
Centralised policies


Author and distribute named policy bundles from the dashboard.

Pro

A policy is a named bundle of (scoring thresholds, filter configs, profile overrides, channel mappings) that can be applied to any subset of the team. Use policies to manage different security postures across roles, projects, or environments without editing each developer's local config.

Anatomy

A policy declares:

  • Profile override — which supervisor profile to use as the baseline.
  • Threshold overrides — proxy.auto_allow_threshold, auto_deny_threshold.
  • Filter overrides — paths.toml, egress.toml, etc. (any subset).
  • Channel allowlist — which notification channels can be used.
  • Capability tightening — narrow the capability set beyond the profile default.

Example policy bundle from the dashboard:

[policy.tight-prod]
description = "Hardened policy for production-touching sessions"

[policy.tight-prod.thresholds]
auto_allow_threshold = 2.0
auto_deny_threshold  = 6.0

[policy.tight-prod.profile]
override = "minimal"

[policy.tight-prod.filters.egress]
content = """
[[deny]]
host = "*"
score = 5.0
[[allow]]
host = "internal.acme.com"
score = -2.0
"""

[policy.tight-prod.channels]
allowed = ["pagerduty", "slack-prod"]

Applying

In the dashboard, policies are applied either:

  • By default — every device in the team gets it as the baseline.
  • By role — assigned to a tag, applied to devices with that tag.
  • By session — devices pick the policy at grith exec time with --policy <name>.

Session-time selection

grith exec --profile claude-code --zone dayjob --policy tight-prod -- claude

The --policy overlay applies on top of the resolved profile + zone. Useful for "this is a production-touching session, tighten everything".

If --policy isn't passed, the device's default policy is used.
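As an added illustration of the overlay semantics described above (example code, not grith's own implementation): a small resolver that lays a policy bundle over a device's already-resolved profile + zone. Overrides replace values, while channel and capability allowlists can only narrow what the base already grants. The capabilities.allowed key, the base config and the sample filter contents are assumptions constructed for this example.

```python
from copy import deepcopy

# Constructed: what a device has resolved from profile + zone before the --policy overlay.
BASE = {
    "profile": "standard",
    "thresholds": {"auto_allow_threshold": 3.0, "auto_deny_threshold": 8.0},
    "filters": {
        "paths": '[[deny]]\npath = "~/.ssh/*"\nscore = 4.0\n',
        "egress": '[[allow]]\nhost = "*"\nscore = 0.0\n',
    },
    "channels": ["slack-dev", "slack-prod", "pagerduty", "email"],
    "capabilities": {"read", "write", "net", "exec"},
}

# Constructed: the tight-prod bundle from this page as it looks once parsed from TOML.
# "capabilities.allowed" is a hypothetical key standing in for capability tightening.
TIGHT_PROD = {
    "thresholds": {"auto_allow_threshold": 2.0, "auto_deny_threshold": 6.0},
    "profile": {"override": "minimal"},
    "filters": {
        "egress": '[[deny]]\nhost = "*"\nscore = 5.0\n'
                  '[[allow]]\nhost = "internal.acme.com"\nscore = -2.0\n',
    },
    "channels": {"allowed": ["pagerduty", "slack-prod"]},
    "capabilities": {"allowed": ["read", "net"]},
}


def apply_policy(base: dict, policy: dict) -> dict:
    """Return a new config with `policy` overlaid on `base`; `base` is left untouched."""
    out = deepcopy(base)
    if "profile" in policy:                      # profile override replaces the baseline
        out["profile"] = policy["profile"]["override"]
    out["thresholds"].update(policy.get("thresholds", {}))
    allow = out["thresholds"]["auto_allow_threshold"]
    deny = out["thresholds"]["auto_deny_threshold"]
    if not allow < deny:                         # a partial override must not invert the band
        raise ValueError(f"auto_allow_threshold {allow} must be below auto_deny_threshold {deny}")
    out["filters"].update(policy.get("filters", {}))   # filters not named keep base content
    if "channels" in policy:                     # allowlist: drop channels the policy omits,
        allowed = set(policy["channels"]["allowed"])    # never add ones the base lacks
        out["channels"] = [c for c in out["channels"] if c in allowed]
    if "capabilities" in policy:                 # tightening: intersection only, never widening
        out["capabilities"] = out["capabilities"] & set(policy["capabilities"]["allowed"])
    return out
```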

Lifecycle

Policies are versioned in the dashboard:

  • Edit → save as draft → preview → publish.
  • Published policies replace the prior version on next device sync.
  • Rollback to a prior version is one click in the dashboard; the device picks it up on next sync.

Use cases

  • Per-environment policies — dev, staging, prod with progressively tighter scoring.
  • Per-role policies — engineer vs. oncall vs. incident-responder, each with different notification + threshold settings.
  • Compliance policies — a pci-touching policy that auto-denies anything egressing to non-allowlisted destinations.

Auditing policy changes

Every policy edit is recorded in the dashboard's audit log:

  • Who edited.
  • When.
  • What changed (diff vs. prior version).

For Enterprise compliance setups, this audit is exportable as part of Compliance reporting.

Last updated: 2026-05-14
© 2026 grith. All rights reserved.