Skip to main content

A vendor-neutral policy-as-code toolkit for governing AI agents and agentic workflows.

Project description

AgentPolicyPack

AgentPolicyPack lets organizations define, test, and carry AI-agent governance rules across models, frameworks, providers, and deployment environments.

AgentPolicyPack is an alpha project. Version 0.1.0a1 is ready for public alpha release with documented limitations, not production certification.

Motivation

AI-agent governance should be portable, deterministic, auditable, version-controlled, and testable in CI. AgentPolicyPack provides a vendor-neutral policy bundle format, a fail-closed evaluator, policy tests, simulation, diffing, and a Python API plus CLI.

Problem Statement

Organizations often encode agent rules inside one model provider, framework, runtime, or deployment stack. That creates lock-in and makes policy behavior hard to test. AgentPolicyPack separates governance intent from enforcement systems so the same rules can be validated, compared, and evaluated offline.

Core Capabilities

  • YAML and JSON policy bundles loaded with safe parsers.
  • Strict schema models that reject unknown fields.
  • Structural and semantic validation with stable finding codes.
  • Safe structured condition language with bounded nesting.
  • Target matching for subjects, actions, resources, tools, models, providers, and environments.
  • Conflict strategies: deny_overrides, allow_overrides, first_applicable, highest_priority, and only_one_applicable.
  • Effects: allow, deny, require_review, limit, redact, and log_only.
  • Obligations and most-restrictive limit aggregation.
  • Deterministic normalization, digests, decision IDs, and reports.
  • Embedded policy tests, policy-test coverage, simulation, comparison, and conservative diffing.

Architecture

Policy bundles load into typed Pydantic models. Validation runs before evaluation. Invalid bundles fail closed as indeterminate with a deny-equivalent effective decision. The evaluator performs deterministic target matching, structured condition evaluation, conflict resolution, obligation aggregation, limit aggregation, and evidence generation. External systems remain responsible for enforcing the returned decision.

Installation

python -m pip install agentpolicypack

For development:

python -m pip install -e ".[dev]"

Quick Start Policy

schema_version: "1.0"
bundle:
  id: customer-support-governance
  name: Customer Support Agent Governance
  version: "1.0.0"
  namespace: example.customer_support
  default_decision: deny
  conflict_strategy: deny_overrides
policies:
  - id: allow-ticket-read
    effect: allow
    priority: 100
    targets:
      subjects:
        roles: [support_agent]
      actions: [ticket.read]
      resources:
        types: [SupportTicket]
    conditions:
      all:
        - field: resource.attributes.assigned_agent_id
          operator: equals
          value_from: subject.id

Evaluation Example

agentpolicy evaluate examples/tool_governance/policy.yaml --request examples/tool_governance/allow-search-request.yaml

Policy-Test Example

agentpolicy test examples/tool_governance/policy.yaml
agentpolicy coverage examples/tool_governance/policy.yaml

CLI Examples

agentpolicy validate examples/tool_governance/policy.yaml
agentpolicy lint examples/tool_governance/policy.yaml
agentpolicy inspect examples/tool_governance/policy.yaml
agentpolicy normalize examples/tool_governance/policy.yaml
agentpolicy digest examples/tool_governance/policy.yaml
agentpolicy simulate examples/tool_governance/policy.yaml --requests examples/tool_governance/requests.yaml
agentpolicy diff tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml
agentpolicy compare tests/fixtures/diff/policy-v1.yaml tests/fixtures/diff/policy-v2.yaml --requests tests/fixtures/diff/requests.yaml

Python API Example

from agent_policy_pack import DecisionRequest, evaluate, load_bundle

bundle = load_bundle("examples/tool_governance/policy.yaml")
request = DecisionRequest(action="tool.call", subject={"roles": ["research_agent"]})
decision = evaluate(bundle, request)
print(decision.decision, decision.effective_decision)

Conflict Strategies

deny_overrides is the default. Any matching deny controls before review or allow. allow_overrides is supported but dangerous because it may relax denies. first_applicable uses deterministic priority-descending, ID-ascending order. highest_priority selects the highest priority and resolves equal-priority mixed effects conservatively. only_one_applicable returns indeterminate when multiple policies match.

