Documentation Index
Fetch the complete documentation index at: https://docs.praison.ai/llms.txt
Use this file to discover all available pages before exploring further.
Policy Packs CLI
Policy packs provide reusable, org-wide security policies for recipes.
Quick Start
# Show default policy
praisonai recipe policy show
# Create policy template
praisonai recipe policy init -o my-policy.yaml
# Run with policy
praisonai recipe run my-recipe --policy my-policy.yaml --mode prod
Commands
policy show
Display policy configuration.
praisonai recipe policy show [policy-file] [options]
| Option | Description |
|---|
--json | Output JSON format |
# Show default policy
praisonai recipe policy show
# Show policy from file
praisonai recipe policy show my-policy.yaml
# JSON output
praisonai recipe policy show --json
policy init
Create a policy template file.
praisonai recipe policy init [options]
| Option | Description |
|---|
-o, --output <path> | Output file path (default: policy.yaml) |
# Create default template
praisonai recipe policy init
# Custom output path
praisonai recipe policy init -o my-org-policy.yaml
policy validate
Validate a policy file.
praisonai recipe policy validate <policy-file>
name: my-org-policy
version: "1.0"
description: Organization-wide security policy
tools:
allow:
- web.search
- db.query
- file.read
deny:
- shell.exec
- file.write
- network.unrestricted
network:
allow_domains:
- api.openai.com
- api.anthropic.com
deny_domains:
- localhost
- 127.0.0.1
files:
allow_paths:
- /tmp
- ./outputs
deny_paths:
- /etc
- /var
pii:
mode: redact # allow, deny, redact
fields:
- email
- phone
- ssn
data:
retention_days: 30
export_allowed: true
modes:
dev:
allow_interactive_prompts: true
strict_tool_enforcement: false
prod:
allow_interactive_prompts: false
strict_tool_enforcement: true
require_auth: true
Using Policies
With Recipe Run
# Run with policy file
praisonai recipe run my-recipe --policy my-policy.yaml
# Run in prod mode
praisonai recipe run my-recipe --policy my-policy.yaml --mode prod
With Recipe Serve
# Serve with policy
praisonai serve recipe --policy my-policy.yaml --mode prod
shell.exec - Shell executionshell.run - Shell commandsfile.write - File writingfile.delete - File deletionnetwork.unrestricted - Unrestricted networkdb.write - Database writesdb.delete - Database deletes
Mode Differences
Dev Mode
- Interactive prompts allowed
- Lenient tool enforcement
- PII allowed by default
Prod Mode
- No interactive prompts
- Strict tool enforcement
- PII redaction enabled
- Auth required for serve
Python API
from praisonai.recipe.policy import (
PolicyPack,
get_default_policy,
load_policy,
check_tool_policy,
PolicyDeniedError,
)
# Get default policy
policy = get_default_policy("dev")
# Load from file
policy = PolicyPack.load("my-policy.yaml")
# Create custom policy
policy = PolicyPack(
name="my-policy",
config={
"tools": {
"allow": ["web.search"],
"deny": ["shell.exec"],
},
"pii": {"mode": "redact"},
},
)
# Check tool permission
try:
policy.check_tool("web.search", mode="prod")
print("Tool allowed")
except PolicyDeniedError as e:
print(f"Tool denied: {e}")
# Save policy
policy.save("output-policy.yaml")
# Merge policies
base = get_default_policy("dev")
override = PolicyPack.load("custom.yaml")
merged = base.merge(override)
# Get data policy
data_policy = policy.get_data_policy()
Policy Precedence
- CLI flags (highest)
- Policy file
- Recipe TEMPLATE.yaml
- Default policy (lowest)
Next Steps
