feat(policy): add provider profile backed presets #3745

Open
cheese-head wants to merge 2 commits into NVIDIA:main from cheese-head:policy-access/provider-profiles

@cheese-head (Contributor) commented May 18, 2026

Summary

Adds NemoClaw provider profile manifests and teaches policy preset discovery to synthesize agent-visible presets from OpenShell provider profiles. Onboarding imports the NemoClaw profiles into OpenShell when supported, while retaining fallback built-in presets for older OpenShell versions.

Changes

  • Add provider profiles under nemoclaw-blueprint/provider-profiles/ for Brave, brew, Discord, Hugging Face, Jira, local inference, npm, PyPI, Slack, and Telegram.
  • Add src/lib/onboard/provider-profiles.ts and import profiles during onboarding without overwriting existing OpenShell profiles.
  • Update policy preset discovery in src/lib/policy/index.ts to merge provider-backed presets with existing built-ins.
  • Add provider-profile onboarding and policy tests.
  • Add reference documentation for the NemoClaw/OpenShell provider profile flow.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • make docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Patrick Riel <priel@nvidia.com>

Summary by CodeRabbit

Release Notes

  • New Features

    • Added support for 10 new provider integrations: Brave Search, Homebrew, Discord, HuggingFace, Jira, Local Inference, NPM, PyPI, Slack, and Telegram
    • Provider profiles are now available as policy presets
    • Enhanced onboarding process with automatic provider profile management
  • Documentation

    • Added comprehensive guide documenting the NemoClaw OpenShell Integration workflow and access flow

@copy-pr-bot (Bot) commented May 18, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai (Bot, Contributor) commented May 18, 2026

Walkthrough

This PR introduces OpenShell provider profile support to NemoClaw by shipping ten pre-configured provider profiles (Brave, Brew, Discord, Hugging Face, Jira, local-inference, npm, PyPI, Slack, Telegram), implementing an onboarding module to import them into OpenShell installations, and extending the policy system to treat imported profiles as dynamically available presets.

Changes

Provider Profile Onboarding & Preset Integration

| Layer / File(s) | Summary |
|---|---|
| Provider profile definitions and integration documentation: nemoclaw-blueprint/provider-profiles/*, docs/reference/nemoclaw-openshell-integration.md | Ten provider profile YAML files (brave, brew, discord, huggingface, jira, local-inference, npm, pypi, slack, telegram) define network endpoints, access rules, and required binaries for each provider. Documentation describes the end-to-end integration architecture, three agent tools, adapter contract, and provider-profile onboarding behavior with fallback support. |
| Provider profile onboarding import module: src/lib/onboard/provider-profiles.ts, test/provider-profile-onboard.test.ts | ensureNemoClawProviderProfiles() scans shipped YAML profiles, queries OpenShell for existing profiles, determines missing profiles, copies them to a temporary directory, runs provider profile lint and provider profile import, handles unsupported-gateway errors with graceful fallback, and cleans up temporary files. Exports ProviderProfileImportResult union type and NEMOCLAW_PROVIDER_PROFILES_DIR constant. Comprehensive test coverage validates profile discovery, partial import with skip detection, all-present fast path, and unsupported-command handling. |
| Policy preset integration for provider profiles: src/lib/policy/index.ts, test/policies.test.ts | listPresets() and loadPreset() now merge built-in YAML presets with provider-profile-derived presets by retrieving profiles from environment variable or OpenShell CLI, parsing and caching results, filtering to profiles with policy-relevant endpoints, and synthesizing preset YAML. PresetInfo gains optional provider_profile field. Exports helpers for listing, loading, converting, parsing, and cache-clearing provider profiles. Tests validate preset merging, filtering, and YAML synthesis. |
| Onboarding wizard integration: src/lib/onboard.ts | Imports the provider-profiles module and adds ensureProviderProfilesAvailable() which calls the import function with logging, then clears the provider-profile cache. Wires the function into the wizard immediately after the gateway step completes, ensuring profiles are registered before provider selection. |

Sequence Diagram(s)

sequenceDiagram
  participant Wizard as Onboarding Wizard
  participant Onboard as ensureNemoClawProviderProfiles
  participant CLI as OpenShell CLI
  participant FS as Filesystem
  Wizard->>Onboard: import missing profiles
  Onboard->>FS: scan NEMOCLAW_PROVIDER_PROFILES_DIR for .yaml files
  Onboard->>CLI: provider list-profiles -o json
  CLI-->>Onboard: existing profile IDs
  Onboard->>FS: identify missing profiles
  Onboard->>FS: copy missing YAMLs to temp directory
  Onboard->>CLI: provider profile lint
  Onboard->>CLI: provider profile import --from tempDir
  CLI-->>Onboard: import result or error
  Onboard->>FS: remove temp directory
  Onboard-->>Wizard: ProviderProfileImportResult (imported/skipped/unsupported)
sequenceDiagram
  participant Client as Preset Loader
  participant Policy as src/lib/policy/index.ts
  participant Cache as Provider Profile Cache
  participant CLI as OpenShell CLI
  Client->>Policy: listPresets() or loadPreset(name)
  Policy->>Cache: check cache
  alt Cache Hit
    Cache-->>Policy: cached profiles
  else Cache Miss
    Policy->>Policy: check NEMOCLAW_OPENSHELL_PROVIDER_PROFILES_JSON env
    alt Env Var Present
      Policy->>Policy: parse JSON profiles
    else Env Var Absent
      Policy->>CLI: provider list-profiles -o json
      CLI-->>Policy: profiles JSON
      Policy->>Policy: parse JSON profiles
    end
    Policy->>Cache: store profiles
  end
  Policy->>Policy: filter profiles with policy endpoints
  Policy->>Policy: convert profiles to preset YAML
  Policy-->>Client: merged builtin + provider presets

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • ericksoa

Poem

🐰 Ten profiles shipped in YAML dress,
OpenShell knows each provider's finesse,
From npm to Slack, the paths are clear,
Onboarding guides them without a fear,
Presets bloom where profiles appear! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 12.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat(policy): add provider profile backed presets' accurately and concisely describes the main change—adding provider profile-backed presets to the policy system. It directly reflects the primary objective of merging provider profiles into policy preset discovery. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.



@wscurran added labels on May 18, 2026: enhancement: integration (PRs or issues proposing integration of a third-party product or service into NemoClaw.); enhancement: policy; OpenShell (Support for OpenShell, a safe, private runtime for autonomous AI agents)

@wscurran (Contributor) commented

✨ Thanks for submitting this detailed PR to add provider profile backed presets and improve policy preset discovery. This change aims to enhance the integration of NemoClaw with OpenShell and other providers by adding reusable presets and improving the onboarding process.

@cheese-head cheese-head marked this pull request as ready for review May 21, 2026 19:20

@coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 3

🧹 Nitpick comments (2)
docs/reference/nemoclaw-openshell-integration.md (2)

70-73: ⚡ Quick win

Add a Next Steps section at the bottom.

This new page currently ends without the required related-links section.

As per coding guidelines, new docs pages should include “A ‘Next Steps’ section at the bottom links to related pages.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/nemoclaw-openshell-integration.md` around lines 70 - 73, Add a
final "## Next Steps" section to this page (located near the existing "##
Provider Profiles" heading) that lists related links for readers to continue
(e.g., onboarding guide, policy presets reference, OpenShell gateway docs, and
provider profile management), using the same heading style and relative-link
format as other docs pages so the new section appears at the bottom and follows
project doc conventions.

68-72: ⚡ Quick win

Use one sentence per line in prose.

Lines 68 and 72 contain multiple sentences on a single source line; split them so each sentence is on its own line.

As per coding guidelines, “One sentence per line in source (makes diffs readable).”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/nemoclaw-openshell-integration.md` around lines 68 - 72, The
"Provider Profiles" paragraph contains multiple sentences on the same source
line; split that paragraph so each sentence is its own line (e.g., separate
"NemoClaw imports OpenShell provider profiles for its policy presets during
onboarding.", "Existing OpenShell profiles are left untouched, and
already-imported NemoClaw profiles are skipped so repeated onboarding remains
idempotent.", and "If the OpenShell gateway does not support provider-profile
import, NemoClaw continues with local fallback presets." into three separate
lines) to comply with the one-sentence-per-line guideline.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2897dc43-81cb-4314-978d-39c6df625cf2

📥 Commits

Reviewing files that changed from the base of the PR and between d7bae57 and e2f6ffc.

📒 Files selected for processing (16)
  • docs/reference/nemoclaw-openshell-integration.md
  • nemoclaw-blueprint/provider-profiles/brave.yaml
  • nemoclaw-blueprint/provider-profiles/brew.yaml
  • nemoclaw-blueprint/provider-profiles/discord.yaml
  • nemoclaw-blueprint/provider-profiles/huggingface.yaml
  • nemoclaw-blueprint/provider-profiles/jira.yaml
  • nemoclaw-blueprint/provider-profiles/local-inference.yaml
  • nemoclaw-blueprint/provider-profiles/npm.yaml
  • nemoclaw-blueprint/provider-profiles/pypi.yaml
  • nemoclaw-blueprint/provider-profiles/slack.yaml
  • nemoclaw-blueprint/provider-profiles/telegram.yaml
  • src/lib/onboard.ts
  • src/lib/onboard/provider-profiles.ts
  • src/lib/policy/index.ts
  • test/policies.test.ts
  • test/provider-profile-onboard.test.ts

Comment on lines +1 to +2
# NemoClaw OpenShell Integration


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add required docs frontmatter and SPDX header placement.

This new docs page is missing required frontmatter fields, and the SPDX markdown header is also missing.

Proposed structure
+---
+title:
+  page: NemoClaw OpenShell Integration
+description: <add description>
+keywords: [<add keywords>]
+topics: [<add topics>]
+tags: [<add tags>]
+content_type: reference
+difficulty: <add difficulty>
+audience: <add audience>
+status: <add status>
+---
+
+<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+
 # NemoClaw OpenShell Integration
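
Review bot: every field after `title` in this frontmatter block is a literal placeholder (`description: <add description>`, `keywords: [<add keywords>]`, and so on), so applying the suggestion unchanged would commit placeholder text as page metadata. Fill in real values for description, keywords, topics, tags, difficulty, audience and status before committing, and keep `page:` indented under `title:` as it is in this hunk so it stays a nested key.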

As per coding guidelines, “SPDX license header is present after frontmatter” and frontmatter must include “title, description, keywords, topics, tags, content type, difficulty, audience, and status fields.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# NemoClaw OpenShell Integration
---
title:
page: NemoClaw OpenShell Integration
description: <add description>
keywords: [<add keywords>]
topics: [<add topics>]
tags: [<add tags>]
content_type: reference
difficulty: <add difficulty>
audience: <add audience>
status: <add status>
---
<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
<!-- SPDX-License-Identifier: Apache-2.0 -->
# NemoClaw OpenShell Integration
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/nemoclaw-openshell-integration.md` around lines 1 - 2, The new
docs page "NemoClaw OpenShell Integration" is missing required frontmatter and
the SPDX header; add YAML frontmatter at the top containing title, description,
keywords, topics, tags, content type, difficulty, audience, and status fields,
then place the SPDX license header immediately after that frontmatter block (as
specified by the guidelines) so the file begins with a YAML frontmatter block
followed by the SPDX markdown header.

Comment thread src/lib/onboard.ts
Comment on lines +333 to +334
const providerProfileOnboard: typeof import("./onboard/provider-profiles") =
require("./onboard/provider-profiles");

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Onboard entrypoint budget is currently blocked by this wiring.

CI is failing because src/lib/onboard.ts grew by +16 lines. Please move this provider-profile orchestration/logging out of src/lib/onboard.ts (keep only a thin call site here), or remove equivalent lines in this file so the budget check passes.

Also applies to: 1795-1805, 9751-9751

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/onboard.ts` around lines 333 - 334, The onboarding entrypoint has
grown heavyweight due to the provider-profile orchestration wired via the
providerProfileOnboard require; extract the orchestration and logging logic out
of src/lib/onboard.ts into a new module (e.g.,
./onboard/provider-profiles-orchestration) and keep src/lib/onboard.ts as a thin
call site that only imports/awaits a single function (leave the
providerProfileOnboard require or switch to an import of the new module), or
alternatively remove the additional orchestration/logging lines from onboard.ts
so it only delegates to providerProfileOnboard; update references to
providerProfileOnboard to call the single exported orchestration function and
ensure logging lives in the new module.

Comment on lines +116 to +123
if (list.status !== 0) {
return {
status: "unsupported",
imported: [],
skipped: [],
message: "OpenShell provider profiles are not available; using local preset fallbacks.",
};
}

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not classify every list-profiles failure as unsupported.

On Line 116, any non-zero exit is treated as "unsupported". This can silently suppress transient/runtime failures (timeout, execution failure, malformed runtime output) and skip profile import when OpenShell is actually supported.

Suggested fix
   const list = runOpenshell(["provider", "list-profiles", "-o", "json"], {
     ignoreError: true,
     stdio: ["ignore", "pipe", "pipe"],
     suppressOutput: true,
     timeout: 10_000,
   });
   if (list.status !== 0) {
-    return {
-      status: "unsupported",
-      imported: [],
-      skipped: [],
-      message: "OpenShell provider profiles are not available; using local preset fallbacks.",
-    };
+    if (isUnsupportedProviderProfileCommand(list)) {
+      return {
+        status: "unsupported",
+        imported: [],
+        skipped: [],
+        message: "OpenShell provider profiles are not available; using local preset fallbacks.",
+      };
+    }
+    const details = outputText(list.stderr) || outputText(list.stdout) || "provider list-profiles failed";
+    throw new Error(`NemoClaw provider profile discovery failed: ${details.trim()}`);
   }
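
Review bot: the added `throw new Error(...)` on the non-unsupported branch changes how failures leave this function: the call runs with `timeout: 10_000` and `ignoreError: true`, so a slow or killed `list-profiles` now surfaces as an exception instead of a returned result. Confirm the caller catches and reports it, or return a distinct failure status alongside `"unsupported"`. The helpers `isUnsupportedProviderProfileCommand` and `outputText` are not defined in these lines, so the fix also depends on how narrowly the first one matches, and since `details` carries raw stderr or stdout into the error message, consider truncating it before it reaches logs.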

Based on learnings: handle failures at external/system boundaries where they can realistically occur, rather than masking them with generic fallbacks.
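
The distinction this review comment draws, combined with the walkthrough's "determines missing profiles" step, as an added TypeScript example that is not code from this PR or from NemoClaw. The `CliResult` shape, the JSON layout of `provider list-profiles -o json` (an array of objects with a string `id`), the stderr wording treated as "unsupported", and the rule that a profile ID equals its file name stem are all assumptions.

```typescript
// Added illustration, not NemoClaw source. Assumed: the CliResult shape, the
// list-profiles JSON layout ([{ "id": "..." }]), the stderr wording of an
// older CLI, and profile ID == file name without ".yaml".
interface CliResult {
  status: number | null; // null: timed out or killed
  stdout: string;
  stderr: string;
}

type ImportPlan =
  | { status: "ok"; toImport: string[]; skipped: string[] }
  | { status: "unsupported" }
  | { status: "failed"; reason: string };

// Hypothetical heuristic: only a rejected subcommand means "fall back".
function looksUnsupported(r: CliResult): boolean {
  return r.status !== null && r.status !== 0 &&
    /unrecognized subcommand|unknown command/i.test(r.stderr);
}

// Returns null on any unexpected shape so a garbled reply is never read as
// "no profiles exist".
function parseProfileIds(stdout: string): string[] | null {
  let parsed: unknown;
  try {
    parsed = JSON.parse(stdout);
  } catch (e) {
    return null;
  }
  if (!Array.isArray(parsed)) return null;
  const ids: string[] = [];
  for (const entry of parsed) {
    if (typeof entry !== "object" || entry === null) return null;
    const id = (entry as { id?: unknown }).id;
    if (typeof id !== "string" || id.length === 0) return null;
    ids.push(id);
  }
  return ids;
}

function planProfileImport(shippedFiles: string[], list: CliResult): ImportPlan {
  if (list.status !== 0) {
    if (looksUnsupported(list)) return { status: "unsupported" };
    const reason = list.status === null
      ? "list-profiles timed out or was killed"
      : list.stderr.trim() || "exit " + list.status;
    return { status: "failed", reason: reason.slice(0, 200) }; // bounded for logs
  }
  const existing = parseProfileIds(list.stdout);
  if (existing === null) {
    return { status: "failed", reason: "malformed list-profiles output" };
  }
  const toImport: string[] = [];
  const skipped: string[] = [];
  for (const file of shippedFiles) {
    if (!/^[a-z0-9-]+\.yaml$/.test(file)) continue; // plain <id>.yaml only
    const id = file.slice(0, -".yaml".length);
    // Existing profiles are never overwritten: they are skipped.
    (existing.indexOf(id) >= 0 ? skipped : toImport).push(id);
  }
  return { status: "ok", toImport, skipped };
}

// Constructed sample input.
const sampleFiles = ["brew.yaml", "npm.yaml", "slack.yaml", "README.md"];
const samplePlan = planProfileImport(sampleFiles,
  { status: 0, stdout: '[{"id":"brew"}]', stderr: "" });
console.log(JSON.stringify(samplePlan));
```

Only the "unsupported" outcome justifies falling back to built-in presets; "failed" should be surfaced to the operator so a transient error does not silently change which presets are in effect.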
