Forem: Sami Marreed The latest articles on Forem by Sami Marreed (@sami_marreed_9bbc8fe7e28c). https://forem.com/sami_marreed_9bbc8fe7e28c https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3578634%2Fe1e4f6c0-834b-437a-9557-fd0c8491a451.jpg Forem: Sami Marreed https://forem.com/sami_marreed_9bbc8fe7e28c en Introducing CUGA Policies: The Runtime Governance Layer for AI Agents Sami Marreed Wed, 29 Apr 2026 22:13:21 +0000 https://forem.com/sami_marreed_9bbc8fe7e28c/introducing-cuga-policies-the-runtime-governance-layer-for-ai-agents-ajm https://forem.com/sami_marreed_9bbc8fe7e28c/introducing-cuga-policies-the-runtime-governance-layer-for-ai-agents-ajm <p><em>Co-authored by CUGA Team: Asaf Adi, Offer Akrabi, Ido Levy, Nir Mashkif, Alon Oved, Segev Shlomov, Harold Ship, Iftach Shoham, Noa Wegerhoff, Avi Yaeli, Sergey Zeltyn</em></p> <h2> In this article </h2> <ol> <li>The Problem: Agents Without Guardrails</li> <li>What Is the Policy System?</li> <li>Architecture Overview</li> <li> The Five Policy Types <ul> <li>Playbooks</li> <li>Intent Guards</li> <li>Tool Guides</li> <li>Tool Approvals</li> <li>Output Formatters</li> </ul> </li> <li>Trigger System</li> <li>Matching Algorithm</li> <li>Enforcement &amp; Action Types</li> <li>Storage &amp; Vector Search</li> <li>Filesystem Sync (.cuga folder)</li> <li>SDK API</li> <li>Configuration Reference</li> <li>Real-World Recipes</li> <li>Conclusion</li> <li>Try it, star us, give feedback</li> </ol> <h2> 1 · The Problem: Agents Without Guardrails </h2> <p>Deploying an AI agent to production is not the finish line — it is the starting gun. The moment real users get their hands on an autonomous agent, you discover a humbling set of edge cases that no amount of system-prompt engineering fully prevents:</p> <ul> <li>Users ask the agent to do things that are legally or operationally off-limits.</li> <li>The agent is helpful in ways that are <em>too</em> helpful — deleting records, sending emails, charging cards without confirmation.</li> <li>Different tenants or deployment contexts require different behavior from the same codebase.</li> <li>Regulatory requirements (GDPR, HIPAA, SOC 2) demand auditable, deterministic enforcement of certain rules.</li> <li>The reliability problem: without guardrails, agents behave unpredictably, which prevents teams from deploying them to production with confidence.</li> </ul> <p>The traditional answer is to litter your agent code with <code>if</code>-checks, hard-coded system prompt fragments, and custom pre-/post-processing logic. The result: a tightly coupled, brittle codebase where business rules are indistinguishable from core logic.</p> <blockquote> <p>"Policies give you a declarative, version-controllable, runtime-configurable governance layer — completely decoupled from the agent's reasoning engine."</p> </blockquote> <p>CUGA's policy system solves this cleanly. Policies are first-class runtime objects that intercept the agent's execution graph at well-defined points, without requiring you to change a single line of agent code. They are stored in a database, matched semantically against conversation context, and enforced deterministically.</p> <h2> 2 · What Is the Policy System? </h2> <p>At its core, a CUGA policy is a structured rule with three parts:</p> <ol> <li> <strong>When to activate</strong> — zero or more <em>triggers</em> that pattern-match against conversation context: keywords, semantic embeddings, active apps, available tools, or graph state.</li> <li> <strong>What to do</strong> — an <em>action type</em> that defines how the agent's behavior is modified (block, guide, filter, gate, reformat).</li> <li> <strong>Payload</strong> — type-specific content: markdown guidance, a canned response, tool descriptions to inject, an approval message, or an output format schema.</li> </ol> <p>Policies are stored persistently (SQLite locally, PostgreSQL in production), complete with vector embeddings for semantic matching. They can also be defined as markdown files in a <code>.cuga/</code> folder in your repository, enabling full version-control workflows.</p> <blockquote> <p><strong>Key insight</strong> — The policy system is entirely <strong>orthogonal</strong> to your agent's reasoning logic. You can add, remove, or modify policies at runtime without redeploying your agent.</p> </blockquote> <h2> 3 · Architecture Overview </h2> <p>The policy system is composed of four distinct layers, each with a single, well-defined responsibility:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5gr7syr0c0yfvyzvqq86.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5gr7syr0c0yfvyzvqq86.png" alt="Architecture Overview" width="800" height="561"></a></p> <p><em>Figure 1 — Four-layer architecture of the CUGA policy system</em></p> <p>What makes this design powerful is the <strong>PolicyConfigurable</strong> singleton pattern: a single shared instance is injected into the LangGraph execution context and made available to every node in the graph. Nodes that need policy enforcement simply call into <code>PolicyEnactment</code> — they do not own any policy logic themselves.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv3oa1e7r0ltk83i11itv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv3oa1e7r0ltk83i11itv.png" alt="Policy enforcement" width="800" height="602"></a></p> <p><em>Figure 2 — Policy enforcement sequence during graph execution</em></p> <h2> 4 · The Five Policy Types </h2> <p>These five types emerged from real-world engagements where we had to make CUGA reliable and consistent enough for production. Each addresses a specific governance need we encountered when teams tried to ship agents at scale.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Type</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><strong>Playbook</strong></td> <td>Step-by-step guidance injection — shapes <em>how</em> the agent responds without blocking it</td> </tr> <tr> <td><strong>Intent Guard</strong></td> <td>Hard stop on forbidden intents — the agent never processes the request</td> </tr> <tr> <td><strong>Tool Guide</strong></td> <td>Enriched tool descriptions — appends contextual instructions to tool descriptions at runtime</td> </tr> <tr> <td><strong>Tool Approval</strong></td> <td>Human-in-the-loop gating — intercepts generated code before tool execution</td> </tr> <tr> <td><strong>Output Formatter</strong></td> <td>Response reshaping — post-processes the agent's final answer through an LLM call</td> </tr> </tbody> </table></div> <h3> 4.1 · Playbooks </h3> <p>A <strong>Playbook</strong> is the gentlest form of policy enforcement. Rather than blocking or redirecting the user, it shapes the agent's behavior by injecting a structured guide into the system prompt when a relevant topic is detected.