Description
The documentation at docs/reference/network-policies.md (lines 56-60) lists github_rest_api as a separate policy with api.github.com:443 restricted to specific HTTP methods and binary /usr/bin/gh. However, the actual YAML at openclaw-sandbox.yaml (lines 87-94) combines api.github.com under the github policy with access: full (no method restrictions) and allows both gh and git binaries. This creates a false sense of security — users believe method restrictions exist when they don't.
Impact
Operators make security decisions based on inaccurate documentation. The actual policy is significantly more permissive than documented.
Steps to Reproduce
- Read `docs/reference/network-policies.md` — note the `github_rest_api` entry with method restrictions
- Read `nemoclaw-blueprint/policies/openclaw-sandbox.yaml` — note `api.github.com` has `access: full`
- Observe the inconsistency
Notes
This also extends to Discord (missing from baseline docs table), Telegram (binary restriction mismatch), and Discord preset (described as "webhook API" when it's the full REST API + WebSocket + CDN).
Affected Page
- File(s): docs/reference/network-policies.md, nemoclaw-blueprint/policies/openclaw-sandbox.yaml
- Service(s): Network policy documentation
Issue Type
Unclear or confusing
Suggested Fix
File: docs/network-policy/customize-network-policy.md — append after the "Edit the Policy File" subsection (after line ~52):
### Access Modes
Each endpoint supports two access modes that control how OpenShell inspects traffic:
| Field | Value | Behavior |
|-------|-------|----------|
| `protocol` | `rest` | OpenShell terminates TLS and inspects HTTP method/path against `rules`. Only matching requests are forwarded. |
| `access` | `full` | OpenShell creates a raw CONNECT tunnel. No HTTP inspection — all traffic to the host:port is allowed. Use only when protocol-level inspection is not possible (e.g., `git` SSH-over-HTTPS, WebSocket upgrades). |
#### Enforcement and TLS Fields
```yaml
endpoints:
  - host: api.example.com
    port: 443
    protocol: rest        # Enable HTTP inspection
    enforcement: enforce  # Block non-matching requests (vs "audit" = log only)
    tls: terminate        # OpenShell terminates TLS to inspect HTTP layer
    rules:
      - allow: { method: GET, path: "/v1/**" }
      - allow: { method: POST, path: "/v1/chat/completions" }
```
**Security note:** `access: full` bypasses all HTTP-layer rules. The `github` policy uses `access: full` because `git` requires CONNECT tunneling. This means method/path restrictions cannot be enforced on `api.github.com` — the agent has full API access. See SEC-HIGH-003 for hardening options.
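To make the difference between the two access modes concrete, here is an added Python example (not OpenShell or NemoClaw code) that evaluates requests against a policy shaped like the YAML above. The `POLICY` dict is constructed to mirror that snippet; the field names, the `**`/`*` glob semantics and the `enforce`/`audit` split are assumptions taken from the snippet, not from OpenShell's real schema or proxy. It shows why the documented `github_rest_api` method restrictions cannot hold when the endpoint is actually `access: full`, and includes an audit helper that lists every endpoint whose HTTP layer is never inspected, which is the check an operator would run against the real YAML instead of trusting the docs table.

```python
import re

# Constructed sample policy mirroring the YAML shape in the snippet above.
# Field names and semantics are assumed from that snippet, not taken from
# OpenShell's real schema or enforcement code.
POLICY = {
    "github": {
        "binaries": ["/usr/bin/gh", "/usr/bin/git"],
        "endpoints": [
            {"host": "api.github.com", "port": 443, "access": "full"},
        ],
    },
    "example_rest": {
        "binaries": ["/usr/bin/curl"],
        "endpoints": [
            {
                "host": "api.example.com",
                "port": 443,
                "protocol": "rest",
                "enforcement": "enforce",
                "tls": "terminate",
                "rules": [
                    {"allow": {"method": "GET", "path": "/v1/**"}},
                    {"allow": {"method": "POST", "path": "/v1/chat/completions"}},
                ],
            },
        ],
    },
}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Assumed glob semantics: '**' spans '/' boundaries, '*' stays in one segment."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def evaluate(policy: dict, host: str, port: int, method: str, path: str):
    """Decide what the proxy does with one request.

    Returns (decision, reason) with decision in {"allow", "deny", "audit"}.
    """
    for name, entry in policy.items():
        for ep in entry.get("endpoints", []):
            if ep["host"] != host or ep.get("port", 443) != port:
                continue
            if ep.get("access") == "full":
                # Raw CONNECT tunnel: the proxy never sees method or path,
                # so no rule can restrict them.
                return "allow", f"{name}: access=full, CONNECT tunnel, no HTTP inspection"
            if ep.get("protocol") == "rest":
                for rule in ep.get("rules", []):
                    allow = rule.get("allow")
                    if not allow:
                        continue
                    method_ok = allow.get("method", "*").upper() in ("*", method.upper())
                    if method_ok and glob_to_regex(allow["path"]).match(path):
                        return "allow", f"{name}: matched {allow}"
                if ep.get("enforcement", "enforce") == "audit":
                    return "audit", f"{name}: no rule matched, audit mode only logs"
                return "deny", f"{name}: no rule matched"
            return "deny", f"{name}: endpoint has neither access=full nor protocol=rest"
    return "deny", "no policy endpoint matches this host:port"


def uninspected_endpoints(policy: dict) -> list:
    """Audit helper: every host:port whose HTTP layer is not inspected at all."""
    found = []
    for name, entry in policy.items():
        for ep in entry.get("endpoints", []):
            if ep.get("access") == "full":
                found.append((name, ep["host"], ep.get("port", 443), entry.get("binaries", [])))
    return found


if __name__ == "__main__":
    # A DELETE that the docs imply is blocked is tunneled straight through.
    print(evaluate(POLICY, "api.github.com", 443, "DELETE", "/repos/org/repo"))
    print(evaluate(POLICY, "api.example.com", 443, "DELETE", "/v1/models"))
    for item in uninspected_endpoints(POLICY):
        print("no HTTP inspection:", item)
```

Running `uninspected_endpoints` over the real `openclaw-sandbox.yaml` (loaded with `yaml.safe_load`) is the quick way to see which hosts the docs' method tables can never apply to; any host that appears there with documented method restrictions is a documentation bug of the kind this issue describes.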
**Also update** `docs/reference/network-policies.md` lines 56-60:
- Remove the `github_rest_api` entry that claims method restrictions
- Replace with accurate `github` entry showing `access: full` (no method filtering)