Skip to main content
policy.yaml is the main file a developer authors to tell Sec0 what is allowed, what must be denied, and how telemetry and side effects should be handled. This page keeps the parts of the schema that are typically written as part of an SDK integration.

Minimal example

tenant: my-app
security_level: middleware
default_retention: 30d

signing:
  enabled: true
  key_ref: file://./.sec0/keys/ed25519.key

observability:
  otlp_endpoint: https://otlp.example.com
  sample:
    success: 1
    error: 1

tools:
  allowlist:
    - mcp://orders/lookupOrder@1.0
  deny_if_unpinned_version: true

privacy:
  redact_outputs: false
  store_raw_payloads: false
  artifact_retention:
    public: 30d
    pii: 30d
    phi: 90d

side_effects:
  require_idempotency_key: true
  max_retries: 1

enforcement:
  deny_on:
    - tool_not_in_allowlist
    - missing_idempotency_for_side_effect
  circuit_breakers:
    error_rate_pct: 25
    p95_latency_ms: 2000

agent_guard:
  enabled: true
  block_on_severity: high

security:
  egress_allowlist:
    - "*.internal.example.com"
  side_effects:
    require_idempotency_key: true

Top-level

KeyTypeRequiredDescription
tenantstringYesWorkspace or tenant slug
security_level"gateway" or "middleware"NoPolicy tier hint
default_retention"30d", "90d", or "180d"YesDefault retention class
signingobjectYesAudit signing configuration
observabilityobjectYesOTLP endpoint and sampling
toolsobjectYesTool allowlist and version pinning rules
skillsobjectNoSkill allowlist and change-scan controls
privacyobjectYesOutput redaction and raw payload retention
side_effectsobjectYesIdempotency and retry controls
enforcementobjectYesDeny, escalate, and circuit-breaker controls
agent_guardobjectNoPrompt and output guard thresholds
securityobjectNoGateway-style runtime guardrails
Compliance pack authoring and export settings are intentionally not part of the main developer reference. Use the dedicated compliance and operations docs for those flows.

signing

KeyTypeRequiredDescription
signing.enabledbooleanYesEnable audit envelope signing
signing.key_refstringYesKey reference such as file://./.sec0/keys/ed25519.key

observability

KeyTypeRequiredDescription
observability.otlp_endpointstringYesOTLP collector endpoint
observability.sampleobjectYesSampling ratios
observability.enabledbooleanNoEnable tracing
observability.redact_identitiesbooleanNoRedact identity data in spans

observability.sample

KeyTypeRequiredDescription
observability.sample.successnumber (0-1)YesSuccess sampling ratio
observability.sample.errornumber (0-1)YesError sampling ratio

tools

KeyTypeRequiredDescription
tools.allowliststring[]YesAllowed tool patterns such as "*" or "mcp://server/tool@version"
tools.deny_if_unpinned_versionbooleanYesBlock unpinned tool versions

skills

KeyTypeRequiredDescription
skills.allowliststring[]Yes (if set)Allowed skill refs
skills.deny_if_unpinned_versionbooleanYes (if set)Block unpinned skill versions
skills.scan_on_change_onlybooleanNoScan only when version or digest changes
skills.block_on_changebooleanNoBlock while a new result is pending
skills.block_on_severitylow, medium, high, or criticalNoDeny threshold

privacy

KeyTypeRequiredDescription
privacy.redact_outputsbooleanYesRedact tool outputs in audit logs
privacy.store_raw_payloadsbooleanYesPersist raw payload datasets
privacy.artifact_retentionobjectYesRetention by data class

privacy.artifact_retention

KeyTypeRequiredDescription
privacy.artifact_retention.publicstringYesPublic-data retention
privacy.artifact_retention.piistringYesPII retention
privacy.artifact_retention.phistringYesPHI retention

side_effects

KeyTypeRequiredDescription
side_effects.require_idempotency_keybooleanYesRequire idempotency keys for side effects
side_effects.max_retriesnumber (0-10)YesMax retry count

enforcement

KeyTypeRequiredDescription
enforcement.deny_onstring[]YesReasons that trigger a deny
enforcement.escalate_onstring[]NoReasons that trigger human escalation
enforcement.circuit_breakersobjectYesCircuit-breaker thresholds

enforcement.deny_on and enforcement.escalate_on values

ValueMeaning
missing_audit_signatureAudit signature missing or invalid
tool_not_in_allowlistTool not permitted by tools.allowlist
version_unpinnedTool version missing when pinning is required
missing_idempotency_for_side_effectSide-effecting call missing idempotency key
egress_violationEgress target is outside the allowed boundary
fs_violationFilesystem target is outside the allowed boundary
payload_too_largePayload exceeded configured size limits
duration_too_longExecution exceeded configured duration limits
registry_mutationTool registry changed after middleware freeze
handler_swapTool handler changed after registration
server_code_changedServer code hash changed since baseline
tool_code_changedTool handler code hash changed since baseline
skill_version_changedSkill version changed since baseline
skill_code_changedSkill digest changed since baseline
skill_scan_pendingSkill scan is still pending
skill_scan_failedSkill scan failed or exceeded threshold
sast_pendingSAST scan is still pending
sast_failedSAST scan failed or exceeded threshold
dast_pendingDAST scan is still pending
dast_failedDAST scan failed or exceeded threshold
agent_guard_failedAgent Guard findings exceeded the configured threshold

enforcement.circuit_breakers

KeyTypeRequiredDescription
enforcement.circuit_breakers.error_rate_pctnumber (0-100)YesError-rate threshold
enforcement.circuit_breakers.p95_latency_msnumber (>=0)YesP95 latency threshold

agent_guard

This is the preferred place for guard thresholds.
KeyTypeRequiredDescription
agent_guard.enabledbooleanNoEnable Agent Guard
agent_guard.block_on_severitylow, medium, high, or criticalNoDeny threshold
agent_guard.block_on_countnumber (>=1)NoDeny count threshold

security

Use security when the same policy document should also drive gateway-style runtime guardrails.
KeyTypeRequiredDescription
security.allow_versionsobjectNoServer-to-version allowlist map
security.egress_allowliststring[]NoAllowed egress patterns
security.fs_allowliststring[]NoAllowed filesystem patterns
security.limitsobjectNoPayload and duration limits
security.side_effectsobjectNoSide-effect guardrails

security.limits

KeyTypeRequiredDescription
security.limits.max_payload_kbnumberNoMax payload size
security.limits.max_duration_msnumberNoMax duration

security.side_effects

KeyTypeRequiredDescription
security.side_effects.require_idempotency_keybooleanNoRequire idempotency
security.side_effects.approve_high_riskbooleanNoEnable escalation creation
security.side_effects.human_escalationobjectNoSnake-case approval strategy config
security.side_effects.humanEscalationobjectNoCamel-case approval strategy config

security.side_effects.human_escalation / humanEscalation

KeyTypeRequiredDescription
approval_strategyauto_allow, single_approver, or human_quorumNoEscalation approval strategy
timeout_actionauto_approve or auto_rejectNoAction when escalation expires
min_approvalsnumber (>=1)NoApproval quorum
min_rejectionsnumber (>=1)NoRejection quorum
required_rolesstring[]NoRoles that must appear on approval votes
veto_rolesstring[]NoRoles that can force rejection
approval_set_idstringNoExplicit reviewer-set override