# Policy Packs

> Manage tool permissions, data policies, and execution modes

# Policy Packs CLI

Policy packs provide reusable, org-wide security policies for recipes.

## Quick Start

```bash
# Show default policy
praisonai recipe policy show

# Create policy template
praisonai recipe policy init -o my-policy.yaml

# Run with policy
praisonai recipe run my-recipe --policy my-policy.yaml --mode prod
```

## Commands

### policy show

Display policy configuration.

```bash
praisonai recipe policy show [policy-file] [options]
```

**Options:**

| Option   | Description        |
| -------- | ------------------ |
| `--json` | Output JSON format |

**Examples:**

```bash
# Show default policy
praisonai recipe policy show

# Show policy from file
praisonai recipe policy show my-policy.yaml

# JSON output
praisonai recipe policy show --json
```

### policy init

Create a policy template file.

```bash
praisonai recipe policy init [options]
```

**Options:**

| Option                | Description                             |
| --------------------- | --------------------------------------- |
| `-o, --output <path>` | Output file path (default: policy.yaml) |

**Examples:**

```bash
# Create default template
praisonai recipe policy init

# Custom output path
praisonai recipe policy init -o my-org-policy.yaml
```

### policy validate

Validate a policy file.

```bash
praisonai recipe policy validate <policy-file>
```

## Policy File Format

```yaml
name: my-org-policy
version: "1.0"
description: Organization-wide security policy

tools:
  allow:
    - web.search
    - db.query
    - file.read
  deny:
    - shell.exec
    - file.write
    - network.unrestricted

network:
  allow_domains:
    - api.openai.com
    - api.anthropic.com
  deny_domains:
    - localhost
    - 127.0.0.1

files:
  allow_paths:
    - /tmp
    - ./outputs
  deny_paths:
    - /etc
    - /var

pii:
  mode: redact  # allow, deny, redact
  fields:
    - email
    - phone
    - ssn

data:
  retention_days: 30
  export_allowed: true

modes:
  dev:
    allow_interactive_prompts: true
    strict_tool_enforcement: false
  prod:
    allow_interactive_prompts: false
    strict_tool_enforcement: true
    require_auth: true
```

## Using Policies

### With Recipe Run

```bash
# Run with policy file
praisonai recipe run my-recipe --policy my-policy.yaml

# Run in prod mode
praisonai recipe run my-recipe --policy my-policy.yaml --mode prod
```

### With Recipe Serve

```bash
# Serve with policy
praisonai serve recipe --policy my-policy.yaml --mode prod
```

## Default Denied Tools

These tools are denied by default:

* `shell.exec` - Shell execution
* `shell.run` - Shell commands
* `file.write` - File writing
* `file.delete` - File deletion
* `network.unrestricted` - Unrestricted network
* `db.write` - Database writes
* `db.delete` - Database deletes

## Mode Differences

### Dev Mode

* Interactive prompts allowed
* Lenient tool enforcement
* PII allowed by default

### Prod Mode

* No interactive prompts
* Strict tool enforcement
* PII redaction enabled
* Auth required for serve
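
A pre-deployment lint built from the policy file format, the default-denied tool list and the prod-mode settings described above. It is an added example, not PraisonAI's own code: `lint_policy`, `DEFAULT_DENIED`, `PROD_EXPECTED` and `WEAK_POLICY` are hypothetical names, and the policy is assumed to be already parsed into a dict.

```python
# Added example: a pre-deployment lint for a policy pack, not PraisonAI code.
# Assumption: the policy is already a dict (e.g. yaml.safe_load of policy.yaml).

# Tools the page lists as denied by default.
DEFAULT_DENIED = {
    "shell.exec", "shell.run", "file.write", "file.delete",
    "network.unrestricted", "db.write", "db.delete",
}
PII_MODES = {"allow", "deny", "redact"}
# Prod-mode settings as shown in the page's policy file format.
PROD_EXPECTED = {"allow_interactive_prompts": False,
                 "strict_tool_enforcement": True, "require_auth": True}


def lint_policy(policy):
    """Return a sorted list of findings; an empty list means nothing flagged."""
    findings = []
    tools = policy.get("tools", {})
    allow, deny = set(tools.get("allow", [])), set(tools.get("deny", []))
    for t in allow & deny:
        findings.append(f"tools: '{t}' is in both allow and deny")
    for t in allow & DEFAULT_DENIED:
        findings.append(f"tools: '{t}' is denied by default but allowed here")
    net = policy.get("network", {})
    for d in set(net.get("allow_domains", [])) & set(net.get("deny_domains", [])):
        findings.append(f"network: '{d}' is in both allow_domains and deny_domains")
    mode = policy.get("pii", {}).get("mode")
    if mode is not None and mode not in PII_MODES:
        findings.append(f"pii: mode {mode!r} is not one of allow, deny, redact")
    prod = policy.get("modes", {}).get("prod", {})
    for key, want in PROD_EXPECTED.items():
        if prod.get(key) is not want:
            findings.append(f"modes.prod: {key} should be {want}, got {prod.get(key)!r}")
    return sorted(findings)


# Constructed sample: a policy with deliberate mistakes for the lint to catch.
WEAK_POLICY = {
    "tools": {"allow": ["web.search", "shell.exec"], "deny": ["shell.exec"]},
    "network": {"allow_domains": ["api.openai.com"], "deny_domains": ["localhost"]},
    "pii": {"mode": "mask"},
    "modes": {"prod": {"allow_interactive_prompts": False,
                       "strict_tool_enforcement": False}},
}

if __name__ == "__main__":
    for finding in lint_policy(WEAK_POLICY):
        print(finding)
```
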

## Python API

```python
from praisonai.recipe.policy import (
    PolicyPack,
    get_default_policy,
    load_policy,
    check_tool_policy,
    PolicyDeniedError,
)

# Get default policy
policy = get_default_policy("dev")

# Load from file
policy = PolicyPack.load("my-policy.yaml")

# Create custom policy
policy = PolicyPack(
    name="my-policy",
    config={
        "tools": {
            "allow": ["web.search"],
            "deny": ["shell.exec"],
        },
        "pii": {"mode": "redact"},
    },
)

# Check tool permission
try:
    policy.check_tool("web.search", mode="prod")
    print("Tool allowed")
except PolicyDeniedError as e:
    print(f"Tool denied: {e}")

# Save policy
policy.save("output-policy.yaml")

# Merge policies
base = get_default_policy("dev")
override = PolicyPack.load("custom.yaml")
merged = base.merge(override)

# Get data policy
data_policy = policy.get_data_policy()
```

## Policy Precedence

1. CLI flags (highest)
2. Policy file
3. Recipe TEMPLATE.yaml
4. Default policy (lowest)

## Next Steps

* [Recipe Registry](/docs/cli/recipe-registry) - Publish and pull recipes
* [Run History](/docs/cli/recipe-runs) - Store and export runs
* [Security Features](/docs/cli/recipe-security) - SBOM, signing, auditing
