Policy engine

Deterministic policy for autonomous agent actions.

Security-critical agent decisions should not rely only on LLM judgment. A policy engine should produce typed, explainable decisions at the action boundary.

Policy inputs

The policy engine needs enough context to make a useful decision: agent identity, session, owner, team, resource type, resource path, action type, command or tool call, environment, data classification, risk signals, permissions, and approval state.

The same action can have different outcomes depending on context. Reading a normal source file on a feature branch may be allowed. Reading `.env` should be denied. Editing auth code may require approval. Sending a secret-like payload to an unknown domain should be denied or terminated.

Policy outcomes

  • allow: Permit normal work. Log the action with context and continue.
  • deny: Block high-risk actions. Prevent secret reads, destructive commands, and production access.
  • redact: Remove sensitive values. Persist markers and metadata instead of raw secrets.
  • require approval: Pause before execution. Route risky but legitimate actions to a human approver.
  • alert: Notify security. Surface unknown network egress, unusual access, or repeated denials.
  • terminate: Stop the session. End repeated or severe unsafe behavior.

Default rules for AI coding agents

  • Deny `.env` reads, private keys, production secrets, and backup deletion.
  • Deny `rm -rf`, `DROP DATABASE`, `terraform destroy`, `kubectl delete`, and force pushes.
  • Approval-gate auth, payment, infra, CI/CD, migrations, deployments, and customer-data exports.
  • Redact detected API keys, JWTs, SSH keys, cloud credentials, database URLs, and SaaS tokens.
  • Alert or deny unknown network egress and upload-like behavior.

Explainability is part of enforcement

A policy decision should include the decision ID, action ID, decision, policy IDs, reason, risk score, approver role, redactions, and timestamp. This makes the runtime usable for developers and credible for auditors.
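As an added example (not the product's own code), the policy inputs, default rules and decision record described on this page as a small deterministic evaluator in Python; the secret patterns, file suffixes, path prefixes, egress allow-list, policy IDs and the three-denial termination threshold are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

SECRET_PATTERNS = {"aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
                   "jwt": re.compile(r"eyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}")}
SECRET_FILES = (".env", "id_rsa", "id_ed25519", ".pem")
DESTRUCTIVE = ("rm -rf", "DROP DATABASE", "terraform destroy", "kubectl delete", "push --force")
APPROVAL_PATHS = ("auth/", "payments/", "infra/", ".github/workflows/", "migrations/")
KNOWN_EGRESS = {"api.github.com", "pypi.org"}  # constructed allow-list; the lists above are illustrative too
TERMINATE_AFTER = 3  # denials in one session before the session is ended
@dataclass
class Action:
    action_id: str
    kind: str               # "read" | "edit" | "exec" | "egress"
    target: str             # file path, shell command, or destination host
    payload: str = ""       # data read, written, or sent
    environment: str = "dev"
    approved: bool = False  # True once a human approver has signed off
@dataclass
class Decision:
    action_id: str
    decision: str           # allow | deny | redact | require_approval | alert | terminate
    policy_ids: list
    reason: str
    risk_score: int
    approver_role: str = ""
    redactions: list = field(default_factory=list)  # marker names only, never raw values

def evaluate(a: Action, prior_denials: int = 0) -> Decision:
    """First matching rule wins, so the same input always yields the same decision."""
    secrets = [n for n, rx in SECRET_PATTERNS.items() if rx.search(a.payload)]
    if a.kind == "read" and a.target.endswith(SECRET_FILES):
        d = Decision(a.action_id, "deny", ["P-SECRET-READ"], "read of secret store", 90)
    elif a.kind == "exec" and (a.environment == "prod" or any(x in a.target for x in DESTRUCTIVE)):
        d = Decision(a.action_id, "deny", ["P-DESTRUCTIVE"], "destructive or production command", 95)
    elif a.kind == "egress" and a.target not in KNOWN_EGRESS:
        d = (Decision(a.action_id, "deny", ["P-EGRESS-SECRET"], "secret-like payload to unknown host", 100, "", secrets)
             if secrets else Decision(a.action_id, "alert", ["P-EGRESS-UNKNOWN"], "unknown network egress", 60))
    elif a.kind == "edit" and a.target.startswith(APPROVAL_PATHS) and not a.approved:
        d = Decision(a.action_id, "require_approval", ["P-SENSITIVE-EDIT"], "sensitive code path", 50, "security")
    elif secrets:  # permitted work, but the audit record must keep markers rather than raw secrets
        d = Decision(a.action_id, "redact", ["P-REDACT"], "secret-like values in payload", 30, "", secrets)
    else:
        d = Decision(a.action_id, "allow", ["P-DEFAULT-ALLOW"], "normal work", 5)
    if d.decision == "deny" and prior_denials + 1 >= TERMINATE_AFTER:  # repeated denials end the session
        d.decision, d.policy_ids, d.risk_score = "terminate", d.policy_ids + ["P-REPEAT-DENY"], 100
    return d

def redact_for_log(payload: str) -> str:  # persist markers and metadata, not raw secret values
    for name, rx in SECRET_PATTERNS.items():
        payload = rx.sub(f"<REDACTED:{name}>", payload)
    return payload
```

The caller adds the decision ID and timestamp when it persists the record, and passes the session's running denial count so that repeated denials escalate to termination.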

Turn every agent action into an explainable policy decision.
