agentpolicypack 0.1.0a1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (36) hide show
  1. agentpolicypack-0.1.0a1/.gitignore +18 -0
  2. agentpolicypack-0.1.0a1/LICENSE +22 -0
  3. agentpolicypack-0.1.0a1/PKG-INFO +198 -0
  4. agentpolicypack-0.1.0a1/README.md +160 -0
  5. agentpolicypack-0.1.0a1/docs/ci-security-notes.md +6 -0
  6. agentpolicypack-0.1.0a1/docs/development.md +18 -0
  7. agentpolicypack-0.1.0a1/docs/index.md +11 -0
  8. agentpolicypack-0.1.0a1/docs/policy-format.md +20 -0
  9. agentpolicypack-0.1.0a1/docs/roadmap.md +29 -0
  10. agentpolicypack-0.1.0a1/docs/security.md +10 -0
  11. agentpolicypack-0.1.0a1/examples/tool_governance/allow-search-request.yaml +28 -0
  12. agentpolicypack-0.1.0a1/examples/tool_governance/policy.yaml +147 -0
  13. agentpolicypack-0.1.0a1/examples/tool_governance/requests.yaml +63 -0
  14. agentpolicypack-0.1.0a1/pyproject.toml +87 -0
  15. agentpolicypack-0.1.0a1/src/agent_policy_pack/__init__.py +34 -0
  16. agentpolicypack-0.1.0a1/src/agent_policy_pack/adapters.py +21 -0
  17. agentpolicypack-0.1.0a1/src/agent_policy_pack/cli.py +215 -0
  18. agentpolicypack-0.1.0a1/src/agent_policy_pack/conditions.py +120 -0
  19. agentpolicypack-0.1.0a1/src/agent_policy_pack/constants.py +49 -0
  20. agentpolicypack-0.1.0a1/src/agent_policy_pack/diffing.py +46 -0
  21. agentpolicypack-0.1.0a1/src/agent_policy_pack/evaluator.py +242 -0
  22. agentpolicypack-0.1.0a1/src/agent_policy_pack/exceptions.py +55 -0
  23. agentpolicypack-0.1.0a1/src/agent_policy_pack/field_path.py +29 -0
  24. agentpolicypack-0.1.0a1/src/agent_policy_pack/loader.py +99 -0
  25. agentpolicypack-0.1.0a1/src/agent_policy_pack/matching.py +137 -0
  26. agentpolicypack-0.1.0a1/src/agent_policy_pack/models.py +169 -0
  27. agentpolicypack-0.1.0a1/src/agent_policy_pack/py.typed +1 -0
  28. agentpolicypack-0.1.0a1/src/agent_policy_pack/reports.py +39 -0
  29. agentpolicypack-0.1.0a1/src/agent_policy_pack/serialization.py +36 -0
  30. agentpolicypack-0.1.0a1/src/agent_policy_pack/simulation.py +71 -0
  31. agentpolicypack-0.1.0a1/src/agent_policy_pack/testing.py +85 -0
  32. agentpolicypack-0.1.0a1/src/agent_policy_pack/validation.py +337 -0
  33. agentpolicypack-0.1.0a1/tests/fixtures/diff/policy-v1.yaml +26 -0
  34. agentpolicypack-0.1.0a1/tests/fixtures/diff/policy-v2.yaml +27 -0
  35. agentpolicypack-0.1.0a1/tests/fixtures/diff/requests.yaml +49 -0
  36. agentpolicypack-0.1.0a1/tests/test_core.py +375 -0
@@ -0,0 +1,18 @@
1
+ .coverage
2
+ .mypy_cache/
3
+ .pytest_cache/
4
+ .ruff_cache/
5
+ __pycache__/
6
+ *.py[cod]
7
+ dist/
8
+ build/
9
+ *.egg-info/
10
+ .venv/
11
+ venv/
12
+ .env
13
+ *.sqlite
14
+ *.db
15
+ reports/*.json
16
+ reports/*.csv
17
+ reports/*.tmp
18
+
@@ -0,0 +1,22 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 sekacorn
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
22
+
@@ -0,0 +1,198 @@
1
+ Metadata-Version: 2.4
2
+ Name: agentpolicypack
3
+ Version: 0.1.0a1
4
+ Summary: A vendor-neutral policy-as-code toolkit for governing AI agents and agentic workflows.
