Network Policies
NemoClaw runs with a deny-by-default network policy. The sandbox can only reach endpoints that are explicitly allowed. OpenShell intercepts any request to an unlisted destination and prompts the operator to approve or deny it in real time through the TUI.
Baseline Policy
Deep Agents sandboxes use an agent-specific baseline policy in agents/langchain-deepagents-code/policy-additions.yaml so the managed dcode runtime can reach inference, GitHub, and package endpoints while keeping the same deny-by-default model.
Deep Agents uses strict Landlock compatibility, so sandbox startup fails when OpenShell cannot enforce the managed filesystem policy.
Filesystem
/dev/pts is the pseudo-terminal (devpts) directory.
It is writable so PTY-based tools (tmux, script, and interactive shells) can allocate a terminal.
Without it, those tools fail with fork failed: Permission denied.
The sandbox process runs as a dedicated sandbox user and group.
For Deep Agents, Landlock enforcement is strict. If the kernel or runtime cannot enforce the managed filesystem policy, sandbox startup fails closed.
Network Policies
The following endpoint groups are allowed by default:
All endpoints use TLS termination and are enforced at port 443.
Deep Agents is a terminal-oriented harness.
NemoClaw does not configure messaging channel bridges for Deep Agents today, and the baseline policy does not include Tavily, LangSmith, MCP hosts, or arbitrary web endpoints.
Apply maintained presets such as github, pypi, or tavily only when the sandbox needs that access.
Policy Tiers
During onboarding, the wizard prompts for a policy tier that determines the default set of presets applied on top of the baseline policy. The baseline policy is always applied regardless of the selected tier.
After selecting a tier, a combined preset and access-mode screen lets you include or exclude individual presets and toggle each between read (GET only) and read-write (GET + POST/PUT/PATCH) access. Tier-default presets are pre-selected; additional presets can be added from the built-in preset list available to the sandbox’s active agent. NemoClaw filters tier defaults and built-in preset choices by the active agent’s supported integrations.
Deep Agents can use the maintained tavily opt-in path, but messaging channel presets are omitted because the terminal harness does not run a NemoClaw messaging bridge today.
NemoClaw automatically suggests the preset that matches the selected provider and removes stale web search presets during resume reconciliation when you switch providers or disable web search.
Explicit custom preset lists and manual interactive selections remain operator-controlled.
When LangChain Deep Agents Code is onboarded with --observability, NemoClaw adds the observability-otlp-local preset on Balanced and Open tiers.
The Restricted tier suppresses this agent-required preset during onboarding and rebuild reconciliation.
An operator can add it manually after reviewing the additional egress, but the next Restricted reconciliation removes it.
The applied set therefore reflects the chosen tier plus any agent-required presets, so policy-list may show one or more presets that do not appear in the tier table above.
The policy-list provenance tags are inferred from the current tier YAML and the active agent at display time and are not persisted per preset.
A preset whose name matches an entry in the sandbox’s current tier definition is labelled [from <tier> tier] even when an operator added it manually with policy-add after onboarding; agent-specific preset names are only labelled [from <agent> agent] when the active agent matches.
Claude Code direct egress is not included in any policy tier.
If you install and run the Claude Code CLI inside the sandbox with its own credentials, apply the claude-code preset explicitly.
Normal NemoClaw Anthropic inference still routes through the OpenShell gateway.
Tier definitions are stored in nemoclaw-blueprint/policies/tiers.yaml.
In non-interactive mode, set the tier with NEMOCLAW_POLICY_TIER:
Unset, blank, or whitespace-only NEMOCLAW_POLICY_TIER values use the balanced default.
In non-interactive onboarding, a non-blank value that does not match a known tier exits before preflight, gateway, or inference side effects and lists the valid options.
Interactive onboarding ignores an invalid environment value and shows the normal tier prompt.
Inference
The baseline policy allows only the local inference route.
External inference providers are reached through the OpenShell gateway, not by direct sandbox egress.
Local OTLP Trace Export
The observability-otlp-local preset supports the opt-in LangChain Deep Agents Code trace path.
It is not a general remote observability policy.
The sandbox sends OTLP/HTTP protobuf traces to a collector that the operator runs on the host. The managed exporter uses standard OTLP transport headers but does not accept operator-supplied custom or authentication headers. Remote backend endpoints and credentials stay in that collector. The policy does not allow direct LangSmith, Jaeger, Phoenix, or other backend egress from Deep Agents Code. Changing the collector’s downstream exporter requires no sandbox policy change.
OpenShell observes Deep Agents Code export as the managed Python interpreter, so this permission is process-wide for /opt/venv/bin/python3* rather than limited to the dcode launcher.
Sandbox Python can forge spans and resource attributes.
The explicit --observability opt-in can export bounded prompts, responses, tool arguments, tool results, and operational metadata.
Managed size and recognized-key redaction do not detect secrets embedded in ordinary content values.
The collector must enforce the operator’s filtering and redaction requirements before forwarding traces, and it must not treat span fields such as service.name as authenticated tenant identity.
For a safe host binding, policy recovery commands, a runnable collector, and end-to-end verification, refer to Export Traces Through a Local Collector.
Operator Approval Flow
When the agent attempts to reach an endpoint not listed in the policy, OpenShell intercepts the request and presents it in the TUI for operator review. The flow has these steps:
- The agent makes a network request to an unlisted host.
- OpenShell blocks the connection and logs the attempt.
- The TUI command
openshell termdisplays the blocked request with host, port, and requesting binary. - The operator approves or denies the request.
- If approved, the endpoint is added to the running policy for the session.
To try this, run the walkthrough:
This opens a split tmux session with the TUI on the left and the agent on the right.
Modifying the Policy
Static Changes
Edit agents/langchain-deepagents-code/policy-additions.yaml and re-run the onboard wizard:
Dynamic Changes
Apply policy updates to a running sandbox without restarting:
To replace the live policy with a complete raw policy file, start from the live policy and use openshell policy set.
Requires OpenShell 0.0.72+ for the round-trippable policy get --base and policy set --wait syntax.
Edit or review current-policy.yaml, then apply it: