Drako’s enforcement pipeline evaluates a set of configurable policies before every tool call executes. All policies live in .drako.yaml under the policies: key. Generate an initial config from your scan:
drako init        # autopilot — audit-first, smart defaults
drako upgrade --balanced  # enable enforcement when ready
Presidio-based PII/PCI scanning on every tool call payload. If the payload contains critical PII in enforce mode, the action is rejected before it reaches any downstream API.
Detected entity types: SSN, credit card numbers, email addresses, phone numbers, passport numbers, and more.
policies:
  dlp:
    mode: enforce        # audit | enforce | off
    sensitivity: high    # low | medium | high
| Field | Default | Description |
|---|---|---|
| mode | audit | audit logs violations; enforce blocks the call |
| sensitivity | medium | DLP sensitivity level — higher catches more at the cost of more false positives |
Start with mode: audit to measure your baseline PII exposure before enabling enforcement.
Declare exactly which tools each agent is permitted to use. Allowlisting, not denylisting — every tool not on the permitted list is blocked by default.
policies:
  odd:
    enforcement_mode: enforce  # audit | enforce | off
    default_policy: deny       # allow | deny
    agents:
      researcher:
        permitted_tools: [web_search, file_reader]
        forbidden_tools: [code_runner, send_email]
      writer:
        permitted_tools: [send_email, file_reader]
| Field | Default | Description |
|---|---|---|
| enforcement_mode | audit | audit logs violations; enforce blocks them |
| default_policy | allow | What to do when no agent rule matches the call |
| permitted_tools | [] | Allowlist — any tool not listed is blocked |
| forbidden_tools | [] | Denylist — listed tools are always blocked |
If both permitted_tools and forbidden_tools are set for an agent, forbidden_tools takes precedence.
Three enforcement modes:
  • audit — log violations, allow the call
  • enforce — block the call, return a policy violation error
  • escalate — block the call and trigger a HITL escalation
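The decision order described above, as an added example (a sketch, not Drako's own code). The function names, outcome labels and the reading of `off` as "policy not evaluated" are assumptions; the config mirrors the YAML sample and the defaults come from the table.

```python
# Added example: a sketch of the ODD decision order described above, not Drako's code.
# Constructed config mirroring the YAML sample on this page.
ODD = {
    "enforcement_mode": "enforce",
    "default_policy": "deny",
    "agents": {
        "researcher": {"permitted_tools": ["web_search", "file_reader"],
                       "forbidden_tools": ["code_runner", "send_email"]},
        "writer": {"permitted_tools": ["send_email", "file_reader"]},
    },
}

def violation(odd, agent, tool):
    """Return the reason a call breaks policy, or None if it is permitted."""
    rule = odd["agents"].get(agent)
    if rule is None:  # no agent rule matches: default_policy decides
        if odd.get("default_policy", "allow") == "allow":
            return None
        return "no agent rule, default_policy=deny"
    if tool in rule.get("forbidden_tools", []):      # denylist takes precedence
        return "tool in forbidden_tools"
    if tool not in rule.get("permitted_tools", []):  # unlisted means blocked
        return "tool not in permitted_tools"
    return None

def decide(odd, agent, tool):
    """Map a violation onto the enforcement mode: (outcome, reason)."""
    mode = odd.get("enforcement_mode", "audit")
    if mode == "off":  # ASSUMPTION: off means the policy is not evaluated
        return ("allow", None)
    reason = violation(odd, agent, tool)
    if reason is None:
        return ("allow", None)
    outcome = {"audit": "allow_logged", "enforce": "block",
               "escalate": "block_and_escalate"}[mode]
    return (outcome, reason)

def replay(odd, calls):
    """Dry-run a list of (agent, tool) calls, e.g. taken from an audit log."""
    return [(a, t) + decide(odd, a, t) for a, t in calls]
```

Running `replay` over calls recorded in audit mode shows which of them would start failing once `enforcement_mode` is switched to enforce.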
Prevents one failing tool or agent from cascading failures across the rest of your system.
Hierarchy: tool circuit breaker → agent circuit breaker → fleet halt
When a circuit breaker trips, operations don’t die — they fail over to deterministic code, a simpler agent, a human operator, or a retry queue. State is preserved.
policies:
  circuit_breaker:
    agent_level:
      failure_threshold: 5         # open circuit after N failures
      time_window_seconds: 60      # sliding window
      recovery_timeout_seconds: 30 # wait before half-opening
| Field | Default | Description |
|---|---|---|
| failure_threshold | 10 | Number of failures before opening the circuit |
| time_window_seconds | 300 | Sliding window for failure counting |
| recovery_timeout_seconds | 60 | Cooldown before allowing trial requests |
Pair the circuit breaker with policies.fallback to define what happens when a circuit opens — escalate to a human, swap to a backup agent, or preserve state for replay.
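How the three agent_level fields interact, as an added example (a sketch, not Drako's own code). The class, its method names and the one-trial-at-a-time rule in the half-open state are assumptions; timestamps are passed in so the behaviour is deterministic.

```python
# Added example: sliding-window circuit breaker, a sketch and not Drako's code.
from collections import deque

class CircuitBreaker:
    def __init__(self, failure_threshold=5, time_window_seconds=60,
                 recovery_timeout_seconds=30):
        self.threshold = failure_threshold
        self.window = time_window_seconds
        self.recovery = recovery_timeout_seconds
        self.failures = deque()       # timestamps of recent failures
        self.opened_at = None         # None while the circuit is closed
        self.trial_in_flight = False

    def state(self, now):
        if self.opened_at is None:
            return "closed"
        if now - self.opened_at >= self.recovery:
            return "half_open"        # cooldown over, trial requests allowed
        return "open"

    def allow(self, now):
        """True if the call may run; False means route it to the fallback."""
        s = self.state(now)
        if s == "closed":
            return True
        if s == "half_open" and not self.trial_in_flight:
            self.trial_in_flight = True   # ASSUMPTION: one trial at a time
            return True
        return False

    def record(self, now, ok):
        """Report the outcome of a call that allow() let through."""
        if self.opened_at is not None:    # outcome of a trial request
            self.trial_in_flight = False
            if ok:
                self.opened_at = None     # close the circuit, start clean
                self.failures.clear()
            else:
                self.opened_at = now      # restart the cooldown
            return
        if ok:
            return
        self.failures.append(now)
        while now - self.failures[0] > self.window:
            self.failures.popleft()       # drop failures outside the window
        if len(self.failures) >= self.threshold:
            self.opened_at = now
```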
Pre-action guardrails evaluated before execution: spend caps per action and session, data volume limits, and blast radius constraints.
policies:
  magnitude:
    max_spend_per_action_usd: 10.00
    max_spend_per_session_usd: 100.00
    max_records_per_action: 50
    enforcement_mode: enforce       # audit | enforce
| Field | Default | Description |
|---|---|---|
| max_spend_per_action_usd | | Max cost of a single tool call |
| max_spend_per_session_usd | | Max cumulative session spend |
| max_records_per_action | | Max records returned by a single tool call |
| enforcement_mode | audit | enforce blocks calls that exceed limits |
In proxy mode, magnitude also enforces max_actions_per_minute rate limiting per agent, returning HTTP 429 when exceeded.
Two-gate cryptographic verification that prevents prompt injection from hijacking approved actions.
  • Gate 1 — fingerprints the decision at the moment it’s made (SHA-256 + Ed25519)
  • Gate 2 — verifies nothing changed between fingerprinting and execution
If a hallucination or injection alters the action in between, it’s blocked. Every verification produces SOC 2-ready audit proof.
policies:
  intent_verification:
    mode: enforce                  # audit | enforce | off
    required_for:
      tool_types: [payment, write, execute]
      tools: [delete_record]
    anti_replay: true
    intent_ttl_seconds: 300
| Field | Default | Description |
|---|---|---|
| mode | off | enforce blocks calls without a valid intent token |
| anti_replay | true | Reject reused intent tokens |
| intent_ttl_seconds | 300 | Token validity window |
Intent fingerprinting is available only via the SDK runtime (govern()), not proxy mode.
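The two-gate check with anti_replay and intent_ttl_seconds, as an added example (a sketch, not Drako's implementation or token format). HMAC-SHA256 stands in for the Ed25519 signature so the code runs on the standard library alone; the token layout and all function names are hypothetical.

```python
# Added example: two-gate intent check, a sketch and not Drako's implementation.
# ASSUMPTION: HMAC-SHA256 replaces Ed25519 here; token fields are hypothetical.
import hashlib
import hmac
import json
import secrets

KEY = secrets.token_bytes(32)   # per-process demo key (constructed)
_seen_nonces = set()            # anti_replay: true

def fingerprint(action):
    """SHA-256 over canonical JSON, so key order and spacing cannot differ."""
    blob = json.dumps(action, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def _mac(digest, nonce, issued_at):
    msg = f"{digest}|{nonce}|{issued_at}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def gate1_issue(action, now):
    """Gate 1: bind the approved action to a nonce and an issue time."""
    digest, nonce = fingerprint(action), secrets.token_hex(16)
    return {"digest": digest, "nonce": nonce, "iat": now,
            "sig": _mac(digest, nonce, now)}

def gate2_verify(token, action, now, ttl=300):
    """Gate 2: re-fingerprint what is about to execute and compare."""
    expected = _mac(token["digest"], token["nonce"], token["iat"])
    if not hmac.compare_digest(expected, token["sig"]):
        return "reject: bad signature"
    if now - token["iat"] > ttl:
        return "reject: expired"
    if not hmac.compare_digest(fingerprint(action), token["digest"]):
        return "reject: action changed after approval"
    if token["nonce"] in _seen_nonces:
        return "reject: replayed token"
    _seen_nonces.add(token["nonce"])   # consume the token on first use
    return "allow"
```

With Ed25519, gate 2 would hold only the public key, so the executing side could verify tokens without being able to mint them.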
When one agent detects a threat, every agent benefits. Drako shares anonymous Indicators of Compromise (IOCs) across tenants.
  • Six AI-native IOC types
  • EigenTrust quality scoring — low-quality IOCs are filtered before propagation
  • Sub-5s propagation — one detection in São Paulo protects a deployment in Berlin
  • Anonymous — no agent identity or payload content is shared
The IOC check runs automatically as part of the enforcement pipeline (_check_policy in the base middleware). No additional configuration is required to receive community-shared IOCs.
To opt out of sharing (receive only, no contributions):
policies:
  collective_intelligence:
    share_iocs: false  # receive community IOCs but do not contribute

Governance levels

The governance_level field controls how policies are activated during drako upgrade:
| Level | Behavior |
|---|---|
| autopilot | Audit mode. Logs all violations, blocks nothing. |
| balanced | DLP enforce, ODD enforce, HITL rejects on timeout. |
| strict | + intent verification, cryptographic audit, magnitude enforce. |
| custom | No managed upgrade path — you control every field. |
drako upgrade --balanced  # when you're ready for enforcement
drako upgrade --strict    # maximum governance for enterprise
