Skip to main content

Policy Examples

A collection of ready-to-use policy files for common governance scenarios.

Read-Only Agent

Blocks any mutating HTTP methods.

policies/read-only.json
{
  "name": "read-only",
  "description": "Agent may only perform read operations",
  "owner": "platform-team",
  "default": "Deny",
  "rules": [
    {
      "name": "allow-reads",
      "priority": 10,
      "effect": "Allow",
      "conditions": [
        { "field": "input.method", "operator": "in", "value": ["GET", "HEAD", "OPTIONS"] }
      ]
    }
  ]
}

Delete Requires Human Approval

All DELETE requests are held for human review.

policies/safe-delete.json
{
  "name": "safe-delete",
  "description": "Deletes require manual approval",
  "owner": "security-team",
  "default": "Allow",
  "rules": [
    {
      "name": "hitl-on-delete",
      "reason": "Deletion requires human approval",
      "priority": 100,
      "effect": "Hitl",
      "conditions": [
        { "field": "input.method", "operator": "eq", "value": "DELETE" }
      ]
    }
  ]
}

Block Admin Endpoints

Denies access to paths containing /admin/.

policies/no-admin.json
{
  "name": "no-admin",
  "description": "Agents may not access admin endpoints",
  "owner": "security-team",
  "default": "Allow",
  "rules": [
    {
      "name": "deny-admin-paths",
      "reason": "Admin access is restricted",
      "priority": 100,
      "effect": "Deny",
      "conditions": [
        { "field": "input.path", "operator": "regex", "value": "/admin/" }
      ]
    }
  ]
}

Low-Trust Agent Policy

Routes low-trust-score agents to HITL for any write operations.

policies/low-trust.json
{
  "name": "low-trust",
  "description": "Extra scrutiny for low-trust agents",
  "owner": "security-team",
  "default": "Allow",
  "rules": [
    {
      "name": "hitl-writes-for-low-trust",
      "reason": "Low trust score — write requires approval",
      "priority": 50,
      "effect": "Hitl",
      "conditions": [
        { "field": "input.trustScore", "operator": "lt", "value": 0.4 },
        { "field": "input.method", "operator": "in", "value": ["POST", "PUT", "PATCH", "DELETE"] }
      ]
    }
  ]
}

Bulk-Export HITL + Delete Deny

Combines multiple rules at different priorities.

policies/data-agent.json
{
  "name": "data-agent",
  "description": "Governs a data-pipeline agent",
  "owner": "data-team",
  "default": "Deny",
  "rules": [
    {
      "name": "deny-delete",
      "reason": "Data agents may not delete",
      "priority": 200,
      "effect": "Deny",
      "conditions": [
        { "field": "input.method", "operator": "eq", "value": "DELETE" }
      ]
    },
    {
      "name": "hitl-bulk-export",
      "reason": "Bulk operations require approval",
      "priority": 150,
      "effect": "Hitl",
      "conditions": [
        { "field": "input.path", "operator": "regex", "value": "/export|/bulk|/dump" }
      ]
    },
    {
      "name": "allow-reads",
      "priority": 10,
      "effect": "Allow",
      "conditions": [
        { "field": "input.method", "operator": "in", "value": ["GET", "HEAD"] }
      ]
    },
    {
      "name": "allow-standard-writes",
      "priority": 5,
      "effect": "Allow",
      "conditions": [
        { "field": "input.method", "operator": "in", "value": ["POST", "PUT", "PATCH"] }
      ]
    }
  ]
}