From d2df1457efb65495a7890e30c5e23d171a42d5f0 Mon Sep 17 00:00:00 2001
From: Khush Patel <khush@lyzr.ai>
Date: Thu, 28 May 2026 17:57:37 +0530
Subject: [PATCH 1/3] chore(agentos): make vite dev proxy target
 env-configurable

AGENTOS_API_TARGET env var overrides the hardcoded production
api.clawagent.sh target. Defaults preserved (backwards-compatible).
Lets developers point `vite dev` at a local computeragent-server
without editing the config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 agentos/vite.config.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/agentos/vite.config.ts b/agentos/vite.config.ts
index 47ac941..2b624de 100644
--- a/agentos/vite.config.ts
+++ b/agentos/vite.config.ts
@@ -5,8 +5,10 @@ import react from "@vitejs/plugin-react";
 // proxied to the Node server. For local `vite dev`, proxy /api to the live API
 // (api.clawagent.sh/agentos/api) and inject the Basic Auth header so the
 // dashboard works end-to-end against real data without deploying.
+// Override AGENTOS_API_TARGET to point at a local server (e.g. http://127.0.0.1:8787).
 const API_USER = process.env.AGENTOS_API_USER ?? "clawagent";
 const API_PASS = process.env.AGENTOS_API_PASS ?? "";
+const API_TARGET = process.env.AGENTOS_API_TARGET ?? "https://api.clawagent.sh";
 const authHeader = "Basic " + Buffer.from(`${API_USER}:${API_PASS}`).toString("base64");
 
 export default defineConfig({
@@ -14,7 +16,7 @@ export default defineConfig({
   server: {
     proxy: {
       "/api": {
-        target: "https://api.clawagent.sh",
+        target: API_TARGET,
         changeOrigin: true,
         rewrite: (p) => p.replace(/^\/api/, "/agentos/api"),
         headers: { Authorization: authHeader },

From 8bc02fbfbfab1c7ce5209ff10ad53289602d0135 Mon Sep 17 00:00:00 2001
From: Khush Patel <khush@lyzr.ai>
Date: Thu, 28 May 2026 17:58:05 +0530
Subject: [PATCH 2/3] feat(policy): SRS-backed per-agent guardrails (Cedar +
 OPA)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an engine-agnostic policy abstraction at the ComputerAgent layer.
A PolicyDecider gates every tool call before the engine dispatches it;
denies short-circuit with behavior:"deny" and never reach the tool.

Why ComputerAgent-level, not per-engine: policy is the fourth orthogonal
axis alongside engine/substrate/memory. Configure once at the harness;
all engines (claude-agent-sdk, gitagent) inherit enforcement via the
existing onPermissionRequest contract — engines don't need to know about
Cedar/OPA/SRS.

How it works:
  - protocol: PolicyDecider, ToolCallContext, PolicyDecision, PolicyConfig
    types; CreateSessionBody gains an optional policy field.
  - harness-server: SrsPolicyDecider fetches the RAI policy from SRS once,
    caches cedar_guardrail + opa_guardrail, calls
    /v1/guardrails/evaluate-tool-call per turn. run-session wraps
    onPermissionRequest so a bound decider gates ahead of any client
    mediation.
  - engine-claude-agent-sdk: PreToolUse hook added so the gate fires even
    in bypassPermissions mode (where canUseTool is skipped). gitagent
    already routed preToolUse → onPermissionRequest.
  - sdk: ComputerAgent constructor accepts policy; forwarded into
    POST /v1/sessions.
  - AgentOS server: /agentos/api/policies/* proxy SRS (LYZR_API_KEY never
    reaches the browser); /agentos/api/opa-policies/* proxies SRS's
    standalone Rego policies. agent_policy_bindings collection in Mongo
    holds the per-agent policy_id binding. chat-sandbox reads the binding
    and forwards a policy spec to /sandboxes.
  - AgentOS UI: Policies page (list / create / edit / delete Cedar +
    OPA), Rego policy modal, per-agent policy tab with attach/detach.

Mirrors the shape of Lyzr's SRS guardrail-evaluate endpoint:
ToolCallContext → {allowed, deniedBy, reason}. New policy engines drop
in by implementing PolicyDecider and branching on PolicyConfig.kind in
create-session.

Verified end-to-end: claude-code denies Bash with destructive shell
patterns (OPA), Write/Edit (Cedar), WebFetch outside an allowlist (OPA);
safe Bash and allowlisted WebFetch pass through.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 agentos/src/App.tsx                           |  30 +-
 agentos/src/api.ts                            |  75 +++
 agentos/src/components/PoliciesPage.tsx       | 571 ++++++++++++++++++
 agentos/src/components/PolicyTab.tsx          | 137 +++++
 examples/agent-policy-store.ts                |  56 ++
 examples/agentos-api.ts                       |  86 +++
 examples/computeragent-server.ts              |  23 +-
 examples/slack-bot.ts                         |  17 +-
 .../engine-claude-agent-sdk/src/engine.ts     |  10 +-
 .../src/permission-bridge.ts                  |  39 +-
 .../src/services/create-session.ts            |  14 +
 .../src/services/run-session.ts               |  38 +-
 .../src/services/srs-policy-decider.ts        |  97 +++
 packages/harness-server/src/session.ts        |   2 +
 packages/protocol/src/harness-rest.ts         |  15 +
 packages/protocol/src/index.ts                |   1 +
 packages/protocol/src/policy.ts               |  62 ++
 packages/sdk/src/computer-agent.ts            |   1 +
 packages/sdk/src/types.ts                     |  14 +
 19 files changed, 1272 insertions(+), 16 deletions(-)
 create mode 100644 agentos/src/components/PoliciesPage.tsx
 create mode 100644 agentos/src/components/PolicyTab.tsx
 create mode 100644 examples/agent-policy-store.ts
 create mode 100644 packages/harness-server/src/services/srs-policy-decider.ts
 create mode 100644 packages/protocol/src/policy.ts

diff --git a/agentos/src/App.tsx b/agentos/src/App.tsx
index 09aaaf1..862ebd5 100644
--- a/agentos/src/App.tsx
+++ b/agentos/src/App.tsx
@@ -4,9 +4,11 @@ import { LogsTab } from "./components/LogsTab.tsx";
 import { WorkspaceTab } from "./components/WorkspaceTab.tsx";
 import { SchedulesTab } from "./components/SchedulesTab.tsx";
 import { HomePage } from "./components/HomePage.tsx";
+import { PolicyTab } from "./components/PolicyTab.tsx";
+import { PoliciesPage } from "./components/PoliciesPage.tsx";
 
-type Tab = "chat" | "schedules" | "logs";
-type View = "home" | "dashboard";
+type Tab = "chat" | "schedules" | "policy" | "logs";
+type View = "home" | "dashboard" | "policies";
 
 function timeAgo(iso: string | null): string {
   if (!iso) return "never";
@@ -91,7 +93,7 @@ export default function App() {
             </div>
           </div>
         </div>
-        <div className="px-2 pt-2">
+        <div className="px-2 pt-2 space-y-1">
           <button
             onClick={() => setView("home")}
             className={`w-full text-left rounded-lg px-3 py-2 text-sm transition flex items-center gap-2 ${
@@ -100,6 +102,14 @@ export default function App() {
           >
             <span>🏠</span> Home
           </button>
+          <button
+            onClick={() => setView("policies")}
+            className={`w-full text-left rounded-lg px-3 py-2 text-sm transition flex items-center gap-2 ${
+              view === "policies" ? "bg-ink-600 ring-1 ring-accent/40" : "hover:bg-ink-700"
+            }`}
+          >
+            <span>🛡️</span> Policies
+          </button>
         </div>
         {/* Agents folder (file-system style) */}
         <div className="px-2 pt-2">
@@ -145,7 +155,9 @@ export default function App() {
 
       {/* Main */}
       <main className="flex-1 flex flex-col min-w-0">
-        {view === "home" ? (
+        {view === "policies" ? (
+          <PoliciesPage />
+        ) : view === "home" ? (
           <HomePage onLaunch={launchFromHome} onOpenDashboard={() => agents[0] && openAgent(agents[0].name)} />
         ) : agent ? (
           <>
@@ -161,7 +173,7 @@ export default function App() {
                 </div>
               </div>
               <nav className="ml-auto flex gap-1 bg-ink-800 rounded-lg p-1">
-                {(["chat", "schedules", "logs"] as Tab[]).map((t) => (
+                {(["chat", "schedules", "policy", "logs"] as Tab[]).map((t) => (
                   <button
                     key={t}
                     onClick={() => setTab(t)}
@@ -185,6 +197,14 @@ export default function App() {
                 />
               )}
               {tab === "schedules" && <SchedulesTab key={agent.name} agent={agent.name} agentLabel={agent.label} />}
+              {tab === "policy" && (
+                <PolicyTab
+                  key={agent.name}
+                  agent={agent.name}
+                  agentLabel={agent.label}
+                  onManagePolicies={() => setView("policies")}
+                />
+              )}
               {tab === "logs" && <LogsTab key={agent.name} agent={agent.name} />}
             </section>
           </>
diff --git a/agentos/src/api.ts b/agentos/src/api.ts
index b3ba235..15a09bc 100644
--- a/agentos/src/api.ts
+++ b/agentos/src/api.ts
@@ -48,6 +48,59 @@ export interface SessionDetail {
   entries: TranscriptEntry[];
 }
 
