Module DD-09 — NemoClaw: The Governance-Focused Harness

NemoClaw: The Governance-Focused Harness

NVIDIA's hardened OpenClaw fork. NeMo Guardrails. OpenShell sandboxes. Policy enforced OUTSIDE the agent's reach. The governance reference. The anti-Tau. 39/60 (+4 over OpenClaw) — the +4 comes entirely from the boundary, not the agent.

45
minutes
8
artifacts
3
sub-sections
NemoClaw is the production proof that governance belongs beneath the agent, not inside it. Its entire contribution over OpenClaw (DD-07) is a governance layer the agent cannot reach: NeMo Guardrails evaluate every call externally; OpenShell sandboxes the agent never touches directly. NemoClaw does not improve the agent — it improves the boundary around the agent. This is the harness every Course 2B attack module is scored against, and the anti-Tau: where NemoClaw has all the controls (input rail, dialog rail, action rail, sandbox), Tau (DD-21) has none. The pairing defines the governance axis every other harness sits between.
Key Claims
Load-Bearing Claims

NemoClaw's defining principle is governance-beneath-the-agent: the enforcement layer sits in the call path between agent and world, OUTSIDE the agent's trust boundary. The agent has no API to disable, configure, or influence the guardrails. This is Module 0.2's principle realized in production — if the agent can reach the enforcement layer, a compromised agent can disable it. The naive approaches (a policy tool the model calls, a system-prompt instruction) put the guard inside the trust boundary of the thing it guards, where a compromised agent can not-call it, sanitize its arguments, or ignore it.

NemoClaw does not improve the agent — it improves the boundary around the agent. The agent IS OpenClaw's agent (DD-07): the same loop, the same 40+ channel integrations, the same memory. The entire +4 over OpenClaw's 35 comes from the governance layer: +3 Module 6 (external guardrails — the highest permission score in the roster at 5/5) and +2 Module 5 (OpenShell sandboxing). Every other module is unchanged. Security is a property of the boundary, not the agent.

The NemoClaw-vs-Tau pairing is load-bearing for Course 2B. NemoClaw is the harness with all the controls (input rail, dialog rail, action rail, sandbox); Tau (DD-21) is the harness with zero defenses. Every Course 2B attack asks 'does this harness enforce governance outside the agent's reach?' — NemoClaw is the yes, Tau is the no, and most harnesses are a partial yes with a gap the attack exploits. The pairing teaches that governance is an architectural property of where the enforcement sits relative to the agent, not a feature you add.

NemoClaw's governance pattern is the reference fix for Hermes's (DD-08) memory-write poisoning surface. Harness-managed writes (model proposes, harness validates) are the same principle — governance outside the agent's reach — applied to the memory write path rather than the channel/action path. The write gate is the input rail for persistent storage. NemoClaw provides the template; Hermes omits the gate. The depth-versus-governance contrast between Hermes (the depth reference) and NemoClaw (the governance reference) is load-bearing for the roster.

After This Module
01
State NemoClaw's defining principle — governance lives beneath the agent, outside its reach — and explain why this is the load-bearing security property of the entire course.
02
Distinguish the three layers (OpenClaw core, NeMo Guardrails, OpenShell) and explain why each must be outside the previous one's trust boundary for the governance pattern to hold.
03
Score NemoClaw 39/60 and explain why the +4 over OpenClaw comes almost entirely from the governance layer (+3 Module 6, +2 Module 5), not from any improvement to the agent itself.
04
Construct the NemoClaw-vs-Tau contrast: NemoClaw is the harness with all the controls; Tau (DD-21) is the harness with zero defenses. Explain why this pairing is load-bearing for Course 2B — every attack module is scored against the question 'does this harness enforce governance outside the agent's reach?'
05
Articulate the costs of external governance (latency, policy maintenance, inherited codebase legibility) and why they are the inherent tax of doing governance right rather than an avoidable overhead.
Artifacts
01
Teaching Document
Teaching document — the governance-beneath-the-agent principle (Module 0.2 realized), the three layers (OpenClaw core, NeMo Guardrails, OpenShell), the three rails (input/dialog/action) bracketing the agent, the +4 score breakdown (entirely from the boundary, not the agent), the NemoClaw-vs-Tau contrast (load-bearing for C2B), the NemoClaw-as-Hermes-fix connection, the three costs; with learning objectives, anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid/n8n diagrams — the governance layer nesting (three layers, each outside the previous), the NemoClaw vs OpenClaw fix (input rail tags channel content), the three rails bracketing the agent (input before, action after, neither reachable), the NemoClaw-vs-Tau contrast (governed vs ungoverned), the n8n governance gate workflow (agent proposes, NeMo evaluates, OpenShell executes or DENY)
READ
03
Slide Deck
9 slides — reveal.js, dark theme, design-system teal; covers the governance principle, the three layers, the three rails, the +4 breakdown, the anti-Tau contrast, the Hermes-fix connection, the three costs, anti-patterns, the lab
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~3,000 words spoken at ~140 wpm across 9 slide cues
READ
05
Flashcards
21 flashcards (TSV) — mix of recall, application, and analysis; covers the governance principle, the three layers, the three rails, the +4 breakdown, the anti-Tau contrast, the Hermes-fix connection, the three costs, the anti-patterns
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
The Governance Gate and the Anti-Tau Contrast — runnable simulation (Python 3.10+, type hints, no GPU, no external deps): build a NemoClaw-style governance gate with three rails, confirm attacks are blocked at the appropriate rail, toggle governance OFF (Tau) and confirm every attack succeeds, prove the agent-cannot-disable-guardrails property, measure the latency tax (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE