fix(policy): preserve Homebrew in permissive OpenClaw policies

[ericksoa]

Summary

• Preserve /home/linuxbrew in the global OpenClaw permissive policy used directly by network-policy-e2e TC-NET-06.
• Preserve /home/linuxbrew in the agent-specific OpenClaw permissive policy used by nemoclaw <sandbox> shields down.
• Add regression coverage that both OpenClaw permissive policy files retain every baseline filesystem_policy.read_write path.

Failure

Pinned nightly: https://github.com/NVIDIA/NemoClaw/actions/runs/26197248467 at 413503870a01f0e2ed27c8d9e067a7003af66cb2 after PR #3916.

• shields-config-e2e: https://github.com/NVIDIA/NemoClaw/actions/runs/26197248467/job/77079286013
• network-policy-e2e: https://github.com/NVIDIA/NemoClaw/actions/runs/26197248467/job/77079286006

Both failed while applying a permissive policy because OpenShell rejected the live removal of the PR #3916 Homebrew writable path: filesystem read_write path '/home/linuxbrew' cannot be removed on a live sandbox.

Verification

• git diff --check
• npm test -- test/policies.test.ts
• npm run validate:configs
• npm run typecheck

No focused E2E was dispatched from this branch; the change is a static policy alignment plus targeted regression coverage.

Summary by CodeRabbit

• New Features

  • Enabled write access to the Homebrew installation directory within sandbox environments, improving compatibility with package management operations.

• Tests

  • Added validation tests to ensure baseline filesystem access policies are preserved across permissive sandbox configurations.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 881c9b4c-4ad1-45e5-8785-4158911b6af9

📥 Commits

Reviewing files that changed from the base of the PR and between f19061e and b2e0659.

📒 Files selected for processing (3)

• agents/openclaw/policy-permissive.yaml
• nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml
• test/policies.test.ts

---

📝 Walkthrough

Walkthrough

This PR updates permissive OpenClaw sandbox policies to grant write access to the /home/linuxbrew directory, enabling Homebrew operations in the sandbox. Two policy files are modified to add this path to their read_write allowlists, documentation is clarified, and a test validates that all permissive variants preserve baseline policy paths.

Changes

Homebrew Path Write Access in Permissive Policies

Layer / File(s)	Summary
Permissive policy updates for Homebrew write access agents/openclaw/policy-permissive.yaml, nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml	Added /home/linuxbrew to the read_write allowlist in both permissive sandbox policy variants. Updated the documentation comment in the nemoclaw-blueprint policy to use accurate terminology for filesystem path handling.
Permissive policy baseline consistency test test/policies.test.ts	New test asserts that OpenClaw permissive policy files preserve the baseline filesystem_policy.read_write paths by parsing each permissive policy YAML and verifying its read_write array includes all baseline entries via array matching.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3169: Updates how shieldsDown selects the agent-aware permissive policy path, which complements the permissive policy modifications in this PR.
• NVIDIA/NemoClaw#3916: Adds /home/linuxbrew to sandbox filesystem_policy.read_write and corresponding policy tests, directly aligned with the permissive-policy Homebrew write-access work here.

Suggested labels

fix, Integration: OpenClaw, Sandbox

Suggested reviewers

• cv

Poem

A rabbit hops through brewed affairs,
Where Homebrew paths now have fares,
To /home/linuxbrew we grant the key,
With tests that guard what all should be,
The sandbox opens—permits flow free! 🐰🔑

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: preserving Homebrew paths in permissive OpenClaw policies, which is the core intent of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/shields-homebrew-live-policy

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: network-policy-e2e, shields-config-e2e
Optional E2E: None

Dispatch hint: network-policy-e2e,shields-config-e2e

Auto-dispatched E2E: network-policy-e2e, shields-config-e2e via nightly-e2e.yaml at b2e0659e34c2beca7790f1738e2eb3adbead47a2 — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• network-policy-e2e (~45 min): Required because test/e2e/test-network-policy.sh applies nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml in TC-NET-06 and validates that permissive policy can be hot-applied to a live sandbox without breaking policy behavior.
• shields-config-e2e (~30 min): Required because the changed permissive policies are documented as applied by shields down. This job exercises the live shields up/down lifecycle, config mutability restoration, audit trail, and auto-restore behavior against a real sandbox.

Optional E2E

• None.

