Universal policy

One change.
Every agent.

Label your agents env=prod. Write a rule targeting that set. Save. Every matching agent hot-reloads in place and reports applied, without dropping a single in-flight call.

Selector

env=prod tier=primary

Matches 47 agents in real time

Policy rule

- id: block-external-write
  target: "http_post"
  when: "params.host not in trusted"
  action: deny

Fleet · live

47/47 · 1.2s

Applied 47
Stale 0
Dropped calls 0
Hash a4f2…

From edit to applied

Three steps.
Seconds, not minutes.

01 Target

Type a selector. env=prod matches every agent with that label. The editor previews "47 agents" the moment you type it.

02 Test

The diff badge shows how many recent verdicts the rule would flip across the matched set. Inspect the samples. Decide whether to ship.

03 Apply

Save. The platform notifies every matched agent over SSE. Each pulls, validates, hot-reloads, and reports applied. The counter flips to 47/47.

The invariant

Nothing drops.
Nothing tears.

The runtime's policy engine is a pointer swap under a read-write lock. An in-flight Evaluate grabs the pointer under a read lock, releases it, and runs the verdict against an immutable Policy. The swap acquires a write lock and publishes a new pointer. The read side sees either v1 or v2, never a torn mixture.
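The swap described above, sketched in Go as an added example; it is not the platform's own code, and the language choice, the struct layout, the `Swap` and `TornVerdicts` names and the host `partner.example` are assumptions. A reloader flips between v1 and v2 while calls are in flight, and each verdict is checked against the version it reports.

```go
package main

import (
	"fmt"
	"sync"
)

type Policy struct { // immutable once published; a reload builds a new value
	Version int
	Trusted map[string]bool // hosts that http_post may reach (constructed sample)
}

type Engine struct {
	mu  sync.RWMutex
	cur *Policy
}

// Evaluate snapshots the pointer under the read lock, then decides lock-free on that Policy.
func (e *Engine) Evaluate(target, host string) (version int, allow bool) {
	e.mu.RLock()
	p := e.cur
	e.mu.RUnlock()
	return p.Version, !(target == "http_post" && !p.Trusted[host])
}

func (e *Engine) Swap(next *Policy) { // publish a fully built policy under the write lock
	e.mu.Lock()
	e.cur = next
	e.mu.Unlock()
}

// TornVerdicts counts verdicts that contradict their own version (v1 allows, v2 denies).
func TornVerdicts(calls int) (torn int) {
	pols := []*Policy{{1, map[string]bool{"partner.example": true}}, {2, nil}}
	e, done := &Engine{cur: pols[0]}, make(chan struct{})
	go func() { // reloader: hot-swaps policies while evaluations run
		defer close(done)
		for i := 0; i < calls; i++ {
			e.Swap(pols[i%2])
		}
	}()
	for i := 0; i < calls; i++ {
		if ver, ok := e.Evaluate("http_post", "partner.example"); ok != (ver == 1) {
			torn++
		}
	}
	<-done
	return torn
}
func main() { fmt.Println("torn verdicts:", TornVerdicts(100000)) }
```

The guarantee holds only because a published Policy is never modified: editing `Trusted` in place on the live value would reintroduce the torn read that the pointer swap avoids.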

The per-run HMAC trace chain key is derived once at run start and is not rotated on hot reload. A run started under policy v1 keeps its chain key across the swap to v2. The verifier reads the whole trace end-to-end and confirms the chain is intact.
