fix(policy): make Jira curl validation observable

[ericksoa]

Summary

• keep the Jira policy preset Node-only, but replace the ambiguous auth.atlassian.com curl validation with a body-visible Atlassian API probe
• update CLI guidance and network-policy docs to expect unauthenticated 401 JSON after explicitly approving curl
• strengthen TC-NET-08 so curl must be locally denied before approval and must return the visible Atlassian 401 body after approval

Root Cause

The previous Jira-policy fix landed in v0.0.52, but QA validated with curl -s --max-time 10 https://auth.atlassian.com before and after approval. That endpoint can return an empty redirect body even when reachable, so blocked and allowed cases can both look like no output.

https://api.atlassian.com/oauth/token/accessible-resources returns visible 401 JSON without Jira credentials, which makes the approval transition observable.

Tests

• bash -n test/e2e/test-network-policy.sh
• shellcheck test/e2e/test-network-policy.sh
• git diff --check
• python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user --doc-platform fern-mdx --dry-run
• npm run build:cli
• npx vitest run test/policies.test.ts test/validate-blueprint.test.ts test/e2e-script-workflow.test.ts test/validate-e2e-coverage.test.ts
• npm run validate:configs
• npm run docs:strict
• live host probe: curl -sS --max-time 10 -o /tmp/nemoclaw-jira-api-probe-body -w status=%{http_code} https://api.atlassian.com/oauth/token/accessible-resources returned 401 with Unauthorized JSON

Fixes #3758

Summary by CodeRabbit

• Documentation
  • Updated Jira integration validation guidance to use a body-visible Atlassian OAuth probe and to treat an unauthenticated 401 JSON response as the post-approval success signal.
• Tests
  • Updated end-to-end and unit tests to validate Jira integration behavior against the new probe and the 401 JSON post-approval expectation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: acb03de8-09e0-440f-85e5-290d8193cb4f

📥 Commits

Reviewing files that changed from the base of the PR and between c15111a and 8b90b63.

📒 Files selected for processing (1)

• docs/network-policy/integration-policy-examples.mdx

✅ Files skipped from review due to trivial changes (1)

• docs/network-policy/integration-policy-examples.mdx

---

📝 Walkthrough

Walkthrough

The PR changes Jira preset validation to use api.atlassian.com/oauth/token/accessible-resources for manual probes (body-visible curl), updates the expected pre/post-approval signals to include Atlassian’s unauthenticated 401 JSON, and adjusts docs, e2e, and unit tests accordingly.

Changes

Jira Preset Validation Endpoint Update

Layer / File(s)	Summary
Docs and preset warning text docs/network-policy/integration-policy-examples.mdx, src/lib/policy/index.ts	Replaced auth.atlassian.com status-probe guidance with a body-visible probe against api.atlassian.com/oauth/token/accessible-resources and updated expected pre/post-approval outcomes.
E2E test: probe URL, blocked/allowed checks, response validation test/e2e/test-network-policy.sh	Centralized curl_probe_url, updated pre-approval probe and blocked-condition checks to use it, changed policy approval to allow api.atlassian.com:443 for curl binaries, and validate post-approval response body for a 401 Unauthorized JSON.
Unit test assertions for preset warning test/policies.test.ts	Updated getPresetValidationWarning("jira") test to expect the api.atlassian.com/oauth/token/accessible-resources path and a 401 JSON indicator.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4185: Switches Jira manual probe validation to the same api.atlassian.com/oauth/token/accessible-resources endpoint and adjusts related warning text and tests.

Suggested labels

fix

Suggested reviewers

• cv

Poem

🐰 I hopped from auth to api with care,
Sniffed headers and bodies in the air,
A 401 greeted my curious probe,
Now docs and tests follow that globe,
Per-binary checks snug in their lair.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'fix(policy): make Jira curl validation observable' directly reflects the main objective: replacing ambiguous curl validation with an observable probe that shows clear approval transitions.
Linked Issues check	✅ Passed	All objectives from issue #3758 are met: per-binary enforcement for Jira preset is maintained, curl validation against api.atlassian.com/oauth/token/accessible-resources replaces auth.atlassian.com, observable 401 JSON response indicates approval success, and tests verify the approval transition.
Out of Scope Changes check	✅ Passed	All changes are within scope: documentation updates, validation warning text, e2e test probe updates, and test assertions all directly support the Jira policy observability fix without introducing unrelated modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/3758-jira-policy-observable-curl

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-4579.docs.buildwithfern.com/nemoclaw

[github-actions]