+// Policies — SRS-managed. The browser only sees the bits that matter for
+// the runtime (name, description, cedar/opa subsections). Everything else
+// is forwarded by the server-side proxy; we don't reshape it.
+export interface CedarPolicyEntry {
+  id: string;
+  name?: string;
+  description?: string;
+  policy_text: string;
+  enabled?: boolean;
+}
+export interface CedarGuardrailConfig {
+  enabled: boolean;
+  policies: CedarPolicyEntry[];
+  fail_open?: boolean;
+}
+export interface OPAManagedBinding {
+  policy_id: string;
+  hooks?: string[];
+}
+export interface OPAGuardrailConfig {
+  enabled: boolean;
+  source: "managed" | "external";
+  managed_policies: OPAManagedBinding[];
+  server_url?: string | null;
+  policy_path?: string | null;
+  mode?: "audit" | "enforce" | "fail_open" | "fail_closed";
+  timeout_seconds?: number;
+}
+export interface PolicyDoc {
+  _id: string;
+  name: string;
+  description: string;
+  cedar_guardrail?: CedarGuardrailConfig | null;
+  opa_guardrail?: OPAGuardrailConfig | null;
+  created_at?: string;
+  updated_at?: string;
+  [k: string]: unknown;
+}
+export interface AgentPolicyBinding {
+  _id: string;          // agent name
+  policyId: string;
+  updatedAt: string;
+}
+
+export interface OPAPolicyDoc {
+  _id: string;
+  name: string;
+  description?: string;
+  rego_content: string;
+  created_at?: string;
+  updated_at?: string;
+}
+
 export interface Schedule {
   _id: string;
   agentName: string;
@@ -122,4 +175,26 @@ export const api = {
     reqJSON<{ schedule: Schedule }>("PATCH", `/schedules/${encodeURIComponent(id)}`, fields).then((d) => d.schedule),
   deleteSchedule: (id: string) => reqJSON<{ ok: boolean }>("DELETE", `/schedules/${encodeURIComponent(id)}`),
   runScheduleNow: (id: string) => postJSON<{ ok: boolean }>(`/schedules/${encodeURIComponent(id)}/run-now`, {}),
+  // Policies — SRS-proxied. Server injects x-api-key.
+  policies: () => getJSON<{ policies: PolicyDoc[] }>("/policies").then((d) => d.policies),
+  policy: (id: string) => getJSON<PolicyDoc>(`/policies/${encodeURIComponent(id)}`),
+  createPolicy: (body: Partial<PolicyDoc>) => postJSON<PolicyDoc>("/policies", body),
+  updatePolicy: (id: string, body: Partial<PolicyDoc>) =>
+    reqJSON<{ success?: boolean } | PolicyDoc>("PUT", `/policies/${encodeURIComponent(id)}`, body),
+  deletePolicy: (id: string) =>
+    reqJSON<{ success?: boolean }>("DELETE", `/policies/${encodeURIComponent(id)}`),
+  // Per-agent policy binding (Mongo, ours).
+  getAgentPolicy: (agent: string) =>
+    getJSON<{ binding: AgentPolicyBinding | null }>(`/agents/${encodeURIComponent(agent)}/policy`).then((d) => d.binding),
+  setAgentPolicy: (agent: string, policyId: string | null) =>
+    reqJSON<{ binding: AgentPolicyBinding | null }>("PUT", `/agents/${encodeURIComponent(agent)}/policy`, { policy_id: policyId }).then((d) => d.binding),
+  // OPA rego policies (managed by SRS, referenced from RAI policies' opa_guardrail).
+  opaPolicies: () => getJSON<{ policies: OPAPolicyDoc[] } | OPAPolicyDoc[]>("/opa-policies").then((d) => (Array.isArray(d) ? d : d.policies)),
+  opaPolicy: (id: string) => getJSON<OPAPolicyDoc>(`/opa-policies/${encodeURIComponent(id)}`),
+  createOpaPolicy: (body: { name: string; description?: string; rego_content: string }) =>
+    postJSON<OPAPolicyDoc>("/opa-policies", body),
+  updateOpaPolicy: (id: string, body: Partial<OPAPolicyDoc>) =>
+    reqJSON<OPAPolicyDoc | { success?: boolean }>("PUT", `/opa-policies/${encodeURIComponent(id)}`, body),
+  deleteOpaPolicy: (id: string) =>
+    reqJSON<{ success?: boolean }>("DELETE", `/opa-policies/${encodeURIComponent(id)}`),
 };
diff --git a/agentos/src/components/PoliciesPage.tsx b/agentos/src/components/PoliciesPage.tsx
new file mode 100644
index 0000000..498a98b
--- /dev/null
+++ b/agentos/src/components/PoliciesPage.tsx
@@ -0,0 +1,571 @@
+import { useEffect, useState } from "react";
+import { api, type PolicyDoc, type CedarPolicyEntry, type OPAPolicyDoc } from "../api.ts";
+
+/**
+ * Global Policies page. List on the left, editor on the right. Focuses on
+ * Cedar + OPA — the two guardrails the ComputerAgent runtime actually
+ * consults via /v1/guardrails/evaluate-tool-call. Other SRS guardrails
+ * (PII, NSFW, topics, etc.) operate on LLM input text and aren't part of
+ * the tool-call gate, so they're hidden here; manage them in SRS directly.
+ */
+export function PoliciesPage() {
+  const [policies, setPolicies] = useState<PolicyDoc[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [err, setErr] = useState<string | null>(null);
+  const [editing, setEditing] = useState<PolicyDoc | "new" | null>(null);
+
+  const load = () => {
+    setLoading(true);
+    setErr(null);
+    api.policies().then(setPolicies).catch((e) => setErr(String(e))).finally(() => setLoading(false));
+  };
+  useEffect(load, []);
+
+  const onSaved = () => {
+    setEditing(null);
+    load();
+  };
+
+  const remove = async (id: string) => {
+    if (!confirm("Delete this policy? Any agent bound to it will fall back to allow-all until rebound.")) return;
+    try {
+      await api.deletePolicy(id);
+      if (editing && editing !== "new" && editing._id === id) setEditing(null);
+      load();
+    } catch (e) {
+      setErr(String(e));
+    }
+  };
+
+  return (
+    <div className="flex h-full">
+      <div className="w-96 shrink-0 border-r border-ink-600 bg-ink-800 flex flex-col">
+        <div className="px-5 py-4 border-b border-ink-600 flex items-center justify-between">
+          <div>
+            <div className="text-base font-semibold">Policies</div>
+            <div className="text-[11px] text-gray-500">SRS-managed · Cedar + OPA</div>
+          </div>
+          <button
+            onClick={() => setEditing("new")}
+            className="text-xs px-2.5 py-1 rounded bg-accent text-white hover:bg-accent/80"
+          >
+            + New
+          </button>
+        </div>
+        {err && <div className="m-3 text-sm text-red-400">{err}</div>}
+        <div className="flex-1 overflow-y-auto p-2 space-y-1">
+          {loading && <div className="text-sm text-gray-500 p-2">Loading…</div>}
+          {!loading && policies.length === 0 && (
+            <div className="text-sm text-gray-500 p-2">No policies yet. Click <span className="text-accent">+ New</span>.</div>
+          )}
+          {policies.map((p) => {
+            const isActive = editing && editing !== "new" && editing._id === p._id;
+            return (
+              <button
+                key={p._id}
+                onClick={() => setEditing(p)}
+                className={`w-full text-left rounded-md px-3 py-2 transition ${
+                  isActive ? "bg-accent/20 ring-1 ring-accent/40" : "hover:bg-ink-700"
+                }`}
+              >
+                <div className="flex items-center gap-2">
+                  <span className="text-sm font-medium truncate">{p.name}</span>
+                  <span className="ml-auto text-[10px] text-gray-600 font-mono">{p._id.slice(-6)}</span>
+                </div>
+                <div className="text-[11px] text-gray-500 mt-0.5 truncate">{p.description || <em>no description</em>}</div>
+                <div className="text-[10px] text-accent-soft mt-1 flex gap-2">
+                  {p.cedar_guardrail?.enabled && <span>Cedar ({p.cedar_guardrail.policies?.length ?? 0})</span>}
+                  {p.opa_guardrail?.enabled && <span>OPA ({p.opa_guardrail.managed_policies?.length ?? 0})</span>}
+                  {!p.cedar_guardrail?.enabled && !p.opa_guardrail?.enabled && <span className="text-gray-600">no guardrails enabled</span>}
+                </div>
+              </button>
+            );
+          })}
+        </div>
+      </div>
+
+      <div className="flex-1 min-w-0 overflow-y-auto">
+        {editing === null ? (
+          <div className="h-full grid place-items-center text-gray-600 text-sm">
+            Select a policy or <button onClick={() => setEditing("new")} className="text-accent hover:underline ml-1">create one</button>.
+          </div>
+        ) : (
+          <PolicyEditor
+            initial={editing === "new" ? null : editing}
+            onSaved={onSaved}
+            onCancel={() => setEditing(null)}
+            onDelete={editing === "new" ? undefined : () => remove(editing._id)}
+          />
+        )}
+      </div>
+    </div>
+  );
+}
+
+interface EditorState {
+  name: string;
+  description: string;
+  cedarEnabled: boolean;
+  cedarFailOpen: boolean;
+  cedarPolicies: CedarPolicyEntry[];
+  opaEnabled: boolean;
+  opaSource: "managed" | "external";
+  opaManagedPolicyIds: string;     // comma-separated for the textarea
+  opaServerUrl: string;
+  opaPolicyPath: string;
+  opaMode: "audit" | "enforce" | "fail_open" | "fail_closed";
+  opaTimeoutSeconds: number;
+}
+
+const FRESH_CEDAR_RULE = (): CedarPolicyEntry => ({
+  id: `rule_${Math.random().toString(36).slice(2, 8)}`,
+  name: "Rule",
+  description: "",
+  policy_text: 'permit (\n  principal,\n  action,\n  resource\n);',
+  enabled: true,
+});
+
+function PolicyEditor({
+  initial,
+  onSaved,
+  onCancel,
+  onDelete,
+}: {
+  initial: PolicyDoc | null;
+  onSaved: () => void;
+  onCancel: () => void;
+  onDelete?: () => void;
+}) {
+  const [s, setS] = useState<EditorState>(() => ({
+    name: initial?.name ?? "",
+    description: initial?.description ?? "",
+    cedarEnabled: initial?.cedar_guardrail?.enabled ?? false,
+    cedarFailOpen: initial?.cedar_guardrail?.fail_open ?? false,
+    cedarPolicies: initial?.cedar_guardrail?.policies ?? [],
+    opaEnabled: initial?.opa_guardrail?.enabled ?? false,
+    opaSource: initial?.opa_guardrail?.source ?? "managed",
+    opaManagedPolicyIds: (initial?.opa_guardrail?.managed_policies ?? []).map((m) => m.policy_id).join(", "),
+    opaServerUrl: initial?.opa_guardrail?.server_url ?? "",
+    opaPolicyPath: initial?.opa_guardrail?.policy_path ?? "",
+    opaMode: initial?.opa_guardrail?.mode ?? "audit",
+    opaTimeoutSeconds: initial?.opa_guardrail?.timeout_seconds ?? 5.0,
+  }));
+  const [saving, setSaving] = useState(false);
+  const [err, setErr] = useState<string | null>(null);
+
+  const upd = <K extends keyof EditorState>(k: K, v: EditorState[K]) => setS((p) => ({ ...p, [k]: v }));
+
+  const updRule = (idx: number, patch: Partial<CedarPolicyEntry>) =>
+    setS((p) => ({ ...p, cedarPolicies: p.cedarPolicies.map((r, i) => (i === idx ? { ...r, ...patch } : r)) }));
+  const addRule = () => setS((p) => ({ ...p, cedarPolicies: [...p.cedarPolicies, FRESH_CEDAR_RULE()] }));
+  const delRule = (idx: number) =>
+    setS((p) => ({ ...p, cedarPolicies: p.cedarPolicies.filter((_, i) => i !== idx) }));
+
+  const save = async () => {
+    if (!s.name.trim()) {
+      setErr("Name is required");
+      return;
+    }
+    setSaving(true);
+    setErr(null);
+    const body: Partial<PolicyDoc> = {
+      name: s.name.trim(),
+      description: s.description.trim(),
+      cedar_guardrail: {
+        enabled: s.cedarEnabled,
+        fail_open: s.cedarFailOpen,
+        policies: s.cedarPolicies,
+      },
+      opa_guardrail: {
+        enabled: s.opaEnabled,
+        source: s.opaSource,
+        managed_policies: s.opaManagedPolicyIds
+          .split(",").map((x) => x.trim()).filter(Boolean)
+          .map((policy_id) => ({ policy_id })),
+        server_url: s.opaServerUrl || null,
+        policy_path: s.opaPolicyPath || null,
+        mode: s.opaMode,
+        timeout_seconds: s.opaTimeoutSeconds,
+      },
+    };
+    try {
+      if (initial) await api.updatePolicy(initial._id, body);
+      else await api.createPolicy(body);
+      onSaved();
+    } catch (e) {
+      setErr(String(e));
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  return (
+    <div className="p-6 max-w-3xl">
+      <div className="flex items-center justify-between mb-5">
+        <h2 className="text-lg font-semibold">{initial ? "Edit policy" : "Create policy"}</h2>
+        {initial && (
+          <div className="text-[11px] text-gray-500 font-mono">{initial._id}</div>
+        )}
+      </div>