Effects, Obligations, and Limits

Policy effects express governance intent. Decisions expose a primary outcome plus structured obligations such as audit, redact, mask, require_review, enforce_limit, notify, retain_evidence, and attach_policy_context. Custom obligations must use an extension namespace and are preserved, not executed. Limits use exact Decimal handling for costs.

Simulation and Diffing

Simulation evaluates request batches offline. Comparison evaluates two bundles against the same requests. Diffing classifies changes conservatively as security relaxation, tightening, potentially breaking, or informational.

Integration Roadmap

The package includes protocol types for future adapters. Version 0.1.0a1 works independently and offline. Forge, PrivateAIStack, ModelSwapBench, OpenOntologyLite, AIAuditLog, and OpenAIMeter integrations are deferred unless optional adapters are installed and tested in later releases.

Security Model

AgentPolicyPack uses safe YAML loading, strict unknown-field rejection, bounded condition nesting, safe glob-style patterns, deterministic serialization, and fail-closed defaults. It never uses Python eval or exec, never imports modules named by policy files, and never follows remote URLs.

Limitations

  • External systems must enforce policy decisions.
  • No identity-provider integration.
  • No secrets management.
  • No network firewall.
  • No operating-system sandbox.
  • No hosted policy server.
  • No graphical editor.
  • No general-purpose expression language.
  • No arbitrary code execution.
  • No legal or regulatory certification.
  • Custom obligations are preserved but not executed.
  • PII obligations do not provide automatic perfect PII discovery.
  • Policies cannot guarantee model behavior.
  • Optional framework adapters may cover only documented integration points.
  • Policy diff classification is conservative and rule-based.
  • Policy-test coverage is not software-code coverage.
  • Bundle format may evolve before version 1.0.

Contributing

Use the development commands in docs/development.md. Keep behavior deterministic, typed, local-first, and fail-closed.

License

MIT.

Author

sekacorn

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

agentpolicypack-0.1.0a1.tar.gz (25.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

agentpolicypack-0.1.0a1-py3-none-any.whl (25.7 kB view details)

Uploaded Python 3

File details

Details for the file agentpolicypack-0.1.0a1.tar.gz.

File metadata

  • Download URL: agentpolicypack-0.1.0a1.tar.gz
  • Upload date:
  • Size: 25.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for agentpolicypack-0.1.0a1.tar.gz
Algorithm Hash digest
SHA256 c2b8a3c2166b0e260256c3196ae2f71774a006e220a86ac0be2827346540d891
MD5 81306bb2a60656f25f2c6a0675ce02b7
BLAKE2b-256 14b9d46b5ff6464c0131114026b1dca653aef7e6a11ab34de02b1339d29949c7

See more details on using hashes here.

Provenance

The following attestation bundles were made for agentpolicypack-0.1.0a1.tar.gz:

Publisher: release.yml on sekacorn/AgentPolicyPack

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file agentpolicypack-0.1.0a1-py3-none-any.whl.

File metadata

File hashes

Hashes for agentpolicypack-0.1.0a1-py3-none-any.whl
Algorithm Hash digest
SHA256 89446f0bf9181901fceb537a996d451ad6deb75bb966c38c63051e1f4c88655c
MD5 b5f364c648f8349bf2e56280e3b54a49
BLAKE2b-256 cd1eb267a64acbd5abd09207713e09bce8f5dad3969e3d8c0cd63ac934d09e08

See more details on using hashes here.

Provenance

The following attestation bundles were made for agentpolicypack-0.1.0a1-py3-none-any.whl:

Publisher: release.yml on sekacorn/AgentPolicyPack

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page