fix(policy): add node binary to npm_registry network policy

[jnun]

Summary

npm install inside the sandbox fails with 403 Forbidden because the npm_registry network policy does not include /usr/local/bin/node in its allowed binaries list.

The sandbox proxy checks which binary initiates each outbound HTTPS CONNECT request.
npm is a Node.js script (/usr/local/lib/node_modules/npm/bin/npm-cli.js), so the actual binary making the request is /usr/local/bin/node, not /usr/local/bin/npm.
The proxy sees node as the caller, finds no matching binary in the policy, and returns 403.

Reproduction

$ openshell sandbox create --name demo
$ npm install discord.js
npm error 403 403 Forbidden - GET https://registry.npmjs.org/discord.js

Fix

Add /usr/local/bin/node to the npm_registry binaries list in nemoclaw-blueprint/policies/openclaw-sandbox.yaml.
Update docs/reference/network-policies.md to reflect the corrected binaries and access level.

Test plan

• npm install discord.js succeeds inside the sandbox after applying the updated policy
• Verified the proxy logs show deny_reason="no matching network policy" for /usr/local/bin/node before the fix
• openshell policy set with the corrected YAML resolves the 403
• All existing tests pass (npm test, cd nemoclaw && npm test)

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Documentation

  • Updated documentation for npm registry network policies.

• Chores

  • Extended npm registry network policy permissions to include Node binary for accessing npm registry with broadened method permissions.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 43c6876a-f121-4b96-a571-ab5baa0660f8

📥 Commits

Reviewing files that changed from the base of the PR and between d37a09f and 9d7b90d.

📒 Files selected for processing (2)

• docs/reference/network-policies.md
• nemoclaw-blueprint/policies/openclaw-sandbox.yaml

---

📝 Walkthrough

Walkthrough

The changes extend npm registry network policy permissions by adding /usr/local/bin/node to allowed binaries and updating documentation to reflect broadened method permissions (all methods instead of GET only) for connections to registry.npmjs.org:443.

Changes

Cohort / File(s)	Summary
NPM Registry Policy Update nemoclaw-blueprint/policies/openclaw-sandbox.yaml	Added /usr/local/bin/node to the npm_registry network policy's allowed binaries list, extending execution permissions alongside existing openclaw and npm binaries.
Policy Documentation docs/reference/network-policies.md	Updated documentation for npm_registry baseline endpoint group to reflect broadened egress permissions from GET-only to all methods for binaries connecting to registry.npmjs.org:443.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A hop, a skip, a node so fine,
Through npm's path, the permissions align,
One binary added, the docs now gleam,
Network policies flow like a developer's dream! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(policy): add node binary to npm_registry network policy' directly and clearly summarizes the main change: adding the node binary to the npm_registry network policy to fix the 403 Forbidden issue with npm install.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}