Use Cases
1. Block dangerous shell commands
Scenario: Your OpenClaw agent can execute bash commands. You want to block destructive operations (rm -rf, shutdown, etc.) and require approval for others.
Simple policy:
Bash: Ask (every shell command needs approval)
File System: Allow (safe file operations)
Advanced YAML:
rules:
  - match:
      tool: bash
      params:
        command: "rm -rf|shutdown|reboot|mkfs|dd if="
    deny: true
    reason: "Destructive command blocked"
  - match:
      tool: bash
    require_approval: true
    reason: "Shell command requires approval"
2. Allow browsing, deny file writes
Scenario: Your agent browses the web for research but shouldn't write files.
Simple policy:
Browser: Allow
File System: Deny
Network: Allow
Bash: Deny
3. Require approval for payments
Scenario: Your agent processes Stripe payments. Any payment over $100 needs approval.
Advanced YAML:
rules:
  - match:
      tool: stripe
      op: charge
      amount_gt: 100
    require_approval: true
    risk: high
    reason: "Payment over $100 requires approval"
  - match:
      tool: stripe
      op: charge
    allow: true
4. Different policies per agent
Scenario: You have a research agent that browses freely, and a deployment agent that needs strict controls.
Simple policies:
Research agent: Everything Allow except Bash (Ask)
Deployment agent: Everything Ask except Browser (Deny)
Set per-agent policies via the dashboard or API:
faramesh policy set bash allow --agent-id research-agent
faramesh policy set bash ask --agent-id deploy-agent
faramesh policy set browser deny --agent-id
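The policies in use cases 1 and 3 both put a specific rule ahead of a catch-all, so the result depends on evaluation order. The sketch below is an added example, not Faramesh code: it models those two policies in Python, assuming first-match-wins evaluation, regex search on parameters, a hypothetical `amount` parameter for `amount_gt`, and deny when nothing matches.

```python
import re

# Rules from use cases 1 and 3 as Python dicts (page's YAML, same order).
RULES = [
    {"match": {"tool": "bash",
               "params": {"command": r"rm -rf|shutdown|reboot|mkfs|dd if="}},
     "decision": "deny"},
    {"match": {"tool": "bash"}, "decision": "require_approval"},
    {"match": {"tool": "stripe", "op": "charge", "amount_gt": 100},
     "decision": "require_approval"},
    {"match": {"tool": "stripe", "op": "charge"}, "decision": "allow"},
]

def matches(match, action):
    """Assumption: every key under `match` must hold for the rule to apply."""
    params = action.get("params", {})
    for key, want in match.items():
        if key == "params":
            # Assumption: each pattern is a regex searched within the parameter.
            if not all(re.search(p, str(params.get(n, ""))) for n, p in want.items()):
                return False
        elif key == "amount_gt":
            # Assumption: compared with a hypothetical `amount` parameter.
            if not params.get("amount", 0) > want:
                return False
        elif action.get(key) != want:
            return False
    return True

def evaluate(action, rules=RULES):
    """Assumption: first matching rule wins; no match falls back to deny."""
    for rule in rules:
        if matches(rule["match"], action):
            return rule["decision"]
    return "deny"

def bash(cmd):
    return {"tool": "bash", "params": {"command": cmd}}

def charge(amount):
    return {"tool": "stripe", "op": "charge", "params": {"amount": amount}}

if __name__ == "__main__":
    # Constructed sample actions.
    for a in (bash("rm -rf /tmp/build"), bash("rm -r -f /tmp/build"), bash("ls -la"), charge(100), charge(101)):
        print(a["tool"], a["params"], "->", evaluate(a))
    # Reversed order: the catch-all approval rule shadows the deny rule.
    print(evaluate(bash("rm -rf /tmp/build"), rules=[RULES[1], RULES[0]]))
```

Under these assumptions a spelling the pattern does not list still lands on the approval rule, and a charge of exactly 100 is allowed because the comparison is strict.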
5. Audit compliance
Scenario: You need a complete audit trail of every AI agent action for compliance.
Faramesh records every decision — allow, ask, and deny — with:
Timestamp
Agent ID
Tool name and parameters
Category
Decision and reason
Risk level
Runtime ID (which machine)
Policy version at the time of decision
Export via the dashboard (JSON/CSV) or query the API:
faramesh list --limit 1000 --json
6. Multi-machine fleet monitoring
Scenario: You have OpenClaw agents running on 5 VPS servers. You want to see all activity in one place.
Each plugin instance sends a runtime_id (hostname) with every action. The Fleet page in the dashboard shows all runtimes under your org account, with action counts and last-seen timestamps.