5
+ Project-URL: Homepage, https://github.com/sekacorn/AgentPolicyPack
6
+ Project-URL: Repository, https://github.com/sekacorn/AgentPolicyPack
7
+ Project-URL: Issues, https://github.com/sekacorn/AgentPolicyPack/issues
8
+ Project-URL: Documentation, https://github.com/sekacorn/AgentPolicyPack/tree/main/docs
9
+ Author: sekacorn
10
+ License: MIT
11
+ License-File: LICENSE
12
+ Classifier: Development Status :: 3 - Alpha
13
+ Classifier: License :: OSI Approved :: MIT License
14
+ Classifier: Operating System :: OS Independent
15
+ Classifier: Programming Language :: Python :: 3
16
+ Classifier: Programming Language :: Python :: 3.11
17
+ Classifier: Programming Language :: Python :: 3.12
18
+ Classifier: Programming Language :: Python :: 3.13
19
+ Classifier: Topic :: Security
20
+ Classifier: Topic :: Software Development :: Libraries :: Python Modules
21
+ Classifier: Typing :: Typed
22
+ Requires-Python: <3.14,>=3.11
23
+ Requires-Dist: packaging>=24.0
24
+ Requires-Dist: pydantic>=2.7
25
+ Requires-Dist: pyyaml>=6.0.1
26
+ Requires-Dist: typer>=0.12
27
+ Provides-Extra: dev
28
+ Requires-Dist: bandit[toml]>=1.7.9; extra == 'dev'
29
+ Requires-Dist: build>=1.2; extra == 'dev'
30
+ Requires-Dist: mypy>=1.10; extra == 'dev'
31
+ Requires-Dist: pip-audit>=2.7; extra == 'dev'
32
+ Requires-Dist: pytest-cov>=5.0; extra == 'dev'
33
+ Requires-Dist: pytest>=9.0.3; extra == 'dev'
34
+ Requires-Dist: ruff>=0.5; extra == 'dev'
35
+ Requires-Dist: twine>=5.1; extra == 'dev'
36
+ Requires-Dist: types-pyyaml>=6.0.12; extra == 'dev'
37
+ Description-Content-Type: text/markdown
38
+
39
+ # AgentPolicyPack
40
+
41
+ AgentPolicyPack lets organizations define, test, and carry AI-agent governance rules across models, frameworks, providers, and deployment environments.
42
+
43
+ AgentPolicyPack is an alpha project. Version `0.1.0a1` is ready for public alpha release with documented limitations, not production certification.
44
+
45
+ ## Motivation
46
+
47
+ AI-agent governance should be portable, deterministic, auditable, version-controlled, and testable in CI. AgentPolicyPack provides a vendor-neutral policy bundle format, a fail-closed evaluator, policy tests, simulation, diffing, and a Python API plus CLI.
48
+
49
+ ## Problem Statement
50
+
51
+ Organizations often encode agent rules inside one model provider, framework, runtime, or deployment stack. That creates lock-in and makes policy behavior hard to test. AgentPolicyPack separates governance intent from enforcement systems so the same rules can be validated, compared, and evaluated offline.
52
+
53
+ ## Core Capabilities
54
+
55
+ - YAML and JSON policy bundles loaded with safe parsers.
56
+ - Strict schema models that reject unknown fields.
57
+ - Structural and semantic validation with stable finding codes.
58
+ - Safe structured condition language with bounded nesting.
59
+ - Target matching for subjects, actions, resources, tools, models, providers, and environments.
60
+ - Conflict strategies: `deny_overrides`, `allow_overrides`, `first_applicable`, `highest_priority`, and `only_one_applicable`.
61
+ - Effects: `allow`, `deny`, `require_review`, `limit`, `redact`, and `log_only`.
