Policy outside agent code
Security and governance are runtime primitives, not bolt-ons. Policy bundles (JsonLogic) are evaluated at the boundary; approval-mode tiers are bound to every capability and decision; OTEL traces and evaluators make every run replayable and scorable.
Policy, approvals, evaluation, traces, and replay sit outside model code, so every risky action crosses a deterministic boundary.
- 01Policy Engine
Evaluates rules at compiler, critic, and tool boundaries.
- 02Approval modes
Bind read, write, network, delegated, and destructive risk.
- 03Identity
Propagates user delegation and agent workload identity.
- 04Evaluators
Score safety, utility, cost, latency, and compliance.
- 05Replay record
Keeps evidence, controls, approvals, and trace handles.
Five-tier approval modes
read_only · local_write · network · delegated · destructive — bound to every capability and every decision.
Anti-pattern prevented
Model self-policing: security must not depend on the model. The Policy Engine is the deterministic boundary; the model proposes, the boundary decides.
evaluators
Policy compliance · Utility · Latency · Safety · Economics. Tracked per intent, per tenant, per pack version; deltas gate every release.
Policy bundle (JsonLogic) outside agent code
Policy is authored, signed, and evaluated at the boundary. The Compiler, Critic, and Tool Gateway all consult the Policy Engine at the right runtime checkpoint.
{
"rule_id": "R_HIGH_VALUE_REQUIRES_APPROVAL",
"applies_to": { "intent": "support.refund" },
"if": {
"and": [
{ "==": [{ "var": "user.role" }, "support_agent"] },
{ ">": [{ "var": "request.context.refund_amount" }, 3000] }
]
},
"then": {
"allow": true,
"approval_mode": "destructive",
"requires_approval_gate": "GATE_FINANCE_APPROVAL",
"arg_constraints": {
"refund_amount": { "max": 3000, "unless_approved": true },
"currency": { "enum": ["INR"] }
}
},
"decision_binding": "support.refund.execute"
}