feat(policy): built-in policy presets strict, permissive, shell_safe (#104)

Ship named presets resolvable from Project defaults, direct policy references,
or Policy.spec.preset with local overrides layered on top. Expand presets during
normalize so validate/plan show effective rules. shell_safe classifies native
shell command tokens and integrates with tool safety metadata from #103.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: leo-aa88

CHANGELOG.md

@@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Added
 
+- **Built-in policy presets** (issue #104): `strict`, `permissive`, and `shell_safe`. Select via `Project.spec.defaults.policy`, by referencing a preset name on agents/workflows, or with `Policy.spec.preset` (local rules layer on top). Presets expand during [NormalizeProjectGraph] so plan/validate show effective rules.
+- **`shell_safe` token classification** for native `command.run` / `run` / `exec` / `shell` operations: read-only tokens (`ls`, `cat`, …) run unattended; risky/unknown tokens and tools with side-effect metadata require `--approve`.
 - **`spec.safety` on Tool resources** (issue #103): optional `trusted`, `sideEffects`, and `requiresApproval` fields. [NormalizeProjectGraph] materializes fail-closed defaults on load.
 - **Policy safety fallback**: when no `approvals.requiredFor` entry matches the exact `uses` string, [policy.Derive] consults resolved safety metadata. Unattended mutating tools require `--approve` (exit code **5**, `approval_required`).
 - **Plan risk hints** for tools that will require approval at run, including decision source (`explicit_policy_rule`, `safety_metadata`, `fail_closed_default`).

internal/cli/initembed/policies/default.yaml

@@ -3,6 +3,7 @@ kind: Policy
 metadata:
   name: default
 spec:
+  preset: shell_safe
   execution:
     maxWallClockSeconds: 300
     maxTotalCostUsd: 5

internal/engine/steps.go

@@ -46,7 +46,7 @@ func parseAgentJSONObject(content string) (map[string]any, error) {
 
 func (e *Executor) runToolStep(ctx context.Context, pol policy.PolicyEvaluator, runID string, step spec.WorkflowStep, with map[string]any, pctx policy.RunContext) (map[string]any, tools.ToolCallMeta, error) {
 	uses := strings.TrimSpace(step.Uses)
-	if err := pol.CheckToolCall(ctx, policy.ToolCallContext{Run: pctx, StepID: step.ID, Uses: uses}); err != nil {
+	if err := pol.CheckToolCall(ctx, policy.ToolCallContext{Run: pctx, StepID: step.ID, Uses: uses, With: with}); err != nil {
 		if e.Trace != nil {
 			if d, ok := policy.AsDenied(err); ok {
 				_, _ = e.Trace.Append(ctx, runID, step.ID, trace.EventPolicyDenied, d.TraceData())

internal/policy/context.go

@@ -25,4 +25,6 @@ type ToolCallContext struct {
 	Run    RunContext
 	StepID string
 	Uses   string
+	// With is the interpolated workflow step input (used by shell_safe token classification).
+	With map[string]any
 }

internal/policy/derive.go

@@ -49,6 +49,31 @@ func Derive(safety spec.ResolvedToolSafety) Decision {
 func EffectiveToolDecision(graph *spec.ProjectGraph, pol *spec.PolicySpec, toolName string) ToolDecision {
 	toolName = strings.TrimSpace(toolName)
 	safety := resolvedSafetyForTool(graph, toolName)
+	if pol != nil && pol.Approvals != nil {
+		if pol.Approvals.Permissive {
+			return ToolDecision{
+				Decision: DecisionAllow,
+				Source:   SourceExplicitPolicyRule,
+				Safety:   safety,
+			}
+		}
+		if pol.Approvals.RequireAllTools {
+			return ToolDecision{
+				Decision: DecisionRequireApproval,
+				Source:   SourceExplicitPolicyRule,
+				Safety:   safety,
+			}
+		}
+		if spec.ResolvedPresetName(pol) == spec.PresetShellSafe {
+			if safety.RequiresApproval || safety.SideEffects {
+				return ToolDecision{
+					Decision: DecisionRequireApproval,
+					Source:   SourceExplicitPolicyRule,
+					Safety:   safety,
+				}
+			}
+		}
+	}
 	if pol != nil && pol.Approvals != nil {
 		prefix := toolUsesPrefix(toolName)
 		for _, r := range pol.Approvals.RequiredFor {

