fix(presets): add /usr/bin/node to communication preset binaries (#481) #1652

Closed
latenighthackathon wants to merge 3 commits into NVIDIA:main from latenighthackathon:fix/preset-binaries-debian-node

@latenighthackathon latenighthackathon commented Apr 9, 2026

Summary

  • Add /usr/bin/node alongside the existing /usr/local/bin/node in the binaries allowlist for the telegram, discord, and slack presets
  • Add a regression test asserting both paths are present in all three communication presets
  • Closes Can't connect discord or tg to neemoclaw #481

Problem

The telegram, discord, and slack presets only allowlist /usr/local/bin/node in the binaries field. OPA does exact-path matching on this list, so on sandbox base images that install Node.js to /usr/bin/node (Debian/Ubuntu apt default, instead of the manual install / nvm path), the L7 proxy silently 403s every outbound HTTPS request from the bot — even though the endpoint policies are correctly applied and showing in openshell policy get.

The user-visible symptom is the bot failing to talk to its API with CONNECT tunnel failed, response 403, while openshell policy get cheerfully reports the preset as applied. The disconnect is hard to diagnose because the binary allowlist is invisible to the user-facing policy view. Multiple users in #481 confirmed this across WSL2 Ubuntu, DGX Spark ARM, Pop!_OS x86_64, and Ubuntu Server.

This PR augments #1084 with the maintainer review feedback applied: just /usr/bin/node, no curl/bash additions, no package-lock.json churn.

Test plan

  • New regression test in test/policies.test.js asserts both /usr/local/bin/node and /usr/bin/node are present in the binaries section of all three communication presets
  • All 60 policies tests pass (npx vitest run test/policies.test.js) — including the existing extractPresetEntries "works on every real preset file" test that catches preset YAML structural breakage
  • Prettier clean
  • Signed commit + DCO sign-off

Closes #481

Signed-off-by: latenighthackathon [email protected]

Summary by CodeRabbit

  • Configuration Updates

    • Expanded presets to allow additional Node.js runtime locations across Discord, Slack, Telegram, Jira, Outlook and Huggingface; Huggingface also accepts an additional Python runtime location.
  • Tests

    • Added tests to verify presets include both common Node.js and Python runtime locations.
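
The exact-path failure described in this PR, as an added example (not code from the PR or the repository): it models the allowlist check as plain string equality and lints a preset for an interpreter listed under only one of `/usr/local/bin` and `/usr/bin`. The YAML layout, the function names and the sample are constructed assumptions; only the `{ path: ... }` entry shape comes from the discussion.

```javascript
// Constructed sample: hypothetical preset layout; only the `{ path: ... }`
// entry shape is taken from the PR discussion.
const SAMPLE_PRESET = `
network_policies:
  telegram:
    binaries:
      - { path: /usr/local/bin/node }
`;

// Collect every `path:` value from list entries. Line-based parsing keeps the
// example dependency-free; it is not a general YAML parser.
function extractBinaryPaths(yamlText) {
  const paths = [];
  for (const line of yamlText.split("\n")) {
    const m = line.match(/^\s*-\s*\{?\s*path:\s*["']?([^\s"'}#]+)/);
    if (m) paths.push(m[1]);
  }
  return paths;
}

// Model of exact-path matching: string equality only, so the same program
// installed at a different location does not match (assumed model, not OPA code).
function isBinaryAllowed(allowlist, exePath) {
  return allowlist.includes(exePath);
}

// For each listed interpreter, report the other common install location
// (/usr/local/bin vs /usr/bin) when it is absent from the allowlist.
function missingSiblingPaths(allowlist) {
  const missing = [];
  for (const p of allowlist) {
    const m = p.match(/^\/usr(\/local)?\/bin\/(node|python3)$/);
    if (!m) continue; // other binaries (curl, bash, ...) are deliberately not widened
    const sibling = m[1] ? `/usr/bin/${m[2]}` : `/usr/local/bin/${m[2]}`;
    if (!allowlist.includes(sibling) && !missing.includes(sibling)) {
      missing.push(sibling);
    }
  }
  return missing;
}

const listedBefore = extractBinaryPaths(SAMPLE_PRESET);
const listedAfter = [...listedBefore, "/usr/bin/node"];
console.log("apt-installed node allowed before:", isBinaryAllowed(listedBefore, "/usr/bin/node"));
console.log("lint findings before:", missingSiblingPaths(listedBefore));
console.log("lint findings after:", missingSiblingPaths(listedAfter));
```
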

…DIA#481)

The telegram, discord, and slack presets only allowlist /usr/local/bin/node
in the binaries field. OPA does exact-path matching, so on sandbox base
images that install Node.js to /usr/bin/node (Debian/Ubuntu apt default
instead of the manual / nvm path), the L7 proxy silently 403s every
outbound HTTPS request from the bot — even though the endpoint policies
are correctly applied and showing in 'openshell policy get'.

Multiple users in NVIDIA#481 confirmed this on:
- WSL2 Ubuntu (Bilguunzayaa, dknos)
- DGX Spark ARM/Grace Blackwell (eddie-schick)
- Pop!_OS x86_64 (cortexj)
- Ubuntu Server 25.10 (b1skit)

The original fix attempt NVIDIA#1084 by @cortexj was correct in spirit but
also added /usr/bin/curl and /usr/bin/bash without a clear need, plus
an unrelated package-lock.json rewrite. Maintainer (kjw3) asked for a
narrowed re-spin in a 2026-04-01 review and the PR has been stalled
since. This change implements exactly the narrow fix kjw3 directionally
approved: just /usr/bin/node, no curl/bash, no lockfile churn.

Adds a regression test asserting both /usr/local/bin/node and
/usr/bin/node are present in all three communication presets.

Closes NVIDIA#481

Signed-off-by: latenighthackathon <[email protected]>

coderabbitai bot commented Apr 9, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between cdf46fc and 65ee7a3.

📒 Files selected for processing (5)
  • nemoclaw-blueprint/policies/presets/discord.yaml
  • nemoclaw-blueprint/policies/presets/huggingface.yaml
  • nemoclaw-blueprint/policies/presets/jira.yaml
  • nemoclaw-blueprint/policies/presets/outlook.yaml
  • test/policies.test.js
✅ Files skipped from review due to trivial changes (3)
  • nemoclaw-blueprint/policies/presets/jira.yaml
  • test/policies.test.js
  • nemoclaw-blueprint/policies/presets/huggingface.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • nemoclaw-blueprint/policies/presets/discord.yaml

Walkthrough

Added additional exact-path binary allowlist entries (/usr/bin/node and /usr/bin/python3 where applicable) across multiple network policy presets and updated tests to assert presence of both common installation paths for Node and Python in relevant presets.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Communication presets (Node allowlist): nemoclaw-blueprint/policies/presets/discord.yaml, nemoclaw-blueprint/policies/presets/slack.yaml, nemoclaw-blueprint/policies/presets/telegram.yaml, nemoclaw-blueprint/policies/presets/jira.yaml, nemoclaw-blueprint/policies/presets/outlook.yaml | Added { path: /usr/bin/node } alongside existing { path: /usr/local/bin/node } in each preset's network policy binaries allowlist; Slack includes explanatory comments about differing install locations and exact-path matching. |
| Huggingface preset (Node & Python allowlist): nemoclaw-blueprint/policies/presets/huggingface.yaml | Added { path: /usr/bin/python3 } and { path: /usr/bin/node } alongside existing /usr/local/bin/... entries in the binaries allowlist (with inline comments). |
| Tests: test/policies.test.js | Added tests that load presets and assert presence of both /usr/local/bin/node and /usr/bin/node for node-gating presets, and that huggingface contains both /usr/local/bin/python3 and /usr/bin/python3. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nibble docs and hop along,
Two paths for Node make policy strong.
Python too joins the merry crew,
No more surprises — paths are two! 🥕✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding /usr/bin/node to communication preset binaries across multiple presets to fix the Debian/Ubuntu Node.js installation path issue. |
| Linked Issues check | ✅ Passed | The PR successfully addresses issue #481's requirement by adding /usr/bin/node binary allowlist entries to all affected communication presets (telegram, discord, slack, outlook, jira) and huggingface, plus adding regression tests validating both node paths are present. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to fixing the binary allowlist paths in presets and adding corresponding regression tests; no unrelated modifications were introduced beyond the PR objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@cv cv left a comment

LGTM — security review PASS.

  • Same binary (Node.js), alternate installation path — no new attack surface
  • Pattern already established in brave.yaml
  • Only communication presets modified (discord, slack, telegram)
  • Regression test included

Note: outlook.yaml, jira.yaml, huggingface.yaml likely need the same fix in a follow-up.

…VIDIA#481)

cv flagged in review of the original communication-preset fix that
outlook, jira, and huggingface presets have the same /usr/bin/node
gap. Apply the same narrow fix to those three presets.

The huggingface preset additionally gates on python3 for the inference
SDK and has the same Debian/Ubuntu vs manual-install path split, so
add /usr/bin/python3 alongside /usr/local/bin/python3 there too.

Extends the existing regression test to cover all six node-gated
presets (telegram, discord, slack, outlook, jira, huggingface) and
adds a separate assertion for huggingface python3 paths.

Signed-off-by: latenighthackathon <[email protected]>
@latenighthackathon

@cv Thanks for the security review and the follow-up flag — pushed a second commit applying the same fix to outlook, jira, and huggingface. The huggingface preset also gates on python3 so I added /usr/bin/python3 alongside /usr/local/bin/python3 for the same Debian/Ubuntu split. Test extended to cover all six node-gated presets plus the huggingface python3 paths. Cheers!

@latenighthackathon

Closing in favor of #1653 — that PR includes the same /usr/bin/node change for the communication presets plus broader work on messaging policy suggestions, troubleshooting docs, and a Discord gateway probe test. Cheers!

@latenighthackathon latenighthackathon deleted the fix/preset-binaries-debian-node branch April 9, 2026 02:14