62
+ - Obligations and most-restrictive limit aggregation.
63
+ - Deterministic normalization, digests, decision IDs, and reports.
64
+ - Embedded policy tests, policy-test coverage, simulation, comparison, and conservative diffing.
65
+
66
+ ## Architecture
67
+
68
+ Policy bundles load into typed Pydantic models. Validation runs before evaluation. Invalid bundles fail closed as `indeterminate` with a deny-equivalent effective decision. The evaluator performs deterministic target matching, structured condition evaluation, conflict resolution, obligation aggregation, limit aggregation, and evidence generation. External systems remain responsible for enforcing the returned decision.
69
+
70
+ ## Installation
71
+
72
+ ```powershell
73
+ python -m pip install agentpolicypack
74
+ ```
75
+
76
+ For development:
77
+
78
+ ```powershell
79
+ python -m pip install -e ".[dev]"
80
+ ```
81
+
82
+ ## Quick Start Policy
83
+
84
+ ```yaml
85
+ schema_version: "1.0"
86
+ bundle:
87
+ id: customer-support-governance
88
+ name: Customer Support Agent Governance
89
+ version: "1.0.0"
90
+ namespace: example.customer_support
91
+ default_decision: deny
92
+ conflict_strategy: deny_overrides
93
+ policies:
94
+ - id: allow-ticket-read
95
+ effect: allow
96
+ priority: 100
97
+ targets:
98
+ subjects:
99
+ roles: [support_agent]
100
+ actions: [ticket.read]
101
+ resources:
102
+ types: [SupportTicket]
103
+ conditions:
104
+ all:
105
+ - field: resource.attributes.assigned_agent_id
106
+ operator: equals
107
+ value_from: subject.id
108
+ ```
109
+
110
+ ## Evaluation Example
111
+
112
+ ```powershell
113
+ agentpolicy evaluate examples/tool_governance/policy.yaml --request examples/tool_governance/allow-search-request.yaml
114
+ ```
115
+
116
+ ## Policy-Test Example
117
+
118
+ ```powershell
119
+ agentpolicy test examples/tool_governance/policy.yaml
120
+ agentpolicy coverage examples/tool_governance/policy.yaml
121
+ ```
122
+
123
+ ## CLI Examples
124
+
125
+ ```powershell
126
+ agentpolicy validate examples/tool_governance/policy.yaml
127
+ agentpolicy lint examples/tool_governance/policy.yaml
128
+ agentpolicy inspect examples/tool_governance/policy.yaml
129
+ agentpolicy normalize examples/tool_governance/policy.yaml
130
+ agentpolicy digest examples/tool_governance/policy.yaml
131
+ agentpolicy simulate examples/tool_governance/policy.yaml --requests examples/tool_governance/requests.yaml
132
+ agentpolicy diff tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml
133
+ agentpolicy compare tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml --requests tests/fixtures/diff/requests.yaml
134
+ ```
135
+
136
+ ## Python API Example
137
+
138
+ ```python
139
+ from agent_policy_pack import DecisionRequest, evaluate, load_bundle
140
+
141
+ bundle = load_bundle("examples/tool_governance/policy.yaml")
142
+ request = DecisionRequest(action="tool.call", subject={"roles": ["research_agent"]})
143
+ decision = evaluate(bundle, request)
144
+ print(decision.decision, decision.effective_decision)
145
+ ```
146
+
147
+ ## Conflict Strategies
148
+
149
+ `deny_overrides` is the default. Any matching deny controls before review or allow. `allow_overrides` is supported but dangerous because it may relax denies. `first_applicable` uses deterministic priority-descending, ID-ascending order. `highest_priority` selects the highest priority and resolves equal-priority mixed effects conservatively. `only_one_applicable` returns `indeterminate` when multiple policies match.
150
+
151
+ ## Effects, Obligations, and Limits
152
+
153
+ Policy effects express governance intent. Decisions expose a primary outcome plus structured obligations such as `audit`, `redact`, `mask`, `require_review`, `enforce_limit`, `notify`, `retain_evidence`, and `attach_policy_context`. Custom obligations must use an extension namespace and are preserved, not executed. Limits use exact `Decimal` handling for costs.