</p> <p>Playbooks consist of free-form <code>markdown_content</code> and an optional ordered list of <code>steps</code>, each with a title, description, and optional tool hints. When <code>policy.playbook_refine</code> is enabled, the injected playbook is also refined by an LLM pass that trims irrelevant steps based on how far the conversation has progressed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># As a markdown file in .cuga/playbooks/checkout.md</span> <span class="nn">---</span> <span class="na">id</span><span class="pi">:</span> <span class="s">playbook_checkout</span> <span class="na">name</span><span class="pi">:</span> <span class="s">E-Commerce Checkout Guide</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Step-by-step guide for checkout flow</span> <span class="na">type</span><span class="pi">:</span> <span class="s">playbook</span> <span class="na">priority</span><span class="pi">:</span> <span class="m">60</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">triggers</span><span class="pi">:</span> <span class="na">keywords</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">checkout</span><span class="pi">,</span> <span class="nv">buy</span><span class="pi">,</span> <span class="nv">purchase</span><span class="pi">,</span> <span class="nv">cart</span><span class="pi">]</span> <span class="na">target</span><span class="pi">:</span> <span class="s">intent</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">or</span> <span class="nn">---</span> <span class="c1">## Checkout Playbook</span> <span class="c1">### Steps</span> <span class="s">1. Verify cart is not empty before proceeding</span> <span class="s">2. Validate shipping address with the address verification tool</span> <span class="s">3. Present available payment methods</span> <span class="s">4. Confirm order summary before charging</span> <span class="s">5. Generate and send order confirmation email</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Or via the SDK </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_playbook</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">E-Commerce Checkout Guide</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="sh">"""</span><span class="s"> ## Checkout Playbook 1. Verify cart is not empty 2. Validate shipping address 3. Confirm payment method 4. Send confirmation email </span><span class="sh">"""</span><span class="p">,</span> <span class="n">keywords</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">checkout</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">buy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">purchase</span><span class="sh">"</span><span class="p">],</span> <span class="n">target</span><span class="o">=</span><span class="sh">"</span><span class="s">intent</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">60</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h3> 4.2 · Intent Guards </h3> <p><strong>Intent Guards</strong> are the hardest policy type. When triggered, they immediately issue a <code>Command(goto=END)</code> to the LangGraph runtime, bypassing all downstream nodes. The agent never reasons about the request — the guard response is returned directly to the user.</p> <p>Guards support three response formats:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Response Type</th> <th>Description</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td><code>natural_language</code></td> <td>Plain text explanation returned to the user</td> <td>Friendly declination of off-topic requests</td> </tr> <tr> <td><code>json</code></td> <td>Structured JSON payload with a <code>status_code</code> </td> <td>API-facing agents; programmatic error handling</td> </tr> <tr> <td><code>template</code></td> <td>Jinja-style template with context interpolation</td> <td>Branded, dynamic decline messages</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_intent_guard</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">No Competitor Mentions</span><span class="sh">"</span><span class="p">,</span> <span class="n">keywords</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">competitor_a</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">competitor_b</span><span class="sh">"</span><span class="p">],</span> <span class="n">target</span><span class="o">=</span><span class="sh">"</span><span class="s">user_input</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="o">=</span><span class="sh">"</span><span class="s">I</span><span class="sh">'</span><span class="s">m not able to discuss third-party products. How can I help you with our platform?</span><span class="sh">"</span><span class="p">,</span> <span class="n">allow_override</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">90</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <blockquote> <p><strong>Important</strong> — Intent Guards with <code>allow_override=False</code> cannot be bypassed even by subsequent policies with higher priority. Use this for hard regulatory requirements.</p> </blockquote> <h3> 4.3 · Tool Guides </h3> <p><strong>Tool Guides</strong> enhance the agent's understanding of how to use specific tools in a given context. Rather than changing the tool's implementation, they append or prepend markdown instructions to the tool's description at runtime, giving the LLM richer context for that specific interaction.</p> <p>A single Tool Guide can target specific tools by name or use <code>["*"]</code> to enrich all available tools. Multiple Tool Guides can match simultaneously — their results are merged into a list and applied together.