Skip to main content
A policy defines what an agent may do, spend, and call. Every request an agent makes with a KIT is checked against the policy attached to that KIT. You author policies visually, and Keydris compiles each one to a Rego module and versions it.

What a policy can govern

A policy can govern payments, actions, or both at once. Each branch is an independent sub-configuration you can turn on or off.

Actions

The tool calls an agent is permitted, each with its own decision. For destinations such as HTTP and email, you can scope a rule to an allowlist or a blocklist of hosts, cap calls per hour, and bind a Vault credential the agent must use.

Payments

Independent caps on spending and refunds over a shared currency, payment rail, and provider scope. For example, allow spend up to a limit while requiring approval for refunds.

Decisions

Each rule carries a decision that Keydris applies when a request matches it:
DecisionEffect
AllowThe request proceeds.
ApprovalThe request is held until a person approves it.
RejectThe request is denied.
A policy also sets a default decision for any request that matches no rule in either branch. A common pattern is to allow or require approval for specific operations and reject everything else.

Versioning

Saving a policy compiles it to a Rego v1 module and increments its version. The policies list shows each policy’s current version and when it was last updated, and you can view the compiled Rego for any version at any time.

Build a policy

Author a policy on the visual canvas.

Policy Builder

Browse, version, and inspect your policies.