154
+
155
+ ## Simulation and Diffing
156
+
157
+ Simulation evaluates request batches offline. Comparison evaluates two bundles against the same requests. Diffing classifies changes conservatively as security relaxation, tightening, potentially breaking, or informational.
158
+
159
+ ## Integration Roadmap
160
+
161
+ The package includes protocol types for future adapters. Version `0.1.0a1` works independently and offline. Forge, PrivateAIStack, ModelSwapBench, OpenOntologyLite, AIAuditLog, and OpenAIMeter integrations are deferred unless optional adapters are installed and tested in later releases.
162
+
163
+ ## Security Model
164
+
165
+ AgentPolicyPack uses safe YAML loading, strict unknown-field rejection, bounded condition nesting, safe glob-style patterns, deterministic serialization, and fail-closed defaults. It never uses Python `eval` or `exec`, never imports modules named by policy files, and never follows remote URLs.
166
+
167
+ ## Limitations
168
+
169
+ - External systems must enforce policy decisions.
170
+ - No identity-provider integration.
171
+ - No secrets management.
172
+ - No network firewall.
173
+ - No operating-system sandbox.
174
+ - No hosted policy server.
175
+ - No graphical editor.
176
+ - No general-purpose expression language.
177
+ - No arbitrary code execution.
178
+ - No legal or regulatory certification.
179
+ - Custom obligations are preserved but not executed.
180
+ - PII obligations do not provide automatic perfect PII discovery.
181
+ - Policies cannot guarantee model behavior.
182
+ - Optional framework adapters may cover only documented integration points.
183
+ - Policy diff classification is conservative and rule-based.
184
+ - Policy-test coverage is not software-code coverage.
185
+ - Bundle format may evolve before version 1.0.
186
+
187
+ ## Contributing
188
+
189
+ Use the development commands in `docs/development.md`. Keep behavior deterministic, typed, local-first, and fail-closed.
190
+
191
+ ## License
192
+
193
+ MIT.
194
+
195
+ ## Author
196
+
197
+ sekacorn
198
+
@@ -0,0 +1,160 @@
1
+ # AgentPolicyPack
2
+
3
+ AgentPolicyPack lets organizations define, test, and carry AI-agent governance rules across models, frameworks, providers, and deployment environments.
4
+
5
+ AgentPolicyPack is an alpha project. Version `0.1.0a1` is ready for public alpha release with documented limitations, not production certification.
6
+
7
+ ## Motivation
8
+
9
+ AI-agent governance should be portable, deterministic, auditable, version-controlled, and testable in CI. AgentPolicyPack provides a vendor-neutral policy bundle format, a fail-closed evaluator, policy tests, simulation, diffing, and a Python API plus CLI.
10
+
11
+ ## Problem Statement
12
+
13
+ Organizations often encode agent rules inside one model provider, framework, runtime, or deployment stack. That creates lock-in and makes policy behavior hard to test. AgentPolicyPack separates governance intent from enforcement systems so the same rules can be validated, compared, and evaluated offline.
14
+
15
+ ## Core Capabilities
16
+
17
+ - YAML and JSON policy bundles loaded with safe parsers.
18
+ - Strict schema models that reject unknown fields.
19
+ - Structural and semantic validation with stable finding codes.
20
+ - Safe structured condition language with bounded nesting.
21
+ - Target matching for subjects, actions, resources, tools, models, providers, and environments.
22
+ - Conflict strategies: `deny_overrides`, `allow_overrides`, `first_applicable`, `highest_priority`, and `only_one_applicable`.
23
+ - Effects: `allow`, `deny`, `require_review`, `limit`, `redact`, and `log_only`.
24
+ - Obligations and most-restrictive limit aggregation.
25
+ - Deterministic normalization, digests, decision IDs, and reports.
26
+ - Embedded policy tests, policy-test coverage, simulation, comparison, and conservative diffing.
