The Policy Builder is a visual canvas where you assemble the rules an agent operates under. As you build, Keydris shows a plain-English summary of the policy, and on save it compiles your work to a Rego module.
1. Start a new policy

Open Policy Builder and select Create Policy. The canvas opens with a trigger, the branches you can govern, and an outcome.
2. Choose what to govern

Enable the payments branch, the actions branch, or both. Each branch is independent, so you can govern only what is relevant to this agent.
3. Add action rules

For each permitted tool call, set the tool, the operation, and the decision (allow, approval, or reject). For destination-based tools such as HTTP, cURL, and email, you can:
  • Scope the rule to an allowlist or a blocklist of hosts and ports.
  • Cap the number of matching calls per hour.
  • Bind a Vault credential the agent must use for the call, by token rather than plaintext.
4. Add payment limits

Cap spending and refunds independently. Set a maximum amount and a decision for each, then scope them with a currency, payment rails (card, bank transfer, wallet), and a provider.
5. Set the default decision

Choose what happens to a request that matches no rule. Rejecting everything else is a safe default. Optionally enable team notifications for the policy.
6. Save

Save the policy. Keydris compiles it to a Rego v1 module, stores both the configuration and the compiled module, and assigns it a version.

Reviewing the result

The policies list shows each policy’s name, current version, and last update. Select View on any policy to read its compiled Rego, and copy it if you need it elsewhere. To change a policy, open it from the list, edit it on the canvas, and save a new version.
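
As an aid for reading a compiled module, here is an added, hand-written Rego v1 sketch of a policy built from the choices in the steps above. It is not Keydris output: the package name, the `input` fields, and every host, limit, token, and provider value are assumptions made for the illustration.

```rego
# Added illustration, not Keydris output; names and values are assumptions.
package example.agent_policy
import rego.v1

# Default decision: a request that matches no rule is rejected.
default decision := "reject"

# Constructed host allowlist for the HTTP tool.
allowed_hosts := {"api.example.com", "hooks.example.com"}

# Action rule: allowlisted host and port, hourly cap, bound Vault token.
decision := "allow" if {
    input.branch == "actions"
    input.tool == "http"
    input.operation == "GET"
    input.host in allowed_hosts
    input.port == 443
    input.calls_last_hour < 60
    input.credential_token == "vault-token-placeholder"
}

# Action rule: sending email needs approval.
decision := "approval" if {
    input.branch == "actions"
    input.tool == "email"
    input.operation == "send"
}

# Payment limits: spending and refunds are capped independently.
decision := "allow" if {
    input.branch == "payments"
    input.kind == "spend"
    input.amount <= 200
    payment_in_scope
}

decision := "approval" if {
    input.branch == "payments"
    input.kind == "refund"
    input.amount <= 50
    payment_in_scope
}

# Shared payment scope: currency, rails, provider.
payment_in_scope if {
    input.currency == "USD"
    input.rail in {"card", "bank_transfer"}
    input.provider == "example-psp"
}
```

When you review a compiled module, confirm that the `default` value is the decision you chose in step 5 and that each allow rule carries the destination, rate, and credential conditions you set on the canvas.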

Policies

The concepts behind branches, decisions, and versioning.

Vault

Store the credentials your rules reference by token.