DD-09 — NemoClaw: The Governance-Focused Harness

NemoClaw: The Governance-Focused Harness

NVIDIA's hardened OpenClaw fork. NeMo Guardrails. OpenShell sandboxes. Policy enforced OUTSIDE the agent's reach. The governance reference. The anti-Tau.

45
minutes
9
artifacts
39/60
rubric score
NemoClaw is the production proof that governance belongs beneath the agent, not inside it. Its entire contribution over OpenClaw is a governance layer the agent cannot reach: NeMo Guardrails evaluate every call externally; OpenShell sandboxes the agent never touches directly. The +4 over OpenClaw comes entirely from the boundary, not the agent. This is the harness every Course 2B attack is scored against — and the anti-Tau: where NemoClaw has all the controls, Tau has none.
Key Claims
Load-Bearing Claims

NemoClaw's defining principle is governance-beneath-the-agent. The enforcement layer sits in the call path between agent and world, OUTSIDE the agent's trust boundary. The agent has no API to disable, configure, or influence the guardrails. This is Module 0.2's principle realized in production: if the agent can reach the enforcement layer, a compromised agent can disable it.

NemoClaw does not improve the agent — it improves the boundary around the agent. The agent IS OpenClaw's agent (DD-07). The entire +4 over OpenClaw's 35 comes from the governance layer: +3 Module 6 (external guardrails — the highest permission score in the roster at 5/5) and +2 Module 5 (OpenShell sandboxing). Every other module is unchanged. Security is a property of the boundary, not the agent.

The NemoClaw-vs-Tau pairing is load-bearing for Course 2B. NemoClaw is the harness with all the controls (input rail, dialog rail, action rail, sandbox); Tau (DD-21) is the harness with zero defenses. Every Course 2B attack asks "does this harness enforce governance outside the agent's reach?" — NemoClaw is the yes, Tau is the no, most harnesses are a partial yes with a gap the attack exploits. The pairing defines the governance axis.

NemoClaw's pattern is the reference fix for Hermes's memory-write poisoning surface. Harness-managed writes (model proposes, harness validates) are the same principle — governance outside the agent's reach — applied to the memory write path. The write gate is the input rail for persistent storage. NemoClaw provides the template; Hermes omits the gate.

The Anti-Tau Contrast
NemoClaw (DD-09) — governed
  • Input rail — channel content tagged untrusted before model
  • Dialog rail — output checked against policy before action
  • Action rail — tool calls validated against capability policy
  • OpenShell sandbox — agent never touches execution directly
  • Enforcement outside the agent's reach (in the call path)
  • Score: 39/60 (+4 over OpenClaw)
Tau (DD-21) — ungoverned
  • No input rail — all input enters context with full trust
  • No dialog rail — model output acted upon directly
  • No action rail — agent actions execute unvalidated
  • No sandbox — agent executes on the host
  • No enforcement layer exists anywhere
  • Score: near-zero effective security
After This Module
01
State NemoClaw's defining principle — governance lives beneath the agent, outside its reach — and explain why this is the load-bearing security property of the entire course.
02
Distinguish the three layers (OpenClaw core, NeMo Guardrails, OpenShell) and explain why each must be outside the previous one's trust boundary for the governance pattern to hold.
03
Score NemoClaw 39/60 and explain why the +4 over OpenClaw comes almost entirely from the governance layer (+3 Module 6, +2 Module 5), not from any improvement to the agent itself.
04
Construct the NemoClaw-vs-Tau contrast and explain why this pairing is load-bearing for Course 2B — every attack module is scored against the question "does this harness enforce governance outside the agent's reach?"
05
Articulate the costs of external governance (latency, policy maintenance, inherited codebase legibility) and why they are the inherent tax of doing governance right rather than an avoidable overhead.
Artifacts