Skip to main content

Policy Engine

The Policy Engine is Phase 1 of CLPI (Card Lifecycle & Policy Intelligence) — the governance layer that transforms alignment cards into lifecycle-managed artifacts with policy enforcement, trust recovery, risk intelligence, and on-chain anchoring.
The policy engine translates Alignment Card declarations into enforceable rules over concrete tools. An alignment card says an agent may perform web_fetch. The capabilities section of the same card says web_fetch means mcp__browser__navigate and mcp__browser__click — but not mcp__filesystem__delete. The card declares intent. The enforcement section enforces it.
Since UC-4 (2026-04-15), policy is part of the alignment card, not a separate artifact. The capabilities, enforcement, and per-capability forbidden rules live as sections of the unified card. There is no standalone policy YAML file, no PUT /v1/agents/:id/policy endpoint, and no mnemom policy CLI group. Use mnemom card evaluate + PUT /v1/agents/{id}/alignment-card instead. See the policy management guide for the customer workflow and the migration guide if you’re coming from the pre-UC model.
The policy engine is a parallel enforcement layer to alignment enforcement (observe/nudge/enforce). Alignment enforcement checks agent behavior against card values. Policy enforcement checks tool usage against the card’s capabilities + enforcement sections. Both run independently and produce separate verdicts.

How the engine reads the card

The policy engine reads three sections of the canonical (composed) alignment card:
SectionPurpose
capabilitiesBridge card-level semantic actions (web_fetch, read_file) to concrete tool glob patterns (mcp__browser__*)
enforcement.forbiddenTools that are always blocked, regardless of mappings
enforcement (top-level knobs)Fallback behavior for unmatched tools — default_mode, unmapped_tool_action, grace_period_hours
Two optional card sections extend the model:
SectionPurpose
autonomy.escalation_triggersConditions that trigger escalation regardless of individual tool verdicts
autonomy.max_autonomous_valueCurrency-denominated ceiling on autonomous actions
The full normative schema for these sections is at /specifications/alignment-card-schema.

Example excerpt of a card’s policy sections

# ... (values, principal, autonomy sections omitted) ...

capabilities:
  web_browsing:
    description: "Browser-based research and navigation"
    tools:
      - "mcp__browser__*"
    card_actions:
      - web_fetch
      - web_search

  file_reading:
    tools:
      - "mcp__filesystem__read*"
      - "mcp__filesystem__list*"
    card_actions:
      - read_file

enforcement:
  default_mode: warn              # warn | enforce | off
  unmapped_tool_action: warn      # allow | warn | deny
  unmapped_severity: medium
  grace_period_hours: 24
  forbidden:
    - pattern: "mcp__filesystem__delete*"
      reason: "File deletion not permitted"
      severity: critical
    - pattern: "mcp__shell__*"
      reason: "Shell execution not permitted"
      severity: high

Three evaluation contexts

The same capabilities + enforcement sections are evaluated at three stages, each with different inputs and consequences.

CI/CD evaluation

Static evaluation runs in pipelines before deployment. It validates the card against the unified schema and evaluates its policy sections against a declared tool list.Commands:
# Validate the card (schema + structure)
mnemom card validate card.yaml

# Evaluate the card's policy against a tool list
mnemom card evaluate card.yaml --tools mcp__browser__navigate,mcp__slack__post_message
What it checks:
  • Card YAML conforms to the unified schema (capability glob validity, enforcement-mode enums, forbidden-rule structure).
  • Capability card_actions reference actions that exist in autonomy.bounded_actions.
  • Each tool in the --tools list matches a capability, hits a forbidden rule, or falls through to the unmapped_tool_action default.
  • Coverage report identifies card actions with no backing capability mapping.
Use case: pre-deploy gates. See the CI/CD policy gates guide for GitHub Actions + GitLab CI templates.

Capability mapping

Capability mappings are the core of the card’s policy sections. They bridge the gap between what the card declares (abstract actions like web_fetch) and what agents actually invoke (concrete tool names like mcp__browser__navigate).

Structure

Each capability has a name, a list of tool glob patterns, and a list of card actions it satisfies: 
capabilities:
  web_browsing:
    tools:
      - "mcp__browser__navigate"
      - "mcp__browser__click"
      - "mcp__browser__screenshot"
    card_actions:
      - web_fetch
      - web_search

  database_read:
    tools:
      - "mcp__postgres__query"
      - "mcp__postgres__list_tables"
    card_actions:
      - read_data

Glob patterns

Tool patterns support standard glob syntax for flexible matching:
PatternMatches
mcp__browser__*All browser tools (navigate, click, screenshot, etc.)
mcp__filesystem__read*read_file, read_directory, read_metadata
mcp__*__list*Any MCP server’s list operations
custom_tool_v?custom_tool_v1, custom_tool_v2, etc.
Start with broad globs during initial card development, then tighten them as you understand which specific tools your agent uses. A mapping like mcp__browser__* is fine for week one. By month two, enumerate the specific tools.

