agentpolicypack 0.1.0a1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- agentpolicypack-0.1.0a1/.gitignore +18 -0
- agentpolicypack-0.1.0a1/LICENSE +22 -0
- agentpolicypack-0.1.0a1/PKG-INFO +198 -0
- agentpolicypack-0.1.0a1/README.md +160 -0
- agentpolicypack-0.1.0a1/docs/ci-security-notes.md +6 -0
- agentpolicypack-0.1.0a1/docs/development.md +18 -0
- agentpolicypack-0.1.0a1/docs/index.md +11 -0
- agentpolicypack-0.1.0a1/docs/policy-format.md +20 -0
- agentpolicypack-0.1.0a1/docs/roadmap.md +29 -0
- agentpolicypack-0.1.0a1/docs/security.md +10 -0
- agentpolicypack-0.1.0a1/examples/tool_governance/allow-search-request.yaml +28 -0
- agentpolicypack-0.1.0a1/examples/tool_governance/policy.yaml +147 -0
- agentpolicypack-0.1.0a1/examples/tool_governance/requests.yaml +63 -0
- agentpolicypack-0.1.0a1/pyproject.toml +87 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/__init__.py +34 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/adapters.py +21 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/cli.py +215 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/conditions.py +120 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/constants.py +49 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/diffing.py +46 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/evaluator.py +242 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/exceptions.py +55 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/field_path.py +29 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/loader.py +99 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/matching.py +137 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/models.py +169 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/py.typed +1 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/reports.py +39 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/serialization.py +36 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/simulation.py +71 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/testing.py +85 -0
- agentpolicypack-0.1.0a1/src/agent_policy_pack/validation.py +337 -0
- agentpolicypack-0.1.0a1/tests/fixtures/diff/policy-v1.yaml +26 -0
- agentpolicypack-0.1.0a1/tests/fixtures/diff/policy-v2.yaml +27 -0
- agentpolicypack-0.1.0a1/tests/fixtures/diff/requests.yaml +49 -0
- agentpolicypack-0.1.0a1/tests/test_core.py +375 -0
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 sekacorn
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
22
|
+
|
|
@@ -0,0 +1,198 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: agentpolicypack
|
|
3
|
+
Version: 0.1.0a1
|
|
4
|
+
Summary: A vendor-neutral policy-as-code toolkit for governing AI agents and agentic workflows.
|
|
5
|
+
Project-URL: Homepage, https://github.com/sekacorn/AgentPolicyPack
|
|
6
|
+
Project-URL: Repository, https://github.com/sekacorn/AgentPolicyPack
|
|
7
|
+
Project-URL: Issues, https://github.com/sekacorn/AgentPolicyPack/issues
|
|
8
|
+
Project-URL: Documentation, https://github.com/sekacorn/AgentPolicyPack/tree/main/docs
|
|
9
|
+
Author: sekacorn
|
|
10
|
+
License: MIT
|
|
11
|
+
License-File: LICENSE
|
|
12
|
+
Classifier: Development Status :: 3 - Alpha
|
|
13
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
14
|
+
Classifier: Operating System :: OS Independent
|
|
15
|
+
Classifier: Programming Language :: Python :: 3
|
|
16
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
17
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
18
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
19
|
+
Classifier: Topic :: Security
|
|
20
|
+
Classifier: Topic :: Software Development :: Libraries :: Python Modules
|
|
21
|
+
Classifier: Typing :: Typed
|
|
22
|
+
Requires-Python: <3.14,>=3.11
|
|
23
|
+
Requires-Dist: packaging>=24.0
|
|
24
|
+
Requires-Dist: pydantic>=2.7
|
|
25
|
+
Requires-Dist: pyyaml>=6.0.1
|
|
26
|
+
Requires-Dist: typer>=0.12
|
|
27
|
+
Provides-Extra: dev
|
|
28
|
+
Requires-Dist: bandit[toml]>=1.7.9; extra == 'dev'
|
|
29
|
+
Requires-Dist: build>=1.2; extra == 'dev'
|
|
30
|
+
Requires-Dist: mypy>=1.10; extra == 'dev'
|
|
31
|
+
Requires-Dist: pip-audit>=2.7; extra == 'dev'
|
|
32
|
+
Requires-Dist: pytest-cov>=5.0; extra == 'dev'
|
|
33
|
+
Requires-Dist: pytest>=9.0.3; extra == 'dev'
|
|
34
|
+
Requires-Dist: ruff>=0.5; extra == 'dev'
|
|
35
|
+
Requires-Dist: twine>=5.1; extra == 'dev'
|
|
36
|
+
Requires-Dist: types-pyyaml>=6.0.12; extra == 'dev'
|
|
37
|
+
Description-Content-Type: text/markdown
|
|
38
|
+
|
|
39
|
+
# AgentPolicyPack
|
|
40
|
+
|
|
41
|
+
AgentPolicyPack lets organizations define, test, and carry AI-agent governance rules across models, frameworks, providers, and deployment environments.
