# Creating Policies

**What you'll learn:** How to create policies via the dashboard and the API, how to scope them to specific agents, and how to enable/disable them.

***

## Via the dashboard

1. Navigate to **Policies** in the sidebar at [platform.kyvvu.com](https://platform.kyvvu.com).
2. Click **Create Policy**.
3. Fill in the form:
   * **Name** — a descriptive name (e.g. "No PII to external LLMs").
   * **Rule type** — select from the available rules. The form dynamically renders parameter fields based on the rule's schema.
   * **Parameters** — configure the rule (e.g. regex patterns, step types, field names).
   * **Scope** — `agent_registration` or `step_execution`.
   * **Severity** — `low`, `medium`, `high`, or `critical`.
   * **Agent** (optional) — scope to a specific agent, or leave blank for all agents.
   * **Risk classification** (optional) — scope to agents with this classification.
4. Click **Save**.

The policy takes effect within the policy TTL window (default: 5 minutes). No agent restart required.

## Via the API

```bash
curl -X POST https://platform.kyvvu.com/api/v1/policies \
  -H "Authorization: Bearer <JWT>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "No PII to external LLMs",
    "rule_type": "pii_in_request",
    "params": {
      "patterns": ["\\d{3}-\\d{2}-\\d{4}", "\\d{4}[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}"]
    },
    "scope": "step_execution",
    "severity": "critical",
    "enabled": true
  }'
```

Response:

```json
{
  "id": 9,
  "name": "No PII to external LLMs",
  "rule_type": "pii_in_request",
  "params": {"patterns": ["\\d{3}-\\d{2}-\\d{4}", "..."]},
  "scope": "step_execution",
  "severity": "critical",
  "enabled": true,
  "agent_id": null,
  "risk_classification": null,
  "created_at": "2026-04-29T10:00:00+00:00"
}
```
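Before posting a regex-based policy like the one above, it helps to run its patterns over sample prompts and see what they flag. The following is an added example, not Kyvvu code: it assumes the rule applies each pattern as an unanchored, Python-compatible regex search (the page does not state the matching semantics), and `SAMPLES`, `TIGHTENED`, `check_patterns` and `build_policy_body` are hypothetical names with constructed data.

```python
import json
import re

# Patterns from the policy on this page, written as raw strings (single backslashes).
PATTERNS = [r"\d{3}-\d{2}-\d{4}", r"\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}"]
# Assumed variant: word boundaries stop matches inside longer digit runs.
TIGHTENED = [r"\b" + p + r"\b" for p in PATTERNS]

# Constructed samples: (text, should_be_flagged)
SAMPLES = [
    ("Customer SSN is 123-45-6789, please verify.", True),
    ("Card 4111 1111 1111 1111 was declined.", True),
    ("Card 4111-1111-1111-1111 was declined.", True),
    ("Summarise the Q3 report in three bullets.", False),
    ("Tracking number 9123-45-67890 shipped today.", False),
]


def check_patterns(patterns, samples):
    """Return (false_positives, false_negatives) as lists of sample texts."""
    compiled = [re.compile(p) for p in patterns]  # raises re.error if a pattern is invalid
    false_pos, false_neg = [], []
    for text, expected in samples:
        hit = any(rx.search(text) for rx in compiled)  # assumed: unanchored search
        if hit and not expected:
            false_pos.append(text)
        elif expected and not hit:
            false_neg.append(text)
    return false_pos, false_neg


def build_policy_body(name, patterns):
    """Serialise the request body; json.dumps doubles each backslash for JSON."""
    return json.dumps({
        "name": name,
        "rule_type": "pii_in_request",
        "params": {"patterns": patterns},
        "scope": "step_execution",
        "severity": "critical",
        "enabled": True,
    })


if __name__ == "__main__":
    print("page patterns:", check_patterns(PATTERNS, SAMPLES))
    print("tightened:    ", check_patterns(TIGHTENED, SAMPLES))
    print(build_policy_body("No PII to external LLMs", TIGHTENED))
```

With the page's patterns, the tracking-number sample is flagged because `123-45-6789` appears inside a longer digit string; at `critical` severity that kind of false positive is worth catching before the policy goes live.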

### Scoping to an agent

```json
{
  "name": "Per-task $5 LLM budget",
  "rule_type": "usage_budget",
  "params": {"step_type": "step.model", "property_path": "usage.cost_usd", "budget": 5.0},
  "scope": "step_execution",
  "severity": "high",
  "agent_id": "ag_abc123"
}
```

### Scoping to a risk classification

```json
{
  "name": "High-risk agents: working hours only",
  "rule_type": "working_hours_only",
  "params": {"start_hour": 8, "end_hour": 18, "timezone": "Europe/Amsterdam"},
  "scope": "step_execution",
  "severity": "high",
  "risk_classification": "high"
}
```

## Listing available rules

Before creating a policy, you can list all available rule types (the building blocks for policies):

```bash
curl https://platform.kyvvu.com/api/v1/policies/rules \
  -H "Authorization: Bearer <JWT>"
```

Each rule includes its description, parameter schema, and applicable scopes.

> **Note:** `kyvvu list-policies` lists your *active policies* (instantiated rules with parameters), not the available rule types. Use the API endpoint above to discover what rules you can build policies from.

## Enabling and disabling

Policies can be toggled without deletion:

```bash
curl -X PUT https://platform.kyvvu.com/api/v1/policies/9 \
  -H "Authorization: Bearer <JWT>" \
  -H "Content-Type: application/json" \
  -d '{"enabled": false}'
```

Disabled policies are skipped during evaluation. Re-enable by setting `enabled: true`.

## Deleting policies

```bash
curl -X DELETE https://platform.kyvvu.com/api/v1/policies/9 \
  -H "Authorization: Bearer <JWT>"
```

Deletion is a soft delete — the policy is marked as deleted but retained for audit purposes.

***

## Next steps

* [OWASP Default Template](/policy-authoring/owasp-default.md) — the 8 pre-built security policies
* [Compound Policies](/policy-authoring/compound.md) — combine rules with `all_of`, `any_of`, `not`
* [Built-in Rules Reference](/policy-authoring/rules-reference.md) — all 26 rules and their parameters