How matching works

When the policy engine evaluates a tool, it follows this order:
  1. Forbidden check: does the tool match any enforcement.forbidden[].pattern? If yes, the tool is a violation regardless of capability mappings.
  2. Capability match: does the tool match any capabilities[*].tools glob? If yes, the tool is allowed and mapped to the corresponding card actions.
  3. Default fallback: if neither forbidden nor mapped, apply enforcement.unmapped_tool_action.
A tool can match multiple capabilities. This isn’t an error — it means the tool satisfies multiple card actions (e.g., a file-read tool satisfying both read_file and read_source_code).

Enforcement modes

enforcement.default_mode is the card’s policy-enforcement posture:

Warn

Log violations but do not block. X-Policy-Verdict: warn header returned. Default mode.

Enforce

Block requests with policy violations. X-Policy-Verdict: fail header returned. HTTP 403 for non-streaming requests.

Off

Skip policy evaluation entirely. No X-Policy-Verdict header. No performance overhead.
Policy enforcement (enforcement.default_mode) and alignment enforcement (integrity.enforcement_mode) are parallel systems. Setting alignment enforcement to enforce does not affect policy enforcement, and vice versa. An agent can be in alignment observe mode and policy enforce mode simultaneously — meaning alignment violations are logged but policy violations are blocked.

Relationship to alignment enforcement

SystemCard sectionWhat it checksVerdict source
Alignment enforcementintegrity.enforcement_modeAgent behavior against card values and autonomy envelopeAIP integrity checkpoints, AAP verification
Policy enforcementenforcement.default_modeTool usage against policy rules and capability mappingsPolicy engine evaluation
Both systems produce independent verdicts. Both are surfaced in the conscience timeline and observability exports.

Forbidden rules

enforcement.forbidden defines tools that must never be used, regardless of capability mappings. They’re always checked first in the evaluation pipeline. 
enforcement:
  forbidden:
    - pattern: "mcp__filesystem__delete*"
      reason: "File deletion not permitted"
      severity: critical
    - pattern: "mcp__shell__*"
      reason: "Shell execution not permitted"
      severity: high
    - pattern: "mcp__*__drop_table"
      reason: "Table deletion not permitted"
      severity: critical
    - pattern: "mcp__email__send_bulk*"
      reason: "Bulk email sending restricted"
      severity: medium
Each rule has three fields:
FieldTypeDescription
patternstring (glob)Tool name pattern to match
reasonstringHuman-readable explanation for auditing
severityenumcritical, high, medium, or low
Policy enforcement.forbidden rules complement alignment card autonomy.forbidden_actions. Card forbidden actions declare intent (“this agent must never delete files”). Policy forbidden rules enforce that intent at the tool level (“block all tools matching mcp__filesystem__delete*”). Both are checked — card-level by alignment enforcement, tool-level by policy enforcement.

Unmapped tool handling

When a tool does not match any capability or forbidden rule, enforcement.unmapped_tool_action determines what happens. 
enforcement:
  unmapped_tool_action: warn
  unmapped_severity: medium
  grace_period_hours: 24

Unmapped tool actions

ActionBehavior
denyTreat the unmapped tool as a violation. Blocked in enforce mode.
warnLog a warning but allow the tool invocation. Default.
allowSilently permit the tool. No log entry.

Choosing the right default

Use allow during early development when tool sets are still evolving. This avoids noise from constantly changing tool inventories.

Grace period

New tools appear when agents gain new MCP server connections or when tool providers add capabilities. The grace period prevents these newly discovered tools from immediately becoming violations. 
enforcement:
  grace_period_hours: 24
How it works:
  1. The policy engine tracks when each tool is first seen via tool_first_seen records.
  2. When an unmapped tool is encountered, the engine checks how long ago it was first seen.
  3. If the tool was first seen within the grace period window, it is treated as allow regardless of unmapped_tool_action.
  4. After the grace period expires, the tool falls back to the configured unmapped_tool_action.
This gives operators time to amend the card’s capabilities section after adding new tools or MCP servers, without immediately triggering violations in enforce mode.
The default grace period is 24 hours. Set it to 0 to disable grace periods entirely (strict mode). Set it higher (48–72 hours) for teams that deploy on weekly cycles and need more time to update cards.

Composition across scopes

In organizations with multiple agents, the capabilities and enforcement sections compose from platform → org → agent scopes per card composition rules. These are merged at storage time, not request time: every gateway read hits the pre-composed canonical card.

