Guardrail Reference
FleetForge guardrails keep agent runs within approved safety, cost, and
compliance boundaries. Configure step-level guardrails in the run spec
(policy.guardrails[]), pair them with a policy pack, and enforce runtime-wide
allowlists via environment variables.
Need the big picture? Start with the Policy system concept. For deployment walkthroughs, see Demo hardening and Deploy with Helm.
Step-level flags (policy.guardrails[])
Attach guardrails directly to a step in the run spec. Multiple flags can be combined; conflicting directives fail validation. Example:
```json
{
  "policy": {
    "guardrails": [
      "block_injection",
      "egress_http_allowlist:corp.example",
      "tool_sandbox:firecracker"
    ]
  }
}
```
| Flag | Effect | Configure in | Related docs |
|---|---|---|---|
| redact_pii | Redacts PII before the step returns data. | Run spec (policy.guardrails[]) | Policy system, Policy presets |
| deny_on_pii | Fails the step when PII is detected. | Run spec | Policy presets |
| block_injection | Runs the prompt-injection Wasm pack (deny/redact). | Run spec | Untrusted context policy |
| block_command_output | Redacts shell/SQL command strings in outputs. | Run spec | Policy presets |
| egress_http_allowlist:<domain> | Allows HTTP proxy egress only to the given domain or subpath. Repeat the flag for multiple domains. | Run spec | Untrusted context policy |
| egress_http_content_type:<mime> | Restricts HTTP proxy responses to specific MIME types. | Run spec | Untrusted context policy |
| egress_http_max_bytes:<n> | Caps HTTP proxy response size (n bytes). | Run spec | Untrusted context policy |
| tool_sandbox:firecracker | Prefers the Firecracker sandbox for the step (falls back to Docker). | Run spec | Demo hardening |
Policy packs (FLEETFORGE_POLICY_PACK)
Policy packs apply global guardrail defaults. Set FLEETFORGE_POLICY_PACK=<name>
before starting the runtime.
| Pack | Use when… | Highlights | Docs |
|---|---|---|---|
| allow_all | Running local experiments or the demo. | Toolbox image keeps permissive commands; network open. | — |
| hipaa | Handling PHI or regulated healthcare data. | Deny-on-PHI guardrails; enforces tool/image/network allowlists. | Regulated packs |
| gdpr | Operating on EU personal data. | Similar to HIPAA; loopback network allowed for intra-cluster calls. | Regulated packs |
| owasp_demo | Demonstrating OWASP LLM Top 10 mitigations. | Aligns with the demo presets; pairs with the public walkthroughs. | Policy presets |
Pack definitions live in policy-packs/. Update this list when behaviour changes
or new packs ship.
Runtime environment variables
Use environment variables at deployment time (Helm values, Cloud Run env vars, Compose files) to lock down executors and allowlists.
| Variable | Purpose | Typical usage |
|---|---|---|
| FLEETFORGE_POLICY_PACK | Selects the global policy pack. | hipaa, gdpr, allow_all, owasp_demo |
| FLEETFORGE_ALLOWED_TOOLS | Comma-separated toolbox command allowlist. | Tighten demos or regulated clusters (e.g. echo,python,jq). |
| FLEETFORGE_ALLOWED_IMAGES | Additional container images permitted for tool steps. | Approve custom tool images. |
| FLEETFORGE_ALLOWED_NETWORKS | Declares outbound network profiles beyond the defaults (none, loopback). | Grant curated egress for regulated packs. |
| FLEETFORGE_FIRECRACKER_SHIM | Path to the Firecracker launcher. | Required when tool_sandbox:firecracker is used. |
| FLEETFORGE_HTTP_ALLOWLIST | Runtime-wide HTTP proxy allowlist (domains/paths). | Match step-level guardrails with operator defaults. |
| FLEETFORGE_HTTP_CONTENT_TYPES | Overrides the allowed response MIME types for the HTTP proxy. | Permit additional formats (e.g. application/pdf). |
| FLEETFORGE_HTTP_MAX_BYTES | Sets the maximum HTTP proxy response size. | Prevent large downloads during egress. |
Document approvals whenever you expand allowlists or sandbox exceptions.
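The flag validation and allowlist behaviour described in the two tables above, as an added illustration in Python that is not FleetForge's own code. It assumes that redact_pii and deny_on_pii are a conflicting pair, that an allowlist entry matches an exact host plus an optional path prefix, and that FLEETFORGE_HTTP_ALLOWLIST is comma-separated.

```python
import os
from urllib.parse import urlsplit

# Flags from the step-level table; True means the flag takes a ":<value>" argument.
KNOWN_FLAGS = {
    "redact_pii": False, "deny_on_pii": False, "block_injection": False,
    "block_command_output": False, "egress_http_allowlist": True,
    "egress_http_content_type": True, "egress_http_max_bytes": True,
    "tool_sandbox": True,
}
# Assumed conflict: a step cannot both redact PII and hard-fail on PII.
CONFLICTS = [("redact_pii", "deny_on_pii")]

def parse_guardrails(flags):
    """Return {name: [values]} for a policy.guardrails[] list, or raise ValueError."""
    parsed = {}
    for flag in flags:
        name, sep, value = flag.partition(":")
        if name not in KNOWN_FLAGS:
            raise ValueError(f"unknown guardrail {flag!r}")
        if KNOWN_FLAGS[name] != bool(sep) or (sep and not value):
            raise ValueError(f"bad argument form for {flag!r}")
        if name == "egress_http_max_bytes" and not value.isdigit():
            raise ValueError(f"{name} needs an integer byte count")
        parsed.setdefault(name, []).append(value)  # repeated flags accumulate
    for a, b in CONFLICTS:
        if a in parsed and b in parsed:
            raise ValueError(f"conflicting guardrails: {a} and {b}")
    return parsed

def effective_allowlist(parsed, env=os.environ):
    """Step-level allowlist entries plus the runtime-wide FLEETFORGE_HTTP_ALLOWLIST."""
    runtime = env.get("FLEETFORGE_HTTP_ALLOWLIST", "")
    entries = parsed.get("egress_http_allowlist", []) + [e for e in runtime.split(",") if e]
    return [e.strip().lower() for e in entries]

def egress_allowed(url, allowlist):
    """Assumed rule: exact host match, optional path prefix (e.g. 'corp.example/api')."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host, path = parts.hostname or "", parts.path or "/"
    for entry in allowlist:
        domain, _, prefix = entry.partition("/")
        wanted = "/" + prefix.strip("/")
        if host != domain:  # subdomains and look-alike hosts do not match
            continue
        if wanted == "/" or path == wanted or path.startswith(wanted + "/"):
            return True
    return False
```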
Where to go next
- Concepts: Policy system overview, ChangeOps governance.
- How-to guides: Demo hardening checklist, Deploy with Helm, Enable OIDC.
- Reference: Policy implementation in core/policy/, prompt firewall details in Untrusted context policy, curated bundles in Policy presets.