27
+
28
+ ## Architecture
29
+
30
+ Policy bundles load into typed Pydantic models. Validation runs before evaluation. Invalid bundles fail closed as `indeterminate` with a deny-equivalent effective decision. The evaluator performs deterministic target matching, structured condition evaluation, conflict resolution, obligation aggregation, limit aggregation, and evidence generation. External systems remain responsible for enforcing the returned decision.
31
+
32
+ ## Installation
33
+
34
+ ```powershell
35
+ python -m pip install agentpolicypack
36
+ ```
37
+
38
+ For development:
39
+
40
+ ```powershell
41
+ python -m pip install -e ".[dev]"
42
+ ```
43
+
44
+ ## Quick Start Policy
45
+
46
+ ```yaml
47
+ schema_version: "1.0"
48
+ bundle:
49
+ id: customer-support-governance
50
+ name: Customer Support Agent Governance
51
+ version: "1.0.0"
52
+ namespace: example.customer_support
53
+ default_decision: deny
54
+ conflict_strategy: deny_overrides
55
+ policies:
56
+ - id: allow-ticket-read
57
+ effect: allow
58
+ priority: 100
59
+ targets:
60
+ subjects:
61
+ roles: [support_agent]
62
+ actions: [ticket.read]
63
+ resources:
64
+ types: [SupportTicket]
65
+ conditions:
66
+ all:
67
+ - field: resource.attributes.assigned_agent_id
68
+ operator: equals
69
+ value_from: subject.id
70
+ ```
71
+
72
+ ## Evaluation Example
73
+
74
+ ```powershell
75
+ agentpolicy evaluate examples/tool_governance/policy.yaml --request examples/tool_governance/allow-search-request.yaml
76
+ ```
77
+
78
+ ## Policy-Test Example
79
+
80
+ ```powershell
81
+ agentpolicy test examples/tool_governance/policy.yaml
82
+ agentpolicy coverage examples/tool_governance/policy.yaml
83
+ ```
84
+
85
+ ## CLI Examples
86
+
87
+ ```powershell
88
+ agentpolicy validate examples/tool_governance/policy.yaml
89
+ agentpolicy lint examples/tool_governance/policy.yaml
90
+ agentpolicy inspect examples/tool_governance/policy.yaml
91
+ agentpolicy normalize examples/tool_governance/policy.yaml
92
+ agentpolicy digest examples/tool_governance/policy.yaml
93
+ agentpolicy simulate examples/tool_governance/policy.yaml --requests examples/tool_governance/requests.yaml
94
+ agentpolicy diff tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml
95
+ agentpolicy compare tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml --requests tests/fixtures/diff/requests.yaml
96
+ ```
97
+
98
+ ## Python API Example
99
+
100
+ ```python
101
+ from agent_policy_pack import DecisionRequest, evaluate, load_bundle
102
+
103
+ bundle = load_bundle("examples/tool_governance/policy.yaml")
104
+ request = DecisionRequest(action="tool.call", subject={"roles": ["research_agent"]})
105
+ decision = evaluate(bundle, request)
106
+ print(decision.decision, decision.effective_decision)
107
+ ```
108
+
109
+ ## Conflict Strategies
110
+
111
+ `deny_overrides` is the default. Any matching deny controls before review or allow. `allow_overrides` is supported but dangerous because it may relax denies. `first_applicable` uses deterministic priority-descending, ID-ascending order. `highest_priority` selects the highest priority and resolves equal-priority mixed effects conservatively. `only_one_applicable` returns `indeterminate` when multiple policies match.
112
+
113
+ ## Effects, Obligations, and Limits
114
+
115
+ Policy effects express governance intent. Decisions expose a primary outcome plus structured obligations such as `audit`, `redact`, `mask`, `require_review`, `enforce_limit`, `notify`, `retain_evidence`, and `attach_policy_context`. Custom obligations must use an extension namespace and are preserved, not executed. Limits use exact `Decimal` handling for costs.