Merge rules

SectionMerge strategyEffect
capabilitiesUnionAgent can add new capabilities but cannot remove platform or org capabilities
enforcement.forbiddenDeny-overrides unionBoth org and agent forbidden rules are enforced; agent cannot subtract
enforcement.default_modeStrictest wins (enforce > warn > off)Agent can tighten, not loosen
enforcement.unmapped_tool_actionOrg is floorAgent can strengthen (allowwarndeny) but cannot weaken
autonomy.escalation_triggersUnionBoth org and agent triggers are evaluated

Strengthening enforcement

The org mode acts as a floor; the agent can only move in the stricter direction: 
allow → warn → deny     (unmapped_tool_action)
off   → warn → enforce  (default_mode)
If the org sets unmapped_tool_action: warn, an agent can set it to deny (stricter) but not allow (weaker).

Transaction guardrails

Transaction-scoped cards can further restrict the composed enforcement via intersection semantics. A transaction guardrail can only narrow what’s permitted — never expand it. 
# Transaction-level override: restrict to read-only tools for this operation
transaction_guardrails:
  allowed_capabilities:
    - file_reading
    - database_read
  # All other capabilities are denied for this transaction

Coverage report

Every mnemom card evaluate run produces a coverage report that quantifies how well the card’s capabilities section maps to its autonomy.bounded_actions. This identifies gaps between what the card declares and what the policy actually covers.

Coverage metrics

MetricDescription
total_card_actionsNumber of actions declared in the card’s autonomy.bounded_actions
mapped_card_actionsNumber of card actions covered by at least one capability
unmapped_card_actionsCard actions with no corresponding capability
coverage_pctmapped_card_actions / total_card_actions * 100

Example output

{
  "coverage": {
    "total_card_actions": 8,
    "mapped_card_actions": 6,
    "unmapped_card_actions": 2,
    "coverage_pct": 75.0,
    "unmapped_actions": [
      "send_notification",
      "generate_report"
    ],
    "mapped_actions": {
      "web_fetch": ["web_browsing"],
      "web_search": ["web_browsing"],
      "read_file": ["file_reading"],
      "read_data": ["database_read"],
      "write_data": ["database_write"],
      "compare": ["data_analysis"]
    }
  }
}
A coverage percentage below 100% means some card actions have no backing capability mapping. Tools implementing those actions will fall through to enforcement.unmapped_tool_action. Aim for 100% coverage in production cards.

Using coverage in CI/CD

# Evaluate a card and fail if coverage is below threshold
mnemom card evaluate \
  card.yaml \
  --tools mcp__browser__navigate,mcp__filesystem__read_file \
  --min-coverage 90

# Exit code 1 if coverage < 90%
This integrates naturally into pre-deploy gates: a card change that reduces coverage below the threshold blocks the merge. See CI/CD policy gates for the full pipeline template.

Putting it together

Here’s the full alignment card for a research agent that can browse the web and read files but cannot delete anything or execute shell commands: 
card_version: unified/2026-04-15
card_id: ac-research-agent-v2
agent_id: mnm-your-agent-id
issued_at: "2026-03-04T00:00:00Z"

principal:
  type: human
  relationship: delegated_authority

values:
  declared: [transparency, harm_prevention, accuracy]

autonomy:
  bounded_actions:
    - inference
    - web_fetch
    - web_search
    - read_file
    - search
  forbidden_actions:
    - delete_files
    - execute_shell
    - exfiltrate_data

capabilities:
  web_browsing:
    description: "Browser-based research and navigation"
    tools:
      - "mcp__browser__navigate"
      - "mcp__browser__click"
      - "mcp__browser__screenshot"
      - "mcp__browser__evaluate_script"
    card_actions: [web_fetch, web_search]

  file_reading:
    tools:
      - "mcp__filesystem__read_file"
      - "mcp__filesystem__list_directory"
    card_actions: [read_file]

  search:
    tools:
      - "mcp__search__query"
      - "mcp__search__suggest"
    card_actions: [search]

enforcement:
  default_mode: warn
  unmapped_tool_action: warn
  unmapped_severity: medium
  grace_period_hours: 24
  forbidden:
    - pattern: "mcp__filesystem__delete*"
      reason: "File deletion not permitted for research agents"
      severity: critical
    - pattern: "mcp__filesystem__write*"
      reason: "File writing not permitted for research agents"
      severity: high
    - pattern: "mcp__shell__*"
      reason: "Shell execution never permitted"
      severity: critical

audit:
  trace_format: ap-trace-v1
  retention_days: 90
  tamper_evidence: append_only

Limitations

  • Policy evaluation adds latency to gateway requests (typically under 5 ms for cards with fewer than 100 capability patterns).
  • Glob patterns match tool names only, not tool arguments. A tool can be permitted by policy but still violate alignment constraints based on how it’s called.
  • Grace periods are tracked per-agent, not per-card-version. Updating a card doesn’t reset grace-period timers for previously seen tools.
  • Coverage reports require a valid autonomy.bounded_actions list. Agents with an empty envelope get a coverage report with 0% coverage (no denominator).

See also