Policy Engine
The policy engine is a declarative rule system that controls what tools an agent can use, what files it can access, and what network requests it can make. Policies are evaluated before every tool call.
Overview
Policies are defined as rules with conditions and actions:
- Allow rules -- explicitly permit specific operations
- Deny rules -- explicitly block specific operations
- Default action -- applied when no rule matches (deny by default)
Policy Format
toml
[security.policy]
default_action = "deny"
[[security.policy.rules]]
name = "allow-read-workspace"
action = "allow"
tools = ["fs_read"]
paths = ["/home/user/workspace/**"]
[[security.policy.rules]]
name = "block-sensitive-dirs"
action = "deny"
tools = ["fs_read", "fs_write"]
paths = ["/etc/**", "/root/**", "**/.ssh/**"]
[[security.policy.rules]]
name = "allow-http-approved-domains"
action = "allow"
tools = ["http_request"]
domains = ["api.github.com", "api.openai.com"]Rule Evaluation
Rules are evaluated in order. The first matching rule determines the action. If no rule matches, the default action is applied.
Built-in Policies
PRX ships with sensible default policies that:
- Block access to system directories and sensitive files
- Require explicit approval for destructive operations
- Rate-limit network requests
- Log all tool executions for audit