Skip to content

feat(policy): write effective sandbox policy for local agents #1091

Open
Open
feat(policy): write effective sandbox policy for local agents#1091
Labels
area:policyPolicy engine and policy lifecycle workarea:sandboxSandbox runtime and isolation workstate:agent-readyApproved for agent implementation
@zredlined

Description

@zredlined
zredlined
opened on Apr 30, 2026

Description

Write the resolved effective policy to /etc/openshell/policy.yaml after each successful policy poll/reload so the sandbox-local openshell-policy current command can read it without a new IPC surface.

Context

Parent: #1062
RFC artifact: https://github.com/NVIDIA/OpenShell/blob/feat/agent-driven-policy-management/rfc/0001-agent-driven-policy-management.md

This is part of the locked Agent-Driven Policy Management MVP. GitHub issues are the development source of truth; Linear is only a roadmap pointer.

The MVP deliberately avoids a supervisor UDS API; local policy state is exposed through the filesystem.

Definition of Done

  • Successful policy poll/reload writes the effective policy to /etc/openshell/policy.yaml.
  • Failed reload preserves last-known-good policy file semantics.
  • File permissions are agent-readable but do not expose secrets.
  • Test or smoke coverage confirms the file updates after policy reload.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:policyPolicy engine and policy lifecycle workarea:sandboxSandbox runtime and isolation workstate:agent-readyApproved for agent implementation

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions