Policy Bundles (Catalog → Deployable Guardrails)
A policy bundle is deployable configuration that the Enforcement Proxy uses to make deterministic and semantic decisions.
How bundles are generated
- agent identity + owner
- environment tier (dev/test/prod)
- tool mappings + destination classes
- risk tier + data classification
- org defaults
MVP example structure
```json
{
  "meta": { "version": "1.0", "source": "FuseGov Catalog" },
  "stage1_rules": [
    {
      "id": "allow_internal_reads",
      "effect": "PERMIT",
      "conditions": { "destination_class": "INTERNAL", "tool_scope": "read_only" }
    },
    {
      "id": "require_semantic_check_external_write",
      "effect": "REQUIRES_SEMANTIC_CHECK",
      "conditions": { "destination_class": "EXTERNAL", "tool_scope": "write" }
    }
  ],
  "degraded_matrix": [
    {
      "description": "fail closed for external writes",
      "condition": { "destination_class": "EXTERNAL", "tool_scope": "write" },
      "fallback_decision": "BLOCK",
      "matrix_rule_id": "fail_closed_ext_write"
    }
  ]
}
```
Applying bundles
- pulled by the proxy at startup, or pushed by platform tooling
- each decision can be bound to a policy digest for audit evidence
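As an added example (not code from the page or the FuseGov project), a minimal Python evaluator that takes a bundle in the MVP structure above, applies `stage1_rules` to one tool call, falls back to the `degraded_matrix` when the semantic checker is unavailable, and stamps every decision with a policy digest for audit. The request fields, the default-deny fall-through, the `semantic_check` callable and the canonical-JSON digest are assumptions.

```python
import hashlib
import json

# Constructed sample bundle mirroring the MVP structure on the page.
BUNDLE = {
    "meta": {"version": "1.0", "source": "FuseGov Catalog"},
    "stage1_rules": [
        {"id": "allow_internal_reads", "effect": "PERMIT",
         "conditions": {"destination_class": "INTERNAL", "tool_scope": "read_only"}},
        {"id": "require_semantic_check_external_write", "effect": "REQUIRES_SEMANTIC_CHECK",
         "conditions": {"destination_class": "EXTERNAL", "tool_scope": "write"}},
    ],
    "degraded_matrix": [
        {"description": "fail closed for external writes",
         "condition": {"destination_class": "EXTERNAL", "tool_scope": "write"},
         "fallback_decision": "BLOCK", "matrix_rule_id": "fail_closed_ext_write"},
    ],
}

def policy_digest(bundle):
    """SHA-256 over canonical JSON (assumed scheme): same bundle, same digest."""
    canonical = json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def _matches(conditions, request):
    # Every condition key must equal the corresponding request attribute.
    return all(request.get(k) == v for k, v in conditions.items())

def decide(bundle, request, semantic_check=None):
    """Evaluate one tool call. semantic_check is a callable returning True/False,
    or None when the semantic stage is unavailable (degraded mode)."""
    digest = policy_digest(bundle)
    for rule in bundle["stage1_rules"]:
        if not _matches(rule["conditions"], request):
            continue
        if rule["effect"] == "PERMIT":
            return {"decision": "PERMIT", "rule_id": rule["id"], "policy_digest": digest}
        if rule["effect"] == "REQUIRES_SEMANTIC_CHECK" and semantic_check is not None:
            verdict = "PERMIT" if semantic_check(request) else "BLOCK"
            return {"decision": verdict, "rule_id": rule["id"], "policy_digest": digest}
        # Semantic stage unavailable (or unknown effect): consult the degraded matrix.
        for entry in bundle["degraded_matrix"]:
            if _matches(entry["condition"], request):
                return {"decision": entry["fallback_decision"],
                        "rule_id": entry["matrix_rule_id"], "policy_digest": digest}
        return {"decision": "BLOCK", "rule_id": "default_deny_degraded", "policy_digest": digest}
    # No deterministic rule matched: fail closed.
    return {"decision": "BLOCK", "rule_id": "default_deny", "policy_digest": digest}
```

The `policy_digest` value returned with each decision is what an audit log would record alongside the decision so it can be tied back to the exact bundle that produced it.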