|
|
42
|
+
|
|
43
|
+
AgentPolicyPack is an alpha project. Version `0.1.0a1` is ready for public alpha release with documented limitations, not production certification.
|
|
44
|
+
|
|
45
|
+
## Motivation
|
|
46
|
+
|
|
47
|
+
AI-agent governance should be portable, deterministic, auditable, version-controlled, and testable in CI. AgentPolicyPack provides a vendor-neutral policy bundle format, a fail-closed evaluator, policy tests, simulation, diffing, and a Python API plus CLI.
|
|
48
|
+
|
|
49
|
+
## Problem Statement
|
|
50
|
+
|
|
51
|
+
Organizations often encode agent rules inside one model provider, framework, runtime, or deployment stack. That creates lock-in and makes policy behavior hard to test. AgentPolicyPack separates governance intent from enforcement systems so the same rules can be validated, compared, and evaluated offline.
|
|
52
|
+
|
|
53
|
+
## Core Capabilities
|
|
54
|
+
|
|
55
|
+
- YAML and JSON policy bundles loaded with safe parsers.
|
|
56
|
+
- Strict schema models that reject unknown fields.
|
|
57
|
+
- Structural and semantic validation with stable finding codes.
|
|
58
|
+
- Safe structured condition language with bounded nesting.
|
|
59
|
+
- Target matching for subjects, actions, resources, tools, models, providers, and environments.
|
|
60
|
+
- Conflict strategies: `deny_overrides`, `allow_overrides`, `first_applicable`, `highest_priority`, and `only_one_applicable`.
|
|
61
|
+
- Effects: `allow`, `deny`, `require_review`, `limit`, `redact`, and `log_only`.
|
|
62
|
+
- Obligations and most-restrictive limit aggregation.
|
|
63
|
+
- Deterministic normalization, digests, decision IDs, and reports.
|
|
64
|
+
- Embedded policy tests, policy-test coverage, simulation, comparison, and conservative diffing.
|
|
65
|
+
|
|
66
|
+
## Architecture
|
|
67
|
+
|
|
68
|
+
Policy bundles load into typed Pydantic models. Validation runs before evaluation. Invalid bundles fail closed as `indeterminate` with a deny-equivalent effective decision. The evaluator performs deterministic target matching, structured condition evaluation, conflict resolution, obligation aggregation, limit aggregation, and evidence generation. External systems remain responsible for enforcing the returned decision.
|
|
69
|
+
|
|
70
|
+
## Installation
|
|
71
|
+
|
|
72
|
+
```powershell
|
|
73
|
+
python -m pip install agentpolicypack
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
For development:
|
|
77
|
+
|
|
78
|
+
```powershell
|
|
79
|
+
python -m pip install -e ".[dev]"
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
## Quick Start Policy
|
|
83
|
+
|
|
84
|
+
```yaml
|
|
85
|
+
schema_version: "1.0"
|
|
86
|
+
bundle:
|
|
87
|
+
id: customer-support-governance
|
|
88
|
+
name: Customer Support Agent Governance
|
|
89
|
+
version: "1.0.0"
|
|
90
|
+
namespace: example.customer_support
|
|
91
|
+
default_decision: deny
|
|
92
|
+
conflict_strategy: deny_overrides
|
|
93
|
+
policies:
|
|
94
|
+
- id: allow-ticket-read
|
|
95
|
+
effect: allow
|
|
96
|
+
priority: 100
|
|
97
|
+
targets:
|
|
98
|
+
subjects:
|
|
99
|
+
roles: [support_agent]
|
|
100
|
+
actions: [ticket.read]
|
|
101
|
+
resources:
|
|
102
|
+
types: [SupportTicket]
|
|
103
|
+
conditions:
|
|
104
|
+
all:
|
|
105
|
+
- field: resource.attributes.assigned_agent_id
|
|
106
|
+
operator: equals
|
|
107
|
+
value_from: subject.id
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
## Evaluation Example
|
|
111
|
+
|
|
112
|
+
```powershell
|
|
113
|
+
agentpolicy evaluate examples/tool_governance/policy.yaml --request examples/tool_governance/allow-search-request.yaml
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
## Policy-Test Example
|
|
117
|
+
|
|
118
|
+
```powershell
|
|
119
|
+
agentpolicy test examples/tool_governance/policy.yaml
|
|
120
|
+
agentpolicy coverage examples/tool_governance/policy.yaml
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
## CLI Examples
|
|
124
|
+
|
|
125
|
+
```powershell
|
|
126
|
+
agentpolicy validate examples/tool_governance/policy.yaml
|
|
127
|
+
agentpolicy lint examples/tool_governance/policy.yaml
|
|
128
|
+
agentpolicy inspect examples/tool_governance/policy.yaml
|
|
129
|
+
agentpolicy normalize examples/tool_governance/policy.yaml
|
|
130
|
+
agentpolicy digest examples/tool_governance/policy.yaml
|
|
131
|
+
agentpolicy simulate examples/tool_governance/policy.yaml --requests examples/tool_governance/requests.yaml
|
|
132
|
+
agentpolicy diff tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml
|
|
133
|
+
agentpolicy compare tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml --requests tests/fixtures/diff/requests.yaml
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
## Python API Example
|
|
137
|
+
|
|
138
|
+
```python
|
|
139
|
+
from agent_policy_pack import DecisionRequest, evaluate, load_bundle
|
|
140
|
+
|
|
141
|
+
bundle = load_bundle("examples/tool_governance/policy.yaml")
|
|
142
|
+
request = DecisionRequest(action="tool.call", subject={"roles": ["research_agent"]})
|
|
143
|
+
decision = evaluate(bundle, request)
|
|
144
|
+
print(decision.decision, decision.effective_decision)
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
## Conflict Strategies
|
|
148
|
+
|
|
149
|
+
`deny_overrides` is the default. Any matching deny controls before review or allow. `allow_overrides` is supported but dangerous because it may relax denies. `first_applicable` uses deterministic priority-descending, ID-ascending order. `highest_priority` selects the highest priority and resolves equal-priority mixed effects conservatively. `only_one_applicable` returns `indeterminate` when multiple policies match.
|
|
150
|
+
|
|
151
|
+
## Effects, Obligations, and Limits
|
|
152
|
+
|
|
153
|
+
Policy effects express governance intent. Decisions expose a primary outcome plus structured obligations such as `audit`, `redact`, `mask`, `require_review`, `enforce_limit`, `notify`, `retain_evidence`, and `attach_policy_context`. Custom obligations must use an extension namespace and are preserved, not executed. Limits use exact `Decimal` handling for costs.
|
|
154
|
+
|
|
155
|
+
## Simulation and Diffing
|
|
156
|
+
|
|
157
|
+
Simulation evaluates request batches offline. Comparison evaluates two bundles against the same requests. Diffing classifies changes conservatively as security relaxation, tightening, potentially breaking, or informational.
|
|
158
|
+
|
|
159
|
+
## Integration Roadmap
|
|
160
|
+
|
|
161
|
+
The package includes protocol types for future adapters. Version `0.1.0a1` works independently and offline. Forge, PrivateAIStack, ModelSwapBench, OpenOntologyLite, AIAuditLog, and OpenAIMeter integrations are deferred unless optional adapters are installed and tested in later releases.
|
|
162
|
+
|
|
163
|
+
## Security Model
|
|
164
|
+
|
|
165
|
+
AgentPolicyPack uses safe YAML loading, strict unknown-field rejection, bounded condition nesting, safe glob-style patterns, deterministic serialization, and fail-closed defaults. It never uses Python `eval` or `exec`, never imports modules named by policy files, and never follows remote URLs.
|
|
166
|
+
|
|
167
|
+
## Limitations
|
|
168
|
+
|
|
169
|
+
- External systems must enforce policy decisions.
|
|
170
|
+
- No identity-provider integration.
|
|
171
|
+
- No secrets management.
|
|
172
|
+
- No network firewall.
|
|
173
|
+
- No operating-system sandbox.
|
|
174
|
+
- No hosted policy server.
|
|
175
|
+
- No graphical editor.
|
|
176
|
+
- No general-purpose expression language.
|
|
177
|
+
- No arbitrary code execution.
|
|
178
|
+
- No legal or regulatory certification.
|
|
179
|
+
- Custom obligations are preserved but not executed.
|
|
180
|
+
- PII obligations do not provide automatic perfect PII discovery.
|
|
181
|
+
- Policies cannot guarantee model behavior.
|
|
182
|
+
- Optional framework adapters may cover only documented integration points.
|
|
183
|
+
- Policy diff classification is conservative and rule-based.
|
|
184
|
+
- Policy-test coverage is not software-code coverage.
|
|
185
|
+
- Bundle format may evolve before version 1.0.
|
|
186
|
+
|
|
187
|
+
## Contributing
|
|
188
|
+
|
|
189
|
+
Use the development commands in `docs/development.md`. Keep behavior deterministic, typed, local-first, and fail-closed.
|
|
190
|
+
|
|
191
|
+
## License
|
|
192
|
+
|
|
193
|
+
MIT.
|
|
194
|
+
|
|
195
|
+
## Author
|
|
196
|
+
|
|
197
|
+
sekacorn
|
|
198
|
+
|
|
@@ -0,0 +1,160 @@
|
|
|
1
|
+
# AgentPolicyPack
|
|
2
|
+
|
|
3
|
+
AgentPolicyPack lets organizations define, test, and carry AI-agent governance rules across models, frameworks, providers, and deployment environments.
|
|
4
|
+
|
|
5
|
+
AgentPolicyPack is an alpha project. Version `0.1.0a1` is ready for public alpha release with documented limitations, not production certification.
|
|
6
|
+
|
|
7
|
+
## Motivation
|
|
8
|
+
|
|
9
|
+
AI-agent governance should be portable, deterministic, auditable, version-controlled, and testable in CI. AgentPolicyPack provides a vendor-neutral policy bundle format, a fail-closed evaluator, policy tests, simulation, diffing, and a Python API plus CLI.
|
|
10
|
+
|
|
11
|
+
## Problem Statement
|
|
12
|
+
|
|
13
|
+
Organizations often encode agent rules inside one model provider, framework, runtime, or deployment stack. That creates lock-in and makes policy behavior hard to test. AgentPolicyPack separates governance intent from enforcement systems so the same rules can be validated, compared, and evaluated offline.
|
|
14
|
+
|
|
15
|
+
## Core Capabilities
|
|
16
|
+
|
|
17
|
+
- YAML and JSON policy bundles loaded with safe parsers.
|
|
18
|
+
- Strict schema models that reject unknown fields.
|
|
19
|
+
- Structural and semantic validation with stable finding codes.
|
|
20
|
+
- Safe structured condition language with bounded nesting.
|
|
21
|
+
- Target matching for subjects, actions, resources, tools, models, providers, and environments.
|
|
22
|
+
- Conflict strategies: `deny_overrides`, `allow_overrides`, `first_applicable`, `highest_priority`, and `only_one_applicable`.
|
|
23
|
+
- Effects: `allow`, `deny`, `require_review`, `limit`, `redact`, and `log_only`.
|
|
24
|
+
- Obligations and most-restrictive limit aggregation.
|
|
25
|
+
- Deterministic normalization, digests, decision IDs, and reports.
|
|
26
|
+
- Embedded policy tests, policy-test coverage, simulation, comparison, and conservative diffing.
|
|
27
|
+
|
|
28
|
+
## Architecture
|
|
29
|
+
|
|
30
|
+
Policy bundles load into typed Pydantic models. Validation runs before evaluation. Invalid bundles fail closed as `indeterminate` with a deny-equivalent effective decision. The evaluator performs deterministic target matching, structured condition evaluation, conflict resolution, obligation aggregation, limit aggregation, and evidence generation. External systems remain responsible for enforcing the returned decision.
|
|
31
|
+
|
|
32
|
+
## Installation
|
|
33
|
+
|
|
34
|
+
```powershell
|
|
35
|
+
python -m pip install agentpolicypack
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
For development:
|
|
39
|
+
|
|
40
|
+
```powershell
|
|
41
|
+
python -m pip install -e ".[dev]"
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
## Quick Start Policy
|
|
45
|
+
|
|
46
|
+
```yaml
|
|
47
|
+
schema_version: "1.0"
|
|
48
|
+
bundle:
|
|
49
|
+
id: customer-support-governance
|
|
50
|
+
name: Customer Support Agent Governance
|
|
51
|
+
version: "1.0.0"
|
|
52
|
+
namespace: example.customer_support
|
|
53
|
+
default_decision: deny
|
|
54
|
+
conflict_strategy: deny_overrides
|
|
55
|
+
policies:
|
|
56
|
+
- id: allow-ticket-read
|
|
57
|
+
effect: allow
|
|
58
|
+
priority: 100
|
|
59
|
+
targets:
|
|
60
|
+
subjects:
|
|
61
|
+
roles: [support_agent]
|
|
62
|
+
actions: [ticket.read]
|
|
63
|
+
resources:
|
|
64
|
+
types: [SupportTicket]
|
|
65
|
+
conditions:
|
|
66
|
+
all:
|
|
67
|
+
- field: resource.attributes.assigned_agent_id
|
|
68
|
+
operator: equals
|
|
69
|
+
value_from: subject.id
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
## Evaluation Example
|
|
73
|
+
|
|
74
|
+
```powershell
|
|
75
|
+
agentpolicy evaluate examples/tool_governance/policy.yaml --request examples/tool_governance/allow-search-request.yaml
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
## Policy-Test Example
|
|
79
|
+
|
|
80
|
+
```powershell
|
|
81
|
+
agentpolicy test examples/tool_governance/policy.yaml
|
|
82
|
+
agentpolicy coverage examples/tool_governance/policy.yaml
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
## CLI Examples
|
|
86
|
+
|
|
87
|
+
```powershell
|
|
88
|
+
agentpolicy validate examples/tool_governance/policy.yaml
|
|
89
|
+
agentpolicy lint examples/tool_governance/policy.yaml
|
|
90
|
+
agentpolicy inspect examples/tool_governance/policy.yaml
|
|
91
|
+
agentpolicy normalize examples/tool_governance/policy.yaml
|
|
92
|
+
agentpolicy digest examples/tool_governance/policy.yaml
|
|
93
|
+
agentpolicy simulate examples/tool_governance/policy.yaml --requests examples/tool_governance/requests.yaml
|
|
94
|
+
agentpolicy diff tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml
|
|
95
|
+
agentpolicy compare tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml --requests tests/fixtures/diff/requests.yaml
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
## Python API Example
|
|
99
|
+
|
|
100
|
+
```python
|
|
101
|
+
from agent_policy_pack import DecisionRequest, evaluate, load_bundle
|
|
102
|
+
|
|
103
|
+
bundle = load_bundle("examples/tool_governance/policy.yaml")
|
|
104
|
+
request = DecisionRequest(action="tool.call", subject={"roles": ["research_agent"]})
|
|
105
|
+
decision = evaluate(bundle, request)
|
|
106
|
+
print(decision.decision, decision.effective_decision)
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
## Conflict Strategies
|
|
110
|
+
|
|
111
|
+
`deny_overrides` is the default. Any matching deny controls before review or allow. `allow_overrides` is supported but dangerous because it may relax denies. `first_applicable` uses deterministic priority-descending, ID-ascending order. `highest_priority` selects the highest priority and resolves equal-priority mixed effects conservatively. `only_one_applicable` returns `indeterminate` when multiple policies match.
|
|
112
|
+
|
|
113
|
+
## Effects, Obligations, and Limits
|
|
114
|
+
|
|
115
|
+
Policy effects express governance intent. Decisions expose a primary outcome plus structured obligations such as `audit`, `redact`, `mask`, `require_review`, `enforce_limit`, `notify`, `retain_evidence`, and `attach_policy_context`. Custom obligations must use an extension namespace and are preserved, not executed. Limits use exact `Decimal` handling for costs.
|
|
116
|
+
|
|
117
|
+
## Simulation and Diffing
|
|
118
|
+
|
|
119
|
+
Simulation evaluates request batches offline. Comparison evaluates two bundles against the same requests. Diffing classifies changes conservatively as security relaxation, tightening, potentially breaking, or informational.
|
|
120
|
+
|
|
121
|
+
## Integration Roadmap
|
|
122
|
+
|
|
123
|
+
The package includes protocol types for future adapters. Version `0.1.0a1` works independently and offline. Forge, PrivateAIStack, ModelSwapBench, OpenOntologyLite, AIAuditLog, and OpenAIMeter integrations are deferred unless optional adapters are installed and tested in later releases.
|
|
124
|
+
|
|
125
|
+
## Security Model
|
|
126
|
+
|
|
127
|
+
AgentPolicyPack uses safe YAML loading, strict unknown-field rejection, bounded condition nesting, safe glob-style patterns, deterministic serialization, and fail-closed defaults. It never uses Python `eval` or `exec`, never imports modules named by policy files, and never follows remote URLs.
|
|
128
|
+
|
|
129
|
+
## Limitations
|
|
130
|
+
|
|
131
|
+
- External systems must enforce policy decisions.
|
|
132
|
+
- No identity-provider integration.
|
|
133
|
+
- No secrets management.
|
|
134
|
+
- No network firewall.
|
|
135
|
+
- No operating-system sandbox.
|
|
136
|
+
- No hosted policy server.
|
|
137
|
+
- No graphical editor.
|
|
138
|
+
- No general-purpose expression language.
|
|
139
|
+
- No arbitrary code execution.
|
|
140
|
+
- No legal or regulatory certification.
|
|
141
|
+
- Custom obligations are preserved but not executed.
|
|
142
|
+
- PII obligations do not provide automatic perfect PII discovery.
|
|
143
|
+
- Policies cannot guarantee model behavior.
|
|
144
|
+
- Optional framework adapters may cover only documented integration points.
|
|
145
|
+
- Policy diff classification is conservative and rule-based.
|
|
146
|
+
- Policy-test coverage is not software-code coverage.
|
|
147
|
+
- Bundle format may evolve before version 1.0.
|
|
148
|
+
|
|
149
|
+
## Contributing
|
|
150
|
+
|
|
151
|
+
Use the development commands in `docs/development.md`. Keep behavior deterministic, typed, local-first, and fail-closed.
|
|
152
|
+
|
|
153
|
+
## License
|
|
154
|
+
|
|
155
|
+
MIT.
|
|
156
|
+
|
|
157
|
+
## Author
|
|
158
|
+
|
|
159
|
+
sekacorn
|
|
160
|
+
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
# CI Security Notes
|
|
2
|
+
|
|
3
|
+
Workflows use official stable action versions because exact verified commit SHAs were not established during local preparation. Human release review should pin each action to a verified commit SHA before enforcing a stricter supply-chain policy.
|
|
4
|
+
|
|
5
|
+
The release workflow is prepared for PyPI Trusted Publishing through OIDC and the protected `pypi` environment. It does not use a PyPI API token.
|
|
6
|
+
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
# Development
|
|
2
|
+
|
|
3
|
+
Use PowerShell-compatible commands:
|
|
4
|
+
|
|
5
|
+
```powershell
|
|
6
|
+
python -m pip install -e ".[dev]"
|
|
7
|
+
python -m ruff check .
|
|
8
|
+
python -m ruff format --check .
|
|
9
|
+
python -m mypy --strict src
|
|
10
|
+
python -m pytest
|
|
11
|
+
python -m pytest --cov=agent_policy_pack --cov-branch
|
|
12
|
+
python -m bandit -r src
|
|
13
|
+
python -m pip_audit
|
|
14
|
+
python -m build
|
|
15
|
+
python -m twine check dist/*
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
Release publishing must use the GitHub release workflow with PyPI Trusted Publishing. Do not create a release tag until metadata, checks, artifacts, clean installs, CI, and the PyPI trusted publisher configuration are verified.
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
# AgentPolicyPack Documentation
|
|
2
|
+
|
|
3
|
+
AgentPolicyPack is a local-first policy-as-code toolkit for governing AI agents and agentic workflows. It defines portable bundles, validates them, evaluates requests, produces evidence, runs policy tests, simulates batches, and compares bundles.
|
|
4
|
+
|
|
5
|
+
See:
|
|
6
|
+
|
|
7
|
+
- `policy-format.md` for the complete bundle reference.
|
|
8
|
+
- `security.md` for the threat model and safe-input rules.
|
|
9
|
+
- `development.md` for local verification commands.
|
|
10
|
+
- `roadmap.md` for planned alpha work.
|
|
11
|
+
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# Policy Format Reference
|
|
2
|
+
|
|
3
|
+
Bundles support YAML and JSON with `schema_version: "1.0"`. Top-level fields are `schema_version`, `bundle`, `data_classifications`, `policies`, and `tests`.
|
|
4
|
+
|
|
5
|
+
`bundle` contains `id`, `name`, `version`, `namespace`, `description`, `default_decision`, `conflict_strategy`, `tags`, and explicit `metadata`.
|
|
6
|
+
|
|
7
|
+
Policies contain `id`, `name`, `description`, `enabled`, `effect`, `priority`, `targets`, `conditions`, `obligations`, `limits`, `reason`, `tags`, and `metadata`.
|
|
8
|
+
|
|
9
|
+
Targets may match subjects, actions, resources, tools, models, providers, and environments. Wildcards are glob-style and intentionally limited.
|
|
10
|
+
|
|
11
|
+
Conditions are structured with `all`, `any`, `not`, or leaf conditions using `field`, `operator`, and either `value` or `value_from`. Operators are `equals`, `not_equals`, `in`, `not_in`, `contains`, `not_contains`, `exists`, `not_exists`, `starts_with`, `ends_with`, numeric comparisons, `between`, and `matches_safe_pattern`.
|
|
12
|
+
|
|
13
|
+
Missing fields make ordinary conditions non-matching. Invalid bundles or unsafe ambiguity produce validation errors and evaluation fails closed.
|
|
14
|
+
|
|
15
|
+
Decisions are `allow`, `deny`, `require_review`, or `indeterminate`. Indeterminate defaults to deny-equivalent behavior.
|
|
16
|
+
|
|
17
|
+
Obligations include `audit`, `redact`, `mask`, `require_review`, `enforce_limit`, `notify`, `retain_evidence`, and `attach_policy_context`. Extension obligations must contain a namespace such as `example.custom_obligation`.
|
|
18
|
+
|
|
19
|
+
Limits include cost, token, tool-call, retry, and agent-step limits. Cost values are handled with `Decimal`, not binary floating point.
|
|
20
|
+
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
# Roadmap
|
|
2
|
+
|
|
3
|
+
## 0.1.0a2
|
|
4
|
+
|
|
5
|
+
- Stronger policy shadowing analysis.
|
|
6
|
+
- Aliases and renamed policy tracking.
|
|
7
|
+
- Improved security-relaxation diff confidence.
|
|
8
|
+
- Signed bundle manifests.
|
|
9
|
+
- Configurable organizational lint profiles.
|
|
10
|
+
- Richer test data generators.
|
|
11
|
+
|
|
12
|
+
## 0.1.0a3
|
|
13
|
+
|
|
14
|
+
- Deeper Forge middleware.
|
|
15
|
+
- OpenOntologyLite reference validation.
|
|
16
|
+
- ModelSwapBench compliance benchmark adapter.
|
|
17
|
+
- PrivateAIStack integration examples.
|
|
18
|
+
- Audit-event export for AIAuditLog.
|
|
19
|
+
|
|
20
|
+
## 0.2
|
|
21
|
+
|
|
22
|
+
- Policy package imports.
|
|
23
|
+
- Namespaced reusable policy modules.
|
|
24
|
+
- Local policy catalog.
|
|
25
|
+
- Optional decision cache.
|
|
26
|
+
- Policy provenance.
|
|
27
|
+
- Signed release bundles.
|
|
28
|
+
- Organization-level policy layering.
|
|
29
|
+
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
# Security and Threat Model
|
|
2
|
+
|
|
3
|
+
AgentPolicyPack treats policy files as untrusted input. It uses safe YAML loading, duplicate-key checks, JSON parsing, UTF-8 validation, file-size limits, strict models, bounded condition nesting, and restricted safe glob patterns.
|
|
4
|
+
|
|
5
|
+
The evaluator does not execute code, does not import policy-named modules, does not use `eval` or `exec`, and does not make network calls during evaluation.
|
|
6
|
+
|
|
7
|
+
Security decision failures are fail-closed. Invalid bundles evaluate to `indeterminate` with a deny-equivalent effective decision by default.
|
|
8
|
+
|
|
9
|
+
Out of scope: identity provider behavior, secrets management, network firewalling, operating-system sandboxing, hosted policy serving, legal certification, and perfect PII discovery.
|
|
10
|
+
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
subject:
|
|
2
|
+
id: agent-1
|
|
3
|
+
type: ai_agent
|
|
4
|
+
roles:
|
|
5
|
+
- research_agent
|
|
6
|
+
action: tool.call
|
|
7
|
+
resource:
|
|
8
|
+
id: web
|
|
9
|
+
type: WebSearch
|
|
10
|
+
attributes:
|
|
11
|
+
classification: public
|
|
12
|
+
tool:
|
|
13
|
+
name: search
|
|
14
|
+
namespace: external.web
|
|
15
|
+
risk: low
|
|
16
|
+
capabilities:
|
|
17
|
+
- search
|
|
18
|
+
model:
|
|
19
|
+
provider: ollama
|
|
20
|
+
name: qwen2.5:3b
|
|
21
|
+
hosting: local
|
|
22
|
+
environment:
|
|
23
|
+
name: production
|
|
24
|
+
context:
|
|
25
|
+
request_id: req-001
|
|
26
|
+
estimated_cost_usd: "0.01"
|
|
27
|
+
tool_calls: 1
|
|
28
|
+
|
|
@@ -0,0 +1,147 @@
|
|
|
1
|
+
schema_version: "1.0"
|
|
2
|
+
bundle:
|
|
3
|
+
id: tool-governance
|
|
4
|
+
name: Tool Governance Example
|
|
5
|
+
version: "1.0.0"
|
|
6
|
+
namespace: example.tool_governance
|
|
7
|
+
description: Example policies for AI-agent tool use.
|
|
8
|
+
default_decision: deny
|
|
9
|
+
conflict_strategy: deny_overrides
|
|
10
|
+
tags:
|
|
11
|
+
- example
|
|
12
|
+
- tools
|
|
13
|
+
data_classifications:
|
|
14
|
+
- public
|
|
15
|
+
- internal
|
|
16
|
+
- confidential
|
|
17
|
+
- restricted
|
|
18
|
+
policies:
|
|
19
|
+
- id: deny-shell
|
|
20
|
+
name: Deny shell execution
|
|
21
|
+
enabled: true
|
|
22
|
+
effect: deny
|
|
23
|
+
priority: 300
|
|
24
|
+
targets:
|
|
25
|
+
tools:
|
|
26
|
+
names:
|
|
27
|
+
- shell
|
|
28
|
+
actions:
|
|
29
|
+
- tool.call
|
|
30
|
+
obligations:
|
|
31
|
+
- type: audit
|
|
32
|
+
parameters:
|
|
33
|
+
level: detailed
|
|
34
|
+
reason: Shell execution is prohibited by default.
