Policy Model

The v0 policy effect set is:

allow
ask
deny

Policy applies to commands, filesystem reads and writes, deletion, network egress, secrets, git operations, model providers, extensions, MCP servers, webhooks, memory writes, skill installation, and workflow execution.

The authority rule is simple: the caller can ask, but Kratos decides.

Secrets follow the Harness security profile: redaction is a logging and channel concern, not a fake access barrier against an agent that already has stronger owner-granted capability.

Implemented v0 command surface:

mnemos policy check [--policy PATH] [--home PATH] -- COMMAND [ARG...]
mnemos approvals list [--home PATH]
mnemos approvals approve ID [--actor ACTOR] [--home PATH]
mnemos approvals deny ID [--actor ACTOR] [--home PATH]
mnemos extensions admit MANIFEST [--actor ACTOR] [--home PATH]

The built-in default policy is conservative:

defaults:
  shell: ask

allow:
  - command:
      argv_prefix: ["git", "status"]
  - command:
      argv_prefix: ["zig", "build", "test"]

deny:
  - command:
      argv_prefix: ["git", "push", "--force"]

Custom files may use the same command-prefix subset. The parser is intentionally not a full YAML engine yet.
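
A sketch of how the built-in policy above resolves a command, added here as an example and not taken from the Mnemos source. It assumes that argv_prefix is compared element by element, that deny rules are checked before allow rules, and that anything unmatched falls back to defaults.shell; the names DEFAULT_POLICY, has_prefix and evaluate are hypothetical.

```python
# Added illustration, not Mnemos source. Assumed semantics: argv_prefix is
# compared element by element, deny rules are checked before allow rules,
# and anything unmatched falls back to defaults.shell.
DEFAULT_POLICY = {
    "defaults": {"shell": "ask"},
    "allow": [["git", "status"], ["zig", "build", "test"]],
    "deny": [["git", "push", "--force"]],
}


def has_prefix(argv, prefix):
    """True when argv starts with every element of prefix, in order."""
    return len(argv) >= len(prefix) and list(argv[:len(prefix)]) == list(prefix)


def evaluate(argv, policy=DEFAULT_POLICY):
    """Return (effect, matched_prefix) for a command given as an argv list."""
    for effect in ("deny", "allow"):  # assumed precedence: deny wins
        for prefix in policy.get(effect, []):
            if has_prefix(argv, prefix):
                return effect, prefix
    # No rule matched: use the conservative default for shell commands.
    return policy["defaults"]["shell"], None


if __name__ == "__main__":
    samples = [  # constructed inputs
        ["git", "status", "--short"],                  # extra args after an allowed prefix
        ["git", "status-all"],                         # string prefix, not an argv prefix
        ["zig", "build", "test"],
        ["zig", "build"],                              # shorter than the allowed prefix
        ["git", "push", "--force", "origin", "main"],
        ["git", "push", "origin", "main", "--force"],  # same flag, different position
        ["git", "push", "-f"],                         # short form of the flag
    ]
    for argv in samples:
        effect, prefix = evaluate(argv)
        print(f"{effect:5}  matched={prefix}  argv={argv}")
```

Under these assumptions the last two samples resolve to ask rather than deny, because a literal prefix does not cover a reordered flag or its short form; they land in the approval queue, where the reviewer has to catch them.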

Every check emits policy.decision to the event and audit logs. ask creates a pending approval and emits approval.requested. Approval resolution emits approval.approved or approval.denied.

mnemos run create enforces command policy before spawning:

  • allow records policy.decision and proceeds to the run supervisor.
  • deny records policy.decision, blocks before run.started, and exits non-zero.
  • ask records policy.decision, creates a pending approval, blocks before run.started, and exits non-zero.

Approval resolution does not yet resume the blocked command. The operator can rerun after approval in v0.

Extension capability admission now reuses the same effect set and approval ledger:

  • low-risk read/display capabilities can be granted by the core evaluator
  • process, filesystem mutation, network, secrets, git mutation, memory writes, and tool invocation require approval
  • ambient, all-power, self-granting, or Mnemos-replacement requests are denied

Every extension grant, request, denial, and manifest admission emits event and audit records. Approval resolution does not yet resume extension execution; runtime dispatch remains a later authority slice.