Phase 2 – Policy Engine & Guardrails

Phase 2 extends FleetForge's policy surface with structured packs, phase-aware hooks, and richer baseline protections.

Highlights

  • Pre/mid/post hooks – policy evaluations now run at scheduler ingress, executor ingress/egress, and document ingestion boundaries. Packs declare the hooks they participate in via phase/hooks (pre, mid, post).
  • Structured packs – policy.packs[] entries specify a name, optional phase / hooks, and an options object. Packs ship as native policies and can also be backed by Wasm (prompt-injection).
  • Baseline packs – included packs cover:
    • prompt_injection (Wasm, falls back to heuristics)
    • pii_redaction (mode: redact|deny|allow)
    • tool_acl (allow/deny lists for tool slugs, commands, images, networks)
    • budget_caps (token/cost caps + optional warn_ratio watermark)
  • UI/telemetry parity – denial/redaction events persist as artifacts and annotate OTEL spans across scheduler and executor phases.

Pack schema (excerpt)

{
  "policy": {
    "packs": [
      { "name": "prompt_injection" },
      { "name": "pii_redaction", "phase": ["pre", "post"] },
      { "name": "tool_acl", "options": { "allow": ["safe_tool"] } },
      { "name": "budget_caps", "options": { "max_tokens": 5000, "warn_ratio": 0.75 } }
    ]
  }
}

Each pack's options shape is documented inline with the implementation and in docs/reference/policy/presets.md.

Acceptance Criteria

  • Scheduler-denied steps (packs or guardrails) persist policy artifacts and annotate spans.
  • Egress payloads (LLM/tool/HTTP) now include budget + execution metadata for pack evaluation.
  • Budget caps deny when reserved/actual usage exceeds the configured limits and emit warnings at the configured watermarks.
  • Tool ACL packs gate ingress based on tool, slug, image, and network options.
  • Regression tests cover PII redaction on ingress/egress, ACL allow/deny flows, and budget cap denial/warning scenarios.
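As an added illustration, not FleetForge's own implementation, here is a minimal evaluator that applies the budget_caps and tool_acl packs from the schema excerpt to an egress payload's usage counters and a tool slug. The Decision type, the function names, the usage dict keys (reserved_tokens / actual_tokens) and the "any deny wins, then warn" ordering are assumptions.

```python
from dataclasses import dataclass

# Constructed config mirroring the page's schema excerpt (two packs modelled here).
POLICY = {"policy": {"packs": [
    {"name": "tool_acl", "options": {"allow": ["safe_tool"]}},
    {"name": "budget_caps", "options": {"max_tokens": 5000, "warn_ratio": 0.75}},
]}}

@dataclass
class Decision:            # hypothetical result type, not FleetForge's artifact schema
    action: str            # "allow" | "warn" | "deny"
    pack: str
    reason: str = ""

def eval_budget_caps(options, usage):
    """Deny when reserved+actual tokens exceed max_tokens; warn at the warn_ratio watermark."""
    cap = options["max_tokens"]
    total = usage.get("reserved_tokens", 0) + usage.get("actual_tokens", 0)
    if total > cap:
        return Decision("deny", "budget_caps", f"{total} tokens exceed cap {cap}")
    ratio = options.get("warn_ratio")
    if ratio is not None and total >= ratio * cap:
        return Decision("warn", "budget_caps", f"{total}/{cap} tokens past {ratio:.0%} watermark")
    return Decision("allow", "budget_caps")

def eval_tool_acl(options, tool_slug):
    """A deny list always wins; an allow list, when present, must contain the slug."""
    if tool_slug in options.get("deny", []):
        return Decision("deny", "tool_acl", f"{tool_slug} is deny-listed")
    allow = options.get("allow")
    if allow is not None and tool_slug not in allow:
        return Decision("deny", "tool_acl", f"{tool_slug} not in allow list")
    return Decision("allow", "tool_acl")

def evaluate(policy, tool_slug, usage):
    """Run every configured pack; any deny wins, otherwise any warn, else allow."""
    decisions = []
    for pack in policy["policy"]["packs"]:
        opts = pack.get("options", {})
        if pack["name"] == "budget_caps":
            decisions.append(eval_budget_caps(opts, usage))
        elif pack["name"] == "tool_acl":
            decisions.append(eval_tool_acl(opts, tool_slug))
        # prompt_injection and pii_redaction are not modelled in this sketch
    for verdict in ("deny", "warn"):
        if any(d.action == verdict for d in decisions):
            return verdict, decisions
    return "allow", decisions
```

The returned decisions list is what a real engine would persist as the policy artifact and attach to the span; the verdict is what gates the step.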