Policies

Declarative YAML policies control what your agents can and cannot do. Define rules for tool access, data protection, rate limiting, and more.

How Policies Work

Policies are YAML files that define security rules. The SDK evaluates them locally at runtime with near-zero latency. Policies sync from the dashboard to the SDK every 60 seconds (configurable).

  1. Create a policy in the dashboard or as a local YAML file
  2. The SDK downloads and caches policies on startup
  3. Every validate_action() or @protect call evaluates matching policies
  4. Violations are blocked, logged, or alerted based on the rule action

Policy Format

policy.yaml
version: "1.0"
rules:
  - name: block-prompt-injection
    scanner: prompt_injection
    action: block
    severity: critical

  - name: no-pii-in-output
    scanner: pii_detection
    direction: output
    action: block
    severity: high

  - name: log-all-tool-calls
    scanner: tool_call
    action: log
    severity: low

Rule Types

Scanner Rules

Trigger on scan results from the security scanner:

# Block prompt injection attempts
- name: block-injection
  scanner: prompt_injection
  action: block
  severity: critical

# Block data exfiltration
- name: block-exfil
  scanner: data_exfiltration
  action: block
  severity: high

# Alert on jailbreak attempts (don't block)
- name: alert-jailbreak
  scanner: jailbreak
  action: alert
  severity: medium

Tool Access Rules

Control which tools agents can use:

# Allow only specific tools
- name: allowed-tools
  type: tool_allowlist
  tools:
    - search
    - read_file
    - calculate
  action: block
  severity: high

# Deny specific dangerous tools
- name: no-destructive-tools
  type: tool_denylist
  tools:
    - delete_file
    - drop_table
    - rm_rf
  action: block
  severity: critical

Rate Limiting Rules

# Limit tool calls per minute
- name: rate-limit
  type: rate_limit
  max_calls: 100
  window_seconds: 60
  action: block
  severity: medium

Data Protection Rules

# Block outputs containing PII
- name: no-pii-leak
  type: data_protection
  patterns:
    - ssn
    - credit_card
    - email
    - phone_number
  direction: output
  action: block
  severity: high

Agent Targeting

Use match: to apply policies to specific agents or groups:

version: "1.0"
rules:
  # Only applies to agents tagged "customer-facing"
  - name: strict-pii-check
    scanner: pii_detection
    action: block
    severity: critical
    match:
      tags:
        - customer-facing

  # Only applies to a specific agent
  - name: research-agent-limits
    type: rate_limit
    max_calls: 50
    window_seconds: 60
    action: block
    match:
      agent_id: research-agent

  # Applies to all agents in production
  - name: prod-injection-block
    scanner: prompt_injection
    action: block
    severity: critical
    match:
      tags:
        - prod

Policy Actions

Action   Behavior
block    Prevents execution. Raises ShieldBlockedError or returns None.
alert    Allows execution but emits an alert event. Shows in dashboard.
log      Allows execution and logs the event. No dashboard alert.
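To make the rule types, the match: targeting and the three actions concrete, here is a small stand-alone evaluator added for this page (example code, not the SDK's own implementation). It takes the policy as the dict yaml.safe_load would return for the YAML above, so it runs without PyYAML; the agent and action dict shapes, the email and SSN detectors, the per-agent sliding-window counter, and the block > alert > log precedence when several rules fire are all assumptions.

```python
import re
from collections import defaultdict, deque
# Constructed policy in the documented format, as the dict yaml.safe_load would return
# (assumption: this evaluator is a stand-in for the SDK's, not its own code).
POLICY = {"version": "1.0", "rules": [
    {"name": "block-injection", "scanner": "prompt_injection", "action": "block", "severity": "critical"},
    {"name": "allowed-tools", "type": "tool_allowlist", "tools": ["search", "read_file"],
     "action": "block", "severity": "high", "match": {"tags": ["customer-facing"]}},
    {"name": "no-destructive-tools", "type": "tool_denylist", "tools": ["delete_file"],
     "action": "block", "severity": "critical"},
    {"name": "no-pii-leak", "type": "data_protection", "patterns": ["email", "ssn"],
     "direction": "output", "action": "block", "severity": "high"},
    {"name": "rate-limit", "type": "rate_limit", "max_calls": 2, "window_seconds": 60,
     "action": "alert", "severity": "medium"},
]}
# Minimal detectors for two of the documented pattern names (assumed, not the SDK's).
PATTERNS = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}
PRECEDENCE = {"block": 3, "alert": 2, "log": 1}  # when several rules fire, the strongest action wins
_calls = defaultdict(deque)  # (agent_id, rule name) -> timestamps of recent tool calls

def matches(rule, agent):
    """match: limits a rule to one agent_id or to agents carrying any of the listed tags."""
    m = rule.get("match", {})
    return m.get("agent_id", agent["id"]) == agent["id"] and (
        not m.get("tags") or bool(set(m["tags"]) & set(agent.get("tags", []))))

def violated(rule, agent, action, now):
    # A rule with direction: only applies to actions flowing that way (input/output).
    if rule.get("direction", action["direction"]) != action["direction"]:
        return False
    kind, tool = rule.get("type", "scanner"), action.get("tool")
    if kind == "scanner":  # fires when the named scanner flagged this action
        return rule["scanner"] in action.get("scan_hits", ())
    if kind == "tool_allowlist":
        return tool is not None and tool not in rule["tools"]
    if kind == "tool_denylist":
        return tool in rule["tools"]
    if kind == "data_protection":
        return any(PATTERNS[p].search(action.get("text", "")) for p in rule["patterns"] if p in PATTERNS)
    if kind == "rate_limit" and tool is not None:  # sliding window over this agent's tool calls
        q = _calls[(agent["id"], rule["name"])]
        while q and now - q[0] >= rule["window_seconds"]:
            q.popleft()
        q.append(now)
        return len(q) > rule["max_calls"]
    return False

def evaluate(policy, agent, action, now):
    # Evaluate every rule matching the agent; return (decision, names of violated rules).
    hits = [r for r in policy["rules"] if matches(r, agent) and violated(r, agent, action, now)]
    return max((r["action"] for r in hits), key=PRECEDENCE.get, default=None), [r["name"] for r in hits]
```

Call evaluate() with time.time() as now; the decision it returns maps onto the block, alert and log behaviours in the table above, and None means no rule fired.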

Local Policies

Load policies from local YAML files instead of (or in addition to) the dashboard:

# Load from directory
shield = Shield(
    api_key="rune_live_xxx",
    local_policies_path="./policies",  # loads all .yaml files
)

# Or add a policy at runtime
shield.add_policy("""
version: "1.0"
rules:
  - name: custom-rule
    scanner: prompt_injection
    action: block
    severity: critical
""")

Production Example

A comprehensive policy combining scanner rules, tool allowlists, data protection, and rate limits with agent targeting:

production-policy.yaml
version: "1.0"
rules:
  # Threat detection — all agents
  - name: block-prompt-injection
    scanner: prompt_injection
    action: block
    severity: critical

  - name: block-data-exfil
    scanner: data_exfiltration
    action: block
    severity: critical

  # Tool access — customer-facing agents only
  - name: customer-agent-tools
    type: tool_allowlist
    tools: [search_kb, create_ticket, get_order_status]
    action: block
    severity: high
    match:
      tags: [customer-facing]

  # Data protection — customer-facing agents only
  - name: no-pii-in-output
    type: data_protection
    patterns: [ssn, credit_card, email]
    direction: output
    action: block
    severity: high
    match:
      tags: [customer-facing]

  # Rate limiting — all agents
  - name: global-rate-limit
    type: rate_limit
    max_calls: 200
    window_seconds: 60
    action: block
    severity: medium

  # Research agents — more permissive, alert only
  - name: research-alert-only
    scanner: prompt_injection
    action: alert
    severity: medium
    match:
      tags: [research, internal]

Dashboard Policy Editor

The dashboard provides a visual policy editor with:

  • YAML editor with syntax highlighting
  • Policy test panel — test inputs against your policies before deploying
  • Version history and rollback
  • Active/inactive toggle for quick enable/disable

Go to Policies in the dashboard sidebar to manage your policies.

Programmatic Policy Management

Policies can also be managed programmatically via the REST API or MCP server, enabling agent-driven and CI/CD workflows:

  • REST API — Create, update, toggle, and delete policies via HTTP
  • MCP Server — AI agents can create and validate policies as MCP tool calls
  • OpenAPI Spec — Machine-readable API specification