New E2E recommendations

• permissive filesystem write coverage (medium): Existing E2E applies permissive policy and exercises shields-down mutability, but does not appear to explicitly verify that /home/linuxbrew is writable after applying permissive policy or after shields down. The new unit test covers YAML structure only; a live regression could still occur if OpenShell rejects or mishandles this read_write addition.
  • Suggested test: Add a live E2E assertion to network-policy-e2e or shields-config-e2e that applies the permissive policy/shields down and runs a sandbox write probe such as touch under /home/linuxbrew, ideally followed by a minimal brew write/install smoke if stable.

Dispatch hint

• Workflow: nightly-e2e.yaml
• jobs input: network-policy-e2e,shields-config-e2e

[github-actions]

PR Review Advisor

Recommendation: blocked
Confidence: medium
Analyzed HEAD: b2e0659e34c2beca7790f1738e2eb3adbead47a2
Findings: 2 blocker(s), 2 warning(s), 2 suggestion(s)

This is an automated advisory review. A human maintainer must make the final merge decision.

Limitations: This review used provided trusted PR metadata, diff, and read-only file inspection only; it did not execute tests, package-manager commands, or E2E jobs.; CI and E2E status were still in progress/queued at the time of review, so final pass/fail status for head SHA b2e0659 is unknown.; No linked issues were present in the trusted metadata; acceptance coverage maps PR body clauses and referenced failure/verification bullets instead.; CodeRabbit final review state was unavailable because its comment/status indicated review was still pending.; E2E Advisor produced an in-progress check but no final recommendation/comment was available in the provided context.

Workflow run

Full advisor summary

PR Review Advisor

Base: origin/main
Head: HEAD
Analyzed SHA: b2e0659e34c2beca7790f1738e2eb3adbead47a2
Recommendation: blocked
Confidence: medium

The policy alignment looks narrowly scoped and has a useful regression test, but the PR is not merge-ready because CI/E2E recommendation are still pending and mergeStateStatus is BLOCKED.

Gate status

• CI: pending — Latest head SHA b2e0659 has pending/queued contexts including E2E recommendation, wsl-e2e, macos-e2e, PR review advisor, CodeQL, unit-vitest-linux, checks, ShellCheck SARIF, build-sandbox-images, build-sandbox-images-arm64, and CodeRabbit.
• Mergeability: fail — GraphQL mergeStateStatus=BLOCKED for PR fix(policy): preserve Homebrew in permissive OpenClaw policies #3943 at head b2e0659.
• Review threads: unknown — GraphQL reviewThreads.nodes is empty, but CodeRabbit posted a review-in-progress comment and its status context remains PENDING; no final CodeRabbit review state was available.
• Risky code tested: warning — Risky sandbox/policy area changed and a static policy regression test was added, but runtime/live sandbox behavior still needs E2E confirmation for this head SHA.

🔴 Blockers

• Required checks are still pending for the latest head SHA: The PR cannot be treated as ready while multiple checks for b2e0659 are pending or queued, including E2E recommendation and sandbox-relevant E2E/build jobs.
  • Recommendation: Wait for all required CI, CodeQL, E2E recommendation, and sandbox image/build jobs to complete successfully for the exact head SHA before considering merge.
  • Evidence: Status rollup shows E2E recommendation IN_PROGRESS, wsl-e2e IN_PROGRESS, macos-e2e IN_PROGRESS, CodeQL IN_PROGRESS, unit-vitest-linux QUEUED, build-sandbox-images QUEUED, build-sandbox-images-arm64 QUEUED, and CodeRabbit PENDING.
• GitHub reports the PR merge state as blocked: The PR is currently blocked by GitHub mergeability gates.
  • Recommendation: Resolve the blocking branch protection/check/review conditions and re-check mergeStateStatus at the latest head SHA.
  • Evidence: GraphQL mergeStateStatus=BLOCKED; deterministic context also reports mergeability.status=fail.

