policies · index

Policies & Sandboxing

Contextual policies, cost controls, risk escalation, and the Omnibox OS sandbox.

documented

Omnigent’s policy engine is the part that makes the meta-harness idea operational. Policies intercept actions such as tool calls, LLM requests, and file operations, then return ALLOW, ASK, DENY, or no opinion. Source: policy overview.

Contextual means stateful

Most tool allowlists are static. Omnigent policies maintain state across the session: cumulative cost, tool-call history, data classification labels, and custom policy state. That enables spend caps, rate limits, risk scoring, model routing, and approval gates that get stricter as context changes. Sources: policy overview, Databricks contextual policies blog.

Built-in policy families

Safety

OS-tool approval, PII blocking, GitHub/Gmail/GDrive/Calendar controls, intent-based authorization, risk scoring, CEL, prompt policy, and sandbox enforcement.

Cost

Per-session budgets, per-user daily budgets, task-switch detection, and routing trivial work away from expensive models.

Source: built-in policies.

Omnibox OS sandbox

Omnibox restricts filesystem, network, and environment access. Linux uses Bubblewrap namespaces plus seccomp. macOS uses Seatbelt / sandbox-exec. If a sandbox is requested and unavailable, Omnigent errors rather than silently running unsandboxed. Source: OS sandbox config.

Important boundary

The OS sandbox applies to sys_os_* tool calls and declared terminals that reference the policy. The docs say it does not automatically sandbox MCP server subprocesses or the Omnigent supervisor process. Source: OS sandbox config.