Policies define governance rules that control how tools can be executed. Use policies to enforce rate limits, require approvals, mask sensitive data, and more.

What are Policies?

Policies are rules that apply to tool executions. They can:
  • Require Approvals: Block execution until approved
  • Limit Rates: Restrict calls per time window
  • Set Quotas: Limit total usage per period
  • Mask Fields: Redact sensitive data from responses
  • Deny Access: Block specific tools or principals
  • Allow Access: Explicitly permit (bypass other rules)

Policy Scopes

Policies can apply at different levels:

| Scope | Applies To |
| --- | --- |
| Global | All tool executions tenant-wide |
| Collection | All tools in a specific Collection |
| Tool | A specific tool only |
| Principal | Requests from a specific Principal |

Use more specific scopes (Tool, Principal) for fine-grained control, and global scopes for organization-wide rules.

Creating Policies

  1. Navigate to Policies: Click Policies in the sidebar (under Governance).
  2. Create Policy: Click Create Policy.
  3. Configure Scope: Choose the policy scope:
       • Global: Applies to all tools
       • Collection: Select a specific Collection
       • Tool: Select a specific tool
       • Principal: Select a specific Principal
  4. Add Rules: Add one or more rules (see Rule Types below).
  5. Set Priority: Set priority (higher = evaluated first).
  6. Save: Click Save to create the policy.

Rule Types

Approval Rules

Require approval before execution:
  • Auto-approve: Automatically approve (useful for logging)
  • Single Approver: Require one approval
  • Multi-approver: Require multiple approvals
  • Approvers: Select who can approve

Rate Limit Rules

Limit calls per time window:
  • Window: Per minute, per hour, or per day
  • Limit: Maximum calls per window
  • Scope: All principals or specific ones
Rate limits are enforced per Principal by default. Use specific Principal scopes for per-user limits.

Quota Rules

Limit total usage per period:
  • Period: Daily or monthly
  • Limit: Maximum calls per period
  • Scope: All principals or specific ones
Quotas are hard limits. Once exceeded, the tool is unavailable until the quota resets.

Field Masking Rules

Redact sensitive fields:
  • Input Masking: Hide fields in request logs
  • Output Masking: Redact fields from responses
  • Fields: List of field paths to mask (JSONPath)

Deny Rules

Block execution entirely:
  • Condition: Optional condition expression
  • Message: Error message to return

Allow Rules

Explicitly permit execution:
  • Bypass: Bypass other rules
  • Condition: Optional condition expression

Policy Evaluation

Policies are evaluated in priority order:
  1. Higher Priority First: Policies with higher priority are evaluated first
  2. Terminal Decisions: Some rules stop evaluation (DENY, PENDING_APPROVAL)
  3. Continue Evaluation: Other rules continue (ALLOW, RATE_LIMITED)
Once a terminal decision is reached (DENY, PENDING_APPROVAL), evaluation stops. ALLOW rules can bypass other rules.

Condition Expressions

Policies can include conditions:
// Example: Only apply to specific tools
tool.name === 'sf_query'

// Example: Only apply during business hours
hour >= 9 && hour <= 17

// Example: Only apply to high-risk operations
tool.riskLevel === 'HIGH'
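
The evaluation order and condition expressions described above, as an added sketch that is not Hypha's own engine: it shows why a DENY in a low-priority policy never runs when a higher-priority terminal rule or bypass ALLOW matches first. The policy shape (`priority`, `rules`, `decision`, `when`, `bypass`), the principal `svc-batch`, the tool `other_tool` and the `NO_MATCH` outcome are assumptions.

```javascript
// Added sketch, not Hypha's engine. Field names (priority, rules, decision, when,
// bypass), 'svc-batch', 'other_tool' and the NO_MATCH outcome are assumptions.
const TERMINAL = new Set(['DENY', 'PENDING_APPROVAL']);

function evaluate(policies, ctx) {
  const trace = [];
  let outcome = 'NO_MATCH'; // the page does not state a default, so none is assumed
  // Higher priority is evaluated first.
  const ordered = [...policies].sort((a, b) => b.priority - a.priority);
  for (const policy of ordered) {
    for (const rule of policy.rules) {
      if (rule.when && !rule.when(ctx)) continue; // the condition is optional
      trace.push(`${policy.name}:${rule.decision}`);
      // DENY and PENDING_APPROVAL stop evaluation; so does ALLOW with bypass (assumed).
      if (TERMINAL.has(rule.decision) || rule.bypass) {
        return { decision: rule.decision, trace };
      }
      outcome = rule.decision; // plain ALLOW: keep evaluating lower priorities
    }
  }
  return { decision: outcome, trace };
}

// Constructed policies built from the condition expressions shown above.
const POLICIES = [
  { name: 'global-deny-high-risk', priority: 10, rules: [
    { decision: 'DENY', when: c => c.tool.riskLevel === 'HIGH' } ] },
  { name: 'approve-sf-query', priority: 50, rules: [
    { decision: 'PENDING_APPROVAL', when: c => c.tool.name === 'sf_query' } ] },
  { name: 'batch-bypass', priority: 100, rules: [
    { decision: 'ALLOW', bypass: true,
      when: c => c.principal === 'svc-batch' && c.hour >= 9 && c.hour <= 17 } ] },
];

const call = (principal, name, riskLevel, hour) =>
  evaluate(POLICIES, { principal, hour, tool: { name, riskLevel } });

// For sf_query the priority-10 DENY is never reached: a higher-priority
// terminal rule or bypass ALLOW decides first.
console.log(call('alice', 'sf_query', 'HIGH', 10));
console.log(call('svc-batch', 'sf_query', 'HIGH', 10));
console.log(call('svc-batch', 'sf_query', 'HIGH', 22));
console.log(call('alice', 'other_tool', 'HIGH', 10));
```

When reviewing a real policy set, a trace like this makes it easy to spot deny rules that sit below a broader approval or bypass rule.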

Best Practices

  • Start with Global: Create global policies for organization-wide rules
  • Use Specific Scopes: Use tool/principal scopes for fine-grained control
  • Set Priorities: Use priorities to control evaluation order
  • Test Policies: Test policies in Playground before production

Next Steps

  • Set Up Approvals: Configure approval workflows
  • View Audit Logs: Monitor policy enforcement