Create a policy
Authorizations
Body
Create a policy + its initial main revision in one call.
Identity fields (name/description/metadata) plus the
full revision config. The initial revision is created and set active.
1 - 255

How a policy decides whether content/state violates it.
expression: a PolicyExprEvaluator boolean over turn state.
llm_judge: a secondary LLM (via model_router) judges against guardrail_text.
Available options: expression, llm_judge

Where in a turn a policy's check fires (v2: one point per policy).
agent_response is the single author-facing reply point — the v1
response (per-streamed-unit) + post_response (complete reply) split is
an internal runtime detail now, selected by the platform-derived enforcement
strategy (buffer-and-gate vs per-unit), not an authored distinction.
Available options: input, pre_tool, post_tool, agent_response

What happens when a check fails.
block: emit a canned safe message, raise PolicyViolationError, short-circuit.
redact: deterministic regex/truncate (NO LLM rewrite).
append: append a disclaimer.
require_approval: route through the HITL approval seam (pre_tool only).
handoff: hand off via HandoffService(source="policy").
The v1 monitor action is gone — observe-only is the monitor mode now.
Available options: block, redact, append, require_approval, handoff

Who the policy applies to.
organization policies auto-apply to every assistant in the org (NOT listed
in an assistant's policy_refs). attachable policies apply only where an
assistant revision opts in via policy_refs.
Available options: organization, attachable

The author's INTENT dial — act vs observe. Channel-independent.
enforce: the policy acts on a violation (block / redact / append / require_approval / handoff) per the platform-derived strategy.
monitor: shadow/canary — the check runs and records would_be_action but never affects the turn. The safe-rollout default.
The TRANSPORT property v2 conflated into enforcement_mode (buffer-and-gate
vs best-effort) is now platform-derived from transport_class at runtime
(src.policy.resolution.resolve_strategy), never authored. New-policy
default selection is monitor (shadow-first; set at the schema layer).
Available options: enforce, monitor

What to do when a check errors/times out.
Action-derived default (v2): block action → fail_closed; else fail_open.
Available options: fail_open, fail_closed

x >= 1

The streaming latency/guarantee dial (renamed from the v2 severity).
strict: always enforce before the user sees anything. On a STREAMING transport this holds/buffers (or incrementally gates), accepting brief added latency; on a BLOCKING transport gating is free.
relaxed: enforce without slowing the conversation — best-effort on streaming transports (content may stream while the check runs), but still a FULL gate on blocking transports (gating is free there). relaxed never means "off".
Configurable only at input·llm_judge and agent_response·expression; forced
(and hidden in the UI) elsewhere. New-policy default is relaxed.
Available options: strict, relaxed

Response
Successful Response
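
The Body rules above (require_approval only at pre_tool, the action-derived error default, where the strict/relaxed dial is configurable, and what relaxed means per transport) can be checked before a policy is submitted. This is an added example, not the platform's code: the dict keys (evaluator, point, action, scope, mode, on_error, dial) and the transport labels "streaming"/"blocking" are hypothetical names; only the option values and the rules come from this page.

```python
# Added example. Dict keys and transport labels are hypothetical names;
# only the option values and the rules they encode come from the page.
DIAL_CONFIGURABLE = {("input", "llm_judge"), ("agent_response", "expression")}

def default_fail_mode(action):
    """Action-derived default: block -> fail_closed, anything else -> fail_open."""
    return "fail_closed" if action == "block" else "fail_open"

def gates_before_user(mode, dial, transport):
    """True when a violation is acted on before the user sees any content."""
    if mode == "monitor":          # records would_be_action, never affects the turn
        return False
    if transport == "blocking":    # gating is free, so strict and relaxed both gate
        return True
    return dial == "strict"        # streaming: relaxed is best-effort, not a full gate

def lint_policy(p):
    """Return findings for one authored policy (a dict with hypothetical keys)."""
    findings = []
    if p["action"] == "require_approval" and p["point"] != "pre_tool":
        findings.append("require_approval is pre_tool only")
    if "dial" in p and (p["point"], p["evaluator"]) not in DIAL_CONFIGURABLE:
        findings.append("dial is not configurable at this point/evaluator")
    on_error = p.get("on_error", default_fail_mode(p["action"]))
    if p["action"] == "block" and on_error == "fail_open":
        findings.append("block policy fails open on check error/timeout")
    if p["scope"] == "organization" and p.get("mode", "monitor") == "enforce":
        findings.append("enforce at organization scope acts on every assistant")
    return findings

# Constructed sample policies.
PII_BLOCK = {"evaluator": "expression", "point": "agent_response", "action": "block",
             "scope": "organization", "mode": "enforce", "on_error": "fail_open",
             "dial": "relaxed"}
TOOL_GATE = {"evaluator": "llm_judge", "point": "post_tool", "action": "require_approval",
             "scope": "attachable", "dial": "strict"}

if __name__ == "__main__":
    for name, pol in (("PII_BLOCK", PII_BLOCK), ("TOOL_GATE", TOOL_GATE)):
        print(name, lint_policy(pol))
    print("relaxed+streaming gates:", gates_before_user("enforce", "relaxed", "streaming"))
```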