Why Go
- Case Studies
  
  Common problems companies solve with Go
- Use Cases
  
  Stories about how and why companies use Go
- Security
  
  How Go can help keep you secure by default
Learn
Docs
- Effective Go
  
  Tips for writing clear, performant, and idiomatic Go code
- Go User Manual
  
  A complete introduction to building software with Go
- Standard library
  
  Reference documentation for Go's standard library
- Release Notes
  
  Learn what's new in each Go release
Packages
Community
- Recorded Talks
  
  Videos from prior events
- Meetups
  
  Meet other local Go developers
- Conferences
  
  Learn and network with Go developers from around the world
- Go blog
  
  The Go project's official blog.
- Go project
  
  Get help and stay informed from Go
- Get connected

policy

package

Go to main page

Versions in this module

v0

v0.1.1-20260304232444-b3de41b

Mar 4, 2026

v0.1.0

Feb 24, 2026

Changes in this version

+ var BannedCommands = []string

+ var BannedSubcommandPatterns = []BannedSubcommand

+ var DangerousPipePatterns = []*regexp.Regexp

+ var ProtectedFiles = []string

+ func MergeUserDenylist(userDenied []string) []string

+ type BannedSubcommand struct

+ Args []string

+ Command string

+ Flags []string

+ type BashCheckResult struct

+ Allowed bool

+ InputTokens int

+ OutputTokens int

+ Reason string

+ type BashChecker struct

+ AllowedDirs []string

+ LLMChecker func(ctx context.Context, command string, allowedDirs []string) (*BashCheckResult, error)

+ OnDecision func(command, step string, allowed bool, reason string, durationMs int64, ...)

+ UserDeniedCommands []string

+ Workspace string

+ func NewBashChecker(workspace string, allowedDirs, userDeniedCommands []string) *BashChecker

+ func (c *BashChecker) Check(ctx context.Context, command string) (bool, string, error)

+ func (c *BashChecker) CheckDeterministic(command string) (bool, string)

+ func (c *BashChecker) SetLLMChecker(checker LLMPolicyChecker)

+ type GenerateResult struct

+ Content string

+ InputTokens int

+ OutputTokens int

+ type LLMPolicyChecker interface

+ CheckBashCommand func(ctx context.Context, command string, allowedDirs []string) (*BashCheckResult, error)

+ type LLMProvider interface

+ Generate func(ctx context.Context, prompt string) (*GenerateResult, error)

+ type MCPPolicy struct

+ AllowedTools []string

+ DefaultDeny bool

+ type Policy struct

+ ConfigDir string

+ DefaultDeny bool

+ HomeDir string

+ MCP *MCPPolicy

+ Security *SecurityPolicy

+ Tools map[string]*ToolPolicy

+ Workspace string

+ func LoadFile(path string) (*Policy, error)

+ func New() *Policy

+ func NewRestrictive() *Policy

+ func Parse(content string) (*Policy, error)

+ func (p *Policy) CheckCommand(tool, cmd string) (bool, string)

+ func (p *Policy) CheckDomain(tool, domain string) (bool, string)

+ func (p *Policy) CheckMCPTool(server, tool string) (bool, string, string)

+ func (p *Policy) CheckPath(tool, path string) (bool, string)

+ func (p *Policy) GetToolPolicy(tool string) *ToolPolicy

+ func (p *Policy) IsProtectedFile(path string) bool

+ func (p *Policy) IsToolEnabled(tool string) bool

+ type SecurityPolicy struct

+ ExtraKeywords []string

+ ExtraPatterns []string

+ type SmallLLMChecker struct

+ func NewSmallLLMChecker(provider LLMProvider) *SmallLLMChecker

+ func (c *SmallLLMChecker) CheckBashCommand(ctx context.Context, command string, allowedDirs []string) (*BashCheckResult, error)

+ func (c *SmallLLMChecker) SetSecurityScope(scope string)

+ type ToolPolicy struct

+ Allow []string

+ AllowDomains []string

+ AllowedDirs []string

+ Allowlist []string

+ Deny []string

+ Denylist []string

+ Enabled bool

+ RateLimit int

+ Sandbox string