feat(policy): support custom preset files via --from-file / --from-dir (closes #2039)

[KimYannn]

Summary

Lets users apply user-authored preset YAML to a running sandbox without editing the baseline or dropping to openshell policy set. Adds --from-file, --from-dir, --yes/-y, and NEMOCLAW_NON_INTERACTIVE=1 support to nemoclaw <name> policy-add.

Related Issue

Closes #2039

Changes

• src/nemoclaw.ts: extend sandboxPolicyAdd with --from-file <path>, --from-dir <path>, --yes/-y, and NEMOCLAW_NON_INTERACTIVE=1 handling; new applyExternalPreset helper; updated help text.
• src/lib/policies.ts: new loadPresetFromFile (validates path, YAML, preset.name as RFC 1123 label, presence of network_policies, rejects collisions with built-in preset names); refactor applyPreset to delegate to a new applyPresetContent that works on raw content so the external path can reuse the merge + policy-set logic.
• test/policies.test.ts: unit tests for loadPresetFromFile (valid/invalid/missing fields/name collision) and integration tests for the --from-file / --from-dir CLI paths (success, dry-run, non-interactive env, mutually exclusive flags, missing path, abort-on-first-failure).
• docs/network-policy/customize-network-policy.md: new Custom Preset Files section with YAML skeleton, --from-file / --from-dir usage, and a warning that external hosts bypass review.
• .agents/skills/nemoclaw-user-manage-policy/SKILL.md: regenerated from docs via scripts/docs-to-skills.py.

Design decisions

• Name collision: reject any custom preset whose preset.name matches a built-in preset — the user must rename it. Keeps the preset registry unambiguous.
• --from-dir failure mode: stop at the first failure and leave earlier, successfully-applied presets in place. Rollback would require deleting already-merged entries from the running sandbox policy, which is risky; let the user fix the failing file and re-run.
• Custom hosts: trust the user and print a warning rather than SSRF-gate. Documented in the new section of customize-network-policy.md.

Type of Change

• Code change with doc updates

Verification

• npx prek run --all-files passes
• npm test passes (policies project: 95/95; install-preflight project: 57/57)
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

AI Disclosure

• AI-assisted — tool: Claude Code

---

Signed-off-by: Kim Yang [email protected]

Summary by CodeRabbit

• New Features

  • Apply user-authored preset YAMLs via --from-file and bulk via --from-dir (files processed lexicographically; stops on first failure; no rollback). Non-interactive controls: --yes/-y or NEMOCLAW_NON_INTERACTIVE=1; preview with --dry-run; preview shows endpoints and a warning for unvetted targets.

• Documentation

  • Added guide for custom preset structure, name/validation rules, collision behavior, CLI usage, and egress/review warning.

• Tests

  • Added coverage for file/dir workflows, validations, dry-run, prompts, and abort semantics.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds CLI support to apply user-authored preset YAMLs via nemoclaw <sandbox> policy-add --from-file/--from-dir, implements loader/validator/apply helpers in src/lib/policies.ts, updates interactive/non-interactive flows and help text, and adds docs and tests covering these flows. (≤50 words)

Changes

Cohort / File(s)	Summary
Documentation .agents/skills/nemoclaw-user-manage-policy/SKILL.md, docs/network-policy/customize-network-policy.md	New "Custom Preset Files" sections describing required YAML shape (preset.name as a lowercase RFC 1123-like label), built-in-name collision rules, CLI workflows (--from-file, --from-dir), flags (--dry-run, --yes, NEMOCLAW_NON_INTERACTIVE=1), lexicographic dir processing, stop-on-first-failure semantics, and a warning that custom preset hosts bypass review.
Policy library src/lib/policies.ts	Refactored preset application: added exported applyPresetContent(sandboxName, presetName, presetContent, options) and loadPresetFromFile(filePath) (validates extension, YAML, preset.name, network_policies, and collisions with built-ins); applyPreset() now loads built-in YAML and delegates to applyPresetContent. Minor simplification in removePresetFromPolicy.
CLI src/nemoclaw.ts	sandboxPolicyAdd() extended for mutually-exclusive --from-file / --from-dir and non-interactive --yes / NEMOCLAW_NON_INTERACTIVE; added applyExternalPreset(...) helper that loads/validates, previews endpoints, warns about unvetted hosts, honors --dry-run, prompts unless bypassed, and sequentially applies directory entries (lexicographic, abort on first failure). Help text updated.
Tests test/policies.test.ts	Adjusted buildPolicySetCommand expectations; added unit tests for loadPresetFromFile() (success and multiple failure modes: missing file, bad ext, invalid YAML, missing/invalid preset.name, missing network_policies, collision with built-in); added integration-style tests for policy-add --from-file/--from-dir covering apply, dry-run, prompts, non-interactive mode, arg validation, sorted iteration, and abort-on-failure behavior.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant CLI as "nemoclaw CLI"
  participant FS as Filesystem
  participant Policies as policies.ts
  participant OpenShell as openshell

