# Show default policy
praisonai recipe policy show

# Create policy template
praisonai recipe policy init -o my-policy.yaml

# Run with policy
praisonai recipe run my-recipe --policy my-policy.yaml --mode prod

praisonai recipe policy show [policy-file] [options]

# Show default policy
praisonai recipe policy show

# Show policy from file
praisonai recipe policy show my-policy.yaml

# JSON output
praisonai recipe policy show --json

praisonai recipe policy init [options]

# Create default template
praisonai recipe policy init

# Custom output path
praisonai recipe policy init -o my-org-policy.yaml

praisonai recipe policy validate <policy-file>

name: my-org-policy
version: "1.0"
description: Organization-wide security policy

tools:
  allow:
    - web.search
    - db.query
    - file.read
  deny:
    - shell.exec
    - file.write
    - network.unrestricted

network:
  allow_domains:
    - api.openai.com
    - api.anthropic.com
  deny_domains:
    - localhost
    - 127.0.0.1

files:
  allow_paths:
    - /tmp
    - ./outputs
  deny_paths:
    - /etc
    - /var

pii:
  mode: redact  # allow, deny, redact
  fields:
    - email
    - phone
    - ssn

data:
  retention_days: 30
  export_allowed: true

modes:
  dev:
    allow_interactive_prompts: true
    strict_tool_enforcement: false
  prod:
    allow_interactive_prompts: false
    strict_tool_enforcement: true
    require_auth: true

# Run with policy file
praisonai recipe run my-recipe --policy my-policy.yaml

# Run in prod mode
praisonai recipe run my-recipe --policy my-policy.yaml --mode prod

# Serve with policy
praisonai recipe serve --policy my-policy.yaml --mode prod

from praisonai.recipe.policy import (
    PolicyPack,
    get_default_policy,
    load_policy,
    check_tool_policy,
    PolicyDeniedError,
)

# Get default policy
policy = get_default_policy("dev")

# Load from file
policy = PolicyPack.load("my-policy.yaml")

# Create custom policy
policy = PolicyPack(
    name="my-policy",
    config={
        "tools": {
            "allow": ["web.search"],
            "deny": ["shell.exec"],
        },
        "pii": {"mode": "redact"},
    },
)

# Check tool permission
try:
    policy.check_tool("web.search", mode="prod")
    print("Tool allowed")
except PolicyDeniedError as e:
    print(f"Tool denied: {e}")

# Save policy
policy.save("output-policy.yaml")

# Merge policies
base = get_default_policy("dev")
override = PolicyPack.load("custom.yaml")
merged = base.merge(override)

# Get data policy
data_policy = policy.get_data_policy()