VMware Policy

Unified audit logging, policy enforcement, and input sanitization -- the infrastructure layer for the entire VMware MCP skill family.

Infrastructure dependency: All 8 VMware skills depend on vmware-policy. It is auto-installed and provides the @vmware_tool decorator, sanitize(), and the shared audit database.
Family: vmware-aiops (VM lifecycle), vmware-monitor (read-only monitoring), vmware-storage (iSCSI/vSAN), vmware-vks (Tanzu Kubernetes), vmware-nsx (NSX networking), vmware-nsx-security (DFW/firewall), vmware-aria (metrics/alerts/capacity), vmware-avi (AVI/ALB/AKO).
| vmware-pilot (workflow orchestration)

What This Skill Does

Quick Install

CODEBLOCK0

vmware-policy is automatically installed as a dependency of all VMware skills. Manual install is only needed for standalone audit querying.

When to Use This Skill

• - Query the unified audit trail across all VMware skills
• View denied operations and policy violations
• Check audit statistics (by skill, by status, by time range)
• Export audit logs as JSON for external analysis
• Configure deny rules, maintenance windows, or change limits
• Integrate the @vmware_tool decorator into a new VMware skill

This skill is auto-loaded as a dependency -- you do not need to invoke it directly. It activates when:

• - Any VMware skill tool function is called (via @vmware_tool decorator)
• User asks about audit logs, denied operations, or policy rules
• User runs vmware-audit CLI commands

Related Skills -- Skill Routing

Common Workflows

Query Recent Audit Activity

1. 1. View last 20 audit entries: INLINECODE18
2. Filter by skill: INLINECODE19
3. Check denied operations: INLINECODE20
4. View aggregate stats: INLINECODE21

Set Up Policy Rules for Production

1. 1. Copy default rules: INLINECODE22
2. Edit ~/.vmware/rules.yaml -- add deny rules for production:

   deny:
     - name: no-delete-in-prod
       operations: ["delete_*", "cluster_delete"]
       environments: ["production"]
       reason: "Destructive operations blocked in production"
   maintenance_window:
     start: "22:00"
     end: "06:00"
   

1. 3. Rules hot-reload automatically -- no restart needed
2. Verify: vmware-audit log --status denied to see blocked operations

Export Audit Logs for Compliance

1. 1. Export all logs as JSON: INLINECODE25
2. Filter by skill: INLINECODE26
3. Import into your SIEM or compliance tool

Usage Mode

CLI Quick Reference

CODEBLOCK2

Full CLI reference: see INLINECODE30

Python API

CODEBLOCK3

MCP Tools (0)

vmware-policy does not expose MCP tools. It is a Python library and CLI consumed by other VMware skills.

Troubleshooting

"Cannot initialize audit DB" warning

Policy rules not taking effect

Audit log growing too large

"PolicyDenied" exception in skill

Decorator not detecting skill name

SQLite "database is locked" error

Setup

CODEBLOCK4

vmware-policy is auto-installed as a dependency of all VMware skills. The ~/.vmware/ directory is created automatically on first audit write.

Full setup guide, security details, and integration instructions: see INLINECODE48

Security

• - Source Code: github.com/zw008/VMware-Policy
• Config File Contents: ~/.vmware/rules.yaml contains only rule definitions, no credentials
• Webhook Data Scope: N/A -- vmware-policy does not send data externally
• TLS Verification: N/A -- vmware-policy does not make network connections
• Prompt Injection Protection: sanitize() truncates to 500 chars and strips C0/C1 control characters
• Least Privilege: Audit database is local-only (~/.vmware/audit.db), no network exposure

License

MIT -- github.com/zw008/VMware-Policy