+      {err && <div className="mb-3 text-sm text-red-400">{err}</div>}
+
+      <Section title="Identity">
+        <Field label="Name">
+          <input
+            value={s.name}
+            onChange={(e) => upd("name", e.target.value)}
+            placeholder="e.g. production-tool-gate"
+            className="w-full bg-ink-700 border border-ink-600 rounded px-3 py-1.5 text-sm"
+          />
+        </Field>
+        <Field label="Description">
+          <textarea
+            value={s.description}
+            onChange={(e) => upd("description", e.target.value)}
+            rows={2}
+            placeholder="What this policy enforces and why."
+            className="w-full bg-ink-700 border border-ink-600 rounded px-3 py-1.5 text-sm"
+          />
+        </Field>
+      </Section>
+
+      <Section title="Cedar" right={<Toggle checked={s.cedarEnabled} onChange={(v) => upd("cedarEnabled", v)} />}>
+        <p className="text-xs text-gray-500 mb-3">
+          PARC policies: <code className="text-accent-soft">forbid (principal, action, resource);</code> denies every tool call.
+          Each rule is a Cedar statement. <code className="text-accent-soft">forbid</code> wins over <code className="text-accent-soft">permit</code>.
+        </p>
+        <div className="space-y-3">
+          {s.cedarPolicies.length === 0 && (
+            <div className="text-xs text-gray-500 italic">No rules yet. Click "Add rule" to start.</div>
+          )}
+          {s.cedarPolicies.map((r, idx) => (
+            <div key={r.id} className="rounded border border-ink-600 bg-ink-700 p-3">
+              <div className="flex items-center gap-2 mb-2">
+                <input
+                  value={r.name ?? ""}
+                  onChange={(e) => updRule(idx, { name: e.target.value })}
+                  placeholder="Rule name"
+                  className="bg-ink-800 border border-ink-600 rounded px-2 py-1 text-xs flex-1"
+                />
+                <Toggle small checked={r.enabled !== false} onChange={(v) => updRule(idx, { enabled: v })} />
+                <button onClick={() => delRule(idx)} className="text-xs text-red-400 hover:text-red-300">Delete</button>
+              </div>
+              <textarea
+                value={r.policy_text}
+                onChange={(e) => updRule(idx, { policy_text: e.target.value })}
+                rows={6}
+                className="w-full bg-ink-800 border border-ink-600 rounded px-2 py-1.5 text-xs font-mono"
+                placeholder="forbid (principal, action, resource);"
+              />
+            </div>
+          ))}
+          <button
+            onClick={addRule}
+            className="text-xs px-2.5 py-1 rounded border border-ink-600 hover:bg-ink-700"
+          >
+            + Add rule
+          </button>
+        </div>
+        <Field label="Fail-open on engine error" inline>
+          <Toggle small checked={s.cedarFailOpen} onChange={(v) => upd("cedarFailOpen", v)} />
+        </Field>
+      </Section>
+
+      <Section title="OPA" right={<Toggle checked={s.opaEnabled} onChange={(v) => upd("opaEnabled", v)} />}>
+        <p className="text-xs text-gray-500 mb-3">
+          Rego policies. <code className="text-accent-soft">managed</code> uses policies stored in SRS; <code className="text-accent-soft">external</code> hits your own OPA server.
+        </p>
+        <Field label="Source">
+          <select
+            value={s.opaSource}
+            onChange={(e) => upd("opaSource", e.target.value as "managed" | "external")}
+            className="bg-ink-700 border border-ink-600 rounded px-2 py-1 text-sm"
+          >
+            <option value="managed">managed (SRS-hosted)</option>
+            <option value="external">external (your own OPA server)</option>
+          </select>
+        </Field>
+        {s.opaSource === "managed" ? (
+          <Field label="Managed policy IDs (comma-separated)">
+            <ManagedPolicyPicker
+              value={s.opaManagedPolicyIds}
+              onChange={(v) => upd("opaManagedPolicyIds", v)}
+            />
+          </Field>
+        ) : (
+          <>
+            <Field label="OPA server URL">
+              <input
+                value={s.opaServerUrl}
+                onChange={(e) => upd("opaServerUrl", e.target.value)}
+                placeholder="http://opa.internal:8181"
+                className="w-full bg-ink-700 border border-ink-600 rounded px-3 py-1.5 text-sm"
+              />
+            </Field>
+            <Field label="Policy path">
+              <input
+                value={s.opaPolicyPath}
+                onChange={(e) => upd("opaPolicyPath", e.target.value)}
+                placeholder="/v1/data/tools/allow"
+                className="w-full bg-ink-700 border border-ink-600 rounded px-3 py-1.5 text-sm"
+              />
+            </Field>
+          </>
+        )}
+        <Field label="Mode">
+          <select
+            value={s.opaMode}
+            onChange={(e) => upd("opaMode", e.target.value as EditorState["opaMode"])}
+            className="bg-ink-700 border border-ink-600 rounded px-2 py-1 text-sm"
+          >
+            <option value="audit">audit (log denies but don't block)</option>
+            <option value="enforce">enforce</option>
+            <option value="fail_open">fail-open (allow on engine error)</option>
+            <option value="fail_closed">fail-closed (deny on engine error)</option>
+          </select>
+        </Field>
+        <Field label="Timeout (seconds)" inline>
+          <input
+            type="number"
+            min={0.1}
+            step={0.1}
+            value={s.opaTimeoutSeconds}
+            onChange={(e) => upd("opaTimeoutSeconds", Number(e.target.value))}
+            className="bg-ink-700 border border-ink-600 rounded px-2 py-1 text-sm w-24"
+          />
+        </Field>
+      </Section>
+
+      <div className="mt-6 flex items-center gap-2">
+        <button
+          onClick={save}
+          disabled={saving}
+          className="px-4 py-1.5 rounded bg-accent text-white text-sm hover:bg-accent/80 disabled:opacity-50"
+        >
+          {saving ? "Saving…" : initial ? "Save changes" : "Create policy"}
+        </button>
+        <button
+          onClick={onCancel}
+          className="px-4 py-1.5 rounded border border-ink-600 text-sm hover:bg-ink-700"
+        >
+          Cancel
+        </button>
+        {onDelete && (
+          <button
+            onClick={onDelete}
+            className="ml-auto px-4 py-1.5 rounded border border-red-500/40 text-red-400 text-sm hover:bg-red-500/10"
+          >
+            Delete
+          </button>
+        )}
+      </div>
+    </div>
+  );
+}
+
+/**
+ * Picker for OPA managed_policies. Renders the current comma-separated IDs
+ * with chip-style display, a "Browse / create" button to open the modal,
+ * and a free-text input fallback for direct ID entry.
+ */
+function ManagedPolicyPicker({ value, onChange }: { value: string; onChange: (v: string) => void }) {
+  const [opaPolicies, setOpaPolicies] = useState<OPAPolicyDoc[] | null>(null);
+  const [showModal, setShowModal] = useState(false);
+
+  const refresh = () => api.opaPolicies().then(setOpaPolicies).catch(() => setOpaPolicies([]));
+  useEffect(() => { refresh(); }, []);
+
+  const selectedIds = value.split(",").map((s) => s.trim()).filter(Boolean);
+  const byId = new Map((opaPolicies ?? []).map((p) => [p._id, p]));
+
+  const toggle = (id: string) => {
+    const has = selectedIds.includes(id);
+    const next = has ? selectedIds.filter((x) => x !== id) : [...selectedIds, id];
+    onChange(next.join(", "));
+  };
+
+  return (
+    <>
+      <input
+        value={value}
+        onChange={(e) => onChange(e.target.value)}
+        placeholder="abc123, def456"
+        className="w-full bg-ink-700 border border-ink-600 rounded px-3 py-1.5 text-sm font-mono"
+      />
+      {selectedIds.length > 0 && (
+        <div className="flex flex-wrap gap-1 mt-2">
+          {selectedIds.map((id) => {
+            const p = byId.get(id);
+            return (
+              <span key={id} className="text-[11px] rounded bg-accent/20 text-accent-soft px-2 py-0.5">
+                {p ? p.name : <em>missing: {id.slice(0, 8)}…</em>}
+              </span>
+            );
+          })}
+        </div>
+      )}
+      <div className="mt-2 flex items-center gap-2">
+        <button
+          type="button"
+          onClick={() => setShowModal(true)}
+          className="text-xs px-2.5 py-1 rounded border border-ink-600 hover:bg-ink-700"
+        >
+          Browse / create Rego policies
+        </button>
+        <span className="text-[11px] text-gray-500">
+          {(opaPolicies?.length ?? 0)} available
+        </span>
+      </div>
+      {showModal && (
+        <RegoPoliciesModal
+          selectedIds={selectedIds}
+          onToggle={toggle}
+          onClose={() => { setShowModal(false); refresh(); }}
+        />
+      )}
+    </>
+  );
+}
+
+/**
+ * Modal for managing OPA rego policies stored in SRS (/v1/opa-policies).
+ * Lists existing rego policies (with checkbox to bind into the parent RAI
+ * policy), supports inline create + delete. The selection state lives in
+ * the parent (PolicyEditor) — this modal just toggles via callbacks.
+ */
+function RegoPoliciesModal({
+  selectedIds,
+  onToggle,
+  onClose,
+}: {
+  selectedIds: string[];
+  onToggle: (id: string) => void;
+  onClose: () => void;
+}) {
+  const [policies, setPolicies] = useState<OPAPolicyDoc[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [err, setErr] = useState<string | null>(null);
+  const [creating, setCreating] = useState(false);
+  const [newName, setNewName] = useState("");
+  const [newDesc, setNewDesc] = useState("");
+  const [newRego, setNewRego] = useState(
+    'package main\n\n# Return a boolean or {allow: bool, reasons: [...]}.\n# Inputs available: input.request.tool_name, input.request.arguments,\n# input.metadata.principal_id, input.metadata.bundle_id.\n\ndefault allow := true\n\nallow := false {\n  input.request.tool_name == "Write"\n}\n',
+  );
+
+  const load = () => {
+    setLoading(true); setErr(null);
+    api.opaPolicies().then(setPolicies).catch((e) => setErr(String(e))).finally(() => setLoading(false));
+  };
+  useEffect(load, []);
+
+  const create = async () => {
+    if (!newName.trim() || !newRego.trim()) { setErr("Name and rego content are required"); return; }
+    setCreating(true); setErr(null);
+    try {
+      await api.createOpaPolicy({ name: newName.trim(), description: newDesc.trim() || undefined, rego_content: newRego });
+      setNewName(""); setNewDesc("");
+      load();
+    } catch (e) { setErr(String(e)); } finally { setCreating(false); }
+  };
+
+  const remove = async (id: string) => {
+    if (!confirm("Delete this rego policy? Any RAI policy referencing it will fail to evaluate.")) return;
+    try { await api.deleteOpaPolicy(id); load(); } catch (e) { setErr(String(e)); }
+  };
+
+  return (
+    <div className="fixed inset-0 bg-black/70 z-50 grid place-items-center p-4">
+      <div className="bg-ink-800 border border-ink-600 rounded-lg w-full max-w-3xl max-h-[90vh] flex flex-col">
+        <div className="px-5 py-3 border-b border-ink-600 flex items-center justify-between">
+          <h3 className="text-sm font-semibold">Rego policies</h3>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-200 text-sm">✕ Close</button>
+        </div>
+        {err && <div className="mx-5 mt-3 text-sm text-red-400">{err}</div>}
+
+        <div className="flex-1 overflow-y-auto p-5 space-y-4">
+          <div>
+            <div className="text-xs uppercase tracking-wide text-gray-500 mb-2">Existing ({policies.length})</div>
+            {loading ? (
+              <div className="text-sm text-gray-500">Loading…</div>
+            ) : policies.length === 0 ? (
+              <div className="text-sm text-gray-500 italic">None yet. Create one below.</div>
+            ) : (
+              <div className="space-y-1">
+                {policies.map((p) => {
+                  const selected = selectedIds.includes(p._id);
+                  return (
+                    <div key={p._id} className={`rounded border ${selected ? "border-accent/40 bg-accent/10" : "border-ink-600 bg-ink-700"} p-3`}>
+                      <div className="flex items-center gap-2">
+                        <input type="checkbox" checked={selected} onChange={() => onToggle(p._id)} />
+                        <span className="text-sm font-medium">{p.name}</span>
+                        <span className="text-[10px] text-gray-500 font-mono ml-auto">{p._id}</span>
+                        <button onClick={() => remove(p._id)} className="text-xs text-red-400 hover:text-red-300">Delete</button>
+                      </div>
+                      {p.description && <div className="text-[11px] text-gray-500 mt-0.5">{p.description}</div>}
+                      <pre className="mt-2 text-[10px] font-mono bg-ink-800 border border-ink-600 rounded p-2 overflow-x-auto max-h-32">{p.rego_content}</pre>
+                    </div>
+                  );
+                })}
+              </div>
+            )}
+          </div>
+
+          <div className="border-t border-ink-600 pt-4">
+            <div className="text-xs uppercase tracking-wide text-gray-500 mb-2">Create new</div>
+            <div className="space-y-2">
+              <input value={newName} onChange={(e) => setNewName(e.target.value)} placeholder="Name (e.g. block-write)" className="w-full bg-ink-700 border border-ink-600 rounded px-3 py-1.5 text-sm" />
+              <input value={newDesc} onChange={(e) => setNewDesc(e.target.value)} placeholder="Description (optional)" className="w-full bg-ink-700 border border-ink-600 rounded px-3 py-1.5 text-sm" />
+              <textarea value={newRego} onChange={(e) => setNewRego(e.target.value)} rows={10} className="w-full bg-ink-700 border border-ink-600 rounded px-3 py-1.5 text-xs font-mono" />
+              <button onClick={create} disabled={creating} className="px-4 py-1.5 rounded bg-accent text-white text-sm hover:bg-accent/80 disabled:opacity-50">
+                {creating ? "Creating…" : "Create"}
+              </button>
+            </div>
+          </div>
+        </div>
+
+        <div className="px-5 py-3 border-t border-ink-600 flex justify-end">
+          <button onClick={onClose} className="px-4 py-1.5 rounded bg-accent text-white text-sm hover:bg-accent/80">Done</button>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function Section({ title, children, right }: { title: string; children: React.ReactNode; right?: React.ReactNode }) {
+  return (
+    <div className="mb-5 rounded-lg border border-ink-600 bg-ink-800 p-4">
+      <div className="flex items-center justify-between mb-3">
+        <h3 className="text-sm font-semibold">{title}</h3>
+        {right}
+      </div>
+      <div className="space-y-3">{children}</div>
+    </div>
+  );
+}
+
+function Field({ label, children, inline = false }: { label: string; children: React.ReactNode; inline?: boolean }) {
+  return (
+    <div className={inline ? "flex items-center gap-3" : ""}>
+      <label className="block text-[11px] uppercase tracking-wide text-gray-500 mb-1">{label}</label>
+      {children}
+    </div>
+  );
+}
+
+function Toggle({ checked, onChange, small = false }: { checked: boolean; onChange: (v: boolean) => void; small?: boolean }) {
+  const size = small ? "h-4 w-7" : "h-5 w-9";
+  const dot = small ? "h-3 w-3" : "h-4 w-4";
+  return (
+    <button
+      type="button"
+      role="switch"
+      aria-checked={checked}
+      onClick={() => onChange(!checked)}
+      className={`${size} relative rounded-full transition ${checked ? "bg-accent" : "bg-ink-600"}`}
+    >
+      <span
+        className={`${dot} absolute top-0.5 ${checked ? (small ? "left-3" : "left-4") : "left-0.5"} bg-white rounded-full transition`}
+      />
+    </button>
+  );
+}
diff --git a/agentos/src/components/PolicyTab.tsx b/agentos/src/components/PolicyTab.tsx
new file mode 100644
index 0000000..e5b03be
--- /dev/null
+++ b/agentos/src/components/PolicyTab.tsx
@@ -0,0 +1,137 @@
+import { useEffect, useState } from "react";
+import { api, type PolicyDoc, type AgentPolicyBinding } from "../api.ts";
+
+/**
+ * Per-agent policy attachment. Dropdown to bind one of the policies fetched
+ * from SRS; "Detach" clears the binding. Bound policy is enforced inside
+ * every chat sandbox the agent boots (see runtime SrsPolicyDecider).
+ */
+export function PolicyTab({
+  agent,
+  agentLabel,
+  onManagePolicies,
+}: {
+  agent: string;
+  agentLabel: string;
+  onManagePolicies: () => void;
+}) {
+  const [policies, setPolicies] = useState<PolicyDoc[]>([]);
+  const [binding, setBinding] = useState<AgentPolicyBinding | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [err, setErr] = useState<string | null>(null);
+  const [saving, setSaving] = useState(false);
+
+  const load = async () => {
+    setLoading(true);
+    setErr(null);
+    try {
+      const [pols, b] = await Promise.all([api.policies(), api.getAgentPolicy(agent)]);
+      setPolicies(pols);
+      setBinding(b);
+    } catch (e) {
+      setErr(String(e));
+    } finally {
+      setLoading(false);
+    }
+  };
+  useEffect(() => {
+    void load();
+  }, [agent]);
+
+  const attach = async (policyId: string | null) => {
+    setSaving(true);
+    try {
+      const b = await api.setAgentPolicy(agent, policyId);
+      setBinding(b);
+    } catch (e) {
+      setErr(String(e));
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  const boundPolicy = binding ? policies.find((p) => p._id === binding.policyId) : null;
+  const guardrailSummary = (p: PolicyDoc): string => {
+    const parts: string[] = [];
+    if (p.cedar_guardrail?.enabled) parts.push(`Cedar (${p.cedar_guardrail.policies?.length ?? 0})`);
+    if (p.opa_guardrail?.enabled) parts.push(`OPA (${p.opa_guardrail.managed_policies?.length ?? 0})`);
+    return parts.length > 0 ? parts.join(" · ") : "all guardrails disabled";
+  };
+
+  return (
+    <div className="p-6 max-w-3xl">
+      <h2 className="text-lg font-semibold mb-1">Policy</h2>
+      <p className="text-xs text-gray-500 mb-5">
+        Attach one policy to {agentLabel}. The runtime enforces it via SRS on every tool call (Cedar &amp; OPA).
+      </p>
+      {err && <div className="mb-3 text-sm text-red-400">{err}</div>}
+
+      <div className="rounded-lg border border-ink-600 bg-ink-800 p-4 mb-5">
+        <div className="text-xs uppercase tracking-wide text-gray-500 mb-2">Attached</div>
+        {loading ? (
+          <div className="text-sm text-gray-500">Loading…</div>
+        ) : boundPolicy ? (
+          <div>
+            <div className="text-sm font-medium">{boundPolicy.name}</div>
+            <div className="text-xs text-gray-500 mt-0.5">{boundPolicy.description || <em>no description</em>}</div>
+            <div className="text-[11px] text-accent-soft mt-1">{guardrailSummary(boundPolicy)}</div>
+            <button
+              onClick={() => attach(null)}
+              disabled={saving}
+              className="mt-3 text-xs text-red-400 hover:text-red-300 disabled:opacity-50"
+            >
+              Detach
+            </button>
+          </div>
+        ) : binding ? (
+          <div className="text-sm text-amber-400">
+            Bound to <code className="font-mono text-xs">{binding.policyId}</code>, but it was deleted in SRS.
+            <button onClick={() => attach(null)} className="ml-2 text-xs text-red-400">Detach</button>
+          </div>
+        ) : (
+          <div className="text-sm text-gray-500">No policy attached — every tool call allowed.</div>
+        )}
+      </div>
+
+      <div className="rounded-lg border border-ink-600 bg-ink-800 p-4">
+        <div className="flex items-center justify-between mb-2">
+          <div className="text-xs uppercase tracking-wide text-gray-500">Attach a policy</div>
+          <button
+            onClick={onManagePolicies}
+            className="text-xs text-accent hover:text-accent-soft"
+          >
+            Manage policies →
+          </button>
+        </div>
+        {policies.length === 0 ? (
+          <div className="text-sm text-gray-500">
+            No policies yet. <button onClick={onManagePolicies} className="text-accent hover:underline">Create one</button>.
+          </div>
+        ) : (
+          <div className="space-y-1 max-h-96 overflow-y-auto">
+            {policies.map((p) => {
+              const active = binding?.policyId === p._id;
+              return (
+                <button
+                  key={p._id}
+                  onClick={() => attach(p._id)}
+                  disabled={saving || active}
+                  className={`w-full text-left rounded-md px-3 py-2 transition ${
+                    active ? "bg-accent/20 ring-1 ring-accent/40" : "hover:bg-ink-700"
+                  }`}
+                >
+                  <div className="flex items-center gap-2">
+                    <span className="text-sm font-medium">{p.name}</span>
+                    {active && <span className="text-[10px] text-accent">ATTACHED</span>}
+                  </div>
+                  <div className="text-[11px] text-gray-500 mt-0.5 truncate">{p.description || <em>no description</em>}</div>
+                  <div className="text-[10px] text-accent-soft mt-1">{guardrailSummary(p)}</div>
+                </button>
+              );
+            })}
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
diff --git a/examples/agent-policy-store.ts b/examples/agent-policy-store.ts
new file mode 100644
index 0000000..1e547d6
--- /dev/null
+++ b/examples/agent-policy-store.ts
@@ -0,0 +1,56 @@
+/**
+ * AgentPolicyStore — agent → SRS policy_id binding, in MongoDB
+ * (`agent_policy_bindings`).
+ *
+ * One binding per agent. When set, the runtime fetches that policy from SRS
+ * and uses it as a PolicyDecider over every tool call. Detach by passing
+ * `null` to setBinding (or DELETE the route).
+ *
+ * Source of truth for the policy *content* is SRS itself — this collection
+ * stores only the {agent, policy_id} link.
+ */
+import { MongoClient, type Collection } from "mongodb";
+
+export interface AgentPolicyBinding {
+  _id: string;          // agent name (the natural key)
+  policyId: string;
+  updatedAt: Date;
+}
+
+export class AgentPolicyStore {
+  private readonly client: MongoClient;
+  private readonly dbName: string;
+  private connected = false;
+  private connectPromise: Promise<void> | null = null;
+
+  constructor(url: string, dbName: string) {
+    this.client = new MongoClient(url);
+    this.dbName = dbName;
+  }
+
+  private async coll(): Promise<Collection<AgentPolicyBinding>> {
+    if (!this.connected) {
+      if (!this.connectPromise) this.connectPromise = this.client.connect().then(() => { this.connected = true; });
+      await this.connectPromise;
+    }
+    return this.client.db(this.dbName).collection<AgentPolicyBinding>("agent_policy_bindings");
+  }
+
+  async get(agentName: string): Promise<AgentPolicyBinding | null> {
+    return (await this.coll()).findOne({ _id: agentName });
+  }
+
+  async set(agentName: string, policyId: string): Promise<AgentPolicyBinding> {
+    const doc: AgentPolicyBinding = { _id: agentName, policyId, updatedAt: new Date() };
+    await (await this.coll()).updateOne({ _id: agentName }, { $set: doc }, { upsert: true });
+    return doc;
+  }
+
+  async delete(agentName: string): Promise<void> {
+    await (await this.coll()).deleteOne({ _id: agentName });
+  }
+
+  async list(): Promise<AgentPolicyBinding[]> {
+    return (await this.coll()).find({}).toArray();
+  }
+}
diff --git a/examples/agentos-api.ts b/examples/agentos-api.ts
index 7d4cd36..2256799 100644
--- a/examples/agentos-api.ts
+++ b/examples/agentos-api.ts
@@ -18,6 +18,7 @@ import { sandboxBodyForBot } from "./slack-bot.ts";
 import { AgentLogStore } from "./agent-log-store.ts";
 import { ScheduleStore, computeNextRun, describeSchedule, type ScheduleKind } from "./schedule-store.ts";
 import { runAgentOnce } from "./scheduler.ts";
+import { AgentPolicyStore } from "./agent-policy-store.ts";
 
