Skip to main content

Policies and enforcement

Policy enforcement is designed to be deterministic and pre-execution.

Enforcement lifecycle

For each governed command (install, publish, run, test):

resolve authenticated identity and active workspace context
fetch latest policy snapshot (with safe fallback behavior)
evaluate request at org, team, and user scope
produce verdict (ALLOW, WARN, BLOCK)
emit audit event
execute command only when policy permits

Policy precedence

Recommended precedence model:

global/system safety rules (highest priority)
organization baseline rules
team-specific rules
user-specific overrides (lowest priority)

When conflicting rules exist, deny-first handling should win unless explicitly approved by policy model.

Verdict meanings

ALLOW: execution proceeds normally
WARN: execution proceeds, warning is recorded for visibility
BLOCK: execution is terminated before package-manager side effects

Emergency continuity

Break-glass behavior exists for operational continuity:

emergency override must be enabled by admin in dashboard
CLI caller must have authorized role to use --admin-skip
bypass usage should always be audited

Recommended policy categories

denied package names / scopes
publish destination and registry constraints
file leak preflight controls for publish
package metadata and provenance checks
size jump and anomaly checks

Enforcement lifecycle
Policy precedence
Verdict meanings
Emergency continuity
Recommended policy categories