


























@@ -0,0 +1,205 @@
1+---
2+summary: "Per-agent Policy plugin overlays layered on top of global policy rules."
3+read_when:
4+ - You are designing per-agent policy requirements
5+ - You need to distinguish tool posture policy from workspace policy
6+ - You are configuring stricter policy for one named agent
7+title: "Agent-scoped policy overlays"
8+---
9+10+# Agent-scoped policy overlays
11+12+OpenClaw policy supports global requirements and stricter requirements for
13+explicit runtime agent ids. Some deployments need one agent to use a tighter
14+workspace and tool posture than other agents, but deployment-wide rules should
15+not force every agent to use the same posture.
16+17+This page describes the agent-scoped overlay model. The field reference remains
18+[`openclaw policy`](/cli/policy).
19+20+## Design goals
21+22+- Keep global policy as the deployment baseline.
23+- Let a named agent add stricter requirements without weakening global rules.
24+- Reuse existing policy section shapes where the evidence can be attributed to
25+ an agent.
26+- Avoid making `agents.workspace` a second tool-permission system.
27+- Leave global-only checks global until their evidence can be mapped to an
28+ agent.
29+30+## Shape
31+32+Use `scopes.<scopeName>` for purpose-named agent policy scopes. Each
33+scope lists the runtime `agentIds` it applies to, then reuses the normal
34+top-level policy section grammar where the section evidence can be attributed to
35+those agents. The initial shipped scoped sections are `tools` and
36+`agents.workspace`; sandbox and ingress stay out of this PR and can join the
37+same container once those policy PRs land and their evidence carries agent
38+identity. The scoped field inventory is backed by policy rule metadata that
39+records each field's strictness semantics for later policy-file conformance.
40+41+```jsonc
42+{
43+"tools": {
44+"denyTools": ["process"],
45+ },
46+"agents": {
47+"workspace": {
48+"allowedAccess": ["none", "ro"],
49+ },
50+ },
51+"scopes": {
52+"release-agent-lockdown": {
53+"agentIds": ["release-agent"],
54+"agents": {
55+"workspace": {
56+"allowedAccess": ["none", "ro"],
57+ },
58+ },
59+"tools": {
60+"profiles": { "allow": ["minimal", "messaging"] },
61+"fs": { "requireWorkspaceOnly": true },
62+"exec": {
63+"allowSecurity": ["deny", "allowlist"],
64+"requireAsk": ["always"],
65+"allowHosts": ["sandbox"],
66+ },
67+"elevated": { "allow": false },
68+"alsoAllow": { "expected": ["message", "read"] },
69+"denyTools": ["exec", "process", "write", "edit", "apply_patch"],
70+ },
71+ },
72+ },
73+}
74+```
75+76+`agents.workspace` remains the existing all-agent workspace baseline.
77+`scopes.<scopeName>` is a scoped overlay, not a replacement for global
78+policy. The scope name is descriptive only; matching uses `agentIds`, not
79+display names. It deliberately contains normal section names instead of a
80+bespoke per-agent mini-grammar.
81+Every scope present in `policy.jsonc` must be valid and enforceable. In this
82+PR, the only supported selector is `agentIds`, and it supports only `tools.*`
83+and `agents.workspace.*`.
84+85+## Layering semantics
86+87+Policy evaluation is additive:
88+89+1. Top-level policy applies to all matching evidence.
90+2. Existing `agents.workspace` applies to defaults and every listed agent.
91+3. `scopes.<scopeName>` applies to evidence for each normalized runtime
92+ id in `agentIds`.
93+4. Multiple scope blocks may target the same agent when they govern
94+ different fields, or when a later value for the same field is equally or
95+ more restrictive according to policy metadata.
96+5. A named-agent overlay can tighten policy, but it cannot make a global
97+ violation acceptable.
98+99+If both global and agent-scoped rules fail, findings should point at the rule
100+that was violated:
101+102+```text
103+oc://policy.jsonc/tools/denyTools
104+oc://policy.jsonc/scopes/release-agent-lockdown/tools/denyTools
105+oc://policy.jsonc/scopes/release-agent-lockdown/agents/workspace/allowedAccess
106+```
107+108+That keeps broad tool posture, named-agent tool posture, and workspace posture
109+auditable as separate requirements even when they observe the same config
110+fields.
111+112+Exact-list claims such as `tools.alsoAllow.expected` compare the configured list
113+to the expected list and report both missing expected entries and unexpected
114+extra entries. This is intended for additive posture such as `alsoAllow`, where
115+one extra entry can widen an agent beyond its reviewed role.
