@@ -165,6 +165,93 @@ provider/source posture and SecretRef metadata, never raw secret values. Policy
165165does not read or attest per-agent credential stores such as `auth-profiles.json`;
166166those stores remain owned by the existing auth and credential flows.
167167168+### Policy rule reference
169+170+Each policy field below is optional. A check runs only when the matching rule is
171+present in `policy.jsonc`. The observed state is existing OpenClaw config or
172+workspace metadata; policy reports drift but does not rewrite runtime behavior
173+unless a repair path is explicitly available and enabled.
174+175+#### Channels
176+177+| Policy field | Observed state | Use when |
178+| ------------------------------------ | --------------------------------------- | ------------------------------------------------------------ |
179+| `channels.denyRules[].when.provider` | `channels.*` provider and enabled state | Deny configured channels from a provider such as `telegram`. |
180+| `channels.denyRules[].reason` | Finding message and repair hint context | Explain why the provider is denied. |
181+182+#### MCP servers
183+184+| Policy field | Observed state | Use when |
185+| ------------------- | ------------------- | ---------------------------------------------------------- |
186+| `mcp.servers.allow` | `mcp.servers.*` ids | Require every configured MCP server to be in an allowlist. |
187+| `mcp.servers.deny` | `mcp.servers.*` ids | Deny specific configured MCP server ids. |
188+189+#### Model providers
190+191+| Policy field | Observed state | Use when |
192+| ------------------------ | ------------------------------------------------ | ------------------------------------------------------------------------------- |
193+| `models.providers.allow` | `models.providers.*` ids and selected model refs | Require configured providers and selected model refs to use approved providers. |
194+| `models.providers.deny` | `models.providers.*` ids and selected model refs | Deny configured providers and selected model refs by provider id. |
195+196+#### Network
197+198+| Policy field | Observed state | Use when |
199+| ------------------------------ | ----------------------------------- | ------------------------------------------------------------------ |
200+| `network.privateNetwork.allow` | Private-network SSRF escape hatches | Set to `false` to require private-network access to stay disabled. |
201+202+#### Gateway
203+204+| Policy field | Observed state | Use when |
205+| --------------------------------------- | ---------------------------------------------- | ------------------------------------------------------------ |
206+| `gateway.exposure.allowNonLoopbackBind` | `gateway.bind` | Set to `false` to require loopback Gateway binding. |
207+| `gateway.exposure.allowTailscaleFunnel` | Tailscale serve/funnel Gateway posture | Set to `false` to deny Tailscale Funnel exposure. |
208+| `gateway.auth.requireAuth` | `gateway.auth.mode` | Set to `true` to reject disabled Gateway auth. |
209+| `gateway.auth.requireExplicitRateLimit` | `gateway.auth.rateLimit` | Set to `true` to require explicit auth rate-limit config. |
210+| `gateway.controlUi.allowInsecure` | Control UI insecure auth/device/origin toggles | Set to `false` to deny insecure Control UI exposure toggles. |
211+| `gateway.remote.allow` | Remote Gateway mode/config | Set to `false` to deny remote Gateway mode. |
212+| `gateway.http.denyEndpoints` | Gateway HTTP API endpoints | Deny endpoint ids such as `chatCompletions` or `responses`. |
213+| `gateway.http.requireUrlAllowlists` | Gateway HTTP URL-fetch inputs | Set to `true` to require URL allowlists on URL-fetch inputs. |
214+215+#### Agent workspace
216+217+| Policy field | Observed state | Use when |
218+| -------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
219+| `agents.workspace.allowedAccess` | `agents.defaults.sandbox.workspaceAccess` and `agents.list[].sandbox.workspaceAccess` | Allow only sandbox workspace access values such as `none` or `ro`. |
220+| `agents.workspace.denyTools` | Global and per-agent tool deny config | Require workspace/runtime mutation tools such as `exec`, `process`, `write`, `edit`, or `apply_patch` to be denied. |
221+222+#### Secrets
223+224+| Policy field | Observed state | Use when |
225+| --------------------------------- | -------------------------------------------------------- | ----------------------------------------------------------------------- |
226+| `secrets.requireManagedProviders` | Config SecretRefs and `secrets.providers.*` declarations | Set to `true` to require SecretRefs to point at declared providers. |
227+| `secrets.denySources` | Secret provider sources and SecretRef sources | Deny sources such as `exec`, `file`, or another configured source name. |
228+| `secrets.allowInsecureProviders` | Insecure secret-provider posture flags | Set to `false` to reject providers that opt into insecure posture. |
229+230+#### Auth profiles
231+232+| Policy field | Observed state | Use when |
233+| ------------------------------- | -------------------------------------------- | ------------------------------------------------------------------------------------------ |
234+| `auth.profiles.requireMetadata` | `auth.profiles.*` provider and mode metadata | Require metadata keys such as `provider` and `mode` on config auth profiles. |
235+| `auth.profiles.allowModes` | `auth.profiles.*.mode` | Allow only supported auth profile modes such as `api_key`, `aws-sdk`, `oauth`, or `token`. |
236+237+#### Tool metadata
238+239+| Policy field | Observed state | Use when |
240+| ----------------------- | -------------------------------- | ------------------------------------------------------------------------------------------ |
241+| `tools.requireMetadata` | Governed `TOOLS.md` declarations | Require governed tools to declare metadata keys such as `risk`, `sensitivity`, or `owner`. |
242+243+#### Tool posture
244+245+| Policy field | Observed state | Use when |
246+| ------------------------------- | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
247+| `tools.profiles.allow` | `tools.profile` and `agents.list[].tools.profile` | Allow only tool profile ids such as `minimal`, `messaging`, or `coding`. |
248+| `tools.fs.requireWorkspaceOnly` | `tools.fs.workspaceOnly` and per-agent `tools.fs` overrides | Set to `true` to require workspace-only filesystem tool posture. |
249+| `tools.exec.allowSecurity` | `tools.exec.security` and per-agent exec security | Allow only exec security modes such as `deny` or `allowlist`. |
250+| `tools.exec.requireAsk` | `tools.exec.ask` and per-agent exec ask mode | Require approval posture such as `always`. |
251+| `tools.exec.allowHosts` | `tools.exec.host` and per-agent exec host routing | Allow only exec host routing modes such as `sandbox`. |
252+| `tools.elevated.allow` | `tools.elevated.enabled` and per-agent elevated posture | Set to `false` to require elevated tool mode to stay disabled. |
253+| `tools.denyTools` | `tools.deny` and `agents.list[].tools.deny` | Require configured tool deny lists to include tool ids or groups such as `group:runtime` and `group:fs`. |
254+168255Run policy-only checks during authoring:
169256170257```bash
此內容由慣性聚合(RSS閱讀器)自動聚合整理,僅供閱讀參考。 原文來自 — 版權歸原作者所有。