# The policy model

> How agentjail policies are written, matched against tool calls, and evaluated offline with deny-by-rule semantics.

agentjail policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/),
the same language used by Open Policy Agent. Each policy is a set of rules that
inspect an incoming tool call and decide whether to allow or deny it.

## The shape of a tool call

Every evaluation receives a structured `input` describing the call the agent
wants to make:

```json
{
  "tool": "Bash",
  "tool_input": { "command": "rm -rf ~/.ssh/" }
}
```

## A rule that fires

A `deny` rule fires when every expression in its body is true for the given
`input`. When any `deny` rule produces a message, the call is blocked and that
message is returned to the agent.

```rego
package policy  # any package name works; this one is illustrative

# Fires for Bash calls whose command string mentions ~/.ssh/.
deny[msg] {
  input.tool == "Bash"
  cmd := input.tool_input.command   # the shell command the agent wants to run
  contains(cmd, "/.ssh/")           # substring match: "~/.ssh/" and "/home/u/.ssh/" both hit
  msg := "Blocked: command targets sensitive path ~/.ssh/"
}
```

One rule. Offline. No round-trips.

## Evaluation semantics

- Rules are evaluated locally: there is no network call at decision time.
- A call is denied if **any** `deny` rule produces a message; otherwise it is
  allowed.
- Policies are plain text you can read, diff, and version-control alongside the
  rest of your project.
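The following policy bundle is an added example, not agentjail's shipped policy; it extends the single rule above to several `deny` rules and pins the evaluation semantics from this section with `opa test` cases. The package name, the `Write` tool, its `file_path` field, the `/workspace/` prefix, the `sensitive_paths` set and all messages are assumptions made for the example. It uses the same pre-1.0 Rego syntax as the rule above.

```rego
# Added example, not agentjail's shipped policy. Package name, the "Write"
# tool, its "file_path" field, "/workspace/" and all messages are assumptions.
package agentjail.example

# Helper: the command string of a Bash call; undefined for any other tool,
# which makes every rule that uses it silently not fire.
bash_command = cmd {
  input.tool == "Bash"
  cmd := input.tool_input.command
}

# Rule 1: the rule from the page, rewritten to use the helper.
deny[msg] {
  contains(bash_command, "/.ssh/")
  msg := "Blocked: command targets sensitive path ~/.ssh/"
}

# Rule 2: one rule, many paths. Each matching path yields its own message.
sensitive_paths := {"/.aws/", "/.gnupg/", "/etc/shadow"}

deny[msg] {
  some p
  sensitive_paths[p]
  contains(bash_command, p)
  msg := sprintf("Blocked: command touches sensitive path %s", [p])
}

# Rule 3: a different tool. Binding fp first means a Write call without a
# file_path leaves fp undefined, so this rule does not fire for it...
deny[msg] {
  input.tool == "Write"
  fp := input.tool_input.file_path
  not startswith(fp, "/workspace/")
  msg := sprintf("Blocked: write outside workspace: %s", [fp])
}

# ...so Rule 4 closes that gap explicitly instead of failing open.
deny[msg] {
  input.tool == "Write"
  not input.tool_input.file_path
  msg := "Blocked: Write call has no file_path"
}

# The decision semantics from this section, made explicit:
# the call is allowed if and only if no deny rule produced a message.
default allow = false

allow {
  count(deny) == 0
}

# Unit tests for `opa test <dir>`; each one pins a decision to a sample call.
test_ssh_blocked {
  deny["Blocked: command targets sensitive path ~/.ssh/"] with input as {
    "tool": "Bash", "tool_input": {"command": "rm -rf ~/.ssh/"}}
}

test_two_rules_two_messages {
  count(deny) == 2 with input as {
    "tool": "Bash", "tool_input": {"command": "tar czf x.tgz ~/.ssh/ ~/.aws/"}}
}

test_write_outside_workspace_blocked {
  not allow with input as {
    "tool": "Write", "tool_input": {"file_path": "/etc/cron.d/job"}}
}

test_write_missing_path_blocked {
  not allow with input as {"tool": "Write", "tool_input": {}}
}

test_benign_command_allowed {
  allow with input as {"tool": "Bash", "tool_input": {"command": "ls -la"}}
}

test_unmatched_tool_allowed {
  allow with input as {"tool": "Read", "tool_input": {"file_path": "/x"}}
}
```

Save the file in a directory and run `opa test -v <dir>`; every test runs locally with no network access, exactly as decision-time evaluation does. The pair of Write rules is the part worth copying: in Rego, a body that references a missing field is undefined and the rule simply does not fire, so a policy that only checks the field's value is fail-open for malformed calls, and a separate rule for the missing-field case is what makes it fail-closed. OPA 1.0 and later parse this pre-1.0 syntax only when given the `--v0-compatible` flag.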

See **[Installation](/docs/installation)** to get a working policy bundle on your
machine.
