feat(policy): add missing Copilot API endpoints to base sandbox policy

OpenClaw Agent · OpenClaw Agent · commit 0156ab9fd3ce · 2026-04-01T16:28:14.000Z
The existing copilot policy was missing endpoints needed for Copilot CLI
to function inside OpenShell sandboxes. This adds:

- api.individual/business.githubcopilot.com (subscription-tier routing)
- origin-tracker.githubusercontent.com (tracking)
- telemetry.enterprise.githubcopilot.com (telemetry)
- L7 inspection config (protocol: rest, tls: terminate) on API endpoints
  for proxy-based credential injection support
- Additional binary paths (/usr/bin/node, /usr/bin/copilot, node_modules)

Also adds copilot/node binary paths to github_rest_api and
github_ssh_over_https policies so Copilot can access GitHub API and git.

Tested end-to-end in a live OpenShell sandbox with proxy-based
credential injection. All auth formats verified working.
diff --git a/sandboxes/base/policy.yaml b/sandboxes/base/policy.yaml
@@ -71,6 +71,10 @@ network_policies:
           #    path: "/**/git-receive-pack"
     binaries:
       - { path: /usr/bin/git }
+      - { path: /usr/bin/node }
+      - { path: /usr/bin/copilot }
+      - { path: "/usr/lib/node_modules/**" }
+      - { path: "/usr/lib/git-core/**" }
 
   nvidia_inference:
     name: nvidia-inference
@@ -94,6 +98,35 @@ network_policies:
     binaries:
       - { path: /usr/local/bin/claude }
       - { path: /usr/bin/gh }
+      - { path: /usr/bin/node }
+      - { path: /usr/bin/copilot }
+      - { path: "/usr/lib/node_modules/**" }
+
+  # --- GitHub Copilot API ---
+  # Endpoints from https://docs.github.com/en/copilot/reference/copilot-allowlist-reference
+  copilot:
+    name: copilot
+    endpoints:
+      # Auth and user management
+      - { host: github.com, port: 443 }
+      - { host: api.github.com, port: 443 }
+      # Copilot API (subscription-tier routing)
+      - { host: api.githubcopilot.com, port: 443, protocol: rest, enforcement: enforce, access: read-write }
+      - { host: api.individual.githubcopilot.com, port: 443, protocol: rest, enforcement: enforce, access: read-write }
+      - { host: api.business.githubcopilot.com, port: 443, protocol: rest, enforcement: enforce, access: read-write }
+      - { host: api.enterprise.githubcopilot.com, port: 443, protocol: rest, enforcement: enforce, access: read-write }
+      # Model proxy
+      - { host: copilot-proxy.githubusercontent.com, port: 443, protocol: rest, enforcement: enforce, access: read-write }
+      # Telemetry, feature flags, updates
+      - { host: origin-tracker.githubusercontent.com, port: 443 }
+      - { host: telemetry.enterprise.githubcopilot.com, port: 443 }
+      - { host: default.exp-tas.com, port: 443 }
+      - { host: release-assets.githubusercontent.com, port: 443 }
+    binaries:
+      - { path: /usr/bin/node }
+      - { path: /usr/bin/copilot }
+      - { path: "/usr/lib/node_modules/@github/copilot/node_modules/@github/**/copilot" }
+      - { path: "/usr/lib/node_modules/**" }
 
   pypi:
     name: pypi
@@ -160,19 +193,6 @@ network_policies:
     - path: /usr/bin/node
     - path: /usr/local/bin/opencode
 
-  copilot:
-    name: copilot
-    endpoints:
-    - { host: github.com, port: 443 }
-    - { host: api.github.com, port: 443 }
-    - { host: api.githubcopilot.com, port: 443 }
-    - { host: api.enterprise.githubcopilot.com, port: 443 }
-    - { host: release-assets.githubusercontent.com, port: 443 }
-    - { host: copilot-proxy.githubusercontent.com, port: 443 }
-    - { host: default.exp-tas.com, port: 443 }
-    binaries:
-    - { path: /usr/lib/node_modules/@github/copilot/node_modules/@github/**/copilot }
-
   codex:
     name: codex
     endpoints:
