Skip to main content

Policy Packs CLI

Policy packs provide reusable, org-wide security policies for recipes.

Quick Start

Commands

policy show

Display policy configuration.
Options: Examples:

policy init

Create a policy template file.
Options: Examples:

policy validate

Validate a policy file.

Policy File Format

Using Policies

With Recipe Run

With Recipe Serve

Default Denied Tools

These tools are denied by default:
  • shell.exec - Shell execution
  • shell.run - Shell commands
  • file.write - File writing
  • file.delete - File deletion
  • network.unrestricted - Unrestricted network
  • db.write - Database writes
  • db.delete - Database deletes

Mode Differences

Dev Mode

  • Interactive prompts allowed
  • Lenient tool enforcement
  • PII allowed by default

Prod Mode

  • No interactive prompts
  • Strict tool enforcement
  • PII redaction enabled
  • Auth required for serve

Python API

Policy Precedence

  1. CLI flags (highest)
  2. Policy file
  3. Recipe TEMPLATE.yaml
  4. Default policy (lowest)

Next Steps