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_tool_guide</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Payment Tool Safety Instructions</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="sh">"""</span><span class="s"> ⚠️ ALWAYS confirm the exact charge amount with the user before calling this tool. ⚠️ Never retry on a timeout — contact support instead. ⚠️ Log all call attempts regardless of outcome. </span><span class="sh">"""</span><span class="p">,</span> <span class="n">target_tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">charge_card</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">process_refund</span><span class="sh">"</span><span class="p">],</span> <span class="n">keywords</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">payment</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">charge</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">refund</span><span class="sh">"</span><span class="p">],</span> <span class="n">prepend</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">80</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h3> 4.4 · Tool Approvals </h3> <p><strong>Tool Approvals</strong> implement a human-in-the-loop checkpoint. Unlike other policy types, approval policies are checked <em>after</em> code generation — they inspect the actual generated code text to determine whether execution should be gated, not the user's intent.</p> <p>This is a critical distinction: a user might innocuously say "send a summary to the team" — but if the generated code calls a <code>send_bulk_email</code> tool to a list of 50,000 addresses, the approval policy catches that before execution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_tool_approval</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Bulk Email Approval</span><span class="sh">"</span><span class="p">,</span> <span class="n">required_tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">send_bulk_email</span><span class="sh">"</span><span class="p">],</span> <span class="n">approval_message</span><span class="o">=</span><span class="sh">"</span><span class="s">This action will send emails to multiple recipients. Please review and confirm.</span><span class="sh">"</span><span class="p">,</span> <span class="n">show_code_preview</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">auto_approve_after</span><span class="o">=</span><span class="mi">300</span><span class="p">,</span> <span class="c1"># seconds; None = wait indefinitely </span> <span class="n">priority</span><span class="o">=</span><span class="mi">70</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h3> 4.5 · Output Formatters </h3> <p><strong>Output Formatters</strong> are the final policy type, acting as a post-processing pass on the agent's completed response. They trigger based on the content of <code>agent_response</code> and call an LLM to reformat it according to a specified format configuration.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Format Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>markdown</code></td> <td>Restructure the response as formatted markdown with headers, lists, and emphasis</td> </tr> <tr> <td><code>json_schema</code></td> <td>Extract and return a structured JSON object matching a provided schema</td> </tr> <tr> <td><code>direct</code></td> <td>Replace the response verbatim with a template string</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_output_formatter</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">JSON API Response Format</span><span class="sh">"</span><span class="p">,</span> <span class="n">format_type</span><span class="o">=</span><span class="sh">"</span><span class="s">json_schema</span><span class="sh">"</span><span class="p">,</span> <span class="n">format_config</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">schema</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">summary</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">action_taken</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">next_steps</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">array</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">items</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">}},</span> <span class="p">},</span> <span class="p">}</span> <span class="p">},</span> <span class="n">priority</span><span class="o">=</span><span class="mi">40</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h2> 5 · Trigger System </h2> <p>Every policy has a <code>triggers</code> list. Each trigger in the list must pass for the policy to activate — triggers are combined with <strong>AND logic</strong> across the list. Within a single keyword trigger, individual keywords use the configured <code>operator</code> (<code>and</code> or <code>or</code>).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ienhhpt5z1ktfhw8md3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ienhhpt5z1ktfhw8md3.png" alt="Trigger types" width="800" height="566"></a></p> <p><em>Figure 3 — Trigger types and the target fields they can examine</em></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Trigger Type</th> <th>Matching Strategy</th> <th>Speed</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td><code>KeywordTrigger</code></td> <td>Case-insensitive substring in target field</td> <td>⚡ Instant</td> <td>Deterministic brand/compliance keywords</td> </tr> <tr> <td><code>NaturalLanguageTrigger</code></td> <td>Embedding cosine similarity + LLM conflict resolution</td> <td>🐢 ~200–500ms</td> <td>Semantic intent matching, paraphrase handling</td> </tr> <tr> <td><code>AppTrigger</code></td> <td>Exact match against <code>context.active_apps</code> </td> <td>⚡ Instant</td> <td>App-specific rules (only apply in Salesforce, etc.)</td> </tr> <tr> <td><code>ToolTrigger</code></td> <td>Exact match against <code>context.available_tools</code> </td> <td>⚡ Instant</td> <td>Tool-scoped guides (activate when certain tools present)</td> </tr> <tr> <td><code>StateTrigger</code></td> <td>State key inspection: <code>equals</code> / <code>contains</code> / <code>regex</code> </td> <td>⚡ Instant</td> <td>Workflow-stage–specific rules</td> </tr> <tr> <td><code>AlwaysTrigger</code></td> <td>Always matches (no evaluation)</td> <td>⚡ Instant</td> <td>Universal tool guides, global output formatting</td> </tr> </tbody> </table></div> <blockquote> <p><strong>Performance Tip</strong> — Combine a fast <code>KeywordTrigger</code> with a <code>NaturalLanguageTrigger</code> in the same triggers list when you need both precision for known exact phrases and semantic coverage for paraphrases. The keyword check gates the expensive NL check.</p> </blockquote> <h2> 6 · Matching Algorithm </h2> <p>The <code>PolicyAgent.match_policy(context)</code> method orchestrates a two-phase matching pipeline designed to balance determinism with semantic flexibility:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiy0s3l2tlwed5wzoiz8o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiy0s3l2tlwed5wzoiz8o.png" alt="Matching Algorithm" width="800" height="2868"></a></p> <p><em>Figure 4 — Two-phase policy matching pipeline</em></p> <p><strong>Priority Tiebreaking</strong> — When multiple policies of the same type match at the same confidence level, <code>priority</code> is the tiebreaker (higher number = higher priority). Intent Guards always outrank Playbooks regardless of priority, because blocking an intent is fundamentally more important than guiding it.</p> <p><strong>Confidence Threshold</strong> — Each <code>NaturalLanguageTrigger</code> carries a <code>threshold</code> field (default <code>0.7</code>). The LLM conflict resolution step returns a <code>confidence</code> score for its chosen policy. If <code>confidence &lt; threshold</code>, the match is discarded — preventing low-confidence false positives from firing policies.</p> <p><strong>Multi-Match for Tool Guides</strong> — Unlike Playbooks and Guards, Tool Guide matching does not stop at the first match. <code>check_tool_guide_policies()</code> returns <em>all</em> matching guides, which are then merged and applied together. This allows you to have a generic "all tools" safety guide alongside specific per-tool instructions — both activate simultaneously.</p> <h2> 7 · Enforcement &amp; Action Types </h2> <p><code>PolicyEnactment.check_and_enact()</code> is the central dispatch method. It receives a <code>PolicyMatch</code> and returns a <code>(command, metadata)</code> tuple that the calling graph node interprets.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Action Type</th> <th>Effect on the Graph</th> <th>Returned By</th> </tr> </thead> <tbody> <tr> <td><code>BLOCK_INTENT</code></td> <td>Issues <code>Command(goto=END)</code>; <code>final_answer</code> is set to the guard response. Graph terminates immediately.</td> <td>IntentGuard</td> </tr> <tr> <td><code>GUIDE_PROMPT</code></td> <td>Returns metadata containing <code>playbook_guidance</code>. Node calls <code>inject_playbook_into_prompt()</code> to stitch it into the system prompt.</td> <td>Playbook</td> </tr> <tr> <td><code>TOOL_INJECT_DESCRIPTION</code></td> <td>Returns metadata with guide content and target tools. Node calls <code>apply_tool_guide()</code>, which deep-copies and mutates tool objects.</td> <td>ToolGuide</td> </tr> <tr> <td><code>TOOL_REQUIRE_APPROVAL</code></td> <td>Returns metadata; the <code>tool_approval_handler</code> node checks generated code and pauses for human confirmation before execution.</td> <td>ToolApproval</td> </tr> <tr> <td><code>FORMAT_OUTPUT</code></td> <td>Calls an LLM with the final answer and format spec. Replaces <code>state.final_answer</code> in-place.</td> <td>OutputFormatter</td> </tr> <tr> <td><code>INJECT_CONTEXT</code></td> <td>Merges extra key-value pairs into the graph state.</td> <td>CustomPolicy</td> </tr> <tr> <td><code>LOG_ONLY</code></td> <td>Records the match in logs/audit trail without changing behavior. Useful for shadow-mode testing.</td> <td>Any policy type</td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg3t25rm774szpiedm0w5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg3t25rm774szpiedm0w5.png" alt="State machine of policy" width="800" height="807"></a></p> <p><em>Figure 5 — State machine of policy enforcement through the agent lifecycle</em></p> <h2> 8 · Storage &amp; Vector Search </h2> <p>The storage layer is designed around a pluggable <code>PolicyStoreBackend</code> protocol, with two concrete implementations:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Backend</th> <th>Database</th> <th>Vector Extension</th> <th>Environment</th> </tr> </thead> <tbody> <tr> <td><code>LocalPolicyStore</code></td> <td>SQLite</td> <td>sqlite-vec</td> <td>Local development, single-tenant</td> </tr> <tr> <td><code>ProdPolicyStore</code></td> <td>PostgreSQL</td> <td>pgvector</td> <td>Production, multi-tenant</td> </tr> </tbody> </table></div> <p>Each policy is stored with the following columns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Simplified schema</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">policies</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">TEXT</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">policy_type</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="c1">-- playbook | intent_guard | tool_guide | ...</span> <span class="n">policy_json</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="c1">-- full serialized policy object</span> <span class="n">enabled</span> <span class="nb">BOOLEAN</span><span class="p">,</span> <span class="n">priority</span> <span class="nb">INTEGER</span><span class="p">,</span> <span class="n">tenant_id</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">instance_id</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">embedding</span> <span class="n">VECTOR</span><span class="p">(</span><span class="mi">1536</span><span class="p">)</span> <span class="c1">-- auto-generated at write time</span> <span class="p">);</span> </code></pre> </div> <p><strong>Embedding Generation</strong> — Embeddings are generated automatically at write time from a concatenation of the policy's <code>description</code>, all natural language trigger values, and type-specific content (playbook markdown, tool names, etc.). This means a semantic search over policies effectively queries their <em>intent and content</em>, not just their metadata.</p> <p><strong>Multi-Tenancy</strong> — The <code>tenant_id</code> and <code>instance_id</code> columns enable hard isolation of policy sets across tenants and deployment instances. All queries are automatically scoped to the current tenant/instance from the LangGraph config context.