Policies
A policy is a set of rules attached to one or more agents. All tool calls are evaluated against it before executing.
Structure
json
{
"name": "production-payment-controls",
"scope": {
"agent_selector": ["payment-agent", "finance-*"],
"environment": ["prod"]
},
"rules": {
"tool_allowlist": ["read_order", "refund_order"],
"approval_required_tools": ["refund_order"],
"model_allowlist": ["gpt-4o-mini"],
"max_tokens_per_request": 2000,
"pii_handling": "redact",
"prompt_injection_action": "deny",
"data_exfiltration_action": "warn"
}
}Default deny
Anything not on tool_allowlist is denied by default. No policy assigned → all tool calls denied.
Scope matching
agent_selector supports glob patterns (*, ?). Blank = match all agents.environment filters by deployment env. Blank = match all environments.
Rules reference
Tool access
| Field | Type | Description |
|---|---|---|
tool_allowlist | list[str] | Tools that may execute immediately |
approval_required_tools | list[str] | Tools that pause for human review (must also be in tool_allowlist) |
Model access
| Field | Type | Description |
|---|---|---|
model_allowlist | list[str] | LLM identifiers permitted for this policy |
Budget limits
| Field | Default | Description |
|---|---|---|
max_tokens_per_request | 1000 | Token ceiling per single preflight |
max_tokens_per_session | unlimited | Token ceiling per session |
max_tokens_per_day | unlimited | Daily token ceiling |
max_cost_per_request_usd | — | USD ceiling per request |
Safety guardrails
| Field | Options |
|---|---|
pii_handling | "allow" | "redact" | "deny" |
prompt_injection_action | "allow" | "warn" | "deny" |
data_exfiltration_action | "allow" | "warn" | "deny" |
Time windows
| Field | Description |
|---|---|
window_allowed_days | e.g. ["mon","tue","wed","thu","fri"] |
window_start_hour | 0–23 |
window_end_hour | 0–23 |
window_timezone | e.g. "America/New_York" |
window_action | "deny" | "defer" (queue for human review) |
Post-flight
| Field | Description |
|---|---|
privilege_deescalation_threshold | After N token-overage strikes, force all tools through human review |
Versioning
Policies are versioned. Creating a new version doesn't take effect until you activate it. Old versions are archived and can be re-activated.
Creating policies
- Dashboard: agentmanager.gavrun.ai/policies/new
- AI-generated: describe what you want in plain English → dashboard generates a draft
- API:
POST /api/v1/policies