  User->>CLI: run "nemoclaw <sandbox> policy-add --from-file /path/preset.yaml [--dry-run] [--yes]"
  CLI->>FS: read /path/preset.yaml
  FS-->>CLI: file contents
  CLI->>Policies: loadPresetFromFile(filePath)
  Policies-->>CLI: { presetName, content } or error
  alt load success
    CLI->>CLI: show endpoint preview & warning
    alt dry-run
      CLI-->>User: preview only (no apply)
    else apply
      CLI->>Policies: applyPresetContent(sandbox, presetName, content, options)
      Policies->>OpenShell: "openshell policy set --wait" (merge network_policies)
      OpenShell-->>Policies: success / failure
      Policies-->>CLI: result
      CLI-->>User: success / error
    end
  else load failure
    CLI-->>User: error & exit non-zero
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 A preset hopped from file to shell,
No more manual merges in the dell,
Validate, preview, then apply—
--yes skips the questions sly,
Custom hosts warned, hop safe, farewell! 🎩

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the primary change: adding support for custom preset files via --from-file and --from-dir flags, matching the core functionality in the changeset.
Linked Issues check	✅ Passed	The PR implements all primary objectives from issue #2039: --from-file flag for custom preset YAML [2039], validation of preset format and name uniqueness [2039], --dry-run support [2039], non-interactive flags (--yes/-y, NEMOCLAW_NON_INTERACTIVE) [2039], and optional --from-dir for batch application [2039].
Out of Scope Changes check	✅ Passed	All changes directly support custom preset file support: refactored policies.ts to handle external content, extended nemoclaw.ts CLI with new flags, added comprehensive tests, and updated documentation. The single-line reformatting in policies.ts and test assertion adjustments are minor incidental refactoring consistent with the scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/policies.test.ts (1)

1120-1164: Make prompt response configurable to cover external decline paths.

runPolicyAddExternal hardcodes prompt return value to "y", so the interactive decline behavior for external presets is untestable. Consider parameterizing it and adding a "no" case to prevent regressions around confirmation safety.

Possible refactor

-    function runPolicyAddExternal(extraArgs = [], envOverrides = {}) {
+    function runPolicyAddExternal(extraArgs = [], envOverrides = {}, promptAnswer = "y") {
...
-credentials.prompt = async (message) => {
+credentials.prompt = async (message) => {
   calls.push({ type: "prompt", message });
-  return "y";
+  return ${JSON.stringify("PROMPT_SENTINEL")};
 };
...
-      fs.writeFileSync(scriptPath, script);
+      fs.writeFileSync(scriptPath, script.replace("PROMPT_SENTINEL", promptAnswer));

