feat(policy): allow selecting policy presets by number (NVIDIA#1195)

<!-- markdownlint-disable MD041 -->
<!-- 1-3 sentences: what this PR does and why. -->

Allow `nemoclaw <sandbox> policy-add` to be selected by number instead
of typing preset names.

```bash
root@se7en:/tmp/NemoClaw# node bin/nemoclaw.js seven-demo policy-add

  Available presets:
    1) ○ discord — Discord API, gateway, and CDN access
    2) ○ docker — Docker Hub and NVIDIA container registry access
    3) ○ huggingface — Hugging Face Hub, LFS, and Inference API access
    4) ○ jira — Jira and Atlassian Cloud access
    5) ● npm — npm and Yarn registry access
    6) ○ outlook — Microsoft Outlook and Graph API access
    7) ○ pypi — Python Package Index (PyPI) access
    8) ○ slack — Slack API, Socket Mode, and webhooks access
    9) ○ telegram — Telegram Bot API access

  ● applied, ○ not applied

  Choose preset [1]: 7
  Apply 'pypi' to sandbox 'seven-demo'? [Y/n]: y
✓ Policy version 3 submitted (hash: 462a3f55b4da)
✓ Policy version 3 loaded (active version: 3)
  Applied preset: pypi
```

<!-- Link to the issue: Fixes #NNN or Closes #NNN. Remove this section
if none. -->
Fixes NVIDIA#1164

<!-- Bullet list of key changes. -->

<!-- Check the one that applies. -->
- [x] Code change for a new feature, bug fix, or refactor.
- [ ] Code change with doc updates.
- [ ] Doc only. Prose changes without code sample modifications.
- [ ] Doc only. Includes code sample changes.

<!-- What testing was done? -->
- [x] `npx prek run --all-files` passes (or equivalently `make check`).
- [x] `npm test` passes.
- [ ] `make docs` builds without warnings. (for doc-only changes)

- [x] I have read and followed the [contributing
guide](https://github.com/NVIDIA/NemoClaw/blob/main/CONTRIBUTING.md).
- [x] I have read and followed the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md).
(for doc-only changes)

<!-- Skip if this is a doc-only PR. -->
- [x] Formatters applied — `npx prek run --all-files` auto-fixes
formatting (or `make format` for targeted runs).
- [x] Tests added or updated for new or changed behavior.
- [x] No secrets, API keys, or credentials committed.
- [ ] Doc pages updated for any user-facing behavior changes (new
commands, changed defaults, new features, bug fixes that contradict
existing docs).

<!-- Skip if this PR has no doc changes. -->
- [ ] Follows the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md).
Try running the `update-docs` agent skill to draft changes while
complying with the style guide. For example, prompt your agent with
"`/update-docs` catch up the docs for the new changes I made in this
PR."
- [ ] New pages include SPDX license header and frontmatter, if creating
a new page.
- [ ] Cross-references and links verified.

---
<!-- DCO sign-off (required by CI). Replace with your real name and
email. -->
Signed-off-by: Seven Cheng <sevenc@nvidia.com>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

* **New Features**
* Interactive preset selection menu with visual status (● applied, ○ not
applied)
  * Empty input selects the default (first non-applied) when available
* Policy-add CLI now invokes the interactive selector and asks for
confirmation before applying

* **Validation**
* Rejects invalid, non-numeric, out-of-range, or already-applied
selections and prints feedback

* **Tests**
* Expanded tests covering selection behavior, defaulting, rejection
cases, list rendering, and CLI confirmation flow
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: cr7258

bin/lib/policies.js

@@ -6,6 +6,7 @@
 const fs = require("fs");
 const path = require("path");
 const os = require("os");
+const readline = require("readline");
 const YAML = require("yaml");
 const { ROOT, run, runCapture, shellQuote } = require("./runner");
 const registry = require("./registry");
@@ -293,6 +294,53 @@ function getAppliedPresets(sandboxName) {
   return sandbox ? sandbox.policies || [] : [];
 }
 
