# Default policies

> The policy rulesets that ship with agentjail out of the box: file_policy, command_policy, and mcp_policy.

When you install agentjail, three core policy rulesets are embedded in the
binary via `go:embed`. You do not have to write a single rule to be protected
from the most common dangerous tool calls.

The embedded sources live in the repository under:

- `cmd/agentjail/policies/` — core rules (`file_policy.rego`, `command_policy.rego`, `mcp_policy.rego`)
- `cmd/agentjail/library/` — optional library rules that can be enabled/disabled

## `file_policy`

Blocks tool calls that read, write, or delete sensitive paths. The following
paths and patterns are denied:

**Directories**

| Path | Notes |
|------|-------|
| `~/.ssh` | SSH keys and known hosts |
| `~/.aws` | AWS credentials and config |
| `~/.gnupg` | GPG keyring |
| `~/Downloads` | Browser download folder |
| `~/Desktop` | Desktop folder |
| `~/.agentjail` | agentjail config and rules |
| `~/.config` | XDG user config directory |
| `/etc` and `/private/etc` | System configuration |
| `/var` and `/private/var` | System variable data |

**File name patterns**

| Pattern | Notes |
|---------|-------|
| `.env` and `.env.*` | Environment variable files |
| `.envrc` | direnv config |
| `credentials` or `secrets` (any file named exactly) | Generic credential files |
| `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks`, `*.keystore` | Cryptographic key material |
| `.netrc` | Machine credentials file |
| `id_rsa`, `id_ed25519`, `id_ecdsa`, `id_dsa` | SSH private key files |

Any Bash command whose input references one of the paths or patterns above is
denied before it reaches the shell.

## `command_policy`

Enforces safe command patterns regardless of file paths. Verdicts are
**deny** or **ask** (confirm before proceeding).

### Denied (blocked outright)

| Pattern | Reason |
|---------|--------|
| `curl` or `wget` piped into `bash` or `sh` | Remote code execution via download |
| Any command containing `sudo` | Privilege escalation |
| `dd if=/dev/*` | Raw device write |
| `chmod 777` | World-writable permission grant |
| Redirect to block device (`> /dev/disk*`, `/dev/sd*`, `/dev/nvme*`, `/dev/mmcblk*`) | Overwrite block device |
| `rm -rf` on absolute paths (except `/tmp/agentjail`) | Destructive recursive delete |
| `git push --force` | Destructive history rewrite |
| `env` or `printenv` piped to `curl` | Environment variable exfiltration |
| `gpg --export-secret-keys` | Secret key export |
| `launchctl bootout` or `launchctl remove` | macOS service removal |
| `systemctl stop` or `systemctl disable` | Linux service shutdown |
| `ssh-keygen -f` targeting a path outside `/tmp` | Key generation outside temp dir |
| Any Bash command referencing a sensitive path listed in `file_policy` | Cross-policy enforcement |

### Requires confirmation (ask)

| Pattern | Reason |
|---------|--------|
| `git push` (non-force) | Remote repository write |
| `npm publish`, `cargo publish`, `pip upload`, `twine upload` | Package registry publish |
| `curl -O` downloading to a path other than `/tmp` | Persistent file download |

## `mcp_policy`

Controls which MCP servers the agent is permitted to call. By default the
daemon uses an allowlist from `~/.agentjail/policy.yaml` under the `mcp.allowed`
key. When the key is absent, all MCP calls are allowed.

## Verdicts

All three rulesets produce one of three verdicts:

| Verdict | Meaning |
|---------|---------|
| `allow` | Tool call proceeds immediately. |
| `ask` | The agent is prompted to confirm before continuing. |
| `deny` | Tool call is blocked; the agent receives a rejection message. |

## Reading the source

All shipped rules are plain Rego that you can audit before running. The
canonical source is the agentjail repository on GitHub:

[github.com/LuD1161/agentjail](https://github.com/LuD1161/agentjail)

The core rules are in `cmd/agentjail/policies/` and library rules are in
`cmd/agentjail/library/`.

## Verifying what is active

Run `agentjail policy list` to see which rulesets are currently loaded:

```sh
agentjail policy list
```

```text
RULE              STATUS   SOURCE
file_policy       core     agentpolicy/policies/file_policy.rego
command_policy    core     agentpolicy/policies/command_policy.rego
mcp_policy        core     agentpolicy/policies/mcp_policy.rego
```

Core rules always show status `core`. Library rules that you have enabled
appear with status `enabled` and source `library`. See the
[CLI reference](/docs/reference/cli) for full `policy list` and
`policy enable/disable` documentation.

## Extending the defaults

The default bundle is a starting point. You can add your own Rego rules in
`~/.agentjail/rules/` without modifying the shipped files. See
[Writing your first rule](/docs/policies/first-rule) to get started.