 /** An agent the control panel can list, chat with, and inspect. Covers both
  * Slack bots and web-only agents. */
@@ -43,6 +44,7 @@ export interface AgentOSOptions {
   readonly agents: readonly AgentDef[];
   readonly logStore: AgentLogStore;
   readonly scheduleStore?: ScheduleStore;
+  readonly policyStore?: AgentPolicyStore;
 }
 
 interface SessionDoc {
@@ -90,6 +92,29 @@ export function createAgentOSApp(opts: AgentOSOptions): Hono {
   const byName = new Map<string, AgentDef>(opts.agents.map((a) => [a.name, a]));
   const app = new Hono();
 
+  // SRS (policy backend) — hoisted so the chat-sandbox handler and the
+  // policy-proxy routes share the same config.
+  const srsBase = (process.env.SRS_BASE_URL ?? "https://srs-dev.test.studio.lyzr.ai").replace(/\/+$/, "");
+  const srsKey = process.env.LYZR_API_KEY ?? process.env.SRS_API_KEY ?? "";
+  const srsHeaders = (extra: Record<string, string> = {}): Record<string, string> => {
+    const h: Record<string, string> = { ...extra };
+    if (srsKey) h["x-api-key"] = srsKey;
+    return h;
+  };
+  const srsProxy = async (method: string, path: string, body?: unknown): Promise<Response> => {
+    if (!srsKey) {
+      return new Response(JSON.stringify({ error: { code: "SRS_NOT_CONFIGURED", message: "LYZR_API_KEY not set" } }), { status: 503, headers: { "content-type": "application/json" } });
+    }
+    const init: RequestInit = {
+      method,
+      headers: srsHeaders(body !== undefined ? { "content-type": "application/json" } : {}),
+    };
+    if (body !== undefined) init.body = JSON.stringify(body);
+    const r = await fetch(`${srsBase}${path}`, init);
+    const text = await r.text();
+    return new Response(text, { status: r.status, headers: { "content-type": r.headers.get("content-type") ?? "application/json" } });
+  };
+
   // ── Agents list + per-agent stats ──────────────────────────────────────
   app.get("/agentos/api/agents", async (c) => {
     // Live sandboxes (loopback) — used to mark which agents have warm sessions.
@@ -211,9 +236,24 @@ export function createAgentOSApp(opts: AgentOSOptions): Hono {
     }
     const body = await c.req.json().catch(() => ({})) as { sessionId?: string };
     const sessionId = body.sessionId || `agentos-${agent.name}-${randomUUID().slice(0, 12)}`;
+    // Lookup policy binding (if any) and translate to a sandbox policy spec.
+    let policySpec: { kind: "srs"; endpoint: string; apiKey: string; policyId: string; principalId: string } | undefined;
+    if (opts.policyStore && srsKey) {
+      const binding = await opts.policyStore.get(agent.name);
+      if (binding) {
+        policySpec = {
+          kind: "srs",
+          endpoint: srsBase,
+          apiKey: srsKey,
+          policyId: binding.policyId,
+          principalId: `agentos:${agent.name}`,
+        };
+      }
+    }
     const sandboxBody = sandboxBodyForBot(
       { name: agent.name, harness: agent.harness, source: agent.source, model: agent.model, extraEnvs: agent.envs, gitToken: agent.gitToken },
       sessionId,
+      policySpec,
     );
     const r = await fetch(`${caBase}/sandboxes`, {
       method: "POST",
@@ -370,6 +410,52 @@ export function createAgentOSApp(opts: AgentOSOptions): Hono {
     return c.json({ ok: true, running: true });
   });
 
+  // ── Policies — proxy SRS so the browser never sees LYZR_API_KEY ─────────
+  //
+  // SRS (Lyzr Studio Responsible AI APIs) owns policy CRUD. We forward
+  // GET/POST/PUT/DELETE on /v1/rai/policies, inject `x-api-key` server-side,
+  // and pass the body through unchanged. The dropdown on the agent screen
+  // uses GET /policies to populate; the policy editor uses POST/PUT.
+  app.get("/agentos/api/policies", async () => srsProxy("GET", "/v1/rai/policies"));
+  app.get("/agentos/api/policies/:id", async (c) => srsProxy("GET", `/v1/rai/policies/${encodeURIComponent(c.req.param("id"))}`));
+  app.post("/agentos/api/policies", async (c) => srsProxy("POST", "/v1/rai/policies", await c.req.json().catch(() => ({}))));
+  app.put("/agentos/api/policies/:id", async (c) => srsProxy("PUT", `/v1/rai/policies/${encodeURIComponent(c.req.param("id"))}`, await c.req.json().catch(() => ({}))));
+  app.delete("/agentos/api/policies/:id", async (c) => srsProxy("DELETE", `/v1/rai/policies/${encodeURIComponent(c.req.param("id"))}`));
+
+  // OPA rego policies — referenced by RAI policies' opa_guardrail.managed_policies[].policy_id.
+  app.get("/agentos/api/opa-policies", async () => srsProxy("GET", "/v1/opa-policies"));
+  app.get("/agentos/api/opa-policies/:id", async (c) => srsProxy("GET", `/v1/opa-policies/${encodeURIComponent(c.req.param("id"))}`));
+  app.post("/agentos/api/opa-policies", async (c) => srsProxy("POST", "/v1/opa-policies", await c.req.json().catch(() => ({}))));
+  app.put("/agentos/api/opa-policies/:id", async (c) => srsProxy("PUT", `/v1/opa-policies/${encodeURIComponent(c.req.param("id"))}`, await c.req.json().catch(() => ({}))));
+  app.delete("/agentos/api/opa-policies/:id", async (c) => srsProxy("DELETE", `/v1/opa-policies/${encodeURIComponent(c.req.param("id"))}`));
+
+  // ── Agent → policy binding (our own; lives in Mongo, not SRS) ───────────
+  //
+  // One policy_id per agent. The runtime reads this at sandbox-create time
+  // and feeds it into the SrsPolicyDecider that gates every tool call.
+  app.get("/agentos/api/agents/:name/policy", async (c) => {
+    if (!opts.policyStore) return c.json({ error: { code: "NO_POLICY_STORE" } }, 503);
+    if (!byName.has(c.req.param("name"))) return c.json({ error: { code: "UNKNOWN_AGENT" } }, 404);
+    const b = await opts.policyStore.get(c.req.param("name"));
+    return c.json({ binding: b });
+  });
+  app.put("/agentos/api/agents/:name/policy", async (c) => {
+    if (!opts.policyStore) return c.json({ error: { code: "NO_POLICY_STORE" } }, 503);
+    if (!byName.has(c.req.param("name"))) return c.json({ error: { code: "UNKNOWN_AGENT" } }, 404);
+    const body = await c.req.json().catch(() => ({})) as { policy_id?: string | null };
+    if (body.policy_id == null) {
+      await opts.policyStore.delete(c.req.param("name"));
+      return c.json({ binding: null });
+    }
+    const b = await opts.policyStore.set(c.req.param("name"), body.policy_id);
+    return c.json({ binding: b });
+  });
+  app.delete("/agentos/api/agents/:name/policy", async (c) => {
+    if (!opts.policyStore) return c.json({ error: { code: "NO_POLICY_STORE" } }, 503);
+    await opts.policyStore.delete(c.req.param("name"));
+    return c.json({ ok: true });
+  });
+
   app.get("/agentos/api/health", (c) => c.json({ ok: true, agents: opts.agents.map((a) => a.name) }));
 
   return app;
diff --git a/examples/computeragent-server.ts b/examples/computeragent-server.ts
index e1dfca2..945f841 100644
--- a/examples/computeragent-server.ts
+++ b/examples/computeragent-server.ts
@@ -592,6 +592,7 @@ interface SandboxBody {
   sessionId?: string;
   debug?: boolean;
   sessionStore?: { kind: string; options?: unknown };
+  policy?: { kind: "srs"; endpoint: string; apiKey: string; policyId: string; principalId: string };
   attachments?: Array<{ path: string; content: string; encoding?: "utf8" | "base64" }>;
   idleTtlMs?: number;
   ttlMs?: number;
@@ -1152,6 +1153,7 @@ export class ComputerAgentServer {
         ...(body.baseUrl ? { baseUrl: body.baseUrl } : {}),
         ...(body.debug ? { debug: true } : {}),
         ...(body.sessionStore ? { sessionStore: body.sessionStore as never } : {}),
+        ...(body.policy ? { policy: body.policy as never } : {}),
         ...(body.attachments && body.attachments.length > 0 ? { attachments: body.attachments } : {}),
       });
 
@@ -2276,12 +2278,13 @@ if (import.meta.url === `file://${process.argv[1]}`) {
     if (!process.env.MONGO_URL) {
       console.error("[slack-bot] SLACK_BOTS_ENABLED=1 but MONGO_URL not set — Slack thread map needs mongo; skipping");
     } else {
-      const [{ createSlackBotsApp, botsFromEnv }, { AgentLogStore }, { createAgentOSApp }, { ScheduleStore }, { startScheduler }] = await Promise.all([
+      const [{ createSlackBotsApp, botsFromEnv }, { AgentLogStore }, { createAgentOSApp }, { ScheduleStore }, { startScheduler }, { AgentPolicyStore }] = await Promise.all([
         import("./slack-bot.ts"),
         import("./agent-log-store.ts"),
         import("./agentos-api.ts"),
         import("./schedule-store.ts"),
         import("./scheduler.ts"),
+        import("./agent-policy-store.ts"),
       ]);
       const bots = botsFromEnv();
       if (bots.length === 0) {
@@ -2329,10 +2332,13 @@ if (import.meta.url === `file://${process.argv[1]}`) {
         if (anthropicEnvs) {
           // Claude Code — claude-agent-sdk on the same repo. Multi-turn via /sandboxes.
           if (!agentDefs.some((a) => a.name === "claude-code")) {
+            const claudeCodeModel = process.env.CLAUDE_CODE_MODEL;
+            const cEnvs: Record<string, string> = { ...anthropicEnvs };
+            if (claudeCodeModel) cEnvs.ANTHROPIC_MODEL = claudeCodeModel;
             agentDefs.push({
               name: "claude-code", label: "Claude Code", harness: "claude-agent-sdk",
-              source: generalAgentSource, model: undefined,
-              envs: { ...anthropicEnvs }, gitToken: githubToken,
+              source: generalAgentSource, model: claudeCodeModel,
+              envs: cEnvs, gitToken: githubToken,
             });
           }
           // Deep Agent — deepagents on the same repo. One-shot via /run.
@@ -2414,15 +2420,20 @@ if (import.meta.url === `file://${process.argv[1]}`) {
         } else {
           console.warn("[agentos] no LYZR proxy or ANTHROPIC_API_KEY — Claude Code / Deep Agent not registered");
         }
+        const onlyEnv = process.env.AGENTOS_AGENTS_ONLY;
+        const filteredAgentDefs = onlyEnv
+          ? agentDefs.filter((a) => onlyEnv.split(",").map((s) => s.trim()).includes(a.name))
+          : agentDefs;
         const scheduleStore = new ScheduleStore(mongoUrl, mongoDb);
-        const agentosApp = createAgentOSApp({ caBase, mongoUrl, mongoDb, agents: agentDefs, logStore, scheduleStore });
+        const policyStore = new AgentPolicyStore(mongoUrl, mongoDb);
+        const agentosApp = createAgentOSApp({ caBase, mongoUrl, mongoDb, agents: filteredAgentDefs, logStore, scheduleStore, policyStore });
         server.mount(agentosApp);
-        console.log("AgentOS control panel API: /agentos/api/* — agents:", agentDefs.map((a) => a.name).join(", "));
+        console.log("AgentOS control panel API: /agentos/api/* — agents:", filteredAgentDefs.map((a) => a.name).join(", "));
 
         // Scheduler — fires due agent schedules on a tick.
         const u = process.env.API_AUTH_USER, p = process.env.API_AUTH_PASS;
         const authHeader = (u && p) ? { authorization: "Basic " + Buffer.from(`${u}:${p}`).toString("base64") } : {};
-        startScheduler({ caBase, authHeader, store: scheduleStore, logStore, agents: agentDefs });
+        startScheduler({ caBase, authHeader, store: scheduleStore, logStore, agents: filteredAgentDefs });
       }
     }
   }
diff --git a/examples/slack-bot.ts b/examples/slack-bot.ts
index a98a3d5..9a87dec 100644
--- a/examples/slack-bot.ts
+++ b/examples/slack-bot.ts
@@ -404,11 +404,23 @@ export interface AgentRuntimeSpec {
  * session store, S3 auto-save, TTLs) so the Slack flow and the AgentOS web console
  * create identically-configured sandboxes. Secrets stay server-side.
  */
-export function sandboxBodyForBot(bot: AgentRuntimeSpec, sessionId: string): Record<string, unknown> {
+export interface SandboxPolicySpec {
+  readonly kind: "srs";
+  readonly endpoint: string;
+  readonly apiKey: string;
+  readonly policyId: string;
+  readonly principalId: string;
+}
+
+export function sandboxBodyForBot(
+  bot: AgentRuntimeSpec,
+  sessionId: string,
+  policy?: SandboxPolicySpec,
+): Record<string, unknown> {
   const body: Record<string, unknown> = {
     source: bot.source,
     harness: bot.harness,
-    runtime: "bwrap",
+    runtime: process.env.DEFAULT_SANDBOX_RUNTIME ?? "bwrap",
     options: { permissionMode: "bypassPermissions", settingSources: ["project"] },
     sessionId,
     sessionStore: { kind: "mongo" },
@@ -421,6 +433,7 @@ export function sandboxBodyForBot(bot: AgentRuntimeSpec, sessionId: string): Rec
   };
   if (bot.model) body.model = bot.model;
   if (bot.gitToken) body.gitToken = bot.gitToken;
+  if (policy) body.policy = policy;
   return body;
 }
 
