Skip to content

feat(policy): expose sandbox-local policy.local API #1092

Open
Open
feat(policy): expose sandbox-local policy.local API#1092
Labels
area:cliCLI-related workarea:policyPolicy engine and policy lifecycle workarea:sandboxSandbox runtime and isolation workstate:agent-readyApproved for agent implementation
@zredlined

Description

@zredlined
zredlined
opened on Apr 30, 2026

Description

Expose a sandbox-local policy.local HTTP API that lets agents inspect current policy, read recent denials, read their own sandbox-local activity logs, run advisory validation, submit policy proposals, and poll proposal status.

Context

Parent: #1062
RFC artifact: https://github.com/NVIDIA/OpenShell/blob/feat/agent-driven-policy-management/rfc/0001-agent-driven-policy-management.md

This is part of the locked Agent-Driven Policy Management MVP. GitHub issues are the development source of truth; Linear is only a roadmap pointer.

This replaces the earlier openshell-policy CLI plan. The MVP should make the local API load-bearing; MCP/CLI wrappers can be added later if they prove useful.

API shape

Initial endpoints:

  • GET /v1/policy/current returns the current effective policy for this sandbox.
  • GET /v1/denials?last=N returns recent structured denial events for this sandbox.
  • GET /v1/logs?last=N returns sandbox-local activity/log events the agent is allowed to inspect.
  • POST /v1/prove runs an advisory static/prover check for a candidate operation set.
  • POST /v1/proposals accepts a JSON body with PolicyMergeOperation-shaped operations, intent/summary metadata, and optional denial/log evidence refs; the supervisor/local service bundles this into the gateway gRPC proposal path for human approval.
  • GET /v1/proposals/{id} returns proposal status, validation result, and rejection guidance.

Definition of Done

  • policy.local resolves from inside the sandbox without requiring policy allow rules.
  • API is sandbox-scoped and cannot read or mutate other sandboxes.
  • Current policy endpoint reads the resolved effective policy.
  • Denials endpoint reads structured OCSF JSONL events.
  • Logs endpoint exposes only sandbox-local activity/log context safe for the in-sandbox agent to inspect.
  • Proposal submit accepts PolicyMergeOperation-shaped JSON payloads instead of CLI flag strings.
  • Supervisor/local service bundles proposal JSON into gateway gRPC draft chunks.
  • Sandbox-origin submit stores draft chunks for approval and never applies policy directly.
  • Submit returns proposal/chunk IDs for watch/status.
  • Status endpoint reads GetDraftPolicy state and surfaces rejection guidance.
  • MCP is explicitly not required for MVP.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:cliCLI-related workarea:policyPolicy engine and policy lifecycle workarea:sandboxSandbox runtime and isolation workstate:agent-readyApproved for agent implementation

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions