What policies can do
- Budgets — session, run, or per-action USD caps
- Allow/Deny lists — block named actions, or allowlist a closed set
- Rate limits — per-action max_count per window_seconds
- Approvals — require human approval by action name, tag, risk level, or USD threshold
- Guardrails (Phase 7) — built-in PII detection, content moderation, loop protection, idempotency replay
- Evidence graph — evidence_requirements, commit_actions, evidence_actions — enforce that commit actions only run after prerequisite reads
- Grounding rules — field-level constraints (commit_action.amount must equal lookup_action.amount)
- Argument constraints — JSON Schema applied to action kwargs before execution
- Kill switch — emergency org-scoped halt for an agent, run, or mission
BudgetExceededError, PolicyViolationError
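The evidence-graph and grounding-rule items above, worked through as an added example; this is not the SDK's own code. EvidenceGate, EvidenceViolation, record and check are hypothetical names, and only commit_action, lookup_action and the amount rule come from the page.

```python
from decimal import Decimal
_MISSING = object()

class EvidenceViolation(Exception):
    """Hypothetical error type: a commit action lacks grounded evidence."""

class EvidenceGate:
    """Illustrative stand-in for an evidence graph; not the SDK's API."""
    def __init__(self, evidence_requirements, grounding_rules):
        # commit action -> evidence (read) actions that must run first
        self.evidence_requirements = evidence_requirements
        # commit action -> [(commit_field, evidence_action, evidence_field)]
        self.grounding_rules = grounding_rules
        self.evidence = {}  # evidence action -> most recent result

    def record(self, action, result):
        self.evidence[action] = dict(result)

    def check(self, action, kwargs):
        """Return True if the commit may run; raise EvidenceViolation if not."""
        for required in self.evidence_requirements.get(action, []):
            if required not in self.evidence:
                raise EvidenceViolation(f"{action} needs prior {required}")
        for field, src, src_field in self.grounding_rules.get(action, []):
            expected = self.evidence.get(src, {}).get(src_field, _MISSING)
            # A value absent on either side fails closed.
            if expected is _MISSING or kwargs.get(field, _MISSING) != expected:
                raise EvidenceViolation(f"{action}.{field} != {src}.{src_field}")
        return True

def demo():
    """Constructed run: commit too early, commit a wrong amount, then succeed."""
    gate = EvidenceGate(
        evidence_requirements={"commit_action": ["lookup_action"]},
        grounding_rules={"commit_action": [("amount", "lookup_action", "amount")]},
    )
    outcomes = []
    def attempt(amount):
        try:
            gate.check("commit_action", {"amount": Decimal(amount)})
            outcomes.append("allowed")
        except EvidenceViolation as exc:
            outcomes.append(f"blocked: {exc}")
    attempt("40.00")                                  # no lookup yet
    gate.record("lookup_action", {"amount": Decimal("40.00")})
    attempt("400.00")                                 # not the value that was read
    attempt("40.00")                                  # matches the read
    return outcomes
```

Amounts are compared as Decimal so that equality is exact; a float comparison could reject or accept a commit on rounding alone.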
Authoring formats
Policies can be authored in any of:
- Code — PolicyEngine.configure(...) in the SDK
- YAML / JSON — callguard.yaml (SDK) or POST /api/v1/policies/compile (platform)
- Plain English — paste prose into the console editor; the platform routes it through gemini-2.5-flash (POST /api/v1/policies/compile with source_format: prose) to lower it into the policy IR. The same Pydantic validator runs over the LLM output, so a hallucinated field cannot produce an invalid policy.
Versioning
Every successful update on the platform creates an immutable PolicyVersion snapshot — full diff history, author/reviewer attribution, and one-click rollback. Rollback itself writes a new version, so the audit trail is preserved.
Remote policy sync (platform)
If you enable remote policy sync, the SDK downloads policies from:
- global (scope="global")
- agent (scope="agent", target_id=<agent_id>)
- run (scope="run", target_id=<run_id>)
