← All docs

The policy model

How agentjail policies are written, matched against tool calls, and evaluated offline with deny-by-rule semantics.

agentjail policies are written in Rego, the same language used by Open Policy Agent. Each policy is a set of rules that inspect an incoming tool call and decide whether to allow or deny it.

The shape of a tool call

Every evaluation receives a structured input describing the call the agent wants to make:

{
  "tool": "Bash",
  "tool_input": { "command": "rm -rf ~/.ssh/" }
}

A rule that fires

A deny rule matches when its body holds. When any deny produces a message, the call is blocked and that message is returned to the agent.

deny[msg] {
  input.tool == "Bash"
  path := input.tool_input.command
  contains(path, "/.ssh/")
  msg := "Blocked: command targets sensitive path ~/.ssh/"
}

One rule. Offline. No round-trips.

Evaluation semantics

  • Rules are evaluated locally: there is no network call at decision time.
  • A call is denied if any deny rule produces a message; otherwise it is allowed.
  • Policies are plain text you can read, diff, and version-control alongside the rest of your project.

See Installation to get a working policy bundle on your machine.