</p> <h2> 9 · Filesystem Sync — The .cuga Folder </h2> <p>One of the most developer-friendly features of the policy system is the <strong>.cuga folder</strong>. When <code>policy.filesystem_sync</code> is enabled, the policy system maintains a bidirectional sync between your database and a set of markdown files on disk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.cuga/ ├── playbooks/ │ ├── checkout_guide.md │ └── onboarding_flow.md ├── intent_guards/ │ ├── no_competitors.md │ └── gdpr_block.md ├── tool_guides/ │ └── payment_safety.md ├── tool_approvals/ │ └── bulk_email_approval.md └── output_formatters/ └── api_json_format.md </code></pre> </div> <p>Each file uses YAML frontmatter for metadata and markdown body for content. The <code>PolicyFilesystemSync</code> class handles:</p> <ul> <li> <strong>Upsert on load</strong> — reads all files and syncs them into the database, updating existing policies by ID.</li> <li> <strong>Removal sync</strong> — <code>sync_removals()</code> deletes from the database any policies whose files were deleted from disk.</li> <li> <strong>Version control friendly</strong> — all policies are reviewable, diffable, and auditable in your git history.</li> <li> <strong>CI/CD integration</strong> — policies can be loaded in your deployment pipeline before the agent starts. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Load all policies from your .cuga folder </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">load_from_folder</span><span class="p">(</span><span class="sh">"</span><span class="s">.cuga</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Or from a JSON export </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">load_from_json</span><span class="p">(</span><span class="sh">"</span><span class="s">policies-backup.json</span><span class="sh">"</span><span class="p">,</span> <span class="n">clear_existing</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> </code></pre> </div> <h2> 10 · SDK API </h2> <p>The <code>PoliciesManager</code> is exposed as <code>agent.policies</code> on any <code>CugaAgent</code> instance. It provides a clean async API for all CRUD operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">cuga</span> <span class="kn">import</span> <span class="n">CugaAgent</span> <span class="n">agent</span> <span class="o">=</span> <span class="nc">CugaAgent</span><span class="p">(...)</span> <span class="c1"># ── CREATE ────────────────────────────────────────────────────── </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_playbook</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Support Escalation Guide</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="sh">"</span><span class="s">## Steps</span><span class="se">\n</span><span class="s">1. Gather issue details</span><span class="se">\n</span><span class="s">2. Check KB</span><span class="se">\n</span><span class="s">3. Escalate if needed</span><span class="sh">"</span><span class="p">,</span> <span class="n">keywords</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">escalate</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">supervisor</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">manager</span><span class="sh">"</span><span class="p">],</span> <span class="n">natural_language_trigger</span><span class="o">=</span><span class="sh">"</span><span class="s">user wants to speak to a human or escalate the issue</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">70</span><span class="p">,</span> <span class="p">)</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_intent_guard</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">PII Guard</span><span class="sh">"</span><span class="p">,</span> <span class="n">keywords</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">ssn</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">social security</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">credit card number</span><span class="sh">"</span><span class="p">],</span> <span class="n">target</span><span class="o">=</span><span class="sh">"</span><span class="s">user_input</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="o">=</span><span class="sh">"</span><span class="s">I cannot process requests involving sensitive personal information.</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="p">)</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_tool_guide</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Database Safety Guide</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="sh">"</span><span class="s">Never run DELETE without a WHERE clause. Always prefer soft deletes.</span><span class="sh">"</span><span class="p">,</span> <span class="n">target_tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">execute_sql</span><span class="sh">"</span><span class="p">],</span> <span class="n">prepend</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_tool_approval</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Production DB Approval</span><span class="sh">"</span><span class="p">,</span> <span class="n">required_tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">execute_sql</span><span class="sh">"</span><span class="p">],</span> <span class="n">required_apps</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">production_db</span><span class="sh">"</span><span class="p">],</span> <span class="n">approval_message</span><span class="o">=</span><span class="sh">"</span><span class="s">Confirm SQL execution on PRODUCTION database.