{
  "schema_version": "2026-05-15.policy.v1",
  "id": "default-agent-policy",
  "name": "TokRepo Default Agent Policy",
  "default_action": "plan_first",
  "description": "Baseline policy for autonomous agents using TokRepo. It favors discovery, verification, dry-run, and staging before activation.",
  "rules": [
    {
      "id": "deny-secret-upload",
      "when": {
        "operation": "push",
        "file_contains": ["secret", "api_key", "private_key", "token"]
      },
      "action": "deny",
      "reason": "Agents must never publish secrets or credential-like material."
    },
    {
      "id": "require-verify-before-install",
      "when": {
        "operation": "install",
        "verification_status": "missing"
      },
      "action": "plan_first",
      "reason": "Call tokrepo_verify or tokrepo verify before activation so hashes, policy, and permissions are explicit."
    },
    {
      "id": "stage-global-config",
      "when": {
        "permission_envelope.global_config_write": true
      },
      "action": "stage",
      "reason": "Global config writes should be staged or explicitly approved by the user."
    },
    {
      "id": "confirm-code-execution",
      "when": {
        "permission_envelope.executes_code": true
      },
      "action": "confirm",
      "reason": "Executable assets require an explicit confirmation boundary."
    },
    {
      "id": "confirm-network-or-secrets",
      "when": {
        "any": [
          { "permission_envelope.network": true },
          { "permission_envelope.requires_secrets": "non_empty" }
        ]
      },
      "action": "confirm",
      "reason": "Network access and secret requirements must be surfaced to the user and explicitly confirmed."
    },
    {
      "id": "block-deny-policy",
      "when": {
        "policy_decision.decision": "deny"
      },
      "action": "deny",
      "reason": "TokRepo install policy denied the asset."
    },
    {
      "id": "allow-low-risk-reviewed-assets",
      "when": {
        "policy_decision.decision": "allow",
        "trust_score_v2.status": "trusted",
        "permission_envelope.executes_code": false,
        "permission_envelope.global_config_write": false,
        "permission_envelope.network": false
      },
      "action": "plan_first",
      "reason": "Even trusted low-risk assets should still go through the install plan before writes."
    }
  ],
  "required_sequence": [
    "tokrepo_discover",
    "tokrepo_detail",
    "tokrepo_verify",
    "tokrepo audit when a persistent trust-history snapshot is needed",
    "tokrepo_install_plan",
    "dry-run or stage",
    "install after policy allows or user confirms",
    "post_verify",
    "tokrepo agent-handoff --json when reusable improvements exist"
  ],
  "telemetry": {
    "allowed": ["anonymous aggregate funnel events"],
    "disabled_by": "TOKREPO_TELEMETRY=0",
    "never_send": ["task text", "file contents", "secrets", "private repository contents"]
  },
  "funnel_events": [
    "init_agent",
    "tokrepo_discover",
    "agent_check",
    "verify_asset",
    "audit_asset",
    "install_plan",
    "install_dry_run",
    "install_apply",
    "agent_handoff",
    "push"
  ]
}
