
Documentation Claims GitHub API Method Restrictions That Don't Exist in Policy YAML - IssueFinder - SN 17 #1441

@dinuduke

Description


The documentation at docs/reference/network-policies.md (lines 56-60) lists github_rest_api as a separate policy with api.github.com:443 restricted to specific HTTP methods and binary /usr/bin/gh. However, the actual YAML at openclaw-sandbox.yaml (lines 87-94) combines api.github.com under the github policy with access: full (no method restrictions) and allows both gh and git binaries. This creates a false sense of security — users believe method restrictions exist when they don't.

Impact

Operators make security decisions based on inaccurate documentation. The actual policy is significantly more permissive than documented.

Steps to Reproduce

  1. Read docs/reference/network-policies.md — note the github_rest_api entry with method restrictions
  2. Read nemoclaw-blueprint/policies/openclaw-sandbox.yaml — note api.github.com has access: full
  3. Observe the inconsistency

Notes

This also extends to Discord (missing from baseline docs table), Telegram (binary restriction mismatch), and Discord preset (described as "webhook API" when it's the full REST API + WebSocket + CDN).

Affected Page

  • File(s): docs/reference/network-policies.md, nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  • Service(s): Network policy documentation

Issue Type

Unclear or confusing

Suggested Fix

File: docs/network-policy/customize-network-policy.md — append after the "Edit the Policy File" subsection (after line ~52):

### Access Modes

Each endpoint supports two access modes that control how OpenShell inspects traffic:

| Field | Value | Behavior |
|-------|-------|----------|
| `protocol` | `rest` | OpenShell terminates TLS and inspects HTTP method/path against `rules`. Only matching requests are forwarded. |
| `access` | `full` | OpenShell creates a raw CONNECT tunnel. No HTTP inspection — all traffic to the host:port is allowed. Use only when protocol-level inspection is not possible (e.g., `git` SSH-over-HTTPS, WebSocket upgrades). |

#### Enforcement and TLS Fields

```yaml
endpoints:
  - host: api.example.com
    port: 443
    protocol: rest        # Enable HTTP inspection
    enforcement: enforce  # Block non-matching requests (vs "audit" = log only)
    tls: terminate        # OpenShell terminates TLS to inspect HTTP layer
    rules:
      - allow: { method: GET, path: "/v1/**" }
      - allow: { method: POST, path: "/v1/chat/completions" }
```

Security note: `access: full` bypasses all HTTP-layer rules.
The github policy uses `access: full` because git requires CONNECT tunneling.
This means method/path restrictions cannot be enforced on api.github.com;
the agent has full API access. See SEC-HIGH-003 for hardening options.


**Also update** `docs/reference/network-policies.md` lines 56-60:
- Remove the `github_rest_api` entry that claims method restrictions
- Replace with accurate `github` entry showing `access: full` (no method filtering)
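
One way to catch this kind of drift automatically, as an added example that is not part of the original issue or the project's code: a check that compares what the docs claim per endpoint with what the policy can actually enforce. The dictionary layout, the `DOCS` model, `/usr/bin/git` and the function names are assumptions; an endpoint without `enforcement: enforce` is conservatively treated as unenforced.

```python
# Constructed sample data. Field names (access, protocol, enforcement, rules,
# binaries) follow the snippets quoted in the issue; the layout around them
# and /usr/bin/git are assumptions, not the project's real policy file.
POLICY = {
    "github": {
        "binaries": ["/usr/bin/gh", "/usr/bin/git"],
        "endpoints": [{"host": "api.github.com", "port": 443, "access": "full"}],
    },
    "example_api": {
        "endpoints": [{
            "host": "api.example.com", "port": 443, "protocol": "rest",
            "enforcement": "enforce", "tls": "terminate",
            "rules": [{"allow": {"method": "GET", "path": "/v1/**"}}],
        }],
    },
}
# Constructed model of what a docs table claims for each host:port.
DOCS = {
    "api.github.com:443": {"policy": "github_rest_api", "methods": True,
                           "binaries": ["/usr/bin/gh"]},
    "api.example.com:443": {"policy": "example_api", "methods": True},
}

def methods_enforced(ep):
    """True only if method/path rules are applied and blocking ("audit" only logs)."""
    if ep.get("access") == "full":  # raw CONNECT tunnel: rules never consulted
        return False
    return (ep.get("protocol") == "rest" and ep.get("enforcement") == "enforce"
            and bool(ep.get("rules")))

def doc_drift(policy, docs):
    """Return (host:port, finding) pairs where docs and policy disagree."""
    findings = []
    for name, body in policy.items():
        for ep in body.get("endpoints", []):
            key = f"{ep['host']}:{ep['port']}"
            claim = docs.get(key)
            if claim is None:
                findings.append((key, "endpoint missing from docs"))
                continue
            if claim["policy"] != name:
                findings.append((key, f"documented as {claim['policy']}, defined in {name}"))
            if claim["methods"] and not methods_enforced(ep):
                findings.append((key, "docs claim method restrictions, none enforced"))
            extra = sorted(set(body.get("binaries", [])) - set(claim.get("binaries", [])))
            if extra:
                findings.append((key, "undocumented binaries: " + ", ".join(extra)))
    return findings

if __name__ == "__main__":
    for key, msg in doc_drift(POLICY, DOCS):
        print(f"{key}: {msg}")
```

Run in CI against the real policy and docs table, a non-empty result would fail the build before a mismatch like the one reported here reaches operators.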


Labels: documentation, status: triage