internal/policy/doc.go

@@ -5,6 +5,10 @@
 // Run context should carry elapsed wall clock, accumulated cost, and repeated --approve action strings
 // matching policy approvals.requiredFor entries.
 //
+// Built-in policy presets (issue #104): strict, permissive, and shell_safe. Select via
+// Project.spec.defaults.policy, a Policy resource spec.preset, or by referencing a preset name
+// as the workflow/agent policy. [spec.ExpandPresetsInGraph] materializes effective rules during normalize.
+//
 // When no explicit approvals.requiredFor rule matches a tool call, [Derive] consults
 // [spec.ResolveToolSafety] metadata (fail-closed defaults; issue #103).
 //

internal/policy/evaluator.go

@@ -54,13 +54,60 @@ func (e *evaluator) CheckStep(ctx context.Context, step StepContext) error {
 func (e *evaluator) CheckToolCall(ctx context.Context, call ToolCallContext) error {
 	_ = ctx
 	p := e.spec()
+	if p != nil && p.Approvals != nil && p.Approvals.Permissive {
+		if err := checkKnownTool(e.graph, call.Uses, p.Tools); err != nil {
+			return err
+		}
+		return nil
+	}
 	if p != nil {
 		if err := checkKnownTool(e.graph, call.Uses, p.Tools); err != nil {
 			return err
 		}
+		if p.Approvals != nil && p.Approvals.RequireAllTools {
+			if actionApproved(call.Uses, call.Run.ApprovedActions) {
+				return nil
+			}
+			return denied(
+				ReasonApprovalRequired,
+				"policy: action requires explicit approval (--approve)",
+				call.Uses,
+				map[string]any{"requiredFor": call.Uses, "preset": spec.PresetStrict},
+			)
+		}
+		if spec.ResolvedPresetName(p) == spec.PresetShellSafe && !shellSafeRequiresApproval(e.graph, call) {
+			return nil
+		}
+		if presetRequiresApproval(p, e.graph, call) {
+			if actionApproved(call.Uses, call.Run.ApprovedActions) {
+				return nil
+			}
+			return denied(
+				ReasonApprovalRequired,
+				"policy: action requires explicit approval (--approve)",
+				call.Uses,
+				map[string]any{
+					"requiredFor": call.Uses,
+					"preset":      spec.ResolvedPresetName(p),
+				},
+			)
+		}
 		if approvalRequired(call.Uses, p.Approvals) {
 			return checkApprovalGranted(call.Uses, p.Approvals, call.Run.ApprovedActions)
 		}
 	}
 	return checkSafetyDerived(e.graph, call)
 }
+
+func presetRequiresApproval(p *spec.PolicySpec, graph *spec.ProjectGraph, call ToolCallContext) bool {
+	if p == nil || p.Approvals == nil {
+		return false
+	}
+	if p.Approvals.RequireAllTools {
+		return true
+	}
+	if spec.ResolvedPresetName(p) == spec.PresetShellSafe {
+		return shellSafeRequiresApproval(graph, call)
+	}
+	return false
+}

