NemoClaw

The Governance-Focused Harness · Deep-Dive DD-09 · Course 1

45 minutes · NVIDIA's hardened OpenClaw fork · NeMo Guardrails · OpenShell sandboxes

Policy enforced OUTSIDE the agent's reach. The governance reference. The anti-Tau. Every Course 2 attack question starts here: does this harness enforce governance outside the agent's reach?

Deep-Dives · The Harness Roster

The principle — governance outside the reach

Module 0.2: if the agent can reach the enforcement layer, a compromised agent can disable it.
NAIVE: policy INSIDE the agent

A policy tool the model calls (can be not-called). A system-prompt instruction (can be ignored). The guard is inside the trust boundary of the thing it guards.

NEMOCLAW: policy OUTSIDE the agent

NeMo Guardrails in the call path between agent and world. The agent has no API to disable, configure, or influence it. Enforcement by construction, not persuasion.

The three layers — each outside the previous one's reach

LAYER 1
OpenClaw core

The agent: loop, 40+ channels, memory. DD-07's harness, largely intact. Reasons, proposes, calls tools.

LAYER 2
NeMo Guardrails

Governance: every call passes through. Input/output/action classifiers + policy rules. Agent cannot reach this layer.

LAYER 3
OpenShell sandbox

Execution: agent never touches it directly. Goes through governed API. Blast radius = sandbox, not host.

The nesting is the property. Each layer is outside the previous one's trust boundary. The agent cannot reach the guardrails; the guardrails cannot be bypassed to reach the sandbox.

The three rails — how the guardrails bracket the agent

RailWhen it runsWhat it catchesCourse 2 mapping
Input railBefore the model is calledTags channel content untrusted; scans for injectionASI01 fix (cross-channel injection)
Dialog railAfter the model respondsChecks output against policy before actionCatches hijacked output regardless of how
Action railBefore the tool executesValidates tool calls against capability policyModule 6 realized externally
All three rails run outside the agent's trust boundary. The agent cannot disable an input rail by injection (it runs before the model). It cannot bypass an action rail by reasoning (it runs after the proposal). The guardrails bracket the agent.

The anti-Tau contrast — load-bearing for Course 2B

NEMOCLAW (DD-09) — all the controls

Input rail + dialog rail + action rail + OpenShell sandbox. Enforcement OUTSIDE the agent's reach. The governance reference. 39/60 (+4 over OpenClaw).

TAU (DD-21) — zero defenses

No rails, no sandbox, no enforcement. All input full trust; output acted on directly; actions execute unvalidated. The attack lab target.

Governance is NOT a feature you add to an agent. It is an architectural property of WHERE the enforcement layer sits relative to the agent. NemoClaw puts it outside; Tau does not have one. Every other harness sits between these two poles. Every Course 2B attack is scored against this question.

The score — 39/60 (+4 vs OpenClaw)

ModuleScorevs OpenClaw
6 Permission5/5+3 — external guardrails (highest in roster)
5 Sandbox4/5+2 — OpenShell (agent-governed access)
1 Loop4/5= (OpenClaw core unchanged)
2 Tools4/5=
12 Prompt4/5=
3, 4, 7-113/5 avg=
TOTAL39/60+4
The +4 comes almost entirely from the governance layer. NemoClaw does NOT improve the agent — it improves the boundary around the agent. The agent is OpenClaw's agent; the boundary is new.

The costs — the tax of governance done right

Latency. Every call passes through three external checks (input, dialog, action). You cannot make policy free without making it optional, and optional policy is not policy.
Policy maintenance burden. Every new channel or tool requires a new policy rule. A policy gap is a vulnerability gap — a new channel without an input-rail rule inherits OpenClaw's cross-channel injection vulnerability.
Inherited legibility. NemoClaw inherits OpenClaw's large codebase. The governance layer is legible; the core is not.
These are the inherent tax of external enforcement, not avoidable overhead. Accept them as the cost of governance done right.

Anti-patterns

Putting the policy check inside the agent. A policy tool the model calls, or a system-prompt instruction, is inside the trust boundary. Cure: enforce policy in the call path, in a layer the agent has no API to reach.
Treating governance latency as overhead to optimize away. The latency is the cost of external enforcement. Cure: accept it, or use a faster governance layer — do not remove the layer.
Assuming a policy rule covers a new channel. Every new channel needs a new input-rail rule. Cure: treat policy maintenance as a first-class operational responsibility; gate new registrations on policy review.

What you can now do

  1. State NemoClaw's defining principle — governance beneath the agent, outside its reach — and why it is the load-bearing security property of the course.
  2. Distinguish the three layers (core, guardrails, sandbox) and why each must be outside the previous one's trust boundary.
  3. Score NemoClaw 39/60 and explain why the +4 comes from the boundary, not the agent.
  4. Construct the NemoClaw-vs-Tau contrast and explain why the pairing is load-bearing for Course 2B.
  5. Articulate the costs of external governance and why they are the inherent tax, not avoidable overhead.
The lab: simulate a NemoClaw governance gate, observe which actions are allowed vs denied, then remove the gate (the Tau configuration) and confirm every attack succeeds — the empirical anchor for the anti-Tau contrast.

Next: DD-10 — LangGraph: The graph-based agent framework