name	agentsh-policy-create
description	Use when creating a new AgentSH security policy, including agent sandboxes, CI pipelines, development environments, HTTP service gateways, or Postgres-family database access policies

Create AgentSH Policy

Overview

Create new AgentSH security policies from built-in templates, customized to the user's use case. Produces valid YAML policy files with correct structure, evaluation semantics, and defensive defaults for file, network, command, HTTP service, and Postgres-family database controls.

When to Use

User asks to create/make/generate a new policy
User describes a use case that needs a policy ("policy for my CI pipeline")
User wants to set up AgentSH for the first time
User wants controlled access to a declared HTTP API or Postgres-family database
NOT for editing existing policies (use agentsh-policy-edit)

Flow

Locate policy directory
- Look for config.yml or config.yaml in the project root to find policies.dir
- If not found, look for a configs/policies/ directory
- Fall back to asking the user with AskUserQuestion

Understand the use case Use AskUserQuestion to ask: "What will this policy protect?"

Use Case	Template
AI agent (code tasks)	`default` or `agent-default`
CI/CD pipeline	`ci-strict`
Local development	`dev-safe`
Strict agent sandbox	`agent-sandbox`
Observation/profiling	`agent-observe`
Declared HTTP API gateway	Start from `default`
Postgres-family database access	Start from `default`
Custom / other	Start from `default`

Select template
- Read the matching template from the policy directory (e.g., configs/policies/default.yaml)
- On Windows, prefer the -windows variant if available (e.g., default-windows.yaml, ci-strict-windows.yaml)
- If templates are not available locally, use the schema reference to generate a baseline
Customize Based on the template read in Step 3, ask only about gaps — skip categories the template already handles well:
- "Which domains does your app need to reach?" → add network rules
- "Any paths outside the workspace it needs?" → add file rules
- "Any commands to block or require approval?" → add command rules
- "Should any HTTP APIs be exposed through AgentSH?" → add http_services plus providers when credential substitution is needed
- "Should any Postgres-family databases be mediated?" → add db_services, database_connection_rules, database_rules, and policies.db
For database policies, ask for:
- service name, dialect (postgres, aurora_postgres, redshift, cockroachdb), upstream host:port, and tls_mode
- connection constraints: DB user, database name, application name, replication/cancel handling
- statement intent: read/write/admin operations, schemas/objects, catalog selectors (relations, functions) if known
- redaction preference: policies.db.log_statements, approval_statement_preview, and approval_statement_preview_chars
- unavoidability posture: off, observe, or enforce
Name & write
- Ask for a policy name
- Generate the YAML with descriptive section comments matching built-in policy style
- Write to the policy directory
Validate Run: agentsh policy validate <name> If validation fails, fix and re-validate. If agentsh binary is not available, warn the user to validate manually.
Update config reminder If config.yml has a policies.allowed list, remind the user to add the new policy name.

Guardrails

Always use version: 1
Every policy must have name and description
End rule-list categories (file_rules, network_rules, command_rules) with a default-deny catch-all
Use descriptive rule names in verb-noun format (e.g., allow-npm, deny-ssh-keys)
Include section comment headers matching built-in policy style
First match wins — place specific rules before general ones
Do not invent runtime support for non-Postgres databases. Current DB enforcement is Postgres-family only.
For http_services, prefer path/method rules over broad network allows when the user needs audited API surface control.
For database_rules, remember DB evaluation is not simple first-match-wins: any matching deny wins, non-deny rules must cover every object slot, and uncovered objects fail closed.
For Postgres UPDATE/DELETE access to sensitive relations, ask whether accidental full-table mutation should be blocked. Use require_where: true only on rules whose operations expand exclusively to modify and/or delete; explain that it is syntactic, WHERE true still satisfies it, and another unguarded non-deny rule can still cover the same effect.
For DB redirect, only author safe read-only Postgres relation replacement: one canonical source in relations, match_object_resolution: catalog_resolved, and redirect.relation.