+    it("does not apply when external preset confirmation is declined with 'no'", () => {
+      const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-from-file-no-"));
+      const file = path.join(tmp, "custom-rule.yaml");
+      fs.writeFileSync(file, "preset:\n  name: custom-rule\nnetwork_policies: {}\n");
+      const result = runPolicyAddExternal(["--from-file", file], {}, "no");
+      expect(result.status).toBe(0);
+      const calls = JSON.parse(result.stdout.split("__CALLS__")[1].trim());
+      expect(calls.some((c) => c.type === "apply")).toBeFalsy();
+    });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/policies.test.ts` around lines 1120 - 1164, runPolicyAddExternal
currently hardcodes the interactive prompt response by setting policies.prompt =
async (...) => "y", which prevents testing the decline path; change
runPolicyAddExternal to accept a promptResponse parameter (default "y"), pass
that into the generated script and set policies.prompt = async (message) => {
calls.push({ type: "prompt", message }); return promptResponse; }, update any
callers in tests to invoke runPolicyAddExternal(..., ..., "no") to cover the
decline path and assert behavior based on the calls array and process output;
keep existing extraArgs and envOverrides parameters intact so other tests remain
unaffected.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/nemoclaw.ts`:
- Around line 1539-1542: The confirmation logic incorrectly treats only the
exact string "n" as a decline, so inputs like "no" are accepted; update both
confirmation branches (the block using askPrompt and the similar block around
the code handling the alternative at lines ~1572-1577) to normalize the response
with trim() and toLowerCase() and treat any response starting with "n" (e.g.,
response.toLowerCase().trim().startsWith("n")) as a decline; reference the
askPrompt call and the local yes variable to locate and replace the current
exact-equality checks.

---

Nitpick comments:
In `@test/policies.test.ts`:
- Around line 1120-1164: runPolicyAddExternal currently hardcodes the
interactive prompt response by setting policies.prompt = async (...) => "y",
which prevents testing the decline path; change runPolicyAddExternal to accept a
promptResponse parameter (default "y"), pass that into the generated script and
set policies.prompt = async (message) => { calls.push({ type: "prompt", message
}); return promptResponse; }, update any callers in tests to invoke
runPolicyAddExternal(..., ..., "no") to cover the decline path and assert
behavior based on the calls array and process output; keep existing extraArgs
and envOverrides parameters intact so other tests remain unaffected.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 4f840bb0-6819-4a75-892e-de82dbe3ff7e

📥 Commits

Reviewing files that changed from the base of the PR and between 9e08ba8 and 6ce9ecb.

📒 Files selected for processing (5)

• .agents/skills/nemoclaw-user-manage-policy/SKILL.md
• docs/network-policy/customize-network-policy.md
• src/lib/policies.ts
• src/nemoclaw.ts
• test/policies.test.ts

✅ Files skipped from review due to trivial changes (2)

• docs/network-policy/customize-network-policy.md
• .agents/skills/nemoclaw-user-manage-policy/SKILL.md

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/policies.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lib/policies.ts`:
- Around line 519-536: In loadPresetFromFile, fs.readFileSync is called outside
the try-catch which allows a TOCTOU read error to escape; fix by declaring let
content; (and keeping parsed declared) then move the call to
fs.readFileSync(abs, "utf-8") inside the try block before calling
YAML.parse(content), catch any error and call console.error with a descriptive
message (including err.message) and return null so all read/parse failures
follow the same graceful null-return pattern.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cc1781f7-bdb1-42ab-8f84-88dfa7b2d333

📥 Commits

Reviewing files that changed from the base of the PR and between 6ce9ecb and 14ca974.

📒 Files selected for processing (5)

• .agents/skills/nemoclaw-user-manage-policy/SKILL.md
• docs/network-policy/customize-network-policy.md
• src/lib/policies.ts
• src/nemoclaw.ts
• test/policies.test.ts

✅ Files skipped from review due to trivial changes (1)

• docs/network-policy/customize-network-policy.md

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/nemoclaw.ts (1)

1534-1536: ⚠️ Potential issue | 🟠 Major

--dry-run never reaches the diff/merge path.

Both dry-run branches return before policies.applyPreset(...) / policies.applyPresetContent(...) runs, so the command only prints endpoint summaries and never shows the merged policy diff promised by this feature. That leaves operators unable to validate the actual policy change before applying a custom preset.

Also applies to: 1567-1569

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/nemoclaw.ts` around lines 1534 - 1536, The dryRun branch returns early
and thus never invokes policies.applyPreset or policies.applyPresetContent, so
the tool only prints endpoint summaries and never computes/shows the merged
policy diff — remove the early return and instead call the same
applyPreset/applyPresetContent logic in dry-run mode but avoid persisting
changes; specifically, when dryRun is true, call policies.applyPreset(...) or
policies.applyPresetContent(...), capture the merged/updated policy result and
render the diff/merge output (same code used for the real path), but skip any
persistence/commit step; apply this change to both occurrences referencing
dryRun around policies.applyPreset and policies.applyPresetContent so dry-run
shows the merged diff without applying it.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/nemoclaw.ts`:
- Around line 2394-2396: The help text currently claims `--yes /
NEMOCLAW_NON_INTERACTIVE=1 skip prompts`, which is inaccurate; update the string
in the CLI help template that contains `${D}--yes / -y or
NEMOCLAW_NON_INTERACTIVE=1 skip prompts${R}` so it clarifies that `--yes` (or
the env var) only skips the final confirmation prompt and does not bypass the
preset-selection flow — note that preset selection remains interactive unless
`--from-file` or `--from-dir` is supplied; make the wording concise like “skip
confirmation prompt; preset selection remains interactive unless --from-file or
--from-dir is used.”

In `@test/policies.test.ts`:
- Around line 276-286: The tests calling policies.buildPolicySetCommand assume
NEMOCLAW_OPENSHELL_BIN is unset and delete it in finally, making them
non-hermetic; modify the test(s) to capture the current value of
process.env.NEMOCLAW_OPENSHELL_BIN at the start (e.g., const prior =
process.env.NEMOCLAW_OPENSHELL_BIN), then set or delete the env var for the test
case as needed, and in the finally block restore it
(process.env.NEMOCLAW_OPENSHELL_BIN = prior === undefined ? undefined : prior)
so the original environment is preserved; apply the same pattern to the other
argv test(s) that manipulate NEMOCLAW_OPENSHELL_BIN and reference
policies.buildPolicySetCommand to locate the affected tests.

---

Outside diff comments:
In `@src/nemoclaw.ts`:
- Around line 1534-1536: The dryRun branch returns early and thus never invokes
policies.applyPreset or policies.applyPresetContent, so the tool only prints
endpoint summaries and never computes/shows the merged policy diff — remove the
early return and instead call the same applyPreset/applyPresetContent logic in
dry-run mode but avoid persisting changes; specifically, when dryRun is true,
call policies.applyPreset(...) or policies.applyPresetContent(...), capture the
merged/updated policy result and render the diff/merge output (same code used
for the real path), but skip any persistence/commit step; apply this change to
both occurrences referencing dryRun around policies.applyPreset and
policies.applyPresetContent so dry-run shows the merged diff without applying
it.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: fa3bcdb8-b5ae-4425-89d6-31dc821775e3

📥 Commits

Reviewing files that changed from the base of the PR and between 14ca974 and 5ba18f5.

📒 Files selected for processing (5)

• .agents/skills/nemoclaw-user-manage-policy/SKILL.md
• docs/network-policy/customize-network-policy.md
• src/lib/policies.ts
• src/nemoclaw.ts
• test/policies.test.ts

✅ Files skipped from review due to trivial changes (2)

• docs/network-policy/customize-network-policy.md
• .agents/skills/nemoclaw-user-manage-policy/SKILL.md

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/policies.ts

[KimYannn]

Thanks for the review, @coderabbitai. Responses:

✅ Fixed: Help text wording for --yes — updated the policy-add help to clarify that --yes / NEMOCLAW_NON_INTERACTIVE=1 skips the confirmation prompt, and that preset selection remains interactive unless --from-file or --from-dir is supplied.

❌ Declining: --dry-run should show merged policy diff (outside-diff comment on src/nemoclaw.ts:1534-1536) — intentional. This PR keeps the existing --dry-run contract used by policy-remove ("preview endpoints that would be opened/removed; no changes applied"), so both commands behave consistently. Rendering a merged-policy diff would be a useful enhancement but changes the semantics of --dry-run across the policy commands and is better done as a dedicated follow-up that updates both policy-add and policy-remove together.

❌ Declining: test env-var hermeticity (test/policies.test.ts:276-286) — this test lives outside the scope of this PR. The NEMOCLAW_OPENSHELL_BIN set-then-delete pattern is pre-existing on main; I only touched the buildPolicySetCommand assertions' formatting in this area. Happy to open a separate PR if maintainers want that cleaned up.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@KimBioInfoStudio — thanks for the clear write-up!

1. ✅ Help text wording — noted and appreciated.

2. --dry-run contract — that's a solid rationale. Keeping --dry-run semantics uniform across policy-add and policy-remove ("show what would change, don't apply") is the right call here; a merged-policy diff can land in a dedicated follow-up that touches both commands at once. I'll record this intent so future reviews don't re-raise it.

