agentjail works with zero configuration: install it, and the three core
rulesets (`file_policy`, `command_policy`, `mcp_policy`) are active
immediately. When you want to tune behaviour you have three levers: the
`policy.yaml` overlay file, user-supplied Rego rules, and daemon startup flags.
## Config file — `~/.agentjail/policy.yaml`

The primary configuration file is `~/.agentjail/policy.yaml` (YAML). The
daemon reads it at startup and re-reads it on SIGHUP (which `agentjail policy enable/disable` triggers automatically).

The top-level keys map to per-category tuning:
```yaml
file:
  extra_deny:
    - ~/Projects/secrets
commands:
  extra_block:
    - "curl.*internal.corp"
mcp:
  allowed:
    - filesystem
    - github
network:
  allowed_hosts:
    - api.openai.com
    - api.anthropic.com
```
| Key | Purpose |
|---|---|
| `file.extra_deny` | Additional path patterns to block on top of the built-in file policy. |
| `commands.extra_block` | Additional command patterns (regex) to deny on top of the built-in command policy. |
| `mcp.allowed` | Allowlist of MCP server names the agent may call. |
| `network.allowed_hosts` | Allowlist of hostnames the agent may reach. |
A sample strict configuration suitable for tightly controlled environments is
provided in the repository at `samples/configs/policy-strict.yaml`.
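To make the overlay semantics concrete, here is an added example (not agentjail's own code) that evaluates agent actions against the sample overlay above. Because the page does not define how patterns are matched, it assumes that `file.extra_deny` entries are path prefixes (after `~` expansion), that `commands.extra_block` entries are regexes searched anywhere in the command, and that the two allowlists are exact-match with an absent or empty list denying everything in that category.

```python
"""Evaluate actions against a parsed policy.yaml overlay (added example).

Matching semantics are assumptions, not agentjail's documented behaviour:
  - file.extra_deny: path prefixes, after ~ expansion and lexical normalisation
  - commands.extra_block: regex searched anywhere in the command string
  - mcp.allowed / network.allowed_hosts: exact-match allowlists; absent or
    empty means nothing in that category is allowed
"""
import os
import re
from typing import Any

# The page's sample overlay, already parsed (embedded to avoid a YAML dependency).
SAMPLE_OVERLAY: dict[str, Any] = {
    "file": {"extra_deny": ["~/Projects/secrets"]},
    "commands": {"extra_block": [r"curl.*internal.corp"]},
    "mcp": {"allowed": ["filesystem", "github"]},
    "network": {"allowed_hosts": ["api.openai.com", "api.anthropic.com"]},
}


def _norm(path: str) -> str:
    # Expand ~ and collapse "..", so "secrets/../README.md" escapes the deny
    # prefix while "public/../secrets/key.pem" still lands inside it. This is
    # lexical only: symlinks are not resolved, so real enforcement must also
    # resolve the path on disk before comparing.
    return os.path.normpath(os.path.expanduser(path))


def file_allowed(overlay: dict[str, Any], path: str) -> bool:
    target = _norm(path)
    for pattern in overlay.get("file", {}).get("extra_deny", []):
        denied = _norm(pattern)
        # Match the directory itself or anything below it, but not a sibling
        # that merely shares the prefix (e.g. "secrets-old").
        if target == denied or target.startswith(denied + os.sep):
            return False
    return True


def command_allowed(overlay: dict[str, Any], command: str) -> bool:
    blocked = overlay.get("commands", {}).get("extra_block", [])
    return not any(re.search(p, command) for p in blocked)


def mcp_allowed(overlay: dict[str, Any], server: str) -> bool:
    return server in overlay.get("mcp", {}).get("allowed", [])


def host_allowed(overlay: dict[str, Any], host: str) -> bool:
    allowed = overlay.get("network", {}).get("allowed_hosts", [])
    return host.lower() in {h.lower() for h in allowed}
```

Note the asymmetry this makes visible: the `file` and `commands` keys only ever add denials on top of the core rules, whereas `mcp` and `network` are allowlists, so leaving them out denies every server and host under these assumptions.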
## Daemon startup flags

| Flag | Description |
|---|---|
| `--policy <path>` | Path to a `policy.yaml` overlay (defaults to `~/.agentjail/policy.yaml`). |
| `--rules <dir>` | Directory of `*.rego` files to load in addition to the embedded core rules (non-recursive). |
## Adding custom Rego rules

Drop a `.rego` file into `~/.agentjail/rules/`. The daemon loads every
`*.rego` in that directory (non-recursive) at startup and on SIGHUP.
Alternatively, point the daemon at a different directory with `--rules <dir>`.

```bash
# Example: add a custom rule
cp my-org-policy.rego ~/.agentjail/rules/my-org-policy.rego
# Send SIGHUP to reload without restarting
kill -HUP $(pgrep agentjail-daemon)
```
Any deny rule in any loaded file causes the call to be blocked. There is no
concept of overriding a built-in rule — rules are additive.
## Which rules can be disabled

Core rules (`file_policy`, `command_policy`, `mcp_policy`) are always
active. `agentjail policy disable` rejects them with an error. These cannot be
turned off.

Library rules can be toggled individually:

```bash
agentjail policy enable secret-scanner
agentjail policy disable network-guard
```
Enabling a library rule copies it into `~/.agentjail/rules/` and sends
SIGHUP to the daemon. Disabling removes it and sends SIGHUP.

Per-category tuning (extra paths, extra blocked command patterns, allowlists)
is done via `policy.yaml` keys, not by disabling core rules.
## Viewing active configuration

`agentjail policy list` shows every rule, its status, and its source:

```text
$ agentjail policy list
RULE            STATUS    SOURCE
file_policy     core      agentpolicy/policies/file_policy.rego
command_policy  core      agentpolicy/policies/command_policy.rego
mcp_policy      core      agentpolicy/policies/mcp_policy.rego
network-guard   enabled   library
secret-scanner  disabled  library
```

Library rules show source `library` (a literal string, not an on-disk path).
Core rules show their embedded source path under `agentpolicy/policies/`.
## See also

- Default policies: what the core rulesets block.
- CLI reference: `policy list`, `policy enable/disable`, and daemon flags.