Policy-Based Governance
Define rules for controlling agent actions with YAML-based policies. Simple syntax, powerful control.
What are Policies?
Rules that govern AI agent actions
Policies are sets of rules that determine whether an action should be allowed, denied, or require human approval. Each rule matches actions based on criteria like tool name, operation, parameters, and context.
Policy File Location
Policies are stored in YAML files. By default, FaraCore looks for:
- ~/.faramesh/policy.yaml (user home directory)
- Or set the FARA_POLICY_FILE environment variable to specify a custom path
First-Match Wins
Policies are evaluated using a first-match wins strategy:
- Rules evaluated in order
- First matching rule determines decision
- Subsequent rules are skipped
Rule order matters! Put specific rules first.
Default Deny
Faramesh follows a default deny security model:
- No match = automatic deny
- Always include catch-all deny rule
- Only explicitly allowed actions proceed
Basic Policy Structure
Every policy file contains a list of rules:
rules:
  - match:
      tool: "http"
      op: "*"
    allow: true
    description: "Allow HTTP requests"
  - match:
      tool: "shell"
      op: "*"
    require_approval: true
    description: "Shell commands require approval"
    risk: "medium"
  - match:
      tool: "*"
      op: "*"
    deny: true
    description: "Default deny"

Rule Components
Each rule consists of these components
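As an added illustration (not FaraCore's own code), this sketch models first-match-wins evaluation with default deny over rules shaped like the ones above, and flags rules that an earlier, broader rule makes unreachable. It assumes "*" is a glob wildcard, matches only on tool and op, and uses constructed rules and hypothetical function names.

```python
from fnmatch import fnmatchcase

# Constructed rules in the page's shape, with one ordering mistake:
# the catch-all deny sits above the shell approval rule.
RULES = [
    {"match": {"tool": "http", "op": "*"}, "allow": True},
    {"match": {"tool": "*", "op": "*"}, "deny": True},
    {"match": {"tool": "shell", "op": "*"}, "require_approval": True},
]

def matches(rule, action):
    # Assumption: "*" is a glob wildcard and a missing key matches anything.
    m = rule.get("match", {})
    return all(fnmatchcase(action.get(k, ""), m.get(k, "*")) for k in ("tool", "op"))

def decide(rules, action):
    """First match wins; an action that no rule matches is denied."""
    for index, rule in enumerate(rules):
        if matches(rule, action):
            # Assumed precedence if a rule carries several decision keys.
            if rule.get("deny"):
                return "deny", index
            if rule.get("require_approval"):
                return "require_approval", index
            if rule.get("allow"):
                return "allow", index
            return "deny", index  # no decision key: fail closed
    return "deny", None  # default deny

def covers(earlier, later):
    # Conservative check: each earlier field is "*" or identical to the
    # later field. Partial globs such as "sh*" are not compared.
    e, l = earlier.get("match", {}), later.get("match", {})
    return all(e.get(k, "*") in ("*", l.get(k, "*")) for k in ("tool", "op"))

def shadowed(rules):
    """Return (rule_index, shadowing_index) pairs for rules that can never fire."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                found.append((j, i))
                break
    return found
```

With the constructed RULES, a shell action is denied by rule 1 and never reaches the approval rule at index 2; moving the catch-all to the end restores the intended behaviour.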
Policy Refresh
Reload policies without restarting the server
After modifying a policy file, reload it without restarting the server:
faracore policy-refresh

This reloads the policy file and applies changes immediately. Use the --hot-reload flag when starting the server for automatic reloading on file changes.