Problem
The existing policy skills in skills/ only create policies; none let a user reorder the policies already applied to an instance. Policy order matters operationally — authentication must run before rate limiting, transformations should run last, etc.
Three current skills cite ordering as best practice but don't implement it:
skills/protect-api-with-policies/SKILL.md:467skills/protect-agent-with-policies/SKILL.md:527skills/protect-mcp-server-with-policies/SKILL.md:527
And skills/apply-policy-to-api-instance/SKILL.md:267 explicitly points at the endpoint as a follow-up:
"Use updateOrganizationsEnvironmentsApisPoliciesBulk to control execution order."
…but there's no skill that wraps it, so users (and agents) are on their own.
Endpoint already exists and is purpose-built
apis/api-manager/api.yaml:550 defines updateOrganizationsEnvironmentsApisPoliciesBulk, and its description at line 535 states:
"Updates multiple policies. Currently, only updates in order field are supported."
Request body is minimal (apis/api-manager/api.yaml:539-547):
```json
[
{ "id": 51, "order": 1 },
{ "id": 63, "order": 2 }
]
```
One skill covers APIs, MCP servers, and agents
protect-agent-with-policies and protect-mcp-server-with-policies both register their resource through createOrganizationsEnvironmentsApis (line 215 / 349 in each) — i.e., agents and MCP servers are API instances, just differentiated by the technology: field. The bulk-reorder endpoint operates on the same /apis/{environmentApiId}/policies path, so one skill handles all three resource types.
(The separate /managedServiceApis/... path at line 1720 has no bulk endpoint — out of scope.)
Proposed skill
Name: reorder-applied-policies (or mulesoft-dx-reorder-applied-policies if #42 lands first).
Flow:
listMe → organizationIdlistEnvironments → environmentIdlistOrganizationsEnvironmentsApis → environmentApiId (works for APIs, MCPs, agents)listOrganizationsEnvironmentsApisPolicies → current {id, order}- User provides new order
updateOrganizationsEnvironmentsApisPoliciesBulk with [{id, order}, ...]- Re-list to verify
Steps 1–3 are identical to apply-policy-to-api-instance and can be copied verbatim.
Trigger verbs would be deliberately disjoint from the existing "apply / protect / add / enforce" skills ("reorder", "sequence", "priority", "move X before Y") so the router doesn't see new competition.
Problem
The existing policy skills in
skills/only create policies; none let a user reorder the policies already applied to an instance. Policy order matters operationally — authentication must run before rate limiting, transformations should run last, etc.Three current skills cite ordering as best practice but don't implement it:
skills/protect-api-with-policies/SKILL.md:467skills/protect-agent-with-policies/SKILL.md:527skills/protect-mcp-server-with-policies/SKILL.md:527And
skills/apply-policy-to-api-instance/SKILL.md:267explicitly points at the endpoint as a follow-up:…but there's no skill that wraps it, so users (and agents) are on their own.
Endpoint already exists and is purpose-built
apis/api-manager/api.yaml:550definesupdateOrganizationsEnvironmentsApisPoliciesBulk, and its description at line 535 states:Request body is minimal (
apis/api-manager/api.yaml:539-547):```json
[
{ "id": 51, "order": 1 },
{ "id": 63, "order": 2 }
]
```
One skill covers APIs, MCP servers, and agents
protect-agent-with-policiesandprotect-mcp-server-with-policiesboth register their resource throughcreateOrganizationsEnvironmentsApis(line 215 / 349 in each) — i.e., agents and MCP servers are API instances, just differentiated by thetechnology:field. The bulk-reorder endpoint operates on the same/apis/{environmentApiId}/policiespath, so one skill handles all three resource types.(The separate
/managedServiceApis/...path at line 1720 has no bulk endpoint — out of scope.)Proposed skill
Name:
reorder-applied-policies(ormulesoft-dx-reorder-applied-policiesif #42 lands first).Flow:
listMe→organizationIdlistEnvironments→environmentIdlistOrganizationsEnvironmentsApis→environmentApiId(works for APIs, MCPs, agents)listOrganizationsEnvironmentsApisPolicies→ current{id, order}updateOrganizationsEnvironmentsApisPoliciesBulkwith[{id, order}, ...]Steps 1–3 are identical to
apply-policy-to-api-instanceand can be copied verbatim.Trigger verbs would be deliberately disjoint from the existing "apply / protect / add / enforce" skills ("reorder", "sequence", "priority", "move X before Y") so the router doesn't see new competition.