+function selectFromList(items, { applied = [] } = {}) {
+  return new Promise((resolve) => {
+    process.stderr.write("\n  Available presets:\n");
+    items.forEach((item, i) => {
+      const marker = applied.includes(item.name) ? "●" : "○";
+      const description = item.description ? ` — ${item.description}` : "";
+      process.stderr.write(`    ${i + 1}) ${marker} ${item.name}${description}\n`);
+    });
+    process.stderr.write("\n  ● applied, ○ not applied\n\n");
+    const defaultIdx = items.findIndex((item) => !applied.includes(item.name));
+    const defaultNum = defaultIdx >= 0 ? defaultIdx + 1 : null;
+    const question = defaultNum ? `  Choose preset [${defaultNum}]: ` : "  Choose preset: ";
+    const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+    rl.question(question, (answer) => {
+      rl.close();
+      if (!process.stdin.isTTY) {
+        if (typeof process.stdin.pause === "function") process.stdin.pause();
+        if (typeof process.stdin.unref === "function") process.stdin.unref();
+      }
+      const trimmed = answer.trim();
+      const effectiveInput = trimmed || (defaultNum ? String(defaultNum) : "");
+      if (!effectiveInput) {
+        resolve(null);
+        return;
+      }
+      if (!/^\d+$/.test(effectiveInput)) {
+        process.stderr.write("\n  Invalid preset number.\n");
+        resolve(null);
+        return;
+      }
+      const num = Number(effectiveInput);
+      const item = items[num - 1];
+      if (!item) {
+        process.stderr.write("\n  Invalid preset number.\n");
+        resolve(null);
+        return;
+      }
+      if (applied.includes(item.name)) {
+        process.stderr.write(`\n  Preset '${item.name}' is already applied.\n`);
+        resolve(null);
+        return;
+      }
+      resolve(item.name);
+    });
+  });
+}
+
 module.exports = {
   PRESETS_DIR,
   listPresets,
@@ -305,4 +353,5 @@ module.exports = {
   mergePresetIntoPolicy,
   applyPreset,
   getAppliedPresets,
+  selectFromList,
 };

bin/nemoclaw.js

@@ -1109,16 +1109,8 @@ async function sandboxPolicyAdd(sandboxName) {
   const allPresets = policies.listPresets();
   const applied = policies.getAppliedPresets(sandboxName);
 
-  console.log("");
-  console.log("  Available presets:");
-  allPresets.forEach((p) => {
-    const marker = applied.includes(p.name) ? "●" : "○";
-    console.log(`    ${marker} ${p.name} — ${p.description}`);
-  });
-  console.log("");
-
   const { prompt: askPrompt } = require("./lib/credentials");
-  const answer = await askPrompt("  Preset to apply: ");
+  const answer = await policies.selectFromList(allPresets, { applied });
   if (!answer) return;
 
   const confirm = await askPrompt(`  Apply '${answer}' to sandbox '${sandboxName}'? [Y/n]: `);

test/policies.test.js

@@ -2,9 +2,95 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
 import { describe, it, expect, vi } from "vitest";
+import { spawnSync } from "node:child_process";
 import policies from "../bin/lib/policies";
 
