Breakglass Protocol
Emergency override mechanism for blocked enforcement decisions. When a critical action is blocked by policy but must proceed, operators trigger a breakglass override: a time-limited bypass with mandatory justification, an immutable audit trail, and post-incident review requirements.
Warning
Use sparingly. Breakglass overrides bypass normal authorisation. Every event is recorded in the Provenance Vault and requires post-incident review. A per-agent cooldown (max 3 per 30 minutes) prevents abuse.
| Concept | Description |
| --- | --- |
| BreakglassEvent | A time-limited authorisation override with justification, severity, and audit trail |
| Justification | Mandatory written rationale (min 10 chars) explaining why the override is needed |
| Severity | critical, high, or medium; controls visibility and review priority |
| Cooldown | Max 3 breakglass events per agent per 30-minute window |
| Auto-expire | Override auto-expires after configured duration (default 15 min, max 2 hours) |
| Post-incident review | Events require review annotation after the fact for compliance |
Trigger a Breakglass Override
```python
import requests

BASE = "https://www.xybern.com/api/v1"
HEADERS = {"X-API-Key": "xb_your_key"}  # placeholder; load the real key from a secret store

# Request a time-limited override for one agent and one action type
override = requests.post(f"{BASE}/enforce/breakglass", headers=HEADERS, json={
    "agent_id": "agent_deploy_01",
    "action_type": "deploy:production",
    "justification": "Critical hotfix for payment processing outage — approved by VP Eng",
    "triggered_by": "oncall_engineer_42",
    "severity": "critical",
    "duration_minutes": 15,
    "max_actions": 5,
})
override.raise_for_status()  # fail on an HTTP error instead of a KeyError below

bg = override.json()["event"]
print(f"Override active: {bg['breakglass_id']}")
print(f"Expires in: {bg['remaining_seconds']}s")
```
How It Works at Intercept Time
When an action is blocked and the agent has an active breakglass override, the decision is automatically flipped to allow with a breakglass proof attached:
```json
{
  "decision": "allow",
  "decision_id": "enf_abc123",
  "decision_path": "breakglass",
  "reasoning": "Policy violation detected | Breakglass override active (bg_xyz789)",
  "breakglass": {
    "breakglass_id": "bg_xyz789",
    "remaining_seconds": 842,
    "reason": "Breakglass override 'bg_xyz789' active (expires in 842s)"
  }
}
```
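The rules in the concept table and the intercept-time flip described above can be modelled locally, for example to test runbooks or alerting against them. This is an added example, not Xybern's implementation: the class and method names, the `block` decision literal, the sliding-window reading of the cooldown, and the 1-minute minimum duration are assumptions.

```python
from dataclasses import dataclass, field

SEVERITIES = {"critical", "high", "medium"}
WINDOW_S, MAX_PER_WINDOW = 30 * 60, 3   # cooldown: 3 per agent per 30 minutes
DEFAULT_MIN, MAX_MIN = 15, 120          # auto-expire: default 15 min, max 2 hours


@dataclass
class BreakglassModel:
    """Local model of the documented rules (assumed names, not the vendor's code)."""
    events: list = field(default_factory=list)  # (agent_id, start, expiry, bg_id)

    def trigger(self, agent_id, justification, severity, now,
                duration_minutes=DEFAULT_MIN):
        # `now` is a timestamp in seconds, passed in so the model is testable
        if len(justification.strip()) < 10:
            raise ValueError("justification must be at least 10 characters")
        if severity not in SEVERITIES:
            raise ValueError("severity must be critical, high, or medium")
        if not 1 <= duration_minutes <= MAX_MIN:  # lower bound is an assumption
            raise ValueError("duration_minutes must be between 1 and 120")
        # Assumption: sliding window, and every triggered event counts,
        # including ones already closed or expired.
        recent = [e for e in self.events
                  if e[0] == agent_id and now - e[1] < WINDOW_S]
        if len(recent) >= MAX_PER_WINDOW:
            raise PermissionError("cooldown: max 3 overrides per agent per 30 min")
        bg_id = f"bg_{len(self.events) + 1:04d}"  # constructed id format
        self.events.append((agent_id, now, now + duration_minutes * 60, bg_id))
        return bg_id

    def intercept(self, agent_id, policy_decision, now):
        """Flip a blocked decision to allow only while an override is unexpired."""
        if policy_decision != "block":  # "block" literal is an assumption
            return {"decision": policy_decision}
        for agent, _start, expiry, bg_id in self.events:
            if agent == agent_id and now < expiry:
                return {"decision": "allow", "decision_path": "breakglass",
                        "breakglass": {"breakglass_id": bg_id,
                                       "remaining_seconds": expiry - now}}
        return {"decision": "block"}
```

The override is scoped to the agent that triggered it and stops applying at expiry, so a blocked action from any other agent, or from the same agent after the window, stays blocked.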
When a decision is blocked and no active override exists, the response includes a hint:
Close an Override Early
```python
bg_id = bg["breakglass_id"]  # ID returned when the override was triggered

requests.post(f"{BASE}/enforce/breakglass/{bg_id}/close", headers=HEADERS, json={
    "reason": "Hotfix deployed successfully, no longer needed"
})
```
Add Post-Incident Review
```python
# bg_id is the breakglass_id of the event being reviewed
requests.post(f"{BASE}/enforce/breakglass/{bg_id}/review", headers=HEADERS, json={
    "reviewed_by": "security_lead_01",
    "review_notes": "Override was justified — payment outage affected 12k users. "
                    "Root cause: stale policy blocking deploy:production for this agent. "
                    "Action: Updated policy to allow during incident windows."
})
```
List & Stats
```python
# List all breakglass events
requests.get(f"{BASE}/enforce/breakglass", headers=HEADERS)

# Active overrides only
requests.get(f"{BASE}/enforce/breakglass?active_only=true", headers=HEADERS)

# Aggregate stats
requests.get(f"{BASE}/enforce/breakglass/stats", headers=HEADERS)
# → { total_events, active_overrides, pending_review, reviewed, by_severity, ... }
```
Dashboard
The Authorisation Layer dashboard includes a dedicated Breakglass Protocol tab showing:
- Active overrides: real-time countdown timers, severity badges, and one-click close
- Event history: closed and expired events with review status indicators
- Severity breakdown: critical/high/medium counts at a glance
- Post-incident review: review button on unreviewed events, notes visible inline