Skip to main content
Note: This is a user-friendly guide to writing AIP policies. For the formal specification, see AIP v1alpha1.
Complete reference for AIP policy YAML files (agent.yaml).

Table of Contents

Overview

AIP policies are declarative YAML files that define what tools an agent can use and under what conditions. The policy is loaded at proxy startup and evaluated for every tools/call request. Design principle: Default deny. If a tool is not explicitly allowed, it’s blocked.

Schema

apiVersion: aip.io/v1alpha1
kind: AgentPolicy
metadata:
  name: string           # Policy identifier
  version: string        # Semantic version (optional)
  owner: string          # Contact email (optional)
  signature: string      # Policy signature (optional, v1alpha2)
spec:
  mode: enforce | monitor
  allowed_tools: [string]
  tool_rules: [ToolRule]
  dlp: DLPConfig
  identity: IdentityConfig # (optional, v1alpha2)
  server: ServerConfig     # (optional, v1alpha2)

Metadata

FieldTypeRequiredDescription
namestringYesUnique identifier for this policy
versionstringNoSemantic version (e.g., “1.0.0”)
ownerstringNoContact email for policy questions
signaturestringNoEd25519 signature for policy integrity (v1alpha2)
Example: 
metadata:
  name: code-review-agent
  version: "2.1.0"
  owner: [email protected]
  signature: "ed25519:YWJjZGVm..."

Spec Fields

mode

Controls whether policy violations are enforced or just logged.
ValueBehavior
enforceBlock violations, return JSON-RPC error (default)
monitorLog violations but allow through (dry-run)
spec:
  mode: enforce  # or "monitor"
Use case for monitor mode: Test new policies in production before enforcement.

allowed_tools

Allowlist of tool names that the agent can invoke. Tool names must exactly match what the MCP server reports. 
spec:
  allowed_tools:
    - github_get_repo
    - github_list_pulls
    - read_file
    - list_directory
Important: If a tool is not in this list AND not in tool_rules with action: allow, it will be blocked.

Tool Rules

Fine-grained control over individual tools. Each rule can specify an action and argument validation.

Structure

spec:
  tool_rules:
    - tool: string          # Tool name (required)
      action: string        # allow | block | ask (default: allow)
      allow_args: object    # Argument validation patterns
      rate_limit: string    # Rate limiting (e.g., "10/minute")
      schema_hash: string   # Tool schema integrity hash (v1alpha2)

Actions

ActionDescription
allowPermit the tool call (subject to allow_args validation)
blockDeny unconditionally
askPrompt user via native OS dialog for approval

Block Action

Explicitly deny a tool: 
tool_rules:
  - tool: github_delete_repo
    action: block
  
  - tool: exec_command
    action: block

Ask Action (Human-in-the-Loop)

Require user approval for sensitive operations: 
tool_rules:
  - tool: run_training
    action: ask
  
  - tool: deploy_production
    action: ask
When triggered:
  1. Native OS dialog appears: “Allow tool ‘run_training’?”
  2. User clicks “Allow” or “Deny”
  3. If no response in 60 seconds: auto-deny

Argument Validation

Use allow_args to validate tool arguments with regex patterns: 
tool_rules:
  - tool: exec_command
    action: ask
    allow_args:
      command: "^(ls|cat|echo|pwd)\\s.*"  # Only safe commands
  
  - tool: postgres_query
    action: allow
    allow_args:
      query: "^SELECT\\s+.*"  # Only SELECT, no INSERT/UPDATE/DELETE
Rules:
  • Regex must match the entire argument value (implicit ^...$)
  • If any allow_args pattern fails, the request is blocked
  • Arguments not in allow_args are not validated

Rate Limiting

Limit how often a tool can be called: 
tool_rules:
  - tool: list_gpus
    rate_limit: "10/minute"
  
  - tool: search_files
    rate_limit: "100/minute"
Format: <count>/<period> where period is second, minute, or hour. When rate limit is exceeded:
  • Request is blocked with JSON-RPC error code -32003
  • Audit log records RATE_LIMITED event

Identity Configuration (v1alpha2)

Configure agent identity and session management. 
spec:
  identity:
    enabled: true             # Enable identity management
    token_ttl: "10m"          # Token lifetime
    rotation_interval: "8m"   # Rotate before expiry
    require_token: true       # Enforce token presence
    session_binding: "strict" # Binding mode
    audience: "https://api.example.com" # Token audience

Fields

FieldTypeDefaultDescription
enabledboolfalseEnable identity features
token_ttlduration"5m"Token time-to-live
rotation_intervalduration"4m"When to rotate token
require_tokenboolfalseBlock requests without valid token
session_bindingstring"process"process, policy, or strict
audiencestringmetadata.nameToken audience URI

Session Binding Modes

ModeDescriptionUse Case
processBinds to OS process IDSingle-machine, local agents
policyBinds to policy hashDistributed agents sharing policy
strictBinds to process + policy + hostHigh security, non-ephemeral

Server Configuration (v1alpha2)

Configure the built-in HTTP server for remote validation. 
spec:
  server:
    enabled: true
    listen: "127.0.0.1:9443"
    failover_mode: "fail_closed"
    tls:
      cert: "/path/to/cert.pem"
      key: "/path/to/key.pem"

Fields

FieldTypeDefaultDescription
enabledboolfalseEnable HTTP server
listenstring"127.0.0.1:9443"Bind address
failover_modestring"fail_closed"fail_closed, fail_open, local_policy
timeoutduration"5s"Validation timeout

DLP Configuration

Data Loss Prevention scans tool responses for sensitive patterns and redacts matches.

