Docs
Runtime policies for AI agent tool calls.
Policies define what an agent can do, in which environment, on which GitHub repository or Postgres target, and whether the decision is only monitored or actively enforced.
Policy basics
| Concept | Meaning |
|---|---|
| Policy | A set of allow and deny rules evaluated for each tool call. |
| Decision | The runtime result: allow or deny. |
| Monitor mode | Evaluate and log decisions without blocking the action. |
| Enforce mode | Block denied actions before tool execution. |
| Matching | Rules can match agent identity, environment, action, and target resource. |
| Approvals | High-risk database actions can pause for human approval instead of executing immediately. |
| Default posture | If no rule matches, z-gateway treats the action as denied. |
Example policy rules
allow read_repo in dev
agent: codex-dev
environment: dev
action: read_repo
resource: *
effect: allow
allow create_issue on connected repos
agent: *
environment: dev
action: create_issue
resource: connected_repositories
effect: allow
monitor create_pr
agent: *
environment: dev
action: create_pr
resource: connected_repositories
effect: allow
mode: monitor
deny delete_repo
agent: *
action: delete_repo
resource: *
effect: deny
deny push_protected_branch
agent: *
action: push_protected_branch
resource: protected_branches
effect: deny
allow db.query.read on production reporting
agent: analyst-agent
environment: prod
action: query_read
resource: reporting
effect: allow
monitor db_write_propose
agent: *
environment: staging
action: write_propose
resource: assigned_databases
effect: allow
mode: monitorHow to think about scope
Start broad enough to let design partners work in monitor mode, then tighten policy scope around high-risk actions. Common scopes include agent identity, environment, repository, database target, action family, protected branch status, and protected database tables.