Policies

A policy in Tyr is a YAML document that compiles to both Cedar (for rich userspace evaluation) and BPF map entries (for kernel-level enforcement). Policies are stored server-side, versioned, and assigned to targets.

Lifecycle

flowchart TD
YAML["YAML source"] --> Compile["tyr-server compile"]
Compile --> Output["Cedar text + BPF entries"]
Output --> Versions[("policy_versions<br/>immutable, append-only")]
Versions --> Assignments[("policy_assignments")]
Assignments --> Tyrd["tyrd (hot-reloads)"]

Versions

Every tyr policy apply creates a new immutable row in policy_versions. You cannot edit a version in place. This means:

  • Full audit trail — any event can be traced back to the exact policy text that evaluated it.
  • Rollbacks are additive — tyr policy rollback N creates a new version whose YAML equals version N’s.

Assignments

Assignments bind a policy version to a target:

target_type | target_id means                | Scope
daemon      | agent UUID                     | Applies to everything that daemon sees
agent_type  | type name (cursor, autogen)    | Applies to that AI-agent class everywhere

A daemon’s effective policy is computed as:

effective = base (daemon assignment, if any)
+ merge of every agent_type overlay that applies

Example:

  • Daemon alice-laptop is assigned policy v3 (base: “allow reading project files, deny writes to /etc”).
  • Agent type cursor is assigned policy v5 (overlay: “deny reads of ~/.ssh”).
  • tyrd on Alice’s laptop sees Cursor running → loads merged effective policy for that process.
  • For a non-Cursor process, only v3 applies.

Inspect the merged result:

tyr policy effective <agent_id>

Evaluation layers

Not every rule fits in a BPF map. Tyr’s compiler routes rules to the fastest layer that can express them:

Rule type                                   | Enforced where
Path prefix deny (file_write on /etc/*)     | BPF map (kernel)
Exact binary deny (exec /bin/rm)            | BPF map (kernel)
CIDR deny (connect 10.0.0.0/8)              | BPF map (kernel)
Condition with principal + context          | Cedar (userspace)
TLS SNI match                               | Cedar (userspace)

Kernel-layer rules are fast and non-bypassable. Userspace rules receive the syscall through the ring buffer, evaluate it in Cedar, and emit the event together with the resulting verdict; when that verdict is deny, the server confirms it during drift re-evaluation.
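The base + overlay merge from the Assignments section and the layer-routing table above, modelled together in a small added Python example. This is not code from the Tyr project: the rule dictionary keys (effect, action, path_prefix, exec, cidr, condition, sni), the DENY_ALL sentinel and the sample rule sets are assumptions standing in for the real YAML schema documented elsewhere.

```python
# Toy model of Tyr's merge + layer routing; rule schema is assumed, not Tyr's.
KERNEL = "BPF map (kernel)"
USERSPACE = "Cedar (userspace)"
# Stands in for "deny everything governed by Tyr" (constructed sentinel).
DENY_ALL = {"effect": "deny", "match": "everything-governed-by-tyr"}


def route(rule: dict) -> str:
    """Fastest layer that can express the rule, per the evaluation-layer
    table: prefix/exec/CIDR denies -> kernel map; principal/context
    conditions and TLS SNI -> Cedar."""
    if "condition" in rule or "sni" in rule:
        return USERSPACE
    # Assumption: only plain denies become map entries; allows go to Cedar.
    if rule.get("effect") == "deny" and any(
        k in rule for k in ("path_prefix", "exec", "cidr")
    ):
        return KERNEL
    return USERSPACE


def effective_policy(base, overlays):
    """effective = base (daemon assignment, if any) + every applicable
    agent_type overlay.  base=None means no assignment and yields the
    deny-by-default sentinel; base=[] is an assigned empty policy."""
    if base is None and not overlays:
        return [DENY_ALL]
    merged = list(base or [])
    for overlay in overlays:
        merged.extend(overlay)
    return merged


def compile_plan(rules):
    """Group effective rules by the layer that will enforce them."""
    plan = {KERNEL: [], USERSPACE: []}
    for rule in rules:
        plan[route(rule)].append(rule)
    return plan


# Constructed sample mirroring the alice-laptop / cursor walkthrough above.
V3_BASE = [
    {"effect": "allow", "action": "file_read", "path_prefix": "/home/alice/project"},
    {"effect": "deny", "action": "file_write", "path_prefix": "/etc"},
]
V5_CURSOR_OVERLAY = [
    {"effect": "deny", "action": "file_read", "path_prefix": "/home/alice/.ssh"},
]
```

Calling compile_plan(effective_policy(V3_BASE, [V5_CURSOR_OVERLAY])) puts the two path-prefix denies in the kernel map and the allow in Cedar, while effective_policy(None, []) and effective_policy([], []) show the deny-by-default versus empty-policy distinction.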

Diffing and auditing

tyr policy list
tyr policy show 4 # yaml + compiled cedar
tyr policy diff --from 3 --to 4
tyr policy rollback 3

The UI shows the same, plus a visual diff.

Deny-by-default

If a daemon has no assignment and no overlay applies, the effective policy is deny everything governed by Tyr. This is the fail-safe default — a compromised server that pushes an empty policy set cannot silently grant access.

Do not confuse an empty policy with no policy. A policy with zero rules still compiles, and once assigned it denies nothing and alerts on nothing.