Network Policies
NemoClaw runs with a deny-by-default network policy. The sandbox can only reach endpoints that are explicitly allowed. OpenShell intercepts any request to an unlisted destination and prompts the operator to approve or deny it in real time through the TUI.
Baseline Policy
Hermes sandboxes use an agent-specific baseline policy in agents/hermes/policy-additions.yaml so Hermes runtime binaries can reach the service endpoints they need while keeping the same deny-by-default model.
Hermes sandboxes use an agent-specific baseline policy in agents/hermes/policy-additions.yaml so Hermes runtime binaries can reach the service endpoints they need while keeping the same deny-by-default model.
Filesystem
/dev/pts is the pseudo-terminal (devpts) directory.
It is writable so PTY-based tools (tmux, script, and interactive shells) can allocate a terminal.
Without it, those tools fail with fork failed: Permission denied.
The sandbox process runs as a dedicated sandbox user and group.
Landlock LSM enforcement applies on a best-effort basis.
Network Policies
The following endpoint groups are allowed by default:
Hermes baseline endpoint groups are declared by the Hermes agent policy additions.
Use nemohermes <sandbox> policy-list or openshell policy get --base <sandbox> on a live sandbox to inspect the exact applied baseline.
All endpoints use TLS termination and are enforced at port 443.
Messaging endpoints are not part of the common baseline policy. Enable the channel during onboarding or apply the matching preset so the sandbox can reach that platform.
Policy Tiers
During onboarding, the wizard prompts for a policy tier that determines the default set of presets applied on top of the baseline policy. The baseline policy is always applied regardless of the selected tier.
After selecting a tier, a combined preset and access-mode screen lets you include or exclude individual presets and toggle each between read (GET only) and read-write (GET + POST/PUT/PATCH) access.
Tier-default presets are pre-selected; additional presets can be added from the built-in preset list available to the sandbox’s active agent.
NemoClaw filters tier defaults and built-in preset choices by the active agent’s supported integrations.
Hermes can select tavily only.
NemoClaw automatically suggests the preset that matches the selected provider and removes stale web search presets during resume reconciliation when you switch providers or disable web search.
Explicit custom preset lists and manual interactive selections remain operator-controlled.
Hermes managed-tool gateway selections can add Hermes-specific presets, such as Nous-hosted web, image, audio, browser, or code tools, without applying unsupported OpenClaw-only presets.
When Hermes uses Tavily, NemoClaw removes nous-web from the effective managed-tool selection while preserving other selected Nous tool presets.
The applied set therefore reflects the chosen tier plus any agent-required presets, so policy-list may show one or more presets that do not appear in the tier table above.
The policy-list provenance tags are inferred from the current tier YAML and the active agent at display time and are not persisted per preset.
A preset whose name matches an entry in the sandbox’s current tier definition is labelled [from <tier> tier] even when an operator added it manually with policy-add after onboarding; agent-specific preset names are only labelled [from <agent> agent] when the active agent matches.
Claude Code direct egress is not included in any policy tier.
If you install and run the Claude Code CLI inside the sandbox with its own credentials, apply the claude-code preset explicitly.
Normal NemoClaw Anthropic inference still routes through the OpenShell gateway.
Tier definitions are stored in nemoclaw-blueprint/policies/tiers.yaml.
In non-interactive mode, set the tier with NEMOCLAW_POLICY_TIER:
Unset, blank, or whitespace-only NEMOCLAW_POLICY_TIER values use the balanced default.
In non-interactive onboarding, a non-blank value that does not match a known tier exits before preflight, gateway, or inference side effects and lists the valid options.
Interactive onboarding ignores an invalid environment value and shows the normal tier prompt.
Inference
The baseline policy allows only the local inference route.
External inference providers are reached through the OpenShell gateway, not by direct sandbox egress.
Operator Approval Flow
When the agent attempts to reach an endpoint not listed in the policy, OpenShell intercepts the request and presents it in the TUI for operator review. The flow has these steps:
- The agent makes a network request to an unlisted host.
- OpenShell blocks the connection and logs the attempt.
- The TUI command
openshell termdisplays the blocked request with host, port, and requesting binary. - The operator approves or denies the request.
- If approved, the endpoint is added to the running policy for the session.
To monitor requests as the agent runs, open the TUI:
For step-by-step navigation and approval controls, refer to Approve or Deny Agent Network Requests.
Modifying the Policy
Static Changes
Edit agents/hermes/policy-additions.yaml and re-run the onboard wizard:
Dynamic Changes
Apply policy updates to a running sandbox without restarting:
To replace the live policy with a complete base policy file, export the current base policy and use openshell policy set.
Requires OpenShell 0.0.72+ for the round-trippable policy get --base and policy set --wait syntax.
NemoClaw strips the OpenShell metadata header and exits non-zero if it cannot validate the base policy.
Do not add --raw when you plan to edit and reapply the file.
Edit or review current-policy.yaml, then apply it: