From 6fc79a46b46e1740595a0be63a24f3a92f1dd117 Mon Sep 17 00:00:00 2001
From: TalhaSumra <talha.sumra11@gmail.com>
Date: Tue, 17 Mar 2026 01:53:09 +0500
Subject: [PATCH] Fix preset application for versionless policies

Signed-off-by: TalhaSumra <talha.sumra11@gmail.com>
---
 bin/lib/policies.js   |  2 +-
 test/policies.test.js | 47 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/bin/lib/policies.js b/bin/lib/policies.js
index 575fcdee27..a422133a50 100644
--- a/bin/lib/policies.js
+++ b/bin/lib/policies.js
@@ -91,7 +91,7 @@ function applyPreset(sandboxName, presetName) {
     );
   } catch {}
 
-  const currentPolicy = parseCurrentPolicy(rawPolicy);
+  let currentPolicy = parseCurrentPolicy(rawPolicy);
 
   // Merge: inject preset entries under the existing network_policies key
   let merged;
diff --git a/test/policies.test.js b/test/policies.test.js
index 3d8f13c380..1dfd313812 100644
--- a/test/policies.test.js
+++ b/test/policies.test.js
@@ -3,6 +3,8 @@
 
 const { describe, it } = require("node:test");
 const assert = require("node:assert/strict");
+const fs = require("fs");
+const os = require("os");
 const path = require("path");
 
 const policies = require("../bin/lib/policies");
@@ -89,4 +91,49 @@ describe("policies", () => {
       }
     });
   });
+
+  describe("applyPreset", () => {
+    it("adds a version header before appending preset entries to versionless policies", () => {
+      const fakeBinDir = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-openshell-"));
+      const capturedPolicy = path.join(fakeBinDir, "captured-policy.yaml");
+      const fakeOpenShell = path.join(fakeBinDir, "openshell");
+      const originalPath = process.env.PATH || "";
+      const originalCaptureFile = process.env.TEST_CAPTURE_FILE;
+
+      fs.writeFileSync(fakeOpenShell, `#!/bin/sh
+if [ "$1" = "policy" ] && [ "$2" = "get" ] && [ "$3" = "--full" ]; then
+  printf 'filesystem:\\n  mode: strict\\n'
+  exit 0
+fi
+if [ "$1" = "policy" ] && [ "$2" = "set" ]; then
+  while [ "$#" -gt 0 ]; do
+    if [ "$1" = "--policy" ]; then
+      cp "$2" "$TEST_CAPTURE_FILE"
+      exit 0
+    fi
+    shift
+  done
+fi
+exit 1
+`, { mode: 0o755 });
+
+      process.env.PATH = `${fakeBinDir}:${originalPath}`;
+      process.env.TEST_CAPTURE_FILE = capturedPolicy;
+
+      try {
+        assert.equal(policies.applyPreset("demo", "telegram"), true);
+        const merged = fs.readFileSync(capturedPolicy, "utf-8");
+        assert.match(merged, /^version: 1\nfilesystem:\n  mode: strict\n\nnetwork_policies:\n/m);
+        assert.match(merged, /name: telegram/);
+        assert.match(merged, /host: api\.telegram\.org/);
+      } finally {
+        process.env.PATH = originalPath;
+        if (originalCaptureFile === undefined) {
+          delete process.env.TEST_CAPTURE_FILE;
+        } else {
+          process.env.TEST_CAPTURE_FILE = originalCaptureFile;
+        }
+      }
+    });
+  });
 });