116+117+## Policy and config layering
118+119+The overlay model separates where policy is authored from where OpenClaw config
120+is observed:
121+122+| Policy scope | Observed config | Applies to | Example result |
123+| --------------------------------------- | ---------------------------------------------------- | --------------------------------- | ----------------------------------------------------------------------------- |
124+| Top-level `tools.*` | Global `tools.*` and inherited agent tool posture | All agents using matching posture | Deny `gateway` exec host for every agent unless the global policy allows it. |
125+| Top-level `tools.*` | `agents.list[].tools.*` overrides | Any agent with an override | Flag one agent that overrides `tools.exec.host` to an unapproved value. |
126+| `scopes.<scopeName>.tools.*` | Matching `agents.list[]` entry and inherited posture | Only that named agent | Let most agents use `node` exec host while one agent must use only `sandbox`. |
127+| `agents.workspace` | Defaults and every listed agent workspace posture | Defaults and all listed agents | Require every agent workspace access to be `none` or `ro`. |
128+| `scopes.<scopeName>.agents.workspace.*` | Matching `agents.list[]` workspace posture | Only that named agent | Require one agent to be read-only without requiring the same for `main`. |
129+130+Per-agent overlays are additive. A named-agent rule can be stricter than the
131+top-level rule, but it cannot make a global violation acceptable. For allow-list
132+rules, the effective allowed set is the intersection of the global rule and the
133+named-agent overlay when both are present.
134+135+For example, if top-level `tools.exec.allowHosts` permits `["sandbox", "node"]`
136+and `scopes.release-agent-lockdown.tools.exec.allowHosts` permits only
137+`["sandbox"]`, `release-agent` fails when its effective exec host is `node`;
138+another agent can still pass
139+with `node`.
140+141+## Tool posture versus workspace posture
142+143+Tool posture belongs under `tools` because it describes what tool behavior a
144+configuration may expose. The existing `tools.*` policy observes both global
145+`tools.*` config and per-agent `agents.list[].tools.*` overrides.
146+147+Workspace posture belongs under `workspace` because it describes sandbox mode
148+and workspace access. The workspace section should not grow into a general tool
149+policy namespace. If one agent needs stricter tool restrictions to make its
150+workspace posture meaningful, put those restrictions in the same agent overlay
151+under `scopes.<scopeName>.tools`.
152+153+For a restricted release agent, the intended split is:
154+155+```jsonc
156+{
157+"scopes": {
158+"release-agent-lockdown": {
159+"agentIds": ["release-agent"],
160+"agents": {
161+"workspace": { "allowedAccess": ["none", "ro"] },
162+ },
163+"tools": {
164+"denyTools": ["exec", "process", "write", "edit", "apply_patch"],
165+ },
166+ },
167+ },
168+}
169+```
170+171+## Section eligibility
172+173+An agent-scoped section should be added only when policy evidence carries an
174+agent id or can be attributed to one without guessing.
175+176+| Section | Initial agent-scoped status | Reason |
177+| ----------- | --------------------------- | ------------------------------------------------------------------------ |
178+| `workspace` | Include | Agent sandbox/workspace evidence already has agent identity. |
179+| `tools` | Include | Tool posture evidence includes global and per-agent tool config. |
180+| `sandbox` | Pipeline follow-up | Keep out until the sandbox posture PR lands and evidence can be scoped. |
181+| `ingress` | Pipeline follow-up | Keep out until ingress/channel posture lands with agent attribution. |
182+| `models` | Include when mapped | Selected model refs can be agent-specific. |
183+| `mcp` | Include when mapped | Use only when MCP server evidence is attributable to an agent. |
184+| `auth` | Defer | Auth profile metadata is a config catalog unless agent binding is clear. |
185+| `channels` | Defer | Channel provider posture is deployment-level until routing is scoped. |
186+| `gateway` | Keep global | Gateway exposure/auth/http posture is process-level. |
187+| `network` | Keep global | Private-network SSRF posture is runtime-level. |
188+| `secrets` | Keep global first | Secret provider posture is shared unless refs are agent-attributed. |
189+190+## Compatibility
191+192+The implementation is additive:
193+194+- keep all existing top-level policy fields valid;
195+- keep `agents.workspace` semantics unchanged;
196+- validate `scopes` before evaluating scoped rules;
197+- reject unsupported scoped sections clearly until their evidence and policy
198+ contracts are implemented;
199+- do not reinterpret top-level `tools.requireMetadata` as agent-scoped, because
200+ tool metadata describes the declared workspace tool catalog;
201+- include agent-scoped evidence in the attestation hash when any scoped rule is
202+ present.
203+204+This lets broad tool posture remain a top-level policy contract while named
205+agents add stricter observable claims without weakening the global baseline.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。