Skip to content

Policies

A policy is a set of rules attached to one or more agents. All tool calls are evaluated against it before executing.

Structure

json
{
  "name": "production-payment-controls",
  "scope": {
    "agent_selector": ["payment-agent", "finance-*"],
    "environment": ["prod"]
  },
  "rules": {
    "tool_allowlist": ["read_order", "refund_order"],
    "approval_required_tools": ["refund_order"],
    "model_allowlist": ["gpt-4o-mini"],
    "max_tokens_per_request": 2000,
    "pii_handling": "redact",
    "prompt_injection_action": "deny",
    "data_exfiltration_action": "warn"
  }
}

Default deny

Anything not on tool_allowlist is denied by default. No policy assigned → all tool calls denied.

Scope matching

agent_selector supports glob patterns (*, ?). Blank = match all agents.
environment filters by deployment env. Blank = match all environments.

Rules reference

Tool access

FieldTypeDescription
tool_allowlistlist[str]Tools that may execute immediately
approval_required_toolslist[str]Tools that pause for human review (must also be in tool_allowlist)

Model access

FieldTypeDescription
model_allowlistlist[str]LLM identifiers permitted for this policy

Budget limits

FieldDefaultDescription
max_tokens_per_request1000Token ceiling per single preflight
max_tokens_per_sessionunlimitedToken ceiling per session
max_tokens_per_dayunlimitedDaily token ceiling
max_cost_per_request_usdUSD ceiling per request

Safety guardrails

FieldOptions
pii_handling"allow" | "redact" | "deny"
prompt_injection_action"allow" | "warn" | "deny"
data_exfiltration_action"allow" | "warn" | "deny"

Time windows

FieldDescription
window_allowed_dayse.g. ["mon","tue","wed","thu","fri"]
window_start_hour0–23
window_end_hour0–23
window_timezonee.g. "America/New_York"
window_action"deny" | "defer" (queue for human review)

Post-flight

FieldDescription
privilege_deescalation_thresholdAfter N token-overage strikes, force all tools through human review

Versioning

Policies are versioned. Creating a new version doesn't take effect until you activate it. Old versions are archived and can be re-activated.

Creating policies

Apache 2.0 License