Creating Policies

What you'll learn: How to create policies via the dashboard and the API, how to scope them to specific agents, and how to enable/disable them.

Via the dashboard

Navigate to Policies in the sidebar at platform.kyvvu.com.
Click Create Policy.
Fill in the form:
- Name — a descriptive name (e.g. "No PII to external LLMs").
- Rule type — select from the available rules. The form dynamically renders parameter fields based on the rule's schema.
- Parameters — configure the rule (e.g. regex patterns, step types, field names).
- Scope — agent_registration or step_execution.
- Severity — low, medium, high, or critical.
- Agent (optional) — scope to a specific agent, or leave blank for all agents.
- Risk classification (optional) — scope to agents with this classification.
Click Save.

The policy takes effect within the policy TTL window (default: 5 minutes). No agent restart required.

Via the API

curl -X POST https://platform.kyvvu.com/api/v1/policies \
  -H "Authorization: Bearer <JWT>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "No PII to external LLMs",
    "rule_type": "pii_in_request",
    "params": {
      "patterns": ["\\d{3}-\\d{2}-\\d{4}", "\\d{4}[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}"]
    },
    "scope": "step_execution",
    "severity": "critical",
    "enabled": true
  }'

Response:

{
  "id": 9,
  "name": "No PII to external LLMs",
  "rule_type": "pii_in_request",
  "params": {"patterns": ["\\d{3}-\\d{2}-\\d{4}", "..."]},
  "scope": "step_execution",
  "severity": "critical",
  "enabled": true,
  "agent_id": null,
  "risk_classification": null,
  "created_at": "2026-04-29T10:00:00+00:00"
}

Scoping to an agent

{
  "name": "Per-task $5 LLM budget",
  "rule_type": "usage_budget",
  "params": {"step_type": "step.model", "property_path": "usage.cost_usd", "budget": 5.0},
  "scope": "step_execution",
  "severity": "high",
  "agent_id": "ag_abc123"
}

Scoping to a risk classification

{
  "name": "High-risk agents: working hours only",
  "rule_type": "working_hours_only",
  "params": {"start_hour": 8, "end_hour": 18, "timezone": "Europe/Amsterdam"},
  "scope": "step_execution",
  "severity": "high",
  "risk_classification": "high"
}

Listing available rules

Before creating a policy, you can list all available rule types (the building blocks for policies):

curl https://platform.kyvvu.com/api/v1/policies/rules \
  -H "Authorization: Bearer <JWT>"

Each rule includes its description, parameter schema, and applicable scopes.

Note: kyvvu list-policies lists your active policies (instantiated rules with parameters), not the available rule types. Use the API endpoint above to discover what rules you can build policies from.

Enabling and disabling

Policies can be toggled without deletion:

curl -X PUT https://platform.kyvvu.com/api/v1/policies/9 \
  -H "Authorization: Bearer <JWT>" \
  -H "Content-Type: application/json" \
  -d '{"enabled": false}'

Disabled policies are skipped during evaluation. Re-enable by setting enabled: true.

Deleting policies

curl -X DELETE https://platform.kyvvu.com/api/v1/policies/9 \
  -H "Authorization: Bearer <JWT>"

Deletion is a soft delete — the policy is marked as deleted but retained for audit purposes.

Next steps

OWASP Default Template — the 8 pre-built security policies
Compound Policies — combine rules with all_of, any_of, not
Built-in Rules Reference — all 26 rules and their parameters

PreviousREST API / Local Engine NextOWASP Default Template

Last updated 1 month ago