Inbound Rules Engine
Inbound Rules are a Professional / Enterprise feature.
What this is
The Inbound Rules Engine runs on every tool response before it reaches the agent. Where OPA policy decides whether an action is allowed to happen, inbound rules decide whether the content coming back from that action is allowed to land in the agent's context.
Rules are priority-ordered, composable, and evaluated top-to-bottom. The first rule that matches and carries a terminating action stops evaluation. Everything else is stacked (tag, annotate, score).
Rule types
Each rule type corresponds to a matcher module under backend/behavry/policy/inbound_rules/:
| Type | Matcher | Matches on |
|---|---|---|
injection | engine.py → inbound scanner | One of the 7 injection pattern classes |
domain | domain_list.py | URL host in an allow/deny list |
regex | regex_matcher.py | Custom regex against the response body |
semantic | semantic_matcher.py | Embedding similarity to a set of reference strings |
content_length | content_length.py | Response size over/under a threshold |
file_type | file_type.py | Detected MIME type against an allow/deny list |
rate_limit | rate_limiter.py | How often this class of response has been seen per agent / workflow |
Action types
Rules produce one of seven actions (under inbound_rules/actions/):
| Action | Effect |
|---|---|
allow | Pass through (terminating) |
block | Drop the response; return an error to the agent (terminating) |
quarantine | Store the response in the quarantine table for review; the agent receives a redacted placeholder |
redact | Mask matching segments and pass the rest through |
tag | Attach a metadata tag to the response; used by downstream rules or by the behavioral monitor |
escalate | Create a HITL escalation item; the agent waits for human decision |
score | Contribute to a rolling content-risk score on the agent/session |
Priority & evaluation
Each rule has a numeric priority (lower = earlier). On each inbound response, the engine:
- Sorts matching rules by priority
- Applies all non-terminating actions (
tag,score) in order - Stops on the first terminating action (
allow,block,quarantine,redact,escalate) - Writes one
inbound_rules.firedaudit event per rule that matched
If no rule matches, the response passes through unchanged.
Quarantine
quarantine is a terminating action that stores the full response in a separate table (inbound_quarantine) and hands the agent a short placeholder like:
[Response quarantined by rule "Block PowerShell payloads" — pending review]
Operators review quarantined items at Policies → Inbound Rules → Quarantine. Each item shows:
- Which rule fired
- The triggering content (redacted by default)
- Action buttons: release, redact & release, delete
Released items re-enter the agent's context and are re-evaluated by any subsequent rules.
Managing rules
Policies → Inbound Rules lists all rules sorted by priority. Each row has an enable/disable toggle and a one-click clone. New rules are authored through a small form (type, matcher config, action, priority).
API
Routes: backend/behavry/policy/inbound_routes.py.
| Method | Path | Purpose |
|---|---|---|
GET | /api/v1/inbound-rules | List rules |
POST | /api/v1/inbound-rules | Create a rule |
PATCH | /api/v1/inbound-rules/{id} | Update fields (priority, matcher, action, enabled) |
DELETE | /api/v1/inbound-rules/{id} | Delete a rule |
GET | /api/v1/inbound-rules/quarantine | List quarantined items |
POST | /api/v1/inbound-rules/quarantine/{id}/release | Release a quarantined response |
Related
- Content Trust Domains & Intent Drift — the detection layer inbound rules read from
- DLP Scanner — runs alongside inbound rules on outbound payloads
- Alerts & Escalations — how
escalateactions show up in the queue