🟡 Warnings

• Sandbox policy change needs runtime E2E confirmation (nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml:31): This PR changes permissive sandbox filesystem policy semantics by preserving /home/linuxbrew as read_write. Static YAML tests prove the path is present, but they do not prove that OpenShell accepts the live policy transition or that the previously failing network/shields scenarios now pass.
  • Recommendation: Confirm E2E Advisor completes and that the required runtime jobs pass for b2e0659; given the PR body, network-policy-e2e/TC-NET-06 and shields-config-e2e coverage are especially relevant if not included in required jobs.
  • Evidence: PR body cites failures from network-policy-e2e and shields-config-e2e due to live removal of /home/linuxbrew; current E2E recommendation, wsl-e2e, and macos-e2e are still IN_PROGRESS.
• Permissive policy widens writable filesystem surface to Homebrew prefix (agents/openclaw/policy-permissive.yaml:26): Adding /home/linuxbrew to read_write is likely needed to avoid live-policy removal failures and preserve Homebrew functionality, but it also keeps a package-manager prefix writable in a policy that already disables most sandbox restrictions. Writable package-manager paths can affect executable/tool integrity inside permissive sandboxes.
  • Recommendation: Keep this limited to documented permissive/non-production policy paths, ensure stricter/default policies are not unintentionally widened, and rely on E2E plus regression tests to catch future drift from the baseline filesystem policy.
  • Evidence: Both permissive policy files warn not to use in production and now include /home/linuxbrew under filesystem_policy.read_write.

🔵 Suggestions

• Regression test could guard against vacuous baseline matches (test/policies.test.ts:1267): The new test compares permissive read_write paths against baselineReadWrite, but baselineReadWrite defaults to [] if the baseline field is missing, which would make arrayContaining([]) pass vacuously.
  • Recommendation: Assert that baseline.filesystem_policy.read_write is a non-empty array before comparing, or reuse an existing policy schema helper if available.
  • Evidence: The test uses const baselineReadWrite = baseline.filesystem_policy?.read_write ?? []; followed by expect.arrayContaining(baselineReadWrite).
• Active PRs overlap the policy test file (test/policies.test.ts:1267): No codebase drift was found for the policy files themselves, but two open PRs also touch test/policies.test.ts, which can cause merge or assertion-order drift.
  • Recommendation: Before merge, rebase or re-run the policy test after any overlapping PR lands, especially PR fix(sandbox): replace brew policy preset with first-class brew subcommand #3878 and PR chore: upgrade agent runtime dependencies #3925.
  • Evidence: Trusted overlap data lists open PR fix(sandbox): replace brew policy preset with first-class brew subcommand #3878 and PR chore: upgrade agent runtime dependencies #3925 with sameFiles containing test/policies.test.ts.

Acceptance coverage

• met — Preserve /home/linuxbrew in the global OpenClaw permissive policy used directly by network-policy-e2e TC-NET-06.: The diff adds - /home/linuxbrew under filesystem_policy.read_write in agents/openclaw/policy-permissive.yaml.
• met — Preserve /home/linuxbrew in the agent-specific OpenClaw permissive policy used by nemoclaw <sandbox> shields down.: The diff adds - /home/linuxbrew under filesystem_policy.read_write in nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml.
• met — Add regression coverage that both OpenClaw permissive policy files retain every baseline filesystem_policy.read_write path.: test/policies.test.ts adds OpenClaw permissive policies preserve baseline read_write paths (#3916), loading the baseline policy and checking both permissive files with expect.arrayContaining(baselineReadWrite).
• unknown — shields-config-e2e: https://github.com/NVIDIA/NemoClaw/actions/runs/26197248467/job/77079286013: The PR body identifies this historical failing job, but no current shields-config-e2e pass for head SHA b2e0659 was present in the provided status rollup.
• unknown — network-policy-e2e: https://github.com/NVIDIA/NemoClaw/actions/runs/26197248467/job/77079286006: The PR body identifies this historical failing job, but no current network-policy-e2e pass for head SHA b2e0659 was present in the provided status rollup.
• partial — Both failed while applying a permissive policy because OpenShell rejected the live removal of the PR feat(sandbox): bake Homebrew core into the sandbox base image (#3913) #3916 Homebrew writable path: filesystem read_write path '/home/linuxbrew' cannot be removed on a live sandbox.: The diff preserves /home/linuxbrew in both permissive policy files, addressing the static cause, but live OpenShell application behavior has not yet passed E2E for the current head SHA.
• unknown — git diff --check: Listed in PR verification, but this advisor did not execute commands and CI is still pending.
• unknown — npm test -- test/policies.test.ts: Listed in PR verification; the relevant test was added, but unit-vitest-linux is still QUEUED in the provided status rollup.
• unknown — npm run validate:configs: Listed in PR verification, but no completed validate:configs result for this head SHA was provided.
• unknown — npm run typecheck: Listed in PR verification, but no completed typecheck result for this head SHA was provided.
• partial — No focused E2E was dispatched from this branch; the change is a static policy alignment plus targeted regression coverage.: The status rollup now shows E2E recommendation, wsl-e2e, and macos-e2e in progress, but no focused network-policy/shields-config E2E pass was available for the current head SHA.

