# Policy-as-Code SDK
Define authorisation policies as Python code, version them in Git, and deploy atomically via the SDK. Xybern diffs your policy definitions against the current state and creates, updates, or removes policies automatically, with full Provenance Vault tracking.
| Concept | Description |
|---|---|
| Policy | A fluent builder for a single enforcement policy: `.on()`, `.when_*()`, `.block()` |
| PolicyPack | A versioned collection of policies deployed as one atomic unit |
| PolicyClient | SDK sub-client at `client.policies` for deploy, rollback and validate operations |
| Deploy | Create, update or delete policies from a pack: `POST /v1/enforce/policy-packs` |
| Rollback | Revert to the previous pack version: `POST /v1/enforce/policy-packs/:name/rollback` |
| Validate | Dry-run a pack without deploying: `POST /v1/enforce/policy-packs/validate` |
| Source Hash | SHA-256 fingerprint of the policy definitions; makes redeployments idempotent |
## Define Policies with the Python DSL

```python
from xybern import Xybern, PolicyPack, Policy

client = Xybern(api_key="xb_your_key")

pack = PolicyPack("finance-controls", version="2.0.0",
                  description="Production trading controls")

# Block low-trust agents from executing trades
pack.add(Policy("Block Untrusted Traders")
    .on("execute_trade")
    .when_threshold(trust_below=50)
    .block("Agents with trust < 50 cannot trade"))

# No deployments on weekends
pack.add(Policy("Weekend Deploy Freeze")
    .on("deploy:*")
    .when_time(blocked_days=[6, 7])
    .escalate("Weekend deploys require human approval"))

# Detect PII in prompts
pack.add(Policy("PII Scanner")
    .on("send_prompt")
    .when_content_matches(r"\b\d{3}-\d{2}-\d{4}\b", r"\bSSN\b")
    .block("PII detected in prompt content"))

# Limit delegation chain depth
pack.add(Policy("Chain Depth Guard")
    .when_chain(max_depth=3)
    .escalate("Delegation chain too deep"))
```
## Deploy a Policy Pack

```python
# Deploy to live enforcement
result = client.policies.deploy(pack)
print(result)
# → {"ok": true, "pack": {...}, "summary": {"created": 4, "updated": 0, "deleted": 0}}

# Deploy in shadow mode (observe only, never enforced)
result = client.policies.deploy(pack, deploy_mode="shadow")

# Redeploy with changes: Xybern auto-diffs against the current state
pack_v2 = PolicyPack("finance-controls", version="2.1.0")
pack_v2.add(Policy("Block Untrusted Traders")
    .on("execute_trade")
    .when_threshold(trust_below=60)  # raised threshold
    .block("Agents with trust < 60 cannot trade"))

result = client.policies.deploy(pack_v2)
# → {"summary": {"created": 0, "updated": 1, "deleted": 3, "unchanged": 0}}
```
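The following is an added, stand-alone illustration of the diff summary and source-hash semantics described in the concept table and in the redeploy above; it is not the xybern SDK's code, and the policy dict layout plus the `policy_hash()`, `source_hash()` and `diff_packs()` helpers are assumptions of this example.

```python
# Added illustration of pack diffing and source hashing; not the xybern SDK.
# The dict layout, policy_hash(), source_hash() and diff_packs() are assumed here.
import hashlib
import json

def policy_hash(policy: dict) -> str:
    """SHA-256 of a canonical JSON form, so equal definitions hash equally."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def source_hash(policies: list[dict]) -> str:
    """Pack fingerprint over the sorted per-policy hashes: .add() order is irrelevant."""
    digest = hashlib.sha256()
    for h in sorted(policy_hash(p) for p in policies):
        digest.update(h.encode())
    return digest.hexdigest()

def diff_packs(current: list[dict], desired: list[dict]) -> dict:
    """Summary of what a deploy would do, matching policies by name."""
    cur = {p["name"]: policy_hash(p) for p in current}
    new = {p["name"]: policy_hash(p) for p in desired}
    summary = {"created": 0, "updated": 0, "deleted": 0, "unchanged": 0}
    for name, h in new.items():
        if name not in cur:
            summary["created"] += 1
        elif cur[name] != h:
            summary["updated"] += 1   # same name, different definition
        else:
            summary["unchanged"] += 1  # idempotent: nothing to write
    summary["deleted"] = len(set(cur) - set(new))  # dropped from the pack
    return summary

# Constructed sample packs mirroring the page's 2.0.0 and 2.1.0 definitions
V1 = [
    {"name": "Block Untrusted Traders", "on": "execute_trade",
     "when": {"trust_below": 50}, "action": "block"},
    {"name": "Weekend Deploy Freeze", "on": "deploy:*",
     "when": {"blocked_days": [6, 7]}, "action": "escalate"},
    {"name": "PII Scanner", "on": "send_prompt",
     "when": {"patterns": [r"\b\d{3}-\d{2}-\d{4}\b", r"\bSSN\b"]}, "action": "block"},
    {"name": "Chain Depth Guard", "on": None,
     "when": {"max_depth": 3}, "action": "escalate"},
]
V2 = [
    {"name": "Block Untrusted Traders", "on": "execute_trade",
     "when": {"trust_below": 60}, "action": "block"},
]
```

`diff_packs(V1, V2)` yields the same `updated: 1, deleted: 3` shape as the 2.1.0 redeploy above, and `diff_packs(V1, V1)` reports everything unchanged, which is what an unchanged source hash lets the server short-circuit.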
## Validate Without Deploying

```python
# Dry-run validation
validation = client.policies.validate(pack)
print(validation)
# → {"ok": true, "valid": true, "policy_count": 4, "policies": [...]}
```
## Rollback to Previous Version

```python
# Something went wrong: roll back instantly
result = client.policies.rollback("finance-controls")
# → redeploys the previous version's policies
```
## Delete a Pack

```python
# Remove a pack and all its managed policies
result = client.policies.delete("finance-controls")
# → {"ok": true, "policies_removed": 4}
```
## REST API Reference

| Method | Endpoint | Description |
|---|---|---|
| POST | `/v1/enforce/policy-packs` | Deploy a policy pack |
| GET | `/v1/enforce/policy-packs` | List all packs |
| GET | `/v1/enforce/policy-packs/:name` | Get a specific pack |
| POST | `/v1/enforce/policy-packs/:name/rollback` | Rollback to previous version |
| DELETE | `/v1/enforce/policy-packs/:name` | Delete a pack |
| POST | `/v1/enforce/policy-packs/validate` | Dry-run validation |
| GET | `/v1/enforce/policy-packs/stats` | Pack statistics |
## Dashboard

The Authorisation Layer Control Plane includes a dedicated Policy-as-Code view showing all active packs with their version, policy count, deploy mode, source hash, and deployment timestamp. From the dashboard you can roll back or delete packs with one click.