Policy Presets

These presets bundle common guardrail combinations so operators can roll out consistent controls across teams. Apply them per step (via policy.guardrails) and pair them with the appropriate runtime environment variables. For the full guardrail flag matrix and environment variable reference, see Guardrail reference.

See Untrusted context policy for firewall behaviour and Regulated policy packs for HIPAA/GDPR packs.

Field reference

  • guardrails[] — per-step policy bundle toggles (Context Firewall, HTTP allowlists, sandbox hints). Individual flags are documented in Guardrail reference.
  • packs[] — structured policy packs evaluated in pre/mid/post hooks. Each entry accepts a name, optional phase/hooks (any of pre, mid, post), and an options object.
  • egress_profile
    • none — no outbound network access (docker --network none).
    • allowlist — outbound HTTP must match explicit egress_http_allowlist:* entries.
    • tenant-default — defer to tenancy-level defaults (requires platform support).
  • isolation
    • docker — toolbox container with read-only filesystem, seccomp, and no-new-privileges.
    • firecracker — microVM sandbox (requires FLEETFORGE_FIRECRACKER_SHIM).

Baseline packs

Supported pack identifiers:

  • prompt_injection — Wasm-backed prompt injection detection (falls back to heuristics when Wasm is unavailable).
  • pii_redaction — Regex-based PII redaction/denial with optional { "mode": "deny|allow|redact" } options.
  • tool_acl — Allow/deny lists for tool slugs/commands, container images, and networks.
  • budget_caps — Reserved/actual token & cost caps with optional warn_ratio watermark.

Example configuration:

{
  "policy": {
    "packs": [
      { "name": "prompt_injection" },
      { "name": "pii_redaction", "phase": ["pre", "post"] },
      { "name": "tool_acl", "options": { "allow": ["safe_tool"] } },
      { "name": "budget_caps", "options": { "max_tokens": 2000, "warn_ratio": 0.8 } }
    ]
  }
}

Baseline (default hardening)

Use when: interacting with untrusted user inputs, RAG snippets, or tool outputs in standard environments.

  • Guardrails: ["redact_pii", "block_injection", "block_command_output"]
  • Sandbox: Docker toolbox (default) with read-only filesystem, network none (both already enforced by DockerToolExecutor unless inputs override network)
  • Environment: do not set FLEETFORGE_ALLOWED_NETWORKS; only grant additional connectivity intentionally.

{
  "policy": {
    "guardrails": [
      "redact_pii",
      "block_injection",
      "block_command_output"
    ],
    "egress_profile": "none",
    "isolation": "docker"
  }
}

Regulated (PII + egress controls + microVM)

Use when: handling regulated data (HIPAA/GDPR) or high-risk tool executions.

  • Guardrails: baseline list plus HTTP allowlists and Firecracker sandbox hint
  • Sandbox: Firecracker (tool_sandbox:firecracker) with runtime configured via FLEETFORGE_FIRECRACKER_SHIM
  • Environment:
    • FLEETFORGE_POLICY_PACK=hipaa (or gdpr) to enable pack-level filters
    • Add explicit allowlist entries (egress_http_allowlist:corp.example)
    • Optional FLEETFORGE_ALLOWED_NETWORKS=loopback (or stricter) for Firecracker

{
  "policy": {
    "guardrails": [
      "redact_pii",
      "block_injection",
      "block_command_output",
      "egress_http_allowlist:corp.example",
      "egress_http_allowlist:partners.example/api",
      "tool_sandbox:firecracker"
    ],
    "egress_profile": "allowlist",
    "isolation": "firecracker"
  }
}

Notes

  • Apply multiple egress_http_allowlist:* entries for each approved domain/path.
  • Keep Docker toolbox available as a fallback; the runtime logs if the shim is missing.

OWASP demo pack

Use when: showcasing OWASP-aligned guardrails in public demos. Enable with:

FLEETFORGE_POLICY_PACK=owasp_demo fleetforge-runtime

The pack definition lives in policy-packs/owasp_demo.yaml and aligns each rule with the OWASP LLM Top 10:

  • LLM01 – Prompt Injection: block_injection fails closed when instructions attempt to override system policy.
  • LLM02 – Data Leakage: redact_pii removes emails, SSNs, and other PII prior to egress.
  • LLM06 – Sensitive Information Disclosure: outbound network access is denied (egress_profile: none) so unreviewed data never leaves the sandbox.
  • Budget watermark (75 %) posts an observation event so operators can catch runaway spend before the run hard-fails.

Pair the pack with the demo presets in examples/_packs/demo-pack/agent_team_openai to illustrate guardrail hits alongside deterministic replay.

Research (flexible output, operator-gated egress)

Use when: prototyping with broader model outputs but still requiring manual approval for outbound requests.

  • Guardrails: ["redact_pii", "block_injection"] (omit block_command_output to allow richer completions)
  • Sandbox: Docker toolbox defaults (--network none, --read-only)
  • Egress approval:
    • Default to no allowlists; researchers request temporary access
    • Operators add egress_http_allowlist:<domain> (or set FLEETFORGE_ALLOWED_NETWORKS) only after review
    • Document approvals alongside the change (e.g., in run labels or change log)

{
  "policy": {
    "guardrails": [
      "redact_pii",
      "block_injection"
    ],
    "egress_profile": "none",
    "isolation": "docker",
    "notes": "Add egress_http_allowlist:<domain> only after operator approval."
  }
}

Operators can enforce approvals by requiring pull requests or change tickets for any updates to the guardrail list or runtime allowlists. Even with relaxed output guarding, the Context Firewall continues to redact PII and prompt-injection cues.
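A change-review gate for the presets on this page needs something mechanical to run on each pull request: a linter that checks a policy block against the field reference (guardrail list, packs with name/phase/options, the egress_profile and isolation enumerations) and against the pairings the presets rely on, namely that an allowlist egress profile actually names egress_http_allowlist:* entries, that egress_profile none is not contradicted by allowlist entries, and that Firecracker isolation is accompanied by the tool_sandbox:firecracker hint. The script below is an added example written for this page, not FleetForge's own validator; the enumerations come from the field reference and baseline packs sections, while the accepted warn_ratio range (0, 1] and the treatment of a phase/hooks entry as a list are assumptions. The sample policies are the Baseline, Regulated and packs examples from above plus one constructed misconfiguration.

```python
"""Lint a FleetForge-style policy block against the documented field reference.

Added example, not FleetForge's own code: the runtime's real validation may
differ. Enumerations are taken from the page; the warn_ratio range (0, 1] and
the handling of "phase"/"hooks" as a list are assumptions.
"""
from __future__ import annotations

# Values documented in the field reference and baseline packs sections.
EGRESS_PROFILES = {"none", "allowlist", "tenant-default"}
ISOLATION_MODES = {"docker", "firecracker"}
PACK_NAMES = {"prompt_injection", "pii_redaction", "tool_acl", "budget_caps"}
PHASES = {"pre", "mid", "post"}
PII_MODES = {"deny", "allow", "redact"}
ALLOWLIST_PREFIX = "egress_http_allowlist:"
FIRECRACKER_HINT = "tool_sandbox:firecracker"


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means the block is consistent."""
    findings: list[str] = []

    guardrails = policy.get("guardrails", [])
    if not all(isinstance(g, str) for g in guardrails):
        findings.append("guardrails must be a list of strings")
        guardrails = [g for g in guardrails if isinstance(g, str)]

    # Collect the domain/path part of every egress_http_allowlist:* entry.
    allowlist = [g[len(ALLOWLIST_PREFIX):] for g in guardrails if g.startswith(ALLOWLIST_PREFIX)]
    if any(not entry for entry in allowlist):
        findings.append("empty egress_http_allowlist entry")

    egress = policy.get("egress_profile")
    if egress is not None and egress not in EGRESS_PROFILES:
        findings.append(f"unknown egress_profile {egress!r}")
    if egress == "allowlist" and not allowlist:
        findings.append("egress_profile allowlist but no egress_http_allowlist:* guardrail")
    if egress == "none" and allowlist:
        findings.append("egress_profile none contradicted by egress_http_allowlist:* entries")

    isolation = policy.get("isolation")
    if isolation is not None and isolation not in ISOLATION_MODES:
        findings.append(f"unknown isolation {isolation!r}")
    has_hint = FIRECRACKER_HINT in guardrails
    if isolation == "firecracker" and not has_hint:
        findings.append(f"isolation firecracker without {FIRECRACKER_HINT} guardrail hint")
    if has_hint and isolation not in (None, "firecracker"):
        findings.append(f"{FIRECRACKER_HINT} hint but isolation is {isolation!r}")

    for i, pack in enumerate(policy.get("packs", [])):
        if not isinstance(pack, dict):
            findings.append(f"packs[{i}]: entry must be an object")
            continue
        name = pack.get("name")
        if name not in PACK_NAMES:
            findings.append(f"packs[{i}]: unknown pack {name!r}")
        phases = pack.get("phase", pack.get("hooks", []))  # assumption: both are lists
        unknown = set(phases) - PHASES
        if unknown:
            findings.append(f"packs[{i}]: unknown phase(s) {sorted(unknown)}")
        opts = pack.get("options", {})
        if name == "pii_redaction" and "mode" in opts and opts["mode"] not in PII_MODES:
            findings.append(f"packs[{i}]: pii_redaction mode {opts['mode']!r} not in deny|allow|redact")
        if name == "budget_caps":
            ratio = opts.get("warn_ratio")
            if ratio is not None and not 0 < ratio <= 1:  # assumption: watermark is a fraction
                findings.append(f"packs[{i}]: warn_ratio {ratio!r} outside (0, 1]")
    return findings


# Sample inputs: the page's Baseline, Regulated and packs examples, plus one
# constructed misconfiguration that the linter should reject.
BASELINE = {
    "guardrails": ["redact_pii", "block_injection", "block_command_output"],
    "egress_profile": "none",
    "isolation": "docker",
}
REGULATED = {
    "guardrails": ["redact_pii", "block_injection", "block_command_output",
                   "egress_http_allowlist:corp.example",
                   "egress_http_allowlist:partners.example/api",
                   "tool_sandbox:firecracker"],
    "egress_profile": "allowlist",
    "isolation": "firecracker",
}
PACKS_EXAMPLE = {
    "packs": [
        {"name": "prompt_injection"},
        {"name": "pii_redaction", "phase": ["pre", "post"]},
        {"name": "tool_acl", "options": {"allow": ["safe_tool"]}},
        {"name": "budget_caps", "options": {"max_tokens": 2000, "warn_ratio": 0.8}},
    ]
}
BROKEN = {  # constructed: allowlist profile with no entries, missing hint, bad phase and mode
    "guardrails": ["redact_pii"],
    "egress_profile": "allowlist",
    "isolation": "firecracker",
    "packs": [{"name": "pii_redaction", "phase": ["pre", "runtime"], "options": {"mode": "scrub"}}],
}

if __name__ == "__main__":
    for label, pol in [("baseline", BASELINE), ("regulated", REGULATED),
                       ("packs", PACKS_EXAMPLE), ("broken", BROKEN)]:
        print(label, lint_policy(pol) or "ok")
```

Run it against the `policy` object of each step in CI before the change is merged; a non-empty findings list fails the check, which turns the approval process described above into an enforced gate rather than a convention.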