GUIDE
Policy Enforcement
Govern agent behavior with Policy-as-Code using Open Policy Agent (OPA).
Consonant intercepts every agent call before it reaches the agent. It evaluates the request against your defined OPA policies. If the policy denies the action, the agent is never invoked.
Writing Policies
Policies are written in Rego. Consonant provides the following input to your policies:
```json
{
  "agent": "stripe-agent",
  "capability": "refund_charge",
  "parameters": {
    "amount": 500,
    "user_id": "cust_123"
  },
  "user": {
    "role": "support_agent"
  }
}
```
Example: Limit Refund Amount
```rego
package consonant.policies

default allow = false

# Allow refunds under $100 automatically
allow {
  input.capability == "refund_charge"
  input.parameters.amount < 100
}

# Require approval for refunds of $100 or more
require_approval {
  input.capability == "refund_charge"
  input.parameters.amount >= 100
}
```
Human-in-the-Loop
When a policy returns require_approval, the workflow pauses. An operator must approve the action via the Consonant UI or API before it proceeds.
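As an added example (not code from the Consonant docs), here is a hardened version of the refund policy above, with unit tests for opa test, that also exercises the require_approval path. It uses OPA's rego.v1 syntax and assumes the role set and the $100 limit shown; unlike the short policy above, it checks the agent and the caller's role and rejects a negative, non-numeric or missing amount, so such requests fall through to the deny defaults instead of passing a numeric comparison.

```rego
package consonant.policies

import rego.v1

default allow := false
default require_approval := false

# Constructed example values: adjust the roles and limit for your deployment.
refund_roles := {"support_agent", "support_lead"}
auto_limit := 100

# A well-formed refund by an authorised role; rejects string, negative or missing amounts.
refund_request if {
	input.agent == "stripe-agent"
	input.capability == "refund_charge"
	input.user.role in refund_roles
	is_number(input.parameters.amount)
	input.parameters.amount > 0
}

# Small refunds go through automatically.
allow if {
	refund_request
	input.parameters.amount < auto_limit
}

# Larger refunds pause for an operator; anything else hits the deny defaults.
require_approval if {
	refund_request
	input.parameters.amount >= auto_limit
}

# Unit tests, run with `opa test policy.rego`; base is a constructed request.
base := {"agent": "stripe-agent", "capability": "refund_charge",
	"parameters": {"amount": 50, "user_id": "cust_123"},
	"user": {"role": "support_agent"}}

test_small_refund_allowed if allow with input as base

test_large_refund_requires_approval if {
	req := object.union(base, {"parameters": {"amount": 500}})
	not allow with input as req
	require_approval with input as req
}

test_negative_amount_denied if {
	req := object.union(base, {"parameters": {"amount": -5}})
	not allow with input as req
	not require_approval with input as req
}
```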
Timeout Configuration
Approvals have a configurable timeout (default: 24h). If not approved in time, the workflow step fails with APPROVAL_TIMEOUT.
Global vs. Agent Policies
You can apply policies at different levels:
- Global: Apply to all agents (e.g., "No PII in logs")
- Namespace: Apply to specific teams (e.g., "Finance team only")
- Agent: Specific constraints (e.g., "Read-only DB access")