Add support for Cedar as a policy language, in addition to TOML #34

Open
marcbrooker wants to merge 5 commits into strands-agents:main from marcbrooker:main

@marcbrooker

Description

Add support for Cedar as a policy language, in addition to TOML.

Type of Change

New feature
Breaking change
Documentation update
Other (please describe):

Testing

How have you tested the change? Verify that the changes do not break functionality or introduce new warnings.

  • I ran the relevant test suites for the bindings I touched (cargo test --workspace --all-targets, pytest tests/python, npm test)
  • If I touched Rust, I ran cargo fmt and cargo clippy

Checklist

  • I have read the CONTRIBUTING document
  • I have reviewed and understand every line of code in this PR, including any generated by AI tools, and I can explain why it works
  • My change is focused and reasonably small; I have split unrelated work into separate PRs
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

marcbrooker and others added 5 commits June 16, 2026 16:42
Operators can now express sandbox authorization in the Cedar policy
language in addition to the existing TOML configuration. Policies gate
the full agent-sandbox action vocabulary at the Kernel boundary:
fs:read/stat/write/list/create/delete/rename, env:read, net:request,
and mcp:call.

Semantics are additive-restriction-only: with no policy, behavior is
unchanged (default-allow); with a policy loaded, a gated action must be
permitted by Cedar or it is denied. This layers on top of the built-in
SSRF and VFS-permission checks and can never weaken them.

A policy can be supplied three ways: the `--policy <file>` CLI flag,
`ShellBuilder::policy_file()`/`policy_str()`, or a `policy = "file.cedar"`
key in the TOML config (resolved relative to the config file).

Only the generic, public cedar-policy API is used. cedar-policy is not
wasm-safe, so the dependency, the `policy` module, and all plumbing are
gated to non-wasm; the `Kernel::check_policy` trait default is a no-op,
so wasm builds compile with policy disabled.

Add an "Authorization Policies (Cedar)" section to the README covering the
action vocabulary, the three ways to load a policy, and the additive-only
composition with the SSRF guard and filesystem permissions.

Add examples/ with three Cedar policies of increasing complexity (read-only,
a workspace jail, and mixed controls with a forbid override) and a
run-policies.sh script that runs each against strands-shell and shows which
commands are allowed and which are denied.

Add `policy_file` and `policy_str` to the native PyO3 ShellBuilder, and
surface them on the customer-facing `Shell` constructor as the `policy_file`
(path) and `policy` (inline text) keyword args. Passing both raises; an
explicit policy here overrides a `policy` key from a config_file.

Update the README's policy section to show the Python API, and add pytest
coverage for the read-only-from-Python, file-vs-inline, no-policy,
mutual-exclusion, and malformed-policy cases.

Add two examples grounded in the "lethal trifecta" of agent security
(private data + untrusted input + external communication), each cutting one
leg:

- 04-egress-allowlist.cedar — network only as GET to a single host; other
  hosts and non-GET methods are denied, closing the exfiltration channel.
- 05-shield-secrets.cedar — full read/write of a project tree but a forbid
  override that blocks reading .env / .pem / .ssh / credentials.

Extend run-policies.sh to demonstrate both and update the example and main
READMEs.

@ryanycoleman self-requested a review June 19, 2026 14:41
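
The layering the commit messages describe (built-in checks first, default-allow with no policy, permit required and forbid overriding once a policy is loaded) can be modelled in a few lines of std-only Rust. This is an added illustration, not code from this PR and not the cedar-policy API; `Rule`, `decide`, `shield_secrets`, the prefix/suffix matching and the sample paths are assumptions made for the example.

```rust
// Added illustration: std-only model of the layering in the commit messages.
// Not the project's code; Rule, decide() and shield_secrets() are hypothetical.
#[derive(Clone, Copy, PartialEq)]
enum Effect { Permit, Forbid }

struct Rule {
    effect: Effect,
    actions: &'static [&'static str], // names from the PR's action vocabulary
    prefix: &'static str,             // resource must start with this
    suffix: &'static str,             // and end with this ("" matches anything)
}

impl Rule {
    fn matches(&self, action: &str, resource: &str) -> bool {
        self.actions.iter().any(|a| *a == action)
            && resource.starts_with(self.prefix)
            && resource.ends_with(self.suffix)
    }
}

/// `builtin_ok` stands for the verdict of the built-in SSRF / VFS checks.
fn decide(builtin_ok: bool, policy: Option<&[Rule]>, action: &str, resource: &str) -> bool {
    if !builtin_ok {
        return false; // a policy can only restrict, never re-allow
    }
    let rules = match policy {
        None => return true, // no policy loaded: default-allow, unchanged
        Some(rules) => rules,
    };
    let hit = |e: Effect| rules.iter().any(|r| r.effect == e && r.matches(action, resource));
    // Policy loaded: a matching forbid wins; otherwise a permit is required.
    !hit(Effect::Forbid) && hit(Effect::Permit)
}

// Constructed sample, loosely modelled on the "shield secrets" example.
fn shield_secrets() -> Vec<Rule> {
    vec![
        Rule { effect: Effect::Permit, actions: &["fs:read", "fs:write"], prefix: "/project/", suffix: "" },
        Rule { effect: Effect::Forbid, actions: &["fs:read"], prefix: "", suffix: ".env" },
        Rule { effect: Effect::Forbid, actions: &["fs:read"], prefix: "", suffix: ".pem" },
    ]
}

fn main() {
    let p = shield_secrets();
    for (a, r) in [("fs:read", "/project/src/main.rs"), ("fs:read", "/project/.env")] {
        println!("{} {} -> {}", a, r, decide(true, Some(p.as_slice()), a, r));
    }
}
```

In this model an action the sample policy never mentions, such as `net:request`, is denied as soon as any policy is loaded, which is the behavior to check for when rolling a policy out to an agent that previously ran without one.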