Skip to content

Policy System (Local)#

Locally-executing agents run under composable policies. A policy expresses what a sandbox can reach, which credentials are available, and how those credentials are injected. Multiple policies combine into a single resolved policy at runtime.

What a policy expresses#

A local policy describes three things:

  • Allowed destinations — the set of domains (exact or wildcard) that the sandbox's default-deny network is permitted to reach, and whether each is allowed or explicitly denied.
  • Required credentials — the secrets the sandbox needs in order to call allowed destinations. Each credential declares where it should be injected (which domain, which HTTP header, in which format).
  • Environment values — free-form environment variables that the sandbox should inherit, for cases where an upstream tool requires configuration via env rather than HTTP headers.

A policy never contains credential values — only the shape of what's needed. Values are resolved separately at runtime, then injected by the proxy.

Bundled, project, and user policies#

Three sources contribute policies to a local sandbox:

  • Bundled policies ship with the platform and cover the most common upstream systems (Anthropic API access, GitHub, local Kubernetes API access). They are updated as the platform evolves.
  • Project-scoped policies live with a specific project's configuration. They are the right place to declare access rules that are unique to a codebase or customer workspace.
  • User-scoped policies are personal to an engineer and available across any project they work on.

Any of these can be composed together.

Policy composition#

At runtime, an agent selects one or more policies. The platform resolves them into a single effective policy:

  • Compatible overlaps are deduplicated. If two policies both allow the same domain with the same action, the overlap is collapsed.
  • Conflicts are surfaced, not silently resolved. If two policies allow and deny the same domain, or declare credentials with the same identifier but different contents, composition fails with an explicit error. Administrators fix the conflict by editing one of the policies rather than debugging a subtle merge outcome.
  • Credential injections remain scoped. A credential declared in one policy is injected only against the domains that policy explicitly names. Composing policies does not widen injection scope.

This composition model makes it safe to start from a bundled policy, add an organization-specific policy on top, and add a per-project extension — each layer is explicit and auditable.

Credential injection#

Credential injection for local sandboxes follows the same model as platform credential bindings. The sandbox proxy terminates the agent's TLS, injects credential headers in the agreed format, and establishes a fresh TLS connection to the real upstream. Supported injection formats include Bearer tokens, custom header values, Basic auth, and mTLS against destinations that require it.

The agent never reads the credential value — not from environment variables, not from filesystem, not from tool output.