Policy Enforcement

Runtime policy enforcement that validates agent actions against workspace governance rules before execution.

PolicyClient

Fetch and cache policies from the backend:

```typescript
import { PolicyClient } from '@sekuire/sdk';

const policyClient = new PolicyClient({
  backendUrl: 'https://api.sekuire.com',
  workspaceId: 'ws_abc123',
  cacheTimeout: 300_000 // 5 minutes
});

// Fetch active policy
const policy = await policyClient.getActivePolicy();

// Check if an action is allowed
const allowed = policy.allows({
  action: 'network:request',
  resource: 'https://api.external.com/data'
});
```

PolicyEnforcer

Wrap agent actions with automatic policy enforcement:

```typescript
import { PolicyEnforcer } from '@sekuire/sdk';

const enforcer = new PolicyEnforcer({
  policyClient,
  onViolation: (violation) => {
    console.error('Policy violation:', violation);
    // Log to audit trail, alert, etc.
  }
});

// Enforce before executing actions
await enforcer.enforce({
  action: 'tool:execute',
  resource: 'web_search',
  context: { query: 'user query' }
});
// If policy denies, throws PolicyViolationError
// If allowed, continues execution
```

Agent Integration

The SDK agent automatically enforces policies when configured:

```typescript
import { getAgent } from '@sekuire/sdk';

const agent = await getAgent('assistant', {
  policyEnforcement: {
    enabled: true,
    workspaceId: 'ws_abc123',
    mode: 'block' // 'block' | 'warn' | 'audit'
  }
});

// Tool calls are automatically checked against policy
// Blocked actions throw PolicyViolationError
const response = await agent.chat('Search the web for news');
```
⚠️ In block mode, policy violations throw exceptions. In warn mode, violations are logged but execution continues. In audit mode, all actions are logged for review.
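The difference between the three modes matters for what the policy actually prevents. The following is an added, self-contained model of the mode semantics described above, not code from `@sekuire/sdk`: `guarded`, `run`, the allow-list and the local `PolicyViolationError` class are hypothetical stand-ins, and it assumes audit mode, like warn mode, does not stop a denied action.

```typescript
// Added illustration: a local model of the three modes, not @sekuire/sdk code.
type Mode = 'block' | 'warn' | 'audit';
interface Action { action: string; resource: string }
interface AuditRecord extends Action { decision: 'allow' | 'deny'; executed: boolean }

// Constructed sample policy: explicit allow-list, everything else is denied.
const ALLOWED = new Set<string>(['tool:execute|web_search']);

// Local stand-in for the error the page says block mode throws.
class PolicyViolationError extends Error {
  violation: Action;
  constructor(violation: Action) {
    super(`Policy denies ${violation.action} on ${violation.resource}`);
    Object.setPrototypeOf(this, new.target.prototype); // keep instanceof working
    this.name = 'PolicyViolationError';
    this.violation = violation;
  }
}

// Runs fn under the given mode and appends what happened to log.
function guarded<T>(mode: Mode, act: Action, log: AuditRecord[], fn: () => T): T {
  const permitted = ALLOWED.has(`${act.action}|${act.resource}`);
  const decision: AuditRecord['decision'] = permitted ? 'allow' : 'deny';
  if (!permitted && mode === 'block') {
    log.push({ ...act, decision, executed: false });
    throw new PolicyViolationError(act); // the action never runs
  }
  // warn records violations only; audit records every action.
  // Assumption: neither mode stops a denied action from running.
  if (mode === 'audit' || !permitted) log.push({ ...act, decision, executed: true });
  return fn();
}

// Reports whether the action ran, whether it threw, and what was logged.
function run(mode: Mode, act: Action) {
  const log: AuditRecord[] = [];
  const result = { executed: false, threw: false, log };
  try {
    guarded(mode, act, log, () => { result.executed = true; });
  } catch (e) {
    if (!(e instanceof PolicyViolationError)) throw e; // never swallow other errors
    result.threw = true;
  }
  return result;
}

const denied: Action = { action: 'network:request', resource: 'https://api.external.com/data' };
for (const mode of ['block', 'warn', 'audit'] as const) {
  const r = run(mode, denied);
  console.log(mode, { executed: r.executed, threw: r.threw, logged: r.log.length });
}
```

Only `block` acts as a preventive control in this model; `warn` and `audit` are detective, so their value depends on someone reviewing the log.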
