Writing policies

Tyr policies are YAML documents. The server compiles them to Cedar (for expressive userspace evaluation) and BPF map entries (for kernel-level enforcement).

Minimal example

apiVersion: tyr.dev/v1
kind: Policy
metadata:
  name: my-first-policy
spec:
  rules:
    - name: block-writes-to-etc
      action: file_write
      resource_pattern: "/etc/*"
      verdict: deny
      severity: high

Apply it:

tyr policy apply -f my-policy.yaml

Schema

Top-level

Field	Type	Required	Description
`apiVersion`	string	yes	Always `tyr.dev/v1` today
`kind`	string	yes	Always `Policy`
`metadata`	object	yes	see below
`spec`	object	yes	see below

`metadata`

Field	Type	Description
`name`	string	Human identifier; shown in UI and diffs
`labels`	map<string,str>	Arbitrary labels, used for filtering
`description`	string	Free-form description

`spec.rules[]`

Each rule matches an action against a resource pattern and emits a verdict.

Field	Type	Description
`name`	string	Unique within the policy
`action`	enum	`file_read`, `file_write`, `exec`, `net_connect`, `tls_connect`
`resource_pattern`	string	Glob for `file_*`, exact binary for `exec`, `ip/cidr` for `net_connect`, SNI pattern for `tls_connect`
`verdict`	enum	`allow`, `deny`, `alert`
`severity`	enum	`low`, `medium`, `high`, `critical`
`binaries`	[]str	Optional filter — only apply when the calling binary matches
`agent_types`	[]str	Optional filter — only apply when calling agent is of this type
`condition`	cedar	Optional free-form Cedar condition for userspace evaluation

Rule ordering

Rules are evaluated top-to-bottom, first match wins within a given action.

rules:
  - name: allow-project-dir
    action: file_read
    resource_pattern: "/home/alice/project/*"
    verdict: allow
    severity: low
  - name: deny-ssh-keys
    action: file_read
    resource_pattern: "/home/*/.ssh/*"
    verdict: deny
    severity: critical
  - name: default-read
    action: file_read
    resource_pattern: "*"
    verdict: allow
    severity: low

A read of /home/alice/project/src/main.rs matches rule 1 → allow. A read of /home/alice/.ssh/id_ed25519 doesn’t match rule 1, matches rule 2 → deny.

Globs

* — any run of characters except /
** — any run including /
? — single character
[abc] — character class

Examples:

/etc/* — direct children of /etc
/etc/** — anything under /etc
/home/*/.ssh/** — SSH dirs of any user

Agent-type overlays

Overlays are policies assigned to an agent_type rather than a daemon. They’re merged on top of the base:

# base policy for all daemons
rules:
  - { name: allow-read-repo, action: file_read, resource_pattern: "/workspace/**", verdict: allow }

# overlay for agent_type = cursor
rules:
  - { name: cursor-no-dotfiles, action: file_read, resource_pattern: "*/.*", verdict: deny }

Assign both:

tyr policy assign --target-type daemon     --target-id <uuid> --version 1
tyr policy assign --target-type agent-type --target-id cursor --version 2

Cursor processes see the merged effective policy. Non-Cursor processes see only the base.

Inspect:

tyr policy effective <daemon-uuid>

Cedar conditions

For anything path-based, stick with resource_pattern — it compiles to a fast BPF trie. For richer rules, drop into Cedar:

- name: cursor-deny-prod-reads
  action: file_read
  condition: |
    principal.agent_type == "cursor" &&
    resource.path like "/prod/*" &&
    context.time_of_day in ["nights", "weekends"]
  verdict: deny
  severity: high

Cedar conditions are evaluated in userspace. They’re slower than the BPF path, so reserve them for rules you can’t express any other way. See Cedar’s policy language docs.

Versions, rollback, diff

tyr policy list                         # see all versions
tyr policy show 3                       # yaml + compiled cedar
tyr policy diff --from 2 --to 3         # unified diff
tyr policy rollback 2                   # re-apply v2 as a new version (v4)

Tips

Start in audit-only mode. Set all rules to verdict: alert first. Watch for a week. Then flip the dangerous ones to deny.
One policy per concern. Splitting file, exec, and network into different policies makes overlays cleaner.
Test in a VM first. A wrong deny rule on file_read /usr/** will brick your shell.
Check effective policy often. When overlays are layered, the actual behavior can surprise you.

→ Next: Policy YAML reference · Upgrading