policy

Declares what the agent's sandbox is allowed to do. The runtime enforces this at the capsule boundary — tool calls that exceed the policy are blocked before execution, not after.

export default defineAgent({
    policy: {
        fs: {
            read:  ["./data/**", "./src/**"],
            write: ["./data/**"],
            deny:  ["/etc/**", "~/.ssh/**"],
        },
        network: {
            allow: ["api.github.com", "*.anthropic.com"],
            deny:  ["*"],
        },
        procs: {
            allow:   ["git *", "npm *", "bun *"],
            deny:    ["rm -rf *"],
            escalate: ["docker *"],
        },
    },
})

fs

Controls filesystem access. Patterns are glob strings evaluated against the absolute path of each operation.

fs: {
    read?:     string[]  // paths the agent can read
    write?:    string[]  // paths the agent can write or create
    deny?:     string[]  // takes precedence over read and write
    escalate?: string[]  // pause and prompt the user before allowing
}

A path must match read or write to be permitted. deny overrides both — if a path matches deny, it is blocked regardless of read/write lists.

escalate triggers a prompt to the connected TUI before the operation proceeds. The user approves or denies in real time.
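The decision order described above can be modelled in a few lines. This is an added example, not the runtime's own code: `collapse`, `toAbsolute`, `globToRegExp`, `decide` and `samplePolicy` are hypothetical names, and the `escalate` entry in the sample policy is constructed. It assumes relative patterns resolve against a project root, `~` expands to the user's home directory, `*` stays within one path segment, `**` crosses segments, and `escalate` is checked after `deny` but before `read`/`write`.

```javascript
// Added example: a model of the documented fs decision order, not the runtime's code.
// Assumed: root-relative patterns, "~" = home, "*" within a segment, "**" across
// segments, escalate checked after deny and before read/write.

// Collapse "." and ".." so a traversal sequence cannot slip past a prefix pattern.
function collapse(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Turn a policy pattern or a requested path into an absolute, collapsed path.
function toAbsolute(p, root, home) {
  if (p === "~" || p.startsWith("~/")) return collapse(home + p.slice(1));
  return collapse(p.startsWith("/") ? p : root + "/" + p);
}

// Compile an absolute glob into an anchored RegExp.
function globToRegExp(glob) {
  const src = glob
    .split(/(\*\*|\*)/)
    .map((part) =>
      part === "**" ? ".*" : part === "*" ? "[^/]*" : part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join("");
  return new RegExp("^" + src + "$");
}

// deny wins, then escalate, then the list for this operation; no match means deny.
function decide(fsPolicy, op, requested, root, home) {
  const target = toAbsolute(requested, root, home);
  const hits = (list = []) =>
    list.some((g) => globToRegExp(toAbsolute(g, root, home)).test(target));
  if (hits(fsPolicy.deny)) return "deny";
  if (hits(fsPolicy.escalate)) return "escalate";
  return hits(fsPolicy[op]) ? "allow" : "deny";
}

// fs policy from the example at the top of the page, plus a constructed escalate entry.
const samplePolicy = {
  read: ["./data/**", "./src/**"],
  write: ["./data/**"],
  deny: ["/etc/**", "~/.ssh/**"],
  escalate: ["./data/secrets/**"],
};
```

With root `/proj`, a read of `./data/../../etc/passwd` collapses to `/etc/passwd` and is denied even though the raw string begins with an allowed prefix. The model normalizes strings only; it does not resolve symlinks.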

network

Controls outbound fetch() calls. Patterns match against hostnames.

network: {
    allow?: string[]  // permitted hostnames or patterns
    deny?:  string[]  // blocked hostnames or patterns
}

deny: ["*"] with a specific allow list is the recommended pattern for agents that only need to reach known endpoints.

procs

Controls axon.proc.spawn() — which shell commands the agent can run as subprocesses. Patterns match against the full command string.

procs: {
    allow?:    string[]  // permitted command patterns
    deny?:     string[]  // blocked command patterns
    escalate?: string[]  // pause and prompt the user before allowing
}

For a deeper explanation of how policy is compiled and enforced, see Capsule & Policy.