> For the complete documentation index, see [llms.txt](https://docs.gomboc.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.gomboc.ai/orl/agent-skills/gomboc-enterprise-skills/policy-enforcement-loop.md).

# Policy Enforcement Loop

The Policy Enforcement Loop is the end-to-end agentic workflow Gomboc uses to verify a codebase against a security or engineering policy and bring it back into compliance. It is the orchestrated chain of skills exposed by the `gomboc` plugin: diagnose the code, decide whether existing rules cover the violations, apply them or build new ones, and verify the outcome.

You can trigger the entire loop with a single skill (`enforce-policy`), or step through it manually using the underlying skills when you want finer control.

For installing the plugin in your agent first, see [Gomboc Enterprise Skills](/orl/agent-skills/gomboc-enterprise-skills.md).

***

### The full loop

```
┌─────────────────────────────────────────────────────────────────┐
│                         enforce-policy                          │
│                                                                 │
│  1. diagnose ──────────────── Find violations in code           │
│       ↓                                                         │
│  2. orl-existing-rules / rules-service ── Check rule coverage   │
│       ↓                           ↓                             │
│  ┌────────────────┐    ┌──────────────────────────────────────┐ │
│  │ Rules exist    │    │ No rule exists — create one          │ │
│  │ (path 3A)      │    │ (path 3B)                            │ │
│  │                │    │                                      │ │
│  │ orl-remediation│    │ orl-planner                          │ │
│  │   -planner     │    │   ↓                                  │ │
│  │    ↓           │    │ orl-test-planner                     │ │
│  │ orl-remediation│    │   ↓                                  │ │
│  │   -expert      │    │ orl-expert (build + test)            │ │
│  └────────────────┘    │   ↓                                  │ │
│       ↓                │ orl-reviewer (quality gate)          │ │
│                        │   ↓                                  │ │
│                        │ orl-metadata-enricher                │ │
│                        │   ↓                                  │ │
│                        │ rules-service (publish)              │ │
│                        │   ↓                                  │ │
│                        │ orl-remediation-expert (apply)       │ │
│                        └──────────────────────────────────────┘ │
│       ↓                ↓                                        │
│  4. diagnose ──────────────── Verify compliance                 │
└─────────────────────────────────────────────────────────────────┘
```

The four numbered stages are:

1. **Diagnose** — scan the target path against the requested policy and produce a list of violations with file and line locations.
2. **Assess rule coverage** — for every violation, look up whether an ORL rule already exists, either locally (in `.gomboc/cache/`) or in the Gomboc [Rules Service](/orl/publish.md).
3. **Apply existing rules (3A) or build new rules (3B)** — apply matched rules to fix violations; for uncovered violations, build, review, enrich, publish, and then apply a new rule.
4. **Verify** — re-run the diagnosis to confirm the policy is now satisfied.

***

### Stage breakdown

| Stage                        | Skills involved                                                                                                                           | What it produces                                                                      |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| **1. Diagnose**              | `diagnose`                                                                                                                                | Prioritized findings with `file:line`, classification, risk, and existing-rule status |
| **2. Assess rule coverage**  | `orl-existing-rules`, `rules-service`                                                                                                     | Decision: every finding is routed to 3A or 3B                                         |
| **3A. Apply existing rules** | `orl-remediation-planner` → `orl-remediation-expert`                                                                                      | Code is modified by running matched ORL rules                                         |
| **3B. Build a new rule**     | `orl-planner` → `orl-test-planner` → `orl-expert` → `orl-reviewer` → `orl-metadata-enricher` → `rules-service` → `orl-remediation-expert` | A new ORL rule is built, tested, reviewed, enriched, published, and applied           |
| **4. Verify**                | `diagnose`                                                                                                                                | Confirmation that the violation count for the target policy is zero                   |

For details on what each skill does individually, browse the installed skill catalog in your agent: **Settings → Rules** in Cursor, `/skills` in Codex, `/plugins` in Claude Code, or `gemini extensions list` then `/help` in Gemini CLI.

***

### Common starting points (partial loop)

You do not always need the full loop. The right entry point depends on what you already know about the code and the policy:

| Starting point                                      | What to run                                                                                                    |
| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| Code with no policy checked yet                     | `diagnose` → routes you into 3A or 3B                                                                          |
| Violations are known, rule coverage is unknown      | `orl-existing-rules` or `rules-service` → routes into 3A or 3B                                                 |
| Rules already exist and you just want to apply them | `orl-remediation-planner` → `orl-remediation-expert` → `diagnose` (to verify)                                  |
| You have a policy gap and need to build a new rule  | `orl-planner` → `orl-test-planner` → `orl-expert` → `orl-reviewer` → `orl-metadata-enricher` → `rules-service` |
| Code produced by an agent + a policy to enforce     | `enforce-policy` (handles everything above automatically)                                                      |

***

### How to trigger the loop in each agent

The same underlying `enforce-policy` skill is exposed differently in each agent runtime. Use the form your agent supports:

| Agent            | How to trigger                                                                                                                                                                                                              |
| ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Claude Code**  | Describe the goal in natural language. Example: *"Enforce the `gomboc-ai/policy/encryption/encryption_at_rest` policy against `./infrastructure` as a dry run."* Claude activates the `enforce-policy` skill automatically. |
| **Gemini CLI**   | `/gomboc:enforce <path> <policy> [--create-missing] [--publish] [--dry-run]`                                                                                                                                                |
| **OpenAI Codex** | `$enforce-policy` (Codex native skill invocation)                                                                                                                                                                           |
| **Cursor**       | Type `/enforce-policy` in Agent chat, or describe the goal in natural language and let the Agent decide which skill to pick.                                                                                                |

For more about how each agent exposes Gomboc workflows, see [Gomboc Enterprise Skills](/orl/agent-skills/gomboc-enterprise-skills.md).

***

### Quick-start examples

**Dry run an encryption-at-rest policy against Terraform**

In Gemini CLI:

```bash
/gomboc:enforce ./infrastructure gomboc-ai/policy/encryption/encryption_at_rest --dry-run
```

In Claude Code or Cursor, type in Agent chat:

```
Enforce the gomboc-ai/policy/encryption/encryption_at_rest policy against ./infrastructure as a dry run.
```

In Codex:

```
$enforce-policy ./infrastructure gomboc-ai/policy/encryption/encryption_at_rest --dry-run
```

**Full loop: diagnose, create missing rules, publish, apply, verify**

In Gemini CLI:

```bash
/gomboc:enforce ./src gomboc-ai/policy/prevent_code_injection/sql_injection --create-missing --publish
```

In Claude Code or Cursor:

```
Enforce the gomboc-ai/policy/prevent_code_injection/sql_injection policy against ./src. Create any missing rules, publish them to the rules service, then apply and verify.
```

In Codex:

```
$enforce-policy ./src gomboc-ai/policy/prevent_code_injection/sql_injection --create-missing --publish
```

***

### Flag reference for `enforce-policy`

| Flag               | Effect                                                                                                               |
| ------------------ | -------------------------------------------------------------------------------------------------------------------- |
| `--dry-run`        | Diagnose and plan only. Do not modify code, do not publish rules.                                                    |
| `--create-missing` | Build new ORL rules for policy gaps (path 3B). Without this flag, uncovered violations are reported but not fixed.   |
| `--publish`        | Push newly built rules to the Gomboc Rules Service. Without this flag, new rules stay local in `.gomboc/orl-rules/`. |

When `enforce-policy` is invoked through a slash-command form (Gemini, Cursor), pass these flags as shown above. When invoked through natural language (Claude, Cursor), describe the same intent in plain English — *"dry run"*, *"create missing rules"*, *"publish to the rules service"* — and the agent will set the flags accordingly.
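The routing in the stage breakdown above and the flag semantics in this table interact: coverage decides 3A versus 3B, and the flags decide whether 3B runs and whether its output is published. The following added model (not the `gomboc` plugin's own code; the skills are stubbed, and the findings, classifications and rule ids are constructed) walks constructed findings through the loop so each flag combination can be checked:

```python
from dataclasses import dataclass, field

# Constructed sample findings of the kind stage 1 (diagnose) reports,
# keyed by the policy-specific classification the coverage lookup uses.
@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    classification: str

@dataclass
class Outcome:
    applied: list = field(default_factory=list)        # fixed via 3A or 3B
    built: list = field(default_factory=list)          # new rules built (3B)
    published: list = field(default_factory=list)      # rules pushed to the Rules Service
    reported_only: list = field(default_factory=list)  # uncovered or dry-run findings
    remaining: int = 0                                 # stage 4: violations still present

def enforce_policy(findings, local_rules, *, dry_run=False,
                   create_missing=False, publish=False):
    """Route each finding through the loop and record what happened to it.
    local_rules maps a classification to an existing ORL rule id (the .gomboc/cache/ lookup)."""
    out = Outcome()
    for f in findings:
        loc = f"{f.file}:{f.line}"
        rule = local_rules.get(f.classification)          # stage 2: coverage lookup
        if dry_run:
            out.reported_only.append(loc)                 # plan only, no code changes
        elif rule is not None:
            out.applied.append(loc)                       # 3A: run the matched rule
        elif create_missing:
            rule = f"new-rule-for-{f.classification}"     # 3B: build, test, review, enrich
            out.built.append(rule)
            if publish:
                out.published.append(rule)                # otherwise stays in .gomboc/orl-rules/
            out.applied.append(loc)                       # then apply it
        else:
            out.reported_only.append(loc)                 # reported but not fixed
    out.remaining = len(out.reported_only)                # stage 4: re-diagnose
    return out

SAMPLE_FINDINGS = [  # constructed, not real scan output
    Finding("src/db.py", 42, "string-formatted-sql"),
    Finding("src/api.py", 17, "unparameterized-query"),
]
SAMPLE_LOCAL_RULES = {"string-formatted-sql": "orl/sql/parameterize-format-string"}  # constructed id

if __name__ == "__main__":
    print(enforce_policy(SAMPLE_FINDINGS, SAMPLE_LOCAL_RULES, create_missing=True))
```

Without `--create-missing` the uncovered finding is left in `reported_only`, so stage 4 still counts one violation; with it, both findings are applied and the new rule is published only when `--publish` is also set.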

***

### See also

* [Gomboc Enterprise Skills](/orl/agent-skills/gomboc-enterprise-skills.md) — install the plugin in Claude Code, Gemini CLI, OpenAI Codex, or Cursor.
* [ORL (Open Remediation Language)](/orl.md) — the language and engine that backs ORL rules.
* [Custom Rules Quickstart](/orl/quickstart.md) — write your first ORL rule.
* [Publish](/orl/publish.md) — publish ORL rules to the Gomboc Rules Service.
* [Rules](/policy-management/rules.md) — Gomboc rule concepts in the platform.