3. Test env-var hermeticity — fair, the NEMOCLAW_OPENSHELL_BIN set-then-delete pattern predates this PR. Would you like me to open a GitHub issue to track the cleanup so it doesn't get lost?

---

✏️ Learnings added

Learnt from: KimBioInfoStudio
URL: https://github.com/NVIDIA/NemoClaw/pull/2077

Timestamp: 2026-04-21T04:56:00.062Z
Learning: In `src/nemoclaw.ts` and `src/lib/policies.ts` (NemoClaw, TypeScript), the `--dry-run` flag for policy commands intentionally previews only the endpoints that would be opened/removed without rendering a merged-policy diff. This contract is shared between `policy-add` and `policy-remove` for consistency. Any enhancement to show a merged-policy diff should be done in a dedicated follow-up that updates both commands together. Do not flag the absence of a merged-policy diff under `--dry-run` as an issue.

---

Learnt from: KimBioInfoStudio
URL: https://github.com/NVIDIA/NemoClaw/pull/2077

Timestamp: 2026-04-21T04:56:00.062Z
Learning: In `test/policies.test.ts` (NemoClaw, TypeScript), the `NEMOCLAW_OPENSHELL_BIN` environment variable set-then-`delete` pattern around `buildPolicySetCommand` tests is pre-existing on `main` and not introduced by any single PR. Do not flag missing test hermeticity (e.g., missing `afterEach`/`beforeEach` teardown) in that test block as a new issue in PRs that only reformat assertions in that area.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: laitingsheng
Repo: NVIDIA/NemoClaw PR: 2139
File: src/nemoclaw.ts:1669-1746
Timestamp: 2026-04-21T04:21:52.946Z
Learning: In `src/nemoclaw.ts` (NemoClaw, TypeScript), sandbox-scoped action handlers such as `sandboxChannelsAdd`, `sandboxChannelsRemove`, `sandboxPolicyAdd`, and `sandboxPolicyRemove` intentionally do not validate unknown flags or extra positional arguments. They follow a shared convention of using `args.find((arg) => !arg.startsWith("-"))` to extract the first positional arg, mirroring the `policy add`/`policy remove` pattern. Do not flag missing strict arg validation in these handlers as an issue.

---

Learnt from: CR
Repo: NVIDIA/NemoClaw PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-21T01:49:06.043Z
Learning: Applies to nemoclaw-blueprint/policies/presets/**/*.yaml : Network policy presets must be added as YAML files to `nemoclaw-blueprint/policies/presets/` following the existing preset structure (see `slack.yaml`, `discord.yaml`)

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/nemoclaw.ts`:
- Around line 1501-1505: The current files list creation accepts directory
entries by name ending with .yml/.yaml which lets directories like
"archived.yaml/" slip through and later cause applyExternalPreset() to fail
isFile(); change the filter to only include regular files: enumerate the
directory with fs.readdirSync(absDir, { withFileTypes: true }) (or stat each
entry) and keep entries where dirent.isFile() is true and
/\.ya?ml$/i.test(dirent.name), then map to path.join(absDir, name) and sort;
update the variable named files accordingly so applyExternalPreset() only
receives real files.
- Around line 1555-1580: applyExternalPreset can throw because
policies.loadPresetFromFile and policies.applyPresetContent may throw; wrap the
load and apply calls in a try/catch so any sync/async exceptions are caught, log
a concise error (including the thrown error message) and return false instead of
letting the CLI crash. Specifically, surround the call to
policies.loadPresetFromFile(filePath) and the call to
policies.applyPresetContent(sandboxName, loaded.presetName, loaded.content)
(awaiting it if it returns a promise) with a single try/catch that handles
errors, logs them, and returns false.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 3f4278bd-e469-49c5-b63b-ace810872981

📥 Commits

Reviewing files that changed from the base of the PR and between 5ba18f5 and 1d66a89.

