Pramiti Docs

Policy Decision Point

ALLOW, DENY, REWRITE, ESCALATE — the core evaluation pipeline

The Policy Decision Point (PDP) is the core of Aegis. It evaluates every proposed agent action against workspace-scoped constraints and returns a deterministic verdict.

How It Works

AegisRouter (router.py)

The AegisRouter class is the top-level orchestrator:

  1. Parses the namespaced tool name (e.g., salesforce.update_contact)
  2. Resolves the workspace and agent identity
  3. Calls the policy engine to evaluate constraints
  4. Records an attestation for every decision
  5. Routes allowed calls to the downstream server

Evidence classification (_classify_evidence()) determines the quality of evidence used for the decision — higher-quality evidence (steward-confirmed constraints) produces higher-confidence verdicts.

AegisPolicyEngine (policy_engine.py)

The AegisPolicyEngine evaluates workspace-scoped constraints:

decision = engine.evaluate(
    tool_name="salesforce.update_contact",
    arguments={"contact_id": "123", "email": "new@example.com"},
    agent_id="agent-7",
    workspace_id=workspace_id
)
# decision.verdict: "allow" | "deny" | "rewrite" | "escalate"
# decision.reasons: list of constraint evaluation results
# decision.rewrites: list of field modifications (for REWRITE verdicts)

The policy engine supports:

  • 10 comparison operators: eq, neq, gt, gte, lt, lte, in, not_in, regex, glob
  • Compound logic: all (AND) and any (OR) combinators
  • Dot-notation field access: arguments.amount, arguments.contact.email
  • Value references: value_ref for dynamic constraint values
  • Glob matching: Tool name patterns like salesforce.* or *.delete_*

AegisMCPGate (mcp_gate.py)

The enforcement point for MCP tool calls. Every tool call passes through the gate:

  1. Resolves agent identity from headers (extract_agent_identity())
  2. Calls the policy engine for evaluation
  3. Handles REWRITE verdicts by applying safe transformations
  4. Records attestations via the attestation store
  5. Formats tiered error responses (agents get sanitized errors, not internal details)

The GateResult dataclass carries the verdict, modified arguments (for rewrites), and the attestation ID.

Architecture

Agent Request

AegisMCPGate (enforcement point)

AegisPolicyEngine (constraint evaluation)
    ↓                    ↓
JSON Predicates     SHACL Shapes
(auto-tier)         (formal-tier)
    ↓                    ↓
PolicyDecision (verdict + reasons)

AttestationStore (signed record)

Execute or Block

Configuration

Constraints are managed via the REST API:

POST /api/v1/aegis/constraints
{
  "workspace_id": "ws-1",
  "tool_patterns": ["salesforce.update_*"],
  "tier": "auto",
  "predicate": {
    "all": [
      {"field": "arguments.amount", "op": "lte", "value": 10000},
      {"field": "arguments.status", "op": "neq", "value": "deleted"}
    ]
  },
  "verdict_on_match": "deny"
}

Technical Details

  • Read actions (determined by _is_read_action() heuristic and the ToolActionClassifier) are pass-through by default
  • Regex evaluation has a 1-second timeout to prevent ReDoS attacks (_eval_regex_with_timeout())
  • The gate formats errors with _format_error() which strips internal details before returning to agents
  • All verdicts are recorded — both ALLOW and DENY produce attestation records for audit completeness

On this page