GitHub network policy should use protocol: rest to enable scoped method/path controls #1111

@zredlined

Summary

The GitHub network policy in openclaw-sandbox.yaml uses access: full without protocol: rest, which means operators cannot scope what GitHub operations the agent is allowed to perform. An agent with this policy can delete repositories, force-push to branches, create deployments, modify org settings — anything the GitHub token permits — with no policy-level restriction.

github:
  name: github
  endpoints:
    - host: github.com
      port: 443
      access: full
    - host: api.github.com
      port: 443
      access: full
  binaries:
    - { path: /usr/bin/gh }
    - { path: /usr/bin/git }

Why this matters

GitHub is probably the most sensitive egress path for a coding agent. With protocol: rest and enforcement: enforce, operators can write L7 rules that express least-privilege access — for example:

  • Allow reading repos and issues, but not deleting them
  • Allow creating PRs, but not modifying org membership
  • Allow git fetch/clone, but block git push
  • Allow GET broadly, restrict POST/PUT/DELETE/PATCH to specific path patterns

Without protocol: rest, none of these controls are possible. The access: full shorthand expands to wildcard method/path rules, but those rules are only evaluated when OpenShell's L7 inspection is active. Without L7, the connection is allowed at the TCP level and all HTTP traffic flows through without per-request evaluation. The rules are effectively decoration.

This also means:

  • No per-request logging — you can see that a connection to api.github.com:443 was established, but not which API endpoints were called or what methods were used
  • No credential injection — if GitHub tokens are ever managed through the OpenShell provider system (as recommended for other credentials), the SecretResolver only rewrites headers during L7 relay

Every other external service in the policy — NVIDIA inference, Anthropic, Telegram, Discord, OpenClaw, ClawHub — already uses protocol: rest with enforcement: enforce. GitHub is the service where scoped controls matter most and is the one where they're missing.

Suggested fix

Add protocol: rest and enforcement: enforce and split into scoped policy groups:

github_api:
  name: github_api
  endpoints:
    - host: api.github.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: GET, path: "/**" }
        - allow: { method: POST, path: "/**" }
        - allow: { method: PATCH, path: "/**" }
  binaries:
    - { path: /usr/bin/gh }

github_git:
  name: github_git
  endpoints:
    - host: github.com
      port: 443
      protocol: rest
      enforcement: enforce
      rules:
        - allow: { method: GET, path: "/**" }
        - allow: { method: POST, path: "/**/git-upload-pack" }
        - allow: { method: POST, path: "/**/git-receive-pack" }
  binaries:
    - { path: /usr/bin/git }

This is a starting point — operators can then tighten further (e.g., remove DELETE from github_api, or remove git-receive-pack to block pushes). The important thing is that protocol: rest is present so L7 inspection is active and these controls are enforceable at all.

The npm_registry entry has the same gap and should also move to protocol: rest — npm only needs GET for package resolution.
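
An added illustration of the proposed rule sets (not part of the original issue and not OpenShell's code): a default-deny method/path evaluator run over constructed sample requests. The glob semantics (`**` spans path segments, `*` stays within one), the `octo/demo` repository and the `GITHUB_GIT_NO_PUSH` variant are assumptions made for this example.

```python
import re

def glob_to_regex(pattern):
    # Assumed semantics: '**' spans any number of segments, '*' stays inside one.
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def allowed(rules, method, path):
    # Default deny: a request passes only if an allow rule matches method and path.
    path = path.split("?", 1)[0]  # match on the path, not the query string
    return any(m == method.upper() and glob_to_regex(p).fullmatch(path)
               for m, p in rules)

# Rule sets copied from the suggested fix in the issue.
GITHUB_API = [("GET", "/**"), ("POST", "/**"), ("PATCH", "/**")]
GITHUB_GIT = [
    ("GET", "/**"),
    ("POST", "/**/git-upload-pack"),
    ("POST", "/**/git-receive-pack"),
]
# Hypothetical tightened variant: drop git-receive-pack to block pushes.
GITHUB_GIT_NO_PUSH = [r for r in GITHUB_GIT if not r[1].endswith("git-receive-pack")]

# Constructed sample requests (git smart-HTTP and GitHub REST paths).
SAMPLES = [
    (GITHUB_API, "GET", "/repos/octo/demo/issues"),
    (GITHUB_API, "DELETE", "/repos/octo/demo"),
    (GITHUB_API, "PUT", "/orgs/octo/memberships/someone"),
    (GITHUB_GIT, "POST", "/octo/demo.git/git-upload-pack"),
    (GITHUB_GIT, "POST", "/octo/demo.git/git-receive-pack"),
    (GITHUB_GIT_NO_PUSH, "GET", "/octo/demo.git/info/refs?service=git-receive-pack"),
    (GITHUB_GIT_NO_PUSH, "POST", "/octo/demo.git/git-receive-pack"),
]

def evaluate(samples):
    return [(method, path, allowed(rules, method, path))
            for rules, method, path in samples]

if __name__ == "__main__":
    for method, path, ok in evaluate(SAMPLES):
        print(f"{'ALLOW' if ok else 'DENY ':5} {method:6} {path}")
```

Under the tightened variant the ref advertisement (`GET .../info/refs`) still passes because of the broad GET rule, but the `POST .../git-receive-pack` that carries the pushed objects is denied, so the push fails.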