Schema Reference

Read skills/agentsh-policy-shared/schema-reference.md for the complete policy YAML schema before generating any policy content. If this file is not accessible, proceed using only the guardrails above plus the template file read in Step 3. Do not generate policy YAML without either the schema reference or a template.

Create AgentSH Policy

Overview

When to Use

User asks to create/make/generate a new policy

User describes a use case that needs a policy ("policy for my CI pipeline")

User wants to set up AgentSH for the first time

User wants controlled access to a declared HTTP API or Postgres-family database

NOT for editing existing policies (use agentsh-policy-edit)

Flow

Locate policy directory

Look for config.yml or config.yaml in the project root to find policies.dir
If not found, look for a configs/policies/ directory
Fall back to asking the user with AskUserQuestion

Understand the use case Use AskUserQuestion to ask: "What will this policy protect?"

Use Case	Template
AI agent (code tasks)	`default` or `agent-default`
CI/CD pipeline	`ci-strict`
Local development	`dev-safe`
Strict agent sandbox	`agent-sandbox`
Observation/profiling	`agent-observe`
Declared HTTP API gateway	Start from `default`
Postgres-family database access	Start from `default`
Custom / other	Start from `default`

Select template

Read the matching template from the policy directory (e.g., configs/policies/default.yaml)
On Windows, prefer the -windows variant if available (e.g., default-windows.yaml, ci-strict-windows.yaml)
If templates are not available locally, use the schema reference to generate a baseline

Customize Based on the template read in Step 3, ask only about gaps — skip categories the template already handles well:

"Which domains does your app need to reach?" → add network rules
"Any paths outside the workspace it needs?" → add file rules
"Any commands to block or require approval?" → add command rules
"Should any HTTP APIs be exposed through AgentSH?" → add http_services plus providers when credential substitution is needed
"Should any Postgres-family databases be mediated?" → add db_services, database_connection_rules, database_rules, and policies.db

For database policies, ask for:

service name, dialect (postgres, aurora_postgres, redshift, cockroachdb), upstream host:port, and tls_mode
connection constraints: DB user, database name, application name, replication/cancel handling
statement intent: read/write/admin operations, schemas/objects, catalog selectors (relations, functions) if known
redaction preference: policies.db.log_statements, approval_statement_preview, and approval_statement_preview_chars
unavoidability posture: off, observe, or enforce

Name & write

Ask for a policy name
Generate the YAML with descriptive section comments matching built-in policy style
Write to the policy directory

Validate Run: agentsh policy validate <name> If validation fails, fix and re-validate. If agentsh binary is not available, warn the user to validate manually.

Update config reminder If config.yml has a policies.allowed list, remind the user to add the new policy name.

Guardrails

Always use version: 1

Every policy must have name and description

End rule-list categories (file_rules, network_rules, command_rules) with a default-deny catch-all

Use descriptive rule names in verb-noun format (e.g., allow-npm, deny-ssh-keys)

Include section comment headers matching built-in policy style

First match wins — place specific rules before general ones

Do not invent runtime support for non-Postgres databases. Current DB enforcement is Postgres-family only.

For http_services, prefer path/method rules over broad network allows when the user needs audited API surface control.

For database_rules, remember DB evaluation is not simple first-match-wins: any matching deny wins, non-deny rules must cover every object slot, and uncovered objects fail closed.

For Postgres UPDATE/DELETE access to sensitive relations, ask whether accidental full-table mutation should be blocked. Use require_where: true only on rules whose operations expand exclusively to modify and/or delete; explain that it is syntactic, WHERE true still satisfies it, and another unguarded non-deny rule can still cover the same effect.

For DB redirect, only author safe read-only Postgres relation replacement: one canonical source in relations, match_object_resolution: catalog_resolved, and redirect.relation.

Schema Reference

agentsh-policy-create

Create AgentSH Policy

Overview

When to Use

Flow

Guardrails

Schema Reference

Mais deste repositório

Mais deste repositório

Create AgentSH Policy

Overview

When to Use

Flow

Guardrails

Schema Reference