Your First Policy
Write an allow/deny rule to control which MCP tools your agent can invoke.
Default behavior: implicit deny
If no policy matches an (agentId, toolName) pair, the request is blocked. You must explicitly allow each tool your agent needs.
In the Dashboard
The fastest way to create your first policy — no API calls needed:
1. In the ShieldAgent dashboard, go to Policies in the left sidebar.
2. Click New Policy.
3. Set Tool Name (e.g. read_file), Action to allow, and optionally scope to a specific agent.
4. Click Save — the policy takes effect automatically.
All changes are reflected in the audit trail. Use the dashboard to iterate quickly; automate with the API for CI/CD or IaC.
Via SDK
How Policies Are Evaluated
Only tools/call requests are policy-checked. Other MCP methods (tools/list, resources/read) pass through.
Allow a Tool
Allow your agent to call read_file on any path:
```js
import ShieldAgent from '@shieldagent/sdk';

const client = new ShieldAgent();

await client.policies.create({
  agentId: "<agent-id>",
  toolName: "read_file",
  action: "allow",
});
```
Deny with a Condition
Block bash calls that contain rm -rf:
```json
{
  "tenantId": "<tenant-id>",
  "agentId": "<agent-id>",
  "toolName": "bash",
  "action": "deny",
  "conditions": [
    {
      "type": "param_contains",
      "param": "arguments.command",
      "value": "rm -rf"
    }
  ]
}
```
All conditions use AND logic — every condition must match for the rule to apply. If a condition fails, the evaluator moves to the next rule.
Tenant-Wide Policy
Set agentId to null to apply the rule to every agent in the tenant. Agent-specific rules always win over tenant-wide rules.
```json
{
  "tenantId": "<tenant-id>",
  "agentId": null,
  "toolName": "tools_list",
  "action": "allow"
}
```
Policy Actions
| Action | Behavior |
|---|---|
| allow | Permit the tool call (subject to conditions) |
| deny | Block the tool call and return an error to the agent |
| shadow | Log the call without blocking; useful for observing new tools before enforcing |
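
The evaluation rules described on this page (implicit deny, AND conditions, agent-specific rules over tenant-wide ones, and the three actions), modeled locally so a policy set can be checked against sample requests before it is deployed. This is an added example, not ShieldAgent's code; rule order within a scope, the dot-path reading of `param`, and the names `agent-a`, `agent-b` and `fetch_url` are assumptions.

```javascript
// Added illustration: a local model of the evaluation rules this page describes,
// not ShieldAgent's implementation. Assumed: rules are tried in list order within
// a scope, and "param" is a dot path into the tools/call params object.
const getPath = (obj, path) =>
  path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);

function conditionMatches(cond, params) {
  // Only the condition type shown on the page is modeled; anything else is an error.
  if (cond.type !== 'param_contains') throw new Error(`unsupported: ${cond.type}`);
  const v = getPath(params, cond.param);
  return typeof v === 'string' && v.includes(cond.value);
}

function evaluate(policies, req) {
  // Only tools/call is policy-checked; other MCP methods pass through.
  if (req.method !== 'tools/call') return 'pass-through';
  const applies = (p) =>
    p.toolName === req.params.name &&
    (p.conditions || []).every((c) => conditionMatches(c, req.params)); // AND logic
  // Agent-specific rules win, so try them before tenant-wide (agentId: null) ones.
  const ordered = [
    ...policies.filter((p) => p.agentId === req.agentId),
    ...policies.filter((p) => p.agentId === null),
  ];
  const rule = ordered.find(applies); // failed condition: fall through to next rule
  return rule ? rule.action : 'deny'; // nothing matched: implicit deny
}

// Constructed sample policies ("agent-a", "agent-b", "fetch_url" are made-up names).
const samplePolicies = [
  { agentId: 'agent-a', toolName: 'bash', action: 'deny', conditions: [
    { type: 'param_contains', param: 'arguments.command', value: 'rm -rf' }] },
  { agentId: 'agent-a', toolName: 'bash', action: 'allow' },
  { agentId: null, toolName: 'read_file', action: 'allow' },
  { agentId: 'agent-a', toolName: 'read_file', action: 'deny' },
  { agentId: null, toolName: 'fetch_url', action: 'shadow' },
];

const call = (agentId, name, args = {}) =>
  ({ agentId, method: 'tools/call', params: { name, arguments: args } });
const check = (agentId, name, args) =>
  evaluate(samplePolicies, call(agentId, name, args));

console.log(check('agent-a', 'bash', { command: 'rm -rf /tmp/build' }));
console.log(check('agent-a', 'bash', { command: 'ls -la' }));
console.log(check('agent-a', 'read_file'), check('agent-b', 'read_file'));
console.log(check('agent-b', 'bash', { command: 'ls -la' }));
console.log(check('agent-b', 'fetch_url'));
```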