
fix: add policy preset for brew#1293

Merged
ericksoa merged 7 commits into main from fix/brew-policy
Apr 7, 2026

Conversation

@laitingsheng
Contributor

@laitingsheng laitingsheng commented Apr 2, 2026

Summary

  • Add a brew network policy preset that allows scoped HTTPS access to the
    Homebrew/Linuxbrew package registry domains (formulae.brew.sh, github.com/Homebrew,
    ghcr.io, and associated GitHub CDN hosts).
  • This preset only provides default network endpoints — it does not install
    Homebrew into the sandbox image. The sandbox image is immutable by design;
    embedding a full Linuxbrew installation would add significant bloat for a
    tool that not every sandbox needs.
  • For workflows that require installing system packages, the recommended
    approach is to customise the OpenShell sandbox policy to allow the
    necessary network access, rather than baking package managers into the
    base image.
  • Since the sandbox runs as a non-root user, the standard Homebrew installer
    will refuse to run. There is an undocumented workaround for non-root
    installations discussed in "Homebrew on linux without root access" (Homebrew/discussions#3386).

Related Issue

Fixes #491

Changes

  • nemoclaw-blueprint/policies/presets/brew.yaml
  • test/policies.test.js

Type of Change

  • Code change for a new feature, bug fix, or refactor.
  • Code change with doc updates.
  • Doc only. Prose changes without code sample modifications.
  • Doc only. Includes code sample changes.

Testing

  • npx prek run --all-files passes (or equivalently make check).
  • npm test passes.
  • make docs builds without warnings. (for doc-only changes)

Checklist

General

Code Changes

  • Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
  • Tests added or updated for new or changed behavior.
  • No secrets, API keys, or credentials committed.
  • Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

  • Follows the style guide. Try running the update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/update-docs catch up the docs for the new changes I made in this PR."
  • New pages include SPDX license header and frontmatter, if creating a new page.
  • Cross-references and links verified.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>

Summary by CodeRabbit

  • New Features
    • Added a Homebrew (Linuxbrew) policy preset enabling package manager access to required external hosts with enforced network rules and an allowlist of Homebrew binaries.
  • Tests
    • Updated tests to include and validate the newly added brew policy preset.

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@coderabbitai
Contributor

coderabbitai bot commented Apr 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 33ab5ae and c79b707.

📒 Files selected for processing (1)
  • test/policies.test.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/policies.test.js

📝 Walkthrough

Walkthrough

Adds a new brew policy preset granting Homebrew (Linuxbrew) network access to specific hosts on TCP/443 and whitelists Linuxbrew binary paths; updates tests to include the new preset.

Changes

Cohort / File(s) | Summary
New Brew Policy Preset (nemoclaw-blueprint/policies/presets/brew.yaml) | Adds preset.name: brew and network_policies.brew (name: brew) with enforcement settings; permits access: full to TCP/443 for formulae.brew.sh, github.com, ghcr.io, pkg-containers.githubusercontent.com, objects.githubusercontent.com, raw.githubusercontent.com; adds binary allowlist entries: /home/linuxbrew/.linuxbrew/bin/brew, /home/linuxbrew/.linuxbrew/bin/*, /home/linuxbrew/.linuxbrew/Homebrew/bin/*.
Test Suite Update (test/policies.test.js) | Updates listPresets test expectation: presets.length incremented from 10 to 11 and the sorted preset names array now includes "brew".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I nibbled on YAML, tidy and new,
A brew path unfolded where network winds blew,
Bin trails and hosts aligned in a stitch,
The sandbox hops forward — sip, fetch, and switch.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The pull request title accurately describes the main change: adding a new policy preset for brew/Linuxbrew package manager support.
Linked Issues check | Passed | The PR implements the proposed design from issue #491 by adding a network policy preset for Homebrew with required hosts and binary paths, addressing the core objective.
Out of Scope Changes check | Passed | All changes are directly related to issue #491: the new brew.yaml preset and test update are within scope and necessary for the feature implementation.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nemoclaw-blueprint/policies/presets/brew.yaml`:
- Around line 14-54: Change the brew preset entries that currently use "tls: terminate" and path-based REST rules to use CONNECT-style full access: for each host block (github.com, ghcr.io, pkg-containers.githubusercontent.com, objects.githubusercontent.com, raw.githubusercontent.com) replace the "tls: terminate" key with "access: full" and remove the method/path rules under "rules" (path filtering won't work over CONNECT tunneling); keep protocol/enforcement as needed but ensure the host blocks use "access: full" to allow CONNECT-tunneled package/registry traffic.

In `@test/policies.test.js`:
- Line 28: Update the tests that assert the list of preset names and package-manager invariants to account for the newly added "brew" preset: add "brew" to the expected names array used in the preset-name test (the array that currently includes "brew" on line shown), increment the related total preset count assertion (preset-count) to reflect one more preset, and include "brew" in the package-manager schema guardrail checks (the package-manager invariant tests that assert access: "full" / CONNECT model). Ensure the same package-manager validation logic used for other managers is applied to "brew" so it follows the standardized CONNECT/access: full expectations.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 98e1b98 and 9e72c50.

📒 Files selected for processing (2)
  • nemoclaw-blueprint/policies/presets/brew.yaml
  • test/policies.test.js
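The review above asks for a package-manager guardrail in the test suite: every host block of a preset like brew must use the CONNECT model (access: full on TCP/443), because method/path rules cannot be evaluated on traffic inside a CONNECT tunnel and only look like a restriction. The following is an added example in the language of the project's tests, not code from this PR or from NemoClaw; the preset object shape (a `hosts` array with `host`, `port`, `access`, `tls`, `rules`) is an assumption for illustration, while the key names `access: full`, `tls: terminate`, `rules` with `method`/`path`, and the six hosts are taken from the page.

```javascript
// Added example, not the project's code. The preset object shape below is an
// assumption for illustration, not the OpenShell/NemoClaw policy schema.
const BREW_HOSTS = new Set([
  "formulae.brew.sh", "github.com", "ghcr.io",
  "pkg-containers.githubusercontent.com",
  "objects.githubusercontent.com", "raw.githubusercontent.com",
]);

// Package-manager guardrail: every host block must follow the CONNECT model
// (access: full on TCP/443, a host from the preset's allowlist). A host block
// that terminates TLS or carries method/path rules is reported, because path
// filtering cannot be applied to traffic inside a CONNECT tunnel and such
// rules would only give a false sense of restriction.
function checkPackageManagerPreset(preset, allowedHosts) {
  const findings = [];
  for (const h of preset.hosts) {
    if (!allowedHosts.has(h.host)) findings.push(`${h.host}: host not in allowlist`);
    if (h.port !== 443) findings.push(`${h.host}: port ${h.port} is not 443`);
    if (h.access !== "full") findings.push(`${h.host}: expected access: full`);
    if (h.tls === "terminate") findings.push(`${h.host}: tls: terminate breaks CONNECT model`);
    if (Array.isArray(h.rules) && h.rules.length > 0) {
      findings.push(`${h.host}: ${h.rules.length} path rule(s) are dead under CONNECT`);
    }
  }
  return findings;
}

// Constructed "before" shape, as the first review round described it.
const BEFORE_PRESET = {
  name: "brew",
  hosts: [
    { host: "formulae.brew.sh", port: 443, access: "full" },
    { host: "github.com", port: 443, tls: "terminate",
      rules: [{ method: "GET", path: "/Homebrew/*" }] },
  ],
};

// Constructed "after" shape matching the merged description: access: full
// on TCP/443 for each allowlisted host, no per-path rules.
const AFTER_PRESET = {
  name: "brew",
  hosts: [...BREW_HOSTS].map((host) => ({ host, port: 443, access: "full" })),
};

console.log("before:", checkPackageManagerPreset(BEFORE_PRESET, BREW_HOSTS));
console.log("after:", checkPackageManagerPreset(AFTER_PRESET, BREW_HOSTS));
```

Run with `node`; the "before" preset yields three findings for github.com (no access: full, TLS terminated, one dead path rule) and the "after" preset yields none.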

Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
@laitingsheng laitingsheng requested review from cv and ericksoa April 2, 2026 02:44
@wscurran wscurran added the labels NemoClaw CLI and enhancement: feature Apr 3, 2026
@wscurran
Contributor

wscurran commented Apr 3, 2026

✨ Thanks for submitting this pull request, which proposes a way to support Homebrew package access in sandboxes by adding a new network policy preset.

Contributor

@ericksoa ericksoa left a comment


Reviewed: purely additive — new brew preset file and test count bump. No existing behavior modified. access: full is consistent with npm/pypi presets. Low regression risk. LGTM.

@ericksoa ericksoa merged commit ef98714 into main Apr 7, 2026
4 of 5 checks passed
@ericksoa ericksoa deleted the fix/brew-policy branch April 7, 2026 07:04

Labels

enhancement: feature, NemoClaw CLI

Development

Successfully merging this pull request may close these issues.

brew installer support or byo package guidance

3 participants