diff --git a/packages/engine-claude-agent-sdk/src/engine.ts b/packages/engine-claude-agent-sdk/src/engine.ts
index db0656b..e47e640 100644
--- a/packages/engine-claude-agent-sdk/src/engine.ts
+++ b/packages/engine-claude-agent-sdk/src/engine.ts
@@ -8,7 +8,7 @@ import type {
   UserMessage,
 } from "@computeragent/protocol";
 import { nopLogger } from "@computeragent/protocol";
-import { buildCanUseTool } from "./permission-bridge.js";
+import { buildCanUseTool, buildPreToolUseHook } from "./permission-bridge.js";
 import { deriveEngineUuid } from "./derive-uuid.js";
 
 const CAPABILITIES: EngineCapabilities = {
@@ -106,6 +106,14 @@ export class ClaudeAgentEngine implements EngineDriver<ClaudeAgentOptions> {
       includePartialMessages: true,
       abortController,
       canUseTool: buildCanUseTool(ctx.onPermissionRequest),
+      // PreToolUse hook — fires even in bypassPermissions mode (where canUseTool
+      // is skipped) and its deny overrides any other permission decision. The
+      // harness routes this to its policy decider; without one, the hook
+      // returns allow and falls through to canUseTool / the default flow.
+      hooks: {
+        ...((ctx.options as { hooks?: ClaudeAgentOptions["hooks"] }).hooks ?? {}),
+        PreToolUse: [{ hooks: [buildPreToolUseHook(ctx.onPermissionRequest)] }],
+      },
       ...(ctx.budget?.maxUsd !== undefined ? { maxBudgetUsd: ctx.budget.maxUsd } : {}),
       ...storeOpts,
     };
diff --git a/packages/engine-claude-agent-sdk/src/permission-bridge.ts b/packages/engine-claude-agent-sdk/src/permission-bridge.ts
index 18cc911..40e2e2c 100644
--- a/packages/engine-claude-agent-sdk/src/permission-bridge.ts
+++ b/packages/engine-claude-agent-sdk/src/permission-bridge.ts
@@ -1,4 +1,4 @@
-import type { CanUseTool, PermissionResult } from "@anthropic-ai/claude-agent-sdk";
+import type { CanUseTool, HookCallback, PermissionResult } from "@anthropic-ai/claude-agent-sdk";
 import type { PermissionRequest } from "@computeragent/protocol";
 import { classifyRisk } from "./risk.js";
 
@@ -19,6 +19,43 @@ export function buildCanUseTool(
   };
 }
 
+/**
+ * PreToolUse hook bridge — fires for every tool call regardless of
+ * permissionMode (canUseTool is skipped in bypassPermissions, but
+ * PreToolUse hooks always run and their deny overrides canUseTool).
+ *
+ * The same `onPermissionRequest` callback is reused — the harness uses
+ * it for policy enforcement (SrsPolicyDecider gates here in
+ * bypassPermissions sandboxes).
+ */
+export function buildPreToolUseHook(
+  onPermissionRequest: (req: PermissionRequest) => Promise<PermissionResult>,
+): HookCallback {
+  return async (input, toolUseID) => {
+    if (input.hook_event_name !== "PreToolUse") return {};
+    const callId = toolUseID ?? `call_${cryptoRandomId()}`;
+    const toolName = input.tool_name;
+    const toolInput = input.tool_input;
+    const risk = classifyRisk(toolName, toolInput);
+    const decision = await onPermissionRequest({ callId, toolName, input: toolInput, risk });
+    if (decision.behavior === "deny") {
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: decision.message ?? "denied by policy",
+        },
+      };
+    }
+    return {
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "allow",
+      },
+    };
+  };
+}
+
 function cryptoRandomId(): string {
   return Math.random().toString(36).slice(2, 10);
 }
diff --git a/packages/harness-server/src/services/create-session.ts b/packages/harness-server/src/services/create-session.ts
index 75172ee..784c760 100644
--- a/packages/harness-server/src/services/create-session.ts
+++ b/packages/harness-server/src/services/create-session.ts
@@ -4,6 +4,7 @@ import { join } from "node:path";
 import { randomUUID } from "node:crypto";
 import type { Attachment, CreateSessionBody } from "@computeragent/protocol";
 import { Session } from "../session.js";
+import { SrsPolicyDecider } from "./srs-policy-decider.js";
 import { SessionRegistry } from "../registry.js";
 import { BadRequest } from "../error-mapper.js";
 import { PathEscapeError } from "../path-jail.js";
@@ -63,6 +64,18 @@ export async function createSession(
     ? wrapValidatingStore(rawStore)
     : rawStore;
 
+  // Build a policy decider from wire-side config. Only "srs" is supported
+  // today — extend by branching on body.policy.kind here.
+  const policyDecider = body.policy
+    ? new SrsPolicyDecider({
+        kind: "srs",
+        endpoint: body.policy.endpoint,
+        apiKey: body.policy.apiKey,
+        policyId: body.policy.policyId,
+        principalId: body.policy.principalId,
+      })
+    : undefined;
+
   const session = new Session(
     sessionId,
     body.engine,
@@ -76,6 +89,7 @@ export async function createSession(
     1000,
     deps.auditSink,
     sessionStore,
+    policyDecider,
   );
 
   // Initial messages from the body get enqueued immediately. The engine sees them
diff --git a/packages/harness-server/src/services/run-session.ts b/packages/harness-server/src/services/run-session.ts
index 0d9c158..89095de 100644
--- a/packages/harness-server/src/services/run-session.ts
+++ b/packages/harness-server/src/services/run-session.ts
@@ -1,4 +1,4 @@
-import type { EngineDriver, HarnessEvent, Logger } from "@computeragent/protocol";
+import type { EngineDriver, HarnessEvent, Logger, PermissionResult } from "@computeragent/protocol";
 import { nopLogger } from "@computeragent/protocol";
 import type { Session } from "../session.js";
 import { EventChannel } from "../event-channel.js";
@@ -64,6 +64,42 @@ export async function runSession(
             toolName: req.toolName,
             risk: req.risk,
           });
+          // Policy gate — if bound, consult before SSE round-trip. Deny short-circuits
+          // with a behavior:"deny" PermissionResult; allow short-circuits with allow
+          // (skip the SSE event entirely, no client mediation needed).
+          if (session.policyDecider) {
+            try {
+              const decision = await session.policyDecider.evaluate({
+                agentName: session.identity.name,
+                sessionId: session.sessionId,
+                toolName: req.toolName,
+                toolArgs: (req.input as Record<string, unknown>) ?? {},
+                principalId: session.identity.name,
+              });
+              logger.info("session.policy_decision", {
+                sessionId: session.sessionId,
+                callId: req.callId,
+                toolName: req.toolName,
+                allowed: decision.allowed,
+                deniedBy: decision.deniedBy,
+              });
+              if (!decision.allowed) {
+                return {
+                  behavior: "deny",
+                  message: decision.reason ?? `policy denied (${decision.deniedBy ?? "policy"})`,
+                  interrupt: true,
+                } as PermissionResult;
+              }
+              return { behavior: "allow", updatedInput: (req.input as Record<string, unknown>) ?? {} } as PermissionResult;
+            } catch (err) {
+              logger.warn("session.policy_error", { sessionId: session.sessionId, error: (err as Error).message });
+              return {
+                behavior: "deny",
+                message: `policy decider error: ${(err as Error).message}`,
+                interrupt: true,
+              } as PermissionResult;
+            }
+          }
           channel.push({
             kind: "ca_permission_request",
             sessionId: session.sessionId,
diff --git a/packages/harness-server/src/services/srs-policy-decider.ts b/packages/harness-server/src/services/srs-policy-decider.ts
new file mode 100644
index 0000000..958fe05
--- /dev/null
+++ b/packages/harness-server/src/services/srs-policy-decider.ts
@@ -0,0 +1,97 @@
+import type {
+  PolicyDecider,
+  PolicyDecision,
+  SrsPolicyConfig,
+  ToolCallContext,
+} from "@computeragent/protocol";
+
+/**
+ * SrsPolicyDecider — calls Lyzr SRS to gate tool calls.
+ *
+ * Fetches the RAI policy once (GET /v1/rai/policies/{policy_id}), caches
+ * the cedar_guardrail + opa_guardrail subsections, and on every evaluate()
+ * POSTs to /v1/guardrails/evaluate-tool-call with the cached configs +
+ * tool_name + tool_args + principal_id.
+ *
+ * The SRS endpoint takes inline guardrail configs (not policy_id) today —
+ * caching the once-fetched policy keeps every tool call to one round-trip.
+ * If SRS later ships a policy_id-aware tool-call endpoint, this class
+ * swaps its body without changing PolicyDecider's public shape.
+ *
+ * Failure policy: if SRS returns 5xx or times out, default DENY. Caller can
+ * change this by wrapping in a permissive decider; the default here is
+ * fail-closed because a guardrail outage shouldn't silently disable
+ * enforcement.
+ */
+export class SrsPolicyDecider implements PolicyDecider {
+  private readonly endpoint: string;
+  private readonly apiKey: string;
+  private readonly policyId: string;
+  private readonly principalId: string;
+  private policyCache: { cedar?: unknown; opa?: unknown } | null = null;
+  private cachePromise: Promise<void> | null = null;
+
+  constructor(cfg: SrsPolicyConfig) {
+    this.endpoint = cfg.endpoint.replace(/\/+$/, "");
+    this.apiKey = cfg.apiKey;
+    this.policyId = cfg.policyId;
+    this.principalId = cfg.principalId;
+  }
+
+  private async loadPolicy(): Promise<void> {
+    if (this.policyCache) return;
+    if (this.cachePromise) return this.cachePromise;
+    this.cachePromise = (async () => {
+      const r = await fetch(`${this.endpoint}/v1/rai/policies/${encodeURIComponent(this.policyId)}`, {
+        headers: { "x-api-key": this.apiKey },
+      });
+      if (!r.ok) {
+        const text = await r.text().catch(() => "");
+        throw new Error(`SRS policy fetch failed (${r.status}): ${text.slice(0, 200)}`);
+      }
+      const doc = await r.json() as { cedar_guardrail?: unknown; opa_guardrail?: unknown };
+      this.policyCache = { cedar: doc.cedar_guardrail, opa: doc.opa_guardrail };
+    })();
+    try {
+      await this.cachePromise;
+    } finally {
+      this.cachePromise = null;
+    }
+  }
+
+  async evaluate(ctx: ToolCallContext): Promise<PolicyDecision> {
+    try {
+      await this.loadPolicy();
+    } catch (err) {
+      return { allowed: false, deniedBy: "srs", reason: `policy load failed: ${(err as Error).message}` };
+    }
+    const body = {
+      cedar_guardrail: this.policyCache?.cedar ?? undefined,
+      opa_guardrail: this.policyCache?.opa ?? undefined,
+      tool_name: ctx.toolName,
+      tool_args: ctx.toolArgs,
+      principal_id: this.principalId,
+      bundle_id: ctx.agentName,
+      bundle_name: ctx.agentName,
+    };
+    try {
+      const r = await fetch(`${this.endpoint}/v1/guardrails/evaluate-tool-call`, {
+        method: "POST",
+        headers: { "content-type": "application/json", "x-api-key": this.apiKey },
+        body: JSON.stringify(body),
+      });
+      if (!r.ok) {
+        const text = await r.text().catch(() => "");
+        return { allowed: false, deniedBy: "srs", reason: `SRS ${r.status}: ${text.slice(0, 200)}` };
+      }
+      const out = await r.json() as { allowed?: boolean; denied_by?: string; reason?: string };
+      return {
+        allowed: !!out.allowed,
+        ...(out.denied_by ? { deniedBy: out.denied_by } : {}),
+        ...(out.reason ? { reason: out.reason } : {}),
+      };
+    } catch (err) {
+      return { allowed: false, deniedBy: "srs", reason: `SRS unreachable: ${(err as Error).message}` };
+    }
+  }
+}
diff --git a/packages/harness-server/src/session.ts b/packages/harness-server/src/session.ts
index dbc035c..23f1cda 100644
--- a/packages/harness-server/src/session.ts
+++ b/packages/harness-server/src/session.ts
@@ -3,6 +3,7 @@ import type {
   HarnessEvent,
   PermissionRequest,
   PermissionResult,
+  PolicyDecider,
   SessionStore,
   UserMessage,
 } from "@computeragent/protocol";
@@ -57,6 +58,7 @@ export class Session {
     replayBufferSize: number = 1000,
     private readonly auditSink?: AuditSink,
     readonly sessionStore?: SessionStore,
+    readonly policyDecider?: PolicyDecider,
   ) {
     this.events = new ReplayBuffer<HarnessEvent>(replayBufferSize);
   }
diff --git a/packages/protocol/src/harness-rest.ts b/packages/protocol/src/harness-rest.ts
index 7543c51..05491ad 100644
--- a/packages/protocol/src/harness-rest.ts
+++ b/packages/protocol/src/harness-rest.ts
@@ -75,6 +75,21 @@ export const CreateSessionBody = z.object({
    * config overlays per request.
    */
   attachments: z.array(Attachment).optional(),
+  /**
+   * Optional per-session policy decider config. When set, the harness
+   * builds the matching decider (e.g. SrsPolicyDecider) and gates every
+   * tool call through it. Deny short-circuits the engine's permission
+   * request with `behavior: "deny"` — no SSE round-trip to a client.
+   *
+   * Currently supported: `{ kind: "srs", endpoint, apiKey, policyId, principalId }`.
+   */
+  policy: z.object({
+    kind: z.literal("srs"),
+    endpoint: z.string().min(1),
+    apiKey: z.string().min(1),
+    policyId: z.string().min(1),
+    principalId: z.string().min(1),
+  }).optional(),
 });
 export type CreateSessionBody = z.infer<typeof CreateSessionBody>;
 