📒 Files selected for processing (5)

• .agents/skills/nemoclaw-user-manage-policy/SKILL.md
• docs/network-policy/customize-network-policy.md
• src/lib/policies.ts
• src/nemoclaw.ts
• test/policies.test.ts

✅ Files skipped from review due to trivial changes (2)

• docs/network-policy/customize-network-policy.md
• .agents/skills/nemoclaw-user-manage-policy/SKILL.md

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/policies.ts

[wscurran]

Thanks for addressing the CodeRabbit feedback! Branch has conflicts with main — could you rebase and we'll get a review queued up.

[KimYannn]

Rebased onto main (resolves merge conflicts from #2081 / getGatewayPresets / --force flag addition).

Conflict resolutions:

• src/nemoclaw.ts — kept main's skipConfirm + --force, merged in --from-file/--from-dir logic, kept robust confirm.trim().toLowerCase().startsWith("n") parsing (addresses earlier feedback about "no" handling).
• src/lib/policies.ts — kept main's new getGatewayPresets alongside this branch's loadPresetFromFile / applyPresetContent.
• Docs + skill file — both additive sections retained.

Force-pushed. CLI tsc --noEmit passes.

[KimYannn]

Pushed 5f4ef0f addressing remaining CodeRabbit feedback:

• loadPresetFromFile — fs.readFileSync now inside the try block, TOCTOU read errors return null like other failures (distinguishes ENOENT/EACCES from YAML parse errors in the logged message).
• policy-remove confirm prompt — normalized to trim().toLowerCase().startsWith("n") to match policy-add; no now declines.

Help-text wording concern is moot — the misleading line was dropped during the rebase.

[KimYannn]

wsl-e2e failure is a pre-existing flake in test/sandbox-build-context.test.ts > optimized staging is smaller than the legacy build context — 30s timeout when copying the full repo over the WSL /mnt/d NTFS mount. Test is unrelated to this PR's changes (it exercises build-context staging, not policy presets).

Can a maintainer rerun the failed job? I don't have repo admin rights.

[jyaunches]

PR Review: feat/2039-policy-add-from-file

Files Changed: 5 | Lines: +629 / -22

Nice work on this, @KimBioInfoStudio — the applyPreset → applyPresetContent refactor is clean, the validation in loadPresetFromFile is thorough, and the test coverage is excellent (103/103 passing). The JSDoc additions throughout are a great bonus. A few things to address before merge:

---

🔴 Blockers (must fix before merge)

1. Custom presets can be applied but cannot be removed.

   removePreset() calls loadPreset(presetName) which only looks in PRESETS_DIR (built-in presets). When a user applies a custom preset via --from-file, it gets recorded in the registry by name (e.g., custom-rule). But policy-remove custom-rule will fail because:

   • sandboxPolicyRemove validates against allPresets = policies.listPresets() — custom presets won't appear in that list
   • Even if bypassed, removePreset → loadPreset("custom-rule") returns null since there's no custom-rule.yaml in PRESETS_DIR

   This creates a one-way door: presets can be added but not removed. The user's only recourse is openshell policy set with a manually edited YAML.

   Suggested fix: At minimum, document this limitation explicitly and file a follow-up issue. Better: add a --from-file flag to policy-remove that loads the custom preset content for removal, or store the custom preset content alongside its name in the registry so removePreset can find it later.

---

🟡 Warnings (should fix)

1. -y added to policy-add but not policy-remove — sandboxPolicyAdd now accepts -y as a shorthand for --yes, but sandboxPolicyRemove (line 2153) still only accepts --yes/--force. This creates an inconsistency in the CLI surface. Consider adding -y to policy-remove as well, or leaving it out of both.

2. Docs missing mention of removal limitation — The doc explains how to apply custom presets but doesn't mention how (or whether) they can be removed. Since policy-remove can't currently handle custom presets, this should be documented.

3. MyST admonition syntax — The doc uses > [!WARNING] (GitHub-flavored Markdown), but the project uses Sphinx/MyST. This should use :::{warning} syntax instead. Verify with make docs that it renders correctly.

---

🔵 Suggestions (nice to have)

1. File size check in loadPresetFromFile — The function reads the entire file with fs.readFileSync. Consider adding a statSync(abs).size guard with a reasonable limit (e.g., 1MB) before reading.

2. Temp file cleanup in tests — The writeTmp helper creates temp directories but never cleans them up. Consider afterEach cleanup or vi.onTestFinished.

