When you install agentjail, three core policy rulesets are embedded in the
binary via go:embed. You do not have to write a single rule to be protected
from the most common dangerous tool calls.
The embedded sources live in the repository under:
- cmd/agentjail/policies/ — core rules (file_policy.rego, command_policy.rego, mcp_policy.rego)
- cmd/agentjail/library/ — optional library rules that can be enabled/disabled
file_policy
Blocks tool calls that read, write, or delete sensitive paths. The following paths and patterns are denied:
Directories
| Path | Notes |
|---|---|
| ~/.ssh | SSH keys and known hosts |
| ~/.aws | AWS credentials and config |
| ~/.gnupg | GPG keyring |
| ~/Downloads | Browser download folder |
| ~/Desktop | Desktop folder |
| ~/.agentjail | agentjail config and rules |
| ~/.config | XDG user config directory |
| /etc and /private/etc | System configuration |
| /var and /private/var | System variable data |
File name patterns
| Pattern | Notes |
|---|---|
| .env and .env.* | Environment variable files |
| .envrc | direnv config |
| credentials or secrets (any file named exactly) | Generic credential files |
| *.pem, *.key, *.p12, *.pfx, *.jks, *.keystore | Cryptographic key material |
| .netrc | Machine credentials file |
| id_rsa, id_ed25519, id_ecdsa, id_dsa | SSH private key files |
Any Bash command whose input references one of the paths or patterns above is denied before it reaches the shell.
command_policy
Enforces safe command patterns regardless of file paths. Verdicts are deny or ask (confirm before proceeding).
Denied (blocked outright)
| Pattern | Reason |
|---|---|
| curl or wget piped into bash or sh | Remote code execution via download |
| Any command containing sudo | Privilege escalation |
| dd if=/dev/* | Raw device write |
| chmod 777 | World-writable permission grant |
| Redirect to block device (> /dev/disk*, /dev/sd*, /dev/nvme*, /dev/mmcblk*) | Overwrite block device |
| rm -rf on absolute paths (except /tmp/agentjail) | Destructive recursive delete |
| git push --force | Destructive history rewrite |
| env or printenv piped to curl | Environment variable exfiltration |
| gpg --export-secret-keys | Secret key export |
| launchctl bootout or launchctl remove | macOS service removal |
| systemctl stop or systemctl disable | Linux service shutdown |
| ssh-keygen -f targeting a path outside /tmp | Key generation outside temp dir |
| Any Bash command referencing a sensitive path listed in file_policy | Cross-policy enforcement |
Requires confirmation (ask)
| Pattern | Reason |
|---|---|
| git push (non-force) | Remote repository write |
| npm publish, cargo publish, pip upload, twine upload | Package registry publish |
| curl -O downloading to a path other than /tmp | Persistent file download |
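To make the file_policy and command_policy tables above concrete, here is an added reference model in Python of how a Bash tool call is mapped to a verdict. It is not agentjail's own code (the shipped rules are Rego in cmd/agentjail/policies/, which remains the authoritative source); the regex approximations of each table row, the fixed home directory, and the subset of rules covered are assumptions made for this example.

```python
import os
import re
import shlex
from fnmatch import fnmatch

# Subset of the file_policy tables above: protected directories and file-name patterns.
SENSITIVE_DIRS = ["~/.ssh", "~/.aws", "~/.gnupg", "~/Downloads", "~/Desktop", "~/.agentjail",
                  "~/.config", "/etc", "/private/etc", "/var", "/private/var"]
SENSITIVE_NAMES = [".env", ".env.*", ".envrc", "credentials", "secrets", ".netrc", "*.pem", "*.key",
                   "*.p12", "*.pfx", "*.jks", "*.keystore", "id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"]

# Ordered (regex, verdict) pairs approximating command_policy rows (assumed regexes, not the Rego).
# First match wins, so every deny rule precedes the ask rules (git push --force must outrank git push).
COMMAND_RULES = [
    (r"\b(curl|wget)\b[^|]*\|\s*(bash|sh)\b", "deny"),              # download piped into a shell
    (r"\bsudo\b", "deny"),                                            # privilege escalation
    (r"\bdd\s+if=/dev/", "deny"),                                     # raw device access
    (r"\bchmod\s+777\b", "deny"),                                     # world-writable grant
    (r">\s*/dev/(disk|sd|nvme|mmcblk)", "deny"),                      # redirect to block device
    (r"\brm\s+-(rf|fr)\s+/(?!tmp/agentjail(/|\s|$))", "deny"),        # rm -rf on absolute path
    (r"\bgit\s+push\b.*--force\b", "deny"),                           # history rewrite
    (r"\b(env|printenv)\b[^|]*\|\s*curl\b", "deny"),                  # environment exfiltration
    (r"\bgpg\b.*--export-secret-keys\b", "deny"),                     # secret key export
    (r"\bgit\s+push\b", "ask"),                                       # remote write
    (r"\b(npm|cargo)\s+publish\b|\b(pip|twine)\s+upload\b", "ask"),   # registry publish
]

def _expand(path, home):
    """Expand a leading ~ against a fixed home (assumed /home/agent so results are deterministic)."""
    return os.path.normpath(home + path[1:] if path == "~" or path.startswith("~/") else path)

def is_sensitive_path(path, home="/home/agent"):
    """True if path lies under a protected directory or its file name matches a protected pattern."""
    full = _expand(path, home)
    for d in (_expand(d, home) for d in SENSITIVE_DIRS):
        if full == d or full.startswith(d + "/"):
            return True
    return any(fnmatch(os.path.basename(full), pat) for pat in SENSITIVE_NAMES)

def command_verdict(cmd, home="/home/agent"):
    """Map a Bash tool-call string to 'deny', 'ask' or 'allow' following the tables above."""
    # Cross-policy enforcement: any argument naming a sensitive path is denied before command rules run.
    if any(is_sensitive_path(tok, home) for tok in shlex.split(cmd)):
        return "deny"
    for pattern, verdict in COMMAND_RULES:
        if re.search(pattern, cmd):
            return verdict
    return "allow"
```

The /tmp/agentjail carve-out is handled by the negative lookahead in the rm rule, so rm -rf /tmp/agentjail/build is allowed while rm -rf on any other absolute path is denied.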
mcp_policy
Controls which MCP servers the agent is permitted to call. By default the
daemon uses an allowlist from ~/.agentjail/policy.yaml under the mcp.allowed
key. When the key is absent, all MCP calls are allowed.
Verdicts
All three rulesets produce one of three verdicts:
| Verdict | Meaning |
|---|---|
| allow | Tool call proceeds immediately. |
| ask | The agent is prompted to confirm before continuing. |
| deny | Tool call is blocked; the agent receives a rejection message. |
Reading the source
All shipped rules are plain Rego that you can audit before running. The canonical source is the agentjail repository on GitHub:
The core rules are in cmd/agentjail/policies/ and library rules are in
cmd/agentjail/library/.
Verifying what is active
Run agentjail policy list to see which rulesets are currently loaded:

```
agentjail policy list
RULE            STATUS  SOURCE
file_policy     core    agentpolicy/policies/file_policy.rego
command_policy  core    agentpolicy/policies/command_policy.rego
mcp_policy      core    agentpolicy/policies/mcp_policy.rego
```
Core rules always show status core. Library rules that you have enabled
appear with status enabled and source library. See the
CLI reference for full documentation of policy list and
policy enable/disable.
Extending the defaults
The default bundle is a starting point. You can add your own Rego rules in
~/.agentjail/rules/ without modifying the shipped files. See
Writing your first rule to get started.