Policy Enforcement Loop

The Policy Enforcement Loop is the end-to-end agentic workflow Gomboc uses to verify a codebase against a security or engineering policy and bring it back into compliance. It is the orchestrated chain of skills exposed by the gomboc plugin: diagnose the code, decide whether existing rules cover the violations, apply them or build new ones, and verify the outcome.

You can trigger the entire loop with a single skill (enforce-policy), or step through it manually using the underlying skills when you want finer control.

Install the plugin in your agent first; see Gomboc Enterprise Skills.


The full loop

┌─────────────────────────────────────────────────────────────────┐
│                         enforce-policy                          │
│                                                                 │
│  1. diagnose ──────────────── Find violations in code           │
│       ↓                                                         │
│  2. orl-existing-rules / rules-service ── Check rule coverage   │
│       ↓                           ↓                             │
│  ┌────────────────┐    ┌──────────────────────────────────────┐ │
│  │ Rules exist    │    │ No rule exists — create one          │ │
│  │ (path 3A)      │    │ (path 3B)                            │ │
│  │                │    │                                      │ │
│  │ orl-remediation│    │ orl-planner                          │ │
│  │   -planner     │    │   ↓                                  │ │
│  │    ↓           │    │ orl-test-planner                     │ │
│  │ orl-remediation│    │   ↓                                  │ │
│  │   -expert      │    │ orl-expert (build + test)            │ │
│  └────────────────┘    │   ↓                                  │ │
│       ↓                │ orl-reviewer (quality gate)          │ │
│                        │   ↓                                  │ │
│                        │ orl-metadata-enricher                │ │
│                        │   ↓                                  │ │
│                        │ rules-service (publish)              │ │
│                        │   ↓                                  │ │
│                        │ orl-remediation-expert (apply)       │ │
│                        └──────────────────────────────────────┘ │
│       ↓                ↓                                        │
│  4. diagnose ──────────────── Verify compliance                 │
└─────────────────────────────────────────────────────────────────┘

The four numbered stages are:

  1. Diagnose — scan the target path against the requested policy and produce a list of violations with file and line locations.

  2. Assess rule coverage — for every violation, look up whether an ORL rule already exists, either locally (in .gomboc/cache/) or in the Gomboc Rules Service.

  3. Apply existing rules (3A) or build new rules (3B) — apply matched rules to fix violations; for uncovered violations, build, review, enrich, publish, and then apply a new rule.

  4. Verify — re-run the diagnosis to confirm the policy is now satisfied.


Stage breakdown

  1. Diagnose
     Skills involved: diagnose
     Produces: prioritized findings with file:line, classification, risk, and existing-rule status

  2. Assess rule coverage
     Skills involved: orl-existing-rules, rules-service
     Produces: a decision for every finding, routing it to 3A or 3B

  3A. Apply existing rules
     Skills involved: orl-remediation-planner, orl-remediation-expert
     Produces: code modified by running the matched ORL rules

  3B. Build a new rule
     Skills involved: orl-planner, orl-test-planner, orl-expert, orl-reviewer, orl-metadata-enricher, rules-service, orl-remediation-expert
     Produces: a new ORL rule that is built, tested, reviewed, enriched, published, and applied

  4. Verify
     Skills involved: diagnose
     Produces: confirmation that the violation count for the target policy is zero

For details on what each skill does individually, browse the installed skill catalog in your agent: Settings → Rules in Cursor, /skills in Codex, /plugins in Claude Code, or gemini extensions list then /help in Gemini CLI.


Common starting points (partial loop)

You do not always need the full loop. The right entry point depends on what you already know about the code and the policy:

  Code with no policy checked yet
     Run: diagnose, which routes you into 3A or 3B

  Violations are known, rule coverage is unknown
     Run: orl-existing-rules or rules-service, which routes you into 3A or 3B

  Rules already exist and you just want to apply them
     Run: orl-remediation-planner, orl-remediation-expert, then diagnose (to verify)

  You have a policy gap and need to build a new rule
     Run: orl-planner, orl-test-planner, orl-expert, orl-reviewer, orl-metadata-enricher, rules-service

  Code produced by an agent plus a policy to enforce
     Run: enforce-policy (handles everything above automatically)


How to trigger the loop in each agent

The same underlying enforce-policy skill is exposed differently in each agent runtime. Use the form your agent supports:

  Claude Code
     Describe the goal in natural language, for example: "Enforce the gomboc-ai/policy/encryption/encryption_at_rest policy against ./infrastructure as a dry run." Claude activates the enforce-policy skill automatically.

  Gemini CLI
     /gomboc:enforce <path> <policy> [--create-missing] [--publish] [--dry-run]

  OpenAI Codex
     $enforce-policy (Codex native skill invocation)

  Cursor
     Type /enforce-policy in Agent chat, or describe the goal in natural language and let "Agent Decides" pick the skill.

For more about how each agent exposes Gomboc workflows, see Gomboc Enterprise Skills.


Quick-start examples

Dry run an encryption-at-rest policy against Terraform

In Gemini CLI:

In Claude Code or Cursor, type in Agent chat:

In Codex:

Full loop: diagnose, create missing rules, publish, apply, verify

In Gemini CLI:

In Claude Code or Cursor:

In Codex:


Flag reference for enforce-policy

  --dry-run
     Diagnose and plan only: do not modify code and do not publish rules.

  --create-missing
     Build new ORL rules for policy gaps (path 3B). Without this flag, uncovered violations are reported but not fixed.

  --publish
     Push newly built rules to the Gomboc Rules Service. Without this flag, new rules stay local in .gomboc/orl-rules/.

When enforce-policy is invoked through a slash-command form (Gemini CLI, Cursor), pass these flags as shown above. When it is invoked through natural language (Claude Code, Cursor), describe the same intent in plain English ("dry run", "create missing rules", "publish to the rules service") and the agent sets the flags accordingly.
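To make the stage sequence and the flag gating concrete, here is a runnable Python model of the loop. It is an added illustration, not Gomboc's code or the plugin's real skills: the policy checks, the ORL rule format (represented as plain functions that rewrite one resource), the local cache and the Rules Service (both dicts), the stand-in rule builder (BUILDABLE) and the Terraform-like inventory are all constructed for this example. Only the policy identifier and the meaning of --dry-run, --create-missing and --publish are taken from this page.

```python
"""Runnable model of the four-stage enforce-policy loop described on this page.

Added illustration, not Gomboc's code: the policy checks, the rule format
(plain functions), the local cache and the Rules Service (dicts) are stand-ins.
"""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

POLICY = "gomboc-ai/policy/encryption/encryption_at_rest"   # policy id from the page

# Constructed inventory (not real Terraform): "file:line" -> resource attributes.
SAMPLE_RESOURCES = {
    "infrastructure/storage.tf:12": {"type": "aws_s3_bucket", "sse": None},
    "infrastructure/storage.tf:40": {"type": "aws_s3_bucket", "sse": "AES256"},
    "infrastructure/db.tf:5": {"type": "aws_db_instance", "storage_encrypted": False},
}

# A policy is a set of checks keyed by classification: (resource type, is_violated, risk).
CHECKS = {POLICY: {
    "s3-bucket-unencrypted": ("aws_s3_bucket", lambda r: r.get("sse") is None, "high"),
    "rds-storage-unencrypted": ("aws_db_instance", lambda r: not r.get("storage_encrypted"), "high"),
}}

Rule = Callable[[dict], None]        # assumption: a rule rewrites one resource in place
# Stand-in for what orl-expert would build for a gap, keyed by classification.
BUILDABLE: Dict[str, Rule] = {"rds-storage-unencrypted": lambda r: r.update(storage_encrypted=True)}

def sample_cache() -> Dict[str, Rule]:
    """Plays the part of .gomboc/cache/: one rule already exists for S3."""
    return {"s3-bucket-unencrypted": lambda r: r.update(sse="aws:kms")}

@dataclass
class Finding:
    location: str                    # file:line
    classification: str
    risk: str
    rule_id: Optional[str] = None    # existing-rule status, set in stage 2

def diagnose(resources: dict, policy: str) -> List[Finding]:
    """Stages 1 and 4: list violations, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [Finding(loc, cls, risk)
             for loc, res in resources.items()
             for cls, (rtype, violated, risk) in CHECKS[policy].items()
             if res["type"] == rtype and violated(res)]
    return sorted(found, key=lambda f: (order[f.risk], f.location))

def assess_coverage(findings: List[Finding], cache: dict, service: dict) -> None:
    """Stage 2: route each finding to 3A (rule_id set) or 3B (rule_id None)."""
    for f in findings:
        if f.classification in cache or f.classification in service:
            f.rule_id = f.classification

def build_rule(policy: str, classification: str, sample: dict) -> Optional[Rule]:
    """Stage 3B build plus quality gate: the candidate is accepted only if
    applying it to a copy of the violating resource clears the violation."""
    candidate = BUILDABLE.get(classification)
    if candidate is None:
        return None
    trial = copy.deepcopy(sample)
    candidate(trial)
    _, violated, _ = CHECKS[policy][classification]
    return None if violated(trial) else candidate

def enforce_policy(resources: dict, policy: str, cache: dict, service: dict, *,
                   dry_run: bool = False, create_missing: bool = False,
                   publish: bool = False) -> dict:
    """The full loop; returns a report instead of printing so it can be checked."""
    findings = diagnose(resources, policy)                                 # 1
    assess_coverage(findings, cache, service)                               # 2
    report = {"findings": len(findings), "applied": [], "planned": [],
              "built": [], "published": [], "uncovered": []}
    for f in findings:
        if f.rule_id is not None:                                           # 3A
            rule = cache.get(f.rule_id) or service[f.rule_id]
        elif create_missing:                                                # 3B
            rule = build_rule(policy, f.classification, resources[f.location])
            if rule is None:
                report["uncovered"].append(f.location)    # failed the gate
                continue
            if not dry_run:
                cache[f.classification] = rule            # new rule stays local
                report["built"].append(f.classification)
                if publish:                               # unless --publish
                    service[f.classification] = rule
                    report["published"].append(f.classification)
        else:
            report["uncovered"].append(f.location)        # reported, not fixed
            continue
        if dry_run:
            report["planned"].append(f.location)          # plan only, no edits
        else:
            rule(resources[f.location])
            report["applied"].append(f.location)
    report["remaining"] = len(diagnose(resources, policy))                  # 4
    return report

if __name__ == "__main__":
    inventory = copy.deepcopy(SAMPLE_RESOURCES)
    print(enforce_policy(inventory, POLICY, sample_cache(), {}, create_missing=True, publish=True))
```

The two things worth taking from the model are the gate in build_rule, which stands in for the orl-test-planner and orl-reviewer steps of path 3B (a candidate rule that does not clear the violation it was built for is rejected rather than applied), and the final re-diagnosis: the loop is only done when `remaining` is zero, and a dry run deliberately leaves it at the original count because nothing was modified.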

