OpenShell Agent-Driven Policy Management

[linear]

MVP scope

OpenShell should provide an agent-driven policy management workflow that lets agents inspect current policy, draft narrow changes, and route them into a responsive developer inbox. GitHub is the development source of truth for this MVP; Linear should only point here.

RFC artifact: https://github.com/NVIDIA/OpenShell/blob/feat/agent-driven-policy-management/rfc/0001-agent-driven-policy-management.md
Working branch: https://github.com/NVIDIA/OpenShell/tree/feat/agent-driven-policy-management

Locked MVP

• Single-sandbox TUI/CLI review flow.
• Structured L7 REST deny responses for agent-readable failures.
• Sandbox-local policy.local HTTP API using existing files, OCSF JSONL, sandbox-local activity logs, prover/gateway checks, and per-sandbox mTLS gateway calls.
• Agent proposal payloads reuse the existing PolicyMergeOperation / incremental policy update shape as JSON; sandbox-origin operations are bundled by the supervisor/local service into gateway draft chunks, not immediate applies.
• Static /etc/openshell/skills/policy_advisor.md documenting the policy.local workflow.
• Agent-authored proposal provenance, validation status, returned chunk IDs, and rejection guidance.
• Gateway-side static/prover checks on agent-authored submit.
• GitHub dynamic approval demo target: REST repo creation first, L4 fallback where method/path scoping is not available.

Explicit non-goals for MVP

• Multi-sandbox push inbox / WatchProposals.
• Slack or web review adapters.
• Supervisor UDS policy API.
• In-process long-lived prover optimization.
• MCP server/tool wrapper. MCP can wrap policy.local later, but is not load-bearing for MVP.
• Org ceilings, trusted external auto-apply, or force-L7 enterprise policy.

Development issues

• feat(policy): add agent-readable L7 deny body #1090 feat(policy): add agent-readable L7 deny body
• feat(policy): write effective sandbox policy for local agents #1091 feat(policy): write effective sandbox policy for local agents
• feat(policy): expose sandbox-local policy.local API #1092 feat(policy): expose sandbox-local policy.local API
• feat(observability): enable OCSF JSONL for agent deny inspection #1093 feat(observability): enable OCSF JSONL for agent deny inspection
• feat(policy): return draft chunk ids from policy proposal submit #1094 feat(policy): return draft chunk ids from policy proposal submit
• docs(agent): ship static sandbox policy advisor skill #1095 docs(agent): ship static sandbox policy advisor skill
• feat(policy): add proposal provenance, operations, and guidance fields to proto #1096 feat(policy): add proposal provenance, operations, and guidance fields to proto
• feat(gateway): persist and validate agent policy proposal operations #1097 feat(gateway): persist and validate agent policy proposal operations
• feat(tui): render policy proposal inbox metadata #1098 feat(tui): render policy proposal inbox metadata
• feat(policy): suggest L7 scoping for known REST hosts #1099 feat(policy): suggest L7 scoping for known REST hosts

Cross-track notes

• feat(prover): support deny rules in policy verification #1061 improves prover coverage for deny rules and is the first downstream dependency for stronger gateway validation, but it is not an MVP blocker.
• #205 is already closed; the LLM-rationale-enrichment direction remains future work. This MVP delivers the structured deny/proposal loop, not an LLM PolicyAdvisor replacement.
• The old untracked docs/tutorials/policy-advisor.md was removed. Tutorial work should happen after the MVP validates the flow.