Policy YAML
Policies are YAML documents following the schema below. Also see the authoring guide: Writing policies.
Root
```yaml
apiVersion: tyr.dev/v1   # required, currently v1
kind: Policy             # required
metadata:                # required
  name: string           # required
  labels: { key: value } # optional
  description: string    # optional
spec:                    # required
  rules:                 # required (may be empty)
    - <rule>
```
Rule
```yaml
- name: string             # required, unique within the policy
  action: enum             # required — see below
  resource_pattern: string # optional (required for file_*, exec)
  verdict: enum            # required — allow | deny | alert
  severity: enum           # optional, default low — low | medium | high | critical
  binaries: [string]       # optional — only match when calling binary path matches
  agent_types: [string]    # optional — only match when AI agent type matches
  cidr_allow: [string]     # optional — used with net_connect
  cidr_deny: [string]      # optional — used with net_connect
  sni_pattern: string      # optional — used with tls_connect
  condition: string        # optional — Cedar expression evaluated in userspace
```
Actions
| action | Governs | Compiles to |
|---|---|---|
| file_read | open(), openat() with read flag | BPF map (path prefix) |
| file_write | open(), openat() with write/create | BPF map (path prefix) |
| exec | execve() | BPF map (exact binary) |
| net_connect | connect() syscall | BPF map (LPM CIDR) |
| tls_connect | Outbound TLS handshake (requires --tls-capture) | Cedar (SNI match) |
resource_pattern
Glob with *, **, ?, [abc]. Examples:
- `/etc/*` — direct children of /etc
- `/home/*/.ssh/**` — any user's SSH contents
- `/bin/rm` (for exec) — exact path
For net_connect, use cidr_allow/cidr_deny instead of resource_pattern.
For tls_connect, use sni_pattern — supports * wildcard (*.openai.com) and | alternation (*.openai.com|*.anthropic.com).
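The three glob examples above, the net/TLS split, and the `|` alternation rule are easier to reason about with a matcher you can run against candidate paths and server names. The following is an added example, not tyr's own BPF or Cedar matcher, and it encodes three assumptions the page does not spell out: a single `*` or `?` does not cross `/` (which is the only way `/etc/*` can mean direct children of /etc), a bare `*` is a catch-all (the complete example below uses `resource_pattern: "*"` to deny every other exec), and an `sni_pattern` is anchored to the whole server name and compared case-insensitively. Confirm these against tyr before relying on them in a deny rule.

```python
import re

# Added example: a reference matcher for resource_pattern and sni_pattern as
# this page describes them. It is not tyr's BPF/Cedar matcher, and the
# assumptions marked below are mine, not documented tyr behaviour.


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a resource_pattern glob (*, **, ?, [abc]) into an anchored regex.

    Assumptions: '*' and '?' do not cross '/', which is what makes "/etc/*"
    match only direct children of /etc; '**' may cross '/'; a bare "*" is a
    catch-all, because the complete example uses resource_pattern: "*" to deny
    every other exec. An unterminated '[' is treated as a literal.
    """
    if pattern == "*":
        return re.compile(r"^.*$")
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*" and pattern[i + 1 : i + 2] == "*":
            out.append(".*")          # ** spans directory separators
            i += 1                    # consume the second '*'
        elif c == "*":
            out.append("[^/]*")       # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                out.append(re.escape(c))
            else:
                out.append("[" + pattern[i + 1 : j] + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def resource_matches(pattern: str, path: str) -> bool:
    return glob_to_regex(pattern).match(path) is not None


def sni_matches(pattern: str, sni: str) -> bool:
    """Match a tls_connect sni_pattern: '|' separates alternatives and '*'
    matches any run of characters. Assumption: anchored and case-insensitive,
    so "*.openai.com" rejects "api.openai.com.attacker.example" and also the
    bare apex "openai.com" (no leading dot to match)."""
    for alt in pattern.split("|"):
        rx = "^" + ".*".join(re.escape(piece) for piece in alt.split("*")) + "$"
        if re.match(rx, sni, re.IGNORECASE):
            return True
    return False


# Constructed sample paths and server names (not tyr output): (pattern, input, expected).
PATH_CASES = [
    ("/etc/*", "/etc/passwd", True),
    ("/etc/*", "/etc/ssl/cert.pem", False),           # not a direct child
    ("/home/*/.ssh/**", "/home/alice/.ssh/id_ed25519", True),
    ("/home/*/.ssh/**", "/home/alice/.ssh/keys/deploy", True),
    ("/home/*/.ssh/**", "/home/alice/.bashrc", False),
    ("/bin/rm", "/bin/rm", True),
    ("/bin/rm", "/bin/rmdir", False),                 # exact path for exec
    ("/dev/tty?", "/dev/tty1", True),
    ("/dev/tty?", "/dev/tty10", False),
    ("/usr/bin/python3.[0-9]*", "/usr/bin/python3.12", True),
    ("*", "/usr/bin/curl", True),                     # catch-all (assumption)
]
SNI_CASES = [
    ("*.openai.com|*.anthropic.com", "api.openai.com", True),
    ("*.openai.com|*.anthropic.com", "API.Anthropic.COM", True),
    ("*.openai.com|*.anthropic.com", "api.openai.com.attacker.example", False),
    ("*.openai.com", "openai.com", False),
    ("*.openai.com", "x.y.openai.com", True),         # any subdomain depth
]


def run_cases():
    """Return the cases that do not behave as expected (empty list = all pass)."""
    failures = []
    for pattern, path, expected in PATH_CASES:
        if resource_matches(pattern, path) != expected:
            failures.append(("resource", pattern, path))
    for pattern, sni, expected in SNI_CASES:
        if sni_matches(pattern, sni) != expected:
            failures.append(("sni", pattern, sni))
    return failures


if __name__ == "__main__":
    print("failures:", run_cases())
```

Two of the cases are worth dwelling on when you write deny rules: `/home/*/.ssh/**` does not cover `/home/a/b/.ssh/...` because the single `*` stops at `/`, and `*.openai.com` matches any subdomain depth but never the apex name, so a provider that serves its API from the apex needs a second alternative.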
verdict
| Value | Action on match |
|---|---|
| allow | Syscall proceeds, ALLOW event emitted |
| deny | Syscall returns EPERM, DENY event |
| alert | Syscall proceeds, ALERT event |
severity
Metadata only — used for filtering and alerting. No effect on enforcement.
binaries filter
Restrict the rule to specific calling binaries:
```yaml
- name: only-my-agent-reads-config
  action: file_read
  resource_pattern: "/etc/myapp/*"
  binaries: ["/usr/local/bin/myagent"]
  verdict: allow
```
agent_types filter
Restrict to specific AI agent classes. Matches the discovered_agent’s classification:
```yaml
- name: cursor-no-secrets
  action: file_read
  resource_pattern: "/home/*/.ssh/**"
  agent_types: ["cursor"]
  verdict: deny
  severity: critical
```
condition (Cedar)
For rules that can’t be expressed with the fields above, drop into Cedar:
```yaml
- name: business-hours-only
  action: exec
  condition: |
    context.time_of_day in ["night", "weekend"] && principal.agent_type == "autogen"
  verdict: deny
```
Cedar conditions evaluate in userspace — slower than BPF but expressive.
Complete example
```yaml
apiVersion: tyr.dev/v1
kind: Policy
metadata:
  name: production-ai-agents
  description: Strict policy for autonomous LLM workers in prod
  labels:
    env: production
    owner: platform-team
spec:
  rules:
    # Credentials — never
    - name: deny-aws-credentials
      action: file_read
      resource_pattern: "/home/*/.aws/credentials"
      verdict: deny
      severity: critical

    - name: deny-ssh-keys
      action: file_read
      resource_pattern: "/home/*/.ssh/**"
      verdict: deny
      severity: critical

    # Exec — only allow specific binaries
    - name: allow-git
      action: exec
      resource_pattern: "/usr/bin/git"
      verdict: allow
      severity: low

    - name: deny-all-other-exec
      action: exec
      resource_pattern: "*"
      verdict: deny
      severity: high

    # Network — only known LLM providers
    - name: allow-openai
      action: tls_connect
      sni_pattern: "*.openai.com"
      verdict: allow
      severity: low

    - name: allow-anthropic
      action: tls_connect
      sni_pattern: "*.anthropic.com"
      verdict: allow
      severity: low

    - name: deny-other-tls
      action: tls_connect
      verdict: deny
      severity: high
```
Validation
```sh
tyr policy apply -f my-policy.yaml --dry-run   # validate without creating a version (roadmap)
tyr policy apply -f my-policy.yaml             # validates, then creates a version
```
Invalid YAML or unknown fields return a 400 with a detailed error. Note that `--dry-run` is still on the roadmap: today `apply` is the only validation path, and a policy that passes validation always creates a new version.
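Because `--dry-run` is not yet available, it is worth having an offline check that enforces the schema from the Root, Rule, Actions, verdict and severity sections before a policy reaches `tyr policy apply` and consumes a version. The block below is an added example, not tyr's validator: its error messages are my own wording, the "unknown field" check mirrors the 400 behaviour described above, and the CIDR check uses the standard `ipaddress` module because a `net_connect` rule compiles to an LPM map and so needs a real prefix. One caveat: the `business-hours-only` rule in the condition section has `action: exec` with no `resource_pattern`, which the Rule schema marks as required; this check follows the schema, so if tyr accepts that rule, relax the check rather than the policy.

```python
import ipaddress

# Added example: an offline pre-check for the schema on this page. It is not
# tyr's validator; messages are mine, and tyr's 400 response is authoritative.

API_VERSION = "tyr.dev/v1"
ACTIONS = {"file_read", "file_write", "exec", "net_connect", "tls_connect"}
VERDICTS = {"allow", "deny", "alert"}
SEVERITIES = {"low", "medium", "high", "critical"}
ROOT_KEYS = {"apiVersion", "kind", "metadata", "spec"}
METADATA_KEYS = {"name", "labels", "description"}
RULE_KEYS = {"name", "action", "resource_pattern", "verdict", "severity", "binaries",
             "agent_types", "cidr_allow", "cidr_deny", "sni_pattern", "condition"}
LIST_KEYS = ("binaries", "agent_types", "cidr_allow", "cidr_deny")
PATTERN_ACTIONS = {"file_read", "file_write", "exec"}   # resource_pattern required


def _unknown(obj, allowed, where, errors):
    # Unknown fields are rejected server-side (400), so lint them up front.
    for key in sorted(set(obj) - allowed):
        errors.append(f"{where}: unknown field '{key}'")


def _is_str_list(val):
    return isinstance(val, list) and all(isinstance(v, str) for v in val)


def validate_rule(rule, index, seen, errors):
    where = f"spec.rules[{index}]"
    if not isinstance(rule, dict):
        errors.append(f"{where}: rule must be a mapping")
        return
    _unknown(rule, RULE_KEYS, where, errors)
    name, action = rule.get("name"), rule.get("action")
    if not isinstance(name, str) or not name:
        errors.append(f"{where}: name is required")
    elif name in seen:
        errors.append(f"{where}: duplicate rule name '{name}'")
    seen.add(name)
    if action not in ACTIONS:
        errors.append(f"{where}: action must be one of {sorted(ACTIONS)}")
    if rule.get("verdict") not in VERDICTS:
        errors.append(f"{where}: verdict must be one of {sorted(VERDICTS)}")
    if rule.get("severity", "low") not in SEVERITIES:      # default is low
        errors.append(f"{where}: severity must be one of {sorted(SEVERITIES)}")
    if action in PATTERN_ACTIONS and not isinstance(rule.get("resource_pattern"), str):
        errors.append(f"{where}: resource_pattern is required for {action}")
    if action in {"net_connect", "tls_connect"} and "resource_pattern" in rule:
        errors.append(f"{where}: {action} uses cidr_*/sni_pattern, not resource_pattern")
    for key in LIST_KEYS:
        if key in rule and not _is_str_list(rule[key]):
            errors.append(f"{where}: {key} must be a list of strings")
    for key in ("cidr_allow", "cidr_deny"):
        if key in rule and action != "net_connect":
            errors.append(f"{where}: {key} is only used with net_connect")
        entries = rule.get(key, [])
        for cidr in entries if _is_str_list(entries) else []:
            try:
                ipaddress.ip_network(cidr, strict=False)   # LPM map needs a real prefix
            except ValueError:
                errors.append(f"{where}: {key} entry '{cidr}' is not a valid CIDR")
    if "sni_pattern" in rule and action != "tls_connect":  # optional even for tls_connect
        errors.append(f"{where}: sni_pattern is only used with tls_connect")
    if "condition" in rule and not isinstance(rule["condition"], str):
        errors.append(f"{where}: condition must be a Cedar expression string")


def validate_policy(doc):
    """Return a list of problems; an empty list means the document fits the schema."""
    if not isinstance(doc, dict):
        return ["policy must be a mapping"]
    errors = []
    _unknown(doc, ROOT_KEYS, "root", errors)
    if doc.get("apiVersion") != API_VERSION:
        errors.append(f"apiVersion must be '{API_VERSION}'")
    if doc.get("kind") != "Policy":
        errors.append("kind must be 'Policy'")
    meta = doc.get("metadata")
    if not isinstance(meta, dict):
        errors.append("metadata is required")
    else:
        _unknown(meta, METADATA_KEYS, "metadata", errors)
        if not isinstance(meta.get("name"), str) or not meta["name"]:
            errors.append("metadata.name is required")
    spec = doc.get("spec")
    if not isinstance(spec, dict):
        errors.append("spec is required")
    elif not isinstance(spec.get("rules"), list):
        errors.append("spec.rules is required (an empty list is allowed)")
    else:
        _unknown(spec, {"rules"}, "spec", errors)
        seen = set()
        for i, rule in enumerate(spec["rules"]):
            validate_rule(rule, i, seen, errors)
    return errors


# The page's complete example as yaml.safe_load would load it (trimmed to five rules).
GOOD_POLICY = {
    "apiVersion": "tyr.dev/v1", "kind": "Policy",
    "metadata": {"name": "production-ai-agents", "labels": {"env": "production", "owner": "platform-team"},
                 "description": "Strict policy for autonomous LLM workers in prod"},
    "spec": {"rules": [
        {"name": "deny-ssh-keys", "action": "file_read", "resource_pattern": "/home/*/.ssh/**",
         "verdict": "deny", "severity": "critical"},
        {"name": "allow-git", "action": "exec", "resource_pattern": "/usr/bin/git", "verdict": "allow"},
        {"name": "deny-all-other-exec", "action": "exec", "resource_pattern": "*", "verdict": "deny"},
        {"name": "allow-openai", "action": "tls_connect", "sni_pattern": "*.openai.com", "verdict": "allow"},
        {"name": "deny-other-tls", "action": "tls_connect", "verdict": "deny", "severity": "high"},
    ]},
}

# Constructed broken policy: typo'd verdict key, exec without resource_pattern,
# duplicate name, malformed CIDR, and cidr_deny on a file rule.
BAD_POLICY = {
    "apiVersion": "tyr.dev/v1", "kind": "Policy", "metadata": {"name": "broken"},
    "spec": {"rules": [
        {"name": "r1", "action": "exec", "verdcit": "deny"},
        {"name": "r1", "action": "net_connect", "cidr_allow": ["10.0.0.0/8", "300.1.2.3/24"], "verdict": "allow"},
        {"name": "r2", "action": "file_read", "resource_pattern": "/etc/*", "cidr_deny": ["0.0.0.0/0"],
         "verdict": "alert"},
    ]},
}

if __name__ == "__main__":
    print("good:", validate_policy(GOOD_POLICY))
    print("bad:", *validate_policy(BAD_POLICY), sep="\n  ")
```

To run it on a real file, load the document with `yaml.safe_load` (PyYAML, not in the standard library) and pass the result to `validate_policy`; a non-empty list is a reason not to call `tyr policy apply` yet. The check deliberately does nothing with `condition`: Cedar expressions are only evaluated in userspace by tyr, and nothing on this page describes the entity schema they run against.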