Structure

spec:
  dlp:
    enabled: true          # Optional, true when dlp block present
    patterns:
      - name: string       # Rule name for audit log
        regex: string      # Regex pattern to match

Built-in Pattern Library

dlp:
  patterns:
    # API Keys
    - name: "AWS Key"
      regex: "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
    
    - name: "GitHub Token"
      regex: "ghp_[a-zA-Z0-9]{36}"
    
    - name: "Generic Secret"
      regex: "(?i)(api_key|secret|password)\\s*[:=]\\s*['\"]?([a-zA-Z0-9-_]+)['\"]?"
    
    # PII
    - name: "Email"
      regex: "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
    
    - name: "SSN"
      regex: "\\b\\d{3}-\\d{2}-\\d{4}\\b"
    
    - name: "Credit Card"
      regex: "\\b(?:\\d{4}[- ]?){3}\\d{4}\\b"
    
    # Secrets
    - name: "Private Key"
      regex: "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"

Redaction Output

Matched content is replaced with: [REDACTED:<RuleName>] 
Before: "Connect with: AKIAIOSFODNN7EXAMPLE"
After:  "Connect with: [REDACTED:AWS Key]"

Examples

Read-Only Policy

apiVersion: aip.io/v1alpha1
kind: AgentPolicy
metadata:
  name: read-only
spec:
  mode: enforce
  allowed_tools:
    - read_file
    - list_directory
    - search_files
  tool_rules:
    - tool: write_file
      action: block
    - tool: delete_file
      action: block

GPU/ML Policy

apiVersion: aip.io/v1alpha1
kind: AgentPolicy
metadata:
  name: gpu-policy
spec:
  mode: enforce
  allowed_tools:
    - list_gpus
    - get_gpu_metrics
  tool_rules:
    - tool: list_gpus
      rate_limit: "10/minute"
    - tool: run_training
      action: ask  # Interactive approval
    - tool: allocate_gpu
      action: ask

Prompt Injection Defense

apiVersion: aip.io/v1alpha1
kind: AgentPolicy
metadata:
  name: gemini-jack-defense
spec:
  mode: enforce
  allowed_tools:
    - read_file
    - search_code
  tool_rules:
    # Block all external communication
    - tool: send_email
      action: block
    - tool: post_slack
      action: block
    - tool: http_request
      action: block
    
    # Block file system writes
    - tool: write_file
      action: block
    - tool: exec_command
      action: block
  
  dlp:
    patterns:
      - name: "Exfil URL"
        regex: "https?://[a-zA-Z0-9.-]+\\.(ngrok|requestbin|pipedream)"

Monitor Mode (Testing)

apiVersion: aip.io/v1alpha1
kind: AgentPolicy
metadata:
  name: test-policy
spec:
  mode: monitor  # Log only, don't block
  allowed_tools:
    - list_files

Validation

Policy File Validation

AIP validates policies at startup. Common errors:
ErrorCauseFix
invalid apiVersionWrong API versionUse aip.io/v1alpha1
empty allowed_toolsNo tools specifiedAdd tools or tool_rules
invalid regex in allow_argsBad regex patternValidate regex syntax
invalid rate_limit formatWrong rate limit formatUse <N>/<period>
rotation_interval >= token_ttlRotation must happen before expiryReduce rotation_interval

Common Error Codes

CodeNameDescription
-32001ForbiddenTool not allowed
-32002Rate LimitedToo many requests
-32008Token RequiredMissing identity token (v1alpha2)
-32009Token InvalidExpired or invalid token (v1alpha2)
-32010Signature InvalidPolicy signature verification failed (v1alpha2)
-32013Schema MismatchTool definition changed (v1alpha2)

Testing Policies

  1. Dry run with monitor mode: 
    spec:
  mode: monitor
  2. Check audit logs: 
    cat aip-audit.jsonl | jq 'select(.violation == true)'
  3. Verbose logging: 
    ./aip --policy policy.yaml --target "..." --verbose

Best Practices

  1. Start restrictive: Begin with minimal allowed_tools, expand as needed
  2. Use monitor mode first: Test policies before enforcement
  3. Review audit logs: Regularly check for unexpected tool usage
  4. Version your policies: Use semantic versioning in metadata
  5. Document decisions: Add comments explaining why tools are blocked
  6. Separate policies per agent type: Different agents need different permissions