Description
[Description]
After nemoclaw <name> rebuild --yes, the sandbox is recreated with workspace data restored,
but previously applied network policy presets (specifically telegram) are NOT restored.
The Telegram bridge process starts inside the sandbox (because the messaging channel config
is baked into the image), but it cannot reach api.telegram.org because the telegram network
policy is missing. The gateway proxy returns 403 Forbidden for all requests to
api.telegram.org. The bridge silently hangs at "starting provider" with no error visible
to the user.
[Environment]
Device: Ubuntu (Brev cloud instance, massedcompute A100)
Node.js: v22.22.2
npm: 10.9.7
Docker: Docker version 28.0.4, build b8034c0
OpenShell CLI: 0.0.26
NemoClaw: v0.0.16
OpenClaw: 2026.4.2 (d74a122)
[Steps to Reproduce]
- nemoclaw onboard (create sandbox "test222" with Cloud API + Telegram)
- nemoclaw test222 policy-add → select telegram → confirm
- Verify: nemoclaw test222 policy-list shows ● telegram
- Verify: Telegram bot responds to messages
- nemoclaw test222 rebuild --yes
- nemoclaw test222 policy-list
[Expected Result]
After rebuild:
- policy-list shows ● telegram (preset restored)
- Telegram bridge can reach api.telegram.org
- Bot responds to messages
[Actual Result]
After rebuild:
- policy-list shows ○ telegram (NOT applied)
- From inside sandbox: node request to https://api.telegram.org returns 403 Forbidden
- /tmp/gateway.log shows only:
  [telegram] [default] starting provider (@testnemoclaw001_bot)
  and then nothing — no getMe, no getUpdates, no error message
- nemoclaw status does not indicate any problem
- User must manually re-apply:
  nemoclaw test222 policy-add → telegram
[Root Cause Analysis]
- The rebuild flow (in src/lib/rebuild.ts or nemoclaw.ts) performs:
backup → destroy → onboard (recreate) → restore
- The restore step recovers workspace state from the backup directory
(agents/, extensions/, workspace/, skills/, etc.)
- Policy presets are NOT part of the backup/restore flow. Presets are
stored in the gateway's policy engine, not in the sandbox filesystem.
When the sandbox is destroyed and recreated, the policy reverts to
the base policy from nemoclaw-blueprint/policies/openclaw-sandbox.yaml.
- Since v0.0.11, messaging endpoints (telegram, slack, discord) are NOT
in the default policy — they require explicit policy-add.
- The rebuild restore manifest includes: agents, extensions, workspace,
skills, hooks, identity, devices, canvas, cron, memory, telegram,
credentials — but "telegram" here is the telegram bridge config data,
NOT the network policy preset.
Suggested fix:
- During backup, also record the list of applied policy presets
(e.g. from nemoclaw <name> policy-list output or the policy version).
- During restore, after sandbox recreation, automatically re-apply
the backed-up presets via the policy engine.
- Alternatively, at minimum, print a warning after rebuild:
"NOTE: Policy presets were not restored. Previously applied presets:
telegram, npm, pypi. Run nemoclaw <name> policy-add to re-apply."
Bug Details
| Field | Value |
| --- | --- |
| Priority | Unprioritized |
| Action | Dev - Open - To fix |
| Disposition | Open issue |
| Module | Machine Learning - NemoClaw |
| Keyword | NemoClaw, NEMOCLAW_GH_SYNC_APPROVAL, NemoClaw_Inference, NemoClaw-SWQA-RelBlckr-Recommended |
[NVB# 6084077]
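The preset-drift check behind the suggested warning, sketched as an added example; it is not code from the NemoClaw repository. It assumes policy-list prints one preset per line with ● for applied and ○ for not applied (only those two markers appear in the report), and every function name and the sample output are hypothetical.

```typescript
// Added example: detect network-policy presets lost across a rebuild.
// Assumption: `policy-list` prints one preset per line, "●" = applied,
// "○" = not applied. The exact layout beyond the markers is constructed.

type PresetState = { name: string; applied: boolean };

function parsePolicyList(output: string): PresetState[] {
  const states: PresetState[] = [];
  for (const raw of output.split(/\r?\n/)) {
    // Marker, whitespace, preset name; headers and blank lines are skipped.
    const m = /^\s*([●○])\s+([A-Za-z0-9_.-]+)/.exec(raw);
    const mark = m?.[1];
    const name = m?.[2];
    if (mark && name) states.push({ name, applied: mark === "●" });
  }
  return states;
}

function appliedPresets(output: string): string[] {
  return parsePolicyList(output)
    .filter((p) => p.applied)
    .map((p) => p.name)
    .sort();
}

// Presets applied before the rebuild that are no longer applied afterwards.
function lostPresets(before: string, after: string): string[] {
  const still = new Set(appliedPresets(after));
  return appliedPresets(before).filter((name) => !still.has(name));
}

// Warning text follows the wording proposed in the report; null means no drift.
function rebuildWarning(sandbox: string, lost: string[]): string | null {
  if (lost.length === 0) return null;
  return (
    "NOTE: Policy presets were not restored. Previously applied presets: " +
    `${lost.join(", ")}. Run nemoclaw ${sandbox} policy-add to re-apply.`
  );
}

// Constructed sample output, captured before and after `rebuild --yes`.
const BEFORE = ["  ● telegram", "  ○ slack", "  ● npm", "  ● pypi"].join("\n");
const AFTER = ["  ○ telegram", "  ○ slack", "  ● npm", "  ○ pypi"].join("\n");

const warning = rebuildWarning("test222", lostPresets(BEFORE, AFTER));
```

Comparing the two snapshots only reports the drift; re-applying a preset widens the sandbox's egress again, so that step stays an explicit policy-add.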