116
+
117
+ ## Simulation and Diffing
118
+
119
+ Simulation evaluates request batches offline. Comparison evaluates two bundles against the same requests. Diffing classifies changes conservatively as security relaxation, tightening, potentially breaking, or informational.
120
+
121
+ ## Integration Roadmap
122
+
123
+ The package includes protocol types for future adapters. Version `0.1.0a1` works independently and offline. Forge, PrivateAIStack, ModelSwapBench, OpenOntologyLite, AIAuditLog, and OpenAIMeter integrations are deferred unless optional adapters are installed and tested in later releases.
124
+
125
+ ## Security Model
126
+
127
+ AgentPolicyPack uses safe YAML loading, strict unknown-field rejection, bounded condition nesting, safe glob-style patterns, deterministic serialization, and fail-closed defaults. It never uses Python `eval` or `exec`, never imports modules named by policy files, and never follows remote URLs.
128
+
129
+ ## Limitations
130
+
131
+ - External systems must enforce policy decisions.
132
+ - No identity-provider integration.
133
+ - No secrets management.
134
+ - No network firewall.
135
+ - No operating-system sandbox.
136
+ - No hosted policy server.
137
+ - No graphical editor.
138
+ - No general-purpose expression language.
139
+ - No arbitrary code execution.
140
+ - No legal or regulatory certification.
141
+ - Custom obligations are preserved but not executed.
142
+ - PII obligations do not provide automatic perfect PII discovery.
143
+ - Policies cannot guarantee model behavior.
144
+ - Optional framework adapters may cover only documented integration points.
145
+ - Policy diff classification is conservative and rule-based.
146
+ - Policy-test coverage is not software-code coverage.
147
+ - Bundle format may evolve before version 1.0.
148
+
149
+ ## Contributing
150
+
151
+ Use the development commands in `docs/development.md`. Keep behavior deterministic, typed, local-first, and fail-closed.
152
+
153
+ ## License
154
+
155
+ MIT.
156
+
157
+ ## Author
158
+
159
+ sekacorn
160
+
@@ -0,0 +1,6 @@
1
+ # CI Security Notes
2
+
3
+ Workflows use official stable action versions because exact verified commit SHAs were not established during local preparation. Human release review should pin each action to a verified commit SHA before enforcing a stricter supply-chain policy.
4
+
5
+ The release workflow is prepared for PyPI Trusted Publishing through OIDC and the protected `pypi` environment. It does not use a PyPI API token.
6
+
@@ -0,0 +1,18 @@
1
+ # Development
2
+
3
+ Use PowerShell-compatible commands:
4
+
5
+ ```powershell
6
+ python -m pip install -e ".[dev]"
7
+ python -m ruff check .
8
+ python -m ruff format --check .
9
+ python -m mypy --strict src
10
+ python -m pytest
11
+ python -m pytest --cov=agent_policy_pack --cov-branch
12
+ python -m bandit -r src
13
+ python -m pip_audit
14
+ python -m build
15
+ python -m twine check dist/*
16
+ ```
17
+
18
+ Release publishing must use the GitHub release workflow with PyPI Trusted Publishing. Do not create a release tag until metadata, checks, artifacts, clean installs, CI, and the PyPI trusted publisher configuration are verified.
@@ -0,0 +1,11 @@
1
+ # AgentPolicyPack Documentation
2
+
3
+ AgentPolicyPack is a local-first policy-as-code toolkit for governing AI agents and agentic workflows. It defines portable bundles, validates them, evaluates requests, produces evidence, runs policy tests, simulates batches, and compares bundles.
4
+
5
+ See:
6
+
7
+ - `policy-format.md` for the complete bundle reference.
8
+ - `security.md` for the threat model and safe-input rules.
9
+ - `development.md` for local verification commands.
10
+ - `roadmap.md` for planned alpha work.
11
+
@@ -0,0 +1,20 @@
1
+ # Policy Format Reference
2
+
3
+ Bundles support YAML and JSON with `schema_version: "1.0"`. Top-level fields are `schema_version`, `bundle`, `data_classifications`, `policies`, and `tests`.