</span><span class="sh">"</span><span class="p">,</span> <span class="n">show_code_preview</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_output_formatter</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Markdown Formatter</span><span class="sh">"</span><span class="p">,</span> <span class="n">format_type</span><span class="o">=</span><span class="sh">"</span><span class="s">markdown</span><span class="sh">"</span><span class="p">,</span> <span class="n">format_config</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">style</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">structured with headers and bullet points</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="c1"># ── READ ──────────────────────────────────────────────────────── </span><span class="n">policies</span> <span class="o">=</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">list</span><span class="p">()</span> <span class="n">policy</span> <span class="o">=</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">policy_id_here</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ── DELETE ────────────────────────────────────────────────────── </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">delete</span><span class="p">(</span><span class="sh">"</span><span class="s">policy_id_here</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">clear</span><span class="p">()</span> <span class="c1"># remove ALL policies </span> <span class="c1"># ── BULK OPERATIONS ───────────────────────────────────────────── </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">load_from_folder</span><span class="p">(</span><span class="sh">"</span><span class="s">.cuga</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">load_from_json</span><span class="p">(</span><span class="sh">"</span><span class="s">policies.json</span><span class="sh">"</span><span class="p">,</span> <span class="n">clear_existing</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> </code></pre> </div> <h3> Working Example </h3> <p>A complete runnable example that creates an agent with tools, adds an Intent Guard and Playbook, then invokes it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">cuga</span> <span class="kn">import</span> <span class="n">CugaAgent</span> <span class="kn">from</span> <span class="n">langchain_core.tools</span> <span class="kn">import</span> <span class="n">tool</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="nd">@tool</span> <span class="k">def</span> <span class="nf">add_numbers</span><span class="p">(</span><span class="n">a</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">b</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="sh">'''</span><span class="s">Add two numbers together</span><span class="sh">'''</span> <span class="k">return</span> <span class="n">a</span> <span class="o">+</span> <span class="n">b</span> <span class="nd">@tool</span> <span class="k">def</span> <span class="nf">multiply_numbers</span><span class="p">(</span><span class="n">a</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">b</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="sh">'''</span><span class="s">Multiply two numbers together</span><span class="sh">'''</span> <span class="k">return</span> <span class="n">a</span> <span class="o">*</span> <span class="n">b</span> <span class="n">agent</span> <span class="o">=</span> <span class="nc">CugaAgent</span><span class="p">(</span><span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="n">add_numbers</span><span class="p">,</span> <span class="n">multiply_numbers</span><span class="p">])</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_intent_guard</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Block Delete Operations</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Prevents deletion of critical data</span><span class="sh">"</span><span class="p">,</span> <span class="n">keywords</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">remove</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">erase</span><span class="sh">"</span><span class="p">],</span> <span class="n">response</span><span class="o">=</span><span class="sh">"</span><span class="s">Deletion operations are not permitted for security reasons.</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">100</span> <span class="p">)</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_playbook</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Budget Analysis Workflow</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Multi-step process for analyzing financial budgets</span><span class="sh">"</span><span class="p">,</span> <span class="n">natural_language_trigger</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">When user asks to analyze their budget</span><span class="sh">"</span><span class="p">],</span> <span class="n">content</span><span class="o">=</span><span class="sh">"""</span><span class="s"># Budget Analysis Workflow ## Step 1: Calculate Total Expenses - Sum all expense categories using add_numbers - Document each category amount ## Step 2: Calculate Total Revenue - Sum all revenue streams using add_numbers - Include all income sources ## Step 3: Calculate Profit Margin - Use multiply_numbers to calculate profit (revenue - expenses) - Calculate margin percentage ## Step 4: Generate Recommendations - Compare against target budget - Identify areas for optimization - Provide actionable insights</span><span class="sh">"""</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">50</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="nf">invoke</span><span class="p">(</span><span class="sh">"</span><span class="s">Analyze my budget: expenses are 5000 and 3000, revenue is 12000</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">answer</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">main</span><span class="p">())</span> </code></pre> </div> <h2> 11 · Configuration Reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Type</th> <th>Default</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>policy.enabled</code></td> <td>bool</td> <td><code>True</code></td> <td>Global kill switch. If <code>False</code>, all policy checks are silently skipped.</td> </tr> <tr> <td><code>policy.policy_db_path</code></td> <td>str</td> <td><code>"policies.db"</code></td> <td>Path to the local SQLite database file (relative to <code>DBS_DIR</code>).</td> </tr> <tr> <td><code>policy.collection_name</code></td> <td>str</td> <td><code>"policies"</code></td> <td>Vector store collection name for policy embeddings.</td> </tr> <tr> <td><code>policy.cuga_folder</code></td> <td>str</td> <td><code>".cuga"</code></td> <td>Default folder for filesystem sync.</td> </tr> <tr> <td><code>policy.filesystem_sync</code></td> <td>bool</td> <td><code>False</code></td> <td>Enable auto-sync between <code>.cuga/</code> folder and database on startup.