Skip to content

feat(policy): add agent-readable L7 deny body #1090

Closed
Closed
feat(policy): add agent-readable L7 deny body#1090
Labels
area:policyPolicy engine and policy lifecycle workarea:sandboxSandbox runtime and isolation workstate:agent-readyApproved for agent implementationtopic:l7Application-layer policy and inspection work
@zredlined

Description

@zredlined
zredlined
opened on Apr 30, 2026

Description

Extend the existing L7 REST 403 JSON body so an in-sandbox agent can understand what was denied and how to start the policy proposal loop. Augment the current response shape rather than introducing a parallel schema.

Context

Parent: #1062
RFC artifact: https://github.com/NVIDIA/OpenShell/blob/feat/agent-driven-policy-management/rfc/0001-agent-driven-policy-management.md

This is part of the locked Agent-Driven Policy Management MVP. GitHub issues are the development source of truth; Linear is only a roadmap pointer.

First implementation target: crates/openshell-sandbox/src/l7/rest.rs around the existing deny response helper.

Definition of Done

  • Existing JSON 403 response includes next_steps.
  • Response includes structured fields for layer, method, path, host, binary, and rule_missing where available.
  • Query parameters and credentials remain redacted.
  • Test covers a denied L7 REST request and asserts the response shape.
  • Architecture docs are updated if the response contract changes materially.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:policyPolicy engine and policy lifecycle workarea:sandboxSandbox runtime and isolation workstate:agent-readyApproved for agent implementationtopic:l7Application-layer policy and inspection work

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions