
# Policies

> How policies control what your agents are allowed to do.

A **policy** is a rule that tells Anti AI what an agent is allowed to do.

Anti AI uses a **deny-by-default** model — if there's no policy that explicitly allows something, it's denied.

## How policies work

```
Agent requests: scope="stripe:charge:write"
                        ↓
Anti AI checks: does any policy allow this?
                        ↓
         Yes → issue token with that scope
         No  → deny with 403
```

## Policy language: Rego

Anti AI uses **Rego** — the policy language from Open Policy Agent (OPA).

```rego
package oculus.authz

# Deny-by-default: nothing is allowed unless a rule below says so.
default allow = false

# Allow the read scope only for agents whose status is "active".
allow {
    input.action == "stripe:customer:read"
    input.subject.status == "active"
}
```

*"By default, deny everything. Allow `stripe:customer:read` if the agent is active."*
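The following is an added example, not a policy from the Anti AI documentation, showing how the deny-by-default flow above extends to several of the scopes listed on this page: any active agent may hold a read scope, but the `stripe:charge:write` scope is granted only to agents on an explicit allowlist. The `input.subject.id` field and the `charge_writers` set are assumptions made for this example; the `input.action` and `input.subject.status` fields are the ones the page's own policy uses.

```rego
package oculus.authz

# Deny-by-default: `allow` is false unless one of the rules below matches.
default allow = false

# Read-only scopes that any active agent may be granted.
read_scopes := {"stripe:customer:read", "github:repo:read", "db:read"}

# Agents explicitly permitted to create Stripe charges.
# (Assumption for this example: the subject carries an `id` field.)
charge_writers := {"billing-agent"}

# Helper: the requesting agent must be active for anything to be allowed.
agent_active {
    input.subject.status == "active"
}

# Rule 1: an active agent may hold any scope in `read_scopes`.
allow {
    agent_active
    read_scopes[input.action]
}

# Rule 2: only an allow-listed active agent may hold the charge write scope.
# A request for any scope that matches neither rule falls through to
# `default allow = false` and is denied with 403.
allow {
    agent_active
    input.action == "stripe:charge:write"
    charge_writers[input.subject.id]
}
```

With this policy, an input of `{"action": "stripe:charge:write", "subject": {"id": "reporting-agent", "status": "active"}}` is denied because the agent is not in `charge_writers`, while the same request from `billing-agent` is allowed; a request from a suspended agent is denied regardless of scope because `agent_active` fails. Keeping write scopes behind a separate, narrower rule is what makes the least-privilege boundary visible in the policy itself.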

## Scope format

```
stripe:customer:read     ← read Stripe customers
stripe:charge:write      ← create Stripe charges
github:repo:read         ← read GitHub repos
db:read                  ← read from the database
aws:s3:read              ← read from S3
```

## Policy versioning

Every update saves the previous version. View history, compare versions, and roll back with one click.