diff --git a/packages/protocol/src/index.ts b/packages/protocol/src/index.ts
index a0e0f82..e3954e7 100644
--- a/packages/protocol/src/index.ts
+++ b/packages/protocol/src/index.ts
@@ -4,6 +4,7 @@ export * from "./identity-source.js";
 export * from "./harness-rest.js";
 export * from "./sse-events.js";
 export * from "./contracts.js";
+export * from "./policy.js";
 export { SessionStoreConfig } from "./session-store-config.js";
 export { TaskStoreConfig } from "./task-store.js";
 export type {
diff --git a/packages/protocol/src/policy.ts b/packages/protocol/src/policy.ts
new file mode 100644
index 0000000..6e78348
--- /dev/null
+++ b/packages/protocol/src/policy.ts
@@ -0,0 +1,62 @@
+/**
+ * Policy abstraction — engine-agnostic per-tool-call authorization.
+ *
+ * Inspired by Lyzr SRS's `/v1/guardrails/evaluate-tool-call`: one universal
+ * tool-call shape, one allow/deny decision, no engine-specific knowledge.
+ * Implementations bridge to the actual enforcement engine (Cedar/OPA via
+ * SRS, or local impls).
+ *
+ * The harness runs the decider INSIDE the per-session permission wrapper
+ * (see harness-server/services/run-session.ts). If the decider says deny,
+ * the harness returns a deny PermissionResult to the engine immediately —
+ * no SSE round-trip to a client. If it says allow, the harness short-circuits
+ * the round-trip and resolves the permission as allow.
+ */
+
+/** What the harness hands to the decider for each tool call. */
+export interface ToolCallContext {
+  /** Stable agent identifier (e.g. "claude-code", "gitagent"). */
+  readonly agentName: string;
+  /** Session this tool call belongs to. */
+  readonly sessionId: string;
+  /** Tool the engine wants to invoke (e.g. "Bash", "Read", "Write"). */
+  readonly toolName: string;
+  /** Tool input the engine wants to invoke it with. */
+  readonly toolArgs: Record<string, unknown>;
+  /** Caller identity passed to the policy engine — forwarded for audit. */
+  readonly principalId: string;
+}
+
+/** What the decider returns to the harness. */
+export interface PolicyDecision {
+  readonly allowed: boolean;
+  /** Which sub-engine produced the deny (e.g. "cedar", "opa", "srs"). */
+  readonly deniedBy?: string;
+  /** Human-readable reason — surfaced to the engine and audit log. */
+  readonly reason?: string;
+}
+
+/** Engine-agnostic policy contract. One method, sync/async indifferent. */
+export interface PolicyDecider {
+  evaluate(ctx: ToolCallContext): Promise<PolicyDecision>;
+}
+
+/**
+ * Wire-side policy config carried on session-create requests. The harness
+ * builds the right decider from `kind`.
+ *
+ *   { kind: "srs", endpoint: "...", apiKey: "...", policyId: "...", principalId: "..." }
+ */
+export type PolicyConfig = SrsPolicyConfig;
+
+export interface SrsPolicyConfig {
+  readonly kind: "srs";
+  /** SRS base URL — e.g. "https://srs-dev.test.studio.lyzr.ai". */
+  readonly endpoint: string;
+  /** x-api-key for SRS. Never leaves the harness. */
+  readonly apiKey: string;
+  /** RAI policy_id whose cedar_guardrail + opa_guardrail to apply. */
+  readonly policyId: string;
+  /** Forwarded to SRS as the `principal_id` for audit. */
+  readonly principalId: string;
+}
diff --git a/packages/sdk/src/computer-agent.ts b/packages/sdk/src/computer-agent.ts
index 4b0f6e3..c784104 100644
--- a/packages/sdk/src/computer-agent.ts
+++ b/packages/sdk/src/computer-agent.ts
@@ -361,6 +361,7 @@ export class ComputerAgent {
     if (this.effectiveOptions) body.options = this.effectiveOptions;
     if (this.opts.sessionId) body.sessionId = this.opts.sessionId;
     if (this.opts.sessionStore) body.sessionStore = this.opts.sessionStore;
+    if (this.opts.policy) body.policy = this.opts.policy;
     if (this.opts.attachments && this.opts.attachments.length > 0) {
       body.attachments = this.opts.attachments;
     }
diff --git a/packages/sdk/src/types.ts b/packages/sdk/src/types.ts
index 789bede..94bce81 100644
--- a/packages/sdk/src/types.ts
+++ b/packages/sdk/src/types.ts
@@ -142,6 +142,20 @@ export interface ComputerAgentOptions {
    *   ]
    */
   readonly attachments?: readonly Attachment[];
+  /**
+   * Optional per-session policy decider config. When set, the harness
+   * builds the matching decider (today: SrsPolicyDecider) and gates every
+   * tool call through it. Engine-agnostic; works for any harness that
+   * routes tool calls through onPermissionRequest (claude-agent-sdk via
+   * PreToolUse hook, gitagent via preToolUse).
+   */
+  readonly policy?: {
+    readonly kind: "srs";
+    readonly endpoint: string;
+    readonly apiKey: string;
+    readonly policyId: string;
+    readonly principalId: string;
+  };
   /**
    * When true, sets `COMPUTERAGENT_LOG=debug` in the harness env (forcing
    * every engine + framework log line to surface) and emits one client-side

From 0427ad097cf7e8c8910eca8952a55072e750711d Mon Sep 17 00:00:00 2001
From: Khush Patel <khush@lyzr.ai>
Date: Thu, 28 May 2026 18:08:50 +0530
Subject: [PATCH 3/3] chore(runtime-local): rebuild harness bundle with policy
 code

The bundle is tracked; source-only commits leave it stale. Regenerate
so the runtime actually contains SrsPolicyDecider + run-session's
policy gate + claude-agent-sdk's PreToolUse hook.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../runtime-local/assets/harness-bundle.mjs   | 287 ++++++++++--------
 1 file changed, 165 insertions(+), 122 deletions(-)

diff --git a/packages/runtime-local/assets/harness-bundle.mjs b/packages/runtime-local/assets/harness-bundle.mjs
index 65c0d95..8f140e3 100644
--- a/packages/runtime-local/assets/harness-bundle.mjs
+++ b/packages/runtime-local/assets/harness-bundle.mjs
@@ -11279,7 +11279,7 @@ function finalize(ctx, schema) {
     result.$schema = "http://json-schema.org/draft-07/schema#";
   } else if (ctx.target === "draft-04") {
     result.$schema = "http://json-schema.org/draft-04/schema#";
-  } else if (ctx.target === "openapi-3.0") {} else {}
+  } else if (ctx.target === "openapi-3.0") {}
   if (ctx.external?.uri) {
     const id = ctx.external.registry.get(schema)?.id;
     if (!id)
@@ -11540,7 +11540,7 @@ var formatMap, stringProcessor = (schema, ctx, _json, _params) => {
     if (val === undefined) {
       if (ctx.unrepresentable === "throw") {
         throw new Error("Literal `undefined` cannot be represented in JSON Schema");
-      } else {}
+      }
     } else if (typeof val === "bigint") {
       if (ctx.unrepresentable === "throw") {
         throw new Error("BigInt literals cannot be represented in JSON Schema");
@@ -121173,7 +121173,7 @@ class JSONSchemaGenerator2 {
               if (val === undefined) {
                 if (this.unrepresentable === "throw") {
                   throw new Error("Literal `undefined` cannot be represented in JSON Schema");
-                } else {}
+                }
               } else if (typeof val === "bigint") {
                 if (this.unrepresentable === "throw") {
                   throw new Error("BigInt literals cannot be represented in JSON Schema");
@@ -129586,115 +129586,6 @@ var require_browser = __commonJS((exports, module) => {
   };
 });
 