internal/policy/presets_eval_test.go

@@ -0,0 +1,141 @@
+package policy
+
+import (
+	"context"
+	"testing"
+
+	"github.com/LAA-Software-Engineering/agentic-control-plane/internal/spec"
+)
+
+func shellSafeGraph() *spec.ProjectGraph {
+	return &spec.ProjectGraph{
+		Tools: map[string]*spec.ToolResource{
+			"shell": {
+				Metadata: spec.Metadata{Name: "shell"},
+				Spec: spec.ToolSpec{
+					Type: "native",
+					Safety: &spec.ToolSafety{
+						SideEffects: spec.BoolPtr(true),
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestCheckToolCall_shellSafe_allowsLs(t *testing.T) {
+	pol, err := spec.BuildPreset(spec.PresetShellSafe)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ev := NewEvaluator(shellSafeGraph(), &pol)
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Uses: "tool.shell.command.run",
+		With: map[string]any{"command": "ls -la"},
+	})
+	if err != nil {
+		t.Fatalf("ls should be allowed: %v", err)
+	}
+}
+
+func TestCheckToolCall_shellSafe_gatesRm(t *testing.T) {
+	pol, err := spec.BuildPreset(spec.PresetShellSafe)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ev := NewEvaluator(shellSafeGraph(), &pol)
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Uses: "tool.shell.command.run",
+		With: map[string]any{"command": "rm -rf /tmp/x"},
+	})
+	if err == nil {
+		t.Fatal("expected rm to require approval")
+	}
+	d, ok := AsDenied(err)
+	if !ok || d.Reason != ReasonApprovalRequired {
+		t.Fatalf("got %v", err)
+	}
+}
+
+func TestCheckToolCall_shellSafe_unknownTokenGated(t *testing.T) {
+	pol, err := spec.BuildPreset(spec.PresetShellSafe)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ev := NewEvaluator(shellSafeGraph(), &pol)
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Uses: "tool.shell.command.run",
+		With: map[string]any{"command": "totally-unknown"},
+	})
+	if err == nil {
+		t.Fatal("expected unknown token to gate")
+	}
+}
+
+func TestCheckToolCall_strict_gatesAllTools(t *testing.T) {
+	g := testGraphWithTools("helper")
+	g.Tools["helper"].Spec.Safety = &spec.ToolSafety{SideEffects: spec.BoolPtr(false)}
+	pol, err := spec.BuildPreset(spec.PresetStrict)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ev := NewEvaluator(g, &pol)
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Uses: "tool.helper.echo",
+	})
+	if err == nil {
+		t.Fatal("strict should gate all tools")
+	}
+}
+
+func TestCheckToolCall_permissive_allowsMutatingTool(t *testing.T) {
+	g := testGraphWithTools("slack")
+	g.Tools["slack"].Spec.Safety = &spec.ToolSafety{SideEffects: spec.BoolPtr(true)}
+	pol, err := spec.BuildPreset(spec.PresetPermissive)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ev := NewEvaluator(g, &pol)
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Uses: "tool.slack.message.send",
+	})
+	if err != nil {
+		t.Fatalf("permissive should allow: %v", err)
+	}
+}
+
+func TestExpandPresetsInGraph_materializesDefault(t *testing.T) {
+	g := &spec.ProjectGraph{
+		Spec: spec.ProjectSpec{
+			Defaults: &spec.ProjectDefaults{Policy: spec.PresetShellSafe},
+		},
+	}
+	spec.ExpandPresetsInGraph(g)
+	pr, ok := g.Policies[spec.PresetShellSafe]
+	if !ok || pr == nil {
+		t.Fatal("expected injected shell_safe policy")
+	}
+	if pr.Spec.ResolvedPreset != spec.PresetShellSafe {
+		t.Fatalf("ResolvedPreset = %q", pr.Spec.ResolvedPreset)
+	}
+}
+
+func TestExpandPresetsInGraph_userPolicyOverridesBuiltin(t *testing.T) {
+	g := &spec.ProjectGraph{
+		Spec: spec.ProjectSpec{
+			Defaults: &spec.ProjectDefaults{Policy: spec.PresetStrict},
+		},
+		Policies: map[string]*spec.PolicyResource{
+			spec.PresetStrict: {
+				Metadata: spec.Metadata{Name: spec.PresetStrict},
+				Spec: spec.PolicySpec{
+					Execution: &spec.PolicyExecution{MaxWallClockSeconds: 99},
+				},
+			},
+		},
+	}
+	spec.ExpandPresetsInGraph(g)
+	if g.Policies[spec.PresetStrict].Spec.Execution.MaxWallClockSeconds != 99 {
+		t.Fatal("user policy should not be replaced by builtin")
+	}
+}

internal/policy/shell_safe.go

@@ -0,0 +1,29 @@
+package policy
+
+import (
+	"github.com/LAA-Software-Engineering/agentic-control-plane/internal/spec"
+	"github.com/LAA-Software-Engineering/agentic-control-plane/internal/tools"
+)
+
+// shellSafeRequiresApproval reports whether a tool call should be gated under shell_safe.
+func shellSafeRequiresApproval(graph *spec.ProjectGraph, call ToolCallContext) bool {
+	toolName, operation, err := tools.ParseUses(call.Uses)
+	if err != nil {
+		return true
+	}
+	if spec.IsShellCommandOperation(operation) {
+		cmd := spec.ExtractShellCommand(call.With)
+		token := spec.FirstShellToken(cmd)
+		switch spec.ClassifyShellToken(token) {
+		case spec.ShellTokenReadOnly:
+			return false
+		case spec.ShellTokenGate, spec.ShellTokenUnknown:
+			return true
+		}
+	}
+	safety := resolvedSafetyForTool(graph, toolName)
+	if safety.RequiresApproval || safety.SideEffects {
+		return true
+	}
+	return false
+}

internal/spec/doc.go

@@ -6,4 +6,7 @@
 //
 // Tool resources may declare spec.safety (trusted, sideEffects, requiresApproval) for
 // fail-closed policy derivation when explicit Policy rules do not apply (issue #103).
+//
+// Built-in policy presets (strict, permissive, shell_safe) are defined in this package and
+// expanded during [NormalizeProjectGraph] via [ExpandPresetsInGraph] (issue #104).
 package spec