Policy Configuration

Policy File

Policy lives at .agentzero/policy.yml (TOML format):

# AgentZero Policy
version = 1
default_classification = "private"
model_routing = "local_only"
shell_commands = "require_approval"
file_write = "require_approval"
network = "deny"
wasm_execution = "deny"

Options

`default_classification`

How data is classified by default:

public — safe for remote models
private — requires redaction for remote
secret — never sent remotely

`model_routing`

local_only — no remote model calls ever
local_preferred — allow remote with redaction when local unavailable

`shell_commands`

allow — shell commands execute without approval
require_approval — user must approve each command
deny — shell commands always blocked

`file_write`

allow — writes execute without approval
require_approval — user must approve each write
deny — writes always blocked

`network`

allow — network requests permitted
require_approval — user must approve
deny — all network access blocked

`wasm_execution`

Controls whether WASM-backed skills can execute:

allow — WASM skills execute without approval
require_approval — user must approve WASM execution
deny — WASM execution always blocked (default)

WASM execution is denied by default. To run WASM skills, explicitly set this to allow or require_approval. WASM support is compiled in by default (disable with --no-default-features).

az init writes wasm_execution = "require_approval" for the default profile and wasm_execution = "deny" for --private.

View Active Policy

az policy status

How Policy is Enforced

Every tool call passes through the policy engine before execution:

Tool requests a capability (e.g., FileWrite)
Policy engine evaluates against rules
Decision: Allow, Deny, RequiresApproval, or AllowWithRedaction
Audit event emitted with decision and reason
If denied or requires approval, tool call is blocked

No tool, skill, or model call can bypass policy evaluation.