+const REPO_ROOT = path.join(import.meta.dirname, "..");
+const CLI_PATH = JSON.stringify(path.join(REPO_ROOT, "bin", "nemoclaw.js"));
+const CREDENTIALS_PATH = JSON.stringify(path.join(REPO_ROOT, "bin", "lib", "credentials.js"));
+const POLICIES_PATH = JSON.stringify(path.join(REPO_ROOT, "bin", "lib", "policies.js"));
+const REGISTRY_PATH = JSON.stringify(path.join(REPO_ROOT, "bin", "lib", "registry.js"));
+const SELECT_FROM_LIST_ITEMS = [
+  { name: "npm", description: "npm and Yarn registry access" },
+  { name: "pypi", description: "Python Package Index (PyPI) access" },
+];
+
+function runPolicyAdd(confirmAnswer) {
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-policy-add-"));
+  const scriptPath = path.join(tmpDir, "policy-add-check.js");
+  const script = String.raw`
+const registry = require(${REGISTRY_PATH});
+const policies = require(${POLICIES_PATH});
+const credentials = require(${CREDENTIALS_PATH});
+const calls = [];
+policies.selectFromList = async () => "pypi";
+credentials.prompt = async (message) => {
+  calls.push({ type: "prompt", message });
+  return ${JSON.stringify(confirmAnswer)};
+};
+registry.getSandbox = (name) => (name === "test-sandbox" ? { name } : null);
+registry.listSandboxes = () => ({ sandboxes: [{ name: "test-sandbox" }] });
+policies.listPresets = () => [
+  { name: "npm", description: "npm and Yarn registry access" },
+  { name: "pypi", description: "Python Package Index (PyPI) access" },
+];
+policies.getAppliedPresets = () => [];
+policies.applyPreset = (sandboxName, presetName) => {
+  calls.push({ type: "apply", sandboxName, presetName });
+};
+process.argv = ["node", "nemoclaw.js", "test-sandbox", "policy-add"];
+require(${CLI_PATH});
+setImmediate(() => {
+  process.stdout.write(JSON.stringify(calls));
+});
+`;
+
+  fs.writeFileSync(scriptPath, script);
+
+  return spawnSync(process.execPath, [scriptPath], {
+    cwd: REPO_ROOT,
+    encoding: "utf-8",
+    env: {
+      ...process.env,
+      HOME: tmpDir,
+    },
+  });
+}
+
+function runSelectFromList(input, { applied = [] } = {}) {
+  const script = String.raw`
+const { selectFromList } = require(${POLICIES_PATH});
+const items = JSON.parse(process.env.NEMOCLAW_TEST_ITEMS);
+const options = JSON.parse(process.env.NEMOCLAW_TEST_OPTIONS || "{}");
+
+selectFromList(items, options)
+  .then((value) => {
+    process.stdout.write(String(value) + "\n");
+  })
+  .catch((error) => {
+    const message = error && error.message ? error.message : String(error);
+    process.stderr.write(message);
+    process.exit(1);
+  });
+`;
+
+  return spawnSync(process.execPath, ["-e", script], {
+    cwd: REPO_ROOT,
+    encoding: "utf-8",
+    timeout: 5000,
+    input,
+    env: {
+      ...process.env,
+      NEMOCLAW_TEST_ITEMS: JSON.stringify(SELECT_FROM_LIST_ITEMS),
+      NEMOCLAW_TEST_OPTIONS: JSON.stringify({ applied }),
+    },
+  });
+}
+
 describe("policies", () => {
   describe("listPresets", () => {
     it("returns all 9 presets", () => {
@@ -502,4 +588,96 @@ describe("policies", () => {
       }
     });
   });
+
+  describe("selectFromList", () => {
+    it("returns preset name by number from stdin input", () => {
+      const result = runSelectFromList("1\n");
+
+      expect(result.status).toBe(0);
+      expect(result.stdout.trim()).toBe("npm");
+      expect(result.stderr).toContain("Choose preset [1]:");
+    });
+
+    it("uses the first preset as the default when input is empty", () => {
+      const result = runSelectFromList("\n");
+
+      expect(result.status).toBe(0);
+      expect(result.stderr).toContain("Choose preset [1]:");
+      expect(result.stdout.trim()).toBe("npm");
+    });
+
+    it("defaults to the first not-applied preset", () => {
+      const result = runSelectFromList("\n", { applied: ["npm"] });
+
+      expect(result.status).toBe(0);
+      expect(result.stderr).toContain("Choose preset [2]:");
+      expect(result.stdout.trim()).toBe("pypi");
+    });
+
+    it("rejects selecting an already-applied preset", () => {
+      const result = runSelectFromList("1\n", { applied: ["npm"] });
+
+      expect(result.status).toBe(0);
+      expect(result.stderr).toContain("Preset 'npm' is already applied.");
+      expect(result.stdout.trim()).toBe("null");
+    });
+
+    it("rejects out-of-range preset number", () => {
+      const result = runSelectFromList("99\n");
+
+      expect(result.status).toBe(0);
+      expect(result.stderr).toContain("Invalid preset number.");
+      expect(result.stdout.trim()).toBe("null");
+    });
+
+    it("rejects non-numeric preset input", () => {
+      const result = runSelectFromList("npm\n");
+
+      expect(result.status).toBe(0);
+      expect(result.stderr).toContain("Invalid preset number.");
+      expect(result.stdout.trim()).toBe("null");
+    });
+
+    it("prints numbered list with applied markers, legend, and default prompt", () => {
+      const result = runSelectFromList("2\n", { applied: ["npm"] });
+
+      expect(result.status).toBe(0);
+      expect(result.stderr).toMatch(/Available presets:/);
+      expect(result.stderr).toMatch(/1\) ● npm — npm and Yarn registry access/);
+      expect(result.stderr).toMatch(/2\) ○ pypi — Python Package Index \(PyPI\) access/);
+      expect(result.stderr).toMatch(/● applied, ○ not applied/);
+      expect(result.stderr).toMatch(/Choose preset \[2\]:/);
+      expect(result.stdout.trim()).toBe("pypi");
+    });
+  });
+
+  describe("policy-add confirmation", () => {
+    it("prompts for confirmation before applying a preset", () => {
+      const result = runPolicyAdd("y");
+
+      expect(result.status).toBe(0);
+      const calls = JSON.parse(result.stdout.trim());
+      expect(calls).toContainEqual({
+        type: "prompt",
+        message: "  Apply 'pypi' to sandbox 'test-sandbox'? [Y/n]: ",
+      });
+      expect(calls).toContainEqual({
+        type: "apply",
+        sandboxName: "test-sandbox",
+        presetName: "pypi",
+      });
+    });
+
+    it("skips applying the preset when confirmation is declined", () => {
+      const result = runPolicyAdd("n");
+
+      expect(result.status).toBe(0);
+      const calls = JSON.parse(result.stdout.trim());
+      expect(calls).toContainEqual({
+        type: "prompt",
+        message: "  Apply 'pypi' to sandbox 'test-sandbox'? [Y/n]: ",
+      });
+      expect(calls.some((call) => call.type === "apply")).toBeFalsy();
+    });
+  });
 });