
Policies & Security

Guard your AI agents with automated policy enforcement, kill switches, and access control.

Copy this prompt to your AI coding assistant

Set up comprehensive security policies in Execlave to protect my AI agents. Here's what you need to do using the Execlave REST API:

1. Create a Prompt Injection Detection policy (blocks malicious prompts):

curl -X POST http://localhost:4000/api/policies \
  -H "X-API-Key: <my-api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Block Prompt Injection",
    "policyType": "prompt_injection",
    "enforcementMode": "block",
    "config": { "threshold": 0.8, "scanInput": true, "scanOutput": false },
    "agentIds": [],
    "active": true
  }'

2. Create a PII Protection policy (detects and redacts personal information):

curl -X POST http://localhost:4000/api/policies \
  -H "X-API-Key: <my-api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "PII Protection",
    "policyType": "pii_detection",
    "enforcementMode": "log",
    "config": { "detectEmails": true, "detectSSNs": true, "detectCreditCards": true },
    "agentIds": [],
    "active": true
  }'

3. Create a Cost Limit policy (prevents runaway spending):

curl -X POST http://localhost:4000/api/policies \
  -H "X-API-Key: <my-api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Daily Cost Limit",
    "policyType": "cost_limit",
    "enforcementMode": "block",
    "config": { "maxCostPerDay": 50.00, "maxCostPerTrace": 1.00 },
    "agentIds": [],
    "active": true
  }'

4. Create a Rate Limit policy (prevents excessive usage):

curl -X POST http://localhost:4000/api/policies \
  -H "X-API-Key: <my-api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Agent Rate Limit",
    "policyType": "rate_limit",
    "enforcementMode": "block",
    "config": { "maxRequestsPerMinute": 60, "maxRequestsPerHour": 1000 },
    "agentIds": [],
    "active": true
  }'

5. Set up pre-execution enforcement in your code:

// JavaScript/TypeScript
import { ag } from './lib/execlave';

async function handleMessage(input: string) {
  // Check policies BEFORE calling the LLM
  const check = await ag.enforcePreExecution({
    agentId: 'my-chatbot',
    input: input,
    model: 'gpt-4',
  });

  if (!check.allowed) {
    return `Request blocked: ${check.violations[0].message}`;
  }

  // Safe to proceed with LLM call
  const response = await llm.call(input);
  return response;
}

These policies apply to ALL agents by default (empty agentIds array). To scope to specific agents, pass their UUIDs in the agentIds array.

How Policies Work

Policies are rules that govern how your AI agents operate. Each policy has a type (what it checks) and an enforcement mode (what happens on violation):

Log

Record the violation but allow the request to proceed. Good for monitoring.

Warn

Flag the request and notify admins. The request continues but is tracked.

Block

Reject the request entirely. The LLM call is prevented from executing.

Policies can be scoped to all agents or to specific agents by ID. Evaluation happens on trace ingestion and optionally via pre-execution checks.
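As an added illustration (not Execlave's own evaluator), the following shows how the three enforcement modes combine with the cost_limit and rate_limit configs and the agentIds scoping described on this page to produce a pre-execution decision. The usage counters passed in and the exact comparison rules are assumptions.

```javascript
// Added example (not Execlave's own code): a local evaluator showing how
// enforcement modes combine with the cost_limit and rate_limit configs
// from this page. The usage counters and comparison rules are assumptions.
const policies = [
  { name: 'Daily Cost Limit', policyType: 'cost_limit', enforcementMode: 'block',
    config: { maxCostPerDay: 50.0, maxCostPerTrace: 1.0 }, agentIds: [], active: true },
  { name: 'Agent Rate Limit', policyType: 'rate_limit', enforcementMode: 'warn',
    config: { maxRequestsPerMinute: 60, maxRequestsPerHour: 1000 }, agentIds: [], active: true },
];

// Returns a violation message, or null when the policy is satisfied.
function checkPolicy(policy, usage) {
  const c = policy.config;
  switch (policy.policyType) {
    case 'cost_limit':
      if (usage.estimatedTraceCost > c.maxCostPerTrace)
        return `trace cost ${usage.estimatedTraceCost} exceeds maxCostPerTrace ${c.maxCostPerTrace}`;
      if (usage.costToday + usage.estimatedTraceCost > c.maxCostPerDay)
        return `daily spend would exceed maxCostPerDay ${c.maxCostPerDay}`;
      return null;
    case 'rate_limit':
      if (usage.requestsLastMinute >= c.maxRequestsPerMinute)
        return `maxRequestsPerMinute ${c.maxRequestsPerMinute} reached`;
      if (usage.requestsLastHour >= c.maxRequestsPerHour)
        return `maxRequestsPerHour ${c.maxRequestsPerHour} reached`;
      return null;
    default:
      return null; // prompt_injection / pii_detection need content scanning, not covered here
  }
}

// Mirrors the shape of check.allowed / check.violations used in the prompt above.
function enforcePreExecution(policies, agentId, usage) {
  const violations = [];
  for (const p of policies) {
    // Empty agentIds means the policy applies to every agent.
    const inScope = !p.agentIds || p.agentIds.length === 0 || p.agentIds.includes(agentId);
    if (!p.active || !inScope) continue;
    const message = checkPolicy(p, usage);
    if (message) violations.push({ policy: p.name, mode: p.enforcementMode, message });
  }
  // "log" and "warn" record the violation but let the request through; only "block" rejects.
  const allowed = !violations.some((v) => v.mode === 'block');
  return { allowed, violations };
}
```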

Policy Types

Kill Switch

Instantly pause any agent when you detect issues. Paused agents reject all new trace submissions and LLM calls (SDK throws AgentPausedError).

Pause an Agent

# Via API
curl -X PATCH http://localhost:4000/api/agents/AGENT_ID/pause \
  -H "X-API-Key: ag_prod_xxx" \
  -H "Content-Type: application/json" \
  -d '{"reason": "Detected harmful outputs in production"}'

# Via Dashboard: Agents → Select Agent → Settings → Pause Agent

Resume an Agent

curl -X PATCH http://localhost:4000/api/agents/AGENT_ID/resume \
  -H "X-API-Key: ag_prod_xxx"

# Via Dashboard: Agents → Select Agent → Settings → Resume Agent

Handle in Your App

// The SDK automatically checks agent status before each trace
import { AgentPausedError } from '@execlave/sdk';

// tracedCall is your application's LLM call wrapped with the SDK's tracing
async function handleUserMessage(message) {
  try {
    const response = await tracedCall(message);
    return response;
  } catch (err) {
    if (err instanceof AgentPausedError) {
      // Show a friendly message to the user
      return 'This service is temporarily unavailable for maintenance.';
    }
    throw err;
  }
}

Agent-to-Agent Access Grants

In multi-agent systems, control which agents can invoke other agents. Access grants define allowed actions and optional expiration.

Available Actions

execute, read, write, delete, invoke, query, subscribe, delegate

# Grant agent-a permission to execute and read from agent-b
curl -X POST http://localhost:4000/api/agents/AGENT_A_UUID/grants \
  -H "X-API-Key: ag_prod_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "targetAgentId": "AGENT_B_UUID",
    "allowedActions": ["execute", "read"],
    "expiresAt": "2025-12-31T23:59:59Z"
  }'

# Check authorization before an agent-to-agent call
curl -X POST http://localhost:4000/api/agents/authorize \
  -H "X-API-Key: ag_prod_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "sourceAgentId": "agent-a",
    "targetAgentId": "agent-b",
    "action": "execute"
  }'
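As an added example (not Execlave's own authorizer), here is a local, default-deny check that mirrors what the authorize call above decides from grants: the action must be one of the available actions, a grant must exist in the calling direction, and the grant must not have passed its expiresAt. The grants are constructed, and the stored grant shape (the POST body plus the granting agent's id) is an assumption.

```javascript
// Added example (not Execlave's own authorizer): a local, default-deny check
// that mirrors what the /api/agents/authorize call above decides from grants.
// The grants below are constructed; the stored grant shape is assumed to
// follow the POST body on this page plus the granting agent's id.
const ALLOWED_ACTIONS = new Set([
  'execute', 'read', 'write', 'delete', 'invoke', 'query', 'subscribe', 'delegate',
]);

const grants = [
  { sourceAgentId: 'agent-a', targetAgentId: 'agent-b',
    allowedActions: ['execute', 'read'], expiresAt: '2025-12-31T23:59:59Z' },
  { sourceAgentId: 'agent-a', targetAgentId: 'agent-c',
    allowedActions: ['query'], expiresAt: null }, // no expiration
];

// Grants are directional: a grant from A to B says nothing about B calling A.
function isAuthorized(grants, sourceAgentId, targetAgentId, action, now = new Date()) {
  if (!ALLOWED_ACTIONS.has(action)) {
    return { allowed: false, reason: 'unknown action' };
  }
  let reason = 'no grant';
  for (const g of grants) {
    if (g.sourceAgentId !== sourceAgentId || g.targetAgentId !== targetAgentId) continue;
    // An expired grant must not keep granting; check the time before the action.
    if (g.expiresAt && new Date(g.expiresAt).getTime() <= now.getTime()) {
      reason = 'grant expired';
      continue;
    }
    if (!g.allowedActions.includes(action)) {
      reason = 'action not granted';
      continue;
    }
    return { allowed: true, reason: 'granted' };
  }
  return { allowed: false, reason }; // deny unless a live grant allows the action
}
```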

Webhook Notifications

Get notified in real-time when policy violations or anomalies occur.

Available Events

policy.violated, agent.paused, agent.resumed, trace.anomaly, cost.threshold

curl -X POST http://localhost:4000/api/webhooks \
  -H "X-API-Key: ag_prod_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-app.com/execlave-webhook",
    "events": ["policy.violated", "agent.paused"],
    "secret": "whsec_your_signing_secret"
  }'