E2E Advisor Recommendation

Required E2E: network-policy-e2e
Optional E2E: docs-validation-e2e

Dispatch hint: network-policy-e2e

Auto-dispatched E2E: network-policy-e2e via nightly-e2e.yaml at 8b90b63fb70637f2965cd390bd0df3179fb330dd — nightly run

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• network-policy-e2e (high: provisions a real sandbox/OpenShell environment and uses NVIDIA_API_KEY for live validation): Directly exercises test/e2e/test-network-policy.sh, including TC-NET-08 Jira per-binary policy enforcement, live policy-add behavior, dry-run behavior, hot reload, and inference exemption under restricted policy. Required because the PR changes network-policy/security-boundary behavior and its corresponding E2E assertions.

Optional E2E

• docs-validation-e2e (low-medium: installs NemoClaw and runs documentation validation): Useful confidence check for the updated network-policy documentation and CLI/docs consistency, but not merge-blocking because the runtime-sensitive change is covered by network-policy-e2e.

New E2E recommendations

• None.

Dispatch hint

• Workflow: .github/workflows/nightly-e2e.yaml
• jobs input: network-policy-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• None. No scenario E2E jobs are recommended. The changed E2E script is under legacy test/e2e/ and is owned by the general E2E advisor, not the scenario advisor. No files under test/e2e-scenario/ or .github/workflows/e2e-scenarios*.yaml changed, and the source change updates Jira policy validation guidance rather than a surface currently covered by a dispatchable scenario suite.

Optional scenario E2E

• None.

Relevant changed files

• None.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

docs/network-policy/integration-policy-examples.mdx (1)

225-228: ⚡ Quick win

Split this into one sentence per line and avoid colon-as-punctuation.

The sentence currently spans multiple lines, and the colon in “manual probe: it proves …” is clause punctuation rather than list introduction.

As per coding guidelines: “One sentence per line in source” and “Colons should only introduce a list.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/network-policy/integration-policy-examples.mdx` around lines 225 - 228,
Split the paragraph that begins "After explicitly approving curl for
`api.atlassian.com` in OpenShell, it should return Atlassian's unauthenticated
`401` JSON response." into one sentence per line, and remove the colon in
"manual probe: it proves ..." by rephrasing to a full sentence such as "This
manual probe proves curl reached Atlassian but no Jira credentials were
supplied." Ensure each sentence from that paragraph is its own line in the
source and no colon is used as clause punctuation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/network-policy/integration-policy-examples.mdx`:
- Around line 219-222: Replace the non-copyable console transcript block
containing the two commands (the node -e require('https').get(...) line and the
curl -sS ... line) with a copyable shell code block: change the triple-backtick
language tag from ```console to ```bash (or ```sh) and remove the leading "$ "
prompt markers so the block contains only the raw commands.

---

Nitpick comments:
In `@docs/network-policy/integration-policy-examples.mdx`:
- Around line 225-228: Split the paragraph that begins "After explicitly
approving curl for `api.atlassian.com` in OpenShell, it should return
Atlassian's unauthenticated `401` JSON response." into one sentence per line,
and remove the colon in "manual probe: it proves ..." by rephrasing to a full
sentence such as "This manual probe proves curl reached Atlassian but no Jira
credentials were supplied." Ensure each sentence from that paragraph is its own
line in the source and no colon is used as clause punctuation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 37924a65-45a6-4836-b5b4-e6473173da37

📥 Commits

Reviewing files that changed from the base of the PR and between 9641ce0 and 878b45a.

📒 Files selected for processing (4)

• docs/network-policy/integration-policy-examples.mdx
• src/lib/policy/index.ts
• test/e2e/test-network-policy.sh
• test/policies.test.ts

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 0 still apply, 0 new items found

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26716712184
Target ref: 878b45ab991c27197c62702f0b38ff818fdd073b
Workflow ref: main
Requested jobs: network-policy-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
network-policy-e2e	✅ success

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26717009252
Target ref: 8b90b63fb70637f2965cd390bd0df3179fb330dd
Workflow ref: main
Requested jobs: network-policy-e2e
Summary: 0 passed, 0 failed, 0 skipped

Job	Result
network-policy-e2e	⚠️ cancelled

[github-actions]

Selective E2E Results — ✅ All requested jobs passed

Run: 26717027566
Target ref: 8b90b63fb70637f2965cd390bd0df3179fb330dd
Workflow ref: main
Requested jobs: network-policy-e2e
Summary: 1 passed, 0 failed, 0 skipped

Job	Result
network-policy-e2e	✅ success