docs(plugin): policy examples — block outcomes, not just tools #4
Merged
Captures the lesson from end-to-end testing: blocking web_fetch alone doesn't block the outcome because Copilot routes around via shell+curl.

Adds:
- Real-world example showing the tool-vs-outcome gap
- Recommended starter policy (6 rules covering network egress, shell routing, destructive deletes, PCI)
- Patterns-at-a-glance table for common block scenarios
- Link to full docs at docs.armoriq.ai/armorcopilot/getting-started/policies

Mirrors the content in armoriq-docs#34 (companion docs PR).
Pull request overview
Adds guidance to the ArmorCopilot plugin README about writing outcome-focused policies instead of blocking only a single tool.
Changes:
- Adds a “Writing effective policies” section with a planner bypass example.
- Adds a recommended starter policy for network egress, destructive deletes, and payment data.
- Adds a quick-reference table of common policy patterns plus a link to full policy docs.
| Denying a single tool blocks that tool, but Copilot's planner can often achieve the same outcome with a different tool. Real example: | ||
|
|
||
| ``` | ||
| > Policy new: deny webfetch |
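Review bot: The tool name in the example rule `deny webfetch` does not match the `web_fetch` spelling used in this PR's description. If the policy matcher compares tool names literally, a reader copying this rule could end up with a policy that never fires; use one spelling throughout, or state that both are accepted.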
| ### Recommended starter policy | ||
|
|
||
| ``` | ||
| > Policy new: deny webfetch |
| > Policy new: deny * for payment data | ||
| ``` | ||
|
|
||
| Six rules cover: network egress via dedicated tools, network egress via shell, destructive deletes, PCI exfiltration. |
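Review bot: The last rule of the starter policy, `deny * for payment data`, does not say how payment data is recognised, so a reader cannot tell what the rule matches or misses. Add a sentence defining the condition, or link to where it is defined. Separately, the summary sentence says six rules but names four categories; mapping each rule to its category would make the count checkable.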
|
|
||
| | Block | Rule | | ||
| |---|---| | ||
| | Network egress (any tool) | Deny webfetch + websearch + shell-with-curl + shell-with-URL | |
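Review bot: The row label "Network egress (any tool)" promises more than the rule delivers: the rule lists two dedicated tools and two shell patterns (curl, a URL in the arguments), which is a denylist of known routes rather than coverage of any tool. Either relabel the row to what it covers, or add a sentence saying this rule set is a starting point and should be paired with an egress control enforced outside the planner.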
| | Block | Rule | | ||
| |---|---| | ||
| | Network egress (any tool) | Deny webfetch + websearch + shell-with-curl + shell-with-URL | | ||
| | Writes outside `/tmp` | `Policy new: deny write when path not starts with "/tmp"` | |
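Review bot: The prefix in `deny write when path not starts with "/tmp"` has no trailing slash, so sibling paths such as `/tmpfoo` also pass the check, and the row does not say whether the path is normalized before matching (a path like `/tmp/../etc` starts with `/tmp` as a string). Suggest `"/tmp/"` as the prefix and a note on whether `..` segments and symlinks are resolved before the rule is evaluated.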
| |---|---| | ||
| | Network egress (any tool) | Deny webfetch + websearch + shell-with-curl + shell-with-URL | | ||
| | Writes outside `/tmp` | `Policy new: deny write when path not starts with "/tmp"` | | ||
| | Email exfiltration via shell | `Policy new: deny shell when args contain "@" and contain "."` | |
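Review bot: The condition in `deny shell when args contain "@" and contain "."` matches far more than email addresses: any shell command whose arguments contain both characters is denied, for example an SSH remote such as `git@github.com:org/repo.git` or a scoped package with a version. Document the false-positive cost next to this row or tighten the pattern, since a rule that blocks routine commands tends to get disabled.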
Pulkit7070
approved these changes
May 29, 2026
Adds a 'Writing effective policies' section to `plugins/armorcopilot/README.md`.

Captures the lesson from end-to-end testing: when you deny `web_fetch` alone, Copilot's planner routes around it via `shell`+`curl` to achieve the same outcome. The fix is policy authoring — write broader rules.

New content:
Refs #1.