

coderabbitai bot commented Apr 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 920efc85-5135-4340-968c-9975fe423e94

📥 Commits

Reviewing files that changed from the base of the PR and between f3e9996 and d88e053.

📒 Files selected for processing (1)
  • agents/hermes/policy-additions.yaml
💤 Files with no reviewable changes (1)
  • agents/hermes/policy-additions.yaml

📝 Walkthrough

Removed deprecated tls: terminate from network policy endpoint definitions across multiple YAML presets and policies; endpoints keep their host/port/protocol/enforcement and existing allow rules unchanged. Changes reduce deprecated warnings without altering access rules.

Changes

Cohort / File(s) | Summary
Main Sandbox Policy
nemoclaw-blueprint/policies/openclaw-sandbox.yaml
Removed tls: terminate from multiple endpoint entries (Anthropic, Sentry, NVIDIA, Clawhub/Openclaw, NPM, Telegram, Discord). Endpoint metadata and allow rules unchanged.
Service Presets
nemoclaw-blueprint/policies/presets/brave.yaml, nemoclaw-blueprint/policies/presets/huggingface.yaml, nemoclaw-blueprint/policies/presets/jira.yaml, nemoclaw-blueprint/policies/presets/npm.yaml, nemoclaw-blueprint/policies/presets/outlook.yaml, nemoclaw-blueprint/policies/presets/pypi.yaml
Removed tls: terminate from multiple preset endpoints (Brave, Hugging Face, Atlassian/Jira, npm/yarn registries, Outlook/Microsoft Graph, PyPI). All other endpoint fields and rules preserved.
Agent Policy Additions
agents/hermes/policy-additions.yaml
Removed tls: terminate from several endpoints used by agents (Claude/Nous Research, NVIDIA, pypi, Telegram, Discord). Access rules and other fields unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through YAML, tidy and spry,
Removed an old flag with a wink of my eye,
No more WARNs at the break of day,
The blueprints now bounce and lightly sway,
Hooray for cleaner logs — hip hip, hooray! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: removing deprecated tls: terminate configuration from policy files across the codebase.
Linked Issues check ✅ Passed The PR fully addresses #1686 by removing all tls: terminate instances from policy files, eliminating WARN-level log entries and preventing tunnel interference.
Out of Scope Changes check ✅ Passed All changes are scoped to removing tls: terminate from policy configuration files; no unrelated modifications are present.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



Copilot AI left a comment


Pull request overview

Removes deprecated tls: terminate entries from NemoClaw policy presets / blueprint policy to avoid OpenShell WARN spam and reduce the risk of interfering with CONNECT tunnel behavior.

Changes:

  • Removed tls: terminate from nemoclaw-blueprint/policies/openclaw-sandbox.yaml.
  • Removed tls: terminate from multiple preset policy YAMLs (brave, huggingface, jira, npm, outlook, pypi).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
nemoclaw-blueprint/policies/presets/pypi.yaml Drops deprecated tls: terminate from PyPI endpoints.
nemoclaw-blueprint/policies/presets/outlook.yaml Drops deprecated tls: terminate from Outlook endpoints.
nemoclaw-blueprint/policies/presets/npm.yaml Drops deprecated tls: terminate from npm/Yarn registry endpoints.
nemoclaw-blueprint/policies/presets/jira.yaml Drops deprecated tls: terminate from Jira endpoints.
nemoclaw-blueprint/policies/presets/huggingface.yaml Drops deprecated tls: terminate from Hugging Face endpoints.
nemoclaw-blueprint/policies/presets/brave.yaml Drops deprecated tls: terminate from Brave endpoints.
nemoclaw-blueprint/policies/openclaw-sandbox.yaml Drops deprecated tls: terminate from the default OpenClaw sandbox policy.


Comment on lines 74 to 78
port: 443
protocol: rest
enforcement: enforce
tls: terminate
rules:
- allow: { method: POST, path: "/v1/messages" }

Copilot AI Apr 14, 2026


The PR description/title indicates tls: terminate has been removed from all affected policy presets/files, but the repo still contains multiple tls: terminate entries in agents/hermes/policy-additions.yaml (used via policyAdditionsPath in src/lib/agent-defs.ts). If the goal is to eliminate WARN logs globally (and fully resolve #1686), consider removing it there too or clarifying the PR scope/description that Hermes is intentionally out of scope.

Missed in the initial sweep — agents/hermes/policy-additions.yaml
contained 13 more tls: terminate entries.

Per Copilot review on NVIDIA#1885.

Signed-off-by: Benedikt Schackenberg <6381261+BenediktSchackenberg@users.noreply.github.com>
@BenediktSchackenberg
Contributor Author

Fixed — also removed tls: terminate from agents/hermes/policy-additions.yaml (13 more instances). No tls: terminate entries remain in the repo.

@cjagwani
Contributor

@BenediktSchackenberg Heads up — #1821 addresses the same issue (#1686) with the same file changes, and also adds a regression test in test/policies.test.ts to prevent tls: terminate from coming back. Since #1821 has the test and this one doesn't, recommending we merge #1821 and close this one as superseded.

Your contribution is still appreciated — the cleanup is correct. Just a timing overlap.
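The regression test mentioned above (test/policies.test.ts in #1821) is not shown on this page; the following is an added example, not the project's own test, of the kind of check that would have caught the entries the first sweep missed in agents/hermes/policy-additions.yaml: a line-based scan of policy YAML for a live `tls: terminate` setting. The sample policies, their endpoint shape (modelled on the snippet in the Copilot review comment) and the function names are constructed for this example; the real presets are not reproduced here.

```typescript
// Added example (not project code): flag the deprecated `tls: terminate`
// field in OpenShell/NemoClaw-style policy YAML so a CI test fails if it
// is ever reintroduced. All sample policy text below is constructed.

interface Finding {
  file: string;
  line: number;  // 1-based line number within the file
  text: string;  // the offending line, trimmed
}

// A YAML mapping entry `tls: terminate`, value optionally quoted,
// optionally followed by an inline comment. Whole-line comments are
// handled separately so a note such as "# tls: terminate removed" passes.
const DEPRECATED_TLS_RE = /^\s*tls\s*:\s*["']?terminate["']?\s*(?:#.*)?$/;

function findDeprecatedTlsTerminate(file: string, content: string): Finding[] {
  const findings: Finding[] = [];
  const lines = content.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const trimmed = lines[i].trim();
    if (trimmed.charAt(0) === "#") continue;  // commented out, not a live setting
    if (DEPRECATED_TLS_RE.test(lines[i])) {
      findings.push({ file: file, line: i + 1, text: trimmed });
    }
  }
  return findings;
}

// Scan a map of file name -> file contents (what a test would build by
// reading every *.yaml under the policies directory).
function scanPolicies(files: { [name: string]: string }): Finding[] {
  const all: Finding[] = [];
  const names = Object.keys(files);
  for (let i = 0; i < names.length; i++) {
    const hits = findDeprecatedTlsTerminate(names[i], files[names[i]]);
    for (let j = 0; j < hits.length; j++) all.push(hits[j]);
  }
  return all;
}

function policiesAreClean(files: { [name: string]: string }): boolean {
  return scanPolicies(files).length === 0;
}

// Constructed samples: one endpoint before the cleanup, the same endpoint after.
const SAMPLE_POLICIES: { [name: string]: string } = {
  "presets/example-before.yaml": `
network:
  endpoints:
    - host: api.example.invalid
      port: 443
      protocol: rest
      enforcement: enforce
      tls: terminate
      rules:
        - allow: { method: POST, path: "/v1/messages" }
`,
  "presets/example-after.yaml": `
network:
  endpoints:
    - host: api.example.invalid
      port: 443
      protocol: rest
      enforcement: enforce
      # tls: terminate dropped (deprecated since OpenShell 0.0.24)
      rules:
        - allow: { method: POST, path: "/v1/messages" }
`,
};

// Stand-alone run: list each finding, then the verdict a test would assert on.
const found = scanPolicies(SAMPLE_POLICIES);
for (let k = 0; k < found.length; k++) {
  console.log(found[k].file + ":" + found[k].line + ": " + found[k].text);
}
console.log(policiesAreClean(SAMPLE_POLICIES) ? "clean" : found.length + " deprecated entries found");
```

In a real test the map would be filled by reading the policy directories the PR touched (the blueprint policy, the presets, and the agent policy additions), so a file outside the preset folder cannot slip past the check the way the Hermes additions did here.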

@wscurran wscurran added security Something isn't secure priority: high Important issue that should be resolved in the next release fix labels Apr 15, 2026
@BenediktSchackenberg
Contributor Author

Makes sense — #1821 has the test coverage too, so closing this in favor of that. Thanks for the heads up @cjagwani!


Development

Successfully merging this pull request may close these issues.

Please remove all the "tls: terminate" from the blueprints
