Policies
A policy is a rule that Detecte evaluates against every action. Policies have a `when` (a Mongo-style expression) and a `then` (an outcome).
Anatomy
```javascript
{
  name: "Cap refunds at $1,000",
  agents: ["agent_support_bot"], // optional; empty = all agents
  when: {
    action: "refund_order",
    "params.amount": { $gt: 1000 }
  },
  then: {
    decision: "block", // allow | block | escalate | require_approval
    message: "Refunds over $1,000 require human approval.",
    approvers: ["alice@acme.com"] // for require_approval
  },
  enabled: true
}
```
Outcomes
| Outcome | What happens |
|---|---|
| allow | Action proceeds. |
| block | Action is denied; an incident is created. |
| escalate | Action proceeds but is flagged in the dashboard and webhooks. |
| require_approval | Action pauses; one of the named approvers must click approve in the dashboard. |
Strictest result wins
If multiple policies match a single action, the outcome is the strictest:
block > require_approval > escalate > allow
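The ordering above, worked through as an added sketch (not Detecte's own code): a minimal evaluator that matches policies against an action and returns the strictest decision. Assumptions: the function names `getPath`, `matches` and `decide`, the action shape `{ action, params }`, support for only equality and `$gt` (the two forms shown on this page), and `allow` as the result when nothing matches.

```javascript
// Added sketch, not Detecte's implementation. Handles only equality and $gt,
// the two expression forms shown in the Anatomy example.
const STRICTNESS = ["allow", "escalate", "require_approval", "block"];

// Resolve a dotted key such as "params.amount" against the action object.
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// True when every key in `when` matches the action.
function matches(when, action) {
  return Object.entries(when).every(([path, cond]) => {
    const value = getPath(action, path);
    if (cond === null || typeof cond !== "object") return value === cond;
    return Object.entries(cond).every(([op, arg]) => {
      // Reject unknown operators so a typo cannot silently disable a rule.
      if (op !== "$gt") throw new Error(`unsupported operator: ${op}`);
      return typeof value === "number" && value > arg;
    });
  });
}

// Collect enabled policies in scope for the agent, then keep the strictest.
function decide(policies, agentId, action) {
  const hits = policies.filter(p =>
    p.enabled &&
    (!p.agents || p.agents.length === 0 || p.agents.includes(agentId)) &&
    matches(p.when, action));
  // Assumption: with no matching policy the outcome is "allow".
  return hits.reduce(
    (worst, p) => STRICTNESS.indexOf(p.then.decision) > STRICTNESS.indexOf(worst.decision)
      ? { decision: p.then.decision, policy: p.name } : worst,
    { decision: "allow", policy: null });
}

// Constructed sample policies; only the first one comes from this page.
const policies = [
  { name: "Cap refunds at $1,000", agents: ["agent_support_bot"], enabled: true,
    when: { action: "refund_order", "params.amount": { $gt: 1000 } },
    then: { decision: "block" } },
  { name: "Flag all refunds", agents: [], enabled: true,
    when: { action: "refund_order" }, then: { decision: "escalate" } },
  { name: "Approve refunds over $500", agents: [], enabled: true,
    when: { action: "refund_order", "params.amount": { $gt: 500 } },
    then: { decision: "require_approval" } },
];
```

A $1,500 refund from `agent_support_bot` matches all three policies and resolves to `block`; the same refund from any other agent falls outside the first policy's `agents` scope and resolves to `require_approval`.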
Anomaly upgrades
Even if no policy blocks an action, Detecte's anomaly engine can upgrade the outcome from allow to escalate when behavior diverges sharply from the agent's baseline (e.g., a transfer 14× the agent's median amount).
See also
- Operators reference — every supported expression operator.
- Recipes — copy-paste policies for common patterns.
- Visual builder — point-and-click in the dashboard.