Policy Syntax Guide

Complete reference for policy JSON structure and fields.

Full Policy Schema

policy.json
{
  "policy_id": "string",
  "workspace_id": "string",
  "version": "string",
  "status": "draft | active | archived",
  "content": {
    "agent": {
      "models": {
        "allowed_providers": ["string"],
        "allowed_models": ["string"],
        "denied_models": ["string"]
      },
      "capabilities": {
        "allowed_tools": ["string"],
        "denied_tools": ["string"],
        "require_tool_approval": "boolean"
      }
    },
    "compliance": {
      "frameworks": ["string"],
      "require_audit_logging": "boolean",
      "require_encryption": "boolean",
      "data_residency": "string",
      "retention_days": "number"
    }
  },
  "hash": "string",
  "signature": "string",
  "signing_key_id": "string",
  "created_at": "ISO8601",
  "updated_at": "ISO8601"
}

Metadata Fields

Field	Type	Description
`policy_id`	string	Unique policy identifier (policy_...)
`workspace_id`	string	Target workspace (ws_...)
`version`	string	Policy version number
`status`	enum	draft, active, or archived
`hash`	string	BLAKE3 hash of content
`signature`	string	Ed25519 signature
`signing_key_id`	string	Admin key that signed

content.agent.models

Field	Type	Description
`allowed_providers`	array	Permitted LLM providers
`allowed_models`	array	Permitted model names
`denied_models`	array	Explicitly blocked models

Example

"models": {
  "allowed_providers": ["openai", "anthropic"],
  "allowed_models": [
    "gpt-4",
    "gpt-4-turbo",
    "gpt-4o",
    "claude-3-opus-20240229",
    "claude-3-sonnet-20240229"
  ],
  "denied_models": [
    "gpt-3.5-turbo"
  ]
}

note

If allowed_models is empty, all models from allowed providers are permitted.

content.agent.capabilities

Field	Type	Description
`allowed_tools`	array	Permitted tool names
`denied_tools`	array	Blocked tool names
`require_tool_approval`	boolean	Require admin approval for new tools

Example

"capabilities": {
  "allowed_tools": [
    "calculator",
    "web_search",
    "http_request",
    "file_read"
  ],
  "denied_tools": [
    "file_write",
    "file_delete",
    "shell_exec",
    "send_email"
  ],
  "require_tool_approval": true
}

content.compliance

Field	Type	Description
`frameworks`	array	soc2, hipaa, gdpr, pci-dss
`require_audit_logging`	boolean	Log all agent actions
`require_encryption`	boolean	Encrypt data at rest
`data_residency`	string	us, eu, asia-pacific
`retention_days`	number	Audit log retention period

Example

"compliance": {
  "frameworks": ["soc2", "hipaa"],
  "require_audit_logging": true,
  "require_encryption": true,
  "data_residency": "us",
  "retention_days": 90
}

Complete Example

policy.json
{
  "policy_id": "policy_abc123",
  "workspace_id": "ws_xyz789",
  "version": "1",
  "status": "active",
  "content": {
    "agent": {
      "models": {
        "allowed_providers": ["openai", "anthropic"],
        "allowed_models": ["gpt-4", "gpt-4-turbo", "claude-3-opus-20240229"],
        "denied_models": []
      },
      "capabilities": {
        "allowed_tools": ["calculator", "web_search"],
        "denied_tools": ["shell_exec"],
        "require_tool_approval": false
      }
    },
    "compliance": {
      "frameworks": ["soc2"],
      "require_audit_logging": true,
      "require_encryption": true,
      "data_residency": "us",
      "retention_days": 365
    }
  },
  "hash": "a1b2c3d4e5f6...",
  "signature": "ed25519_sig_...",
  "signing_key_id": "key_admin123",
  "created_at": "2024-01-15T10:30:00Z",
  "updated_at": "2024-01-15T10:30:00Z"
}

Full Policy Schema​

Metadata Fields​

content.agent.models​

Example​

content.agent.capabilities​

Example​

content.compliance​

Example​

Complete Example​

Full Policy Schema

Metadata Fields

content.agent.models

Example

content.agent.capabilities

Example

content.compliance

Example

Complete Example