1 Purpose
A Policy Pack declares what an APAI-managed workspace allows and forbids. It applies to package installs, runtime actions, external sends, paid API calls, destructive operations, credential moves, and production deploys.
Policy Packs are loadable bundles. A workspace can apply multiple policy packs; the result is the intersection (most restrictive wins). Two examples in the seed registry:
- coding-safe-mode - no destructive ops, no force-push, no broad scans, no production deploys without approval.
- private-workspace-policy - no secrets in prompts, no external sends, no purchases without approval.
2 Example

```yaml
schema: apai.policy.v0.1
name: coding-safe-mode
version: 0.1.0
publisher: apai-official
summary: Safe coding-agent rules. Block destructive ops, force-push, broad scans, production deploys.
applies_to:
  - local-tool
  - cloud-sandbox
rules:
  - id: no-destructive-fs-ops
    action: block
    matches:
      tool_calls:
        - rm -rf
        - Remove-Item -Recurse -Force
        - DROP TABLE
    on_match: require_explicit_operator_approval
    message: "Destructive filesystem op detected. Operator must approve each."
  - id: no-force-push
    action: block
    matches:
      tool_calls:
        - "git push --force"
        - "git push -f"
    on_match: require_explicit_operator_approval
  - id: no-broad-scan
    action: warn
    matches:
      file_paths:
        - "/"
        - "C:\\"
        - "**/*"
    on_match: emit_warning_and_continue
  - id: no-production-deploy
    action: block
    matches:
      env_targets:
        - production
        - prod
        - main
    on_match: require_explicit_operator_approval
approvals:
  default_timeout_seconds: 60
  audit_log_required: true
```

3 Required fields
| Field | Type | Req | Description |
|---|---|---|---|
| schema | string | yes | Must be "apai.policy.v0.1" exactly. |
| name | string | yes | Policy slug. |
| version | string | yes | SemVer. |
| publisher | string | yes | Policy publisher. |
| summary | string | yes | One-sentence description. |
| applies_to | enum[] | yes | Which install modes the policy applies to: local-tool, cloud-sandbox, remote-connector. |
| rules | Rule[] | yes | Ordered list of rules. See §4. |
| approvals | object | no | Approval-flow tuning (timeout, audit log). |
4 Rule shape
| Field | Type | Req | Description |
|---|---|---|---|
| id | string | yes | Stable rule ID for audit logs. |
| action | enum | yes | block \| warn \| allow_with_log |
| matches | object | yes | Match conditions: tool_calls (string[]), file_paths (glob[]), env_targets (string[]), or any combination. |
| on_match | enum | yes | require_explicit_operator_approval \| emit_warning_and_continue \| block_silently \| log_and_continue |
| message | string | no | Human-readable message shown to operator on match. |
5 Composition
When a workspace applies multiple policy packs, rules merge by ID. Conflicting rules with the same ID across packs resolve to the most restrictive action: block beats warn beats allow_with_log.
Rules with different IDs all apply. There is no rule ordering precedence beyond block-wins.
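The merge described in this section, as an added example (not APAI's own code). It assumes packs are already parsed from YAML into dicts, that the winning rule on an ID collision is kept whole with ties going to the earlier pack, and that env_targets match exactly; the function names and the second pack are hypothetical.

```python
# §5 ordering: block beats warn beats allow_with_log.
SEVERITY = {"allow_with_log": 0, "warn": 1, "block": 2}

def compose(packs):
    """Merge the rules of several packs by rule id (most restrictive action wins)."""
    merged = {}
    for pack in packs:
        for rule in pack["rules"]:
            if rule["action"] not in SEVERITY:
                raise ValueError(f"{pack['name']}/{rule['id']}: unknown action {rule['action']!r}")
            kept = merged.get(rule["id"])
            # Assumption: the winning rule is kept whole (matches, on_match);
            # on equal severity the rule from the earlier pack stays.
            if kept is None or SEVERITY[rule["action"]] > SEVERITY[kept["action"]]:
                merged[rule["id"]] = rule
    return merged

def effective_action(merged, env_target):
    """Strictest action among merged rules naming env_target (exact match assumed)."""
    hits = [r["action"] for r in merged.values()
            if env_target in r["matches"].get("env_targets", [])]
    return max(hits, key=SEVERITY.get, default=None)

# Constructed sample packs, already parsed from YAML; only the fields used here.
SAFE_MODE = {"name": "coding-safe-mode", "rules": [
    {"id": "no-broad-scan", "action": "warn",
     "matches": {"file_paths": ["/", "**/*"]}, "on_match": "emit_warning_and_continue"},
    {"id": "no-production-deploy", "action": "block",
     "matches": {"env_targets": ["production", "prod", "main"]},
     "on_match": "require_explicit_operator_approval"},
]}
TEAM_PACK = {"name": "team-pack", "rules": [  # hypothetical second pack
    {"id": "no-broad-scan", "action": "block",
     "matches": {"file_paths": ["/"]}, "on_match": "block_silently"},
    {"id": "no-production-deploy", "action": "allow_with_log",
     "matches": {"env_targets": ["production"]}, "on_match": "log_and_continue"},
    {"id": "log-staging-deploy", "action": "allow_with_log",
     "matches": {"env_targets": ["staging"]}, "on_match": "log_and_continue"},
]}

if __name__ == "__main__":
    merged = compose([SAFE_MODE, TEAM_PACK])
    for rule_id, rule in merged.items():
        print(rule_id, "->", rule["action"])
    print("deploy to prod:", effective_action(merged, "prod"))
```

Under the keep-whole assumption the merged no-broad-scan rule carries only the stricter pack's match list; the spec states how actions resolve but not how matches or on_match combine.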
What this spec is NOT
- A firewall. Policy Packs gate AI agent actions inside APAI-aware runtimes. They do not block network traffic at the OS or network layer.
- Cryptographically enforced. A determined agent acting outside an APAI runtime can ignore the policy. The policy enforces what APAI-compatible agents will refuse to do unprompted.
- A replacement for the principle of least privilege at the system level. Policy Packs are a layer on top of OS-level permissions, not a substitute.