|
|
35
|
+
- id: require-review-database-write
|
|
36
|
+
name: Require review for database writes
|
|
37
|
+
effect: require_review
|
|
38
|
+
priority: 250
|
|
39
|
+
targets:
|
|
40
|
+
tools:
|
|
41
|
+
capabilities:
|
|
42
|
+
- database_write
|
|
43
|
+
actions:
|
|
44
|
+
- tool.call
|
|
45
|
+
environments:
|
|
46
|
+
names:
|
|
47
|
+
- production
|
|
48
|
+
obligations:
|
|
49
|
+
- type: require_review
|
|
50
|
+
parameters:
|
|
51
|
+
reviewer_role: data_steward
|
|
52
|
+
timeout_behavior: deny
|
|
53
|
+
reason: Production database writes require human review.
|
|
54
|
+
- id: allow-research-search
|
|
55
|
+
name: Allow research agents to use search
|
|
56
|
+
effect: allow
|
|
57
|
+
priority: 100
|
|
58
|
+
targets:
|
|
59
|
+
subjects:
|
|
60
|
+
roles:
|
|
61
|
+
- research_agent
|
|
62
|
+
tools:
|
|
63
|
+
names:
|
|
64
|
+
- search
|
|
65
|
+
risks:
|
|
66
|
+
- low
|
|
67
|
+
actions:
|
|
68
|
+
- tool.call
|
|
69
|
+
environments:
|
|
70
|
+
names:
|
|
71
|
+
- development
|
|
72
|
+
- production
|
|
73
|
+
conditions:
|
|
74
|
+
all:
|
|
75
|
+
- field: resource.attributes.classification
|
|
76
|
+
operator: in
|
|
77
|
+
value:
|
|
78
|
+
- public
|
|
79
|
+
- internal
|
|
80
|
+
- field: context.estimated_cost_usd
|
|
81
|
+
operator: less_than_or_equal
|
|
82
|
+
value: "0.05"
|
|
83
|
+
obligations:
|
|
84
|
+
- type: audit
|
|
85
|
+
parameters:
|
|
86
|
+
level: standard
|
|
87
|
+
limits:
|
|
88
|
+
max_cost_usd: "0.05"
|
|
89
|
+
max_tool_calls: 5
|
|
90
|
+
reason: Low-risk search is allowed for research agents using non-sensitive data.
|
|
91
|
+
tests:
|
|
92
|
+
- id: allow-search
|
|
93
|
+
name: Search request is allowed
|
|
94
|
+
request:
|
|
95
|
+
subject:
|
|
96
|
+
id: agent-1
|
|
97
|
+
type: ai_agent
|
|
98
|
+
roles:
|
|
99
|
+
- research_agent
|
|
100
|
+
action: tool.call
|
|
101
|
+
resource:
|
|
102
|
+
id: web
|
|
103
|
+
type: WebSearch
|
|
104
|
+
attributes:
|
|
105
|
+
classification: public
|
|
106
|
+
tool:
|
|
107
|
+
name: search
|
|
108
|
+
namespace: external.web
|
|
109
|
+
risk: low
|
|
110
|
+
capabilities:
|
|
111
|
+
- search
|
|
112
|
+
environment:
|
|
113
|
+
name: production
|
|
114
|
+
context:
|
|
115
|
+
estimated_cost_usd: "0.01"
|
|
116
|
+
tool_calls: 1
|
|
117
|
+
expect_decision: allow
|
|
118
|
+
expect_obligations:
|
|
119
|
+
- audit
|
|
120
|
+
expect_matched_policies:
|
|
121
|
+
- allow-research-search
|
|
122
|
+
- id: deny-shell
|
|
123
|
+
request:
|
|
124
|
+
subject:
|
|
125
|
+
id: agent-2
|
|
126
|
+
type: ai_agent
|
|
127
|
+
roles:
|
|
128
|
+
- research_agent
|
|
129
|
+
action: tool.call
|
|
130
|
+
resource:
|
|
131
|
+
id: terminal
|
|
132
|
+
type: Shell
|
|
133
|
+
attributes:
|
|
134
|
+
classification: internal
|
|
135
|
+
tool:
|
|
136
|
+
name: shell
|
|
137
|
+
risk: high
|
|
138
|
+
capabilities:
|
|
139
|
+
- command_execute
|
|
140
|
+
environment:
|
|
141
|
+
name: production
|
|
142
|
+
context:
|
|
143
|
+
estimated_cost_usd: "0.00"
|
|
144
|
+
expect_decision: deny
|
|
145
|
+
expect_matched_policies:
|
|
146
|
+
- deny-shell
|
|
147
|
+
|