agent-tool-firewall/examples/policy.yaml at main · SecAI-Hub/agent-tool-firewall · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# =============================================================================
# agent-tool-firewall Policy Configuration — Annotated Example
# =============================================================================
# This file controls which tool calls are allowed, denied, and rate-limited.
# All settings follow a secure-by-default philosophy:
#   - Tool calls are default-deny
#   - Paths must be explicitly allowlisted
#   - Arguments are validated against length limits and blocked patterns
# =============================================================================

# Schema version. Used for forward compatibility.
version: 1

# ---------------------------------------------------------------------------
# tools — Tool firewall policy
# ---------------------------------------------------------------------------
# The tool firewall evaluates every tool call against this section.
tools:
  # Default action for tools not in the allow or deny list.
  # "deny" = reject unknown tools (recommended).
  # "allow" = allow unknown tools (NOT recommended).
  default: "deny"

  # Global rate limit across all tool calls.
  rate_limit:
    # Maximum tool calls per minute (sliding window).
    requests_per_minute: 120
    # Burst size for rate limiting.
    burst_size: 20

  # Tools explicitly allowed, with constraints.
  allow:
    - name: "filesystem.read"
      # Only allow reading from these directories.
      paths_allowlist:
        - "/home/user/documents/**"
        - "/home/user/projects/**"
      # Never allow reading these paths, even if they match the allowlist.
      paths_denylist:
        - "/etc/shadow"
        - "/etc/passwd"
      # Maximum length of any single argument (bytes).
      max_arg_length: 4096

    - name: "filesystem.write"
      # Only allow writing to the outputs directory.
      paths_allowlist:
        - "/home/user/outputs/**"
      # Block path traversal and writes to system directories.
      args_blocklist:
        - "../"
        - "/etc/"
        - "/usr/"
      max_arg_length: 4096

    - name: "filesystem.list"
      # Allow listing files in user directories.
      paths_allowlist:
        - "/home/user/documents/**"
        - "/home/user/outputs/**"

    - name: "web.search"
      # No path constraints — argument filtering only.
      args_blocklist:
        - "password"
        - "secret"
        - "api_key"

  # Tools explicitly denied. Deny always wins over allow.
  deny:
    - name: "shell.exec"       # No shell command execution
    - name: "process.spawn"    # No process spawning
    - name: "network.fetch"    # No raw network access
    - name: "filesystem.delete"  # No file deletion