
Regulated Policy Packs

FleetForge ships baseline policy packs for regulated workloads. Enable them via the FLEETFORGE_POLICY_PACK environment variable when starting the runtime.

Enabling HIPAA guardrails

FLEETFORGE_POLICY_PACK=hipaa fleetforge-runtime

Behaviour:

  • Denies steps that declare policy.guardrails containing phi.
  • Falls back to the built-in PII detector for redaction (email, SSN, etc.).
  • Permits only approved toolbox commands (echo, python, python3, jq, plus values from FLEETFORGE_ALLOWED_TOOLS). Docker image overrides must stay within ghcr.io/fleetforge/toolbox:latest, FLEETFORGE_TOOLBOX_IMAGE, or any values in FLEETFORGE_ALLOWED_IMAGES.
  • Blocks network egress by default (network must be omitted or none). Extend via FLEETFORGE_ALLOWED_NETWORKS if you need controlled connectivity.
  • Allows non-PHI traffic to proceed after basic PII filtering.

Enabling GDPR guardrails

FLEETFORGE_POLICY_PACK=gdpr fleetforge-runtime

Behaviour:

  • Denies steps when policy.subject_access is set to true, to surface data subject access requests.
  • Redacts PII in inputs/outputs using the baseline PII detector.
  • Enforces the same toolbox and image allowlist as HIPAA, but tolerates loopback network requests (network=loopback). Override via FLEETFORGE_ALLOWED_NETWORKS for broader access.
  • Allows other steps to proceed intact.

Disabling

Omit the variable or set FLEETFORGE_POLICY_PACK=allow_all to revert to the default permissive behaviour (useful for local development).
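
The rules above can be modelled as a pre-flight check to run over step definitions before they reach the runtime. This is an added example, not FleetForge code: the step dictionary shape, the evaluate function and its extra_* parameters are assumptions, and the allowlist extensions are passed in as already-split values rather than read from the environment.

```python
# Added example: models the rules documented above; not FleetForge's own code.
# Assumed step shape: {"command", "image", "network", "policy": {...}}.
BASE_TOOLS = {"echo", "python", "python3", "jq"}
DEFAULT_IMAGE = "ghcr.io/fleetforge/toolbox:latest"


def evaluate(pack, step, extra_tools=(), extra_images=(), extra_networks=()):
    """Return the reasons a step would be denied; an empty list means it passes.

    extra_* stand in for FLEETFORGE_ALLOWED_TOOLS, FLEETFORGE_ALLOWED_IMAGES
    (plus FLEETFORGE_TOOLBOX_IMAGE) and FLEETFORGE_ALLOWED_NETWORKS, already
    split into individual values by the caller.
    """
    if pack in (None, "allow_all"):
        return []  # default permissive behaviour
    if pack not in ("hipaa", "gdpr"):
        raise ValueError(f"unknown policy pack: {pack!r}")

    reasons = []
    policy = step.get("policy", {})
    if pack == "hipaa" and "phi" in policy.get("guardrails", []):
        reasons.append("policy.guardrails contains phi")
    if pack == "gdpr" and policy.get("subject_access") is True:
        reasons.append("policy.subject_access is set")

    # Toolbox command and image allowlists are shared by both packs.
    command = step.get("command")
    if command is not None and command not in BASE_TOOLS | set(extra_tools):
        reasons.append(f"command not allowlisted: {command}")
    image = step.get("image")
    if image is not None and image not in {DEFAULT_IMAGE} | set(extra_images):
        reasons.append(f"image not allowlisted: {image}")

    # Egress: omitted or "none" always passes; GDPR also tolerates loopback.
    allowed = {None, "none"} | set(extra_networks)
    if pack == "gdpr":
        allowed.add("loopback")
    network = step.get("network")
    if network not in allowed:
        reasons.append(f"network not allowed: {network}")
    return reasons


# Constructed sample steps.
PHI_STEP = {"command": "jq", "policy": {"guardrails": ["phi"]}}
CURL_STEP = {"command": "curl", "network": "loopback"}
```

The same step can pass under one pack and fail under another, so run the check with the pack value the target environment will actually use.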

See core/policy/src/packs/regulated.rs for the full implementation and tests.