feat(observability): enable OCSF JSONL for agent deny inspection #1093

@zredlined

Description

Make structured OCSF JSONL available to the sandbox-local agent CLI by default for MVP sandboxes, and smoke-test the real deny event path before the L4 CLI behavior depends on it.

Context

Parent: #1062
RFC artifact: https://github.com/NVIDIA/OpenShell/blob/feat/agent-driven-policy-management/rfc/0001-agent-driven-policy-management.md

This is part of the locked Agent-Driven Policy Management MVP. GitHub issues are the development source of truth; Linear is only a roadmap pointer.

OCSF shorthand logs are always active today, but full JSONL is opt-in via ocsf_json_enabled. The MVP's L4 path needs machine-readable denial events.

Definition of Done

  • MVP sandbox profile/settings enable OCSF JSONL by default.
  • Denied L4/CONNECT request writes a structured event to /var/log/openshell-ocsf.YYYY-MM-DD.log.
  • Event includes enough host/port/binary/reason context for openshell-policy denials.
  • Rotation/current-file behavior is documented for the CLI implementation.
  • Smoke test result is posted back to OpenShell Agent-Driven Policy Management #1062 or this issue.
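
A sketch of the check a smoke test or CLI could run against the JSONL file, as an added example that is not part of the issue or OpenShell's code. The field paths and the `action_id` value follow the OCSF Network Activity schema and are assumptions here; the issue does not specify the exact event shape OpenShell emits.

```python
import json
from datetime import date

# Assumption: OCSF Network Activity attribute names; OpenShell's real schema is not on the page.
REQUIRED = {
    "host": ("dst_endpoint", "hostname"),
    "port": ("dst_endpoint", "port"),
    "binary": ("actor", "process", "file", "path"),
    "reason": ("status_detail",),
}
ACTION_DENIED = 2  # OCSF action_id value for "Denied"

def log_path_for(day: date) -> str:
    """Path pattern from the issue: /var/log/openshell-ocsf.YYYY-MM-DD.log"""
    return f"/var/log/openshell-ocsf.{day.isoformat()}.log"

def dig(event, path):
    """Walk nested dicts; return None if any level is missing."""
    for key in path:
        if not isinstance(event, dict):
            return None
        event = event.get(key)
    return event

def audit_denials(lines):
    """Return (line_no, missing_fields) for each deny event in JSONL lines."""
    results = []
    for line_no, raw in enumerate(lines, start=1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON or truncated lines
        if not isinstance(event, dict) or event.get("action_id") != ACTION_DENIED:
            continue
        missing = [name for name, path in REQUIRED.items()
                   if dig(event, path) in (None, "")]
        results.append((line_no, missing))
    return results

# Constructed sample lines, not real OpenShell output.
SAMPLE = [
    '{"class_uid":4001,"action_id":2,"dst_endpoint":{"hostname":"example.test","port":443},"actor":{"process":{"file":{"path":"/usr/bin/curl"}}},"status_detail":"no matching policy rule"}',
    '{"class_uid":4001,"action_id":1,"dst_endpoint":{"hostname":"example.test","port":443}}',
    '{"class_uid":4001,"action_id":2,"dst_endpoint":{"hostname":"example.test"},"status_detail":"denied"}',
    'plain text line that is not JSON',
]

if __name__ == "__main__":
    print(log_path_for(date.today()))
    for line_no, missing in audit_denials(SAMPLE):
        print(line_no, "complete" if not missing else f"missing: {missing}")
```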

Labels

  • area:policy (Policy engine and policy lifecycle work)
  • area:sandbox (Sandbox runtime and isolation work)
  • state:agent-ready (Approved for agent implementation)
  • topic:observability (Logging, metrics, and observability work)