</td> </tr> <tr> <td><code>policy.playbook_refine</code></td> <td>bool</td> <td><code>False</code></td> <td>If <code>True</code>, an LLM pass trims irrelevant playbook steps based on conversation progress.</td> </tr> <tr> <td><code>storage.embedding.provider</code></td> <td>str</td> <td>—</td> <td>Embedding provider (e.g., <code>"openai"</code>, <code>"anthropic"</code>).</td> </tr> <tr> <td><code>storage.embedding.model</code></td> <td>str</td> <td>—</td> <td>Embedding model name (e.g., <code>"text-embedding-3-small"</code>).</td> </tr> </tbody> </table></div> <h2> 12 · Real-World Recipes </h2> <h3> Recipe 1: GDPR &amp; Regulatory Compliance </h3> <p>Block any request that involves personally identifiable information in regulated contexts, and log all attempts for your audit trail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Hard block on PII requests </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_intent_guard</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">GDPR PII Block</span><span class="sh">"</span><span class="p">,</span> <span class="n">keywords</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">passport</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ssn</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">date of birth</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">address</span><span class="sh">"</span><span class="p">],</span> <span class="n">natural_language_trigger</span><span class="o">=</span><span class="sh">"</span><span class="s">user is asking for or wants to share personal identifying information</span><span class="sh">"</span><span class="p">,</span> <span class="n">target</span><span class="o">=</span><span class="sh">"</span><span class="s">user_input</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="o">=</span><span class="sh">'</span><span class="s">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">PII_REQUEST_BLOCKED</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">code</span><span class="sh">"</span><span class="s">: 403, </span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">This request cannot be processed under GDPR Article 9.</span><span class="sh">"</span><span class="s">}</span><span class="sh">'</span><span class="p">,</span> <span class="n">allow_override</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Shadow log NL-adjacent queries without blocking (for audit) </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_intent_guard</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">PII Audit Log</span><span class="sh">"</span><span class="p">,</span> <span class="n">natural_language_trigger</span><span class="o">=</span><span class="sh">"</span><span class="s">user discusses personal data or privacy</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="o">=</span><span class="sh">""</span><span class="p">,</span> <span class="n">action_override</span><span class="o">=</span><span class="sh">"</span><span class="s">LOG_ONLY</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">50</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h3> Recipe 2: SRE / Production Safety </h3> <p>Require human approval before any SQL execution touches a production database, with a 5-minute auto-reject timeout.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Require approval for production SQL </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_tool_approval</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Production SQL Approval</span><span class="sh">"</span><span class="p">,</span> <span class="n">required_tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">execute_sql</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">run_migration</span><span class="sh">"</span><span class="p">],</span> <span class="n">required_apps</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">production_db</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">prod_rds</span><span class="sh">"</span><span class="p">],</span> <span class="n">approval_message</span><span class="o">=</span><span class="sh">"</span><span class="s">⚠️ This will execute SQL on PRODUCTION. Review the query carefully.</span><span class="sh">"</span><span class="p">,</span> <span class="n">show_code_preview</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">auto_approve_after</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="c1"># wait indefinitely </span> <span class="n">priority</span><span class="o">=</span><span class="mi">95</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Inject safety guidelines into all SQL tool descriptions </span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_tool_guide</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">SQL Safety Rules</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="sh">"""</span><span class="s"> 🔴 PRODUCTION SAFETY RULES: - Never use DELETE without a WHERE clause - Always prefer UPDATE over DELETE for soft deletes - Wrap schema changes in transactions - Validate row counts before bulk operations </span><span class="sh">"""</span><span class="p">,</span> <span class="n">target_tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">execute_sql</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">run_migration</span><span class="sh">"</span><span class="p">],</span> <span class="n">prepend</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">90</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h3> Recipe 3: Structured API Responses </h3> <p>Force all agent responses through a JSON schema formatter when the agent is used as a backend API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">add_output_formatter</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">API JSON Response</span><span class="sh">"</span><span class="p">,</span> <span class="n">format_type</span><span class="o">=</span><span class="sh">"</span><span class="s">json_schema</span><span class="sh">"</span><span class="p">,</span> <span class="n">format_config</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">schema</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">required</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">enum</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">partial</span><span