Runtime Governance

POLICY ENFORCEMENT

Define rules in YAML. Enforce them in real time. Every agent action is evaluated against your policies in under 5ms. Allow, deny, or require approval.

<5ms Evaluation Latency
95%+ Cache Hit Ratio
OPA-Powered Engine

YAML rules. Version controlled. Human readable.

Define governance policies in YAML for version control in git. TypeScript evaluation for dynamic rules. OPA/Rego for formal policy specifications. Pre-built templates for financial controls, data export restrictions, operating hours, and rate limiting.

name: "Financial Controls"
agentSelector: "tag:production"
isActive: true

rules:
  - action: "financial.transfer"
    decision: "allow"
    conditions:
      - field: "amount"
        operator: "lt"
        value: 1000

  - action: "financial.transfer"
    decision: "pending_approval"
    conditions:
      - field: "amount"
        operator: "gte"
        value: 1000

constraints:
  rateLimit:
    maxPerHour: 100
    maxPerDay: 500
  operatingHours:
    start: "09:00"
    end: "17:00"
    timezone: "America/New_York"

Allow. Deny. Require approval. In under 5ms.

The policy engine evaluates every agent action in real time. Pattern-based action matching with wildcards. Rich conditions on agent state, action parameters, and context. Three decision types: allowed (proceed), denied (blocked with reason), pending_approval (human required).

Target any agent. Any group. Any protocol.

Flexible agent selector patterns: wildcard (*) for all agents, specific agent IDs, tag-based (tag:production), owner-based (owner:user_alice), and protocol-based (protocol:mcp). Policies automatically apply to matching agents.

Rate limits. Operating hours. Financial caps.

Built-in constraint system enforces rate limits (actions per hour/day), operating hours (business hours only), financial limits (per-transaction and daily caps), data volume limits, and geographic restrictions. All evaluated before rule matching.

const decision = await engine.evaluate({
  agent: { id: "agent_123", scopes: ["crm:write"] },
  action: "financial.transfer",
  scope: "financial:write",
  metadata: {
    amount: 15000,
    recipient: "vendor_xyz"
  }
});

// { decision: "pending_approval",
//   policyId: "policy_456",
//   reason: "Amount exceeds $1000 threshold" }
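
As an added sketch (not Custodex's engine and not code from this page), the evaluator below shows how the YAML policy above resolves the request in the preceding snippet, and that it fails closed when the amount is missing or mistyped. The agent fields tags, owner and protocol, the trailing ".*" wildcard form, first-match ordering, the "not_applicable" result and the "deny" default are assumptions; constraints are omitted.

```javascript
// Added illustration, not Custodex source. The object mirrors the page's YAML policy.
const policy = {
  agentSelector: "tag:production",
  isActive: true,
  rules: [
    { action: "financial.transfer", decision: "allow",
      conditions: [{ field: "amount", operator: "lt", value: 1000 }] },
    { action: "financial.transfer", decision: "pending_approval",
      conditions: [{ field: "amount", operator: "gte", value: 1000 }] },
  ],
};

// Only the two operators shown on the page; an unknown operator never matches.
const OPERATORS = { lt: (a, b) => a < b, gte: (a, b) => a >= b };

// Selector forms from the page; agent.tags, .owner and .protocol are assumed field names.
function selectorMatches(selector, agent) {
  if (selector === "*") return true;
  const sep = selector.indexOf(":");
  if (sep === -1) return selector === agent.id;
  const kind = selector.slice(0, sep), value = selector.slice(sep + 1);
  if (kind === "tag") return (agent.tags || []).includes(value);
  if (kind === "owner") return agent.owner === value;
  if (kind === "protocol") return agent.protocol === value;
  return false;
}

// Assumed wildcard syntax: "*" alone, or a trailing ".*" segment.
function actionMatches(pattern, action) {
  if (pattern === "*" || pattern === action) return true;
  return pattern.endsWith(".*") && action.startsWith(pattern.slice(0, -1));
}

// A missing, string, or NaN field satisfies no comparison (no JS type coercion).
function conditionHolds(cond, metadata) {
  const actual = metadata[cond.field], op = OPERATORS[cond.operator];
  return Number.isFinite(actual) && Boolean(op) && op(actual, cond.value);
}

function evaluate(policy, request) {
  if (!policy.isActive || !selectorMatches(policy.agentSelector, request.agent))
    return { decision: "not_applicable" }; // hypothetical value: policy does not cover agent
  const metadata = request.metadata || {};
  for (const rule of policy.rules) // assumed: first matching rule wins
    if (actionMatches(rule.action, request.action) &&
        rule.conditions.every((c) => conditionHolds(c, metadata)))
      return { decision: rule.decision };
  return { decision: "deny", reason: "no rule matched" }; // assumed fail-closed default
}
```

A caller that receives "not_applicable" from every policy still has to decide what happens to the action; treating that outcome as a denial keeps ungoverned agents from acting by default.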

What's included in policy enforcement

01. YAML-based rules with git-friendly version control
02. OPA/Rego integration for formal policy specifications
03. Pre-built templates: financial, data export, rate limiting
04. Sub-5ms evaluation with Redis caching (95%+ hit ratio)
05. Pattern-based agent selectors with wildcards
06. Visual policy editor with simulation and testing