
fix(policy): add node binary to npm_registry network policy #669

Merged

cv merged 2 commits into NVIDIA:main from jnun:fix/npm-binary-policy
Mar 30, 2026

Conversation

@jnun
Contributor

@jnun jnun commented Mar 22, 2026

Summary

npm install inside the sandbox fails with 403 Forbidden because the npm_registry network policy does not include /usr/local/bin/node in its allowed binaries list.

The sandbox proxy checks which binary initiates each outbound HTTPS CONNECT request.
npm is a Node.js script (/usr/local/lib/node_modules/npm/bin/npm-cli.js), so the actual binary making the request is /usr/local/bin/node, not /usr/local/bin/npm.
The proxy sees node as the caller, finds no matching binary in the policy, and returns 403.

Reproduction

$ openshell sandbox create --name demo
$ npm install discord.js
npm error 403 403 Forbidden - GET https://registry.npmjs.org/discord.js

Fix

Add /usr/local/bin/node to the npm_registry binaries list in nemoclaw-blueprint/policies/openclaw-sandbox.yaml.
Update docs/reference/network-policies.md to reflect the corrected binaries and access level.

Test plan

  • npm install discord.js succeeds inside the sandbox after applying the updated policy
  • Verified the proxy logs show deny_reason="no matching network policy" for /usr/local/bin/node before the fix
  • openshell policy set with the corrected YAML resolves the 403
  • All existing tests pass (npm test, cd nemoclaw && npm test)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Updated npm registry network policy documentation.
  • Chores

    • Broadened npm registry network policy to allow the Node runtime alongside existing tools and expanded permissions for connecting to the npm registry.

npm is a Node.js script (/usr/local/lib/node_modules/npm/bin/npm-cli.js),
so the actual binary making HTTPS CONNECT requests to the sandbox proxy
is /usr/local/bin/node, not /usr/local/bin/npm. The proxy checks the
calling binary against the policy's binaries list and returns 403
Forbidden when node is not listed.

This causes every `npm install` inside the sandbox to fail with:

  npm error 403 403 Forbidden - GET https://registry.npmjs.org/<pkg>

Adding /usr/local/bin/node to the npm_registry binaries list fixes it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
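The mechanism the PR description relies on, as an added example (not code from this PR, OpenShell or NemoClaw): a proxy that attributes each CONNECT to the executable that opened the socket sees the interpreter, not the wrapper the user typed, because `/usr/local/bin/npm` is a symlink to a JavaScript file whose shebang runs `node`. The policy field names (`name`, `dst_host`, `dst_port`, `binaries`), the mock filesystem and the two deny-reason strings are assumptions modelled on the text of this thread, not the real `openclaw-sandbox.yaml` schema or proxy source.

```python
"""Toy model of a per-binary egress check (illustration only).

Not OpenShell or NemoClaw code. Policy fields, mock filesystem and deny
reason strings are assumed shapes built from the PR discussion.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    dst_host: str
    dst_port: int
    binaries: tuple  # absolute paths of executables allowed to CONNECT


@dataclass(frozen=True)
class ConnectRequest:
    binary: str  # executable of the process that opened the socket
    dst_host: str
    dst_port: int


# Constructed mock filesystem: path -> (kind, payload). "symlink" carries the
# link target, "script" its shebang line, "elf" is a native executable.
MOCK_FS = {
    "/usr/local/bin/npm": ("symlink", "../lib/node_modules/npm/bin/npm-cli.js"),
    "/usr/local/lib/node_modules/npm/bin/npm-cli.js": ("script", "#!/usr/bin/env node"),
    "/usr/local/bin/node": ("elf", None),
    "/usr/bin/curl": ("elf", None),
}
MOCK_PATH = ("/usr/local/bin", "/usr/bin")


def resolve_caller(cmd: str, fs=MOCK_FS, path_dirs=MOCK_PATH) -> str:
    """Return the executable the kernel actually runs for `cmd`: follow
    symlinks, and if the target is a script return its shebang interpreter
    (resolving `/usr/bin/env NAME` through PATH). A proxy attributing a
    socket to a process sees this path, not the wrapper that was typed."""
    cur = cmd
    for _ in range(16):  # guard against symlink/shebang loops
        kind, payload = fs[cur]
        if kind == "symlink":
            cur = os.path.normpath(os.path.join(os.path.dirname(cur), payload))
        elif kind == "script":
            parts = payload[2:].split()
            interp = parts[0]
            if os.path.basename(interp) == "env" and len(parts) > 1:
                for d in path_dirs:
                    cand = os.path.join(d, parts[1])
                    if cand in fs:
                        interp = cand
                        break
                else:
                    raise FileNotFoundError(parts[1])
            cur = interp
        else:
            return cur
    raise RuntimeError(f"too many indirections resolving {cmd}")


def evaluate(policies, req: ConnectRequest):
    """Destination-first match, then binary match. Two distinct deny reasons
    let a log reader tell 'no policy for this host' from 'wrong binary'."""
    for p in policies:
        if (p.dst_host, p.dst_port) != (req.dst_host, req.dst_port):
            continue
        if req.binary in p.binaries:
            return "allow", f"policy '{p.name}'"
        return "deny", f"binary '{req.binary}' not allowed in policy '{p.name}'"
    return "deny", "no matching network policy"


# The npm_registry policy as the PR describes it before and after the fix.
NPM_REGISTRY_BEFORE = NetworkPolicy("npm_registry", "registry.npmjs.org", 443,
                                    ("/usr/local/bin/npm",))
NPM_REGISTRY_AFTER = NetworkPolicy("npm_registry", "registry.npmjs.org", 443,
                                   ("/usr/local/bin/npm", "/usr/local/bin/node"))


def simulate(policy: NetworkPolicy, cmd: str, host="registry.npmjs.org", port=443):
    """Decision the proxy reaches when `cmd` is what the user ran."""
    return evaluate([policy], ConnectRequest(resolve_caller(cmd), host, port))


if __name__ == "__main__":
    print(resolve_caller("/usr/local/bin/npm"))
    print(simulate(NPM_REGISTRY_BEFORE, "/usr/local/bin/npm"))
    print(simulate(NPM_REGISTRY_AFTER, "/usr/local/bin/npm"))
    # The widening: any Node process, not only npm, now reaches the registry.
    print(simulate(NPM_REGISTRY_AFTER, "/usr/local/bin/node"))
```

The last call in the block is the caveat a reviewer should keep in mind: once `/usr/local/bin/node` is in the list, every Node process in the sandbox (an agent's own scripts included) can reach registry.npmjs.org:443, and the accompanying doc change widens the stated scope from GET-only to all methods and paths. That is the cost of keying policy on the interpreter rather than on the script it runs; it is the right fix here, but it is a broader grant than the policy name suggests.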
@coderabbitai
Contributor

coderabbitai Bot commented Mar 22, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 9d7b90d and dadfa36.

📒 Files selected for processing (1)
  • nemoclaw-blueprint/policies/openclaw-sandbox.yaml

Walkthrough

Expanded the npm registry network policy to include /usr/local/bin/node in allowed executables and updated docs to state that connections to registry.npmjs.org:443 from those binaries permit all methods and paths (previously GET-only).

Changes

  • NPM Registry Policy Update (nemoclaw-blueprint/policies/openclaw-sandbox.yaml): added /usr/local/bin/node to the npm_registry policy's allowed executables for connections to registry.npmjs.org:443.
  • Policy Documentation (docs/reference/network-policies.md): updated the npm_registry baseline endpoint group documentation to reflect broadened egress permissions, from GET-only to all methods/paths, for the listed binaries.


@wscurran wscurran added the bug Something isn't working label Mar 23, 2026
@wscurran
Contributor

Thanks for submitting this PR, adding the node binary to the npm_registry network policy should fix the issue with npm install failing with 403 Forbidden.

@wscurran wscurran added the priority: medium Issue that should be addressed in upcoming releases label Mar 23, 2026
Contributor

@senthilr-nv senthilr-nv left a comment

Reproduced on DGX Spark (ARM64) and Brev VM (x86_64) with fresh destroy + onboard on current main. The proxy logs confirm the deny:

CONNECT action=deny binary=/usr/local/bin/node dst_host=registry.npmjs.org dst_port=443
reason=binary '/usr/local/bin/node' not allowed in policy 'npm_registry'

Applied the fix via `openshell policy set`; `npm install lodash` succeeds immediately after.
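The deny line quoted above is the artefact a practitioner actually has to work from, so here is an added example (not part of this thread, and not OpenShell's own log tooling) that parses proxy lines of that `key=value` shape and summarises denied CONNECTs by binary and destination, flagging when the denied binary is a script interpreter, the situation this PR fixes. The sample log text is constructed for the example; it includes both the unquoted `reason=` form shown in the comment above and the quoted `deny_reason="..."` form shown in the PR description, since the thread shows both.

```python
"""Summarise proxy CONNECT denies from key=value log lines (illustration only).

Not OpenShell or NemoClaw code. SAMPLE_LOG is constructed to mirror the two
log spellings quoted in this PR thread; real output may differ.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
CONNECT action=allow binary=/usr/bin/curl dst_host=api.github.com dst_port=443
CONNECT action=deny binary=/usr/local/bin/node dst_host=registry.npmjs.org dst_port=443 reason=binary '/usr/local/bin/node' not allowed in policy 'npm_registry'
CONNECT action=deny binary=/usr/local/bin/node dst_host=registry.npmjs.org dst_port=443 reason=binary '/usr/local/bin/node' not allowed in policy 'npm_registry'
CONNECT action=deny binary=/usr/local/bin/node dst_host=example.invalid dst_port=443 deny_reason="no matching network policy"
"""

# Matches a field name followed by '='. Values are taken as everything up to
# the next such field, so an unquoted reason with spaces survives intact.
# (A value containing its own `word=` would be split; quote such values.)
_KV = re.compile(r"(\w+)=")

# Interpreters whose appearance as the denied binary usually means the real
# caller was a script they ran (npm -> node, pip -> python, ...).
INTERPRETERS = ("/node", "/python", "/python3", "/bash", "/sh", "/perl", "/ruby")


def parse_line(line: str) -> dict:
    """Split a `VERB k=v k=v ...` line into a dict; `_verb` holds the leading word.
    Surrounding single or double quotes on a value are removed."""
    matches = list(_KV.finditer(line))
    if not matches:
        return {"_verb": line.strip()}
    out = {"_verb": line[: matches[0].start()].strip()}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        val = line[m.end():end].strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[m.group(1)] = val
    return out


def summarize_denies(log_text: str) -> list:
    """Count deny events per (binary, dst_host, dst_port), most frequent first,
    keeping the last reason seen and marking interpreter binaries."""
    counts = Counter()
    reasons = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "deny":
            continue
        key = (ev["binary"], ev["dst_host"], int(ev["dst_port"]))
        counts[key] += 1
        reasons[key] = ev.get("reason") or ev.get("deny_reason", "")
    return [
        {
            "binary": binary,
            "dst_host": host,
            "dst_port": port,
            "count": n,
            "reason": reasons[(binary, host, port)],
            "interpreter": binary.endswith(INTERPRETERS),
        }
        for (binary, host, port), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize_denies(SAMPLE_LOG):
        hint = "  <- interpreter: check which script invoked it" if row["interpreter"] else ""
        print(f'{row["count"]}x {row["binary"]} -> {row["dst_host"]}:{row["dst_port"]} '
              f'({row["reason"]}){hint}')
```

The interpreter flag is the useful signal: a deny attributed to `node`, `python` or a shell is rarely about that binary itself, and the remedy (adding the interpreter to the policy) grants egress to everything that interpreter runs, so the row deserves a look at the process tree before the policy is widened.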

@kjw3 kjw3 self-assigned this Mar 29, 2026
@kjw3
Contributor

kjw3 commented Mar 29, 2026

@jnun you need to fix the commits so they have verified signatures. Until then, we cannot merge.

@cv cv merged commit 67debc3 into NVIDIA:main Mar 30, 2026
10 of 11 checks passed
quanticsoul4772 pushed a commit to quanticsoul4772/NemoClaw that referenced this pull request Mar 30, 2026
npm is a Node.js script (/usr/local/lib/node_modules/npm/bin/npm-cli.js),
so the actual binary making HTTPS CONNECT requests to the sandbox proxy
is /usr/local/bin/node, not /usr/local/bin/npm. The proxy checks the
calling binary against the policy's binaries list and returns 403
Forbidden when node is not listed.

This causes every `npm install` inside the sandbox to fail with:

  npm error 403 403 Forbidden - GET https://registry.npmjs.org/<pkg>

Adding /usr/local/bin/node to the npm_registry binaries list fixes it.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: KJ <kejones@nvidia.com>
laitingsheng pushed a commit that referenced this pull request Apr 2, 2026
lakamsani pushed a commit to lakamsani/NemoClaw that referenced this pull request Apr 4, 2026
gemini2026 pushed a commit to gemini2026/NemoClaw that referenced this pull request Apr 14, 2026
Labels

bug Something isn't working priority: medium Issue that should be addressed in upcoming releases
