Policy Builder

Status: Beta

The visual policy builder lives at /policies/builder. It is an alternative to editing policy YAML directly: you compose rules in a structured UI, preview their effect against sample requests, and publish when ready.

When to use the builder vs YAML

  • Builder: you are new to Control Zero, you want to move quickly, or you are composing standard rules (tool allow-lists, DLP blocks, rate limits).
  • YAML editor: you need multi-line expressions or complex conditionals, or you want to version-control policies outside the dashboard. The YAML editor lives on each policy's detail page.

Both views operate on the same underlying policy document — switching between them is lossless as long as the rule shape is one the builder recognizes.

Composing rules

The left pane lists rule types. Each rule is a card:

  • Tool rules — allow, deny, or transform a tool call. Pick the tool, pick the action, set optional conditions on arguments.
  • DLP rules — scan request / response text against a DLP pattern (regex, classifier, keyword list). Pick action: block, redact, or alert only. Only available on Solo+.
  • Rate / quota rules — per-user or per-project rate limits.
  • Identity rules — constraints on which identities can invoke which tools.

Drag a card from the left pane into the canvas, or click + Add rule. Each rule has its own configuration form with inline validation.

Preview mode

At the top right of the canvas is Preview. Click it and paste a sample request (JSON or plain text). The builder evaluates the full rule set against the sample and shows:

  • Which rules fired.
  • The resulting decision (allow / transform / deny).
  • Any transforms applied, with a before / after diff for text.

Preview runs entirely in the browser against a local evaluator — it does not emit audit logs and does not touch the production policy store.

Save and publish

The bottom bar has two buttons:

  • Save draft — persists the current state as a draft of the policy. Drafts do not affect live traffic.
  • Publish — writes a new published version and signs a fresh bundle. Published versions propagate to SDKs via the bundle pull endpoint.

If your org has the approval workflow enabled, Publish becomes Request approval, and a second admin must approve from the policy detail page before the version goes live.

JSON export

The three-dot menu on the top right exposes Export JSON. The export is the canonical policy document; paste it into version control or share it with another tenant to seed a similar policy.

Import JSON accepts a previously exported file. Imports go into the draft state; publish separately.
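
Once exports are kept in version control, a reviewer needs to see what changed between two of them regardless of key order or whitespace. The following is an added example, not part of Control Zero or its documentation: a schema-agnostic differ that reports each changed JSON path. The sample exports and their field names are constructed for illustration and are not the product's export schema.

```python
import json

class _Absent:
    """Marks a path that exists on only one side of the diff."""
    def __repr__(self):
        return "<absent>"

ABSENT = _Absent()

# Constructed sample exports. Field names are hypothetical, not Control Zero's
# export schema; diff_json itself makes no assumption about the schema.
OLD_EXPORT = json.loads("""
{"name": "support-bot",
 "rules": [
   {"type": "dlp", "pattern": "credit-card", "action": "block"},
   {"type": "tool", "tool": "send_email", "action": "deny"}]}
""")
NEW_EXPORT = json.loads("""
{"rules": [
   {"action": "alert", "type": "dlp", "pattern": "credit-card"},
   {"type": "tool", "tool": "send_email", "action": "deny"},
   {"type": "rate", "scope": "per-user", "limit": 60}],
 "name": "support-bot"}
""")

def diff_json(old, new, path="$"):
    """Return [(path, old, new)] for each difference.

    Object key order is ignored; array order is significant, so a reordered
    rule list shows up as changes at each shifted index.
    """
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(old.keys() | new.keys()):
            changes += diff_json(old.get(key, ABSENT), new.get(key, ABSENT),
                                 f"{path}.{key}")
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            a = old[i] if i < len(old) else ABSENT
            b = new[i] if i < len(new) else ABSENT
            changes += diff_json(a, b, f"{path}[{i}]")
    elif type(old) is not type(new) or old != new:
        # Type check keeps JSON true and 1 from comparing equal.
        changes.append((path, old, new))
    return changes

if __name__ == "__main__":
    for path, before, after in diff_json(OLD_EXPORT, NEW_EXPORT):
        print(f"{path}: {before!r} -> {after!r}")
```

On the constructed samples this surfaces the DLP action moving from block to alert and the added rate rule, while the reordered keys produce no noise.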