Security review

• pass — 1. Secrets and Credentials: No hardcoded credentials, tokens, PEM files, .env files, or secret-bearing strings were added. The changed YAML entries only add a filesystem path, and the test reads repository policy fixtures.
• pass — 2. Input Validation and Data Sanitization: No new user-controlled input parsing, URL handling, command construction, deserialization of untrusted data, or SSRF validation logic is introduced. YAML parsing in the test is limited to trusted repository files.
• pass — 3. Authentication and Authorization: No endpoints, authentication checks, authorization decisions, token validation, or privilege checks are added or modified.
• pass — 4. Dependencies and Third-Party Libraries: No package manifests, dependency versions, registries, or third-party library usage are changed.
• pass — 5. Error Handling and Logging: No runtime error responses, exception handling, logging, telemetry, or sensitive output behavior is changed.
• pass — 6. Cryptography and Data Protection: Not applicable — no cryptographic operations, key management, hashing, encryption, or transport security code is changed.
• warning — 7. Configuration and Security Headers: The change is a sandbox configuration update that keeps /home/linuxbrew writable in permissive policies. This is plausibly correct for live-policy compatibility and Homebrew operation, but it widens/retains writable package-manager surface in a policy explicitly documented as disabling most sandbox restrictions.
• warning — 8. Security Testing: A targeted static regression test was added, but sandbox policy changes are security-sensitive and need live E2E confirmation. Current E2E recommendation and E2E jobs are not complete for the head SHA.
• warning — 9. Holistic Security Posture: The PR appears to align permissive policy with the baseline to prevent live sandbox policy removal failures, but permissive sandbox policies, writable installer prefixes, and network-policy/runtime behavior remain high-risk areas until current CI/E2E completes.

Test / E2E status

• Test depth: e2e_required — Runtime/sandbox/infrastructure paths need real execution coverage: nemoclaw-blueprint/policies/openclaw-sandbox-permissive.yaml and agents/openclaw/policy-permissive.yaml change live sandbox filesystem-policy behavior. The added unit/static test checks policy alignment but cannot prove OpenShell accepts the live policy update or that the prior E2E failures are fixed.
• E2E Advisor: ambiguous
• Missing for analyzed SHA: E2E recommendation

✅ What looks good

• The patch is small and narrowly scoped: two permissive policy files plus one targeted regression test.
• Both policy files still carry explicit warnings that permissive mode disables most sandbox restrictions and is not for production.
• The new regression test checks both the blueprint permissive policy and the agent OpenClaw permissive policy against the baseline read_write list, reducing future drift risk.
• No secrets, dependency changes, workflow trust-boundary changes, or new shell-string execution were introduced.
• Drift evidence indicates all changed files still exist on the active code path; recent history shows policy/test files are actively maintained.

Review completeness

• This review used provided trusted PR metadata, diff, and read-only file inspection only; it did not execute tests, package-manager commands, or E2E jobs.
• CI and E2E status were still in progress/queued at the time of review, so final pass/fail status for head SHA b2e0659 is unknown.
• No linked issues were present in the trusted metadata; acceptance coverage maps PR body clauses and referenced failure/verification bullets instead.
• CodeRabbit final review state was unavailable because its comment/status indicated review was still pending.
• E2E Advisor produced an in-progress check but no final recommendation/comment was available in the provided context.
• Human maintainer review required: yes

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26197888412
Target ref: b2e0659e34c2beca7790f1738e2eb3adbead47a2
Workflow ref: main
Requested jobs: network-policy-e2e,shields-config-e2e
Summary: 0 passed, 0 failed, 0 skipped

Job	Result
network-policy-e2e	⚠️ cancelled
shields-config-e2e	⚠️ cancelled

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26198021532
Target ref: b2e0659e34c2beca7790f1738e2eb3adbead47a2
Workflow ref: main
Requested jobs: shields-config-e2e,network-policy-e2e
Summary: 2 passed, 0 failed, 0 skipped

Job	Result
network-policy-e2e	✅ success
shields-config-e2e	✅ success