Policy Recipes

Ready-to-Use Policy Examples

Copy and customize these policy recipes for common scenarios. Each recipe is production-tested and ready to use.

Basic Allow + Approval + Default Deny

The most common pattern: allow some actions, require approval for others, and deny everything else.

rules:
  - match: { tool: "http", op: "*" }
    allow: true
    description: "Allow HTTP"

  - match: { tool: "shell", op: "*" }
    require_approval: true
    description: "Shell requires approval"
    risk: "medium"

  - match: { tool: "*", op: "*" }
    deny: true
    description: "Default deny"

Deny Destructive Shell Commands

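Block dangerous shell commands using pattern matching. Keep this rule above any shell allow or approval rule you add, because the first matching rule wins.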

rules:
  - match:
      tool: "shell"
      op: "*"
      pattern: "rm -rf|shutdown|reboot|mkfs|:(){:|:&};:"
    deny: true
    description: "Block destructive shell commands"
    risk: "high"

  - match: { tool: "*", op: "*" }
    deny: true
    description: "Default deny"

Require Approval for Large Stripe Refunds

Use amount_gt to require approval for high-value financial operations.

rules:
  - match:
      tool: "stripe"
      op: "refund"
      amount_gt: 1000
    require_approval: true
    description: "Large refunds require approval"
    risk: "medium"

  - match: { tool: "stripe", op: "*" }
    allow: true
    description: "Allow other Stripe operations"
    risk: "low"

  - match: { tool: "*", op: "*" }
    deny: true
    description: "Default deny"

Allow HTTP Requests

Simple policy to allow all HTTP operations.

rules:
  - match:
      tool: "http"
      op: "*"
    allow: true
    description: "Allow all HTTP operations"

  - match: { tool: "*", op: "*" }
    deny: true
    description: "Default deny (first-match wins)"

Deny Unknown Tools

Only allow explicitly trusted tools, deny everything else.

rules:
  - match:
      tool: "trusted_tool"
      op: "*"
    allow: true
    description: "Allow trusted tool"

  - match: { tool: "*", op: "*" }
    deny: true
    description: "Deny everything else (default deny)"

Shell Commands Require Approval

Require approval for all shell operations while allowing other tools.

rules:
  - match: { tool: "http", op: "*" }
    allow: true
    description: "Allow HTTP"

  - match: { tool: "shell", op: "*" }
    require_approval: true
    description: "Shell requires approval"
    risk: "medium"

  - match: { tool: "*", op: "*" }
    deny: true
    description: "Default deny (first-match wins)"

Tips for Writing Policies

Best practices for creating effective policies

1. Order matters: put specific rules before general ones (first-match wins).
2. Always include default deny: end with a catch-all deny rule for security.
3. Use descriptions: help others understand your rules with clear descriptions.
4. Set risk levels: this helps prioritize approvals and understand action severity.
5. Test policies: use faracore policy-test before deploying to production.
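
The first two tips applied to the Stripe refund recipe above, as an added example that is not part of the original page and is not faracore's own code: a minimal Python model of first-match-wins evaluation, showing how placing the general Stripe allow rule above the refund rule silently removes the approval step. The matching semantics and the action's `amount` field are assumptions.

```python
# Added illustration: a minimal model of first-match-wins rule evaluation.
# Not faracore's implementation; field semantics below are assumptions.

def matches(match, action):
    """True if the action satisfies every condition in a rule's match block."""
    for field in ("tool", "op"):
        want = match.get(field, "*")
        if want != "*" and want != action.get(field):
            return False
    if "amount_gt" in match:
        # Assumption: the condition fails when the action carries no amount.
        amount = action.get("amount")
        if amount is None or amount <= match["amount_gt"]:
            return False
    return True

def decide(rules, action):
    """Return the decision of the first matching rule; fail closed otherwise."""
    for rule in rules:
        if matches(rule["match"], action):
            for decision in ("deny", "require_approval", "allow"):
                if rule.get(decision):
                    return decision
            return "deny"  # matched rule with no decision key: fail closed
    return "deny"          # no rule matched: fail closed

def has_default_deny(rules):
    """True if the last rule is the catch-all deny every recipe ends with."""
    return bool(rules) and rules[-1]["match"] == {"tool": "*", "op": "*"} \
        and rules[-1].get("deny") is True

# The Stripe recipe from this page, written as Python dicts.
REFUND_APPROVAL = {"match": {"tool": "stripe", "op": "refund", "amount_gt": 1000},
                   "require_approval": True}
STRIPE_ALLOW = {"match": {"tool": "stripe", "op": "*"}, "allow": True}
DEFAULT_DENY = {"match": {"tool": "*", "op": "*"}, "deny": True}

CORRECT = [REFUND_APPROVAL, STRIPE_ALLOW, DEFAULT_DENY]
MISORDERED = [STRIPE_ALLOW, REFUND_APPROVAL, DEFAULT_DENY]  # general rule first

# Constructed sample action; the "amount" field name is an assumption.
BIG_REFUND = {"tool": "stripe", "op": "refund", "amount": 1500}

if __name__ == "__main__":
    print("correct order:   ", decide(CORRECT, BIG_REFUND))
    print("misordered:      ", decide(MISORDERED, BIG_REFUND))
    print("has default deny:", has_default_deny(CORRECT))
```

A check like has_default_deny can run in CI next to faracore policy-test so that a policy missing its catch-all rule is rejected before deployment.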