-// ../../../node_modules/has-flag/index.js
-var require_has_flag = __commonJS((exports, module) => {
-  module.exports = (flag, argv = process.argv) => {
-    const prefix = flag.startsWith("-") ? "" : flag.length === 1 ? "-" : "--";
-    const position = argv.indexOf(prefix + flag);
-    const terminatorPosition = argv.indexOf("--");
-    return position !== -1 && (terminatorPosition === -1 || position < terminatorPosition);
-  };
-});
-
-// ../../../node_modules/supports-color/index.js
-var require_supports_color = __commonJS((exports, module) => {
-  var os2 = __require("os");
-  var tty = __require("tty");
-  var hasFlag = require_has_flag();
-  var { env: env2 } = process;
-  var forceColor;
-  if (hasFlag("no-color") || hasFlag("no-colors") || hasFlag("color=false") || hasFlag("color=never")) {
-    forceColor = 0;
-  } else if (hasFlag("color") || hasFlag("colors") || hasFlag("color=true") || hasFlag("color=always")) {
-    forceColor = 1;
-  }
-  if ("FORCE_COLOR" in env2) {
-    if (env2.FORCE_COLOR === "true") {
-      forceColor = 1;
-    } else if (env2.FORCE_COLOR === "false") {
-      forceColor = 0;
-    } else {
-      forceColor = env2.FORCE_COLOR.length === 0 ? 1 : Math.min(parseInt(env2.FORCE_COLOR, 10), 3);
-    }
-  }
-  function translateLevel(level) {
-    if (level === 0) {
-      return false;
-    }
-    return {
-      level,
-      hasBasic: true,
-      has256: level >= 2,
-      has16m: level >= 3
-    };
-  }
-  function supportsColor(haveStream, streamIsTTY) {
-    if (forceColor === 0) {
-      return 0;
-    }
-    if (hasFlag("color=16m") || hasFlag("color=full") || hasFlag("color=truecolor")) {
-      return 3;
-    }
-    if (hasFlag("color=256")) {
-      return 2;
-    }
-    if (haveStream && !streamIsTTY && forceColor === undefined) {
-      return 0;
-    }
-    const min = forceColor || 0;
-    if (env2.TERM === "dumb") {
-      return min;
-    }
-    if (process.platform === "win32") {
-      const osRelease = os2.release().split(".");
-      if (Number(osRelease[0]) >= 10 && Number(osRelease[2]) >= 10586) {
-        return Number(osRelease[2]) >= 14931 ? 3 : 2;
-      }
-      return 1;
-    }
-    if ("CI" in env2) {
-      if (["TRAVIS", "CIRCLECI", "APPVEYOR", "GITLAB_CI", "GITHUB_ACTIONS", "BUILDKITE"].some((sign) => (sign in env2)) || env2.CI_NAME === "codeship") {
-        return 1;
-      }
-      return min;
-    }
-    if ("TEAMCITY_VERSION" in env2) {
-      return /^(9\.(0*[1-9]\d*)\.|\d{2,}\.)/.test(env2.TEAMCITY_VERSION) ? 1 : 0;
-    }
-    if (env2.COLORTERM === "truecolor") {
-      return 3;
-    }
-    if ("TERM_PROGRAM" in env2) {
-      const version5 = parseInt((env2.TERM_PROGRAM_VERSION || "").split(".")[0], 10);
-      switch (env2.TERM_PROGRAM) {
-        case "iTerm.app":
-          return version5 >= 3 ? 3 : 2;
-        case "Apple_Terminal":
-          return 2;
-      }
-    }
-    if (/-256(color)?$/i.test(env2.TERM)) {
-      return 2;
-    }
-    if (/^screen|^xterm|^vt100|^vt220|^rxvt|color|ansi|cygwin|linux/i.test(env2.TERM)) {
-      return 1;
-    }
-    if ("COLORTERM" in env2) {
-      return 1;
-    }
-    return min;
-  }
-  function getSupportLevel(stream2) {
-    const level = supportsColor(stream2, stream2 && stream2.isTTY);
-    return translateLevel(level);
-  }
-  module.exports = {
-    supportsColor: getSupportLevel,
-    stdout: translateLevel(supportsColor(true, tty.isatty(1))),
-    stderr: translateLevel(supportsColor(true, tty.isatty(2)))
-  };
-});
-
 // ../../node_modules/.pnpm/debug@4.4.3/node_modules/debug/src/node.js
 var require_node = __commonJS((exports, module) => {
   var tty = __require("tty");
@@ -129708,7 +129599,7 @@ var require_node = __commonJS((exports, module) => {
   exports.destroy = util5.deprecate(() => {}, "Instance method `debug.destroy()` is deprecated and no longer does anything. It will be removed in the next major version of `debug`.");
   exports.colors = [6, 2, 3, 4, 5, 1];
   try {
-    const supportsColor = require_supports_color();
+    const supportsColor = (()=>{throw new Error("Cannot require module "+"supports-color");})();
     if (supportsColor && (supportsColor.stderr || supportsColor).level >= 2) {
       exports.colors = [
         20,
@@ -146161,7 +146052,7 @@ function determineRequestsReferrer(request, { referrerURLCallback, referrerOrigi
   if (request.referrer === "no-referrer" || request.referrerPolicy === "") {
     return null;
   }
-  const policy = request.referrerPolicy;
+  const policy2 = request.referrerPolicy;
   if (request.referrer === "about:client") {
     return "no-referrer";
   }
@@ -146178,7 +146069,7 @@ function determineRequestsReferrer(request, { referrerURLCallback, referrerOrigi
     referrerOrigin = referrerOriginCallback(referrerOrigin);
   }
   const currentURL = new URL(request.url);
-  switch (policy) {
+  switch (policy2) {
     case "no-referrer":
       return "no-referrer";
     case "origin":
@@ -146214,18 +146105,18 @@ function determineRequestsReferrer(request, { referrerURLCallback, referrerOrigi
       }
       return referrerURL;
     default:
-      throw new TypeError(`Invalid referrerPolicy: ${policy}`);
+      throw new TypeError(`Invalid referrerPolicy: ${policy2}`);
   }
 }
 function parseReferrerPolicyFromHeader(headers) {
   const policyTokens = (headers.get("referrer-policy") || "").split(/[,\s]+/);
-  let policy = "";
+  let policy2 = "";
   for (const token of policyTokens) {
     if (token && ReferrerPolicy.has(token)) {
-      policy = token;
+      policy2 = token;
     }
   }
-  return policy;
+  return policy2;
 }
 var ReferrerPolicy, DEFAULT_REFERRER_POLICY = "strict-origin-when-cross-origin";
 var init_referrer = __esm(() => {
@@ -173324,7 +173215,14 @@ var CreateSessionBody = exports_external.object({
   options: exports_external.record(exports_external.string(), exports_external.unknown()).optional(),
   streamingInput: exports_external.boolean().optional(),
   sessionStore: SessionStoreConfig.optional(),
-  attachments: exports_external.array(Attachment).optional()
+  attachments: exports_external.array(Attachment).optional(),
+  policy: exports_external.object({
+    kind: exports_external.literal("srs"),
+    endpoint: exports_external.string().min(1),
+    apiKey: exports_external.string().min(1),
+    policyId: exports_external.string().min(1),
+    principalId: exports_external.string().min(1)
+  }).optional()
 });
 var CreateSessionResponse = exports_external.object({
   sessionId: exports_external.string(),
@@ -173806,6 +173704,7 @@ class Session {
   cleanup;
   auditSink;
   sessionStore;
+  policyDecider;
   status = "pending";
   userQueue = [];
   userResolvers = [];
@@ -173814,7 +173713,7 @@ class Session {
   engineStarted = false;
   abortController = new AbortController;
   events;
-  constructor(sessionId, engineName, loaderName, workdir, engineOptions, envs, capabilities, identity, cleanup, replayBufferSize = 1000, auditSink, sessionStore) {
+  constructor(sessionId, engineName, loaderName, workdir, engineOptions, envs, capabilities, identity, cleanup, replayBufferSize = 1000, auditSink, sessionStore, policyDecider) {
     this.sessionId = sessionId;
     this.engineName = engineName;
     this.loaderName = loaderName;
@@ -173826,6 +173725,7 @@ class Session {
     this.cleanup = cleanup;
     this.auditSink = auditSink;
     this.sessionStore = sessionStore;
+    this.policyDecider = policyDecider;
     this.events = new ReplayBuffer(replayBufferSize);
   }
   claimEngineStart() {
@@ -173917,6 +173817,79 @@ class Session {
   }
 }
 
+// ../harness-server/dist/services/srs-policy-decider.js
+class SrsPolicyDecider {
+  endpoint;
+  apiKey;
+  policyId;
+  principalId;
+  policyCache = null;
+  cachePromise = null;
+  constructor(cfg) {
+    this.endpoint = cfg.endpoint.replace(/\/+$/, "");
+    this.apiKey = cfg.apiKey;
+    this.policyId = cfg.policyId;
+    this.principalId = cfg.principalId;
+  }
+  async loadPolicy() {
+    if (this.policyCache)
+      return;
+    if (this.cachePromise)
+      return this.cachePromise;
+    this.cachePromise = (async () => {
+      const r = await fetch(`${this.endpoint}/v1/rai/policies/${encodeURIComponent(this.policyId)}`, {
+        headers: { "x-api-key": this.apiKey }
+      });
+      if (!r.ok) {
+        const text = await r.text().catch(() => "");
+        throw new Error(`SRS policy fetch failed (${r.status}): ${text.slice(0, 200)}`);
+      }
+      const doc2 = await r.json();
+      this.policyCache = { cedar: doc2.cedar_guardrail, opa: doc2.opa_guardrail };
+    })();
+    try {
+      await this.cachePromise;
+    } finally {
+      this.cachePromise = null;
+    }
+  }
+  async evaluate(ctx) {
+    try {
+      await this.loadPolicy();
+    } catch (err) {
+      return { allowed: false, deniedBy: "srs", reason: `policy load failed: ${err.message}` };
+    }
+    const body = {
+      cedar_guardrail: this.policyCache?.cedar ?? undefined,
+      opa_guardrail: this.policyCache?.opa ?? undefined,
+      tool_name: ctx.toolName,
+      tool_args: ctx.toolArgs,
+      principal_id: this.principalId,
+      bundle_id: ctx.agentName,
+      bundle_name: ctx.agentName
+    };
+    try {
+      const r = await fetch(`${this.endpoint}/v1/guardrails/evaluate-tool-call`, {
+        method: "POST",
+        headers: { "content-type": "application/json", "x-api-key": this.apiKey },
+        body: JSON.stringify(body)
+      });
+      if (!r.ok) {
+        const text = await r.text().catch(() => "");
+        return { allowed: false, deniedBy: "srs", reason: `SRS ${r.status}: ${text.slice(0, 200)}` };
+      }
+      const out = await r.json();
+      return {
+        allowed: !!out.allowed,
+        ...out.denied_by ? { deniedBy: out.denied_by } : {},
+        ...out.reason ? { reason: out.reason } : {}
+      };
+    } catch (err) {
+      return { allowed: false, deniedBy: "srs", reason: `SRS unreachable: ${err.message}` };
+    }
+  }
+}
+
 // ../harness-server/dist/path-jail.js
 import { realpath } from "node:fs/promises";
 import { isAbsolute, normalize, resolve, sep } from "node:path";
@@ -174139,7 +174112,14 @@ async function createSession(deps, registry2, body) {
   const final = result.harden ? result.harden(merged) : merged;
   const rawStore = body.sessionStore ? resolveStore(deps.sessionStores, body.sessionStore) : undefined;
   const sessionStore = rawStore && deps.validateStoreEntries ? wrapValidatingStore(rawStore) : rawStore;
-  const session = new Session(sessionId, body.engine, body.identity.loader, workdir, final, body.envs ?? {}, engine.capabilities, result.metadata, result.cleanup, 1000, deps.auditSink, sessionStore);
+  const policyDecider = body.policy ? new SrsPolicyDecider({
+    kind: "srs",
+    endpoint: body.policy.endpoint,
+    apiKey: body.policy.apiKey,
+    policyId: body.policy.policyId,
+    principalId: body.policy.principalId
+  }) : undefined;
+  const session = new Session(sessionId, body.engine, body.identity.loader, workdir, final, body.envs ?? {}, engine.capabilities, result.metadata, result.cleanup, 1000, deps.auditSink, sessionStore, policyDecider);
   if (body.messages) {
     for (const m of body.messages)
       session.pushUserMessage(m);
@@ -174444,6 +174424,39 @@ async function runSession(engine, session, logger = nopLogger) {
             toolName: req.toolName,
             risk: req.risk
           });
+          if (session.policyDecider) {
+            try {
+              const decision = await session.policyDecider.evaluate({
+                agentName: session.identity.name,
+                sessionId: session.sessionId,
+                toolName: req.toolName,
+                toolArgs: req.input ?? {},
+                principalId: session.identity.name
+              });
+              logger.info("session.policy_decision", {
+                sessionId: session.sessionId,
+                callId: req.callId,
+                toolName: req.toolName,
+                allowed: decision.allowed,
+                deniedBy: decision.deniedBy
+              });
+              if (!decision.allowed) {
+                return {
+                  behavior: "deny",
+                  message: decision.reason ?? `policy denied (${decision.deniedBy ?? "policy"})`,
+                  interrupt: true
+                };
+              }
+              return { behavior: "allow", updatedInput: req.input ?? {} };
+            } catch (err) {
+              logger.warn("session.policy_error", { sessionId: session.sessionId, error: err.message });
+              return {
+                behavior: "deny",
+                message: `policy decider error: ${err.message}`,
+                interrupt: true
+              };
+            }
+          }
           channel.push({
             kind: "ca_permission_request",
             sessionId: session.sessionId,
@@ -174949,6 +174962,32 @@ function buildCanUseTool(onPermissionRequest) {
     return onPermissionRequest({ callId, toolName, input, risk });
   };
 }
+function buildPreToolUseHook(onPermissionRequest) {
+  return async (input, toolUseID) => {
+    if (input.hook_event_name !== "PreToolUse")
+      return {};
+    const callId = toolUseID ?? `call_${cryptoRandomId()}`;
+    const toolName = input.tool_name;
+    const toolInput = input.tool_input;
+    const risk = classifyRisk(toolName, toolInput);
+    const decision = await onPermissionRequest({ callId, toolName, input: toolInput, risk });
+    if (decision.behavior === "deny") {
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: decision.message ?? "denied by policy"
+        }
+      };
+    }
+    return {
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "allow"
+      }
+    };
+  };
+}
 function cryptoRandomId() {
   return Math.random().toString(36).slice(2, 10);
 }
@@ -175091,6 +175130,10 @@ class ClaudeAgentEngine {
       includePartialMessages: true,
       abortController,
       canUseTool: buildCanUseTool(ctx.onPermissionRequest),
+      hooks: {
+        ...ctx.options.hooks ?? {},
+        PreToolUse: [{ hooks: [buildPreToolUseHook(ctx.onPermissionRequest)] }]
+      },
       ...ctx.budget?.maxUsd !== undefined ? { maxBudgetUsd: ctx.budget.maxUsd } : {},
       ...storeOpts
     };