Policy Recipes
Example policies for common scenarios.
Block dangerous shell commands
rules:
  - match:
      tool: shell
      contains: "rm -rf"
    deny: true
    reason: "Destructive commands blocked"
  - match:
      tool: shell
      operation: exec
    require_approval: true
    reason: "Shell commands need approval"
Require approval for payments and refunds
rules:
  - match:
      tool: payment
      operation: refund
    require_approval: true
    reason: "Refunds need manual verification"
  - match:
      tool: payment
      operation: process
    require_approval: true
    reason: "Transactions need approval"
Protect database operations
rules:
  - match:
      tool: database
      operation: drop_table
    deny: true
    reason: "Dropping tables not allowed"
  - match:
      tool: database
      operation: read
    allow: true
    reason: "Reads are safe"
GitHub: allow comments, require approval for merges
rules:
  - match:
      tool: github
      operation: merge_pr
    require_approval: true
    reason: "PR merges need approval"
  - match:
      tool: github
      operation: create_pr_comment
    allow: true
    reason: "Comments allowed"
Allow low-risk reads
rules:
  - match:
      tool: http
      operation: get
    allow: true
    reason: "HTTP GET safe"
  - match:
      tool: file
      operation: read
    allow: true
    reason: "File reads safe"
Combine and reorder recipes to match your needs: put more specific rules first and catch-all rules last.
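The following is an added example, not the project's own evaluator, showing why rule order matters across these recipes. It takes the rule schema from the page (match.tool, match.operation, match.contains; deny, allow, require_approval; reason) and assumes the evaluation semantics: rules are checked top to bottom, the first match wins, a tool call carries a raw argument string that `contains` is tested against, and a call matched by no rule is denied. The rules are embedded as Python dicts that mirror the page's YAML so the script runs without a YAML library. The `shadowed_rules` linter is an addition that flags a rule which can never fire because an earlier rule matches everything it matches.

```python
"""Added example: first-match evaluation of the recipe rules above.

Assumptions (not stated on the page): first matching rule wins, unmatched
calls are denied, and each tool call has a raw `args` string that the
`contains` matcher is tested against.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ToolCall:
    tool: str
    operation: str
    args: str = ""  # assumed: raw argument string, e.g. a shell command line


# Constructed rule list combining two recipes from the page, in the
# recommended order: the specific "rm -rf" deny before the broad exec rule.
RULES: List[Dict] = [
    {"match": {"tool": "shell", "contains": "rm -rf"},
     "deny": True, "reason": "Destructive commands blocked"},
    {"match": {"tool": "shell", "operation": "exec"},
     "require_approval": True, "reason": "Shell commands need approval"},
    {"match": {"tool": "http", "operation": "get"},
     "allow": True, "reason": "HTTP GET safe"},
]


def matches(match: Dict, call: ToolCall) -> bool:
    """Every key present in the match block must hold; absent keys are wildcards."""
    if "tool" in match and match["tool"] != call.tool:
        return False
    if "operation" in match and match["operation"] != call.operation:
        return False
    if "contains" in match and match["contains"] not in call.args:
        return False
    return True


def decide(rules: List[Dict], call: ToolCall) -> Tuple[str, str]:
    """Return (decision, reason) for the first rule that matches the call."""
    for rule in rules:
        if not matches(rule["match"], call):
            continue
        if rule.get("deny"):
            return "deny", rule["reason"]
        if rule.get("require_approval"):
            return "require_approval", rule["reason"]
        if rule.get("allow"):
            return "allow", rule["reason"]
    # Assumed default: anything no rule speaks to is denied.
    return "deny", "No matching rule (default deny)"


def broader_or_equal(earlier: Dict, later: Dict) -> bool:
    """True if every call matched by `later` is also matched by `earlier`."""
    for key, val in earlier.items():
        if key not in later:
            return False  # later is a wildcard where earlier is not
        if key == "contains":
            if val not in later[key]:  # a shorter substring is the looser test
                return False
        elif later[key] != val:
            return False
    return True


def shadowed_rules(rules: List[Dict]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule is broader."""
    shadowed = []
    for j, later in enumerate(rules):
        if any(broader_or_equal(e["match"], later["match"]) for e in rules[:j]):
            shadowed.append(j)
    return shadowed


if __name__ == "__main__":
    for call in (ToolCall("shell", "exec", "rm -rf /tmp/build"),
                 ToolCall("shell", "exec", "ls -la"),
                 ToolCall("http", "get", "https://example.invalid/"),
                 ToolCall("http", "post", "")):
        print(call, "->", decide(RULES, call))
    # Swapping the two shell rules lets the broad approval rule catch the
    # destructive command first, so it is no longer denied outright.
    swapped = [RULES[1], RULES[0], RULES[2]]
    print("swapped order ->", decide(swapped, ToolCall("shell", "exec", "rm -rf /tmp/build")))
    print("shadowed in swapped order:", shadowed_rules(
        [{"match": {"tool": "shell"}, "allow": True, "reason": "catch-all first"}] + RULES))
```

With the rules in the page's order the destructive command is denied and an ordinary command goes to approval; with the two shell rules swapped the same destructive command is only routed to approval, because the broad `exec` rule wins the first match. A catch-all such as `match: {tool: shell}` placed first shadows every later shell rule, which is what the linter reports.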