class="sh">"</span><span class="p">]},</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">actions</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">array</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">items</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">}},</span> <span class="p">},</span> <span class="p">}</span> <span class="p">},</span> <span class="n">triggers</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">always</span><span class="sh">"</span><span class="p">}],</span> <span class="c1"># apply to all responses </span> <span class="n">priority</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h3> Recipe 4: Policy-as-Code with .cuga Folder </h3> <p>Define all policies as versioned markdown files in your repository and load them at startup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .cuga/intent_guards/no_competitors.md</span> <span class="nn">---</span> <span class="na">id</span><span class="pi">:</span> <span class="s">guard_no_competitors</span> <span class="na">name</span><span class="pi">:</span> <span class="s">No Competitor Mentions</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Prevents discussion of competitor products</span> <span class="na">type</span><span class="pi">:</span> <span class="s">intent_guard</span> <span class="na">priority</span><span class="pi">:</span> <span class="m">85</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">triggers</span><span class="pi">:</span> <span class="na">keywords</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">competitor_x</span><span class="pi">,</span> <span class="nv">competitor_y</span><span class="pi">,</span> <span class="nv">other_product</span><span class="pi">]</span> <span class="na">target</span><span class="pi">:</span> <span class="s">user_input</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">or</span> <span class="na">allow_override</span><span class="pi">:</span> <span class="kc">false</span> <span class="nn">---</span> <span class="s">I'm only able to discuss our own products and services.</span> <span class="s">Is there something I can help you with on our platform?</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In your agent startup code </span><span class="k">async</span> <span class="k">def</span> <span class="nf">startup</span><span class="p">(</span><span class="n">agent</span><span class="p">:</span> <span class="n">CugaAgent</span><span class="p">):</span> <span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">load_from_folder</span><span class="p">(</span><span class="sh">"</span><span class="s">.cuga</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Loaded </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="k">await</span> <span class="n">agent</span><span class="p">.</span><span class="n">policies</span><span class="p">.</span><span class="nf">list</span><span class="p">())</span><span class="si">}</span><span class="s"> policies</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># In CI/CD: load, validate, deploy # cuga-policy load-from-file policies-staging.json # cuga-policy validate --all # cuga-policy export-to-file policies-prod.json </span></code></pre> </div> <h2> 13 · Conclusion </h2> <p>The CUGA policy system represents a fundamental shift in how we think about AI agent governance. Instead of embedding business rules, compliance requirements, and behavioral constraints directly into agent code — where they become tightly coupled, hard to audit, and impossible to change without a redeploy — policies externalize all of that into a first-class, runtime-configurable layer.</p> <p>The five policy types cover the full spectrum of governance needs:</p> <ul> <li> <strong>Playbook</strong> — guide the agent's reasoning without constraining it</li> <li> <strong>Intent Guard</strong> — hard stops for forbidden territory</li> <li> <strong>Tool Guide</strong> — contextual enrichment for smarter tool use</li> <li> <strong>Tool Approval</strong> — human-in-the-loop for high-stakes actions</li> <li> <strong>Output Formatter</strong> — consistent, structured outputs at scale</li> </ul> <p>The trigger system — combining deterministic keyword matching with semantic embedding search and LLM conflict resolution — gives you the precision of rule-based systems with the flexibility of natural language understanding. And the storage layer, with its pluggable backends and automatic embedding generation, ensures that policy matching stays fast and accurate as your policy library grows.</p> <p>Perhaps most importantly, the <code>.cuga</code> folder and CLI tooling make policies a first-class engineering artifact: version-controlled, reviewable in PRs, testable in CI, and deployable independently of your agent code. This is what production-grade AI governance looks like.</p> <blockquote> <p>The goal is not to constrain what your AI agent can do — it's to ensure that what it does is always intentional, auditable, and aligned with the rules of your business.</p> </blockquote> <p>Whether you are deploying a customer-facing support agent, an internal SRE copilot, or a multi-tenant enterprise product, the CUGA policy system gives you the tools to run AI agents with confidence.</p> <h2> Try it, star us, give feedback </h2> <p>We'd love for you to try CUGA Policies and tell us what works — and what doesn't. If you find it useful, star us on GitHub and share your feedback so we can keep improving. Policies are a key part of our mission to make AI agents safe and reliable enough for real production use.</p> <p><strong>Try policies in your agent</strong> — <a href="https://github.com/cuga-project/cuga-agent?tab=readme-ov-file#quick-start" rel="noopener noreferrer">Quick Start</a>: add a <code>.cuga/</code> folder, define a few guards or playbooks, and see how behavior changes without touching your code.</p> <p><strong>Star us on GitHub</strong> — it helps others discover CUGA and lets us know you value what we're building.</p> <p><strong>Give us feedback</strong> — open an issue, join our Discord, or reach out. We read every piece of feedback and use it to prioritize what to build next.</p> <p><em>CUGA Team</em></p> ai agents mcp