Policy Packs CLI
Policy packs provide reusable, org-wide security policies for recipes.Quick Start
Commands
policy show
Display policy configuration.
Examples:
policy init
Create a policy template file.
Examples:
policy validate
Validate a policy file.Policy File Format
Using Policies
With Recipe Run
With Recipe Serve
Default Denied Tools
These tools are denied by default:shell.exec- Shell executionshell.run- Shell commandsfile.write- File writingfile.delete- File deletionnetwork.unrestricted- Unrestricted networkdb.write- Database writesdb.delete- Database deletes
Mode Differences
Dev Mode
- Interactive prompts allowed
- Lenient tool enforcement
- PII allowed by default
Prod Mode
- No interactive prompts
- Strict tool enforcement
- PII redaction enabled
- Auth required for serve
Python API
Policy Precedence
- CLI flags (highest)
- Policy file
- Recipe TEMPLATE.yaml
- Default policy (lowest)
Next Steps
- Recipe Registry - Publish and pull recipes
- Run History - Store and export runs
- Security Features - SBOM, signing, auditing

