# Configuration > What you can configure in agentjail: the policy.yaml overlay, custom Rego rules, daemon flags, and how rules compose. agentjail works with zero configuration: install it, and the three core rulesets (`file_policy`, `command_policy`, `mcp_policy`) are active immediately. When you want to tune behaviour you have three levers: the `policy.yaml` overlay file, user-supplied Rego rules, and daemon startup flags. ## Config file — `~/.agentjail/policy.yaml` The primary configuration file is `~/.agentjail/policy.yaml` (YAML). The daemon reads it at startup and re-reads it on `SIGHUP` (which `agentjail policy enable/disable` triggers automatically). The top-level keys map to per-category tuning: ```yaml file: extra_deny: - ~/Projects/secrets commands: extra_block: - "curl.*internal.corp" mcp: allowed: - filesystem - github network: allowed_hosts: - api.openai.com - api.anthropic.com ``` | Key | Purpose | |-----|---------| | `file.extra_deny` | Additional path patterns to block on top of the built-in file policy. | | `commands.extra_block` | Additional command patterns (regex) to deny on top of the built-in command policy. | | `mcp.allowed` | Allowlist of MCP server names the agent may call. | | `network.allowed_hosts` | Allowlist of hostnames the agent may reach. | A sample strict configuration suitable for tightly controlled environments is provided in the repository at `samples/configs/policy-strict.yaml`. ## Daemon startup flags | Flag | Description | |------|-------------| | `--policy ` | Path to a `policy.yaml` overlay (defaults to `~/.agentjail/policy.yaml`). | | `--rules ` | Directory of `*.rego` files to load in addition to the embedded core rules (non-recursive). | ## Adding custom Rego rules Drop a `.rego` file into `~/.agentjail/rules/`. The daemon loads every `*.rego` in that directory (non-recursive) at startup and on `SIGHUP`. Alternatively, point the daemon at a different directory with `--rules `. ```sh # Example: add a custom rule cp my-org-policy.rego ~/.agentjail/rules/my-org-policy.rego # Send SIGHUP to reload without restarting kill -HUP $(pgrep agentjail-daemon) ``` Any `deny` rule in any loaded file causes the call to be blocked. There is no concept of overriding a built-in rule — rules are additive. ## Which rules can be disabled **Core rules** (`file_policy`, `command_policy`, `mcp_policy`) are always active. `agentjail policy disable` rejects them with an error. These cannot be turned off. **Library rules** can be toggled individually: ```sh agentjail policy enable secret-scanner agentjail policy disable network-guard ``` Enabling a library rule copies it into `~/.agentjail/rules/` and sends `SIGHUP` to the daemon. Disabling removes it and sends `SIGHUP`. Per-category tuning (extra paths, extra blocked command patterns, allowlists) is done via `policy.yaml` keys, not by disabling core rules. ## Viewing active configuration `agentjail policy list` shows every rule, its status, and its source: ```sh agentjail policy list ``` ```text RULE STATUS SOURCE file_policy core agentpolicy/policies/file_policy.rego command_policy core agentpolicy/policies/command_policy.rego mcp_policy core agentpolicy/policies/mcp_policy.rego network-guard enabled library secret-scanner disabled library ``` Library rules show source `library` (a literal string, not an on-disk path). Core rules show their embedded source path under `agentpolicy/policies/`. ## See also - [Default policies](/docs/reference/default-policies): what the core rulesets block. - [CLI reference](/docs/reference/cli): `policy list`, `policy enable/disable`, and daemon flags.