Feat/policy guardrails #10
Merged
AGENTOS_API_TARGET env var overrides the hardcoded production api.clawagent.sh target. Defaults preserved (backwards-compatible). Lets developers point `vite dev` at a local computeragent-server without editing the config. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds an engine-agnostic policy abstraction at the ComputerAgent layer.
A PolicyDecider gates every tool call before the engine dispatches it;
denies short-circuit with behavior:"deny" and never reach the tool.
Why ComputerAgent-level, not per-engine: policy is the fourth orthogonal
axis alongside engine/substrate/memory. Configure once at the harness;
all engines (claude-agent-sdk, gitagent) inherit enforcement via the
existing onPermissionRequest contract — engines don't need to know about
Cedar/OPA/SRS.
How it works:
- protocol: PolicyDecider, ToolCallContext, PolicyDecision, PolicyConfig
types; CreateSessionBody gains an optional policy field.
- harness-server: SrsPolicyDecider fetches the RAI policy from SRS once,
caches cedar_guardrail + opa_guardrail, calls
/v1/guardrails/evaluate-tool-call per turn. run-session wraps
onPermissionRequest so a bound decider gates ahead of any client
mediation.
- engine-claude-agent-sdk: PreToolUse hook added so the gate fires even
in bypassPermissions mode (where canUseTool is skipped). gitagent
already routed preToolUse → onPermissionRequest.
- sdk: ComputerAgent constructor accepts policy; forwarded into
POST /v1/sessions.
- AgentOS server: /agentos/api/policies/* proxy SRS (LYZR_API_KEY never
reaches the browser); /agentos/api/opa-policies/* proxies SRS's
standalone Rego policies. agent_policy_bindings collection in Mongo
holds the per-agent policy_id binding. chat-sandbox reads the binding
and forwards a policy spec to /sandboxes.
- AgentOS UI: Policies page (list / create / edit / delete Cedar +
OPA), Rego policy modal, per-agent policy tab with attach/detach.
Mirrors the shape of Lyzr's SRS guardrail-evaluate endpoint:
ToolCallContext → {allowed, deniedBy, reason}. New policy engines drop
in by implementing PolicyDecider and branching on PolicyConfig.kind in
create-session.
Verified end-to-end: claude-code denies Bash with destructive shell
patterns (OPA), Write/Edit (Cedar), WebFetch outside an allowlist (OPA);
safe Bash and allowlisted WebFetch pass through.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
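As an added illustration of the gate described above (this is example code written for this page, not the PR's own implementation): a minimal PolicyDecider in the ToolCallContext → {allowed, deniedBy, reason} shape, a wrapper that puts the decider ahead of the existing onPermissionRequest handler so a deny short-circuits with behavior:"deny" before any client mediation, and a stand-in local decider encoding the three checks the PR reports verifying (destructive Bash, Write/Edit, WebFetch outside an allowlist). All type and function names, the regex list, and the sample calls are assumptions; the real SRS-backed decider makes an HTTP call per turn and would be async.

```typescript
// Added example, not the project's code. Names and shapes are assumptions
// modelled on the PR description, not the @computeragent/protocol package.

type ToolCallContext = {
  toolName: string;
  input: Record<string, unknown>;
  sessionId: string;
};

type PolicyDecision = {
  allowed: boolean;
  deniedBy?: "cedar" | "opa" | "local";
  reason?: string;
};

// Synchronous here so the example runs stand-alone; the SRS-backed decider
// described in the PR calls /v1/guardrails/evaluate-tool-call and is async.
interface PolicyDecider {
  evaluate(ctx: ToolCallContext): PolicyDecision;
}

// The permission contract engines already speak. The gate answers in this
// shape, so engines never learn which policy engine produced the verdict.
type PermissionResult =
  | { behavior: "allow" }
  | { behavior: "deny"; message: string };
type PermissionHandler = (ctx: ToolCallContext) => PermissionResult;

// Hypothetical destructive-shell patterns standing in for the OPA guardrail.
const DESTRUCTIVE_BASH: RegExp[] = [
  /\brm\s+-\w*r\w*\b/,          // rm -r, rm -rf, rm -fr ...
  /\bmkfs(\.\w+)?\b/,           // filesystem creation
  /\bdd\s+.*\bof=\/dev\//,      // dd writing to a block device
  />\s*\/dev\/sd[a-z]/,         // redirect onto a disk
];

// Local decider: Bash checked against the patterns (OPA), Write/Edit denied
// outright (Cedar), WebFetch restricted to an allowlist of hosts (OPA).
function makeLocalDecider(fetchAllowlist: string[]): PolicyDecider {
  return {
    evaluate(ctx) {
      if (ctx.toolName === "Bash") {
        const cmd = String(ctx.input.command ?? "");
        const hit = DESTRUCTIVE_BASH.find((re) => re.test(cmd));
        return hit
          ? { allowed: false, deniedBy: "opa", reason: `destructive shell pattern ${hit}` }
          : { allowed: true };
      }
      if (ctx.toolName === "Write" || ctx.toolName === "Edit") {
        return { allowed: false, deniedBy: "cedar", reason: "filesystem writes disabled for this agent" };
      }
      if (ctx.toolName === "WebFetch") {
        let host: string;
        try {
          host = new URL(String(ctx.input.url ?? "")).hostname;
        } catch {
          return { allowed: false, deniedBy: "opa", reason: "unparseable url" };
        }
        const ok = fetchAllowlist.some((h) => host === h || host.endsWith("." + h));
        return ok
          ? { allowed: true }
          : { allowed: false, deniedBy: "opa", reason: `host ${host} not in allowlist` };
      }
      return { allowed: true };
    },
  };
}

// Wrap the client's onPermissionRequest: a policy deny never reaches the
// client (or the tool); an allow falls through to whatever the client decides.
function gatePermissions(decider: PolicyDecider, client: PermissionHandler): PermissionHandler {
  return (ctx) => {
    const d = decider.evaluate(ctx);
    if (!d.allowed) {
      return { behavior: "deny", message: `policy (${d.deniedBy ?? "unknown"}): ${d.reason ?? "denied"}` };
    }
    return client(ctx);
  };
}

// Constructed sample tool calls (not traffic captured from the project).
const alwaysAllowClient: PermissionHandler = () => ({ behavior: "allow" });
const gated = gatePermissions(makeLocalDecider(["docs.example.com"]), alwaysAllowClient);

function runSamples(): Record<string, PermissionResult> {
  const calls: Record<string, ToolCallContext> = {
    rmrf: { toolName: "Bash", input: { command: "rm -rf /srv/data" }, sessionId: "s1" },
    ls: { toolName: "Bash", input: { command: "ls -la" }, sessionId: "s1" },
    write: { toolName: "Write", input: { path: "/etc/passwd", content: "x" }, sessionId: "s1" },
    fetchOk: { toolName: "WebFetch", input: { url: "https://docs.example.com/a" }, sessionId: "s1" },
    fetchBad: { toolName: "WebFetch", input: { url: "https://evil.example.net/" }, sessionId: "s1" },
    fetchJunk: { toolName: "WebFetch", input: { url: "not a url" }, sessionId: "s1" },
  };
  const out: Record<string, PermissionResult> = {};
  for (const [name, ctx] of Object.entries(calls)) out[name] = gated(ctx);
  return out;
}
```

Because the gate wraps the handler rather than the engine, the same wrapper serves both a canUseTool-style callback and a PreToolUse hook; the PR's point about bypassPermissions mode is that the hook path must also be wired through it, otherwise the decider is simply never consulted.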
The bundle is tracked; source-only commits leave it stale. Regenerate so the runtime actually contains SrsPolicyDecider + run-session's policy gate + claude-agent-sdk's PreToolUse hook. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
shreyas-lyzr pushed a commit that referenced this pull request on May 31, 2026
Resolves 9 conflicts arising from PR #10 (policy guardrails) landing on main after this branch was cut.

Strategy:
- Backend files where main has the real new policy feature (engine.ts, permission-bridge.ts, run-session.ts, sdk/src/types.ts, protocol/src/policy.ts, harness-server/services/srs-policy-decider.ts): took main's version, then re-applied the customer-name scrub on top (Lyzr SRS mentions, hardcoded srs-dev.test.studio.lyzr.ai URL).
- packages/sdk/src/types.ts: kept main's full ComputerAgentOptions (policy field with structured spec) AND added back the telemetry? field from the cleanup branch (AgentTelemetry hook). Both fields coexist.
- 5 source files (engine.ts, permission-bridge.ts, types.ts, run-session.ts, srs-policy-decider.ts) had stale 'import from "@computeragent/protocol"' lines from PR #10 — that package name does not exist on public npm (the scope is unowned; d19ada7 renamed the workspace package to @open-gitagent/protocol). Updated all 5 imports to @open-gitagent/protocol, matching what the other 19 workspace packages already use.
- examples/agentos-api.ts: union-merged HEAD's cookie-session login + /me / /logout endpoints with main's SRS policy proxy block. Scrubbed LYZR_API_KEY env var → SRS_API_KEY, dropped hardcoded srs-dev.test.studio.lyzr.ai default (now requires explicit SRS_BASE_URL).
- agentos files (App.tsx, vite.config.ts): HEAD's shadcn-based version is strictly newer than main's hand-rolled one (Observability rail item, AgentCard import, full ui/* primitives). Took HEAD.

Verification:
- pnpm -r build green across all 22 packages
- 0 hits of {lyzr, nordstrom, clawagent, shreyas-lyzr} in source (excluding gitignored private.md / PLAN.md / docs.md, none of which make the public surface)
shreyas-lyzr added a commit that referenced this pull request on May 31, 2026
…through fix: 3 regressions from PR #10 merge — Bedrock env passthrough + health route
No description provided.