// Use when adding, removing, or updating rules in an existing AgentSH policy, modifying security permissions, HTTP service declarations, Postgres-family database rules, resource limits, or policy YAML files
Use when creating a new AgentSH security policy, including agent sandboxes, CI pipelines, development environments, HTTP service gateways, or Postgres-family database access policies
dangerous eval pattern
Has a source frontmatter field
hidden unicode tags
triggers multiple critical-severity rules
A minimal valid skill
| name | agentsh-policy-edit |
| description | Use when adding, removing, or updating rules in an existing AgentSH policy, modifying security permissions, HTTP service declarations, Postgres-family database rules, resource limits, or policy YAML files |
Make targeted edits to existing AgentSH security policies — add, remove, or update rules and declarations. Understands first-match-wins policy categories plus the separate Postgres-family database rule semantics.
http_services, providers)db_services, database_rules, database_connection_rules, policies.db)Locate & read the policy
config.yml/config.yaml for policies.dirconfigs/policies/ directoryUnderstand the intent Map the user's request to:
Determine insertion position (for new rules) First-match-wins means ordering matters:
allow, approve, redirect, audit, absorb, soft_delete) that matches first will shadow the denydatabase_rules or database_connection_rules; see DB rules below.Make the edit Use the Edit tool:
Validate
Run: agentsh policy validate <name>
If validation fails, fix and re-validate.
If agentsh binary is not available, warn the user to validate manually.
Summarize
Show what changed and explain the effect:
"Added network rule allow-stripe before approve-unknown-https. Stripe API traffic on port 443 will now be allowed without approval."
| Scenario | Position |
|---|---|
| New deny rule | Before any broader matching non-deny rule in that category |
| New allow rule | Before the default-deny catch-all |
| More specific rule | Before less specific rules matching the same pattern |
| Uncertain (deny) | Before the first non-deny rule in that category |
| Uncertain (allow) | Immediately before the default-deny rule for that category |
DB policy evaluation is different from file/network/command ordering:
database_rules: any matching deny wins, regardless of order. Non-deny decisions (allow, audit, redirect, approve) must cover every object slot in the effect; uncovered objects become implicit deny. Rule order only breaks ties for reporting the primary contributing rule.database_connection_rules: all matching rules are considered and the most restrictive verb wins (deny > approve > audit > allow).passthrough DB services can use connection rules only; statement rules are unavailable because AgentSH cannot inspect SQL.decision: redirect is statement-level only. It requires read-only operations, exactly one canonical relations source selector, match_object_resolution: catalog_resolved, and redirect.relation as a canonical schema.name target.policies.db.unavoidability: enforce should be paired with declared db_services; it blocks direct DB egress from governed processes and routes through AgentSH-generated DB proxy redirects.require_where: true for sensitive Postgres modify/delete rules when the operator wants no-WHERE mutations to fail closed. Do not add it to MUTATE, *, read, DDL, session, transaction, or procedural rules. Check for overlapping unguarded non-deny rules, because require_where only constrains the rule it appears on.When editing DB rules, prefer adding narrow denies for risky operations and explicit non-deny coverage for intended objects. Avoid broad allow rules across all services unless the user explicitly asks for that posture.
Use http_services when the user needs method/path-level API control or credential substitution for a declared upstream. Keep ordinary network_rules for simple host/port access.
http_services[].upstream must be HTTPS in normal policy files.secret is present, ensure a matching top-level providers entry exists and inject.header.template contains {{secret}}.expose_as must be a valid environment variable name and must not collide with LLM proxy env vars.services: is obsolete; use http_services:.verb-noun format matching the existing policy styleallow, audit, redirect, or approve that covers only one relation/function does not cover other objects touched by the same SQL statement.Read skills/agentsh-policy-shared/schema-reference.md for the complete policy YAML schema before making edits. If this file is not accessible, use the existing policy file as your reference for field names and structure. For rule categories not present in the existing file, ask the user for details rather than guessing.