Policies
The allow / deny / require-approval gate on every action and proxy call, plus default-deny on writes.
A policy decides what happens when an action runs: allow, deny, or require approval. Policies are evaluated on direct action execution and on proxy calls — before anything reaches the provider.
What a policy matches
A policy in an environment has:
provider_config_key— which provider (default*= all).action_pattern— which actions, e.g.*,send-*,list-repos(actions are matched in slash form, e.g.github/send-message).effect—allow,deny,require_approval, ortransform.condition— an optional condition (DSL, or Rego with the OPA backend) so a rule applies only when the payload/context matches.transform— for thetransformeffect, which payload fields to sanitize before the action runs.enabledandaudit_only—audit_onlyevaluates the rule and records what it would have done without actually enforcing it (a safe way to trial a policy).
How a decision is reached
When several policies match, the most restrictive wins: deny > require_approval > allow. An
enforcing rule beats an audit_only shadow of the same rank.
The outcome:
- deny → the call returns
403and never executes (anaudit_onlydeny returns200but is recorded as a would-deny). - require_approval → the call returns
202with anapproval_id; the action is held for approval. - transform → the action runs against a sanitized payload (the listed fields are redacted); the response tells the agent exactly which fields were transformed. A field outside the payload fails closed.
- allow → the action executes.
For payload-level sanitization across all actions (not just one policy), see content-level data redaction, which also writes signed receipts.
Default-deny on writes
Actions are classified read, write, or destructive (from HTTP method + name —
delete/remove/refund/… are destructive; create/update/send/charge/… are writes). With the
environment flag POLICY_DEFAULT_DENY_WRITES (on by default — secure by default), any write or
destructive action with no matching allow policy is denied, so an agent can only write where you've
explicitly permitted it. Reads always default to allow. Set the flag to false only for an environment
you intend to leave open.
Manage policies
Policies are managed under /api/v1/governance/policies (JWT auth; canManagePolicies).
| Method | Path | Purpose |
|---|---|---|
GET | /governance/policies?environment_id= | List policies |
GET | /governance/policies/effective?environment_id= | Merged environment + org-default policies |
POST | /governance/policies | Create a policy |
PATCH | /governance/policies/{policy_id} | Update |
DELETE | /governance/policies/{policy_id} | Delete |
POST | /governance/policies/simulate | Simulate a draft rule against an action |
GET | /governance/policy-lineage | Signed, diffable version history |
Dry-run a check
returns the disposition (allowed / approval / denied) and the matching policy without executing
anything.