
hcs-policy-tier-entry

Draft a proposed YAML tier entry for a new tool or capability. Target file is canonical in system-config, not this repo. Drafts require `hcs-policy-reviewer` subagent objections and human approval before merge.
jefahnierocks/host-capability-substrate · ★ 0 · Data & Documents · score 65
Install: claude install-skill jefahnierocks/host-capability-substrate
# Skill: Draft a policy tier entry

Use when a new tool surfaces in HCS usage and needs a classification in the live policy.

**This skill produces a draft only.** The live tier file lives at `~/Organizations/jefahnierocks/system-config/policies/host-capability-substrate/tiers.yaml` — editing it is a human-approved action in the system-config repo, not here.

## Inputs

- Tool name (e.g., `terraform`, `kubectl`, `docker`)
- Typical invocations + variants (e.g., `brew install`, `brew install --cask`)
- Any known destructive variants
- Dry-run / validate command (if any)

## Procedure

1. Read the existing tier schema at `policies/generated-snapshot/tiers.schema.json` (if snapshot is populated) or the Zod source at `packages/schemas/src/entities/PolicyRule.ts`.
2. Read existing entries in `~/Organizations/jefahnierocks/system-config/policies/host-capability-substrate/tiers.yaml` to match style and fill gaps.
3. Draft the entry following the schema. Required fields:
   - `capability` or `tool`: the canonical identifier
   - `default_tier`: one of `read-safe` | `write-local` | `write-project` | `write-host` | `write-destructive` | `forbidden`
   - `notes`: human-readable reasoning for the classification
4. Optional fields to populate when applicable:
   - `approval_required_for`: list of command-shape conditions that escalate one tier above default
   - `destructive_patterns`: regex list for fast pattern-match gating
   - `dry_run_command`: native dry-run if supported
   - `valida