Write Your First Policy
Behavry uses Open Policy Agent (OPA) with Rego policies to decide what agents can and cannot do. Every tool call is evaluated in real time.
Policy decisions
Every policy evaluation returns one of three decisions:
| Decision | Effect |
|---|---|
| Allow | Tool call is forwarded to the target server |
| Deny | Tool call is blocked; agent receives an error |
| Escalate | Tool call is held in a queue for human approval |
Policies are default deny — if no rule explicitly allows an action, it is blocked.
Your first policy
Create a file at policies/base/my-first-policy.rego:
```rego
package behavry.authz

import future.keywords.if

# Allow read and list actions for the developer role
allow if {
    input.agent.role == "developer"
    input.action.type in {"read", "list"}
}

# Deny write actions to production paths
deny if {
    input.action.type == "write"
    startswith(input.resource.path, "/prod/")
}

# Escalate file deletions
escalate if {
    input.action.type == "delete"
}
```
Activate the policy
```bash
# jq builds the JSON body so that newlines and double quotes in the
# .rego file are escaped correctly instead of breaking the JSON string.
curl -X POST http://localhost:8000/api/v1/policies \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
        --arg name "my-first-policy" \
        --arg description "Basic developer restrictions" \
        --rawfile content policies/base/my-first-policy.rego \
        '{name: $name, description: $description, content: $content}')"
```
The policy is evaluated on every tool call within seconds of activation.
Testing the policy
```bash
# This should succeed (allowed)
# curl ... your agent making a read call

# This should fail (denied)
# curl ... your agent writing to /prod/

# This should trigger escalation (visible in dashboard)
# curl ... your agent deleting a file
```
Open the dashboard → Escalations to approve or deny the escalation.
Policy input shape
Every policy receives this input object:
```json
{
  "agent": {
    "id": "agent-uuid",
    "name": "my-agent",
    "role": "developer",
    "risk_tier": "low"
  },
  "action": {
    "type": "write",
    "tool": "filesystem/write_file"
  },
  "resource": {
    "path": "/prod/config.yaml",
    "server": "filesystem"
  },
  "session": {
    "id": "session-uuid",
    "duration_seconds": 120
  },
  "requester": {
    "id": "user@company.com",
    "channel": "claude-code"
  }
}
```
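To check the three rules locally before activating the policy, here is an added OPA unit-test file (not part of the original page or of Behavry's own code; the file name, the `filesystem/read_file` tool name and the non-production paths are assumptions) that feeds inputs of the shape above into the policy and runs with `opa test policies/base/`. It also covers the case the first section describes: a write outside `/prod/` matches no rule, so default deny blocks it.

```rego
# policies/base/my-first-policy_test.rego (assumed file name)
package behavry.authz

import future.keywords.if

# Constructed input with the same shape as the "Policy input shape" section.
dev_read := {
    "agent": {"id": "agent-uuid", "name": "my-agent", "role": "developer", "risk_tier": "low"},
    "action": {"type": "read", "tool": "filesystem/read_file"},
    "resource": {"path": "/home/dev/notes.txt", "server": "filesystem"},
    "session": {"id": "session-uuid", "duration_seconds": 120},
    "requester": {"id": "user@company.com", "channel": "claude-code"}
}

# Helper: copy dev_read with selected fields replaced (RFC 6902 patch ops).
with_patch(ops) := json.patch(dev_read, ops)

test_developer_read_allowed if {
    allow with input as dev_read
}

test_other_role_not_allowed if {
    not allow with input as with_patch([{"op": "replace", "path": "/agent/role", "value": "analyst"}])
}

test_prod_write_denied if {
    prod_write := with_patch([
        {"op": "replace", "path": "/action/type", "value": "write"},
        {"op": "replace", "path": "/action/tool", "value": "filesystem/write_file"},
        {"op": "replace", "path": "/resource/path", "value": "/prod/config.yaml"}
    ])
    deny with input as prod_write
    not allow with input as prod_write
}

# No rule denies a write outside /prod/, but none allows it either,
# so the default-deny behaviour described on the page blocks it.
test_non_prod_write_falls_through_to_default_deny if {
    home_write := with_patch([
        {"op": "replace", "path": "/action/type", "value": "write"},
        {"op": "replace", "path": "/resource/path", "value": "/home/dev/notes.txt"}
    ])
    not deny with input as home_write
    not allow with input as home_write
}

test_delete_escalates if {
    escalate with input as with_patch([{"op": "replace", "path": "/action/type", "value": "delete"}])
}
```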