3. --from-dir dotfile filtering — readdirSync + .ya?ml filter would pick up files like .hidden-preset.yaml. Consider filtering dotfiles (.filter(f => !f.startsWith('.'))) to match typical directory-scan behavior.

4. Symlink check in loadPresetFromFile — loadPreset (built-in) has path traversal protection. loadPresetFromFile uses fs.statSync which follows symlinks. Low blast radius since the user already has filesystem access, but worth noting for defense-in-depth.

---

Overall this is well-structured and well-tested. The blocker around removal is the main thing to sort out — everything else is polish. 🚀

[KimYannn]

CodeRabbit review triage

Addressed the major findings and responded inline on each thread. Summary:

Fixed in this PR

#	Finding	Commit
Major	applyExternalPreset didn't catch loader/apply exceptions (#3115137587)	59dc4d25
Minor	--from-dir filter accepted sub-directories ending in .yaml/ (#3115137577)	59dc4d25
Major	Confirmation prompt treated only exact "n" as decline (#3108013314)	5f4ef0fb
Minor	fs.readFileSync outside try/catch TOCTOU (#3108621349)	5f4ef0fb
Minor	Help text overstated --yes scope (#3109601365)	resolved by main merge — help now generated from typed command-registry.ts with accurate flag list

Deferred

• --dry-run should show merged-policy diff (Major, outside diff). Intentionally out of scope for this PR. The feature spec in [CLI] nemoclaw policy-add has no custom-preset surface; custom egress targets require dropping to openshell policy set #2039 is "apply custom preset files non-interactively"; dry-run here preserves the existing built-in-preset behavior (print endpoints, skip apply). A real policy-diff renderer needs its own design (structured YAML diff vs. text diff, colorization, how to handle tombstones on remove, etc.) and should ship as a separate feature that improves --dry-run for all policy-add paths, not just --from-file/--from-dir. Happy to open a tracking issue.
• Non-hermetic NEMOCLAW_OPENSHELL_BIN env handling in test/policies.test.ts (Minor, #3109601399). The problematic delete process.env.NEMOCLAW_OPENSHELL_BIN idiom predates this PR and affects multiple call sites. Cleaner as a single chore(test) sweep that introduces a shared withEnv helper than a partial patch here.

[KimYannn]

Thanks @jyaunches — addressing the blocker in ec73dfbc.

🔴 Blocker (custom presets are applied but cannot be removed) — fixed

Rather than require users to keep the original preset file around, I took Option C from the reviewer's three suggestions and persisted the full preset YAML in the sandbox registry when --from-file / --from-dir is used:

• SandboxEntry.customPolicies: { name, content, sourcePath, appliedAt }[] (new field; policies: string[] is unchanged so existing registries keep working).
• applyPresetContent(..., { custom: { sourcePath } }) writes to customPolicies; built-in applyPreset still writes to policies.
• removePreset(sandboxName, name) resolves the preset content from built-ins first, then from customPolicies, and prunes the correct registry bucket.
• policy-remove <custom-name> now works by name alone — no file required. Interactive selector and policy-list mix built-in and custom presets.

Round-trip tests added in test/registry.test.ts (the new helpers) and test/policies.test.ts (policy-remove custom presets describe block).

🟡 -y alias mismatch — fixed

policy-remove now accepts -y in addition to --yes / --force. Updated command-registry.ts so --help advertises both aliases on both commands.

🟡 docs (MyST warning syntax + removal limitation) — fixed

• Converted the GH-flavored > [!WARNING] in docs/network-policy/customize-network-policy.md to MyST :::{warning} so it renders under Sphinx.
• Added a Remove a Custom Preset section explaining that the preset content is persisted in the registry, so policy-remove <name> works without the original file on disk.

🔵 suggestions (file size guard / tmp-dir cleanup / dotfile filter / symlink check)

These are all sensible hardening steps but outside the scope of this blocker fix. I'll file a follow-up issue to track them once this PR is in.

npm run build:cli && npm run typecheck:cli clean; npx vitest run --project cli is 2150 passed / 7 skipped.

[jyaunches]

All blockers and warnings from Friday's review have been addressed. Deferred hardening items tracked in #2521. CI is green — merging.

[jyaunches]

All blockers and warnings from Friday's review have been addressed. Deferred hardening items tracked in #2521. CI is green — merging.