4
+
5
+ `bundle` contains `id`, `name`, `version`, `namespace`, `description`, `default_decision`, `conflict_strategy`, `tags`, and explicit `metadata`.
6
+
7
+ Policies contain `id`, `name`, `description`, `enabled`, `effect`, `priority`, `targets`, `conditions`, `obligations`, `limits`, `reason`, `tags`, and `metadata`.
8
+
9
+ Targets may match subjects, actions, resources, tools, models, providers, and environments. Wildcards are glob-style and intentionally limited.
10
+
11
+ Conditions are structured with `all`, `any`, `not`, or leaf conditions using `field`, `operator`, and either `value` or `value_from`. Operators are `equals`, `not_equals`, `in`, `not_in`, `contains`, `not_contains`, `exists`, `not_exists`, `starts_with`, `ends_with`, numeric comparisons, `between`, and `matches_safe_pattern`.
12
+
13
+ Missing fields make ordinary conditions non-matching. Invalid bundles or unsafe ambiguity produce validation errors and evaluation fails closed.
14
+
15
+ Decisions are `allow`, `deny`, `require_review`, or `indeterminate`. Indeterminate defaults to deny-equivalent behavior.
16
+
17
+ Obligations include `audit`, `redact`, `mask`, `require_review`, `enforce_limit`, `notify`, `retain_evidence`, and `attach_policy_context`. Extension obligations must contain a namespace such as `example.custom_obligation`.
18
+
19
+ Limits include cost, token, tool-call, retry, and agent-step limits. Cost values are handled with `Decimal`, not binary floating point.
20
+
@@ -0,0 +1,29 @@
1
+ # Roadmap
2
+
3
+ ## 0.1.0a2
4
+
5
+ - Stronger policy shadowing analysis.
6
+ - Aliases and renamed policy tracking.
7
+ - Improved security-relaxation diff confidence.
8
+ - Signed bundle manifests.
9
+ - Configurable organizational lint profiles.
10
+ - Richer test data generators.
11
+
12
+ ## 0.1.0a3
13
+
14
+ - Deeper Forge middleware.
15
+ - OpenOntologyLite reference validation.
16
+ - ModelSwapBench compliance benchmark adapter.
17
+ - PrivateAIStack integration examples.
18
+ - Audit-event export for AIAuditLog.
19
+
20
+ ## 0.2
21
+
22
+ - Policy package imports.
23
+ - Namespaced reusable policy modules.
24
+ - Local policy catalog.
25
+ - Optional decision cache.
26
+ - Policy provenance.
27
+ - Signed release bundles.
28
+ - Organization-level policy layering.
29
+
@@ -0,0 +1,10 @@
1
+ # Security and Threat Model
2
+
3
+ AgentPolicyPack treats policy files as untrusted input. It uses safe YAML loading, duplicate-key checks, JSON parsing, UTF-8 validation, file-size limits, strict models, bounded condition nesting, and restricted safe glob patterns.
4
+
5
+ The evaluator does not execute code, does not import policy-named modules, does not use `eval` or `exec`, and does not make network calls during evaluation.
6
+
7
+ Security decision failures are fail-closed. Invalid bundles evaluate to `indeterminate` with a deny-equivalent effective decision by default.
8
+
9
+ Out of scope: identity provider behavior, secrets management, network firewalling, operating-system sandboxing, hosted policy serving, legal certification, and perfect PII discovery.
10
+
@@ -0,0 +1,28 @@
1
+ subject:
2
+ id: agent-1
3
+ type: ai_agent
4
+ roles:
5
+ - research_agent
6
+ action: tool.call
7
+ resource:
8
+ id: web
9
+ type: WebSearch
10
+ attributes:
11
+ classification: public
12
+ tool:
13
+ name: search
14
+ namespace: external.web
15
+ risk: low
16
+ capabilities:
17
+ - search
18
+ model:
19
+ provider: ollama
20
+ name: qwen2.5:3b
21
+ hosting: local
22
+ environment:
23
+ name: production
24
+ context:
25
+ request_id: req-001
26
+ estimated_cost_usd: "0.01"
27
+ tool_calls: 1
28
+
@@ -0,0 +1,147 @@
1
+ schema_version: "1.0"
2
+ bundle:
3
+ id: tool-governance
4
+ name: Tool Governance Example
5
+ version: "1.0.0"
6
+ namespace: example.tool_governance
7
+ description: Example policies for AI-agent tool use.
