- Added configuration options for requiring human approval before applying LLM-generated MCP patches. - Updated Docker setup to include skills directory. - Integrated skills management into the backend, allowing for procedural guides and skill matching. - Refactored database initialization to apply Alembic migrations. - Enhanced task approval process to handle MCP patch applications with optional approval. - Introduced new schemas for skills and updated existing APIs to support skills functionality. This commit lays the groundwork for improved agent capabilities and better management of MCP development processes.
2.3 KiB
2.3 KiB
id, name, description, priority, rule_ids, match
| id | name | description | priority | rule_ids | match | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| pfsense-change-safe | Safe pfSense changes | Backup-before-change workflow, evidence capture, and approval gates for production firewall/NAT edits on vessel pfSense instances. | 80 |
|
|
Safe pfSense changes on vessels
Read before write (always)
- List current state: interfaces, firewall rules, port forwards, outbound NAT.
- Identify the exact gap with filter.log or rule tracker IDs — not theory.
- Capture config backup or export before any write.
Agentic OS routes config-changing fixes through human approval. Proposed fixes with is_config_change: true appear in the task approval queue.
Pre-change checklist
- Confirmed interface names live (
vtnet2CREW,vtnet3Business, etc.) - Identified associated NAT + filter rule pairs
- Documented evidence (filter.log line, blocked port/proto, source/dest)
- Backup taken or backup tool available
- Change is minimal — one rule/NAT entry, not broad "allow all"
Common safe patterns (GeneseasX VoIP)
| Fix | Typical rule |
|---|---|
| One-way audio | Pass UDP 10000-10029 phone VLAN → shipPortal |
| RTP SNAT | Outbound NAT for phone subnet RTP to segment VIP |
| SIP registration | Port-forward UDP 5060 + pass on phone VLAN |
What NOT to do
- Do not disable pfSense entirely or add overly broad "any any" rules.
- Do not assume golden-lab IPs — confirm vessel inventory addresses.
- Do not list connect/diagnostic steps as
proposed_fixes— those belong insteps_taken.
Report expectations
When recommending a change:
- Describe exact rule (interface, proto, ports, source, dest)
- Reference evidence from diagnostics already collected
- Set
is_config_change: trueonly for actual pfSense write operations - Note if MCP writes require
PFSENSE_ALLOW_WRITES=trueon the MCP server
Post-change verification
- Re-test the original symptom (registration, RTP counters, filter.log clean)
- Upsert a memory record with rule tracker IDs and outcome for future tasks