refactor: convert blueprint Python modules to TypeScript

.agents/skills/nemoclaw-reference/references/architecture.md

@@ -37,12 +37,20 @@ The blueprint drives all interactions with the OpenShell CLI.
 ```text
 nemoclaw-blueprint/
 ├── blueprint.yaml                  Manifest — version, profiles, compatibility
-├── orchestrator/
-│   └── runner.py                   CLI runner — plan / apply / status
 ├── policies/
 │   └── openclaw-sandbox.yaml       Default network + filesystem policy
 ```
 
+The blueprint runtime (TypeScript) lives in the plugin source tree:
+
+```text
+nemoclaw/src/blueprint/
+├── runner.ts                       CLI runner — plan / apply / status / rollback
+├── ssrf.ts                         SSRF endpoint validation (IP + DNS checks)
+├── snapshot.ts                     Migration snapshot / restore lifecycle
+├── state.ts                        Persistent run state management
+```
+
 ### Blueprint Lifecycle
 
 ```mermaid

.github/workflows/pr.yaml

@@ -28,14 +28,6 @@ jobs:
           node-version: "22"
           cache: npm
 
-      - name: Setup Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: "3.11"
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v7
-
       - name: Install hadolint
         run: |
           HADOLINT_URL="https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64"
@@ -49,7 +41,6 @@ jobs:
         run: |
           npm install --ignore-scripts
           cd nemoclaw && npm install
-          cd ../nemoclaw-blueprint && uv sync --extra dev
 
       - name: Build TypeScript plugin
         run: cd nemoclaw && npm run build
@@ -155,21 +146,3 @@ jobs:
 
       - name: Run gateway isolation E2E tests
         run: NEMOCLAW_TEST_IMAGE=nemoclaw-production bash test/e2e-gateway-isolation.sh
-
-  validate-profiles:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-
-      - name: Install PyYAML
-        run: pip install pyyaml
-
-      - name: Validate blueprint and policy
-        run: python3 test/validate-blueprint.py

.pre-commit-config.yaml

@@ -16,7 +16,7 @@
 # Priority groups (prek runs same-priority hooks in parallel):
 #   0  — General file fixers (whitespace, EOF, line endings)
 #   4  — SPDX header insertion (--fix)
-#   5  — Shell / Python / TS formatters (shfmt, ruff format, prettier)
+#   5  — Shell / TS formatters (shfmt, prettier)
 #   6  — Fixes that should follow formatters (ruff check --fix, eslint --fix)
 #  10  — Linters and read-only checks
 #  20  — Project-level checks (vitest)
@@ -81,17 +81,6 @@ repos:
           - -bn
         priority: 5
 
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.7
-    hooks:
-      - id: ruff-format
-        files: ^(nemoclaw-blueprint/.*\.py|scripts/.*\.py)$
-        priority: 5
-      - id: ruff
-        args: [--fix]
-        files: ^(nemoclaw-blueprint/.*\.py|scripts/.*\.py)$
-        priority: 6
-
   - repo: local
     hooks:
       - id: nemoclaw-prettier
@@ -198,15 +187,6 @@ repos:
         stages: [pre-push]
         priority: 10
 
-      - id: pyright-check
-        name: Pyright (nemoclaw-blueprint)
-        entry: bash -c 'cd nemoclaw-blueprint && uv run --with pyright pyright'
-        language: system
-        pass_filenames: false
-        always_run: true
-        stages: [pre-push]
-        priority: 10
-
 default_language_version:
   python: python3
 

Dockerfile

@@ -67,7 +67,7 @@ RUN mkdir -p /sandbox/.openclaw-data/agents/main/agent \
     && ln -s /sandbox/.openclaw-data/update-check.json /sandbox/.openclaw/update-check.json \
     && chown -R sandbox:sandbox /sandbox/.openclaw /sandbox/.openclaw-data
 
-# Install OpenClaw CLI and PyYAML for blueprint runner (single layer)
+# Install OpenClaw CLI + PyYAML for inline Python scripts in e2e tests
 RUN npm install -g openclaw@2026.3.11 \
     && pip3 install --no-cache-dir --break-system-packages "pyyaml==6.0.3"
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: check lint format lint-ts lint-py format-ts format-py docs docs-strict docs-live docs-clean
+.PHONY: check lint format lint-ts format-ts docs docs-strict docs-live docs-clean
 
 check:
 	npx prek run --all-files
@@ -10,17 +10,11 @@ lint: check
 lint-ts:
 	cd nemoclaw && npm run check
 
-lint-py:
-	cd nemoclaw-blueprint && $(MAKE) check
-
-format: format-ts format-py
+format: format-ts
 
 format-ts:
 	cd nemoclaw && npm run lint:fix && npm run format
 
-format-py:
-	cd nemoclaw-blueprint && $(MAKE) format
-
 # --- Documentation ---
 
 docs:

ci/coverage-threshold.json

@@ -1,6 +1,6 @@
 {
-  "lines": 93,
+  "lines": 95,
   "functions": 98,
-  "branches": 87,
-  "statements": 94
+  "branches": 86,
+  "statements": 95
 }

docs/reference/architecture.md

@@ -57,12 +57,20 @@ The blueprint drives all interactions with the OpenShell CLI.
 ```text
 nemoclaw-blueprint/
 ├── blueprint.yaml                  Manifest — version, profiles, compatibility
-├── orchestrator/
-│   └── runner.py                   CLI runner — plan / apply / status
 ├── policies/
 │   └── openclaw-sandbox.yaml       Default network + filesystem policy
 ```
 
+The blueprint runtime (TypeScript) lives in the plugin source tree:
+
+```text
+nemoclaw/src/blueprint/
+├── runner.ts                       CLI runner — plan / apply / status / rollback
+├── ssrf.ts                         SSRF endpoint validation (IP + DNS checks)
+├── snapshot.ts                     Migration snapshot / restore lifecycle
+├── state.ts                        Persistent run state management
+```
+
 ### Blueprint Lifecycle
 
 ```{mermaid}