8
+ default_decision: deny
9
+ conflict_strategy: deny_overrides
10
+ tags:
11
+ - example
12
+ - tools
13
+ data_classifications:
14
+ - public
15
+ - internal
16
+ - confidential
17
+ - restricted
18
+ policies:
19
+ - id: deny-shell
20
+ name: Deny shell execution
21
+ enabled: true
22
+ effect: deny
23
+ priority: 300
24
+ targets:
25
+ tools:
26
+ names:
27
+ - shell
28
+ actions:
29
+ - tool.call
30
+ obligations:
31
+ - type: audit
32
+ parameters:
33
+ level: detailed
34
+ reason: Shell execution is prohibited by default.
35
+ - id: require-review-database-write
36
+ name: Require review for database writes
37
+ effect: require_review
38
+ priority: 250
39
+ targets:
40
+ tools:
41
+ capabilities:
42
+ - database_write
43
+ actions:
44
+ - tool.call
45
+ environments:
46
+ names:
47
+ - production
48
+ obligations:
49
+ - type: require_review
50
+ parameters:
51
+ reviewer_role: data_steward
52
+ timeout_behavior: deny
53
+ reason: Production database writes require human review.
54
+ - id: allow-research-search
55
+ name: Allow research agents to use search
56
+ effect: allow
57
+ priority: 100
58
+ targets:
59
+ subjects:
60
+ roles:
61
+ - research_agent
62
+ tools:
63
+ names:
64
+ - search
65
+ risks:
66
+ - low
67
+ actions:
68
+ - tool.call
69
+ environments:
70
+ names:
71
+ - development
72
+ - production
73
+ conditions:
74
+ all:
75
+ - field: resource.attributes.classification
76
+ operator: in
77
+ value:
78
+ - public
79
+ - internal
80
+ - field: context.estimated_cost_usd
81
+ operator: less_than_or_equal
82
+ value: "0.05"
83
+ obligations:
84
+ - type: audit
85
+ parameters:
86
+ level: standard
87
+ limits:
88
+ max_cost_usd: "0.05"
89
+ max_tool_calls: 5
90
+ reason: Low-risk search is allowed for research agents using non-sensitive data.
91
+ tests:
92
+ - id: allow-search
93
+ name: Search request is allowed
94
+ request:
95
+ subject:
96
+ id: agent-1
97
+ type: ai_agent
98
+ roles:
99
+ - research_agent
100
+ action: tool.call
101
+ resource:
102
+ id: web
103
+ type: WebSearch
104
+ attributes:
105
+ classification: public
106
+ tool:
107
+ name: search
108
+ namespace: external.web
109
+ risk: low
110
+ capabilities:
111
+ - search
112
+ environment:
113
+ name: production
114
+ context:
115
+ estimated_cost_usd: "0.01"
116
+ tool_calls: 1
117
+ expect_decision: allow
118
+ expect_obligations:
119
+ - audit
120
+ expect_matched_policies:
121
+ - allow-research-search
122
+ - id: deny-shell
123
+ request:
124
+ subject:
125
+ id: agent-2
126
+ type: ai_agent
127
+ roles:
128
+ - research_agent
129
+ action: tool.call
130
+ resource:
131
+ id: terminal
132
+ type: Shell
133
+ attributes:
134
+ classification: internal
135
+ tool:
136
+ name: shell
137
+ risk: high
138
+ capabilities:
139
+ - command_execute
140
+ environment:
141
+ name: production
142
+ context:
143
+ estimated_cost_usd: "0.00"
144
+ expect_decision: deny
145
+ expect_matched_policies:
146
+ - deny-shell
147
+